
Authorizing base station flows to and from ThingPark

This topic describes the flows that you must authorize in your base station deployment environment, for example on proxies and firewalls. These flows allow base stations to exchange traffic with the ThingPark core network and with external time-synchronization servers.

For ThingPark SaaS deployments

Tip

For the FQDNs of the SaaS nodes (SLRC, SLRC (LNS-BRIDGE), LRC, SUPPORT and PROXY_HTTP servers), see Per-platform FQDN list.

LRR flows when IPsec is used

| # | From (system) | From (application) | Type | Protocol | Dest. Port | To (system) | To (application) | Description |
|---|---|---|---|---|---|---|---|---|
| i6 | BASE STATION | strongswan (client) | Bidirectional | IKE v2 (secure), MOBIKE v2 (secure) | UDP/500, UDP/4500 | SLRC | strongswan | IPsec IKE (UDP) / MOBIKE (UDP); ike=aes128-sha256-ecp256,aes128-sha384-ecp384,aes256-sha512-ecp521 |
| i7 | BASE STATION | strongswan (client) | Bidirectional | ESP (secure) | - | SLRC | strongswan | ESP (protocol 50); ike=aes128-sha256-ecp256,aes128-sha384-ecp384,aes256-sha512-ecp521; esp=aes128gcm128,aes256gcm128 |
| i7a | BASE STATION | stunnel | Unidirectional | TLS | TCP/3001, TCP/3002, TCP/3003 | SLRC | haproxy | Check certificate validity on server side (only applicable to LRR version ≥ 2.8) |
| i8a | BASE STATION | OS | Unidirectional | ICMP | - | SLRC | OS | Ping (SLRC) |
| i10 | BASE STATION | OS | Unidirectional | DNS | UDP/53 | DNS service | service | DNS request. Note: OPTIONAL, to be evaluated according to the access network. |
| i11 | BASE STATION | OS | Unidirectional | DHCP | - | DHCP service | service | DHCP request. Note: OPTIONAL, to be evaluated according to the access network. |
| i11b | BASE STATION | Key installer (client) | Unidirectional | SFTP | TCP/22 | SLRC | key-installer (openssh) | SFTP access to download X.509 certificate |
| i9 | BASE STATION | OS | Unidirectional | SSH v2 (secure) | TCP/22 | SUPPORT | OS | Reverse LRR administration |
| i17 | BASE STATION | OS | Unidirectional | NTP | UDP/123 | NTP service | OS | LRR NTP request |

LRR flows when TLS is used

| # | From (system) | From (application) | Type | Protocol | Dest. Port | To (system) | To (application) | Description |
|---|---|---|---|---|---|---|---|---|
| i7a | BASE STATION | stunnel | Unidirectional | TLS | TCP/3001, TCP/3002, TCP/3003 | SLRC | haproxy | TLS tunnels to LRC:2404 (i14), LRC:22 (i15b) and SUPPORT:22 (i17d), respectively |
| i8a | BASE STATION | OS | Unidirectional | ICMP | - | SLRC | OS | Ping (SLRC) |
| i10 | BASE STATION | OS | Unidirectional | DNS | UDP/53 | DNS service | service | DNS request. Note: OPTIONAL, to be evaluated according to the access network. |
| i11 | BASE STATION | OS | Unidirectional | DHCP | - | DHCP service | service | DHCP request. Note: OPTIONAL, to be evaluated according to the access network. |
| i11b | BASE STATION | Key installer (client) | Unidirectional | SFTP | TCP/22 | SLRC | key-installer (openssh) | SFTP access to download X.509 certificate |
| i9 | BASE STATION | OS | Unidirectional | SSH v2 (secure) | TCP/22 | SUPPORT | OS | Reverse LRR administration |
| i17 | BASE STATION | OS | Unidirectional | NTP | UDP/123 | NTP service | OS | LRR NTP request |

Basics Station flows (always with TLS)

| # | From (system) | From (application) | Type | Protocol | Dest. Port | To (system) | To (application) | Description |
|---|---|---|---|---|---|---|---|---|
| i10 | BASE STATION | OS | Unidirectional | DNS | UDP/53 | DNS service | service | DNS request. Note: OPTIONAL, to be evaluated according to the access network. |
| i11 | BASE STATION | OS | Unidirectional | DHCP | - | DHCP service | service | DHCP request. Note: OPTIONAL, to be evaluated according to the access network. |
| i11c | BASE STATION | Semtech Basics Station | Unidirectional | HTTPS/WSS | TCP/443 | SLRC (LNS-BRIDGE) | haproxy | LNS interface to LRC LNS-BRIDGE |
| i11d | BASE STATION | Semtech Basics Station | Unidirectional | HTTPS / TLS v1.2 (secure) | TCP/443 | PROXY_HTTP | proxy | CUPS interface to AS_RCA |
| i17 | BASE STATION | OS | Unidirectional | NTP | UDP/123 | NTP service | service | LRR NTP request |

Per-platform FQDN list

| SaaS platform | SLRC FQDN | SLRC (LNS-BRIDGE) FQDN | LRC FQDN | SUPPORT FQDN | PROXY_HTTP FQDN |
|---|---|---|---|---|---|
| EU-PROD | slrc1.eu.thingpark.com, slrc2.eu.thingpark.com | lns.eu.thingpark.com | lrc1-tpe-eu.thingpark.com, lrc2-tpe-eu.thingpark.com | support1.eu.thingpark.com, support2.eu.thingpark.com | thingparkenterprise.eu.actility.com |
| AU-PROD | slrc1-au1.thingpark.com, slrc2-au1.thingpark.com | lns.au.thingpark.com | lrc1-tpe-au1.thingpark.com, lrc2-tpe-au1.thingpark.com | support1-au1.thingpark.com, support2-au1.thingpark.com | thingparkenterprise.au.actility.com |
| US-PROD | slrc1-us.thingpark.com, slrc2-us.thingpark.com | lns.us.thingpark.com | lrc1-tpe-us.thingpark.com, lrc2-tpe-us.thingpark.com | support1-us.thingpark.com, support2-us.thingpark.com | thingparkenterprise.us.actility.com |
| ThingPark Community | slrc1-poc.thingpark.com, slrc2-poc.thingpark.com | lns.thingpark.com | lrc1-dev.thingpark.com, lrc2-dev.thingpark.com | support1-poc.thingpark.com, support2-poc.thingpark.com | community.thingpark.io |
| EU-PREPROD | slrc1.eu-preprod.thingpark.com, slrc2.eu-preprod.thingpark.com | lns.eu-preprod.thingpark.com | lrc1-eu-preprod.thingpark.com, lrc2-eu-preprod.thingpark.com | support1-eu-preprod.thingpark.com, support2-eu-preprod.thingpark.com | thingparkenterprise-preprod.eu.actility.com |
| AU-PREPROD | slrc1-au1-preprod.thingpark.com, slrc2-au1-preprod.thingpark.com | lns.au-preprod.thingpark.com | lrc1-au1-preprod.thingpark.com, lrc2-au1-preprod.thingpark.com | support1-au1-preprod.thingpark.com, support2-au1-preprod.thingpark.com | thingparkenterprise-preprod.au.actility.com |
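
The SaaS "LRR flows when TLS is used" table can double as an egress allowlist for auditing what a base station actually sends. The following Python is an added example, not part of the ThingPark documentation: it encodes that table for EU-PROD and checks constructed egress records against it. It assumes the records have already been reduced to (protocol, destination FQDN, destination port) tuples, and the DNS and NTP server names are placeholders for site-specific values.

```python
# Added example: audit base station egress against the SaaS "LRR flows when TLS is used" table.
# FQDNs are the EU-PROD entries from the per-platform list; everything else is assumed.
SLRC = {"slrc1.eu.thingpark.com", "slrc2.eu.thingpark.com"}
SUPPORT = {"support1.eu.thingpark.com", "support2.eu.thingpark.com"}

def build_allowlist(dns_servers, ntp_servers):
    """Map flow id -> (protocol, destination ports or None, destination hosts)."""
    return {
        "i7a": ("tcp", {3001, 3002, 3003}, SLRC),   # stunnel -> haproxy
        "i8a": ("icmp", None, SLRC),                # ping
        "i11b": ("tcp", {22}, SLRC),                # SFTP certificate download
        "i9": ("tcp", {22}, SUPPORT),               # reverse SSH administration
        "i10": ("udp", {53}, set(dns_servers)),     # optional, site-specific
        "i17": ("udp", {123}, set(ntp_servers)),    # site-specific NTP
        # i11 (DHCP) is left out: the table gives no port for it.
    }

def match_flow(allowlist, record):
    """Return the flow id that authorizes (proto, host, port), or None."""
    proto, host, port = record
    host = host.lower().rstrip(".")
    for flow_id, (flow_proto, ports, hosts) in allowlist.items():
        if proto.lower() == flow_proto and host in hosts and (ports is None or port in ports):
            return flow_id
    return None

def audit(allowlist, records):
    """Return (hits per flow id, records outside the table, flow ids never observed)."""
    hits, unexpected = {}, []
    for record in records:
        flow_id = match_flow(allowlist, record)
        if flow_id is None:
            unexpected.append(record)
        else:
            hits[flow_id] = hits.get(flow_id, 0) + 1
    return hits, unexpected, sorted(set(allowlist) - set(hits))

# Constructed sample: (protocol, destination FQDN, destination port) per egress record.
SAMPLE_RECORDS = [
    ("tcp", "slrc1.eu.thingpark.com", 3001),
    ("tcp", "slrc1.eu.thingpark.com", 3002),
    ("TCP", "SLRC2.eu.thingpark.com.", 3003),
    ("tcp", "support1.eu.thingpark.com", 22),
    ("udp", "dns.example.internal", 53),
    ("udp", "ntp.example.internal", 123),
    ("tcp", "slrc1.eu.thingpark.com", 2404),     # IEC 104 outside the TLS tunnel
    ("tcp", "support1.eu.thingpark.com", 443),   # not a listed flow
]
```

Flow ids returned in the third element (here `i11b` and `i8a`) were never observed in the sample, which points either at a rule that is still blocking the flow or at a capture window that missed it.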

For self-hosted deployments

LRR flows when IPsec is used

| # | From (system) | From (application) | Type | Protocol | Dest. Port | To (system) | To (application) | Description | STANDALONE | HIGH AVAILABILITY |
|---|---|---|---|---|---|---|---|---|---|---|
| i1 | BASE STATION | strongswan (client) | Bidirectional | IKE v2 (secure), MOBIKE v2 (secure) | UDP/500, UDP/4500 | TPE | strongswan | IPsec IKE (UDP) / MOBIKE (UDP); ike=aes128-sha256-ecp256,aes128-sha384-ecp384,aes256-sha512-ecp521 | MUST | MUST |
| i2 | BASE STATION | strongswan (client) | Bidirectional | ESP (secure) | - | TPE | strongswan | ESP (protocol 50); ike=aes128-sha256-ecp256,aes128-sha384-ecp384,aes256-sha512-ecp521; esp=aes128gcm128,aes256gcm128 | MUST | MUST |
| i3 | BASE STATION | OS | Unidirectional | ICMP | - | TPE | OS | Ping (TPE) | MUST | MUST |
| i4 | BASE STATION | Key installer (client) | Unidirectional | SFTP | TCP/22 | TPE | Key installer (server) | SFTP protocol | MUST | MUST |
| i5 | BASE STATION | OS | Unidirectional | SSH v2 (secure) | TCP/22 | TPE | OS | LRR admin (Reverse SSH) | MUST | MUST |
| i38 | BASE STATION | OS | Unidirectional | TLS | TCP/3001 | TPE | server | Check certificate validity on server side (only applicable to LRR version ≥ 2.8) | MUST | MUST |
| i39 | BASE STATION | OS | Unidirectional | TLS | TCP/3002 | TPE | server | Check certificate validity on server side (only applicable to LRR version ≥ 2.8) | MUST | MUST |
| i40 | BASE STATION | OS | Unidirectional | TLS | TCP/3003 | TPE | OS | Check certificate validity on server side (only applicable to LRR version ≥ 2.8) | MUST | MUST |
| n1 | BASE STATION | OS | Unidirectional | NTP | UDP/123 | NTP service | service | NTP requests when TPE is not used for NTP | OPTIONAL | OPTIONAL |
| n2 | BASE STATION | OS | Unidirectional | DNS | UDP/53 | DNS service | service | DNS requests | OPTIONAL | OPTIONAL |
| n3 | BASE STATION | OS | Unidirectional | NTP | UDP/123 | TPE | NTP service | NTP requests when TPE is used for NTP | OPTIONAL | OPTIONAL |
| n4 | BASE STATION | OS | Unidirectional | DHCP | - | DHCP service | service | DHCP request | OPTIONAL | OPTIONAL |

LRR flows when TLS is used

| # | From (system) | From (application) | Type | Protocol | Dest. Port | To (system) | To (application) | Description | STANDALONE | HIGH AVAILABILITY |
|---|---|---|---|---|---|---|---|---|---|---|
| i3 | BASE STATION | OS | Unidirectional | ICMP | - | TPE | OS | Ping (TPE) | MUST | MUST |
| i4 | BASE STATION | Key installer (client) | Unidirectional | SFTP | TCP/22 | TPE | Key installer (server) | SFTP protocol | MUST | MUST |
| i5 | BASE STATION | OS | Unidirectional | SSH v2 (secure) | TCP/22 | TPE | OS | LRR admin (Reverse SSH) | MUST | MUST |
| i38 | BASE STATION | OS | Unidirectional | IEC 104 over TLS (secure) | TCP/3001 | TPE | server | LRR IEC 104 link: LRR commands and LoRa uplink/downlink data and metadata exchange. | MUST | MUST |
| i39 | BASE STATION | OS | Unidirectional | SFTP over TLS (secure) | TCP/3002 | TPE | server | LRR software download; LRR software configuration download | MUST | MUST |
| i40 | BASE STATION | OS | Unidirectional | SFTP over TLS (secure) | TCP/3003 | TPE | OS | LRR RF scan upload; LRR software configuration upload | MUST | MUST |
| n1 | BASE STATION | OS | Unidirectional | NTP | UDP/123 | NTP service | service | NTP requests when TPE is not used for NTP | OPTIONAL | OPTIONAL |
| n2 | BASE STATION | OS | Unidirectional | DNS | UDP/53 | DNS service | service | DNS requests | OPTIONAL | OPTIONAL |
| n3 | BASE STATION | OS | Unidirectional | NTP | UDP/123 | TPE | NTP service | NTP requests when TPE is used for NTP | OPTIONAL | OPTIONAL |
| n4 | BASE STATION | OS | Unidirectional | DHCP | - | DHCP service | service | DHCP request | OPTIONAL | OPTIONAL |

LRR flows when neither IPsec nor TLS is used

| # | From (system) | From (application) | Type | Protocol | Dest. Port | To (system) | To (application) | Description | STANDALONE | HIGH AVAILABILITY |
|---|---|---|---|---|---|---|---|---|---|---|
| i3 | BASE STATION | OS | Unidirectional | ICMP | - | TPE | OS | Ping (TPE) | MUST | MUST |
| i5 | BASE STATION | OS | Unidirectional | SSH v2 (secure) | TCP/22 | TPE | OS | LRR admin (Reverse SSH) | MUST | MUST |
| i6 | BASE STATION | OS | Unidirectional | IEC 104 | TCP/2404 | TPE | server | LRR IEC 104 link: LRR commands and LoRa uplink/downlink data and metadata exchange. | MUST | MUST |
| i7 | BASE STATION | OS | Unidirectional | FTP | TCP/21 | TPE | server | LRR software download; LRR software configuration download. | MUST | MUST |
| i8 | BASE STATION | OS | Unidirectional | FTP | TCP/21 | TPE | OS | LRR RF scan upload; LRR software configuration upload | MUST | MUST |
| n1 | BASE STATION | OS | Unidirectional | NTP | UDP/123 | NTP service | service | NTP requests when TPE is not used for NTP | OPTIONAL | OPTIONAL |
| n2 | BASE STATION | OS | Unidirectional | DNS | UDP/53 | DNS service | service | DNS requests | OPTIONAL | OPTIONAL |
| n3 | BASE STATION | OS | Unidirectional | NTP | UDP/123 | TPE | NTP service | NTP requests when TPE is used for NTP | OPTIONAL | OPTIONAL |
| n4 | BASE STATION | OS | Unidirectional | DHCP | - | DHCP service | service | DHCP request | OPTIONAL | OPTIONAL |

Basics Station flows (always with TLS)

| # | From (system) | From (application) | Type | Protocol | Dest. Port | To (system) | To (application) | Description | STANDALONE | HIGH AVAILABILITY |
|---|---|---|---|---|---|---|---|---|---|---|
| i42 | BASE STATION | Semtech Basics Station | Unidirectional | HTTPS/WSS | TCP/4443 | TPE | haproxy | LNS interface | MUST | MUST |
| i43 | BASE STATION | Semtech Basics Station | Unidirectional | HTTP+TLS v1.2 (secure) | TCP/443 | TPE | RCA | CUPS interface | MUST | MUST |
| n1 | BASE STATION | OS | Unidirectional | NTP | UDP/123 | NTP service | service | NTP requests when TPE is not used for NTP | OPTIONAL | OPTIONAL |
| n2 | BASE STATION | OS | Unidirectional | DNS | UDP/53 | DNS service | service | DNS requests | OPTIONAL | OPTIONAL |
| n3 | BASE STATION | OS | Unidirectional | NTP | UDP/123 | TPE | NTP service | NTP requests when TPE is used for NTP | OPTIONAL | OPTIONAL |
| n4 | BASE STATION | OS | Unidirectional | DHCP | - | DHCP service | service | DHCP request | OPTIONAL | OPTIONAL |