User Documentation
Version 1.2 / August 2020 Page 68 / 102
A2 - Connecting 2 Ethernet networks with activated NAT masquerading
and using IP address forwarding
Application requirements:
There are 2 industrial Ethernet networks which are connected by the Router. Each network has its own IP
address range. For security reasons the IP addresses of network 1 shall be hidden from devices of
network 2. As an exception, 2 devices (C and D) of network 1 should be accessible directly from devices of
network 2.
This application can be implemented with all router models. No special firewall filter rules shall be configured.
Solution:
1. Activating “NAT masquerading” at the WAN port of the Router, which is connected to network 2. As a result, the
sender IP addresses of any outgoing traffic at the WAN port – initiated by devices of network 1 connected to the LAN
port – will be translated to the IP address of the Router’s WAN port. From the perspective of the receivers
the sender is always the Router WAN port. The IP addresses of devices connected to the LAN port will be
hidden and are not visible.
2. To get access to the devices C and D of the hidden network 1, the Router’s “IP address forwarding” feature
can be used, which assigns devices C and D each an additional, unused IP address from the range of network
2. Effectively the Router will have 3 IP addresses at the WAN port (physical WAN IP address and 2 virtual IP
addresses). This feature acts as a special kind of “port forwarding” using only IP addresses and omitting the
ports.
Note
Generally, “masquerading” only hides a sender IP address (e.g. outgoing from LAN to
WAN) but does NOT block the access to this LAN IP address from the WAN network. This
must be done explicitly by a firewall rule.
In this example the IP address ranges are set to
192.168.10.0 / 255.255.255.0 for network 1 and
192.168.20.0 / 255.255.255.0 for network 2
The Router interfaces will be set to
192.168.10.254 / 255.255.255.0 for LAN interface and
192.168.20.254 / 255.255.255.0 for WAN interface
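
The behaviour described in the solution steps and the Note above, as an added Python model (not part of the original documentation and not the Router's own logic). Assumptions: the virtual addresses 192.168.20.101/.102, the device addresses 192.168.10.11/.12 for C and D, and the WAN host 192.168.20.50 are constructed sample values; the optional firewall rule is assumed to match only packets addressed directly to a network 1 address and to leave forwarded addresses untouched.

```python
import ipaddress

LAN_NET = ipaddress.ip_network("192.168.10.0/24")   # network 1 (from the page)
WAN_NET = ipaddress.ip_network("192.168.20.0/24")   # network 2 (from the page)
ROUTER_WAN = "192.168.20.254"                       # Router WAN interface (from the page)
# Constructed sample mapping: virtual WAN address -> LAN address of devices C and D.
IP_FORWARDING = {"192.168.20.101": "192.168.10.11",
                 "192.168.20.102": "192.168.10.12"}


def route(src, dst, ingress, block_wan_to_lan=False):
    """Return (src, dst) as the receiver sees the packet, or None if not delivered.

    ingress is "lan" or "wan" (the Router port the packet arrives on).
    block_wan_to_lan models the explicit firewall rule mentioned in the Note.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if ingress == "lan":
        # Masquerading: the LAN sender address is replaced by the WAN port address.
        return (ROUTER_WAN, dst) if s in LAN_NET and d in WAN_NET else None
    if dst in IP_FORWARDING:
        # IP address forwarding: virtual WAN address maps to one LAN device, all ports.
        return (src, IP_FORWARDING[dst])
    if d in LAN_NET:
        # Masquerading does not filter this packet; only the firewall rule does.
        return None if block_wan_to_lan else (src, dst)
    return None


def exposure(lan_hosts, wan_host="192.168.20.50", block_wan_to_lan=False):
    """For each LAN host, list the destination addresses that reach it from the WAN side."""
    result = {}
    for host in lan_hosts:
        candidates = [host] + [v for v, real in IP_FORWARDING.items() if real == host]
        result[host] = [c for c in candidates
                        if route(wan_host, c, "wan", block_wan_to_lan) == (wan_host, host)]
    return result


if __name__ == "__main__":
    hosts = ["192.168.10.5", "192.168.10.11", "192.168.10.12"]
    print("masquerading only:  ", exposure(hosts))
    print("with firewall rule: ", exposure(hosts, block_wan_to_lan=True))
```

Comparing the two printed maps shows which network 1 addresses stay reachable from network 2 with masquerading alone and which remain reachable once the firewall rule is added.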










