How To Configure Firewall When a Venn SD-WAN Router is placed behind it

Scope

This article applies when a Venn SD-WAN Router is installed behind a firewall.

A right configuration of Firewall is needed in that case to make it work properly.

Intended Audience

This article is intended for IT Managers, IT staff and Project Managers.

In This Task

- Summary 

- Solution

       1. Minimum Requirements

       2. Firewall Inbound Rules

       3. Firewall outbound Rules

       4. Strict security on Firewall Outbound Rules

       4. Additional Optional Outbound Ports

- Related articles

- Troubleshooting

Summary

Venn SD-WAN routers must be able to communicate with the Central management center (INCONTROL).

They must also be able to establish special VPN connections (PEPVPN) to Managed VPN Servers (FUSIONHUB Servers)

Solution

1. Minimum Requirements

The Wan port of Venn Router must be connected to a LAN or DMZ interface of the firewall.

It can be via a Switch.

2. Firewall Inbound Rules

No Inbound rules are needed by default on Firewall.

All communications from Internet to the Lan and Vlans of Venn Router are blocked by default anyway.

If specific inbound ports are needed, for remote access on a camera for example, then ports will have to be opened on Firewall but also on Venn Router. If needed please contact Venn on support@venntelcom.com or +32 2 318 48 25.

3. Firewall Outbound Rules

Following router services need to have outbound access to the Internet and must be authorized :

4. Strict Security on Firewall Outbound Rules

In situations where outbound rules are to be more restricted in firewall, some outgoing ports can be limited to following URLs. This has to be done in collaboration with Venn Telecom depending on configurations.

IP adress or UNC of FusionHb Server

ic.venn.be (Venn Private Incontrol Central Management System)

ic2.venn.be (Venn Private Incontrol Central Management System)

hello1.venntelecom.com

hello2.venntelecom.com  

smtp.venn.be  (smtp alerts)

download.peplink.com (upgrades)

earth.ic.peplink.com (Peplink Incontrol Central Management System) 

incontrol2.peplink.com (Peplink Incontrol Central Management System) 
ra.peplink.com (Peplink Remote Access Server)

rwa.peplink.com (Remote Web Access)

ra-1.ic.peplink.com (Peplink Remote Access Server) 

ra-2.ic.peplink.com (Peplink Remote Access Server) 

ac1.peplink.com (Peplink Incontrol communication)

ac2.peplink.com ((Peplink Incontrol communication) )

push.ic.peplink.com (DNS for Incontrol DYNDNS (Find My Peplink Service) and SSL Certificate acquisition)

Some firewalls will not be able to add this granularity based on URL's, rules can then be created based on the resolved IP addresses but there is no garantie that those IP addresses will not change during time.

If possible you can also only allow ports for following domains instead of te URLs.

venn.be

venntelecom.com

peplink.com

5. Additional Optional Outbound Ports

Some additional rules could be needed in the Firewall and/or Venn Router depending on your Network configuration and depending on the needs.

If an IPSEC connection has to be established from the Venn router or through the Venn Router to an external location following outgoing ports must also be allowed :

In some situations where advanced functionalities are used in Venn router some other ports could also be needed :

Related Articles

https://help.venntelecom.com/a/solutions/articles/44000984120?lang=en

Troubleshooting

For troubleshooting please contact our support on support@venntelcom.com or +32 2 318 48 25