PPS Documentation

Is there official documentation on the ports, protocols and services (PPS) required through a firewall to allow the access points to communicate with on-prem controllers as well as cloud controllers?

I would like this as well!

I can gather them from my Palo but I’d prefer if the team had official documentation.

Not official, but port 443 to the desired controller (cloud controller is manage.alta.inc), as well as port 443 for dl.alta.inc for firmware updates should be the main two hosts and ports you will need. You will always want NTP and DNS open.

-Jeff

So tcp/443, udp/123, tcp/53 and udp/53.

Seeing a lot more traffic reaching out to end points other than what you’ve listed above. A lot of dns-over-https and the use of DNS servers other than the ones I’ve hardcoded on the access point…

You’ll need ping.alta.inc as well. That’s the 75.2.70.75 address. Every 30 seconds the APs will hit that.


Appears DNS servers that have been configured by Alta in /etc/config/https-dns-proxy are being used even after you manually configure your preferred servers in the UI. In my opinion, this shouldn’t happen. Especially DNS over TLS.

root@FamilyRoom:/etc/config# cat https-dns-proxy
config main 'config'
option canary_domains_icloud '1'
option canary_domains_mozilla '1'
option dnsmasq_config_update '*'
option force_dns '0'
list force_dns_port '53'
list force_dns_port '853'
# ports listed below are used by some
# of the dnscrypt-proxy v1 resolvers
# list force_dns_port '553'
# list force_dns_port '1443'
# list force_dns_port '4343'
# list force_dns_port '4434'
# list force_dns_port '5443'
# list force_dns_port '8443'
option procd_trigger_wan6 '0'

config https-dns-proxy
option bootstrap_dns '1.1.1.1,1.0.0.1'
option resolver_url 'https://cloudflare-dns.com/dns-query'
option listen_addr '127.0.0.1'
option listen_port '5054'
option user 'nobody'
option group 'nogroup'

config https-dns-proxy
option bootstrap_dns '8.8.8.8,8.8.4.4'
option resolver_url 'https://dns.google/dns-query'
option listen_addr '127.0.0.1'
option listen_port '5053'
option user 'nobody'
option group 'nogroup'

config https-dns-proxy
option bootstrap_dns '208.67.222.222,208.67.220.220'
option resolver_url 'https://doh.opendns.com/dns-query'
option listen_addr '127.0.0.1'
option listen_port '5055'
option user 'nobody'
option group 'nogroup'
root@FamilyRoom:/etc/config#

Looks like the following NTP servers are in use.

0.openwrt.pool.ntp.org
1.openwrt.pool.ntp.org
2.openwrt.pool.ntp.org
3.openwrt.pool.ntp.org

Source Information
system.ntp.enabled='1'
system.ntp.enable_server='0'
system.ntp.server='0.openwrt.pool.ntp.org' '1.openwrt.pool.ntp.org' '2.openwrt.pool.ntp.org' '3.openwrt.pool.ntp.org'

Both DHCP-provided and integrated DOH servers are enabled in parallel on all Alta devices, in order to support local controllers behind networks that have DNS rebinding protection enabled (in general we recommend that this protection be disabled).

Both are not required to maintain a connection to the cloud; only one is, but it will still use both if possible.

Good catch on ping.alta.inc. All of our main web endpoints are AWS CloudFront endpoints, so the IPs will change and be dependent on your geographical location.
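Pulling the thread together into a firewall allowlist, as an added example (not Alta code and not from any poster): it parses the https-dns-proxy UCI sections quoted above to find the DoH resolver hosts and bootstrap DNS IPs the AP will contact regardless of the DNS servers set in the UI, and combines them with the controller, firmware, keepalive and NTP destinations named in the thread. The UCI sample is constructed from the quoted config; the NTP hosts are assumed to be reached on udp/123 and the DoH resolvers on tcp/443 as their URLs imply.

```python
import re
from urllib.parse import urlparse
# Constructed sample: the https-dns-proxy sections quoted in this thread, quotes normalised.
UCI_SAMPLE = """config main 'config'
option force_dns '0'
list force_dns_port '53'
list force_dns_port '853'
config https-dns-proxy
option bootstrap_dns '1.1.1.1,1.0.0.1'
option resolver_url 'https://cloudflare-dns.com/dns-query'
config https-dns-proxy
option bootstrap_dns '8.8.8.8,8.8.4.4'
option resolver_url 'https://dns.google/dns-query'
config https-dns-proxy
option bootstrap_dns '208.67.222.222,208.67.220.220'
option resolver_url 'https://doh.opendns.com/dns-query'
"""
# Destinations named in the thread: controller, firmware, keepalive and the NTP pool.
STATIC_RULES = [("manage.alta.inc", "tcp", 443), ("dl.alta.inc", "tcp", 443),
                ("ping.alta.inc", "tcp", 443)]
STATIC_RULES += [(f"{i}.openwrt.pool.ntp.org", "udp", 123) for i in range(4)]
_OPTION = re.compile(r"^(?:option|list)\s+(\S+)\s+'([^']*)'", re.M)

def parse_uci(text):
    """Split a UCI file into (section_type, {name: [values]}); 'list' keys repeat."""
    sections = []
    for chunk in re.split(r"^(?=config\s)", text, flags=re.M):
        m = re.match(r"config\s+(\S+)", chunk)
        if m:  # the first chunk before any 'config' line is empty and is skipped
            opts = {}
            for key, val in _OPTION.findall(chunk):
                opts.setdefault(key, []).append(val)
            sections.append((m.group(1), opts))
    return sections

def doh_rules(text):
    """Egress rows for each resolver_url host and each bootstrap_dns server."""
    rules = []
    for _, opts in (s for s in parse_uci(text) if s[0] == "https-dns-proxy"):
        for url in opts.get("resolver_url", []):
            u = urlparse(url)  # DoH traffic goes to the resolver host over HTTPS
            rules.append((u.hostname, "tcp", u.port or 443))
        for servers in opts.get("bootstrap_dns", []):  # plain DNS to bootstrap IPs
            for ip in servers.split(","):
                rules += [(ip.strip(), "udp", 53), (ip.strip(), "tcp", 53)]
    return rules

def egress_allowlist(text=UCI_SAMPLE):
    """Deduplicated (destination, proto, port) rows the firewall must permit."""
    return sorted(set(STATIC_RULES + doh_rules(text)))
```

Any destination the AP reaches that is not in this list is a candidate for a deny-and-log rule, which is how the extra DoH and bootstrap traffic noted earlier in the thread shows up.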