First of all, make sure that in your “modem” all options for VoIP are “unblocked”. I have a FritzBox, and once I accidentally blocked VoIP in the FritzBox; then no matter what I tried on the IPFire, calls would never go through.
Anyway, concerning IPFire:
Clarify whether you need SIP (port 5060) or SIP over TLS (port 5061); it depends on whether your phone system uses an encrypted connection or not.
Simplified: The SIP-ports are for building up and managing the call itself, think of it as the “permission to ring”.
10000-20000 look like RTP ports. These ports are needed for the audio transmission as soon as the call is answered. In IPFire you need to use a colon if you want to define a port range: “10000:20000” would mean every port from 10000 to 20000.
443 obviously is HTTPS; I guess this is for your voicevox to connect to a server? I don’t know how this voicevox works, so I can only guess, BUT because you wrote that you need to open the ports to only two external IP addresses, I would assume that the voicevox is something like a client that connects to a server on the web.
In this case, you only need to allow OUTGOING connections, so from GREEN (or rather the voicevox) to the external IP addresses.
Depending on your setup (what is between your IPFire and the Internet?) and the configuration of your IPFire in general (NAT activated?), you may not need to activate NAT specifically in this one firewall rule.
Wrapping up (the comfortable way):
Create a host: 220.127.116.11
Create another host: 18.104.22.168
Create a host-group with both hosts in it.
Create a service for SIP (5060) or SIPoverTLS (5061).
Create another service for RTP (10000:20000).
Create another service for HTTPS (443).
Create a service-group with all the services in it.
Allow traffic from your voicevox to the newly created host-group and as protocols choose the newly created service-group.
Personal opinion: You could separate the traffic to the two different external IP addresses for security reasons but this seems a bit overkill in this case.
Please note: If my assumption is wrong and the voicevox is something like a phone server itself, the RTP and SIP ports have to be opened to the whole RED network and not just one IP, because these ports must be opened to every IP address you want to call (at least for “direct connections”). On the other hand, there would be no need for the open port 443 to an external IP address if the voicevox is a server itself. Also, if the voicevox is a server, you need to allow INCOMING traffic as well, because it must be reachable for people who want to call you.
A bit much text but I hope this explains some things. =)
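The rule described in the post above, modelled as a small piece of Python so the reader can check which flows it would and would not let through. This is an added example, not code from the poster or from IPFire itself. It assumes the voicevox sits on GREEN at 192.168.1.50 (made up), uses the two external addresses named in the post as the host group, describes each flow by the side that opens the connection (IPFire's iptables rules are stateful, so replies to an allowed outgoing connection need no second rule), and includes the port-range syntax check: a range must be written with a colon, as the post says.

```python
"""Added example (not IPFire's own code): a small model of the outgoing-only
rule from the post, used to check which flows it permits.

Assumptions: the voicevox is on GREEN at 192.168.1.50 (made up), the two
external hosts are the addresses named in the post, and a flow is described
by the side that opens the connection (IPFire's iptables rules are stateful,
so replies to an allowed outgoing connection come back without a second rule).
"""
import ipaddress
from dataclasses import dataclass

VOICEVOX = ipaddress.ip_address("192.168.1.50")             # assumed GREEN address
HOST_GROUP = frozenset(ipaddress.ip_address(a) for a in
                       ("220.127.116.11", "18.104.22.168"))  # the two hosts from the post


def parse_service(spec):
    """Turn 'proto/port' or 'proto/lo:hi' into (proto, lo, hi).

    IPFire writes a port range with a colon, '10000:20000'; anything else
    (a dash, a word, a port outside 1-65535) is rejected rather than
    silently turned into a single port or a wider range.
    """
    proto, sep, ports = spec.partition("/")
    proto = proto.lower()
    if not sep or proto not in ("tcp", "udp"):
        raise ValueError(f"service must look like tcp/5060 or udp/10000:20000, got {spec!r}")
    lo_s, _, hi_s = ports.partition(":")
    lo = int(lo_s)                 # int('10000-20000') raises ValueError: dash is not a range
    hi = int(hi_s) if hi_s else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range in {spec!r}")
    return proto, lo, hi


# The service group from the post: SIP, SIP over TLS, the RTP range, HTTPS.
SERVICE_GROUP = tuple(parse_service(s) for s in
                      ("tcp/5060", "tcp/5061", "udp/10000:20000", "tcp/443"))


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address   # the side that opens the connection
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def service_matches(flow, services=SERVICE_GROUP):
    """True if the flow's protocol and destination port fall in the service group."""
    return any(p == flow.proto and lo <= flow.dport <= hi for p, lo, hi in services)


def outgoing_rule_allows(flow):
    """The single rule from the post: voicevox -> host group, service group.

    Only connections opened by the voicevox match. A call that some other
    address tries to open towards the voicevox (the 'voicevox is a server'
    case from the post) is not covered and would need its own incoming rule.
    """
    return flow.src == VOICEVOX and flow.dst in HOST_GROUP and service_matches(flow)


def check_flows():
    """Evaluate a few constructed flows against the rule; returns name -> allowed."""
    ext1, ext2 = sorted(HOST_GROUP)
    other = ipaddress.ip_address("203.0.113.9")  # unrelated address (TEST-NET-3, constructed)
    cases = {
        "sip_signalling":   Flow(VOICEVOX, ext1, "tcp", 5060),
        "rtp_in_range":     Flow(VOICEVOX, ext2, "udp", 15000),
        "https_to_server":  Flow(VOICEVOX, ext1, "tcp", 443),
        "rtp_out_of_range": Flow(VOICEVOX, ext1, "udp", 20001),
        "sip_to_other_ip":  Flow(VOICEVOX, other, "tcp", 5060),
        "incoming_call":    Flow(other, VOICEVOX, "tcp", 5060),
    }
    return {name: outgoing_rule_allows(f) for name, f in cases.items()}


if __name__ == "__main__":
    for name, allowed in check_flows().items():
        print(f"{name:18} {'ALLOW' if allowed else 'DROP'}")
```

The last two cases are the point of the post's closing note: SIP to any address outside the host group and an unsolicited call arriving from outside both fall through the outgoing-only rule, so a voicevox that acts as a server needs the RTP and SIP ports open towards all of RED plus an incoming rule, not this one.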