This article applies when a Venn SD-WAN Router is installed behind a firewall.

The firewall must then be configured correctly for the router to work properly.

Intended Audience

This article is intended for IT Managers, IT staff and Project Managers.

In This Task

- Summary 

- Solution

       1. Minimum Requirements

       2. Firewall Inbound Rules

       3. Firewall Outbound Rules

       4. Strict Security on Firewall Outbound Rules

       5. Additional Optional Outbound Ports


- Related articles

- Troubleshooting



Venn SD-WAN routers must be able to communicate with the central management center (InControl).

They must also be able to establish special VPN connections (PepVPN) to managed VPN servers (FusionHub servers).


1. Minimum Requirements

The WAN port of the Venn Router must be connected to a LAN or DMZ interface of the firewall.

The connection can go through a switch.

2. Firewall Inbound Rules

No inbound rules are needed on the firewall by default.

All communication from the Internet to the LAN and VLANs of the Venn Router is blocked by default anyway.

If specific inbound ports are needed, for remote access to a camera for example, the ports have to be opened on the firewall and also on the Venn Router. If needed, please contact Venn on or +32 2 318 48 25.

3. Firewall Outbound Rules

The following router services need outbound access to the Internet and must be allowed:

- UDP 53: DNS for InControl DYNDNS (Find My Peplink Service) and SSL Certificate acquisition
- UDP 123: Network Time Service
- TCP 443: Management traffic to InControl and FusionHub
- TCP 1443: Remote Web Admin from InControl
- TCP 5312: FusionHub management Access
- TCP 5246: Used when TCP 443 is not responding
- UDP 5246: InControl Data Flow
- UDP 4500: PepVPN / SpeedFusion Data
- UDP 4501: PepVPN / SpeedFusion Data
- UDP 4505: PepVPN / SpeedFusion Data
- TCP 32015: PepVPN / SpeedFusion Handshake
- UDP 32015: PepVPN / SpeedFusion alternative Data
- TCP 80: HTTP is needed for WAN healthcheck to
- ICMP (PING): For debugging purposes
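
To check that the outbound rules listed above are complete, the following added example (not Venn or Peplink code) scans firewall drop-log lines for traffic from the router's WAN address and separates blocked required services from unexpected egress. The netfilter-style log format, the address 192.0.2.10 and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Outbound services from the table in section 3 of this article.
REQUIRED = {
    ("UDP", 53): "DNS", ("UDP", 123): "Network Time Service",
    ("TCP", 443): "Management traffic to InControl and FusionHub",
    ("TCP", 1443): "Remote Web Admin from InControl",
    ("TCP", 5312): "FusionHub management access",
    ("TCP", 5246): "Used when TCP 443 is not responding",
    ("UDP", 5246): "InControl data flow",
    ("UDP", 4500): "PepVPN / SpeedFusion data",
    ("UDP", 4501): "PepVPN / SpeedFusion data",
    ("UDP", 4505): "PepVPN / SpeedFusion data",
    ("TCP", 32015): "PepVPN / SpeedFusion handshake",
    ("UDP", 32015): "PepVPN / SpeedFusion alternative data",
    ("TCP", 80): "WAN health check", ("ICMP", None): "Ping, for debugging",
}
ROUTER_WAN_IP = "192.0.2.10"  # assumption: placeholder address, not from the article

# Constructed drop-log lines in netfilter LOG style (assumed format, not real captures).
SAMPLE_LOG = """\
kernel: FW-DROP IN=dmz OUT=wan SRC=192.0.2.10 DST=198.51.100.7 PROTO=UDP SPT=40001 DPT=4500
kernel: FW-DROP IN=dmz OUT=wan SRC=192.0.2.10 DST=198.51.100.7 PROTO=UDP SPT=40001 DPT=4500
kernel: FW-DROP IN=dmz OUT=wan SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP SPT=51514 DPT=32015
kernel: FW-DROP IN=dmz OUT=wan SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=51999 DPT=6667
kernel: FW-DROP IN=lan OUT=wan SRC=192.0.2.77 DST=203.0.113.5 PROTO=UDP SPT=5353 DPT=53
kernel: FW-DROP IN=dmz OUT=wan SRC=192.0.2.10 DST=198.51.100.7 PROTO=ICMP TYPE=8 CODE=0
"""
FIELD = re.compile(r"(\w+)=(\S+)")

def audit_drops(log_text, router_ip=ROUTER_WAN_IP):
    """Count the router's dropped egress: required services vs. unexpected flows."""
    blocked_required, unexpected = Counter(), Counter()
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("SRC") != router_ip:
            continue  # drops for other hosts are out of scope here
        dport = fields.get("DPT", "")
        key = (fields.get("PROTO", "").upper(), int(dport) if dport.isdigit() else None)
        (blocked_required if key in REQUIRED else unexpected)[key] += 1
    return blocked_required, unexpected

if __name__ == "__main__":
    blocked, other = audit_drops(SAMPLE_LOG)
    for key, hits in sorted(blocked.items(), key=str):
        print(f"missing allow rule: {key[0]} {key[1]} ({REQUIRED[key]}), {hits} drops")
    for key, hits in sorted(other.items(), key=str):
        print(f"unexpected egress: {key[0]} {key[1]}, {hits} drops")
```

Entries in the second result are egress that the table above does not account for, so they call for review rather than a new allow rule.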

4. Strict Security on Firewall Outbound Rules

Where the firewall's outbound rules must be more restrictive, some outgoing ports can be limited to the following URLs. This has to be done in collaboration with Venn Telecom, depending on the configuration.

IP address or UNC of FusionHub Server (Venn Private InControl Central Management System) (Venn Private InControl Central Management System) (smtp alerts) (upgrades) (Peplink InControl Central Management System) (Peplink InControl Central Management System) (Peplink Remote Access Server) (Remote Web Access) (Peplink Remote Access Server) (Peplink Remote Access Server) (Peplink InControl communication) (Peplink InControl communication) (DNS for InControl DYNDNS (Find My Peplink Service) and SSL Certificate acquisition)

Some firewalls cannot apply this granularity based on URLs. Rules can then be created based on the resolved IP addresses, but there is no guarantee that those IP addresses will not change over time.

If possible, you can also allow the ports only for the following domains instead of the URLs.

5. Additional Optional Outbound Ports

Some additional rules may be needed on the firewall and/or the Venn Router, depending on your network configuration and your needs.

If an IPSEC connection has to be established from the Venn Router or through the Venn Router to an external location, the following outgoing ports must also be allowed:

- UDP 500: IPSEC VPN initiation

Where advanced functionalities of the Venn Router are used, some other ports may also be needed:

- SMTP: Port 25 or other ports to SMTP server
- SNMP: UDP 161, UDP 162 or other ports to SNMP Server
- SYSLOG: UDP 514 or other ports to SYSLOG Server
- NETFLOW: The standard or most common UDP port used by NetFlow is UDP port 2055, but other ports, such as 9555, 9995, 9025, and 9026, can also be used. UDP port 4739 is the default port used by IPFIX.

Related Articles


For troubleshooting please contact our support on or +32 2 318 48 25