Advanced20 minUpdated 2026-02-22

Firewall Configuration for IP Camera Streaming

Configure corporate firewalls and network security for IP camera streaming with PanoraCast. Covers outbound RTMP rules, camera subnet isolation, and VLAN best practices.

All guides

Firewall and camera streaming

In corporate and enterprise environments, firewalls control all network traffic. This guide covers how to configure your firewall to allow camera streaming to PanoraCast while maintaining security best practices.

Two streaming modes

PanoraCast supports two streaming architectures. Your firewall rules depend on which one you use:

  • RTSP Pull: PanoraCast connects inbound to your camera on port 554. Requires port forwarding or direct access. Simpler camera setup but requires inbound firewall rules.
  • RTMP Push: Your camera (or a local relay) pushes outbound to PanoraCast on port 1935. No inbound rules needed. More secure for corporate networks.

Required firewall ports

Depending on your streaming mode, open these ports:

bash
# RTMP Push mode (recommended — outbound only)
Outbound TCP 1935  →  panoracast.com (RTMP ingest)
Outbound TCP 443   →  panoracast.com (API/dashboard)

# RTSP Pull mode (requires inbound)
Inbound  TCP 554   ←  PanoraCast servers (RTSP)
Outbound TCP 443   →  panoracast.com (API/dashboard)

# If using non-standard ports
Inbound  TCP 8554  ←  GeoVision cameras
Inbound  TCP 88    ←  Foscam cameras
Inbound  TCP 7441  ←  UniFi Protect (RTSPS)

Camera VLAN isolation

Best practice: place all IP cameras on a dedicated VLAN, separate from your corporate LAN. This limits the blast radius if a camera is compromised.

  • Create a dedicated camera VLAN (e.g., VLAN 100, subnet 10.100.0.0/24)
  • Place all cameras on this VLAN via switch port assignment
  • Allow only RTSP traffic (port 554) from the camera VLAN to the internet (if using RTSP Pull)
  • Allow only RTMP traffic (port 1935) from the camera VLAN to the internet (if using RTMP Push)
  • Block all other traffic from the camera VLAN to the corporate LAN
  • Allow HTTPS (443) from the management VLAN to camera IPs for web interface access

PanoraCast server IPs for allowlisting

If your firewall requires IP-based allowlisting (rather than domain-based), PanoraCast's ingestion servers use a static IP range. Contact [email protected] for the current IP list. For domain-based rules, allow *.panoracast.com on ports 443 and 1935.

Troubleshooting

Common issues:

  • Connection timeout — Verify the correct port is open in the correct direction (inbound vs outbound)
  • Intermittent drops — Check for firewall session timeouts. RTSP sessions are long-lived; increase the timeout to 3600s or more
  • IDS/IPS blocking — Some intrusion prevention systems flag RTSP traffic as suspicious. Add an exception for known camera IPs
  • Proxy interference — Transparent HTTP proxies can break RTSP. Bypass the proxy for camera traffic

Ready to stream?

Create a free account and connect your camera in minutes.

Get started freeView all guides