How To Configure Firewall When a Venn SD-WAN Router is placed behind it

Modified on Wed, 20 Apr, 2022 at 10:55 AM

Scope


This article applies when a Venn SD-WAN Router is installed behind a firewall.

In that case, the firewall must be configured correctly for the router to work properly.


Intended Audience


This article is intended for IT Managers, IT staff and Project Managers.


In This Task


- Summary 


- Solution


       1. Minimum Requirements

       2. Firewall Inbound Rules

       3. Firewall Outbound Rules

       4. Strict Security on Firewall Outbound Rules

       5. Additional Optional Outbound Ports

       


- Related articles


- Troubleshooting

 


Summary


Venn SD-WAN routers must be able to communicate with the Central management center (INCONTROL).

They must also be able to establish special VPN connections (PEPVPN) to Managed VPN Servers (FUSIONHUB Servers).



Solution


1. Minimum Requirements


The WAN port of the Venn Router must be connected to a LAN or DMZ interface of the firewall.

The connection can go through a switch.



2. Firewall Inbound Rules


No inbound rules are needed by default on the firewall.

All communications from the Internet to the LAN and VLANs of the Venn Router are blocked by default anyway.


If specific inbound ports are needed, for remote access to a camera for example, then the ports will have to be opened on the firewall and also on the Venn Router. If needed, please contact Venn on [email protected] or +32 2 318 48 25.


3. Firewall Outbound Rules


The following router services need outbound access to the Internet and must be authorized:



| Mandatory | Purpose |
|---|---|
| UDP 53 | DNS for Incontrol DYNDNS (Find My Peplink Service) and SSL Certificate acquisition |
| UDP 123 | Network Time Service |
| TCP 443 | Management traffic to Incontrol and FusionHub |
| TCP 1443 | Remote Web Admin from Incontrol |
| TCP 5312 | FusionHub management Access |
| TCP 5246 | Used when TCP 443 is not responding |
| UDP 5246 | Incontrol Data Flow |
| UDP 4500 | PepVPN / Speedfusion Data |
| UDP 4501 | PepVPN / Speedfusion Data |
| UDP 4505 | PepVPN / Speedfusion Data |
| TCP 32015 | PepVPN / Speedfusion Handshake |
| UDP 32015 | PepVPN / Speedfusion alternative Data |
| TCP 80 | HTTP is needed for WAN healthcheck to http://hello1.venntelecom.com/hello/ and http://hello2.venntelecom.com/hello/ |
| ICMP (PING) | For debugging purposes |
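One way to check a firewall's outbound rule list against the mandatory table above before the router goes live. This is an added example, not code from Venn or Peplink; the rule format, the first-match evaluation order and the sample rules are assumptions constructed for illustration.

```python
# (protocol, port) pairs from the mandatory table; ICMP has no port.
MANDATORY = [
    ("udp", 53), ("udp", 123), ("tcp", 443), ("tcp", 1443), ("tcp", 5312),
    ("tcp", 5246), ("udp", 5246), ("udp", 4500), ("udp", 4501), ("udp", 4505),
    ("tcp", 32015), ("udp", 32015), ("tcp", 80), ("icmp", None),
]

def parse_ports(spec):
    """Turn 'any', '443' or '4500-4501,32015' into a list of (low, high) ranges."""
    if spec == "any":
        return [(0, 65535)]
    ranges = []
    for part in spec.split(","):
        low, _, high = part.partition("-")
        ranges.append((int(low), int(high or low)))
    return ranges

def rule_matches(rule, proto, port):
    """True if the rule covers this protocol and port."""
    if rule["proto"] not in ("any", proto):
        return False
    if port is None:  # ICMP: only the protocol is compared
        return True
    return any(low <= port <= high for low, high in parse_ports(rule["ports"]))

def blocked_services(rules, default="deny"):
    """Return the mandatory (proto, port) pairs whose first matching rule is not 'allow'."""
    blocked = []
    for proto, port in MANDATORY:
        action = next((r["action"] for r in rules if rule_matches(r, proto, port)), default)
        if action != "allow":
            blocked.append((proto, port))
    return blocked

# Constructed outbound rules for traffic sourced from the router's WAN IP (hypothetical format).
SAMPLE_RULES = [
    {"action": "allow", "proto": "udp", "ports": "53,123"},
    {"action": "deny", "proto": "tcp", "ports": "1024-9999"},  # shadows 1443, 5246, 5312
    {"action": "allow", "proto": "tcp", "ports": "80,443,1443,5246,5312,32015"},
    {"action": "allow", "proto": "udp", "ports": "4500-4501,5246,32015"},  # misses 4505
]

if __name__ == "__main__":
    for proto, port in blocked_services(SAMPLE_RULES):
        print("blocked:", proto, "" if port is None else port)
```

The sample shows two common mistakes: an earlier broad deny that shadows a later allow, and a port range that stops short of UDP 4505.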




4. Strict Security on Firewall Outbound Rules


Where outbound rules must be more restrictive on the firewall, some outgoing ports can be limited to the following URLs. This has to be done in collaboration with Venn Telecom, depending on the configuration.


IP address or UNC of FusionHub Server

ic.venn.be (Venn Private Incontrol Central Management System)

ic2.venn.be (Venn Private Incontrol Central Management System)

hello1.venntelecom.com

hello2.venntelecom.com  

smtp.venn.be  (smtp alerts)

download.peplink.com (upgrades)

earth.ic.peplink.com (Peplink Incontrol Central Management System) 

incontrol2.peplink.com (Peplink Incontrol Central Management System)

ra.peplink.com (Peplink Remote Access Server)

rwa.peplink.com (Remote Web Access)

ra-1.ic.peplink.com (Peplink Remote Access Server) 

ra-2.ic.peplink.com (Peplink Remote Access Server) 

ac1.peplink.com (Peplink Incontrol communication)

ac2.peplink.com (Peplink Incontrol communication)

push.ic.peplink.com (DNS for Incontrol DYNDNS (Find My Peplink Service) and SSL Certificate acquisition)


Some firewalls cannot apply this granularity based on URLs. Rules can then be created based on the resolved IP addresses, but there is no guarantee that those IP addresses will not change over time.


If possible, you can also allow the ports only for the following domains instead of the URLs.


venn.be

venntelecom.com

peplink.com
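The two fallbacks described above, as an added example that is not part of the original article: matching hostnames against the three allowed domains on label boundaries, and detecting when IP-based rules no longer cover what the hostnames resolve to. The function names are hypothetical and the addresses are constructed sample data from documentation ranges.

```python
import ipaddress

ALLOWED_DOMAINS = ("venn.be", "venntelecom.com", "peplink.com")  # from the article

def host_allowed(host, domains=ALLOWED_DOMAINS):
    """True if host is one of the domains or a subdomain, compared label by label."""
    labels = host.lower().rstrip(".").split(".")
    for domain in domains:
        want = domain.lower().split(".")
        # Compare whole labels so 'notpeplink.com' does not match 'peplink.com'.
        if len(labels) >= len(want) and labels[-len(want):] == want:
            return True
    return False

def stale_ip_rules(pinned, resolved):
    """Compare IP-based firewall rules with fresh DNS answers.

    pinned:   {hostname: [addresses or CIDRs currently allowed in the firewall]}
    resolved: {hostname: [addresses DNS returns now]}
    Returns {hostname: [addresses DNS returns that the firewall does not allow]}.
    """
    stale = {}
    for host, addresses in resolved.items():
        nets = [ipaddress.ip_network(n, strict=False) for n in pinned.get(host, [])]
        missing = [a for a in addresses
                   if not any(ipaddress.ip_address(a) in net for net in nets)]
        if missing:
            stale[host] = missing
    return stale

# Constructed sample data; in practice 'resolved' would come from a scheduled DNS lookup.
PINNED = {
    "ic.venn.be": ["192.0.2.10"],
    "download.peplink.com": ["198.51.100.0/24"],
}
RESOLVED = {
    "ic.venn.be": ["192.0.2.10", "192.0.2.44"],   # a new address appeared
    "download.peplink.com": ["198.51.100.7"],     # still inside the pinned range
}

if __name__ == "__main__":
    for name in ("ra-1.ic.peplink.com", "notpeplink.com", "peplink.com.example.net"):
        print(name, host_allowed(name))
    print(stale_ip_rules(PINNED, RESOLVED))
```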



5. Additional Optional Outbound Ports


Some additional rules could be needed in the Firewall and/or Venn Router depending on your Network configuration and depending on the needs.


If an IPSEC connection has to be established from the Venn Router, or through the Venn Router, to an external location, the following outgoing ports must also be allowed:


| Protocol / port | Use |
|---|---|
| IP : 50 | IPSEC |
| IP : 51 | IPSEC |
| UDP 500 | IPSEC VPN initiation |
| UDP 4500 | IPSEC DATA |
| UDP 10000 | IPSEC |


In some situations where advanced functionalities of the Venn Router are used, some other ports could also be needed:


| Optional | Destination |
|---|---|
| SMTP | Port 25 or other ports to SMTP server |
| SNMP | UDP 161, UDP 162 or other ports to SNMP Server |
| SYSLOG | UDP 514 or other ports to SYSLOG Server |
| NETFLOW | The standard or most common UDP port used by NetFlow is UDP port 2055, but other ports, such as 9555, 9995, 9025, and 9026, can also be used. UDP port 4739 is the default port used by IPFIX. |


Related Articles

https://help.venntelecom.com/a/solutions/articles/44000984120?lang=en


Troubleshooting


For troubleshooting please contact our support on [email protected] or +32 2 318 48 25




