Firewall Setup
The base station communicates with a few services that must be allowed through the network firewall. In most cases, the station starts working as soon as it is connected to a network with Internet access. However, some networks are more restrictive and block traffic to the required hosts and ports. If the firewall blocks any traffic and your station is not online after a few minutes of running, we recommend checking the firewall settings and allowing the required ports.
Required hosts and ports
The full list of hosts and ports used by the station:
[critical] host: z.nwave.io (54.195.232.12); port: tcp/10051
[critical] host: wireguard.nwave.io; port: tcp/5<Station-ID> (port 51234 for station with ID 1234)
[critical] host: wireguard.nwave.io; port: udp/41194 (this port must be available for inbound traffic)
[critical] host: a2j317pelpvu7-ats.iot.eu-west-1.amazonaws.com; port: tcp/443
host: 104.192.136.0; port: 21
host: 185.166.140.0; port: 22
host: 18.205.93.0; port: 25
host: 18.234.32.128; port: 25
host: 13.52.5.0; port: 25
[critical] udp/123
udp/53
Some of the ports are marked as [critical]. These ports are crucial for the station’s functionality. The others are used for secondary functionality (automatic software updates, for example).
Diagnostics
If the station is connected to the local network but is shown as Offline on the Base Stations page, use the following diagnostic steps to determine the cause.
All the following steps require logging in to the base station command shell. The login and password can be requested by email from support@nwave.io or yb@nwave.io
DNS/Internet availability check
The first step is to check the availability of Domain Name Service:
nslookup nwave.io
The correct result:
$ nslookup nwave.io
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: nwave.io
Address: 88.99.85.48
Result when DNS is unavailable or the Internet is not reachable:
$ nslookup nwave.io
Server: 127.0.0.53
Address: 127.0.0.53#53
** server can't find nwave.io: NXDOMAIN
Monitoring endpoint availability check
telnet z.nwave.io 10051
The correct result:
$ telnet z.nwave.io 10051
Trying 54.195.232.12...
Connected to z.nwave.io.
Escape character is '^]'.
Connection closed by foreign host.
When the monitoring host/port is unavailable, the command hangs on the following output:
~$ telnet z.nwave.io 10051
Trying 54.195.232.12...
Press Ctrl+C to stop the command execution.
Remote diagnostics availability check
General availability check
telnet 54.171.138.93 41194
The command shows the following rows if the endpoint is available. Press Ctrl+C to stop the command execution.
$ telnet 54.171.138.93 41194
Trying 54.171.138.93...
Connected to 54.171.138.93.
Escape character is '^]'.
When the remote diagnostics host/port is unavailable, the command hangs on the following output:
$ telnet 54.171.138.93 41196
Trying 54.171.138.93...
Press Ctrl+C to stop the command execution.
UDP allowance check
The command above tests the port availability for TCP traffic. The diagnostics port must be available for UDP traffic. Run the following command to check the UDP availability:
nc -z -v -u 54.171.138.93 41194
The result if UDP is allowed:
$ nc -z -v -u 54.171.138.93 41194
Connection to 54.171.138.93 41194 port [udp/*] succeeded!
Inbound traffic allowance check
Even if the UDP port is open for outbound traffic, it can be blocked for inbound traffic.
The following command shows the traffic statistics. It asks for the same password that was used to log in to the command shell.
sudo systemctl status wg-quick@wg0
The remote diagnostics channel works well when the transfer and receive traffic counters show non-zero values:
$ sudo wg show
interface: wg0
public key: 1234567890ABCDEF1234567890ABcdef=
private key: (hidden)
listening port: 50795
peer: 1234567890ABCDEF1234567890ABcdef=
endpoint: 54.74.54.47:41194
allowed ips: 10.10.0.0/16
latest handshake: 22 seconds ago
transfer: 54.53 MiB received, 54.28 MiB sent
persistent keepalive: every 25 seconds
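For UDP, nc reports success whenever no ICMP error comes back, so the WireGuard counters are the more reliable signal for the inbound check. The script below is an added example, not Nwave code: it classifies `sudo wg show` output, and its function names, verdict labels, the hours-old handshake heuristic and the sample inputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Sample inputs are constructed.

# Reads `sudo wg show` output on stdin and prints one verdict:
#   ok              handshake is recent and bytes were received from the peer
#   stale           counters are non-zero but the last handshake is hours/days old
#   inbound-blocked packets are sent, nothing is received (replies dropped)
#   no-traffic      nothing sent at all (interface down or endpoint unresolved)
# Assumes a single peer, as in the station output shown above.
classify_wg() {
    awk '
        /latest handshake:/ {
            handshake = 1
            # Heuristic (assumption): with a 25 s keepalive a healthy tunnel
            # re-handshakes every few minutes, so hours or days means dead.
            if ($0 ~ /hour|day|year/) old = 1
        }
        /transfer:/ {
            # Format: "transfer: <n> <unit> received, <n> <unit> sent"
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^received/) rx = $(i - 2) + 0
                if ($i ~ /^sent/)     tx = $(i - 2) + 0
            }
        }
        END {
            if (handshake && rx > 0) print (old ? "stale" : "ok")
            else if (tx > 0)         print "inbound-blocked"
            else                     print "no-traffic"
        }'
}

# Builds constructed `wg show` output.
# $1 = handshake text (empty if no handshake ever completed), $2 = transfer text
sample_wg() {
    printf 'interface: wg0\n  listening port: 50795\n'
    printf 'peer: PLACEHOLDER_PEER_KEY=\n  endpoint: 54.74.54.47:41194\n'
    if [ -n "$1" ]; then printf '  latest handshake: %s\n' "$1"; fi
    printf '  transfer: %s\n  persistent keepalive: every 25 seconds\n' "$2"
}

sample_wg "22 seconds ago" "54.53 MiB received, 54.28 MiB sent" | classify_wg
sample_wg "" "0 B received, 4.91 KiB sent" | classify_wg
sample_wg "3 hours, 12 minutes, 5 seconds ago" "54.53 MiB received, 54.28 MiB sent" | classify_wg
```

On a station, pipe the real output into the function: `sudo wg show | classify_wg`. The transfer counters are cumulative, which is why a non-zero value with an old handshake is reported separately as stale.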
Data endpoint availability check
$ telnet a2j317pelpvu7-ats.iot.eu-west-1.amazonaws.com 443
The command shows the following rows if the endpoint is available. Press Ctrl+C to stop the command execution.
$ telnet a2j317pelpvu7-ats.iot.eu-west-1.amazonaws.com 443
Trying 52.49.83.47...
Connected to a2j317pelpvu7-ats.iot.eu-west-1.amazonaws.com.
Escape character is '^]'.
When the data diagnostics host/port is unavailable, the command hangs on the following output:
$ telnet 54.171.138.93 41196
Trying 54.171.138.93...
Press Ctrl+C to stop the command execution.
Time sync service check
When the time synchronization service is inaccessible, the station is displayed as Online Unhealthy. This means that the station is connected to the Nwave Platform but cannot transfer messages to it due to time synchronization issues.
The command for checking the synchronization service status:
timedatectl status
The result when time synchronization works fine:
$ timedatectl status
Local time: Wed 2024-03-13 16:42:56 UTC
Universal time: Wed 2024-03-13 16:42:56 UTC
RTC time: n/a
Time zone: Etc/UTC (UTC, +0000)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
If there is an issue with time synchronization, the command above prints the row System clock synchronized: No.