[tor-relays] firewall ports needed to run a middle relay

torix at protonmail.com torix at protonmail.com
Fri Apr 26 15:56:58 UTC 2019

Thank you all for your helpful replies on this - more than just what I asked.

I think the router (Actiontec MI424WR from Verizon) is up to the task - for the first year it went up to about 6,000 connexions; in the last year since the DoS mitigation patch came out it averages about 2,500. My service is equal up/download speeds, about 55/60 megabits/sec on the Verizon speed test, and I have never noticed tor's use on it. I've never had to configure it except to put the tor box in the DMZ, as most games and remote desktop were already pre-configured. I'll look at OpenWRT, Neel, though not sure I'm up to configuring it.

Thanks Again,



‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, April 26, 2019 2:05 AM, Neel Chauhan <neel at neelc.org> wrote:

> If you have fiber to the home or another symmetrical speed broadband
> connection (like some wireless ISPs like Webpass), you may have a lot of
> upstream speed. In this case it's perfect for Tor relays. If you do,
> invest in a good router with a big enough NAT table if you don't have
> one, flash custom firmware if your router supports it and is powerful
> enough, or reuse your old desktop as a pfSense box. I have Verizon FiOS
> FTTH and use a Linksys WRT1900AC running OpenWRT instead of a Verizon
> gateway.
> Some ISPs may force you to use their router, like AT&T in some parts of
> the US who forces 802.X authentication to use VDSL/FTTH that is only
> spoken on their router.
> But your uplink probably is crappy if you have cable, DSL, or fixed
> wireless.
> -Neel
> https://www.neelc.org/
> On 2019-04-25 17:48, nusenu wrote:
> > torix at protonmail.com:
> >
> > > I need to move to a new router, which, unlike the old Verizon home
> > > router, doesn't have a quick DMZ host to which I attach the tor
> > > relay's local IP address. So I think I need to do port forwarding,
> > > and for that what rules do I need? My torrc config has: ControlPort
> > > 9052 ORPort 8443 DirPort 8080
> > > So I forwarded 8443 and just in case, 8080. But the number of my
> > > connexions kept dropping, so I put it back in the DMZ and it started
> > > getting new ones again. Trying to figure out if I screwed up the
> > > config gui, or if I need to add other ports. Did I miss a port?
> >
> > Forwarding the ORPort and DirPort (if you set one) is all you need
> > but home broadband uplinks frequently are not made for the amount of
> > concurrent sessions a tor relay usually has to handle.
> > So failures might still happen even if you set up the port-forwarding
> > part correctly.
> >
> > tor-relays mailing list
> > tor-relays at lists.torproject.org
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
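
An added example, not part of the thread or of Tor's own code: a small Python script that reads the port options from a torrc and derives which TCP ports the router must forward, following the answer above that only the ORPort and DirPort need forwarding. The function names and sample torrc are constructed for illustration; the NoListen/NoAdvertise handling goes beyond the case in the thread and assumes at most one advertise/listen pair per option.

```python
# Constructed sample: the three port options quoted in the thread, one per line.
SAMPLE_TORRC = "ControlPort 9052\nORPort 8443\nDirPort 8080\n"

PUBLIC = ("orport", "dirport")             # ports other hosts connect to
LOCAL_ONLY = ("controlport", "socksport")  # local interfaces; never forward these

def parse_port_lines(torrc_text):
    """Yield (option, port, flags) for each recognised *Port line."""
    for raw in torrc_text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(parts) < 2 or parts[0].lower() not in PUBLIC + LOCAL_ONLY:
            continue
        # The value may be PORT, auto, or ADDRESS:PORT (including [v6]:PORT).
        port = parts[1].rpartition(":")[2]
        yield parts[0].lower(), port.lower(), {f.lower() for f in parts[2:]}

def forwarding_plan(torrc_text):
    """Return the TCP forwards the router needs and the ports to keep closed."""
    plan = {"forward": [], "keep_closed": [], "warnings": []}
    advertised, listening = {}, {}
    for opt, port, flags in parse_port_lines(torrc_text):
        if port == "0":                        # 0 disables the option
            continue
        if opt in LOCAL_ONLY:
            plan["keep_closed"].append((opt, port))
        elif not port.isdigit():               # e.g. "auto": nothing fixed to forward
            plan["warnings"].append(f"{opt} {port}: set a fixed port before forwarding")
        else:
            if "noadvertise" not in flags:
                advertised.setdefault(opt, []).append(int(port))
            if "nolisten" not in flags:
                listening.setdefault(opt, []).append(int(port))
    for opt in PUBLIC:
        # External port = what the relay advertises; internal = what tor binds.
        for ext, internal in zip(advertised.get(opt, []), listening.get(opt, [])):
            plan["forward"].append((opt, ext, internal))
    return plan

if __name__ == "__main__":
    for opt, ext, internal in forwarding_plan(SAMPLE_TORRC)["forward"]:
        print(f"forward TCP {ext} on the WAN side to relay port {internal} ({opt})")
```
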
