The WAN (corporate network) and LAN (machine network) side of the CloudVPN router are separated by its internal firewall.
However, when you are on-site you may, for example, need internet access to look up user manuals or to have the machine send e-mails. You may also need access to the corporate network, for example, when a PLC needs to store data on a local FTP server.
There are 3 types of scenario to choose from:
- Allow ALL access to corporate network
- Allow ALL access to internet
- Allow LIMITED access to corporate network and internet
In our example network, a PLC is connected to the LAN ports of the CloudVPN router. On the WAN side (corporate network) there is the Corporate Router, which provides internet access, a File Server and a Database Server.
Allow ALL access to corporate network
When you allow ALL access to the corporate network, the PLC in the example network will be able to access all the devices connected to the WAN network (Corporate Router, Database Server, File Server).
This is a simple and effective way to let devices in the LAN network reach devices in the corporate network. However, it comes with additional risk, because it essentially opens up all forms of communication to the corporate network. If you wish to make it more secure, use the Limited Access method.
Follow this section of our guide to learn how to enable ALL access to the corporate network.
Allow ALL access to internet
In our example network, if you allow ALL access to the internet, the PLC gets internet access. This is the simplest way to give the devices on your LAN network internet access. A common reason for needing this is that your PLC connects to a public mail server hosted on the internet and needs internet access to send out e-mail reports.
Allowing full access to the internet is a simple click away. However, if you want better security, you can use Allow LIMITED access for finer control over what kind of access you give.
Follow this section of our guide to learn how to enable ALL access to the internet.
Allow LIMITED access to corporate network and internet
To ensure a safe and protected network within the machine, you may not want to give full internet access to all devices on the LAN of the CloudVPN router, but rather only give internet access to devices that actually need it.
Limited access gives access to both the corporate network and the internet. It allows you to specify a source device (IP address or MAC address), a protocol, and a destination port. A source or destination is required.
If we take the example network again, "rule" 1 on the list covers the PLC on the LAN network accessing the Database Server on the corporate network, while "rule" 2 is set up for the PLC on the LAN network to connect to the SMTP mail server that resides on the internet behind the Corporate Internet Router.
When you set up the example network like this, you only allow outgoing connections from the PLC on the LAN network with a destination port of 3306 (MySQL Server) or 587 (SMTP Mail Server). All other connections are blocked.
Follow this section of our guide to learn how to enable LIMITED access to corporate network and internet.
- If Allow all access and Allow limited access are both configured, Allow all access has priority over Allow limited access. As a result, all devices will have access to the internet or corporate network, regardless of the access list from Allow limited access.
- Allow limited access does not differentiate between the corporate network and the internet in its settings.
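
The following is an added example, not code from the CloudVPN router or its vendor: a small Python model of the decision logic described above, useful for checking what a planned configuration would let through. The class and function names, the PLC address and MAC, and the assumption that a rule is matched on source, protocol and destination port only are all illustrative.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    source: Optional[str]      # LAN device IP or MAC address; None = any device
    protocol: str              # "tcp" or "udp"
    dest_port: Optional[int]   # destination port; None = any port

    def __post_init__(self):
        # The page states that a source or a destination is required.
        if self.source is None and self.dest_port is None:
            raise ValueError("rule needs a source or a destination")

@dataclass(frozen=True)
class Config:
    allow_all_corporate: bool = False
    allow_all_internet: bool = False
    limited: Tuple[Rule, ...] = ()

def decide(cfg, src_ip, src_mac, zone, protocol, dest_port):
    """Return (allowed, reason) for one outgoing LAN connection.
    zone is "corporate" or "internet" (where the destination lives)."""
    allow_all = cfg.allow_all_corporate if zone == "corporate" else cfg.allow_all_internet
    if allow_all:
        # Allow ALL has priority: the limited list is never consulted.
        return True, "allow-all " + zone
    for n, r in enumerate(cfg.limited, start=1):
        src_ok = r.source is None or r.source.lower() in (src_ip, src_mac.lower())
        port_ok = r.dest_port is None or r.dest_port == dest_port
        # Limited rules carry no zone, so they match corporate and internet alike.
        if src_ok and port_ok and r.protocol == protocol:
            return True, "limited rule %d" % n
    return False, "blocked"

def shadowed(cfg):
    """True when a limited list exists but an Allow ALL setting overrides it."""
    return bool(cfg.limited) and (cfg.allow_all_corporate or cfg.allow_all_internet)

# Constructed sample values (not from the page): PLC address and MAC.
PLC_IP, PLC_MAC = "192.168.140.10", "00:11:22:33:44:55"
RULES = (Rule(PLC_IP, "tcp", 3306), Rule(PLC_IP, "tcp", 587))

if __name__ == "__main__":
    cfg = Config(limited=RULES)
    for zone, port in [("corporate", 3306), ("internet", 587), ("internet", 3306), ("corporate", 21)]:
        print(zone, port, decide(cfg, PLC_IP, PLC_MAC, zone, "tcp", port))
    loose = Config(allow_all_internet=True, limited=RULES)
    print("other device, internet:80 ->", decide(loose, "192.168.140.20", "00:11:22:33:44:66", "internet", "tcp", 80))
    print("limited list shadowed:", shadowed(loose))
```

Under this model the rule written for the Database Server also permits the PLC to reach port 3306 on an internet host, and enabling Allow ALL for the internet leaves the limited list without effect for internet-bound traffic.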