How to configure private networks for proper device operation
Overview of DNS and Firewall Considerations for AirVantage and ALMS
AirLink routers and Semtech cellular modules require access to firmware updates and work best within a managed environment. AirVantage is the management platform for Semtech modules, and AirLink Management Service (ALMS) provides additional functionality for managing AirLink routers and Semtech cellular plans. If your firewall cannot be configured for DNS-based destinations, then the IP address used must be dynamically updated through ongoing DNS resolution.
The following are the requirements for firewall rules and required DNS entries to support these products in a safe and secure manner. These are relevant to private cellular networks, and also to router operation within a full tunnel VPN environment where management traffic is restricted.
Initializing Table Of Contents...DNS Entries
The following DNS entries must be propagated to your internal DNS server(s) in order to support proper router behavior. The complete domains are required as most traffic is directed to specific subdomains, including for regional data center locations.
- airvantage.net
- m2mop.net
Firewall Rules
The following ports must be allowed for outbound access (from your private network outbound to the domains listed and their corresponding responses) to the appropriate regional domains to support router communication and management, including firmware upgrades. All AirVantage and ALMS traffic should be configured by name for best results in the event of an address change.
Note: In the case of routers that include out-of-band management (OOBM), only the Lightweight M2M (LwM2M) traffic is currently allowed through the OOBM link. Firmware downloads and log file uploads must be facilitated over a higher capacity WAN link, so firewall rules must be implemented on any private network link to support these services.
| DESTINATION PORT/PROTOCOL | DESTINATION NAME | FUNCTION | NOTES |
|---|---|---|---|
| UDP 5684/LwM2M | bs.airvantage.net | Bootstrap | No device operational data is sent during bootstrap. All data is encrypted. One single global address. |
| UDP 5684/LwM2M | bsds.airvantage.net | Dual-stack bootstrap (see Dual stack (IPv4 and IPv6) Support below) | No device operational data is sent during bootstrap. All data is encrypted. One single global address. |
| UDP 5686/LwM2M |
lw.na.airvantage.net lw.eu.airvantage.net lw.cad.airvantage.net lw.au.airvantage.net |
Device management communications |
All data is encrypted. Traffic is sent only to the regional data center where your account is located.
|
| UDP 5686/LwM2M |
lwds.na.airvantage.net lwds.eu.airvantage.net lwds.cad.airvantage.net lwds.au.airvantage.net |
Dual-stack device management communications |
All data is encrypted. Traffic is sent only to the regional data center where your account is located.
|
| TCP 443/HTTPS |
na.airvantage.net na.m2mop.net eu.airvantage.net eu.m2mop.net cad.airvantage.net au.airvantage.net |
Firmware downloads and log file upload |
Download is from digitally secured repository. Log files are sent over secured link. Some DNS entries are required for supporting legacy devices, and so are not needed for the newest AV/ALMS instances. Traffic is sent only to the regional data center where your account is located.
|
| TCP 443/HTTPS |
dm.na.airvantage.net dm.eu.airvantage.net dm.cad.airvantage.net dm.au.airvantage.net |
Dual-stack-enabled firmware downloads and log file upload |
Download is from digitally secured repository. Log files are sent over secured link. Traffic is sent only to the regional data center where your account is located.
|
| TCP 44900/M3DA |
na.airvantage.net eu.airvantage.net cad.airvantage.net au.airvantage.net |
ALEOS Application Framework (AAF) traffic |
Only required by ALEOS router customers using M3DA/AAF, including ALEOS vehicle telemetry. Traffic is sent only to the regional data center where your account is located.
|
| TCP 8883/MQTT over TLS |
na.airvantage.net eu.airvantage.net cad.airvantage.net au.airvantage.net |
Encrypted MQTT traffic |
Only required by ALEOS router customers who have AAF applications configured to report MQTT data to ALMS, including ALEOS vehicle telemetry. Unsecured MQTT (TCP/1883) should never be used. Traffic is sent only to the regional datacenter where your account is located.
|
Dual stack (IPv4 and IPv6) Support
AirVantage now supports both IPv4 and IPv6 connectivity, allowing you to connect and manage your AirLink routers, modules or other devices across different network configurations. IPv6 support includes bootstrap provisioning, device management communications (over LWM2M only), firmware downloads, and log file uploads.
Supported Features
When using the new endpoint, the following operations are supported on AirLink OS devices running AirLink OS 6.0 or later:
- Device bootstrap and registration
- Device management communications (over LWM2M only)
- Firmware over-the-air (FOTA) downloads
- Device log file uploads
Device Compatibility
IPv6 support is available on newer Semtech routers and modules that support dual-stack (IPv4/IPv6) networking. To verify whether your specific device model supports IPv6, please consult the documentation for your router or module product line.
Supported AirLink Routers
- RX400 and EX400: AirLink OS 6.0 or later
- XR90, XR80, XR60 and RX55: AirLink OS 6.1 (release date TBA) or later
Connectivity Options
AirVantage supports the following connectivity scenarios.
| CONNECTIVITY SCENARIO | NETWORK REQUIREMENT | PLATFORM ENDPOINT | CONFIGURATION REQUIRED |
|---|---|---|---|
| IPv4-Only Networks (Legacy) | IPv4 connectivity | IPv4 bootstrap and device management | No change to the current network configuration, as described on this page |
| IPv6/Dual-stack with DNS64/NAT64 Translation | IPv4+IPv6 or IPv6 with DNS64/NAT64 translation enabled | IPv4 bootstrap and device management (accessed via translation) | Configure your network for DNS64/NAT64. |
| IPv6/Dual-Stack without Translation layer |
IPv4+IPv6 (dual-Stack) or IPv6 only Internet connectivity. No (or dynamic) IP-based filtering on new AirVantage Endpoints DNS |
Dual-Stack Device-Management Endpoints |
Company must be enabled for IPv6 on platform (contact support). Optional: Manual device configuration to use dual-bootstrap endpoint url (IPv6-only scenario).
|
Enabling IPv6 for Your Devices
To use native IPv6 connectivity:
- Ensure your device is an Airlink OS device with firmware versions above 6.0.0.
- Contact Semtech support to request IPv6 enablement for the associated company.
- Deploy devices on your IPv6 or dual-stack network.
Once enabled, devices will automatically connect to the new device management endpoint after successful bootstrap.
Network Configuration
Proper network configuration is essential for successful device connectivity to AirVantage. This includes DNS resolution and firewall rules to allow communication between your devices and the platform endpoints.
For detailed information on DNS configuration, firewall requirements, port configurations, and private network setup for both IPv4 and IPv6 connectivity, see Firewall Rules above.
Backward Compatibility
All existing IPv4 deployments continue to function without modification. Devices connecting to the original IPv4 bootstrap endpoint will continue using IPv4 for all platform communications, ensuring zero disruption to current operations.
Support
For assistance with IPv6 enablement or configuration questions, please contact Semtech support.