
Deploying the Gateway

The Breakwater Gateway combines Collector (discovery/monitoring) + Channel (secure remote access) + optional Coastal IDS in a single on-site appliance. It is designed for DIN-rail mounting inside control panels alongside industrial equipment.

Hardware Options

Bosch ctrlX CORE

The Breakwater Gateway runs on Bosch Rexroth ctrlX CORE — an industrial-grade, DIN-rail mountable compute platform purpose-built for OT environments. Part of the ctrlX AUTOMATION ecosystem, it provides a hardened Linux-based OS with CE, UL, and IEC 61131 certifications.

Model      | Form Factor            | Target                                  | Coastal IDS | Price
-----------|------------------------|-----------------------------------------|-------------|-------
Gateway X3 | ctrlX CORE X3 Compact  | Small/medium sites (up to 200 devices)  | Yes         | $1,699
Gateway X5 | ctrlX CORE X5 Modular  | Large/enterprise sites (200+ devices)   | Yes         | $4,599

Both models include all protocol licenses (OPC UA, EtherNet/IP, EtherCAT) and the Container Engine for running Breakwater services.

Feature          | Gateway X3                          | Gateway X5
-----------------|-------------------------------------|-------------------------------------
Platform         | ctrlX CORE X3 Compact               | ctrlX CORE X5 Modular
Form Factor      | DIN-rail mount                      | DIN-rail mount (modular expansion)
OS               | ctrlX OS (hardened Linux)           | ctrlX OS (hardened Linux)
Protocols        | OPC UA, EtherNet/IP, EtherCAT       | OPC UA, EtherNet/IP, EtherCAT
Coastal IDS      | Included                            | Included
Container Engine | Included                            | Included
Environment      | Industrial temp, vibration-resistant | Industrial temp, vibration-resistant

BYOD Requirements

Run the Gateway software on your own hardware:

  • x86_64 processor
  • 4GB+ RAM, 64GB+ storage
  • 2+ network interfaces
  • Ubuntu 22.04 / Debian 12 or Docker-capable Linux
  • Outbound: UDP 51820 (encrypted tunnel) + HTTPS 443

Gateway Setup

Step 1: Provision in Breakwater

  1. Open Channel from the portal
  2. Click New Gateway
  3. Enter name, select hardware model, assign to a site
  4. The wizard generates:
    • Encrypted tunnel configuration file
    • Install script
    • Gateway credentials

Step 2: Install on Hardware

Gateway X3 / X5 (ctrlX CORE): Power on and connect to your network. The Breakwater app is pre-loaded. The first-boot wizard will prompt for your gateway credentials. See ctrlX CORE Deployment for detailed instructions.

BYOD:

curl -fsSL https://breakwater.techgonecoastal.com/install.sh | sudo bash -s -- \
--gateway-id YOUR_GATEWAY_ID \
--tunnel-ip YOUR_TUNNEL_IP \
--server-pubkey YOUR_SERVER_PUBKEY \
--endpoint 207.246.81.247:51820 \
--mode gateway

Manual tunnel setup:

/etc/wireguard/wg0.conf:

[Interface]
PrivateKey = your-gateway-private-key
Address = your-tunnel-ip/32
DNS = 1.1.1.1

[Peer]
PublicKey = server-public-key
Endpoint = 207.246.81.247:51820
AllowedIPs = 10.200.0.0/16
PersistentKeepalive = 25

# Start tunnel
sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

# Verify connection
sudo wg show wg0

Step 3: Verify Connection

The gateway status in Channel should change from Provisioning to Connected within 30 seconds.

# Check encrypted tunnel status
sudo wg show wg0

# Test connectivity to Breakwater
ping -c 3 10.200.0.1
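As an added check that is not part of this guide or the Breakwater install script, the following Python script validates the tunnel from the output of sudo wg show wg0 dump against the values above: exactly one peer, whose endpoint, AllowedIPs and PersistentKeepalive match the guide, whose public key is the server key from the wizard (a placeholder here), and whose last handshake is recent. The 180-second handshake limit is an assumption based on WireGuard's roughly two-minute rekey interval.

```python
import subprocess
import time

# Values taken from the deployment guide above.
EXPECTED_ENDPOINT = "207.246.81.247:51820"
EXPECTED_ALLOWED_IPS = "10.200.0.0/16"
EXPECTED_KEEPALIVE = "25"
# Placeholder: replace with the --server-pubkey value from the provisioning wizard.
EXPECTED_SERVER_PUBKEY = "REPLACE_WITH_SERVER_PUBKEY"
# Assumption: WireGuard rekeys about every 2 minutes, so a handshake older than
# 3 minutes means no traffic is crossing the tunnel.
MAX_HANDSHAKE_AGE = 180


def check_tunnel(dump: str, server_pubkey: str, now: int) -> list:
    """Return problems found in `wg show <iface> dump` output (empty list = healthy).
    Line 1 of the dump is the interface; each later line is a peer with 8 tab-separated
    fields: pubkey, psk, endpoint, allowed-ips, latest-handshake (0 = never), rx, tx, keepalive."""
    lines = [ln for ln in dump.splitlines() if ln.strip()]
    if not lines:
        return ["wg0 is not up: no dump output"]
    peers = [ln.split("\t") for ln in lines[1:]]
    problems = [] if len(peers) == 1 else ["expected exactly 1 peer, found %d" % len(peers)]
    for fields in peers:
        if len(fields) != 8:
            problems.append("malformed peer line: %r" % fields)
            continue
        pubkey, _psk, endpoint, allowed, handshake, _rx, _tx, keepalive = fields
        if pubkey != server_pubkey:
            problems.append("peer %s is not the Breakwater server key" % pubkey)
        if endpoint != EXPECTED_ENDPOINT:
            problems.append("endpoint %s, expected %s" % (endpoint, EXPECTED_ENDPOINT))
        if allowed != EXPECTED_ALLOWED_IPS:
            problems.append("AllowedIPs %s, expected %s" % (allowed, EXPECTED_ALLOWED_IPS))
        if keepalive != EXPECTED_KEEPALIVE:
            problems.append("PersistentKeepalive %s, expected %s" % (keepalive, EXPECTED_KEEPALIVE))
        age = now - int(handshake)
        if int(handshake) == 0 or age > MAX_HANDSHAKE_AGE:
            problems.append("last handshake %ds ago (limit %ds)" % (age, MAX_HANDSHAKE_AGE))
    return problems


def check_live(iface: str = "wg0") -> list:
    """Run the check on the real interface (needs root for wg show)."""
    out = subprocess.run(["wg", "show", iface, "dump"], capture_output=True, text=True, check=True)
    return check_tunnel(out.stdout, EXPECTED_SERVER_PUBKEY, int(time.time()))


# Constructed sample of a healthy dump (fake keys) for a self-test; a real run uses check_live().
SAMPLE_DUMP = ("GW_PRIVATE\tGW_PUBLIC\t51820\toff\n"
               "SRV_PUBLIC\t(none)\t207.246.81.247:51820\t10.200.0.0/16\t1700000000\t1024\t2048\t25\n")
```

On the gateway, call check_live() as root and treat any returned entry as a reason the status in Channel may stay at Provisioning.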

Step 4: Register Devices

Add OT devices accessible through this gateway in the Channel UI:

  • Device name and IP address
  • Allowed protocols
  • Recording policy

Network Configuration

Internet

[Firewall] ← Allow UDP 51820 + HTTPS 443 outbound

[OT Network Switch]
├── Port 1: Gateway (management interface)
├── Port 2: Gateway (OT network interface)
├── Port SPAN: → Gateway (IDS mirror port)
├── PLC 1
├── PLC 2
├── HMI
└── ...

Firewall Rules

The gateway needs outbound only — no inbound ports:

Direction | Protocol | Port  | Destination                     | Purpose
----------|----------|-------|---------------------------------|------------------
Outbound  | UDP      | 51820 | 207.246.81.247                  | Encrypted tunnel
Outbound  | TCP      | 443   | breakwater.techgonecoastal.com  | API + telemetry
Internal  | UDP      | 161   | OT devices                      | SNMP polling

Coastal IDS

On all Gateway models (X3 and X5), Coastal IDS monitors OT traffic passively:

Rulesets

  • ET Open — General ICS/SCADA rules (Modbus, DNP3, S7, EtherNet/IP)
  • Custom Coastal — Site-specific rules generated from your Manifest inventory
  • CISA-derived — Rules auto-generated from ICS-CERT advisories via Lookout

SPAN Port Configuration

Configure your OT switch to mirror traffic to the gateway's IDS interface:

! Cisco example
monitor session 1 source interface Gi1/0/1 - 24
monitor session 1 destination interface Gi1/0/48

IDS alerts flow into the Lookout module for correlation with CVE data and threat actor profiles.