Legacy Open Mesh: How Do I Configure My Firewall to Allow Access to CloudTrax?

Question

How do I configure my firewall to allow access to CloudTrax?

Environment

  • CloudTrax

Answer

CloudTrax

Access points connect to the following CloudTrax server via HTTPS (port 443):

  • cloud_ap.cloudtrax.com

Switches connect to the following CloudTrax server via HTTPS (port 443):

  • cloud-switch.cloudtrax.com

Routers connect to the following CloudTrax server via HTTPS (port 443):

  • router.cloudtrax.com

Legacy access points using 4xx firmware use the following server via HTTP (port 80):

  • checkin.cloudtrax.com

Note: Our servers are behind load balancers. Configure your firewall with the DNS name (if possible) because the resolved IP addresses can change at any time.

Access Point Fallback

If the access points cannot reach the main CloudTrax servers, they will revert to the fallback server. Please ensure the following domain and IP address are allowed through your firewall.

  • checkin-fallback.cloudtrax.com
  • 54.245.251.231

Switch Fallback

If the switches cannot reach the main CloudTrax servers, they will revert to the fallback server. Please ensure the following domain and IP address are allowed through your firewall.

  • 54.245.115.10

Router Fallback

If the routers cannot reach the main CloudTrax servers, they will revert to the fallback server. Please ensure the following domain and IP address are allowed through your firewall.

  • 54.68.39.120

CloudTrax Connection Keeper

All devices use an always-on background connection to receive reconfiguration events more quickly. To do this, they need access to the following server via HTTP (port 80):

  • connkeeper.cloudtrax.com
  • 35.165.84.99
  • 35.163.125.115
  • 35.162.249.62

Network Time Protocol

All devices need access to the following time servers via NTP (port 123):

  • pool.ntp.org
  • 0.openwrt.pool.ntp.org
  • ntp.cloudtrax.com

Firmware Updates

Firmware updates require access to the following file servers via both HTTP (port 80) and HTTPS (port 443):

  • dev.cloudtrax.com
  • files-mirror.cloudtrax.com

Advanced Troubleshooting

To debug hard-to-track problems directly in your network, our access points are equipped with tunnel software that allows technical support to connect via an SSH tunnel (TCP port 18991):

  • vpn.cloudtrax.com

To deny access, it suffices to block outbound requests to vpn.cloudtrax.com.

Firewall Timeout

Ensure your firewall TCP and HTTP timeout settings are set to at least 10 minutes (600 seconds). Shorter timeouts could cause the Connection Keeper connection to drop unexpectedly.

Special Notes

NOTE: There is a known issue with Cisco router models RV350/RV345/RV345P/RV340W running firmware release 1.0.01.17 or older that causes their content filtering system to block all communications to the CloudTrax servers. To resolve this issue, please update your router's firmware to the beta release 1.0.01.1702 or another newer version.