The IXrouter uses outgoing port(s) to establish a secure connection to the IXON Cloud. This means there is no need to open any incoming ports in your firewall.
Servers & domains
The IXrouter connects to different IXON servers: REST API, MQTT, and OpenVPN servers, which include the following domains:
- *.ixon.cloud
- *.ixon.net
- *.ayayot.com (phonetic IIoT)
A DNS lookup (nslookup) of the following domain name always returns an up-to-date IP list of all current IXON servers:
- whitelist.ixon.cloud
Ports & protocols
Below is an overview of the ports and protocols that the IXrouter utilizes.
Direction | Port | Transport | Application |
---|---|---|---|
Outbound | 443 | TCP | HTTPS, MQTT (TLS), OpenVPN(1) |
Outbound | 8443(2) | TCP | HTTPS |
Outbound | 53(3) | TCP & UDP | DNS |
Outbound | 123(4) | UDP | NTP |
Outbound | (no port)(5) | ICMP (Echo request) | - |
(1) The very first packet may be considered unencrypted, as the OpenVPN handshake takes place prior to the TLS handshake. For this reason an exception may be required on firewall rules that block non-SSL traffic over SSL ports.
(2) Only used when stealth mode is activated for connectivity via a censored internet connection (i.e. when located in China).
(3) DNS requests are often handled by local DNS servers. In those cases the listed DNS port can be ignored.
(4) (Optional) Used to synchronize the time.
(5) Only used when failover is configured.
MAC or IP address filter
Internet access may be granted to specific devices, based on their MAC or IP addresses. The IXrouter's MAC address can be obtained from the label on the side of the IXrouter. The IP address can be set to a static IP address. However, by default the IP address is set to be assigned dynamically via DHCP.
How to grant the IXrouter access?
Easy method: automatic updates
You may create an exception in your firewall for the domain name and the ports & protocols listed on this page to grant the IXrouter the access it needs.
Over time, some servers may be removed or added to benefit the service. We make every effort to keep these changes to a minimum.
If we add a server, we simply add a DNS record. Your firewall will re-check the domain once the TTL expires. Within an hour your firewall will be up-to-date and allow traffic to the new IP address.
Likewise, if we remove a server, we will remove its DNS record, and your firewall will block any traffic to this IP address.
Alternative method: manual updates
You can perform a DNS lookup (nslookup) of the domain name listed on this page to get an IP list of all current IXON servers. You can then create exceptions for these IP addresses, in combination with the ports & protocols listed on this page, to grant the IXrouter the access it needs.
Over time, some servers may be removed or added to benefit the service. We make every effort to keep these changes to a minimum.
Please keep your firewall rules/exceptions up-to-date by periodically performing a DNS lookup and checking for changes to maintain optimal remote service accessibility.
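The periodic check described for the manual method can be scripted. The following is an added example, not IXON's own tooling: it resolves whitelist.ixon.cloud, compares the result with the previously saved list, and reports which addresses to add to or remove from the firewall exceptions. The state file name and all function names are assumptions made for this example.

```python
import ipaddress
import json
import socket
import sys
from pathlib import Path

WHITELIST_HOST = "whitelist.ixon.cloud"    # domain named on this page
STATE_FILE = Path("ixon_allowlist.json")   # hypothetical local state file


def resolve(host=WHITELIST_HOST):
    """Return the set of addresses the resolver currently gives for host."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def normalize(addresses):
    """Validate and canonicalise addresses; raises ValueError on junk."""
    return {str(ipaddress.ip_address(a.strip())) for a in addresses}


def diff(previous, current):
    """Return (added, removed) as sorted lists."""
    previous, current = normalize(previous), normalize(current)
    return sorted(current - previous), sorted(previous - current)


def rules(addresses, stealth=False):
    """Outbound (ip, transport, port) tuples: TCP 443, plus 8443 in stealth mode."""
    ports = [443, 8443] if stealth else [443]
    return [(ip, "tcp", p) for ip in sorted(normalize(addresses)) for p in ports]


def main():
    previous = json.loads(STATE_FILE.read_text()) if STATE_FILE.exists() else []
    try:
        current = resolve()
    except socket.gaierror as exc:
        # A failed lookup must not be treated as "all servers removed".
        sys.exit(f"lookup failed, allowlist left unchanged: {exc}")
    added, removed = diff(previous, current)
    for ip in added:
        print(f"ADD    {ip}")
    for ip in removed:
        print(f"REMOVE {ip}")
    STATE_FILE.write_text(json.dumps(sorted(normalize(current))))
    return 1 if (added or removed) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from a scheduler; a non-zero exit status means the IP list changed (or the lookup failed) and the firewall exceptions need review.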