Implementation Guide for IT Services (Internet, VPN, MQTT, ...)

firewall

#1

Hi,

Do you have a complete guide to give the IT Services to ensure a good and full implementation of a Flexy module in the company firewall.

Thanks
Christian


#2

Hi Christian,

I would recommend referring them to this page: https://websupport.ewon.biz/support/docs/flexy#5

Specifically to the User Manual: https://websupport.ewon.biz/sites/default/files/um-0002-00-en-flexy-family.pdf as the Implementation manual deals a lot with the hardware.

The Flexy external (WAN) communication is through OpenVPN: https://websupport.ewon.biz/sites/default/files/kb-0018-0-en_using_ewon_with_openvpn.pdf which greatly simplifies what IT has to deal with. As long as OpenVPN is not blocked, there should not be any issues. Only the device and its internal LAN are accessible through the VPN and the default configuration segregates the internal LAN from the rest of the network.

There can be more complex set ups and more info can be found on the support page above, but for a basic set up, it only requires a connection to the internet.

Kyle


#4

Hi Kyle,

Here is my summary for configuring the Firewall for the Flexy IP address on the WAN side

For the Internet connection
The following port must be configured “outgoing”:

  • 80 (TCP) for HTTP

For the VPN connection
The following ports must be configured “outgoing”:

  • 443 (TCP) for openVPN
  • 1194 (UDP) for openVPN

Firewall rules

  • “openVPN” service must be allowed
  • *.talk2M.com domains must be accessible

For MQTT communication (does not go through the VPN)
The following port must be configured “outgoing”:

  • 1883 (TCP) if not over TLS/SSL
  • 8883 (TCP) over TLS / SSL

For HTTPX communication
The following port must be configured “outgoing”:

  • 443 (TCP) HTTPS over TLS / SSL

I would like to know if the summary is good and if there are important things to clarify or modify?

Thanks
Christian
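The port summary in the post above, turned into something the IT team can drop into an egress filter and verify. This is an added example and not part of the thread or of any HMS/eWON documentation; the Flexy WAN address 192.0.2.10 is a constructed placeholder, and the DNS allowance is an assumption added because *.talk2m.com must resolve before OpenVPN can connect. It renders an nftables forward-chain fragment that defaults to drop for the Flexy's WAN address and permits only the listed outbound ports, and it includes a TCP reachability check that can be run from the Flexy's WAN segment.

```python
"""Egress allow-list for an eWON Flexy, built from the port summary in the post.

Added example, not vendor code. All rules are OUTBOUND from the Flexy's WAN
address; no inbound port is opened on the company firewall.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class EgressRule:
    proto: str      # "tcp" or "udp"
    port: int       # destination port on the Internet side
    purpose: str    # why the post says it is needed


# Ports exactly as listed in the post (destination ports seen from the firewall).
REQUIRED_EGRESS = [
    EgressRule("tcp", 80,   "HTTP (Internet connection)"),
    EgressRule("tcp", 443,  "OpenVPN over TCP / HTTPS (HTTPX)"),
    EgressRule("udp", 1194, "OpenVPN over UDP"),
    EgressRule("tcp", 1883, "MQTT without TLS"),
    EgressRule("tcp", 8883, "MQTT over TLS"),
]

# Constructed placeholder for the Flexy's WAN IP; replace with the real address.
FLEXY_WAN_IP = "192.0.2.10"
# Assumption (not in the post): DNS must be allowed so *.talk2m.com resolves.
DNS_PORT = 53


def is_permitted(proto, port, rules=REQUIRED_EGRESS):
    """Return True if an outbound proto/port pair is on the allow-list."""
    proto = proto.lower()
    return any(r.proto == proto and r.port == port for r in rules)


def render_nftables(wan_ip=FLEXY_WAN_IP, rules=REQUIRED_EGRESS, allow_dns=True):
    """Render an nftables forward chain: default drop for the Flexy's WAN
    address, stateful return traffic, and only the listed destination ports."""
    tcp_ports = sorted({r.port for r in rules if r.proto == "tcp"})
    udp_ports = {r.port for r in rules if r.proto == "udp"}
    if allow_dns:
        udp_ports.add(DNS_PORT)
    udp_ports = sorted(udp_ports)

    def port_set(ports):
        return "{ " + ", ".join(str(p) for p in ports) + " }"

    lines = [
        "table inet flexy_egress {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
    ]
    for r in rules:
        lines.append(f"        # {r.proto}/{r.port}: {r.purpose}")
    lines.append(f"        ip saddr {wan_ip} tcp dport {port_set(tcp_ports)} accept")
    lines.append(f"        ip saddr {wan_ip} udp dport {port_set(udp_ports)} accept")
    lines += ["    }", "}"]
    return "\n".join(lines)


def check_tcp_egress(host, port, timeout=3.0):
    """Attempt a TCP connect from the current host; True if the firewall lets it
    through. UDP 1194 cannot be probed this way (OpenVPN does not answer a bare
    datagram); confirm it from the Flexy's own VPN status page instead."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    print(render_nftables())
    # Example probe (hypothetical broker host; adjust to your MQTT endpoint):
    # print(check_tcp_egress("broker.example.invalid", 8883))
```

Run it on the Flexy's WAN segment to print the ruleset, then probe the TCP ports with `check_tcp_egress` against your real broker or the Talk2M endpoint; the UDP path is confirmed by the VPN coming up, not by this script.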


#5

Christian,

Looks good! The big one is making sure they aren’t blocking 1194 out. No external firewall ports need to be opened. Do they enforce a whitelist? (not allowing any URLs (websites) unless they are on an approved list?) If they are not, you should be all set. Nice job.

Thanks,
Kyle


#6

Hi Kyle,

When I use Basic HTTPX instructions, I would like to know if the information goes outside the VPN as an MQTT transaction?

Thanks again
Christian


#7

Where is your MQTT broker located, on your local network or is it accessible over the internet?


#8

Hi Kyle,

I use AWS IoT or Azure IoT Hub as MQTT Broker.

In another post Deryck said:

Is this the same for Basic HTTPX instructions?

Thanks
Christian


#9

What do you mean by “Basic HTTPX instructions”?


#10

HTTPX:
The BASIC implemented in the device is capable of dealing with HTTP(S) request & response

  • REQUESTHTTPX
  • RESPONSEHTTPX

Christian


#11

Thanks. Packets may or may not go through the VPN depending on their destination and the device's security and routing settings. If the destination is on the LAN they won’t, but given default settings anything going to the WAN side will go through the VPN. However, you can make a number of different changes to how the device routes traffic, like setting up NAT or proxies for example.