Enhancing Industrial Automation: The Vital Role of NAT Routers in Secure Remote Access and Communication
A standard IPv4 address is a 32-bit number that identifies the network interface on a device and makes it routable on the Internet. Public IPv4 addresses are registered and are typically purchased or leased through a service provider. They are also in short supply, but more on that later.
Unlike a public IPv4 address, the IP addresses used on a LAN are private and unregistered. Data packets can be transmitted between devices and applications on the LAN, but nowhere else. This is a problem for obvious reasons. Today, every enterprise needs access to the Internet. Operational data on the LAN, for instance, needs to be sent over the Internet to far-flung locations where it can be analyzed and stored. Employees on private addresses also need to visit websites during the day.
For local network traffic to be routed over the Internet, the inside device's non-routable IP address needs to be translated (mapped) to a publicly routed global IPv4 address. This is performed by a NAT router, gateway, firewall or server that rewrites the network address data in the IP header of the packet. Otherwise, a packet sent by a local source with an unregistered address will be discarded by the router at the network edge.
NAT stands for Network Address Translation. Along with translating local to global IPv4 addresses for Internet access, NAT also provides an additional layer of security: it translates only the addresses of its internal hosts, so the true endpoint of an internal host on the private network is hidden from the outside. In this way, NAT acts as a basic firewall for the LAN, since inbound traffic that does not match an entry in its translation table has no inside host to be delivered to and is dropped.
IPv6 is the Future
NAT was originally developed to help prevent (or slow) the depletion of IPv4 addresses by presenting only one public IP address to the Internet on behalf of an entire internal network. Introduction of the newer IPv6 addressing system was prompted by IPv4 address exhaustion. In the future, as IPv6 is adopted, the need for NAT will diminish and eventually disappear. Whereas IPv4 has approximately 3.2 million publicly available addresses for use, IPv6 uses 128-bit addressing, creating potentially 340 trillion trillion trillion public addresses (not a typo), enough for every machine on Earth to have its own. But until IPv6 is fully adopted, NAT remains a networking reality.
NAT Protocol Types
· Static NAT:
Rarely used outside of industrial control applications, static NAT is a one-to-one mapping of the same local IP address to the same publicly routed IPv4 address, meaning the device always appears under a consistent public address. Only the IP addresses and the header checksum are altered; the rest of the packet is left untouched. The major downside of static NAT is that if you have 45 devices on your LAN with 45 private IP addresses, you'll also need 45 unique public IPv4 addresses for the translations.
· Dynamic NAT:
Dynamic NAT is a one-to-many mapping of a local address to a global address that the router dynamically picks from a pool of global addresses not currently assigned. After a period of inactivity, the assigned global IP address expires, allowing it to be used for new translations. A limitation of dynamic NAT is that an enterprise's pool of available addresses can be exhausted, resulting in NAT overload.
· Port Address Translation (PAT, Port Forwarding or NAT Overloading):
PAT is an advanced, more flexible type of dynamic NAT that maps several private IP addresses to a single public address by having the router rewrite the source port number (TCP or UDP) of each connection to a distinct port of its own. One use for PAT is when a business wants all employees' activity to appear from a single IP address under the oversight of a network administrator.
Simple NAT Example
As an example of NAT, let's say a PC (10.20.10.2:1666) on a private LAN needs to send data outside to a destination web server address (192.134.20.2:80). The data packet from the PC goes first to a NAT router at the network edge, which reads the source IP address of the packet and checks its NAT table to see whether it meets the translation conditions. If it does, the router translates the local address (10.20.10.2:1666) to its inside global IPv4 address (192.100.10.25). This translation is saved in the router's NAT table, which holds the Inside Local, Inside Global, Outside Local, and Outside Global addresses. The request is then routed to the outside destination via the Internet. Once the outside destination receives and responds to the request, the reply is sent over the Internet back to the global IP address (192.100.10.25) of the router. The router then looks up in its NAT table the translated address corresponding to that global address and changes the global address (192.100.10.25) back to the inside local address (10.20.10.2:1666) so the data packet can be correctly routed to the PC.
NAT Routers in Industrial Automation
What we have described so far is largely confined to NAT as it is applied in home, office or small-scale manufacturing networks that need access to the Internet or a WAN.
NAT in Industrial Automation and Control Systems (IACS) is somewhat different, more varied in its applications, and more complex, although the overall concept remains the same: NAT converts addresses so that devices on separate networks can communicate with each other while keeping the networks private and isolated. A unique bonus for the industry is that NAT is protocol independent, so it will work on the IACS whether the network is PROFINET, EtherNet/IP or Modbus TCP.
In IACS, NAT is primarily about gaining access to information that is buried within a system outside of your own. Consider a situation where a higher-level network in the plant, say the IT department, needs to have access to data located on a separate lower-level network or subnet in the OT department consisting of a 12-port industrial Ethernet switch connecting PLCs, motor drives, IP cameras, and I/O devices. For the purpose of illustration, let’s also assume there is a preventive maintenance application on a PC in the IT department seeking data such as heat, energy and cycle times from the motor drive to analyze its maintenance needs. Since the two networks are on different addresses, the IT department’s PC is prevented from “talking” to the motor drive.
In this situation, an industrial NAT router can be deployed that gives you the ability to assign a new IPv4 public address solely for the PC’s messages. Keep in mind this new address is not the private IP address of the PC itself. When a data packet is sent from the PC, the NAT knows to convert it to the motor drive’s address, therefore bridging the gap. When the motor drive responds with the requested data, the NAT subsequently converts the drive’s address back to the PC message address which in turn is sent to the PC.
The above describes a straightforward example of the one-to-one static NAT protocol. In IACS, as with home and commercial networks, the PAT version of the dynamic NAT protocol is often required when multiple devices are involved but only one IPv4 address is available. So, let's assume the same situation as above. Now, however, we need data from the motor drive as well as from three additional PLCs. Since we only have one IPv4 address, we'll need to assign a port number to each device's IP address by adding a colon, i.e., 192.155.100.18 becomes 192.155.100.18:3, where the "3" indicates the port. When the PC sends a message requesting information from one of the three PLCs or the drive, the NAT router reads the address and knows to send it to whatever device is assigned to port 3, even though all the devices share the same IPv4 address.
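As an added example (this is not code from the article, nor Antaira's own), here is a small Python model of the NAT table behind the Simple NAT Example above and the single-address port-forwarding setup just described. It uses the article's addresses where they exist (PC 10.20.10.2:1666, web server 192.134.20.2:80, router 192.100.10.25, OT address 192.155.100.18). The OT device addresses, the public port numbers, the stray outside host and the port-pool size are constructed, and the rule that only the outside peer a mapping was opened for may send traffic back through it is an assumption about router policy, not something the article states.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Header fields NAT rewrites (constructed model; checksums are not modelled)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


Endpoint = Tuple[str, int]


class NatRouter:
    """Toy NAT/PAT router holding the table the article describes: the inside local
    endpoint, the inside global port it was mapped to, and the outside global peer."""

    def __init__(self, public_ip: str, port_pool: range = range(40000, 40100)) -> None:
        self.public_ip = public_ip
        self.free_ports: List[int] = list(port_pool)   # finite pool; "NAT overload" empties it
        self.dynamic: Dict[int, Tuple[Endpoint, Endpoint]] = {}  # public port -> (inside, outside)
        self.by_flow: Dict[Tuple[Endpoint, Endpoint], int] = {}  # known flow -> its public port
        self.static: Dict[int, Endpoint] = {}                    # port forwarding: port -> device

    def add_port_forward(self, public_port: int, inside: Endpoint) -> None:
        """One public IPv4 address, one distinct port per OT device (the PLC/drive case)."""
        self.static[public_port] = inside

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the source of a LAN-originated packet; None means the port pool is empty."""
        flow = ((pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port))
        port = self.by_flow.get(flow)
        if port is None:
            if not self.free_ports:
                return None                         # pool exhausted: translation fails
            port = self.free_ports.pop(0)
            self.dynamic[port] = flow
            self.by_flow[flow] = port
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of a packet arriving at the public address; None means dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.dynamic.get(pkt.dst_port)
        if entry is not None:
            inside, outside = entry
            # Assumption: only the peer the mapping was opened for may use it. Real routers
            # differ in how strict this filtering is; this is the conservative choice.
            if (pkt.src_ip, pkt.src_port) != outside:
                return None
            return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])
        inside = self.static.get(pkt.dst_port)
        if inside is not None:
            return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])
        return None                                 # no table entry: unsolicited, discarded


def demo_web_request() -> Tuple[Packet, Optional[Packet], Optional[Packet]]:
    """The article's PC (10.20.10.2:1666) -> web server (192.134.20.2:80) round trip."""
    nat = NatRouter("192.100.10.25")
    out = nat.outbound(Packet("10.20.10.2", 1666, "192.134.20.2", 80))
    assert out is not None
    reply = nat.inbound(Packet("192.134.20.2", 80, nat.public_ip, out.src_port))
    # Constructed stray packet: an unrelated outside host hitting the same mapped port.
    stray = nat.inbound(Packet("198.51.100.7", 4444, nat.public_ip, out.src_port))
    return out, reply, stray


def demo_iacs_port_forwarding() -> Dict[int, Optional[Endpoint]]:
    """The article's IT PC reaching a drive and three PLCs through 192.155.100.18."""
    nat = NatRouter("192.155.100.18")
    # Constructed OT addresses; 502 is the Modbus TCP port such devices listen on.
    devices = {5020: ("192.168.50.20", 502),   # motor drive
               5021: ("192.168.50.21", 502),   # PLC 1
               5022: ("192.168.50.22", 502),   # PLC 2
               5023: ("192.168.50.23", 502)}   # PLC 3
    for public_port, inside in devices.items():
        nat.add_port_forward(public_port, inside)
    results: Dict[int, Optional[Endpoint]] = {}
    for public_port in (5020, 5021, 5022, 5023, 5024):   # 5024 has no rule and is dropped
        t = nat.inbound(Packet("10.20.10.2", 50001, nat.public_ip, public_port))
        results[public_port] = None if t is None else (t.dst_ip, t.dst_port)
    return results


def demo_pool_exhaustion() -> List[bool]:
    """Three distinct flows through a two-port pool: the third cannot be translated."""
    nat = NatRouter("192.100.10.25", port_pool=range(40000, 40002))
    return [nat.outbound(Packet("10.20.10.%d" % i, 1000 + i, "192.134.20.2", 80)) is not None
            for i in (2, 3, 4)]


if __name__ == "__main__":
    print(demo_web_request())
    print(demo_iacs_port_forwarding())
    print(demo_pool_exhaustion())
```

The three demo functions cover the three behaviours the article describes: the reply to the PC's web request is mapped back to 10.20.10.2:1666 while a packet from an unrelated host to the same port is discarded, the IT PC reaches each OT device through a different port of the single address 192.155.100.18 (a port with no rule is dropped), and a translation attempt fails once the port pool is empty, which is the overload condition named above.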
For an OEM machine maker, NAT is equally valuable. NAT allows an OEM to reuse IPv4 addresses without introducing a duplicate IP address error into the network architecture. For example, an OEM may use NAT for the replication of multiple control systems on skids and machines, including IP addressing, to help to reduce development and commissioning costs. This way, the end-user can have multiple machines on the same line configured with identical network settings and be able to perform remote support through a VPN connection.
Like other industrial network devices, industrial NAT routers must be hardened to operate in environments where they will be subjected to extreme temperatures, heavy vibration, and electromagnetic interference. Antaira's wired routers and wireless industrial routers are ruggedly engineered to IP30 rating standards and ensure a long service life with fanless cooling, shock and vibration resistance, and a wide operating temperature range. Many also have additional features that add value to your network. A case in point is the Antaira ARS-7235-PSE-AC-T. This industrial dual-radio IEEE 802.11a/b/g/n/ac wireless LAN access point has added NAT/VPN router capabilities.
Unveiling NAT Router Applications
1. Control Rooms or Network Cabinets: Many industrial facilities have control rooms or network cabinets where networking equipment is housed. This is a common location for NAT routers, along with other networking components such as switches, firewalls, and communication gateways. The NAT router in this context would provide a gateway between the local industrial network and the external network (e.g., the internet).
2. Remote Monitoring Stations: Industrial facilities might have remote monitoring stations where engineers and technicians can access and monitor industrial processes from a distance. These stations might be equipped with NAT routers to facilitate secure remote access to the industrial network.
3. Communication Gateways: In complex industrial systems, there are often communication gateways that connect different protocols and networks. These gateways might incorporate NAT routing functionality to manage communication between different parts of the system and the outside world.
4. IoT and Edge Devices: As industrial IoT devices become more prevalent, NAT routers can be integrated into edge devices to manage communication between these devices and central servers or cloud platforms. This helps ensure that IoT devices can securely send data to and receive commands from remote locations.
5. Robotics and Manufacturing Cells: In manufacturing environments that utilize robotic systems or individual manufacturing cells, NAT routers can be used to provide remote access for maintenance and troubleshooting, as well as to facilitate data collection and analysis.
6. Energy Monitoring and Control Systems: Industries like energy production and distribution might employ NAT routers to enable remote monitoring and control of power generation, distribution, and consumption.
7. Process Control Systems: In industries such as chemical manufacturing, food and beverage production, and pharmaceuticals, NAT routers can be used to securely access and control critical processes remotely.
8. Water and Wastewater Treatment Plants: Facilities responsible for water treatment and wastewater management may use NAT routers to enable remote monitoring and control of pumps, valves, sensors, and other equipment.
9. Mining and Extraction Operations: Industries involved in mining, oil extraction, and natural resource management can use NAT routers to establish secure connections for remote management and optimization of operations.
10. Transportation and Logistics: In sectors like transportation and logistics, NAT routers can be employed to enable remote tracking and management of fleets, as well as for maintaining communication with vehicles and sensors.
Remember that the specific location and implementation of NAT routers in industrial automation setups can vary depending on the complexity and requirements of the system. The primary goal is to ensure secure, efficient, and reliable communication between industrial devices and external networks.
The Antaira technical support team is here to help you with your NAT router challenges so you can optimize your industrial networks. Call us today at 1-714-671-9000.