Wireless Access

I've installed a Virtual Mobility Master on a Proxmox (KVM) instance, hosted in a data center. This VMM is sitting behind a pfSense instance that does NAT.

I then have multiple hardware Mobility Controllers at different physical locations.

So the VMM and Mobility Controllers would be communicating over the internet.

I haven't yet added them to the VMM yet.

My question is - what ports do I need to forward on the VMM side, in order for the Mobility Controller to communicate with it?

https://www.arubanetworks.com/techdocs/ArubaOS_83_Web_Help/content/arubaframestyles/external_firewall_config/underst_firewa_port_config_arub_devic.htm?Highlight=firewall%20ports%20between

So just to be clear - for VMM (Virtual Mobility Master) to MC (Mobility Controller), I need all of the following ports to be port forwarded?

IPsec (UDP port 4500) for communication between Mobility Master and a managed device.

IPsec (UDP ports 500 and 4500) and ESP (protocol 50). PAPI between Mobility Master and a managed device is encapsulated in IPsec.

IP-IP (protocol 94) and UDP port 443 if Layer-3 mobility is enabled

GRE (protocol 47) if tunneling guest traffic over GRE to DMZ managed device

IKE (UDP 500)

ESP (protocol 50)

NAT-T (UDP 4500)

That seems like...an awful lot of ports =(.

Is there any other way of linking a VMM hosted somewhere in a colo or in the cloud, and where you have Mobility Controllers and APs in various locations?

That looks like port udp 4500 repeated several times along with IKE (udp 500) ESP (protocol 50).

There is not another way, unfortunately.

EDIT:  All you need is UDP 4500 between a mobility master and a mobility controller, btw.  The other protocols are not necessary.