Default Ports

This page lists every port ProxPanel uses, whether it should be exposed to the public internet, restricted to localhost, or opened only outbound. Use it when:

• Configuring a firewall in front of a ProxPanel server.
• Setting up Security Groups on a cloud VM.
• Diagnosing “connection refused” or “port already in use” errors.
• Planning a multi-server cluster.

The convention used below:

Direction	Meaning
Inbound (public)	Internet → ProxPanel. Must be open on the public interface.
Inbound (LAN/BNG)	BNG / NAS → ProxPanel. Open to your management network, not the internet.
Inbound (localhost)	Bound to 127.0.0.1 only. Never expose.
Outbound	ProxPanel → external service. Egress firewall rule.

Quick reference — what to open

For a typical single-server install with one BNG:

What	Port	Direction	Rule
SSH	22/tcp	Public (admin IPs only)	ALLOW from <admin IPs>
HTTP redirect	80/tcp	Public	ALLOW any
HTTPS panel	443/tcp	Public	ALLOW any
RADIUS auth	1812/udp	LAN/BNG	ALLOW from <BNG IP>
RADIUS acct	1813/udp	LAN/BNG	ALLOW from <BNG IP>
CoA listener	1700/udp	LAN/BNG	ALLOW from <BNG IP>
TR-069 ACS	7547/tcp (or 80 via nginx)	Public (CPE)	ALLOW any

Everything else (database, Redis, internal API) stays on 127.0.0.1.

Full table

Direction	Port	Proto	Service	Purpose	Configurable	Default open in install
Inbound	22	TCP	SSH	Admin shell access	Yes (sshd_config)	Yes (admin IPs only)
Inbound	80	TCP	nginx	HTTP→HTTPS redirect. Also proxies /acs to TR-069 ACS so routers that can’t open 7547 still work.	nginx.conf	Yes
Inbound	443	TCP	nginx	HTTPS panel (admin / reseller / customer / API)	nginx.conf	Yes
Inbound	1812	UDP	proxpanel-radius	RADIUS Authentication (PAP, MS-CHAPv2, CHAP)	Per-NAS in nas_devices.auth_port	Yes
Inbound	1813	UDP	proxpanel-radius	RADIUS Accounting (Start / Interim-Update / Stop)	Per-NAS in nas_devices.acct_port	Yes
Inbound	1700	UDP	proxpanel-radius	CoA listener — MikroTik’s default for inbound CoA replies.	Per-NAS in nas_devices.coa_port	Yes
Inbound	3799	UDP	proxpanel-radius	CoA listener — RFC 5176 standard. Used by Cisco / Juniper / Huawei generic-RADIUS path.	Per-NAS in nas_devices.coa_port	Optional
Inbound	7547	TCP	TR-069 ACS	Direct ACS endpoint. Most installs proxy this through nginx :80//acs — that’s the recommended path.	API container env	Optional
Inbound (localhost)	5432	TCP	PostgreSQL 16	Database. Bound to 127.0.0.1 only (v1.0.178+)	docker-compose.yml	Localhost-only
Inbound (localhost)	6379	TCP	Redis 7	Cache + session store. Bound to 127.0.0.1 only	docker-compose.yml	Localhost-only
Inbound (localhost)	8080	TCP	proxpanel-api	Go API server. nginx proxies /api/* to this.	API env (API_PORT)	Localhost-only
Outbound	443	TCP	license.proxrad.com	License validation, update download, anti-replay heartbeat	LICENSE_SERVER env	Required
Outbound	8728	TCP	MikroTik API (plain)	RouterOS API to BNG — queues, PPP active, torch, pool reads.	Per-NAS in nas_devices.api_port	Required
Outbound	8729	TCP	MikroTik API (TLS)	Same as above, encrypted. Set nas_devices.use_ssl=true.	Per-NAS in nas_devices.api_ssl_port	Optional
Outbound	21	TCP	FTP (MikroTik)	Backup retrieval for legacy NAS sync.	Per-NAS in nas_devices.ftp_port	Optional
Outbound	25 / 465 / 587	TCP	SMTP	Email notifications	Settings → Notifications	Optional
Outbound	443	TCP	Ultramsg / Zender	WhatsApp gateway API	Settings → Notifications	Optional

Optional observability stack (LGTM)

If you deploy the optional Loki+Grafana+Tempo+Prometheus stack (separate VM):

Direction	Port	Proto	Service	Purpose	Default exposure
Inbound	3000	TCP	Grafana	Dashboards UI	Behind reverse-proxy or admin IPs only
Inbound	9090	TCP	Prometheus	Metrics UI / API	Localhost or admin IPs
Inbound	3100	TCP	Loki	Log ingestion HTTP	Localhost or VPN
Inbound	4317 / 4318	TCP	Tempo	OTLP trace ingestion	Localhost or VPN
Outbound	9100	TCP	node_exporter	Host metrics scrape — Prometheus pulls from each ProxPanel server	Open to Prometheus IP only
Outbound	5060	TCP	mt-exporter	MikroTik metrics scrape — Prometheus pulls from each NAS	Open to Prometheus IP only

Note

The default Grafana port (3000) collides with the React dev server. Production ProxPanel installs do not run the React dev server, so this is only a problem on developer machines.

Per-NAS ports

NAS rows in ProxPanel carry their own port configuration so heterogeneous BNGs can co-exist:

Column	Default	Purpose
auth_port	1812	RADIUS auth port on this NAS.
acct_port	1813	RADIUS accounting port on this NAS.
coa_port	1700	CoA port. MikroTik default = 1700; RFC standard = 3799.
api_port	8728	MikroTik API plain.
api_ssl_port	8729	MikroTik API TLS.
ftp_port	21	Optional FTP for legacy sync.
use_ssl	false	Whether ProxPanel uses api_ssl_port instead of api_port.

SSH ports per production server

The fleet uses non-standard SSH ports on some servers to reduce script-kiddie noise. As of 2026-05-12:

Server	SSH port	Notes
Dev box ()	22	Public, key auth only
Acme customer ()	2222	Tunnelled to via license server
Acme ISP customer ()	2223	Tunnel port 20017
SaaS ()	22
License main ()	22	Cloudflare LB origin
License backup ()	22	CF LB origin

All accept a single SSH key only — password auth is disabled.

RouterOS-side requirements

The MikroTik BNG must accept connections from ProxPanel on the API ports:

/ip service set api address=<proxpanel-server-ip>/32 disabled=no
/ip service set api-ssl address=<proxpanel-server-ip>/32 disabled=no

If the BNG is behind a NAT, configure port-forwards for inbound RADIUS / CoA and outbound API.

Common port-related errors

bind: address already in use on RADIUS startup

Another process is listening on 1812/1813/1700 — usually freeradius from a prior install. Stop it: systemctl disable --now freeradius.

connection refused to MikroTik API

Either:

• The MikroTik API service is disabled (/ip service enable api).
• The MikroTik firewall blocks port 8728 from your ProxPanel IP.
• nas_devices.use_ssl=true but the cert is invalid — set to false or fix the cert.

CoA disconnect not working but auth is fine

The BNG isn’t sending CoA replies to the right port. MikroTik defaults to 1700; the RFC default is 3799. Confirm nas_devices.coa_port matches what MikroTik is configured to use.

”Update server not reachable”

Outbound 443 to license.proxrad.com is blocked. The license server is behind Cloudflare; allowlisting Cloudflare’s IP ranges (or just 443/tcp to any) fixes this.

Network topology cheatsheet

                     ┌──────────────┐
        443 ────────►│              │
         80 ────────►│    nginx     │──► 8080 (API)
       7547 ────────►│              │──► /acs → 7547 (ACS)
                     └──────────────┘
                          │
                          ▼
                   ┌──────────────┐
       1812/UDP ──►│  proxpanel-  │
       1813/UDP ──►│    radius    │──► postgres (5432, localhost)
       1700/UDP ──►│              │──► redis (6379, localhost)
                   └──────────────┘
                          │
                          ▼
                   ┌──────────────┐
                   │   MikroTik   │  ◄── 8728 / 8729 (outbound from API)
                   │     BNG      │
                   └──────────────┘

Cluster ports (HA only)

When the optional Hot-Standby RADIUS + PostgreSQL replication is enabled, the two cluster nodes need additional connectivity:

Direction	Port	Proto	Service	Purpose	Notes
Main → Secondary	5432	TCP	PostgreSQL streaming replication	WAL stream from primary to replica	Authenticated via replicator role + pg_hba.conf
Secondary → Main	5432	TCP	Replication slot	Replica fetches missed WAL on reconnect	Same as above
Both directions	80	TCP	Cluster heartbeat / promotion	Node health, manual failover trigger	Authenticated via X-Cluster-Secret header
Both directions	6379	TCP	Redis replication (optional)	Session sync for hot-standby RADIUS	Optional — only when Redis replication is enabled

For the heartbeat to traverse intermediate firewalls, both cluster nodes typically sit on the same management VLAN. Putting them in different data centres requires a private link.

SaaS-specific ports

If you run the SaaS variant (saas.proxrad.com):

Direction	Port	Proto	Service	Purpose	Notes
Inbound	51820	UDP	WireGuard	Tenant relay tunnels for RADIUS / API back to the central SaaS panel	Must be grey-clouded if behind Cloudflare (UDP cannot proxy)
Inbound	1812	UDP	RADIUS auth	Direct from tenant BNGs over the WireGuard tunnel	Grey-cloud required
Inbound	1813	UDP	RADIUS acct	Same	Grey-cloud required

The SaaS panel uses wildcard DNS (*.saas.proxrad.com) — every tenant gets a subdomain.

Common port-related errors

bind: address already in use on RADIUS startup

Another process is listening on 1812 / 1813 / 1700 — usually freeradius from a prior install. Stop it: systemctl disable --now freeradius.

connection refused to MikroTik API

Either:

• The MikroTik API service is disabled (/ip service enable api).
• The MikroTik firewall blocks port 8728 from your ProxPanel IP.
• nas_devices.use_ssl=true but the cert is invalid — set to false or fix the cert.
• Wrong port — newer ProxPanel installs default to 8728 but some legacy installs override to 8730+ via per-NAS api_port.

CoA disconnect not working but auth is fine

The BNG isn’t sending CoA replies to the right port. MikroTik defaults to 1700; the RFC default is 3799. Confirm nas_devices.coa_port matches what MikroTik is configured to use.

”Update server not reachable”

Outbound 443 to license.proxrad.com is blocked. The license server is behind Cloudflare; allowlisting Cloudflare’s IP ranges (or just 443/tcp to any) fixes this.

EADDRINUSE from the API container at startup

Port 8080 is in use on 127.0.0.1. Common causes: another local dev server, a leftover container from a previous docker compose up. docker ps -a | grep 8080 and remove the stale container.

MikroTik appears in NAS list but is_online=false

ProxPanel polls /system/identity over the API every cycle. If polling fails three times in a row, the NAS is marked offline. Verify outbound TCP 8728 from the API host, and that the configured api_username has API permission on the router (/user group set full policy=...,api,...).

Linux firewall examples

iptables (single BNG)

# Allow SSH from admin IPs
iptables -A INPUT -p tcp --dport 22 -s <admin-ip>/32 -j ACCEPT
# Allow HTTPS panel
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 80  -j ACCEPT
# Allow RADIUS + CoA from BNG only
iptables -A INPUT -p udp --dport 1812 -s <bng-ip>/32 -j ACCEPT
iptables -A INPUT -p udp --dport 1813 -s <bng-ip>/32 -j ACCEPT
iptables -A INPUT -p udp --dport 1700 -s <bng-ip>/32 -j ACCEPT
# Default deny
iptables -P INPUT DROP

UFW (Ubuntu defaults)

ufw default deny incoming
ufw allow from <admin-ip> to any port 22 proto tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw allow from <bng-ip> to any port 1812 proto udp
ufw allow from <bng-ip> to any port 1813 proto udp
ufw allow from <bng-ip> to any port 1700 proto udp
ufw enable

Cloud security group (AWS / Azure / GCP)

• Inbound: 22 (admin IPs), 80, 443 (any), 1812 / 1813 / 1700 UDP (BNG IPs).
• Outbound: All (default). At minimum 443/tcp to any (license server, Ultramsg, etc.) and 8728 / 8729 TCP to BNG.

Related pages

• System Requirements — bandwidth and CPU sizing.
• NAS / Routers — per-NAS port configuration.
• Security Hardening — recommended firewall rules.
• Cluster — additional ports for HA replication.