In my testing and configuration of our various Industrial Security Appliance offerings, I have observed that certain functionality implementation differs between Hirschmann, Moxa, and Endian. The majority of these differences likely stem from the fact that the Endian appliance comes from a more commercial background and applications where its primary function is to serve as an Internet Gateway for the private customer network. While this function can be applied to Hirschmann and Moxa, it certainly is not always the primary function. The following are the differences I have noted to date:
H = Hirschmann, M = Moxa, E = Endian
Incoming Firewall:
M – explicit any:any rule in place out of the box
H,E – implicit deny rule out of the box
Outgoing Firewall:
H,M – explicit any:any rule in place out of the box
E – explicit rules allowing only common ports out: http/s, ftp, smtp, imap, icmp, etc. (Note beyond the shown ICMP rule, there is an additional non-editable system rule allowing outbound ICMP type 8 and 30 from ANY. Blocking outbound ICMP therefore requires an explicit block all in addition to allow rules.)
IP Masquerading/Source NAT (LAN to WAN):
H,M – nothing in place out of the box. For LAN to WAN connectivity, user would need to add explicit config for LAN subnet to WAN IP or similar
E – implicit rule in place out of the box for LAN subnet to Primary WAN IP
E - can NAT from any Source IP to any Endian LAN interface IP (either primary or additional LAN interface IP assigned solely for this purpose)
H – all configuration completed on 1:1 NAT page including checkbox for "Invert Direction." Can NAT to any available LAN IP (doesn't have to be assigned as interface IP like with Endian)
M – function not available
IP Masquerading/Source NAT (WAN to LAN):
E - can NAT from any Source IP to any Endian LAN interface IP (either primary or additional LAN interface IP assigned solely for this purpose)
H – all configuration completed on 1:1 NAT page including checkbox for "Invert Direction." Can NAT to any available LAN IP (doesn't have to be assigned as interface IP like with Endian)
1:1 NAT/Destination NAT (WAN to LAN):
H,M – one page/step configuration on dedicated page for such config
E – requires up to three steps: configuration of additional WAN IPs (currently this step requires a reboot after configuration), configuration of associated DNATs, and optional configuration of associated SNATs. SNATs only required if comm from LAN to WAN must be seen by WAN device as coming from unique addresses for each LAN devices; otherwise the default implicit SNAT will facilitate communication albeit from a common WAN IP for all LAN devices.
Double NAT (WAN to LAN) for use with 1:1 NAT:
Traditional 1:1 NAT is only a Destination NAT, meaning that target devices require a default gateway pointing back to the LAN interface of the firewall as the Source IP of the incoming request remains untranslated and from some "other" network. If however the target device does NOT have this default gateway assignment:
E - As stated previously can NAT from any Source IP to any Endian LAN interface IP (either primary or additional LAN interface IP assigned solely for this purpose)
H - The 1:1 NAT configuration has another optional checkbox for "Double NAT" which will SNAT the traffic as needed to accommodate similarly.
M – Two 1:1 NAT entries must be created: one to cover the required DNAT and another for the required SNAT. While the DNAT rule is obviously to a virtual IP, what is less obvious is that the SNAT is also to a virtual IP (NOT the LAN interface IP).
Double NAT (WAN to LAN) for use with 1:1 NAT:
Traditional 1:1 NAT is only a Destination NAT, meaning that target devices require a default gateway pointing back to the LAN interface of the firewall as the Source IP of the incoming request remains untranslated and from some "other" network. If however the target device does NOT have this default gateway assignment:
E - As stated previously can NAT from any Source IP to any Endian LAN interface IP (either primary or additional LAN interface IP assigned solely for this purpose)
H - The 1:1 NAT configuration has another optional checkbox for "Double NAT" which will SNAT the traffic as needed to accommodate similarly.
M – Two 1:1 NAT entries must be created: one to cover the required DNAT and another for the required SNAT. While the DNAT rule is obviously to a virtual IP, what is less obvious is that the SNAT is also to a virtual IP (NOT the LAN interface IP).
Initial Device Access:
H – Default 192.168.1.1 LAN IP out of the box (reachable at http://192.168.1.1).
M – Default 192.168.127.254 LAN IP out of the box (reachable at https://192.168.127.254)
E – Default 192.168.0.15 LAN IP out of the box (reachable at https://192.168.0.15:10443)
Links of Interest
