Tutorial: Access to individual services behind the firewall
Related Documents:
- User Manual mbNETFIX: https://downloadportal.mbconnectline.com/en/mbnetfix.html
Example:
SPS1 (Programmer port 102) and HMI1 (Webserver port 443) should be accessible via PC2.
1. Settings of the devices
- SPS1: IP: 192.168.0.112/24, Gateway: -----
- HMI1: IP: 192.168.0.114/24, Gateway: -----
- PC2: IP: 172.25.15.74/16, Gateway: -----
2. Settings of mbNETFIX NF1
- Set it to Gateway Mode.
- Set IP-Addresses LAN and WAN.
- Activate the WAN to LAN function at SNAT. This replaces the sender address of each IP packet that goes from WAN to LAN with the LAN IP address.
- Enter port forwarding assignments. Here the destination address and the destination port are rerouted to another destination address and destination port.
Specifically for the above case, each packet that has the destination 172.25.15.90, TCP 102 is rerouted to the destination 192.168.0.112, TCP102. The same occurs for 172.25.15.90 , TCP 443 to 192.168.0.114, TCP 443. This ensures that the PLC and the HMI are each accessibly via their own port of the firewall WAN IP.
Here, the advantage in comparison with other systems is that port 443 is not used as a web service in the firewall and thus is available if such routing is required.
Notice
Packet Filter: No setting is required here as all DNAT entries bypass the packet filter, as they already contain all necessary filter functions. In principle, however, a DROP can be entered, for example, for defined MAC addresses.
Revision: V1.0 |
---|