Skip to Content

Register Login

Industry Online Support

Technical Forum

Navigation

IOT as network router

Created by: faschmidt at: 3/12/2021 1:53 PM (7 Replies)

Rating (0)

Thanks 2

8 Entries

3/12/2021 1:53 PM	Rate (0)
faschmidt Experienced Member Joined: 4/17/2018 Last visit: 11/10/2023 Posts: 84 Rating: (5)	Hello forum, i would like to show you a small sketch of a network configuration. See attachment. My task is to connect two ip networks with the IOT as router. Shown is an automation network with fixed ip 192.168.0.0/24 and an office network with ip 192.168.178.0/24 which is connected to the internet. I would like to address two topics: a.) The IPC in the automation network should be able to reach the internet b.) The Office PC should be able to reach the CPU webservers of the automation network and should be possible to program the (and all coming) CPU1500. For the sake of simplicity we may leave alone security (firewall, port forwarding..) topics of the two networks as long as not needed to make this work. I use the IOT2050 with the downloadable "free" Debian. I know that this distro uses network-manager and its tools to setup the network connection. So far I succeeded. Now I am stuck between dnsmasq, route add... and ip route add ... What I need is a kick to the right path. T.i.a. Frank Attachment Mappe1.pdf (288 Downloads)

Suggestion To thank Quote Answer

3/18/2021 12:20 PM	Rate (0)
Fe_lipe Silver Member Joined: 12/12/2016 Last visit: 12/6/2023 Posts: 640 Rating: (60)	Hello Frank, To be honest it seems like an acchievable, but not very suitable task for the IOT2050 (EDIT: in case the network on the left hand side uses Safety). In this case a hardware firewall (e.g scalance) could be more suitable for complete isolation of the PROFINET network. If you want to go this way regardless, I think the easiest option is to work with iptables. It can be integrated into a newer version of the IOT2050 image, which you can build from the master branch. Notice that the iptables compatability was added in October 2020 so the example image from SIOS does currently not support it. Best Regards!
	Last edited by: Fe_lipe at: 03/18/2021 12:20:57 Last edited by: Fe_lipe at: 04/07/2021 13:28:45
Suggestion To thank Quote Answer

3/23/2021 8:42 PM	Rate (0)
faschmidt Experienced Member Joined: 4/17/2018 Last visit: 11/10/2023 Posts: 84 Rating: (5)	Hi, sorry for answering late. I always looked at the newer thread. And sorry for the double post. I did not notice that it had been moved in between. Anyway. Just for the record. That is what I did with a freshly built image from master branch: apt-get install iptables Now edit nano /etc/sysctl.conf And uncomment the line containing: net.ipv4.ip_forward=1 And from commandline do iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE to set ip masquarading. This works until reboot. I know how to make it persistent. Point is: I have to confess that I do not fully understand iptables. With the commands above I am able to reach any device on 192.168.0.0/24 from 192.168.178.0/24 if the devices in their networks have set the standard gateway accordingly. And vice versa. What I do not know is how to restrict the traffic to certain IP addresses.

Suggestion To thank Quote Answer

3/25/2021 6:52 AM	Rate (0)
kpkumajaya Regular Member Joined: 2/24/2018 Last visit: 2/16/2023 Posts: 24 Rating: (0)	Using ufw as firewall management interface on Ubuntu here but I got: ERROR: problem running ufw-init ip6tables-restore v1.8.4 (legacy): Couldn't load match `rt':No such file or directory Error occurred at line: 24 Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information. Problem running '/etc/ufw/before6.rules' Disable IPV6 in /etc/default/ufw solve the problem. To stop ufw flooding dmesg: ufw logging off

Suggestion To thank Quote Answer

4/7/2021 1:22 PM	Rate (0)
Fe_lipe Silver Member Joined: 12/12/2016 Last visit: 12/6/2023 Posts: 640 Rating: (60)	Hello Frank, So far I have come just as far as you with iptables. This rule you used: iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE Allows me to access the internet and devices on the other network and vice versa but until now none of the rescrictions I added worked. I added a DROP rule for a different subnet but was still able to access the internet when changing my IP to this specific subnet. Will need some more time to investigate. If anybody on here has more experience, always highly welcome! Best Regards!

Suggestion To thank Quote Answer

4/9/2021 3:52 PM	Rate (0)
Fe_lipe Silver Member Joined: 12/12/2016 Last visit: 12/6/2023 Posts: 640 Rating: (60)	Hello Frank, We now had time for a closer look into your network setup and were able to configure iptables accordingly. Firstly, I recommend installing Webmin which provides a nice UI for handling Network and Firewall configuration. When installing Webmin over APT repository, dont forget to add the correct Architechture to /etc/sources.list nano /etc/apt/sources.list wget https://download.webmin.com/jcameron-key.asc apt-key add jcameron-key.asc apt-get update apt-get install webmin Afterwards the UI is reachable over https://<iot-ip>:10000, use root login of IOT! In the section Networking->Linux Firewall, enter the Dropdown Menu Showing IPtable (NAT): You should see your POSTROUTING rule below which you have already entered (for you the interface should be eth1) -> scroll right to see entire screenshot Now switching back to Dropdown Menu Packet filtering, we should now be looking at the FORWARD rules. Here, based on the drawing of your network we want to do two things: Only accept incoming packets from the IPC127E on eth0 (other packets shall be dropped) Only accept incoming packets from the PC on eth1 (other packets shall be dropped) For this we specify one accept rule for source address 192.168.0.3/32 on incoming interface eth0, one accept rule for source address 192.168.178.40/32 on incoming interface eth1, one drop rule for incoming interface eth0 and one drop rule for incoming interface eth1. In my case the configuration looks like this: Make sure the rules are also in this exact order. Afterwards, scroll down and select Apply Configuration and also select Activate at boot to make rules persistent: The configuration should now be working. In my case I did not specify any input rules. Ofc there is still room for improvement as e.g. adding input rules can save CPU consumption by dropping packets before they are forwarded. To double-check how these rules can also be entered in terminal nano /etc/iptables.up.rules Hope this helps! BR
	Last edited by: Fe_lipe at: 04/09/2021 15:54:42 Last edited by: Fe_lipe at: 04/09/2021 16:16:00 Last edited by: Fe_lipe at: 04/09/2021 16:18:53 typo
Suggestion To thank Quote Answer
This contribution was helpful to 2 thankful Users bergmanu faschmidt

4/20/2021 4:32 PM	Rate (0)
faschmidt Experienced Member Joined: 4/17/2018 Last visit: 11/10/2023 Posts: 84 Rating: (5)	Works fine ! Only problem left is that the configuration is not persistent. I check the radio button "YES" and click on the "Activate at boot" button. Something happens. Now the radio button reverts to "NO". I then check for the rules file. Everything is ok. I reboot. Rules are not applied. Rules file still is fine. iptables -L -n tells me that there is no rule but there are iptables-legacy rules present. iptables-legacy -L -n tells me that there is no rule... From the webinterface of Webmin I can apply the rules manually and then my rules work and also iptables-legacy shows the rules. iptables still not showing rules (other than accept on all rules). Edit: Webmin Linux Firewall gives incorrect information when using iptables-persistent [#70862] \| Virtualmin There you go. Next version of Webmin should handle it ....
	Last edited by: faschmidt at: 04/20/2021 16:52:36
Suggestion To thank Quote Answer

4/22/2021 7:57 PM	Rate (0)
kpkumajaya Regular Member Joined: 2/24/2018 Last visit: 2/16/2023 Posts: 24 Rating: (0)	kpkumajaya Using ufw as firewall management interface on Ubuntu here but I got: ERROR: problem running ufw-init ip6tables-restore v1.8.4 (legacy): Couldn't load match `rt':No such file or directory Error occurred at line: 24 Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information. Problem running '/etc/ufw/before6.rules' Disable IPV6 in /etc/default/ufw solve the problem. To stop ufw flooding dmesg: ufw logging off Beside the lack of IPV6 support that I believe because incomplete kernel netfilter support, ufw working great for me. I hope there are comments from Siemens about above error.

Suggestion To thank Quote Answer

|

Share this page:

Share this page on...

Follow us on