IoT Gateway

Over the past few months, I’ve been working with Raimon and Oriol on something we’re really excited about - IoT Gateway. It’s an industrial IoT platform that completely changes how you deploy and manage edge systems. Let me walk you through what we built and why I think it’s pretty special.
The Problem We Set Out to Solve
If you’ve ever deployed IoT systems in industrial settings, you know the pain. You’re constantly juggling USB drives, manually configuring each device, and praying everything stays connected. When something breaks at 2 AM (and it always does), you’re either driving to the site or walking someone through complex troubleshooting steps over the phone.
We wanted to fix this. Our goal was simple: make deploying and managing industrial IoT systems as easy as spinning up a cloud server. No USB drives, no manual configuration, just plug it in and it works.
How We Made It Happen
The magic starts with network boot. When you power on a device, it doesn’t need any local OS or configuration. Instead, it boots directly from the network using iPXE. This might sound complex, but here’s what actually happens:
- Device powers on and asks for an IP address
- Our DHCP server responds with network boot instructions
- Device downloads a lightweight live environment
- System automatically configures itself based on your requirements
The beauty is that this works with pretty much any x86-64 hardware that supports network boot - no special equipment needed.
The Architecture That Makes It Work
Let me break down how we architected this thing. We divided everything into four main parts:
The Provisioning System handles getting new devices online. We built this on top of iPXE and Clonezilla because they’re rock-solid and work everywhere. When a device boots, it loads our custom environment that includes everything needed to configure the system.
The Control System is where the configuration magic happens. We use Ansible Forms (which dynamically generates web interfaces from Ansible playbooks) combined with Git for version control. This means you get a nice UI for configuration, but everything is still code under the hood. Every change is tracked, reversible, and reproducible.
The Application Layer runs your actual workloads. We went with Docker containers managed by Dockge because it gives you flexibility without complexity. Need to run Node-RED for automation flows? MQTT brokers for device communication? Custom applications? Just define them in a compose file and deploy.
The Monitoring Stack keeps tabs on everything. We integrated Grafana’s entire ecosystem - Alloy for collection, Mimir for metrics, Loki for logs. This gives you enterprise-grade observability without the enterprise price tag.
What Makes Our Approach Different
Instead of building yet another monolithic platform, we focused on composability. Everything is modular - you can use just the provisioning system, or add monitoring, or go all-in with the complete stack.
We also made some opinionated choices that I think pay off:
- OpenWRT as the base OS: It’s tiny (100MB!), battle-tested, and designed for embedded systems
- GitOps everywhere: Every configuration is in Git, making disaster recovery trivial
- Layer 2 VPN support: We use ZeroTier in bridge mode, which means you can extend your network to non-IP industrial devices
- Network-based recovery: If something breaks, you can restore from backup without touching the device
Real-World Implementation Details
Let me share some implementation details that make this work in practice.
For MQTT, we set up a hierarchical broker system. Each edge location runs Mosquitto locally for low-latency communication. Then we bridge selected topics to a central EMQX broker. This gives you the best of both worlds - local automation keeps working even if the internet dies, but you still get centralized visibility.
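A way to check that an edge bridge really forwards only selected topics, as an added example that is not part of the IoT Gateway code base: a small audit of the `connection` blocks in a `mosquitto.conf`. The sample configuration, host name and topic names are constructed for illustration, and expecting TLS on the bridge link itself is an assumption of this example, not something the post states.

```python
# Added example. SAMPLE_CONF is constructed; host and topic names are hypothetical.
SAMPLE_CONF = """\
connection edge-to-central
address emqx.example.internal:1883
topic # both 0
remote_username edge01

connection edge-to-central-tls
address emqx.example.internal:8883
topic site1/telemetry/# out 1
topic site1/commands/+ in 1
bridge_cafile /etc/mosquitto/ca.crt
bridge_insecure false
"""

def parse_bridges(text):
    """Collect the options of each 'connection' block in a mosquitto.conf."""
    bridges, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or comment
            continue
        key, _, value = line.partition(" ")
        if key == "connection":
            current = bridges.setdefault(value.strip(), {"topics": []})
        elif current is not None and key == "topic":
            current["topics"] += value.split()[:1]   # keep the pattern only
        elif current is not None:
            current[key] = value.strip()
    return bridges

def audit(text):
    """Return {bridge name: [findings]}; an empty list means no finding."""
    report = {}
    for name, opts in parse_bridges(text).items():
        findings = []
        if "#" in opts["topics"]:
            findings.append("topic '#' bridges everything, not a selected set")
        if not any(k in opts for k in ("bridge_cafile", "bridge_capath", "bridge_psk")):
            findings.append("no bridge_cafile/bridge_capath/bridge_psk: link is not TLS")
        if opts.get("bridge_insecure", "false").lower() == "true":
            findings.append("bridge_insecure true disables hostname verification")
        report[name] = findings
    return report

if __name__ == "__main__":
    for bridge, findings in audit(SAMPLE_CONF).items():
        print(bridge, "->", findings or "ok")
```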
The backup system was interesting to implement. We use Duplicati with a clever twist - backups are stored remotely (S3, cloud storage, wherever), but restoration happens through the same network boot system used for provisioning. Device won’t boot? No problem - it’ll automatically load the recovery environment and restore itself.
For configuration management, Ansible Forms turned out to be a game-changer. Instead of writing web interfaces, we just write Ansible playbooks. The UI generates itself based on the playbook structure. Change a variable? Add a new package? Just update the playbook and the UI adapts automatically.
Performance and Practical Considerations
Here’s what you can expect in real deployments:
- Systems boot in under 30 seconds from cold start
- The base image is around 100MB, with typical runtime memory usage around 512MB
- We’ve tested up to 10,000 MQTT messages per second on modest hardware
- Full system backups complete in under 5 minutes
These numbers matter because industrial sites often have limited bandwidth and older hardware. We optimized for these constraints from day one.
The Security Story
Security in industrial environments is tricky. You need strong protection but can’t break existing workflows. Here’s how we handle it:
Every device gets a unique ZeroTier identity and joins encrypted networks. No VPN configuration needed - it just works. The firewall runs in default-deny mode with explicit rules for allowed traffic. All management interfaces require authentication, and secrets are encrypted at rest.
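One way to verify the default-deny claim on an OpenWRT device, as an added example that is not taken from the IoT Gateway repository: parse the UCI firewall configuration and report every place where traffic is accepted by policy rather than by a scoped rule. The sample file and rule names are constructed, and reading "explicit rule" as "names a source zone and a destination port" is this example's assumption.

```python
import shlex
# Added example. SAMPLE_FW is a constructed /etc/config/firewall; rule names are hypothetical.
SAMPLE_FW = """\
config defaults
    option input 'REJECT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    option input 'REJECT'

config rule
    option name 'Allow-SSH-mgmt'
    option src 'wan'
    option dest_port '22'
    option target 'ACCEPT'

config rule
    option name 'Allow-all-wan'
    option src 'wan'
    option target 'ACCEPT'
"""

def parse_uci(text):
    """Return a list of (section_type, {option: value}) from UCI text."""
    sections = []
    for line in text.splitlines():
        words = shlex.split(line, comments=True)   # handles quotes and '#' comments
        if len(words) >= 2 and words[0] == "config":
            sections.append((words[1], {}))
        elif len(words) >= 3 and words[0] == "option" and sections:
            sections[-1][1][words[1]] = words[2]
    return sections

def audit_default_deny(text):
    """List every place where traffic is accepted without a scoped rule."""
    findings = []
    for kind, opts in parse_uci(text):
        label = opts.get("name", kind)
        if kind in ("defaults", "zone"):
            for chain in ("input", "forward"):
                # An absent option is left to the firewall's default and not judged here.
                if opts.get(chain, "").upper() == "ACCEPT":
                    findings.append(f"{label}: {chain} policy is ACCEPT")
        elif kind == "rule" and opts.get("target", "").upper() == "ACCEPT":
            if "src" not in opts or "dest_port" not in opts:
                findings.append(f"{label}: ACCEPT rule is missing src or dest_port")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_default_deny(SAMPLE_FW)) or "default-deny holds")
```

Rules for portless protocols such as ICMP have no `dest_port` and will be reported for manual review.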
For compliance, every configuration change is tracked in Git with full audit trails. Backups are AES-256 encrypted before leaving the device. System updates are atomic and can be rolled back if something goes wrong.
See It In Action
I’ve recorded a series of videos walking through each component of IoT Gateway. These demos show real deployments and actual workflows - no marketing fluff, just how things actually work.
Infrastructure & Networking
Network Architecture Overview - Here’s how we implement ZeroTier VPN with bridged networking for OT device connectivity
System Provisioning - Watch the iPXE network boot process and base image deployment in action
Configuration Management - This shows how Ansible Forms provides the UI for centralized system configuration
Operations & Recovery
Backup and Restore - Our automated backup process with network-based restoration
Live Rescue System - Remote debugging capabilities through the Clonezilla live environment
System Management Interface - Tour of OpenWRT LuCI, web terminal (ttyd), and SSH access
Application Stack
Container Orchestration - Docker stack management with GitOps and Dockge
Observability Platform - How we integrate Grafana Alloy for logs, metrics, and OpenTelemetry support
Service Monitoring - Uptime Kuma deployment with Grafana integration
Data & Integration
Backup Telemetry - Duplicati with Telegraf metrics collection to InfluxDB
MQTT Architecture - Setting up Mosquitto to EMQX bidirectional bridge configuration
Flow Automation - Node-RED with Git-based flow management
Development
Base Image Creation - The Ansible-driven OpenWRT image build process
Core Team
IoT Gateway is developed and maintained by Industry 4.0 Systems:
Raimon Figueras - System Architecture
Nestor Lopez - Platform Development
Oriol Rius - Industrial Integration
If you’re dealing with industrial IoT deployments and tired of the traditional approaches, give IoT Gateway a try. We built this because we needed it ourselves, and I think you might find it useful too.
For technical details and deployment guides, visit the GitHub repository or contact the team at [email protected].
Feel free to reach out if you have questions or want to discuss industrial IoT architectures. I’m always happy to talk shop about edge computing, automation, and making industrial systems less painful to manage.