Vish/homelab-optimized
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e7652c8dab68570c56dea207552eed4f2d1eca6b
homelab-optimized/docs/infrastructure/port-forwarding-configuration.md
Gitea Mirror Bot e7652c8dab
Some checks failed
Documentation / Build Docusaurus (push) Failing after 5m3s
Details
Documentation / Deploy to GitHub Pages (push) Has been skipped
Details
Sanitized mirror from private repository - 2026-04-20 01:32:01 UTC
2026-04-20 01:32:01 +00:00

287 lines
8.9 KiB
Markdown
Raw Blame History

# 🌐 Port Forwarding Configuration
**🟡 Intermediate Guide**
This document details the current port forwarding configuration on the TP-Link Archer BE800 router, enabling external access to specific homelab services.
---
## 🔧 Current Port Forwarding Rules
Based on the TP-Link router configuration:
### **Active Port Forwards**
| Service Name | Device IP | External Port | Internal Port | Protocol | Purpose |
|--------------|-----------|---------------|---------------|----------|---------|
| **jitsi3** | 192.168.0.200 | 4443 | 4443 | TCP | Jitsi Meet video conferencing |
| **stun3** | 192.168.0.200 | 5349 | 5349 | All | STUN server for WebRTC |
| **stun2** | 192.168.0.200 | 49160-49200 | 49160-49200 | All | RTP media ports for Jitsi |
| **stun1** | 192.168.0.200 | 3478 | 3478 | All | Primary STUN server |
| **gitea** | 192.168.0.250 | 2222 | 2222 | All | Gitea SSH access |
| **portainer2** | 192.168.0.200 | 8000 | 8000 | All | Portainer Edge Agent |
| **portainer2** | 192.168.0.200 | 9443 | 9443 | All | Portainer HTTPS interface |
| **portainer2** | 192.168.0.200 | 10000 | 10000 | All | Portainer additional service |
| **Https** | 192.168.0.250 | 443 | 443 | All | HTTPS web services |
| **HTTP** | 192.168.0.250 | 80 | 80 | All | HTTP web services (redirects to HTTPS) |
---
## 🎯 Service Dependencies & Access
### **Jitsi Meet Video Conferencing (192.168.0.200)**
```bash
# External Access URLs:
https://your-domain.com:4443 # Jitsi Meet web interface
# Required Ports:
- 4443/TCP # HTTPS web interface
- 5349/All # TURN server for NAT traversal
- 3478/All # STUN server for peer discovery
- 49160-49200/All # RTP media streams (40 port range)
# Service Dependencies:
- Requires all 4 port ranges for full functionality
- WebRTC media negotiation depends on STUN/TURN
- RTP port range handles multiple concurrent calls
```
### **Gitea Git Repository (192.168.0.250 - Calypso)**
```bash
# External SSH Access:
git clone ssh://git@your-domain.com:2222/username/repo.git
# Required Ports:
- 2222/All # SSH access for Git operations
# Service Dependencies:
- SSH key authentication required
- Alternative to HTTPS Git access
- Enables Git operations from external networks
```
### **Portainer Container Management (192.168.0.200)**
```bash
# External Access URLs:
https://your-domain.com:9443 # Main Portainer interface
https://your-domain.com:8000 # Edge Agent communication
https://your-domain.com:10000 # Additional services
# Required Ports:
- 9443/All # Primary HTTPS interface
- 8000/All # Edge Agent communication
- 10000/All # Extended functionality
# Service Dependencies:
- All three ports required for full Portainer functionality
- Edge Agent enables remote Docker management
- HTTPS interface provides web-based container management
```
### **Web Services (192.168.0.250 - Calypso)**
```bash
# External Access URLs:
https://your-domain.com # Main web services (443)
http://your-domain.com # HTTP redirect to HTTPS (80)
# Required Ports:
- 443/All # HTTPS web services
- 80/All # HTTP (typically redirects to HTTPS)
# Service Dependencies:
- Reverse proxy (likely Nginx/Traefik) on Calypso
- SSL/TLS certificates for HTTPS
- Automatic HTTP to HTTPS redirection
```
---
## 🏠 Host Mapping
### **192.168.0.200 - Atlantis (Primary NAS)**
- **Jitsi Meet**: Video conferencing platform
- **Portainer**: Container management interface
- **Services**: 4 port forwards (Jitsi + Portainer)
### **192.168.0.250 - Calypso (Development Server)**
- **Gitea**: Git repository hosting
- **Web Services**: HTTPS/HTTP reverse proxy
- **Services**: 3 port forwards (Git SSH + Web)
---
## 🔒 Security Considerations
### **Exposed Services Risk Assessment**
#### **High Security Services** ✅
- **HTTPS (443)**: Encrypted web traffic, reverse proxy protected
- **Jitsi Meet (4443)**: Encrypted video conferencing
- **Portainer HTTPS (9443)**: Encrypted container management
#### **Medium Security Services** ⚠️
- **Gitea SSH (2222)**: SSH key authentication required
- **Portainer Edge (8000)**: Agent communication, should be secured
- **HTTP (80)**: Unencrypted, should redirect to HTTPS
#### **Network Services** 🔧
- **STUN/TURN (3478, 5349)**: Required for WebRTC, standard protocols
- **RTP Range (49160-49200)**: Media streams, encrypted by Jitsi
### **Security Recommendations**
```bash
# 1. Ensure Strong Authentication
- Use SSH keys for Gitea (port 2222)
- Enable 2FA on Portainer (port 9443)
- Implement strong passwords on all services
# 2. Monitor Access Logs
- Review Nginx/reverse proxy logs regularly
- Monitor failed authentication attempts
- Set up alerts for suspicious activity
# 3. Keep Services Updated
- Regular security updates for all exposed services
- Monitor CVE databases for vulnerabilities
- Implement automated security scanning
# 4. Network Segmentation
- Consider moving exposed services to DMZ
- Implement firewall rules between network segments
- Use VLANs to isolate public-facing services
```
---
## 🌐 External Access Methods
### **Primary Access (Port Forwarding)**
```bash
# Direct external access via domain names (DDNS updated every 5 minutes)
https://pw.vish.gg:9443 # Portainer
https://meet.thevish.io:4443 # Jitsi Meet (primary)
ssh://git@git.vish.gg:2222 # Gitea SSH
# Alternative domain access
https://vish.gg:9443 # Portainer (main domain)
https://meet.vish.gg:4443 # Jitsi Meet (alt domain)
https://www.vish.gg # Main web services (HTTPS)
https://vish.gg # Main web services (HTTPS)
# Additional service domains (from Cloudflare DNS)
https://cal.vish.gg # Calendar service (proxied)
https://reddit.vish.gg # Reddit alternative (proxied)
https://www.thevish.io # Alternative main domain (proxied)
https://matrix.thevish.io # Matrix chat server (proxied)
https://joplin.thevish.io # Joplin notes (proxied)
```
### **Alternative Access (Tailscale)**
```bash
# Secure mesh VPN access (recommended)
https://atlantis.tail.vish.gg:9443 # Portainer via Tailscale
https://atlantis.tail.vish.gg:4443 # Jitsi via Tailscale
ssh://git@calypso.tail.vish.gg:2222 # Gitea via Tailscale
```
### **Hybrid Approach**
- **Public Services**: Jitsi Meet (external users need direct access)
- **Admin Services**: Portainer, Gitea (use Tailscale for security)
- **Web Services**: Public content via port forwarding, admin via Tailscale
---
## 🔧 Configuration Management
### **Router Configuration Backup**
```bash
# Regular backups of port forwarding rules
- Export TP-Link configuration monthly
- Document all port forward changes
- Maintain change log with dates and reasons
```
### **Service Health Monitoring**
```bash
# Monitor forwarded services
- Set up uptime monitoring for each forwarded port
- Implement health checks for critical services
- Configure alerts for service failures
```
### **Dynamic DNS Configuration**
```bash
# Automated DDNS updates via Cloudflare
- DDNS updater runs every 5 minutes
- Updates both vish.gg and thevish.io domains
- Handles both IPv4 (A) and IPv6 (AAAA) records
- Proxied services: cal, reddit, www, matrix, joplin
- DNS-only services: git, meet, pw, api, spotify
# DDNS Services Running:
- ddns-vish-proxied: Updates proxied A records
- ddns-vish-unproxied: Updates DNS-only A records
- ddns-thevish-proxied: Updates thevish.io proxied records
- ddns-thevish-unproxied: Updates thevish.io DNS-only records
```
---
## 🚨 Troubleshooting
### **Common Issues**
#### **Service Not Accessible Externally**
```bash
# Check list:
1. Verify port forward rule is enabled
2. Confirm internal service is running
3. Test internal access first (192.168.0.x:port)
4. Check firewall rules on target host
5. Verify router external IP hasn't changed
```
#### **Jitsi Meet Connection Issues**
```bash
# WebRTC requires all ports:
1. Test STUN server: 3478, 5349
2. Verify RTP range: 49160-49200
3. Check browser WebRTC settings
4. Test with different networks/devices
```
#### **Gitea SSH Access Problems**
```bash
# SSH troubleshooting:
1. Verify SSH key is added to Gitea
2. Test SSH connection: ssh -p 2222 git@git.vish.gg
3. Check Gitea SSH configuration
4. Verify port 2222 is not blocked by ISP
```
---
## 📋 Maintenance Tasks
### **Monthly Tasks**
- [ ] Review access logs for all forwarded services
- [ ] Test external access to all forwarded ports
- [ ] Update service passwords and SSH keys
- [ ] Backup router configuration
### **Quarterly Tasks**
- [ ] Security audit of exposed services
- [ ] Update all forwarded services to latest versions
- [ ] Review and optimize port forwarding rules
- [ ] Test disaster recovery procedures
### **Annual Tasks**
- [ ] Complete security assessment
- [ ] Review and update documentation
- [ ] Evaluate need for additional security measures
- [ ] Plan for service migrations or updates
---
*This port forwarding configuration enables external access to critical homelab services while maintaining security through proper authentication and monitoring.*
Reference in New Issue View Git Blame Copy Permalink