Smartlink Server IP ranges - locking down firewall access

andyg8tjq

Apologies for cross posting but I am new to the group and originally posted this as a question so not sure if it reached the right audience.

For good security reasons I want to limit the range of IP addresses that can use the Smartlink port forwarding capability of my firewall to only the Flex smartlink servers. Can somebody advise the server ip address ranges in use please so i can tighten my firewall access? Many thanks

Mike-VA3MW

In your Router/Firewall you should be able to check on the current connections in use and find the IP addresses you require on the ports you have configured (4992 and 4993 on the LAN - Trusted Side)

But, you then won't be able to connect to the radio from a remote site if do not know the IP address that you are operating remotely from since the connection from the User to the Radio is a Peer to Peer connection in order to provide the best performance.

If you are concerned about security, the connection is a secure TLS-encrypted connection and without the proper encryption keys you can't connect to the radio anyway.

73

andyg8tjq

Many thanks Mike. I was under the impression (clearly mistaken) that the Smartlink system acted as a relay in the comms channel - so if I understand you correctly the role of the Smartlink server is only to act as a broker for the initial connecton of the remote user directly to the radio over TLS at which point the Smartlink system has no further role to play.
My desire to lock down the 'allowed' ip addresses to connect to the designated ports on the router was simply to minimise the attack surface.
73

Mike-VA3MW

That is correct. It is just the lookup resource.

You could still do that, but you need to know all the IP addresses you are going to be operating from.

andyg8tjq

Many thanks for the replies @Mike-VA3MW