How vulnerable is using port forwarding?

Share your thoughts. I have a PMS/POS server at my end, and I'm using a Peplink Balance 580 router. Since we don't have a site-to-site VPN connection yet, I'm planning to just port forward it to my public IP address, but I'm afraid it is vulnerable to threats. Do you think I should just create a PPTP or L2TP account and then create a VPN tunnel through the laptop, so that if I'm away from the office I can still access my servers and still work, or should I just port forward it? Thanks for your answers, guys. More power to the community.

Every time a customer asks me to set up port forwarding on their internet-facing routers I always refuse - especially on cellular WAN links.

I fight tooth and nail to change their infrastructure / topology to restrict / lower the number of ports that need to be opened.

In a perfect world, the only inbound ports I leave open on a Balance are 32015 and 4500 (for PepVPN), and even then that's only at the Hub device, where I will have a firewall sitting in front of the FusionHub / Balance wherever possible for additional monitoring / security.

There has to be an immovable commercial / technical reason for port forwarding to be justified, in my opinion.
If there is ever the option to use another approach - you should. In your case, then, I would argue that using a client VPN to connect to the B580 would be way better than using port forwarding.

4 Likes

Thanks Martin, I appreciate it so much. Is there a case you encountered way back then where their networks got hacked or attacked by ransomware or whatsoever because of port forwarding? Do you think I should just set up PPTP or L2TP on my laptop and then create a username and password on my Peplink? Is it safer this way, Martin?

I should clarify this perhaps a little. Port forwarding in itself isn't dangerous - it's what you're forwarding to that's always the worry.

For example, a lot of CCTV firms port forward to the IP cameras on their customers' LAN for remote management / monitoring. Home users have done the same thing for baby cams too. They open ports for video streaming (RTP) and for the web UIs of the cameras themselves. Then they walk away.

The best firms remotely manage those devices and actively maintain the firmware on the cameras and NVRs - most will not (as customers we tend to go for the cheapest quote, without management).

Imagine what happens when there is a security issue with the IP camera firmware - if the vendor is any good they will tell their customers (the installing firm), but in my experience very few firms then tell their customers if they are not under active management.

So then the customer is left with a hackable device attached directly to the internet. Anything is possible after that. Then bring IoT devices into the mix. There are so many security flaws discovered regularly in IoT devices that it makes my blood run cold.

So yes. Set up a PPTP with IPSEC remote client for access to your B580 - only open ports if you really have to.

1 Like

Thank you so much for the wonderful suggestion, Martin. Cheers.