wildbill (Topic Author, just joined; Posts: 1; Joined: Wed May 20, 2020 8:05 pm)

Using CRS354-48G-4S+2Q+ to NAT Translate Allen Bradley PLCs: Full Setup

Wed May 20, 2020 9:25 pm

Hey guys,

Automation engineer here with limited network knowledge, and I would really appreciate any guidance and knowledge the community can spare. I don't need it done for me, just pointed in the right direction. See the attached diagram.
network.pdf
Picked up a switch/router to try and get this job done. If we can get it to work, we've saved over $30k compared to a traditional setup, using a $500 switch.

I have 28 Allen Bradley PLCs that are getting added to a SCADA network. These PLCs have their own EtherNet/IP network, complete with robots and field devices. They are nearly identical copies of each other.

Questions:

What is the best strategy for the isolation of interfaces/ports from one another?
-- So machine 1 can't send packets to machine 2. This would be bad.

What is the best strategy for doing NAT?
-- Do I need both SRC and DST nat rules?
-- Do I need MAC addresses off the PLCs' NICs?
pukkita (Trainer; Posts: 3037; Joined: Wed Dec 04, 2013 11:09 am; Location: Spain)

Re: Using CRS354-48G-4S+2Q+ to NAT Translate Allen Bradley PLCs: Full Setup

Thu May 21, 2020 4:35 pm

> What is the best strategy for the isolation of interfaces/ports from one another?
> -- So machine 1 can't send packets to machine 2. This would be bad.

Given that PLCs/SCADA won't be sending Gbps of traffic, the most straightforward method I'd use is setting the same horizon value on all the ports of the bridge:

Set the same value for a group of ports to prevent them from sending data to ports with the same horizon value. Split horizon is a software feature that disables hardware offloading.

> What is the best strategy for doing NAT?
> -- Do I need both SRC and DST nat rules?
> -- Do I need MAC addresses off the PLCs' NICs?
Why NAT? You're concerned about PLCs communicating with each other, but will expose each to the internet?

Much simpler, cleaner, safer, better control, and best practice: set up a VPN server (you have several to choose from within ROS), connect via VPN to the CRS354, then go straight to the local PLC IPs.

Tip: Set the bridge arp mode to proxy-arp, this way you could assign IPs from same LAN range to VPN connections, no need for NAT nor setting routes on client VPNs.
Simplicity is the Ultimate Sophistication - Da Vinci
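The configuration pukkita describes, as an added RouterOS v6 CLI example that is not part of the original posts. It assumes the PLC-facing ports are ether1 through ether28 (only three shown), a PLC LAN of 192.168.10.0/24 with the CRS354 at .1, a SCADA uplink on sfp-sfpplus1, and L2TP/IPsec as the VPN server; interface names, addresses and credentials are placeholders.

```routeros
# Added example, not from the original thread. Assumed layout:
#   ether1..ether28   -> one PLC machine each (same horizon value: isolated from each other)
#   sfp-sfpplus1      -> SCADA uplink (no horizon: reaches every machine)
#   192.168.10.0/24   -> PLC LAN, CRS354 at 192.168.10.1
#   192.168.10.200-220 -> VPN clients, same range, reachable through proxy-arp

/interface bridge
add name=bridge-plc arp=proxy-arp comment="PLC machines + SCADA uplink"

/interface bridge port
# Frames arriving on a port are never forwarded to another port carrying the
# same horizon value, so machine 1 cannot reach machine 2 through the switch.
# Horizon is handled in software: these ports lose hardware offload (the H
# flag disappears in '/interface bridge port print').
add bridge=bridge-plc interface=ether1 horizon=1 comment="machine 1"
add bridge=bridge-plc interface=ether2 horizon=1 comment="machine 2"
add bridge=bridge-plc interface=ether3 horizon=1 comment="machine 3"
# ... repeat for ether4 through ether28 with horizon=1
# The SCADA uplink gets no horizon, so it can talk to all machines.
add bridge=bridge-plc interface=sfp-sfpplus1 comment="SCADA uplink"

/ip address
add address=192.168.10.1/24 interface=bridge-plc

# VPN access straight to the PLC addresses (L2TP/IPsec is one of the servers
# RouterOS offers). VPN clients receive addresses from the PLC LAN range; with
# arp=proxy-arp on the bridge, the CRS354 answers ARP for those addresses on
# behalf of the clients, so no NAT and no client-side routes are needed.
/ip pool
add name=vpn-pool ranges=192.168.10.200-192.168.10.220
/ppp profile
add name=vpn-profile local-address=192.168.10.1 remote-address=vpn-pool
/ppp secret
add name=engineer password=CHANGE_ME profile=vpn-profile service=l2tp
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret=CHANGE_ME_TOO default-profile=vpn-profile

# Checks after applying:
#   /interface bridge port print   -> HORIZON shows 1 on PLC ports, empty on the uplink
#   /ip arp print                  -> PLCs resolve VPN client addresses via the bridge
```

Two caveats worth checking against the diagram: any port that must reach all machines (the SCADA uplink, a management port) must be left without the shared horizon value, or it is isolated along with the PLCs; and because the VPN terminates on the switch itself, the WAN-facing input chain should only accept the VPN's ports (UDP 500/4500 and ESP for IPsec, UDP 1701 for L2TP) and drop everything else, so the PLC LAN is never reachable except through an authenticated tunnel.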
