Scope
This article applies when a Fusionhub Server is installed behind a firewall.
In that case the firewall must be configured correctly for the Fusionhub Server to work properly.
Intended Audience
This article is intended for IT Managers, IT staff and Project Managers.
In This Task
- Summary
- Solution
1. Minimum Requirements
2. Firewall Inbound Rules
3. Firewall Outbound Rules
4. Strict security on Firewall Outbound Rules
5. Additional optional Outbound Rules
6. Outbound LAN/DMZ IP Nat to Public IP
7. Additional Routes
- Related articles
- Troubleshooting
Summary
The Fusionhub networking can be configured in multiple ways:
A. Fusionhub published directly on the Internet with no access to the local LAN/DMZ: there is only one network interface in the Fusionhub Server, and the WAN IP of the Fusionhub Server (called WAN_IP) is the public IP (called PUBLIC_IP).
B. Fusionhub published directly on the Internet with access to the LAN/DMZ: two network interfaces are configured in the Fusionhub Server, one (called WAN_IP) with the public IP (called PUBLIC_IP) and one with a LAN/DMZ IP (called DMZ_IP). In that case the internal firewall of the Fusionhub Server has to be used to limit and protect the traffic.
C. Fusionhub behind an existing firewall with only one network interface in the Fusionhub Server: the WAN IP of the Fusionhub Server (called WAN_IP) is a LAN/DMZ IP (called DMZ_IP) on the LAN/DMZ subnet of the firewall, which NATs it to the public IP (called PUBLIC_IP) published by the firewall. The Fusionhub Server also has access to the internal LAN/DMZ subnet on the same interface.
D. Fusionhub behind a firewall with two network interfaces in the Fusionhub Server: the WAN IP of the Fusionhub Server (called WAN_IP) is a LAN/DMZ IP (called DMZ_IP) on the LAN/DMZ subnet of the firewall, which NATs it to the public IP (called PUBLIC_IP) published by the firewall. The second interface of the Fusionhub Server is then configured with an IP (called LAN_IP) on the subnet of the local LAN (or, where applicable, the DMZ).
The right option has to be chosen depending on your network configuration.
This article explains how to configure the firewall for the last two scenarios (C and D).
For the installation and configuration of the Fusionhub Server itself consult articles found at the bottom in "Related Articles" Section.
Solution
1. Minimum Requirements
One public IP is needed for setting up the PepVPN tunnels from the routers to the Fusionhub Server.
One or two free LAN/DMZ IPs are needed, according to the scenario chosen (C or D).
2. Firewall Inbound Rules
In order to function properly, the following inbound rules have to be created in the firewall, from the WAN_IP interface to the DMZ_IP interface:
Mandatory
Port      | Purpose
UDP 4501  | PepVPN / Speedfusion data
TCP 32015 | PepVPN / Speedfusion handshake
TCP 5312  | Web Admin Interface (*)
Optional (only in some specific cases or when debugging is needed)
Port      | Purpose
TCP 2222  | Direct remote access for troubleshooting assistance
TCP 5246  | Used when TCP 443 is not responding
UDP 5246  | Incontrol data flow
UDP 4500  | PepVPN / Speedfusion data
UDP 4505  | PepVPN / Speedfusion data
UDP 32015 | PepVPN / Speedfusion alternative data
TCP 443   | Web Admin Interface (*)
(*) Port 443 must sometimes be authorised during the setup process, but it can be removed once the Fusionhub Server is configured to accept HTTPS connections on TCP 5312, which is the standard configuration automatically pushed at the end of the Fusionhub installation process.
3. Firewall Outbound Rules
Some services need outbound access to the Internet; the following should be authorised at minimum:
Mandatory
Port     | Purpose
UDP 53   | DNS for Incontrol DynDNS (Find My Peplink service) and SSL certificate acquisition
UDP 123  | Network Time Service
TCP 1443 | Remote Web Admin from Incontrol
TCP 5312 | Fusionhub management access
TCP 5246 | Used when TCP 443 is not responding
UDP 5246 | Incontrol data flow
TCP 443  | Communication with Incontrol
Important note: if Fusionhub has to route traffic to the Internet, then all ports should be opened to the outside, or at least the ports authorised for Internet access by company policy.
4. Strict Security on Firewall Outbound Rules
In situations where the outbound rules in the firewall are to be more restricted, the outgoing ports can be limited to the following hostnames:
ic.venn.be (Venn private Incontrol central management system)
ic2.venn.be (Venn private Incontrol central management system)
smtp.venn.be (SMTP alerts)
earth.ic.peplink.com (Peplink Incontrol central management system)
incontrol2.peplink.com (Peplink Incontrol central management system)
ra.peplink.com (Peplink remote access server)
ra-1.ic.peplink.com (Peplink remote access server)
ra-2.ic.peplink.com (Peplink remote access server)
ac1.peplink.com (Peplink Incontrol communication)
ac2.peplink.com (Peplink Incontrol communication)
push.ic.peplink.com (DNS for Incontrol DynDNS (Find My Peplink service) and SSL certificate acquisition)
Some firewalls cannot apply this granularity based on hostnames; rules can then be created based on the resolved IP addresses, but there is no guarantee that those IP addresses will not change over time.
If possible, you can also allow the ports only for the following domains instead of the individual hostnames:
venn.be
peplink.com
5. Additional Firewall Optional Outbound Ports
Some additional rules may be needed in the firewall and/or Venn router, depending on your network configuration and needs.
If an IPsec connection has to be established from the Venn router, or through the Venn router to an external location, the following outgoing ports must also be allowed:
Protocol / Port | Purpose
IP protocol 50  | IPsec (ESP)
IP protocol 51  | IPsec (AH)
UDP 500         | IPsec VPN initiation
UDP 4500        | IPsec data
UDP 10000       | IPsec
In some situations inbound port forwarding on the Fusionhub Server will also be needed for those ports.
In some situations where advanced functionalities of the Venn router are used, some other ports may also be needed:
Optional
Service | Ports
SMTP    | Port 25 or other ports to the SMTP server
SNMP    | UDP 161, UDP 162 or other ports to the SNMP server
SYSLOG  | UDP 514 or other ports to the syslog server
NETFLOW | The standard or most common UDP port used by NetFlow is UDP 2055, but other ports, such as 9555, 9995, 9025 and 9026, can also be used. UDP 4739 is the default port used by IPFIX.
6. Outbound LAN/DMZ IP Nat to Public IP
For the DynDNS service to function properly, the firewall must NAT at least the DNS traffic (UDP 53) from DMZ_IP to the Venn and Peplink Incontrol servers.
The Incontrol servers must see that traffic arriving from PUBLIC_IP, not from the private DMZ_IP.
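The inbound port forwarding of section 2, the mandatory outbound ports of section 3 and the source NAT of section 6 rendered as one nftables ruleset, as an added example that is not part of this article: it assumes a Linux firewall running nftables, scenario C (one Fusionhub interface on the DMZ subnet), and placeholder interface names and documentation-range addresses that are constructed here, not real Venn or Peplink values.

```shell
#!/bin/sh
# Added example, not from the Venn article: print an nftables ruleset for a
# Fusionhub Server behind a Linux firewall (scenario C).
# Usage: gen_fusionhub_rules PUBLIC_IP DMZ_IP WAN_IF DMZ_IF > fusionhub.nft
#        nft -c -f fusionhub.nft   (syntax check)   then   nft -f fusionhub.nft

gen_fusionhub_rules() {
    public_ip=$1; dmz_ip=$2; wan_if=$3; dmz_if=$4
    cat <<EOF
table inet fusionhub {
    # Section 2: mandatory inbound ports, forwarded from PUBLIC_IP to DMZ_IP
    chain prerouting {
        type nat hook prerouting priority dstnat;
        iifname "$wan_if" ip daddr $public_ip udp dport 4501 dnat ip to $dmz_ip
        iifname "$wan_if" ip daddr $public_ip tcp dport { 32015, 5312 } dnat ip to $dmz_ip
    }
    # Section 6: traffic leaving DMZ_IP must reach the Internet as PUBLIC_IP
    chain postrouting {
        type nat hook postrouting priority srcnat;
        oifname "$wan_if" ip saddr $dmz_ip snat ip to $public_ip
    }
    # Default-deny forwarding; only the listed ports pass in either direction
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # inbound to the Fusionhub Server, evaluated after DNAT
        iifname "$wan_if" oifname "$dmz_if" ip daddr $dmz_ip udp dport 4501 accept
        iifname "$wan_if" oifname "$dmz_if" ip daddr $dmz_ip tcp dport { 32015, 5312 } accept
        # Section 3: mandatory outbound ports, from the Fusionhub Server only
        iifname "$dmz_if" oifname "$wan_if" ip saddr $dmz_ip udp dport { 53, 123, 5246 } accept
        iifname "$dmz_if" oifname "$wan_if" ip saddr $dmz_ip tcp dport { 443, 1443, 5246, 5312 } accept
    }
}
EOF
}

# Print the ruleset when called with the four arguments; placeholder addresses only.
if [ "$#" -eq 4 ]; then gen_fusionhub_rules "$@"; fi
```

The optional inbound ports of section 2 (for example TCP 443 during setup) are added the same way, and the outbound lines can be narrowed further with an `ip daddr` set holding the resolved addresses of section 4, subject to the caveat there that those addresses may change.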
7. Additional Routes
Some additional routes will have to be configured in the firewall and/or Fusionhub Server, depending on your network configuration and needs.
As an example, if the local LAN/DMZ has to reach resources on a remote site, a route is needed in the firewall that forwards traffic destined for that remote site (subnet) to the DMZ_IP of the Fusionhub Server.
Related Articles
https://help.venntelecom.com/a/solutions/articles/44001541010?lang=en
https://help.venntelecom.com/a/solutions/articles/44001551246?lang=en
Troubleshooting
For troubleshooting, please contact our support at support@venntelcom.com or +32 2 318 48 25.