It’s indeed not always obvious what’s inbound or outbound, and from which entity to which other entity.
For this post, which is about FusionHub, we always authorise at minimum the following INBOUND rules (from INTERNET to FUSIONHUB server):
| Port | Purpose |
|---|---|
| UDP 4500 | PepVPN / SpeedFusion and IPsec data |
| UDP 450x | PepVPN / SpeedFusion in case of conflict on port 4500 |
| TCP 32015 | PepVPN / SpeedFusion handshake |
| UDP 32015 | PepVPN data (alternative) |
| TCP 2222 | Direct Remote Access for Peplink Troubleshooting Assistance (not sure) |
| TCP 443 | Web Admin Interface access (and change that afterwards to our own Admin TCP port) |
For port TCP 2222, I am not sure whether it must be inbound, outbound, or both?
For OUTBOUND traffic to the INTERNET, at minimum:
| Port | Purpose |
|---|---|
| UDP 53 | DNS resolution |
| UDP 123 | Network Time Service |
Then the following OUTBOUND traffic to PEPLINK SERVERS and/or to INCONTROL VIRTUAL APPLIANCES is needed:
UDP 5246 for InControl
TCP 5246 for InControl
TCP 443 for all servers
UDP 53 for Dyndns InControl
TCP 2222 (not sure).
Option 1: Simply define an outbound rule authorizing all those ports to the domains *.venn.be, *.peplink.com and *.letsencrypt.org (optional).
Option 2: Define an outbound rule authorizing all/some of those ports to the following domains:
| Domain | Purpose |
|---|---|
| ic.venn.be | Venn Private InControl |
| ic2.venn.be | Venn Backup Private InControl |
| earth.ic.peplink.com | Peplink InControl (in our case) |
| ac1.peplink.com | Peplink InControl communication |
| ac2.peplink.com | Peplink InControl failover communication |
| ra.peplink.com | Remote Access |
| ra-1.ic.peplink.com | Remote Access |
| ra-2.ic.peplink.com | Remote Access |
| api.ic.peplink.com | Product name lookup when importing |
| push.ic.peplink.com | Push notifications for the InControl mobile app (optional) |
| download.peplink.com | Firmware validation |
| *.letsencrypt.org | Automatic SSL certificate acquisition from letsencrypt.org (optional) |
All of them only need outbound TCP 443, except InControl-related addresses, which need all of them.
Option 3: If the router/firewall does not support domain-based rules, then configure your firewall to permit the following server IP addresses:
188.8.131.52 (added on 2017-09-14)
184.108.40.206 (added on 2018-09-04)
220.127.116.11 (added on 2018-11-19)
18.104.22.168 (added on 2018-12-19)
Same: all of them only need TCP 443, except for InControl-related IPs, which need all of them.
I hope this makes sense and helps; tell me if I’m wrong on something.
The question remains open for TCP 2222.
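
One way to check egress logs against the Option 2 list above, as an added example that is not part of the original post and not Peplink tooling. It assumes a "host proto port" log format, treats the hosts the post describes as InControl servers or InControl communication endpoints as the "InControl-related" ones, and leaves TCP 2222 out of the allowlist because the post leaves it open, so such flows are reported for review.

```python
from fnmatch import fnmatchcase

# Ports the post lists for InControl traffic. TCP 2222 is left out because
# the post leaves its direction as an open question.
INCONTROL = {("udp", 5246), ("tcp", 5246), ("tcp", 443), ("udp", 53)}
HTTPS_ONLY = {("tcp", 443)}
ANY_HOST = {("udp", 53), ("udp", 123)}  # DNS and NTP to the Internet

# Assumption: hosts the post labels as InControl servers get the InControl
# ports; every other listed host gets TCP 443 only.
ALLOWLIST = {
    "ic.venn.be": INCONTROL,
    "ic2.venn.be": INCONTROL,
    "earth.ic.peplink.com": INCONTROL,
    "ac1.peplink.com": INCONTROL,
    "ac2.peplink.com": INCONTROL,
    "ra.peplink.com": HTTPS_ONLY,
    "ra-1.ic.peplink.com": HTTPS_ONLY,
    "ra-2.ic.peplink.com": HTTPS_ONLY,
    "api.ic.peplink.com": HTTPS_ONLY,
    "push.ic.peplink.com": HTTPS_ONLY,
    "download.peplink.com": HTTPS_ONLY,
    "*.letsencrypt.org": HTTPS_ONLY,
}

def check_flow(host, proto, port):
    """Return True if one outbound flow fits the Option 2 allowlist."""
    key = (proto.lower(), int(port))
    host = host.lower().rstrip(".")  # normalise case and trailing root dot
    if key in ANY_HOST:
        return True
    return any(fnmatchcase(host, pat) and key in ports
               for pat, ports in ALLOWLIST.items())

def audit(log_lines):
    """Return the 'host proto port' lines that fall outside the allowlist."""
    return [ln for ln in log_lines if not check_flow(*ln.split())]

# Constructed sample flows (not real logs), format: host proto port
SAMPLE = [
    "earth.ic.peplink.com udp 5246",
    "download.peplink.com tcp 443",
    "download.peplink.com udp 5246",
    "ra.peplink.com tcp 2222",
    "acme-v02.api.letsencrypt.org tcp 443",
    "letsencrypt.org.example.net tcp 443",
    "pool.ntp.org udp 123",
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print("outside allowlist:", line)
```

The wildcard entry only matches names that end in `.letsencrypt.org`, so a look-alike such as `letsencrypt.org.example.net` is reported rather than allowed.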