I typically set up an untrusted network for use with IoT devices. Hosts from this network are allowed to access the outside internet, but are blocked from accessing hosts on other networks (i.e. the trusted or guest networks). Some ports are then explicitly allowed for specific services (ideally these ports are also restricted to just the hosts that need them as well).
| Port Number | Description |
|---|---|
| 319 | Precision Time Protocol, used in Airplay it seems |
| 320 | Also Precision Time Protocol |
| 554 | RTSP (Airplay) |
| 1900 | SSDP, UPnP service discovery |
| 3689 | DAAP (Airplay) |
| 3722 | Undocumented Apple Home Sharing |
| 5353 | mDNS |
| 8008 | Chromecast |
| 8009 | Chromecast |
| 57621 | Spotify Connect with spotifyd |
I also whitelist some ports, always restricted to specific hosts, allowing automatic NAT traversal. For these, access just needs to be allowed to the firewall.
| Port Number | Description |
|---|---|
| 2189 | UPnP Port Mapping |
| 5351 | NAT-PMP (mainly Apple devices) |