Internet access and default gateway problem

Hello,

I have this architecture:

I need access to both Device1 and Device2 from VPN. It works with the default settings.

But I also need Device2 to access a public IP like 8.8.8.8, so I tried
NatItf = 2
VPNRedirect = 0
FrwrdToWAN = 1
Changed default gateway of Device2 to the Ewon IP

I’m able to access Device2, and it is able to access 8.8.8.8.
But I lost access to Device1 because its default gateway is 172.16.0.254 and CANNOT BE CHANGED.

Is there a way to give Device2 access to 8.8.8.8 without losing access to Device1?

The info here is helpful, but I’m still confused about what exactly is going on. Could you explain more about the problem you are solving with this application? Does the main router also have internet access? Since it says VPN access there, does that mean you are using the Cosy as a backup? What exactly are Device1 and Device2?

What were the conditions like that allowed Device1 to work properly?

Regards,
Jack

Yes, the Cosy is a backup here.

Device1 is an intelligent battery that runs a web server so we can monitor it (managed by Company1).
Device2 is the SCADA server, which we need to access to monitor the whole system and which needs to send data to our SFTP server (managed by Company2, as is the Cosy; I’m from Company2).

The main router should have internet access, but currently the VPN access doesn’t work, and there are strict firewall rules on it that don’t allow us to send data through SFTP (managed by Company3).

We know that it can take months for Company3 to solve the VPN issue and to add a firewall rule (to our SFTP server). That’s why we want to use the Cosy instead.

So if I put NatItf = 3, Company1 and Company2 have access to Device1 and Device2 from the Cosy.
But Device2 doesn’t have internet access, so it cannot send data to our SFTP server. → Device1 works properly but not Device2.

If I put NatItf = 2 (which disables Plug’n Route) and I change the gateway of Device2 to the Cosy IP, Device2 is still accessible, and now it has internet access. But Device1 becomes unreachable, because its default gateway is still the main router.

My feeling is that it is impossible, but maybe there is a way to enable Plug’n Route (to access Device1 without the gateway configured properly) and give internet access to Device2.

The issue is related to where the traffic is initiated from. With Plug’n Route, it’s still possible to have traffic go from WAN to LAN. When you want a LAN device to reach the WAN, you have to use NatItf = 2. So to allow a device to reach the internet or anything on the WAN side, you will have to set the gateway address on that device.

Regards,
Jack
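The direction-of-initiation point Jack makes above can be modelled mechanically. The following is an added example, not code from the thread and not Ewon firmware: a minimal simulation of a LAN device with a two-entry routing table and a Cosy that either rewrites the source of VPN-originated packets to its own LAN address (the Plug’n Route behaviour, NatItf = 3) or does not (NatItf = 2). All addresses except 172.16.0.254 and 8.8.8.8 are assumptions chosen for the model (the Cosy LAN IP, the VPN client IP, the Device1/Device2 IPs); the `Cosy`, `Host` and `scenario` names are the example’s own. The model reproduces both observations from the thread: with NatItf = 3 both devices answer the VPN because their replies are addressed to the Cosy itself, but Device2 cannot originate traffic to the WAN; with NatItf = 2 and the Cosy as gateway Device2 gets out, while Device1 (gateway fixed to the main router) sends its replies to the wrong box.

```python
"""Simplified model of Ewon Plug'n Route (NatItf=3) versus NAT on WAN (NatItf=2).
Added example only: this is not Ewon code and ignores ARP, firewall rules and
anything beyond the routing/NAT decision the thread is about."""
import ipaddress
from dataclasses import dataclass, field

# 172.16.0.254 and 8.8.8.8 come from the thread; every other address is assumed.
LAN = ipaddress.ip_network("172.16.0.0/24")
MAIN_GW = "172.16.0.254"      # main router: Device1's gateway, cannot be changed
COSY_LAN = "172.16.0.53"      # assumed Cosy LAN IP
VPN_CLIENT = "10.8.0.2"       # assumed address of the VPN client PC
DEVICE1 = "172.16.0.10"       # assumed
DEVICE2 = "172.16.0.20"       # assumed
INTERNET = "8.8.8.8"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass
class Host:
    ip: str
    gateway: str

    def next_hop(self, dst: str) -> str:
        # Two-entry routing table: on-link for the LAN prefix, else the default gateway.
        return dst if ipaddress.ip_address(dst) in LAN else self.gateway


@dataclass
class Cosy:
    lan_ip: str
    nat_itf: int                      # 3 = NAT on LAN (Plug'n Route), 2 = NAT on WAN
    conntrack: dict = field(default_factory=dict)

    def vpn_to_lan(self, pkt: Packet) -> Packet:
        """Forward a VPN packet to the LAN. With Plug'n Route the source is
        rewritten to the Cosy's own LAN IP, so the device's reply is on-link
        and comes back here regardless of the device's default gateway."""
        if self.nat_itf == 3:
            self.conntrack[(pkt.dst, self.lan_ip)] = pkt.src
            return Packet(self.lan_ip, pkt.dst)
        return pkt

    def lan_to_vpn(self, pkt: Packet) -> Packet:
        """Undo the translation for a reply that reached the Cosy."""
        original_src = self.conntrack.get((pkt.src, pkt.dst))
        return Packet(pkt.src, original_src) if original_src else pkt


def vpn_can_reach(cosy: Cosy, device: Host) -> bool:
    """VPN client -> device -> reply. The reply only gets back over the VPN if
    the device's routing sends it to the Cosy (the main router has no working
    VPN path in this thread)."""
    request = cosy.vpn_to_lan(Packet(VPN_CLIENT, device.ip))
    reply = Packet(device.ip, request.src)
    if device.next_hop(reply.dst) != cosy.lan_ip:
        return False          # reply went to the main router, never to the VPN
    return cosy.lan_to_vpn(reply).dst == VPN_CLIENT


def device_can_reach_wan(cosy: Cosy, device: Host, dst: str = INTERNET) -> bool:
    """Device-initiated traffic to a public IP. There is no conntrack entry to
    help: the device's own default gateway must be the Cosy, and the Cosy must
    be doing NAT on its WAN side (NatItf=2)."""
    if device.next_hop(dst) != cosy.lan_ip:
        return False          # goes to the main router, whose firewall blocks it
    return cosy.nat_itf == 2


def scenario(nat_itf: int, device2_gateway: str) -> dict:
    """The two configurations tried in the thread, as a reachability table."""
    cosy = Cosy(COSY_LAN, nat_itf)
    device1 = Host(DEVICE1, MAIN_GW)            # gateway cannot be changed
    device2 = Host(DEVICE2, device2_gateway)
    return {
        "device1_from_vpn": vpn_can_reach(cosy, device1),
        "device2_from_vpn": vpn_can_reach(cosy, device2),
        "device2_to_internet": device_can_reach_wan(cosy, device2),
    }


if __name__ == "__main__":
    print("NatItf=3, Device2 gw = main router:", scenario(3, MAIN_GW))
    print("NatItf=2, Device2 gw = Cosy:        ", scenario(2, COSY_LAN))
```

One side effect of the Plug’n Route rewrite is worth keeping in mind when the web server on Device1 is audited: in this model every VPN user reaches the device with the Cosy’s LAN address as source, so the device’s own access logs cannot distinguish between Company1 and Company2 users; per-user attribution has to come from the Cosy or the VPN side instead.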

Thank you for your response.
According to this, I will have to keep NatItf=2 and fix the gateway of Device2 to the Cosy IP.

Device1 has nothing to do with the WAN side; it only needs to be accessible from the VPN. You seem to say that it doesn’t need the gateway, but for now I cannot access it from the VPN. Is that right?

Is there any other parameter that could affect the accessibility of Device1 when NatItf=2?

The device has to do with the WAN side in the sense that it is trying to reach the internet. My point was that the connection between the device and the internet will require the gateway address, because you have to set NatItf=2, which means no Plug’n Route to handle the gateway automatically.

Regards,
Jack