Recent hurricane activity has caused major disruptions to the IT infrastructure of many businesses in the Atlantic and Gulf regions. If you are in an impacted area, visit the Disaster Recovery Resources guide for preparedness information. For live updates, follow @dattosupport on Twitter.

SIRIS, Alto & DNAS Networking and Bandwidth Requirements



This article describes the local and offsite networking requirements and best practices for Datto appliances. This includes both the network speed requirements and requirements for open ports and DNS resolution.

As of April 27, 2017, SNMP support on Datto appliances has been discontinued.

Speed Requirements

This section explains the speed requirements for the following:

  • Connections between protected machines and the Datto appliance over a LAN.
  • Connections between protected machines and the Datto appliance over a WAN.
  • Connections between the Datto appliance and the internet, for the purpose of synchronization with the Datto Cloud.

Connection between protected machines and the Datto appliance over a LAN

Since a 100 Mbps network cannot efficiently transfer large datasets between the protected machines and a Datto appliance, gigabit network connections are required between all protected machines and the Datto appliance over a LAN.

All SIRIS 3 devices must be connected using a gigabit connection. They will not function on a slower connection.

Connection between protected machines and the Datto appliance over a WAN

Datto strongly recommends placing the Datto appliance and all protected machines on the same LAN. However, if you need to set up backups over a WAN, you will need a 50-Mbps dedicated uplink for every terabyte of protected data. Otherwise, backups will not be reliable. Even if this requirement is met, the latency between endpoints will have a considerable influence on the speed of backups.

Connection between the Datto appliance and the internet

Datto expects that BDR appliances will be deployed in a secure LAN environment, with no inbound Internet access, and that appropriate network access control will exist in the LAN to limit the accessibility of appliance network daemons and services. For more information, see the Secure Deployment Best Practices For Datto Appliances article.

To reliably synchronize with the Datto Cloud, ensure that your connection is at least 1 Mbps (125 KBps) uplink per terabyte of protected data stored locally on the Datto device. To see how much data your Datto appliance is currently protecting, see the article Remote Web - Device Overview.

Router MTU Settings

The Datto appliance will most reliably be able to communicate with our monitoring servers when the router's MTU size is set to 1500 bytes. This will prevent packet fragmentation since the Datto appliance is also using a 1500 byte MTU size. Packet fragmentation may cause issues with communication to our monitoring servers.

Communication to Datto's monitoring servers, offsite synchronization, and remote access to your Datto appliance may become unreliable if your router's MTU settings are different from those described in this section.

Port Access and IP Whitelist Requirements

This section describes the port access and IP whitelist requirements for the protected machines and the Datto appliance. Refer to Figure 1 for a diagram of the required connections.

Figure 1: IP and Port Access Requirements (click for a larger image)

Requirements on Protected Machines

These requirements differ for Windows, Linux, and Mac machines.

On protected Windows machines:

  • For the Datto Windows Agent, ensure that:
    Ports 3262 and 3260 are reachable and accessible on the device
    Ports 3262 and 3260 outbound are allowed on the agent machine
    Ports 25567 and 25568 is available and accessible on the agent machine
  • For the ShadowSnap Agent:
    The ShadowSnap agent needs bi-directional access to the Datto appliance through TCP ports 139 (SMB) and 25566. If a protected machine is using backup encryption, TCP port 3260 (iSCSI) must not be filtered or blocked in either direction between the protected machine and the Datto appliance. Finally, the protected machine must have access to through TCP port 80 (HTTP) in order to verify the ShadowSnap agent's license.

On protected Linux machines, TCP ports 3260 (iSCSI) and 25567 must be open between the protected machine and the Datto appliance.

On protected Mac machines, TCP ports 3260 (iSCSI) and 25569 must be open between the protected machine and the Datto appliance.

Depending on your network infrastructure, you might also have to open UDP port 25566 for successful ShadowSnap agent communication, and port 445, which is used by Samba for devices that do not use NetBIOS.
Depending on your network security configuration, you might also have to whitelist for correct Remote Web functionality, and for optimal device communication.

Internet access requirements for protected machines

The  Datto Windows, Mac and Linux agents require access to on their initial setup run to generate the necessary certificates. 

Requirements for the Datto Appliance

The Datto appliance must have access to the Datto Cloud for backup replication and remote device management. In addition, all ICMP packets must be allowed through the firewall. If you have a configuration in which you need specific ports and IP addresses to allow access to the Datto appliance, refer to Figure 1 and the sections below.

  • TCP ports 22, 80, 443 and 2200-2250, as well as UDP port 123, must allow outbound communication between the Datto appliance and
  • TCP ports 25567 and 25568 must be open inbound to the protected machine for agent calls.
  • Ports 3260 and 3262 must both be reachable from the protected machine to the Datto device.

To synchronize time and download operating system updates, all Datto appliances must be able to resolve the following sites in the local DNS:


All Datto appliances must be able to access the following IP ranges for Cloud infrastructure, DNS failback, and device management:

  • port 5044
  • port 5044
  •, port 443 and port 80
  •, port 80 and port 2200

Depending on your country, the Datto appliance must have access to the following IP ranges for the offsite storage nodes:

United States



  • (Ontario)
  • (Ontario)
  • (Alberta)


  • (UK)
  • (UK)
  • (Iceland)
  • (Germany)

ANZ (Australia and New Zealand)

  • (


It is normal to see the Datto appliance repeatedly connecting to one or more of the IP addresses listed above as it checks in with our monitoring servers.

If you want to find out which Cloud storage node your Datto appliance is connecting to, open the appliance's web interface. You will see the screen as shown in Figure 2.

Figure 2: Offsite Server IP address

Additional Resources

Was this article helpful?

33 out of 36 found this helpful

You must sign in before voting on this article.

Want to talk about it? Head on over to our Community Forum!