From ced4e7dfe5eea4ab8704271199c8d2aef6aa9f7c Mon Sep 17 00:00:00 2001
From: Jack Carter <128555021+SunsetDrifter@users.noreply.github.com>
Date: Thu, 19 Jun 2025 19:49:58 +0200
Subject: [PATCH] Update faq.mdx (#369)
Mimicked the TURN ports and added a section for STUN ports.
---
src/pages/about-netbird/faq.mdx | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/src/pages/about-netbird/faq.mdx b/src/pages/about-netbird/faq.mdx
index 9f46f2b5..2f673886 100644
--- a/src/pages/about-netbird/faq.mdx
+++ b/src/pages/about-netbird/faq.mdx
@@ -11,6 +11,9 @@ NetBird usually won't need open ports, but sometimes you or your IT team needs t
all outgoing traffic, and that may affect how NetBird clients connect to the [control layer](/about-netbird/how-netbird-works)
and negotiate the peer-to-peer connections.
+
+ Allowing the outbound **P2P (STUN)** service below is **recommended** in more restricted networks for reliable peer connections. This will also improve the reliability of your [High Availability Routes](https://docs.netbird.io/how-to/routing-traffic-to-private-networks#high-availability-routes).
+
Allowing the outbound **Relay (TURN)** service below is **recommended** in more restricted networks for reliable peer connections. This will also improve the reliability of your [High Availability Routes](https://docs.netbird.io/how-to/routing-traffic-to-private-networks#high-availability-routes).
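Review bot: The added STUN paragraph is a word-for-word copy of the Relay (TURN) paragraph that follows it, with only the service name changed, so the reader gets two consecutive paragraphs that make the same recommendation and repeat the same High Availability Routes link. Fold them into a single sentence that recommends allowing outbound access to both the P2P (STUN) and Relay (TURN) services, or give the STUN paragraph its own reason, such as the `keepalive ping failed` symptom this patch documents further down, so that the two read as distinct recommendations.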
@@ -29,6 +32,13 @@ Below is the list of NetBird hosted endpoints and ports they listen to:
* **Port**: TCP/443
* **IPv4**: 35.186.199.111
* **IPv6**: 2600:1901:0:adb3::
+* P2P (STUN) service:
+ * **Endpoint**: stun.netbird.io
+ * **Port range**: UDP/80,443,3478,5555
+ * **IPv4**: The list is dynamic and geo-distributed; we advise you to check the nearest cluster with the following command:
+ * `nslookup stun.netbird.io`
+ * In more restricted environments, `netbird status` will show `keepalive ping failed` errors without a firewall rule for STUN
+ * Example `nftables` outbound firewall rule: `ip daddr stun.netbird.io tcp dport 443-443 accept`
* Relay (TURN) service:
* **Endpoint**: turn.netbird.io
* **Port range**: UDP/80,443 and TCP/443-65535
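Review bot: The example `nftables` rule in the last added bullet does not match the port list two bullets above it: the STUN entry lists UDP/80,443,3478,5555, but the rule accepts `tcp dport 443-443`, so a reader who copies it still has outbound STUN blocked and will keep seeing `keepalive ping failed`. Change the match to something like `udp dport { 80, 443, 3478, 5555 } accept`. The `ip daddr stun.netbird.io` part also deserves a caveat, because nft resolves a hostname once when the ruleset is loaded, while the IPv4 bullet says the address list is dynamic and geo-distributed; either note that the rule must be reloaded when the addresses change or show the rule with an address set populated from the `nslookup` output. The entry also has no **IPv6** line, unlike the service listed just above it, so say whether STUN is IPv4-only.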