Skip to main content

Deploying the Gateway

The Breakwater Gateway combines Collector (discovery/monitoring) + Channel (secure remote access) + Coastal IDS in a single on-site appliance. It is designed for DIN-rail mounting inside control panels alongside industrial equipment.

Hardware Options

Bosch ctrlX CORE

The Breakwater Gateway runs on Bosch Rexroth ctrlX CORE — an industrial-grade, DIN-rail mountable compute platform purpose-built for OT environments. Part of the ctrlX AUTOMATION ecosystem, it provides a hardened Linux-based OS with CE, UL, and IEC 61131 certifications.

ModelForm FactorTargetCoastal IDSPrice
Gateway X3ctrlX CORE X3 CompactSmall/medium sites (up to 200 devices)Yes$1,699
Gateway X5ctrlX CORE X5 ModularLarge/enterprise sites (200+ devices)Yes$4,599

Both models include all protocol licenses (OPC UA, EtherNet/IP, EtherCAT) and the Container Engine for running Breakwater services.

FeatureGateway X3Gateway X5
PlatformctrlX CORE X3 CompactctrlX CORE X5 Modular
Form FactorDIN-rail mountDIN-rail mount (modular expansion)
OSctrlX OS (hardened Linux)ctrlX OS (hardened Linux)
ProtocolsOPC UA, EtherNet/IP, EtherCATOPC UA, EtherNet/IP, EtherCAT
Coastal IDSIncludedIncluded
Container EngineIncludedIncluded
EnvironmentIndustrial temp, vibration-resistantIndustrial temp, vibration-resistant

BYOD Requirements

Run the Gateway software on your own hardware:

  • CPU: x86_64
  • Memory: 4 GB+ RAM
  • Storage: 64 GB+
  • Network: 2+ network interfaces
  • OS: Ubuntu 22.04 / 24.04 or Debian 12 (other glibc ≥ 2.28 distros likely work — RHEL 8+, Debian 10+, Ubuntu 18.04+)
  • Outbound firewall: UDP 51820 (encrypted tunnel) + HTTPS 443. No inbound ports required.

Pair the Gateway in 3 Steps

Breakwater uses a pairing-code flow that mirrors what you'd expect from a modern device: install the agent, it shows a short code, you type that code into the portal, done. The agent generates its own WireGuard keypair locally — the private key never leaves the gateway.

Step 1: Install the agent

Gateway X3 / X5 (ctrlX CORE): Power on and connect to your network. The Breakwater app is pre-loaded; skip to Step 2.

BYOD (Linux):

curl -fsSL https://breakwater.techgonecoastal.com/downloads/install.sh | sudo bash

That's the entire install command — no flags, no copy-pasting secrets. The installer:

  • Drops the agent at /opt/breakwater-gateway
  • Creates breakwater-gateway.service (native systemd unit)
  • Brings the agent up in setup mode, which opens a small local web UI on :9080
  • Logs to journalctl -u breakwater-gateway

The agent then generates a fresh WireGuard keypair on the device, registers its public key with the cloud, and displays a 6-character pairing code formatted ABC-123.

Step 2: Find the pairing code

Open a browser on the same network as the gateway and visit:

http://<gateway-ip>:9080

The pairing code is displayed prominently. Codes expire after 15 minutes — if you wait too long, just refresh the page to generate a new one.

The agent then long-polls the cloud, waiting for the code to be claimed.

Step 3: Claim the code in the Breakwater portal

In the Breakwater portal:

  1. Channel → Gateways → Add Gateway
  2. Type the 6-character code (e.g. K7B-XQ4)
  3. Select the Site the gateway belongs to
  4. Click Pair

The cloud allocates a tunnel IP from 10.200.0.0/16, adds the gateway's public key as a WireGuard peer, and writes the gateway record. The agent's next poll (within ~2 seconds) receives the peer details, writes /etc/wireguard/wg0.conf, and brings up the tunnel.

The local :9080 UI flips to "Connected ✓" and the gateway status in the portal flips from Provisioning to Connected. The supervisor then exec's the main agent automatically.

Security notes
  • The pairing-register call is unauthenticated (the agent can't prove it's "yours" yet), but the claim call requires an authenticated admin in your org — so an attacker who happens to register a stale code can't bind it to your tenant.
  • The WireGuard private key is generated on the gateway and is never transmitted or stored centrally. Re-pairing always rotates the keypair.
  • Pairing codes use the alphabet A-Z 2-9 (32 chars, no 0/O/1/I confusables) and are formatted with a hyphen for legibility.

Step 4: Verify

# Tunnel up?
sudo wg show wg0

# Agent running?
systemctl status breakwater-gateway

# Reach the cloud?
ping -c 3 10.200.0.1

# Recent logs
journalctl -u breakwater-gateway -n 50 --no-pager

Step 5: Register Devices

Add OT devices accessible through this gateway in the Channel UI:

  • Device name and IP address
  • Allowed protocols
  • Recording policy

Re-pair / Reset

If you need to wipe enrollment and start fresh — moving the gateway to a different site, after a hardware swap, or recovering from a misconfiguration:

sudo systemctl stop breakwater-gateway
sudo rm -f /etc/breakwater/config.yaml /etc/wireguard/wg0.conf /var/lib/breakwater/wg-private.key
sudo systemctl start breakwater-gateway

The agent will generate a new keypair, register a new pairing code, and the :9080 UI will be ready for a fresh claim.

Operations

sudo systemctl status   breakwater-gateway
sudo systemctl restart breakwater-gateway
sudo systemctl stop breakwater-gateway
sudo journalctl -u breakwater-gateway -f

Network Configuration

Internet

[Firewall] ← Allow UDP 51820 + HTTPS 443 outbound only

[OT Network Switch]
├── Port 1: Gateway (management interface)
├── Port 2: Gateway (OT network interface)
├── Port SPAN: → Gateway (IDS mirror port)
├── PLC 1
├── PLC 2
├── HMI
└── ...

Firewall Rules

The gateway needs outbound only — no inbound ports:

DirectionProtocolPortDestinationPurpose
OutboundUDP51820207.246.81.247Encrypted tunnel
OutboundTCP443breakwater.techgonecoastal.comAPI + telemetry
InternalUDP161OT devicesSNMP polling

Pairing setup also needs short-term LAN access to the gateway's :9080 UI from your admin workstation — that port is local-only and not reachable from the internet.

Coastal IDS

On all Gateway models (X3 and X5), Coastal IDS monitors OT traffic passively:

Rulesets

  • ET Open — General ICS/SCADA rules (Modbus, DNP3, S7, EtherNet/IP)
  • Custom Coastal — Site-specific rules generated from your Manifest inventory
  • CISA-derived — Rules auto-generated from ICS-CERT advisories via Lookout

SPAN Port Configuration

Configure your OT switch to mirror traffic to the gateway's IDS interface:

! Cisco example
monitor session 1 source interface Gi1/0/1 - 24
monitor session 1 destination interface Gi1/0/48

IDS alerts flow into the Lookout module for correlation with CVE data and threat actor profiles.

Advanced: Legacy Enrollment (provision-then-paste)

Earlier versions of the gateway used a flag-driven enrollment where the cloud generated keys + tunnel config and the operator pasted them into the install command. This path is still supported for automation use cases (Ansible / Terraform), but the pairing-code flow above is the recommended path for interactive installs.

# Legacy: provision in portal first, copy values, then:
curl -fsSL https://breakwater.techgonecoastal.com/downloads/install.sh | sudo bash -s -- \
--gateway-id YOUR_GATEWAY_ID \
--tunnel-ip YOUR_TUNNEL_IP \
--server-pubkey YOUR_SERVER_PUBKEY \
--endpoint 207.246.81.247:51820 \
--mode gateway

The legacy path generates the WireGuard private key in the cloud (transmitted once over TLS); the pairing-code path generates it on-device. For new installs, prefer the pairing-code flow.