Proxmox VE (Virtual Environment) is a robust, open-source virtualization management platform that combines KVM, LXC, ZFS, Ceph, and a powerful web-based interface. Like any enterprise-grade system, Proxmox uses various ports to support its features—from GUI access and storage to clustering and live migration.
This article provides a complete overview of all the ports used by Proxmox VE, categorized by function, to help you configure firewalls, plan network architecture, or troubleshoot connectivity issues.
1. Web Interface & API
Port | Protocol | Purpose |
---|---|---|
8006 | HTTPS (TCP) | Proxmox Web GUI and REST API |
- Secure access to the web interface
- Self-signed certificate by default (replaceable with Let’s Encrypt or CA-signed certs)
- Example URL: https://<host-ip>:8006
2. SSH and Shell Access
Port | Protocol | Purpose |
---|---|---|
22 | SSH (TCP) | Shell access, ZFS replication, cluster sync |
- Used for remote login
- Also used internally for ZFS replication and some migration commands
- Ensure this is open between nodes
3. VNC, SPICE & Console Access
Port Range | Protocol | Purpose |
---|---|---|
5900–5999 | TCP | VNC access for virtual machines |
3128 | TCP | SPICE proxy for graphical console |
- VNC and SPICE ports are dynamically allocated
- Only needed if using console access via GUI
- Proxmox uses websockify for browser-based access
4. Cluster Communication
Port | Protocol | Purpose |
---|---|---|
5404–5405 | UDP | Corosync cluster traffic |
8006 | TCP | Web GUI (inter-node access for GUI/API) |
22 | TCP | SSH for inter-node operations (e.g., replication) |
- Corosync is the heart of Proxmox clustering
- These ports must be open between all cluster nodes
- For best performance, use a dedicated cluster network
5. Storage (ZFS, Ceph, NFS, iSCSI)
ZFS Replication
Port | Protocol | Purpose |
---|---|---|
22 | TCP | Used for ZFS snapshot replication via SSH |
Ceph
Port | Protocol | Purpose |
---|---|---|
6789 | TCP | Ceph monitor (mon) |
6800–7300 | TCP | Ceph OSDs |
- Needed between all nodes in a Ceph cluster
NFS
Port | Protocol | Purpose |
---|---|---|
2049 | TCP/UDP | Network File System |
111 | TCP/UDP | Portmapper (rpcbind) |
iSCSI
Port | Protocol | Purpose |
---|---|---|
3260 | TCP | iSCSI target access |
6. Proxmox Backup Server (PBS)
Port | Protocol | Purpose |
---|---|---|
8007 | HTTPS (TCP) | PBS Web UI/API |
22 | TCP | SSH access |
- PBS uses port 8007, separate from 8006, to avoid conflict with Proxmox VE
- Proxmox VE connects to PBS via port 8007 for backup and restore operations
7. Email Notifications
Port | Protocol | Purpose |
---|---|---|
25 / 465 / 587 | SMTP (TCP) | Used to send email alerts (configurable) |
- Proxmox can send health, error, or backup emails using your SMTP server
8. Optional: Metrics, Monitoring & Add-ons
SNMP
Port | Protocol | Purpose |
---|---|---|
161 / 162 | UDP | For SNMP-based monitoring (external tools) |
External Monitoring (e.g., Nagios, Prometheus)
- Ports vary by the monitoring stack used
- Prometheus exporters or Nagios agents may need custom ports
Recommended Firewall Rules for Proxmox Cluster
Direction | Port(s) | Purpose |
---|---|---|
Inbound | 8006, 8007 | Web GUI for VE and PBS |
Inbound | 22 | SSH access, ZFS replication |
Inbound | 5404–5405 (UDP) | Corosync cluster communication |
Inbound | 5900–5999 | VNC |
Inbound | 3128 | SPICE console |
Inbound | 6789, 6800–7300 | Ceph (if used) |
Inbound | 2049, 111 | NFS (if used) |
Tips for Securing Proxmox Ports
- Restrict SSH and GUI ports to internal management IPs
- Use firewall rules (Proxmox has a built-in firewall)
- Optional – Use Let’s Encrypt SSL certificates for HTTPS
- Enable 2FA for the GUI
- Monitor logs and access attempts
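An added example (not from the original article): a Python check that compares a node's listening sockets with the port tables above and reports any that listen on every interface or are bound outside their intended network. The `10.10.10.0/24` management and `10.10.20.0/24` cluster networks, the mgmt/cluster scope given to each port, and the sample `ss -tuln` output are assumptions constructed for illustration.

```python
import ipaddress

# Assumed example networks (not from the article); adjust to your site.
ALLOWED = {"mgmt": ipaddress.ip_network("10.10.10.0/24"),
           "cluster": ipaddress.ip_network("10.10.20.0/24")}
# (low, high, protocols, service, scope): ports from the article, scope assumed.
PORTS = [
    (22, 22, {"tcp"}, "SSH / ZFS replication", "mgmt"),
    (8006, 8007, {"tcp"}, "PVE / PBS web UI and API", "mgmt"),
    (3128, 3128, {"tcp"}, "SPICE proxy", "mgmt"),
    (5900, 5999, {"tcp"}, "VNC console", "mgmt"),
    (5404, 5405, {"udp"}, "Corosync", "cluster"),
    (6789, 6789, {"tcp"}, "Ceph monitor", "cluster"),
    (6800, 7300, {"tcp"}, "Ceph OSD", "cluster"),
    (111, 111, {"tcp", "udp"}, "rpcbind", "cluster"),
    (2049, 2049, {"tcp", "udp"}, "NFS", "cluster"),
    (3260, 3260, {"tcp"}, "iSCSI", "cluster"),
]

# Constructed sample of `ss -tuln` output, not captured from a real host.
SAMPLE = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      10.10.20.11:5405   0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
tcp   LISTEN 0      4096   *:8006             *:*
tcp   LISTEN 0      512    10.10.10.11:6789   0.0.0.0:*
tcp   LISTEN 0      1      127.0.0.1:5900     0.0.0.0:*
"""

def audit(ss_output):
    """Yield (proto, port, bind, service, reason) for risky listeners."""
    for line in ss_output.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "udp"):
            continue  # header line or another socket family
        host, _, port = f[4].rpartition(":")  # numeric output (-n) expected
        host = host.strip("[]").split("%")[0]  # drop brackets and zone id
        for low, high, protos, service, scope in PORTS:
            if low <= int(port) <= high and f[0] in protos:
                break
        else:
            continue  # port is not in the article's tables
        wild = host in ("*", "0.0.0.0", "::")
        if not wild:
            ip = ipaddress.ip_address(host)
            if ip.is_loopback or ip in ALLOWED[scope]:
                continue  # loopback or bound to the intended network
        reason = "all interfaces" if wild else f"outside {scope} network"
        yield f[0], int(port), host, service, reason
```

A listener reported as "all interfaces" is reachable on every network the node is attached to, so the firewall rules above are the only thing restricting it.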