Update faq.mdx / make TURN firewall rule recommended (#207)

* Update faq.mdx

make the TURN firewall rule recommended - it's needed for peers to connect consistently

* Update src/pages/about-netbird/faq.mdx

Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>

* Update src/pages/about-netbird/faq.mdx

Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>

---------

Co-authored-by: Maycon Santos <mlsmaycon@gmail.com>

src/pages/about-netbird/faq.mdx

@@ -9,7 +9,14 @@ NetBird's agent doesn't require any incoming port to be open; It negotiates the
 ### Outgoing ports
 NetBird usually won't need open ports, but sometimes you or your IT team needs to secure and verify
 all outgoing traffic, and that may affect how NetBird clients connect to the [control layer](/about-netbird/how-netbird-works)
-and negotiate the peer-to-peer connections.
+and negotiate the peer-to-peer connections. 
+
+<Note>
+    Allowing the outbound **Relay (TURN)** service below is **recommended** in more restricted networks for reliable peer connections. This will also improve the reliability of your [High Availability Routes](https://docs.netbird.io/how-to/routing-traffic-to-private-networks#high-availability-routes).
+</Note>
+<Note>
+    If using `fail2ban` or similar, you should whitelist each netbird.io endpoint below.
+</Note>
 
 Below is the list of NetBird hosted endpoints and ports they listen to:
 * Management service:
@@ -27,6 +34,8 @@ Below is the list of NetBird hosted endpoints and ports they listen to:
     * **Port range**: UDP/80,443 and TCP/443-65535
     * **IPv4**: The list is dynamic and geo-distributed; we advise you to check the nearest cluster with the following command:
         * `nslookup turn.netbird.io`
+    * In more restricted environments, `netbird status` will show `keepalive ping failed` errors without a firewall rule for TURN
+        * Example `nftables` outbound firewall rule: `ip daddr turn.netbird.io tcp dport 443-65535 accept`
 
 ## Why and what are the anonymous usage metrics?