Firewalls, ports, Speedfusion, Local service firewall, etc

How does the built-in firewall work? What is the difference between Local Service firewall and Inbound Firewall rules? I read some older threads and it seems some Peplink services such as Speedfusion VPN may have overridden the Inbound firewall rules so the Local service firewall was created to control Peplink services and give true control over firewall rules? What exactly does the Local service firewall control? Speedfusion VPN? Remote Web Admin? Remote Assistance? Anything else?

Based on my reading, at the very least, the following ports are needed:
speedfusion: udp 4500 & tcp 32015
incontrol: udp 5246
web admin: tcp 443 (although one could disable and rely on remote web admin?)
remote web admin: tcp 5246
remote assistance: tcp 443

I found the list of IPs that Peplink uses for incontrol, remote web admin, and remote assistance. It seems ideally, you’d block ALL traffic, except those IPs and ports? They would be needed both inbound AND outbound or only inbound? I am trying to understand how Peplink devices work whether connections are made INTO the devices or they call home (outbound)?

Finally, how does Speedfusion VPN stay connected? Is there somewhere to designate the Fusionhub as the primary since it has a public/static IP? How can I make sure the MK2 can find it at all times?

Thank you!

Please refer to my explanation here.

Please refer to the ports used by Peplink here. This will be the direction of the connection for the ports you listed below if there is a firewall in front of Peplink:
speedfusion: udp 4500 & tcp 32015 <— outbound and inbound
incontrol: udp 5246 <— outbound
web admin: tcp 443 (although one could disable and rely on remote web admin?) <— outbound (for Remote Web Admin)
remote web admin: tcp 5246 <— outbound
remote assistance: tcp 443 <— outbound

Both SpeedFusion peers will keep sending health check traffic within the SpeedFusion tunnel to ensure both sides are reachable.

This will be the setting.

2 Likes
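The reply above boils down to a default-deny policy on the upstream firewall: SpeedFusion (UDP 4500, TCP 32015) in both directions to the FusionHub, and everything else (InControl, Remote Web Admin, Remote Assistance) outbound only, to Peplink's published addresses. The script below is an added example written for this thread, not Peplink's own tooling: it encodes that table and checks constructed flow records against it, so you can see which attempts a correctly built rule set should accept or drop. The addresses in it are documentation-range placeholders (the real Peplink cloud ranges come from the list the reply links to), and the log format is constructed for the example.

```python
"""Default-deny policy model for a firewall placed in front of a Peplink device.

Example code added to this thread (not Peplink's own tooling). It encodes the
port/direction list from the reply above and checks constructed flow records
against it. All addresses below are documentation-range placeholders (RFC 5737),
not Peplink's real cloud IPs: substitute the list Peplink publishes.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Service, protocol, port, and whether the flow is needed inbound (toward the
# Peplink device) and/or outbound (from it), exactly as given in the reply.
SERVICES = [
    ("speedfusion",       "udp", 4500,  True,  True),
    ("speedfusion",       "tcp", 32015, True,  True),
    ("incontrol",         "udp", 5246,  False, True),
    ("remote-web-admin",  "tcp", 443,   False, True),
    ("remote-web-admin",  "tcp", 5246,  False, True),
    ("remote-assistance", "tcp", 443,   False, True),
]

# Constructed placeholder ranges (assumptions for the example).
PEPLINK_CLOUD = [ip_network("203.0.113.0/24")]    # stands in for InControl/RWA/RA addresses
FUSIONHUB = [ip_network("198.51.100.10/32")]      # stands in for the FusionHub's static IP


@dataclass(frozen=True)
class Flow:
    direction: str  # "in": toward the Peplink device; "out": from it
    proto: str      # "tcp" or "udp"
    peer: str       # the remote address (the non-Peplink side of the flow)
    port: int       # destination port of the flow


def parse_flow(line: str) -> Flow:
    """Parse a constructed record: '<in|out> <proto> <src> -> <dst>:<port>'."""
    direction, proto, src, _arrow, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    peer = src if direction == "in" else dst_ip
    return Flow(direction, proto, peer, int(dst_port))


def decide(flow: Flow) -> tuple:
    """Return (verdict, reason) for one flow under a default-deny policy."""
    peer = ip_address(flow.peer)
    matches = [s for s in SERVICES if s[1] == flow.proto and s[2] == flow.port]
    if not matches:
        return ("deny", f"no Peplink service uses {flow.proto}/{flow.port}")
    direction_ok = []
    for name, _proto, _port, inbound_ok, outbound_ok in matches:
        if not (inbound_ok if flow.direction == "in" else outbound_ok):
            continue
        direction_ok.append(name)
        # SpeedFusion talks to the FusionHub; the cloud services talk to Peplink's ranges.
        allowed = FUSIONHUB if name == "speedfusion" else PEPLINK_CLOUD
        if any(peer in net for net in allowed):
            return ("allow", f"{name} {flow.direction}bound")
    if direction_ok:
        return ("deny", f"peer {flow.peer} not on the allow-list for {'/'.join(direction_ok)}")
    names = "/".join(dict.fromkeys(s[0] for s in matches))
    return ("deny", f"{flow.direction}bound not required for {names}")


def evaluate(lines) -> list:
    """Evaluate every record and return (line, verdict, reason) tuples."""
    return [(line, *decide(parse_flow(line))) for line in lines]


# Constructed sample records; 192.0.2.20 stands in for the MK2's WAN address.
SAMPLE_LOG = [
    "in udp 198.51.100.10 -> 192.0.2.20:4500",       # SpeedFusion from the FusionHub
    "out tcp 192.0.2.20 -> 198.51.100.10:32015",     # SpeedFusion to the FusionHub
    "out udp 192.0.2.20 -> 203.0.113.5:5246",        # InControl call-home
    "in tcp 203.0.113.5 -> 192.0.2.20:443",          # unsolicited inbound 443: not needed
    "in tcp 198.51.100.99 -> 192.0.2.20:32015",      # SpeedFusion port, unknown peer
    "out tcp 192.0.2.20 -> 203.0.113.5:22",          # port no Peplink service uses
]

if __name__ == "__main__":
    for line, verdict, reason in evaluate(SAMPLE_LOG):
        print(f"{verdict:5} {line:45} {reason}")
```

The fourth record is the one worth noticing: TCP 443 appears in the port list, but only as an outbound flow for Remote Web Admin and Remote Assistance, so an inbound connection on 443 is dropped even from a Peplink address. Whether to allow inbound SpeedFusion at all on the MK2 side depends on which peer initiates the tunnel; the model keeps both directions open because the reply lists SpeedFusion as both.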

Thanks, I set up the VPN via Incontrol so it does not look like I can edit on the device itself. Attached is the screenshot. So it looks like it automatically set up the Remote IP. For future reference, is there any way to edit it in Incontrol or on the device?

In your case, for InControl2, you would create this as a star topology profile with the FusionHub as the hub device.

In peer-to-peer topologies, both ends are sent the detected/reported IP’s of the opposite end. Since both sides will be trying to reach the other, this should still work fine. We recommend a star topology when you have large numbers of endpoints connecting to a central node, otherwise every IP change generates a configuration update to the hub device.

1 Like

Thanks, good to know, I re-created using Star topology!