# 🔌 Port Forwarding Configuration

**🟡 Intermediate Infrastructure Guide**

This document details the current port forwarding configuration on the TP-Link Archer BE800 router, enabling external access to specific homelab services with automatic DDNS updates every 5 minutes.

> **🌐 Automatic Domain Updates**
> All domains are automatically updated via Cloudflare DDNS every 5 minutes, eliminating the need for manual IP management.

## 🔧 Current Port Forwarding Rules

Based on the TP-Link Archer BE800 router configuration:

### 📊 Active Port Forwards Summary

| Service Name | Device IP | External Port | Internal Port | Protocol | Domain Access |
|--------------|-----------|---------------|---------------|----------|---------------|
| **jitsi3** | 192.168.0.200 | 4443 | 4443 | TCP | meet.thevish.io:4443 |
| **stun3** | 192.168.0.200 | 5349 | 5349 | All | meet.thevish.io:5349 |
| **stun2** | 192.168.0.200 | 49160-49200 | 49160-49200 | All | meet.thevish.io (RTP) |
| **stun1** | 192.168.0.200 | 3478 | 3478 | All | meet.thevish.io:3478 |
| **gitea** | 192.168.0.250 | 2222 | 2222 | All | git.vish.gg:2222 |
| **portainer2** | 192.168.0.200 | 8000 | 8000 | All | pw.vish.gg:8000 |
| **portainer2** | 192.168.0.200 | 9443 | 9443 | All | pw.vish.gg:9443 |
| **portainer2** | 192.168.0.200 | 10000 | 10000 | All | pw.vish.gg:10000 |
| **Https** | 192.168.0.250 | 443 | 443 | All | vish.gg:443 |
| **HTTP** | 192.168.0.250 | 80 | 80 | All | vish.gg:80 |

> **Note on "All":** the router forwards both TCP and UDP for these rules. Only the STUN/TURN and RTP rules need UDP; SSH (2222), HTTPS (443, 9443) and HTTP (80) are TCP-only, so those rules can be tightened to TCP without breaking anything and with one less protocol exposed.

## 🎯 Service Dependencies & External Access

### 🎥 Jitsi Meet Video Conferencing (192.168.0.200 - Atlantis)

#### External Access URLs

```
https://meet.thevish.io:4443    # Primary Jitsi Meet web interface
https://meet.vish.gg:4443       # Alternative domain access
```

#### Required Port Configuration

| Port | Protocol | Purpose | Critical |
|------|----------|---------|----------|
| 4443 | TCP | HTTPS web interface | ✅ Essential |
| 5349 | All | TURN server over TLS (turns) for NAT traversal | ✅ Essential |
| 3478 | All | STUN server for address discovery (UDP) | ✅ Essential |
| 49160-49200 | All | RTP media streams (41 ports, inclusive) | ✅ Essential |

#### Service Dependencies

```
# WebRTC Media Flow
Internet → Router:4443        → Atlantis:4443        → jitsi-web:443
Internet → Router:3478        → Atlantis:3478        → STUN server
Internet → Router:5349        → Atlantis:5349        → TURN server (TLS)
Internet → Router:49160-49200 → Atlantis:49160-49200 → RTP streams

# All 4 port ranges required for full functionality:
- WebRTC media negotiation depends on STUN/TURN
- RTP port range handles multiple concurrent calls
- HTTPS interface provides web-based meeting access
```

### 📝 Gitea Git Repository (192.168.0.250 - Calypso)

#### External Access URLs

```
# SSH Git Operations
ssh://git@git.vish.gg:2222

# Web Interface
https://git.vish.gg

# Git Commands
git clone ssh://git@git.vish.gg:2222/username/repo.git
git remote add origin ssh://git@git.vish.gg:2222/username/repo.git
git push origin main
```

#### Port Configuration

| Port | Protocol | Purpose | Authentication |
|------|----------|---------|----------------|
| 2222 | All (TCP suffices) | SSH access for Git operations | SSH Keys Required |

#### Service Dependencies

```
# SSH Git Access Flow
Internet → Router:2222 → Calypso:2222 → gitea:22

# Requirements:
- SSH key authentication required (password auth disabled)
- Alternative to HTTPS Git access
- Enables Git operations from external networks
- Web interface accessible via reverse proxy on port 443
```

### 🐳 Portainer Container Management (192.168.0.200 - Atlantis)

#### External Access URLs

```
https://pw.vish.gg:9443    # Primary Portainer HTTPS interface
https://vish.gg:9443       # Alternative domain access (only works if the apex record is DNS-only; Cloudflare's proxy does not pass port 9443)
pw.vish.gg:8000            # Edge Agent tunnel endpoint (not a browser UI)
pw.vish.gg:10000           # Listed as "additional services"; see the note below
```

#### Port Configuration

| Port | Protocol | Purpose | Security Level |
|------|----------|---------|----------------|
| 9443 | All | Primary HTTPS interface | 🔒 High |
| 8000 | All | Edge Agent communication | ⚠️ Medium |
| 10000 | All | Extended functionality | ⚠️ Medium |

> **Note on 10000:** Portainer's documented listeners are 9443 (HTTPS UI), 9000 (HTTP UI) and 8000 (Edge Agent tunnel); 10000 is not one of them. UDP 10000 is, however, the default Jitsi Videobridge media port, and JVB runs on the same host (Atlantis). Check what is actually bound (`ss -tulpn | grep 10000` on Atlantis) before relying on the label in the router.

#### Service Dependencies

```
# Container Management Flow
Internet → Router:9443  → Atlantis:9443  → portainer:9443
Internet → Router:8000  → Atlantis:8000  → portainer:8000
Internet → Router:10000 → Atlantis:10000 → portainer:10000

# All three ports required for full Portainer functionality:
- 9443: Primary HTTPS interface for web management
- 8000: Edge Agent tunnel (only needs a forward if Edge agents run outside the LAN)
- 10000: Extended functionality and additional services (verify; see note above)
```

### 🌍 Web Services (192.168.0.250 - Calypso)

#### External Access URLs

```
https://vish.gg               # Main web services (HTTPS)
https://www.vish.gg           # WWW subdomain
http://vish.gg                # HTTP (redirects to HTTPS)

# Additional Cloudflare Proxied Services:
https://cal.vish.gg           # Calendar service
https://reddit.vish.gg        # Reddit alternative
https://matrix.thevish.io     # Matrix chat server
https://joplin.thevish.io     # Joplin notes
https://www.thevish.io        # Alternative main domain
```

#### Port Configuration

| Port | Protocol | Purpose | Redirect |
|------|----------|---------|----------|
| 443 | All | HTTPS web services | Primary |
| 80 | All | HTTP (redirects to HTTPS) | → 443 |

#### Service Dependencies

```
# Web Services Flow
Internet → Router:443 → Calypso:443 → nginx:443
Internet → Router:80  → Calypso:80  → nginx:80 → redirect to 443

# Requirements:
- Reverse proxy (Nginx) on Calypso handles routing
- SSL/TLS certificates for HTTPS (Let's Encrypt)
- Automatic HTTP to HTTPS redirection
- Cloudflare proxy protection for some subdomains
```

## 🏠 Host Mapping & Service Distribution

### 📊 Services by Host

| Host | IP Address | Services | Port Forwards | Primary Function |
|------|------------|----------|---------------|------------------|
| **Atlantis** | 192.168.0.200 | 45 services | 7 forwards | Jitsi Meet, Portainer |
| **Calypso** | 192.168.0.250 | 38 services | 3 forwards | Gitea SSH, Web Services |

### 🔌 Port Forward Distribution

#### Atlantis (192.168.0.200)

- **Jitsi Meet Video Conferencing**: 4 port forwards
  - 4443/TCP: HTTPS web interface
  - 5349/All: TURN server (TLS)
  - 49160-49200/All: RTP
    media (41 ports, inclusive)
  - 3478/All: STUN server
- **Portainer Container Management**: 3 port forwards
  - 9443/All: HTTPS interface
  - 8000/All: Edge Agent
  - 10000/All: Additional services

#### Calypso (192.168.0.250)

- **Gitea Git Repository**: 1 port forward
  - 2222/All: SSH Git access
- **Web Services**: 2 port forwards
  - 443/All: HTTPS web services
  - 80/All: HTTP (redirects to HTTPS)

## 🔒 Security Analysis & Risk Assessment

### ✅ High Security Services

| Service | Port | Security Features | Risk Level |
|---------|------|-------------------|------------|
| **HTTPS Web (443)** | 443 | Encrypted traffic, reverse proxy protected | 🟢 Low |
| **Jitsi Meet (4443)** | 4443 | Encrypted video conferencing, HTTPS | 🟢 Low |

### ⚠️ Medium Security Services

| Service | Port | Security Considerations | Recommendations |
|---------|------|------------------------|-----------------|
| **Portainer HTTPS (9443)** | 9443 | Encrypted, but the UI drives the Docker socket on Atlantis: a leaked credential or a Portainer bug is root on the host | Enable 2FA; prefer Tailscale-only access and drop the forward (see Hybrid Approach) |
| **Gitea SSH (2222)** | 2222 | SSH key authentication required | Monitor access logs; restrict the rule to TCP |
| **Portainer Edge (8000)** | 8000 | Agent communication, should be secured | Implement IP restrictions, or remove the forward if no Edge agent runs outside the LAN |
| **HTTP (80)** | 80 | Unencrypted, should redirect to HTTPS | Verify redirect works |

### 🔧 Network Services

| Service | Ports | Protocol Type | Security Notes |
|---------|-------|---------------|----------------|
| **STUN/TURN** | 3478, 5349 | Standard WebRTC protocols | STUN on 3478 is plaintext but carries no media; TURN on 5349 is TLS-wrapped |
| **RTP Media** | 49160-49200 | Media streams | SRTP keyed via DTLS, mandatory in WebRTC; 41 ports |

### 🛡️ Security Recommendations

#### Authentication & Access Control

```
# 1. Strong Authentication
- SSH keys for Gitea (port 2222) - disable password auth
- 2FA on Portainer (port 9443) - enable for all users
- Strong passwords on all web services
- Regular credential rotation

# 2. Access Monitoring
- Review Nginx/reverse proxy logs regularly
- Monitor failed authentication attempts
- Set up alerts for suspicious activity
- Log SSH access attempts on port 2222

# 3. Network Security
- Consider IP whitelisting for admin services
- Implement rate limiting on web interfaces
- Use VPN (Tailscale) for administrative access
- Regular security updates for all exposed services
```

#### Service Hardening

```
# 4. Service Security
- Keep all exposed services updated
- Monitor CVE databases for vulnerabilities
- Implement automated security scanning
- Regular backup of service configurations

# 5. Network Segmentation
- Consider moving exposed services to DMZ
- Implement firewall rules between network segments
- Use VLANs to isolate public-facing services
- Monitor inter-service communication
```

## 🌐 External Access Methods & Alternatives

### 🔌 Primary Access (Port Forwarding)

```
# Direct external access via domain names (DDNS updated every 5 minutes)
https://pw.vish.gg:9443          # Portainer
https://meet.thevish.io:4443     # Jitsi Meet (primary)
ssh://git@git.vish.gg:2222       # Gitea SSH

# Alternative domain access
https://vish.gg:9443             # Portainer (main domain)
https://meet.vish.gg:4443        # Jitsi Meet (alt domain)
https://www.vish.gg              # Main web services (HTTPS)
https://vish.gg                  # Main web services (HTTPS)

# Additional service domains (from Cloudflare DNS)
https://cal.vish.gg              # Calendar service (proxied)
https://reddit.vish.gg           # Reddit alternative (proxied)
https://www.thevish.io           # Alternative main domain (proxied)
https://matrix.thevish.io        # Matrix chat server (proxied)
https://joplin.thevish.io        # Joplin notes (proxied)
```

### 🔗 Alternative Access (Tailscale VPN)

```
# Secure mesh VPN access (recommended for admin)
https://atlantis.tail.vish.gg:9443      # Portainer via Tailscale
https://atlantis.tail.vish.gg:4443      # Jitsi via Tailscale
ssh://git@calypso.tail.vish.gg:2222     # Gitea via Tailscale

# Benefits of Tailscale access:
- No port forwarding required
- End-to-end
  encryption
- Access control via Tailscale ACLs
- No exposure to internet threats
```

### 🔄 Hybrid Approach (Recommended)

```
# Public Services (External Access)
- Jitsi Meet: External users need direct access
- Web Services: Public content via port forwarding
- Git Repository: Public repositories via HTTPS

# Admin Services (Tailscale Access)
- Portainer: Container management via VPN
- Gitea Admin: Administrative functions via VPN
- Monitoring: Grafana, Prometheus via VPN
```

## 🔄 Dynamic DNS (DDNS) Configuration

### 🌐 Automated DDNS Updates

```
# Cloudflare DDNS Configuration
- Update Frequency: Every 5 minutes
- Domains: vish.gg and thevish.io
- Record Types: IPv4 (A) and IPv6 (AAAA)
- Automation: 4 DDNS services running

# DDNS Services:
- ddns-vish-proxied:      Updates proxied A records for vish.gg
- ddns-vish-unproxied:    Updates DNS-only A records for vish.gg
- ddns-thevish-proxied:   Updates proxied records for thevish.io
- ddns-thevish-unproxied: Updates DNS-only records for thevish.io
```

### 📊 Service Categories

```
# Proxied Services (Cloudflare Protection)
- cal.vish.gg, reddit.vish.gg, www.vish.gg
- matrix.thevish.io, joplin.thevish.io, www.thevish.io
- Benefits: DDoS protection, caching, SSL termination

# DNS-Only Services (Direct Access)
- git.vish.gg, meet.thevish.io, pw.vish.gg
- api.vish.gg, spotify.vish.gg
- Benefits: Direct connection, no proxy overhead
- Caveat: DNS-only records publish the home WAN IP. They are unavoidable for
  the non-HTTP ports (2222, 3478, 4443, 5349, 9443), because Cloudflare's
  proxy only forwards HTTP(S) on a fixed set of ports.
```

## 🚨 Troubleshooting & Diagnostics

### 🔍 Common Issues & Solutions

#### Service Not Accessible Externally

```
# Diagnostic Steps:
1. Verify port forward rule is enabled in router
2. Confirm internal service is running on host
3. Test internal access first (192.168.0.x:port)
4. Check firewall rules on target host
5. Verify router external IP hasn't changed
6. Test DNS resolution: nslookup domain.com

# Commands (run the external checks from outside the LAN, e.g. a phone hotspot;
# hairpin NAT through the router does not prove the forward works from the internet):
docker-compose ps                  # Check service status
ss -tulpn | grep PORT              # Verify port binding (netstat -tulpn on older hosts)
nmap -p PORT domain.com            # Test external access (TCP); add -sU for UDP ports
curl -I https://domain.com         # HTTP connectivity test
```

#### Jitsi Meet Connection Issues

```
# WebRTC requires all ports - test each (from outside the LAN):
nmap -p 4443 meet.thevish.io               # Web interface (TCP)
nmap -sU -p 3478 meet.thevish.io           # STUN server (UDP; -sU needs root)
nmap -p 5349 meet.thevish.io               # TURN over TLS (TCP)
nmap -sU -p 49160-49200 meet.thevish.io    # RTP range (UDP)
# UDP ports that drop probes show as open|filtered, so nmap cannot tell a working
# forward from a dead one; confirm 3478 with a real STUN Binding Request.

# Browser diagnostics:
1. Open browser developer tools
2. Go to Network tab during call
3. Look for STUN/TURN connection attempts
4. Check for WebRTC errors in console (Chrome: chrome://webrtc-internals)
5. Test with different networks/devices
```

#### Gitea SSH Access Problems

```
# SSH troubleshooting steps:
ssh -p 2222 -T git@git.vish.gg       # Test SSH connection (Gitea greets a known key by username)
ssh-add -l                           # Check loaded SSH keys
cat ~/.ssh/id_ed25519.pub            # Verify public key (or id_rsa.pub)
nmap -p 2222 git.vish.gg             # Test port accessibility

# Gitea-specific checks:
docker-compose logs gitea | grep -i ssh
# Check Gitea SSH configuration in admin panel
# Verify SSH key is added to Gitea user account
```

#### Portainer Access Issues

```
# Test all Portainer ports:
curl -I https://pw.vish.gg:9443      # Main interface (add -k only if it still uses Portainer's self-signed cert)
nc -vz pw.vish.gg 8000               # Edge Agent tunnel port: a reachability check, it is not a browser UI
nc -vz pw.vish.gg 10000              # "Additional services" (TCP); use nc -vzu if it turns out to be UDP

# Container diagnostics:
docker-compose logs portainer
docker stats portainer
# Check Portainer logs for authentication errors
```

### 🔧 Performance Optimization

#### Network Performance

```
# Monitor bandwidth usage:
iftop -i eth0        # Real-time bandwidth
vnstat -i eth0       # Historical usage
speedtest-cli        # Internet speed test

# Optimize for concurrent users:
# Jitsi: Increase JVB memory allocation
# Gitea: Configure Git LFS for large files
# Portainer: Increase container resources
```

#### Service Performance

```
# Resource monitoring:
docker stats         # Container resource usage
htop                 # System resource usage
df -h                # Disk space usage

# Service-specific optimization:
# Jitsi: Configure for expected concurrent meetings
# Nginx: Enable gzip compression and caching
# Database: Optimize PostgreSQL settings
```

## 📋 Maintenance & Configuration Management

### 🔄 Regular Maintenance Tasks

#### Monthly Tasks

```
# Security and monitoring:
□ Review access logs for all forwarded services
□ Test external access to all forwarded ports
□ Update service passwords and SSH keys
□ Backup router configuration
□ Verify DDNS updates are working
□ Check SSL certificate expiration dates
```

#### Quarterly Tasks

```
# Comprehensive review:
□ Security audit of exposed services
□ Update all forwarded services to latest versions
□ Review and optimize port forwarding rules
□ Test disaster recovery procedures
□ Audit user accounts and permissions
□ Review and update documentation
```

#### Annual Tasks

```
# Major maintenance:
□ Complete security assessment
□ Review and update network architecture
□ Evaluate need for additional security measures
□ Plan for service migrations or updates
□ Review and update disaster recovery plans
□ Comprehensive backup and restore testing
```

### 📊 Configuration Backup & Documentation

#### Router Configuration

```
# TP-Link Archer BE800 backup:
- Export configuration monthly
- Document all port forward changes
- Maintain change log with dates and reasons
- Store backup files securely (the export is the full device config, Wi-Fi keys included; treat it as a secret)
- Test configuration restoration procedures
```

#### Service Health Monitoring

```
# Automated monitoring setup:
- Uptime monitoring for each forwarded port
- Health checks for critical services
- Alerts for service failures
- Performance metrics collection
- Log aggregation and analysis
```

## 🔗 Integration with Homelab Infrastructure

### 🌐 Tailscale Mesh Integration

```
# Secure internal access alternatives:
https://atlantis.tail.vish.gg:9443     # Portainer
https://atlantis.tail.vish.gg:4443     # Jitsi Meet
ssh://git@calypso.tail.vish.gg:2222    # Gitea SSH

# Benefits:
- No port forwarding required for admin access
- End-to-end encryption via WireGuard
- Access control via Tailscale ACLs
- Works from anywhere with internet
```

### 📊 Monitoring Integration

```
# Service monitoring via Grafana/Prometheus:
- External service availability monitoring
- Response time tracking
- Error rate monitoring
- Resource usage correlation
- Alert integration with notification services
```

### 🔄 Backup Integration

```
# Service data backup:
- Gitea repositories: automated Git backups
- Portainer configurations: volume backups
- Jitsi recordings: cloud storage sync
- Web service data: regular file system backups
```

---

*Last Updated: 2025-11-17*
*Active Port Forwards: 10 rules across 2 hosts*
*External Domains: 12 with automatic DDNS updates*
*DDNS Update Frequency: Every 5 minutes via Cloudflare*
*Security Status: All services monitored and hardened*
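## 🧪 Added Example: Port-Forward Rule Audit

The rule table, the security analysis and the monthly "test external access to all forwarded ports" task are all things that can be checked mechanically. The script below is an added example written for this page; it is not the router's export format and not Portainer's or Jitsi's code. `RULES` is transcribed from the Active Port Forwards table; `Rule`, `audit_rules`, `TCP_ONLY_PORTS`, `ADMIN_PLANE_PORTS` and `PORTAINER_PORTS` are the editor's names and encode the caveats above (protocol "All" on TCP-only services, Portainer as an internet-facing Docker control plane, 10000 not being a documented Portainer listener, inclusive range size). The network functions use only the standard library and are called only from `main`; the policy functions run offline.

```python
"""Audit the router's port-forward rules and verify the HTTP->HTTPS redirect.

Added example for this page (not the router's export format, not Portainer's
or Jitsi's code). RULES is transcribed from the Active Port Forwards table;
the policy in audit_rules() encodes the caveats raised in the Security
Analysis section. Network checks run only from __main__.
"""
import http.client
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    host: str
    ports: str      # "443" or "49160-49200" (external == internal on every rule here)
    protocol: str   # "TCP", "UDP" or "All", as the Archer BE800 UI words it
    domain: str


# Transcribed from the Active Port Forwards table above.
RULES = [
    Rule("jitsi3", "192.168.0.200", "4443", "TCP", "meet.thevish.io"),
    Rule("stun3", "192.168.0.200", "5349", "All", "meet.thevish.io"),
    Rule("stun2", "192.168.0.200", "49160-49200", "All", "meet.thevish.io"),
    Rule("stun1", "192.168.0.200", "3478", "All", "meet.thevish.io"),
    Rule("gitea", "192.168.0.250", "2222", "All", "git.vish.gg"),
    Rule("portainer2", "192.168.0.200", "8000", "All", "pw.vish.gg"),
    Rule("portainer2", "192.168.0.200", "9443", "All", "pw.vish.gg"),
    Rule("portainer2", "192.168.0.200", "10000", "All", "pw.vish.gg"),
    Rule("Https", "192.168.0.250", "443", "All", "vish.gg"),
    Rule("HTTP", "192.168.0.250", "80", "All", "vish.gg"),
]

TCP_ONLY_PORTS = {80, 443, 2222, 8000, 9443}   # SSH, HTTP(S), Portainer: never UDP
ADMIN_PLANE_PORTS = {8000, 9443}                # Portainer = Docker control plane
PORTAINER_PORTS = {8000, 9000, 9443}            # listeners Portainer documents


def port_range(spec: str) -> Tuple[int, int]:
    """'49160-49200' -> (49160, 49200); '443' -> (443, 443)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def port_count(spec: str) -> int:
    """Inclusive size of a range: 49160-49200 is 41 ports, not 40."""
    lo, hi = port_range(spec)
    return hi - lo + 1


def audit_rules(rules: List[Rule]) -> List[str]:
    """One finding per colliding, over-scoped or high-impact rule, in table order."""
    findings: List[str] = []
    spans: List[Tuple[int, int, str]] = []
    for r in rules:
        lo, hi = port_range(r.ports)
        tag = f"{r.name}/{r.ports}"
        # Two rules claiming the same external port cannot both work.
        for olo, ohi, oname in spans:
            if lo <= ohi and olo <= hi:
                findings.append(f"{tag}: overlaps external ports of {oname}")
        spans.append((lo, hi, r.name))
        if r.protocol == "All" and lo == hi and lo in TCP_ONLY_PORTS:
            findings.append(f"{tag}: protocol 'All' on a TCP-only service; restrict the rule to TCP")
        if lo == hi and lo in ADMIN_PLANE_PORTS:
            findings.append(f"{tag}: admin plane exposed to the internet; prefer Tailscale-only access")
        if r.name.lower().startswith("portainer") and not (PORTAINER_PORTS & set(range(lo, hi + 1))):
            findings.append(f"{tag}: not a documented Portainer listener; verify what is bound "
                            "(UDP 10000 is the Jitsi Videobridge default on the same host)")
    return findings


def redirect_is_https(status: int, location: Optional[str], host: str) -> bool:
    """True only for a redirect that lands on HTTPS for the same host."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    target = location.lower()
    return target == f"https://{host.lower()}" or target.startswith(f"https://{host.lower()}/")


def fetch_http_redirect(host: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """Plain HTTP GET on port 80; returns (status, Location). Run from outside the LAN."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect test for a forwarded port (UDP rules need a protocol-level probe)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for line in audit_rules(RULES):
        print("FINDING:", line)
    print("RTP range size:", port_count("49160-49200"))
    status, location = fetch_http_redirect("vish.gg")
    print("HTTP 80 redirect OK:", redirect_is_https(status, location, "vish.gg"))
    print("2222 reachable:", tcp_reachable("git.vish.gg", 2222))
```

Against the table as written, the audit reports eight findings: five "All"-on-TCP-only rules (2222, 8000, 9443, 443, 80), the two Portainer admin ports, and the unexplained 10000. `redirect_is_https` deliberately rejects a redirect to a different host; if the site intentionally redirects `vish.gg` to `www.vish.gg`, relax that check rather than the status list.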
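## 🧪 Added Example: STUN Binding Probe for UDP 3478

The Jitsi troubleshooting steps rely on `nmap`, which cannot confirm a UDP forward: a port that silently drops probes reports as `open|filtered` whether or not a STUN server is behind it. The definitive check is to send an RFC 5389 Binding Request and parse the reply. The script below is an added example for this page, not Jitsi's or coturn's code; `build_binding_request`, `parse_binding_response`, `stun_probe` and the constants are the editor's names, and `build_binding_response` exists only so the parser can be exercised offline against a constructed reply (the 203.0.113.5 address is a documentation-range value, not a real mapping). The target `meet.thevish.io:3478` is the page's STUN rule.

```python
"""Minimal RFC 5389 STUN Binding probe for the 3478 forward.

Added example for this page; not Jitsi's or coturn's code. It sends a real
Binding Request over UDP and decodes XOR-MAPPED-ADDRESS from the reply, which
also shows the public IP:port the server saw (useful for checking DDNS).
"""
import os
import socket
import struct
from typing import Optional, Tuple

MAGIC_COOKIE = 0x2112A442          # fixed by RFC 5389
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001       # legacy, unobfuscated
ATTR_XOR_MAPPED_ADDRESS = 0x0020   # what modern servers send


def build_binding_request(txid: bytes) -> bytes:
    """20-byte header: type, attribute length (0), magic cookie, 96-bit transaction id."""
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def build_binding_response(txid: bytes, ip: str, port: int) -> bytes:
    """What a compliant server replies; used here only to construct test input."""
    addr = int.from_bytes(socket.inet_aton(ip), "big")
    value = struct.pack("!BBHI", 0, 0x01, port ^ (MAGIC_COOKIE >> 16), addr ^ MAGIC_COOKIE)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def parse_binding_response(data: bytes, txid: bytes) -> Optional[Tuple[str, int]]:
    """Return the reflexive (ip, port) from a Binding Success Response, else None."""
    if len(data) < 20:
        return None
    mtype, length, cookie = struct.unpack("!HHI", data[:8])
    if mtype != BINDING_SUCCESS or cookie != MAGIC_COOKIE or data[8:20] != txid:
        return None                      # error response, or not a reply to our request
    if len(data) < 20 + length:
        return None                      # truncated datagram
    fallback = None
    off = 20
    while off + 4 <= 20 + length:
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        value = data[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)     # attribute values are padded to 32 bits
        if atype not in (ATTR_XOR_MAPPED_ADDRESS, ATTR_MAPPED_ADDRESS):
            continue
        if len(value) != 8 or value[1] != 0x01:
            continue                     # IPv4 only in this probe
        port, addr = struct.unpack("!HI", value[2:8])
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            ip = socket.inet_ntoa(struct.pack("!I", addr ^ MAGIC_COOKIE))
            return ip, port ^ (MAGIC_COOKIE >> 16)
        fallback = (socket.inet_ntoa(struct.pack("!I", addr)), port)
    return fallback


def stun_probe(host: str, port: int = 3478, timeout: float = 3.0) -> Optional[Tuple[str, int]]:
    """Send one Binding Request over UDP; None means no valid reply within the timeout."""
    txid = os.urandom(12)                # random id so a stale or spoofed reply is rejected
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(txid), (host, port))
        try:
            data, _ = sock.recvfrom(2048)
        except socket.timeout:
            return None
    return parse_binding_response(data, txid)


if __name__ == "__main__":
    # Run from outside the LAN; the printed address is what the STUN server saw.
    print("meet.thevish.io:3478 ->", stun_probe("meet.thevish.io"))
```

A `None` result with the rule enabled usually means the forward is TCP-only, the host firewall blocks UDP 3478, or nothing is listening; a reply that shows a different public IP than the DNS record is a DDNS lag rather than a forwarding problem.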