Flightaware MLAT UDP using wrong port range

Hey community,

I have set up a Raspberry Pi running the Debian Package Add-On, currently updated to 3.8.1 and I’m feeding regular ADS-B/Mode-S as well as MLAT to Flightaware.
The Raspberry Pi runs behind an OPNsense firewall restricting access to only pre-specified port ranges.

When I set up the system, I noticed that my MLAT traffic was not coming through, which I was notified about by an “anomaly” message on my feeder page on Flightaware. This message told me that for MLAT, an OUTBOUND port range of 4999:9999 was needed, which I manually opened in the FW.

After a few restarts of the RPi and the FW due to package upgrades, I would often notice that MLAT traffic stopped with the same error message, although the FW had ports 4999:9999 open. I then noticed that the RPi tried to connect to FA using a completely different port (usually somewhere above 10,000). Once I (manually) opened the port on the FW, the MLAT UDP connection was fine again - until I rebooted again, which once again triggered the use of another port.
I don’t want to open all ports for this RPi due to security concerns but I also don’t want to manually add every port that might show up once anything was rebooted.

I’m therefore asking: is this a misconfiguration on my side?
Is the anomaly message concerning port range 4999:9999 on the feeder page on FA plain wrong/outdated?
Is this a bug in the FA software? What is the correct port range that needs to be opened?

Any help greatly appreciated. Thanks in advance :slight_smile:

This is outdated documentation - the port range was recently expanded to 4999…19999 (the previous range was getting too small as we now handle a lot more clients per server host). Sorry for the confusion.

(Note that you do not need to open these ports for inbound traffic - it is purely outbound UDP)

Ah, I see - makes sense. Thanks for the info!
And yes, I was aware of the fact that it is only needed for outbound traffic. It’s just that my FW is specifically configured to block any outbound traffic unless I manually allow it (or certain conditions are met).

Just because this seems related: documentation at the anomaly message states that only a connection to the domain piaware.flightaware.com is needed. Is this still correct? Are there any fixed IP addresses that would be more appropriate?
I’m asking because I’m seeing UDP traffic on port 8099 and/or 15190, which is only allowed for the domain piaware.flightaware.com (can’t see the domain for the traffic, only host IP) but I’m not sure if this is FA traffic or from another program.

This is still correct. The piaware.flightaware.com DNS name points to a pool of servers. The TCP connection goes to a host from that pool, and the UDP data then goes to the same host that the TCP connection ended up going to.

The pool might point to different hosts (or even different CIDR blocks) over time as we rearrange things on the server side; it’s hard to give a set of IPs that will stay the same in the long term.
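The two facts in the replies above (MLAT UDP leaves on destination ports 4999..19999, and it goes to the same pool member the feeder's TCP session landed on) can be turned into a small audit of a firewall's flow table, so that a stray UDP flow is classified instead of guessed at. The script below is an added example, not code from this thread or from the piaware project: the conntrack-like log format, the addresses and the TCP port in the sample dump are all constructed, and the thread does not state which TCP port piaware uses. It also shows why the stale 4999:9999 rule silently dropped the flow on port 15190 that the original poster saw.

```python
"""Audit outbound UDP flows from a piaware feeder against what the thread
states: MLAT UDP goes out on destination ports 4999..19999, to the same server
that the feeder's TCP session to piaware.flightaware.com landed on.
Added example, not code from the thread or the piaware project; every log line
and address below is a constructed sample."""

from dataclasses import dataclass
from typing import Iterable

# Port range given in the thread (inclusive 4999..19999, hence stop=20000).
MLAT_UDP_PORTS = range(4999, 20000)
# The stale range from the anomaly message that the poster originally opened.
STALE_UDP_PORTS = range(4999, 10000)


@dataclass(frozen=True)
class Flow:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    state: str   # "established" for a live TCP session, "-" otherwise


def parse_flow(line: str) -> Flow:
    """Parse one line of a constructed, conntrack-like flow dump:
    '<proto> <src> -> <dst>:<dport> <state>'."""
    proto, src, arrow, dst_port, state = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected flow line: {line!r}")
    dst, port = dst_port.rsplit(":", 1)
    return Flow(proto.lower(), src, dst, int(port), state)


def feed_hosts(flows: Iterable[Flow]) -> set[str]:
    """Servers the feeder's TCP session ended up on; per the thread, MLAT UDP
    should target exactly these hosts."""
    return {f.dst for f in flows if f.proto == "tcp" and f.state == "established"}


def classify_udp(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Label every outbound UDP flow: expected MLAT, wrong host, or wrong port."""
    hosts = feed_hosts(flows)
    result = []
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst not in hosts:
            verdict = "unexpected-host"      # not the server the TCP feed chose
        elif f.dport not in MLAT_UDP_PORTS:
            verdict = "port-out-of-range"    # right host, but not an MLAT port
        else:
            verdict = "mlat-ok"
        result.append((f, verdict))
    return result


def blocked_by_rule(flows: list[Flow], allowed: range) -> list[int]:
    """Destination ports of otherwise-valid MLAT flows that a firewall rule
    permitting only `allowed` would silently drop."""
    return sorted({f.dport for f, v in classify_udp(flows)
                   if v == "mlat-ok" and f.dport not in allowed})


# Constructed sample dump. 192.0.2.10 is the Pi; 203.0.113.7 stands in for
# whichever pool member piaware.flightaware.com resolved to. The TCP port is a
# constructed value too; the thread does not state it.
SAMPLE_LOG = """\
tcp 192.0.2.10 -> 203.0.113.7:1200 established
udp 192.0.2.10 -> 203.0.113.7:15190 -
udp 192.0.2.10 -> 203.0.113.7:8099 -
udp 192.0.2.10 -> 198.51.100.5:12000 -
udp 192.0.2.10 -> 203.0.113.7:30000 -
udp 192.0.2.10 -> 203.0.113.7:4998 -
"""


def audit(text: str = SAMPLE_LOG) -> dict[str, list[int]]:
    """Group UDP destination ports by verdict for the given flow dump."""
    flows = [parse_flow(l) for l in text.splitlines() if l.strip()]
    grouped: dict[str, list[int]] = {}
    for f, verdict in classify_udp(flows):
        grouped.setdefault(verdict, []).append(f.dport)
    return grouped


if __name__ == "__main__":
    flows = [parse_flow(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    for verdict, ports in audit().items():
        print(f"{verdict:18s} {ports}")
    print("dropped by stale 4999:9999 rule:", blocked_by_rule(flows, STALE_UDP_PORTS))
    print("dropped by 4999:19999 rule:     ", blocked_by_rule(flows, MLAT_UDP_PORTS))
```

On the sample, ports 15190 and 8099 are classified as expected MLAT traffic, the flow to 198.51.100.5 is flagged because no TCP feed session went there, and 30000 and 4998 fall outside the range; only the stale 4999:9999 rule would have dropped 15190. Because the pool addresses change, the practical rule on the firewall is the one the staff reply implies: allow UDP 4999:19999 to whatever piaware.flightaware.com currently resolves to, rather than pinning individual IPs.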

Well, those are in the mlat UDP range so that sounds normal?

Sorry about the confusion: I rechecked my FW settings and noticed that I had entered the URL incorrectly, so the domain was not resolved properly. I corrected this mistake and with the new port range it works out fine now!
Thanks for the prompt reply! If possible, it would be great to update the documentation on the required port ranges or at least have a section on port ranges and URLs (external connecting to FA as well as internal dump1090 just for documentation if one is not using the standard image) somewhere. For example, this would be the perfect location.

Nevertheless, thanks for the quick help! Great community and community support!
