Accessing Ignition Over a WAN

Some users may wish to access their Ignition Gateway over the Internet or a WAN (wide area network).  With a little knowledge of networking practices and administrative access to your network, this capability is easily achievable.

 

Background

We're going to learn about TCP/IP and networking with Ignition by example. Our setup uses the address range 192.168.0.1-254. This is an example of a non-routable Class C IP network. Class C means that we have 255 addresses to deal with and a 24-bit subnet mask (255.255.255.0). Non-routable means that we're using addresses that have been reserved for private (non-Internet) use, so Internet routers will ignore requests that use these addresses. Make sure that you use non-routable addresses when setting up private control networks! We have a router set up that has a single legal IP address and provides Internet access to our network with Network Address Translation (NAT). This article is relevant to any setup where you use NAT, port forwarding, or a DMZ (demilitarized zone, a subnetwork that sits between the internal and external network).

 

Example Settings

The Ignition gateway uses the static (non-DHCP) address 192.168.0.2 and currently runs over port 8088.

The router uses the LAN address 192.168.0.1.

The router uses the WAN (Internet) address 69.19.188.26.

Clients' addresses are assigned via DHCP in the range 192.168.0.100-150. They need to access the Ignition project.

We want to be able to access our application over the Internet.

 

Setup

Our first step to allow access to the Ignition gateway is to set up a port forward rule in the router. It should specify that TCP traffic directed to 69.19.188.26 over port 8088 be forwarded to 192.168.0.2. You may also need to add an incoming firewall rule with the same settings to support this.

 

To test, open http://69.19.188.26:8088 in a web browser. If you see the default Ignition Gateway web site, it worked. If not, you can try loosening up your firewall policy and using 192.168.0.2 as the DMZ host. Keep in mind that a home router DMZ host is not a true DMZ in terms of network segmenting - it is a feature that will pass all traffic to our Gateway, with the exception of certain attacks. This is much more wide open than a single port forward and is geared toward Internet games that require numerous ports to be open. Incrementally tighten security back up as you determine what works.

 

Next make sure that your firewall doesn't block outbound TCP traffic from your local network over port 8088. In most cases it shouldn't, but our network is very secure so we'll set up an outbound firewall rule to allow TCP traffic from 192.168.0.x to 69.19.188.26 over port 8088. Without this rule, Internet users won't have a problem, but your local clients won't be able to access the system. Your clients should address 69.19.188.26 instead of 192.168.0.2 when using the Ignition runtime. Then restrict gateway configuration access to either 127.0.0.1 (localhost) or 192.168.0.*.

 

You should now be able to access your Ignition gateway via the Internet and launch clients on remote systems.
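Once the port forward is live, it is worth confirming that the configuration restriction from the Setup steps (127.0.0.1 or 192.168.0.* only) actually holds. The following is an added example, not part of the original page or of Ignition: it audits an access log against that allow-list. The log format (timestamp, source address, area) and the sample lines are constructed for illustration; the addresses come from the example settings above.

```python
import ipaddress

# Allow-list from the page: localhost or 192.168.0.* may reach configuration.
ALLOWED_CONFIG_SOURCES = [ipaddress.ip_network("127.0.0.1/32"),
                          ipaddress.ip_network("192.168.0.0/24")]
# Router LAN address from the example settings. Assumption: if the router
# rewrites source addresses on forwarded traffic, remote requests arrive as
# 192.168.0.1 and the 192.168.0.* rule cannot tell them from local ones.
ROUTER_LAN = ipaddress.ip_address("192.168.0.1")

# Constructed sample log: "<timestamp> <source-ip> <area>" (hypothetical format).
SAMPLE_LOG = """\
2024-05-01T08:00:01 127.0.0.1 config
2024-05-01T08:02:10 192.168.0.120 config
2024-05-01T08:03:44 203.0.113.7 runtime
2024-05-01T08:05:12 203.0.113.7 config
2024-05-01T08:06:30 192.168.0.1 config
2024-05-01T08:07:00 not-an-ip config
"""

def classify(source, area):
    """Return 'ok', 'deny' or 'review' for one logged request."""
    if area != "config":
        return "ok"  # runtime access is meant to be reachable over the WAN
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return "deny"  # unparseable source address: fail closed
    if addr == ROUTER_LAN:
        return "review"  # may be a remote client hidden behind source NAT
    if any(addr in net for net in ALLOWED_CONFIG_SOURCES):
        return "ok"
    return "deny"

def audit(log_text):
    """Return (timestamp, source, verdict) for every request that is not 'ok'."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not match the constructed format
        ts, source, area = parts
        verdict = classify(source, area)
        if verdict != "ok":
            findings.append((ts, source, verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

A "review" result on 192.168.0.1 means the router's NAT behaviour should be checked before relying on the 192.168.0.* rule to keep Internet users out of gateway configuration.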