WAN to LAN access

Tutorial: WAN to LAN access


1. Access to one or more devices behind mbNET via SimpleNAT

2. Access to one or more devices behind the mbNET via port forwarding

3. Access to one or more devices behind mbNET / mbNET.mini via a gateway entry

 


1. Access to one or more devices behind mbNET via SimpleNAT

To access one or more devices connected to the LAN side of an mbNET / mbNET.mini from the WAN side of the network in which the mbNET / mbNET.mini is located, you need one or more SimpleNAT rules.

With SimpleNAT, a participant in the LAN network can be reached directly via a free WAN IP address. This WAN IP address is added to the WAN interface and mapped 1:1 to the entered LAN IP address. It is important that a static IP address is configured for WAN.


The following network structure is used as an example:
Three network participants need to be accessed from one or more PCs from the WAN side via the mbNET / mbNET.mini.

The mbNET has the static WAN IP 10.10.0.100 and IP 192.168.0.100 configured as LAN IP.

The following network participants are available in the LAN:

   Industrial PC with IP 192.168.0.1
   PLC with IP 192.168.0.2
   HMI with IP 192.168.0.3

The following network participants are available in the WAN:

   PC1 with 10.10.0.1
   PC2 with 10.10.0.2
   PC3 with 10.10.0.3

*The addresses 10.10.0.11/12/13 are the NAT-addresses

To configure the SimpleNAT rules in the device configuration, please navigate to the device Administration and click on Firewall:

You are now in the firewall settings of the respective device. Click the button at the top right and select Create new SimpleNAT. Configure the rule as follows:

 

   Set a checkmark at Active.

   At WAN IP please enter a free WAN Ethernet address from the WAN network (here: 10.10.0.11).

   At LAN IP please enter the LAN IP address that you want to access (here: 192.168.0.1).

   At Comment you can add a comment to make the rule easier to identify.

 


Notice

After the settings have been saved, please transfer the configuration to the device.

Because three devices behind the mbNET / mbNET.mini need to be accessed, three SimpleNAT rules need to be defined in this case.

This means that a SimpleNAT rule must be defined for each device that needs to be reached.


2. Access to one or more devices behind the mbNET via port forwarding

The following network structure is used as an example:

A PC in the WAN needs to access the PLC (IP: 192.168.0.112) and various services behind it (here: FTP and web server) via the mbNET.

For this purpose, a Forwarding rule must be set up on the mbNET for FTP access, which forwards all requests sent to the IP address 172.25.15.90 and the fictitious port 2143 to the IP address 192.168.0.112 and port 21.

You also need another Forwarding rule for web access, which forwards all requests sent to the IP address 172.25.15.90 and the fictitious port 2146 to the IP address 192.168.0.112 and port 80.

The WAN IP address must be entered as the Destination IP, the fictitious port (here: port 2143 and 2146) under Destination Port, and the IP address of the PLC (here: 192.168.0.112) under Forward IP. Forward Port is the respective port of the service that needs to be reached (here: port 21 and 80). WAN ethernet must be selected as the Interface for the forwarding rules. If Source IP and Source Port are empty, communication from all participants is allowed. If you want to allow the communication only for certain participants, you must enter the Source IP or Source Port accordingly.

If, for example, a connection to the FTP server of the PLC with FileZilla needs to be established, the WAN-IP of the mbNET (Server), the user name & password of the FTP server and the fictitious port (here: port 2143) must be entered in the FileZilla client:


Notice

Please do not use a standardized port as a fictitious port.
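The effect of the Source IP field and of the fictitious-port notice can be checked with a small model of the forwarding table. This is an added example, not mbNET firmware or vendor code: the field names follow the labels in the dialog, while first-match evaluation, the "below 1024" reading of "standardized port" and the client address 172.25.15.74 are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class ForwardRule:
    # Field names follow the labels in the tutorial's forwarding dialog.
    dest_ip: str                      # Destination IP (WAN IP of the mbNET)
    dest_port: int                    # Destination Port (fictitious port)
    forward_ip: str                   # Forward IP (device in the LAN)
    forward_port: int                 # Forward Port (real service port)
    source_ip: Optional[str] = None   # empty = any WAN participant

def source_allowed(rule, src_ip):
    """Empty Source IP matches everyone; otherwise only the listed address."""
    if not rule.source_ip:
        return True
    net = ipaddress.ip_network(rule.source_ip, strict=False)
    return ipaddress.ip_address(src_ip) in net

def translate(rules, src_ip, dst_ip, dst_port):
    """Return (forward_ip, forward_port) of the first matching rule, else None."""
    for r in rules:
        if (r.dest_ip, r.dest_port) == (dst_ip, dst_port) and source_allowed(r, src_ip):
            return (r.forward_ip, r.forward_port)
    return None

def audit(rules):
    """Flag rules open to all sources or using a port below 1024 (assumed cut-off)."""
    findings = []
    for r in rules:
        if not r.source_ip:
            findings.append((r.dest_port, "open to any source"))
        if r.dest_port < 1024:
            findings.append((r.dest_port, "standardized port used as fictitious port"))
    return findings

# The two rules from the tutorial, Source IP left empty as in the text.
OPEN_RULES = [
    ForwardRule("172.25.15.90", 2143, "192.168.0.112", 21),
    ForwardRule("172.25.15.90", 2146, "192.168.0.112", 80),
]
# Same rules restricted to one engineering PC (address is a constructed sample).
LOCKED_RULES = [ForwardRule(r.dest_ip, r.dest_port, r.forward_ip, r.forward_port,
                            source_ip="172.25.15.74") for r in OPEN_RULES]

if __name__ == "__main__":
    for src in ("172.25.15.74", "172.25.15.200"):
        print(src, translate(OPEN_RULES, src, "172.25.15.90", 2143),
              translate(LOCKED_RULES, src, "172.25.15.90", 2143))
    print(audit(OPEN_RULES), audit(LOCKED_RULES))
```

With Source IP empty, every WAN participant reaches the PLC's FTP and web services through the fictitious ports; with Source IP set, only the listed PC does.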

 

3. Access to one or more devices behind mbNET / mbNET.mini via a gateway entry

Both PLCs should be accessible from PC2 via their own IP addresses. Port forwarding (DNAT) is not possible here because, especially with a Siemens PLC, the port assignment cannot be made in PC2.

  1. Settings of the devices:
    1. SPS1: IP: 192.168.0.112/24, Gateway: -----
    2. SPS2: IP: 192.168.0.114/24, Gateway: -----
    3. PC2: IP: 172.25.15.74/16, Gateway: 172.25.15.90
  2. Set the router's LAN and WAN IP addresses.
  3. Make sure in the firewall settings that the SNAT (LAN) function is selected.
  4. Enable the ICMP protocol for each PLC device in the firewall settings.

Now the WAN-side PC2 can access or ping both LAN-side PLCs.

 

Revision: V1.0