mbNETFIX - Industrial Firewall

nbNET image

The mbNETFIX is an industrial firewall ideally suited for automation applications. It is a self-learning, easy-to-configure firewall that can be operated in bridge mode or gateway mode.

In Bridge Mode, it is ideal for retrofitting existing networks. It can be installed out of the box, without introducing changes in the network (it does not have an IP address), and once installed protects the network immediately. It protects data transfer between the WAN and LAN ports.


nbNET dashboard image

Example diagram of Bridge Mode

In Gateway Mode, selected areas of a network can be separated. WAN and LAN interfaces get separate IP addresses, thus segmenting the network. With this configuration, functions such as NAT and Forwarding can be used to route data traffic to secondary networks. Meanwhile the packet filter manages data exchange between the LAN and WAN. Using the learning mode, the creation of filter tables is greatly simplified.


nbNET dashboard image

Example diagram of Gateway Mode

The design concept of the mbNETFIX is based on “Security by Design” right from the start. In order to keep attack vectors as small as possible, a web interface was deliberately disregarded. The firewall is configured using configuration software via the USB port. For IT experts, an optional SSH interface is available.

Key benefits include:


Avoid address conflicts when installing new machines. Integrating a new machine in an existing production network can yield address conflicts, making machine installation longer and more expensive. mbNETFIX simplifies and shortens machine installation while preserving the internal network conventions.
Easily access devices in an isolated network segment. Accessing machines in isolated Network segments can be difficult or sometimes impossible. With the simple NAT Feature, the mbNETFIX easily forwards Addresses from the WAN to the LAN side. Simply fill out the mapping table to accomplish the forwarding.
Secure new machine internal network.Industry 4.0 is about seamless data flow. No one wants Potential threats from a HMI, a USB stick or a PC are prevented from spreading to the factory floor. The mbNETFIX filters allowed and forbidden traffic and thus preserves communication flows, while ensuring cybersecurity.
Isolate network segments with heavy traffic. Modern machine communication protocols use a lot of broadcast communications. mbNETFIX, can be used to isolate network segments, so overhead traffic remains local and factory network bandwidth is preserved.
Secure machines already installed on the network. Raising the level of cybersecurity of existing machines without introducing a change in the network can be a costly and significant challenge. Using the mbNETFIX‘s bridge mode, this challenge is easily and affordably met. Simply plug it and add it to a network, and traffic is controlled while no changes to existing machines or switches.
Secure sensitive network components. To ensure an ongoing decent level of cybersecurity, PLCs would have to be updates constantly. To do so would cause ongoing dramatic disruptions and in practice is just not feasible. By enabling the mbNETFIX as external cybersecurity guard, the cybersecurity level can be raised easily without patching the PLCs.


The mbNETFIX’s integrated learning function monitors the traffic and the user can explicitly release or block the connections among the IP devices directly from a learned packet table. The built-in learning feature simplifies commissioning and does not require special IT skills.

With the integrated packet filter, the mbNETFIX protects networks. It blocks or releases traffic between WAN and LAN on both sides. Using the configuration software, users can use simple filter tables to determine which communications to allow or prohibit.

The mbNETFIX also has various NAT functionalities that can be configured via the configuration software. Thus, the firewall can be used to connect different networks, even if the IP address ranges are different. The device includes Simple NAT, Network NAT, DNAT (Port Forwarding), SNAT and Static Routes.

The configuration tool generates an RSA key pair during commissioning and transmits it to the mbNETFIX. The RSA key authentication replaces the classic password method and secures mbNETFIX from brute force attacks. Lastly, the convenient user role management, allows assignment of four user levels that have different rights.


Part #
Manufacturer Part # (mbConnect Line)