HTTPS Request through Ewon?

Hi all,

At one of our machines we’re using a Beckhoff iPC as PLC. As it is Beckhoff, this iPC is running Windows 10 and a real-time PLC runtime. I will call this iPC the ‘device’ below.

Current situation:
Currently this device is hooked up to the customer's LAN network and constantly communicating with a server database using HTTPS requests (PUT & GET). The device sets up an HTTP client connection and sends out a URL. As a response it receives a JSON file from the server.
The device is set to DHCP and the server’s IP addresses are unknown (DNS server).
The device is connected to the Internet over the same connection.

Desired situation:
We want to isolate the device from the customer's LAN network to get it off the internet. At the same time we want to add an Ewon for remote access. Thus far no problems.
But is the Ewon capable of keeping the HTTP connection between device and server alive? In my opinion we cannot use the NAT function, as the server's IP address is unknown and the Ewon WAN port will be set to DHCP? Or is this a matter of port forwarding?

Are both the client and the server on the same network currently?

Hi Kyle,

That I don’t know. As I wrote below, the client is set to DHCP and the server is requesting an HTTPS URL. The server IP range is unknown.

The current client IP address is known but can be changed by the IP department over DHCP, so we can’t rely on IP-based routing.

As long as the communication is initiated by the device, which it sounds like, it should work, as long as you give the device a good DNS server address (one that can resolve the database server’s address), set the default gateway to be the Ewon’s LAN address, and set NATitf to 2 in the comcfg.txt settings (System > Setup > Storage > Edit COM cfg). You shouldn’t need to do NAT 1:1 or port forwarding unless the communication is initiated by the database server.

Thanks for the answer.

One doubt that I have; Won’t setting NatItf to 2 (NAT and TF on WAN) enable internet access to the LAN devices?
I understand that it’s mandatory for HTTP requests, but one of the goals is to get the Windows client PLC off the internet and stop forced Microsoft updates.

It won’t allow internet access to the LAN devices, but it will allow traffic from the LAN to the WAN, so yes, they would be able to reach out to Microsoft update servers. The Ewon isn’t really a configurable firewall, which is what it sounds like you need if you want to block access to certain sites. You could also use a DNS server which “blackholes” Microsoft’s update servers or only has the hosts you need in the lookup table.
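The "only has the hosts you need in the lookup table" idea from that last reply, as an added example that is not part of the original thread and not Ewon's own software: a small allowlist-only DNS resolver in Python. It parses each incoming query, forwards it to an upstream resolver only if the name (or its parent domain) is on the allowlist, and otherwise answers NXDOMAIN itself, so Windows Update hostnames simply fail to resolve. The allowlisted hostnames, the upstream resolver address and the listen address are all assumptions for illustration.

```python
import socket
import struct

# Assumed allowlist: only the names the device actually needs (hypothetical hosts).
# A name is allowed if it matches exactly or is a subdomain of an entry.
ALLOWLIST = {"db.example.com", "api.example.com"}

# Assumed upstream resolver (TEST-NET placeholder; replace with a real one).
UPSTREAM = ("192.0.2.53", 53)


def parse_qname(data, offset=12):
    """Return (qname, offset_after_name) for the question that starts at offset."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("compression pointer in question name")
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels).lower(), offset


def build_query(qname, qtype=1, txid=0x1234):
    """Build a standard recursive A query (used here to construct test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set
    name = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in qname.split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


def nxdomain_response(query):
    """Echo the question back with QR/RA set and RCODE=3 (NXDOMAIN), no records."""
    txid, flags = struct.unpack("!HH", query[:4])
    _, end = parse_qname(query)
    question = query[12:end + 4]  # name + QTYPE + QCLASS
    resp_flags = 0x8000 | (flags & 0x0100) | 0x0080 | 3  # QR, RD copied, RA, RCODE=3
    return struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0) + question


def rcode(message):
    """Return the RCODE of a DNS message (3 == NXDOMAIN)."""
    return struct.unpack("!H", message[2:4])[0] & 0x000F


def is_response(message):
    """True if the QR bit is set."""
    return bool(struct.unpack("!H", message[2:4])[0] & 0x8000)


def is_allowed(qname, allowlist):
    return qname in allowlist or any(qname.endswith("." + a) for a in allowlist)


def decide(query, allowlist=ALLOWLIST):
    """Return ("forward", qname, None) or ("refuse", qname, nxdomain_bytes)."""
    qname, _ = parse_qname(query)
    if is_allowed(qname, allowlist):
        return ("forward", qname, None)
    return ("refuse", qname, nxdomain_response(query))


def serve(listen=("0.0.0.0", 53), upstream=UPSTREAM, allowlist=ALLOWLIST):
    """Blocking UDP loop: answer refused names locally, relay the rest upstream."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        data, client = sock.recvfrom(512)
        try:
            action, _, resp = decide(data, allowlist)
        except (ValueError, IndexError, UnicodeDecodeError):
            continue  # malformed query: drop it
        if action == "refuse":
            sock.sendto(resp, client)
            continue
        up = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        up.settimeout(3)
        try:
            up.sendto(data, upstream)
            answer, _ = up.recvfrom(4096)
            sock.sendto(answer, client)
        except socket.timeout:
            pass  # client will retry
        finally:
            up.close()


if __name__ == "__main__":
    serve()
```

Two caveats go with this approach. The device has to be handed this resolver's address (statically or via the Ewon's DHCP options) and nothing else, and with NATitf set to 2 the Ewon still forwards any UDP/53 or plain-IP traffic the device sends elsewhere, so a client that hardcodes another resolver or connects to an IP literal is not stopped; as the reply above says, that needs a real firewall in the path rather than a DNS trick.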