How to set up a LAN device to have Internet Access

I’m interested in using a Cosy131 with cellular to allow ‘restricted’ access to the internet by a LAN device. I want only this device (not the entire LAN) to be allowed outgoing traffic. Is this possible with the Cosy? If so, is there an application note that can help me with the setup.

Mike

Hello Mike,

I’ll look into this and get back to you with some more information.

For the time being, here is a post covering allowing internet through the Cosy: Sending emails using HMI

Regards,
Deryck

Thanks for the feedback. I had a look at the link. It would get me by, but would be a security risk for the entire LAN. At this point, I’ll wait to see if there is an alternative solution with either the Flexy or a different configuration with the Cosy. Thanks for looking into it.

Mike

We might have an option using NAT on the Flexy that would allow you to limit the access to one device. I need to look into it a little bit more to make sure it will work as expected.

Deryck

Hello @mcoppola,

We have tested a few options, but it looks like we can’t reliably allow only one device to access the internet. The only option will be to allow internet on the LAN, which will provide access to all the devices.

One option, while not perfect, would be to not set the gateway on the other LAN devices. This will prevent them from knowing they can reach the internet via the eWon. This will also prevent you from being able to connect to them through eCatcher.

Deryck

Thanks for looking into it. I’ll have to look into other options for now.

Mike

Is this still not possible?

Unfortunately no, this is not possible. The only workaround would be not giving the devices you don’t want to access the internet a good DNS server so that they cannot resolve domain names. They would, however, still be able to use IP addresses.

What is the use case? What are you trying to prevent?

In my case the network behind the Cosy 131 contains:

  • Windows IOT PC
  • B&R PLCs
  • Raspberry Pi

The only device that needs internet is the Raspberry Pi.
I already let internet through the Cosy 131.
I don’t want the Windows IOT PC to update automatically, so I turned that off. But the computer and PLC have internet.
I am worried that the PC/PLC can easily be hacked.

OK, so keep in mind that giving them internet access is not the same as exposing them to the internet. Only outbound communication is allowed. I would recommend leaving the DNS setting blank, or setting a fake DNS address, like 10.10.10.10, for example, so that they cannot reach out to domains on the internet. The only remaining risk would be that they reach out to an IP address, and they will not do that unless programmed to do so.

You could change the default gateway on the devices which would prevent them from being able to access the internet, but that will also make them inaccessible through eCatcher. This would only be a good solution if you don’t need remote access to them.

Thanks for your response. Leaving the standard gateway blank is not really a solution if you want to access the devices. Anyway, I think the risk is not very big, so I will leave it this way.
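
Added example, not part of the thread and not eWON code: a self-check to run on a Linux LAN device to confirm what the workarounds above leave open (gateway unset, DNS blank or fake, outbound connection by IP address). It assumes the `ip` command is available; the script name, function names and command-line arguments are hypothetical, and the probe target should be a server you operate.

```python
import socket
import subprocess
import sys

def default_gateway(ip_route_output):
    """Return the default gateway from `ip route` output, or None if unset."""
    for line in ip_route_output.splitlines():
        fields = line.split()
        if fields[:1] == ["default"] and "via" in fields[:-1]:
            return fields[fields.index("via") + 1]
    return None

def names_resolve(hostname):
    """Live probe: does the configured DNS server resolve a domain name?"""
    try:
        socket.getaddrinfo(hostname, 443)
        return True
    except OSError:  # socket.gaierror is a subclass of OSError
        return False

def tcp_reachable(ip, port=443, timeout=3.0):
    """Live probe: can this device open an outbound TCP connection by IP?"""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def findings(gateway, dns_ok, ip_egress_ok):
    """Map the observations onto the trade-offs described in the thread."""
    out = []
    if gateway is None:
        out.append("no default gateway: no internet and no access through eCatcher")
    if not dns_ok:
        out.append("domain names do not resolve (DNS blank or fake)")
    if ip_egress_ok:
        out.append("outbound connection by IP address succeeded: egress still possible")
    return out

if __name__ == "__main__":
    # Assumed usage: python3 egress_check.py <hostname> <IP of a server you operate>
    routes = subprocess.run(["ip", "route"], capture_output=True, text=True).stdout
    gw = default_gateway(routes)
    print("default gateway:", gw)
    for line in findings(gw, names_resolve(sys.argv[1]), tcp_reachable(sys.argv[2])):
        print("-", line)
```

With a fake DNS server configured, the name lookup can take several seconds to time out before the result is reported.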