Internet Access Through WAN Port When Using Cellular Modem?

We currently use an eWon Flexy 205 for remote access to our equipment through a 4G cellular modem extension card, which works great.

I am now trying to add a device to our system which requires two separate ethernet connections. One connection for internet access, and a second connection to the LAN network to connect to our PLC.

Is it possible to connect this device to a WAN port on the flexy for an internet connection through the flexy’s cellular modem, and the other to a LAN port or the flexy which is also connected to our PLC?

I have read many topics about bridging LAN to WAN for internet access, but nothing about using the WAN port(s) for internet access. Is this possible? I do not want any other devices on the LAN to have an internet connection, but I need to be able to access these devices through the remote VPN connection.

Hi,

You can only have one connection to the internet at a time. You can set up 2 WAN connections, but only for failover.

You can also change all of the ports on the device to be LAN interfaces, if you want to use the current WAN port for internet access, but by definition a “WAN” port needs to connect to the Wide Area Network, or internet connected network, and does not connect to a single device.

What type of PLC do you have that requires the two ethernet connections? Most devices use a single cable for both LAN access and internet access.

Basically, you can probably set this up to satisfy your needs by allowing outbound internet access on the LAN side and using DNS or static routing to prevent the other devices from being able to access the internet. That way you can still access all the device from the VPN, and only the one device has internet access.

Kyle

Hi Kyle,

Thank you for the reply.

The device I am trying to connect is a Siemens MindSphere Nanobox (basically a specialized PC for IIoT). This device has one ethernet interface for its internet connection and a separate ethernet interface for its connection to the local network, where it will gather data to be pushed to the cloud. These ports can both be connected to the same network but both must be used and given their own addresses.

As you mentioned, I would like to have access to all devices on the LAN of the flexy through the VPN connection, but only allow internet access to the Nanobox. Is there a write-up somewhere on how to setup DNS or static routing on the flexy 205?

All you would need to do, is configure your LAN devices with static IP addresses and the default gateway (which will be the LAN address of the eWON) and then for the ones you do not want accessing the internet, set an unused IP address on the LAN subnet as the DNS address. Remember, the eWON is still behind a firewall, so unsolicited traffic from the internet is dropped.

You will also need to configure the eWON to allow WAN access to LAN:

Hi Kyle,

Thanks for your advice, this seems to be working as intended.

Do you have a recommendation for the WAN protection level for this application? It is currently set to “Allow All Traffic (no protection)”.

You should be ok to leave Allow All because there aren’t any other devices sharing that WAN connection. You carrier should have you segregated behind a firewall. If you want to give me the WAN IP address, I can check for you.

Kyle,

I thought we were in the clear, but I am having difficulty accessing my IPCs running Siemens WinCC Runtime Advanced when connected through the VPN. I have added the gateway IP to the ethernet interface of the PCs, but I am unable to reach them through the VPN. Any ideas?

Connection to PLC is working through VPN.

That’s odd. They should be accessible if the network settings are correct. How are you trying to communicate? Ping? Http? Rdp? Can you communicate with them from another device on the LAN?

I am trying to download a program to WinCC Runtime Advanced running on a PC using “Extended download to device” (see attached image from TIA Portal).

When I am plugged into the local network I can connect and download to this PC, but when using the eWon VPN I can not. I can, however, connect and download to my Siemens PLCs through the VPN so I know my connection is good.

I have added the eWon LAN address as the gateway in both the PC ethernet interface and the network settings of my WinCC runtime advanced program that is running on the PC, with no success.

I was able to connect to this PC before changing the “NAT on LAN (Plug’n Route)” parameter on the eWon. Any ideas?

Hi dfernley,

Can I jump on Teamviewer and take a look at this device/setup?

Thanks,
Tim

Hi Tim,

While tinkering this morning I discovered that if I turn off Windows firewall on the PC I am attempting to connect with through the VPN I am able to ping the PC, which I could not do yesterday.

This tells me that my VPN setup is working correctly and the issue is on the Siemens side of things, correct? If that is the case, would it still be of any benefit for you to view the setup through TeamViewer or should I turn my focus towards getting support from Siemens?

Thanks.

Are you still able to ping the Siemens PLC when you’re connected to the Flexy?

Yes. I can connect and download to my Siemens PLC just like I would if connected directly to the LAN, that part is working nicely.

Is there any other method of providing an internet connection to my MindConnect Nano without having to disable the Plug’n route feature? I was able to connect to the runtime PC before I changed that setting to set up internet access for the MindConnect Nano.

If you would still like to login to teamviewer and see the set up please let me know and I will download the application.

Unfortunately we don’t have another way to give internet access without having the Plug’n route disabled.

But I would like to try and take a look at the device on teamviewer if possible. Are you free today to try and work on this or would tomorrow work better?

I tried a few things yesterday and was actually able to get this to work by running my TIA portal software as administrator on my machine. After running as admin I was able to download to the PC through the VPN connection.

My next question, which incoming firewall rules do I need to enable in order to connect to the PC on the LAN side of the eWon through the VPN without completely disabling windows firewall on the machine?

Do you mean trying to do a remote desktop kind of thing on the PC?

Seems to be working for me, not sure if someone fixed it or not, but you can find all the docs here as well:

https://www.ewon.biz/technical-support/pages/all-documents

Ok, I messaged you through the website of the real problem I’m trying to take care of.

image001.png

You need to make sure:

NATItf = 2
FwrdToWAN = 1
VPNRedirect = 0
(in comcfg.txt - Setup > System > Storage > Edit COM cfg)

AND you are using the Ewon LAN address as the default gateway of your LAN devices, like your PC.

That will give you internet access.

Kyle

Not sure if online message was posted.

This may be a PC setting, although I have the firewall turned off and have tried various knowledgebase stuff here to get this working. I need to have a vendor be able to connect to a PC behind my 205 and have internet access when RDP into
that PC. I can connect through M2Web. I can’t ping the PC, but I can RDP into it. When I get there the PC does not have internet access (even locally it doesn’t). I believe I have gateway/dns set up correctly. Would you be able to Teamviewer/similar in
to take a look?

image001.png