Access to a Device Behind the Router via IP Forwarding (1:1 NAT) - icom OS Routers

  • Updated on Dec 19, 2024
  • Published on Jul 29, 2024

IP forwarding (1:1 NAT) enables access to devices in other networks of the INSYS router.

Situation

A device in the local network of the router is to be accessed from a device that is in the WAN network of the router. The local network of the router is not accessible from the WAN network via routing.

Solution

A additional IP address will be defined in the WAN network and a NAT rule will be added in the router, which will forward requests directed to this IP address to the IP address of the target device.

In the following overview image, the target device has the address 192.168.2.22 in the IP network net2 of the router. The additional IP address in the IP network net3 of the router has the address 192.168.3.222.

cg m3 ip forwarding

  1. Open the user interface of the router: https://insys.icom

  2. Click on the Network → Interfaces page under IP networks in the row of IP net net3 on to edit it.

  3. Click in the Static IP addresses section on to add a static IP address (make sure to use a free IP address in this network):

    • IP address: 192.168.3.222 / 24

    • Description: NAT to LAN address
      cg en m3 ip forwarding 01

  4. Click on SUBMIT.

  5. Click on the Network → Firewall / NAT page under Destination NAT on to add a destination NAT rule: and configure this accordingly:

    • Description: DNAT rule for IP forwarding from net3 to net2

    • Type: Destination NAT

    • Protocol: All

    • Input interface: net3

    • Destination IP address: 192.168.3.222 / 32

    • Destination NAT to address: 192.168.2.22
      cg en m3 ip forwarding 02

  6. Click on SUBMIT.

  7. [Optional] Click on the Network → Firewall / NAT page under Source NAT on plus to add a source NAT rule that enables to start the connection also from the other end, i.e. from net2 and configure this accordingly:

      • Description: SNAT rule for IP forwarding from net2 to net3

      • Type: Source NAT

      • Protocol: All

      • Output interface: net3

      • Source IP address: 192.168.2.22 / 32

      • Source NAT to address: 192.168.3.222
        cg en m3 ip forwarding 03

  8. Click on SUBMIT.

  9. Click on the Network → Firewall / NAT page under IP filter on to add an IP filter rule that enables the transmission of data packets from IP network net3 to IP address 192.168.2.22 in IP network net2 if IP filters are activated and configure this accordingly:

    • Description: Traffic from net3 to 192.168.2.22

    • Packet direction: FORWARD

    • IP version: All

    • Protocol: All

    • Input interface: net3

    • Output interface: net2

    • Destination IP address: 192.168.2.22 / 32
      cg en m3 ip forwarding 04

  10. Click on SUBMIT.

  11. [Optional] Click on the Network → Firewall / NAT page under IP filter on to add an IP filter rule that enables the transmission of data packets from IP address 192.168.2.22 to IP network net3 if IP filters are activated and a source NAT rule has been configured and configure this accordingly:

    • Description: Traffic from 192.168.2.22 to net3

    • Packet direction: FORWARD

    • IP version: All

    • Protocol: All

    • Input interface: net2

    • Output interface: net3

    • Source IP address: 192.168.2.22 / 32

    • Destination IP address: 192.168.3.0 / 24
      cg en m3 ip forwarding 05

  12. Click on SUBMIT.

  13. Activate the profile with a click on ACTIVATE PROFILE .

Result testing

  1. Open a terminal on a PC in IP network net3, type ping 192.168.3.222 and observe if the remote terminal responds.

Troubleshooting

  • Disable the IP filters for IPv4 in the Network → Firewall / NAT menu under Settings IP filter to check whether incorrect filter settings are the reason for connection problems.

  • Proceed as follows to ensure that ping requests are not responded to by the router, but by the addressed device:

    • Open a terminal on a PC in the remote network net3 and type ping 192.168.3.222.

    • Click in the Administration → Debugging menu on OPEN DEBUG TOOLS , select the tool TCP-Dump, enter the parameter -i net3 and click on SEND. This TCP dump enables you to verify that the ICMP packets are incoming at the router.

    • Type ping 192.168.3.222 again in the terminal.

    • Start a TCP dump again, this time with the parameter -i net2. This TCP dump enables you to verify that the ICMP packets of the PING request are also forwarded to the IP network net2 and NAT is working.

  • Check whether you have set the IP address of the router in the IP network net2 as default gateway address for your end device or alternatively a static route to the IP network net3 in your end device. If not, you need to create a Masquerade source NAT rule for IP network net2.