NAT Many Private LANs to a "Public" LAN

kdcui (Lifetime Supporting Member, joined Dec 2007, USA, 386 posts)
Hi all-

I have an application where:

- I have a fixed system with a pre-determined, static, network (say, 192.168.2.0/24).

- That system needs to have "peer to peer" communication to devices on mobile equipment with the constraint that we don't want to reconfigure the IP addresses each time.

- There will be up to 4 mobile systems with the same IP configuration.
These mobile systems will not always be the same, and will come and go. However, we can guarantee the private IP addresses will always be the same.

- There is an edge device on each system to aggregate data up to AWS (Edge device has a 4G Sim card) but that connection is segregated from the rest of the system.

I have the ability to reserve a physical switchport to each mobile system in order to differentiate. I'm thinking this would be an appropriate application to implement a NAT solution to reserve addresses on the "Fixed System" network for any device that plugs into the Fixed System switch (with a pre-determined "Private" address).

I have not encountered this "one to many" NAT scenario, so I am not sure how to implement it. I've always deployed NAT devices at the individual equipment level - but we can't do that since the mobile systems could be plugged into any port on the "Fixed" system.

Looking for some guidance to get pointed in the right direction. The end goal is to have these mobile systems plug into the fixed system network, and the fixed system recognizes the devices as we have NATed the connections, based on the incoming access port.

I've attached a diagram to help illustrate.

Thanks!

[attached diagram: Ik27i.png]
 
Update:
The only other solution I can think of is just buying communication modules specific to each of the 4 connections (programs will be identical) and handle it that way...
 
I don't think you want to use NAT. This would not give you a peer to peer network - the devices behind the NAT would always have to initiate the connection.

As far as I can see you would need a router with a unique address in the 192.168.2.x range in front of each mobile system. You would then have to set up port forwarding in each router so it gave access to the right device within each mobile system.

The devices within each mobile system would have to have a route to 192.168.2.x pointing to its router. Remember, to go between subnets you have to use routers.
 

lfe said:
It seems to me that it would be easier to think on a system based on VPN. ?

Thanks - I basically arrived at the conclusion that I'd need an L3 switch, but where I am struggling is that the 4 systems will all have identical IP addresses. I can't just VLAN them because then the VLANs need to be on different subnets. We can't change the IP addresses for various reasons, so for this solution to work:
a) All 4 mobile systems need to have the same IP scheme.
b) All 4 mobile systems need to talk to the same destination PLC on the "Fixed System"

Honestly this is adding quite a bit of complexity to the networking - I could just buy (4) Ethernet (PROFINET in this case) modules, put in the "Fixed System" PLC rack, and run a dedicated connection (point to point) for one of the 4 systems to plug into. But this doesn't seem like the most elegant solution and those modules are expensive.

In case it matters, these are all S7-1500 controllers on PROFINET. I was planning on configuring each system as an IO Device.

[attached diagram: 2022-12-02-175849.png]
 
Can't you put a NAT device on each piece of mobile equipment?
The LAPP NAT router is relatively small footprint & not super expensive either
 

Thanks - doesn't that mean I need to pre-define the "public" IP addresses at the equipment?

ie: the NAT device at the mobile equipment would need to be prepopulated with the public IP list, and therefore that device would be limited to a specific location on the network.

There are more than 4 of these systems but 4 may be connected simultaneously. So they need to be able to "park" at any point and plug in (could be port 1 one day, port 4 another).

EDIT: But what I could do is put 4 NAT devices at the Fixed System and have each Mobile system plug in as needed.
 
To me the only secure method of doing this is to put a local firewall between the Private and Public LAN (1 per private network). We use the MGUARD 1102 for this very purpose. It will do NAT and firewall rules so you can route traffic exactly where you need it. Has 3 modes - Simple, Normal, Advanced - depending on what needs to talk to what.


https://www.phoenixcontact.com/en-gb/products/security-router-for-the-din-rail-fl-mguard-1102-1153079

Thanks - another colleague suggested this as well.
Similar to my response to mad4x4 - I'm thinking one of these per system then, kind of like the attached?
This would ensure no matter which physical port one of the mobile systems plugged into, it would ensure it has a place on the network (as opposed to putting the NAT device on the mobile system, where it would limit where it could plug into).

[attached diagram: 2022-12-03-114609.png]
 
Will more than one of these be connected at the same time?
Can the mobile device not initiate the peer-peer instead?

Yes, there will be up to 4 connected to the "Fixed System" at any given instance. There could be, theoretically, dozens of mobile systems in queue that will take the place of the next mobile system that disconnects and it would be infeasible to have a mobile system tied to a specific physical port.

I'm not sure what you mean by your last sentence - whether or not the mobile system initiates the communication is independent of having a reserved IP address on the network.

All that said, I think having the NAT device at the Fixed systems may solve the problem, short of having a dedicated communications card at the Fixed System PLC.
 
Sorry for the insistence, but using a VPN it can be resolved easily and much more securely.

Mobile devices would be assigned a private IP, as if they were devices on the VLAN.

You would have to consult a system administrator from an IT department.
 
We put in a system that did almost exactly what you're trying to achieve. It was a bit more complicated because it ran on a VPN over the Internet but the basics were the same.

Your problems will be solved by putting a router in front of each mobile system (a layer 3 switch would work but is less functional). Your PLC will see each router on a unique IP address. Each router will implement NAT so your mobile systems all have standardised addresses. If you need to connect from the fixed system to a mobile system you can use port forwarding in each router - if the mobile systems always initiate connections you don't need this.

Whether you choose routers with firewall functionality is up to you. The line between routers and firewalls is fairly blurred nowadays.
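The arrangement described in the replies above (one router per switch port on the fixed system, each doing static 1:1 NAT so that four mobile units with identical private addresses appear as four distinct address ranges on 192.168.2.0/24) is modelled below as an added, runnable example. It is not code from the thread or from any of the products mentioned. The fixed network 192.168.2.0/24 comes from the thread; the mobile private scheme (10.0.0.0/24), the router inside address (10.0.0.254), the PLC address (192.168.2.10), and the 16-address slice per port are constructed assumptions, and the mapping rule is one possible scheme chosen for illustration.

```python
"""Model of four static 1:1 NAT routers on the fixed-system LAN, one per switch port.

Every mobile unit uses the identical private scheme; the router on port k presents
its unit on a distinct /28 slice of 192.168.2.0/24, so the PLC sees four different
addresses regardless of which unit is plugged into which port.
"""
from ipaddress import IPv4Address, IPv4Network

FIXED_NET = IPv4Network("192.168.2.0/24")    # fixed-system network (from the thread)
MOBILE_NET = IPv4Network("10.0.0.0/24")      # constructed: private scheme shared by every mobile unit
MOBILE_GATEWAY = IPv4Address("10.0.0.254")   # constructed: each router's inside address on the unit
PLC_ADDRESS = IPv4Address("192.168.2.10")    # constructed: fixed-system PLC
PORT_COUNT = 4
SLICE = 16                                   # constructed: fixed-side addresses reserved per port


def router_address(port: int) -> IPv4Address:
    """Fixed-side address of the NAT router on switch port 1..4 (.16, .32, .48, .64)."""
    if not 1 <= port <= PORT_COUNT:
        raise ValueError(f"port {port} out of range 1..{PORT_COUNT}")
    return FIXED_NET.network_address + port * SLICE


def slice_for(port: int) -> IPv4Network:
    """The /28 of fixed-side addresses owned by the router on `port`."""
    return IPv4Network(f"{router_address(port)}/28")


def owned_by(port: int, public) -> bool:
    """True if `public` is a translated host address belonging to this port's router."""
    public = IPv4Address(public)
    return public in slice_for(port) and public != router_address(port)


def mobile_to_fixed(port: int, private: IPv4Address) -> IPv4Address:
    """Static 1:1 translation: mobile host 10.0.0.h becomes 192.168.2.(16*port + h)."""
    host = int(private) - int(MOBILE_NET.network_address)
    if private not in MOBILE_NET or not 1 <= host < SLICE:
        raise ValueError(f"{private} is not a translatable mobile host")
    return router_address(port) + host


def fixed_to_mobile(port: int, public: IPv4Address) -> IPv4Address:
    """Reverse mapping; only addresses inside this router's own slice are accepted."""
    if not owned_by(port, public):
        raise ValueError(f"{public} is not owned by the router on port {port}")
    return MOBILE_NET.network_address + (int(public) - int(router_address(port)))


def translate_outbound(port: int, src, dst):
    """Packet leaving the mobile unit toward the fixed LAN: source rewritten, destination kept."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    if dst not in FIXED_NET:
        raise ValueError(f"{dst} is not on the fixed-system LAN")
    return mobile_to_fixed(port, src), dst


def translate_inbound(port: int, src, dst):
    """Packet from the fixed LAN (e.g. the PLC polling an IO device): destination rewritten."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    return src, fixed_to_mobile(port, dst)


def mobile_route():
    """The static route every device inside a mobile unit needs: fixed LAN via its router."""
    return FIXED_NET, MOBILE_GATEWAY


def slices_are_consistent() -> bool:
    """Sanity check: slices lie inside the fixed network, do not overlap, and leave the PLC alone."""
    slices = [slice_for(p) for p in range(1, PORT_COUNT + 1)]
    disjoint = all(not a.overlaps(b) for i, a in enumerate(slices) for b in slices[i + 1:])
    inside = all(s.subnet_of(FIXED_NET) for s in slices)
    plc_free = all(PLC_ADDRESS not in s for s in slices)
    return disjoint and inside and plc_free


if __name__ == "__main__":
    assert slices_are_consistent()
    for port in range(1, PORT_COUNT + 1):
        print(f"port {port}: router {router_address(port)}, hosts {slice_for(port)}")
    # The same private host on two different units gets two different fixed-side addresses.
    print(translate_outbound(1, "10.0.0.5", PLC_ADDRESS))
    print(translate_outbound(2, "10.0.0.5", PLC_ADDRESS))
    print(translate_inbound(4, PLC_ADDRESS, "192.168.2.70"))
    print("route on every mobile device:", mobile_route())
```

The point the model makes concrete is that the duplicate addresses never meet: translation is keyed on the router (and therefore the switch port), so the PLC's project can address 192.168.2.21, .37, .53 and .69 as four IO devices while each unit keeps its untouched 10.0.0.5. The `translate_inbound` check also shows why a single shared NAT box would not do: an inbound packet is only accepted by the router whose slice contains the destination.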
 
Just a thought,

If you altered the subnet mask to 255.255.248.0 then everything from X.X.0.0 to X.X.7.255 is then in the same network. Would that work?

Nick
 
