Default Ports and Firewalls

Erigon Ports

Component	Port	Protocol	Purpose	Should Expose
engine	9090	TCP	gRPC Server	Private
engine	42069	TCP & UDP	Snap sync (Bittorrent)	Public
engine	8551	TCP	Engine API (JWT auth)	Private
sentry	30303	TCP & UDP	eth/68 peering	Public
sentry	30304	TCP & UDP	eth/67 peering	Public
sentry	9091	TCP	incoming gRPC Connections	Private
rpcdaemon	8545	TCP	HTTP & WebSockets & GraphQL	Private

Component

Port

Protocol

Purpose

Should Expose

engine

9090

TCP

gRPC Server

Private

engine

42069

TCP & UDP

Snap sync (Bittorrent)

Public

engine

8551

TCP

Engine API (JWT auth)

Private

sentry

30303

TCP & UDP

eth/68 peering

Public

sentry

30304

TCP & UDP

eth/67 peering

Public

sentry

9091

TCP

incoming gRPC Connections

Private

rpcdaemon

8545

TCP

HTTP & WebSockets & GraphQL

Private

Typically, 30303 and 30304 are exposed to the internet to allow incoming peering connections. 9090 is exposed only internally for rpcdaemon or other connections, (e.g. rpcdaemon -> erigon). Port 8551 (JWT authenticated) is exposed only internally for Engine API JSON-RPC queries from the Consensus Layer node.

Caplin ports

Component	Port	Protocol	Purpose	Should Expose
sentinel	4000	UDP	Peering	Public
sentinel	4001	TCP	Peering	Public

Component

Port

Protocol

Purpose

Should Expose

sentinel

4000

UDP

Peering

Public

sentinel

4001

TCP

Peering

Public

If you are using --internalcl aka caplin as your consensus client, then also look at the chart above

Shared ports

Component	Port	Protocol	Purpose	Should Expose
all	6060	TCP	pprof	Private
all	6060	TCP	metrics	Private

Component

Port

Protocol

Purpose

Should Expose

all

6060

TCP

pprof

Private

all

6060

TCP

metrics

Private

Optional flags can be enabled that enable pprof or metrics (or both) - however, they both run on 6060 by default, so

you'll have to change one if you want to run both at the same time. use --help with the binary for more info.

Other ports

Reserved for future use: gRPC ports: 9092 consensus engine, 9093 snapshot downloader, 9094 TxPool

Hetzner firewall rules

Hetzner may apply strict firewall rules:

0.0.0.0/8             "This" Network             RFC 1122, Section 3.2.1.3
10.0.0.0/8            Private-Use Networks       RFC 1918
100.64.0.0/10         Carrier-Grade NAT (CGN)    RFC 6598, Section 7
127.16.0.0/12         Private-Use Networks       RFC 1918
169.254.0.0/16        Link Local                 RFC 3927
172.16.0.0/12         Private-Use Networks       RFC 1918
192.0.0.0/24          IETF Protocol Assignments  RFC 5736
192.0.2.0/24          TEST-NET-1                 RFC 5737
192.88.99.0/24        6to4 Relay Anycast         RFC 3068
192.168.0.0/16        Private-Use Networks       RFC 1918
198.18.0.0/15         Network Interconnect
Device Benchmark Testing   RFC 2544
198.51.100.0/24       TEST-NET-2                 RFC 5737
203.0.113.0/24        TEST-NET-3                 RFC 5737
224.0.0.0/4           Multicast                  RFC 3171
240.0.0.0/4           Reserved for Future Use    RFC 1112, Section 4
255.255.255.255/32    Limited Broadcast          RFC 919, Section 7
RFC 922, Section 7

Same in IpTables syntax.

Last updated 5 months ago