Communication and Networking to The Things Cloud

Purpose of the document

This sheet summarizes the network recommendations (firewall & router) required for the proper operation of the Gateway Light.
It is intended for IT teams to correctly configure the network infrastructure.

Basic Principles

  • The gateway initiates all its communications to the cloud (*outbound only*).
  • No incoming ports need to be opened.
  • Protocols used: MQTT over TLS, HTTPS, NTP, DNS.

Network recommendations

Firewall
  • Allow the gateway to connect outbound on TCP 443 (HTTPS) to *.thethings.network, *.thethings.industries and *.cloud.thethings.industries
  • Allow the gateway to connect outbound on TCP 8883 for secure MQTT (mTLS) traffic; if 8883 is blocked, the gateway falls back to TCP 443
  • Allow the gateway to connect outbound on UDP 123 to NTP servers
  • Allow the gateway to connect outbound on UDP 53 to the configured DNS servers (internal or public)
  • We recommend allowlisting the listed domains in the firewall so that the gateway's outbound traffic to them is never blocked

Addressing
  • When using DHCP, ensure the gateway correctly receives its network parameters (default gateway, DNS servers)
  • When using a static IP, configure the parameters manually and, if needed, set the DNS server to 8.8.8.8 (Google DNS)

DNS
  • The gateway must be able to resolve domain names via internal or public DNS servers
  • Example: outbound access to 8.8.8.8 on UDP port 53 (Google DNS)
  • The domains *.thethings.network and *.thethings.industries must be resolvable and reachable

Proxy
  • If an HTTPS proxy is used, it must pass the gateway's connections to the listed domains through without TLS inspection
  • Authenticated proxies are not supported
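
The firewall allow list above, together with the DNS requirements, as an added example (this is not tooling from The Things Industries and is not part of the original sheet): the rules are encoded as data, candidate flows are evaluated against them (inbound is always denied, matching the outbound-only principle), a constructed sample of firewall log lines is audited for flows the policy would not permit, and equivalent nftables rules are rendered for review. The NTP pool name, the internal resolver address 10.0.0.53 and every hostname in the sample log are assumed placeholder values.

```python
"""Egress policy checker for the Gateway Light network recommendations.

Added example, not The Things Industries' own tooling. Encodes the sheet's
firewall rules as data, evaluates flows against them, audits a constructed
firewall log and renders nftables rules for review.
"""
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Cloud domains from the sheet. A wildcard matches any label under the
# domain (e.g. eu1.cloud.thethings.industries) but not the apex itself.
CLOUD_DOMAINS = (
    "*.thethings.network",
    "*.thethings.industries",
    "*.cloud.thethings.industries",
)

# Assumed site-specific servers (placeholders, replace with your own).
NTP_SERVERS = ("pool.ntp.org",)          # placeholder NTP pool
DNS_SERVERS = ("10.0.0.53", "8.8.8.8")   # assumed internal resolver + Google DNS


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str     # "tcp" or "udp"
    port: int
    dests: tuple   # hostname patterns or IP literals


# Outbound-only allow list derived from the "Firewall" section. Order matters:
# the first matching rule names the reason a flow is allowed.
EGRESS_RULES = (
    Rule("https", "tcp", 443, CLOUD_DOMAINS),
    Rule("mqtt-tls", "tcp", 8883, CLOUD_DOMAINS),
    Rule("mqtt-tls-fallback", "tcp", 443, CLOUD_DOMAINS),
    Rule("ntp", "udp", 123, NTP_SERVERS),
    Rule("dns", "udp", 53, DNS_SERVERS),
)


def dest_matches(pattern: str, dest: str) -> bool:
    """Case-insensitive full match; '*.example' covers subdomains only."""
    return fnmatchcase(dest.lower(), pattern.lower())


def evaluate(direction: str, proto: str, port: int, dest: str):
    """Return (allowed, reason). Anything not outbound is denied outright."""
    if direction != "out":
        return False, "inbound-denied"
    for rule in EGRESS_RULES:
        if rule.proto == proto and rule.port == port and any(
            dest_matches(p, dest) for p in rule.dests
        ):
            return True, rule.name
    return False, "no-matching-rule"


# Constructed sample firewall log: "<direction> <proto> <destination> <port>".
SAMPLE_LOG = """\
out tcp eu1.cloud.thethings.industries 443
out tcp eu1.cloud.thethings.industries 8883
out udp 10.0.0.53 53
out udp pool.ntp.org 123
out tcp updates.example.com 443
in tcp gateway.local 22
out tcp thethings.network 443
"""


def parse_log(text: str):
    """Parse the constructed log format into (direction, proto, port, dest)."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        direction, proto, dest, port = line.split()
        flows.append((direction, proto, int(port), dest))
    return flows


def audit(text: str):
    """Return [(flow, reason)] for every logged flow the policy would not permit."""
    findings = []
    for flow in parse_log(text):
        allowed, reason = evaluate(*flow)
        if not allowed:
            findings.append((flow, reason))
    return findings


def render_nft(rules=EGRESS_RULES, oif: str = "eth0"):
    """Render nftables output rules for an assumed uplink interface.

    nftables cannot match hostname wildcards, so hostname destinations are
    emitted as comments to be resolved into an IP set or handled by an
    FQDN-aware firewall.
    """
    lines = []
    for r in rules:
        for d in r.dests:
            try:
                ipaddress.ip_address(d)
                lines.append(
                    f'oif {oif} ip daddr {d} {r.proto} dport {r.port} '
                    f'accept comment "{r.name}"'
                )
            except ValueError:
                lines.append(f"# {r.name}: {r.proto}/{r.port} to {d} "
                             "(resolve to an IP set or use an FQDN-aware firewall)")
    lines.append("# default: drop all other outbound traffic; no inbound rules needed")
    return lines


if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_LOG):
        print("DENY", reason, flow)
    print("\n".join(render_nft()))
```

Running the audit on the constructed log flags three flows: the unrelated HTTPS destination, the inbound SSH attempt, and the bare apex name thethings.network. The last one is deliberate: the sheet lists wildcard domains, and most firewalls treat `*.domain` as subdomains only, so confirm how your firewall interprets wildcards before assuming the apex is covered.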