
Guide for using ctrlX core as a "router" with firewall app and VPN client

Community Moderator

Is there a guide for using ctrlX core as a "router" with firewall app and VPN client available?



Hi to everyone,

This is not a question but is actually a sort of guide created from the experiences that @TheCodeCaptain and I have collected about the topic together.

"Disclaimer: this procedure is not addressed to the basic user. In order to fully understand what is happening and to debug the setup, a good knowledge of iptables, networking and VPNs is necessary. Furthermore, the guide is not a complete setup for a production case; it is just a proof of concept that the user must be able to develop in order to fit his own case."


Objective: we would like to log in to the XM22 passing through the ctrlX core, just like in the picture below.

The test has been done with:

  • ctrlX core release 21.11 eth0:, eth2:
  • App Firewall 1.12.0


Step1: Enable packet forwarding.

In order to forward packets it is necessary to allow it from the eth0-1 interfaces:


From the firewall's point of view it is also necessary to allow packet forwarding (by default it is allowed).

Step2: SNAT

Now it should be possible to connect to the PLC, but it is necessary to set up the XM22 gateway: it must be the ctrlX core IP address, in this case being the xm address it must be Otherwise the connection would be dropped by the PLC.

In order to avoid this configuration for the PLC or the other devices on the machine network, it is possible to set up a simple SNAT routing rule. Assuming again that the ctrlX core address from the machine point of view is here is my configuration adopted.



Step3: PC routing

Now that everything has been set up in ctrlX, it is necessary to set up the right rules inside the PC as well. Being the PC address 192.168.2.X and the ctrlX core eth1 address = the rule to be entered is the following:

route add mask

It means that we're trying to reach a 192.168.1.X address passing through which is the ctrlX It is possible to check the connection using the command "tracert".


The experience with the VPN will follow.
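
The forwarding and SNAT steps above, written out as plain iptables commands for a generic Linux router. This is an added example, not part of the original post and not the ctrlX firewall app's own syntax. The interface names, the /24 networks and the 192.168.1.1 SNAT address are constructed placeholders. It goes one step beyond the post by setting the FORWARD policy to DROP and accepting only PC network to machine network traffic, instead of leaving all forwarding allowed.

```shell
#!/bin/sh
# Added example: prints (does not apply) the rules so they can be reviewed first.
# All interface names and addresses used here are constructed placeholders.

# is_ipv4 ADDR -> exit status 0 if ADDR is a dotted quad with octets 0..255
is_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# gen_router_rules PC_IF MACHINE_IF PC_NET MACHINE_NET CORE_MACHINE_IP
#   PC_IF / MACHINE_IF  interfaces facing the PC network and the machine network
#   CORE_MACHINE_IP     router address on the machine network, used as SNAT source
gen_router_rules() {
    pc_if=$1 machine_if=$2 pc_net=$3 machine_net=$4 core_ip=$5
    is_ipv4 "$core_ip" || { echo "bad SNAT address: $core_ip" >&2; return 1; }
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i $pc_if -o $machine_if -s $pc_net -d $machine_net -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $machine_if -o $pc_if -s $machine_net -d $pc_net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o $machine_if -s $pc_net -d $machine_net -j SNAT --to-source $core_ip
EOF
}

# Constructed values: PC side 192.168.2.0/24, machine side 192.168.1.0/24.
gen_router_rules eth0 eth1 192.168.2.0/24 192.168.1.0/24 192.168.1.1
```

With the SNAT rule in place, the PLC sees the router's machine-side address as the source and replies on its own subnet, so no gateway change is needed on the PLC. The return rule only admits replies to connections opened from the PC side.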