The diagram below shows a common network configuration for PortaSwitch.
Each PortaSwitch server requires two physical network interfaces:
- The first network interface is connected to a private LAN segment used for internal communication between the servers (the grey lines on the diagram). The private LAN must allow the servers to initiate outgoing connections to the internet (using NAT) for monitoring, maintenance, and server updates.
- The other network interface is connected to the public internet segment. This interface is used to provide “public” services (such as VoIP calls or access to the self-care portal) to your customers. This public internet connection is marked by the orange lines on the diagram.
If all servers can initiate outgoing connections to the internet via the public internet segment, there is no need to configure an outgoing connection for the private LAN.
Two physical network interfaces are required for the following purposes:
- Improved network security, since internal traffic (such as database access or the transfer of sensitive customer information) travels over a dedicated interface that is not exposed to the public segment.
- Ability to quickly and easily relocate services (including public IPs allocated to each service) from one physical server to another, or to change the roles of the servers.
- If the public IPs are no longer accessible (e.g., the servers have been physically moved to a different hosting facility, or the administrator supplied incorrect information regarding a public IP), it is still possible to access the server via the internal interface and fix the configuration.
- Intensive data transfer on one interface (e.g., database copy for a daily backup) does not affect services provided on the other interface (e.g., media transport for voice calls).
Consider the following when planning your network:
- Private IP addresses must be in the same LAN (or VPN).
- The 10.19.0.0/16 and 10.11.0.0/16 private IP address subnetworks are reserved for configuring the Docker infrastructure. Thus, don’t use the 10.19.0.0-10.19.255.255 and 10.11.0.0-10.11.255.255 address pools while configuring the network interfaces on the servers.
- RADIUS servers do not normally require a connection to the public internet segment, so it is recommended that you not assign public IP addresses to them. The only exception is when you have remote RADIUS clients which cannot interconnect with RADIUS servers via private IP addresses. Below you will find the parameters that must be configured when you only assign private IP addresses to RADIUS servers. This is usually done by the PortaOne support team once the system has been installed:
  - If you only assign private IP addresses to RADIUS servers, then you must specify a RADIUS server’s private IP address in the RadiusClient.Source_Address option on the Configuration server web interface.
  - If you are installing a RADIUS cluster, then the RADIUS.Forward_Mode option on the Configuration server web interface must also be enabled. This allows the RADIUS requests to be relayed to all of the RADIUS servers when you specify the private IP address of only one of them in the above option.
- Additional processes (e.g., geo-IP database auto-update or real-time lookup in a central LNP database) may run on the RADIUS servers if the respective features are enabled, even though they do not relate to the RADIUS protocol. These processes may require outgoing connections to specific IP addresses or to the whole public internet: direct, via NAT, or via different sorts of custom proxying.
- Dedicated database servers do not require a connection to the public internet segment, so we recommend not assigning them public IP addresses.
- If you are planning to achieve PCI DSS compliance, you should have dedicated database servers with only private IP addresses. These IP addresses must be on a separate subnet.
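The planning rules above are easy to get wrong in a spreadsheet, so the following script checks a planned address layout against them before any interface is configured. This is an added example, not PortaOne code or tooling: the server names, roles, addresses and subnets are constructed for illustration, and the way the PCI DSS rule is checked (database servers on their own subnet that does not overlap the rest of the private LAN, with no public address) is my reading of the rule above.

```python
"""Check a planned PortaSwitch address layout against the network planning rules.

Added example, not part of PortaOne's documentation or tools. All server names,
roles, addresses and subnets below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Address pools reserved for the Docker infrastructure (from the planning rules).
DOCKER_RESERVED = (
    ipaddress.ip_network("10.19.0.0/16"),
    ipaddress.ip_network("10.11.0.0/16"),
)

# RFC 1918 private ranges, used instead of ipaddress.is_private because the
# latter also flags documentation ranges such as 203.0.113.0/24.
RFC1918 = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)

# Roles that do not normally need a public IP address (a recommendation, not a rule).
PRIVATE_ONLY_ROLES = {"db", "radius"}


@dataclass
class Server:
    name: str
    role: str                        # e.g. "sip", "web", "radius", "db"
    private_ip: str                  # interface on the private LAN segment
    public_ip: Optional[str] = None  # interface on the public segment, if any


def in_docker_reserved(addr: str) -> bool:
    """True if the address falls into a pool reserved for Docker."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in DOCKER_RESERVED)


def check_plan(servers: List[Server], private_lan: str, pci_dss: bool = False,
               db_subnet: Optional[str] = None) -> List[Tuple[str, str, str]]:
    """Return (severity, server_name, message) findings; an empty list means the plan passes.

    severity is "error" for a rule the plan must satisfy and "warn" for a recommendation.
    With pci_dss=True the database servers are expected on db_subnet, separate from
    the rest of the private LAN, and must carry no public address (assumed reading).
    """
    lan = ipaddress.ip_network(private_lan)
    db_net = ipaddress.ip_network(db_subnet) if db_subnet else None
    findings: List[Tuple[str, str, str]] = []

    if pci_dss and db_net is None:
        return [("error", "-", "pci_dss=True requires a db_subnet")]
    if db_net is not None and db_net.overlaps(lan):
        findings.append(("error", "-", f"database subnet {db_net} must be separate from the private LAN {lan}"))

    for s in servers:
        priv = ipaddress.ip_address(s.private_ip)
        is_pci_db = pci_dss and s.role == "db"
        expected_net = db_net if is_pci_db else lan   # which segment this server belongs on

        if not any(priv in net for net in RFC1918):
            findings.append(("error", s.name, f"{priv} on the private interface is not an RFC 1918 address"))
        if in_docker_reserved(s.private_ip):
            findings.append(("error", s.name, f"{priv} lies in a pool reserved for Docker"))
        if priv not in expected_net:
            findings.append(("error", s.name, f"{priv} is outside {expected_net}"))
        if pci_dss and s.role != "db" and priv in db_net:
            findings.append(("error", s.name, f"non-database server placed in the database subnet {db_net}"))

        if s.public_ip is None:
            continue
        pub = ipaddress.ip_address(s.public_ip)
        if in_docker_reserved(s.public_ip):
            findings.append(("error", s.name, f"{pub} lies in a pool reserved for Docker"))
        if any(pub in net for net in RFC1918):
            findings.append(("warn", s.name, f"{pub} on the public interface is a private address"))
        if is_pci_db:
            findings.append(("error", s.name, "PCI DSS database server must have only a private IP address"))
        elif s.role in PRIVATE_ONLY_ROLES:
            findings.append(("warn", s.name, f"{s.role} server does not normally need a public IP address"))

    return findings


# Constructed sample: a plan that follows every rule (203.0.113.0/24 is a documentation range).
GOOD_PLAN = [
    Server("sip1", "sip", "10.20.1.11", "203.0.113.11"),
    Server("web1", "web", "10.20.1.12", "203.0.113.12"),
    Server("radius1", "radius", "10.20.1.13"),
    Server("db1", "db", "10.21.1.21"),
]

# Constructed sample: the same installation with three typical planning mistakes.
BAD_PLAN = [
    Server("sip1", "sip", "10.19.0.11", "203.0.113.11"),        # private IP inside a Docker pool
    Server("radius1", "radius", "10.20.1.13", "203.0.113.13"),  # public IP on a RADIUS server
    Server("db1", "db", "10.20.1.21", "203.0.113.21"),          # DB on the main LAN, with a public IP
]


def good_findings():
    return check_plan(GOOD_PLAN, "10.20.1.0/24", pci_dss=True, db_subnet="10.21.1.0/24")


def bad_findings():
    return check_plan(BAD_PLAN, "10.20.1.0/24", pci_dss=True, db_subnet="10.21.1.0/24")


if __name__ == "__main__":
    for severity, name, msg in bad_findings():
        print(f"{severity:5} {name:8} {msg}")
```

Running the script prints four errors and one warning for the faulty plan (the Docker-pool address, the SIP server being outside the LAN as a result, the database server outside its subnet and with a public address, plus the RADIUS public-IP warning) and nothing for the compliant one. Extend `Server` with a VPN flag or additional roles if your installation has remote RADIUS clients that genuinely need a public address.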
Although not all servers need to be assigned IP addresses from the public internet segment, we recommend that a physical connection be established for all servers (then you can easily swap roles between the servers using PortaSwitch configuration tools).
You can find our recommendations regarding the firewall in the What is the Recommended Setup for the PortaSwitch Behind a Firewall? section of the "Frequently Asked Questions" chapter.
You may configure virtual interfaces (VLANs for trunking) and/or network bonding (link aggregation) for servers using the Configuration server. For more details see the PortaSwitch Configuration Server Web Reference Guide.
VPN setup between your installation and PortaOne access servers
By default, to monitor your installation and troubleshoot issues, our Support team uses:
- SSH protocol v.2 – for remote access to the servers of your installation. Our engineers connect, using key-based authentication and an individual one-time password (OTP), to PortaOne’s internal access servers, which in turn reach your installation via its public IP addresses. These internal access servers act as a secure gateway, allowing our team to connect to your system while protecting both parties from unauthorized access. The access servers are redundant for failover purposes.
- A corporate proxy (via HTTPS) – acts as a secure intermediary between a device and the internet, e.g., for safely accessing your web interface through a browser. The proxy is also redundant for failover purposes. This adds an extra layer of protection while enabling access to self-care portals.
We recommend configuring a firewall to limit access to your PortaSwitch servers, allowing connections only from the IP addresses of PortaOne’s internal access servers and PortaOne’s corporate proxy (via HTTPS).
However, for enhanced security, and in cases where a firewall alone is insufficient (e.g., due to corporate security policies or legal requirements), you can block direct access and set up a VPN connection between your installation and PortaOne servers. Note that such a setup must be carefully planned, approved, and verified during the initial system setup and network design.
Setting up a VPN connection can be a complex and lengthy process, involving the following steps:
- Identifying VPN requirements (user(s) configuration, specifications, and other necessary details).
- Exchanging network details between you and PortaOne, including:
  - public IP addresses
  - subnet details for the internal network on both sides
  - required ports and protocols
- Configuring VPN gateways – setting up the hardware or software gateways for secure communication.
- Establishing secure connections – initiating and validating the VPN link.
- Ongoing monitoring and maintenance – regularly checking and maintaining the VPN for consistent performance.