06/30/2025
How-to | ctrlX CORE | Firewall

Firewall Basic, a practical guide

Disclaimer

This guide is not intended to be a substitute for the official documentation. It refers to the official Firewall app from version 3.6.2 onwards, available from RM25.07. This release introduces a new license code, R911430062, that unlocks only the firewall Basic view; the other license (R911400505) includes both the Advanced and the Basic view.

Requirements

  • ctrlX OS device such as the ctrlX CORE X3, X5, X7.

  • The firewall app

  • Firewall Basic or Advanced license

The new interface & use cases

The new web interface has 3 new sections:

  • Filter

  • Routing

  • Directional interfaces

These work in parallel with the "Advanced" view, the old web interface, which is still available by clicking the word "Advanced" in the top right corner.

New web interface

Modern networks require internet access, directional connections, filtering, routing, and even more:

  • Directional interfaces, internet connection, LAN segmentation: it is important that the device can be connected to the internet easily, and that the interface facing the internet is then protected against incoming connections.

  • Routing: often, as in the remote access use case, the core needs to implement the DNAT, SNAT and Masquerade functions so that the devices in the machine LAN can be reached remotely.

  • Filtering: probably the most basic operation: allowing or denying the use of a certain port or service.

Directional interfaces, internet connection, LAN segmentation

One of the most common situations when the core is used as a remote access router or IIoT gateway is that the device is connected to the internet. A typical configuration is the following:

Suggested configuration

The configuration shows that:

  • XF10 is connected to the machine network

  • XF50 is connected to the company network

  • XF51 is connected to the internet and configured as unidirectional

Beware that:

  • This is just an example

  • If more interfaces are needed, ctrlX OS devices with more interfaces are available

  • Every interface can be set as a unidirectional interface

Here is the setting needed to make an interface unidirectional; in this case the selected interface is XF50.

XF50 as unidirectional interface

Selecting the two options has the following effects:

  • "Prevent user interface lockout": the web UI always remains reachable from the selected physical interface. We suggest keeping it active during setup and commissioning, to avoid being locked out, and deactivating it once the setup is done.

  • "Reject (or drop) all except established connection": the device will still be able to:

    • connect to the internet, VPNs and external services and servers

    • mount a remote directory

    • contact remote servers

    It won't be able to:

    • accept MQTT connections from that interface

    • accept OPC UA connections from that interface

    • accept any similar incoming connection

Routing

This section encloses the information contained in the following how-to:

We suggest reading the guides mentioned above at least once. With this new firewall version it is now really simple to set up a ctrlX OS device as the router for a network or a device port.

Routing settings example

The previous image shows what is needed to make the core the router for the 192.168.2.0/24 machine network:

  1. First step, not shown in the picture: the interfaces involved must have the "IP Forward" option active, see Settings > Network

  2. Add a new rule in Firewall > Routing with "192.168.2.0/24" as Destination and "Masquerade" as NAT Type

  3. Adapt the previous setting to the needed network(s)

Optionally, if the interface of some external device must be exposed by the ctrlX OS device itself, a Destination NAT rule can be set as shown in the picture. For example, the "DnatXM" rule forwards port 8234 to port 80 of 192.168.2.25, which means that port 8234 of the ctrlX OS device will show the XM22 web interface.
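To make the effect of these settings concrete, here is an added example, not part of the original guide and not the Firewall app's own code, that models the three mechanisms described above (the unidirectional interface with "Prevent user interface lockout", the Masquerade rule towards 192.168.2.0/24 and the "DnatXM" rule) as a small packet-handling simulation. The interface names XF10/XF50/XF51 and the addresses 192.168.2.0/24 and 192.168.2.25 come from the guide; every other address, the route table, the use of TCP for the DNAT rule and the assumption that the web UI is the HTTPS service on port 443 are constructed for the example. It also shows how the two Routing rules compose: a DNAT'ed packet whose new destination lies in 192.168.2.0/24 is masqueraded as well, so the XM22 answers to the core and needs no route back to the company network.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str    # ingress interface, or "local" for traffic the core itself sends
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    sport: int
    dport: int

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reply_key(self):
        # the tuple a reply to this packet carries, as seen by the core
        return (self.proto, self.dst, self.dport, self.src, self.sport)


# Constructed topology (assumption): the guide names XF10 (machine network), XF50
# (company network) and XF51 (internet, unidirectional); the addresses below are made
# up, only 192.168.2.0/24 and 192.168.2.25 come from the guide.
CORE_ADDR = {"XF10": "192.168.2.1", "XF50": "10.0.0.20", "XF51": "203.0.113.10"}
ROUTES = [("192.168.2.0/24", "XF10"), ("10.0.0.0/24", "XF50"), ("0.0.0.0/0", "XF51")]
UNIDIRECTIONAL = {"XF51"}
UI_PORT = 443    # assumption: the web UI is the HTTPS service
# Firewall > Routing rules from the guide: Masquerade towards the machine network and
# the "DnatXM" rule forwarding core port 8234 to 192.168.2.25:80 (TCP is assumed).
MASQUERADE_DST = [ip_network("192.168.2.0/24")]
DNAT_RULES = [{"name": "DnatXM", "proto": "tcp", "dport": 8234, "to": ("192.168.2.25", 80)}]


class Core:
    def __init__(self, prevent_ui_lockout=True):
        self.prevent_ui_lockout = prevent_ui_lockout
        # connection tracking: flow key as the far side sees it -> original packet
        self.conntrack = {}

    @staticmethod
    def egress(dst):
        # first matching route wins; ROUTES is ordered most specific first
        for net, iface in ROUTES:
            if ip_address(dst) in ip_network(net):
                return iface

    def handle(self, pkt):
        """Return (verdict, packet as it leaves or is delivered, egress interface)."""
        # 1. Replies to tracked flows pass and get their NAT undone: this is the
        #    "except established connection" part of a unidirectional interface.
        orig = self.conntrack.get(pkt.reply_key())
        if orig is not None:
            reply = replace(pkt, src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)
            if reply.dst in CORE_ADDR.values():
                return ("ESTABLISHED", reply, "local")
            return ("ESTABLISHED", reply, self.egress(reply.dst))
        # 2. New connections arriving on a unidirectional interface are rejected,
        #    except the web UI while "Prevent user interface lockout" is active.
        if pkt.iface in UNIDIRECTIONAL:
            ui = (self.prevent_ui_lockout and pkt.proto == "tcp"
                  and pkt.dport == UI_PORT and pkt.dst == CORE_ADDR[pkt.iface])
            if not ui:
                return ("REJECT", None, None)
        # 3. Destination NAT: a port of the core is redirected to a LAN device.
        out = pkt
        if out.dst in CORE_ADDR.values():
            for rule in DNAT_RULES:
                if out.proto == rule["proto"] and out.dport == rule["dport"]:
                    out = replace(out, dst=rule["to"][0], dport=rule["to"][1])
        # 4. Anything still addressed to the core is delivered locally (Input).
        if out.dst in CORE_ADDR.values():
            return ("INPUT", out, "local")
        # 5. Forwarded traffic: pick the egress interface (this is what "IP Forward"
        #    enables) and masquerade the source when the destination matches a
        #    Masquerade rule, so the LAN device answers the core instead of needing
        #    a route back. Source port collisions are ignored in this model.
        egress = self.egress(out.dst)
        if any(ip_address(out.dst) in net for net in MASQUERADE_DST):
            out = replace(out, src=CORE_ADDR[egress])
        self.conntrack[out.key()] = pkt
        return ("OUTPUT" if pkt.iface == "local" else "FORWARD", out, egress)


if __name__ == "__main__":
    core = Core()
    # an inbound OPC UA connection (tcp/4840) from the internet is rejected on XF51 ...
    print(core.handle(Packet("XF51", "198.51.100.9", "203.0.113.10", "tcp", 51000, 4840)))
    # ... while a company host reaching core port 8234 ends up at the XM22 on 192.168.2.25:80
    print(core.handle(Packet("XF50", "10.0.0.5", "10.0.0.20", "tcp", 40000, 8234)))
```

Running the script shows the two cases from the guide side by side: the new OPC UA connection on the unidirectional XF51 is rejected, whereas the same device can still open a VPN over XF51 and receive its replies, and the DNAT'ed request leaves on XF10 with source 192.168.2.1 and destination 192.168.2.25:80, with the XM22's answer translated back to 10.0.0.20:8234 on its way to the company host.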

Filtering

The user can set simple Forward, Input or Output rules, as in most common firewalls.

Filtering
