homelab-optimized/docs/infrastructure/port-forwarding-guide.md
Gitea Mirror Bot 5510a99ba6
Sanitized mirror from private repository - 2026-03-22 08:40:48 UTC
# 🌐 Router Port Forwarding Guide
This guide covers the essential ports you need to forward on your router to access your homelab services from outside your network.
## 🚨 Security Warning
**⚠️ IMPORTANT**: Only forward ports for services you actually need external access to. Every forwarded port is internet-reachable attack surface that automated scanners will find within minutes of it going live. Consider using a VPN instead for most services.
## 🔑 Essential Ports (Recommended)
### 🛡️ VPN Access (Highest Priority)
**Forward these first - they provide secure access to everything else:**
| Port | Protocol | Service | Host | Purpose |
|------|----------|---------|------|---------|
| `51820` | UDP | WireGuard VPN | Atlantis | Primary VPN server |
| `51820` | UDP | WireGuard VPN | concord_nuc | Secondary VPN server |
**Why VPN First?**: Once you have VPN access, you can reach all internal services securely without exposing them directly to the internet.
**Note on the secondary server**: a port forward rule maps one external port to one internal host, so with a single public IP both servers cannot share external port `51820`. Give the secondary its own external port (for example external `51821` → `concord_nuc:51820`) and add both endpoints to the client configs, or keep it as a standby you re-point the existing rule to when Atlantis is down.
### 🌐 Web Services (If VPN isn't sufficient)
**Only if you need direct external access:**
| Port | Protocol | Service | Host | Purpose |
|------|----------|---------|------|---------|
| `80` | TCP | HTTP | Nginx Proxy Manager | Web traffic (redirects to HTTPS) |
| `443` | TCP | HTTPS | Nginx Proxy Manager | Secure web traffic |
| `8341` | TCP | HTTP Alt | Atlantis | Nginx Proxy Manager HTTP |
| `8766` | TCP | HTTPS Alt | Atlantis | Nginx Proxy Manager HTTPS |
If Nginx Proxy Manager is bound to `8341`/`8766` on Atlantis, map external `80` → internal `8341` and external `443` → internal `8766` rather than exposing the alternate numbers themselves: browsers default to 80/443, and Let's Encrypt HTTP-01 validation only ever connects to port 80.
## 🎮 Gaming Servers (If Hosting Public Games)
### Satisfactory Server
| Port | Protocol | Service | Host | Purpose |
|------|----------|---------|------|---------|
| `7777` | TCP/UDP | Satisfactory | homelab_vm | Game server |
### Left 4 Dead 2 Server
| Port | Protocol | Service | Host | Purpose |
|------|----------|---------|------|---------|
| `27015` | TCP/UDP | L4D2 Server | homelab_vm | Game server (UDP game traffic, TCP RCON) |
| `27020` | UDP | L4D2 Server | homelab_vm | SourceTV |
Port `27005/UDP` is the Source engine *client* port (the port a player's game binds when connecting out) and does not need to be forwarded on the server. Forward TCP `27015` only if you administer the server over RCON from outside; players need only the UDP side.
## 📱 Communication Services (If Needed Externally)
| Port | Protocol | Service | Host | Purpose |
|------|----------|---------|------|---------|
| `8065` | TCP | Mattermost | homelab_vm | Team chat (if external users) |
| `8080` | TCP | Signal API | homelab_vm | Signal messaging API |
Do not forward the Signal API port directly: a Signal REST API container typically has no login of its own, so anyone who reaches it can send messages as your number. Reach it over the VPN, or publish it through Nginx Proxy Manager with an access list in front. Mattermost has its own authentication, but it too belongs behind the reverse proxy on `443` rather than forwarded on `8065`.
## 🔄 File Sync (If External Sync Needed)
| Port | Protocol | Service | Host | Purpose |
|------|----------|---------|------|---------|
| `22000` | TCP/UDP | Syncthing | homelab_vm | File synchronization (direct connections, TCP and QUIC) |
Port `21027/UDP` is Syncthing's *local* discovery (LAN broadcast/multicast) and does nothing when forwarded; global discovery and relays use outbound connections only. Forwarding `22000` is optional: without it devices still sync through relays, just more slowly.
## 🚫 Ports You Should NOT Forward
**These services should remain internal-only:**
- **Database ports** (PostgreSQL: 5432, MySQL: 3306, Redis: 6379)
- **Monitoring services** (Prometheus: 9090, Grafana: 3000)
- **Admin interfaces** (Portainer, Docker APIs)
- **Internal APIs** and microservices
- **Development tools** (VS Code Server, etc.)
## 🏗️ Recommended Setup Architecture
### Option 1: VPN-Only (Most Secure)
```
Internet → Router → VPN Server → Internal Services
```
1. Forward only VPN ports (51820/UDP)
2. Access all services through VPN tunnel
3. No other ports exposed to internet
### Option 2: Reverse Proxy + VPN (Balanced)
```
Internet → Router → Nginx Proxy Manager → Internal Services (published web apps)
                 └→ VPN Server → Internal Services (admin and everything else)
```
1. Forward HTTP/HTTPS (80, 443) to Nginx Proxy Manager
2. Forward VPN port (51820/UDP)
3. Use TLS certificates and put authentication in front of every published app (Nginx Proxy Manager access lists or the app's own login)
4. VPN for admin access
### Option 3: Selective Forwarding (Least Secure)
```
Internet → Router → Individual Services
```
1. Forward only specific service ports
2. Use strong authentication on each service
3. Regular security updates essential
## 🔧 Router Configuration Steps
### 1. Access Router Admin
- Open router web interface (usually `192.168.1.1` or `192.168.0.1`)
- Login with admin credentials
### 2. Find Port Forwarding Section
- Look for "Port Forwarding", "Virtual Servers", or "NAT"
- May be under "Advanced" or "Security" settings
### 3. Add Port Forward Rules
For each port, configure:
- **External Port**: Port from internet
- **Internal IP**: IP of your homelab host
- **Internal Port**: Port on the host
- **Protocol**: TCP, UDP, or Both
### Example Configuration:
```
Service: WireGuard VPN
External Port: 51820
Internal IP: 192.168.1.100 (Atlantis IP)
Internal Port: 51820
Protocol: UDP
```
## 🛡️ Security Best Practices
### 1. Use Strong Authentication
- Enable 2FA where possible
- Use complex passwords
- Consider fail2ban for brute force protection
### 2. Keep Services Updated
- Regular Docker image updates
- Security patches for host OS
- Monitor security advisories
### 3. Monitor Access Logs
- Check for unusual access patterns
- Set up alerts for failed login attempts
- Regular security audits
### 4. Use SSL/TLS
- Let's Encrypt certificates through Nginx Proxy Manager
- Force HTTPS redirects
- Strong cipher suites
### 5. Network Segmentation
- Separate IoT devices
- DMZ for public services
- VLANs for different service types
## 🔍 Testing Your Setup
### Internal Testing
```bash
# Test from inside network
curl -I http://your-service:port
nmap -p port your-internal-ip
```
### External Testing
```bash
# Test from outside network (use mobile data or different network)
curl -I http://your-external-ip:port
nmap -p port your-external-ip
# WireGuard drops every packet that is not a valid handshake, so a UDP scan
# can only ever report 51820 as open|filtered; verify the VPN with a real connection instead
nmap -sU -p 51820 your-external-ip
```
### VPN Testing
```bash
# Connect to VPN, then confirm on the server that the handshake completed
# ("latest handshake" for your peer should be seconds old; interface name wg0 assumed)
sudo wg show wg0
# Then test internal services through the tunnel
ping internal-service-ip
curl http://internal-service:port
```
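Because WireGuard gives no response to a port scan, the only real proof that the forward works is a completed handshake. This added example (not from the guide or from wg-easy) reads the machine-readable `wg show <iface> dump` table and classifies each peer as `ok` (handshake within the last few minutes), `stale` or `never`. WireGuard rekeys after about two minutes of traffic, so a recent handshake means the tunnel is live; the 180 s threshold is a chosen assumption. The dump text and the placeholder keys are constructed, and the interface name `wg0` is assumed.

```python
import subprocess
import time
from typing import Dict, List, Optional

# WireGuard's RekeyAfterTime is 120 s, so an active peer (traffic or persistent
# keepalive) should have handshaken more recently than this (assumed threshold).
MAX_HANDSHAKE_AGE = 180

# Fixed "current time" so the constructed sample is reproducible.
NOW = 1774168848

# Constructed `wg show wg0 dump` output with placeholder keys. Line 1 is the
# interface (private key, public key, listen port, fwmark); each further line is
# a peer (public key, preshared key, endpoint, allowed IPs, latest handshake as
# a Unix timestamp or 0, rx bytes, tx bytes, persistent keepalive or "off").
SAMPLE_DUMP = (
    "SERVER_PRIVATE_KEY\tSERVER_PUBLIC_KEY\t51820\toff\n"
    f"LAPTOP_PUBLIC_KEY\t(none)\t203.0.113.5:41821\t10.8.0.2/32\t{NOW - 42}\t8123456\t954321\t25\n"
    f"PHONE_PUBLIC_KEY\t(none)\t198.51.100.7:5000\t10.8.0.3/32\t{NOW - 86400}\t1024\t2048\toff\n"
    "NEW_PEER_PUBLIC_KEY\t(none)\t(none)\t10.8.0.4/32\t0\t0\t0\toff\n"
)


def parse_wg_dump(dump: str) -> List[Dict[str, object]]:
    """Parse the peer lines of `wg show <iface> dump`; the first line is the interface."""
    peers: List[Dict[str, object]] = []
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) != 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        pub, _psk, endpoint, allowed, handshake, rx, tx, keepalive = fields
        peers.append({
            "public_key": pub,
            "endpoint": None if endpoint == "(none)" else endpoint,
            "allowed_ips": allowed.split(","),
            "latest_handshake": int(handshake),  # 0 means never
            "rx_bytes": int(rx),
            "tx_bytes": int(tx),
            "keepalive": 0 if keepalive == "off" else int(keepalive),
        })
    return peers


def handshake_status(dump: str, now: Optional[int] = None,
                     max_age: int = MAX_HANDSHAKE_AGE) -> Dict[str, str]:
    """Map each peer's public key to 'ok', 'stale' or 'never'."""
    now = int(time.time()) if now is None else now
    status: Dict[str, str] = {}
    for peer in parse_wg_dump(dump):
        ts = int(peer["latest_handshake"])
        if ts == 0:
            status[str(peer["public_key"])] = "never"
        elif now - ts <= max_age:
            status[str(peer["public_key"])] = "ok"
        else:
            status[str(peer["public_key"])] = "stale"
    return status


if __name__ == "__main__":
    # Use the live table when run on the VPN server, else the constructed sample.
    try:
        live = subprocess.run(["wg", "show", "wg0", "dump"], capture_output=True,
                              text=True, check=True).stdout
        dump, now = live, None
    except (OSError, subprocess.CalledProcessError):
        dump, now = SAMPLE_DUMP, NOW
    for key, state in handshake_status(dump, now).items():
        print(f"{state:6s} {key}")
```

A peer that stays at `never` after the client reports it is connected almost always means the UDP forward is wrong (wrong internal IP, TCP instead of UDP, or the router's own firewall blocking it); `stale` on a peer that should be online points at a roaming client whose endpoint changed without a keepalive.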
## 🚨 Emergency Procedures
### If Compromised
1. **Immediately disable port forwarding** for affected services
2. Change all passwords
3. Check logs for unauthorized access
4. Update all services
5. Consider rebuilding affected containers
### Monitoring Commands
```bash
# Check active connections (ss is the modern replacement for netstat)
ss -tunap | grep ":port"
# Monitor logs
docker logs container-name --tail 100 -f
# Check for failed logins (use journalctl on hosts without /var/log/auth.log)
grep "Failed" /var/log/auth.log
journalctl -u ssh --since "1 hour ago" | grep "Failed"
```
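A bare `grep Failed` shows that something is happening but not who is doing it. This added example (not part of the guide) parses sshd failure lines from `/var/log/auth.log` or `journalctl -u ssh`, counts attempts per source IP and per username, and lists the sources at or above a threshold, which is the same signal fail2ban acts on. The log lines are constructed with documentation addresses; the threshold of 5 is an assumption.

```python
import re
import sys
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Tuple

# sshd failure line as written to /var/log/auth.log (or shown by journalctl -u ssh).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample: a password spray from 203.0.113.5 mixed with normal traffic.
SAMPLE_AUTH_LOG = """\
Mar 22 08:40:01 atlantis sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 22 08:40:03 atlantis sshd[4103]: Failed password for invalid user pi from 203.0.113.5 port 51236 ssh2
Mar 22 08:40:05 atlantis sshd[4105]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar 22 08:40:07 atlantis sshd[4107]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar 22 08:40:09 atlantis sshd[4109]: Failed password for invalid user ubuntu from 203.0.113.5 port 51242 ssh2
Mar 22 08:40:11 atlantis sshd[4111]: Failed password for root from 203.0.113.5 port 51244 ssh2
Mar 22 08:41:30 atlantis sshd[4120]: Failed password for alice from 10.8.0.2 port 40122 ssh2
Mar 22 08:41:35 atlantis sshd[4120]: Accepted publickey for alice from 10.8.0.2 port 40122 ssh2: ED25519 SHA256:placeholder
Mar 22 08:42:00 atlantis sshd[4130]: Failed password for root from 198.51.100.7 port 60001 ssh2
"""


def failed_logins(lines: Iterable[str]) -> Dict[str, Counter]:
    """Count failed password attempts per source IP, broken down by username."""
    per_ip: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            per_ip[m.group("ip")][m.group("user")] += 1
    return dict(per_ip)


def offenders(log_text: str, threshold: int = 5) -> List[Tuple[str, int, List[str]]]:
    """Sources at or above the threshold, busiest first, with the usernames they tried."""
    result: List[Tuple[str, int, List[str]]] = []
    for ip, users in failed_logins(log_text.splitlines()).items():
        total = sum(users.values())
        if total >= threshold:
            result.append((ip, total, sorted(users)))
    return sorted(result, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    # Pipe real data in: journalctl -u ssh --since "1 day ago" | python3 failed_logins.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUTH_LOG
    for ip, total, users in offenders(text):
        print(f"{ip:15s} {total:4d} attempts  users: {', '.join(users)}")
```

One failed attempt from a VPN address followed by an accepted public key is a typo, not an attack; a single source cycling through `root`, `admin`, `pi` and `ubuntu` in seconds is a scanner, and if it is reaching sshd at all then port 22 is forwarded when this guide says it should not be.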
## 📊 Port Summary Table
| Priority | Ports | Services | Security Level |
|----------|-------|----------|----------------|
| **High** | 51820/UDP | VPN | 🟢 High |
| **Medium** | 80, 443 | Web (via proxy) | 🟡 Medium |
| **Low** | 7777, 27015 | Gaming | 🟡 Medium |
| **Avoid** | 22, 3389, 5432 | SSH, RDP, DB | 🔴 High Risk |
## 💡 Pro Tips
1. **Start with VPN only** - Get WireGuard working first
2. **Use non-standard ports** - Moving a service off its default port cuts the log noise from mass scanners, but it does not stop anyone who scans all 65535 ports; treat it as a convenience, never as a substitute for authentication and updates
3. **Document everything** - Keep track of what's forwarded and why
4. **Regular audits** - Review forwarded ports monthly
5. **Test from outside** - Verify access works as expected
## 🔗 Related Documentation
- [🔧 TP-Link Archer BE800 Setup](tplink-archer-be800-setup.md) - Specific router configuration guide
- [Security Model](security.md) - Overall security architecture
- [Network Architecture](networking.md) - Network topology and design
- [VPN Setup Guide](../services/individual/wg-easy.md) - WireGuard configuration
- [Nginx Proxy Manager](../services/individual/nginx-proxy-manager.md) - Reverse proxy setup
---
**Remember**: The best security practice is to expose as few services as possible to the internet. Use VPN for most access and only forward ports for services that absolutely need direct external access.