UPDATE: wo.vzwwo.com is an additional domain that needs to be allowed.

This is short and sweet.  If you want to get Verizon Wi-Fi calling enabled on a restrictive network here is what you need.

UDP ports 500 & 4500 open to sg.vzwfemto.com and wo.vzwwo.com. The first FQDN comes from https://www.verizonwireless.com/support/knowledge-base-25525/. The second one I had to figure out after my WiFi calling stopped working.  A quick packet capture identified the domain name.

There are lots of posts online with specific IPs but I set it with that hostname and everything seems to be working.

As for my specific set up in pfSense I have our phones set up with static IPs and then created an alias for them. I then created an alias for the FQDNs above. Finally, one firewall rule each for the two ports.