LaundryCard Firewall Functionality Requirements

Overview

This page includes the configuration and setup information required for full utilization of the LaundryCard firewall, including credit card processing and remote operator access.

Connection Configurations

There are two general configuration options for the LaundryCard network, as outlined below.  Card Concepts Inc. is not responsible for network configuration beyond the information provided here or the configuration of LaundryCard Firewall devices.

Connection via Internet Modem

The current LaundryCard Firewall is designed to be connected directly to an Internet Service Provider's (ISP) modem. The ISP connection should provide a static Internet Protocol (IP) address. This provides an IP address that does not change over time. Note that non-static IP addresses normally and most often provided by an ISP may be changed dynamically by the ISP at any time.  Therefore, a static IP is required to provide the store owner with a fixed address to access to the store LaundryCard system.

A modem does not inspect or act on any of the traffic that goes to and from the internet. The modem provided by the ISP will pass all the traffic coming from the internet and send it to the LaundryCard Firewall. Conversely, all traffic transmitted by the LaundryCard Firewall will be directed out to the internet.

One result of attaching the LaundryCard Firewall directly to an ISP supplied modem is that other devices cannot easily be attached to the same internet connection.  Another result is that the security of the LaundryCard Firewall is enhanced, as the LaundryCard Firewall is not accessible to other devices in the store environment.

The LaundryCard Firewall has the necessary and sufficient firewall rules for protecting the LaundryCard network from undesirable internet traffic.

Connection via Internet Modem and Router (or Modem/Router Combination Device)

The advantage of this configuration is that the owner may decide to interface other internet devices using the same internet connection to reduce his costs.  However, there are several disadvantages to this configuration, including:

  1. These additional devices will impact, perhaps severely, the throughput available to the LaundryCard Firewall

  2. These devices may produce traffic at the interface to the LaundryCard Firewall that is best undesirable or at worst debilitating to satisfactory LaundryCard network operation.

  3. The router device (or router portion of the combined modem/router) will require special configuration by the customer.

There are a large number of routers and modem/routers available commercially. Some routers can be satisfactorily configured to operate in a LaundryCard configuration. However, a number of routers do not have sufficient features or throughput to support LaundryCard Firewall operation.

The following documentation is provided in order to help customers (and their ISPs) with their router configuration.

Router Configuration

If a customer router is to be implemented, it must have – at a minimum – the following features and configuration:

  1. The router must be set up to have a single ethernet interface for connection to Port 1 of the LaundryCard Firewall.

  2. A single fixed (static) IP address must be designated for use by the LaundryCard Firewall.

  3. Port Forwarding must be enabled and implemented such that traffic received from the internet and destined to the LaundryCard Firewall static IP address will be forwarded as follows:

    1. The router will forward all TCP traffic with several specific TCP ports to the designated Ethernet interface connected to the LaundryCard Firewall.

    2. The router will forward all UDP traffic several specific UDP ports to the designated Ethernet interface connected to the LaundryCard Firewall.

    3. The router will forward all GRE traffic (protocol 47) to the designated Ethernet interface port connected to the LaundryCard Firewall.

    4. The router will forward all IPSEC-ESP traffic (protocol 50) to the designated Ethernet interface port connected to the LaundryCard Firewall.

  4. All traffic from the LaundryCard Firewall must be forwarded by the router to the modem interface on the router.

Port and Protocol Usage

The following is current list of protocols and port usage of the LCRF (LaundryCard Router/Firewall). 

  • GRE (protocol 47)  - Required for implementation of VPN using PPTP. It is a separate protocol from TCP/IP. Forwarding of this protocol is often configured from a separate menu from TCP/IP port forwarding.

  • IPSEC-ESP (protocol 50)  -   Required for implementation of VPN using L2TP. It is a separate protocol from TCP/IP. Forwarding of this protocol is often configured from a separate menu from TCP/IP port forwarding. This protocol is required for support of Virtual Private Networking (VPN) from late version of Apple devices . If the router does not forward this protocol properly, VPN using L2TP will not be supported.

Protocol

Port

Usage

Notes

TCP

80

WWW

 Web Access (non-secure Hypertext Transfer Protocol) 
Used by Authorize.Net interface

UDP

123

NTP

Network Time Protocol

TCP

443

SSTP/HTTP

Secure Socket Tunneling Protocol / Secure Hypertext Transfer Protocol 
Used by Authorize.Net interface

UDP

500

IKE

 Internet Key Exchange

UDP

514

Syslog

 System Logging

UDP

1701

L2TP

 Layer 2 Tunneling Protocol

TCP

1723

PPTP

 Point-to-Point Tunneling Protocol

UDP

1812

Radius

 Remote Authentication Dial-In User Service

UDP

1813

Radius

 Remote Authentication Dial-In User Service

TCP

2222

Multi-Store

Multistore data requests

UDP

4500

L2TP

 Layer 2 Tunneling Protocol

UDP

5556

Hamachi

Hamachi direct connect requests

UDP

5678

MNDP –

 Mikrotik Network Discovery Protocol

UDP

8291

Winbox

Mikrotik Windows Management interface

TCP

12975

Hamachi

Hamachi Initiator Port

UDP

15252

Cloud Time, DDNS

Mikrotik Cloud Services

TCP

32976

Hamachi

Hamachi Session Port

GRE (47)

—

PPTP

 Point-to-Point Tunneling Protocol

IPSEC-ESP (50)

—

L2TP/IPsec

 Layer 2 Tunneling Protocol / Internet Protocol Security

Related Documents