
Firewall Rules

Firewall rules based on [[VLANs]]

NAT Port Forwarding

| Interface | Proto | Source Address | Source Ports | Dest. Address | Dest. Ports | NAT IP | NAT Ports | Description |
|---|---|---|---|---|---|---|---|---|
| LAN | TCP | * | * | LAN address | 80, 8443 | * | * | Anti-Lockout Rule |
| SERVER, WAN, WAN2 | TCP/UDP | * | * | WAN address | Plex_Ports | Plex_App | Plex_Ports | NAT 32400 Plex |
| SERVER, WAN, WAN2 | TCP/UDP | * | * | WAN address | SynologyNAS_Ports | PandaNAS | SynologyNAS_Ports | NAT Synology NAS port |
| SERVER, WAN, WAN2 | TCP | * | * | WAN address | 443 (HTTPS) | SparrowDockerVM | 443 (HTTPS) | HTTPS NAT to Docker |
| SERVER, WAN, WAN2 | TCP | * | * | WAN address | 80 (HTTP) | SparrowDockerVM | 80 (HTTP) | HTTP NAT to Docker |

Floating

| Protocol | Source | Port | Destination | Port | # interfaces | Description |
|---|---|---|---|---|---|---|
| IPv4 TCP | * | * | * | 443 (HTTPS) | 3 | Tailscale P2P |
| IPv4 UDP | * | * | PrivateNetworks | 41641 | 3 | Direct WireGuard tunnels within internal network |
| IPv4 TCP/UDP | * | * | Plex_App | Plex_Ports | 3 | NAT 32400 Plex |
| IPv4 TCP | * | * | SparrowDockerVM | 443 (HTTPS) | 3 | HTTPS NAT to Docker |
| IPv4 TCP | * | * | SparrowDockerVM | 80 (HTTP) | 3 | HTTP NAT to Docker |
| IPv4 TCP/UDP | * | * | PandaNAS | SynologyNAS_Ports | 3 | NAT Synology NAS port |

APP

| Protocol | Source | Port | Destination | Port | Gateway | Schedule | # interfaces | Description |
|---|---|---|---|---|---|---|---|---|

DMZ

| Protocol | Source | Port | Destination | Port | Description |
|---|---|---|---|---|---|
| IPv4 TCP/UDP | DMZ net | * | DMZ address | 53 (DNS) | Allow access to DNS |
| IPv4 * | DMZ net | * | ! PrivateNetworks | * | Allow access only to Internet |

Guest

| Protocol | Source | Port | Destination | Port | Gateway | Schedule | Description |
|---|---|---|---|---|---|---|---|
| IPv4 TCP/UDP | GUEST net | * | GUEST address | 53 (DNS) | * | * | Allow access to DNS on the GUEST interface |
| IPv4 * | GUEST net | * | ! PrivateNetworks | * | * | * | Block access to other internal networks but allow access to the Internet |

Home

| Protocol | Source | Port | Destination | Port | Description |
|---|---|---|---|---|---|
| IPv4 ICMP | Cannon | * | SERVER net | * | Allow ICMPv4 from Cannon to SERVER |
| IPv4 TCP/UDP | HOME net | * | LAN address | 53 (DNS) | Allow access to DNS |
| IPv4 TCP/UDP | HOME net | * | HOME address | 53 (DNS) | Allow access to DNS (Need more research) |
| IPv4 TCP/UDP | HOME net | * | HOME address | 5351 | Allow send to 5351 |
| IPv4 UDP | HOME net | * | HOME address | 5353 | Allow access to multicast DNS |
| IPv4 UDP | HOME net | * | HOME address | 1900 | Allow access to UPnP |
| IPv4 TCP/UDP | HOME net | * | PandaNAS | * | Allow HOME net to access NAS |
| IPv4 TCP/UDP | HOME net | * | PVE_hosts | * | Allow HOME net to access NUC |
| IPv4 TCP/UDP | HOME net | * | SparrowDockerVM | * | Allow HOME net to access NUC |
| IPv4 TCP/UDP | HOME net | * | Docker_IPs | Plex_Ports | Allow HOME net to Plex through Docker IP |
| IPv4 TCP/UDP | Cannon | * | LAN net | * | Allow Cannon to access LAN |
| IPv4 TCP/UDP | Cannon | * | k3s_cluster | * | Allow Cannon to access k3s cluster |
| IPv4 TCP/UDP | HOME net | * | Printers | * | Allow HOME net to access Printers |
| IPv4 TCP/UDP | HOME net | * | HomeAssistant | * | Allow HOME net to access Home Assistant |
| IPv4 TCP/UDP | HOME net | * | IOT net | * | Allow HOME net to access IoT Devices |
| IPv4 UDP | HOME net | * | 192.168.27.255 | 19967 | Allow HOME net to query Broadcast port of KTV |
| IPv4 UDP | KTV | * | 192.168.27.255 | 19967 | Allow HOME net to query Broadcast port of KTV |
| IPv4 UDP | HOME net | * | KTV | * | Allow HOME net to KTV |
| IPv4 IGMP | HOME net | * | multicast_addr | * | Allow HOME to multicast |
| IPv4 TCP/UDP | HOME net | * | ! PrivateNetworks | * | Allow access only to Internet |

IoT

| Protocol | Source | Port | Destination | Port | Description |
|---|---|---|---|---|---|
| IPv4 TCP/UDP | IOT net | * | IOT address | 53 (DNS) | Allow access to DNS |
| IPv4 TCP/UDP | IOT net | * | LAN address | 53 (DNS) | Allow access to DNS |
| IPv4 TCP/UDP | IOT net | * | Plex_App | Plex_Ports | Allow IOT net to Plex |
| IPv4 TCP/UDP | LR_LGTV | * | Docker_IPs | Plex_Ports | Allow LGTV Plex through Docker IP |
| IPv4 UDP | LR_LGTV | * | IOT address | 5353 | Allow TV access to multicast DNS |
| IPv4 UDP | IOT net | * | multicast_addr | * | Allow IOT to multicast |
| IPv4 UDP | LR_LGTV | * | HOME net | 30000 - 65535 | Allow TV to talk to HOME for AirPlay |
| IPv4 UDP | KTV | * | HOME net | 19967 | Allow KTV back to HOME |
| IPv4 UDP | HOME net | * | 192.168.228.255 | 19967 | Allow HOME net to query Broadcast port of KTV |
| IPv4 UDP | KTV | * | 192.168.228.255 | 19967 | Allow KTV to Broadcast |
| IPv4 * | IOT net | * | ! PrivateNetworks | * | Allow access only to Internet |

Lab

| Protocol | Source | Port | Destination | Port | Description |
|---|---|---|---|---|---|
| IPv4 TCP/UDP | LAB net | * | LAB address | 53 (DNS) | Allow access to DNS |
| IPv4 * | LAB net | * | ! PrivateNetworks | * | Allow access only to Internet |

LAN

| Protocol | Source | Port | Destination | Port | Description |
|---|---|---|---|---|---|
| IPv4 TCP | 192.168.100.1 | 53 (DNS) | 192.168.100.1 | 5335 | Allow AdGuard Home DNS to query Unbound DNS |
| IPv4 TCP/UDP | LAN net | * | LAN address | 53 (DNS) | Allow access to DNS on the LAN interface |
| IPv4 ICMP | LAN net | * | * | * | Allow ICMPv4 from LAN to all networks |
| IPv4 TCP/UDP | 192.168.100.2/24 | * | PandaNAS | * | Allow Proxmox to access NAS |
| IPv4 * | LAN net | * | SERVER net | * | Allow LAN to Server |
| IPv4 TCP | CloudflareIPs | * | PVE_hosts | * | Allow Cloudflare IPs to Server PVE hosts |
| IPv4 * | LAN net | * | ! PrivateNetworks | * | Block access to other internal networks but allow access to the Internet |

Loopback

None

Server

| Protocol | Source | Port | Destination | Port | Description |
|---|---|---|---|---|---|
| IPv4 TCP/UDP | SERVER net | * | LAN address | 53 (DNS) | Allow access to DNS |
| IPv4 TCP/UDP | SERVER net | * | SERVER address | 53 (DNS) | Allow access to local DNS |
| IPv4 TCP/UDP | PandaNAS | * | PVE_hosts | * | Allow NAS access to NUC |
| IPv4 TCP/UDP | PVE_hosts | * | PandaNAS | * | Allow NUC access to NAS |
| IPv4 TCP/UDP | docker_swarm | * | docker_swarm | * | Allow all connections within docker swarm subnet |
| IPv4 TCP/UDP | HomeAssistant | * | Printers | 631 | Allow Home Assistant to Printer IPP |
| IPv4 TCP/UDP | HomeAssistant | * | IOT net | * | Allow Home Assistant to IoT |
| IPv4 TCP/UDP | HomeAssistant | * | LAN address | 3000 (HBCI) | Allow Home Assistant to AdGuard Home |
| IPv4 TCP/UDP | HomeAssistant | * | OmadaController | 8043 | Allow Home Assistant to Omada Controller |
| IPv4 TCP/UDP | SERVER net | * | SparrowDockerVM | 10051 | Allow access to Zabbix Server port |
| IPv4 TCP/UDP | SparrowDockerVM | * | SERVER net | 10051 | Allow Zabbix Server to Zabbix Agent port 10051 |
| IPv4 ICMP | SERVER net | * | PrivateNetworks | * | Allow SERVER to respond to ping within PrivateNetworks |
| IPv4 TCP/UDP | SERVER net | * | ! PrivateNetworks | * | Allow access to Internet |

TS

| Protocol | Source | Port | Destination | Port | Description |
|---|---|---|---|---|---|
| IPv4 UDP | TS net | * | TS address | 53 (DNS) | Allow TS net to access TS DNS |
| IPv4 UDP | TS net | * | 100.104.184.104 | 53 (DNS) | Allow TS net to access TS DNS |
| IPv4 UDP | TS net | * | TS net | 53 (DNS) | Allow TS net to access TS DNS |
| IPv4 UDP | TS net | * | * | 53 (DNS) | Allow TS net to access TS DNS |
| IPv4 UDP | * | * | * | * | Allow TS net to access TS any |
| IPv4 * | TS net | * | ! PrivateNetworks | * | Allow external Internet access |

WAN

None

WAN2

None
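The tables above follow one segmentation pattern per VLAN: DNS to the interface address, a few explicit crossings, then a final "! PrivateNetworks" rule that permits Internet only. The following is an added example, not part of the original page and not a pfSense export, that transcribes a subset of the LAN and TS rows as data and flags the two constructions worth a second look: a pass rule with wildcard source, destination and port, and a host address written with a short mask, which pf matches as the whole subnet.

```python
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    desc: str


# Constructed subset of the LAN and TS tables above, transcribed by hand (not a pfSense export).
RULES = {
    "LAN": [
        Rule("IPv4 TCP/UDP", "LAN net", "*", "LAN address", "53 (DNS)", "Allow access to DNS on the LAN interface"),
        Rule("IPv4 TCP/UDP", "192.168.100.2/24", "*", "PandaNAS", "*", "Allow Proxmox to access NAS"),
        Rule("IPv4 *", "LAN net", "*", "! PrivateNetworks", "*", "Block other internal networks, allow Internet"),
    ],
    "TS": [
        Rule("IPv4 UDP", "TS net", "*", "TS address", "53 (DNS)", "Allow TS net to access TS DNS"),
        Rule("IPv4 UDP", "*", "*", "*", "*", "Allow TS net to access TS any"),
        Rule("IPv4 *", "TS net", "*", "! PrivateNetworks", "*", "Allow external Internet access"),
    ],
}


def audit(rules):
    """Return (interface, message) findings for common segmentation mistakes."""
    findings = []
    for iface, rows in rules.items():
        for r in rows:
            # Wildcard source, destination and port: the rule is not scoped to this VLAN at all.
            if r.src == "*" and r.dst == "*" and r.dport == "*":
                findings.append((iface, f"any-to-any pass rule: {r.desc!r}"))
            # A host address with a shorter mask (e.g. 192.168.100.2/24) is matched by pf as the whole network.
            if "/" in r.src:
                itf = ipaddress.ip_interface(r.src)
                if itf.network.prefixlen < 32 and itf.ip != itf.network.network_address:
                    findings.append((iface, f"source {r.src} matches all of {itf.network}: {r.desc!r}"))
        # The page's pattern: each VLAN's last rule is the internet-only '! PrivateNetworks' rule.
        if rows and rows[-1].dst != "! PrivateNetworks":
            findings.append((iface, "last rule is not the '! PrivateNetworks' internet-only rule"))
    return findings


if __name__ == "__main__":
    for iface, msg in audit(RULES):
        print(f"[{iface}] {msg}")
```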