Scope
This article applies when a Venn SD-WAN Router is installed behind a firewall.
The firewall must then be configured correctly for the router to work properly.
Intended Audience
This article is intended for IT Managers, IT staff and Project Managers.
In This Task
- Summary
- Solution
1. Minimum Requirements
2. Firewall Inbound Rules
3. Firewall Outbound Rules
4. Strict Security on Firewall Outbound Rules
5. Additional Optional Outbound Ports
- Related Articles
- Troubleshooting
Summary
Venn SD-WAN routers must be able to communicate with the central management system (InControl).
They must also be able to establish PepVPN connections (Peplink's VPN protocol) to the managed VPN servers (FusionHub servers).
Solution
1. Minimum Requirements
The WAN port of the Venn router must be connected to a LAN or DMZ interface of the firewall.
This connection can go through a switch.
2. Firewall Inbound Rules
No inbound rules are needed on the firewall by default.
All traffic from the Internet to the LAN and VLANs behind the Venn router is blocked by default anyway.
If specific inbound ports are needed, for remote access to a camera for example, those ports must be opened on the firewall and also forwarded on the Venn router. If needed, please contact Venn at [email protected] or +32 2 318 48 25.
3. Firewall Outbound Rules
The following router services need outbound access to the Internet and must be allowed:
Mandatory | Purpose |
UDP 53 | DNS, used for the InControl DynDNS ("Find My Peplink") service and SSL certificate acquisition |
UDP 123 | Network Time Service (NTP) |
TCP 443 | Management traffic to InControl and FusionHub |
TCP 1443 | Remote Web Admin from InControl |
TCP 5312 | FusionHub management access |
TCP 5246 | Used when TCP 443 is not responding |
UDP 5246 | InControl data flow |
UDP 4500 | PepVPN / SpeedFusion data |
UDP 4501 | PepVPN / SpeedFusion data |
UDP 4505 | PepVPN / SpeedFusion data |
TCP 32015 | PepVPN / SpeedFusion handshake |
UDP 32015 | PepVPN / SpeedFusion alternative data |
TCP 80 | HTTP, needed for the WAN health check against http://hello1.venntelecom.com/hello/ and http://hello2.venntelecom.com/hello/ |
ICMP (ping) | For debugging purposes |
Restrict these rules to the WAN address of the Venn router as source rather than to the whole LAN or DMZ segment. On a stateful firewall the return traffic of these sessions is accepted automatically, so no matching inbound rules are required.
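As an added example (not part of this article or of the Venn/Peplink software), the script below turns the table above into an nftables forward-chain allow-list for a Linux firewall sitting between the router's WAN port and the Internet. It parses the table rows as written on this page and emits rules that only let the router's WAN address out on the listed ports, with a drop policy for everything else. The router address 192.0.2.10 and the interface names lan0/wan0 are placeholders you must replace with your own.

```python
"""Render an nftables forward-chain allow-list from the outbound port table.

Added example, not part of the Venn article or of Venn/Peplink software.
It assumes a Linux (nftables) firewall between the router's WAN port and the
Internet; the router IP and the 'lan0'/'wan0' interface names are placeholders.
"""
import re

# Constructed input: the mandatory table from the article, copied row by row
# so the parser can be run offline.
MANDATORY_TABLE = """\
UDP 53 | DNS for InControl DynDNS and SSL certificate acquisition |
UDP 123 | Network Time Service |
TCP 443 | Management traffic to InControl and FusionHub |
TCP 1443 | Remote Web Admin from InControl |
TCP 5312 | FusionHub management access |
TCP 5246 | Used when TCP 443 is not responding |
UDP 5246 | InControl data flow |
UDP 4500 | PepVPN / SpeedFusion data |
UDP 4501 | PepVPN / SpeedFusion data |
UDP 4505 | PepVPN / SpeedFusion data |
TCP 32015 | PepVPN / SpeedFusion handshake |
UDP 32015 | PepVPN / SpeedFusion alternative data |
TCP 80 | HTTP WAN health check |
ICMP (PING) | For debugging purposes |
"""

# One "PROTO PORT | comment |" row; the trailing pipe is optional.
ROW = re.compile(r"^(TCP|UDP)\s+(\d{1,5})\s*\|\s*(.*?)\s*\|?\s*$", re.I)


def parse_table(text):
    """Return a list of (proto, port_or_None, comment) tuples.

    ICMP rows carry no port. A row that does not parse raises, so a typo in
    the table does not silently turn into a missing firewall rule.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW.match(line)
        if m:
            proto, port, comment = m.group(1).lower(), int(m.group(2)), m.group(3)
            if not 1 <= port <= 65535:
                raise ValueError(f"bad port in row: {line}")
            rules.append((proto, port, comment))
        elif line.upper().startswith("ICMP"):
            comment = line.split("|", 2)[1].strip() if "|" in line else ""
            rules.append(("icmp", None, comment))
        else:
            raise ValueError(f"unparsable row: {line}")
    return rules


def render_nft(router_ip, rules, lan_if="lan0", wan_if="wan0"):
    """Build an nftables 'inet' table whose forward chain accepts only traffic
    from router_ip to the Internet on the listed ports (plus established
    replies) and drops everything else, including unsolicited inbound flows.
    """
    lines = [
        "table inet sdwan {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f'    iifname "{wan_if}" oifname "{lan_if}" drop  # no inbound rules needed',
    ]
    match = f'ip saddr {router_ip} iifname "{lan_if}" oifname "{wan_if}"'
    for proto, port, comment in rules:
        if proto == "icmp":
            lines.append(f"    {match} icmp type echo-request accept  # {comment}")
        else:
            lines.append(f"    {match} {proto} dport {port} accept  # {comment}")
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_nft("192.0.2.10", parse_table(MANDATORY_TABLE)))
```

Load the output with `nft -f` after reviewing it. Because the source address is pinned to the router's WAN IP, other hosts on the same LAN or DMZ segment get nothing from these rules, which is the least-privilege shape you want for a management-plane allow-list.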
4. Strict Security on Firewall Outbound Rules
In situations where the outbound rules must be more restrictive, some of the outgoing ports above can be limited to the following destinations (hostnames). This has to be done in collaboration with Venn Telecom, as the exact set depends on the configuration.
IP address or hostname (FQDN) of the FusionHub server
ic.venn.be (Venn Private Incontrol Central Management System)
ic2.venn.be (Venn Private Incontrol Central Management System)
hello2.venntelecom.com
smtp.venn.be (smtp alerts)
download.peplink.com (upgrades)
earth.ic.peplink.com (Peplink Incontrol Central Management System)
incontrol2.peplink.com (Peplink Incontrol Central Management System)
ra.peplink.com (Peplink Remote Access Server)
rwa.peplink.com (Remote Web Access)
ra-1.ic.peplink.com (Peplink Remote Access Server)
ra-2.ic.peplink.com (Peplink Remote Access Server)
ac1.peplink.com (Peplink Incontrol communication)
ac2.peplink.com (Peplink Incontrol communication)
push.ic.peplink.com (Incontrol DynDNS "Find My Peplink" service and SSL certificate acquisition)
Some firewalls cannot filter with this granularity on hostnames. Rules can then be created on the resolved IP addresses instead, but there is no guarantee that those addresses will not change over time, so such rules must be re-checked regularly. A firewall that does match on hostnames must itself be able to resolve them, so keep DNS allowed for it as well.
If possible, you can also allow the ports only for the following domains (including their subdomains) instead of the individual hostnames:
venn.be
venntelecom.com
peplink.com
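As an added example (not part of this article or of the Venn/Peplink software), the script below covers the two caveats of this section: it checks a candidate hostname against the domain allow-list on DNS-label boundaries, so that a look-alike such as "notpeplink.com" or "peplink.com.evil.example" is not accepted by a sloppy suffix check, and it compares two snapshots of resolved addresses to report which IP-based rules have gone stale. The snapshot data is constructed and uses documentation address ranges, not the real addresses of the hosts listed above.

```python
"""Hostname allow-list matching and resolved-IP drift check.

Added example, not part of the Venn article or of Venn/Peplink software.
The snapshots below are constructed sample data (documentation IP ranges),
not the real addresses of the hosts named in the article.
"""
import ipaddress

ALLOWED_DOMAINS = ("venn.be", "venntelecom.com", "peplink.com")


def in_allowed_domain(host, domains=ALLOWED_DOMAINS):
    """True if host equals, or is a subdomain of, one of the allowed domains.

    The comparison is made label by label, so 'notpeplink.com' and
    'peplink.com.evil.example' are rejected even though a plain substring
    or endswith() test would accept them.
    """
    labels = host.lower().rstrip(".").split(".")
    for dom in domains:
        dl = dom.lower().split(".")
        if len(labels) >= len(dl) and labels[-len(dl):] == dl:
            return True
    return False


def diff_snapshots(old, new):
    """Compare two {hostname: set_of_ips} snapshots.

    Returns {hostname: (added_ips, removed_ips)} for every host whose
    resolution changed, including hosts that appeared or disappeared, so
    firewall rules written against IP addresses can be updated.
    """
    changes = {}
    for host in sorted(set(old) | set(new)):
        a = {ipaddress.ip_address(i) for i in old.get(host, ())}
        b = {ipaddress.ip_address(i) for i in new.get(host, ())}
        if a != b:
            changes[host] = (sorted(map(str, b - a)), sorted(map(str, a - b)))
    return changes


# Constructed snapshots: what a resolver returned yesterday and today.
YESTERDAY = {
    "ic.venn.be": {"192.0.2.10"},
    "incontrol2.peplink.com": {"198.51.100.5", "198.51.100.6"},
}
TODAY = {
    "ic.venn.be": {"192.0.2.10"},
    "incontrol2.peplink.com": {"198.51.100.6", "203.0.113.7"},
}


def audit(candidates, old=YESTERDAY, new=TODAY):
    """Reject hostnames outside the allowed domains, then report IP drift."""
    rejected = [h for h in candidates if not in_allowed_domain(h)]
    return rejected, diff_snapshots(old, new)


if __name__ == "__main__":
    rej, drift = audit(["ic.venn.be", "notpeplink.com", "download.peplink.com"])
    print("rejected:", rej)
    for host, (added, removed) in drift.items():
        print(f"{host}: +{added} -{removed}")
```

In practice the snapshots come from a scheduled resolver run (for example `socket.getaddrinfo` on each hostname, stored as JSON), and a non-empty drift report is the signal to update the IP-based rules before the router loses contact with InControl or FusionHub.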
5. Additional Optional Outbound Ports
Some additional rules may be needed on the firewall and/or the Venn router, depending on your network configuration and needs.
If an IPsec connection has to be established from the Venn router, or through it to an external location, the following outgoing protocols and ports must also be allowed (50 and 51 are IP protocol numbers, not ports):
IP protocol 50 | IPsec ESP |
IP protocol 51 | IPsec AH |
UDP 500 | IPsec VPN initiation (IKE) |
UDP 4500 | IPsec data (NAT traversal) |
UDP 10000 | IPsec |
In some situations where advanced functions of the Venn router are used, other ports may also be needed:
Optional | Destination |
SMTP | TCP 25, or whichever port your SMTP server uses |
SNMP | UDP 161 and UDP 162 (traps), or whichever ports your SNMP server uses |
SYSLOG | UDP 514, or whichever port your syslog server uses |
NETFLOW | UDP 2055 is the standard NetFlow port; 9555, 9995, 9025 and 9026 are also common. UDP 4739 is the default IPFIX port. |
Related Articles
https://help.venntelecom.com/a/solutions/articles/44000984120?lang=en
Troubleshooting
For troubleshooting, please contact our support at [email protected] or +32 2 318 48 25.