OT Link Platform Ports
Use the following port lists when configuring the firewalls between OT Link Platform and the network.
Network Address Translation (NAT) between the device and the Internet is supported, with one exception: symmetric NAT is not supported. The Remote Access and LWM2M protocols rely on NAT traversal techniques that do not work reliably behind symmetric NAT.
Network Edge Ports
OT Link Platform expects unrestricted outbound connections for services such as the Network Time Protocol (NTP), Licensing, Remote Access, Workload Orchestrator, and third-party cloud providers. These services are deployed in the cloud and typically have dynamic IP addresses, so filtering outbound traffic by destination IP address is not practical; restrict by protocol and port instead.
As a starting point, the following outbound ports and protocols are recommended:
- TCP 443 (https)
- TCP 80 (http)
- UDP 5683 (lwm2m); the firewall's UDP session TTL (time to live, the idle timeout of the connection-tracking entry) must be at least 240 seconds, otherwise an idle LWM2M session is dropped and its reply traffic is blocked
- TCP 8883 (mqtt-ssl)
- TCP 1883 (mqtt-tcp)
- UDP 9993 (remote access)
- UDP/TCP 53 (dns) - only if public DNS servers are used
- UDP 123 (ntp) - only if public NTP servers are used
OT Link Platform does not need any specific inbound ports opened on the firewall, except for:
- Return traffic for the TCP/UDP sessions that the device initiates (a stateful firewall allows this through its connection-tracking table)
- The UDP 5683 session TTL of at least 240 seconds noted in the list above, so that LWM2M return traffic is still accepted after a quiet period
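The edge-firewall policy described above, as an added example that is not part of the OT Link Platform documentation: a script that generates an iptables-restore ruleset allowing exactly the documented outbound ports from the OT subnet, relying on connection tracking for return traffic, and a sysctl fragment that raises the Linux conntrack UDP timeouts to the 240 seconds LWM2M requires. The OT subnet (10.10.0.0/24), the WAN interface (eth0) and the use of public DNS/NTP are assumptions for the example, not values from the page.

```shell
# Added example, not from the OT Link Platform documentation.
# Assumptions (not from the page): OT subnet 10.10.0.0/24, WAN-facing interface eth0,
# and public DNS/NTP servers (otherwise drop the 53/123 entries).
OT_NET="${OT_NET:-10.10.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# Documented outbound list, one "proto port comment" per line.
EDGE_EGRESS_PORTS='
tcp 443 https
tcp 80 http
udp 5683 lwm2m
tcp 8883 mqtt-ssl
tcp 1883 mqtt-tcp
udp 9993 remote-access
udp 53 dns-public-only
tcp 53 dns-public-only
udp 123 ntp-public-only
'

# Emit an iptables-restore filter table for a Linux edge firewall that forwards the
# OT subnet: default DROP on FORWARD, accept return traffic via conntrack, then one
# ACCEPT per documented port for NEW sessions, and log whatever else is dropped.
gen_edge_egress_rules() {
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' "$EDGE_EGRESS_PORTS" | while read -r proto port comment; do
        [ -n "$proto" ] || continue
        printf -- '-A FORWARD -s %s -o %s -p %s --dport %s -m conntrack --ctstate NEW -m comment --comment "%s" -j ACCEPT\n' \
            "$OT_NET" "$WAN_IF" "$proto" "$port" "$comment"
    done
    printf -- '-A FORWARD -s %s -o %s -j LOG --log-prefix "ot-egress-drop: "\n' "$OT_NET" "$WAN_IF"
    printf '%s\n' 'COMMIT'
}

# Raise both conntrack UDP timeouts (unreplied and stream) to 240 s so an idle
# LWM2M exchange keeps its firewall/NAT mapping; the kernel defaults are lower.
gen_conntrack_sysctl() {
    printf '%s\n' 'net.netfilter.nf_conntrack_udp_timeout = 240' \
                  'net.netfilter.nf_conntrack_udp_timeout_stream = 240'
}

# Usage (as root, after reviewing the generated text):
#   gen_edge_egress_rules | iptables-restore
#   gen_conntrack_sysctl > /etc/sysctl.d/90-ot-conntrack.conf && sysctl --system
```

The ruleset only forwards sessions that the OT side opens; inbound connections to the OT subnet never match a NEW rule and are dropped by the chain policy, which is the "no specific inbound ports" behaviour the page describes. Check the timeout on the running firewall with `sysctl net.netfilter.nf_conntrack_udp_timeout_stream` after applying it.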
OT Link Platform Device Ports
The OT Link Platform device itself listens on the following ports:
- TCP 443 - HTTPS
- TCP 80 - HTTP, redirects to 443
- TCP 21, 2121 - FTP
- TCP 41250:41275 - passive FTP ports
- UDP 161 - SNMP
- UDP 5353 - mDNS (multicast DNS)
- TCP/UDP 5355 - LLMNR (Link-Local Multicast Name Resolution)
- TCP/UDP 4840 - OPC UA Server
Any other ports are blocked by the device's iptables firewall. This means that the OT Link Platform Flows application can only initiate outgoing connections; it cannot listen for incoming connections.
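A way to verify that a device exposes only the ports listed above, as an added example that is not part of the OT Link Platform documentation: a script that reads `ss -Hlntu` output from the device, compares every network-reachable listener against the documented list (expanding the passive FTP range), and reports anything extra. The `ss` output below is constructed sample input, not a capture from a real device.

```shell
# Added example, not from the OT Link Platform documentation.
# Documented device ports as proto:port or proto:low-high entries.
DOCUMENTED_DEVICE_PORTS="tcp:443 tcp:80 tcp:21 tcp:2121 tcp:41250-41275 udp:161 udp:5353 tcp:5355 udp:5355 tcp:4840 udp:4840"

# Returns 0 if "$1 $2" (proto port) is covered by the documented list, 1 otherwise.
port_documented() {
    proto=$1 port=$2
    for entry in $DOCUMENTED_DEVICE_PORTS; do
        dproto=${entry%%:*}; dport=${entry#*:}
        [ "$dproto" = "$proto" ] || continue
        case $dport in
            *-*) lo=${dport%-*}; hi=${dport#*-}
                 if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then return 0; fi ;;
            *)   if [ "$port" -eq "$dport" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# Reads `ss -Hlntu` lines (Netid State Recv-Q Send-Q Local Peer) on stdin, prints
# "proto port local" for every listener not in the documented list and returns 1
# if any were found. Loopback-only listeners are skipped: they are not reachable
# from the network and so are not part of the device's exposed surface.
audit_listeners() {
    extra=0
    while read -r netid state recvq sendq local peer; do
        [ -n "$netid" ] || continue
        case $netid in tcp|udp) ;; *) continue ;; esac
        addr=${local%:*}; port=${local##*:}
        case $addr in 127.*|'[::1]') continue ;; esac
        if ! port_documented "$netid" "$port"; then
            printf '%s %s %s\n' "$netid" "$port" "$local"
            extra=$((extra + 1))
        fi
    done
    [ "$extra" -eq 0 ]
}

# Constructed sample of `ss -Hlntu` output: documented listeners, one loopback-only
# service, and two listeners (tcp 8080, udp 1900) that are not on the list.
SAMPLE_SS='tcp LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 5 0.0.0.0:21 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:41260 0.0.0.0:*
tcp LISTEN 0 128 [::]:4840 [::]:*
tcp LISTEN 0 128 127.0.0.1:9090 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:161 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:*
udp UNCONN 0 0 [::]:5355 [::]:*
udp UNCONN 0 0 0.0.0.0:1900 0.0.0.0:*'

# Usage on the device itself:   ss -Hlntu | audit_listeners
# Usage with the sample above:  printf '%s\n' "$SAMPLE_SS" | audit_listeners
```

Run it periodically or after a firmware or marketplace-application change; a non-zero exit means a listener appeared that the documented iptables policy is not expected to allow, which is worth investigating before it is reachable from the plant network. The same list can be fed to an external scanner from a neighbouring host to confirm that the device's own firewall matches what `ss` reports.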
Marketplace applications manage their own ports. Those ports are application-specific and are outside of the OT Link Platform ports: