OK. Let me explain what is going on.
There are two modes for the browser to connect to the Companion. The older mode, now labeled “Legacy Mode” requires port 8001 between the PC and the device. (and port 80 access to rendezvous.appinventor.mit.edu
The default mode, aka non-Legacy mode, uses a newer technology called WebRTC. WebRTC uses UDP and indeed chooses a random port in a large range. Unfortunately we have no control over this. On the phone side the ports are chosen by a WebRTC library that we are loath to modify. And on the browser side, the ports are chosen by the browser where we have no control whatsoever.
For now if you do not want to unblock the UDP ports in question, then you can use legacy mode which only uses TCP over port 8001. HOWEVER at some point we will deprecate legacy mode, though we do not have a schedule established yet.
We will need to deprecate legacy mode in order to support serving MIT App Inventor over https. If you look at your browser’s location bar you will see we are using just http, which the browser vendors are labeling “insecure” (because it is...). However if we serve MIT App Inventor over https, then the *browsers* will not let legacy mode work. This is why we are moving to the WebRTC solution.