TCP port 32015 open on Balance 20

Michael234 · July 22, 2015, 11:18am

Running a Balance 20 with firmware 6.2.1 build 2992
ShieldsUP! at grc.com found port 32015 was open for TCP.
What is it used for?
Can I close it?

The router has an active PepVPN profile, but it connects to its partner Peplink router, it does not leave itself open for incoming PepVPN connections.

TK_Liew · July 22, 2015, 3:33pm

Hi Michael,

Not to worry, this is PepVPN handshake port.

Michael234 · July 23, 2015, 7:13am

The firmware 6.2.1 user manual says that port 32015 is used with speed fusion. Quoting

“Peplink proprietary SpeedFusion uses TCP port 32015 and UDP port 4500 for establishing VPN connections.”

I am using PepVPN but my Balance 20 doesn’t support Speed Fusion, at least I don’t see it in the web UI where the manual says it should be.

The manual also describes the Data Port field for PepVPN as a UDP port number used for outgoing VPN data. But here too, it does not seem to apply. I detected the port being open using TCP from the outside, which means incoming data.

Quoting the user manual on Data Port: “This field is used to specify a UDP port number for transporting outgoing VPN data. If Default is selected, UDP port 4500 will be used. Port 32015 will be used if the remote unit uses Firmware prior to version 5.4 or if port 4500 is unavailable.”

The PepVPN connection in the Balance 20 is to a Surf SOHO running firmware 6.2.0, so we are not dealing with firmware prior to version 5.4.

And the web UI helps says: “This field specifies the outgoing UDP port number for transporting VPN data. If Default is selected, port 4500 will be used by default. Port 32015 will be used if the remote unit’s firmware version is prior to 5.4 or the port 4500 is unavailable for use.”

If the documentation is correct, the Balance 20 should not have port 32015 open to accept incoming TCP connections.

TK_Liew · July 23, 2015, 11:58am

Michael234:

The firmware 6.2.1 user manual says that port 32015 is used with speed fusion. Quoting

“Peplink proprietary SpeedFusion uses TCP port 32015 and UDP port 4500 for establishing VPN connections.”

I am using PepVPN but my Balance 20 doesn’t support Speed Fusion, at least I don’t see it in the web UI where the manual says it should be.

The manual also describes the Data Port field for PepVPN as a UDP port number used for outgoing VPN data. But here too, it does not seem to apply. I detected the port being open using TCP from the outside, which means incoming data.

Quoting the user manual on Data Port: “This field is used to specify a UDP port number for transporting outgoing VPN data. If Default is selected, UDP port 4500 will be used. Port 32015 will be used if the remote unit uses Firmware prior to version 5.4 or if port 4500 is unavailable.”

The PepVPN connection in the Balance 20 is to a Surf SOHO running firmware 6.2.0, so we are not dealing with firmware prior to version 5.4.

And the web UI helps says: “This field specifies the outgoing UDP port number for transporting VPN data. If Default is selected, port 4500 will be used by default. Port 32015 will be used if the remote unit’s firmware version is prior to 5.4 or the port 4500 is unavailable for use.”

If the documentation is correct, the Balance 20 should not have port 32015 open to accept incoming TCP connections.

Hi Michael,

SpeedFusion and PepVPN also using this handshake port. You may find here for details of SpeedFusion Bonding, SpeedFusion Hot Failover and PepVPN.

SpeedFusion or PepVPN establishes via WAN interface, of course it will listens this port from outside. This is expected.

We also documented the required ports for SpeedFusion/PepVPN in knowledgebase.

Thank you.

Edward_Holcroft · October 1, 2015, 10:34pm

What concerns me about this port being open is that it advertises certain information that could be used by a hacker to build his intelligence about my network. For example on my Balance 380 a whole bunch of info is world accessible, so now a potential hacker has the LAN and WAN address, subnets, status etc. Is there some way this can be blocked without breaking SpeedFusion?

SYNC_HELLO=6
SYNC_HELLO=6

SYNC_SUPPORT_VERSION=4,5,6
SYNC_SUPPORT_VERSION=4,5,6

SYNC_SN=1824-4CB3-20D0
SYNC_SID=PRI
SYNC_SN=1824-‐6188-‐3E67
SYNC_SID=NWO
SESSION_KEY_START=1
SESSION_KEY_END=1
SYNC_REQUEST=SYSCONFIG
SYNC_REQUEST=SYSCONFIG

SYNC_SYSCONFIG_START=1
DAEMON_VERSION=6
SERIAL_NUMBER=1824-4CB3-20D0
SITE_ID=PRI
LAN_IP1=192.168.150.1
LAN_MASK1=255.255.255.0
WAN_NUM=4
UP_WAN=2
WAN1_INDEX=1
WAN1_IP=208.17.74.15
WAN1_UP=y
WAN1_MTU=1500
WAN1_BWUPSTREAM=384
WAN1_BWDOWNSTREAM=64
WAN1_MEDIA=ETHERNET
WAN2_INDEX=2
WAN2_IP=74.94.51.29
WAN2_UP=y
WAN2_MTU=1492
WAN2_BWUPSTREAM=2560
WAN2_BWDOWNSTREAM=12800
WAN2_MEDIA=ETHERNET
WAN3_INDEX=3
WAN3_IP=0.0.0.0
WAN3_UP=n
WAN3_MTU=0
WAN3_BWUPSTREAM=128000
WAN3_BWDOWNSTREAM=128000
WAN3_MEDIA=ETHERNET
WAN4_INDEX=4
WAN4_IP=0.0.0.0
WAN4_UP=n
WAN4_MTU=0
WAN4_BWUPSTREAM=12800
WAN4_BWDOWNSTREAM=12800
WAN4_MEDIA=MODEM
HC_INTERVAL=5000
HC_RETRY=3
IS_ENDPOINT=0
PEER_ROLL=0
SYNC_SYSCONFIG_END=1
SYNC_ACCESS=ERROR

TK_Liew · October 4, 2015, 11:09am

Edward_Holcroft:

What concerns me about this port being open is that it advertises certain information that could be used by a hacker to build his intelligence about my network. For example on my Balance 380 a whole bunch of info is world accessible, so now a potential hacker has the LAN and WAN address, subnets, status etc. Is there some way this can be blocked without breaking SpeedFusion?

SYNC_HELLO=6
SYNC_HELLO=6

SYNC_SUPPORT_VERSION=4,5,6
SYNC_SUPPORT_VERSION=4,5,6

SYNC_SN=1824-4CB3-20D0
SYNC_SID=PRI
SYNC_SN=1824-‐6188-‐3E67
SYNC_SID=NWO
SESSION_KEY_START=1
SESSION_KEY_END=1
SYNC_REQUEST=SYSCONFIG
SYNC_REQUEST=SYSCONFIG

SYNC_SYSCONFIG_START=1
DAEMON_VERSION=6
SERIAL_NUMBER=1824-4CB3-20D0
SITE_ID=PRI
LAN_IP1=192.168.150.1
LAN_MASK1=255.255.255.0
WAN_NUM=4
UP_WAN=2
WAN1_INDEX=1
WAN1_IP=208.17.74.15
WAN1_UP=y
WAN1_MTU=1500
WAN1_BWUPSTREAM=384
WAN1_BWDOWNSTREAM=64
WAN1_MEDIA=ETHERNET
WAN2_INDEX=2
WAN2_IP=74.94.51.29
WAN2_UP=y
WAN2_MTU=1492
WAN2_BWUPSTREAM=2560
WAN2_BWDOWNSTREAM=12800
WAN2_MEDIA=ETHERNET
WAN3_INDEX=3
WAN3_IP=0.0.0.0
WAN3_UP=n
WAN3_MTU=0
WAN3_BWUPSTREAM=128000
WAN3_BWDOWNSTREAM=128000
WAN3_MEDIA=ETHERNET
WAN4_INDEX=4
WAN4_IP=0.0.0.0
WAN4_UP=n
WAN4_MTU=0
WAN4_BWUPSTREAM=12800
WAN4_BWDOWNSTREAM=12800
WAN4_MEDIA=MODEM
HC_INTERVAL=5000
HC_RETRY=3
IS_ENDPOINT=0
PEER_ROLL=0
SYNC_SYSCONFIG_END=1
SYNC_ACCESS=ERROR

Hi Edward,

What firmware version you are using? Please ensure you are using latest firmware version.
You perform above scan on LAN side?

Please help to configure PSK for SpeedFusion (Network > SpeedFusion > Select SpeedFusion profile > Remote ID / Pre-shared Key > enter pre-shared Key for both SpeedFusion peer). This will help in your situation.

Edward_Holcroft · October 4, 2015, 8:23pm

I can get this info from the wan side. I would be less concerned if it was only on the LAN side.

Im on the latest v5 firmware since these are out of warranty devices. Now that v6 is available without a warranty I’ll upgrade to 6.2 and report back with my findings. This will take me a while because I’m out of the office for the next week.

TK_Liew · October 5, 2015, 10:59am

Hi Edward,

Do remember to enable PSK for SpeedFusion.

Edward_Holcroft · October 15, 2015, 5:02am

I upgraded to firmware 6.2.2 and it looks like I can no longer grab internal LAN info by issuing the expect command. I’ll keep exploring this for a while, but thanks for the advice so far, which seems to have worked.

ed

TK_Liew · October 15, 2015, 12:07pm

Hi Edward,

Glad to hear that! Thanks for your efforts!