# Edge Port Verification Runbook (Phase 0)

**Last Updated:** 2026-02-05  
**Status:** Active  
**Purpose:** Pre-requisite for Fastly/Direct edge design. Verifies whether inbound 80/443 are reachable on the public origin IP so the team can choose Option A (Fastly), Option C (direct), or Option B (tunnel/VPS).

---

## Why This Matters

- **Spectrum** (ISP) gateway at **76.53.10.33** shows ports 21, 22, 23, 80, 110, 143, 443, 3389 as **filtered** when scanned.
- The **origin for public traffic** is **76.53.10.36** (UDM Pro port forward to NPMplus). Reachability of **76.53.10.36:80** and **76.53.10.36:443** from the internet determines whether Fastly or direct-to-origin is viable.
- If both are **open**: proceed with Option A (Fastly) or Option C (DNS direct to 76.53.10.36).
- If **closed/filtered**: Option B required (Cloudflare Tunnel fix, or VPS/outbound connector).

---

## Prerequisite

Run the check from **outside** your network (e.g. mobile hotspot, different ISP, or a cloud VM). Do not rely on LAN or same-Spectrum tests.

---

## Step 1: Port check from outside your network

### Option A: Online port checker

1. Use a public service (e.g. [yougetsignal.com](https://www.yougetsignal.com/tools/open-ports/) or similar).
2. Target: **76.53.10.36**
3. Ports: **80** (HTTP), **443** (HTTPS)
4. Record result: Open / Closed / Filtered for each.

### Option B: nmap from external host

From a host that is **not** on 192.168.11.0/24 and **not** behind the same Spectrum gateway:

```bash
nmap -p 80,443 76.53.10.36
```

Interpret:

- **open**: Proceed with Fastly (Option A) or direct (Option C).
- **filtered** or **closed**: Use Option B (tunnel or VPS origin).

---

## Step 2: Record and decide

| Port | Result   | Action |
|------|----------|--------|
| 80   | open     | HTTP redirect/origin possible |
| 80   | filtered/closed | Option B or HTTPS-only to 443 |
| 443  | open     | Fastly/direct HTTPS viable |
| 443  | filtered/closed | Option B required (no inbound HTTPS to .36) |

**Go/no-go:**

- **Go for Option A/C:** Both 80 and 443 open on 76.53.10.36 from internet.
- **No-go for Option A/C:** 443 closed or filtered → implement Option B (tunnel or VPS origin; see [NETWORK_CONFIGURATION_MASTER.md](../11-references/NETWORK_CONFIGURATION_MASTER.md) and edge options in project runbooks).

---

## References

- [NETWORK_CONFIGURATION_MASTER.md](../11-references/NETWORK_CONFIGURATION_MASTER.md) – Origin IP 76.53.10.36, Spectrum block
- [MASTER_INDEX.md](../MASTER_INDEX.md) – Topology and edge design