MauroRiboniMX_0-1640129929859.png

How to use ctrlX CORE as a “router” using the Firewall App

MauroRiboniMX
Contributor
Disclaimer

In order to fully understand what is happening and to debug the setup it is necessary to have knowledge about networking and firewall rules. Furthermore the document is not a complete setup to a production case. It is a proof of concept which the user must be able to adapt it for his own case.

Overview

The idea is access devices that are locally accessible by the ctrlX CORE. For this tutorial we want to access the IndraControl XM22, as shown in the picture below.

Test LayoutTest Layout

 

Fig. 1.: Overview

Equipment used

The test has been done with:

  • ctrlX CORE release 21.11
  • eth0 set to IP address: eth0 set to 192.168.1.1, eth1 set to: 192.168.2.1
  • ctrlX App Firewall 1.12.0

 

Transfer data packets
Step 1: Forward data packets

In order to forward data packets it is necessary to allow it from the eth0 and eth1 interfaces:

Open IpforwardOpen Ipforward

 

 

Fig. 2.: Setting of eth0 and eth1

From firewall point of view it is also necessary to allow the packet forwarding (by default it is allowed).

 

Step 2: NAT Setting

While we can access the ctrlX CORE itself without problems, it is still not possible to also access the other devices in our network. Why is this? If a device in the local network (192.168.1.0/24) receives a packet from a device in our external lan, it still has as source IP the IP address of this device. As this is an IP address in the external network, how should the device know how to route the answer-packet back to our access device. There are two solutions for this:

  1. Setting the default gateway in the XM22 to the IP address of our ctrlX (192.168.1.1)
  2. By configuring a source NAT rule, what will be done in the following and explained below

 

Where is the snat?Where is the snat?

 

Snat rulesSnat rules

 

 

 Fig. 3.: NAT Settings

 

 

Step 3: PC routing

After everything has been set up in ctrlX CORE it is necessary to setup the right rules also inside the PC. Being the PC address 192.168.2.X and the ctrlX CORE eth1 address = 192.168.2.1 the rule to be entered is the following:

  • route add 192.168.1.0 mask 255.255.255.0 192.168.2.1

It means that when the PC tries to reach the 192.168.1.X it routes them through 192.168.2.1 which is the ctrlX CORE. It is possible to check if this work as assumed using the command "tracert".

windows routingwindows routing

 

 

Fig. 4.: PC settings and routing check.

 

Step 4: XM22 access

Now it is all set up!! When entering http://192.168.1.25  to the browser the XM22 WebAssistant page should be reachable!

XM web InterfaceXM web Interface

 Fig. 5.: WebAssistant

Now Even Indraworks should be able to program the XM22 passing through ctrlX.

 

XM accessXM access

 

 

Fig. 6.: XM22 programming

Explanation

 

The structure of the network packets is close to what is represented in the picture below:

My packetMy packet

 

 

 Fig. 7.: Data Packet

The image is just indicative, what is important to us is that our packet has:

  • A destination address (where the packet should arrive)
  • A source address (who is sending the packet)
  • A Payload ( the data exchanged)

The packet takes 3 main steps to get to destination and 3 also to get back. packet Flowpacket Flow

 Fig. 8.: ctrlX CORE Firewall structure

Setting the routing rules on our PC in step 3 we're able to send packets destined for 192.168.1.25 to ctrlX core. Here is where the trick is starting.

Once the packets are inside the ctrlX CORE we can do many things, first of all we could change the destination IP applying a Destination NAT in (Number 1 in Fig.8 but this is not our case, the packets are going directly to the the forward filter (Number 2 in Fig.8 )) . Here we must be sure that the packets are not being filtered!! To do that the step number 1 of the guide is mandatory, also it is good to check inside the "Forward Filter" part of the firewall that there are no other rules that may block the packets.

The last part is the most important, before the packets leave the ctrlX the packets are passing through a SNAT (Source NAT: number 3 in Fig.8 ). In this last step the source address of the packet that, till now, is something like 192.168.2.x is then changed to 192.168.1.1 which is the ctrlX CORE address of the interfaces that is connected to the XM22.

Why that? Once the XM22 receives the packet it answers to the address in the source field. Now the XM22 knows the address of the device which sent the packet to it, as it is the address of the ctrlX CORE and can thereby send the packet back to ctrlX CORE. The rules to setup this last part are explained in step 2.

The packets that have to come back from the XM22 to the PC are automatically translated by ctrlX CORE itself on they way back.

This tutorial does not have the aim to explain all routing capabilities the ctrlX can offer. We're just using a subset of features useful to obtain our goal. To fully understand what is behind the ctrlX firewall and routing configuration a basic knowledge on computer networks and firewall rules is necessary. Starting from iptables and  NFT tables.

Continues...

The settings and experience about routing coupled with a VPN will follow in an own blog.

MauroRiboniMX
MauroRiboniMX
Hello, I am Mauro a ctrlX DEVELOPR at night and an Application Engineer during the day 😎 . Ask me anything about ctrlX AUTOMATION but my best topics are IoT, AI, SDK and Communication!
2 Comments
Must Read
Icon--AD-black-48x48Icon--address-consumer-data-black-48x48Icon--appointment-black-48x48Icon--back-left-black-48x48Icon--calendar-black-48x48Icon--center-alignedIcon--Checkbox-checkIcon--clock-black-48x48Icon--close-black-48x48Icon--compare-black-48x48Icon--confirmation-black-48x48Icon--dealer-details-black-48x48Icon--delete-black-48x48Icon--delivery-black-48x48Icon--down-black-48x48Icon--download-black-48x48Ic-OverlayAlertIcon--externallink-black-48x48Icon-Filledforward-right_adjustedIcon--grid-view-black-48x48IC_gd_Check-Circle170821_Icons_Community170823_Bosch_Icons170823_Bosch_Icons170821_Icons_CommunityIC-logout170821_Icons_Community170825_Bosch_Icons170821_Icons_CommunityIC-shopping-cart2170821_Icons_CommunityIC-upIC_UserIcon--imageIcon--info-i-black-48x48Icon--left-alignedIcon--Less-minimize-black-48x48Icon-FilledIcon--List-Check-grennIcon--List-Check-blackIcon--List-Cross-blackIcon--list-view-mobile-black-48x48Icon--list-view-black-48x48Icon--More-Maximize-black-48x48Icon--my-product-black-48x48Icon--newsletter-black-48x48Icon--payment-black-48x48Icon--print-black-48x48Icon--promotion-black-48x48Icon--registration-black-48x48Icon--Reset-black-48x48Icon--right-alignedshare-circle1Icon--share-black-48x48Icon--shopping-bag-black-48x48Icon-shopping-cartIcon--start-play-black-48x48Icon--store-locator-black-48x48Ic-OverlayAlertIcon--summary-black-48x48tumblrIcon-FilledvineIc-OverlayAlertwhishlist