BACnet/IP uses UDP port 47808 (0xBAC0) for all device communication, including broadcast discovery, unicast data exchange, and BBMD forwarding. After network segmentation, open UDP 47808 between BACnet subnets for BBMD traffic, allow local subnet broadcasts on that port, and—if using BACnet Secure Connect (BACnet/SC)—open TCP port 443 for TLS-secured WebSocket connections.
BACnet Protocol Ports Reference
The following table lists every port and protocol combination used by BACnet communications. Keep this as your reference when building firewall rules or ACLs.
| Service | Protocol | Port | Direction | Notes |
|---|---|---|---|---|
| BACnet/IP (all traffic) | UDP | 47808 (0xBAC0) | Bidirectional | IANA-registered default. Source and destination port are both 47808. |
| BACnet/IP (alternate ports) | UDP | 47809–47823 | Bidirectional | Alternate ports for multiple BACnet networks on same host. Rare in production. |
| BBMD unicast forwarding | UDP | 47808 | BBMD ↔ BBMD | Forwarded-NPDU and Original-Broadcast-NPDU between BBMDs. |
| Foreign Device Registration | UDP | 47808 | FD → BBMD | Register-Foreign-Device request from field tool to BBMD. |
| BACnet/SC (Secure Connect) | TCP (TLS/WSS) | 443 (default) | Node → Hub | WebSocket over TLS. Port configurable but 443 is the standard default. |
| BACnet/SC (alternate) | TCP (TLS/WSS) | Vendor-specific | Node → Hub | Some implementations use custom ports (e.g., 8443, 12345). Check vendor docs. |
Key detail: BACnet/IP uses the same port (47808) for both source and destination. This matters for stateful firewalls—you cannot restrict by source port alone because both ends use 47808.
BACnet/IP Firewall Rules
BACnet/IP traffic falls into three categories, each requiring its own firewall treatment: local subnet broadcasts, unicast communication, and cross-subnet BBMD forwarding.
Local Subnet Broadcast (WHO-IS / I-AM)
Device discovery relies on UDP broadcast to the subnet's broadcast address on port 47808. On the local BACnet VLAN, you must allow:
- UDP destination port 47808 to the subnet broadcast address (e.g., 10.1.10.255 for a /24)
- UDP source port 47808 from any host on the BACnet subnet
If your firewall sits between the BACnet VLAN and the rest of the network, you typically block BACnet broadcasts from leaving the VLAN. Broadcast containment is the whole point of segmentation—BBMDs handle cross-subnet discovery via unicast.
Unicast Communication (ReadProperty, WriteProperty, COV)
Once devices discover each other, all ongoing communication (point reads, writes, COV subscriptions, alarm notifications) uses unicast UDP on port 47808. For devices within the same VLAN, this traffic flows freely. For devices on different subnets communicating through a BAS head-end or gateway, you need firewall rules that permit UDP 47808 between the specific IP addresses involved.
Rules to Block
Equally important is what to block. BACnet has no built-in authentication in its IP transport (that's what BACnet/SC addresses), so limiting access by IP address is your primary defense:
- Block UDP 47808 from untrusted networks (guest Wi-Fi, public internet, general office VLANs)
- Block BACnet broadcasts at VLAN boundaries—let BBMDs handle cross-subnet discovery
- Block all BACnet traffic to/from the internet—there is no legitimate reason for BACnet/IP to traverse a WAN link without a VPN
BACnet/SC Firewall Rules
BACnet Secure Connect (BACnet/SC), defined in Addendum BJ to ASHRAE 135-2020, replaces the unencrypted UDP transport with TLS-secured WebSocket connections. This fundamentally changes firewall requirements.
BACnet/SC uses a hub-and-spoke topology. Each BACnet/SC node opens an outbound TLS WebSocket connection to a primary hub (and optionally a failover hub). The hub relays traffic between nodes. Because connections are outbound from the node, firewall rules are simpler than BACnet/IP:
- Allow TCP 443 outbound from BACnet/SC nodes to the hub's IP address
- Allow TCP 443 inbound to the hub from authorized BACnet/SC node addresses
- No UDP 47808 required—BACnet/SC does not use BACnet/IP's UDP transport at all
- No BBMD required—the hub provides broadcast message distribution natively over TLS
If your facility runs BACnet/SC alongside legacy BACnet/IP devices (the most common transitional scenario), you need firewall rules for both protocols. The BACnet/SC hub device often also acts as a BACnet/IP-to-SC router, so it needs access to UDP 47808 on the BACnet/IP side and TCP 443 on the SC side.
BACnet/SC requires X.509 certificates for mutual TLS authentication. The firewall does not need to inspect certificate content—TLS negotiation handles authentication—but you may need to allow outbound HTTPS (TCP 443) or OCSP/CRL traffic if your certificate infrastructure uses online revocation checking.
BBMD and Foreign Device Firewall Rules
When BACnet/IP spans multiple subnets, BBMDs relay broadcast messages as unicast UDP between each other. This is the traffic most commonly blocked after a network segmentation project.
BBMD-to-BBMD Rules
Each BBMD must reach every other BBMD via UDP 47808. The minimal rule set for a three-subnet deployment:
```
# BBMD addresses:
# Subnet A: 10.1.10.5
# Subnet B: 10.1.20.5
# Subnet C: 10.1.30.5
# Allow BBMD-to-BBMD traffic (UDP 47808, both directions)
PERMIT UDP src 10.1.10.5/32 dst 10.1.20.5/32 port 47808
PERMIT UDP src 10.1.10.5/32 dst 10.1.30.5/32 port 47808
PERMIT UDP src 10.1.20.5/32 dst 10.1.10.5/32 port 47808
PERMIT UDP src 10.1.20.5/32 dst 10.1.30.5/32 port 47808
PERMIT UDP src 10.1.30.5/32 dst 10.1.10.5/32 port 47808
PERMIT UDP src 10.1.30.5/32 dst 10.1.20.5/32 port 47808
```
These rules use /32 (host-only) source and destination addresses. This is intentional: only the BBMD devices need cross-subnet access on port 47808. Avoid blanket rules like "permit UDP 47808 from any to any," which defeat the purpose of segmentation.
Foreign Device Rules
If technicians use laptops with BACnet tools (such as YABE or BACnet Explorer) and register as foreign devices, you need rules allowing their IP addresses to reach the target BBMD on UDP 47808. Options:
- Static rule: If the technician VLAN uses a known subnet (e.g., 10.1.99.0/24), permit UDP 47808 from that subnet to the BBMD address only.
- Per-session rule: For tighter control, add a temporary rule for the technician's specific IP address and remove it after the service call.
```
# Allow foreign device registration from technician VLAN to BBMD on Subnet A
PERMIT UDP src 10.1.99.0/24 dst 10.1.10.5/32 port 47808
```
Sample Firewall Rule Sets
Linux iptables
For a Linux host acting as a firewall between BACnet VLANs, or a Linux-based BAS server that needs to send and receive BACnet traffic:
```bash
# --- BACnet/IP: Allow local subnet BACnet traffic (the host's own INPUT/OUTPUT chains) ---
iptables -A INPUT  -p udp --dport 47808 -s 10.1.10.0/24 -j ACCEPT
iptables -A OUTPUT -p udp --dport 47808 -d 10.1.10.0/24 -j ACCEPT
# --- Replies to flows already permitted (needed for BACnet/SC TCP return traffic) ---
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# --- BACnet/IP: Allow BBMD-to-BBMD cross-subnet (host-only /32 pairs, both directions) ---
iptables -A FORWARD -p udp --dport 47808 -s 10.1.10.5/32 -d 10.1.20.5/32 -j ACCEPT
iptables -A FORWARD -p udp --dport 47808 -s 10.1.20.5/32 -d 10.1.10.5/32 -j ACCEPT
iptables -A FORWARD -p udp --dport 47808 -s 10.1.10.5/32 -d 10.1.30.5/32 -j ACCEPT
iptables -A FORWARD -p udp --dport 47808 -s 10.1.30.5/32 -d 10.1.10.5/32 -j ACCEPT
iptables -A FORWARD -p udp --dport 47808 -s 10.1.20.5/32 -d 10.1.30.5/32 -j ACCEPT
iptables -A FORWARD -p udp --dport 47808 -s 10.1.30.5/32 -d 10.1.20.5/32 -j ACCEPT
# --- Foreign Device: Allow technician VLAN to reach the Subnet A BBMD ---
# This must come BEFORE the DROP below: iptables evaluates rules in order, first match wins.
iptables -A FORWARD -p udp --dport 47808 -s 10.1.99.0/24 -d 10.1.10.5/32 -j ACCEPT
# --- BACnet/IP: Block all other BACnet traffic between VLANs ---
iptables -A FORWARD -p udp --dport 47808 -j DROP
# --- BACnet/SC: Allow outbound TLS to SC hub (TCP 443, unaffected by the UDP drop) ---
iptables -A FORWARD -p tcp --dport 443 -s 10.1.10.0/24 -d 10.1.10.100/32 -j ACCEPT
iptables -A FORWARD -p tcp --dport 443 -s 10.1.20.0/24 -d 10.1.10.100/32 -j ACCEPT
```
Linux nftables
The nftables equivalent using a dedicated BACnet chain:
```
table inet filter {
    chain bacnet_forward {
        # BBMD-to-BBMD cross-subnet forwarding (host-only addresses)
        ip saddr 10.1.10.5 ip daddr 10.1.20.5 udp dport 47808 accept
        ip saddr 10.1.20.5 ip daddr 10.1.10.5 udp dport 47808 accept
        ip saddr 10.1.10.5 ip daddr 10.1.30.5 udp dport 47808 accept
        ip saddr 10.1.30.5 ip daddr 10.1.10.5 udp dport 47808 accept
        ip saddr 10.1.20.5 ip daddr 10.1.30.5 udp dport 47808 accept
        ip saddr 10.1.30.5 ip daddr 10.1.20.5 udp dport 47808 accept
        # Foreign device access from technician VLAN to the Subnet A BBMD
        ip saddr 10.1.99.0/24 ip daddr 10.1.10.5 udp dport 47808 accept
        # BACnet/SC hub access (TCP 443)
        ip daddr 10.1.10.100 tcp dport 443 accept
        # Drop all other BACnet cross-VLAN traffic (evaluated after the permits above)
        udp dport 47808 drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to permitted flows; without this the TCP handshake back from the SC hub is dropped
        ct state established,related accept
        jump bacnet_forward
        # ... other forwarding rules ...
    }
}
```
Cisco IOS Access Control List (ACL)
For managed switches or routers between BACnet VLANs:
```
ip access-list extended BACNET-INTER-VLAN
 ! --- BBMD-to-BBMD traffic ---
 permit udp host 10.1.10.5 host 10.1.20.5 eq 47808
 permit udp host 10.1.20.5 host 10.1.10.5 eq 47808
 permit udp host 10.1.10.5 host 10.1.30.5 eq 47808
 permit udp host 10.1.30.5 host 10.1.10.5 eq 47808
 permit udp host 10.1.20.5 host 10.1.30.5 eq 47808
 permit udp host 10.1.30.5 host 10.1.20.5 eq 47808
 ! --- Foreign device registration from tech VLAN ---
 permit udp 10.1.99.0 0.0.0.255 host 10.1.10.5 eq 47808
 ! --- BACnet/SC to hub ---
 permit tcp any host 10.1.10.100 eq 443
 ! --- Block remaining BACnet between VLANs ---
 deny udp any any eq 47808
 ! --- Allow other traffic per site policy ---
 permit ip any any
! Apply to inter-VLAN routing interfaces
interface Vlan10
 ip access-group BACNET-INTER-VLAN in
interface Vlan20
 ip access-group BACNET-INTER-VLAN in
interface Vlan30
 ip access-group BACNET-INTER-VLAN in
```
Common BACnet Firewall Mistakes
- Blocking UDP 47808 entirely after segmentation. This is the most frequent cause of "BACnet stopped working after the network upgrade." When IT segments the OT network into VLANs, default deny policies block all inter-VLAN traffic—including BBMD forwarding. The fix is explicit permit rules for UDP 47808 between BBMD addresses, not a blanket allow-all that undoes segmentation.
- Opening UDP 47808 from any to any. The opposite extreme. Allowing unrestricted BACnet traffic between all VLANs means any compromised device on any VLAN can discover and write to every BACnet controller in the building. Restrict rules to specific BBMD-to-BBMD host pairs and known BAS workstation addresses.
- Forgetting the source port. BACnet/IP uses port 47808 as both source and destination port. Some firewalls or ACLs configured with only `dst-port 47808` may still work because stateful inspection handles the return traffic. But stateless ACLs (common on switch interfaces) need rules covering both directions, or you must match on destination port in both the inbound and outbound direction.
- Not accounting for BACnet/SC when upgrading. Facilities adding BACnet/SC devices to an existing BACnet/IP network often forget that BACnet/SC uses TCP 443 instead of UDP 47808. If the firewall only has UDP 47808 rules, the new SC nodes cannot reach their hub. Add TCP 443 rules for SC hub addresses during the migration.
- Blocking ICMP between BACnet subnets. While not a BACnet protocol requirement, ICMP (ping) is essential for troubleshooting connectivity between BBMDs and controllers. Many technicians diagnose firewall issues by pinging the remote BBMD first. Overly aggressive firewall policies that block ICMP make troubleshooting significantly harder without meaningfully improving security.
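The first three mistakes above (blanket blocks, blanket permits, and rule ordering) are easy to catch before deployment by replaying the intended flows against the rule set. The following first-match simulator is an added illustration written for this article, not code from the original or from any firewall vendor; it models the page's inter-VLAN policy with the article's constructed addresses (BBMDs 10.1.10.5, 10.1.20.5, 10.1.30.5; technician VLAN 10.1.99.0/24; SC hub 10.1.10.100) and shows that a foreign-device permit appended after the catch-all drop is never reached.

```python
from ipaddress import ip_address, ip_network

BACNET_IP = 47808  # 0xBAC0; BACnet/IP uses it as both source and destination port

def rule(action, proto, src, dst, dport=None):
    """One firewall rule: (action, protocol, source CIDR, destination CIDR, dst port or any)."""
    return (action, proto, ip_network(src), ip_network(dst), dport)

def first_match(rules, proto, src, dst, dport, default="drop"):
    """Evaluate a flow the way iptables and IOS ACLs do: the first matching rule wins."""
    s, d = ip_address(src), ip_address(dst)
    for action, p, sn, dn, port in rules:
        if p == proto and s in sn and d in dn and port in (None, dport):
            return action
    return default

def dead_rules(rules):
    """Indices of rules that can never match because an earlier rule already covers their flows."""
    dead = []
    for i, (_, p, sn, dn, port) in enumerate(rules):
        if any(p == q and sn.subnet_of(sm) and dn.subnet_of(dm) and qport in (None, port)
               for _, q, sm, dm, qport in rules[:i]):
            dead.append(i)
    return dead

# Constructed addresses taken from the article's examples (not a real site).
BBMDS = ["10.1.10.5", "10.1.20.5", "10.1.30.5"]

def bbmd_mesh():
    """Host-only (/32) permits for every ordered BBMD pair, never 'any to any'."""
    return [rule("accept", "udp", a + "/32", b + "/32", BACNET_IP)
            for a in BBMDS for b in BBMDS if a != b]

# Correct ordering: every explicit permit precedes the catch-all BACnet/IP drop.
GOOD_POLICY = bbmd_mesh() + [
    rule("accept", "udp", "10.1.99.0/24", "10.1.10.5/32", BACNET_IP),   # foreign devices
    rule("accept", "tcp", "10.1.10.0/24", "10.1.10.100/32", 443),       # BACnet/SC nodes to hub
    rule("accept", "tcp", "10.1.20.0/24", "10.1.10.100/32", 443),
    rule("drop", "udp", "0.0.0.0/0", "0.0.0.0/0", BACNET_IP),           # all other BACnet/IP
]

# The common mistake: the foreign-device permit appended after the drop is dead code.
BAD_POLICY = bbmd_mesh() + [
    rule("drop", "udp", "0.0.0.0/0", "0.0.0.0/0", BACNET_IP),
    rule("accept", "udp", "10.1.99.0/24", "10.1.10.5/32", BACNET_IP),
]
```

Run `dead_rules` on a candidate policy before pushing it: a non-empty result means a rule is shadowed, which is exactly how the "BACnet stopped working" and "nothing is blocked" cases slip through.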
Platform and Version Compatibility
These firewall rules apply to any device or platform that implements BACnet/IP per ASHRAE 135 Annex J. The port numbers are defined in the standard and are consistent across vendors. BACnet/SC port requirements follow Addendum BJ to ASHRAE 135-2020.
| Protocol | Standard | Port(s) | Compatibility Notes |
|---|---|---|---|
| BACnet/IP | ASHRAE 135, Annex J | UDP 47808 | All BACnet/IP devices since the 1999 standard revision. Universal across vendors. |
| BACnet/SC | ASHRAE 135-2020, Addendum BJ | TCP 443 (default) | Requires devices with SC support. Available on newer controllers from Johnson Controls, Siemens, and others as of 2023+. |
| BACnet/IP (alternate) | ASHRAE 135, Annex J | UDP 47809–47823 | Used when multiple BACnet networks share a host. Uncommon. Check device configuration if using non-default ports. |
NAT considerations: BACnet/IP embeds the device's IP address inside the application layer payload (the B/IP header). NAT devices that only rewrite Layer 3/4 headers will break BACnet communication because the embedded address no longer matches the translated address. If you must NAT BACnet/IP traffic, use a BACnet-aware NAT proxy or consider migrating those segments to BACnet/SC, which does not embed IP addresses in the payload.
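The embedded address the NAT note refers to lives in the BVLC (BACnet Virtual Link Control) header of each Annex J datagram. As an added illustration written for this article (not code from the standard, a vendor, or the original page), the parser below decodes that header, pulls the originator's B/IP address out of a Forwarded-NPDU and the TTL out of a Register-Foreign-Device (the natural lifetime for the per-session technician rule in the Foreign Device section), and checks whether a reply to the embedded address could actually be delivered; the datagrams, site subnets and the reachability check are constructed assumptions, not captures from a real building.

```python
import struct
from ipaddress import IPv4Address, ip_network

BVLC_TYPE_BACNET_IP = 0x81  # every Annex J datagram starts with this byte
BVLC_FUNCTIONS = {
    0x04: "Forwarded-NPDU",
    0x05: "Register-Foreign-Device",
    0x0A: "Original-Unicast-NPDU",
    0x0B: "Original-Broadcast-NPDU",
}

def parse_bvlc(datagram):
    """Decode the 4-byte BVLC header plus the fields this guide's rules depend on."""
    if len(datagram) < 4 or datagram[0] != BVLC_TYPE_BACNET_IP:
        raise ValueError("not a BACnet/IP (Annex J) datagram")
    function, length = datagram[1], struct.unpack("!H", datagram[2:4])[0]
    if length != len(datagram):
        raise ValueError("BVLC length %d does not match datagram size %d" % (length, len(datagram)))
    info = {"function": BVLC_FUNCTIONS.get(function, "0x%02X" % function)}
    if function == 0x04:  # Forwarded-NPDU: originator's B/IP address = 4-byte IP + 2-byte port
        info["origin"] = (str(IPv4Address(datagram[4:8])), struct.unpack("!H", datagram[8:10])[0])
        info["npdu"] = datagram[10:]
    elif function == 0x05:  # Register-Foreign-Device: 2-byte time-to-live in seconds
        info["ttl"] = struct.unpack("!H", datagram[4:6])[0]
    else:
        info["npdu"] = datagram[4:]
    return info

def reply_reachable(info, reachable_nets):
    """For a Forwarded-NPDU, can the receiver answer the embedded originator directly?
    False is the NAT symptom from the text: the address inside the payload was never
    translated, so replies go to an address the receiver cannot reach."""
    origin = info.get("origin")
    if origin is None:
        return True
    ip, port = origin
    in_site = any(IPv4Address(ip) in net for net in reachable_nets)
    return in_site and 47808 <= port <= 47823  # standard or alternate BACnet/IP port

# Constructed samples, not captures: a Forwarded-NPDU relayed on behalf of controller
# 10.1.10.5:47808, the same datagram from a NATed 192.168.1.50, and a
# Register-Foreign-Device with a 60-second TTL.
FORWARDED_OK = bytes.fromhex("81 04 00 0c 0a 01 0a 05 ba c0 01 20")
FORWARDED_NAT = bytes.fromhex("81 04 00 0c c0 a8 01 32 ba c0 01 20")
REGISTER_FD = bytes.fromhex("81 05 00 06 00 3c")
SITE_NETS = [ip_network(n) for n in ("10.1.10.0/24", "10.1.20.0/24", "10.1.30.0/24", "10.1.99.0/24")]
```

Feeding a capture from the far side of a NAT device through `reply_reachable` shows why the Layer 3/4 rewrite is not enough: the outer IP header is translated, the B/IP address inside the payload is not.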
Source Attribution
This guide draws on technical documentation from the following sources:
- Johnson Controls — BACnet/SC Firewall and Network Configuration (Metasys Technical Bulletin)
- Events2HVAC — BACnet/IP Protocol Overview and Port Reference
- Contemporary Controls — BACnet Networking Technical Notes (BBMD, Firewalls, and Network Design)
- Contemporary Controls — BBMD Configuration and Firewall Requirements
- ASHRAE Standard 135-2020 — BACnet, Annex J (BACnet/IP) and Addendum BJ (BACnet/SC)
- IANA Service Name and Transport Protocol Port Number Registry — Port 47808 (bacnet)
SiteConduit Technical Team
Idea Networks Inc.
SiteConduit builds managed remote access for building automation. Our knowledge base is maintained by BAS professionals with hands-on experience deploying and troubleshooting BACnet, Niagara, Modbus, and Facility Explorer systems.