MatthewD Posted November 5, 2018

Hello,

All throughout the FLX S manual it says, "NB: FLX S should not be connected to the Internet"

Why is this so?

I have about 5x FLX S's that are intended to sit on an educational network spanning many buildings [10.x.y.z, where x = 1 to 20 subnets], and I need to:

- have remote control of the consoles within the venues over Wifi (on the same LAN), e.g. via Android and iOS.
- have remote monitoring from within the AV Office (on the same LAN, but wired).

The main option for a network is the college's LAN, which is highly Firewall-ed internally. However, it is connected to the Internet.

I would also need to add a few ArtNet nodes onto the same LAN, to also be controlled and monitored by a PC, Smartphone, and sometimes an FLX S.

Can anyone please explain the risks of this situation and reasons why I should or shouldn't go ahead with this idea?

Thanks in advance.

Edward Z88 Posted November 6, 2018

Hi Matthew,

FLX S consoles have not been designed to be connected to the Internet. There is no reason why the network setup you describe wouldn't work, but it could reduce the stability of FLX S and introduce the risk of security threats.

Feel free to drop me an email if you'd like to discuss your system further.

Any queries let me know,

Edward

Edward Smith
Product Specialist

MatthewD Posted November 8, 2018

Thanks Edward,

So the company LAN consists of 18 buildings, each with a different subnet address, i.e. 10.Building_ID.VLAN_ID.Device_ID

The following devices will be connected to a network switch in one building:

- Zero88 FLX S48 (via ethernet port, Art-Net protocol)
- Crestron Room Processor Pro2 (or DMPS3) via Art-Net
- Enttec Datagate Mk2, i.e. https://www.enttec.com/products/network-and-distribution/dmx-management/datagate-mk2/

The Datagate Mk2 will then merge the FLX S and the Crestron Art-Net streams, plus merge the DMX input port from some DMX keypads around the venue. (So a three-way merge in the Datagate Mk2.) Then output a single DMX port to the dimmers. (There will also be internal software switches and priority merges utilised inside the Datagate. And we may also use RDM to query the dimmers.)

However, remote iPad control of the FLX (and Crestron) system is required via the WAP in the same building. (And this works well, btw, already tested 🙂)

But from all other buildings via wired connections and WAP / Wifi connections, we need to be able to monitor and control the FLX for AV remote venue support. Again this is tested, and seems to work.

The company LAN is fairly wide (18x buildings), and there is a gateway, such that our VLAN has access to the internet. So the FLX is on an internet-accessible network, however, through a gateway with a strong firewall.

There will also be up to 5 or more FLX S's on the whole network, as we roll out lighting console upgrades.

So does the above network structure seem like a suitable and stable setup to you, Edward?

Thanks very much in advance,

Regards
Matthew

Jon Hole Posted November 8, 2018

Hi Matthew,

There are two key "angles" for why ZerOS consoles should be connected to a dedicated LAN:

- Guaranteeing "show critical" data: Ethernet based DMX protocols (Art-Net, sACN) have very little security or error correction, which means we can't guarantee the smooth running of your show if another device chooses to join the network and output conflicting packets.
- Cybersecurity: In the background, ZerOS is running a distribution of Linux. This has not been developed to guarantee the relevant Cybersecurity requirements to sit on an internet connected network. For example, two years from now, we can't guarantee your console is running software with the latest patches to be secure.

Eaton take Cybersecurity very seriously - you can read more about this here: eaton.com/fr/en-gb/company/news-insights/cybersecurity

All the best,

Jon

Jon Hole
Global Product Manager, Systems and Control

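The conflicting-sender risk described in the post above can be monitored from a capture of the lighting VLAN. The following is an added example, not part of the thread and not Zero88 or Enttec code: it parses ArtDmx packets and reports senders that are not on a per-universe allow list. The IP addresses, the allow list and the `build_artdmx` helper are constructed for illustration.

```python
import struct
from collections import defaultdict

ARTNET_ID = b"Art-Net\x00"
OP_DMX = 0x5000  # ArtDmx opcode, little-endian on the wire

def parse_artdmx(payload):
    """Return (universe, sequence, dmx_bytes) for a valid ArtDmx packet, else None."""
    if len(payload) < 18 or payload[:8] != ARTNET_ID:
        return None
    (opcode,) = struct.unpack_from("<H", payload, 8)
    if opcode != OP_DMX:
        return None
    ver, seq, _phys, sub_uni, net, length = struct.unpack_from(">HBBBBH", payload, 10)
    if ver < 14 or not 2 <= length <= 512 or len(payload) < 18 + length:
        return None
    universe = ((net & 0x7F) << 8) | sub_uni  # 15-bit port address
    return universe, seq, payload[18:18 + length]

def find_unexpected_sources(packets, allowed):
    """packets: iterable of (src_ip, udp_payload); allowed: {universe: set of IPs}.
    Returns {universe: sorted senders that are not on the allow list}."""
    seen = defaultdict(set)
    for src_ip, payload in packets:
        parsed = parse_artdmx(payload)
        if parsed is None:
            continue  # not ArtDmx (ArtPoll, malformed, other traffic)
        seen[parsed[0]].add(src_ip)
    return {u: sorted(s - allowed.get(u, set()))
            for u, s in seen.items() if s - allowed.get(u, set())}

def build_artdmx(universe, seq, levels):
    """Hypothetical helper: build a constructed ArtDmx packet for the sample below."""
    data = bytes(levels) + b"\x00" * (len(levels) % 2)  # data length must be even
    header = struct.pack(">HBBBBH", 14, seq, 0, universe & 0xFF,
                         (universe >> 8) & 0x7F, len(data))
    return ARTNET_ID + struct.pack("<H", OP_DMX) + header + data

# Constructed sample using the thread's 10.Building.VLAN.Device scheme.
ALLOWED = {0: {"10.3.20.11", "10.3.20.12"}}  # assumed console and room processor
SAMPLE = [
    ("10.3.20.11", build_artdmx(0, 1, [255, 128, 0, 0])),
    ("10.3.20.12", build_artdmx(0, 1, [0, 0, 64, 0])),
    ("10.7.20.45", build_artdmx(0, 9, [0, 0, 0, 0])),      # sender not on the list
    ("10.3.20.11", b"Art-Net\x00\x00\x20" + b"\x00" * 4),  # ArtPoll, ignored
]

if __name__ == "__main__":
    print(find_unexpected_sources(SAMPLE, ALLOWED))
```

Because a merge setup like the one in this thread has two legitimate Art-Net senders on one universe, the check is an allow list rather than a "more than one sender" rule.
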
MatthewD Posted February 6, 2019

Thank you for your response. And sorry for my delayed response.

So there's no hard fault in doing this, just a reliability and security issue.

Thanks again.

Matthew