3rd party system installed, can't connect to any devices on the router.

We just had a control system installed by a 3rd party. It has 4 devices connected together via Ethernet using a Mikrotik RB951G-2HnD. It’s already connected through our internal PLC network and goes out to the internet. That works, since we can access their Siemens HMIs through their 3rd-party website… We can’t integrate it the way we’d like with our SCADA system. Their setup tech wasn’t very helpful and said there wasn’t much he could do; he didn’t even have a laptop with him.

I can ping the IP of the router and that’s it.
Looks like I might need to make a new entry in Firewall > NAT, which I did. Seems like this should have allowed communication to our network.

Here’s the output from /ip firewall nat

# aug/14/2024 05:11:24 by RouterOS 6.38.1
#
/ip firewall nat
add chain=srcnat dst-address=10.0.0.0/24 src-address=10.2.120.0/24
add action=masquerade chain=srcnat
add chain=srcnat dst-address=10.0.0.0/24 src-address=10.2.120.0/24
add action=masquerade chain=srcnat
add action=accept chain=srcnat dst-address=10.20.100.0/20 src-address=10.2.120.0/24
add action=masquerade chain=srcnat

Thanks, and sorry if this should be an easy fix.

The request is devoid of any details.

If you were asked the exact same question, what would you say?

I don't know, try asking on the Mikrotik forum.
:laughing:

Sorry, but all those devices you mention do not mean anything to me (or us); we have no idea what this system is. You need at least a connection diagram and the desired objective: what should connect where, and what doesn’t work.

Hi @chewbo, welcome to the forum!

Aren’t the PLC devices supposed to be managed by the controller (HMI) on the internal bus or do you need to access them separately? This is usually done through a separate gateway which sometimes is built into the controller.

As for the technician not bringing his own laptop, unfortunately that’s not too uncommon. Many process technicians have pretty limited knowledge of networking in general and can often only manage to install and configure devices using the controller from the same manufacturer (usually where they work).

When it comes to the configuration regarding the firewall, it would be better if you describe what you want to achieve with a brief explanation that includes a simple network topology including addresses for the different subnets.

Sorry, I thought I actually gave a few details, such as the issue I'm having, the model of the router, and the firewall NAT configuration.

Feel free to let me know what other details you would need.

Check out my previous post.

Here’s a diagram. I’d like to be able to access the HMI screens in Cabinets 1, 2 and 3 from their web interface, like the 2 similar Simatic HMIs in our building. These can already be accessed via a 3rd-party website, but we’d like to show them on our SCADA system. Right now it takes seven clicks to navigate to an HMI screen on these cabinets, while the other processes only need one.

Ideally it’d be better if we could just access the PLC directly and pull tags, but that’s a discussion for a different forum.

  1. Access from where exactly?
  2. Is the control laptop network 10.20.x.x connected directly to the PLC network 10.20.100.x, i.e. on the same subnet?
  3. Is there a separate router for each cabinet, i.e. 10.2.120.1-10.2.120.3?
  4. Is the same subnet reused for all cabinet devices, i.e. 10.2.120.x?

  1. Access from the 10.20.100.x network
  2. The laptop is connected to 10.20.101.x, where all the computers connect to. It can currently access all the Ethernet-connected devices on 10.20.101.x through 10.20.111.x (except the devices on this router).
  3. Each cabinet has its own router; they are wired in series like the diagram shows
  4. The same subnet is used for all 3 routers.

  1. What subnet is 100.20.101.x ? I can’t find it on the diagram…
  2. Are the ports bridged/switched or routed between them?

When connected to the first router using Winbox it shows bridge-local as the interface for the other routers.

The port for our internal network shows ether5-gateway and has 10.20.100.1 as the IP which is the correct gateway IP for our network.

  1. What subnet is 100.20.101.x ? I can’t find it on the diagram…
  2. Are the ports bridged/switched or routed between them?

10.20.100.x are for routers/switches
10.20.101.x are for desktop/laptop and printers
10.20.104.x are for PLC/HMI control devices
10.20.106.x are for VFD’s

I can connect to all those devices using my laptop from my 10.20.101.x subnet

Alright, let me make sure I’ve got this straight: all the devices on the control network (where the laptop is) are on the same subnet (10.20.x.x/16) connected to the “IDF1 PLC Network Switch” but their IP addresses are organized by equipment type.

So, back to the original issue: since all the cabinet PLC LANs are using the same subnet, you can’t just address individual PLC units or other devices by their IP address alone. Instead, you’ll need to use a combination of port numbers and the router’s IP address using port forwarding (dst-nat).

For example, if you want to access the web page for the SIMATIC HMI (ip 10.20.120.11) in cabinet 1 (ip 10.20.120.1) using HTTPS (port 443), you’d need to set up port forwarding something like this in the cabinet 1 router: ‘add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1 (or/and dst-address=10.20.120.1) protocol=tcp to-addresses=10.20.120.11’. This way you can access it using 10.20.120.1:443, which is forwarded internally to 10.20.120.11:443. You can of course map it to a different destination port and use src-address to restrict access.

If you want to access other devices on the same LAN, you’ll need to do the same with other port numbers. Just make sure the port numbers don’t clash with the internal port numbers of the router you might need.

BTW, if all the devices had the same IP address setup in all cabinets, you could use the exact same configuration for all the cabinet routers. Just wondering since you’re already reusing the same subnet, why don’t you? I mean, if you did, you could preconfigure cabinets with all devices only needing to change the IP address on the router connecting to the control network. Otherwise, you might as well just use unique subnets so you can address all devices directly using regular routing.

Because this network was set up this way well before I started working here, and these new devices were set up the way they are when they arrived.
I think they just changed the IP/Gateway for our network.

I can tell you how everything is setup now, but I don’t know much about what I’m doing when it comes to setting up a network myself, which is an honest answer.

I’ll try doing like you suggested to forward the ports

No worries, I was just curious. Let me know how it goes after you’ve tested it.

When I use any in-interface other than local-bridge I get the error below. Each error listed the ether interface I had tried.

--- in/out-interface matcher not possible when interface (ether1-master-local) is slave - use master instead (bridge-local)

When I try using local-bridge the error goes away but I can’t reach the HMI via the IP I setup. I can’t ping it, or connect to it.

Here’s my firewall entry, set up to forward to the next available IP for HMIs on our device network, 10.20.104.54

add action=dst-nat chain=dstnat dst-address=10.20.104.54 dst-port=443 in-interface=bridge-local protocol=tcp to-addresses=10.2.120.11

Let me know if this is correct. I’m not sure about the in-interface, but like I said it won't work with any other ether interface.

You can skip “in-interface=bridge-local”; you should get a match just using “dst-address=10.20.104.54” and “dst-port=443”. BTW, are you sure you can reach 10.20.104.54 by pinging it? I assume it is one of the cabinet routers?

Ah sorry, all the ports should get forwarded to the router IP? A different port for each device? 10.20.100.15 is the router in that case, and it’s pingable.

Reply from 10.20.100.15: bytes=32 time<1ms TTL=64
Reply from 10.20.100.15: bytes=32 time<1ms TTL=64
Reply from 10.20.100.15: bytes=32 time<1ms TTL=64
Reply from 10.20.100.15: bytes=32 time<1ms TTL=64

dst-address=10.20.104.54 => IP address on the controller network side of the router. If that’s the router in cabinet 1, shouldn’t it be 10.2.120.1?
to-addresses=10.2.120.11 => IP address of the SIMATIC HMI.

i.e., ‘/ip firewall nat add action=dst-nat chain=dstnat dst-address=10.2.120.1 dst-port=443 protocol=tcp to-addresses=10.2.120.11’
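As an added, worked configuration (editor's example, not from any post in this thread), here is a complete rule set for the cabinet 1 router that ties the advice above together: the dst-nat rule keyed on the router's own plant-side address, a second rule for another device on the same reused subnet, and a forward-chain filter so the forwarding does not open the cabinet LAN any wider than intended. It assumes what the thread states: the router's plant-side interface is ether5-gateway with 10.20.100.15, the cabinet LAN is 10.2.120.0/24 on bridge-local, the HMI is 10.2.120.11, and access should only come from the desktop/SCADA subnet 10.20.101.0/24. The second device address 10.2.120.12, the ports 8443/8444 and the /16 plant mask are assumptions for illustration.

```routeros
# Added example for the cabinet 1 RB951G; not the integrator's configuration.
# Assumed: plant side = ether5-gateway / 10.20.100.15, cabinet LAN = bridge-local
# / 10.2.120.0/24, HMI = 10.2.120.11, allowed clients = 10.20.101.0/24.

# 1. Port forward to the HMI. dst-address must be an address this router owns
#    on the plant side, otherwise the packet never arrives here. 8443 is used
#    instead of 443 on purpose: dstnat runs before the input chain, so a rule on
#    443 would also capture the router's own www-ssl service (see /ip service).
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-address=10.20.100.15 dst-port=8443 \
    src-address=10.20.101.0/24 to-addresses=10.2.120.11 to-ports=443 \
    comment="cab1 HMI https -> 10.20.100.15:8443"

# A second device on the same cabinet LAN gets a different plant-side port
# (10.2.120.12 is an assumed second HMI).
add chain=dstnat action=dst-nat protocol=tcp dst-address=10.20.100.15 dst-port=8444 \
    src-address=10.20.101.0/24 to-addresses=10.2.120.12 to-ports=443 \
    comment="cab1 second HMI https -> 10.20.100.15:8444"

# 2. Return path. The posted export already has unconditional
#    "action=masquerade chain=srcnat" rules, so replies from the HMI will return
#    via this router even if the HMI's default gateway is not 10.2.120.1. If you
#    ever tighten those to out-interface=ether5-gateway, keep this one so the
#    forwarded connections still work (at the cost of the HMI only ever seeing
#    the router's address as the client).
add chain=srcnat action=masquerade out-interface=bridge-local \
    dst-address=10.2.120.0/24 comment="cab1 replies for forwarded connections"

# 3. Forward filter: only the forwarded HMI connections may enter from the plant
#    side; everything else initiated from the plant network into the cabinet is
#    dropped. Cabinet-initiated traffic (their 3rd-party web connection) is
#    unaffected because its replies match established,related.
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept connection-state=new in-interface=ether5-gateway \
    protocol=tcp dst-address=10.2.120.11 dst-port=443 src-address=10.20.101.0/24
add chain=forward action=accept connection-state=new in-interface=ether5-gateway \
    protocol=tcp dst-address=10.2.120.12 dst-port=443 src-address=10.20.101.0/24
add chain=forward action=drop in-interface=ether5-gateway \
    comment="no other plant-side access into the cabinet LAN"

# 4. Optional alternative matching the 10.20.104.54 attempt in the thread: to
#    present the HMI under its own plant-side address (like the building's other
#    Simatic HMIs on 10.20.104.x) the router has to own that address, or nothing
#    on the plant segment answers ARP for it and the dstnat rule never sees the
#    packet. The /16 mask is assumed from the "10.20.x.x/16" description; make
#    sure the alias is not in a DHCP pool or used by another device.
/ip address
add address=10.20.104.54/16 interface=ether5-gateway comment="cab1 HMI alias"
/ip firewall nat
add chain=dstnat action=dst-nat protocol=tcp dst-address=10.20.104.54 dst-port=443 \
    src-address=10.20.101.0/24 to-addresses=10.2.120.11 \
    comment="cab1 HMI via alias address, https://10.20.104.54/"
```

To verify, open https://10.20.100.15:8443/ from a 10.20.101.x machine and watch the counters with `/ip firewall nat print stats` and the translated flow with `/ip firewall connection print where dst-address~"10.2.120.11"`. `/ip service print` lists the ports the router itself listens on (www, www-ssl, winbox, api, ssh), which are the ones to avoid reusing as plant-side forward ports. Cabinets 2 and 3 take the same rules with their own plant-side router address, which is the only value that differs if the cabinet LAN addressing is identical.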