Network and firewall rules for use of Dewesoft devices

Network devices

These instructions define the firewall and network rules required for the secure and functional operation of Dewesoft network devices:

  • OBSIDIAN
  • IOLITE-X
  • SIRIUS-X
  • SIRIUS-XHS (when a USB connection is used, the XHS works as an RNDIS device and uses the same protocols)

For seamless operation of the devices listed above, the following firewall and network rules must be applied on the client computer.

Each entry below gives the ports and protocols, the firewall rules, the service and its use case.

Ports and protocols: TCP 4840
Firewall rules:
  Outgoing:
  * ALLOW TCP port 4840 to the OPC-UA server’s IP address.
Service: OPC-UA
Use case: Used for RT devices (configuration and streaming). For openDAQ devices it is used only when OPC-UA is needed.

Ports and protocols: TCP 7420
Firewall rules:
  Outgoing:
  * ALLOW TCP port 7420 to the target server’s IP address.
Service: Native streaming & configuration
Use case: Default configuration and streaming for openDAQ devices (RT devices don’t have this).

Ports and protocols: UDP 5353
Firewall rules:
  Outgoing:
  * ALLOW UDP port 5353 to the multicast addresses 224.0.0.251 (IPv4) and FF02::FB (IPv6).
  Incoming:
  * ALLOW UDP responses from these addresses and port 5353.
Service: mDNS discovery
Use case: openDAQ discovery service, used on the multicast addresses above.

Ports and protocols: TCP 22
Firewall rules:
  Outgoing:
  * ALLOW TCP port 22 to the target server’s IP address.
Service: SSH
Use case: Advanced configuration, scripts and transfer of data files.

Ports and protocols: ICMP
Firewall rules:
  Outgoing:
  * ALLOW ICMP Type 8 (Echo Request) to the target IP.
  Incoming:
  * ALLOW ICMP Type 0 (Echo Reply) from the target IP (to see the response).
Service: Ping
Use case: Detecting whether the device is present on the network.

Ports and protocols: TCP 30002, UDP 30004
Firewall rules:
  Outgoing:
  * ALLOW UDP port 30004 to the multicast address 239.255.0.1 (IPv4).
  Incoming:
  * ALLOW UDP responses from multicast address 239.255.0.1 and port 30004.
  * ALLOW TCP port 30002 from the target server’s IP address.
Service: RT discovery
Use case: Used for RT multicast discovery and IP configuration change.
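Applying the network-device rules above on a Windows client, as an added example that is not part of the Dewesoft documentation: a PowerShell script that creates them with New-NetFirewallRule, scoping the TCP and ICMP rules to the device address passed in $DeviceIp (an assumed placeholder parameter) instead of to any remote host. It assumes an elevated session on Windows with the NetSecurity module available.

```powershell
# Added example, not part of the Dewesoft documentation: builds the
# "Network devices" rules above in Windows Defender Firewall for one device.
# Assumptions: Windows 8 / Server 2012 or later (NetSecurity module present),
# an elevated session, and $DeviceIp as a placeholder for the address of
# your Dewesoft device.
param(
    [Parameter(Mandatory = $true)][string]$DeviceIp,
    [string]$Group = 'Dewesoft network devices'   # tags the set for later review/removal
)

# Parameters shared by every rule; -Group lets Get-/Remove-NetFirewallRule find them.
$common = @{ Group = $Group; Action = 'Allow'; ErrorAction = 'Stop' }

# Outgoing TCP: OPC-UA 4840, openDAQ native streaming/configuration 7420, SSH 22,
# each limited to the device address rather than any remote host.
$tcpOut = @{ 4840 = 'OPC-UA'; 7420 = 'openDAQ native streaming'; 22 = 'SSH' }
foreach ($port in $tcpOut.Keys) {
    New-NetFirewallRule @common -DisplayName "Dewesoft $($tcpOut[$port]) out" `
        -Direction Outbound -Protocol TCP -RemotePort $port -RemoteAddress $DeviceIp | Out-Null
}

# mDNS discovery: UDP 5353 to the IPv4/IPv6 multicast groups listed in the table.
New-NetFirewallRule @common -DisplayName 'Dewesoft mDNS out' -Direction Outbound `
    -Protocol UDP -RemotePort 5353 -RemoteAddress '224.0.0.251', 'ff02::fb' | Out-Null
# Replies come from devices that are not known yet, so this rule is filtered by port pair only.
New-NetFirewallRule @common -DisplayName 'Dewesoft mDNS in' -Direction Inbound `
    -Protocol UDP -LocalPort 5353 -RemotePort 5353 | Out-Null

# Ping: echo request out, echo reply back, device address only.
New-NetFirewallRule @common -DisplayName 'Dewesoft ping out' -Direction Outbound `
    -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $DeviceIp | Out-Null
New-NetFirewallRule @common -DisplayName 'Dewesoft ping in' -Direction Inbound `
    -Protocol ICMPv4 -IcmpType 0 -RemoteAddress $DeviceIp | Out-Null

# RT discovery: UDP 30004 to multicast 239.255.0.1, replies on 30004, TCP 30002 from the device.
New-NetFirewallRule @common -DisplayName 'Dewesoft RT discovery out' -Direction Outbound `
    -Protocol UDP -RemotePort 30004 -RemoteAddress '239.255.0.1' | Out-Null
# A multicast group is a destination, not a source, so the reply rule is scoped by port only.
New-NetFirewallRule @common -DisplayName 'Dewesoft RT discovery in' -Direction Inbound `
    -Protocol UDP -LocalPort 30004 | Out-Null
New-NetFirewallRule @common -DisplayName 'Dewesoft RT config in' -Direction Inbound `
    -Protocol TCP -LocalPort 30002 -RemoteAddress $DeviceIp | Out-Null

# Check: list what was created so the rule set can be reviewed before it is relied on.
Get-NetFirewallRule -Group $Group |
    Select-Object DisplayName, Direction, Action, Enabled | Format-Table -AutoSize
```

Saved as a .ps1 file, it is run as `.\<script>.ps1 -DeviceIp <device address>`; `Remove-NetFirewallRule -Group 'Dewesoft network devices'` removes the whole set again.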

EtherCAT devices

When EtherCAT devices (e.g., Krypton, IOLite) are used, DewesoftX acts as the EtherCAT master. Apply the rules below:

Default Communication (EtherCAT Over Raw Ethernet)

  • EtherType: Allow raw Ethernet frames with EtherType 0x88A4:
    • ALLOW EtherType 0x88A4.

Broadcast Traffic

  • Allow outgoing broadcast traffic to destination MAC ff:ff:ff:ff:ff:ff:
    • Source MAC: 03:01:01:01:01:01.
    • Destination MAC: ff:ff:ff:ff:ff:ff.
    • ALLOW EtherType 0x88A4.

USB devices

USB devices (SIRIUS, SIRIUS HD, SIRIUS HS, Dewe43, DS-CAN2) communicate directly through USB drivers, so no network-specific rules are needed for their operation.

The only exception is SIRIUS-XHS, which uses RNDIS and should be treated as a network device.

Dewesoft NET

When Dewesoft NET is used to connect multiple instances of DewesoftX running on separate systems, the following rules are needed.

Each entry below gives the ports and protocols, the firewall rules, the service and its use case.

Ports and protocols: TCP 8980-8999
Firewall rules:
  Outgoing:
  * ALLOW TCP ports 8980-8999 to any remote address.
  Incoming:
  * ALLOW TCP ports 8980-8999 from any remote address.
Service: NET
Use case: Default port numbers for NET client connections.

Ports and protocols: TCP 1999, UDP 8979
Firewall rules:
  Outgoing:
  * ALLOW TCP port 1999 to any remote address.
  * ALLOW UDP port 8979 to any remote address.
  Incoming:
  * ALLOW TCP port 1999 from any remote address.
  * ALLOW UDP port 8979 from any remote address.
Service: Launcher
Use case: Discovery of NET clients.

Ports and protocols: UDP 8000
Firewall rules:
  Outgoing:
  * ALLOW UDP port 8000 to any remote address.
  Incoming:
  * ALLOW UDP port 8000 from any remote address.
Service: Cross trigger
Use case: Default cross trigger port. Needed only if cross trigger will be used in the system.

Ports and protocols: TCP 3389, UDP 3389
Firewall rules:
  Outgoing:
  * ALLOW TCP port 3389 to the remote computer’s IP address (for establishing the RDP session).
  * ALLOW UDP port 3389 to the remote computer’s IP address (optional, for improved performance in modern RDP versions).
  Incoming:
  * ALLOW TCP port 3389 from the client’s IP address (to accept RDP connections).
  * ALLOW UDP port 3389 from the client’s IP address (optional).
Service: RDP
Use case: Needed only if RDP (Remote Desktop Protocol) will be used for remote access to NET clients.

Ports and protocols: TCP 443, TCP 5500, TCP 5800, TCP 5900
Firewall rules:
  Outgoing:
  * ALLOW TCP ports 443, 5500, 5800, 5900 to any remote address.
  Incoming:
  * ALLOW TCP ports 443, 5500, 5800, 5900 from any remote address.
Service: VNC (disabled by default)
Use case: Needed only if VNC will be used for remote access to NET clients.