Is there official documentation on the ports, protocols and services (PPS) required through a firewall to allow the access points to communicate with on-prem controllers as well as cloud controllers?
I would like this as well!
I can gather them from my Palo but I'd prefer if the team had official documentation.
Not official, but port 443 to the desired controller (cloud controller is manage.alta.inc), as well as port 443 for dl.alta.inc for firmware updates should be the main two hosts and ports you will need. You will always want NTP and DNS open.
-Jeff
So tcp/443, udp/123, tcp/53 and udp/53.
Seeing a lot more traffic reaching out to endpoints other than what you've listed above. A lot of DNS-over-HTTPS and the use of DNS servers other than the ones I've hardcoded on the access point…
You'll need ping.alta.inc as well. That's the 75.2.70.75 address. Every 30 seconds the APs will hit that.
Appears DNS servers that have been configured by Alta in /etc/config/https-dns-proxy are being used even after you manually configure your preferred servers in the UI. In my opinion, this shouldn't happen. Especially DNS over TLS.
```
root@FamilyRoom:/etc/config# cat https-dns-proxy

config main 'config'
	option canary_domains_icloud '1'
	option canary_domains_mozilla '1'
	option dnsmasq_config_update '*'
	option force_dns '0'
	list force_dns_port '53'
	list force_dns_port '853'
# ports listed below are used by some
# of the dnscrypt-proxy v1 resolvers
#	list force_dns_port '553'
#	list force_dns_port '1443'
#	list force_dns_port '4343'
#	list force_dns_port '4434'
#	list force_dns_port '5443'
#	list force_dns_port '8443'
	option procd_trigger_wan6 '0'

config https-dns-proxy
	option bootstrap_dns '1.1.1.1,1.0.0.1'
	option resolver_url 'https://cloudflare-dns.com/dns-query'
	option listen_addr '127.0.0.1'
	option listen_port '5054'
	option user 'nobody'
	option group 'nogroup'

config https-dns-proxy
	option bootstrap_dns '8.8.8.8,8.8.4.4'
	option resolver_url 'https://dns.google/dns-query'
	option listen_addr '127.0.0.1'
	option listen_port '5053'
	option user 'nobody'
	option group 'nogroup'

config https-dns-proxy
	option bootstrap_dns '208.67.222.222,208.67.220.220'
	option resolver_url 'https://doh.opendns.com/dns-query'
	option listen_addr '127.0.0.1'
	option listen_port '5055'
	option user 'nobody'
	option group 'nogroup'

root@FamilyRoom:/etc/config#
```
Looks like the following NTP servers are in use:

- 0.openwrt.pool.ntp.org
- 1.openwrt.pool.ntp.org
- 2.openwrt.pool.ntp.org
- 3.openwrt.pool.ntp.org

Source information (uci show system):

```
system.ntp.enabled='1'
system.ntp.enable_server='0'
system.ntp.server='0.openwrt.pool.ntp.org' '1.openwrt.pool.ntp.org' '2.openwrt.pool.ntp.org' '3.openwrt.pool.ntp.org'
```
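Pulling the thread together, here is an added example (not Alta's code or documentation, and not posted by anyone in the thread) that builds an egress allowlist for an AP from the hosts and ports named above plus the DoH upstreams and bootstrap resolvers parsed out of the /etc/config/https-dns-proxy dump, then classifies firewall flow records against it so that anything outside the expected set stands out. It assumes the firewall logs destinations as FQDNs where it can (SNI or FQDN objects; the Alta endpoints sit behind CloudFront, so raw IPs are not stable), that ping.alta.inc is reached on tcp/443 (the post names the host, not the port), and that 192.0.2.53 stands in for the resolver configured in the Alta UI; the config text and flow records below are constructed from what is posted in the thread.

```python
"""Egress check for Alta Labs APs: derive the expected host/port set from the
thread and from /etc/config/https-dns-proxy, then classify sample flow records.
Added example for this thread, not Alta's code."""
import re

# Constructed copy of the https-dns-proxy stanzas posted above (only the fields
# this example reads are kept).
HTTPS_DNS_PROXY_CONFIG = """
config main 'config'
    option force_dns '0'
    list force_dns_port '53'
    list force_dns_port '853'

config https-dns-proxy
    option bootstrap_dns '1.1.1.1,1.0.0.1'
    option resolver_url 'https://cloudflare-dns.com/dns-query'
    option listen_addr '127.0.0.1'
    option listen_port '5054'

config https-dns-proxy
    option bootstrap_dns '8.8.8.8,8.8.4.4'
    option resolver_url 'https://dns.google/dns-query'
    option listen_addr '127.0.0.1'
    option listen_port '5053'

config https-dns-proxy
    option bootstrap_dns '208.67.222.222,208.67.220.220'
    option resolver_url 'https://doh.opendns.com/dns-query'
    option listen_addr '127.0.0.1'
    option listen_port '5055'
"""

# Hosts named in the thread. Port 443 for ping.alta.inc is an assumption; the
# post gives the host and the 30-second interval, not the port.
CONTROLLER_HOSTS = {
    "manage.alta.inc": "cloud controller",
    "dl.alta.inc": "firmware updates",
    "ping.alta.inc": "keepalive, every ~30 s",
}
NTP_SUFFIX = ".openwrt.pool.ntp.org"          # from uci show system above
CONFIGURED_DNS = {"192.0.2.53"}                # assumption: resolver set in the Alta UI


def parse_uci(text):
    """Minimal UCI parser: list of (section_type, {key: value or [values]})."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"config\s+(\S+)(?:\s+'([^']*)')?$", line)
        if m:
            current = {}
            sections.append((m.group(1), current))
            continue
        m = re.match(r"(option|list)\s+(\S+)\s+'([^']*)'$", line)
        if m and current is not None:
            kind, key, val = m.groups()
            if kind == "option":
                current[key] = val
            else:
                current.setdefault(key, []).append(val)
    return sections


def doh_endpoints(uci_text):
    """[(resolver_host, {bootstrap_ip, ...})] for every https-dns-proxy stanza."""
    out = []
    for stype, opts in parse_uci(uci_text):
        if stype == "https-dns-proxy":
            host = re.match(r"https://([^/]+)/", opts["resolver_url"]).group(1)
            out.append((host, set(opts.get("bootstrap_dns", "").split(","))))
    return out


def classify(flow, doh=None):
    """flow = (dst, proto, dport). Returns a label; unexpected flows start with 'UNEXPECTED'."""
    dst, proto, dport = flow
    doh = doh_endpoints(HTTPS_DNS_PROXY_CONFIG) if doh is None else doh
    if proto == "tcp" and dport == 443 and dst in CONTROLLER_HOSTS:
        return f"alta: {CONTROLLER_HOSTS[dst]}"
    if proto == "udp" and dport == 123 and dst.endswith(NTP_SUFFIX):
        return "ntp: openwrt pool"
    if dport == 53 and dst in CONFIGURED_DNS:
        return "dns: configured resolver"
    for host, boots in doh:            # the integrated DoH noticed in the thread
        if proto == "tcp" and dport == 443 and dst == host:
            return f"doh: integrated https-dns-proxy upstream {host}"
        if dport == 53 and dst in boots:
            return f"doh: bootstrap lookup for {host}"
    return f"UNEXPECTED: {proto}/{dport} to {dst}"


def audit(flows):
    """{label: count} over a batch of flows."""
    counts = {}
    for f in flows:
        label = classify(f)
        counts[label] = counts.get(label, 0) + 1
    return counts


def unexpected(flows):
    """Only the flows that need a look (or a firewall rule)."""
    return [f for f in flows if classify(f).startswith("UNEXPECTED")]


# Constructed flow records for one AP, as a firewall might log them.
SAMPLE_FLOWS = [
    ("manage.alta.inc", "tcp", 443),
    ("ping.alta.inc", "tcp", 443),
    ("dl.alta.inc", "tcp", 443),
    ("0.openwrt.pool.ntp.org", "udp", 123),
    ("192.0.2.53", "udp", 53),
    ("cloudflare-dns.com", "tcp", 443),   # DoH upstream from the config dump
    ("8.8.8.8", "udp", 53),               # bootstrap lookup for dns.google
    ("203.0.113.9", "tcp", 853),          # DoT to an unknown resolver: should stand out
]

if __name__ == "__main__":
    for label, n in sorted(audit(SAMPLE_FLOWS).items()):
        print(f"{n:3d}  {label}")
```

Running it prints one line per label; the only UNEXPECTED entry is the tcp/853 flow, which is exactly the kind of traffic the reply above describes. Because `force_dns` is '0' in the dump, the AP is not redirecting client DNS to its local DoH listeners; the DoH traffic is the AP's own lookups, so it only needs tcp/443 to the three upstream hosts and udp/53 to their bootstrap IPs if you decide to permit it.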
Both DHCP-provided and integrated DOH servers are enabled in parallel on all Alta devices, in order to support local controllers behind networks that have DNS rebinding protection enabled (in general we recommend that this protection be disabled).
Both are not required to maintain a connection to the cloud; only one is, but it will still use both if possible.
Good catch on ping.alta.inc. All of our main web endpoints are AWS CloudFront endpoints, so the IPs will change and be dependent on your geographical location.