  • I have an industrial machine. The vendor has added an industrial VPN box (device A below) and has set all the devices on the LAN to use it as the gateway.
  • The vendor is extremely security conscious and will not set up (if possible) NAT rules to allow me to communicate with the devices on the machine LAN. This prevents me collecting machine data as well as giving remote support from the office or from home.


What is the correct terminology or name for device B that would feature,

  • A WAN and LAN port.
  • Ability to set multiple WAN addresses and tie or forward requests to these addresses to specific LAN addresses.
  • Make the requests appear as local so that the response doesn't require the use of the gateway (which would send the response off in the wrong direction).

Is it a class of reverse proxy? I presume that this problem has been solved many times before and that a Linux configuration could help. What search terms should I use?

Many thanks.

  • Do you have complete configuration control over both routers?
    – Ramhound
    Commented May 31, 2022 at 11:36
  • Either eliminate B or put it underneath A. I suggest eliminating it and ensuring A can do all you need. Just have one entry point to the internet and then you will just have one gateway. Keep it simple.
    – anon
    Commented May 31, 2022 at 11:53
  • 'A' being a VPN Server presumably, what exactly prevents you from connecting to its VPN to access the machine LAN for "collecting machine data as well as giving remote support from the office or from home"?
    – xenoson
    Commented May 31, 2022 at 12:25
  • @Ramhound, no. I have control over B but the vendor has control over A.
    – Transistor
    Commented May 31, 2022 at 12:57
  • @John, that wouldn't work if A is firewalling inbound traffic and I need separate NAT forwarding rules for 1:1 WAN-LAN addresses.
    – Transistor
    Commented May 31, 2022 at 12:58

1 Answer


a) It really sounds a lot like a regular router (aka gateway). All features you've listed are the usual NAT (SNAT and DNAT) that routers are typically capable of.

For example, the 2nd item is regular DNAT (aka "port forwarding"), only with more specific match parameters – what you need is a router that allows matching on "external IP" in the DNAT rules, which many actually do. Similarly, the 3rd item is the same kind of SNAT (aka "masquerading") that many routers already do on the WAN interface, only in your case it's done exiting the LAN interface instead.

So the main thing to look for is whether the router's firmware is flexible enough, i.e. what you want is not the specific "home/office wireless" kind of router that assumes a fixed use case, but a more generic "enterprise router" that lets you build its behavior from scratch. (I don't know if that's actually the right term – it doesn't have to be enterprise-priced, of course – but really the problem is that it is just a generic router. Sometimes "enterprise firewall" might also fit.)

As a specific example, devices with RouterOS or OpenWRT should have the necessary capabilities. A computer with two Ethernet ports running an OS capable of routing and NAT (e.g. any Linux with nftables/iptables, or some BSD variant with pf) would also do the job fine.

b) That being said, everything could also be done with a "reverse proxy"; the main difference is that proxies work at higher layers, e.g. instead of raw IP packets they deal with TCP connections or even individual HTTP requests, so you need to choose it based on what kind of communications you'll be performing.

But this actually means your 3rd feature is "built in" to all reverse proxies, as internally the proxy would establish a whole new connection from its own LAN address – instead, preserving the source address would be harder.

Reverse proxies also somewhat overlap with "load balancers" (many advertise themselves as both). They aren't necessarily dedicated devices or appliances; commonly they're just software running on a general computer, such as Nginx, HAProxy, or relayd.

So if your requests are all HTTP-based, then an HTTP reverse proxy would work (it could even add HTTPS on the WAN side while still talking plaintext HTTP internally), but many proxies/balancers can do raw TCP as well. (I think generic UDP support is less common though, but not nonexistent.)

In both cases, I think "WAN and LAN ports" isn't really what you're looking for. I'd say quite the opposite – an enterprise router that doesn't have such ports pre-defined (and just has Ethernet1, Ethernet2, etc.) is more likely to be flexible enough for your purposes than a router which does.
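As an added example (not part of the question or the answer above), here is what option (a) looks like on a Linux box with two Ethernet ports acting as "device B": a script that builds an nftables ruleset with one DNAT rule per WAN address (matching on the external IP, not just a port, so the mapping is 1:1 and covers VNC and industrial protocols as well as HTTP) and a masquerade rule on the LAN side, so the machine-LAN hosts see B's own LAN address as the source and reply to B directly instead of to the vendor-set gateway A. The interface names, the 203.0.113.x WAN addresses and the 192.168.10.x LAN addresses are constructed for illustration; B must actually hold those WAN addresses (e.g. as secondary addresses on its WAN interface) for the rules to see any traffic.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset for a Linux "device B" that
# does 1:1 DNAT from each WAN address to one machine-LAN host, plus
# masquerading on the LAN interface so replies come back to B rather than
# being sent to the vendor's gateway (device A).
# Interface names and addresses are assumptions, not from the original post.

WAN_IF=eth0      # assumed: B's WAN-side interface
LAN_IF=eth1      # assumed: B's interface on the machine LAN

# Constructed mapping: "WAN_ADDRESS LAN_ADDRESS" pairs, one per line.
MAPPINGS='
203.0.113.10 192.168.10.50
203.0.113.11 192.168.10.51
'

# Print a complete nftables ruleset to stdout.
build_ruleset() {
    printf 'table ip b_nat {\n'
    printf '  chain prerouting {\n'
    printf '    type nat hook prerouting priority dstnat;\n'
    printf '%s\n' "$MAPPINGS" | while read -r wan lan; do
        [ -n "$wan" ] || continue
        # Match on the specific external IP so each WAN address maps to
        # exactly one LAN host, for every protocol (no port restriction).
        printf '    iifname "%s" ip daddr %s dnat to %s\n' "$WAN_IF" "$wan" "$lan"
    done
    printf '  }\n'
    printf '  chain postrouting {\n'
    printf '    type nat hook postrouting priority srcnat;\n'
    # SNAT (masquerade) when exiting the LAN interface: the machine-LAN host
    # sees B's LAN address as the source, so its reply never needs gateway A.
    printf '    oifname "%s" masquerade\n' "$LAN_IF"
    printf '  }\n'
    printf '}\n'
}

# Number of DNAT rules the ruleset contains (sanity check: one per mapping).
count_dnat_rules() {
    build_ruleset | grep -c ' dnat to '
}

# To apply on device B (root, nftables installed):
#   sysctl -w net.ipv4.ip_forward=1
#   build_ruleset | nft -f -
build_ruleset
```

Running the script prints the ruleset so it can be reviewed before piping it into `nft -f -`; the masquerade rule is the "SNAT exiting the LAN interface" the answer describes, and the `ip daddr ... dnat to ...` lines are the DNAT rules that match on the external IP. Because the DNAT rules carry no port or protocol match, every inbound connection to a given WAN address reaches one LAN host, which is the individual WAN-to-LAN address mapping the question asks for.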

  • Thank you for your detailed considerations. I think "masquerading" is the term I'm looking for! My traffic isn't just HTTP - it will include industrial protocols and VNC, etc. I think I need to avoid any kind of port forwarding for now.
    – Transistor
    Commented May 31, 2022 at 18:31
  • @Transistor: "Ability to set multiple WAN addresses and tie or forward requests to these addresses to specific LAN addresses" is basically what people call "port-forwarding". Commented May 31, 2022 at 18:32
  • OK. I've only seen it used where a user has one Internet IP address so forwards inbound on port 80 to host1:80 and forwards inbound on port 81 to host2:80 (or that kind of setup). I'll dig deeper. I need individual WAN addresses mapped to individual LAN addresses.
    – Transistor
    Commented May 31, 2022 at 18:53
