Configure Proxy to Allow Traffic to 3rd Party Server

Hello,

I am setting up a Cosy 131 (4G - North America variant) to allow remote access to industrial equipment. While we are using the Cosy in the traditional VPN sense, our application demands 2-way TCP traffic on a continuous basis to a specific port of a device on the LAN.

I found this message: HTTP Port Forwarding, and the linked KB https://hmsnetworks.blob.core.windows.net/www/docs/librariesprovider10/downloads-monitored/manuals/knowledge-base/kb-0138-00-en-define-proxy-entries-on-cosy.pdf

We have followed all steps in this KB, but cannot establish a connection (in either direction) to the device behind the EWON.

The NAT 1:1 settings, as a debug step, seem to have an issue where they don’t apply until WAN reconnect. So an IP address supplied at configuration time is invalid on the next WAN reconnect.

I am not interested in exposing the entire device IP to the internet; I would simply like to establish port forwarding from WAN to LAN, and LAN to WAN, for a specific TCP connection.

Is this possible with the Cosy 131? Is the KB above the proper documentation? Is there a better way to achieve this configuration?

Hi Patrick,

I’ll look into this and let you know what I can find out.

Best Regards,
-Tim

To add more context, here is an image of what we are trying to do:

I would like to reiterate that NAT 1:1 doesn’t function for us with Cellular WAN, as we cannot enforce static IP assignment. So even as a debug step, I can’t open a path to the PLC behind the eWON that is a known good route to test.

Hi Patrick,

It sounds like you are simply trying to do port forwarding to the PLC. Those are the correct instructions you referenced above and they are the best way to achieve this. Make sure that you have followed all of the instructions and also set the default gateway of the PLC to be the Cosy’s LAN address. If you are still having issues, can you send me a backup of the Cosy (including Support files)?

Thank you,

Kyle

A couple of follow-up questions; I can get the support files shortly:

Are there specific parameters not mentioned in that document that need to be set to allow non-VPN traffic to work?
For example, the thread above in the comments mentions these:
NatItf = 2 (Nat and TF on WAN)
VPNRedirect = 0 (Allow traffic outside the VPN tunnel)
FwrdToWAN = 1 (Forward LAN traffic to WAN)

Do these need to be set as well?
Are there other undocumented settings that need to be applied to the configuration?

That’s correct. If you want the traffic to go through the WAN and not the VPN, you would set those 3 settings, and it’s also important to set the default gateway on the LAN device and the DNS server if necessary.

Hi Kyle,

Applying these settings allowed our application to work. Thank you. I would maybe suggest a revision to the PDF KB to include these other settings; I can’t imagine the proxy being very useful with an already established VPN. It seems to only apply to the case where you want things exposed to the wider internet intentionally.

A second set of questions, now that our POC device is running: what’s the recommended way to handle scale-up? We are anticipating a growing volume of these devices that require this configuration. I saw a note regarding being careful about backup restore because of cross-linking Talk2M settings. Is there an elegant way to instruct service technicians on setting up a new device as part of initial commissioning? (Aside from getting them into the full weight and force of the COM cfg parameter list?)

Thanks again.

I agree that the documentation process is not very complete for this. I will get it re-written for future users. Thank you for pointing it out.

I would recommend the USB provisioning for a quick and easy way for technicians to set these up. They can insert a USB drive with the comcfg.txt file and T2M.txt which will automatically import the settings and the Talk2m account information needed. (you can also use a complete backup of a device by including the backup.tar file, but make sure to make the backup before adding the device to the Talk2m account, as this will create a duplicate device and cause problems.)
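As an added example (not HMS code, nor anything posted in this thread), here is a small pre-commissioning check a technician could run against a comcfg.txt before copying it to the USB drive. It reads the three parameters named earlier in the thread (NatItf, VPNRedirect, FwrdToWAN) and reports any that are missing or set to a value other than the one given. It assumes the file is a list of `Key:Value` lines with `#` comments; that format, and the sample file contents, are assumptions made for the example, not taken from the thread or the KB.

```python
"""Check an Ewon comcfg.txt-style file for the WAN port-forwarding settings.

Added example, not HMS code. Assumption: the file is one ``Key:Value`` per
line, blank lines and lines starting with '#' are ignored, and if a key
repeats the last occurrence wins. The three required parameters and their
values are the ones stated in the thread above.
"""
from typing import Dict, List

# Settings the thread says are needed for non-VPN traffic to reach the LAN device via WAN.
REQUIRED: Dict[str, str] = {
    "NatItf": "2",       # NAT and transparent forwarding on WAN
    "VPNRedirect": "0",  # allow traffic outside the VPN tunnel
    "FwrdToWAN": "1",    # forward LAN traffic to WAN
}


def parse_comcfg(text: str) -> Dict[str, str]:
    """Parse Key:Value lines into a dict (assumed format; last duplicate wins)."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # no separator: malformed line, skipped
        cfg[key.strip()] = value.strip()
    return cfg


def check_forwarding_settings(cfg: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means all three settings match."""
    problems: List[str] = []
    for key, expected in REQUIRED.items():
        actual = cfg.get(key)
        if actual is None:
            problems.append(f"{key} missing (expected {expected})")
        elif actual != expected:
            problems.append(f"{key}={actual} (expected {expected})")
    return problems


# Constructed sample files (not real device exports).
SAMPLE_INCOMPLETE = """# constructed sample: forwarding left at non-WAN values
NatItf:1
VPNRedirect:1
"""

# Same file with the three thread-specified lines appended; last value wins.
SAMPLE_COMPLETE = SAMPLE_INCOMPLETE + "NatItf:2\nVPNRedirect:0\nFwrdToWAN:1\n"


if __name__ == "__main__":
    for name, text in (("incomplete", SAMPLE_INCOMPLETE), ("complete", SAMPLE_COMPLETE)):
        problems = check_forwarding_settings(parse_comcfg(text))
        print(f"{name}: {problems if problems else 'OK'}")
```

Running it prints three problems for the first sample (two wrong values and one missing key) and `OK` for the second. The check deliberately reports only these three keys; the proxy entries from the KB and the Talk2M details in T2M.txt are outside what the thread specifies, so it does not try to validate them.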