You're absolutely correct. **Xsan** (Apple's high-performance file system) uses a **dynamic port range** (49152–65535) for **data transfer** between clients and servers. These ports are essential for **high-throughput file access** in environments like video production, where Apple TVs or other devices may interact with Xsan servers. Below is the updated list of **critical ports** for Apple services, including **Xsan**:

---

### 🚫 **Critical Ports to Open (Updated)**

| Port Range       | Protocol | Purpose                                      | Required |
|------------------|----------|----------------------------------------------|----------|
| **5353**         | UDP      | **mDNS/Bonjour** (service discovery)         | ✅ Yes   |
| **80**           | TCP      | **HTTP** (web services, streaming)           | ✅ Yes   |
| **443**          | TCP      | **HTTPS** (secure web services)              | ✅ Yes   |
| **554**          | TCP/UDP  | **RTSP** (media streaming)                   | ✅ Yes   |
| **9876**         | TCP      | **Apple TV Remote Access**                   | ✅ Yes   |
| **9877**         | TCP      | **Apple TV Media Streaming**                 | ✅ Yes   |
| **49152–65535**  | TCP      | **Xsan Filesystem Access** (dynamic range)   | ✅ Yes   |

---

### 📌 **Key Notes**

1. **Xsan (49152–65535)**
   - **Purpose**: Used for **high-performance file transfers** between Xsan clients (e.g., Apple TVs, editing stations) and Xsan servers.
   - **Why It Matters**: Xsan is designed for **low-latency, high-throughput** environments. The dynamic port range ensures scalability and avoids port exhaustion.
   - **Security**: While these ports are required for Xsan, they are **dynamic** and should be **restricted to trusted VLANs** (e.g., Apple TV VLAN ↔ Xsan server VLAN).

2. **Firewall Rules**
   - **Direction**: Allow **bidirectional traffic** between VLANs.
   - **Stateful Inspection**: Use stateful rules (e.g., in OPNsense) to automatically handle both directions.
   - **VLAN Isolation**: Ensure traffic is only allowed between the **Apple TV VLAN** and the **Xsan server VLAN** (or Teacher/Student VLANs, if applicable).

3. **Testing and Validation**
   - **Simulate Load**: Use tools like `tcpdump` or `Wireshark` to capture traffic and confirm the port range is being used.
   - **Monitor Traffic**: Ensure no unintended exposure by restricting access to only the necessary VLANs.

---

### 🧠 **Example OPNsense Rule (Xsan Server ↔ Apple TV VLAN)**

1. **Interface**: Create VLAN interfaces (e.g., `VLAN10` for Apple TV, `VLAN20` for Xsan server).
2. **Rule**:
   - **Action**: Allow
   - **Source**: `VLAN10` (Apple TV VLAN)
   - **Destination**: `VLAN20` (Xsan server VLAN)
   - **Protocol**: TCP (49152–65535)
   - **State**: Enable (for bidirectional traffic).

---

### ✅ **Summary**

- **Xsan** requires the **dynamic port range 49152–65535 (TCP)** for efficient file access.
- Ensure these ports are **allowed between relevant VLANs** and **restricted to trusted devices**.
- Always **verify if Xsan is required** in your environment to avoid unnecessary exposure.

By including these ports and configuring the firewall accordingly, Apple services (including Xsan) will function seamlessly across VLANs.
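The "Testing and Validation" step above says to capture traffic with `tcpdump` and confirm that only the intended VLANs use the 49152–65535 range. The script below is an added example, not part of the reply above and not an Apple or OPNsense tool: it parses `tcpdump`-style lines, keeps only new-connection (SYN) packets whose destination port falls in the Xsan range, and reports any such connection that is not VLAN10 → VLAN20. The VLAN subnets (`10.0.10.0/24`, `10.0.20.0/24`) and the capture lines are constructed assumptions; swap in your own subnets and a real capture.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed VLAN subnets (hypothetical values chosen for this example).
APPLE_TV_VLAN = ipaddress.ip_network("10.0.10.0/24")   # VLAN10
XSAN_VLAN = ipaddress.ip_network("10.0.20.0/24")       # VLAN20
XSAN_PORTS = range(49152, 65536)                       # dynamic range from the reply

# Matches the "IP src.sport > dst.dport: Flags [..]" part of a tcpdump line.
TCPDUMP_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Constructed sample capture (not real traffic).
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 10.0.10.5.52311 > 10.0.20.2.49153: Flags [S], seq 1, win 65535, length 0",
    "12:00:01.000002 IP 10.0.20.2.49153 > 10.0.10.5.52311: Flags [S.], seq 2, ack 2, win 65535, length 0",
    "12:00:02.000001 IP 192.168.50.7.40000 > 10.0.20.2.50000: Flags [S], seq 3, win 65535, length 0",
    "12:00:03.000001 IP 10.0.10.5.52312 > 10.0.20.2.443: Flags [S], seq 4, win 65535, length 0",
    "12:00:04.000001 IP 10.0.10.9.52400 > 10.0.10.5.49999: Flags [S], seq 5, win 65535, length 0",
]


@dataclass(frozen=True)
class Conn:
    src: str
    sport: int
    dst: str
    dport: int


def parse_new_connections(lines):
    """Return one Conn per pure SYN packet (Flags [S]); SYN-ACK and data packets are skipped,
    so each TCP connection is counted once, in the direction it was opened."""
    conns = []
    for line in lines:
        m = TCPDUMP_RE.search(line)
        if m and m["flags"] == "S":
            conns.append(Conn(m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return conns


def audit_xsan_range(lines):
    """Split Xsan-range connections into (allowed, violations).

    A connection is Xsan traffic when its destination port is in 49152-65535.
    It is allowed only when it was opened from the Apple TV VLAN to the Xsan VLAN,
    which is exactly what the stateful VLAN10 -> VLAN20 rule permits; anything else
    in that port range is unintended exposure worth investigating."""
    allowed, violations = [], []
    for c in parse_new_connections(lines):
        if c.dport not in XSAN_PORTS:
            continue  # not in the dynamic range; other rules cover it
        src_ok = ipaddress.ip_address(c.src) in APPLE_TV_VLAN
        dst_ok = ipaddress.ip_address(c.dst) in XSAN_VLAN
        (allowed if src_ok and dst_ok else violations).append(c)
    return allowed, violations


if __name__ == "__main__":
    ok, bad = audit_xsan_range(SAMPLE_CAPTURE)
    print(f"{len(ok)} allowed Xsan-range connection(s)")
    for c in bad:
        print(f"UNEXPECTED: {c.src}:{c.sport} -> {c.dst}:{c.dport}")
```

Run it against a real capture with `tcpdump -n -i <vlan-interface> 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn' > capture.txt` and feed the file's lines to `audit_xsan_range`; an empty violations list means no host outside the two VLANs opened connections into the dynamic range during the capture.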