Firewall overview

Before configuring vendor-specific firewall rules, review these general requirements that apply to all Tillered Cloud deployments.

Port requirements

Tillered nodes communicate using the following ports:

Ensure these ports are open between your Tillered nodes and on any intermediate firewalls or NAT devices.

DNS requirements

Tillered nodes need to resolve the following domains:

• hub.tillered.com - management and provisioning
• installcdn.tillered.com - software updates

Ensure your DNS configuration allows resolution of these domains from the network where Tillered nodes are deployed.

SSL/TLS inspection warning

Network placement

Tillered nodes are designed to sit alongside your network, not inline with traffic. Connect the entry node to a dedicated interface, VLAN, or DMZ segment. Your firewall then uses policy-based routing to direct specific traffic through the Tillered node.

Recommended topology

1. Place the Tillered entry node on a dedicated network segment (DMZ or separate VLAN)
2. Configure DHCP on that segment to assign reserved IP addresses to Tillered interfaces
3. Create firewall policy routes that direct desired traffic through the Tillered gateway IP
4. Allow the Tillered node outbound access to the internet for Hub communication

DHCP reservations

Each exit node connected to an entry node creates a virtual interface that receives an IP from your DHCP server. Create DHCP reservations for these MAC/IP pairs to ensure consistent gateway addresses for your firewall rules.

Vendor-specific guides

Configure policy-based routing on your firewall using one of these guides:

• Fortinet
• MikroTik
• pfSense
• OPNsense
• Ubiquiti UniFi
• Palo Alto