
Port and Services Matrix

This matrix provides a full inventory of physical and logical interfaces on the RI‑EC‑PRO device. It outlines default states, associated protocols, security controls, and whether the service can be disabled by users or integrators.

This supports regulatory compliance by fulfilling RED 3(3)(d) (network protection), 3(3)(e) (personal data security), and UK PSTI transparency requirements regarding secure default configurations and remote access pathways.

Default Ports and Services Overview

Cloud Platform Communication

Used for Cloud Platform communication and for OTA firmware updates.
See Software Update Policy for more information.

| Interface | Protocol | Default State | Authentication / Security | Disable Option |
|---|---|---|---|---|
| Ethernet (WAN) [1] | TCP/IP | Enabled | Token Auth + AES128 Encryption | No |
| 4G LTE-M (WAN) [2] | TCP/IP | Enabled | Token Auth + AES128 Encryption | Partially [3] |
| 2G (WAN) [2] | TCP/IP | Enabled | Token Auth + AES128 Encryption | Partially [3] |

Interfaces

1: Applies only to gateways equipped with Ethernet port (RI-EX-series and RI-EC128-PRO 4G)

2: Applies only to gateways equipped with 4G modem with 2G fallback (RI-EC-series)

Disable option

3: Modem allows three Wireless Data Service modes:

  • Auto (2G and 4G enabled)
  • 4G only
  • 2G only

Firewall setup guide

For more information and guidance, see the Firewall setup guide.

Other Ports and Services

| Interface / Port | Protocol / Service | Default State | Authentication / Security | Disable Option |
|---|---|---|---|---|
| RS-485 | Modbus RTU Master | Enabled (passive) | Addressed only | No |
| Ethernet (LAN) [4] | Modbus TCP Master | Enabled (passive) | Addressed only | Yes |
| Ethernet (LAN) [4], Ethernet (WAN) [4], UDP port 53 | DNS Client | Enabled | Not applicable | Yes |
| Ethernet (LAN) [4] | DHCP Client | Enabled | Not applicable | No |
| Ethernet (LAN) [4] | ICMP | Disabled | Not applicable; rate limited | Yes |
| Extension Port [5] | Modbus RTU, IDBUS | Enabled (passive) | Addressed only | No |
| USB | Local CLI | Enabled | Physical only; unique per-device password for level 1-2 access | Partially |
| SMS [6] | Initial setup (e.g. APN) | Enabled | Credentials; time limited; sender whitelist | Yes |

4: Applies only to gateways equipped with Ethernet port (RI-EX-series and RI-EC128-PRO 4G)

5: Applies only to gateways equipped with Extension Port (PRO-series)

6: Applies only to gateways equipped with 4G modem with 2G fallback (RI-EC-series)

Notes & Compliance Context

  • Cloud Platform Communication over LTE-M (WAN) / 2G (WAN) / Ethernet (WAN) is enabled by default for remote telemetry/control. Token-based authentication and AES128 encryption are enforced. This interface is essential for cloud integration and cannot be fully disabled, so its security posture is critical to RED 3(3)(d)-(f) compliance.
  • Ethernet (LAN / WAN) has the DNS client enabled by default to resolve the hostnames of Cloud Platform servers to IP addresses. This interface is essential for cloud integration and cannot be fully disabled.
  • Ethernet (LAN) has the DHCP client enabled by default to make initial setup easy. It is recommended to use a static IP configuration and disable DHCP once the gateway is set up.
  • Ethernet (LAN) has ICMP disabled by default and rate limited when enabled. It is used to provide a network monitoring feature and can be enabled by the user.
  • RS-485 and Ethernet (LAN) are enabled by default and used for industrial fieldbus integration. While no encryption is available for Modbus RTU/TCP, device addresses are required to communicate, offering basic logical segmentation. It is recommended to restrict physical access or segment RS-485/Ethernet networks. Although enabled by default, these interfaces do not send or receive any commands until a configuration or command is provided by the user via the Cloud Platform.
  • Extension Port is enabled by default and used for industrial fieldbus integration. While no encryption is available for Modbus RTU and IDBUS, device addresses are required to communicate, offering basic logical segmentation. It is recommended to restrict physical access or segment networks.
  • USB provides local access for maintenance. Access is gated by physical control and requires technician presence. The default access level is read-only. Higher access levels require a password, which is unique per gateway. Disablement is partial (e.g. higher access levels can be locked).
  • SMS provides a way to configure the modem APN and to troubleshoot (e.g. reading signal strength information) during setup/installation. The default unique access code is time scoped and valid within 10 minutes of boot. Once credentials are changed by the user, the boot behaviour is disabled. The SMS interface can be disabled by the user by turning on the phone number whitelist with zero entries. See SMS commands for more information.