How to Whitelist Discord Endpoints in pfSense

If you use pfSense as your firewall or router, you may find that Discord voice calls fail, images won’t load, or the app cannot connect at all. This happens because pfSense blocks or restricts the specific servers Discord uses to send voice, video, and text data. These servers are called endpoints, and they are spread across multiple IP ranges and domain names. This article explains which Discord endpoints you need to whitelist and shows you how to create the correct firewall rules and alias entries in pfSense so Discord works reliably.

What Are Discord Endpoints and Why Does pfSense Block Them?

Discord uses a distributed network of servers to deliver its services. These servers are grouped into endpoints. The main types of endpoints are:

Voice endpoints: These handle real-time audio and video during calls. They use UDP ports 50000 through 65535. If pfSense does not allow outbound UDP traffic on these ports, voice calls will fail with a “No Route” error.

Media proxy endpoints: These handle image uploads, file attachments, and embed previews. They use HTTPS on port 443.

Gateway endpoints: These are the servers that your Discord client connects to for text chat, notifications, and presence updates. They use WebSockets over HTTPS on port 443.

pfSense, by default, blocks all inbound traffic and only allows established outbound connections. However, pfSense can also block outbound traffic if you have strict firewall rules, IDS/IPS rules, or custom blocking lists. If Discord’s endpoints are not explicitly allowed, the connection will be dropped.

Discord’s Published IP Ranges

Discord publishes the following IP ranges for its services. You should use these as of the date of this article. Always verify against Discord’s official documentation or status page, as ranges may change.

• IPv4 ranges: 69.164.192.0/18, 66.249.80.0/20, 34.95.0.0/16, 34.96.0.0/16, 34.97.0.0/16, 34.98.0.0/16, 34.99.0.0/16, 34.100.0.0/16, 34.101.0.0/16, 34.102.0.0/16, 34.103.0.0/16, 34.104.0.0/16, 34.105.0.0/16, 34.106.0.0/16, 34.107.0.0/16, 34.108.0.0/16, 34.109.0.0/16, 34.110.0.0/16, 34.111.0.0/16, 34.112.0.0/16, 34.113.0.0/16, 34.114.0.0/16, 34.115.0.0/16, 34.116.0.0/16, 34.117.0.0/16, 34.118.0.0/16, 34.119.0.0/16, 34.120.0.0/16, 34.121.0.0/16, 34.122.0.0/16, 34.123.0.0/16, 34.124.0.0/16, 34.125.0.0/16, 34.126.0.0/16, 34.127.0.0/16
• Domain names (for URL alias): discord.com, discordapp.com, discord.gg, discord.media, discord-attachments-uploads.s3.amazonaws.com, discordapp.net, discordstatus.com

Steps to Create a Discord Endpoint Alias in pfSense

Before creating firewall rules, you need to define an alias that groups all Discord IP ranges and domains together. This keeps your firewall rules clean and easy to update.

1. Log into pfSense web interface
   Open your browser and go to your pfSense management IP address. Enter your admin username and password.
2. Go to Firewall > Aliases
   Click on the Firewall menu, then select Aliases. This is where you create groups of IP addresses, ports, or URLs.
3. Click the Add button to create a new alias
   Choose the type “Network” for IP ranges. Give it a name like “Discord_IPs”. In the Description field, write “Discord server IP ranges”.
4. Enter the Discord IP ranges
   Click “Add Network” for each CIDR range from the list above. Enter the network address and select /32 for each single IP or the correct subnet mask. For example, for 69.164.192.0/18, enter 69.164.192.0 and select /18.
5. Save the alias
   Click Save at the bottom of the page. Then click Apply Changes.
6. Create a URL alias for Discord domains
   Click Add again. Choose type “URL (IPs)”. Name it “Discord_Domains”. In the URL field, enter each domain on a new line: discord.com, discordapp.com, discord.gg, discord.media, discord-attachments-uploads.s3.amazonaws.com, discordapp.net, discordstatus.com. pfSense will resolve these domains to their current IP addresses.
7. Save the URL alias
   Click Save, then Apply Changes.

Create a Firewall Rule to Allow Discord Traffic

Now that the aliases are ready, create a pass rule on your LAN interface that allows outbound traffic to these aliases.

1. Go to Firewall > Rules
   Click on the Firewall menu, then select Rules. Make sure the LAN tab is selected.
2. Click the Add button to create a new rule
   A new rule configuration page opens.
3. Set the Action to Pass
   Change the Action dropdown from “Block” to “Pass”.
4. Set the Protocol to TCP/UDP
   In the Protocol dropdown, select “TCP/UDP”. This covers both HTTPS on port 443 and UDP voice traffic.
5. Set the Source
   Leave Source as “LAN net” or select the specific subnet of your local network.
6. Set the Destination
   In the Destination dropdown, choose “Single host or Alias”. In the Destination Address field, start typing the name of your IP alias, for example “Discord_IPs”. Select it from the dropdown.
7. Set the Destination Port Range
   For the TCP/UDP rule, set the Destination Port Range From: “HTTP (80)” To: “HTTPS (443)”. This allows web and WebSocket traffic.
8. Click Save
   Scroll down and click Save. Then click Apply Changes.
9. Create a second rule for UDP voice
   Click Add again. Set Action to Pass. Set Protocol to UDP. Set Source to LAN net. Set Destination to “Discord_IPs”. Set Destination Port Range From: “50000” To: “65535”. Save and apply.
10. Repeat for the URL alias
    Create two more rules identical to the above, but use the URL alias “Discord_Domains” as the destination. This ensures that any IP changes in Discord’s domain names are automatically updated.

If Discord Still Has Issues After Whitelisting

After adding the rules, test Discord. If problems persist, check the following.

Discord Voice Calls Still Fail with “No Route”

This usually means the UDP voice rule is not matching. Verify that the rule for UDP ports 50000-65535 is placed above any block rules on the LAN tab. Rule order matters: pfSense processes rules from top to bottom. Move the Discord pass rules to the top of the list using the drag handle.

Discord Cannot Connect at All

Your pfSense might have an intrusion detection system like Suricata or Snort enabled. These systems can block traffic even if the firewall allows it. Temporarily disable the IDS/IPS and test Discord. If Discord works, add an exception rule in your IDS/IPS for Discord IP ranges and domains.

Discord Works on Some Clients but Not Others

Check if the affected clients are using a VPN or proxy. VPNs route traffic outside your pfSense rules. Disable any VPN software on the client and test again. Also ensure that the pfSense DNS resolver is not blocking Discord domains. Go to Services > DNS Resolver and check if any custom blocking lists are enabled.

Discord Endpoint Types: Voice vs Media vs Gateway

Item	Voice Endpoints	Media Proxy Endpoints	Gateway Endpoints
Purpose	Real-time audio and video calls	Image uploads, file attachments, embed previews	Text chat, notifications, presence, WebSocket connections
Protocol and Ports	UDP 50000-65535	HTTPS TCP 443	HTTPS TCP 443 (WebSocket)
IP Range Source	Discord published CIDR blocks (see above)	Same CIDR blocks plus CDN domains	Same CIDR blocks plus discord.com, discordapp.com
Common Failure Symptom	“No Route” error in voice channel	Images not loading, file uploads fail	App stuck on “Connecting”

Whitelisting Discord endpoints in pfSense requires creating two aliases and four firewall rules. The key is to allow UDP traffic on high ports for voice, and TCP on ports 80 and 443 for web and media. After setting up the rules, move them above any block rules and test with a Discord voice call. If you use IDS/IPS, add Discord IP ranges to its whitelist as well. For ongoing maintenance, set the URL alias to update automatically by enabling the “Auto-update” option in the alias settings. This ensures your firewall stays current with Discord’s changing infrastructure.