#fabric-questions Fabric Networking
Cavell
Hi,
I've been trying to set up a fabric network spread across multiple locations. One of the major issues has been locating and communicating with peer nodes behind firewalls. The only solutions I've come up with have been setting up a VPN and joining all the nodes to that, or port forwarding some of the nodes (anchor peers and orderers) so that some communication can occur. The first one is usable now, but becomes a nightmare to manage if the network expands. The second is a security risk. Am I missing something obvious? Is there a better alternative to what I'm doing? Thanks for any help given, Cavell Teng
Yacov
I can only say that port forwarding anchor peers alone won't get you much, because peers try to connect to one another forming a full mesh of an undirected graph (peers p and q have a single connection between them, either from p to q or from q to p).
Anchor peers are just for bootstrapping membership across organizations.
From: "Cavell" <cavellt@...>
To: fabric@...
Date: 01/23/2020 03:05 AM
Subject: [EXTERNAL] [Hyperledger Fabric] #fabric-questions Fabric Networking
Sent by: fabric@...
Nye Liu <nye@...>
You didn't mention if you are having NAT traversal issues or straight up firewall issues.
If the latter, opening ports should be sufficient. If the former, put it in a DMZ with real public IP addresses and ditch NAT entirely. NAT is a cancer, and never interacts well with p2p protocols.
Cavell
Apologies for the confusion in my wording, I accidentally used firewall instead of router. Since the nodes are in different locations, it's hard to access them without port forwarding them. From an initial glance, it seems like to build the network, I'll need to port forward all the nodes and make them publicly accessible to deploy them in different locations. I'm concerned about the security risks of doing so, since anyone can access the nodes so long as they have the public address and port number. Thanks for the quick responses, Cavell Teng
Nye Liu <nye@...>
If you plan on running a p2p node on the public internet, ideally it should be secured such that a firewall (other than possibly a simple port whitelist at the router) isn't needed. If you believe a firewall is needed, put them all in a shared VPN or put each in a DMZ each with a public address and only allow the protocol ports (or ssh if you don't have a jump box in the DMZ). If you run a patchwork of NAT/forwarding hacks, you are inevitably going to run into DNS/TLS issues unless you are very careful. In my experience, people generally overly rely on firewalls instead of addressing node security directly.
On 1/23/2020 10:24 AM, Cavell wrote:
Apologies for the confusion in my wording,
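As an added illustration of the advice above (securing the node itself rather than relying on the router), and not code from anyone in this thread: a fragment of a Fabric peer's core.yaml that enables TLS on the exposed peer port, requires client certificates, and advertises a public gossip endpoint so peers in other organizations can reach it. The host names and certificate paths are assumed values.

```yaml
peer:
  # Listen on all interfaces; only this port needs to be reachable from outside.
  address: 0.0.0.0:7051
  gossip:
    # Public name:port that peers in other orgs are told to dial (assumed value).
    # Left empty, the peer is not advertised outside its own organization.
    externalEndpoint: peer0.org1.example.com:7051
    # Same-org peer used to bootstrap gossip membership (assumed value).
    bootstrap: peer1.org1.example.com:7051
  tls:
    enabled: true                # never expose a peer port without TLS
    clientAuthRequired: true     # connections without a trusted client cert are refused
    cert:
      file: tls/server.crt       # peer's TLS server certificate (assumed path)
    key:
      file: tls/server.key
    rootcert:
      file: tls/ca.crt           # TLS CA used to verify peers this node dials
    clientRootCAs:
      files:
        - tls/ca.crt             # CA(s) whose client certificates are accepted
    clientCert:
      file: tls/client.crt       # presented when this peer dials other peers
    clientKey:
      file: tls/client.key
```

The same settings can be supplied as environment variables (for example CORE_PEER_TLS_ENABLED, CORE_PEER_TLS_CLIENTAUTHREQUIRED, CORE_PEER_GOSSIP_EXTERNALENDPOINT) when the peer runs in a container.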