The WAN (corporate network) and LAN (machine network) side of the StrideLinx router are separated by the internal firewall. However, you can allow local WAN to LAN traffic by adding a 1:1 NAT rule. This way you can access the machine from inside the local corporate network, without having to establish a VPN connection first. For security reasons, 1:1 NAT does not work for the cellular connection. This is to prevent your machine from being directly exposed to the internet.
How it works: when you are inside the local corporate network, you access the virtual IP address used in the 1:1 NAT rule. The StrideLinx router's 1:1 NAT rule will then forward the network traffic to the destination IP address, resulting in a connection from your computer to the machine.
1:1 NAT or Port forwarding, what's the difference?
There are technical differences between the two, but 1:1 NAT and Port forwarding both serve the same purpose: being able to connect to the machine from inside the local corporate network. The most important differences are compared below.
If you're unsure which communication port is used or if multiple ports are used, 1:1 NAT is easier to configure. With Port forwarding, you are required to specify a communication port, and only traffic that uses that port is allowed through. With 1:1 NAT, you are allowed to specify a communication port, but you are not required to.
If you're looking to communicate with more than 1 device behind the StrideLinx router, it's again easier to set this up using 1:1 NAT. With Port forwarding, each rule requires the use of a different external port. This in turn means that your computer's software needs to use a custom port to communicate with the other devices behind the StrideLinx router. With 1:1 NAT, this is not required and your software can just use its default communication port.
Configure 1:1 NAT
Follow the steps below to configure 1:1 NAT.
- You may need to consult the local IT in preparation for 1:1 NAT:
  - If you only need to access 1 device in the machine network and have configured a static WAN IP address, you can use that IP address in the 1:1 NAT configuration. Continue with configuring 1:1 NAT below.
  - If you only need to access 1 device in the machine network and you have not configured a static virtual IP address, consult the local IT about which IP address you can use for your 1:1 NAT rule. The local IT needs to reserve this IP address to prevent it from being used by other devices and causing an IP conflict.
  - If you need to access more than 1 device in the machine network, consult the local IT on which IP addresses you can use for your 1:1 NAT rules. The local IT needs to reserve these IP addresses to prevent them from being used by other devices and causing an IP conflict.
- Go to Fleet Manager > Devices and click on your device name.
- In the left menu, go to Network > Firewall.
- Under WAN to LAN, you can add 1:1 NAT separately for a wired WAN connection (click on Add Ethernet 1:1 NAT rule) and a wireless WAN connection (click on Add Wi-Fi 1:1 NAT rule), depending on how you have your StrideLinx router connected to the local corporate network.
- Enter the requested information (details below) and click on Add.
| Field | Description |
| --- | --- |
| Virtual IP address | This IP address needs to be within the WAN network and will be mapped to the destination IP address. Make sure to check step 1 to see if you need to consult the local IT for an available IP address. |
| Source IP address (optional) | Only allow network traffic coming from this IP address. This prevents other devices from being able to access your machine. Leave empty to allow traffic from all devices. To allow traffic from multiple devices, create an identical 1:1 NAT rule with a different source IP address. |
| Destination IP address | This is the IP address of the machine (PLC, HMI, or other). |
| Protocol | Select the allowed communication protocol. |
| Destination port (optional and only available if protocol "tcp" or "udp" is selected) | Only allow network traffic that uses this communication port. This prevents devices from being able to access your machine using other communication ports. Leave empty to allow traffic over all ports. To allow traffic over multiple ports, create an identical 1:1 NAT rule with a different destination port. |
| Description (optional) | Enter a description for this specific 1:1 NAT rule. |
- Repeat step 4 for every device you need to access.
You have now made the changes in the StrideLinx Cloud, but these are not yet active in your device. You will need to push your changes to your device for them to take effect.
Temporary disconnect: After this next step, the config push, the device may temporarily disconnect and LAN communication may be temporarily interrupted while it's applying the new settings. This only takes a moment.
- Click on Push config to device in the top right corner.
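Before entering rules in Fleet Manager, it can help to review a planned rule set offline. The following is an added example, not StrideLinx code or an API of the product: the `NatRule` class, the `lint` and `forward` functions, the exact-match handling of the protocol field, and all IP addresses are assumptions constructed to mirror the field table above. It flags rules whose optional source IP or destination port was left empty and shows which WAN packets a rule set would forward.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class NatRule:
    # Hypothetical model; field names mirror the 1:1 NAT field table.
    virtual_ip: str
    destination_ip: str
    protocol: str                           # e.g. "tcp" or "udp"
    source_ip: Optional[str] = None         # None = field left empty
    destination_port: Optional[int] = None  # None = field left empty

def lint(rule, wan_network):
    """Return review findings for one planned rule."""
    findings = []
    if ipaddress.ip_address(rule.virtual_ip) not in ipaddress.ip_network(wan_network):
        findings.append("virtual IP is outside the WAN network")
    if rule.source_ip is None:
        findings.append("no source IP: every WAN device can reach the machine")
    if rule.protocol in ("tcp", "udp"):
        if rule.destination_port is None:
            findings.append("no destination port: all ports are reachable")
    elif rule.destination_port is not None:
        findings.append("destination port only applies to tcp or udp")
    return findings

def forward(rules, src_ip, dst_ip, protocol, dst_port):
    """Return the machine IP a WAN packet is forwarded to, or None if no rule matches."""
    ip = ipaddress.ip_address
    for r in rules:
        if (ip(dst_ip) == ip(r.virtual_ip) and r.protocol == protocol
                and (r.source_ip is None or ip(src_ip) == ip(r.source_ip))
                and (r.destination_port is None or r.destination_port == dst_port)):
            return r.destination_ip
    return None

# Constructed sample: WAN 10.20.0.0/24, machine network 192.168.140.0/24.
WAN = "10.20.0.0/24"
RULES = [
    # Two identical rules with different source IPs allow two engineering PCs.
    NatRule("10.20.0.50", "192.168.140.10", "tcp", "10.20.0.7", 502),
    NatRule("10.20.0.50", "192.168.140.10", "tcp", "10.20.0.8", 502),
    NatRule("10.20.0.51", "192.168.140.11", "tcp"),  # optional fields left empty
]

if __name__ == "__main__":
    for r in RULES:
        print(r.virtual_ip, r.source_ip, lint(r, WAN) or "ok")
    print(forward(RULES, "10.20.0.9", "10.20.0.50", "tcp", 502))
```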