Network and firewall rules for use of Dewesoft devices
Network devices
These instructions define the firewall and network rules required for the secure and functional operation of Dewesoft network devices:
- OBSIDIAN
- IOLITE-X
- SIRIUS-X
- SIRIUS-XHS (when a USB connection is used, the XHS works as an RNDIS device and uses the same protocols)
For seamless operation of the devices listed above, the following firewall and network rules must be applied on the client computer.
| Ports and protocols | Firewall rules | Service | Use case |
|---|---|---|---|
| TCP 4840 | Outgoing: ALLOW TCP port 4840 to the OPC-UA server's IP address. | OPC-UA | Used for RT devices (configuration and streaming). For openDAQ devices it is used only when OPC-UA is needed. |
| TCP 7420 | Outgoing: ALLOW TCP port 7420 to the target server's IP address. | Native streaming & configuration | Default configuration and streaming for openDAQ devices (RT devices do not have this). |
| UDP 5353 | Outgoing: ALLOW UDP port 5353 to the multicast addresses 224.0.0.251 (IPv4) and FF02::FB (IPv6). Incoming: ALLOW UDP responses from these addresses and port 5353. | mDNS discovery | openDAQ discovery service used on these addresses. |
| TCP 22 | Outgoing: ALLOW TCP port 22 to the target server's IP address. | SSH | Advanced configuration, scripts and transfer of data files. |
| ICMP | Outgoing: ALLOW ICMP Type 8 (Echo Request) to the target IP. Incoming: ALLOW ICMP Type 0 (Echo Reply) from the target IP (to see the response). | Ping | Detection of whether a device is present on the network. |
| TCP 30002, UDP 30004 | Outgoing: ALLOW UDP port 30004 to the multicast address 239.255.0.1 (IPv4). Incoming: ALLOW UDP responses from multicast address 239.255.0.1 and port 30004; ALLOW TCP port 30002 from the target server's IP address. | RT discovery | Used for RT multicast discovery and IP configuration change. |
EtherCAT devices
When EtherCAT devices (e.g., Krypton, IOLite) are used, DewesoftX acts as the EtherCAT master. Apply the rules below:
Default Communication (EtherCAT Over Raw Ethernet)
- EtherType: allow raw Ethernet frames with EtherType 0x88A4:
  - ALLOW EtherType 0x88A4.
Broadcast Traffic
- Allow outgoing broadcast traffic to destination MAC ff:ff:ff:ff:ff:ff:
  - Source MAC: 03:01:01:01:01:01.
  - Destination MAC: ff:ff:ff:ff:ff:ff.
  - ALLOW EtherType 0x88A4.
USB devices
USB devices (SIRIUS, SIRIUS HD, SIRIUS HS, Dewe43, DS-CAN2) communicate directly through their USB drivers, so no network-specific rules are needed for their operation.
The only exception is SIRIUS-XHS, which uses RNDIS and should be treated as a network device.
Dewesoft NET
When Dewesoft NET is used to connect multiple instances of DewesoftX running on separate systems, the following rules are needed.
| Ports and protocols | Firewall rules | Service | Use case |
|---|---|---|---|
| TCP 8980-8999 | Outgoing: ALLOW TCP ports 8980-8999 to any remote address. Incoming: ALLOW TCP ports 8980-8999 from any remote address. | NET | Default port numbers for NET client connections. |
| TCP 1999, UDP 8979 | Outgoing: ALLOW TCP port 1999 to any remote address; ALLOW UDP port 8979 to any remote address. Incoming: ALLOW TCP port 1999 from any remote address; ALLOW UDP port 8979 from any remote address. | Launcher | Discovery of NET clients. |
| UDP 8000 | Outgoing: ALLOW UDP port 8000 to any remote address. Incoming: ALLOW UDP port 8000 from any remote address. | Cross trigger | Default cross trigger port. Needed only if cross trigger will be used in the system. |
| TCP 3389, UDP 3389 | Outgoing: ALLOW TCP port 3389 to the remote computer's IP address (for establishing the RDP session); ALLOW UDP port 3389 to the remote computer's IP address (optional, for improved performance in modern RDP versions). Incoming: ALLOW TCP port 3389 from the client's IP address (to accept RDP connections); ALLOW UDP port 3389 from the client's IP address (optional). | RDP | Needed only if RDP (Remote Desktop Protocol) will be used for remote access to NET clients. |
| TCP 443, 5500, 5800, 5900 | Outgoing: ALLOW TCP ports 443, 5500, 5800, 5900 to any remote address. Incoming: ALLOW TCP ports 443, 5500, 5800, 5900 from any remote address. | VNC | Disabled by default. Needed only if VNC will be used for remote access to NET clients. |
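As an added example (not Dewesoft's own script), the rules of the network-devices table and the Dewesoft NET table above written as Windows Defender Firewall commands for the client PC, each scoped to an explicit address rather than to any host; the NET rules tighten the table's "any remote address" to a list of known NET clients, and the EtherCAT rules are left out because raw EtherType 0x88A4 frames sit below the IP layer these cmdlets filter. The addresses, the measurement subnet and the `New-DewesoftRule` helper name are assumptions.

```powershell
# Added example (not Dewesoft's own script): Windows Defender Firewall rules for a
# DewesoftX client PC. Addresses below are constructed placeholders; replace them.
$DeviceIp     = '192.168.10.50'      # one openDAQ/RT device (placeholder)
$DeviceSubnet = '192.168.10.0/24'    # measurement LAN used for discovery (placeholder)
$NetClients   = @('192.168.20.11', '192.168.20.12')  # Dewesoft NET clients (placeholder)
$Group        = 'Dewesoft'

# Helper (hypothetical name): one Allow rule, always scoped to an explicit remote address.
function New-DewesoftRule {
    param([string]$Name, [string]$Direction, [string]$Protocol,
          [string[]]$RemoteAddress, [string]$LocalPort, [string]$RemotePort, [string]$IcmpType)
    $p = @{ DisplayName = $Name; Group = $Group; Direction = $Direction; Protocol = $Protocol
            RemoteAddress = $RemoteAddress; Action = 'Allow' }
    if ($LocalPort)  { $p.LocalPort  = $LocalPort }
    if ($RemotePort) { $p.RemotePort = $RemotePort }
    if ($IcmpType)   { $p.IcmpType   = $IcmpType }
    New-NetFirewallRule @p | Out-Null
}

# --- Network devices table: unicast rules go to the device, discovery to multicast ---
New-DewesoftRule 'Dewesoft OPC-UA 4840'  Outbound TCP $DeviceIp -RemotePort 4840
New-DewesoftRule 'Dewesoft openDAQ 7420' Outbound TCP $DeviceIp -RemotePort 7420
New-DewesoftRule 'Dewesoft SSH 22'       Outbound TCP $DeviceIp -RemotePort 22   # drop if SSH is unused
New-DewesoftRule 'Dewesoft mDNS out' Outbound UDP @('224.0.0.251', 'ff02::fb') -RemotePort 5353
# mDNS replies come from the device's unicast address, so inbound is scoped to the LAN (assumption).
New-DewesoftRule 'Dewesoft mDNS in'  Inbound  UDP $DeviceSubnet -LocalPort 5353
New-DewesoftRule 'Dewesoft RT discovery out' Outbound UDP '239.255.0.1' -RemotePort 30004
New-DewesoftRule 'Dewesoft RT discovery in'  Inbound  TCP $DeviceIp -LocalPort 30002
New-DewesoftRule 'Dewesoft ping out' Outbound ICMPv4 $DeviceIp -IcmpType 8
New-DewesoftRule 'Dewesoft ping in'  Inbound  ICMPv4 $DeviceIp -IcmpType 0

# --- Dewesoft NET table, tightened from "any remote address" to the known NET clients ---
New-DewesoftRule 'Dewesoft NET out'          Outbound TCP $NetClients -RemotePort '8980-8999'
New-DewesoftRule 'Dewesoft NET in'           Inbound  TCP $NetClients -LocalPort  '8980-8999'
New-DewesoftRule 'Dewesoft launcher out'     Outbound TCP $NetClients -RemotePort 1999
New-DewesoftRule 'Dewesoft launcher in'      Inbound  TCP $NetClients -LocalPort  1999
New-DewesoftRule 'Dewesoft launcher UDP out' Outbound UDP $NetClients -RemotePort 8979
New-DewesoftRule 'Dewesoft launcher UDP in'  Inbound  UDP $NetClients -LocalPort  8979

# Check: every rule in the group must carry an explicit remote address, never 'Any'.
Get-NetFirewallRule -Group $Group | Get-NetFirewallAddressFilter |
    Where-Object { $_.RemoteAddress -contains 'Any' } |
    ForEach-Object { Write-Warning "Unscoped rule: $($_.InstanceID)" }
```

Cross trigger, RDP and VNC are not created here because the table marks them as needed only when those features are used; add them the same way, scoped to the peer's address, if they are.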