Applicable Products
- QuWAN Orchestrator
- QuRouter 2.4.4 and later versions
Details
To utilize QuWAN services, configure the necessary service ports on the third-party firewall device.
The network topology depicted in the image illustrates a hub-and-edge SD-WAN deployment leveraging QNAP's QuWAN infrastructure. The key components and their roles are as follows:
QuRouter (QNAP router): Positioned at the network perimeter, this device connects to a third-party firewall device and functions as either a hub for internal traffic or an edge device for external connectivity, depending on the deployment. Third-party firewall: Situated behind the QNAP router, this firewall enforces security policies, regulates network traffic, and manages access control.
Best Practices
To ensure seamless connectivity to QuWAN Orchestrator, configure the following firewall rules on all routers in your network topology before accessing Orchestrator from a client device (such as a browser). These settings enable secure VPN communication, proper traffic routing, and uninterrupted access to QuWAN services.
1. Configure Firewall Rules for QuWAN Orchestrator
- Source: Any
- Protocol: TCP
- Destination ports: 8883 (MQTT), 443 (HTTPS)
2. Configure Firewall Rules for QuWAN QBelt VPN Server
| Traffic Type | Source | Protocol | Source Ports | Destination | Destination Ports | Action |
|---|
| Outbound | Click Define to specify the source connection | UDP | 5533 (QuWAN QBelt VPN Server) | Any | - | Allow |
| Inbound | Click Define to specify the remote device details | UDP | Any | - | 5533 (QuWAN QBelt VPN Server) | Allow |
To add a new firewall rule in QuWAN Orchestrator, see the "Adding a device firewall rule" topic in the QuWAN and QuWAN Orchestrator Web Help.
Note
The default port for QuWAN QBelt VPN is 5533, but it can be changed. To check the router service ports in QuWAN Orchestrator, select your organization and device, and then go to Service Management.
3. Configure Firewall Rules for Mesh VPN Site-to-Site Traffic
When using QuRouter in a mesh VPN setup, you must configure firewall rules on a third-party firewall device to allow site-to-site VPN traffic. These rules ensure that IPSec communication between the hub and edge sites is not blocked, enabling secure VPN tunnel establishment.
On the third-party firewall device, allow inbound and outbound UDP traffic on the following ports:
- 500 (ISAKMP/IKE): Used for key exchange in IPSec VPN connections.
- 4500 (IPSec NAT Traversal): Used when VPN traffic traverses NAT devices.
- 61001-61999 (Dynamic high ports for IPSec NAT Traversal): Required for certain IPSec configurations.
Configure the firewall rules as follows:
- Inbound traffic: Allow VPN packets from remote sites to reach the firewall.
- Outbound traffic: Permit VPN packets to be sent to remote sites without interference.
Properly configuring these rules on the third-party firewall device ensures uninterrupted VPN connectivity between mesh sites.
| QuRouter Role | Hub | Edge |
|---|
| Protocol | UDP | UDP |
| Inbound traffic | - Source ports: 500 (ISAKMP/IKE), 4500/61xxx* (IPSec NAT Traversal)
- Destination ports: 500 (ISAKMP/IKE), 4500* (IPSec NAT Traversal)
| - Source ports: 500 (ISAKMP/IKE), 4500* (IPSec NAT Traversal)
- Destination ports: 500 (ISAKMP/IKE), 61xxx* (IPSec NAT Traversal)
|
| Outbound traffic | - Source ports: 500 (ISAKMP/IKE), 4500* (IPSec NAT Traversal)
- Destination ports: 500 (ISAKMP/IKE), 4500/61xxx* (IPSec NAT Traversal)
| - Source ports: 500 (ISAKMP/IKE), 61xxx* (IPSec NAT Traversal)
- Destination ports: 500 (ISAKMP/IKE), 4500* (IPSec NAT Traversal)
|
Note
- * The default port for hubs and edge devices is 4500.
- * The system selects a random port between 61001-61999. To check the router service ports, select your organization and device in QuWAN Orchestrator, and then go to Service Management and review the port details in IPSec NAT Traversal.
Important
To determine if additional IPSec NAT traversal ports are required, select your organization and device in QuWAN Orchestrator, and then go to Service Management.
4. Allow IP Ranges for QuWAN Communication
To ensure proper communication between QuWAN Orchestrator and your existing firewall services, it is essential to configure your firewall and router to allow specific IP ranges related to QuWAN. The router plays a crucial role by routing traffic between your local network and external networks, while the firewall filters and permits necessary QuWAN-related traffic to ensure secure and uninterrupted communication. Without proper configuration, you may encounter disruptions.
Follow the steps below to add the necessary QuWAN-related IP ranges to your firewall's allow list:
- QuWAN VPN tunnel
- Add
198.19.0.0/16 to your firewall's allow list to ensure that VPN tunnel connections established by QuWAN are not blocked:
- QuWAN LAN IP subnet
- Identify the LAN IP subnet of your QuWAN deployment and include it in your firewall's allow list.
- To locate the LAN IP subnet, navigate to QuWAN Device > System Status > Network > LAN Details in the QuWAN Orchestrator interface.
By configuring both your firewall and router with these settings, you can ensure proper traffic routing, secure filtering, and uninterrupted communication between QuWAN services and your network, minimizing potential disruptions caused by blocked traffic.
For further assistance, refer to the QuWAN Orchestrator documentation or contact QNAP Customer Service.
Additional Notes
To enable internet pings from LAN to WAN, add a firewall rule:
- Destination: Click Define to specify the internet gateway address
- Protocol: ICMP
- Source: Any (allows traffic from any device on your LAN)
- Destination: Your LAN subnet (e.g., 192.168.60.1/24)
- Action: Allow
If a device remains offline despite an active WAN connection, verify that ports 8883 (MQTT) and 443 (HTTPS) are not blocked by the firewall.
For detailed instructions on configuring firewall rules in QuWAN Orchestrator, see the Firewall and Traffic Mapping section in the QuWAN and QuWAN Orchestrator Web Help.
To modify service ports, perform the following actions:
Further Reading
Anvendelige Produkter
- QuWAN Orchestrator
- QuRouter 2.4.4 and later versions
Detaljer
For at bruge QuWAN-tjenester, konfigurer de nødvendige serviceporte på tredjeparts Firewall enhed.
Netværkstopologien afbildet i billedet illustrerer en hub-og-edge SD-WAN-implementering, der udnytter QNAP's QuWAN-infrastruktur. De vigtigste komponenter og deres roller er som følger:
QuRouter (QNAP router): Placeret ved netværksperimeteret, forbinder denne enhed til en tredjeparts Firewall enhed og fungerer enten som en Hub for intern trafik eller en Kant enhed for ekstern forbindelse, afhængigt af implementeringen. Tredjeparts Firewall: Beliggende bag QNAP-routeren, håndhæver denne Firewall sikkerhedspolitikker, regulerer netværkstrafik og administrerer Adgangskontrol.
Bedste Praksis
For at sikre problemfri forbindelse til QuWAN Orchestrator, konfigurer følgende Firewall regler på alle routere i din netværkstopologi, før du får adgang til Orchestrator fra en klientenhed (såsom en browser). Disse indstillinger muliggør sikker VPN-kommunikation, korrekt trafikstyring og uafbrudt adgang til QuWAN-tjenester.
1. Konfigurer Firewall Regler for QuWAN Orchestrator
- Kilde: Enhver
- Protokol: TCP
- Destinationsporte: 8883 (MQTT), 443 (HTTPS)
2. Konfigurer Firewall Regler for QuWAN QBelt VPN Server
| Trafiktype | Kilde | Protokol | Kildeporte | Destination | Destinationsporte | Handling |
|---|
| Udgående | Klik Definer for at specificere kildeforbindelsen | UDP | 5533 (QuWAN QBelt VPN Server) | Enhver | - | Tillad |
| Indgående | Klik Definer for at specificere fjernenhedsdetaljerne | UDP | Enhver | - | 5533 (QuWAN QBelt VPN Server) | Tillad |
For at tilføje en ny Firewall regel i QuWAN Orchestrator, se emnet "Tilføjelse af enheds Firewall regel" i QuWAN og QuWAN Orchestrator Web Hjælp.
Bemærk
Standardporten for QuWAN QBelt VPN er 5533, men den kan ændres. For at kontrollere routerens serviceporte i QuWAN Orchestrator, vælg din organisation og enhed, og gå derefter til Service Management.
3. Konfigurer Firewall Regler for Mesh VPN Site-to-Site Trafik
Når du bruger QuRouter i en mesh VPN-opsætning, skal du konfigurere Firewall regler på en tredjeparts Firewall enhed for at tillade site-to-site VPN-trafik. Disse regler sikrer, at IPSec-kommunikation mellem Hub og Kant steder ikke blokeres, hvilket muliggør sikker VPN-tunneloprettelse.
På tredjeparts Firewall enhed, tillad indgående og udgående UDP-trafik på følgende porte:
- 500 (ISAKMP/IKE): Bruges til nøgleudveksling i IPSec VPN-forbindelser.
- 4500 (IPSec NAT Traversal): Bruges, når VPN-trafik passerer NAT-enheder.
- 61001-61999 (Dynamiske høje porte til IPSec NAT Traversal): Påkrævet for visse IPSec-konfigurationer.
Konfigurer Firewall reglerne som følger:
- Indgående trafik: Tillad VPN-pakker fra fjernsteder at nå Firewall.
- Udgående trafik: Tillad VPN-pakker at blive sendt til fjernsteder uden indblanding.
Korrekt konfiguration af disse regler på tredjeparts Firewall enhed sikrer uafbrudt VPN-forbindelse mellem mesh-steder.
| QuRouter Rolle | Hub | Kant |
|---|
| Protokol | UDP | UDP |
| Indgående trafik | - Kildeporte: 500 (ISAKMP/IKE), 4500/61xxx* (IPSec NAT Traversal)
- Destinationsporte: 500 (ISAKMP/IKE), 4500* (IPSec NAT Traversal)
| - Kildeporte: 500 (ISAKMP/IKE), 4500* (IPSec NAT Traversal)
- Destinationsporte: 500 (ISAKMP/IKE), 61xxx* (IPSec NAT Traversal)
|
| Udgående trafik | - Kildeporte: 500 (ISAKMP/IKE), 4500* (IPSec NAT Traversal)
- Destinationsporte: 500 (ISAKMP/IKE), 4500/61xxx* (IPSec NAT Traversal)
| - Kildeporte: 500 (ISAKMP/IKE), 61xxx* (IPSec NAT Traversal)
- Destinationsporte: 500 (ISAKMP/IKE), 4500* (IPSec NAT Traversal)
|
Bemærk
- * Standardporten for Hub og Kant enheder er 4500.
- * Systemet vælger en tilfældig port mellem 61001-61999. For at kontrollere routerens serviceporte, vælg din organisation og enhed i QuWAN Orchestrator, og gå derefter til Service Management og gennemgå portdetaljerne i IPSec NAT Traversal.
Vigtigt
For at afgøre, om yderligere IPSec NAT traversal-porte er nødvendige, vælg din organisation og enhed i QuWAN Orchestrator, og gå derefter til Service Management.
4. Tillad IP-områder for QuWAN-kommunikation
For at sikre korrekt kommunikation mellem QuWAN Orchestrator og dine eksisterende Firewall tjenester, er det vigtigt at konfigurere din Firewall og router til at tillade specifikke IP-områder relateret til QuWAN. Routeren spiller en afgørende rolle ved at dirigere trafik mellem dit lokale netværk og eksterne netværk, mens Firewall filtrerer og tillader nødvendig QuWAN-relateret trafik for at sikre sikker og uafbrudt kommunikation. Uden korrekt konfiguration kan du opleve forstyrrelser.
Følg nedenstående trin for at tilføje de nødvendige QuWAN-relaterede IP-områder til din Firewall's tilladelsesliste:
- QuWAN VPN-tunnel
- Tilføj
198.19.0.0/16til din Firewall's tilladelsesliste for at sikre, at VPN-tunnel-forbindelser etableret af QuWAN ikke blokeres:
- QuWAN LAN IP-subnet
- Identificer LAN IP-subnettet for din QuWAN-implementering og inkluder det i din Firewall's tilladelsesliste.
- For at finde LAN IP-subnettet, naviger til QuWAN Enhed >Systemstatus >Netværk >LAN Detaljer i QuWAN Orchestrator-grænsefladen.
Ved at konfigurere både din Firewall og router med disse indstillinger, kan du sikre korrekt trafikstyring, sikker filtrering og uafbrudt kommunikation mellem QuWAN-tjenester og dit netværk, hvilket minimerer potentielle forstyrrelser forårsaget af blokeret trafik.
For yderligere hjælp, se QuWAN Orchestrator dokumentationen eller kontakt QNAP Kundeservice.
Yderligere Noter
For at aktivere internet-pings fra LAN til WAN, tilføj en Firewall regel:
- Destination: Klik Definer for at specificere internet-gateway-adressen
- Protokol: ICMP
- Kilde: Enhver (tillader trafik fra enhver enhed på dit LAN)
- Destination: Dit LAN-subnet (f.eks. 192.168.60.1/24)
- Handling: Tillad
Hvis en enhed forbliver offline trods en aktiv WAN-forbindelse, skal du kontrollere, at portene 8883 (MQTT) og 443 (HTTPS) ikke blokeres af Firewall.
For detaljerede instruktioner om konfiguration af Firewall regler i QuWAN Orchestrator, se Firewall og Trafikkortlægning sektionen i QuWAN og QuWAN Orchestrator Web Hjælp.
For at ændre serviceporte, udfør følgende handlinger:
Yderligere Læsning
