BGAN M2M Firewall Traffic Rules

The BGAN M2M firewall traffic rules are located at the BGAN satellite teleports and are designed to block all traffic except for what is listed in the whitelist of allowed IP addresses provided to Ground Control.

By default, all outgoing traffic from the BGAN terminal is permitted, but all incoming “initiated” traffic from the internet is blocked. However, incoming initiated traffic can be allowed if a BGAN M2M SIM card is assigned a public IP address, which incurs an additional cost of $20 per SIM per month, or if it is using IPSec VPN.

With M2M, if a public IP is not being used, a firewall can restrict unauthorized outgoing BGAN usage by limiting the connected device’s IP addresses that may communicate. If no firewall is in place, any destination on the internet is accessible. It’s worth noting that many clients prefer the default outgoing open setting.

If an M2M is using a public IP, Ground Control will need a whitelist of approved IP addresses that can communicate with the device linked to the M2M terminal. Restricting incoming initiated traffic to this whitelist protects the BGAN terminal from malicious incoming scans that could result in financial liability for the subscriber.

Simply ask your sales rep or write to support@groundcontrol.com with how you wish to use the BGAN firewall with your M2M service.

BGAN M2M Firewall Rule Possibilities

  • Allow/deny any IP address or range of IP addresses for Whitelist/Blacklist.
  • Allow/deny Email by SMTP and/or POP3 and/or IMAP and/or secure SMTP.
  • Allow/deny TCP, UDP, ICMP, SKIP, GRE, ESP, and IP protocols.
  • Allow/deny HTTP (Web Browsing), and/or HTTPS.
  • Allow/deny FTP (File Transfer Protocol).
  • All other traffic, not covered by the rules chosen from the list above, will be denied.

Creating BGAN M2M Firewall Traffic Rules

To quickly understand how this service works, the screen below shows how one (or more) traffic rules would be created for each individual BGAN M2M SIM card.



Multiple firewall rules will establish a more complete whitelist or blacklist. Above is a typical whitelist that allows limited traffic from the Internet to the BGAN terminal. Whitelists are a common rule since they limit traffic to certain IP addresses, such as between a remote BGAN terminal IP address and a corporate server IP address.

There are four possible traffic types that can be configured:

  • Whitelist to allow listed IP traffic from the internet to the BGAN terminal
  • Whitelist to allow listed IP traffic from the BGAN terminal to the internet
  • Blacklist to deny listed IP traffic from the internet to the BGAN terminal
  • Blacklist to deny listed IP traffic from the BGAN terminal to the internet
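
The four traffic types above, together with the defaults described earlier (outgoing open, incoming initiated traffic blocked), can be modelled as a small rule evaluator for sanity-checking a whitelist before it is sent to support. This is an added example, not Ground Control's code: the direction names, the rule tuple format, the rejection of /0 whitelist entries and the choice that a blacklist match overrides a whitelist match are assumptions, and the addresses are constructed from documentation ranges.

```python
import ipaddress

# Defaults stated on the page: outgoing traffic is permitted, incoming
# initiated traffic is blocked unless a rule allows it.
# The direction names are labels chosen for this example.
DEFAULT_ALLOW = {"to_internet": True, "to_terminal": False}

# Constructed sample: one corporate server may reach the terminal, and the
# terminal may only talk to the corporate range.
SAMPLE_RULES = [
    ("to_terminal", "whitelist", "203.0.113.10/32"),
    ("to_internet", "whitelist", "203.0.113.0/24"),
]

def parse_rules(entries):
    """Validate (direction, list_type, cidr) tuples and return parsed rules.

    Raises ValueError for an unknown direction or list type, for a range with
    host bits set (a common typo such as 203.0.113.10/24), and for a whitelist
    entry of prefix length 0, which would allow every address.
    """
    rules = []
    for direction, list_type, cidr in entries:
        if direction not in DEFAULT_ALLOW:
            raise ValueError(f"unknown direction: {direction}")
        if list_type not in ("whitelist", "blacklist"):
            raise ValueError(f"unknown list type: {list_type}")
        net = ipaddress.ip_network(cidr, strict=True)
        if list_type == "whitelist" and net.prefixlen == 0:
            raise ValueError(f"whitelist entry {cidr} allows all addresses")
        rules.append((direction, list_type, net))
    return rules

def is_allowed(rules, direction, remote_ip):
    """Return True if traffic in `direction` to/from the internet-side
    address `remote_ip` would pass under this model."""
    ip = ipaddress.ip_address(remote_ip)
    scoped = [r for r in rules if r[0] == direction]
    whitelist = [net for _, kind, net in scoped if kind == "whitelist"]
    blacklist = [net for _, kind, net in scoped if kind == "blacklist"]
    if any(ip in net for net in blacklist):
        return False  # assumption: a blacklist match overrides a whitelist
    if whitelist:
        return any(ip in net for net in whitelist)  # only listed peers pass
    return DEFAULT_ALLOW[direction]  # no whitelist: the page's default applies
```

Running the planned whitelist through `parse_rules` and a handful of expected and unexpected peer addresses through `is_allowed` catches typos and over-broad ranges before the rules are submitted.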

To establish firewall rules for your BGAN SIM card or for more information regarding setting up traffic rules, please email your firewall whitelist, your Ground Control account number, and the BGAN SIM card number to support@groundcontrol.com.

Other BGAN M2M Security Options

Ground Control provides many ways to secure your BGAN connection, such as IPSec VPN, co-location, point-to-point, and private networks.
