In some deployments, it is desirable to operate a Wi-SUN network in complete isolation from the broader IP network(s) to which the border router is connected. In these scenarios, the XBee Hive for Wi-SUN acts as a strict boundary between the Wi-SUN mesh and any upstream IPv4 or IPv6 networks (such as corporate LANs, the Internet, or cloud environments). There is no direct IP connectivity or routing between the Wi-SUN network and these upstream networks; the two remain entirely separate at the network layer.

Use cases for isolated networks

  • Security-sensitive environments: In industrial, utility, or critical infrastructure settings, isolating the Wi-SUN network can help reduce the attack surface by preventing external access to field devices.

  • Lab and test deployments: For development or QA purposes, isolating the Wi-SUN network ensures that test nodes do not inadvertently interact with production systems or external services.

  • Temporary or standalone installations: In scenarios where the Wi-SUN network is deployed in a location without reliable upstream connectivity, or where the network is intended to operate autonomously (such as at a remote site or during field trials), isolation may be required.

Practical implications and caveats

When the Wi-SUN network is isolated from upstream IP networks, the following features are inaccessible:

  • Direct Internet or LAN access: Devices on the Wi-SUN network cannot communicate with external servers, cloud services, or any devices outside of the Wi-SUN network. Certain features that rely on upstream connectivity (such as over-the-air firmware updates from a remote server, or remote device management) will not function unless the XBee Hive for Wi-SUN itself provides these services locally.

  • Transparent routing or bridging: The XBee Hive for Wi-SUN does not forward packets between the Wi-SUN and upstream networks. Any integration or data exchange must be explicitly implemented at the application layer.

Any communication and data transfer between the Wi-SUN network and the outside world must be handled by applications running directly on the XBee Hive for Wi-SUN or another device. For example, the XBee Hive for Wi-SUN might run a custom application to collect data from Wi-SUN nodes and forward it to an external system via a controlled interface.

Isolating the Wi-SUN network in this way can provide strong security and operational boundaries, but it also places responsibility on the border router and its applications to mediate all necessary interactions with external systems.

Configure the XBee Hive for Wi-SUN to isolate the Wi-SUN network

By default, XBee Hive for Wi-SUN includes the following firewall rules:

  • Allow all outgoing IPv6 traffic from Wi-SUN.

  • Allow incoming IPv6 traffic to Wi-SUN from trusted networks.

To isolate the Wi-SUN network, disable both of these firewall rules.

  1. Select the device in Remote Manager and click Actions > Open Console, or log in locally as an Admin.

  2. Enter Admin CLI (type admin if prompted).

  3. Enter configuration mode:

    > config
    (config)>

  4. Determine the index numbers of the packet filtering rules you want to disable:

    (config)> show firewall filter
    0
        action accept
        dst_zone any
        enable true
        ip_version any
        label Allow all outgoing traffic
        protocol any
        src_zone internal
    1
        action accept
        dst_address6 any
        dst_zone any
        enable true
        ip_version ipv6
        label Allow all outgoing IPv6 traffic from Wi-SUN
        protocol any
        src_address6 any
        src_zone wisun
    2
        action accept
        dst_address6 any
        dst_zone wisun
        enable true
        ip_version ipv6
        label Allow incoming IPv6 traffic to Wi-SUN from trusted networks
        protocol any
        src_address6 any
        src_zone internal

  5. Disable the rules:

    (config)> firewall filter 1 enable false
    (config)> firewall filter 2 enable false

  6. Save the configuration and apply the change.

    (config)> save
    Configuration saved.
    >

  7. Type exit to exit the Admin CLI.

    Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
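
To confirm the result after saving, the show firewall filter listing can be checked for rules that still admit Wi-SUN traffic. The following is an added example, not part of the original page or Digi's software: a Python check, run on a workstation against pasted CLI output, that reports enabled accept rules naming the wisun zone. It assumes the listing format shown in step 4 and inspects only rules that name wisun explicitly; how the device evaluates rules whose zone is any is not covered here.

```python
# Added example, not Digi code. Constructed sample: rule 1 disabled, rule 2 missed.
SAMPLE = """\
(config)> show firewall filter
0
    action accept
    dst_zone any
    enable true
    src_zone internal
1
    action accept
    dst_zone any
    enable false
    label Allow all outgoing IPv6 traffic from Wi-SUN
    src_zone wisun
2
    action accept
    dst_zone wisun
    enable true
    label Allow incoming IPv6 traffic to Wi-SUN from trusted networks
    src_zone internal
"""

def parse_filter_rules(text):
    """Parse the listing into {rule_index: {setting: value}}."""
    rules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("(config)>", ">")):
            continue  # skip blank lines and CLI prompts
        if line.isdigit():  # a bare number starts a new rule
            current = rules.setdefault(int(line), {})
        elif current is not None:
            key, _, value = line.partition(" ")  # labels contain spaces
            current[key] = value.strip()
    return rules

def wisun_rules_still_open(text, zone="wisun"):
    """Indices of enabled accept rules whose src_zone or dst_zone names `zone`."""
    open_rules = []
    for idx, rule in sorted(parse_filter_rules(text).items()):
        # Assumption: a rule with no `enable` line counts as enabled.
        enabled = rule.get("enable", "true") == "true"
        names_zone = zone in (rule.get("src_zone"), rule.get("dst_zone"))
        if enabled and rule.get("action") == "accept" and names_zone:
            open_rules.append(idx)
    return open_rules

if __name__ == "__main__":
    print("Wi-SUN rules still enabled:", wisun_rules_still_open(SAMPLE))
```

An empty list means no enabled accept rule names the wisun zone as source or destination.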

  1. Log in to Digi Remote Manager or the local Web UI as a user with full Admin access rights.

  2. Access the device configuration:

    Method Steps

    Remote Manager

    1. Locate your device.

      1. From the menu, click Devices to display a list of your devices.

      2. Use the Filter bar to locate the device you want to manage. For example, to search by type of device:

        1. Click the Advanced Search button.

        2. Click in the Filter bar.

        3. Enter the type of device you’re looking for (for example, XBee Hive for Wi-SUN).

    2. Select the Device ID.

    3. Select Settings.

    4. Select to expand Config.

    Local Web UI

    1. On the menu, click System. Under Configuration, click Device Configuration.

      The Configuration window is displayed.

  3. Click Firewall, then click Packet filtering.

  4. Click Allow all outgoing IPv6 traffic from Wi-SUN to expand the rule, then click Enable to toggle the rule between enabled and disabled.

  5. Click Allow incoming IPv6 traffic to Wi-SUN from trusted networks to expand the rule, then click Enable to toggle the rule between enabled and disabled.

  6. Click Apply to save the configuration and apply the change.