Connectivity: IT Configuration Requirements

If opting for Wi-Fi devices, there are a few steps your IT team will need to take to ensure our devices can properly connect to your network.

Amper Wi-Fi Gateway IT Requirements

Network Requirements

In order to connect Amper Gateways, your network will need to be configured for the following:

  • Network must be 2.4 GHz (our devices do NOT support 5 GHz-only networks).
  • Supported network security types are WPA2 (most common), WPA, WEP, and Unsecured/Open. Devices do NOT support WPA2 Enterprise or WPA3.
  • Hidden SSID networks are NOT supported.
  • Amper Gateways do NOT support networks that require a captive portal log-in (such as a guest network that requires logging in).
  • If your network restricts access to the internet or to the access point by MAC address, contact support@amper.xyz to obtain your devices’ MAC addresses and provide them to your Network Administrator. They can also be downloaded as a CSV from the Hardware Settings page in the app.
  • DHCP is required - devices do NOT support static IP assignment. If you want a device to use a specific IP address, reserve one in your network’s DHCP settings based on the device’s MAC address.

Firewall Requirements

Please ensure that the following domains and ports are whitelisted in your firewall.

  • Note that all domains resolve to a dynamic IP pool that changes over time. As such, you must whitelist using the domain and NOT the resolved IP address.
  • All device connections are outbound. There are NO inbound connections.
Protocol   Destination                                        Port   Notes
UDP        *.udp.particle.io                                  5684   Dynamic IP Pool
TCP        a1z2vcintpz3vi-ats.iot.us-west-2.amazonaws.com     8883   Dynamic IP Pool
TCP        device.tcp.particle.io                             5683   Dynamic IP Pool. Only required for legacy gateways (no button)

Common Issue Troubleshooting

There are some common issues you may encounter - here are some steps you can take if you do. If you don’t find your issue here or need more help, please reach out at support@amper.xyz.

Gateway can’t find network during scan

  • You may be out of range of the network - try to get closer to an access point.
  • Your network may not meet Amper’s requirements. Double check them above.

Gateway finds network, but won’t connect to it

  • You may have entered the wrong password / the password for a different network.
  • The network may be only allowing connections from whitelisted MAC addresses. See more details above.

Gateway connects to access point (green signal LED) but flashes white or red (status LED)

  • The device cannot connect to one of the required services.
  • This may be caused by a network with no internet access.
  • This may be caused by the network firewall not allowing the required traffic specified above.

Devices disconnect every X minutes or hours

  • Check to see if there are any rules enforcing a maximum connection duration or DHCP lease duration.
  • If disconnections are 7-10 minutes apart, it may be because the device is restarting due to not being able to reach one of the required services. Double check the firewall configuration.

Known Meraki IT Issues

We have identified a few specific issues that may sometimes arise for Meraki users and have the applicable guidance listed below.

Traffic must be allowed on BOTH Content Filtering and Layer 3 Firewall rules

This mostly applies when Content Filtering is set up as a whitelist-only filter. Even if you have allowed the required traffic in your Layer 3 Firewall rules, if your URL blocking in Content Filtering is set up with a universal wildcard ("*"), you will likely ALSO have to add the required domains to the Content Filtering Whitelisted URL Patterns field.

SNORT Threat Detection Incorrectly Flags Some AWS IP Pool Addresses

SNORT is part of Meraki’s threat detection. There are a number of different SNORT rules, but SID 1:45199 sometimes incorrectly flags legitimate IP addresses. Whenever a SNORT update is released, the list of IP addresses that may get flagged by this rule may also change. Because Amper uses an AWS domain for one of our services, if one or more of the IP addresses in that pool has been reported due to some other user of that AWS service, it may be blocked by this rule.

The issue is that SNORT actually will OVERRIDE your other firewall settings. Even if you completely whitelist a device, SNORT can still block part of the traffic if it is enabled and one such issue is occurring.

To determine if this is causing an issue, check your logs in Security Center. The alert message for this rule is “SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt”. Note that you may see a domain name that is DIFFERENT from the domain we have set up in the firewall. This is because SNORT seems to hardcode that name, and some IP addresses rotate between various AWS services over time. Instead, if you see that message, check the SOURCE IP address to see if it matches one of the Amper devices. Any outbound connection to port 8883 from an Amper device is to the domain listed in the firewall requirements.
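To make that source-IP check repeatable, here is an added Python example (not Amper’s or Meraki’s own code) that triages exported alert lines against the list of gateway IPs. The key=value log layout, the IP-to-MAC mapping and the alert values are constructed assumptions, since the real Security Center export format is not shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample mapping of gateway IP -> MAC (made-up values). Build yours
# from the Hardware Settings MAC address CSV joined with your DHCP lease table.
AMPER_DEVICE_IPS = {
    "10.20.30.41": "00:11:22:33:44:01",
    "10.20.30.42": "00:11:22:33:44:02",
}
SNORT_SID = "1:45199"   # the rule discussed on this page
AWS_IOT_PORT = 8883     # port of the AWS IoT endpoint in the firewall table

# Constructed alert lines in a simple key=value layout. The real Security Center
# export format is not shown on this page, so these field names are assumptions.
SAMPLE_ALERTS = [
    'sid=1:45199 src=10.20.30.41 dst=52.0.0.10 dport=8883 msg="SERVER-OTHER limited '
    'RSA ciphersuite list - possible Bleichenbacher SSL attack attempt"',
    'sid=1:45199 src=10.20.30.99 dst=52.0.0.11 dport=443 msg="SERVER-OTHER limited '
    'RSA ciphersuite list - possible Bleichenbacher SSL attack attempt"',
    'sid=1:2100498 src=10.20.30.42 dst=198.51.100.7 dport=22 msg="unrelated rule"',
]
ALERT_RE = re.compile(r"sid=(\S+) src=(\S+) dst=(\S+) dport=(\d+)")


def classify_alert(line):
    """Return (category, source_ip) for one alert line.

    Only SID 1:45199 hits whose SOURCE is a known gateway and whose destination
    port is 8883 count as the known false positive. The destination name is
    ignored on purpose: SNORT may report a different AWS host name.
    """
    m = ALERT_RE.search(line)
    if not m:
        return ("unparsed", None)
    sid, src, _dst, dport = m.groups()
    if sid != SNORT_SID:
        return ("other-rule", src)
    if src in AMPER_DEVICE_IPS and int(dport) == AWS_IOT_PORT:
        return ("amper-false-positive", src)
    return ("investigate", src)   # same rule, but not a gateway talking on 8883


def triage(lines):
    """Group alerts by category, attaching the gateway MAC where one is known."""
    groups = defaultdict(list)
    for line in lines:
        category, src = classify_alert(line)
        groups[category].append((src, AMPER_DEVICE_IPS.get(src)))
    return dict(groups)
```

Only the "amper-false-positive" group is a candidate for the SID allow-list step below; anything in "investigate" hit the same rule from a host that is not a known gateway and deserves a normal look.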

To allow this traffic, the only workaround is to add the rule to the SID rule allow list:

  1. Navigate to Security & SD-WAN -> Threat Protection
  2. Under Intrusion Detection -> click Add SID rule to Allow List
  3. Type “1:45199” and select the rule (its name is “SERVER-OTHER limited RSA ciphersuite list - possible Bleichenbacher SSL attack attempt 1:45199”)

Note that changes to SNORT rules will only affect NEW traffic flows, so it may take 10 minutes or so for a device having an issue to reset its connection to a fresh one.

MR Series equipment and MX firmware ≤ v13.3 don’t support Layer 3 domain destinations

If you are using MR Series Meraki equipment, there are additional limitations on where you can apply firewall rules that apply to domain names instead of IP addresses. Specifically, the MR Series does NOT support domain name / FQDN destinations in the Layer 3 Firewall rules.

If you want to whitelist the domains, you must do so in the Content Filtering settings instead of the Layer 3 Firewall settings.

If you want to also whitelist the ports, you must whitelist the port with a destination of “Any” when setting up your Layer 3 Firewall rules.

If any of the above information seems confusing or daunting, do not worry! These are standard IT configurations that your factory's IT team will be familiar with. For requirements & recommendations related to the Gateway configuration process, please also see the relevant section

Web & Tablet App Access

In order to fully access Amper’s web and tablet app from a computer, TV, or phone, your network must be configured for the following:

  • TCP Ports Open (Outbound Traffic)
    • 443
    • 80
  • Domains Open (Outbound Traffic)
    • *amper.xyz
    • sentry.io
    • *looker.com
    • *.lookercdn.com