# 🌐 Port Forwarding Configuration

🟡 Intermediate Guide
This document details the current port forwarding configuration on the TP-Link Archer BE800 router, enabling external access to specific homelab services.
## 🔧 Current Port Forwarding Rules

Based on the TP-Link router configuration:

### Active Port Forwards

| Service Name | Device IP | External Port | Internal Port | Protocol | Purpose |
|---|---|---|---|---|---|
| jitsi3 | 192.168.0.200 | 4443 | 4443 | TCP | Jitsi Meet video conferencing |
| stun3 | 192.168.0.200 | 5349 | 5349 | All | STUN server for WebRTC |
| stun2 | 192.168.0.200 | 49160-49200 | 49160-49200 | All | RTP media ports for Jitsi |
| stun1 | 192.168.0.200 | 3478 | 3478 | All | Primary STUN server |
| gitea | 192.168.0.250 | 2222 | 2222 | All | Gitea SSH access |
| portainer2 | 192.168.0.200 | 8000 | 8000 | All | Portainer Edge Agent |
| portainer2 | 192.168.0.200 | 9443 | 9443 | All | Portainer HTTPS interface |
| portainer2 | 192.168.0.200 | 10000 | 10000 | All | Portainer additional service |
| Https | 192.168.0.250 | 443 | 443 | All | HTTPS web services |
| HTTP | 192.168.0.250 | 80 | 80 | All | HTTP web services (redirects to HTTPS) |
## 🎯 Service Dependencies & Access

### Jitsi Meet Video Conferencing (192.168.0.200)

```bash
# External Access URLs:
https://your-domain.com:4443 # Jitsi Meet web interface

# Required Ports:
- 4443/TCP # HTTPS web interface
- 5349/All # TURN server for NAT traversal
- 3478/All # STUN server for peer discovery
- 49160-49200/All # RTP media streams (40 port range)

# Service Dependencies:
- Requires all 4 port ranges for full functionality
- WebRTC media negotiation depends on STUN/TURN
- RTP port range handles multiple concurrent calls
```
### Gitea Git Repository (192.168.0.250 - Calypso)

```bash
# External SSH Access:
git clone ssh://git@your-domain.com:2222/username/repo.git

# Required Ports:
- 2222/All # SSH access for Git operations

# Service Dependencies:
- SSH key authentication required
- Alternative to HTTPS Git access
- Enables Git operations from external networks
```
### Portainer Container Management (192.168.0.200)

```bash
# External Access URLs:
https://your-domain.com:9443 # Main Portainer interface
https://your-domain.com:8000 # Edge Agent communication
https://your-domain.com:10000 # Additional services

# Required Ports:
- 9443/All # Primary HTTPS interface
- 8000/All # Edge Agent communication
- 10000/All # Extended functionality

# Service Dependencies:
- All three ports required for full Portainer functionality
- Edge Agent enables remote Docker management
- HTTPS interface provides web-based container management
```
### Web Services (192.168.0.250 - Calypso)

```bash
# External Access URLs:
https://your-domain.com # Main web services (443)
http://your-domain.com # HTTP redirect to HTTPS (80)

# Required Ports:
- 443/All # HTTPS web services
- 80/All # HTTP (typically redirects to HTTPS)

# Service Dependencies:
- Reverse proxy (likely Nginx/Traefik) on Calypso
- SSL/TLS certificates for HTTPS
- Automatic HTTP to HTTPS redirection
```
## 🏠 Host Mapping

### 192.168.0.200 - Atlantis (Primary NAS)

- Jitsi Meet: Video conferencing platform
- Portainer: Container management interface
- Services: 4 port forwards (Jitsi + Portainer)

### 192.168.0.250 - Calypso (Development Server)

- Gitea: Git repository hosting
- Web Services: HTTPS/HTTP reverse proxy
- Services: 3 port forwards (Git SSH + Web)
## 🔒 Security Considerations

### Exposed Services Risk Assessment

#### High Security Services ✅

- HTTPS (443): Encrypted web traffic, reverse proxy protected
- Jitsi Meet (4443): Encrypted video conferencing
- Portainer HTTPS (9443): Encrypted container management

#### Medium Security Services ⚠️

- Gitea SSH (2222): SSH key authentication required
- Portainer Edge (8000): Agent communication, should be secured
- HTTP (80): Unencrypted, should redirect to HTTPS

#### Network Services 🔧

- STUN/TURN (3478, 5349): Required for WebRTC, standard protocols
- RTP Range (49160-49200): Media streams, encrypted by Jitsi
### Security Recommendations

```bash
# 1. Ensure Strong Authentication
- Use SSH keys for Gitea (port 2222)
- Enable 2FA on Portainer (port 9443)
- Implement strong passwords on all services

# 2. Monitor Access Logs
- Review Nginx/reverse proxy logs regularly
- Monitor failed authentication attempts
- Set up alerts for suspicious activity

# 3. Keep Services Updated
- Regular security updates for all exposed services
- Monitor CVE databases for vulnerabilities
- Implement automated security scanning

# 4. Network Segmentation
- Consider moving exposed services to DMZ
- Implement firewall rules between network segments
- Use VLANs to isolate public-facing services
```
## 🌐 External Access Methods

### Primary Access (Port Forwarding)

```bash
# Direct external access via domain names (DDNS updated every 5 minutes)
https://pw.vish.gg:9443 # Portainer
https://meet.thevish.io:4443 # Jitsi Meet (primary)
ssh://git@git.vish.gg:2222 # Gitea SSH

# Alternative domain access
https://vish.gg:9443 # Portainer (main domain)
https://meet.vish.gg:4443 # Jitsi Meet (alt domain)
https://www.vish.gg # Main web services (HTTPS)
https://vish.gg # Main web services (HTTPS)

# Additional service domains (from Cloudflare DNS)
https://cal.vish.gg # Calendar service (proxied)
https://reddit.vish.gg # Reddit alternative (proxied)
https://www.thevish.io # Alternative main domain (proxied)
https://matrix.thevish.io # Matrix chat server (proxied)
https://joplin.thevish.io # Joplin notes (proxied)
```

### Alternative Access (Tailscale)

```bash
# Secure mesh VPN access (recommended)
https://atlantis.tail.vish.gg:9443 # Portainer via Tailscale
https://atlantis.tail.vish.gg:4443 # Jitsi via Tailscale
ssh://git@calypso.tail.vish.gg:2222 # Gitea via Tailscale
```

### Hybrid Approach

- Public Services: Jitsi Meet (external users need direct access)
- Admin Services: Portainer, Gitea (use Tailscale for security)
- Web Services: Public content via port forwarding, admin via Tailscale
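The risk assessment above and the hybrid split (public vs. admin services) are easy to apply by hand to ten rules, but the same reasoning can be run as a script every time the router configuration is exported. The following is an added example, not code from this homelab: the rule list is transcribed from the Active Port Forwards table, while the policy sets (`TCP_ONLY_PORTS`, `ADMIN_PORTS`) are assumptions that encode what this document says about each service. It flags rules whose protocol is `All` although the service only speaks TCP (an unnecessary UDP listener), admin interfaces that the Hybrid Approach says belong behind Tailscale, plaintext HTTP, and any external port that overlaps another rule.

```python
"""Audit a TP-Link style port-forward rule set (added example; policy sets are assumptions)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    device_ip: str
    ext_port: str      # "4443" or an inclusive range such as "49160-49200"
    protocol: str      # "TCP", "UDP" or "All" (router wording)
    purpose: str


# Transcribed from the Active Port Forwards table in this document.
RULES = [
    Rule("jitsi3", "192.168.0.200", "4443", "TCP", "Jitsi Meet web interface"),
    Rule("stun3", "192.168.0.200", "5349", "All", "TURN/STUN server"),
    Rule("stun2", "192.168.0.200", "49160-49200", "All", "RTP media ports"),
    Rule("stun1", "192.168.0.200", "3478", "All", "Primary STUN server"),
    Rule("gitea", "192.168.0.250", "2222", "All", "Gitea SSH access"),
    Rule("portainer2", "192.168.0.200", "8000", "All", "Portainer Edge Agent"),
    Rule("portainer2", "192.168.0.200", "9443", "All", "Portainer HTTPS interface"),
    Rule("portainer2", "192.168.0.200", "10000", "All", "Portainer additional service"),
    Rule("Https", "192.168.0.250", "443", "All", "HTTPS web services"),
    Rule("HTTP", "192.168.0.250", "80", "All", "HTTP web services"),
]

# Policy (assumption, derived from the service descriptions, not from the router):
# ports that only ever carry TCP, and ports that are admin surfaces which the
# Hybrid Approach says should be reached over Tailscale rather than forwarded.
TCP_ONLY_PORTS = {"80", "443", "2222", "4443", "8000", "9443", "10000"}
ADMIN_PORTS = {"2222", "8000", "9443", "10000"}


def port_span(spec):
    """'49160-49200' -> (49160, 49200); '4443' -> (4443, 4443)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def rules_per_host(rules):
    """Count how many forward rules point at each internal device."""
    return dict(Counter(r.device_ip for r in rules))


def audit(rules):
    """Return (rule_name, ext_port, finding) tuples; an empty list means no findings."""
    findings = []
    seen = []  # (rule_name, ext_port, lo, hi) already processed
    for r in rules:
        lo, hi = port_span(r.ext_port)
        # Overlapping external ports: the router will match only one of the rules.
        for other_name, other_port, olo, ohi in seen:
            if lo <= ohi and olo <= hi:
                findings.append((r.name, r.ext_port,
                                 f"external port overlaps rule {other_name} ({other_port})"))
        seen.append((r.name, r.ext_port, lo, hi))
        # 'All' on a TCP-only service forwards UDP to a port nothing listens on.
        if r.protocol == "All" and r.ext_port in TCP_ONLY_PORTS:
            findings.append((r.name, r.ext_port,
                             "protocol 'All' but service is TCP-only; restrict rule to TCP"))
        # Admin interfaces reachable from the internet rather than via Tailscale.
        if r.ext_port in ADMIN_PORTS:
            findings.append((r.name, r.ext_port,
                             "admin interface exposed publicly; prefer Tailscale-only access"))
        # Plaintext HTTP should exist only to redirect to HTTPS.
        if r.ext_port == "80":
            findings.append((r.name, r.ext_port,
                             "unencrypted HTTP; verify it only redirects to 443"))
    return findings


if __name__ == "__main__":
    for host, n in rules_per_host(RULES).items():
        print(f"{host}: {n} forward rules")
    for name, port, finding in audit(RULES):
        print(f"[{name} {port}] {finding}")
```

Run it after each configuration export; a clean run prints only the per-host counts. Rules the router exports can be pasted into `RULES` as they appear, so the script doubles as the change log entry the Configuration Management section asks for.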
## 🔧 Configuration Management

### Router Configuration Backup

```bash
# Regular backups of port forwarding rules
- Export TP-Link configuration monthly
- Document all port forward changes
- Maintain change log with dates and reasons
```

### Service Health Monitoring

```bash
# Monitor forwarded services
- Set up uptime monitoring for each forwarded port
- Implement health checks for critical services
- Configure alerts for service failures
```

### Dynamic DNS Configuration

```bash
# Automated DDNS updates via Cloudflare
- DDNS updater runs every 5 minutes
- Updates both vish.gg and thevish.io domains
- Handles both IPv4 (A) and IPv6 (AAAA) records
- Proxied services: cal, reddit, www, matrix, joplin
- DNS-only services: git, meet, pw, api, spotify

# DDNS Services Running:
- ddns-vish-proxied: Updates proxied A records
- ddns-vish-unproxied: Updates DNS-only A records
- ddns-thevish-proxied: Updates thevish.io proxied records
- ddns-thevish-unproxied: Updates thevish.io DNS-only records
```
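The proxied / DNS-only split above matters for more than availability: a DNS-only A record publishes the home IP directly, so the updater should also notice when a record's proxied flag has drifted from the intended list. The code below is an added example and is not the ddns-* updater this homelab runs; the record cache and the public IP are constructed sample data, and `ZONE_ID_PLACEHOLDER` / `TOKEN_PLACEHOLDER` stand in for real credentials. It computes the minimal set of Cloudflare changes for one zone (A records only, to keep it short) and builds the corresponding v4 API request without sending it.

```python
"""Plan Cloudflare DDNS updates for one zone (added example; sample data is constructed)."""
import json
import urllib.request

# Label lists from this document; proxied records hide the origin IP behind Cloudflare.
PROXIED = {"cal", "reddit", "www", "matrix", "joplin"}
DNS_ONLY = {"git", "meet", "pw", "api", "spotify"}

CF_API = "https://api.cloudflare.com/client/v4"

# Constructed snapshot of what a GET /zones/{zone_id}/dns_records call might return,
# reduced to the fields this planner needs. 198.51.100.0/24 is documentation space.
SAMPLE_CACHE = {
    "www.vish.gg":  {"id": "rec-www",  "type": "A", "content": "198.51.100.10", "proxied": True},
    "git.vish.gg":  {"id": "rec-git",  "type": "A", "content": "198.51.100.10", "proxied": False},
    "meet.vish.gg": {"id": "rec-meet", "type": "A", "content": "198.51.100.9",  "proxied": False},  # stale IP
    "cal.vish.gg":  {"id": "rec-cal",  "type": "A", "content": "198.51.100.10", "proxied": False},  # drift: should be proxied
}


def plan_updates(zone, current_ipv4, cached_records):
    """Return the changes needed so every managed label resolves to current_ipv4
    with the proxied flag this document specifies. Unchanged records yield nothing."""
    changes = []
    for label in sorted(PROXIED | DNS_ONLY):
        fqdn = f"{label}.{zone}"
        want_proxied = label in PROXIED
        rec = cached_records.get(fqdn)
        if rec is None:
            changes.append({"fqdn": fqdn, "action": "create", "payload": {
                "type": "A", "name": fqdn, "content": current_ipv4,
                "proxied": want_proxied, "ttl": 1}})          # ttl 1 = "automatic" at Cloudflare
            continue
        payload = {}
        if rec["content"] != current_ipv4:
            payload["content"] = current_ipv4
        if rec["proxied"] != want_proxied:
            payload["proxied"] = want_proxied                   # correct flag drift, not just the IP
        if payload:
            changes.append({"fqdn": fqdn, "action": "update",
                            "record_id": rec["id"], "payload": payload})
    return changes


def origin_exposing_records(zone, cached_records):
    """A records in the zone that are not proxied, i.e. that publish the home IP."""
    return sorted(fqdn for fqdn, r in cached_records.items()
                  if fqdn.endswith("." + zone) and r["type"] == "A" and not r["proxied"])


def build_request(change, zone_id, token):
    """Build (but do not send) the Cloudflare v4 request for one planned change."""
    base = f"{CF_API}/zones/{zone_id}/dns_records"
    if change["action"] == "create":
        url, method = base, "POST"
    else:
        url, method = f"{base}/{change['record_id']}", "PATCH"   # partial update
    return urllib.request.Request(
        url, data=json.dumps(change["payload"]).encode(), method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})


def apply_change(change, zone_id, token):
    """Send one change; only called by a live run, never by the offline demo."""
    with urllib.request.urlopen(build_request(change, zone_id, token), timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for c in plan_updates("vish.gg", "198.51.100.10", SAMPLE_CACHE):
        req = build_request(c, "ZONE_ID_PLACEHOLDER", "TOKEN_PLACEHOLDER")
        print(c["action"], c["fqdn"], req.get_method(), req.full_url, c["payload"])
    print("DNS-only (origin-exposing):", origin_exposing_records("vish.gg", SAMPLE_CACHE))
```

The planner is idempotent: a second run against records that already match produces an empty change list, which is what a 5-minute timer needs so that it does not generate write traffic when the IP has not moved. Note that git, meet and pw have to stay DNS-only in any case, because Cloudflare's proxy only carries HTTP(S) on a fixed set of ports and does not pass 2222, 4443 or 9443.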
## 🚨 Troubleshooting

### Common Issues

#### Service Not Accessible Externally

```bash
# Check list:
1. Verify port forward rule is enabled
2. Confirm internal service is running
3. Test internal access first (192.168.0.x:port)
4. Check firewall rules on target host
5. Verify router external IP hasn't changed
```

#### Jitsi Meet Connection Issues

```bash
# WebRTC requires all ports:
1. Test STUN server: 3478, 5349
2. Verify RTP range: 49160-49200
3. Check browser WebRTC settings
4. Test with different networks/devices
```

#### Gitea SSH Access Problems

```bash
# SSH troubleshooting:
1. Verify SSH key is added to Gitea
2. Test SSH connection: ssh -p 2222 git@git.vish.gg
3. Check Gitea SSH configuration
4. Verify port 2222 is not blocked by ISP
```
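The checklists above boil down to two probes: can a TCP handshake reach the forwarded port (steps 3 and 5 of the first list, step 2 of the SSH list), and does the STUN server answer on 3478 (step 1 of the Jitsi list). The following added example, not code from this homelab, implements both with only the Python standard library. The TCP probe is the same `connect()` test whether you run it from the LAN against `192.168.0.x` or from outside against the DDNS names; the STUN probe sends a real RFC 5389 Binding Request and decodes the XOR-MAPPED-ADDRESS from the reply, which tells you the public address the server saw, i.e. whether the forward is working end to end. `build_sample_success_response` only exists so the parser can be exercised offline.

```python
"""TCP and STUN reachability probes for forwarded ports (added example, stdlib only)."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # RFC 5389 fixed value
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def check_tcp_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def self_test_tcp_check():
    """Open a throwaway listener on localhost, probe it, close it, probe again.
    Returns (while_listening, after_close); a healthy stack gives (True, False)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_listening = check_tcp_open("127.0.0.1", port)
    after_close = check_tcp_open("127.0.0.1", port)
    return while_listening, after_close


def build_binding_request(txn_id=None):
    """20-byte STUN Binding Request; returns (message, transaction_id)."""
    txn_id = txn_id if txn_id is not None else os.urandom(12)
    header = struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE)   # type, length, cookie
    return header + txn_id, txn_id


def parse_binding_response(data, txn_id):
    """Return (ip, port) from the XOR-MAPPED-ADDRESS of a Binding Success Response."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    mtype, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or data[8:20] != txn_id:
        raise ValueError("not a reply to our transaction")
    if mtype != BINDING_SUCCESS:
        raise ValueError(f"unexpected STUN message type 0x{mtype:04x}")
    body = data[20:20 + length]
    pos = 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        pos += 4 + (alen + 3) // 4 * 4                    # attributes are padded to 4 bytes
        if atype == XOR_MAPPED_ADDRESS and value[1] == 0x01:   # family 0x01 = IPv4
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


def build_sample_success_response(txn_id, ip, port):
    """Constructed reply, as a STUN server would send it, for offline testing of the parser."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txn_id + attr


def stun_binding(host, port=3478, timeout=2.0):
    """Send one Binding Request over UDP and return the reflexive (ip, port) the server saw."""
    req, txn = build_binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        data, _ = s.recvfrom(2048)
    return parse_binding_response(data, txn)


if __name__ == "__main__":
    # Names and ports from this document; run from outside the LAN to test the forwards,
    # or substitute 192.168.0.200 / 192.168.0.250 to test internal access first.
    for host, port in [("meet.vish.gg", 4443), ("git.vish.gg", 2222), ("pw.vish.gg", 9443)]:
        state = "open" if check_tcp_open(host, port) else "closed/filtered"
        print(f"{host}:{port}/tcp {state}")
    try:
        print("STUN 3478 reflexive address:", stun_binding("meet.vish.gg", 3478))
    except (OSError, ValueError) as err:
        print("STUN 3478 check failed:", err)
```

A TCP port that is open from the LAN but closed from outside points at the forward rule, the router's external IP or an ISP block (steps 1, 5 and the last SSH step); a STUN reply whose reflexive address differs from what the DDNS record holds means the updater is behind. Port 5349 is TURN over TLS, so the plain UDP binding above only covers 3478; use the TCP probe for 5349.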
## 📋 Maintenance Tasks

### Monthly Tasks

- Review access logs for all forwarded services
- Test external access to all forwarded ports
- Update service passwords and SSH keys
- Backup router configuration

### Quarterly Tasks

- Security audit of exposed services
- Update all forwarded services to latest versions
- Review and optimize port forwarding rules
- Test disaster recovery procedures

### Annual Tasks

- Complete security assessment
- Review and update documentation
- Evaluate need for additional security measures
- Plan for service migrations or updates

This port forwarding configuration enables external access to critical homelab services while maintaining security through proper authentication and monitoring.