Limit RTC port range for client

We are asked all the time by some organizations for which security matters about the ports that need to be opened on their network/firewall to use our service, which is based on mediasoup of course.

I know we can set rtcMinPort/rtcMaxPort on the server side. However, I wonder whether there is a way to set such a limit for clients as well. Or do users have to open the WHOLE range of in/out ports on their network and devices (UDP at least)?

For questions like this, please first check the WebRTC spec. There is nothing in there to narrow local ports, so there is nothing we can do to achieve that.

It seems using a TURN server is the only option for networks with strict security rules. However, some guys have found an interesting solution by implementing the TURN protocol on top of the native PeerConnection.

For those who are looking for the preferred firewall settings on the client side, I did some tests. Fortunately, opening inbound ports, which is the main concern for network admins, is not necessary. Here are the required firewall settings for RTP data:

Inbound UDP or TCP: Deny All
Outbound UDP or TCP: Allow the port range defined in mediasoup server (i.e. rtcMinPort / rtcMaxPort)

Hi mkh,

We are using mediasoup in our organization, and for strict security reasons the ports are not allowed to be opened. For this case we use TURN servers to direct the traffic into our data center, since ports 80 and 443 are always open in organizations. The traffic goes via the TURN server to the mediasoup server’s RTC port mentioned in the ICE candidate…

Hi @madabhaviamit

Thanks for the confirmation. I have zero experience with using a TURN server. So you’ve configured the TURN server to listen on a single TCP port (443 or 80), right? Can I ask which TURN server you use and how it affects latency and quality?

Hi Mohsen,

Yes, I have configured the TURN server to listen on port 443 over SSL. I have a document on how to set up the TURN server, with all the necessary links. Once done with the setup, you just need to specify the TURN server’s IP, port, username and password to connect. It is also possible to specify the STUN and TURN server URLs in the mediasoup client library. I will share the document with you in some time.

Wow! That would be great. I’m looking forward to your document. Thank you.
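
An added example, not part of the thread and not mediasoup's own code: it combines the client firewall rule from the posts above (inbound deny all, outbound allowed to rtcMinPort/rtcMaxPort) with the TURN-on-443 setup, and decides which transport options a client behind a given egress policy needs. `iceServers` and `iceTransportPolicy` are mediasoup-client transport options; the function names, TURN hostname, credentials, port range and candidates are constructed.

```javascript
'use strict';
// Added example. Hostname, credentials, port range and candidates are constructed.
// Assumes a stateful firewall: replies to allowed outbound flows pass "Inbound: Deny All".

// True if an outbound flow over `protocol` to `port` is permitted by the egress rules.
function egressAllowed(rules, protocol, port) {
  return rules.some(r => r.protocol === protocol && port >= r.min && port <= r.max);
}

// Pick mediasoup-client transport options for a client behind `rules`, given the
// parameters the server returned for its WebRtcTransport.
function planTransportOptions(serverParams, rules, turn) {
  const reachable = serverParams.iceCandidates.filter(c =>
    Number.isInteger(c.port) && egressAllowed(rules, c.protocol, c.port));
  if (reachable.length > 0) {
    // Outbound to rtcMinPort..rtcMaxPort is open: connect directly, no TURN needed.
    return { mode: 'direct', reachable, options: { ...serverParams } };
  }
  // No direct path. TURN over TLS on TCP 443 only helps if that port is open too.
  if (!turn || !egressAllowed(rules, 'tcp', turn.port)) {
    return { mode: 'blocked', reachable, options: null };
  }
  const iceServers = [{
    urls: `turns:${turn.host}:${turn.port}?transport=tcp`,
    username: turn.username,
    credential: turn.credential,
  }];
  // 'relay' makes the browser use only the TURN path; the TURN server itself must
  // be able to reach the mediasoup RTC ports inside the data center.
  return { mode: 'relay', reachable,
    options: { ...serverParams, iceServers, iceTransportPolicy: 'relay' } };
}

// Constructed sample data.
const SERVER_PARAMS = {
  id: 'transport-1',
  iceParameters: { usernameFragment: 'ufrag', password: 'icepwd' },
  iceCandidates: [
    { foundation: 'udpcandidate', ip: '203.0.113.10', protocol: 'udp', port: 40017, type: 'host' },
    { foundation: 'tcpcandidate', ip: '203.0.113.10', protocol: 'tcp', port: 40021, type: 'host' },
  ],
  dtlsParameters: { role: 'auto', fingerprints: [] },
};
const RTC_RANGE_OPEN = [{ protocol: 'udp', min: 40000, max: 49999 }];
const WEB_ONLY = [{ protocol: 'tcp', min: 80, max: 80 }, { protocol: 'tcp', min: 443, max: 443 }];
const TURN = { host: 'turn.example.com', port: 443, username: 'user', credential: 'secret' };

console.log(planTransportOptions(SERVER_PARAMS, RTC_RANGE_OPEN, TURN).mode);
console.log(planTransportOptions(SERVER_PARAMS, WEB_ONLY, TURN).options.iceServers[0].urls);
```

In a browser client the returned `options` object would be passed to `device.createSendTransport()` or `device.createRecvTransport()`.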