Sanitized mirror from private repository - 2026-04-19 08:22:03 UTC

2026-04-19 08:22:03 +00:00
commit dca0a02a19
1438 changed files with 363149 additions and 0 deletions
--- a/docs/infrastructure/port-forwarding-configuration.md
+++ b/docs/infrastructure/port-forwarding-configuration.md
@@ -0,0 +1,287 @@
+# 🌐 Port Forwarding Configuration
+
+**🟡 Intermediate Guide**
+
+This document details the current port forwarding configuration on the TP-Link Archer BE800 router, enabling external access to specific homelab services.
+
+---
+
+## 🔧 Current Port Forwarding Rules
+
+Based on the TP-Link router configuration:
+
+### **Active Port Forwards**
+
+| Service Name | Device IP | External Port | Internal Port | Protocol | Purpose |
+|--------------|-----------|---------------|---------------|----------|---------|
+| **jitsi3** | 192.168.0.200 | 4443 | 4443 | TCP | Jitsi Meet video conferencing |
+| **stun3** | 192.168.0.200 | 5349 | 5349 | All | STUN server for WebRTC |
+| **stun2** | 192.168.0.200 | 49160-49200 | 49160-49200 | All | RTP media ports for Jitsi |
+| **stun1** | 192.168.0.200 | 3478 | 3478 | All | Primary STUN server |
+| **gitea** | 192.168.0.250 | 2222 | 2222 | All | Gitea SSH access |
+| **portainer2** | 192.168.0.200 | 8000 | 8000 | All | Portainer Edge Agent |
+| **portainer2** | 192.168.0.200 | 9443 | 9443 | All | Portainer HTTPS interface |
+| **portainer2** | 192.168.0.200 | 10000 | 10000 | All | Portainer additional service |
+| **Https** | 192.168.0.250 | 443 | 443 | All | HTTPS web services |
+| **HTTP** | 192.168.0.250 | 80 | 80 | All | HTTP web services (redirects to HTTPS) |
+
+---
+
+## 🎯 Service Dependencies & Access
+
+### **Jitsi Meet Video Conferencing (192.168.0.200)**
+```bash
+# External Access URLs:
+https://your-domain.com:4443  # Jitsi Meet web interface
+
+# Required Ports:
+- 4443/TCP   # HTTPS web interface
+- 5349/All   # TURN server for NAT traversal
+- 3478/All   # STUN server for peer discovery
+- 49160-49200/All  # RTP media streams (40 port range)
+
+# Service Dependencies:
+- Requires all 4 port ranges for full functionality
+- WebRTC media negotiation depends on STUN/TURN
+- RTP port range handles multiple concurrent calls
+```
+
+### **Gitea Git Repository (192.168.0.250 - Calypso)**
+```bash
+# External SSH Access:
+git clone ssh://git@your-domain.com:2222/username/repo.git
+
+# Required Ports:
+- 2222/All   # SSH access for Git operations
+
+# Service Dependencies:
+- SSH key authentication required
+- Alternative to HTTPS Git access
+- Enables Git operations from external networks
+```
+
+### **Portainer Container Management (192.168.0.200)**
+```bash
+# External Access URLs:
+https://your-domain.com:9443  # Main Portainer interface
+https://your-domain.com:8000  # Edge Agent communication
+https://your-domain.com:10000 # Additional services
+
+# Required Ports:
+- 9443/All   # Primary HTTPS interface
+- 8000/All   # Edge Agent communication
+- 10000/All  # Extended functionality
+
+# Service Dependencies:
+- All three ports required for full Portainer functionality
+- Edge Agent enables remote Docker management
+- HTTPS interface provides web-based container management
+```
+
+### **Web Services (192.168.0.250 - Calypso)**
+```bash
+# External Access URLs:
+https://your-domain.com       # Main web services (443)
+http://your-domain.com        # HTTP redirect to HTTPS (80)
+
+# Required Ports:
+- 443/All    # HTTPS web services
+- 80/All     # HTTP (typically redirects to HTTPS)
+
+# Service Dependencies:
+- Reverse proxy (likely Nginx/Traefik) on Calypso
+- SSL/TLS certificates for HTTPS
+- Automatic HTTP to HTTPS redirection
+```
+
+---
+
+## 🏠 Host Mapping
+
+### **192.168.0.200 - Atlantis (Primary NAS)**
+- **Jitsi Meet**: Video conferencing platform
+- **Portainer**: Container management interface
+- **Services**: 4 port forwards (Jitsi + Portainer)
+
+### **192.168.0.250 - Calypso (Development Server)**
+- **Gitea**: Git repository hosting
+- **Web Services**: HTTPS/HTTP reverse proxy
+- **Services**: 3 port forwards (Git SSH + Web)
+
+---
+
+## 🔒 Security Considerations
+
+### **Exposed Services Risk Assessment**
+
+#### **High Security Services** ✅
+- **HTTPS (443)**: Encrypted web traffic, reverse proxy protected
+- **Jitsi Meet (4443)**: Encrypted video conferencing
+- **Portainer HTTPS (9443)**: Encrypted container management
+
+#### **Medium Security Services** ⚠️
+- **Gitea SSH (2222)**: SSH key authentication required
+- **Portainer Edge (8000)**: Agent communication, should be secured
+- **HTTP (80)**: Unencrypted, should redirect to HTTPS
+
+#### **Network Services** 🔧
+- **STUN/TURN (3478, 5349)**: Required for WebRTC, standard protocols
+- **RTP Range (49160-49200)**: Media streams, encrypted by Jitsi
+
+### **Security Recommendations**
+
+```bash
+# 1. Ensure Strong Authentication
+- Use SSH keys for Gitea (port 2222)
+- Enable 2FA on Portainer (port 9443)
+- Implement strong passwords on all services
+
+# 2. Monitor Access Logs
+- Review Nginx/reverse proxy logs regularly
+- Monitor failed authentication attempts
+- Set up alerts for suspicious activity
+
+# 3. Keep Services Updated
+- Regular security updates for all exposed services
+- Monitor CVE databases for vulnerabilities
+- Implement automated security scanning
+
+# 4. Network Segmentation
+- Consider moving exposed services to DMZ
+- Implement firewall rules between network segments
+- Use VLANs to isolate public-facing services
+```
+
+---
+
+## 🌐 External Access Methods
+
+### **Primary Access (Port Forwarding)**
+```bash
+# Direct external access via domain names (DDNS updated every 5 minutes)
+https://pw.vish.gg:9443          # Portainer
+https://meet.thevish.io:4443     # Jitsi Meet (primary)
+ssh://git@git.vish.gg:2222       # Gitea SSH
+
+# Alternative domain access
+https://vish.gg:9443             # Portainer (main domain)
+https://meet.vish.gg:4443        # Jitsi Meet (alt domain)
+https://www.vish.gg              # Main web services (HTTPS)
+https://vish.gg                  # Main web services (HTTPS)
+
+# Additional service domains (from Cloudflare DNS)
+https://cal.vish.gg              # Calendar service (proxied)
+https://reddit.vish.gg           # Reddit alternative (proxied)
+https://www.thevish.io           # Alternative main domain (proxied)
+https://matrix.thevish.io        # Matrix chat server (proxied)
+https://joplin.thevish.io        # Joplin notes (proxied)
+```
+
+### **Alternative Access (Tailscale)**
+```bash
+# Secure mesh VPN access (recommended)
+https://atlantis.tail.vish.gg:9443   # Portainer via Tailscale
+https://atlantis.tail.vish.gg:4443   # Jitsi via Tailscale
+ssh://git@calypso.tail.vish.gg:2222  # Gitea via Tailscale
+```
+
+### **Hybrid Approach**
+- **Public Services**: Jitsi Meet (external users need direct access)
+- **Admin Services**: Portainer, Gitea (use Tailscale for security)
+- **Web Services**: Public content via port forwarding, admin via Tailscale
+
+---
+
+## 🔧 Configuration Management
+
+### **Router Configuration Backup**
+```bash
+# Regular backups of port forwarding rules
+- Export TP-Link configuration monthly
+- Document all port forward changes
+- Maintain change log with dates and reasons
+```
+
+### **Service Health Monitoring**
+```bash
+# Monitor forwarded services
+- Set up uptime monitoring for each forwarded port
+- Implement health checks for critical services
+- Configure alerts for service failures
+```
+
+### **Dynamic DNS Configuration**
+```bash
+# Automated DDNS updates via Cloudflare
+- DDNS updater runs every 5 minutes
+- Updates both vish.gg and thevish.io domains
+- Handles both IPv4 (A) and IPv6 (AAAA) records
+- Proxied services: cal, reddit, www, matrix, joplin
+- DNS-only services: git, meet, pw, api, spotify
+
+# DDNS Services Running:
+- ddns-vish-proxied: Updates proxied A records
+- ddns-vish-unproxied: Updates DNS-only A records  
+- ddns-thevish-proxied: Updates thevish.io proxied records
+- ddns-thevish-unproxied: Updates thevish.io DNS-only records
+```
+
+---
+
+## 🚨 Troubleshooting
+
+### **Common Issues**
+
+#### **Service Not Accessible Externally**
+```bash
+# Check list:
+1. Verify port forward rule is enabled
+2. Confirm internal service is running
+3. Test internal access first (192.168.0.x:port)
+4. Check firewall rules on target host
+5. Verify router external IP hasn't changed
+```
+
+#### **Jitsi Meet Connection Issues**
+```bash
+# WebRTC requires all ports:
+1. Test STUN server: 3478, 5349
+2. Verify RTP range: 49160-49200
+3. Check browser WebRTC settings
+4. Test with different networks/devices
+```
+
+#### **Gitea SSH Access Problems**
+```bash
+# SSH troubleshooting:
+1. Verify SSH key is added to Gitea
+2. Test SSH connection: ssh -p 2222 git@git.vish.gg
+3. Check Gitea SSH configuration
+4. Verify port 2222 is not blocked by ISP
+```
+
+---
+
+## 📋 Maintenance Tasks
+
+### **Monthly Tasks**
+- [ ] Review access logs for all forwarded services
+- [ ] Test external access to all forwarded ports
+- [ ] Update service passwords and SSH keys
+- [ ] Backup router configuration
+
+### **Quarterly Tasks**
+- [ ] Security audit of exposed services
+- [ ] Update all forwarded services to latest versions
+- [ ] Review and optimize port forwarding rules
+- [ ] Test disaster recovery procedures
+
+### **Annual Tasks**
+- [ ] Complete security assessment
+- [ ] Review and update documentation
+- [ ] Evaluate need for additional security measures
+- [ ] Plan for service migrations or updates
+
+---
+
+*This port forwarding configuration enables external access to critical homelab services while maintaining security through proper authentication and monitoring.*