Receiving Non Registered gateway uplink

Hi @brocaar,

I have 3 gateways and 2 gateways registered on lora-app-server.
All gateways are running and up.
When I start a node, I am also getting uplinks from non-registered gateways to lora-app-server in rxinfo.

I don't know whether it's a bug or not, but we need to stop unregistered gateway packets.

Can you please help us?

Thank you

This is not a bug. Gateway authorization is not the responsibility of LoRa Server. When your gateway forwards UDP data, then you need to set up firewall rules. If the Gateway Bridge is installed on the gateway, then you can set up MQTT ACLs for authorization.

1 Like

Can we use MQTT ACLs for authorization when Gateway Bridge is installed on the server?

UDP packets can be spoofed, so the Gateway IDs will never be authenticated. You can however limit the topics to which LoRa Gateway Bridge publishes using ACLs.

2 Likes

Hi @brocaar,

We are also receiving downlinks on an unregistered gateway.

Can we use the filter features of lora-gateway-bridge v3.2.0?

Thanks

You have not sufficiently described your setup. Where is LoRa Gateway Bridge running, is it installed on all 3 gateways? 2 of the gateways? 0 of the gateways and all 3 are pointed at a gateway bridge running across the network via UDP 1700?

We have installed Gateway Bridge on the server, and all gateways are pointing to the LoRa Gateway Bridge running across the network via UDP 1700.

In that case, your options are more limited. You can use NetID and JoinEUI filtering to prevent non-owned device data from crossing from the bridge onto MQTT, but you will still consume traffic getting it to the bridge (probably not a big deal). To prevent that traffic from hitting the bridge at all, your only real choices are firewalling (may not be practical if devices are spread across networks you don’t control) or VPNing the traffic (at the carrier level if using cellular, for example) between the gateways and the bridge.

Moving the gateway bridge onto the gateways, if possible, would allow you to filter at the gateway level, along with securing the traffic (MQTT ACL + TLS) earlier in the data flow.

Why do you have gateways pointed at the server if you do not want to hear from them?

You don’t really seem to be describing someone attacking you, and going to all the trouble of spoofing plausible looking traffic, but rather a situation where your own gateways are pointed someplace when you don’t want them to be…

1 Like
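
The NetID and JoinEUI filtering mentioned in the thread, sketched as an added example that is not part of any post and not LoRa Gateway Bridge's own code. It assumes a hypothetical own NetID `000000` and JoinEUI range, handles only NetID types 0 to 2, and drops anything unmatched. It filters on device fields in the frame, so it says nothing about which gateway forwarded the packet.

```python
# Added illustration; not code from LoRa Gateway Bridge.
# NwkID width in bits for NetID types 0-2; other types are not handled here.
NWKID_BITS = {0: 6, 1: 6, 2: 9}

def devaddr_matches_netid(devaddr: int, netid: int) -> bool:
    """True when the 32-bit DevAddr carries this 24-bit NetID's type prefix and NwkID."""
    ntype = netid >> 21                      # top 3 bits of the NetID
    if ntype not in NWKID_BITS:
        return False
    bits = NWKID_BITS[ntype]
    prefix_len = ntype + 1                   # `ntype` one-bits followed by a zero
    prefix = (1 << prefix_len) - 2
    expected = (prefix << bits) | (netid & ((1 << bits) - 1))
    return devaddr >> (32 - prefix_len - bits) == expected

def should_forward(phy: bytes, net_ids, join_eui_ranges) -> bool:
    """Policy of this sketch: malformed frames and frames matching no filter are dropped."""
    if not phy:
        return False
    mtype = phy[0] >> 5
    if mtype == 0:                           # JoinRequest: MHDR|JoinEUI|DevEUI|DevNonce|MIC
        if len(phy) != 23:
            return False
        join_eui = int.from_bytes(phy[1:9], "little")
        return any(lo <= join_eui <= hi for lo, hi in join_eui_ranges)
    if mtype in (2, 4):                      # unconfirmed / confirmed data up
        if len(phy) < 12:                    # MHDR + DevAddr + FCtrl + FCnt + MIC
            return False
        devaddr = int.from_bytes(phy[1:5], "little")
        return any(devaddr_matches_netid(devaddr, n) for n in net_ids)
    return False

def data_up(devaddr: int) -> bytes:          # constructed frame, zeroed MIC
    return bytes([0x40]) + devaddr.to_bytes(4, "little") + bytes.fromhex("00010001aa") + bytes(4)

def join_request(join_eui: int) -> bytes:    # constructed frame, zeroed DevEUI/nonce/MIC
    return bytes([0x00]) + join_eui.to_bytes(8, "little") + bytes(14)

NET_IDS = [0x000000]                                     # assumed own NetID
JOIN_EUIS = [(0x0102030405060700, 0x01020304050607FF)]   # assumed own JoinEUI range

if __name__ == "__main__":
    samples = [("own data", data_up(0x01A2B3C4)), ("foreign data", data_up(0x26011BDA)),
               ("own join", join_request(0x0102030405060708)),
               ("foreign join", join_request(0xAABBCCDDEEFF0001))]
    for name, frame in samples:
        print(name, "forward" if should_forward(frame, NET_IDS, JOIN_EUIS) else "drop")
```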