¶ Technical Manual – Network and Communications
Updated: May/2026
Connectivity requirements, firewall rules, and validation procedures for the Darwin platform and EASi products. Intended for IT and network teams.
1. Darwin - Servers and Infrastructure
¶ 1. Darwin - Servers and Infrastructure
¶ 1.1. Routing and NAT (Critical)
The solution operates with persistent sessions (WebRTC, MQTT, HTTP/3). The source IP must not change during a session, or the server will drop the packets.
Restrictions:
- Do not use Load Balancing (L4/L7), intermediate proxy, balanced SD-WAN, or DNS round-robin for
*.easi.live - Do not use symmetric NAT (breaks STUN/ICE)
Expected behavior:
- Packets within the same session must exit through the same public IP (a fixed IP between sessions is not required - only consistency within each session)
- Persistent (sticky) NAT: NAT port preserved throughout the session
- No route changes while a session is active
Failover: active-passive only. Existing sessions must be restarted after a link switch.
Multiple active paths are not supported. Symptoms: video freezing, MQTT reconnecting in short cycles, intermittent API failures despite a stable link.
¶ 1.2. Ports and Domains
| Domain / Address | Port(s) | Transport | Protocol | Notes |
|---|---|---|---|---|
*.easi.live |
443 | TCP / UDP | HTTPS / HTTP/3 | Main communication |
api.easi.live |
443 | TCP | HTTPS | API |
storage.easi.live |
443 | TCP | HTTPS | CloudFront (dynamic IP) |
remote.easi.live |
443 | TCP | HTTPS | Remote access |
mqttv2.easi.live |
8883 | TCP | MQTT TLS | Telemetry |
mqttv2.easi.live |
1883 | TCP | MQTT TLS | Compatibility - TLS terminated at AWS LB (see note) |
stun.br.easi.live |
3478 | TCP/UDP | STUN | WebRTC |
ntp.easi.live, a.ntp.br |
123 | UDP | NTP | Time sync (mandatory) |
easilive.s3.amazonaws.com, s3-1-w.amazonaws.com |
443 | TCP | HTTPS | S3 (dynamic IP) |
archive.ubuntu.com, security.ubuntu.com, ppa.launchpad.net |
443 | TCP | HTTPS | Ubuntu updates |
download.docker.com, hub.docker.com, registry-1.docker.io, production.cloudflare.docker.com, auth.docker.io, index.docker.io |
443 | TCP | HTTPS | Docker |
quay.io (optional) |
443 | TCP | HTTPS | Alternative registry |
monitore.svc.easi.live |
10051 | TCP | Zabbix | Monitoring |
<VoIP Server IP> |
80, 443, 9001 | TCP | HTTP/HTTPS | VoIP - access and API |
<VoIP Server IP> |
8222 | TCP | Proprietary | Telephony control |
<VoIP Server IP> |
5060 | UDP | SIP | VoIP signaling |
<VoIP Server IP> |
10000–20000 | UDP | RTP | Voice media |
<Phones Network> |
80, 443 | TCP | HTTP/HTTPS | Phones ↔ server |
* |
1024–65535 | UDP | RTP | WebRTC / DVR - dynamic ports |
| POS → Darwin (internal) | 23454 | UDP | Proprietary | POS events |
Port 1883 on
mqttv2.easi.liveoperates with TLS enabled (terminated at the AWS LB), even though the IANA standard defines it as plain MQTT. Treat it as TLS traffic when configuring the firewall.Validation:
curl -vI https://mqttv2.easi.live:1883→ TLS 1.2 handshake completes, certificate issued byAmazon RSA 2048 M01.
¶ 1.3. FQDN Allowlisting (Mandatory for Cloud Services)
AWS-hosted services (CloudFront, S3, ELB) do not have fixed IPs. DNS resolution returns different addresses over time depending on region, load balancing, and availability.
Operational consequence: a firewall rule based on a fixed IP will stop working once AWS reallocates the address. This is expected AWS behavior and does not indicate any change in the Inwave system.
Rules:
- Allowlist by FQDN, never by IP
- For explicit proxies, add the FQDN to the allowlist
- Do not apply SSL inspection / DPI on
*.easi.live(breaks WebRTC, MQTT, and HTTP/3) - SD-WAN must resolve the FQDN at connection time, without long caching
Domains that require FQDN allowlisting: *.easi.live, storage.easi.live, easilive.s3.amazonaws.com, s3-1-w.amazonaws.com, *.docker.io, download.docker.com, production.cloudflare.docker.com.
¶ Alternatives (use with caution)
When the firewall or proxy does not support wildcard/FQDN allowlisting for the main domains, the following addresses can be used as alternatives:
| Service | Main domain (preferred) | Alternative |
|---|---|---|
| CloudFront | storage.easi.live |
d2tjwffk8hi2j5.cloudfront.net |
| S3 | easilive.s3.amazonaws.com |
s3-1-w.amazonaws.com |
Warning:
s3-1-w.amazonaws.combroadens access to all AWS S3 buckets, not just Inwave's. Assess the security impact before adopting.- The domain
d2tjwffk8hi2j5.cloudfront.netmay change due to maintenance or cloud infrastructure updates, without prior notice.- Whenever possible, keep allowlisting on the main domains (
storage.easi.liveandeasilive.s3.amazonaws.com).
¶ 1.4. Connectivity Validation
ping (ICMP) is not valid for cloud services - AWS and intermediate devices frequently drop ICMP regardless of the application state. Always validate on the application's port.
¶ Test commands
| Service | Command | Expected result |
|---|---|---|
| HTTPS | curl -v https://storage.easi.live |
TLS handshake, HTTP response |
| MQTT TLS | openssl s_client -connect mqttv2.easi.live:8883 |
Certificate presented, connection established |
| Generic TCP | nc -zv api.easi.live 443 |
succeeded / open |
| STUN (UDP 3478) | stunclient stun.br.easi.live 3478 |
Mapped Address returned |
| Zabbix | nc -zv monitore.svc.easi.live 10051 |
succeeded / open |
| NTP | sntp a.ntp.br or chronyc sources |
Offset reported in ms/seconds |
| Docker | docker pull hello-world |
Image pulled with no TLS error |
UDP tests using
nc -zumay produce false positives on firewalls with silent drop. For reliable UDP validation, usestunclient(STUN) andsntp(NTP).
¶ Interpretation
| Scenario | Diagnosis |
|---|---|
ping fails + curl/nc succeeds |
Normal - ICMP blocked, application operating |
ping succeeds + curl/nc fails |
Firewall blocking the port - review FQDN rule |
curl/nc fails on AWS domain |
Likely legacy IP-based rule - switch to FQDN |
| TLS handshake fails (invalid cert, reset) | SSL/DPI inspection in path - add exception for *.easi.live |
docker pull fails with TLS error |
SSL inspection on Docker CDN - add exception |
| STUN without Mapped Address | UDP 3478 blocked or symmetric NAT |
| NTP with high offset or no response | UDP 123 blocked or redirected |
¶ 1.5. HTTP/3 (QUIC)
Negotiated automatically when UDP 443 is open. Falls back to HTTP/2 (TCP 443) if blocked.
- TCP 443 - mandatory
- UDP 443 - recommended (enables HTTP/3)
- TCP 80 - HTTPS redirect
¶ 1.6. NTP - Time Synchronization
Functional prerequisite. Without NTP, TLS, WebRTC, authentication, and auditing fail silently.
- UDP 123 allowed (outbound) to
ntp.easi.liveanda.ntp.br - Do not intercept, redirect, or apply DPI on NTP traffic
- Maximum accepted offset: 5 seconds
Failure symptoms: TLS error despite a valid certificate chain, intermittent login failures, WebRTC unable to complete handshake, inconsistent event timestamps.
¶ 1.7. Telephony (VoIP)
Requirements:
- Voice VLAN enabled on switch ports where phones will be connected
- Stable site-to-site VPN between store and VoIP servers
Site-to-site VPN allowlisting:
| Source → Destination | Ports |
|---|---|
| Store → Phones | TCP 80, 443 |
| Store → VoIP Servers | TCP 80, 443, 8222, 9001 / UDP 5060 |
| VoIP Server ↔ Phones | TCP 80, 443 / UDP 5060 / UDP 10000–20000 |
RTP uses a wide UDP port range. A misconfigured SIP ALG causes one-way audio. Configure it properly or disable it according to the equipment.
¶ 1.8. Local Integrations
| Source → Destination | Port | Protocol |
|---|---|---|
| Darwin → MGV7 (scale) | 8080 | HTTP |
| MGV7 → Scale | 9000 | TCP |
| Darwin → Local EAS (optional) | 9000 | TCP |
Internal store communication. No additional internet allowlisting required.
¶ 1.9. Recommended Bandwidth
| Service | Recommendation |
|---|---|
| MTU | 1500 |
| Full HD Video | 256 Kbps per POS |
| HD Video | 128 Kbps per POS |
| Operator | 2048 Kbps |
| VoIP | 10 Mbps + QoS |
| EAS | 25 Kbps per device |
Values are per concurrent session. Size the link according to expected peak.
¶ 1.10. References
- Network validation checklist - run at least 5 business days before deployment
- Full video communication flow - WebRTC, STUN/TURN, NAT
2. EASi (EAS)
¶ 2. EASi (EAS)
.png)
| Domain | Port | Transport | Protocol |
|---|---|---|---|
webenable.easi.live, webenable.inwavetech.com |
9000 | TCP | Proprietary |
- Minimum bandwidth: 25 Kbps per device
- Avoid Wi-Fi in high-interference environments
- FQDN-based allowlisting
3. EASiGuard
¶ 3. EASiGuard
| Domain | Port | Transport | Protocol |
|---|---|---|---|
*.easi.live |
443 | TCP | HTTPS |
storage.easi.live |
443 | TCP | HTTPS |
remote.easi.live |
443 | TCP | HTTPS |
mqtt.easi.live, mqttv2.easi.live |
8883 | TCP | MQTT TLS |
ntp.easi.live, a.ntp.br |
123 | UDP | NTP |
FQDN and validation rules from section 1 apply.
Darwin Support Team