    How to configure private networks for proper device operation

    Overview of DNS and Firewall Considerations for AirVantage and ALMS

    AirLink routers and Semtech cellular modules require access to firmware updates and work best within a managed environment. AirVantage is the management platform for Semtech modules, and AirLink Management Service (ALMS) provides additional functionality for managing AirLink routers and Semtech cellular plans. If your firewall cannot be configured with DNS-based (name-based) destinations, then the IP addresses used in its rules must be kept current through ongoing DNS resolution, since the service addresses can change.

    The following are the firewall rules and DNS entries required to support these products in a safe and secure manner. They apply to private cellular networks, and also to router operation within a full-tunnel VPN environment where management traffic is restricted.

    DNS Entries

    The following DNS entries must be propagated to your internal DNS server(s) in order to support proper router behavior. The complete domains (not individual hostnames) are required, because most traffic is directed to specific subdomains, including those for regional data center locations.

    • airvantage.net
    • m2mop.net

    Firewall Rules

    The following ports must be allowed for outbound access (outbound from your private network to the listed domains, plus the corresponding return traffic) to the appropriate regional domains to support router communication and management, including firmware upgrades. All AirVantage and ALMS traffic should be configured by name for best results in the event of an address change.

    Note: In the case of routers that include out-of-band management (OOBM), only the Lightweight M2M (LwM2M) traffic is currently allowed through the OOBM link. Firmware downloads and log file uploads must be facilitated over a higher capacity WAN link, so firewall rules must be implemented on any private network link to support these services.

    Destination port/protocol: UDP 5684 (LwM2M)
    Destination name: bs.airvantage.net
    Function: Bootstrap
    Notes: No device operational data is sent during bootstrap. All data is encrypted. One single global address.

    Destination port/protocol: UDP 5686 (LwM2M)
    Destination names: lw.na.airvantage.net, lw.eu.airvantage.net, lw.cad.airvantage.net
    Function: Device management communications
    Notes: All data is encrypted. Traffic is sent only to the regional data center where your account is located.
    • na is North America (USA)
    • eu is EMEA
    • cad is Canada

    Destination port/protocol: TCP 443 (HTTPS)
    Destination names: na.airvantage.net, na.m2mop.net, eu.airvantage.net, eu.m2mop.net, cad.airvantage.net
    Function: Firmware downloads and log file upload
    Notes: Downloads come from a digitally secured repository. Log files are sent over a secured link. Some DNS entries are required only to support legacy devices, and so are not needed for the newest AV/ALMS instances. Traffic is sent only to the regional data center where your account is located.
    • na is North America (USA)
    • eu is EMEA
    • cad is Canada

    Destination port/protocol: TCP 44900 (M3DA)
    Destination names: na.airvantage.net, eu.airvantage.net, cad.airvantage.net
    Function: ALEOS Application Framework (AAF) traffic
    Notes: Only required by ALEOS router customers using M3DA/AAF, including ALEOS vehicle telemetry. Traffic is sent only to the regional data center where your account is located.
    • na is North America (USA)
    • eu is EMEA
    • cad is Canada

    Destination port/protocol: TCP 8883 (MQTT over TLS)
    Destination names: na.airvantage.net, eu.airvantage.net, cad.airvantage.net
    Function: Encrypted MQTT traffic
    Notes: Only required by ALEOS router customers who have AAF applications configured to report MQTT data to ALMS, including ALEOS vehicle telemetry. Unsecured MQTT (TCP/1883) should never be used. Traffic is sent only to the regional data center where your account is located.
    • na is North America (USA)
    • eu is EMEA
    • cad is Canada
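    The article recommends name-based firewall rules and, where a firewall only accepts IP addresses, keeping those addresses current through ongoing DNS resolution. The following script is an added example of that maintenance loop and is not part of the original article or of Semtech's tooling. It builds the per-region destination list from the table above, re-resolves each hostname, diffs the result against the previously applied set, and renders only the changes as iptables OUTPUT commands. A name that fails to resolve aborts the cycle rather than silently dropping rules, and a rule set that would open cleartext MQTT (TCP 1883) is rejected. The function names, the iptables rendering, and the sample TEST-NET-1 addresses are assumptions of this example; the hostnames and ports come from the table.

```python
"""Added example (not from the original article): keep an IP-based allow-list
in sync with the AirVantage/ALMS hostnames by re-resolving them and diffing
against the previous result. Hostnames and ports are taken from the table
above; function names, the iptables rendering and the sample addresses are
assumptions of this example."""
import socket
from typing import Callable, Dict, List, Set, Tuple

Rule = Tuple[str, int, str]          # (protocol, port, hostname)
ResolvedRule = Tuple[str, int, str]  # (protocol, port, IP address)
Resolver = Callable[[str], List[str]]

# Region codes as used in the table: na = North America (USA), eu = EMEA, cad = Canada.
REGIONS = ("na", "eu", "cad")
CLEARTEXT_MQTT_PORT = 1883  # never allowed; MQTT must go over TLS on 8883


def destinations_for_region(region: str, aaf: bool = False, mqtt: bool = False) -> List[Rule]:
    """Outbound (protocol, port, hostname) tuples a router in `region` needs.
    M3DA/AAF (TCP 44900) and MQTT over TLS (TCP 8883) are only added when the
    deployment actually uses them."""
    if region not in REGIONS:
        raise ValueError(f"unknown region {region!r}; expected one of {REGIONS}")
    rules: List[Rule] = [
        ("udp", 5684, "bs.airvantage.net"),            # bootstrap, single global address
        ("udp", 5686, f"lw.{region}.airvantage.net"),  # LwM2M device management
        ("tcp", 443, f"{region}.airvantage.net"),      # firmware download, log upload
    ]
    if region in ("na", "eu"):                         # the table lists no cad.m2mop.net
        rules.append(("tcp", 443, f"{region}.m2mop.net"))  # legacy-device endpoint
    if aaf:
        rules.append(("tcp", 44900, f"{region}.airvantage.net"))
    if mqtt:
        rules.append(("tcp", 8883, f"{region}.airvantage.net"))
    return rules


def check_rules(rules: List[Rule]) -> None:
    """Reject a rule set that would open unencrypted MQTT (TCP 1883)."""
    for proto, port, host in rules:
        if proto == "tcp" and port == CLEARTEXT_MQTT_PORT:
            raise ValueError(f"refusing to allow cleartext MQTT to {host}")


def system_resolver(hostname: str) -> List[str]:
    """Resolve a hostname to its IPv4 addresses with the OS resolver."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def table_resolver(table: Dict[str, List[str]]) -> Resolver:
    """Resolver backed by a fixed hostname -> addresses table (for offline runs)."""
    return lambda hostname: table.get(hostname, [])


def resolve_rules(rules: List[Rule], resolver: Resolver = system_resolver) -> Set[ResolvedRule]:
    """Expand hostname rules into per-address rules. A name that does not
    resolve raises, so a transient DNS failure never empties the allow-list."""
    check_rules(rules)
    resolved: Set[ResolvedRule] = set()
    for proto, port, host in rules:
        addrs = resolver(host)
        if not addrs:
            raise RuntimeError(f"{host} did not resolve; keep the previous rule set")
        resolved.update((proto, port, ip) for ip in addrs)
    return resolved


def diff_rules(current: Set[ResolvedRule], new: Set[ResolvedRule]) -> Tuple[Set[ResolvedRule], Set[ResolvedRule]]:
    """Return (rules to add, rules to remove) to move from `current` to `new`."""
    return new - current, current - new


def render_iptables(rule: ResolvedRule, action: str = "-A") -> str:
    """Render one resolved rule as an iptables OUTPUT command (-A to add, -D to delete)."""
    proto, port, ip = rule
    return f"iptables {action} OUTPUT -p {proto} -d {ip} --dport {port} -j ACCEPT"


# Constructed sample answers (TEST-NET-1 addresses, not real service addresses),
# standing in for two successive resolution runs in which eu.airvantage.net
# changed one of its addresses.
SAMPLE_DNS_BEFORE: Dict[str, List[str]] = {
    "bs.airvantage.net": ["192.0.2.10"],
    "lw.eu.airvantage.net": ["192.0.2.20"],
    "eu.airvantage.net": ["192.0.2.30", "192.0.2.31"],
    "eu.m2mop.net": ["192.0.2.40"],
}
SAMPLE_DNS_AFTER: Dict[str, List[str]] = dict(
    SAMPLE_DNS_BEFORE, **{"eu.airvantage.net": ["192.0.2.30", "192.0.2.32"]}
)


def sync_commands(rules: List[Rule], current: Set[ResolvedRule], resolver: Resolver) -> List[str]:
    """One maintenance cycle: re-resolve, diff, and emit the commands to apply."""
    new = resolve_rules(rules, resolver)
    to_add, to_remove = diff_rules(current, new)
    return ([render_iptables(r, "-A") for r in sorted(to_add)]
            + [render_iptables(r, "-D") for r in sorted(to_remove)])


if __name__ == "__main__":
    eu_rules = destinations_for_region("eu")
    first = resolve_rules(eu_rules, table_resolver(SAMPLE_DNS_BEFORE))
    for cmd in sync_commands(eu_rules, first, table_resolver(SAMPLE_DNS_AFTER)):
        print(cmd)
```

    Run from a scheduler (for example every few minutes, in line with the records' TTLs) with `system_resolver` in place of the sample tables; the add-before-delete ordering keeps the existing addresses reachable while the new ones are being installed. Because the script only ever emits a diff, a resolver outage leaves the last known-good rule set in place instead of cutting the router off from management and firmware traffic.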