Which firewall rules are to be configured in SCALANCE S if a Virtual Private Network (VPN) is set up over the internet between two SCALANCE Ss and the nodes should also be able to access the internet from the internal network?
This entry describes which firewall rules are to be configured in SCALANCE S if a Virtual Private Network (VPN) is set up over the internet between two SCALANCE Ss and the nodes should also be able to access the internet from the internal network A.
Entry ID 24968210 includes the instructions for configuring a VPN set up between two SCALANCE Ss.
The SCALANCE S 612 A searches a route to send the messages. When the VPN is set up, the messages are sent coded from the internal network A over the VPN.
If the VPN is not set up, there is no route to the VPN and the messages are sent uncoded to the Internet Router A and are then forwarded from there into the external network (internet).
Without any further configuration the firewall of the SCALANCE S lets these messages through and saves a corresponding "State", which ensures that the answer and identically addressed messages can be processed faster.
This "State" has a higher priority than the configured firewall rules. In this way all messages continue to be forwarded uncoded to the external network even after the VPN is set up again.
This behavior can lead to continuous connection failures in particular with devices with cyclic keep-alives.
To prevent this you must configure a Drop rule in addition to the Allow rule which permits access from the internal network A (192.168.1.0 / 24) to the external network.
The Drop rule prevents messages for the internal network B (192.168.10.0 / 24) from reaching the external network uncoded through the firewall if the VPN is not set up.
- If multiple VPNs are set up or additional nodes exist behind the VPN, then you must create a Drop rule accordingly for each subnetwork and for each node.
- The Drop rules must be inserted in front of the Allow rule so that they can be used.
The NAT option "Allow all internal nodes access to the outside" must be enabled so that nodes of the internal network can communicate with the internet.
Note on security
The functions and solutions described in this article confine themselves predominantly to the realization of the automation task. Furthermore, please take into account that corresponding protective measures have to be taken in the context of Industrial Security when connecting your equipment to other parts of the plant, the enterprise network or the internet. More information is available in Entry ID: 50203404.
Detailed information about the SCALANCE S Industrial Security is available in the manuals and applications below.
|Manual / Application||Entry ID|
|SIMATIC NET Industrial Ethernet Security Basics and Applications Configuration Manual||61630777|
|SIMATIC NET Industrial Ethernet Security Getting Started||60166939|
|SIMATIC NET Industrial Ethernet Security SCALANCE S V3.0 Installation and Commissioning Manual||56576669|
|Industrial Security with SCALANCE S modules through IPSec VPN tunnel||22056713|