NAT 1:1 on Flexy not working

dewaldz · April 12, 2019, 3:13pm

Trying to get NAT 1:1 setup using Tim B’s great setup guide and not having luck.
I’m trying to access both a Siemens PLC and an Automation Direct C-more HMI behing the Flexy via the Wan side.

I can access the PLC and HMI remotely just fine thru the cloud, but my customer’s maintenance people want to get there also thru their plant WAN.

I have followed Tim’s guide exactly and can’t get it to work at all.

The Flexy’s Wan port is on a static address 192.168.40.1. It’s Lan ports are at 10.16.61.1.
The Siemens S7 PLC is on the Lan side as 10.16.61.10 and the HMI is 10.16.61.20.

I have Allow all traffic on Wan button checked.
I have Wan IP forwarding box checked.

I have Nat on Lan (Plug’n Route selected), and enable transparent forwarding checked.
I have Nat 1:1 on Wan mapping selected.

My Nat routes are:
Lan 192.168.40.10 mapped to 10.16.61.10 (PLC) and
Lan 192.168.40.20 mapped to 10.16.61.20 (HMI)

On the Wan side with my laptop (with laptop set to a 192.168.40.x subnet address, I can ping 192.168.40.1 (Ewon Wan IP) just fine, but I canot ping either 192.168.40.10 or 192.168.40.20, nor can I initiate a browser or other connection to either.

If I put the Laptop on the Lan side, I can do either and hit the devices just fine.
Seems my NAT is not routing thru the Ewon.

Oh, and FWRDtoWAN=1, WANITFPROT=2, NATITF=3 were already set when I looked in the tabular section.

Any ideas?

kyle_HMS · April 12, 2019, 3:16pm

You need to disable NAT on LAN (Plug n Route) and set it to NAT on WAN. This is the same as setting NATItf=2. Reboot and it should work fine.

kyle_HMS · April 12, 2019, 3:22pm

Also, keep in mind that after changing that setting, you will need to make sure that all of your LAN devices have the default gateway set to be the LAN address of the Flexy.

kyle_HMS · April 12, 2019, 3:32pm

I am sorry, I misunderstood that. Please disregard my previous posts. Is there a phone number we can reach you at and then take a look with Teamviewer?

dewaldz · April 12, 2019, 3:36pm

If I do this, do I then have to setup the Ewon as a gateway on both the PLC’s and HMI’s IP configurations?

kyle_HMS · April 12, 2019, 3:37pm

Which device and firmware are you running?

dewaldz · April 12, 2019, 5:10pm

Tried that and still nothing.

dewaldz · April 12, 2019, 5:10pm

Flexy 205 Firmware 13.2S1

Any configs or logs I can upload?

I can be reached by a cell phone and we can do a team viewer also but dont want to post it in a public forum if this isnt a private convo.

dewaldz · April 12, 2019, 5:10pm

Flexy 205 V13.2S1

kyle_HMS · April 12, 2019, 5:13pm

We remove any personal info before approving any post and we can also make it a private thread.

dewaldz · April 12, 2019, 8:29pm

I have teamviewer installed on my laptop.

dewaldz · April 12, 2019, 8:29pm

Ready whenever you are. I have teamviewer on my laptop.

kyle_HMS · April 19, 2019, 12:23pm

Hey Dave,

Sorry for the delay. Did you ever send me a backup of this device? I have been able to duplicate the issue with another Flexy this week, but have 2 other devices with the same firmware where it works, so I’m trying to figure out what the link is. If you can make a backup with support files and reply with it attached, it will be securely sent to me.

Kyle

dewaldz · April 19, 2019, 7:04pm

Yes you downloaded a backup via teamviewer when you were connected. If you have lost it I can probably find it on my laptop on Monday.

system · April 22, 2019, 12:24pm

kyle_HMS · April 22, 2019, 12:26pm

Hi Dave,

I’m unable to locate the backup so if you could send me a new one that would be great.

Please make sure to check “Include Support Files” in eBuddy.

Thanks,

Kyle

dewaldz · April 22, 2019, 6:45pm

Here’s the backup attached.

Let me know what you think.

Dave Ewaldz

Project Engineer

Martin Automatic Inc.

MOVED TO STAFF NOTE (180 KB)

kyle_HMS · April 22, 2019, 8:58pm

Please try switching the addresses. Your LAN address should be NAT11In1 and the WAN Address should be NAT11Out1.

dewaldz · April 23, 2019, 4:15pm

That’s how they were.

My company Wan is IP subnet 192.168.40.x

My machine Lan is 10.16.61.x

I tried swapping them as you suggest and no luck.

Two questions:

1.) Does NAT 1:1 pass pings to/from Wan to Lan?

2.) What ports should be passed automatically thru the NAT- all, or just port 80? Siemens PLC’s use tcp port 102 for connections.

I tried using the Networking Proxy feature to reach my HMI and PLC as described in KB-0149-00 “Reach your PLC via the eWON proxy feature” and of course that works,

but we don’t really want to do it this way as it is clumsy.

BTW- I put an A-B 1783-NATR in instead of the Ewon and things work just fine, so I know my devices and LAN/WAN work right if the NAT router does.

My customer would really like to get this playing with existing Ewon’s without having to buy an extra $1000 router.

kyle_HMS · April 23, 2019, 4:43pm

Hi Dave,

For some reason I thought you had them backwards.

NAT 1:1 will pass pings and all other traffic. That’s why it’s easier than using a proxy (or at least it should be). This should be working. I’ve set it up on a few different devices over the last few days and it’s worked, I only had problems with one Flexy 201 with a FLX3101 card, but it set up easy on the 205.

You are using the 205, right? Just using the 4 built in ports?

Kyle