LaundryCard Firewall Functionality Requirements

Overview

This page includes the configuration and setup information required for full utilization of the LaundryCard firewall, including credit card processing and remote operator access.


Card Concepts Inc. is not responsible for network configuration beyond the information provided here or the configuration of LaundryCard Firewall devices.

Connection Configurations

As of LaundryCard Version 9, all updated firewalls communicate and establish a secure connection with the LaundryCard Data Center.

When a Firewall is set up for a Dynamic IP Configuration, communication for store access is done through our LaundryCard Live service at https://live.laundrycard.com. This is typically the case for most LaundryCard Version 9 systems.

When a Firewall is set up for a Static IP Configuration, which is typically found in LaundryCard Version 8 and earlier systems (and some older LaundryCard Version 9 configurations), there are two general configuration options for the LaundryCard network. 

Static Connection via Internet Modem

A LaundryCard Firewall is designed to be connected directly to an Internet Service Provider's (ISP) modem. For static configurations, the ISP connection should provide a static Internet Protocol (IP) address, that is, an IP address that does not change over time. Note that the non-static IP addresses most often provided by an ISP may be changed dynamically by the ISP at any time. Therefore, a static IP is required to provide the store owner with a fixed address to access the store LaundryCard system.

A modem does not inspect or act on any of the traffic that goes to and from the internet. The modem provided by the ISP will pass all the traffic coming from the internet and send it to the LaundryCard Firewall. Conversely, all traffic transmitted by the LaundryCard Firewall will be directed out to the internet.

One result of attaching the LaundryCard Firewall directly to an ISP supplied modem is that other devices cannot easily be attached to the same internet connection.  Another result is that the security of the LaundryCard Firewall is enhanced, as the LaundryCard Firewall is not accessible to other devices in the store environment.

The LaundryCard Firewall has the necessary and sufficient firewall rules for protecting the LaundryCard network from undesirable internet traffic.

Static Connection via Internet Modem and Router (or Modem/Router Combination Device)

The advantage of this configuration is that the owner may decide to interface other internet devices using the same internet connection to reduce his costs.  However, there are several disadvantages to this configuration, including:

  1. These additional devices will impact, perhaps severely, the throughput available to the LaundryCard Firewall
  2. These devices may produce traffic at the interface to the LaundryCard Firewall that is at best undesirable or at worst debilitating to satisfactory LaundryCard network operation.
  3. The router device (or router portion of the combined modem/router) will require special configuration by the customer.

There are a large number of routers and modem/routers available commercially. Some routers can be satisfactorily configured to operate in a LaundryCard configuration. However, a number of routers do not have sufficient features or throughput to support LaundryCard Firewall operation.

The following documentation is provided in order to help customers (and their ISPs) with their router configuration.

Router Configuration

If a customer router is to be implemented, it must have – at a minimum – the following features and configuration:

  1. The router must be set up to have a single ethernet interface for connection to Port 1 of the LaundryCard Firewall.
  2. A single fixed (static) IP address must be designated for use by the LaundryCard Firewall.
  3. Port Forwarding must be enabled and implemented such that traffic received from the internet and destined to the LaundryCard Firewall static IP address will be forwarded as follows:
    1. The router will forward all TCP traffic on several specific TCP ports to the designated Ethernet interface connected to the LaundryCard Firewall.
    2. The router will forward all UDP traffic on several specific UDP ports to the designated Ethernet interface connected to the LaundryCard Firewall.
    3. The router will forward all GRE traffic (protocol 47) to the designated Ethernet interface port connected to the LaundryCard Firewall.
    4. The router will forward all IPSEC-ESP traffic (protocol 50) to the designated Ethernet interface port connected to the LaundryCard Firewall.
  4. All traffic from the LaundryCard Firewall must be forwarded by the router to the modem interface on the router.

Port and Protocol Usage

The following is the current list of protocols and port usage of the LCRF (LaundryCard Router/Firewall).

With a Dynamic configuration, while exclusively forwarding individual ports is not necessary, it is strongly recommended that users do not block the individual ports/protocols below.


| Protocol | Port | Usage | Notes |
|---|---|---|---|
| TCP | 80 | WWW | Web Access (non-secure Hypertext Transfer Protocol) |
| UDP | 123 | NTP | Network Time Protocol |
| TCP | 443 | SSTP/HTTP | Secure Socket Tunneling Protocol / Secure Hypertext Transfer Protocol |
| UDP | 500 | IKE | Internet Key Exchange |
| UDP | 514 | Syslog | System Logging |
| UDP | 1701 | L2TP | Layer 2 Tunneling Protocol |
| TCP | 1723 | PPTP | Point-to-Point Tunneling Protocol |
| UDP | 1812 | Radius | Remote Authentication Dial-In User Service |
| UDP | 1813 | Radius | Remote Authentication Dial-In User Service |
| TCP | 2222 | Multi-Store | Multistore data requests |
| UDP | 4500 | L2TP | Layer 2 Tunneling Protocol |
| UDP | 5556 | | |
| UDP | 5678 | MNDP | Mikrotik Network Discovery Protocol |
| UDP | 8291 | Winbox | Mikrotik Windows Management interface |
| TCP | 12975 | | |
| UDP | 15252 | Cloud Time, DDNS | Mikrotik Cloud Services |
| TCP | 32976 | | |
| GRE (47) | | PPTP | Point-to-Point Tunneling Protocol |
| IPSEC-ESP (50) | | L2TP/IPsec | Layer 2 Tunneling Protocol / Internet Protocol Security |
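
For a static configuration behind a customer router, the forwarding rules can be audited against the port and protocol list above. The following is an added example, not Card Concepts code: it assumes every listed entry is meant to reach the LaundryCard Firewall, and the rule text format, the function names and the 192.0.2.x addresses are hypothetical. It reports listed entries that are not forwarded, entries forwarded to a different host, and forwards to the firewall that cover ports the list does not contain.

```python
# Added example (not vendor code): audit router port-forward rules against
# the LCRF port/protocol list. The rule text format is hypothetical.
REQUIRED = {  # values copied from the list above; gre/esp carry no ports
    "tcp": {80, 443, 1723, 2222, 12975, 32976},
    "udp": {123, 500, 514, 1701, 1812, 1813, 4500, 5556, 5678, 8291, 15252},
    "gre": set(),  # IP protocol 47
    "esp": set(),  # IP protocol 50
}

def parse_rule(line):
    """Parse 'proto [ports] -> target', e.g. 'udp 1812-1813,4500 -> 192.0.2.10'."""
    left, target = (part.strip() for part in line.split("->"))
    fields = left.split()
    ranges = []
    for item in fields[1].split(",") if len(fields) > 1 else []:
        lo, _, hi = item.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return fields[0].lower(), ranges, target

def audit(rule_lines, firewall_ip):
    """Return (missing, misdirected, overbroad) findings for the rule set."""
    rules = [parse_rule(l) for l in rule_lines
             if l.strip() and not l.lstrip().startswith("#")]
    missing, misdirected, overbroad = [], [], []
    for proto, ports in REQUIRED.items():
        for port in sorted(ports) or [None]:  # None = portless protocol
            targets = {t for p, rng, t in rules if p == proto and
                       (port is None or any(lo <= port <= hi for lo, hi in rng))}
            if not targets:
                missing.append((proto, port))
            elif targets != {firewall_ip}:
                misdirected.append((proto, port))
    for proto, rng, target in rules:
        # A forward to the firewall that covers ports the list does not
        # contain exposes more than the documented surface.
        if target == firewall_ip and any(
                (hi - lo + 1) > sum(lo <= p <= hi for p in REQUIRED.get(proto, ()))
                for lo, hi in rng):
            overbroad.append((proto, rng))
    return missing, misdirected, overbroad

SAMPLE_RULES = """
# constructed sample export; 192.0.2.10 stands in for the firewall's static IP
tcp 80,443,1723,2222,12975 -> 192.0.2.10
tcp 32976 -> 192.0.2.20
udp 123,500,514,1701,1812-1813,4500,5556,5678 -> 192.0.2.10
udp 8000-9000 -> 192.0.2.10
gre -> 192.0.2.10
""".splitlines()
```

Calling audit(SAMPLE_RULES, "192.0.2.10") on the constructed sample flags UDP 15252 and ESP as missing, TCP 32976 as forwarded to the wrong host, and the UDP 8000-9000 range as broader than the list requires.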
