Overview
This document describes the firewall rules that must be in place should customers elect to utilize MarketSpark M-Series equipment across their Ethernet / Data networks.
When MarketSpark M-Series equipment is utilized in its primary, standard fashion - across our cellular connection - customers do not need to make these affordances.
Notice
Before any customer engagement involving the use of MarketSpark M-Series equipment across a customer’s Ethernet / Data network, the customer must ensure that the following firewall rules are in place. Without these rules, MarketSpark will be unable to properly deliver its service offering.
MarketSpark’s primary mode of operation is across our built-in cellular connection. When that connection is utilized, customers do not have to make these affordances.
Firewall Rules
Rules for M-Series solutions are shown in the following table:
| Provider | Service | Domain | IP | Port | Protocol | Direction | Description |
|---|---|---|---|---|---|---|---|
| General Use, Shared Settings | | | | | | | |
| | NTP | pool.ntp.org | | 123 | UDP | Out | FQDN for Shared NTP |
| | DNS | n/a | 1.1.1.1 | 53 | UDP | Out | All DNS services utilized |
| | ICMP | n/a | 1.1.1.1 | n/a | ICMP | Out | ICMP Failure Checks for WAN Verification (may need to be allowed for ingress if ICMP is blocked by default) |
| Voice Network | MarketSpark’s Soft Switch Infrastructure | | | | | | |
| | Voice | n/a | 66.33.176.64/26 | 1024-65535 | UDP/TCP | In / Out | General Communications (Signaling and Media) |
| Please ensure SIP-ALG is DISABLED on the provided Network | | | | | | | |
| ATA | | | | | | | |
| | | *.gdms.cloud | | | | Out | Use “*.gdms.cloud” to encapsulate all rules found below if FQDN is an option - IPv4 Addresses are also listed but are subject to change without notice |
| | GDMS (Cloud) | account.gdms.cloud | 54.185.115.131 | 443 | TCP | Out | General GDMS cloud portal connectivity (TLS) |
| | GDMS (Cloud) | www.gdms.cloud | 35.161.51.90 | 443 | TCP | Out | GDMS web portal, firmware and provisioning (TLS) |
| | GDMS (Cloud) | us.download.gdms.cloud | 144.202.94.88 | 443 | TCP | Out | Firmware Download (TLS) |
| | GDMS (Cloud) | acs.gdms.cloud | 35.161.51.90 | 443 | TCP | Out | Communication data between GDMS servers and ATG / Client Devices (TLS) |
| | GDMS (Cloud) - STUN | stun1.gdms.cloud | 34.215.167.138 | 3478 | UDP | Out | STUN traffic |
| InHand Routers | | | | | | | |
| | | *.inhandnetworks.com | 54.215.114.78 | | | | Use "*.inhandnetworks.com" to encapsulate all rules found below if FQDN is an option - IPv4 Addresses are also listed but are subject to change without notice |
| | InHand Specific NTP | n/a | 114.80.81.1 | 123 | NTP | Out | NTP for InHand Devices |
| | InConnect Service (Cloud) | *.inhandnetworks.com | 54.215.114.78 | 8883 | TCP | Out | Encrypted MQTT |
| | OpenVPN Server | www.hostvpn.cloud | 54.215.114.78 | N/A | N/A | Out | Overlay VPN Client used in ICS VPN |
| | InConnect Service (Cloud) | *.inhandnetworks.com | 54.215.114.78 | 8200 | TCP | Out | ICS Firmware Upgrade |
| | InConnect Service (Cloud) | *.inhandnetworks.com | 54.215.114.78 | 82 | TCP | Out | ICS Management path via VPN |
| Cradlepoint Routers | | | | | | | |
| | | *.cradlepointecm.com | | | | | Use "*.cradlepointecm.com" to encapsulate all rules found below if FQDN is an option - IPv4 Addresses are available upon request |
| | NetCloud Manager Web UI / API | www.cradlepointecm.com | | 443 | TCP | Out | NCM Web UI / API Capabilities |
| | NetCloud Manager Stream Protocol | stream.cradlepointecm.com | | 8001 | TCP | Out | Primary protocol that syncs the router with NetCloud Manager (NCM) |
| | NetCloud Manager Speedtest (netperf) | speedtest.net | N/A | 8080 | TCP/UDP | Out | Speedtest functionality |
| | NetCloud OS (Router) / Modem Firmware | www.cradlepoint.com | | 443 | TCP | Out | NetCloud OS (NCOS) and Modem Firmware Accessibility |
| | NetCloud Manager Remote Connect | remoteconnect.cradlepointecm.com | | 30000 | TCP | Out | Remote Connect feature accessibility |
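
When a deployment misbehaves, a quick check is whether the firewall is dropping a flow the table requires. The following Python is an added example, not MarketSpark tooling: it matches dropped flows from a firewall log against the rows above that list an IPv4 address. The key=value log format and the sample lines are constructed for illustration; FQDN-only rows (pool.ntp.org, Cradlepoint) and the OpenVPN row, which lists no port, are left out, and the listed addresses are subject to change as the table notes.

```python
import ipaddress

# Table rows that list an IPv4 address: (net, port_lo, port_hi, protos, directions, purpose).
REQUIRED = [
    ("1.1.1.1/32", 53, 53, {"udp"}, {"out"}, "DNS"),
    ("1.1.1.1/32", None, None, {"icmp"}, {"out"}, "ICMP WAN verification"),
    ("66.33.176.64/26", 1024, 65535, {"udp", "tcp"}, {"in", "out"}, "Voice signaling and media"),
    ("54.185.115.131/32", 443, 443, {"tcp"}, {"out"}, "GDMS account portal"),
    ("35.161.51.90/32", 443, 443, {"tcp"}, {"out"}, "GDMS www / acs"),
    ("144.202.94.88/32", 443, 443, {"tcp"}, {"out"}, "GDMS firmware download"),
    ("34.215.167.138/32", 3478, 3478, {"udp"}, {"out"}, "GDMS STUN"),
    ("114.80.81.1/32", 123, 123, {"udp"}, {"out"}, "InHand NTP"),  # table says "NTP"; NTP is UDP/123
    ("54.215.114.78/32", 8883, 8883, {"tcp"}, {"out"}, "InConnect encrypted MQTT"),
    ("54.215.114.78/32", 8200, 8200, {"tcp"}, {"out"}, "ICS firmware upgrade"),
    ("54.215.114.78/32", 82, 82, {"tcp"}, {"out"}, "ICS management path"),
]

def match_required(direction, proto, remote, port):  # purpose of the matching rule, or None
    addr = ipaddress.ip_address(remote)
    for net, lo, hi, protos, dirs, purpose in REQUIRED:
        port_ok = lo is None or (port is not None and lo <= port <= hi)
        if addr in ipaddress.ip_network(net) and proto in protos and direction in dirs and port_ok:
            return purpose
    return None

def blocked_required_flows(log_lines):  # dropped flows that the table says must be allowed
    hits = []
    for line in log_lines:
        f = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if f.get("action") != "drop" or "remote" not in f:
            continue
        port = int(f["port"]) if f.get("port", "").isdigit() else None
        purpose = match_required(f.get("dir"), f.get("proto"), f["remote"], port)
        if purpose:
            hits.append((f["remote"], f.get("proto"), port, purpose))
    return hits

# Constructed firewall log lines (hypothetical key=value format, not a real product's).
SAMPLE_LOG = [
    "action=drop dir=out proto=udp remote=66.33.176.70 port=5060",    # inside the voice /26
    "action=drop dir=out proto=udp remote=66.33.176.130 port=5060",   # outside the /26: not required
    "action=drop dir=in proto=udp remote=66.33.176.127 port=20000",   # inbound media, last address in /26
    "action=drop dir=out proto=tcp remote=54.215.114.78 port=8883",   # InConnect MQTT
    "action=drop dir=out proto=icmp remote=1.1.1.1",                  # ICMP has no port field
    "action=accept dir=out proto=udp remote=1.1.1.1 port=53",         # allowed, so ignored
]

if __name__ == "__main__":
    print(*blocked_required_flows(SAMPLE_LOG), sep="\n")
```

Any line it reports is a drop that conflicts with the table; drops it does not report (such as the address just outside 66.33.176.64/26) are not covered by these rules and need no exception.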