Bryx Station Alerting Network/Firewall Configuration

Modified on Wed, 27 Mar 2024 at 10:35 AM

The station control unit does not need access to, and will not access, any internal network or intranet of the department, agency, or municipality in which it is installed. 


The SCU requires access to the outside internet to alert the station properly. As such, it is recommended to set up a private, secure, VLAN for the Station Control Unit and open it up to all outbound traffic. 


If that is not possible, then at a minimum, the following domains/ports will be required. Because IPs are not fixed, and many services utilize content delivery services, it is recommended that domains, not IP addresses be whitelisted for HTTP/HTTPS traffic.


Recommended Router Configuration:

-Don't use "symmetric" NAT. Use "full cone" or "port restricted cone" NAT. Symmetric NAT is

extremely hostile to peer-to-peer traffic and will degrade VoIP, video chat, games, WebRTC, and

many other protocols as well as the Bryx secondary remote access VPN.


-No more than one layer of NAT should be present between the station control unit and the

Internet. Multiple layers of NAT introduce connection instability due to chaotic interactions

between states and behaviors at different levels.


-NATs should have a port mapping or connection timeout of at least 60 seconds.


-Place no more than 16,000 devices behind each NAT-managed external IP address to

ensure that each device can map a sufficient number of ports.


These guidelines are consistent with the vast majority of typical deployments using commodity

gateways and access points

         

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons

Feedback sent

We appreciate your effort and will try to fix the article