As indicated here, the biggest issue are phones behind dynamic IPs. I can’t recall many issues many behind a static when I used the Firewall module, unless there was a phone with bad credentials.
Most common scenario seemed to be when the IP the phone is behind changes, the phone continues to send packets without realizing it needs to re-register (and therefore clear the IP by the responsive firewall). By the time is re-registers, the IP has been blocked. Particularly a problem if there are multiple BLFs generating a lot of packets, or if there are multiple phones behind the IP, or both.
Increasing the fail2ban retry limit may help, but the freepbx firewall rate-limit/attacker checks may also block the traffic. Unfortunately those limits aren’t tunable.
Mobile softphones on mobile data are generally aware of when their IP changes and register pretty quickly. A crude workaround can be limiting the softphone to mobile data so it is always aware of IP changes, and (mostly) eliminate the multiple phones behind one wifi IP problem.