Limit RTC port range for client

We are asked all the time by organizations for which security matters about the ports that need to be opened on their network/firewall to use our service, which is based on mediasoup of course.

I know we can set rtcMinPort/rtcMaxPort on the server side. However, I wonder whether there is a way to set such a limit for clients too. Or do users have to open ALL in/out ports on their network and devices (UDP at least)?


For questions like this, please first read the WebRTC spec. There is nothing in there to narrow local ports, so there is nothing we can do to achieve that.

It seems using a TURN server is the only option for networks with strict security rules. However, some guys have found an interesting solution by implementing the TURN protocol on top of the native PeerConnection.

For those who are looking for the preferred firewall settings on the client side, I did some tests. Fortunately, opening inbound ports, which is the main concern for network admins, is not necessary. Here are the required firewall settings for RTP data:

Inbound UDP or TCP: Deny All
Outbound UDP or TCP: Allow the port range defined in mediasoup server (i.e. rtcMinPort / rtcMaxPort)


Hi mkh,

We are using mediasoup in our organization and due to strict security reasons the ports are not allowed to be opened. For this case we use TURN servers to direct the traffic into our data center, since ports 80 and 443 are always open in organizations. The traffic goes to the mediasoup server's rtc port mentioned in the ICE candidate via the TURN server…

Hi @madabhaviamit

Thanks for the confirmation. I have zero experience with using a TURN server. So you've configured the TURN server to listen on a single TCP port (443 or 80), right? Can I ask what TURN server you use and how it affects latency and quality?

Hi Mohsen,

Yes, I have configured the TURN server to listen on port 443 over SSL. I have a document on how to set up the TURN server with all the necessary links. Once done with the setup, you just need to mention the TURN server's IP, port, username and password to connect. It is also possible to mention the STUN and TURN server URLs in the mediasoup client library. I will share the document with you in some time.

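Pulling together the two answers above (the outbound allow rule on rtcMinPort..rtcMaxPort, and TURN on 443 over TLS) as an added example that is not code from mediasoup or from anyone in this thread: it checks that the ICE candidates a transport advertises sit inside the port range admins are asked to allow, and builds mediasoup-client transport options that force all client traffic through the TURN server. The transport parameters, TURN host name and credentials are constructed sample values.

```javascript
// Added example, not mediasoup's own code. Constructed sample: worker port
// range and the transport parameters a mediasoup server hands to a client.
const workerSettings = { rtcMinPort: 40000, rtcMaxPort: 40100 };
const serverParams = {
  id: 'transport-1',
  iceParameters: { usernameFragment: 'ufrag', password: 'pwd', iceLite: true },
  iceCandidates: [
    { foundation: 'udpcandidate', ip: '203.0.113.10', port: 40042, protocol: 'udp', type: 'host', priority: 1 },
    { foundation: 'tcpcandidate', ip: '203.0.113.10', port: 40043, protocol: 'tcp', type: 'host', priority: 2 },
  ],
  dtlsParameters: { role: 'auto', fingerprints: [] },
};
// Hypothetical TURN server listening on TLS 443 (constructed values).
const turn = { host: 'turn.example.com', username: 'user', credential: 'secret' };

// Candidates whose port falls outside the range the firewall rule allows.
// An empty result means "Outbound UDP/TCP: allow rtcMinPort-rtcMaxPort"
// covers everything the client will connect to directly.
function candidatesOutsideRange(iceCandidates, { rtcMinPort, rtcMaxPort }) {
  return iceCandidates.filter(c => c.port < rtcMinPort || c.port > rtcMaxPort);
}

// Options for mediasoup-client device.createSendTransport()/createRecvTransport().
// With relayOnly=true the browser gathers only relay candidates, so its sole
// outbound connection is TLS to turn.host:443; the TURN server then reaches
// mediasoup's rtc port on the client's behalf.
function clientTransportOptions(params, turnServer, relayOnly) {
  return {
    id: params.id,
    iceParameters: params.iceParameters,
    iceCandidates: params.iceCandidates,
    dtlsParameters: params.dtlsParameters,
    iceServers: [{
      urls: `turns:${turnServer.host}:443?transport=tcp`, // TURN over TLS
      username: turnServer.username,
      credential: turnServer.credential,
    }],
    iceTransportPolicy: relayOnly ? 'relay' : 'all',
  };
}
```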

Wow! That would be great. I’m looking forward to your document. Thank you.

Hi, is the document ready?

Hi Aidar

Were you able to find your way around this?

Hi Amit,
I’m also trying to solve this problem.
Right now it seems that for general reliability you really need a TURN server in front of mediasoup. Some firewalls are just too locked down.

I am looking into Coturn as the TURN server, but am yet to succeed in setting it up.

Would love to see the doc you speak of!

Sam

For the sake of testing, and maybe even production, you might investigate the STUN / TURN vendor xirsys.com. They have a generous free tier, a global STUN/TURN network, and reasonable pricing for production. (I’ve used their free tier for a few proof-of-concept operations. Other than that I have no affiliation.)