I am a software engineer. However, a little network engineering knowledge lets us solve some issues easily.
Today I would like to share about NAT (Network Address Translator). Before I talk about NAT, let me explain the problem.
I have a robot which allows other systems to access it from the same network subnet only. That means a different subnet, e.g. the internet, cannot connect to the robot. See the picture below: R1 and R2 are gateway-level routers. 192.168.8.XXX is one subnet and 10.8.0.XXX is a different subnet. The robot is at 192.168.8.4, therefore the PC at 10.8.0.3 cannot connect to the robot due to the robot’s firewall.
Even if we port-forward all requests from 10.8.0.3 to 192.168.8.XXX, the robot refuses them because the source subnet is different. This is a robot-level firewall rule.
We cannot change the robot firewall setting. The robot vendor does not allow access to the robot at OS level. Their robot accepts command requests coming from a same-subnet address only. But I need to control that robot from the internet. To prevent access by unknown users and strange IPs, we will use a private VPN network, as in the system design below.
So … how can we send the request from 10.8.0.3 to 192.168.8.4? The robot needs to see the request as coming from the router, 192.168.8.1, which is in the same subnet. There are two options I can think of.
Option one: create a proxy server which sits within the LAN network 192.168.8.XXX and forwards all requests coming from other subnets to the robot.
Option two: configure the router to change the source address of all requests to the router’s LAN IP and forward them to the robot.
Option one is easy for a software engineer. Just create a proxy server and deploy it. But we need one more hardware component for the proxy server, and man-days are required to develop and deploy it.
Option two could be a bit difficult for a software engineer who has no experience with network communication. I needed to search Google and read network engineering articles.
Now I want to share my experience with NAT (Network Address Translator), which I used as option 2 in my case.
Every IP (Internet Protocol) packet includes a Destination Address and a Source Address. A router can do NAT (Network Address Translation) such as DNAT and SNAT. DNAT stands for Destination Network Address Translation and SNAT stands for Source Network Address Translation. That means the router can rewrite the destination address (DNAT) or the source address (SNAT) of a packet.
Typically DNAT is used for public-to-private communication with port forwarding. SNAT is used for private-to-public communication, to share one public IP among all internal devices. Since we use a VPN layer for security, there is no public-to-private traffic here. This solution is a routing configuration from one private network to another.
I used this knowledge and solved my problem easily. I configured my router to change the source address to the router’s IP address (LAN or WAN). The router changes the source IP of all requests coming from 10.8.0.3 to 192.168.10.1 before sending them to the robot at 192.168.10.3. Therefore the robot accepts the request.
To do this experiment, we need a router which allows us to configure the firewall settings, especially SNAT. I use a GL.iNet E750 router, which runs OpenWrt (Open Wireless Router). The GL.iNet E750 already comes with the LuCI configuration web interface for advanced users.
The LuCI web interface needs a username and password. The default username is “root”; the password is the router admin password. After you log in successfully, go to Network > Firewall.
From the Firewall page, click on the NAT tab.
Click on the “Add” button to create an SNAT rule and configure the SNAT settings. As per our requirement, the Source address shall be 10.8.0.4 and the Destination address shall be 192.168.10.4. The Rewrite IP address shall be 192.168.10.1.
Click on the “Save” button. That’s all.
Now click on the “Save & Apply” button to push the new SNAT configuration to the router.
The GL.iNet E750 router will rewrite the source address to the router IP 192.168.10.4 for all LAN requests to the destination address 192.168.10.4.
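As an added example (not code from the original post or from GL.iNet/OpenWrt), here is a small POSIX shell script that does two things: it checks the precondition the robot’s firewall enforces, namely that the rewrite address must lie in the destination’s subnet, and it then emits the /etc/config/firewall stanza that is equivalent to the SNAT rule created above through LuCI. The addresses are the ones used in the post; the /24 prefix length, the rule name robot-snat and the zone name lan (the zone the traffic leaves through toward the robot) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Emits an OpenWrt /etc/config/firewall SNAT stanza equivalent to the LuCI rule
# above, after checking that the rewrite address lies in the destination's
# subnet (the property the robot's same-subnet firewall enforces).
# Assumptions: /24 prefix length, rule name 'robot-snat', zone name 'lan'.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed (exit 0) when both addresses fall in the same /PREFIX network.
same_subnet() {
  a=$(ip_to_int "$1")
  b=$(ip_to_int "$2")
  mask=$(( (0xFFFFFFFF << (32 - $3)) & 0xFFFFFFFF ))
  [ $(( a & mask )) -eq $(( b & mask )) ]
}

# Print the UCI stanza for an SNAT rule: traffic from SRC_IP to DEST_IP has its
# source rewritten to SNAT_IP. Refuses a rewrite address outside DEST_IP's
# subnet, because the robot would drop such a packet just as it drops the original.
render_snat_rule() {
  src_ip=$1; dest_ip=$2; snat_ip=$3; prefix=${4:-24}
  if ! same_subnet "$snat_ip" "$dest_ip" "$prefix"; then
    echo "error: $snat_ip is not in the /$prefix subnet of $dest_ip" >&2
    return 1
  fi
  cat <<EOF
config nat
	option name 'robot-snat'
	option src 'lan'
	option src_ip '$src_ip'
	option dest_ip '$dest_ip'
	option proto 'all'
	option target 'SNAT'
	option snat_ip '$snat_ip'
EOF
}

# Addresses from the post: VPN client 10.8.0.4, robot 192.168.10.4,
# router LAN IP 192.168.10.1.
render_snat_rule 10.8.0.4 192.168.10.4 192.168.10.1
```

Appending the printed stanza to /etc/config/firewall and running `/etc/init.d/firewall reload` is the command-line equivalent of clicking Save & Apply; `uci show firewall` afterwards lists the rule. Keeping `src_ip` pinned to the single VPN client address matters: the robot now only ever sees the router’s address, so the VPN and this `src_ip` match are the only things that still decide who may reach it.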
Now I can access my robot from a different subnet at a different location via the VPN pipeline.
Enjoy your networking knowledge.