MQTT ports 1883 and 8883

For MQTT, IANA has reserved those ports, and due to the amount of devices I’d say those are relevant. Can you open those up, if not already done?

Open these up where or for what?

If I understood right, there is not an open port range, but only discrete ports that are supported by the service. I am having trouble connecting my IoT devices to my backend and am currently narrowing it down to DNS not being able to forward requests.

Opening up = supporting them with the service

Cloudflare currently only proxies HTTP(S) and WebSocket traffic over a select few ports.

If you need to serve requests over ports other than those listed in the above article you would need to do so over gray clouded DNS records (read: bypassing our proxies). It isn’t possible to open up individual ports on a per-customer basis.


Thanks, that is actually helpful!

Why not reconfigure your tools to talk over HTTP/HTTPS on port 80/443, rather than wait for a network-wide upgrade to be pushed out?

As part of our IoT initiatives we are evaluating solutions to support different devices, protocols & ports. Generally when we open a port (allow it to be orange clouded) we expect to provide some (but not necessarily all) of our services to that port/specific protocols. Timing is still TBD on ports, protocols and functionality we’ll support, but I will pass along your input to the teams working on the problem.


So I have “mydomain” in Cloudflare. I’d like to send MQTT messages to I currently have that A record in my DNS. Is that a mistake? I have not been able to reach my server, which is also hosting Node.js on 80 and 443 through NGINX.

Did you get any solution to this situation? I am trying the same, but it seems like 5 years later this issue still persists. Cannot use IoT devices over MQTT, neither over TCP 1883 (default) nor WS (WebSocket) 9001 (default) for MQTT protocols over Cloudflare.


I don’t understand why this works, nor do I understand the security implications, but the solution was to, in Cloudflare, turn off “Proxied” in the list of DNS entries. So, I go to my domain in Cloudflare, click DNS, and then, under mqtt.[your domain].com, one of the options will be Proxy Status. If you edit the line and unselect that option, it turns to “DNS Only”. Then, Cloudflare shows a warning saying that your IP address is exposed by this, so you should use Cloudflare to protect… I don’t know that I care. I guess, with my IP address, they can do a DDoS attack or something, but I cared more about getting my Mosquitto broker going.

I am using Cloudflare certificates for all of my subdomains except for MQTT. For MQTT, I created a 20-year Let’s Encrypt/Certbot certificate, and that certificate is on my original server, referenced directly by the Mosquitto broker. So I guess the implication of what I described is that when you have a domain managed by Cloudflare, you need to deselect the subdomain in question, so that you can expose it and protect it (SSL) independently from Cloudflare.

Does that help? Let me know if the explanation wasn’t clear.
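
The setup described in the post above, written out as a broker configuration (an added example, not part of the original thread and not the poster's own file). It assumes Mosquitto 2.x; `mqtt.example.com`, the certificate paths (Certbot's default layout) and the password file path are placeholders.

```conf
# mosquitto.conf for a broker reached through a DNS-only ("gray cloud") record.
# mqtt.example.com and all file paths below are placeholders/assumptions.

# Apply authentication settings per listener rather than globally.
per_listener_settings true

# Avoid: "listener 1883" with no bind address plus "allow_anonymous true",
# which leaves an unauthenticated plaintext broker on the now-public origin IP.

# Plaintext MQTT stays on loopback only, for clients on the same host.
listener 1883 127.0.0.1
allow_anonymous false
password_file /etc/mosquitto/passwd

# Public listener: MQTT over TLS on port 8883, terminated by the broker itself
# because Cloudflare is no longer in the path for this hostname.
listener 8883
protocol mqtt
# Server certificate and key issued for mqtt.example.com; the user the broker
# runs as needs read access to both files.
certfile /etc/letsencrypt/live/mqtt.example.com/fullchain.pem
keyfile /etc/letsencrypt/live/mqtt.example.com/privkey.pem
# With the origin IP public, anyone can reach this port: require credentials.
allow_anonymous false
password_file /etc/mosquitto/passwd
```

Only 8883 needs to be allowed through the host firewall for this hostname; 1883 is bound to loopback and is not reachable from outside.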

Oh, okay! I understood the process on how to do it. Just one thing which does not match in my case is the IP. Since my network is a private NAT from my local ISP, I do not get any public-facing IP and thus started using the Cloudflare tunnel service. So in my case the IP (exposed when we use the DNS only option) does not exist. I am stuck on that part; otherwise, for any AWS or other public-facing server instance, the method you have suggested works fine. But in my case I do not have that luxury, so I was looking for some solution. Still, thank you for your time and help. If you have any other tips or tricks to achieve the same, please feel free to reply back; I will be glad to hear. Have a good one ahead.