Overview
This article covers the network protocols, ports, endpoints, and bandwidth requirements for all XY Sense sensors and hubs. Use it to configure firewall rules and network access for any XY Sense installation.
All connections are initiated outbound from the sensor or hub to the XY Sense platform. No inbound connections are required.
XY Sense strongly recommends making internet access as open as possible for hardware devices. Requirements may change as third-party vendor dependencies evolve.
You can download a PDF at the end of this document.
Network Topology Options
Your topology selection determines which requirements below apply to your installation.
| Option | Description |
|---|---|
| Option 1 | Cellular via XY Sense Hub. Not on the customer network. Fully managed by XY Sense. The requirements in this article do not apply to sensors in this configuration. |
| Option 2 | PoE supplied by the customer switch. Sensors receive an IP via DHCP. A PoE adapter (additional cost) allows one area sensor per PoE port. MAC addresses can be provided. |
| Option 3 | XY Sense primary hub (Layer 2, no internal router) plugged into a customer switch port. Multiple sensor MACs will appear from a single switch port. MAC addresses can be provided. |
| Option 4 | XY Sense gateway/primary hub with internal router (Layer 3) plugged into a customer switch port. Only the hub MAC is visible to the customer network. The hub requires access to all services for itself and all connected sensors. |
Area Sensor
Applies to all installations using area sensors, except Option 1.
| Application | Transport | Port | Endpoint | Purpose |
|---|---|---|---|---|
| MQTT | TCP | 8883 | a3iun0ocnfkxx9-ats.iot.ap-southeast-2.amazonaws.com | AWS IoT endpoint for sensor connectivity |
| MQTT | TCP | 443 | Same as above | Alternative to port 8883 |
| NTP | UDP | 123 | time1.google.com, time2.google.com, time3.google.com, time4.google.com | Time server. Can be overridden via DHCP in Options 2 and 3. |
| HTTPS | TCP | 443 | core-api.app.xysense.io | Configuration |
| HTTPS | TCP | 443 | hosted.mender.io, s3.amazonaws.com, c271964d41749feb10da762816c952ee.r2.cloudflarestorage.com, api.memfault.com, ota-cdn.memfault.com, device.memfault.com, memfault-tmp-production--use1-az4--x-s3.s3express-use1-az4.us-east-1.amazonaws.com, files.memfault.com, ingress.memfault.com, memfault-prod-east1.s3.amazonaws.com, memfault-tmp-production-us-east-1.s3.amazonaws.com, memfault-expires-never-production-us-east-1.s3.amazonaws.com | OTA update |
| DNS | UDP/TCP | 53 | Default DNS server provided by your network to DHCP clients | DNS resolution |
Entry Sensor
Applies to all installations using entry sensors, except Option 1.
Note: As of firmware 5.6.4, the default NTP time servers cannot be overridden via DHCP Option 42 on Entry Sensors.
| Application | Transport | Port | Endpoint | Purpose |
|---|---|---|---|---|
| NTP | UDP | 123 | time1.google.com, pool.ntp.org | Time server |
| HTTPS | TCP | 443 | in.app.xysense.io | HTTPS data push to XY Sense server |
| HTTPS | TCP | 443 | *.xovis.cloud, *.xovis.com | Remote management and OTA update |
Air Quality Sensor (Airthings)
Applies to all installations using Airthings air quality hubs, except Option 1. Connections are made outbound to the Airthings platform.
| Application | Transport | Port | Endpoint | Purpose |
|---|---|---|---|---|
| HTTPS | TCP | 443 | hub-api.airthin.gs | Remote Management Server |
| HTTP | TCP | 443 | hub-api.dev.airthin.gs | Development Remote Management Server |
| HTTPS | TCP | 443 | global-api.airthin.gs | HTTPS API access for sensors |
Presence Sensor
Applies to all installations using presence sensors, except Option 1. Two LoRaWAN gateway options are available with different endpoint requirements.
All gateway types
| Application | Transport | Port | Endpoint | Purpose |
|---|---|---|---|---|
| WSS | TCP | 443 | A3IUN0OCNFKXX9.lns.lorawan.ap-southeast-2.amazonaws.com | AWS IoT Core LoRaWAN endpoint (sensor connectivity) |
| TLS | TCP | 443 | A3IUN0OCNFKXX9.cups.lorawan.ap-southeast-2.amazonaws.com | AWS IoT Core LoRaWAN endpoint (config and updates) |
| NTP | UDP | 123 | time1.google.com, time2.google.com | Time server |
Milesight gateway only
| Application | Transport | Port | Endpoint | Purpose |
|---|---|---|---|---|
| HTTPS | TCP | 443 | ec2-54-206-255-171.ap-southeast-2.compute.amazonaws.com | OTA updates and remote management |
| HTTPS | TCP | 443 | api.memfault.com, ota-cdn.memfault.com | OTA updates and remote management |
MultiTech gateway only (US)
| Application | Transport | Port | Endpoint | Purpose |
|---|---|---|---|---|
| HTTPS | TCP | 5798 | ds.devicehq.com | OTA updates and remote management |
| HTTPS | TCP | 443 | www.devicehq.com | OTA updates and remote management |
Primary Hub (Layer 3, Option 4 only)
Applies only when using the Primary Hub with Internal Router (Option 4). XY Sense strongly recommends opening all ports and protocols for rms.teltonika.lt and 3.69.106.81.
| Application | Transport | Port | Endpoint | Purpose |
|---|---|---|---|---|
| DNS | UDP/TCP | 53 | Default DNS server from your network | Hub DNS resolution and connected sensors |
| Ping | ICMP | N/A | 1.1.1.1 | Internet connection health check |
| NTP | UDP | 123 | 0.pool.ntp.org, 0.openwrt.pool.ntp.org, 1.pool.ntp.org, 1.openwrt.pool.ntp.org | Time server |
| HTTP over SSH | TCP | 20080 | 18.192.27.240 | WebUI remote configuration access |
| SSH | TCP | 20022 | 18.192.27.240 | Remote reverse SSH tunnel and management |
| TCP | TCP | 15010, 15011, 15009, 15039, 15040, 15041-15100 | rms.teltonika.lt | Health analytics and remote management |
| OpenVPN | UDP | 30000-39999 | 3.69.106.81, 3.65.167.143 | Remote management of hub and install |
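The following is an added example, not XY Sense code: it parses Primary Hub rows from the table above, including the port lists and ranges, and reports which required destinations a proposed egress allowlist does not cover. The allowlist tuple format, the sample rules and all function names are assumptions made for illustration; hosts are compared as exact strings.

```python
# Added example: audit an egress allowlist against Primary Hub (Option 4) rows.
# Rows are copied from the table above (DNS and NTP omitted for brevity).
REQUIRED = """\
Ping|ICMP|N/A|1.1.1.1
HTTP over SSH|TCP|20080|18.192.27.240
SSH|TCP|20022|18.192.27.240
TCP|TCP|15010, 15011, 15009, 15039, 15040, 15041-15100|rms.teltonika.lt
OpenVPN|UDP|30000-39999|3.69.106.81, 3.65.167.143
"""

# Constructed sample allowlist (assumed format): (transport, host, port_lo, port_hi).
ALLOWLIST = [
    ("ICMP", "1.1.1.1", None, None),
    ("TCP", "18.192.27.240", 20022, 20022),
    ("TCP", "rms.teltonika.lt", 15009, 15040),
    ("UDP", "3.69.106.81", 30000, 39999),
]

def parse_ports(spec):
    """'15010, 15041-15100' -> [(15010, 15010), (15041, 15100)]; 'N/A' -> []."""
    ranges = []
    for part in spec.split(","):
        part = part.strip()
        if part.upper() == "N/A":  # portless protocol such as ICMP
            continue
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges

def parse_requirements(text):
    """Expand each row into one (transport, host, lo, hi) tuple per combination."""
    reqs = []
    for line in text.strip().splitlines():
        _app, transports, ports, hosts = [c.strip() for c in line.split("|")]
        for t in transports.split("/"):
            for h in hosts.split(","):
                for lo, hi in parse_ports(ports) or [(None, None)]:
                    reqs.append((t.strip().upper(), h.strip(), lo, hi))
    return reqs

def audit(reqs, rules):
    """Return requirements that no single rule fully covers (rules are not merged)."""
    def covered(t, host, lo, hi):
        return any(rt == t and rh == host and (lo is None or rlo <= lo and hi <= rhi)
                   for rt, rh, rlo, rhi in rules)
    return [r for r in reqs if not covered(*r)]

if __name__ == "__main__":
    for gap in audit(parse_requirements(REQUIRED), ALLOWLIST):
        print("not allowed:", gap)
```

With the sample rules, the audit flags the WebUI port on 18.192.27.240, the upper rms.teltonika.lt range and the second OpenVPN address.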
Estimated Monthly Data Usage
Area Sensor
| Purpose | Frequency | Application | Estimated Usage |
|---|---|---|---|
| XY Coordinate Messages | Every 2 sec | MQTT | 500KB to 1000KB per hour |
| XY Diagnostic Messages | Every 30 min | MQTT | 1KB to 2KB per hour |
| XY Configuration Messages | Every hour | MQTT | 1KB to 2KB per hour |
| Connectivity check | Every 5 min | ICMP | 2KB per hour |
| Time server sync | Every minute | NTP | 10KB per hour |
| Sensor configuration download | Once per day | HTTPS | 10KB per day |
| OTA Update Poll | Every 30 min | HTTPS | 20KB per hour |
| OTA Update Download | Once a month | HTTPS | 30MB per month |
| Estimated Monthly Total | | | 405MB to 760MB |
Entry Sensor (based on 200 people per day)
| Purpose | Frequency | Application | Estimated Usage |
|---|---|---|---|
| Connection to WebUI (remote) | Ad hoc / per login | HTTPS | 1MB per connection |
| Line count event | Per event | HTTPS | ~2KB per event (~400KB per 200 people) |
| Remote connection heartbeat | Every hour | | 2KB per hour |
| Time server sync | Every 5-10 min | NTP | 10KB per hour |
| OTA Update Download | Once a month | HTTPS | 30MB per month |
| Estimated Monthly Total | | | 250MB to 300MB |