Upcloud firewall settings for fusionhub

I’ve read a few different threads but some are going back to 2016 and previous firmware versions, so I’m getting confused. I wonder if someone can help me with a clear firewall setting guide. At upcloud the firewall requires:

incoming
source ip
source port
destination ip
destination port
(or all)

outoing
source ip
source port
destination ip
destination port
(or all)

Could someone help me with a clear guide of ips and ports that need to be opened for pepvpn and/or speedfusion to function while locking down for security as much as possible.

Fusionhub is on one public WAN IP address. PepVPN connections will be over dynamic IP dsl or dynamic IP cellular.

Thanks very much for your time.

Looking at that list, are those all required inbound? For example, it lists NTP requiring UDP port 123 to be opened. Does that need to be opened on the incoming side???

Also it mentions TCP 8822 for SSH.
Would this be required to be opened all the time under incoming for normal pepVPN operation?

No, some are Inbound while others are Outbound.

NTP should be Outbound as the Peplink is acting as NTP Client.

If you intend to allow CLI SSH Access via the WAN interface, then you will need to allow Inbound TCP 8822.

image1222×823 67 KB

The PepVPN is using different service ports.

Hi,

It’s indeed not always obvious what’s inbound or outbound, and from which entity to which other entity.

For this post which is about Fusionhub we always authorise at minimum following INBOUND rules (from INTERNET to FUSIONHUB Server):

|UDP 4500| PepVPN / SPeedfusion and IPSEC Data
|UDP 450x| PepVPN /SPeedfusion In case of conflict on port 4500
|TCP 32015| PepVPN /SPeedfusion Handshake
|UDP 32015| PepVPN Data (alternative)
|TCP 2222| Direct Remote Access for Peplink Troubleshooting Assistance (Not sure)
|TCP 443| Web Admin Interface access (and change that afterwards to our own Admin TCP port)

For port TCP 2222 I am not sure it must be inbound or outbound or both ???

For OUTBOUND traffic To the INTERNET at minimum:

|UDP 53| DNS Resolution
|UDP 123| Network Time Service

Then following OUTBOUND Traffic to PEPLINK SERVERS and/or to INCONTROL VIRTUAL APPLIANCES are needed :

UDP 5246 for Incontrol
TCP 5246 for Incontrol
TCP 443 for all servers
UDP 53 for Dyndns Incontrol
TCP 2222 (not sure).

Option 1: Simply define an outbound rule authorizing all those ports to domains *.venn.be, *.peplink.com and *.letsencrypt.org (optional)

Option 2 : define outbound rule authorizing all/some of those ports to following domains:

ic.venn.be Venn Private incontrol|
ic2.venn.be Venn Backup Private incontrol
earth.ic.peplink.com Peplink Incontrol (in our case)
ac1.peplink.com Peplink Incontrol commmunication
ac2.peplink.com Peplink Incontrol Failover communication
ra.peplink.com Remote Access
ra-1.ic.peplink.com Remote Access
ra-2.ic.peplink.com Remote Access
api.ic.peplink.com Product name lookup when importing
push.ic.peplink.com Push notifications for the InControl mobile app (optional)
download.peplink.com Firmware validation
*.letsencrypt.org Automatic SSL certificate acquisition from letsencrypt.org (optional)

All of them only needs outbound TCP 443 except Incontrol related adresses which need all of them.

Option 3 : If the router/firewall does not support domain-based rules, then configure your firewall to permit the following server IP addresses:

185.197.36.251
185.197.36.251
52.24.152.249
52.38.10.66
54.254.186.173
54.201.63.99
54.69.133.25
54.218.62.163
54.213.17.185
54.68.148.178
54.218.73.43
54.213.230.221
54.213.108.78
54.213.245.97
54.218.3.77
52.37.112.82
52.33.148.23
54.148.216.73
54.186.87.252
35.167.224.48
35.166.227.55
54.200.27.33
54.200.29.147
34.209.167.139 (added on 2017-09-14)
52.13.179.234 (added on 2018-09-04)
52.88.12.218 (added on 2018-11-19)
35.163.7.32 (added on 2018-12-19)

Same, all of them only needs TCP 443 except for Incontrol related IP’s which needs all of them.

I hope this makes sence and helps, tell me if I’m wrong on something.

The question remains open for TCP 2222.

Kind regards,
Sven