diff --git a/README.md b/README.md
index d25a619d3..d3fee0bf1 100644
--- a/README.md
+++ b/README.md
@@ -552,6 +552,15 @@ Typically, a sentry process will run one eth/xx protocol (e.g. eth/66) and will
 Port
 9091 is for internal gRCP connections (e.g erigon -> sentry).
 
+#### `sentinel` ports
+
+| Port  | Protocol  |     Purpose      | Expose  |
+|:-----:|:---------:|:----------------:|:-------:|
+| 4000  |    UDP    |     Peering      | Public  |
+| 4001  |    TCP    |     Peering      | Public  |
+| 7777  |    TCP    | gRPC Connections | Private |
+
+
 #### Other ports
 
 | Port | Protocol | Purpose | Expose  |
diff --git a/cmd/lightclient/main.go b/cmd/lightclient/main.go
index 15447b04f..922176845 100644
--- a/cmd/lightclient/main.go
+++ b/cmd/lightclient/main.go
@@ -57,7 +57,7 @@ func runLightClientNode(cliCtx *cli.Context) {
 		NetworkConfig: lcCfg.NetworkCfg,
 		BeaconConfig:  lcCfg.BeaconCfg,
 		NoDiscovery:   lcCfg.NoDiscovery,
-	}, &service.ServerConfig{Network: lcCfg.ServerProtocol, Addr: lcCfg.ServerAddr})
+	}, &service.ServerConfig{Network: lcCfg.ServerProtocol, Addr: lcCfg.ServerAddr}, nil)
 	if err != nil {
 		log.Error("Could not start sentinel", "err", err)
 	}
diff --git a/cmd/sentinel/main.go b/cmd/sentinel/main.go
index 0ce6b9acc..19b16ed4f 100644
--- a/cmd/sentinel/main.go
+++ b/cmd/sentinel/main.go
@@ -87,7 +87,7 @@ func runSentinelNode(cliCtx *cli.Context) {
 		NetworkConfig: lcCfg.NetworkCfg,
 		BeaconConfig:  lcCfg.BeaconCfg,
 		NoDiscovery:   lcCfg.NoDiscovery,
-	}, &service.ServerConfig{Network: lcCfg.ServerProtocol, Addr: lcCfg.ServerAddr})
+	}, &service.ServerConfig{Network: lcCfg.ServerProtocol, Addr: lcCfg.ServerAddr}, nil)
 	if err != nil {
 		log.Error("Could not start sentinel", "err", err)
 		return
diff --git a/cmd/sentinel/sentinel/service/start.go b/cmd/sentinel/sentinel/service/start.go
index 93de03e84..03cbfc80e 100644
--- a/cmd/sentinel/sentinel/service/start.go
+++ b/cmd/sentinel/sentinel/service/start.go
@@ -10,6 +10,7 @@ import (
 	"github.com/ledgerwatch/erigon/cmd/sentinel/sentinel"
 	"github.com/ledgerwatch/log/v3"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
 )
 
@@ -18,7 +19,7 @@ type ServerConfig struct {
 	Addr    string
 }
 
-func StartSentinelService(cfg *sentinel.SentinelConfig, srvCfg *ServerConfig) (consensusrpc.SentinelClient, error) {
+func StartSentinelService(cfg *sentinel.SentinelConfig, srvCfg *ServerConfig, creds credentials.TransportCredentials) (consensusrpc.SentinelClient, error) {
 	ctx := context.Background()
 	sent, err := sentinel.New(context.Background(), cfg)
 	if err != nil {
@@ -51,7 +52,11 @@ func StartSentinelService(cfg *sentinel.SentinelConfig, srvCfg *ServerConfig) (c
 	log.Info("Sentinel started", "enr", sent.String())
 
 	server := NewSentinelServer(ctx, sent)
-	go StartServe(server, srvCfg)
+	if creds == nil {
+		creds = insecure.NewCredentials()
+	}
+
+	go StartServe(server, srvCfg, creds)
 	timeOutTimer := time.NewTimer(5 * time.Second)
 WaitingLoop:
 	for {
@@ -64,7 +69,8 @@ WaitingLoop:
 			}
 		}
 	}
-	conn, err := grpc.DialContext(ctx, srvCfg.Addr, grpc.WithTransportCredentials(insecure.NewCredentials()))
+
+	conn, err := grpc.DialContext(ctx, srvCfg.Addr, grpc.WithTransportCredentials(creds))
 	if err != nil {
 		return nil, err
 	}
@@ -72,13 +78,13 @@ WaitingLoop:
 	return consensusrpc.NewSentinelClient(conn), nil
 }
 
-func StartServe(server *SentinelServer, srvCfg *ServerConfig) {
+func StartServe(server *SentinelServer, srvCfg *ServerConfig, creds credentials.TransportCredentials) {
 	lis, err := net.Listen(srvCfg.Network, srvCfg.Addr)
 	if err != nil {
 		log.Warn("[Sentinel] could not serve service", "reason", err)
 	}
 	// Create a gRPC server
-	gRPCserver := grpc.NewServer()
+	gRPCserver := grpc.NewServer(grpc.Creds(creds))
 	go server.ListenToGossip()
 	// Regiser our server as a gRPC server
 	consensusrpc.RegisterSentinelServer(gRPCserver, server)
diff --git a/cmd/utils/flags.go b/cmd/utils/flags.go
index 7249d2d16..3dfcaa783 100644
--- a/cmd/utils/flags.go
+++ b/cmd/utils/flags.go
@@ -726,6 +726,31 @@ var (
 		Usage: "Sets erigon flags from YAML/TOML file",
 		Value: "",
 	}
+	LightClientDiscoveryAddrFlag = cli.StringFlag{
+		Name:  "lightclient.discovery.addr",
+		Usage: "Address for lightclient DISCV5 protocol",
+		Value: "127.0.0.1",
+	}
+	LightClientDiscoveryPortFlag = cli.Uint64Flag{
+		Name:  "lightclient.discovery.port",
+		Usage: "Port for lightclient DISCV5 protocol",
+		Value: 4000,
+	}
+	LightClientDiscoveryTCPPortFlag = cli.Uint64Flag{
+		Name:  "lightclient.discovery.tcpport",
+		Usage: "TCP Port for lightclient DISCV5 protocol",
+		Value: 4001,
+	}
+	SentinelAddrFlag = cli.StringFlag{
+		Name:  "sentinel.addr",
+		Usage: "Address for sentinel",
+		Value: "localhost",
+	}
+	SentinelPortFlag = cli.Uint64Flag{
+		Name:  "sentinel.port",
+		Usage: "Port for sentinel",
+		Value: 7777,
+	}
 )
 
 var MetricFlags = []cli.Flag{MetricsEnabledFlag, MetricsEnabledExpensiveFlag, MetricsHTTPFlag, MetricsPortFlag}
@@ -1428,6 +1453,12 @@ func CheckExclusive(ctx *cli.Context, args ...interface{}) {
 // SetEthConfig applies eth-related command line flags to the config.
 func SetEthConfig(ctx *cli.Context, nodeConfig *nodecfg.Config, cfg *ethconfig.Config) {
 	cfg.CL = ctx.GlobalBool(ExternalConsensusFlag.Name)
+	cfg.LightClientDiscoveryAddr = ctx.GlobalString(LightClientDiscoveryAddrFlag.Name)
+	cfg.LightClientDiscoveryPort = ctx.GlobalUint64(LightClientDiscoveryPortFlag.Name)
+	cfg.LightClientDiscoveryTCPPort = ctx.GlobalUint64(LightClientDiscoveryTCPPortFlag.Name)
+	cfg.SentinelAddr = ctx.GlobalString(SentinelAddrFlag.Name)
+	cfg.SentinelPort = ctx.GlobalUint64(SentinelPortFlag.Name)
+
 	cfg.Sync.UseSnapshots = ctx.GlobalBoolT(SnapshotFlag.Name)
 	cfg.Dirs = nodeConfig.Dirs
 	cfg.Snapshot.KeepBlocks = ctx.GlobalBool(SnapKeepBlocksFlag.Name)
diff --git a/eth/backend.go b/eth/backend.go
index f0cfcaa88..7e77df29d 100644
--- a/eth/backend.go
+++ b/eth/backend.go
@@ -453,6 +453,28 @@ func New(stack *node.Node, config *ethconfig.Config, logger log.Logger) (*Ethere
 		blockReader, chainConfig, assembleBlockPOS, backend.sentriesClient.Hd, config.Miner.EnabledPOS)
 	miningRPC = privateapi.NewMiningServer(ctx, backend, ethashApi)
 
+	var creds credentials.TransportCredentials
+	if stack.Config().PrivateApiAddr != "" {
+		if stack.Config().TLSConnection {
+			creds, err = grpcutil.TLS(stack.Config().TLSCACert, stack.Config().TLSCertFile, stack.Config().TLSKeyFile)
+			if err != nil {
+				return nil, err
+			}
+		}
+		backend.privateAPI, err = privateapi.StartGrpc(
+			kvRPC,
+			ethBackendRPC,
+			backend.txPool2GrpcServer,
+			miningRPC,
+			stack.Config().PrivateApiAddr,
+			stack.Config().PrivateApiRateLimit,
+			creds,
+			stack.Config().HealthCheck)
+		if err != nil {
+			return nil, fmt.Errorf("private api: %w", err)
+		}
+	}
+
 	// If we choose not to run a consensus layer, run our embedded.
 	if !config.CL && clparams.Supported(config.NetworkID) {
 		genesisCfg, networkCfg, beaconCfg := clparams.GetConfigsByNetwork(clparams.NetworkType(config.NetworkID))
@@ -460,13 +482,13 @@ func New(stack *node.Node, config *ethconfig.Config, logger log.Logger) (*Ethere
 			return nil, err
 		}
 		client, err := service.StartSentinelService(&sentinel.SentinelConfig{
-			IpAddr:        "127.0.0.1",
-			Port:          4000,
-			TCPPort:       4001,
+			IpAddr:        config.LightClientDiscoveryAddr,
+			Port:          int(config.LightClientDiscoveryPort),
+			TCPPort:       uint(config.LightClientDiscoveryTCPPort),
 			GenesisConfig: genesisCfg,
 			NetworkConfig: networkCfg,
 			BeaconConfig:  beaconCfg,
-		}, &service.ServerConfig{Network: "tcp", Addr: "localhost:7777"})
+		}, &service.ServerConfig{Network: "tcp", Addr: fmt.Sprintf("%s:%d", config.SentinelAddr, config.SentinelPort)}, creds)
 		if err != nil {
 			return nil, err
 		}
@@ -489,28 +511,6 @@ func New(stack *node.Node, config *ethconfig.Config, logger log.Logger) (*Ethere
 		go lc.Start()
 	}
 
-	if stack.Config().PrivateApiAddr != "" {
-		var creds credentials.TransportCredentials
-		if stack.Config().TLSConnection {
-			creds, err = grpcutil.TLS(stack.Config().TLSCACert, stack.Config().TLSCertFile, stack.Config().TLSKeyFile)
-			if err != nil {
-				return nil, err
-			}
-		}
-		backend.privateAPI, err = privateapi.StartGrpc(
-			kvRPC,
-			ethBackendRPC,
-			backend.txPool2GrpcServer,
-			miningRPC,
-			stack.Config().PrivateApiAddr,
-			stack.Config().PrivateApiRateLimit,
-			creds,
-			stack.Config().HealthCheck)
-		if err != nil {
-			return nil, fmt.Errorf("private api: %w", err)
-		}
-	}
-
 	if currentBlock == nil {
 		currentBlock = genesis
 	}
diff --git a/eth/ethconfig/config.go b/eth/ethconfig/config.go
index c87d9f10a..1e3baf072 100644
--- a/eth/ethconfig/config.go
+++ b/eth/ethconfig/config.go
@@ -236,7 +236,12 @@ type Config struct {
 	// Ethstats service
 	Ethstats string
 	// ConsenSUS layer
-	CL bool
+	CL                          bool
+	LightClientDiscoveryAddr    string
+	LightClientDiscoveryPort    uint64
+	LightClientDiscoveryTCPPort uint64
+	SentinelAddr                string
+	SentinelPort                uint64
 
 	// FORK_NEXT_VALUE (see EIP-3675) block override
 	OverrideMergeNetsplitBlock *big.Int `toml:",omitempty"`
diff --git a/turbo/cli/default_flags.go b/turbo/cli/default_flags.go
index 4ba36a8e3..d84016e0f 100644
--- a/turbo/cli/default_flags.go
+++ b/turbo/cli/default_flags.go
@@ -148,4 +148,10 @@ var DefaultFlags = []cli.Flag{
 	logging.LogConsoleJsonFlag,
 	logging.LogJsonFlag,
 	logging.LogDirJsonFlag,
+
+	utils.LightClientDiscoveryAddrFlag,
+	utils.LightClientDiscoveryPortFlag,
+	utils.LightClientDiscoveryTCPPortFlag,
+	utils.SentinelAddrFlag,
+	utils.SentinelPortFlag,
 }