How To Configure the Firewall When a FusionHub Server Is Placed Behind It

Modified on Wed, 20 Apr, 2022 at 9:42 AM

Scope


This article applies when a FusionHub Server is installed behind a firewall.

In that case the firewall has to be configured correctly for FusionHub to work properly.


Intended Audience


This article is intended for IT Managers, IT staff and Project Managers.


In This Task


- Summary 


- Solution


       1. Minimum Requirements

       2. Firewall Inbound Rules

       3. Firewall Outbound Rules

       4. Strict security on Firewall Outbound Rules

       5. Additional optional Outbound Rules

       6. Outbound LAN/DMZ IP Nat to Public IP

       7. Additional Routes

       


- Related articles


- Troubleshooting

 


Summary


The FusionHub networking can be configured in multiple ways.


A. FusionHub directly published on the Internet with no access to the local LAN/DMZ: there is only one network interface in the FusionHub Server, and the WAN IP of the FusionHub Server (called WAN_IP) is the public IP (called PUBLIC_IP).


B. FusionHub directly published on the Internet with access to the LAN/DMZ: two network interfaces are configured in the FusionHub Server, one (called WAN_IP) with the public IP (called PUBLIC_IP) and one with a LAN/DMZ IP (called DMZ_IP). In that case the internal firewall of the FusionHub Server has to be used to limit and protect the traffic.


C. FusionHub behind an existing firewall with only one network interface in the FusionHub Server: the WAN IP of the FusionHub Server (called WAN_IP) is a LAN/DMZ IP (called DMZ_IP) on the LAN/DMZ subnet of the firewall, which is NATed to the public IP (called PUBLIC_IP) published by the firewall. The FusionHub Server also has access to the internal LAN/DMZ subnet on the same interface.


D. FusionHub behind a firewall with two network interfaces in the FusionHub Server: the WAN IP of the FusionHub Server (called WAN_IP) is a LAN/DMZ IP (called DMZ_IP) on the LAN/DMZ subnet of the firewall, which is NATed to the public IP (called PUBLIC_IP) published by the firewall. The second interface of the FusionHub Server is then configured with an IP (called LAN_IP) on the subnet of the local LAN (or possibly the DMZ).


The right option has to be chosen depending on your network configuration.


This article explains how to configure the firewall for the last two scenarios (C and D).


For the installation and configuration of the FusionHub Server itself, consult the articles listed in the "Related Articles" section at the bottom.



Solution


1. Minimum Requirements


1 public IP is needed for setting up the PepVPN tunnels from the routers to the FusionHub Server.

1 or 2 free LAN/DMZ IPs, according to the scenario chosen (C or D).



2. Firewall Inbound Rules


In order to function properly, the following inbound rules have to be created in the firewall, from the WAN interface (PUBLIC_IP) to the DMZ interface (DMZ_IP):


Mandatory

  Protocol / Port   Purpose
  UDP 4501          PepVPN / SpeedFusion data
  TCP 32015         PepVPN / SpeedFusion handshake
  TCP 5312          Web Admin Interface (*)

Optional (only in some specific cases or when debugging is needed)

  Protocol / Port   Purpose
  TCP 2222          Direct remote access for troubleshooting assistance
  TCP 5246          Used when TCP 443 is not responding
  UDP 5246          InControl data flow
  UDP 4500          PepVPN / SpeedFusion data
  UDP 4505          PepVPN / SpeedFusion data
  UDP 32015         PepVPN / SpeedFusion alternative data
  TCP 443           Web Admin Interface (*)

(*) TCP 443 must sometimes be allowed during the setup process, but the rule can be removed once the FusionHub Server is configured to accept HTTPS connections on TCP 5312, which is the standard configuration automatically pushed at the end of the FusionHub installation process.



3. Firewall Outbound Rules


Some services need outbound access to the Internet; at minimum the following should be authorized:


Mandatory

  Protocol / Port   Purpose
  UDP 53            DNS for InControl DynDNS (Find My Peplink service) and SSL certificate acquisition
  UDP 123           Network Time Service (NTP)
  TCP 1443          Remote Web Admin from InControl
  TCP 5312          FusionHub management access
  TCP 5246          Used when TCP 443 is not responding
  UDP 5246          InControl data flow
  TCP 443           Communication with InControl


Important note: if FusionHub has to route traffic to the Internet, then outbound access must be opened for all ports, or at least for the ports that company policy authorizes towards the Internet.


4. Strict Security on Firewall Outbound Rules 


In situations where the outbound rules in the firewall have to be more restrictive, the outgoing ports can be limited to the following hostnames:


ic.venn.be (Venn private InControl central management system)

ic2.venn.be (Venn private InControl central management system)

smtp.venn.be (SMTP alerts)

earth.ic.peplink.com (Peplink InControl central management system)

incontrol2.peplink.com (Peplink InControl central management system)

ra.peplink.com (Peplink Remote Access server)

ra-1.ic.peplink.com (Peplink Remote Access server)

ra-2.ic.peplink.com (Peplink Remote Access server)

ac1.peplink.com (Peplink InControl communication)

ac2.peplink.com (Peplink InControl communication)

push.ic.peplink.com (DNS for InControl DynDNS (Find My Peplink service) and SSL certificate acquisition)


Some firewalls cannot filter with this granularity based on hostnames. Rules can then be created based on the resolved IP addresses, but there is no guarantee that those IP addresses will not change over time.


If possible, you can also allow the ports only for the following domains instead of the individual hostnames:


venn.be

peplink.com



5. Additional Firewall Optional Outbound Ports


Some additional rules may be needed in the firewall and/or the Venn router, depending on your network configuration and on the needs.


If an IPsec connection has to be established from the Venn router, or through the Venn router to an external location, the following outgoing ports must also be allowed:


  Protocol / Port   Purpose
  IP protocol 50    IPsec (ESP)
  IP protocol 51    IPsec (AH)
  UDP 500           IPsec VPN initiation (IKE)
  UDP 4500          IPsec data (NAT-T)
  UDP 10000         IPsec


In some situations, inbound port forwarding for those ports will also be needed in the FusionHub Server.


In some situations where advanced functionalities of the Venn router are used, some other ports may also be needed:


Optional

  Service   Ports
  SMTP      TCP 25, or another port used by the SMTP server
  SNMP      UDP 161 and UDP 162, or other ports used by the SNMP server
  SYSLOG    UDP 514, or another port used by the syslog server
  NetFlow   UDP 2055 is the standard and most common NetFlow port, but other ports such as 9555, 9995, 9025 and 9026 can also be used. UDP 4739 is the default port used by IPFIX.


6. Outbound LAN/DMZ IP Nat to Public IP


In order for the DynDNS service to function properly, the firewall must NAT at least the DNS traffic (UDP 53) from DMZ_IP to the Venn and Peplink InControl servers.

The InControl servers must see that traffic arriving from PUBLIC_IP and not from the private DMZ_IP.


7. Additional Routes


Some additional routes may have to be configured in the firewall and/or the FusionHub Server, depending on your network configuration and on the needs.

As an example, if the local LAN/DMZ has to be able to reach resources on a remote site, a route is needed in the firewall that forwards the traffic for that remote site (subnet) to the DMZ_IP of the FusionHub Server.
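As an added example that is not part of the original article, the rules from sections 2, 3, 6 and 7 expressed as an nftables ruleset for a Linux firewall in scenario C (FusionHub with a single interface on the DMZ). The IP addresses and interface names are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example for scenario C: FusionHub has one interface (WAN_IP = DMZ_IP) on the
# firewall's DMZ subnet and is published on PUBLIC_IP. All values are assumed placeholders.
define PUBLIC_IP = 203.0.113.10     # public IP published by the firewall
define DMZ_IP    = 192.0.2.20       # WAN_IP of the FusionHub Server (on the DMZ subnet)
define WAN_IF    = "eth0"           # firewall interface carrying PUBLIC_IP
define DMZ_IF    = "eth1"           # firewall interface on the DMZ subnet

table ip fusionhub {
    # Section 2: publish the mandatory PepVPN ports on PUBLIC_IP and DNAT them to DMZ_IP.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname $WAN_IF ip daddr $PUBLIC_IP udp dport 4501 dnat to $DMZ_IP
        iifname $WAN_IF ip daddr $PUBLIC_IP tcp dport { 32015, 5312 } dnat to $DMZ_IP
    }

    # Section 6: traffic FusionHub sends to the Internet must leave as PUBLIC_IP so the
    # InControl DynDNS service registers the public address, not the private DMZ_IP.
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $WAN_IF ip saddr $DMZ_IP snat to $PUBLIC_IP
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept

        # Inbound (evaluated after DNAT): only the mandatory ports reach FusionHub.
        iifname $WAN_IF oifname $DMZ_IF ip daddr $DMZ_IP udp dport 4501 accept
        iifname $WAN_IF oifname $DMZ_IF ip daddr $DMZ_IP tcp dport { 32015, 5312 } accept

        # Section 3: minimum outbound set (DNS, NTP, InControl, management).
        # nftables cannot match hostnames at run time (section 4), so this stays port based.
        iifname $DMZ_IF oifname $WAN_IF ip saddr $DMZ_IP udp dport { 53, 123, 5246 } accept
        iifname $DMZ_IF oifname $WAN_IF ip saddr $DMZ_IP tcp dport { 443, 1443, 5246, 5312 } accept

        # Anything else the FusionHub host tries to send out is logged, then dropped.
        iifname $DMZ_IF ip saddr $DMZ_IP log prefix "fusionhub-outbound-drop: " drop
    }
}
```

Load it with `nft -f fusionhub.nft`. For section 7, the matching route on the firewall is `ip route add 10.50.0.0/24 via 192.0.2.20` (10.50.0.0/24 being an assumed remote-site subnet reachable through the PepVPN tunnel), and the forward chain then also needs accept rules between the LAN interface and DMZ_IP for that subnet.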



Related Articles


https://help.venntelecom.com/a/solutions/articles/44001541010?lang=en

https://help.venntelecom.com/a/solutions/articles/44001551246?lang=en


Troubleshooting


For troubleshooting, please contact our support at support@venntelcom.com or +32 2 318 48 25.




