Minimal MQTT ACLs for gateway bridge

h.wagner · October 21, 2022, 8:14am

Hallo,

I am trying to restrict the access of a deployed Chirpstack LoRaWAN Gateway to the MQTT backhaul as much as possible. In the past I had tried using

user gatewayuser
topic readwrite gateway/xxxxxxxxxxxxxxxx/event/#
topic readwrite gateway/xxxxxxxxxxxxxxxx/state/#
topic readwrite gateway/xxxxxxxxxxxxxxxx/command/#

in /etc/mosquitto/acl

I thought this still was a bit too broad because e.g. the gateway wouldn’t be required to read from state but only write to it etc. but already this seems to have resulted in problems especially for joining of new devices to the network. I have now relaxed it back to topic readwrite gateway/# which is of course not nice, because gateways could influence each other.

What is the minimal set of MQTT ACLs necessary for a fully operational gateway bridge?

Cheers in advance!

martin · October 21, 2022, 8:47am

Interesting, I’ve been using the defaults:

user chirpstack_gw
topic write gateway/+/event/+
topic read gateway/+/command/+

I just realized that I don’t even have state topic enabled, but I did not notice any problems with device joins…

brocaar · November 4, 2022, 4:42pm

Have you seen this guide: Mosquitto TLS configuration - ChirpStack open-source LoRaWAN® Network Server documentation?

It explains how you can configure Mosquitto to use client-certificates to isolate gateways and application integrations to their own MQTT topics