Deploying a Swarm Sensor on a Home Network

GreyNoise Swarm sensors require inbound internet traffic to reach the sensor host directly. When deploying on a home or office network, your router acts as a NAT gateway — meaning inbound traffic from the internet is blocked by default and never reaches the sensor. This guide explains how to configure your router to forward all inbound traffic to your sensor so it can begin capturing attack data.

Prerequisites

Before configuring your router, confirm the following:

  • Your Swarm sensor is installed and shows Connected or Healthy in the GreyNoise Visualizer (Observe → Sensors)
  • The sensor host is connected to your router via ethernet or Wi-Fi (ethernet recommended over Wi-Fi for stability)
  • You have admin access to your router's configuration interface
  • You know your sensor host's local IP address (e.g., 192.168.1.183)
📘

Tip

To find your sensor's local IP address, run ip addr show eth0 (or ip addr show wlan0 if using Wi-Fi) on the sensor host and look for the inet line.


Step 1: Assign a Static IP to Your Sensor

Port forwarding rules are tied to a specific IP address. If your sensor's local IP changes (which it will if it's assigned via DHCP), the forwarding rules will stop working and your sensor will go dark.

Before setting up port forwarding, lock your sensor to a permanent IP. There are two ways to do this — use whichever your router supports:

Option A: DHCP reservation in your router (preferred)

A DHCP reservation tells the router to always assign the same IP to a specific device based on its MAC address. Log into your router's admin interface and create a reservation binding your sensor's MAC address to its current IP. To find the MAC address, run:

# Ethernet
ip link show eth0

# Wi-Fi
ip link show wlan0

Look for the link/ether line — for example:

link/ether 88:a2:9e:36:26:a2

The specific steps vary by router — see the ISP-specific sections below for guidance. Note that some routers (such as the Verizon CR1000A) do not support MAC-based DHCP reservations, in which case use Option B.

Option B: Static IP configured on the sensor host

If your router doesn't support DHCP reservations, configure a static IP directly on the sensor host. On Ubuntu, edit the netplan configuration:

sudo tee /etc/netplan/50-cloud-init.yaml << 'EOF'
network:
  version: 2
  ethernets:
    eth0:
      optional: true
      dhcp4: false
      dhcp6: false
      addresses:
        - 192.168.1.242/24
      routes:
        - to: default
          via: 192.168.1.1
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]
EOF
sudo netplan apply

Replace 192.168.1.242 with your sensor's current IP and 192.168.1.1 with your router's gateway IP. Verify it took effect by running ip addr show eth0 (or ip addr show wlan0 if your sensor is connected via Wi-Fi) — you should see valid_lft forever with no dynamic label.

🚧

Important

If your sensor is currently using a DHCP-assigned IP, lock the IP first and confirm it is stable before creating port forwarding rules.


Step 2: Configure Port Forwarding

GreyNoise Swarm sensors need to receive traffic on all ports so they can observe the full range of internet scanning activity. You will need to forward all inbound TCP and UDP traffic (ports 1–65535) from your router's public IP to the sensor's local IP.

One exception: exclude the SSH management port assigned to your sensor during installation. Forwarding that port to the sensor is unnecessary and could expose your SSH service to the internet. The sensor's SSH port is shown on the sensor detail page in the GreyNoise Visualizer.

Most routers support port range forwarding, so you can typically cover all ports with two rules:

| Rule | Protocol | Port Range | Forward To |
|------|----------|------------|------------|
| 1 | TCP + UDP | 1 – [SSH port - 1] | Sensor local IP |
| 2 | TCP + UDP | [SSH port + 1] – 65535 | Sensor local IP |

For example, if your SSH port is 59102:

| Rule | Protocol | Port Range | Forward To |
|------|----------|------------|------------|
| greynoise-1 | Both | 1–59101 | 192.168.1.242 |
| greynoise-2 | Both | 59103–65535 | 192.168.1.242 |
📘

Tip

Some routers don't support port ranges and require individual rules per port. If your router has this limitation, consider using a DMZ (see below) as an alternative.


Alternative: Use a DMZ

If your router supports DMZ mode, you can designate the sensor host as the DMZ host instead of configuring individual port forwarding rules. DMZ mode forwards all inbound traffic on all ports to the designated host automatically.

DMZ is simpler to configure but means the sensor host receives all unsolicited inbound traffic with no router-level filtering. This is acceptable — and expected — for a honeypot sensor, but make sure the host is dedicated to the sensor and is not running any other services.

🚧

Important

Never place a general-purpose machine (a laptop, desktop, or shared server) in DMZ. Use DMZ only for a host dedicated to running the GreyNoise sensor.


Step 3: Verify Traffic Is Flowing

After saving your port forwarding rules, SSH into the sensor and run:

sudo tcpdump -i eth0 -nn -c 50

Within a few minutes, you should see inbound connections from random public IP addresses on various ports — these are internet scanners hitting your sensor. If you only see your own SSH session traffic, double-check that your router saved the rules and that the forwarding addresses match the sensor's current local IP.

You can also check the sensor's Session Explorer in the GreyNoise Visualizer to confirm sessions are being recorded.
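To make the Step 3 check less dependent on eyeballing, the added example below (not GreyNoise code) counts TCP SYNs in `tcpdump -nn` output that come from public IPv4 sources and target any port other than the management SSH port. The function names and the capture lines are constructed for illustration; the sensor IP and SSH port are the example values used on this page.

```shell
#!/usr/bin/env bash
# Added example; function names and sample data are hypothetical.

# count_inbound_syns SENSOR_IP SSH_PORT   (reads `tcpdump -nn` text on stdin)
# Prints "<syn_count> <distinct_dst_ports>" for TCP SYNs that arrive from
# public IPv4 sources on any port other than the management SSH port.
count_inbound_syns() {
    awk -v ip="$1" -v ssh="$2" '
        $2 == "IP" && /Flags \[S\],/ {
            src = $3
            dst = $5; sub(/:$/, "", dst)
            n = split(dst, d, ".")
            host = d[1] "." d[2] "." d[3] "." d[4]; port = d[n]
            if (host != ip || port == ssh) next   # not the sensor, or SSH
            # Skip RFC 1918 sources: LAN hosts, not internet scanners.
            if (src ~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/) next
            syns++
            if (!(port in seen)) { seen[port] = 1; ports++ }
        }
        END { printf "%d %d\n", syns, ports }'
}

# Constructed capture: two scanners, one LAN SSH session, and the sensor's
# own outbound connection with its SYN-ACK reply.
sample_capture() {
    cat <<'EOF'
10:00:01.000001 IP 203.0.113.45.51234 > 192.168.1.242.23: Flags [S], seq 1, win 1024, length 0
10:00:02.000001 IP 198.51.100.7.40000 > 192.168.1.242.445: Flags [S], seq 2, win 1024, length 0
10:00:03.000001 IP 192.168.1.50.50022 > 192.168.1.242.59102: Flags [P.], seq 1:37, ack 1, win 501, length 36
10:00:04.000001 IP 203.0.113.45.51235 > 192.168.1.242.23: Flags [S], seq 3, win 1024, length 0
10:00:05.000001 IP 192.168.1.242.44321 > 198.51.100.9.443: Flags [S], seq 4, win 64240, length 0
10:00:06.000001 IP 198.51.100.9.443 > 192.168.1.242.44321: Flags [S.], seq 5, ack 5, win 65535, length 0
EOF
}

# Offline demo. On the sensor, pipe a live capture in instead:
#   sudo tcpdump -i eth0 -nn -c 200 | count_inbound_syns 192.168.1.242 59102
sample_capture | count_inbound_syns 192.168.1.242 59102
```

A result of `0 0` after a few minutes of live capture means no forwarded connection attempts are reaching the host, which points back at the router rules or the forwarding address.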


ISP-Specific Setup Guides

Verizon Fios (CR1000A)

Accessing the router admin interface: Navigate to https://192.168.1.1 in a browser. If you see a certificate warning, click "Visit this website" — this is expected for local router admin pages and is not a security risk. Log in using the credentials on the sticker on the back of the router.

Static IP: The CR1000A does not support MAC-based DHCP reservations in its standard UI. Instead, configure a static IP directly on the sensor host using netplan. SSH into the sensor and run:

sudo tee /etc/netplan/50-cloud-init.yaml << 'EOF'
network:
  version: 2
  ethernets:
    eth0:
      optional: true
      dhcp4: false
      dhcp6: false
      addresses:
        - 192.168.1.242/24
      routes:
        - to: default
          via: 192.168.1.1
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]
EOF
sudo netplan apply

Replace 192.168.1.242 with your sensor's current IP and 192.168.1.1 with your router's gateway IP. Verify the IP is static by running ip addr show eth0 (or ip addr show wlan0 if using Wi-Fi) — you should see valid_lft forever with no dynamic label.

Port forwarding: Go to Devices → select your sensor → Port Forwarding (under Device Add-Ons), or navigate via Advanced → Security & Firewall → Port Forwarding.

Click Add to list and create two rules covering all ports except your SSH port. The CR1000A supports port ranges in the Original Port field (e.g., 1-59101). Set Protocol to Both (TCP + UDP), Fwd to Addr to your sensor's IP, and Schedule to Always. Click Apply Changes when done.

🚧

Important

The CR1000A may have pre-existing port forwarding rules on ports like 4567 and 4577. If you encounter an "in use" error when adding rules, split your ranges to skip those ports and add them as separate rules.
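The range arithmetic from Step 2 and from the note above can be done mechanically. This added example (not part of the original guide or any GreyNoise tooling) generalizes the two-rule split to any number of excluded ports; the function name `forward_ranges` is hypothetical, and 59102, 4567 and 4577 are the example values used on this page.

```shell
#!/usr/bin/env bash
# Added example: list the port ranges that cover 1-65535 while skipping
# every excluded port (the sensor's SSH port plus any ports the router
# reports as "in use"). forward_ranges is a hypothetical helper name.

# forward_ranges PORT [PORT...]
# Prints one "start-end" range per line; returns 1 on invalid input.
forward_ranges() {
    local p start=1 sorted
    for p in "$@"; do
        case "$p" in
            # Reject empty, non-numeric, leading-zero and over-long values.
            ''|*[!0-9]*|0*|??????*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        if [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done
    sorted=$(printf '%s\n' "$@" | sort -n -u)
    for p in $sorted; do
        # Emit the gap below this excluded port, if there is one.
        if [ "$p" -gt "$start" ]; then
            echo "${start}-$((p - 1))"
        fi
        start=$((p + 1))
    done
    # Emit the tail above the last excluded port.
    if [ "$start" -le 65535 ]; then
        echo "${start}-65535"
    fi
}

# SSH port 59102, with 4567 and 4577 skipped because the router holds them.
forward_ranges 59102 4567 4577
```

Each output line maps to one router rule with Protocol set to Both; ports already held by a router rule stay out of the list, and the SSH management port is never forwarded.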



Xfinity / Comcast (xFi Gateway)

Accessing the router admin interface: Navigate to http://10.0.0.1 or http://192.168.1.1 depending on your gateway model. Log in with your admin credentials (default credentials are on the gateway label).

DHCP reservation: In the xFi app or web interface, go to Connect → See All Devices, select your sensor, and choose Reserve IP to assign a permanent IP based on the device's MAC address. Alternatively, log into the gateway directly and navigate to Gateway → Connection → Local IP Network to manage DHCP reservations.

Port forwarding: In the gateway admin interface, go to Advanced → Port Forwarding. Create two rules covering your port ranges (excluding the SSH port), forwarding to the sensor's reserved IP. Set protocol to TCP & UDP and ensure the rules are enabled.

📘

Tip

If you manage your network through the Xfinity xFi app, port forwarding is available under More → Advanced Settings → Port Forwarding.



AT&T (BGW320 / BGW210)

Accessing the router admin interface: Navigate to http://192.168.1.254. The default access code is printed on the gateway label.

DHCP reservation (IP Passthrough or address allocation): Go to Home Network → IP Allocation. Find your sensor in the connected devices list and change its allocation from DHCP to Fixed to reserve its current IP permanently.

Port forwarding: Go to Firewall → NAT/Gaming (AT&T uses the "NAT/Gaming" label for port forwarding). Click Add a new user-defined application, set the protocol to TCP/UDP, define your port range, and save. Then assign that application rule to your sensor's IP address in the device list.


🚧

Important

AT&T gateways have IP Passthrough mode, which forwards all traffic to a single device — similar to DMZ. If you have a dedicated sensor host and want the simplest configuration, go to Firewall → IP Passthrough, set Allocation Mode to Passthrough, and select your sensor as the passthrough device.