Disclaimer
This guide is not intended as a substitute for the official documentation. It refers to the official Firewall app from version 3.6.2 and above, available from RM25.07. This release introduces a new license code, R911430062, which unlocks only the firewall basic view. The other license (R911400505) includes both the advanced and the basic view.
Requirements
A ctrlX OS device such as the ctrlX CORE X3, X5 or X7.
The firewall app
A Firewall Basic or Advanced license
The new Interface & use cases:
The new web interface has 3 new sections:
Filter
Routing
Directional interfaces
These work in parallel with the "Advanced" view, i.e. the old web interface, which is reached by clicking the word "Advanced" in the top right.
Modern networks require internet access, directional connections, filtering, routing, and more:
Directional interfaces, internet connection, LAN segmentation: the device must be easy to connect to the internet, and the interface connected to the internet must then be protected against incoming connections.
Routing: in many cases, such as remote access, the core is needed to implement the DNAT, SNAT and Masquerade functions so that the devices in the LAN can be reached remotely.
Filtering: probably the most basic operation: allowing or denying the use of a certain port or service.
Directional interfaces, internet connection, LAN segmentation
One of the most basic scenarios when using the core as a remote access router or IIoT gateway is that the device is connected to the internet. A typical configuration is the following:
The configuration shows that:
XF10 is connected to the machine network
XF50 is connected to the company network
XF51 is connected to the internet and configured as unidirectional
Note that:
This is just an example
If more interfaces are needed, ctrlX OS devices with more interfaces are available for purchase
Every interface can be set as a unidirectional interface
Here is the setting needed to make an interface unidirectional; in this case the selected interface is XF50.
Selecting:
"Prevent user interface lockout": the web UI always stays reachable from the selected physical interface. We suggest keeping it activated during setup and commissioning to avoid being locked out, and deactivating it once the setup is done.
"Reject (or drop) all except established connections": the device will still be able to:
connect to the internet, VPNs and external services and servers
mount a remote directory
contact remote servers
It won't be able to:
accept MQTT connections on such interfaces
accept OPC UA connections on such interfaces
accept any similar incoming connection
Routing
This section summarizes the information contained in the following how-to guides:
We suggest reading the guides mentioned above at least once. With this new firewall version it is now really simple to set a ctrlX OS device as the router for a network or a device port.
The image above shows what is needed to set the core as the router for the 192.168.2.0/24 machine network:
First step (not shown): the interfaces involved must have the "IP Forward" option enabled; see Settings > Network.
In Firewall > Routing, add a new rule with "192.168.2.0/24" as Destination and "Masquerade" as NAT Type.
Adapt the previous setting to the network(s) needed.
Optionally, if an external device's interface needs to be reachable through the ctrlX OS device itself, a Destination NAT rule can be set as shown in the picture. For example, the "DnatXM" rule forwards port 8234 to port 80 of 192.168.2.25, which means that port 8234 of the ctrlX OS device will show the XM22 web interface.
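To make the behaviour of the settings above concrete, here is an added toy model (example code written for this guide, not the Firewall app's own implementation) of the three mechanisms described: the unidirectional "reject all except established connections" interface with its "Prevent user interface lockout" exception, the Masquerade rule for the 192.168.2.0/24 machine network, and the "DnatXM" Destination NAT rule (port 8234 to 192.168.2.25:80). It shows why the unidirectional interface still lets the device reach the internet (replies match a connection-tracking entry created by the device's own outbound traffic) while a new inbound MQTT or OPC UA connection on that interface is rejected, and how a request from the company network is rewritten by DNAT and then Masquerade on its way to the XM22. All addresses, port numbers and interface-to-address assignments are constructed for the example; the real app matches rules in its own engine and the web UI port is assumed to be 443.

```python
"""Toy model of the firewall behaviours described in the guide.
Added illustrative example; not the ctrlX OS Firewall app's code.
All IP addresses, ports and interface addresses below are constructed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet is seen on (XF10, XF50, XF51)
    src: str
    sport: int
    dst: str
    dport: int


class Firewall:
    def __init__(self, iface_addrs, unidirectional, prevent_ui_lockout,
                 dnat_rules, masquerade_nets, ui_port=443):
        self.iface_addrs = iface_addrs            # {"XF10": "192.168.2.1", ...}
        self.unidirectional = set(unidirectional)
        self.prevent_ui_lockout = prevent_ui_lockout
        self.dnat_rules = dnat_rules              # {published_port: (target_ip, target_port)}
        self.masquerade_nets = [ip_network(n) for n in masquerade_nets]
        self.ui_port = ui_port                    # assumed web UI port
        # Connection-tracking table: 4-tuples of flows the device itself opened.
        self.conntrack = set()

    def outbound(self, pkt):
        """Device-originated traffic is always allowed; the flow is recorded so
        the reply (reversed 4-tuple) counts as ESTABLISHED when it comes back."""
        self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "accept"

    def inbound(self, pkt):
        """Filter a packet arriving on pkt.iface: 'accept' or 'reject'."""
        if pkt.iface not in self.unidirectional:
            return "accept"                       # bidirectional interface
        # Reply to a flow the device opened earlier -> ESTABLISHED -> accept.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "accept"
        # Lockout protection keeps the web UI reachable on this interface.
        if (self.prevent_ui_lockout and pkt.dport == self.ui_port
                and pkt.dst == self.iface_addrs[pkt.iface]):
            return "accept"
        return "reject"                           # any other new inbound connection

    def dnat(self, pkt):
        """Destination NAT: a packet addressed to the device on a published port
        is rewritten to the internal target before the routing decision."""
        if pkt.dst in self.iface_addrs.values() and pkt.dport in self.dnat_rules:
            target_ip, target_port = self.dnat_rules[pkt.dport]
            return replace(pkt, dst=target_ip, dport=target_port)
        return pkt

    def masquerade(self, pkt, egress_iface):
        """Masquerade: traffic forwarded into a masqueraded destination network
        leaves with the egress interface's own address as source, so the machine
        network needs no route back to the original sender."""
        if any(ip_address(pkt.dst) in net for net in self.masquerade_nets):
            return replace(pkt, iface=egress_iface, src=self.iface_addrs[egress_iface])
        return replace(pkt, iface=egress_iface)


def build_example_firewall():
    """Constructed configuration matching the guide's layout: XF10 machine
    network, XF50 company network, XF51 internet and unidirectional."""
    return Firewall(
        iface_addrs={"XF10": "192.168.2.1", "XF50": "10.0.0.20", "XF51": "203.0.113.10"},
        unidirectional={"XF51"},
        prevent_ui_lockout=True,
        dnat_rules={8234: ("192.168.2.25", 80)},   # the "DnatXM" rule
        masquerade_nets=["192.168.2.0/24"],        # the Masquerade routing rule
    )


def remote_access_to_xm(fw, client_ip="10.0.0.5"):
    """A company-network client opens <core XF50 address>:8234; returns the
    packet as it leaves XF10 after DNAT and Masquerade, or None if filtered."""
    pkt = Packet("XF50", client_ip, 50123, fw.iface_addrs["XF50"], 8234)
    if fw.inbound(pkt) != "accept":
        return None
    return fw.masquerade(fw.dnat(pkt), "XF10")


if __name__ == "__main__":
    fw = build_example_firewall()
    fw.outbound(Packet("XF51", "203.0.113.10", 40000, "198.51.100.7", 443))
    print(fw.inbound(Packet("XF51", "198.51.100.7", 443, "203.0.113.10", 40000)))  # accept
    print(fw.inbound(Packet("XF51", "198.51.100.9", 5555, "203.0.113.10", 1883)))  # reject
    print(remote_access_to_xm(fw))
```

The model deliberately matches Masquerade on the destination network, as the guide's rule does, and applies DNAT before Masquerade, which is the order in which a real packet path rewrites destination (pre-routing) and then source (post-routing). It also shows why "Prevent user interface lockout" is worth keeping on during commissioning: with it off, a new connection to the web UI port on the unidirectional interface is rejected like any other.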
Filtering
The user can set simple Forward, Input or Output rules, as in most common firewalls.