Port and Services Matrix
This matrix provides a full inventory of physical and logical interfaces on the RI‑EC‑PRO device. It outlines default states, associated protocols, security controls, and whether the service can be disabled by users or integrators.
This supports regulatory compliance by fulfilling RED 3(3)(d) (network protection), 3(3)(e) (personal data security), and UK PSTI transparency requirements regarding secure default configurations and remote access pathways.
Default Ports and Services Overview
Cloud Platform Communication
Used for Cloud Platform communication and for OTA firmware updates.
See Software Update Policy for more information.
Interface | Protocol | Default State | Authentication / Security | Disable Option |
---|---|---|---|---|
Ethernet (WAN) 1 | TCP/IP | Enabled | Token Auth + AES128 Encryption | No |
4G LTE-M (WAN) 2 | TCP/IP | Enabled | Token Auth + AES128 Encryption | Partially 3 |
2G (WAN) 2 | TCP/IP | Enabled | Token Auth + AES128 Encryption | Partially 3 |
Interfaces
1: Applies only to gateways equipped with an Ethernet port (RI-EX-series and RI-EC128-PRO 4G)
2: Applies only to gateways equipped with a 4G modem with 2G fallback (RI-EC-series)
Disable option
3: The modem allows three Wireless Data Service modes:
- Auto (2G and 4G enabled)
- 4G only
- 2G only
Firewall setup guide
For more information and guidance, see Firewall setup guide.
Other Ports and Services
Interface / Port | Protocol / Service | Default State | Authentication / Security | Disable Option |
---|---|---|---|---|
RS-485 | Modbus RTU Master | Enabled (passive) | Addressed only | No |
Ethernet (LAN) 4 | Modbus TCP Master | Enabled (passive) | Addressed only | Yes |
Ethernet (LAN) 4, Ethernet (WAN) 4 | UDP port 53, DNS Client | Enabled | Not applicable | Yes |
Ethernet (LAN) 4 | DHCP Client | Enabled | Not applicable | No |
Ethernet (LAN) 4 | ICMP | Disabled | Not applicable; rate limited | Yes |
Extension Port 5 | Modbus RTU, IDBUS | Enabled (passive) | Addressed only | No |
USB | Local CLI | Enabled | Physical only; unique per-device password for level 1-2 access | Partially |
SMS 6 | Initial setup (e.g. APN) | Enabled | Credentials; time limited; sender whitelist | Yes |
4: Applies only to gateways equipped with an Ethernet port (RI-EX-series and RI-EC128-PRO 4G)
5: Applies only to gateways equipped with an Extension Port (PRO-series)
6: Applies only to gateways equipped with a 4G modem with 2G fallback (RI-EC-series)
Notes & Compliance Context
- Cloud Platform Communication over LTE-M (WAN) / 2G (WAN) / Ethernet (WAN) is enabled by default for remote telemetry/control. Token-based authentication and AES128 encryption are enforced. This interface is essential for cloud integration and cannot be fully disabled, so its security posture is critical to RED 3(3)(d)-(f) compliance.
- Ethernet (LAN / WAN) has the DNS client enabled by default to resolve the hostnames of Cloud Platform servers to IP addresses. This interface is essential for cloud integration and cannot be fully disabled.
- Ethernet (LAN) has the DHCP client enabled by default to make initial setup easy. It is recommended to use a static IP configuration and disable DHCP once the gateway is set up.
- Ethernet (LAN) has ICMP disabled by default and rate limited when enabled. It is used to provide a network monitoring feature and can be enabled by the user.
- RS-485 and Ethernet (LAN) are enabled by default and used for industrial fieldbus integration. While no encryption is available for Modbus RTU/TCP, device addresses are required to communicate, offering basic logical segmentation. It is recommended to restrict physical access or segment RS-485/Ethernet networks. Although these interfaces are enabled by default, they do not send or receive any commands until a configuration or command is provided by the user via the Cloud Platform.
- Extension Port is enabled by default and used for industrial fieldbus integration. While no encryption is available for Modbus RTU and IDBUS, device addresses are required to communicate, offering basic logical segmentation. It is recommended to restrict physical access or segment networks.
- USB provides local access for maintenance. Access is gated by physical control and requires technician presence. The default access level is read-only. Higher access levels require a password, which is unique per gateway. Disablement is partial (e.g. higher access levels can be locked).
- SMS provides a way to configure the modem APN and to troubleshoot (e.g. reading signal strength information) during setup/installation. The default unique access code is time scoped and valid within 10 minutes of boot. Once the credentials are changed by the user, the boot behaviour is disabled. The SMS interface can be disabled by the user by turning on the phone number whitelist with zero entries. See SMS commands for more information.
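
The SMS access rules in the last note can be written down as a decision function that an integrator can turn into acceptance tests; this is an added example, not the gateway's firmware or vendor code. Assumptions: all names and sample values are hypothetical, the whitelist is evaluated before credentials, and user-set credentials are not tied to the boot window.

```python
from __future__ import annotations
import hmac
from dataclasses import dataclass, field

BOOT_WINDOW_S = 10 * 60  # default code is valid within 10 minutes of boot


def _same(a: str, b: str) -> bool:
    return hmac.compare_digest(a.encode(), b.encode())  # constant-time compare


@dataclass
class SmsGate:
    """Model of the documented SMS rules (hypothetical names, not vendor code)."""
    default_code: str                    # unique per-device default access code
    user_code: str | None = None         # set once the user changes credentials
    whitelist_enabled: bool = False
    whitelist: set[str] = field(default_factory=set)

    def decide(self, sender: str, code: str, uptime_s: float) -> tuple[bool, str]:
        """Return (allowed, reason) for one inbound SMS command."""
        # An enabled whitelist with zero entries rejects every sender, which
        # is the documented way to switch the SMS interface off.
        if self.whitelist_enabled and sender not in self.whitelist:
            return False, "sender not whitelisted"
        if self.user_code is not None:
            # Credentials changed: the boot-window default code is disabled.
            ok = _same(code, self.user_code)
            return ok, "user credentials" if ok else "bad credentials"
        if uptime_s > BOOT_WINDOW_S:
            return False, "default code expired"
        ok = _same(code, self.default_code)
        return ok, "default code within boot window" if ok else "bad credentials"


def demo() -> list[tuple[bool, str]]:
    """Constructed cases covering each rule; all values are sample data."""
    sender = "+10000000001"
    fresh = SmsGate(default_code="D3FAULT")
    changed = SmsGate(default_code="D3FAULT", user_code="s3cret")
    off = SmsGate(default_code="D3FAULT", whitelist_enabled=True)  # zero entries
    return [
        fresh.decide(sender, "D3FAULT", 120),    # inside boot window
        fresh.decide(sender, "D3FAULT", 601),    # window elapsed
        changed.decide(sender, "D3FAULT", 120),  # default code after change
        changed.decide(sender, "s3cret", 9999),  # user credentials
        off.decide(sender, "D3FAULT", 120),      # interface disabled
    ]
```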