homelab-optimized/archive/dokuwiki/port-forwarding-configuration.txt
Gitea Mirror Bot d6eb5dcb1e
Sanitized mirror from private repository - 2026-04-19 07:39:14 UTC

====== 🔌 Port Forwarding Configuration ======
**🟡 Intermediate Infrastructure Guide**
This document details the current port forwarding configuration on the TP-Link Archer BE800 router, enabling external access to specific homelab services with automatic DDNS updates every 5 minutes.
<WRAP center round info 60%>
**🌐 Automatic Domain Updates**\\
All domains are automatically updated via Cloudflare DDNS every 5 minutes, eliminating the need for manual IP management.
</WRAP>
===== 🔧 Current Port Forwarding Rules =====
Based on the TP-Link Archer BE800 router configuration:
==== 📊 Active Port Forwards Summary ====
^ Service Name ^ Device IP ^ External Port ^ Internal Port ^ Protocol ^ Domain Access ^
| **jitsi3** | 192.168.0.200 | 4443 | 4443 | TCP | meet.thevish.io:4443 |
| **stun3** | 192.168.0.200 | 5349 | 5349 | All | meet.thevish.io:5349 |
| **stun2** | 192.168.0.200 | 49160-49200 | 49160-49200 | All | meet.thevish.io (RTP) |
| **stun1** | 192.168.0.200 | 3478 | 3478 | All | meet.thevish.io:3478 |
| **gitea** | 192.168.0.250 | 2222 | 2222 | All | git.vish.gg:2222 |
| **portainer2** | 192.168.0.200 | 8000 | 8000 | All | pw.vish.gg:8000 |
| **portainer2** | 192.168.0.200 | 9443 | 9443 | All | pw.vish.gg:9443 |
| **portainer2** | 192.168.0.200 | 10000 | 10000 | All | pw.vish.gg:10000 |
| **Https** | 192.168.0.250 | 443 | 443 | All | vish.gg:443 |
| **HTTP** | 192.168.0.250 | 80 | 80 | All | vish.gg:80 |
===== 🎯 Service Dependencies & External Access =====
==== 🎥 Jitsi Meet Video Conferencing (192.168.0.200 - Atlantis) ====
=== External Access URLs ===
<code>
https://meet.thevish.io:4443 # Primary Jitsi Meet web interface
https://meet.vish.gg:4443 # Alternative domain access
</code>
=== Required Port Configuration ===
^ Port ^ Protocol ^ Purpose ^ Critical ^
| 4443 | TCP | HTTPS web interface | ✅ Essential |
| 5349 | All | TURN server for NAT traversal | ✅ Essential |
| 3478 | All | STUN server for peer discovery | ✅ Essential |
| 49160-49200 | All | RTP media streams (40 port range) | ✅ Essential |
=== Service Dependencies ===
<code>
# WebRTC Media Flow
Internet → Router:4443 → Atlantis:5443 → jitsi-web:443
Internet → Router:3478 → Atlantis:3478 → STUN server
Internet → Router:5349 → Atlantis:5349 → TURN server
Internet → Router:49160-49200 → Atlantis:49160-49200 → RTP streams
# All 4 port ranges required for full functionality:
- WebRTC media negotiation depends on STUN/TURN
- RTP port range handles multiple concurrent calls
- HTTPS interface provides web-based meeting access
</code>
==== 📝 Gitea Git Repository (192.168.0.250 - Calypso) ====
=== External Access URLs ===
<code>
# SSH Git Operations
ssh://git@git.vish.gg:2222
# Web Interface
https://git.vish.gg
# Git Commands
git clone ssh://git@git.vish.gg:2222/username/repo.git
git remote add origin ssh://git@git.vish.gg:2222/username/repo.git
git push origin main
</code>
=== Port Configuration ===
^ Port ^ Protocol ^ Purpose ^ Authentication ^
| 2222 | All | SSH access for Git operations | SSH Keys Required |
=== Service Dependencies ===
<code>
# SSH Git Access Flow
Internet → Router:2222 → Calypso:2222 → gitea:22
# Requirements:
- SSH key authentication required
- Alternative to HTTPS Git access
- Enables Git operations from external networks
- Web interface accessible via reverse proxy on port 443
</code>
==== 🐳 Portainer Container Management (192.168.0.200 - Atlantis) ====
=== External Access URLs ===
<code>
https://pw.vish.gg:9443 # Primary Portainer HTTPS interface
https://vish.gg:9443 # Alternative domain access
https://pw.vish.gg:8000 # Edge Agent communication
https://pw.vish.gg:10000 # Additional services
</code>
=== Port Configuration ===
^ Port ^ Protocol ^ Purpose ^ Security Level ^
| 9443 | All | Primary HTTPS interface | 🔒 High |
| 8000 | All | Edge Agent communication | ⚠️ Medium |
| 10000 | All | Extended functionality | ⚠️ Medium |
=== Service Dependencies ===
<code>
# Container Management Flow
Internet → Router:9443 → Atlantis:9443 → portainer:9443
Internet → Router:8000 → Atlantis:8000 → portainer:8000
Internet → Router:10000 → Atlantis:10000 → portainer:10000
# All three ports required for full Portainer functionality:
- 9443: Primary HTTPS interface for web management
- 8000: Edge Agent enables remote Docker management
- 10000: Extended functionality and additional services
</code>
==== 🌍 Web Services (192.168.0.250 - Calypso) ====
=== External Access URLs ===
<code>
https://vish.gg # Main web services (HTTPS)
https://www.vish.gg # WWW subdomain
http://vish.gg # HTTP (redirects to HTTPS)
# Additional Cloudflare Proxied Services:
https://cal.vish.gg # Calendar service
https://reddit.vish.gg # Reddit alternative
https://matrix.thevish.io # Matrix chat server
https://joplin.thevish.io # Joplin notes
https://www.thevish.io # Alternative main domain
</code>
=== Port Configuration ===
^ Port ^ Protocol ^ Purpose ^ Redirect ^
| 443 | All | HTTPS web services | Primary |
| 80 | All | HTTP (redirects to HTTPS) | → 443 |
=== Service Dependencies ===
<code>
# Web Services Flow
Internet → Router:443 → Calypso:443 → nginx:443
Internet → Router:80 → Calypso:80 → nginx:80 → redirect to 443
# Requirements:
- Reverse proxy (Nginx) on Calypso handles routing
- SSL/TLS certificates for HTTPS (Let's Encrypt)
- Automatic HTTP to HTTPS redirection
- Cloudflare proxy protection for some subdomains
</code>
===== 🏠 Host Mapping & Service Distribution =====
==== 📊 Services by Host ====
^ Host ^ IP Address ^ Services ^ Port Forwards ^ Primary Function ^
| **Atlantis** | 192.168.0.200 | 45 services | 4 forwards | Jitsi Meet, Portainer |
| **Calypso** | 192.168.0.250 | 38 services | 3 forwards | Gitea SSH, Web Services |
==== 🔌 Port Forward Distribution ====
=== Atlantis (192.168.0.200) ===
  * **Jitsi Meet Video Conferencing**: 4 port forwards
    * 4443/TCP: HTTPS web interface
    * 5349/All: TURN server
    * 49160-49200/All: RTP media (40 ports)
    * 3478/All: STUN server
  * **Portainer Container Management**: 3 port forwards
    * 9443/All: HTTPS interface
    * 8000/All: Edge Agent
    * 10000/All: Additional services
=== Calypso (192.168.0.250) ===
  * **Gitea Git Repository**: 1 port forward
    * 2222/All: SSH Git access
  * **Web Services**: 2 port forwards
    * 443/All: HTTPS web services
    * 80/All: HTTP (redirects to HTTPS)
===== 🔒 Security Analysis & Risk Assessment =====
==== ✅ High Security Services ====
^ Service ^ Port ^ Security Features ^ Risk Level ^
| **HTTPS Web (443)** | 443 | Encrypted traffic, reverse proxy protected | 🟢 Low |
| **Jitsi Meet (4443)** | 4443 | Encrypted video conferencing, HTTPS | 🟢 Low |
| **Portainer HTTPS (9443)** | 9443 | Encrypted container management | 🟢 Low |
==== ⚠️ Medium Security Services ====
^ Service ^ Port ^ Security Considerations ^ Recommendations ^
| **Gitea SSH (2222)** | 2222 | SSH key authentication required | Monitor access logs |
| **Portainer Edge (8000)** | 8000 | Agent communication, should be secured | Implement IP restrictions |
| **HTTP (80)** | 80 | Unencrypted, should redirect to HTTPS | Verify redirect works |
==== 🔧 Network Services ====
^ Service ^ Ports ^ Protocol Type ^ Security Notes ^
| **STUN/TURN** | 3478, 5349 | Standard WebRTC protocols | Industry standard, encrypted by Jitsi |
| **RTP Media** | 49160-49200 | Media streams | Encrypted by Jitsi, 40 port range |
==== 🛡️ Security Recommendations ====
=== Authentication & Access Control ===
<code>
# 1. Strong Authentication
- SSH keys for Gitea (port 2222) - disable password auth
- 2FA on Portainer (port 9443) - enable for all users
- Strong passwords on all web services
- Regular credential rotation
# 2. Access Monitoring
- Review Nginx/reverse proxy logs regularly
- Monitor failed authentication attempts
- Set up alerts for suspicious activity
- Log SSH access attempts on port 2222
# 3. Network Security
- Consider IP whitelisting for admin services
- Implement rate limiting on web interfaces
- Use VPN (Tailscale) for administrative access
- Regular security updates for all exposed services
</code>
=== Service Hardening ===
<code>
# 4. Service Security
- Keep all exposed services updated
- Monitor CVE databases for vulnerabilities
- Implement automated security scanning
- Regular backup of service configurations
# 5. Network Segmentation
- Consider moving exposed services to DMZ
- Implement firewall rules between network segments
- Use VLANs to isolate public-facing services
- Monitor inter-service communication
</code>
===== 🌐 External Access Methods & Alternatives =====
==== 🔌 Primary Access (Port Forwarding) ====
<code>
# Direct external access via domain names (DDNS updated every 5 minutes)
https://pw.vish.gg:9443 # Portainer
https://meet.thevish.io:4443 # Jitsi Meet (primary)
ssh://git@git.vish.gg:2222 # Gitea SSH
# Alternative domain access
https://vish.gg:9443 # Portainer (main domain)
https://meet.vish.gg:4443 # Jitsi Meet (alt domain)
https://www.vish.gg # Main web services (HTTPS)
https://vish.gg # Main web services (HTTPS)
# Additional service domains (from Cloudflare DNS)
https://cal.vish.gg # Calendar service (proxied)
https://reddit.vish.gg # Reddit alternative (proxied)
https://www.thevish.io # Alternative main domain (proxied)
https://matrix.thevish.io # Matrix chat server (proxied)
https://joplin.thevish.io # Joplin notes (proxied)
</code>
==== 🔗 Alternative Access (Tailscale VPN) ====
<code>
# Secure mesh VPN access (recommended for admin)
https://atlantis.tail.vish.gg:9443 # Portainer via Tailscale
https://atlantis.tail.vish.gg:4443 # Jitsi via Tailscale
ssh://git@calypso.tail.vish.gg:2222 # Gitea via Tailscale
# Benefits of Tailscale access:
- No port forwarding required
- End-to-end encryption
- Access control via Tailscale ACLs
- No exposure to internet threats
</code>
==== 🔄 Hybrid Approach (Recommended) ====
<code>
# Public Services (External Access)
- Jitsi Meet: External users need direct access
- Web Services: Public content via port forwarding
- Git Repository: Public repositories via HTTPS
# Admin Services (Tailscale Access)
- Portainer: Container management via VPN
- Gitea Admin: Administrative functions via VPN
- Monitoring: Grafana, Prometheus via VPN
</code>
===== 🔄 Dynamic DNS (DDNS) Configuration =====
==== 🌐 Automated DDNS Updates ====
<code>
# Cloudflare DDNS Configuration
- Update Frequency: Every 5 minutes
- Domains: vish.gg and thevish.io
- Record Types: IPv4 (A) and IPv6 (AAAA)
- Automation: 4 DDNS services running
# DDNS Services:
- ddns-vish-proxied: Updates proxied A records for vish.gg
- ddns-vish-unproxied: Updates DNS-only A records for vish.gg
- ddns-thevish-proxied: Updates proxied records for thevish.io
- ddns-thevish-unproxied: Updates DNS-only records for thevish.io
</code>
==== 📊 Service Categories ====
<code>
# Proxied Services (Cloudflare Protection)
- cal.vish.gg, reddit.vish.gg, www.vish.gg
- matrix.thevish.io, joplin.thevish.io, www.thevish.io
- Benefits: DDoS protection, caching, SSL termination
# DNS-Only Services (Direct Access)
- git.vish.gg, meet.thevish.io, pw.vish.gg
- api.vish.gg, spotify.vish.gg
- Benefits: Direct connection, no proxy overhead
</code>
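Added example, not the code of the four ddns-* containers: the update decision those services have to make, written against the Cloudflare v4 DNS records API. It rewrites only records whose address changed and reports any record whose proxied flag has drifted from the documented split, since a proxied name silently becoming DNS-only publishes the origin IP. The zone id and an API token are assumed to be supplied by the caller, and the records are assumed to exist already.

```python
import ipaddress
import json
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"

# Desired state, constructed from the page's proxied / DNS-only split:
# True = Cloudflare proxied (origin IP hidden), False = DNS-only (direct).
DESIRED = {"www.vish.gg": True, "cal.vish.gg": True, "reddit.vish.gg": True,
           "git.vish.gg": False, "pw.vish.gg": False}


def plan_updates(existing, desired, current_ip):
    """existing: {name: (content, proxied)} as read from the zone.
    Returns (changes, drift): changes = (name, ip, proxied) tuples to write;
    drift = records whose proxied flag differs from the documented state, a
    security finding (an unproxied record publishes the origin IP) that is
    reported separately and corrected rather than silently overwritten."""
    ipaddress.IPv4Address(current_ip)  # refuse garbage before it reaches DNS
    changes, drift = [], []
    for name, proxied in desired.items():
        content, cur_proxied = existing.get(name, (None, proxied))
        if cur_proxied != proxied:
            drift.append(name)
        if content != current_ip or cur_proxied != proxied:
            changes.append((name, current_ip, proxied))
    return changes, drift


def _cf(method, path, token, body=None):
    req = urllib.request.Request(
        f"{CF_API}{path}", method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def sync_zone(zone_id, token, current_ip, desired=DESIRED):
    """Read the zone's A records, then PUT only what plan_updates() flags.
    Records are assumed to exist already; ttl 1 means 'automatic' on Cloudflare."""
    records = _cf("GET", f"/zones/{zone_id}/dns_records?type=A", token)["result"]
    existing = {r["name"]: (r["content"], r["proxied"]) for r in records}
    ids = {r["name"]: r["id"] for r in records}
    changes, drift = plan_updates(existing, desired, current_ip)
    for name, ip, proxied in changes:
        _cf("PUT", f"/zones/{zone_id}/dns_records/{ids[name]}", token,
            {"type": "A", "name": name, "content": ip, "proxied": proxied, "ttl": 1})
    return changes, drift
```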
===== 🚨 Troubleshooting & Diagnostics =====
==== 🔍 Common Issues & Solutions ====
=== Service Not Accessible Externally ===
<code>
# Diagnostic Steps:
1. Verify port forward rule is enabled in router
2. Confirm internal service is running on host
3. Test internal access first (192.168.0.x:port)
4. Check firewall rules on target host
5. Verify router external IP hasn't changed
6. Test DNS resolution: nslookup domain.com
# Commands:
docker-compose ps # Check service status
netstat -tulpn | grep PORT # Verify port binding
nmap -p PORT domain.com # Test external access
curl -I https://domain.com # HTTP connectivity test
</code>
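Added example (not from this page or the homelab repo) that scripts diagnostic steps 3 through 6 for every rule in the summary table: resolve each name, flag DNS-only names whose record no longer matches the router's WAN address, and try a TCP connect to the rest. The wan_ip argument is assumed to be read from the router beforehand; the rule list is a constructed copy of the table.

```python
import socket

# Forwarded rules copied from the table above (constructed list). "All"-protocol
# rows are probed over TCP; the STUN/TURN UDP side needs a separate check.
# direct=True marks DNS-only names that must resolve straight to the WAN IP.
RULES = [
    ("meet.thevish.io", 4443, True), ("meet.thevish.io", 5349, True),
    ("meet.thevish.io", 3478, True), ("git.vish.gg", 2222, True),
    ("pw.vish.gg", 9443, True), ("pw.vish.gg", 8000, True),
    ("pw.vish.gg", 10000, True), ("vish.gg", 443, False), ("vish.gg", 80, False),
]


def resolve(host):
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def tcp_open(ip, port, timeout=3.0):
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(rules, wan_ip=None, resolve=resolve, tcp_open=tcp_open):
    """Return (host, port, status) per rule: DNS_FAIL, DNS_STALE, OPEN or CLOSED.
    DNS_STALE means a DNS-only name no longer matches wan_ip (DDNS lagging the
    router, diagnostic step 5); that address is not probed, it is not ours."""
    findings = []
    for host, port, direct in rules:
        ip = resolve(host)
        if ip is None:
            findings.append((host, port, "DNS_FAIL"))
        elif direct and wan_ip and ip != wan_ip:
            findings.append((host, port, "DNS_STALE"))
        else:
            findings.append((host, port, "OPEN" if tcp_open(ip, port) else "CLOSED"))
    return findings


if __name__ == "__main__":
    # wan_ip is assumed to be read from the router's status page beforehand
    for host, port, status in audit(RULES, wan_ip=None):
        print(f"{host}:{port:<5} {status}")
```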
=== Jitsi Meet Connection Issues ===
<code>
# WebRTC requires all ports - test each:
nmap -p 4443 meet.thevish.io # Web interface
nmap -p 3478 meet.thevish.io # STUN server
nmap -p 5349 meet.thevish.io # TURN server
nmap -p 49160-49200 meet.thevish.io # RTP range
# Browser diagnostics:
1. Open browser developer tools
2. Go to Network tab during call
3. Look for STUN/TURN connection attempts
4. Check for WebRTC errors in console
5. Test with different networks/devices
</code>
=== Gitea SSH Access Problems ===
<code>
# SSH troubleshooting steps:
ssh -p 2222 git@git.vish.gg # Test SSH connection
ssh-add -l # Check loaded SSH keys
cat ~/.ssh/id_rsa.pub # Verify public key
nmap -p 2222 git.vish.gg # Test port accessibility
# Gitea-specific checks:
docker-compose logs gitea | grep ssh
# Check Gitea SSH configuration in admin panel
# Verify SSH key is added to Gitea user account
</code>
=== Portainer Access Issues ===
<code>
# Test all Portainer ports:
curl -I https://pw.vish.gg:9443 # Main interface
curl -I https://pw.vish.gg:8000 # Edge Agent
curl -I https://pw.vish.gg:10000 # Additional services
# Container diagnostics:
docker-compose logs portainer
docker stats portainer
# Check Portainer logs for authentication errors
</code>
==== 🔧 Performance Optimization ====
=== Network Performance ===
<code>
# Monitor bandwidth usage:
iftop -i eth0 # Real-time bandwidth
vnstat -i eth0 # Historical usage
speedtest-cli # Internet speed test
# Optimize for concurrent users:
# Jitsi: Increase JVB memory allocation
# Gitea: Configure Git LFS for large files
# Portainer: Increase container resources
</code>
=== Service Performance ===
<code>
# Resource monitoring:
docker stats # Container resource usage
htop # System resource usage
df -h # Disk space usage
# Service-specific optimization:
# Jitsi: Configure for expected concurrent meetings
# Nginx: Enable gzip compression and caching
# Database: Optimize PostgreSQL settings
</code>
===== 📋 Maintenance & Configuration Management =====
==== 🔄 Regular Maintenance Tasks ====
=== Monthly Tasks ===
<code>
# Security and monitoring:
□ Review access logs for all forwarded services
□ Test external access to all forwarded ports
□ Update service passwords and SSH keys
□ Backup router configuration
□ Verify DDNS updates are working
□ Check SSL certificate expiration dates
</code>
=== Quarterly Tasks ===
<code>
# Comprehensive review:
□ Security audit of exposed services
□ Update all forwarded services to latest versions
□ Review and optimize port forwarding rules
□ Test disaster recovery procedures
□ Audit user accounts and permissions
□ Review and update documentation
</code>
=== Annual Tasks ===
<code>
# Major maintenance:
□ Complete security assessment
□ Review and update network architecture
□ Evaluate need for additional security measures
□ Plan for service migrations or updates
□ Review and update disaster recovery plans
□ Comprehensive backup and restore testing
</code>
==== 📊 Configuration Backup & Documentation ====
=== Router Configuration ===
<code>
# TP-Link Archer BE800 backup:
- Export configuration monthly
- Document all port forward changes
- Maintain change log with dates and reasons
- Store backup files securely
- Test configuration restoration procedures
</code>
=== Service Health Monitoring ===
<code>
# Automated monitoring setup:
- Uptime monitoring for each forwarded port
- Health checks for critical services
- Alerts for service failures
- Performance metrics collection
- Log aggregation and analysis
</code>
===== 🔗 Integration with Homelab Infrastructure =====
==== 🌐 Tailscale Mesh Integration ====
<code>
# Secure internal access alternatives:
https://atlantis.tail.vish.gg:9443 # Portainer
https://atlantis.tail.vish.gg:4443 # Jitsi Meet
ssh://git@calypso.tail.vish.gg:2222 # Gitea SSH
# Benefits:
- No port forwarding required for admin access
- End-to-end encryption via WireGuard
- Access control via Tailscale ACLs
- Works from anywhere with internet
</code>
==== 📊 Monitoring Integration ====
<code>
# Service monitoring via Grafana/Prometheus:
- External service availability monitoring
- Response time tracking
- Error rate monitoring
- Resource usage correlation
- Alert integration with notification services
</code>
==== 🔄 Backup Integration ====
<code>
# Service data backup:
- Gitea repositories: automated Git backups
- Portainer configurations: volume backups
- Jitsi recordings: cloud storage sync
- Web service data: regular file system backups
</code>
----
//Last Updated: 2025-11-17//\\
//Active Port Forwards: 10 rules across 2 hosts//\\
//External Domains: 12 with automatic DDNS updates//\\
//DDNS Update Frequency: Every 5 minutes via Cloudflare//\\
//Security Status: All services monitored and hardened//