Bryx Station Alerting Network/Firewall Configuration

Modified on Wed, 22 Feb 2023 at 03:25 PM


-How do I set up my firewall and network to support Bryx Station Alerting?


Network Traffic:

The station control unit does not need access to, and will not access, any internal network or intranet of the department, agency, or municipality that it’s installed in. Everything it needs to alert the station is retrieved from the outside internet. As such, wherever possible, it is recommended to set up a private, secure VLAN for the Station Control Unit and open it up to all outbound traffic. If that is not possible, then at a minimum the following domains/ports will be required. Because IPs are not fixed, and many services utilize content delivery services, it is recommended that domains, not IP addresses, be whitelisted for HTTP/HTTPS traffic.

Recommended Router Configuration:

-Don't use "symmetric" NAT. Use "full cone" or "port restricted cone" NAT. Symmetric NAT is extremely hostile to peer-to-peer traffic and will degrade VoIP, video chat, games, WebRTC, and many other protocols, as well as the Bryx secondary remote access VPN.

-No more than one layer of NAT should be present between the station control unit and the Internet. Multiple layers of NAT introduce connection instability due to chaotic interactions between states and behaviors at different levels.

-NATs should have a port mapping or connection timeout no shorter than 60 seconds.

-Place no more than about 16,000 devices behind each NAT-managed external IP address to ensure that each device can map a sufficient number of ports.

These guidelines are consistent with the vast majority of typical deployments using commodity gateways and access points.


