In and out ports on the relays?

Hi there,

We’ve successfully managed to set up a stake pool on the testnet, but to get it to work we had to open all ports on the relay. Is this the way to do it? Additionally, on our BP we only have the port for communicating with our relays open.

Cheers

Hi!

No :) Only one port should be opened, which is the listening port of your node (default is 3001), and that is what you did with your BP, which is fine.
The communication between nodes is based on the topology file, right now. So your node can only connect to a node which is listed in the topology file; by default it is an IOHK server. To be able to have more outgoing connections you need to extend the topology file either with
https://a.adapools.org/topology?limit=20
or the topology updater script.
https://cardano-community.github.io/guild-operators/#/Scripts/topologyupdater
I recommend choosing the topologyupdater script, since with that the address of your relay node will be spread among others, and that means you will have incoming connections as well, which is kind of mandatory for block creation…

Hi laplasz,

The relay’s topology is working just fine using the topologyupdater, but only if we allow traffic on all the ports on the relay. So to rephrase my question: which ports should be open on the relay nodes?

What do you mean by allow traffic? Yes, random local ports will be used to be able to create a connection with the listening port of another node…

So port 0 to 65536 has to be open for all IPs in the relay, in order to talk to the rest of the network?

How do you want to open it? By creating a NAT rule? If so, that is not needed.

We use AWS, so we need to open the necessary ports.

OK, so specify what you mean by opening a port in a system: using it? enabling it? Because for me opening a port means creating a NAT rule (port forwarding).

We just edit the inbound rules in the security group on AWS, hopefully this screenshot elaborates.

“Inbound means incoming traffic coming to your EC2 instances. For that you have to add an inbound rule. For a web server generally we use port 80.”
So in the cardano-node case that is 3001 by default. So the port range would be 3001-3001.

But in LiveView I can see that the incoming connections to the relay use a lot of different ports from all the other relay nodes. Don’t we have to allow them?

Can you please attach a screenshot? I am not familiar with LiveView. Or, if you could, provide the output of the netstat -ant | grep <your node port> command.

The node is not currently running, but I have an old screenshot of the node with only one unreachable incoming connection. However, this got sorted out, and the node had a lot of incoming connections afterwards. As you can see, the incoming connection uses port 34713.

Peers relay

OK, so what we can see here is that the remote relay node connects to your listening port 6000 (by default 3001) from port 34713:

your relay IP:6000 <---- remote relay IP:34713 (random local port)

That is why only 6000 should be opened, to be able to connect to it from outside.

The local ports of a connection do not matter, just like in the outgoing case:
your relay IP:random local port ----> 3.9.80.183:3001

Oh, so the port 34713 doesn’t matter at all to our relay, we just need to have port 6000 open?

No, it does not. What matters is your listening port only; it should be reachable from outside, hence the security group inbound rule.

I see, and the listening port is the one we include in the topology which gets pushed using the topologyupdater. It makes sense! Thanks!

In the topology file you provide the addresses (listening ports) of other nodes which your node will connect to. So if I put the IP address and listening port of your node into the topology file of my node, then my node could connect from a random local port to your node’s listening port.

Yeah, exactly. That’s why we use the topologyupdater to push our own IP and port to the list, and then fetch the list for us to connect to.
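To make the two points above concrete (inbound peers hit only the listening port from random remote ports; outbound connections go from random local ports to the listening ports listed in the topology file), here is an added example that is not part of the thread or of cardano-node. It parses a constructed `netstat -ant` dump and a constructed topology file in the legacy `Producers` format, and derives the one inbound security-group rule the node needs. The listening port 6000, the private address 10.0.1.25 and the peer addresses are assumptions chosen for illustration.

```python
import json
from collections import namedtuple

# Constructed sample of what `netstat -ant` could show on a relay whose
# cardano-node listens on TCP 6000 (assumption). Peer addresses are
# documentation ranges plus the 3.9.80.183:3001 peer mentioned in the thread.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.1.25:6000          203.0.113.7:34713       ESTABLISHED
tcp        0      0 10.0.1.25:6000          198.51.100.4:51222      ESTABLISHED
tcp        0      0 10.0.1.25:47810         3.9.80.183:3001         ESTABLISHED
tcp        0      0 10.0.1.25:39944         192.0.2.9:6000          ESTABLISHED
tcp6       0      0 :::6000                 :::*                    LISTEN
"""

# Constructed topology file: the remote nodes' listening ports we dial out to.
TOPOLOGY_SAMPLE = json.dumps({
    "Producers": [
        {"addr": "3.9.80.183", "port": 3001, "valency": 1},
        {"addr": "192.0.2.9", "port": 6000, "valency": 1},
    ]
})

Conn = namedtuple("Conn", "laddr lport raddr rport state")


def parse_netstat(text):
    """Turn the tcp/tcp6 lines of `netstat -ant` output into Conn tuples."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue  # header lines and non-TCP rows
        laddr, lport = parts[3].rsplit(":", 1)
        raddr, rport = parts[4].rsplit(":", 1)
        rport = rport if rport == "*" else int(rport)
        conns.append(Conn(laddr, int(lport), raddr, rport, parts[5]))
    return conns


def listening_ports(conns):
    """Ports the host accepts connections on (what a firewall must allow)."""
    return sorted({c.lport for c in conns if c.state == "LISTEN"})


def classify(conns, listen_port):
    """Split established connections by which side used its listening port.

    Inbound: our local port is the listening port, the remote port is random.
    Outbound: our local port is random, the remote port is the peer's listener.
    """
    inbound, outbound = [], []
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        (inbound if c.lport == listen_port else outbound).append(c)
    return inbound, outbound


def inbound_remote_ports(inbound):
    """The random remote ports; they need no firewall rule on our side."""
    return sorted(c.rport for c in inbound)


def topology_peers(text):
    """(addr, listening port) pairs our node is configured to dial."""
    return {(p["addr"], p["port"]) for p in json.loads(text)["Producers"]}


def unexplained_outbound(outbound, peers):
    """Outbound connections to destinations not in the topology file."""
    return [c for c in outbound if (c.raddr, c.rport) not in peers]


def required_inbound_rule(listen_port):
    """The single inbound rule the relay needs: TCP to its listening port."""
    return {"protocol": "tcp", "from_port": listen_port,
            "to_port": listen_port, "cidr": "0.0.0.0/0"}


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    inbound, outbound = classify(conns, 6000)
    print("listening on:", listening_ports(conns))
    print("inbound peers from random ports:", inbound_remote_ports(inbound))
    print("outbound to:", sorted((c.raddr, c.rport) for c in outbound))
    print("not in topology:", unexplained_outbound(outbound, topology_peers(TOPOLOGY_SAMPLE)))
    print("security-group inbound rule:", required_inbound_rule(6000))
```

Run it against a real `netstat -ant` capture by replacing `NETSTAT_SAMPLE`; the inbound list shows that every peer arrives at port 6000 from a different high port, which is why the security group needs only the 6000-6000 rule (plus SSH), and the outbound list shows our own random source ports connecting to each peer's listening port, which a stateful security group allows without any inbound rule.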

Please mark one of the answers as the solution if you think it helped solve your issue.