(Classic) Network requirements

This document presents a list of network ports on which communication of particular functionalities of VERTEX controllers takes place. In order for all functionalities to work correctly, you must ensure proper network rules for controllers.

Internal network (LAN)

Operator stations and all VERTEX controllers in the local area network must be set up according to the following rules.

Outbound to GLAMOX infrastructure (remote)

For proper operation of Glamox remote access and maintenance, it is required to allow outgoing traffic in accordance with the following rules.

Default policy

deny (incoming), allow (outgoing), deny (routed)

Opened ports

TO	Action	From	Desc	Local/remote

TO	Action	From	Desc	Local/remote
22/tcp	ALLOW IN	Anywhere	ssh	local
8080/tcp	ALLOW IN	Anywhere	swupdate*	local
127.0.0.1 8080/tcp	ALLOW IN	127.0.0.1	dnsmasq local	local
5269/tcp	ALLOW IN	Anywhere	prosody	local
1880/tcp	ALLOW IN	Anywhere	nodered	local
1883/tcp	ALLOW IN	Anywhere	mosquitto*	local
30333/tcp	ALLOW IN	Anywhere	ndiscovery_bot	local
5280/tcp	ALLOW IN	Anywhere	prosody	local
5222/tcp	ALLOW IN	Anywhere	prosody	local
80/tcp	ALLOW IN	Anywhere	lighttpd	local
127.0.0.1 53/udp	ALLOW IN	127.0.0.1	dnsmasq local	local
30005/udp	ALLOW IN	Anywhere	ndiscovery_bot beacon	local
1194/tcp	ALLOW IN	Anywhere	VPN	remote
443/tcp	ALLOW IN	Anywhere	https	local
502/tcp	ALLOW IN	Anywhere	modbus	local
30500-30600/tcp	ALLOW IN	Anywhere	Free TCP ports for our usage	local
9993/tcp	ALLOW IN	Anywhere	remote support	remote
22/tcp (v6)	ALLOW IN	Anywhere (v6)	ssh	local
8080/tcp (v6)	ALLOW IN	Anywhere (v6)	swupdate*	local
5269/tcp (v6)	ALLOW IN	Anywhere (v6)	prosody	local
1880/tcp (v6)	ALLOW IN	Anywhere (v6)	nodered	local
1883/tcp (v6)	ALLOW IN	Anywhere (v6)	mosquitto*	local
30333/tcp (v6)	ALLOW IN	Anywhere (v6)	ndiscovery_bot	local
5280/tcp (v6)	ALLOW IN	Anywhere (v6)	prosody	local
5222/tcp (v6)	ALLOW IN	Anywhere (v6)	prosody	local
80/tcp (v6)	ALLOW IN	Anywhere (v6)	lighttpd	local
30005/udp (v6)	ALLOW IN	Anywhere (v6)	ndiscovery_bot beacon	local
1194/tcp (v6)	ALLOW IN	Anywhere (v6)	VPN	remote
443/tcp (v6)	ALLOW IN	Anywhere (v6)	https	local
502/tcp (v6)	ALLOW IN	Anywhere (v6)	modbus	local
30500-30600/tcp(v6)	ALLOW IN	Anywhere (v6)	Free TCP ports for our usage	local
9993/tcp(v6)	ALLOW IN	Anywhere (v6)	remote support	remote

*Marked ports are not available in Vertex 2. They are used only with Vertex 3.

Detailed external service description

Source	Destination	Protocol	Port	Security	Description

Source	Destination	Protocol	Port	Security	Description
VERTEX access for Glamox
ANY VERTEX (Static IP Address)	sls.essystem.pl	HTTPS	443	TLS1.0AES256 RSA2048	Initial authorization of VERTEX in SLS service Sending compressed logs to the SLS service. At the request of the SLS operator.
ANY VERTEX (Static IP Address)	sls0.essystem.pl	MQTT 3.1	1883	TLS1.2AES256 RSA2048	Continuous connection, updating the luminaire and control units status
ANY VERTEX (Static IP Address)	ANY	OpenVPN 2.3.2 - 2.4.7	1194	TLS 1.0AES256 RSA2048	Outgoing connection: SLS-VPN. Operated during service work after detecting a failure. At the request of the SLS operator.
Automatic time synchronisation in Vertex (optional, the device has a RTC clock)
ANY VERTEX (Static IP Address)	0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org	NTP	123	-	Increasingthe accuracy of the clock in VERTEX If necessary, it is possible to set the NTP time server in the internal network infrastructure. For this purpose, individual configuration of each VERTEX over SSH by Glamox is needed.

TROUBLESHOOTING

Main WebApplication

The user interface and access to system functionality:

Displaying information from individual modules/luminaires, monitoring
Triggering actions on devices in the system
Communication with a user who is on the same network through the website page

Consequences resulting from lack of access to the service:

Lack of possibility to monitor the system
No possibility to trigger any actions in the system

LogicEditor WebApplication

Logic editing interface of the lighting system:

Graphical logic editor of lighting system operation
Using it to create a logic of the lighting system
Communication with a user who is on the same network through the website page

Consequences resulting from lack of access to the service:

Lack of possibility to adapt the logic of the lighting system operation

VERTEX2VERTEX InternalMessageBUS

Service launched on VERTEX control units that are in the same local network, responsible for:

exchange of messages between VERTEX control units
synchronization of data between VERTEX control units

Consequences resulting from lack of access to the service:

Total lack of control on lighting devices

VERTEX-DISCOVERY NeighbourhoodDISCO

The service is used to communicate with the netconfig application. The application is used for the initial configuration of VERTEX control units. The configuration is made once during the system setup or in emergency situations that require service.Enables changing:

The group in which Vertex works (1-8 or ungrouped)
The default gateway for each selected group
Subnets for each of the selected groups
DNS for each selected group
IP address for each device

Consequences resulting from lack of access to the service:

It is impossible to correctly start the VERTEX controller (change network parameters, remember addresses of modules/luminaires)

SSH-port

Service that allows direct service access to the VERTEX controllers. Login and access only by Glamox.

Consequences resulting from lack of access to the service:

There is no possibility to carry out service work remotely.

ServicePort

The service is used for local failure diagnostics. Login and access only by Glamox.

The consequences resulting from lack of access to the service:

There is no possibility to carry out service work remotely.