Ports and protocols
Every NovaVMS component listens on a specific port. This page lists them all so you can open firewalls or diagnose connectivity.
Component ports
| Port | Protocol | Component | Direction | Configurable via | Notes |
|---|---|---|---|---|---|
| 443 | TCP | Frontend / API ingress (Caddy) | Inbound from browsers and gateways | Reverse-proxy config | TLS terminates here in production. |
| 5200 | TCP | Frontend dev server (Vite) | Inbound (dev only) | vite.config.ts | Local development only. |
| 8090 | TCP | Cloud backend REST API + WebSocket | Inbound from browsers, gateways, service accounts | SERVER_ADDR | Production default is 127.0.0.1:8090 behind Caddy. |
| 8554 | TCP | RTSP server (go2rtc) | Inbound from cameras and playback clients | go2rtc config | Used in direct-mode streaming and relay. |
| 8555 | UDP | WebRTC media (go2rtc) | Bidirectional with browsers | go2rtc config | ICE candidate transport. |
| 11984 | TCP | go2rtc HTTP API | Loopback only | GO2RTC_ADDR | Stream management. Not exposed publicly. |
| 3478 | UDP | TURN relay control (Pion) | Inbound from browsers behind strict NAT | TURN_ADDR | Used only when direct P2P fails after 5 s. |
| 49152 - 49252 | UDP | TURN relay media ports | Bidirectional | TURN_RELAY_MIN_PORT, TURN_RELAY_MAX_PORT | Allocate the whole range. |
| 5432 | TCP | PostgreSQL | Loopback only (prod); dev uses 5434 | DATABASE_URL | Not exposed to the internet. |
| 5434 | TCP | PostgreSQL (dev override) | Loopback only | DATABASE_URL | Used when port 5432 is occupied on the dev host. |
| 9000 | TCP | MinIO S3 API | Loopback only | MINIO_ENDPOINT | Planned for v2; not in production. |
Firewall rules for a typical install
- Browser -> cloud frontend: allow inbound TCP 443 on the public IP that serves novavms.novalien.com.
- Browser -> WebRTC: allow inbound and outbound UDP 8555 and UDP 49152-49252 on the cloud server.
- Gateway -> cloud: allow outbound TCP 443 on the gateway host (WebSocket + API over TLS).
- Camera -> gateway: allow inbound TCP 554 (RTSP) and UDP 3702 (ONVIF WS-Discovery) on the gateway LAN.
- Gateway -> cameras: allow outbound TCP 80, 443, 554, and the camera’s ONVIF port (often 2020) on the gateway host.
- Cloud -> TURN: leave UDP 3478 inbound open on the cloud server for clients behind strict NAT.
- Between cloud and database: loopback only, no external rule needed.
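One way to confirm on a running host that the loopback-only rows in the table actually hold, as an added example that is not NovaVMS code: it parses `ss -H -tuln` output and reports any listener on those ports bound to a non-loopback address. The sample output is constructed, and treating 8090 as loopback-only assumes the production default behind Caddy.

```python
import ipaddress

# Ports the table lists as loopback-only. 8090 is included on the assumption
# that the production default (127.0.0.1:8090 behind Caddy) is in use.
LOOPBACK_ONLY = {
    ("tcp", 8090): "Cloud backend REST API + WebSocket",
    ("tcp", 11984): "go2rtc HTTP API",
    ("tcp", 5432): "PostgreSQL",
    ("tcp", 5434): "PostgreSQL (dev override)",
    ("tcp", 9000): "MinIO S3 API",
}

# Constructed sample of `ss -H -tuln` output (not captured from a real host).
SAMPLE = """\
tcp   LISTEN 0      4096         0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:8090       0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:11984      0.0.0.0:*
tcp   LISTEN 0      244          0.0.0.0:5432       0.0.0.0:*
tcp   LISTEN 0      244            [::1]:5432          [::]:*
tcp   LISTEN 0      4096               *:9000             *:*
udp   UNCONN 0      0            0.0.0.0:8555       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:3478       0.0.0.0:*
"""

def is_loopback(host):
    """True only for 127.0.0.0/8 or ::1; wildcards and unparseable hosts count as exposed."""
    try:
        return ipaddress.ip_address(host.strip("[]").split("%")[0]).is_loopback
    except ValueError:
        return False

def audit(ss_output):
    """Return (proto, port, bind_address, component) for each exposed loopback-only port."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        host, _, port = fields[4].rpartition(":")  # also splits "[::1]:5432"
        if not port.isdigit():
            continue
        component = LOOPBACK_ONLY.get((fields[0], int(port)))
        if component and not is_loopback(host):
            findings.append((fields[0], int(port), host, component))
    return findings

if __name__ == "__main__":
    for proto, port, host, component in audit(SAMPLE):
        print(f"EXPOSED {proto}/{port} on {host}: {component} should be loopback only")
```

On a live host, pass the text of `ss -H -tuln` to `audit()` in place of `SAMPLE`; an empty result means every loopback-only port found is bound to loopback.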
Related
- Retention policy — how long clips, events, and audit entries are kept
- Roles and permissions — who can trigger network-facing actions