Difference between revisions of "XUELK-TN-001: Configuring SBC Lynx as industrial router"
(→Network topology) |
|||
| Line 25: | Line 25: | ||
*192.168.0.209:8080 <-> 192.168.11.239:80 | *192.168.0.209:8080 <-> 192.168.11.239:80 | ||
| − | [1] For simplicity, secondary interface has been implemented with an USB/Ethernet adapter ( | + | [1] For simplicity, secondary interface has been implemented with an USB/Ethernet adapter (MOSCHIP 7830/7832/7730 usb-NET adapter) connected to USB port. For a real-world production environment, it is recommended the use of both iMX6UL Ethernet MAC controllers. To do that, a plugin board connected to the one piece connector (J45/J52) can be used. For more details please refer to [mailto:sales@dave.eu sales department]. |
==Implementation== | ==Implementation== | ||
To enable routing functionality, the well known netfilter/iptables packet filtering framework has been added and configured to default software provided along with XUELK. | To enable routing functionality, the well known netfilter/iptables packet filtering framework has been added and configured to default software provided along with XUELK. | ||
| − | + | Make sure to correctly setup static IP for the two ethernet interfaces on SBC Lynx: | |
| + | <pre> | ||
| + | root@sbc-lynx:~# ifconfig eth0 192.168.0.209 | ||
| + | root@sbc-lynx:~# ifconfig eth0 | ||
| + | eth0 Link encap:Ethernet HWaddr 00:50:C2:B9:CF:82 | ||
| + | inet addr:192.168.0.209 Bcast:192.168.0.255 Mask:255.255.255.0 | ||
| + | inet6 addr: fe80::250:c2ff:feb9:cf82/64 Scope:Link | ||
| + | UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 | ||
| + | RX packets:64117 errors:0 dropped:0 overruns:0 frame:0 | ||
| + | TX packets:19470 errors:0 dropped:0 overruns:0 carrier:0 | ||
| + | collisions:0 txqueuelen:1000 | ||
| + | RX bytes:25075518 (23.9 MiB) TX bytes:3398088 (3.2 MiB) | ||
| + | |||
| + | root@sbc-lynx:~# ifconfig eth1 192.168.11.209 | ||
| + | root@sbc-lynx:~# ifconfig eth1 | ||
| + | eth1 Link encap:Ethernet HWaddr 00:D0:10:03:26:0A | ||
| + | inet addr:192.168.11.209 Bcast:192.168.11.255 Mask:255.255.255.0 | ||
| + | inet6 addr: fe80::2d0:10ff:fe03:260a/64 Scope:Link | ||
| + | UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 | ||
| + | RX packets:3541 errors:0 dropped:186 overruns:0 frame:0 | ||
| + | TX packets:2023 errors:0 dropped:0 overruns:0 carrier:0 | ||
| + | collisions:0 txqueuelen:1000 | ||
| + | RX bytes:1840061 (1.7 MiB) TX bytes:555670 (542.6 KiB) | ||
| + | |||
| + | </pre> | ||
| + | |||
| + | Before proceding on port forwarding rules setting, the forwarding capability must be enabled on both ''eth0'' and ''eth1'' interfaces: | ||
| + | <pre> | ||
| + | root@sbc-lynx:~# sysctl net.ipv4.conf.eth0.forwarding=1 | ||
| + | net.ipv4.conf.eth0.forwarding = 1 | ||
| + | root@sbc-lynx:~# sysctl net.ipv4.conf.eth1.forwarding=1 | ||
| + | net.ipv4.conf.eth1.forwarding = 1 | ||
| + | </pre> | ||
| + | |||
| + | The following ''iptables'' commands are used to enable 192.168.0.209:80 <-> 192.168.11.241:80 port forwarding: | ||
| + | <pre> | ||
| + | iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 192.168.11.241:80 | ||
| + | iptables -A FORWARD -p tcp -d 192.168.11.241 --dport 80 -j ACCEPT | ||
| + | iptables -t nat -A POSTROUTING -p tcp --dport 80 -d 192.168.11.241 -o eth1 -j SNAT --to-source 192.168.11.209 | ||
| + | </pre> | ||
| + | |||
| + | And the following enables 192.168.0.209:80 <-> 192.168.11.241:80 port forwarding: | ||
| + | <pre> | ||
| + | iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8080 -j DNAT --to-destination 192.168.11.239:80 | ||
| + | iptables -A FORWARD -p tcp -d 192.168.11.239 --dport 80 -j ACCEPT | ||
| + | iptables -t nat -A POSTROUTING -p tcp --dport 80 -d 192.168.11.239 -o eth1 -j SNAT --to-source 192.168.11.209 | ||
| + | </pre> | ||
| + | |||
| + | In details the 192.168.0.209:80 <-> 192.168.11.241:80 port forwarding rules are: | ||
| + | * <code>iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 192.168.11.241:80</code> | ||
| + | ** All TCP packets on port 80 in input from ''eth0'' interface are modified with destination ip adddress ''192.168.11.241'' port 80 | ||
| + | * <code>iptables -A FORWARD -p tcp -d 192.168.11.241 --dport 80 -j ACCEPT</code> | ||
| + | ** This rule tells forward chain in the filter table to accept TCP packets on port 80 with destinadion IP address equal to ''192.168.11.241''. This rule is not strictly neccessary, because by default filter tables accepts all packets. But it is usefull for logging and packet statistic (see [[XUELK-WP001:_Configuring_SBC_Lynx_as_industrial_router#Enabling_logging | Enabling_logging]]) | ||
| + | * <code>iptables -t nat -A POSTROUTING -p tcp --dport 80 -d 192.168.11.241 -o eth1 -j SNAT --to-source 192.168.11.209</code> | ||
| + | ** This rules translate the source IP address of all the TCP packets on port 80 in output on ''eth1'' interface with destination IP address equal to ''192.168.11.241'' | ||
| + | |||
| + | Now on the PC side (192.168.0.28) it is possible to get access to either managed switch and access point web servers by using an web browser. | ||
| + | |||
===Enabling logging=== | ===Enabling logging=== | ||
TBD | TBD | ||
Revision as of 07:37, 10 August 2016
| HOME | SOMs | SBCs | ToloMEO Embedded Assistant |  GET A QUOTE
|
 ONLINE HELPDESK
|
| Roadmap | IoT Services | ML/AI services | Embedded Design Services |
Introduction[edit | edit source]
Nowadays IP networks are become popular in industrial environments. To limit infrastructure costs, these networks are often built ased on-trivial routing configurations are needed
This article shows how to configure SBC Lynx to implement a router that manages data packet forwarding between two different LANs.
Network topology[edit | edit source]
The following image shows a simplified block diagram of the network topology that has been used for testing this configuration.
There are two LANs:
- main LAN (192.168.0.0/24)
- secondary LAN (192.168.11.0/24).
The following devices are connected to these LANs:
- a PC connected to the main LAN (IP address = 192.168.0.28)
- main LAN switch
- SBC Lynx equipped with two Ethernet interfaces
- primary interface (eth0) connected to main LAN (IP address = 192.168.0.209)
- secondary interface (eth1) connected to secondary LAN (IP address = 192.168.11.209) [1]
- secondary LAN managed switch (IP address = 192.168.11.239)
- WiFi access point connected to secondary LAN (IP address = 192.168.11.241)
Secondary LAN managed switch and access point integrate a web server, accessible at port 80. Two IP forwarding rules have been be set up in order to make web servers accessible at 192.168.0.209:80 and 192.168.0.209:8080:
- 192.168.0.209:80 <-> 192.168.11.241:80
- 192.168.0.209:8080 <-> 192.168.11.239:80
[1] For simplicity, secondary interface has been implemented with an USB/Ethernet adapter (MOSCHIP 7830/7832/7730 usb-NET adapter) connected to USB port. For a real-world production environment, it is recommended the use of both iMX6UL Ethernet MAC controllers. To do that, a plugin board connected to the one piece connector (J45/J52) can be used. For more details please refer to sales department.
Implementation[edit | edit source]
To enable routing functionality, the well known netfilter/iptables packet filtering framework has been added and configured to default software provided along with XUELK.
Make sure to correctly setup static IP for the two ethernet interfaces on SBC Lynx:
root@sbc-lynx:~# ifconfig eth0 192.168.0.209
root@sbc-lynx:~# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:50:C2:B9:CF:82
inet addr:192.168.0.209 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::250:c2ff:feb9:cf82/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:64117 errors:0 dropped:0 overruns:0 frame:0
TX packets:19470 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:25075518 (23.9 MiB) TX bytes:3398088 (3.2 MiB)
root@sbc-lynx:~# ifconfig eth1 192.168.11.209
root@sbc-lynx:~# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:D0:10:03:26:0A
inet addr:192.168.11.209 Bcast:192.168.11.255 Mask:255.255.255.0
inet6 addr: fe80::2d0:10ff:fe03:260a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3541 errors:0 dropped:186 overruns:0 frame:0
TX packets:2023 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1840061 (1.7 MiB) TX bytes:555670 (542.6 KiB)
Before proceding on port forwarding rules setting, the forwarding capability must be enabled on both eth0 and eth1 interfaces:
root@sbc-lynx:~# sysctl net.ipv4.conf.eth0.forwarding=1 net.ipv4.conf.eth0.forwarding = 1 root@sbc-lynx:~# sysctl net.ipv4.conf.eth1.forwarding=1 net.ipv4.conf.eth1.forwarding = 1
The following iptables commands are used to enable 192.168.0.209:80 <-> 192.168.11.241:80 port forwarding:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 192.168.11.241:80 iptables -A FORWARD -p tcp -d 192.168.11.241 --dport 80 -j ACCEPT iptables -t nat -A POSTROUTING -p tcp --dport 80 -d 192.168.11.241 -o eth1 -j SNAT --to-source 192.168.11.209
And the following enables 192.168.0.209:80 <-> 192.168.11.241:80 port forwarding:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 8080 -j DNAT --to-destination 192.168.11.239:80 iptables -A FORWARD -p tcp -d 192.168.11.239 --dport 80 -j ACCEPT iptables -t nat -A POSTROUTING -p tcp --dport 80 -d 192.168.11.239 -o eth1 -j SNAT --to-source 192.168.11.209
In details the 192.168.0.209:80 <-> 192.168.11.241:80 port forwarding rules are:
iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 192.168.11.241:80- All TCP packets on port 80 in input from eth0 interface are modified with destination ip adddress 192.168.11.241 port 80
iptables -A FORWARD -p tcp -d 192.168.11.241 --dport 80 -j ACCEPT- This rule tells forward chain in the filter table to accept TCP packets on port 80 with destinadion IP address equal to 192.168.11.241. This rule is not strictly neccessary, because by default filter tables accepts all packets. But it is usefull for logging and packet statistic (see Enabling_logging)
iptables -t nat -A POSTROUTING -p tcp --dport 80 -d 192.168.11.241 -o eth1 -j SNAT --to-source 192.168.11.209- This rules translate the source IP address of all the TCP packets on port 80 in output on eth1 interface with destination IP address equal to 192.168.11.241
Now on the PC side (192.168.0.28) it is possible to get access to either managed switch and access point web servers by using an web browser.
Enabling logging[edit | edit source]
TBD
