Overview of Ports Used by Peplink SD-WAN Routers and Other Peplink Services

Overview of Ports Used by Peplink SD-WAN Routers and Other Peplink Services#

InControl Appliance

Please allow the following traffic to pass through if a firewall is set up in front of the appliance.

Direction	Protocol	Purpose
Inbound	UDP 5246	Device communication.
	TCP 5246 (if port 5246 is not reachable, port 1443 will be tried)	Device communication for remote web admin and InTouch.
	TCP 443	Web accesses.
	TCP 80	Automatic acquisition and renewal of SSL certificate for InControl appliance from letsencrypt.org (optional)
	TCP 4443	Web accesses to control panel
	UDP 53	Dynamic DNS service and automatic acquisition and renewal of SSL certificate for devices from letsencrypt.org (optional)
	TCP 2222	Direct remote assistance (optional, needed by Peplink for troubleshooting only when outbound to ra.peplink.com on TCP 443 is not accessible)
Outbound	ra.peplink.com on TCP 443	Remote assistance (optional, recommended)
	api.ic.peplink.com on TCP 443	For lively look up device’s model when importing serial numbers (optional, recommended)
	download.peplink.com on TCP 443	Device firmware validation (optional)
	push.ic.peplink.com on TCP 443	Push notifications for the InControl 2 mobile app (optional)
	acme-v02.api.letsencrypt.org on TCP 443	Automatic acquisition and renewal of SSL certificate for InControl appliance from letsencrypt.org (optional)
	*.peplink.com on UDP 5246 (details)	For lively device service expiration date synchronization* and transferring FusionHub licenses from InControl 2 (public cloud) to FusionHub units connected to the InControl Appliance.

(recommended)

* Lively service expiration date sync is required for SaaS and Region Networks identification in outbound policy/firewall rules to work regardless of whether the appliance’s license is legacy or modern.

Timeserver on UDP 123

Network time sync

DNS resolver on UDP 53

DNS resolutions

Overview of ports used by Peplink SD-WAN routers and other Peplink services

Default Port Number	Usage	Service	Inbound/Outbound	Default Status
UDP 5246	Data flow	InControl	Outbound	Enabled
TCP 443	HTTPS service	InControl	Outbound	Enabled
TCP 5246	Optional, used when TCP 443 is not responding	InControl	Outbound	Enabled
TCP 5246	Remote Web Admin	InControl Virtual Appliance	Outbound	Enabled
TCP 4500	VPN Data (TCP Mode)	PepVPN / SpeedFusion	Inbound / Outbound*	Disabled
TCP 32015	VPN handshake	PepVPN / SpeedFusion	Inbound / Outbound*	Disabled
UDP 4500	VPN Data	PepVPN / SpeedFusion	Inbound / Outbound*	Disabled
UDP 32015º	VPN Data (alternative)	PepVPN / SpeedFusion	Inbound / Outbound*	Disabled
TCP/UDP 4500+N-1^	VPN Sub-Tunnels Data	PepVPN / SpeedFusion	Inbound / Outbound*	Disabled
UDP 32015+N-1^	VPN Sub-Tunnels Data (alternative)	PepVPN / SpeedFusion	Inbound / Outbound*	Disabled
UDP 4500	VPN Data	IPsec	Inbound / Outbound*	Disabled
UDP 500	VPN initiation	IPsec	Inbound / Outbound*	Disabled
UDP 500	L2TP	Remote User Access	Inbound	Disabled
UDP 1701	L2TP	Remote User Access	Inbound	Disabled
UDP 4500	L2TP	Remote User Access	Inbound	Disabled
UDP 1194	OpenVPN	Remote User Access	Inbound	Disabled
IP 47	PPTP (GRE)	Remote User Access	Inbound	Disabled
TCP 2222	Remote Assistance Direct connection	Peplink Troubleshooting Assistance	Outbound	Enabled
TCP 80	HTTP traffic	Web Admin Interface access	Inbound	Enabled
TCP 443	HTTPS traffic	Web Admin Interface access (secure)	Inbound	Enabled
TCP 8822	SSH	SSH	Inbound	Disabled
UDP 161	SNMP Get	SNMP monitoring	Inbound	Disabled
UDP 162	SNMP Trap	SNMP monitoring	Outbound	Disabled
TCP, UDP 1812	Radius Authentication	Radius	Outbound	Disabled
TCP, UDP 1813	Radius Accounting	Radius	Outbound	Disabled
UDP 123	Network Time Protocol	NTP	Inbound Outbound	Disabled Enabled
TCP 60660	Real-time location data in NMEA format	GPS	Inbound	Disabled

Disclaimer#

By default, only TCP 32015 and UDP 4500 are needed for PepVPN / SpeedFusion.
Inbound / Outbound* – Inbound = For Server mode; Outbound = For Client mode
UDP 32015º – If IPsec VPN or L2TP/IPsec RUA is enabled, UDP 4500 is occupied, so PepVPN / SpeedFusion will automatically switch to UDP 32015 as the VPN data port.
UDP 32015+N–1^ / TCP/UDP 4500+N–1^ – When using Sub-Tunnels, multiple ports are used (1 for each Sub-Tunnel profile).
The default UDP data ports used when using N Sub-Tunnel profiles are: 4500…4500+N-1, or (when port 4500 is in use by IPsec or L2TP/IPsec) 32015…32015+N-1.