# 🌐 Port Forwarding Configuration

**🟡 Intermediate Guide**

This document details the current port forwarding configuration on the TP-Link Archer BE800 router, enabling external access to specific homelab services.

---

## 🔧 Current Port Forwarding Rules

Based on the TP-Link router configuration:

### **Active Port Forwards**

| Service Name | Device IP | External Port | Internal Port | Protocol | Purpose |
|--------------|-----------|---------------|---------------|----------|---------|
| **jitsi3** | 192.168.0.200 | 4443 | 4443 | TCP | Jitsi Meet video conferencing |
| **stun3** | 192.168.0.200 | 5349 | 5349 | All | STUN server for WebRTC |
| **stun2** | 192.168.0.200 | 49160-49200 | 49160-49200 | All | RTP media ports for Jitsi |
| **stun1** | 192.168.0.200 | 3478 | 3478 | All | Primary STUN server |
| **gitea** | 192.168.0.250 | 2222 | 2222 | All | Gitea SSH access |
| **portainer2** | 192.168.0.200 | 8000 | 8000 | All | Portainer Edge Agent |
| **portainer2** | 192.168.0.200 | 9443 | 9443 | All | Portainer HTTPS interface |
| **portainer2** | 192.168.0.200 | 10000 | 10000 | All | Portainer additional service |
| **Https** | 192.168.0.250 | 443 | 443 | All | HTTPS web services |
| **HTTP** | 192.168.0.250 | 80 | 80 | All | HTTP web services (redirects to HTTPS) |

---

## 🎯 Service Dependencies & Access

### **Jitsi Meet Video Conferencing (192.168.0.200)**

```bash
# External Access URLs:
https://your-domain.com:4443    # Jitsi Meet web interface

# Required Ports:
- 4443/TCP          # HTTPS web interface
- 5349/All          # TURN server for NAT traversal
- 3478/All          # STUN server for peer discovery
- 49160-49200/All   # RTP media streams (40 port range)

# Service Dependencies:
- Requires all 4 port ranges for full functionality
- WebRTC media negotiation depends on STUN/TURN
- RTP port range handles multiple concurrent calls
```

### **Gitea Git Repository (192.168.0.250 - Calypso)**

```bash
# External SSH Access:
git clone ssh://git@your-domain.com:2222/username/repo.git

# Required Ports:
- 2222/All          # SSH access for Git operations

# Service Dependencies:
- SSH key authentication required
- Alternative to HTTPS Git access
- Enables Git operations from external networks
```

### **Portainer Container Management (192.168.0.200)**

```bash
# External Access URLs:
https://your-domain.com:9443    # Main Portainer interface
https://your-domain.com:8000    # Edge Agent communication
https://your-domain.com:10000   # Additional services

# Required Ports:
- 9443/All          # Primary HTTPS interface
- 8000/All          # Edge Agent communication
- 10000/All         # Extended functionality

# Service Dependencies:
- All three ports required for full Portainer functionality
- Edge Agent enables remote Docker management
- HTTPS interface provides web-based container management
```

### **Web Services (192.168.0.250 - Calypso)**

```bash
# External Access URLs:
https://your-domain.com         # Main web services (443)
http://your-domain.com          # HTTP redirect to HTTPS (80)

# Required Ports:
- 443/All           # HTTPS web services
- 80/All            # HTTP (typically redirects to HTTPS)

# Service Dependencies:
- Reverse proxy (likely Nginx/Traefik) on Calypso
- SSL/TLS certificates for HTTPS
- Automatic HTTP to HTTPS redirection
```

---

## 🏠 Host Mapping

### **192.168.0.200 - Atlantis (Primary NAS)**

- **Jitsi Meet**: Video conferencing platform
- **Portainer**: Container management interface
- **Services**: 4 port forwards (Jitsi + Portainer)

### **192.168.0.250 - Calypso (Development Server)**

- **Gitea**: Git repository hosting
- **Web Services**: HTTPS/HTTP reverse proxy
- **Services**: 3 port forwards (Git SSH + Web)

---

## 🔒 Security Considerations

### **Exposed Services Risk Assessment**

#### **High Security Services** ✅

- **HTTPS (443)**: Encrypted web traffic, reverse proxy protected
- **Jitsi Meet (4443)**: Encrypted video conferencing
- **Portainer HTTPS (9443)**: Encrypted container management

#### **Medium Security Services** ⚠️

- **Gitea SSH (2222)**: SSH key authentication required
- **Portainer Edge (8000)**: Agent communication, should be secured
- **HTTP (80)**: Unencrypted, should redirect to HTTPS

#### **Network Services** 🔧

- **STUN/TURN (3478, 5349)**: Required for WebRTC, standard protocols
- **RTP Range (49160-49200)**: Media streams, encrypted by Jitsi

### **Security Recommendations**

```bash
# 1. Ensure Strong Authentication
- Use SSH keys for Gitea (port 2222)
- Enable 2FA on Portainer (port 9443)
- Implement strong passwords on all services

# 2. Monitor Access Logs
- Review Nginx/reverse proxy logs regularly
- Monitor failed authentication attempts
- Set up alerts for suspicious activity

# 3. Keep Services Updated
- Regular security updates for all exposed services
- Monitor CVE databases for vulnerabilities
- Implement automated security scanning

# 4. Network Segmentation
- Consider moving exposed services to a DMZ
- Implement firewall rules between network segments
- Use VLANs to isolate public-facing services
```

---

## 🌐 External Access Methods

### **Primary Access (Port Forwarding)**

```bash
# Direct external access via domain names (DDNS updated every 5 minutes)
https://pw.vish.gg:9443         # Portainer
https://meet.thevish.io:4443    # Jitsi Meet (primary)
ssh://git@git.vish.gg:2222      # Gitea SSH

# Alternative domain access
https://vish.gg:9443            # Portainer (main domain)
https://meet.vish.gg:4443       # Jitsi Meet (alt domain)
https://www.vish.gg             # Main web services (HTTPS)
https://vish.gg                 # Main web services (HTTPS)

# Additional service domains (from Cloudflare DNS)
https://cal.vish.gg             # Calendar service (proxied)
https://reddit.vish.gg          # Reddit alternative (proxied)
https://www.thevish.io          # Alternative main domain (proxied)
https://matrix.thevish.io       # Matrix chat server (proxied)
https://joplin.thevish.io       # Joplin notes (proxied)
```

### **Alternative Access (Tailscale)**

```bash
# Secure mesh VPN access (recommended)
https://atlantis.tail.vish.gg:9443      # Portainer via Tailscale
https://atlantis.tail.vish.gg:4443      # Jitsi via Tailscale
ssh://git@calypso.tail.vish.gg:2222     # Gitea via Tailscale
```

### **Hybrid Approach**

- **Public Services**: Jitsi Meet (external users need direct access)
- **Admin Services**: Portainer, Gitea (use Tailscale for security)
- **Web Services**: Public content via port forwarding, admin via Tailscale

---

## 🔧 Configuration Management

### **Router Configuration Backup**

```bash
# Regular backups of port forwarding rules
- Export TP-Link configuration monthly
- Document all port forward changes
- Maintain a change log with dates and reasons
```

### **Service Health Monitoring**

```bash
# Monitor forwarded services
- Set up uptime monitoring for each forwarded port
- Implement health checks for critical services
- Configure alerts for service failures
```

### **Dynamic DNS Configuration**

```bash
# Automated DDNS updates via Cloudflare
- DDNS updater runs every 5 minutes
- Updates both vish.gg and thevish.io domains
- Handles both IPv4 (A) and IPv6 (AAAA) records
- Proxied services: cal, reddit, www, matrix, joplin
- DNS-only services: git, meet, pw, api, spotify

# DDNS Services Running:
- ddns-vish-proxied:        Updates proxied A records
- ddns-vish-unproxied:      Updates DNS-only A records
- ddns-thevish-proxied:     Updates thevish.io proxied records
- ddns-thevish-unproxied:   Updates thevish.io DNS-only records
```

---

## 🚨 Troubleshooting

### **Common Issues**

#### **Service Not Accessible Externally**

```bash
# Checklist:
1. Verify the port forward rule is enabled
2. Confirm the internal service is running
3. Test internal access first (192.168.0.x:port)
4. Check firewall rules on the target host
5. Verify the router's external IP hasn't changed
```

#### **Jitsi Meet Connection Issues**

```bash
# WebRTC requires all ports:
1. Test STUN server: 3478, 5349
2. Verify RTP range: 49160-49200
3. Check browser WebRTC settings
4. Test with different networks/devices
```

#### **Gitea SSH Access Problems**

```bash
# SSH troubleshooting:
1. Verify SSH key is added to Gitea
2. Test SSH connection: ssh -p 2222 git@git.vish.gg
3. Check Gitea SSH configuration
4. Verify port 2222 is not blocked by ISP
```

---

## 📋 Maintenance Tasks

### **Monthly Tasks**

- [ ] Review access logs for all forwarded services
- [ ] Test external access to all forwarded ports
- [ ] Update service passwords and SSH keys
- [ ] Backup router configuration

### **Quarterly Tasks**

- [ ] Security audit of exposed services
- [ ] Update all forwarded services to latest versions
- [ ] Review and optimize port forwarding rules
- [ ] Test disaster recovery procedures

### **Annual Tasks**

- [ ] Complete security assessment
- [ ] Review and update documentation
- [ ] Evaluate need for additional security measures
- [ ] Plan for service migrations or updates

---

*This port forwarding configuration enables external access to critical homelab services while maintaining security through proper authentication and monitoring.*
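The "Monitor Access Logs" recommendation above asks for failed authentication attempts to be tracked and alerted on. The following script is an added example, not part of this document or of any of the services it describes: it parses OpenSSH and Nginx access log lines, counts failed logins and 401/403 responses per source address, and flags any source that exceeds a threshold inside a sliding time window. The log lines are constructed samples, and the threshold, window and syslog year are assumptions to adjust for your own hosts.

```python
"""Flag source IPs with repeated failed authentication in sshd and Nginx logs.

Added example for the "Monitor Access Logs" recommendation; it is not part of
the original document. SAMPLE_LOG is constructed, and SYSLOG_YEAR, the
threshold and the window are assumptions.
"""
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

SYSLOG_YEAR = 2025  # syslog lines carry no year; assumed for the sample data

# OpenSSH failed login, syslog format:
#   "Jan 12 03:14:01 calypso sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2"
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
# Nginx "combined" access log line; only the fields up to the status are needed
NGINX_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

# Constructed sample: a burst of failures from one address, one stray failure
# from a legitimate user, and one unauthenticated API probe on the reverse proxy.
SAMPLE_LOG = """\
Jan 12 03:14:01 calypso sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 12 03:14:03 calypso sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 12 03:14:05 calypso sshd[2205]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jan 12 03:14:09 calypso sshd[2207]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 12 03:14:12 calypso sshd[2209]: Failed publickey for git from 203.0.113.5 port 51242 ssh2
Jan 12 03:14:15 calypso sshd[2211]: Failed password for git from 203.0.113.5 port 51244 ssh2
Jan 12 03:20:40 calypso sshd[2250]: Accepted publickey for git from 198.51.100.7 port 40010 ssh2
Jan 12 03:21:02 calypso sshd[2252]: Failed publickey for git from 198.51.100.7 port 40012 ssh2
192.0.2.9 - - [12/Jan/2025:03:22:10 +0000] "GET /api/status HTTP/1.1" 401 38 "-" "curl/8.4.0"
192.0.2.9 - - [12/Jan/2025:03:22:11 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.4.0"
"""


def parse_line(line):
    """Return (timestamp, source_ip, detail) for a failed-auth line, else None."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        return ts, m["ip"], f"sshd user={m['user']}"
    m = NGINX_RE.match(line)
    if m and m["status"] in ("401", "403"):
        # drop the "+0000" zone; the sample is treated as naive UTC
        ts = datetime.strptime(m["ts"].split(" ")[0], "%d/%b/%Y:%H:%M:%S")
        return ts, m["ip"], f"http {m['status']} {m['req']}"
    return None


def failed_auth_events(lines):
    """All failed-auth events found in an iterable of log lines."""
    return [ev for ev in (parse_line(line) for line in lines) if ev]


def flag_sources(events, threshold=5, window=timedelta(minutes=10)):
    """Map source IP -> peak number of failures inside any `window`, for
    sources whose peak reaches `threshold` (a two-pointer sliding window)."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    # Usage: python failed_auth.py [/var/log/auth.log ...]; no args runs the sample
    lines = []
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            lines.extend(fh.read().splitlines())
    events = failed_auth_events(lines or SAMPLE_LOG.splitlines())
    for ip, count in sorted(flag_sources(events).items(), key=lambda kv: -kv[1]):
        print(f"ALERT {ip}: {count} failed auth attempts within 10 minutes")
```

Pointed at the real `auth.log` and reverse-proxy access log on Calypso, the same script gives the per-source counts that the recommended alerting needs; the detail field is kept on each event so a hit can be traced back to the user or request path that was targeted.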
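The "Service Not Accessible Externally" checklist above is easier to repeat every month if steps 3 and 5 are scripted. The following is an added example, not code from this document or from the router: it loads the active port forwards, checks that no two rules claim overlapping external ports (the router can only forward a port to one host), tests internal TCP reachability of every TCP-capable rule from inside the LAN, and compares the current DNS answer for a DDNS name with the router's known external IP. The rule rows are copied from the table above; the comma-separated layout, the hostname and the expected IP are assumptions.

```python
"""Audit the forwarding table and verify steps 3 and 5 of the checklist.

Added example for the "Service Not Accessible Externally" checklist; it is not
part of the original document. RULE_TABLE holds the document's rules in an
assumed comma-separated layout; DDNS_NAME and EXPECTED_IP are placeholders.
"""
import socket
import sys
from dataclasses import dataclass

RULE_TABLE = """\
jitsi3,192.168.0.200,4443,4443,TCP
stun3,192.168.0.200,5349,5349,All
stun2,192.168.0.200,49160-49200,49160-49200,All
stun1,192.168.0.200,3478,3478,All
gitea,192.168.0.250,2222,2222,All
portainer2,192.168.0.200,8000,8000,All
portainer2,192.168.0.200,9443,9443,All
portainer2,192.168.0.200,10000,10000,All
Https,192.168.0.250,443,443,All
HTTP,192.168.0.250,80,80,All
"""

DDNS_NAME = "ddns.example.invalid"   # placeholder: one of the DNS-only names
EXPECTED_IP = "203.0.113.1"          # placeholder: WAN IP shown on the router


@dataclass(frozen=True)
class Rule:
    name: str
    ip: str
    ext: tuple       # (low, high) external port range
    internal: tuple  # (low, high) internal port range
    proto: str       # TCP, UDP or All


def parse_range(text):
    """'443' -> (443, 443); '49160-49200' -> (49160, 49200)."""
    low, _, high = text.partition("-")
    low, high = int(low), int(high) if high else int(low)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"bad port range {text!r}")
    return low, high


def parse_rules(table):
    rules = []
    for line in table.splitlines():
        if not line.strip():
            continue
        name, ip, ext, internal, proto = (f.strip() for f in line.split(","))
        rules.append(Rule(name, ip, parse_range(ext), parse_range(internal), proto))
    return rules


def find_overlaps(rules):
    """Pairs of rule names whose external ranges overlap; only one can win."""
    hits = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.ext[0] <= b.ext[1] and b.ext[0] <= a.ext[1]:
                hits.append((a.name, b.name))
    return hits


def check_tcp(host, port, timeout=2.0):
    """Step 3: can the service be reached on its internal address from the LAN?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_internal(rules, connect=check_tcp):
    """Probe the first internal port of every TCP-capable rule.
    Returns {'name:port': reachable}; `connect` is injectable for testing."""
    results = {}
    for r in rules:
        if r.proto.upper() not in ("TCP", "ALL"):
            continue  # UDP-only rules cannot be probed with a TCP connect
        port = r.internal[0]
        results[f"{r.name}:{port}"] = connect(r.ip, port)
    return results


def external_ip_matches(hostname, expected_ip, resolve=socket.gethostbyname):
    """Step 5: does the DDNS name still resolve to the router's external IP?"""
    try:
        return resolve(hostname) == expected_ip
    except OSError:
        return False


if __name__ == "__main__":
    rules = parse_rules(RULE_TABLE)
    for a, b in find_overlaps(rules):
        print(f"CONFLICT: rules {a} and {b} share external ports")
    for key, ok in check_internal(rules).items():
        print(f"{'ok  ' if ok else 'FAIL'} internal {key}")
    if not external_ip_matches(DDNS_NAME, EXPECTED_IP):
        print(f"WARN: {DDNS_NAME} does not resolve to {EXPECTED_IP}")
        sys.exit(1)
```

Run it from a host on the 192.168.0.0/24 LAN so the internal probes reach Atlantis and Calypso directly; a rule that passes here but fails from outside points at the router rule, the ISP or DDNS rather than the service itself. The STUN/RTP rules are marked "All" and so get a TCP probe too; a FAIL on those only means the TCP side is closed, which is normal for UDP-only media ports.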