Control Subnet Overview
Our control system architecture provides a dedicated Control Subnet (eth1), ensuring secure and optionally isolated communication between AV devices and the control system without interference from outside network traffic.
Key Features of the Control Subnet
• Dedicated Network Isolation:
The Control Subnet is an independent network segment designed exclusively for controlling AV devices.
• Built-in DHCP Server:
IP addresses are assigned dynamically to devices on the Control Subnet.
• Firewall Protection:
Traffic between the Control Subnet and other networks is restricted by default to prevent unauthorized access.
• No Internet Dependency:
The Control Subnet does not require internet access, ensuring local device communication is uninterrupted.
⚠️ CAUTION: Do not connect the Control Subnet (eth1) to the LAN (eth0) port or to the client network. By default, the Control Subnet runs a DHCP server and must remain isolated from non-AV devices. It is intended solely for communication with AV devices and should not be exposed to external traffic without strict port forwarding rules. To update firmware or establish a remote SSH connection to the Control Subnet, use NAT port mapping and interface forwarding.
Overview
In this setup, the eth1 10/100 interface is dedicated to the Control Subnet, which is defined by the network 192.168.9.0/24. The processor acts as the router/DHCP server for this subnet.
Network Configuration
• Control Subnet: 192.168.9.0/24
• Network Address: 192.168.9.0 (reserved)
• Broadcast Address: 192.168.9.255 (reserved)
• Processor (eth1) Static IP (Control Subnet Router): 192.168.9.254/24 (This IP serves as the default gateway for devices on the Control Subnet)
• DHCP Pool Range (for devices on eth1): 192.168.9.1 to 192.168.9.253
• Lease Time: 12 hours
(For devices requiring static IPs, reservations can be manually configured using console commands – coming soon)
Firewall Routing
• Control Subnet (eth1): 192.168.9.0/24
• Wi‑Fi AP (wlan0): 192.168.10.0/24
Routing Behavior
• wlan0 → eth1: ✅
Devices connected to the Access Point (wlan0) can communicate with devices on the Control Subnet (eth1) by default.
• eth0 → eth1: ✅
By default, traffic on eth0 cannot reach eth1; access requires enabling interface forwarding and creating a specific port map.
• eth1 → eth0: ❌
Communication from the Control Subnet to the LAN is blocked. eth1 can only reply to established eth0 connections.
• wlan0 → eth0: ❌
Communication from the Wi‑Fi network to the LAN is blocked.
Default Firewall Rules
Direction           Port(s)       Rule Description
Inbound from LAN    22            Allowed: SSH access to CPU
Inbound from LAN    80, 443       Allowed: Web server access (if enabled)
Inbound from LAN    1880, 1883    Allowed: Node-RED communication
Isolation Mode:
By default, the Control Subnet cannot communicate with the external network (eth0), which limits its exposure to attack from the LAN.
Why?
• Prevents interference with client LAN.
• Ensures stability by keeping external traffic from interfering with control signals.
• Protects against unauthorized remote access.
Wireless Access (wlan0) Configuration
The system provides a dedicated 5 GHz Wi‑Fi access point (wlan0) for Parallax Control devices that need wireless access to the Control Subnet. The programmer can also use this access point to reach the device.
• SSID: CM4-[MAC Address]
• Subnet: 192.168.10.0/24
• Router (Default Gateway): 192.168.10.254 (static IP for wlan0)
• DHCP Range: 192.168.10.1 – 192.168.10.253
Note: Wireless clients are allowed to communicate only with devices on the Control Subnet. Internet access is disabled by default.
Security Considerations
• The access point is protected with WPA2-PSK.
• The password is dynamically generated using the last 8 digits of the device’s CPU serial number.
• Wireless clients cannot access eth0 (LAN/Internet).
Best Practices & Recommendations
• Keep the Control Subnet Isolated:
Do not physically bridge eth1 to eth0; this will cause loops and conflicts.
• Do Not Modify Firewall Rules Unless Necessary:
The preconfigured firewall settings provide optimal security and performance for most environments.
• Reboot After Network Changes:
Restart the control system to apply network changes effectively.
• DHCP preferred:
DHCP is preferred for devices residing on the Control Subnet. DHCP host reservation instructions are coming soon.
FAQ
1. Can I connect the Control Subnet (eth1) to the internet?
No. The Control Subnet is designed for internal communication only. In non-isolation mode, NAT port mapping is required to allow remote updates to devices on the Control Subnet.
2. Why can’t my laptop access the internet through the WiFi access point?
By default, wlan0 is restricted to only communicate with eth1 (Control Subnet).
3. How can I check connected devices?
Run the following command to view DHCP leases:
showdhcplease
NAT port mapping allows devices on eth0 to reach a specific device on eth1 through an external port. The NAT route translates the external port to the internal port on the eth1 Control Subnet, giving the user access to the device. This is typically used to open an SSH connection for remotely configuring AV devices on the Control Subnet.
Example: Create a port map to allow SSH access from eth0 to a device on eth1. We use the high-numbered external port 60444. Traffic will be directed to eth1 at IP address 192.168.9.161.
Command:
createportmap 60444 192.168.9.161
Using nmap on a laptop attached to eth0, we can test whether the port is reachable:
(base) bruce@Bruces-MacBook-Pro ~ % sudo nmap -e en0 -Pn -p- 192.168.1.156
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-16 17:29 EST
Nmap scan report for 192.168.1.156
Host is up (0.0043s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
1880/tcp open vsat-control
MAC Address: E4:5F:01:B6:FD:75 (Raspberry Pi Trading)
As you can see, the newly created route for port 60444 is not shown in the list. This is because by default, interface forwarding is disabled!
eth0 interface forwarding into the control subnet (eth1) is disabled by default.
In this example we enable all interfaces, including eth0 and wlan0, to access eth1.
Command:
isolationmode allow_all
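The following is an added example, not the product's own code, that models the Routing Behavior table, the default "Inbound from LAN" rules, and the createportmap/isolationmode procedure above, so the unreachable-port-map failure seen in the nmap check can be reproduced offline. The internal port argument, the usable-host check and the external-port sanity check are assumptions for illustration; only the port and IP arguments appear on the page.

```python
import ipaddress

# Constructed model of the policy this page describes; it is not the processor's own code.
CONTROL_SUBNET = ipaddress.ip_network("192.168.9.0/24")   # eth1
WIFI_SUBNET = ipaddress.ip_network("192.168.10.0/24")     # wlan0
CONTROL_GATEWAY = ipaddress.ip_address("192.168.9.254")   # processor eth1 address
CPU_LAN_PORTS = {22, 80, 443, 1880, 1883}   # "Inbound from LAN" rows of the default rule table


class Processor:
    """Models the console commands and default forwarding policy of the control processor."""

    def __init__(self):
        self.isolation_mode = "isolated"   # default: eth0 cannot forward into eth1
        self.portmaps = {}                 # external port -> (eth1 host, internal port)

    def createportmap(self, ext_port, target_ip, int_port=22):
        # int_port is an assumed parameter; the page's command shows only the port and IP (SSH).
        ip = ipaddress.ip_address(target_ip)
        usable = set(CONTROL_SUBNET.hosts()) - {CONTROL_GATEWAY}   # the DHCP pool .1 to .253
        if ip not in usable:
            raise ValueError(f"{target_ip} is not a DHCP-range host on the Control Subnet")
        # Assumed sanity check: keep external ports high and clear of the CPU's own services.
        if not 1024 <= ext_port <= 65535 or ext_port in CPU_LAN_PORTS:
            raise ValueError(f"external port {ext_port} is privileged or used by a CPU service")
        self.portmaps[ext_port] = (str(ip), int_port)

    def isolationmode(self, mode):
        if mode not in ("isolated", "allow_all"):
            raise ValueError(mode)
        self.isolation_mode = mode

    def forward(self, src_if, dst_if, established=False):
        """Verdict for a new flow routed between two interfaces (Routing Behavior section)."""
        if src_if == "wlan0" and dst_if == "eth1":
            return "allow"                                  # AP clients reach the Control Subnet
        if src_if == "eth1" and dst_if == "eth0":
            return "allow" if established else "drop"       # replies to LAN connections only
        if src_if == "wlan0" and dst_if == "eth0":
            return "drop"                                   # no Wi-Fi to LAN/Internet
        if src_if == "eth0" and dst_if == "eth1":
            return "allow" if self.isolation_mode == "allow_all" else "drop"
        return "drop"

    def lan_visible_ports(self):
        """TCP ports a LAN host sees open on the processor, as the nmap check reports them."""
        ports = set(CPU_LAN_PORTS)
        if self.isolation_mode == "allow_all":   # port maps stay dark until forwarding is enabled
            ports |= set(self.portmaps)
        return ports
```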