I have an issue with 5 ancient devices that are not able to change their IP address.
So I was wondering if it's possible to do NAT based on interface on a network device.
I think I heard some Juniper devices could do this but I'm not sure.
I’d rather not get 5 firewalls just for NAT.
Any advice?
Edit: just to be clear, the 5 devices have the same default unchangeable IP.
Yeah, I know, that's why I need to NAT it.
If you want some background, they are tank-gauging data aggregators for the oil and gas industry.
Usually they communicate over Modbus RTU, a serial protocol used in the industry.
But the newer models have an Ethernet connection for service.
Setup will be 5 of those to 2 redundant PLCs through Modbus and another 5 connections to a service PC that'll communicate with the PLCs in case of emergency.
You'd have to get a switch that could have duplicate VLANs with the same subnet. It's not a NAT, because you're going to have interference on the internal network layer, not just the application layer. I found an article that goes over IEEE 802.1Q, but it would have to be supported by your network. https://www.cisco.com/c/en/us/support/docs/lan-switching/8021q/17056-741-4.html It's kind of a bear from what I've read so far. I think you might be better off finding a way to change the IPs.
p.s. I fully admit there could be a solution I’m not aware of, but this is what I found.
I'll read over the documentation tomorrow, thanks.
We have contact with the manufacturer of the devices; it's impossible to change the IP according to them.
There's definitely no available interface for us.
We're talking ancient technology here, as is typical in these kinds of devices in oil & gas… sadly…
If you connect all these devices to separate interfaces on a Linux machine, either using physical NICs or VLANs and a switch, then you can configure iptables to have a set of new IPs which each port forward to one of these devices. Although doing this will probably make anything which relies on broadcast traffic not work, so keep that in mind.
Remember: just because you CAN does not mean you should… band-aid upon band-aid will only cause future @AnotherEpicName or his colleague/successor more problems in the future.
I’d be pushing back that these devices are EOL and should be retired.
You're dealing with oil and gas budget presumably (everyone I know in O&G flies business, etc.). These devices are EOL…
I’m sure you can be creative with a safety related scenario that could arise due to confusion or whatever…
Swapping PLCs would be ideal, but @AnotherEpicName seems to indicate that these devices, as retarded as they may be, are new. It could be that the new solution would require going through a new procurement process and so on and so forth, might not solve their problem.
Which is why I'm leaning towards a solution where someone would deploy a $20 router per PLC (I think there's a model with PoE passthrough for a bit more). Think of them as network adapters. They could spend a day getting familiar with it (write it up as "designing deployment"), they could spend a day deploying, another day writing up documentation, and a day every three months testing and upgrading or something, aka "safety maintenance". You'd end up with a device that behaves properly on your network as a result, and has updates, even if it is a somewhat non-off-the-shelf solution.
But yes, the more money we can squeeze out of the oil and gas industry, the better… please support the wind/solar/energy storage industry.
A current solution at a different customer is putting firewalls that just do the NAT at every device.
I find this a very ugly solution and it keeps me up at night.
To be honest I don't know enough about Linux to write a custom solution that way; it's far from my area of expertise.
Another thing to keep in mind is this: The solution is most likely going to be implemented in an electrical cabinet in the middle of nowhere and won’t be touched for the next 20 years.
I’m more looking for protocols to use so I can then find a device that supports those protocols and that reaches the required environmental specs.
Think Cisco IE series, Siemens SCALANCE, AB Stratix, Hirschmann RSP.
At the moment, from what I've read, I'm thinking of this:
- VLAN per device; I read that it's possible to have multiple VLANs on the same device using the same IP range.
- NAT VLAN to an IP; not sure if this works, but I read you can use 'ip nat inside' on a VLAN interface.
That would mean all I need is a device supporting VLANs and NAT, so a Layer 3 switch, I assume?
The devices I'm talking about are the new solution for an EOL product; Ethernet is kind of new for these kinds of devices. Replacing the whole system (there is a shit ton of sensors connected to it only compatible with that system) would mean a several million euro investment, and just isn't going to happen.
We're asked to build a 2nd, newer network next to their existing one and then gradually migrate everything to our system because no downtime is allowed.
At the same time as this network upgrade they decided to upgrade their tank-gauging system.
The $20 solution just isn't going to happen xD, it doesn't even mention a mean time between failures (MTBF should be at least 15 years).
These are the exact reasons I’d be strongly trying to avoid such bastardized hackery.
Let's say you make it work.
You leave. It keeps working for 3 years. Then 4 years down the track someone has to un-fuck the setup and/or figure out what is going on.
I misunderstood perhaps: these NEW devices can’t have their IP changed?
Damn… when i said replace, i meant those 5 monitoring boxes… but if these are the replacement…
But yeah, a layer 3 switch would maybe(?) do it (edit: actually no, I think 1:1 NAT pools in Cisco IOS are only via ACL/IP address? You can overload, but that is 1:many only, unless I am mistaken). But damn… I've seen some dumb shit networking before, but this takes the cake (the vendor, I mean).
You have my sympathies.
edit:
The "cheap" solution (O&G price-wise, and for simplicity in terms of configuration) may indeed be 5x Cisco ASA 5506-X boxes (as fucking retarded as that sounds).
At least you'll have the full Cisco support to go with the rest of your Cisco stuff on site. You won't have a second vendor involved, they're fanless, can be under the same support agreement, etc.
Linux boxes, pfSense, or other "cheap" firewalls are just going to open you up to getting shafted when it breaks. If it is Cisco with everything else, it will be much more supportable by the business in the future, whether or not you're the one still dealing with it.
I misunderstood perhaps: these NEW devices can’t have their IP changed?
Exactly.
They can get away with this kind of fuckery because it's O&G.
As far as I know they have 1 competitor and they also have issues, different issues, but bullshit nonetheless.
None of this 'the default IP can't be changed' is in any of the documentation, by the way. You have to find out after you buy it.
At least we've already encountered this problem, so we know about it.
I thought/hoped you could set a VLAN as source as well.
A vendor of PLC equipment that also makes switches/routers is coming to visit today to answer some questions; I'll see if they have a solution.
If not, then it's just back to the 5x firewall solution.
Yeah, on the plus side the 5506-Xs are cheap (say 400-500 USD each? likely less than a Cisco layer 3 switch).
The config on them will be easy. The guys on site will be able to spin one up by backing a working one up and restoring the config, then changing its "real" IP address.
Will be much more resilient and easily maintained than a single-box solution, imho.
Sometimes the brain-damaged stupid way (well… maybe that's a little harsh, as per the explanation below) is best.
We had a control network (well, ALL of the networks on this site were physically split, actually) out at a remote mine site that was physically separated on different fibre from the other networks. Why? Because in a pinch the guys could just grab a switch from the warehouse with the default VLAN setup on it to replace a broken one (24/7 remote site). Sure, remote management wouldn't work until someone configured it, and spanning tree may not be optimal, but production would be back up immediately.
VLANs would be a lot cheaper and require far less fibre, switching, etc. But when downtime costs you $100k or more per hour, having the ability to have a sparky just plug something in and get back up at 2am on a Sunday is a thing…
The problem you're going to have is that if each of these devices has the same IP, you need to have a NAT device for each of these devices, otherwise there's no way for it to work. If you have a single NAT device you can't tell it which device to forward to, because they all have the same IP.
If this is going in a box and being forgotten about, then I think a bunch of simple NAT firewall boxes will be the easiest and most reliable way to do it. There may be a complicated firewall box that can do this, but I'm not really sure.
I suggested the 5506X as it sounds like the guys are already a Cisco shop with other Cisco network gear. It will all be common vendor support, etc…
If you were penny-pinching you could do it with a (well, 5x) pfSense/Netgate (officially supported hardware) box. They do a tiny little hardware device. But then you're dealing with another vendor/supplier/etc.
That will just be a pain in the butt from a future maintenance perspective. To save what… $1600 on a million dollar setup…
Don't be that guy who puts in the odd-one-out hardware.
True that.
At the moment it's pretty much Cisco vs Siemens; Siemens has a similar product, just 700 instead of 500. But cost is kind of irrelevant.
@Dexter_Kane yeah, probably have to do the initial plan anyway…
I didn't think it would have to be complicated just to say:
192.168.0.1 on Fa1/1 becomes 10.200.0.1 on Gi1/1
192.168.0.1 on Fa1/2 becomes 10.200.0.2 on Gi1/1
and the other way around:
10.200.0.1 on Gi1/1 becomes 192.168.0.1 on Fa1/1
10.200.0.2 on Gi1/1 becomes 192.168.0.1 on Fa1/2
To me it seemed kind of simple: a Layer 3 device knows the IP and should know on what interface it received the frame.
At least I learned something more about NAT.
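As an added illustration (not code from the thread or from any vendor), here is a small Python model of the per-interface 1:1 NAT the mapping above describes. The interface names and addresses are the ones in the post; the table layout, the packet model and the five-device count are assumptions. It shows why a NAT table keyed by inside address alone cannot serve five devices that all answer on 192.168.0.1, and how keying the table by (inside interface, inside address) resolves the ambiguity in both directions.

```python
"""Model of 1:1 NAT keyed by ingress interface, as discussed in the thread."""
from dataclasses import dataclass

INSIDE_IP = "192.168.0.1"   # the unchangeable default IP every device has
OUTSIDE_IF = "Gi1/1"        # the single uplink toward the PLCs / service PC


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the frame arrived on
    src: str
    dst: str


def build_table(devices=5):
    """(inside interface, inside IP) -> outside IP, one entry per device.
    Device i sits on Fa1/i and is exposed as 10.200.0.i on Gi1/1."""
    return {(f"Fa1/{i}", INSIDE_IP): f"10.200.0.{i}" for i in range(1, devices + 1)}


def translate(pkt, table):
    """Return (egress interface, translated packet) for one packet crossing the NAT."""
    if pkt.iface == OUTSIDE_IF:
        # Inbound: the outside address alone identifies the device, because the
        # table gives every device a distinct outside address.
        for (inside_if, inside_ip), outside_ip in table.items():
            if outside_ip == pkt.dst:
                return inside_if, Packet(pkt.iface, pkt.src, inside_ip)
        raise KeyError(f"no NAT entry for outside address {pkt.dst}")
    # Outbound: the source address is the same for every device, so the lookup
    # must include the ingress interface; src alone would be ambiguous.
    outside_ip = table[(pkt.iface, pkt.src)]
    return OUTSIDE_IF, Packet(pkt.iface, outside_ip, pkt.dst)


def collisions_if_keyed_by_ip_only(table):
    """Inside addresses that a table without an interface column could not map
    uniquely (the problem the thread runs into with a shared NAT table)."""
    outs_per_ip = {}
    for (_, inside_ip), outside_ip in table.items():
        outs_per_ip.setdefault(inside_ip, set()).add(outside_ip)
    return {ip for ip, outs in outs_per_ip.items() if len(outs) > 1}


if __name__ == "__main__":
    nat = build_table()
    print(translate(Packet("Fa1/2", INSIDE_IP, "10.200.0.100"), nat))
    print(translate(Packet(OUTSIDE_IF, "10.200.0.100", "10.200.0.2"), nat))
    print("ambiguous without interface key:", collisions_if_keyed_by_ip_only(nat))
```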
Actually you could maybe(?) do it with a router on a stick (or layer 3 switch) that supports VRFs. As it will have its own routing (and maybe NAT state? not sure on that) table per VRF?
But no… just no…
edit:
I haven't actually had a use for VRFs yet and NAT is usually defined in the global config, so maybe it won't work. In any case, ugly hack is ugly, etc…
By complicated firewall I mean a single box with multiple interfaces and firewalls. You would need something which has an interface to connect each of these devices to, either physical or virtual, and then another set of interfaces to give the new IPs to. Then have firewalls in the middle doing NAT. As far as I can figure, whether you do it in one device or many, you need to have two interfaces and a NAT firewall in between for each of these devices. That's the only way I can think to do it with NAT.
If there’s a better way of doing it I don’t know what it is, I’m not sure this is something a layer 3 switch does as (I don’t think) they do any firewalling, but I’m really not sure.
Layer 3 Cisco switches can do routing and NAT and ACLs, so they can sort of do firewalling.
But yeah, your assessment of the situation is pretty on the money IMHO, as there is a shared NAT state table with source IP and re-written IP pairs in it. If you're doing 1:1 NAT with the same IP for multiple devices on the side to be re-written, well… I don't believe you can do that. I don't think the NAT table includes an interface column…
All VRFs do is spin up another virtual routing instance. Not even sure if they get their own NAT state table. But IF they did… and you get your own NAT state table per VRF, well, a VRF is bound to an interface. So you've essentially put another virtual router/firewall on that interface. But VRFs are complicated and you just don't want to make it that much of a head fuck to deal with. Not when you can have a much, much simpler setup with 5 (cheap) devices.
In any case you're such a networking config edge case at that point that, even if it might work in theory, you're flying well into bug city at a guess, so don't go there. I've run into enough Cisco bugs in the past couple of years that I'd not be pushing my luck that far.
Hence: one firewall per box. Brain dead, but it will actually work, and if it doesn't, the configuration is very easy to troubleshoot. It's NAT 101.