
Why Your BMS Is Burning Through 4G/5G Data — and How to Stop It (Teltonika RUTX50 Guide)

TL;DR: Public IP SIM + chatty BMS polls = 10–20 GB/day. Enable all RUTX50 Attack Prevention, raise polls to 60–300 s, use COV with deadbands and batch telemetry. Target: 200–400 MB/day on typical sites.


Why usage explodes on cellular

Most BMS/SCADA stacks ship with aggressive commissioning defaults. If nobody dials them back you get constant polling, verbose payloads, busy discovery and heavyweight cloud sync. On Ethernet it’s invisible; on 4G/5G you pay for every byte.

Aggressive polling

Commissioning leaves 1–10 s polls in place. Use 60–300 s for slow points (temperature, energy) and prefer Change-of-Value with sensible deadbands so only meaningful change transmits.

Verbose payloads

Uncompressed JSON with long keys, frequent TLS handshakes and one-point messages. Batch points, compress if supported, and keep TLS sessions alive.

Cloud sync

Full historian uploads instead of deltas. Schedule overnight or over a non-cellular backhaul. Push aggregates rather than raw streams.

Remote desktop

RDP/VNC idles at 50–150 kbps. Always use VPN, set timeouts, and avoid leaving sessions connected all day.

The maths: 1 MB every 5 s ⇒ 12/min ⇒ 720/hour ⇒ ~17.28 GB/day (decimal). That’s from a single chatty job.
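The sketch below is an added example, not part of the original article. It reproduces the 17.28 GB/day figure and then compares fixed polling against Change-of-Value with a 0.3 °C deadband and 300 s batching for a single temperature point. The per-message overhead, per-point size and temperature trace are constructed assumptions, so read the ratios rather than the absolute numbers.

```python
import math

DAY_S = 86_400
MSG_OVERHEAD = 300   # assumed bytes of framing/headers per message (illustrative)
POINT_BYTES = 40     # assumed bytes per encoded point (illustrative)

def fixed_poll_bytes(payload_bytes, interval_s, period_s=DAY_S):
    """Bytes sent when a job transmits payload_bytes every interval_s."""
    return payload_bytes * (period_s // interval_s)

def cov_events(samples, deadband):
    """Change-of-Value: report a sample only when it differs from the last
    *reported* value by at least the deadband."""
    reported = [samples[0]]
    for t, value in samples[1:]:
        if abs(value - reported[-1][1]) >= deadband:
            reported.append((t, value))
    return reported

def batched_bytes(events, window_s):
    """One message per non-empty window, carrying every event in that window."""
    per_window = {}
    for t, _ in events:
        per_window[t // window_s] = per_window.get(t // window_s, 0) + 1
    return sum(MSG_OVERHEAD + n * POINT_BYTES for n in per_window.values())

def constructed_trace(step_s=5):
    """Constructed input: 21 °C room, 2 °C daily swing, 0.05 °C sensor ripple."""
    return [(t, 21 + 2 * math.sin(2 * math.pi * t / DAY_S)
                + 0.05 * math.sin(2 * math.pi * t / 60))
            for t in range(0, DAY_S, step_s)]

def compare():
    """Daily bytes for one point under each reporting strategy."""
    trace = constructed_trace()
    events = cov_events(trace, deadband=0.3)
    return {
        "poll_5s": fixed_poll_bytes(MSG_OVERHEAD + POINT_BYTES, 5),
        "poll_60s": fixed_poll_bytes(MSG_OVERHEAD + POINT_BYTES, 60),
        "cov_batched_300s": batched_bytes(events, 300),
        "cov_event_count": len(events),
    }

if __name__ == "__main__":
    print("1 MB every 5 s:", fixed_poll_bytes(1_000_000, 5) / 1e9, "GB/day")
    for name, value in compare().items():
        print(f"{name:>18}: {value}")
```

The sensor ripple in the trace is smaller than the deadband, so it never triggers a report on its own; only the slow daily swing does.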

Public IP SIMs: why idle still costs money

A fixed public IP with port forwarding is convenient and noisy. Global scanners probe every reachable IP all day. Even if the firewall drops them, inbound packets still traverse your data plan: SSH brute force, HTTP(S) floods, ICMP sweeps, port scans and SYN floods.

RUTX50 Attack Prevention (what each filter does)

Open Firewall → Security → Attack Prevention. These kernel-level filters block abuse before it hits services or logs. For public IP SIMs, enable them all.

RUTX50 Attack Prevention: enable SYN Flood, Port Scan and Ping Flood at minimum; ideally enable all six for public exposure.
| Attack type | What it blocks | Why it matters on public IP | Default advice |
|---|---|---|---|
| SYN Flood | Limits half-open TCP sessions | Common flood; fills connection tables and wastes inbound data | Leave ON always (all zones) |
| Port Scan | Sequential rapid connection attempts | Culls internet scanners quickly | ON for public IP |
| Ping Flood | Excess ICMP echo requests | Drops ping storms at the edge | ON for public IP |
| HTTP/HTTPS Flood | Request bursts to web UI | TLS floods are expensive; blocks early | ON (or disable WAN UI entirely) |
| SSH Flood | Rapid SSH attempts | Stops brute-force noise | ON if SSH on WAN (better: disable) |

Expected savings: Unprotected public IP routers often idle at 500–1000 MB/day of junk. With Attack Prevention enabled, idle inbound typically drops to 20–80 MB/day; behind private APN/VPN it’s usually <10 MB/day.

What to check in router logs and counters

Status → Data usage

Daily totals per interface. Watch for high inbound when the BMS is quiet. Configure caps with 50% and 80% alerts.

Status → Realtime traffic

Live throughput. If LAN is idle but WAN inbound ticks rhythmically, you’re seeing scans/floods.

System/KERNEL logs

Look for “flood”, “scan”, “drop”, “invalid”. A steady pattern post-enable is normal and desirable.

Firewall & Port Forwards

Audit forwards; remove anything unused. Change management/UI ports; restrict by source IP where possible.

Best practice (public IP with port forwarding)

  1. Enable all Attack Prevention filters. Keep SYN Flood on at all times.
  2. Default-deny inbound. Disable WAN UI/SSH. If unavoidable, move to high ports and restrict by source IP.
  3. Port-forward only what you must. Avoid 22/80. Prefer VPN; if not, use hardened 443 or a jump host.
  4. BMS hygiene. COV with deadbands (≈0.3 °C / 2% RH). Polling 60–300 s where required. Batch telemetry; keep TLS alive.
  5. Keepalives. 60–120 s. Do not stack multiple watchdogs.
  6. Kill background chat. Disable speed tests, TR-069 diagnostics and OS updates over the SIM.
  7. Segment LAN. Keep CCTV/staff devices off the BMS VLAN.
  8. RF quality. Use all 4 antennas (4×4 MIMO), short low-loss coax, good placement (aim RSRP > −90 dBm, SINR > 10 dB).

Frequently asked questions

Why is my BMS using so much mobile data?

Polls too fast, logs too detailed, cloud sync too frequent. One mis-set job can consume 17 GB/day. Fix intervals, enable COV, batch messages.

How much is “normal” per site?

Most tuned sites: 200–400 MB/day. If you’re far above that, it’s configuration or public exposure noise.

What should I enable on the RUTX50?

All Attack Prevention filters. Also default-deny firewall, remove unnecessary forwards, and prefer VPN/private APN.

Public IP vs Private APN?

Public IP is workable but noisy and higher-risk. Private IP/CGNAT with VPN is cleaner, cheaper in data, and easier to secure.

Do the boring basics well and your SIM stops bleeding. The router stays quiet. Alarms stand out. Finance stops panicking.
