====== 🔌 Port Forwarding Configuration ======

**🟡 Intermediate Infrastructure Guide**

This document details the current port forwarding configuration on the TP-Link Archer BE800 router, which exposes specific homelab services to the internet. The public DNS names that point at the router are kept current by Cloudflare DDNS updates every 5 minutes.

**🌐 Automatic Domain Updates**\\
All domains are updated automatically via Cloudflare DDNS every 5 minutes, so the router's changing WAN address never has to be managed by hand.

===== 🔧 Current Port Forwarding Rules =====

Based on the TP-Link Archer BE800 router configuration:

==== 📊 Active Port Forwards Summary ====

^ Service Name ^ Device IP ^ External Port ^ Internal Port ^ Protocol ^ Domain Access ^
| **jitsi3** | 192.168.0.200 | 4443 | 4443 | TCP | meet.thevish.io:4443 |
| **stun3** | 192.168.0.200 | 5349 | 5349 | All | meet.thevish.io:5349 |
| **stun2** | 192.168.0.200 | 49160-49200 | 49160-49200 | All | meet.thevish.io (RTP) |
| **stun1** | 192.168.0.200 | 3478 | 3478 | All | meet.thevish.io:3478 |
| **gitea** | 192.168.0.250 | 2222 | 2222 | All | git.vish.gg:2222 |
| **portainer2** | 192.168.0.200 | 8000 | 8000 | All | pw.vish.gg:8000 |
| **portainer2** | 192.168.0.200 | 9443 | 9443 | All | pw.vish.gg:9443 |
| **portainer2** | 192.168.0.200 | 10000 | 10000 | All | pw.vish.gg:10000 |
| **Https** | 192.168.0.250 | 443 | 443 | All | vish.gg:443 |
| **HTTP** | 192.168.0.250 | 80 | 80 | All | vish.gg:80 |

Notes on the rules:
  * "All" in the Protocol column means the router forwards both TCP and UDP. Only 3478 and 5349 (STUN/TURN) genuinely need both. SSH (2222), HTTP/HTTPS (80, 443, 4443, 9443) and the Portainer Edge tunnel (8000) are TCP-only, and the RTP range (49160-49200) is UDP-only. Narrowing each rule to the protocol the service actually speaks costs nothing and removes forwards to ports on which nothing listens.
  * The router matches on port only, so any hostname that resolves to the WAN address reaches the same service (meet.vish.gg:4443 and meet.thevish.io:4443 hit the same rule). If a name is Cloudflare-proxied (orange cloud), non-standard ports such as 4443 and 9443 will not work through it, because Cloudflare only proxies a fixed set of HTTP(S) ports; use a DNS-only name for those.
  * Port 10000 is not a port Portainer documents (Portainer uses 9443/9000 for its UI and 8000 for the Edge tunnel); it is, however, the default Jitsi Videobridge media port (10000/udp) in docker-jitsi-meet. Confirm what actually listens there on Atlantis (''ss -tulnp | grep 10000'') before relabelling or removing the rule.

===== 🎯 Service Dependencies & External Access =====

==== 🎥 Jitsi Meet Video Conferencing (192.168.0.200 - Atlantis) ====

=== External Access URLs ===
<code>
https://meet.thevish.io:4443    # Primary Jitsi Meet web interface
https://meet.vish.gg:4443       # Alternative domain access (same forward, different name)
</code>

=== Required Port Configuration ===
^ Port ^ Protocol ^ Purpose ^ Critical ^
| 4443 | TCP | HTTPS web interface | ✅ Essential |
| 5349 | All | TURN over TLS for NAT traversal | ✅ Essential |
| 3478 | All | STUN (and plain TURN) for reflexive address discovery | ✅ Essential |
| 49160-49200 | All (only UDP is used) | RTP media streams (41 ports) | ✅ Essential |

=== Service Dependencies ===
<code>
# WebRTC media flow (internal port per the rule table above)
Internet → Router:4443        → Atlantis:4443        → jitsi-web:443
Internet → Router:3478        → Atlantis:3478        → STUN server
Internet → Router:5349        → Atlantis:5349        → TURN server
Internet → Router:49160-49200 → Atlantis:49160-49200 → RTP streams
</code>

All four forwards are required for full functionality:
  * WebRTC media negotiation (ICE) depends on STUN/TURN; without them, participants behind restrictive NAT never get a media path.
  * The RTP port range carries the media for multiple concurrent calls.
  * The HTTPS interface provides web-based meeting access.

==== 📝 Gitea Git Repository (192.168.0.250 - Calypso) ====

=== External Access URLs ===
<code bash>
# SSH Git operations
ssh://git@git.vish.gg:2222

# Web interface (via the reverse proxy on 443)
https://git.vish.gg

# Git commands
git clone ssh://git@git.vish.gg:2222/username/repo.git
git remote add origin ssh://git@git.vish.gg:2222/username/repo.git
git push origin main
</code>

=== Port Configuration ===
^ Port ^ Protocol ^ Purpose ^ Authentication ^
| 2222 | All (only TCP is used) | SSH access for Git operations | SSH keys required |

=== Service Dependencies ===
<code>
# SSH Git access flow
Internet → Router:2222 → Calypso:2222 → gitea:22
</code>

Requirements:
  * SSH key authentication required; password authentication disabled
  * Alternative to HTTPS Git access
  * Enables Git operations from external networks
  * Web interface reachable via the reverse proxy on port 443
  * Listening on 2222 instead of 22 only reduces log noise from mass scanners; it is not an access control. Key-only authentication and lockout of repeated failures are what protect this port.

==== 🐳 Portainer Container Management (192.168.0.200 - Atlantis) ====

=== External Access URLs ===
<code>
https://pw.vish.gg:9443   # Primary Portainer HTTPS interface
https://vish.gg:9443      # Alternative domain access (only works if vish.gg is DNS-only, not proxied)
pw.vish.gg:8000           # Edge Agent tunnel (plain TCP endpoint for agents, not a browsable page)
pw.vish.gg:10000          # Additional services (purpose not recorded; see the note under the rule table)
</code>

=== Port Configuration ===
^ Port ^ Protocol ^ Purpose ^ Security Level ^
| 9443 | All (only TCP is used) | Primary HTTPS interface | 🔒 High value: full control of the Docker socket |
| 8000 | All (only TCP is used) | Edge Agent tunnel | ⚠️ Medium |
| 10000 | All | Extended functionality (undocumented) | ⚠️ Medium, unverified |

=== Service Dependencies ===
<code>
# Container management flow
Internet → Router:9443  → Atlantis:9443  → portainer:9443
Internet → Router:8000  → Atlantis:8000  → portainer:8000
Internet → Router:10000 → Atlantis:10000 → portainer:10000
</code>

All three ports are forwarded for full Portainer functionality:
  * 9443: Primary HTTPS interface for web management
  * 8000: Edge Agent tunnel for remote Docker management
  * 10000: Extended functionality and additional services

Whoever authenticates to Portainer can start privileged containers and mount the host filesystem, which is equivalent to root on Atlantis. The hybrid approach below already designates Portainer as a Tailscale-only admin service; once that is in place, these three forwards should be the first to be removed.

==== 🌍 Web Services (192.168.0.250 - Calypso) ====

=== External Access URLs ===
<code>
https://vish.gg            # Main web services (HTTPS)
https://www.vish.gg        # WWW subdomain
http://vish.gg             # HTTP (redirects to HTTPS)

# Additional Cloudflare-proxied services:
https://cal.vish.gg        # Calendar service
https://reddit.vish.gg     # Reddit alternative
https://matrix.thevish.io  # Matrix chat server
https://joplin.thevish.io  # Joplin notes
https://www.thevish.io     # Alternative main domain
</code>

=== Port Configuration ===
^ Port ^ Protocol ^ Purpose ^ Redirect ^
| 443 | All (only TCP is used) | HTTPS web services | Primary |
| 80 | All (only TCP is used) | HTTP (redirects to HTTPS) | → 443 |

=== Service Dependencies ===
<code>
# Web services flow
Internet → Router:443 → Calypso:443 → nginx:443
Internet → Router:80  → Calypso:80  → nginx:80 → redirect to 443
</code>

Requirements:
  * Reverse proxy (Nginx) on Calypso handles routing by hostname
  * SSL/TLS certificates for HTTPS (Let's Encrypt)
  * Automatic HTTP to HTTPS redirection
  * Cloudflare proxy protection for some subdomains

Caveat on the Cloudflare-proxied subdomains: the 80/443 forwards deliver traffic straight to Calypso, and the DNS-only names (git.vish.gg, pw.vish.gg, meet.thevish.io) publish the same WAN address. Anyone who connects to that address directly with the right SNI/Host header talks to the proxied vhosts without ever touching Cloudflare, so the DDoS protection and any Cloudflare access rules are bypassable. The Nginx vhosts for the proxied names should only accept connections from Cloudflare's published IP ranges (or be served through Cloudflare Tunnel instead of the forward), and ''CF-Connecting-IP'' must only be trusted from those ranges.

===== 🏠 Host Mapping & Service Distribution =====

==== 📊 Services by Host ====

^ Host ^ IP Address ^ Services ^ Port Forwards ^ Primary Function ^
| **Atlantis** | 192.168.0.200 | 45 services | 7 forwards | Jitsi Meet, Portainer |
| **Calypso** | 192.168.0.250 | 38 services | 3 forwards | Gitea SSH, Web Services |

==== 🔌 Port Forward Distribution ====

=== Atlantis (192.168.0.200) ===
  * **Jitsi Meet Video Conferencing**: 4 port forwards
    * 4443/TCP: HTTPS web interface
    * 5349/All: TURN server
    * 49160-49200/All: RTP media (41 ports)
    * 3478/All: STUN server
  * **Portainer Container Management**: 3 port forwards
    * 9443/All: HTTPS interface
    * 8000/All: Edge Agent
    * 10000/All: Additional services

=== Calypso (192.168.0.250) ===
  * **Gitea Git Repository**: 1 port forward
    * 2222/All: SSH Git access
  * **Web Services**: 2 port forwards
    * 443/All: HTTPS web services
    * 80/All: HTTP (redirects to HTTPS)

===== 🔒 Security Analysis & Risk Assessment =====

==== ✅ Low-Risk Services ====

^ Service ^ Port ^ Security Features ^ Risk Level ^
| **HTTPS Web (443)** | 443 | Encrypted traffic, reverse proxy in front of the applications | 🟢 Low |
| **Jitsi Meet (4443)** | 4443 | Encrypted signalling and web UI; public by design, so meeting creation should require authentication or the instance becomes a free conferencing service for anyone | 🟢 Low |

==== ⚠️ Medium-Risk Services ====

^ Service ^ Port ^ Security Considerations ^ Recommendations ^
| **Gitea SSH (2222)** | 2222 | Key-only authentication; the non-standard port is noise reduction, not a control | Monitor access logs, disable password auth, narrow the rule to TCP |
| **HTTP (80)** | 80 | Unencrypted; must only answer with a redirect to HTTPS (and the ACME HTTP-01 challenge if used) | Verify the redirect with ''curl -I http://vish.gg'' and check that no application is served on 80 |

==== 🔴 High-Risk Services ====

^ Service ^ Port ^ Security Considerations ^ Recommendations ^
| **Portainer HTTPS (9443)** | 9443 | Encrypted, but a login here equals root on Atlantis via the Docker socket | Enforce 2FA, restrict to Tailscale (hybrid approach) and remove the forward |
| **Portainer Edge (8000)** | 8000 | Agent tunnel; any Edge agent that learns the key can register | Implement IP restrictions or remove if no remote Edge agents exist |
| **Port 10000** | 10000 | Purpose not documented on this page | Identify the listener; an unknown open port is a finding in itself |

==== 🔧 Network Services ====

^ Service ^ Ports ^ Protocol Type ^ Security Notes ^
| **STUN/TURN** | 3478, 5349 | Standard WebRTC protocols | STUN (3478) is unauthenticated and plaintext by design and only returns the client's reflexive address, so it carries no secrets. TURN (5349, TLS) relays media and must require credentials (Jitsi's static-auth-secret or long-term credentials); an open relay is usable as a proxy by anyone. |
| **RTP Media** | 49160-49200 | Media streams | Encrypted on the wire with DTLS-SRTP (41-port range). The Videobridge terminates SRTP, so this is hop-by-hop encryption, not end-to-end unless Jitsi's E2EE is enabled. |

==== 🛡️ Security Recommendations ====

=== Authentication & Access Control ===
**1. Strong authentication**
  * SSH keys for Gitea (port 2222); disable password auth
  * 2FA on Portainer (port 9443) for all users
  * Strong passwords on all web services
  * Regular credential rotation

**2. Access monitoring**
  * Review Nginx/reverse proxy logs regularly
  * Monitor failed authentication attempts
  * Set up alerts for suspicious activity
  * Log SSH access attempts on port 2222

**3. Network security**
  * IP allow-listing for admin services
  * Rate limiting on web interfaces
  * VPN (Tailscale) for administrative access
  * Regular security updates for all exposed services

=== Service Hardening ===
**4. Service security**
  * Keep all exposed services updated
  * Monitor CVE feeds for the exposed software (Jitsi, Gitea, Portainer, Nginx, coturn)
  * Implement automated security scanning
  * Regular backup of service configurations

**5. Network segmentation**
  * Move exposed services to a DMZ segment
  * Firewall rules between network segments
  * VLANs to isolate public-facing services
  * Monitor inter-service communication

===== 🌐 External Access Methods & Alternatives =====

==== 🔌 Primary Access (Port Forwarding) ====
<code>
# Direct external access via domain names (DDNS updated every 5 minutes)
https://pw.vish.gg:9443         # Portainer
https://meet.thevish.io:4443    # Jitsi Meet (primary)
ssh://git@git.vish.gg:2222      # Gitea SSH

# Alternative domain access
https://vish.gg:9443            # Portainer (main domain; requires a DNS-only record)
https://meet.vish.gg:4443       # Jitsi Meet (alt domain)
https://www.vish.gg             # Main web services (HTTPS)
https://vish.gg                 # Main web services (HTTPS)

# Additional service domains (from Cloudflare DNS)
https://cal.vish.gg             # Calendar service (proxied)
https://reddit.vish.gg          # Reddit alternative (proxied)
https://www.thevish.io          # Alternative main domain (proxied)
https://matrix.thevish.io       # Matrix chat server (proxied)
https://joplin.thevish.io       # Joplin notes (proxied)
</code>

==== 🔗 Alternative Access (Tailscale VPN) ====
<code>
# Mesh VPN access (recommended for admin)
https://atlantis.tail.vish.gg:9443    # Portainer via Tailscale
https://atlantis.tail.vish.gg:4443    # Jitsi via Tailscale
ssh://git@calypso.tail.vish.gg:2222   # Gitea via Tailscale
</code>

Benefits of Tailscale access:
  * No port forwarding required
  * WireGuard encryption between nodes
  * Access control via Tailscale ACLs
  * No inbound exposure on the WAN address

==== 🔄 Hybrid Approach (Recommended) ====
**Public services (external access)**
  * Jitsi Meet: external users need direct access
  * Web services: public content via port forwarding
  * Git repository: public repositories via HTTPS

**Admin services (Tailscale access)**
  * Portainer: container management via VPN
  * Gitea admin: administrative functions via VPN
  * Monitoring: Grafana, Prometheus via VPN

===== 🔄 Dynamic DNS (DDNS) Configuration =====

==== 🌐 Automated DDNS Updates ====
Cloudflare DDNS configuration:
  * Update frequency: every 5 minutes
  * Domains: vish.gg and thevish.io
  * Record types: IPv4 (A) and IPv6 (AAAA)
  * Automation: 4 DDNS services running

DDNS services:
  * ''ddns-vish-proxied'': updates proxied A records for vish.gg
  * ''ddns-vish-unproxied'': updates DNS-only A records for vish.gg
  * ''ddns-thevish-proxied'': updates proxied records for thevish.io
  * ''ddns-thevish-unproxied'': updates DNS-only records for thevish.io

The API token used by these services should be scoped to DNS edit on the two zones only; it runs on the same host as the services it points at, so a compromise of that host would otherwise also yield zone-wide DNS control.

==== 📊 Service Categories ====
**Proxied services (Cloudflare protection)**
  * cal.vish.gg, reddit.vish.gg, www.vish.gg
  * matrix.thevish.io, joplin.thevish.io, www.thevish.io
  * Benefits: DDoS protection, caching, TLS termination at the edge (only effective if the origin refuses non-Cloudflare connections, see the web services caveat above)

**DNS-only services (direct access)**
  * git.vish.gg, meet.thevish.io, pw.vish.gg
  * api.vish.gg, spotify.vish.gg
  * Benefits: direct connection, no proxy overhead, non-HTTP ports work

===== 🚨 Troubleshooting & Diagnostics =====

==== 🔍 Common Issues & Solutions ====

=== Service Not Accessible Externally ===
Diagnostic steps:
  - Verify the port forward rule is enabled in the router
  - Confirm the internal service is running on the host
  - Test internal access first (192.168.0.x:port)
  - Check firewall rules on the target host
  - Verify the router's external IP hasn't changed (and that DDNS pushed the new one)
  - Test DNS resolution: ''nslookup domain.com''

Commands (run the external tests from outside the LAN, e.g. a phone on mobile data; from inside, NAT hairpinning says nothing about the forward):
<code bash>
docker compose ps                    # Check service status (docker-compose ps on Compose v1)
ss -tulnp | grep PORT                # Verify port binding (netstat -tulpn on older hosts)
nmap -Pn -p PORT domain.com          # Test external TCP reachability
sudo nmap -Pn -sU -p PORT domain.com # UDP ports need -sU; "open|filtered" is the normal answer for STUN/RTP
curl -I https://domain.com           # HTTP connectivity test
</code>

=== Jitsi Meet Connection Issues ===
WebRTC requires all ports; test each with the right transport:
<code bash>
nmap -Pn -p 4443 meet.thevish.io                 # Web interface (TCP)
sudo nmap -Pn -sU -p 3478 meet.thevish.io        # STUN server (UDP)
nmap -Pn -p 5349 meet.thevish.io                 # TURN over TLS (TCP)
sudo nmap -Pn -sU -p 49160-49200 meet.thevish.io # RTP range (UDP)
</code>

A UDP scan cannot distinguish "open" from "filtered" for a silent service; a STUN Binding request that receives a response is the only conclusive test for 3478.

Browser diagnostics:
  - Open the browser developer tools
  - Go to the Network tab during a call
  - Look for STUN/TURN connection attempts
  - Check for WebRTC errors in the console (''chrome://webrtc-internals'' shows the ICE candidate pairs)
  - Test with different networks/devices

=== Gitea SSH Access Problems ===
<code bash>
ssh -p 2222 -T git@git.vish.gg   # Test SSH auth; Gitea answers "Hi there, <user>!" on success
ssh-add -l                       # Check loaded SSH keys
cat ~/.ssh/id_ed25519.pub        # Verify the public key (or id_rsa.pub for RSA keys)
nmap -Pn -p 2222 git.vish.gg     # Test port accessibility
</code>

Gitea-specific checks:
<code bash>
docker compose logs gitea | grep -i ssh
# Check the Gitea SSH configuration in the admin panel
# Verify the SSH key is added to the Gitea user account
</code>

=== Portainer Access Issues ===
<code bash>
curl -Ik https://pw.vish.gg:9443   # Main interface (-k only if the certificate is self-signed)
nc -vz pw.vish.gg 8000             # Edge Agent tunnel is plain TCP, not HTTP; check the socket only
nc -vz pw.vish.gg 10000            # Additional services (TCP check)
</code>

Container diagnostics:
<code bash>
docker compose logs portainer
docker stats portainer
# Check Portainer logs for authentication errors
</code>

==== 🔧 Performance Optimization ====

=== Network Performance ===
<code bash>
iftop -i eth0     # Real-time bandwidth
vnstat -i eth0    # Historical usage
speedtest-cli     # Internet speed test
</code>

Optimize for concurrent users:
  * Jitsi: increase JVB memory allocation
  * Gitea: configure Git LFS for large files
  * Portainer: increase container resources

=== Service Performance ===
<code bash>
docker stats   # Container resource usage
htop           # System resource usage
df -h          # Disk space usage
</code>

Service-specific optimization:
  * Jitsi: configure for the expected number of concurrent meetings
  * Nginx: enable gzip compression and caching
  * Database: tune PostgreSQL settings

===== 📋 Maintenance & Configuration Management =====

==== 🔄 Regular Maintenance Tasks ====

=== Monthly Tasks ===
Security and monitoring:
  * □ Review access logs for all forwarded services
  * □ Test external access to all forwarded ports
  * □ Update service passwords and SSH keys
  * □ Backup router configuration
  * □ Verify DDNS updates are working
  * □ Check SSL certificate expiration dates

=== Quarterly Tasks ===
Comprehensive review:
  * □ Security audit of exposed services
  * □ Update all forwarded services to the latest versions
  * □ Review and prune port forwarding rules (every forward without a known listener and owner gets removed)
  * □ Test disaster recovery procedures
  * □ Audit user accounts and permissions
  * □ Review and update documentation

=== Annual Tasks ===
Major maintenance:
  * □ Complete security assessment
  * □ Review and update network architecture
  * □ Evaluate the need for additional security measures
  * □ Plan for service migrations or updates
  * □ Review and update disaster recovery plans
  * □ Comprehensive backup and restore testing

==== 📊 Configuration Backup & Documentation ====

=== Router Configuration ===
TP-Link Archer BE800 backup:
  * Export the configuration monthly
  * Document all port forward changes
  * Maintain a change log with dates and reasons
  * Store backup files securely (the export contains the admin credentials and WAN settings)
  * Test the configuration restoration procedure

=== Service Health Monitoring ===
Automated monitoring setup:
  * Uptime monitoring for each forwarded port
  * Health checks for critical services
  * Alerts for service failures
  * Performance metrics collection
  * Log aggregation and analysis

===== 🔗 Integration with Homelab Infrastructure =====

==== 🌐 Tailscale Mesh Integration ====
<code>
# Internal access alternatives
https://atlantis.tail.vish.gg:9443    # Portainer
https://atlantis.tail.vish.gg:4443    # Jitsi Meet
ssh://git@calypso.tail.vish.gg:2222   # Gitea SSH
</code>

Benefits:
  * No port forwarding required for admin access
  * Encryption via WireGuard
  * Access control via Tailscale ACLs
  * Works from anywhere with internet

==== 📊 Monitoring Integration ====
Service monitoring via Grafana/Prometheus:
  * External service availability monitoring
  * Response time tracking
  * Error rate monitoring
  * Resource usage correlation
  * Alert integration with notification services

==== 🔄 Backup Integration ====
Service data backup:
  * Gitea repositories: automated Git backups
  * Portainer configurations: volume backups
  * Jitsi recordings: cloud storage sync
  * Web service data: regular file system backups

----
//Last Updated: 2025-11-17//\\
//Active Port Forwards: 10 rules across 2 hosts//\\
//External Domains: 12 with automatic DDNS updates//\\
//DDNS Update Frequency: Every 5 minutes via Cloudflare//\\
//Security Status: All services monitored and hardened//
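The rule table and the notes under it (protocol "All" on TCP-only services, the undocumented port 10000, the admin ports that the hybrid approach wants behind Tailscale) can be checked mechanically. The following is an added example, not part of this page or of the router's tooling: it parses the DokuWiki table exactly as written above and applies those rules. ''TABLE'' is copied from the page; ''EXPECTED_PROTO'', ''UDP_RANGES'' and ''ADMIN_PORTS'' are this example's assumptions about what each port's service speaks.

```python
"""Audit the Archer BE800 port-forward table for over-broad or risky rules.

Added example (not part of the wiki page or the router firmware). TABLE is the
rule table copied from the page; the port-role maps are this example's assumptions.
"""
import socket
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TABLE = """
^ Service Name ^ Device IP ^ External Port ^ Internal Port ^ Protocol ^ Domain Access ^
| **jitsi3** | 192.168.0.200 | 4443 | 4443 | TCP | meet.thevish.io:4443 |
| **stun3** | 192.168.0.200 | 5349 | 5349 | All | meet.thevish.io:5349 |
| **stun2** | 192.168.0.200 | 49160-49200 | 49160-49200 | All | meet.thevish.io (RTP) |
| **stun1** | 192.168.0.200 | 3478 | 3478 | All | meet.thevish.io:3478 |
| **gitea** | 192.168.0.250 | 2222 | 2222 | All | git.vish.gg:2222 |
| **portainer2** | 192.168.0.200 | 8000 | 8000 | All | pw.vish.gg:8000 |
| **portainer2** | 192.168.0.200 | 9443 | 9443 | All | pw.vish.gg:9443 |
| **portainer2** | 192.168.0.200 | 10000 | 10000 | All | pw.vish.gg:10000 |
| **Https** | 192.168.0.250 | 443 | 443 | All | vish.gg:443 |
| **HTTP** | 192.168.0.250 | 80 | 80 | All | vish.gg:80 |
"""

# Assumption: the protocol each listening service actually speaks.
EXPECTED_PROTO: Dict[int, str] = {
    80: "TCP", 443: "TCP", 2222: "TCP", 4443: "TCP", 8000: "TCP", 9443: "TCP",
    3478: "All", 5349: "All",          # STUN/TURN legitimately use both TCP and UDP
}
UDP_RANGES = [(49160, 49200)]          # RTP / TURN relay media is UDP only
ADMIN_PORTS = {8000, 9443, 10000}      # Portainer: control of the Docker socket == root on the host


@dataclass
class Rule:
    name: str
    ip: str
    ext: Tuple[int, int]
    internal: Tuple[int, int]
    proto: str
    domain: str

    @property
    def port_label(self) -> str:
        lo, hi = self.ext
        return f"{lo}" if lo == hi else f"{lo}-{hi}"


def parse_range(text: str) -> Tuple[int, int]:
    """'4443' -> (4443, 4443); '49160-49200' -> (49160, 49200)."""
    lo, _, hi = text.partition("-")
    return int(lo), (int(hi) if hi else int(lo))


def parse_rules(table: str) -> List[Rule]:
    rules = []
    for line in table.splitlines():
        if not line.startswith("|"):          # "^" rows are headers; anything else is prose
            continue
        cells = [c.strip().strip("*") for c in line.strip().strip("|").split("|")]
        name, ip, ext, internal, proto, domain = cells
        rules.append(Rule(name, ip, parse_range(ext), parse_range(internal), proto, domain))
    return rules


def by_host(rules: List[Rule]) -> Dict[str, int]:
    return dict(Counter(r.ip for r in rules))


def audit(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Return (rule name, external port, finding) triples."""
    findings = []
    for r in rules:
        lo, hi = r.ext
        expected: Optional[str]
        if (lo, hi) in UDP_RANGES:
            expected = "UDP"
        elif lo == hi and lo in EXPECTED_PROTO:
            expected = EXPECTED_PROTO[lo]
        else:
            expected = None
            findings.append((r.name, r.port_label,
                             "no documented role for this port; check what listens with ss -tulnp before keeping it"))
        if expected and r.proto != expected:
            findings.append((r.name, r.port_label,
                             f"forwarded as {r.proto} but the service only speaks {expected}; narrow the rule"))
        if lo in ADMIN_PORTS:
            findings.append((r.name, r.port_label,
                             "administrative surface exposed to the internet; reach it over Tailscale instead"))
        if hi - lo != r.internal[1] - r.internal[0]:
            findings.append((r.name, r.port_label, "external and internal ranges differ in width"))
    return findings


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Live check for a TCP rule. Run it from outside the LAN: NAT hairpinning makes inside tests meaningless."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    rules = parse_rules(TABLE)
    print(by_host(rules))
    for name, port, msg in audit(rules):
        print(f"{name:<11} {port:<12} {msg}")
```

Run as-is it reports the seven-to-three split between Atlantis and Calypso and ten findings: the six "All" rules on TCP-only ports, the UDP-only RTP range, the three Portainer forwards as exposed admin surface, and port 10000 as a listener with no documented role. The four Jitsi rules other than the RTP range are clean.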
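The Jitsi troubleshooting section notes that an nmap UDP scan cannot tell an open STUN port from a filtered one. The conclusive check is to speak STUN: send a Binding request and see whether a Binding success response with the reflexive address comes back through the 3478 forward. The following is an added example, not code from the page or from Jitsi; it implements the RFC 5389 framing directly so nothing beyond the standard library is needed. The hostname in ''__main__'' is the page's, and the response bytes checked in the test are constructed.

```python
"""STUN Binding probe for a forwarded 3478/udp port (RFC 5389 framing).

Added example, not part of the wiki page or the Jitsi project.
"""
import os
import socket
import struct
from typing import Tuple

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txn_id: bytes) -> bytes:
    """20-byte header: type, length (no attributes), magic cookie, 96-bit transaction id."""
    if len(txn_id) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id


def parse_binding_response(data: bytes, txn_id: bytes) -> Tuple[str, int]:
    """Return (ip, port) from XOR-MAPPED-ADDRESS (or legacy MAPPED-ADDRESS) of a response to txn_id."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or data[8:20] != txn_id:
        raise ValueError("not a response to our transaction")   # stray or spoofed datagram
    if msg_type != BINDING_SUCCESS:
        raise ValueError(f"unexpected STUN message type 0x{msg_type:04x}")
    body = data[20:20 + length]
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)          # attribute values are padded to 4 bytes
        if atype not in (ATTR_XOR_MAPPED_ADDRESS, ATTR_MAPPED_ADDRESS) or len(value) < 8:
            continue
        family, port = struct.unpack("!xBH", value[:4])
        if family != 0x01:                    # this probe only handles IPv4
            continue
        addr = value[4:8]
        if atype == ATTR_XOR_MAPPED_ADDRESS:  # undo the XOR with the magic cookie (RFC 5389 15.2)
            port ^= MAGIC_COOKIE >> 16
            addr = bytes(b ^ m for b, m in zip(addr, struct.pack("!I", MAGIC_COOKIE)))
        return socket.inet_ntoa(addr), port
    raise ValueError("no mapped address attribute in response")


def stun_probe(host: str, port: int = 3478, timeout: float = 2.0) -> Tuple[str, int]:
    """Send one Binding request and return the reflexive (ip, port) the server saw us from."""
    txn = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(txn), (host, port))
        data, _ = sock.recvfrom(1500)
    return parse_binding_response(data, txn)


if __name__ == "__main__":
    # A timeout here means the 3478/udp forward (or coturn) is not answering; run from outside the LAN.
    print(stun_probe("meet.thevish.io"))
```

The reflexive address the server reports should be the WAN address of the network you are testing from; if it comes back at all, the forward and the STUN listener are working, and a mismatch with ''curl ifconfig.me'' points at a second NAT (CGNAT) in front of the router, which is also why TURN on 5349 is needed.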
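The web services caveat and the Service Categories section both hinge on one rule: a vhost for a Cloudflare-proxied name must refuse connections that did not arrive from Cloudflare, and ''CF-Connecting-IP'' may only be believed when the peer is Cloudflare, while the DNS-only names take the peer address as the client and ignore forwarding headers. The following is an added example, not part of the page or of Nginx, that encodes that decision so it can be tested against a few constructed requests. The proxied and DNS-only host sets are the page's; the IP ranges are Cloudflare's published IPv4 egress list and should be refreshed from https://www.cloudflare.com/ips/ rather than hardcoded in production.

```python
"""Origin-side admission check for a mixed proxied / DNS-only origin.

Added example (not from the page, Nginx or Cloudflare). Same logic as Nginx's
real_ip module with `set_real_ip_from <cloudflare ranges>` and
`real_ip_header CF-Connecting-IP` plus a `deny all` for non-Cloudflare peers.
"""
import ipaddress
from typing import Dict, Tuple

# Cloudflare's published IPv4 ranges at the time of writing; refresh from https://www.cloudflare.com/ips/
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# From the page's Service Categories section
PROXIED_HOSTS = {"cal.vish.gg", "reddit.vish.gg", "www.vish.gg",
                 "matrix.thevish.io", "joplin.thevish.io", "www.thevish.io"}
DNS_ONLY_HOSTS = {"git.vish.gg", "meet.thevish.io", "pw.vish.gg", "api.vish.gg", "spotify.vish.gg"}


def is_cloudflare(peer_ip: str) -> bool:
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in CLOUDFLARE_RANGES)


def admit(peer_ip: str, host_header: str, headers: Dict[str, str]) -> Tuple[str, str]:
    """Return ("allow" | "deny", client_ip_to_log).

    peer_ip is the TCP peer that hit the 443 forward; headers are the request headers.
    """
    host = host_header.lower().split(":")[0]      # drop an explicit :443
    via_cloudflare = is_cloudflare(peer_ip)

    if host in PROXIED_HOSTS:
        if not via_cloudflare:
            # Someone found the WAN address (trivial via the DNS-only names) and bypassed the proxy.
            return "deny", peer_ip
        # Only now is CF-Connecting-IP trustworthy: Cloudflare sets it, the client cannot.
        return "allow", headers.get("CF-Connecting-IP", peer_ip)

    if host in DNS_ONLY_HOSTS:
        # Direct service: the peer is the client. Never read X-Forwarded-For / CF-Connecting-IP here,
        # anyone on the internet can put whatever they like in those.
        return "allow", peer_ip

    return "deny", peer_ip                         # unknown Host header: default deny


if __name__ == "__main__":
    # Constructed requests: a direct hit on a proxied vhost, the same via Cloudflare, and a DNS-only host
    samples = [
        ("203.0.113.9", "cal.vish.gg", {"CF-Connecting-IP": "198.51.100.7"}),
        ("104.16.1.1", "cal.vish.gg", {"CF-Connecting-IP": "198.51.100.7"}),
        ("203.0.113.9", "git.vish.gg", {"X-Forwarded-For": "127.0.0.1"}),
    ]
    for peer, host, hdrs in samples:
        print(peer, host, "->", admit(peer, host, hdrs))
```

The first constructed request is the bypass the caveat describes: a direct connection to ''cal.vish.gg'' from a non-Cloudflare address, which must be refused even though it carries a plausible ''CF-Connecting-IP''. Cloudflare Tunnel or Authenticated Origin Pulls achieve the same end without maintaining the IP list.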
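The DDNS section describes four updaters that rewrite A/AAAA records every 5 minutes while keeping the proxied/unproxied split intact. The two properties a practitioner wants from such an updater are that it only writes when the address actually changed (so the Cloudflare audit log stays readable and a stuck lookup does not hammer the API) and that it never publishes a non-routable address, which is what happens when the "what is my IP" lookup fails or the router lands behind CGNAT. The following is an added example, not the ''ddns-*'' containers the page runs; it assumes ''CF_API_TOKEN'' (scoped to DNS:Edit on the zone) and ''CF_ZONE_ID'' in the environment, the Cloudflare v4 DNS records API, and that the caller supplies the detected WAN address. The record objects in the test are constructed.

```python
"""Idempotent Cloudflare DDNS update with a bogon guard.

Added example, not the page's ddns-* services. Assumes CF_API_TOKEN / CF_ZONE_ID
in the environment and the Cloudflare v4 API (GET/PATCH /zones/{zone}/dns_records).
"""
import ipaddress
import json
import os
import sys
import urllib.request
from typing import Dict, List, Optional

API = "https://api.cloudflare.com/client/v4"


def usable_public_ip(ip: Optional[str]) -> bool:
    """Refuse to publish anything that is not globally routable.

    Catches CGNAT (100.64.0.0/10), LAN, link-local and garbage from a broken lookup.
    """
    if not ip:
        return False
    try:
        return ipaddress.ip_address(ip).is_global
    except ValueError:
        return False


def plan_updates(records: List[dict], current: Dict[str, Optional[str]]) -> List[dict]:
    """records: DNS record objects as the Cloudflare API returns them (id, name, type, content, proxied).
    current: {"A": ipv4 or None, "AAAA": ipv6 or None}.

    Returns only the records whose content differs. proxied and ttl are left alone because
    the PATCH sends just the content field, so the proxied/unproxied split survives.
    """
    plan = []
    for rec in records:
        want = current.get(rec.get("type", ""))
        if not usable_public_ip(want):
            continue                      # not an address family we manage, or a bogon: do nothing
        if rec["content"] == want:
            continue                      # already correct: no write, no audit-log noise
        plan.append({"id": rec["id"], "name": rec["name"], "type": rec["type"],
                     "old": rec["content"], "new": want, "proxied": rec.get("proxied", False)})
    return plan


def _request(method: str, path: str, token: str, body: Optional[dict] = None) -> object:
    req = urllib.request.Request(
        f"{API}{path}", method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        out = json.load(resp)
    if not out.get("success"):
        raise RuntimeError(f"Cloudflare API error: {out.get('errors')}")
    return out["result"]


def list_records(zone_id: str, token: str) -> List[dict]:
    return _request("GET", f"/zones/{zone_id}/dns_records?per_page=500", token)


def apply_plan(zone_id: str, token: str, plan: List[dict]) -> None:
    for change in plan:
        _request("PATCH", f"/zones/{zone_id}/dns_records/{change['id']}", token, {"content": change["new"]})


if __name__ == "__main__":
    # usage: python ddns.py <detected WAN IPv4> [<detected WAN IPv6>]
    zone, token = os.environ["CF_ZONE_ID"], os.environ["CF_API_TOKEN"]
    current = {"A": sys.argv[1] if len(sys.argv) > 1 else None,
               "AAAA": sys.argv[2] if len(sys.argv) > 2 else None}
    plan = plan_updates(list_records(zone, token), current)
    for c in plan:
        print(f"{c['name']} {c['type']} {c['old']} -> {c['new']} (proxied={c['proxied']})")
    apply_plan(zone, token, plan)
```

Running this every 5 minutes from cron gives the same behaviour the page describes, with the difference that a lookup returning ''100.64.x.x'' or ''192.168.0.1'' results in no change rather than in twelve broken records.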