This guide explains how to create a NetID filter for Tektelic gateways on both Tektelic CORE NS (via MQTT) and AWS (via BSTN).
Tektelic gateways feature a configurable NetID filter that filters out traffic from roaming devices. This can save on unnecessary and often expensive data consumption on gateways, particularly those using metered cellular backhaul.
Currently, Tektelic gateways support two methods of NetID filtering:
- Tektelic CORE NS/MQTT connection.
- AWS/BSTN connection.
Two types of filter are applied:
- NetID/DevAddr → allows screening of regular device uplinks on the gateway, since every uplink contains the DevAddr field as part of its header. This is employed for the OTAA and ABP activation process.
- JoinEUI/DevEUI → applied to Join Requests (employed for the OTA activation process).
Below is an explanation of these four values:
- NetID → 24-bit identifier that is assigned to LoRaWAN network providers by the LoRa Alliance. (Alternative link)
- DevAddr → 32-bit end-device identifier assigned by the LNS and derived from the NetID.
- JoinEUI (a.k.a AppEUI) → 64-bit identifier that represents a Join Server (JS) in the LoRaWAN network.
- DevEUI → Similar 64-bit identifier but for the end devices.
Filtering rule concepts
- Checking starts at the top of the list, at the rule with the lowest ID.
- If a DevAddr (or, for join requests, a DevEUI/JoinEUI) matches a rule, this rule is applied immediately and no more rule checking is performed.
- If a DevAddr (or, for join requests, a DevEUI/JoinEUI) does not match the range of the rule, the next rule is checked.
- The last rule shall cover the complete range. If no rule has matched, an implicit ALLOW rule is assumed.
Filtering file
- Filtering rules are saved under: /var/lib/tektelic-lora-hal/uplink-filter-list
- If no rule is configured, all uplink packets will be accepted and all devices will be joined.
NetID filtering via Tektelic CORE NS/MQTT - Prerequisites
Before you can implement a NetID filter on a Tektelic gateway, you will require the following:
- The following software installed on your gateway:
  - tektelic-gateway-bridge 1.9.4-r81
  - tektelic-lora-hal 5.2.1-r5
  - NOTE: This software can be found on Universal BSP 7.1.2 and above.
- Configured gateway on Tektelic CORE NS
- Configured devices (OTAA/ABP activated) on Tektelic NS
- Access to Swagger API
To determine the software version of your gateway, there are two methods:
- Entering the command system_version on your gateway.
- On Tektelic CORE NS, select your gateway to check its connectivity and status. Then, under the SW Management tab, click BSP status to read the software version.
Configuring NetID filter
The simplest way to configure a NetID filter is by editing this file template.
Replace the highlighted text with the DevAddr/DevEUI/JoinEUI of your choice.
You will need two separate rules for your devices because:
- Rules pertaining to DevAddr ONLY affect uplink traffic.
- Rules pertaining to DevEUI and JoinEUI ONLY affect join requests.
Creating a rule for DevAddr but not DevEUI/JoinEUI (or vice versa) for your devices may lead to unexpected packet loss.
To find the DevAddr, click on your device to open Device Details, then select the Activation tab.
Once the file is edited to your liking, save the file and its contents for later.
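The first-match semantics from "Filtering rule concepts" and the DevAddr/join split described above, as an added Python example (not Tektelic code and not the syntax of the uplink-filter-list file). The rule classes, ranges and EUIs are constructed for illustration; that a join rule matches only when both DevEUI and JoinEUI are in range is an assumption.

```python
from dataclasses import dataclass

FULL32 = (0x0, 0xFFFFFFFF)             # complete DevAddr range
FULL64 = (0x0, 0xFFFFFFFFFFFFFFFF)     # complete DevEUI/JoinEUI range

@dataclass(frozen=True)
class DevAddrRule:                     # hypothetical model, not the file format
    rule_id: int
    action: str                        # "ALLOW" or "DENY"
    devaddr: tuple = FULL32            # inclusive (start, end)

@dataclass(frozen=True)
class JoinRule:                        # hypothetical model, not the file format
    rule_id: int
    action: str
    deveui: tuple = FULL64
    joineui: tuple = FULL64

def _in(value, rng):
    return rng[0] <= value <= rng[1]

def _first_match(rules, matches):
    # Lowest rule ID is checked first; the first matching rule decides.
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if matches(rule):
            return rule.action
    return "ALLOW"                     # no rule matched: implicit ALLOW

def check_uplink(rules, devaddr):
    # DevAddr rules only ever see regular uplinks.
    return _first_match(rules, lambda r: _in(devaddr, r.devaddr))

def check_join(rules, deveui, joineui):
    # Assumption: a join rule matches only if both EUIs fall in its ranges.
    return _first_match(
        rules, lambda r: _in(deveui, r.deveui) and _in(joineui, r.joineui))

# Constructed sample policy: one owned DevAddr block and one owned JoinEUI,
# each list closed by a DENY rule that covers the complete range.
OWN_DEVADDR = (0x01000000, 0x01FFFFFF)
OWN_JOINEUI = (0x0011223344556677, 0x0011223344556677)
UPLINK_RULES = [DevAddrRule(1, "ALLOW", OWN_DEVADDR), DevAddrRule(2, "DENY")]
JOIN_RULES = [JoinRule(1, "ALLOW", joineui=OWN_JOINEUI), JoinRule(2, "DENY")]

if __name__ == "__main__":
    print(check_uplink(UPLINK_RULES, 0x01ABCDEF))            # own device uplink
    print(check_uplink(UPLINK_RULES, 0x02000000))            # roaming uplink
    # DevAddr rules alone leave join requests on the implicit ALLOW:
    print(check_join([], 0x1, 0xAABBCCDD00000001))
    print(check_join(JOIN_RULES, 0x1, 0xAABBCCDD00000001))   # roaming join
    print(check_join(JOIN_RULES, 0x1, 0x0011223344556677))   # own join
```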
NetID filtering via Tektelic CORE NS/MQTT - Procedure
- Ensure that you have your gateways/devices set up and online/connected.
- Obtain an authentication token from the following guide.
- Use the authentication token on Swagger UI.
- Configure gateway via gw-json-configuration-controller API.
When you have the authentication token ready, enter it into Swagger API here:
Then, under gw-json-configuration-controller, select PUT
Then select Try it out
Fill out the fields accordingly:
- For Example Value, copy and paste the contents of the newly edited example-netid-filter.txt
- For entityType, enter GATEWAY (without quotes).
- For entityId, enter the entityId of your gateway.
The entityId of your gateway can be found under the gateway details:
Once the fields have been configured, click Execute and your gateway will generate a new NetID filter!
NetID filtering via AWS/BSTN - Prerequisites
Before you can implement a NetID filter on a Tektelic gateway, you will require the following:
- The following software installed on your gateway:
  - tektelic-bstn 1.9.4-r81
  - tektelic-lora-hal 5.2.1-r5
  - NOTE: This software can be found on Universal BSP 7.1.2 and above.
- Configured gateway on AWS IoT Core
- Configured devices (OTAA/ABP activated) on AWS IoT Core
To determine the software version of your gateway, enter the command system_version on your gateway.
NetID filtering via AWS/BSTN
To enable a NetID filter, you can add it during the process of creating a gateway or by editing an existing one. In either case, the options for configuring the filter will be under LoRaWAN Configuration - optional.
AWS only filters by NetID from a manufacturer rather than a set range of DevAddr. To find out the NetID of your device, please click here. (Alternative link)
When creating a filter on AWS, there are a couple of things to note:
- When clicking Save, BSTN on the gateway will restart and receive the new configuration.
- If the filters do not save, please try using a different browser such as Chrome.
- To see your gateway receive new NetID rules, run the following command and then save the filters: tail -f /var/log/bstn.log
- There is no UI support to provide ‘devEUI’. By default it considers the complete range instead (deveui_start = 0, deveui_end = ffffffffffffffff).
- Rules provided are considered as ‘ALLOW’.
- By default as a last rule, there is a ‘DENY’ rule with a complete range for both NetID and joinEUI:
  - NetID - [start = 0, end = ffffffff]
  - joinEUI - [deveui_start = 0, deveui_end = ffffffffffffffff, joineui_start = 0, joineui_end = ffffffffffffffff]