Authorizing base station flows to and from ThingPark core network
If using a SaaS platform, this topic describes the required flows to authorize in your base station deployment environment, such as proxies, firewalls... These flows allow base stations to exchange traffic with ThingPark core network, as well as external time-synchronization servers.
LRR flows when IPsec is used
| # | From (system) | From (application) | Type | Protocol | Dest. Port | To (system) | To (application) | Description |
|---|---|---|---|---|---|---|---|---|
| i6 | BASE STATION | strongswan (client) | Bidirectional | IKE v2 (secure) MOBIKE v2 (secure) | UDP/500 UDP/4500 | SLRC | strongswan | IPsec IKE (UDP) / MOBIKE (UDP) ike=aes128-sha256-ecp256,aes128-sha384-ecp384,aes256-sha512-ecp521 |
| i7 | BASE STATION | strongswan (client) | Bidirectional | ESP (secure) | - | SLRC | strongswan | ESP (protocol 50) ike=aes128-sha256-ecp256,aes128-sha384-ecp384,aes256-sha512-ecp521 esp=aes128gcm128,aes256gcm128 |
| i7a | BASE STATION | stunnel | Unidirectional | TLS | TCP/3001 TCP/3002 TCP/3003 | SLRC | haproxy | Check certificate validity on server side (only applicable to LRR version >= 2.8) |
| i8a | BASE STATION | OS | Unidirectional | ICMP | - | SLRC | OS | Ping (SLRC) |
| i10 | BASE STATION | OS | Unidirectional | DNS | UDP/53 | DNS service | service | DNS request. Note OPTIONAL, to be evaluated according to the access network. |
| i11 | BASE STATION | OS | Unidirectional | DHCP | - | DHCP service | service | DHCP request. Note OPTIONAL, to be evaluated according to the access network. |
| i11b | BASE STATION | Key installer (client) | Unidirectional | SFTP | TCP/22 | SLRC | key-installer (openssh) | SFTP access to download X.509 certificate |
| i9 | BASE STATION | OS | Unidirectional | SSH v2 (secure) | TCP/22 | SUPPORT | OS | Reverse LRR administration |
| i17 | BASE STATION | OS | Unidirectional | NTP | UDP/123 | NTP service | OS | LRR NTP request |
LRR flows when TLS is used
| # | From (system) | From (application) | Type | Protocol | Dest. Port | To (system) | To (application) | Description |
|---|---|---|---|---|---|---|---|---|
| i7a | BASE STATION | stunnel | Unidirectional | TLS | TCP/3001 TCP/3002 TCP/3003 | SLRC | haproxy | TLS tunnels to respectively LRC:2404 (i14), LRC:22 (i15b), SUPPORT:22 (i17d) |
| i8a | BASE STATION | OS | Unidirectional | ICMP | - | SLRC | OS | Ping (SLRC) |
| i10 | BASE STATION | OS | Unidirectional | DNS | UDP/53 | DNS service | service | DNS request. Note OPTIONAL, to be evaluated according to the access network. |
| i11 | BASE STATION | OS | Unidirectional | DHCP | - | DHCP service | service | DHCP request. Note OPTIONAL, to be evaluated according to the access network. |
| i11b | BASE STATION | Key installer (client) | Unidirectional | SFTP | TCP/22 | SLRC | key-installer (openssh) | SFTP access to download X.509 certificate |
| i9 | BASE STATION | OS | Unidirectional | SSH v2 (secure) | TCP/22 | SUPPORT | OS | Reverse LRR administration |
| i17 | BASE STATION | OS | Unidirectional | NTP | UDP/123 | NTP service | OS | LRR NTP request |
LRR flows when neither IPsec nor TLS is used
| # | From (system) | From (application) | Type | Protocol | Dest. Port | To (system) | To (application) | Description |
|---|---|---|---|---|---|---|---|---|
| i10 | BASE STATION | OS | Unidirectional | DNS | UDP/53 | DNS service | service | DNS request. Note Optional, to be evaluated according to the access network. |
| i11 | BASE STATION | OS | Unidirectional | DHCP | - | DHCP service | service | DHCP request Note OPTIONAL, to be evaluated according to the access network. |
| i9 | BASE STATION | OS | Unidirectional | SSH v2 (secure) | TCP/22 | SUPPORT | OS | Reverse LRR administration |
| i14 | BASE STATION | OS | Unidirectional | IEC 104 | TCP/2404 | LRC | server | LRR IEC 104 link: LRR commands and LoRa uplink/donwlink data and metadata exchange. |
| i15 | BASE STATION | OS | Unidirectional | FTP | TCP/21 | LRC | server | LRR sofware download LRR sofware configuration download. |
| i15b | BASE STATION | OS | Unidirectional | SFTP (secure) | TCP/22 | LRC | server | LRR sofware download LRR sofware configuration download. |
| i17 | BASE STATION | OS | Unidirectional | NTP | UDP/123 | NTP service | service | LRR NTP request |
| i17b | BASE STATION | OS | Unidirectional | ICMP | - | LRC | OS | LRR Ping |
| i17c | BASE STATION | OS | Unidirectional | FTP | TCP/21 | SUPPORT | OS | LRR rf scan upload LRR software configuration upload |
| i17d | BASE STATION | OS | Unidirectional | SFTP (secure) | TCP/22 | SUPPORT | OS | LRR rf scan upload LRR software configuration upload |
Basics™ Station flows (always with TLS)
| # | From (system) | From (application) | Type | Protocol | Dest. Port | To (system) | To (application) | Description |
|---|---|---|---|---|---|---|---|---|
| i10 | BASE STATION | OS | Unidirectional | DNS | UDP/53 | DNS service | service | DNS request. Note OPTIONAL, to be evaluated according to the access network. |
| i11 | BASE STATION | OS | Unidirectional | DHCP | - | DHCP service | service | DHCP request. Note OPTIONAL, to be evaluated according to the access network. |
| i11c | BASE STATION | Semtech Basics Station | Unidirectional | HTTPS/WSS | TCP/443 | SLRC | haproxy | LNS interface to LRC LNS-BRIDGE |
| i11d | BASE STATION | Semtech Basics Station | Unidirectional | HTTPS / TLS v1.2 (secure) | TCP/443 | PROXY_HTTP | proxy | CUPS interface to AS_RCA |
| i17 | BASE STATION | OS | Unidirectional | NTP | UDP/123 | NTP service | service | LRR NTP request |