homelab-optimized/docs/infrastructure/port-forwarding-guide.md
Gitea Mirror Bot 08ebee53c3
Sanitized mirror from private repository - 2026-03-16 11:25:27 UTC

# 🌐 Router Port Forwarding Guide

This guide covers the ports you need to forward on your router to reach your homelab services from outside your network, and which ones to leave closed.

## 🚨 Security Warning

⚠️ **IMPORTANT:** Only forward ports for services that genuinely need external access. Every forwarded port gives the whole internet a direct path to that service, so any bug in it becomes remotely reachable. For most services, a VPN is the better option.

## 🛡️ VPN Access (Highest Priority)

Forward these first. They provide secure access to everything else:

| Port | Protocol | Service | Host | Purpose |
|-------|----------|---------------|-------------|----------------------|
| 51820 | UDP | WireGuard VPN | Atlantis | Primary VPN server |
| 51820 | UDP | WireGuard VPN | concord_nuc | Secondary VPN server |

Both servers listen on 51820/UDP, but one external port can only be forwarded to one internal host. Forward 51820 to Atlantis and give the secondary server its own external port (for example 51821/UDP mapped to concord_nuc:51820), then give clients a peer entry for each endpoint.

**Why VPN first?** Once you have VPN access, you can reach all internal services securely without exposing them directly to the internet.

## 🌐 Web Services (If VPN isn't sufficient)

Only if you need direct external access:

| Port | Protocol | Service | Host | Purpose |
|------|----------|-----------|---------------------|----------------------------------|
| 80 | TCP | HTTP | Nginx Proxy Manager | Web traffic (redirects to HTTPS) |
| 443 | TCP | HTTPS | Nginx Proxy Manager | Secure web traffic |
| 8341 | TCP | HTTP Alt | Atlantis | Nginx Proxy Manager HTTP |
| 8766 | TCP | HTTPS Alt | Atlantis | Nginx Proxy Manager HTTPS |

Port 80 only needs to stay open for the HTTPS redirect and for Let's Encrypt HTTP-01 validation; nothing should actually be served over it. If you validate certificates with a DNS challenge instead, 80 can be closed.

## 🎮 Gaming Servers (If Hosting Public Games)

### Satisfactory Server

| Port | Protocol | Service | Host | Purpose |
|------|----------|--------------|------------|-------------|
| 7777 | TCP/UDP | Satisfactory | homelab_vm | Game server |

### Left 4 Dead 2 Server

| Port | Protocol | Service | Host | Purpose |
|-------|----------|-------------|------------|-------------|
| 27015 | TCP/UDP | L4D2 Server | homelab_vm | Game server |
| 27020 | UDP | L4D2 Server | homelab_vm | SourceTV |
| 27005 | UDP | L4D2 Server | homelab_vm | Client port |

27015/TCP is also the RCON port on Source engine servers, so set a strong `rcon_password` (or leave RCON disabled) before forwarding it. 27005/UDP is the default *client-side* port; it matters for players behind their own NAT, not for the server host, so it can be left out of the server's forwarding rules.

## 📱 Communication Services (If Needed Externally)

| Port | Protocol | Service | Host | Purpose |
|------|----------|------------|------------|-------------------------------|
| 8065 | TCP | Mattermost | homelab_vm | Team chat (if external users) |
| 8080 | TCP | Signal API | homelab_vm | Signal messaging API |

Both of these are plain-HTTP ports. If they must be reachable from outside, publish them as hosts behind Nginx Proxy Manager on 443 (with TLS and, for the API, an access list) rather than forwarding the raw ports.

## 🔄 File Sync (If External Sync Needed)

| Port | Protocol | Service | Host | Purpose |
|-------|----------|-----------|------------|----------------------|
| 22000 | TCP/UDP | Syncthing | homelab_vm | File synchronization |
| 21027 | UDP | Syncthing | homelab_vm | Discovery |

21027/UDP is Syncthing's *local* discovery (LAN broadcast/multicast) and gains nothing from being forwarded; remote devices find each other through global discovery, which is an outbound HTTPS connection. Forward only 22000. Devices still have to be paired explicitly by device ID, so an exposed 22000 on its own does not grant access to any folder.

## 🚫 Ports You Should NOT Forward

These services should remain internal-only:

- Database ports (PostgreSQL: 5432, MySQL: 3306, Redis: 6379)
- Monitoring services (Prometheus: 9090, Grafana: 3000)
- Admin interfaces (Portainer, Docker APIs)
- Internal APIs and microservices
- Development tools (VS Code Server, etc.)

Several of these (Redis by default, the unencrypted Docker API, Prometheus) have no authentication of their own, so exposing them is the same as handing out admin access to the host.

## Access Strategies

### Option 1: VPN-Only (Most Secure)

```
Internet → Router → VPN Server → Internal Services
```

1. Forward only the VPN port (51820/UDP)
2. Access all services through the VPN tunnel
3. No other ports exposed to the internet

### Option 2: Reverse Proxy + VPN (Balanced)

```
Internet → Router → Nginx Proxy Manager → Internal Services
                 → VPN Server → Internal Services
```

1. Forward HTTP/HTTPS (80, 443) to Nginx Proxy Manager
2. Forward the VPN port (51820/UDP)
3. Use TLS certificates and authentication on every published host
4. Use the VPN for admin access; in Nginx Proxy Manager, put an access list on admin dashboards so only the VPN and LAN subnets can reach them

### Option 3: Selective Forwarding (Least Secure)

```
Internet → Router → Individual Services
```

1. Forward only the specific service ports
2. Use strong authentication on each service
3. Regular security updates are essential, because each service now defends itself with no proxy in front

## 🔧 Router Configuration Steps

### 1. Access Router Admin

- Open the router web interface (usually 192.168.1.1 or 192.168.0.1)
- Log in with the admin credentials

### 2. Find Port Forwarding Section

- Look for "Port Forwarding", "Virtual Servers", or "NAT"
- May be under "Advanced" or "Security" settings
- While you are there, disable UPnP; otherwise any device or container on the LAN can open its own forwards without you knowing

### 3. Add Port Forward Rules

For each port, configure:

- **External Port**: Port from the internet
- **Internal IP**: IP of your homelab host (give it a static DHCP lease so the rule does not silently point at a different machine after a reboot)
- **Internal Port**: Port on the host
- **Protocol**: TCP, UDP, or Both

Example configuration:

```
Service: WireGuard VPN
External Port: 51820
Internal IP: 192.168.1.100 (Atlantis IP)
Internal Port: 51820
Protocol: UDP
```
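If the router is itself a Linux box (OpenWrt, a firewall VM, a plain Debian gateway), the form above is two nftables statements: the DNAT in the prerouting chain that consumer UIs call a "port forward", and the forward-chain accept they add silently. The script below is an added example and not part of the homelab-optimized repository; it prints both rules for one table entry and rejects obviously broken input instead of applying anything. The interface name `wan` and the `ip nat` / `ip filter` table and chain names are assumptions; change them to match your ruleset.

```shell
#!/bin/sh
# Added example for a Linux-based router (not from the homelab-optimized repo).
# For one port-forward entry it prints the two nftables rules a consumer router
# UI hides behind a single form: the DNAT itself and the forward-chain accept
# without which DNAT'd packets are still dropped. Nothing is applied; review
# the output, then pipe it to sh on the router.
# Assumptions: WAN interface "wan", tables "ip nat" and "ip filter" with
# "prerouting" and "forward" chains. Change to match your ruleset.

WAN_IF=wan

# valid_port PORT -> success if PORT is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 ADDR -> success if ADDR is a dotted quad with octets 0..255
valid_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
}

# forward_rule EXT_PORT PROTO INT_IP INT_PORT
# PROTO is tcp, udp or both. Prints a DNAT and a forward accept per protocol.
forward_rule() {
    ext=$1; proto=$2; ip=$3; int=$4
    if ! valid_port "$ext" || ! valid_port "$int"; then
        echo "forward_rule: bad port in $ext -> $int" >&2
        return 1
    fi
    if ! valid_ipv4 "$ip"; then
        echo "forward_rule: bad internal IP $ip" >&2
        return 1
    fi
    case "$proto" in
        tcp|udp) protos=$proto ;;
        both) protos="tcp udp" ;;
        *) echo "forward_rule: protocol must be tcp, udp or both" >&2; return 1 ;;
    esac
    for p in $protos; do
        # 1) rewrite the destination on the way in
        echo "nft add rule ip nat prerouting iifname \"$WAN_IF\" $p dport $ext dnat to $ip:$int"
        # 2) let the rewritten flow through; only new connections need matching,
        #    replies are covered by the usual "ct state established,related accept"
        echo "nft add rule ip filter forward iifname \"$WAN_IF\" ip daddr $ip $p dport $int ct state new accept"
    done
}

# The entry from the router form above (Atlantis at 192.168.1.100):
forward_rule 51820 udp 192.168.1.100 51820
```

Run it once per row of the tables above (`forward_rule 7777 both 192.168.1.50 7777` for a TCP/UDP entry) and keep the output under version control; it doubles as the inventory the audit tips later in this guide ask for.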

## 🛡️ Security Best Practices

### 1. Use Strong Authentication

- Enable 2FA where possible
- Use long, unique passwords (a password manager makes this painless)
- Consider fail2ban for brute-force protection on anything with a login form

### 2. Keep Services Updated

- Regular Docker image updates
- Security patches for the host OS
- Monitor security advisories for the services you expose

### 3. Monitor Access Logs

- Check for unusual access patterns
- Set up alerts for failed login attempts
- Regular security audits

### 4. Use SSL/TLS

- Let's Encrypt certificates through Nginx Proxy Manager
- Force HTTPS redirects
- Strong cipher suites (TLS 1.2 or newer only)

### 5. Network Segmentation

- Separate IoT devices
- DMZ for public services
- VLANs for different service types

## 🔍 Testing Your Setup

### Internal Testing

```bash
# Test from inside the network
curl -I http://your-service:port
nmap -p port your-internal-ip
```

### External Testing

```bash
# Test from outside the network (use mobile data or a different network)
curl -I http://your-external-ip:port
nmap -Pn -p port your-external-ip
```

Testing from inside the LAN against your public IP only works if the router supports NAT loopback (hairpin NAT); a failure there says nothing about what the internet sees. UDP-only services such as WireGuard never answer unauthenticated packets, so `nmap -sU` reports them as `open|filtered` whether or not the forward works; confirm the VPN by connecting from outside and checking `wg show` on the server for a recent handshake.

### VPN Testing

```bash
# Connect to the VPN, then test internal services
ping internal-service-ip
curl http://internal-service:port
```
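The external check is worth scripting, because the question is not "does my service answer" but "does the internet see exactly the ports I meant to open". The script below is an added example, not part of the homelab-optimized repository: it reconciles the forwards you declared against nmap's grepable (`-oG`) output for the public IP, reporting anything open that was not declared, anything declared that the scan did not see, and UDP ports nmap cannot decide on. Both the declared list and the scan output are constructed sample data using RFC 5737 addresses; the real scan command is given after the block.

```shell
#!/bin/sh
# Added example (not from the homelab-optimized repo): reconcile the forwards you
# believe you have against what an external nmap scan of your public IP reports.
# Both inputs below are constructed sample data (RFC 5737 addresses); replace
# DECLARED with your own inventory and SCAN with real "nmap -oG -" output.

# Declared forwards, one port/proto per line (the "document everything" inventory).
DECLARED='51820/udp
80/tcp
443/tcp'

# Constructed nmap grepable output. Note 22/tcp, which nobody declared, and the
# WireGuard port, which a UDP scan can only report as open|filtered.
SCAN=$(printf '%s\t%s\n' \
    'Host: 203.0.113.10 ()' 'Status: Up' \
    'Host: 203.0.113.10 ()' 'Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/closed/tcp//http-proxy///, 51820/open|filtered/udp//wireguard///')

# scan_ports STATE -> sorted unique "port/proto" lines whose state is exactly STATE
# (stdin = grepable output). Entry format: port/state/proto/owner/service/rpc/version/
scan_ports() {
    awk -v want="$1" '
        /^Host:/ && match($0, /Ports: .*/) {
            n = split(substr($0, RSTART + 7, RLENGTH - 7), entries, /, /)
            for (j = 1; j <= n; j++) {
                split(entries[j], f, "/")
                if (f[2] == want) print f[1] "/" f[3]
            }
        }' | sort -u
}

# set_diff A B -> lines of A that are not in B (both newline-separated strings)
set_diff() {
    { printf '%s\n' "$2"; echo '---'; printf '%s\n' "$1"; } |
        awk '/^---$/ { in_a = 1; next } !in_a { seen[$0] = 1; next } NF && !($0 in seen)'
}

# Exposed to the internet but missing from the inventory: close it or document it.
unexpected_open() {
    set_diff "$(printf '%s\n' "$SCAN" | scan_ports open)" "$DECLARED"
}

# Declared but not seen open: rule missing, service down, or UDP (see below).
declared_not_open() {
    set_diff "$DECLARED" "$(printf '%s\n' "$SCAN" | scan_ports open)"
}

# UDP ports that never answered: nmap cannot distinguish "forwarded to a silent
# service" from "filtered", so verify these with the service itself (wg show).
unverifiable() {
    printf '%s\n' "$SCAN" | scan_ports 'open|filtered'
}

audit_report() {
    echo "OPEN BUT NOT DECLARED:";      unexpected_open    | sed 's/^/  /'
    echo "DECLARED BUT NOT SEEN OPEN:"; declared_not_open  | sed 's/^/  /'
    echo "UDP open|filtered (verify by hand):"; unverifiable | sed 's/^/  /'
}

audit_report
```

For real input, run `nmap -Pn -sS -sU -p T:1-65535,U:51820 -oG - your-external-ip` as root from a host outside your network and paste its output into `SCAN`. On the sample data the report flags 22/tcp as open but undeclared, which is exactly the kind of forgotten forward a monthly review is meant to catch.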

## 🚨 Emergency Procedures

### If Compromised

1. Immediately disable port forwarding for the affected services
2. Change all passwords, and rotate any API tokens and VPN keys the service could reach
3. Check logs for unauthorized access (copy them somewhere safe before restarting anything)
4. Update all services
5. Consider rebuilding affected containers from fresh images; a patched container may still carry the attacker's changes

### Monitoring Commands

```bash
# Check active connections (ss replaces the deprecated netstat; -p needs root)
ss -tunap | grep ":port"

# Monitor logs
docker logs container-name --tail 100 -f

# Check for failed logins (Debian/Ubuntu auth.log; on journald-only hosts use
# journalctl _COMM=sshd | grep Failed)
grep "Failed" /var/log/auth.log
```
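The `grep "Failed"` line scrolls past as fast as a bot can try passwords, which is not a review. The script below is an added example, not part of the homelab-optimized repository: it reads sshd lines in the auth.log format, counts failures per source address together with the usernames tried, lists the sources that crossed a threshold, and prints the nftables commands to block them as a starting point for step 1 above. The log lines are constructed samples (198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 ranges, 10.8.0.0/24 stands in for the VPN subnet), and the `inet filter blocklist` set name is an assumption.

```shell
#!/bin/sh
# Added example (not from the homelab-optimized repo): summarise sshd failures per
# source address instead of eyeballing raw grep output. Log lines are constructed
# samples in the auth.log format; the addresses are RFC 5737 documentation ranges
# and 10.8.0.0/24 is an assumed VPN subnet.

LOG_SAMPLE='Mar 16 10:01:02 atlantis sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar 16 10:01:05 atlantis sshd[2203]: Failed password for invalid user admin from 198.51.100.7 port 51240 ssh2
Mar 16 10:01:09 atlantis sshd[2205]: Failed password for root from 198.51.100.7 port 51251 ssh2
Mar 16 10:02:11 atlantis sshd[2210]: Accepted publickey for ops from 10.8.0.2 port 40210 ssh2
Mar 16 10:03:44 atlantis sshd[2231]: Failed password for invalid user test from 203.0.113.88 port 60011 ssh2
Mar 16 10:04:01 atlantis sshd[2240]: Failed password for ops from 10.8.0.2 port 40222 ssh2
Mar 16 10:04:05 atlantis sshd[2242]: Accepted password for ops from 10.8.0.2 port 40222 ssh2'

# failed_by_source -> "COUNT IP USERS" per source, most failures first (stdin = log).
# Handles both "Failed password for USER from IP" and
# "Failed password for invalid user USER from IP".
failed_by_source() {
    awk '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1)
                if ($i == "from") ip = $(i + 1)
            }
            count[ip]++
            # record each username once per source, in first-seen order
            if (index("," users[ip], "," user ",") == 0) users[ip] = users[ip] user ","
        }
        END {
            for (ip in count)
                print count[ip], ip, substr(users[ip], 1, length(users[ip]) - 1)
        }' | sort -rn
}

# brute_force_sources [THRESHOLD] -> IPs with at least THRESHOLD failures (default 3)
brute_force_sources() {
    failed_by_source | awk -v t="${1:-3}" '$1 >= t { print $2 }'
}

# block_commands [THRESHOLD] -> nft commands to drop those sources. Assumes an
# existing set "inet filter blocklist" that a drop rule already references;
# printed, not executed, so a VPN address that tripped the threshold can be
# removed before anything is applied.
block_commands() {
    brute_force_sources "$1" | while read -r ip; do
        echo "nft add element inet filter blocklist { $ip }"
    done
}

printf '%s\n' "$LOG_SAMPLE" | failed_by_source
printf '%s\n' "$LOG_SAMPLE" | block_commands 3
```

On the sample, 198.51.100.7 shows three failures across `admin` and `root` and is the only source that gets a block command; the single typo from the VPN address stays below the threshold. On a real host, feed it `grep sshd /var/log/auth.log` or `journalctl _COMM=sshd` instead of the sample.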

## 📊 Port Summary Table

| Priority | Ports | Services | Security Level |
|----------|----------------|-----------------|----------------|
| High | 51820/UDP | VPN | 🟢 High |
| Medium | 80, 443 | Web (via proxy) | 🟡 Medium |
| Low | 7777, 27015 | Gaming | 🟡 Medium |
| Avoid | 22, 3389, 5432 | SSH, RDP, DB | 🔴 High Risk |

## 💡 Pro Tips

1. **Start with VPN only** - Get WireGuard working first
2. **Use non-standard ports** - A non-default external port cuts the log noise from mass scanners, but treat it as hygiene, not a security control: a targeted port scan still finds the service, so harden it as if it were on the default port
3. **Document everything** - Keep track of what's forwarded and why
4. **Regular audits** - Review forwarded ports monthly, and compare the list against an external scan rather than trusting the router UI alone
5. **Test from outside** - Verify access works as expected

**Remember:** The best security practice is to expose as few services as possible to the internet. Use the VPN for most access and forward ports only for services that absolutely need direct external access.