Real-Time Measurement and Control


Cannot access cRIO behind NAT firewall with MAX

The issue can be corrected in MAX. MAX should ignore the local address in the cRIO configuration, but use the external IP address that I specify when I use the "Remote Device (not on the local subnet)" search function.

Message 11 of 25

I agree with Theo.  The fact that we have already established the network connection manually and then MAX defaults to whatever the cRIO responds with is the issue.

Message 12 of 25

Whether the issue is from MAX or the cRIO is a "chicken and egg" problem. I think I will try a hack workaround when I get my system back online. This is to set the local cRIO IP address to the same address as my remote router's static WAN side IP address. If my low end router can handle the WAN and LAN address ranges being the same, this may work. It is the only thing I can think of that may work at this point.

I am personally far more interested in getting the remote target (cRIO) to connect through a LabVIEW project than through MAX. I have been using the MAX connection as the first step.

Message 13 of 25

Here is an excerpt from the response I got from NI about using an NI-9163 behind a NAT firewall, which may be applicable to the cRIO issue as well.

"... The 9163 module uses a Datagram Delivery Protocol (DDP) broadcast to communicate with MAX at any level deeper than purely being able to recognize the device. With this sort of protocol, the actual address of the device, in this case the 9163, is embedded in the packet instead of the NAT address which is the only way that MAX would be able to interact with the device through the firewall. Using the hardware you are using, we aren't sure that this device will be able to communicate through the NAT firewall..."

"... Our cDAQ 9181 and 9191 devices use a different protocol, mDNS, to communicate between the device and MAX. The NAT firewall should not cause any issues with these devices..."

So I have to upgrade to get this to work, a solution I am willing to do.

Randall Pursley
Message 14 of 25
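
Added example, not part of the thread and not NI code: a small Python simulation of the failure mode the NI response describes, where a discovery reply carries the device's own address in its payload and a NAT rewrites only the packet header. The JSON payload layout, the helper names and all addresses are constructed for illustration; the real DDP format is not shown on this page.

```python
import ipaddress
import json
from dataclasses import dataclass, replace

# RFC 1918 ranges, checked explicitly (addresses below are constructed samples).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Datagram:
    src: str        # source address in the IP header
    dst: str        # destination address in the IP header
    payload: bytes  # application data; a plain NAT never edits this

def device_reply(device_ip, host_ip):
    """Hypothetical discovery reply: the device embeds its own address."""
    body = json.dumps({"model": "example-target", "ip": device_ip}).encode()
    return Datagram(src=device_ip, dst=host_ip, payload=body)

def nat_outbound(pkt, inside_ip, public_ip):
    """Source NAT: rewrite the header address, leave the payload untouched."""
    return replace(pkt, src=public_ip) if pkt.src == inside_ip else pkt

def address_to_use(pkt, trust_payload):
    """Address the host connects to next: embedded one or observed source."""
    return json.loads(pkt.payload)["ip"] if trust_payload else pkt.src

def diagnose(pkt):
    """Compare the advertised address with the address the reply came from."""
    advertised = ipaddress.ip_address(json.loads(pkt.payload)["ip"])
    observed = ipaddress.ip_address(pkt.src)
    if advertised == observed:
        return "direct"
    if any(advertised in net for net in RFC1918):
        return "behind-nat"  # advertised address is not routable from the host
    return "mismatch"

if __name__ == "__main__":
    reply = device_reply("192.168.1.50", "198.51.100.7")
    seen = nat_outbound(reply, "192.168.1.50", "203.0.113.10")
    print("host sees source:", seen.src)
    print("payload says:    ", address_to_use(seen, trust_payload=True))
    print("diagnosis:       ", diagnose(seen))
```

A client that follows the embedded address ends up pointed at a private address it cannot route to, even though the first packet arrived through the NAT.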

Hi Randall-

Hopefully the cDAQ-918x or cDAQ-9191 will be able to meet your needs. One limitation you may want to be aware of, though, is that accessing the device across a NAT boundary does require forwarding all of the ports (indicated in the specifications for those chassis) to a specific IP 'inside' the NAT. So, you wouldn't be able to hook up many cDAQ chassis across a NAT from your host and expect them all to work because the port selection isn't dynamic.

Before we released the cDAQ-9188 (8-slot ethernet), I took one home and hooked it up behind my home router and then forwarded all of the ports listed in the documentation to the cDAQ-9188 client. After that, I could Add and Reserve it in MAX from my machine at the NI offices by pointing the DAQmx configuration at the IP address of my home router as assigned by my ISP. But, we do not support dynamic port assignment for services or other protocols that might or might not allow using multiple chassis behind a NAT, unfortunately.

Hopefully this helps-

Tom W
National Instruments
Message 15 of 25

Randall and I are working together. 🙂

The firewall we are using is an enterprise class firewall. We will configure it with a 1-to-1 NAT so no port forwarding is needed. Then I will write rules to only allow the required traffic in to the device.

But yes, depending on the hardware being used, it could be a problem using port forwarding for multiple devices.

We will definitely keep this thread updated on our experience.

Thanks!

Message 16 of 25
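
Added example, not part of the thread: a Python sketch of the two setups discussed in messages 15 and 16, showing why fixed service ports let only one device sit behind a single forwarded public address and how a 1-to-1 NAT with an allow list avoids the collision. Device names, all addresses and the single allowed source host are assumptions; the ports are a subset of the list posted later in this thread.

```python
from collections import defaultdict

# Subset of the ports listed later in this thread. 80 (HTTP) and 21 (FTP)
# are TCP services; 2343 is stated there as both TCP and UDP.
REQUIRED = [("tcp", 80), ("tcp", 21), ("tcp", 2343), ("udp", 2343)]

def port_forward_plan(public_ip, devices):
    """Port forwarding: each (public IP, proto, port) maps to one inside host."""
    claims = defaultdict(list)
    for name, inside_ip in devices.items():
        for proto, port in REQUIRED:
            claims[(public_ip, proto, port)].append((name, inside_ip))
    forwards = {key: who[0] for key, who in claims.items()}
    conflicts = {key: [name for name, _ in who[1:]]
                 for key, who in claims.items() if len(who) > 1}
    return forwards, conflicts

def unreachable_devices(conflicts):
    """Devices that lost at least one required port to an earlier device."""
    return sorted({name for names in conflicts.values() for name in names})

def one_to_one_plan(public_ips, devices, allowed_source):
    """1-to-1 NAT: one public IP per device, inbound allowed from one host only."""
    if len(public_ips) < len(devices):
        raise ValueError("1-to-1 NAT needs one public address per device")
    nat, allow = {}, []
    for public_ip, inside_ip in zip(public_ips, devices.values()):
        nat[public_ip] = inside_ip
        for proto, port in REQUIRED:
            allow.append((allowed_source, public_ip, proto, port))
    return nat, allow  # anything not in `allow` is meant to be dropped

if __name__ == "__main__":
    # Constructed sample devices and documentation-range addresses.
    devices = {"chassis-a": "192.168.1.50", "chassis-b": "192.168.1.51"}
    _, conflicts = port_forward_plan("203.0.113.10", devices)
    print("cannot be forwarded:", unreachable_devices(conflicts))
    nat, allow = one_to_one_plan(["203.0.113.10", "203.0.113.11"],
                                 devices, "198.51.100.7")
    print("1-to-1 map:", nat, "| allow rules:", len(allow))
```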

I couldn't find a listing of specific ethernet ports required for the cRIO-9025 controller.  Can you point me in the right direction Tom?

Message 17 of 25

Ebnelson,

 

Please see this other discussion forum where it lists the ports. If you go to the solution it lists all the required ports for the firewall settings.

http://forums.ni.com/t5/Real-Time-Measurement-and/Exactly-what-ports-are-used-to-communicate-with-a-...

Kyle Hartley
Senior Embedded Software Engineer

Message 18 of 25

Except the "solution" fails to mention that port 44525 (Ethernet Target Device Discover) is only used when the cRIO and PC are on the same subnet. If we were all on a local subnet with our cRIO targets, none of us would have had a problem. What I'm hoping for is the port numbers and type of connection (TCP, UDP, ...) for all connections required to connect to a remote target, on the other side of a firewall, from a LabVIEW project. If I have a chance to take a simple home router to work I may come up with that list myself.

Is the MAX discovery the only process that changes ports if the target is on a local subnet vs. external WAN?

Message 19 of 25

@ericbnelson wrote:

Except the "solution" fails to mention that port 44525 (Ethernet Target Device Discover) is only used when the cRIO and PC are on the same subnet. If we were all on a local subnet with our cRIO targets, none of us would have had a problem. What I'm hoping for is the port numbers and type of connection (TCP, UDP, ...) for all connections required to connect to a remote target, on the other side of a firewall, from a LabVIEW project. If I have a chance to take a simple home router to work I may come up with that list myself.

Is the MAX discovery the only process that changes ports if the target is on a local subnet vs. external WAN?

Ebnelson,

You also have to forward the ports for the shared variables.

I personally forward all these ports:

80
44516
44525
21
20
3079
3580
3537
81
2343 (both TCP and UDP)
59110
62602
57616
51700

 

I found them using Wireshark.

Message 20 of 25