NE555
just joined
Topic Author
Posts: 2
Joined: Mon Jul 12, 2021 8:35 am

Siemens PLC, Kepware, can't get destination NAT working

Mon Jul 12, 2021 9:30 am

Hello

I have the following problem, and I would be very thankful if someone can tell me what I am doing wrong.

I have a Siemens Sinumerik CNC controller and we want to get into it with a Kepware server to get data off it.
If I go with Kepware installed on my laptop, plug into the Sinumerik directly and set the LAN card IP in the same IP range, the Kepware server on my laptop will see data and start collecting it.
Now the Sinumerik acts on the outside the same as a PLC, so at the moment I have an improvised setup with an S7-1200 PLC to which I can connect directly with the mentioned IP 172.30.1.2, but after putting the MikroTik in between it stops working.
And yes, I did change the IP settings of Kepware to try to get to 192.168.2.80 now, and yes, I changed the IP settings of my LAN card.

I need to do the following:
Link public 192.168.2.80 on port 1 WAN to internal IP 172.30.1.2 which is connected to bridge on port 2.

I have RB760iGS. I am using default configuration.
From default configuration I have changed:
- Removed DHCP Client on WAN port.
- Added IP address 192.168.2.80 to the WAN port
- Changed IP on bridge to 172.30.1.5
- Disabled DHCP server on Bridge

I did:
/ip firewall nat add chain=dstnat dst-address=192.168.2.80 action=dst-nat \
to-addresses=172.30.1.2

/ip firewall nat add chain=srcnat src-address=172.30.1.2 action=src-nat \
to-addresses=192.168.2.80

I do not need any firewall or protection at all as it is part of internal network, which has no access to the internet.
Would I have to delete any of the firewall rules?

From the pictures in the attachments, you can see I get packets on the dstnat rule; those packets I get when I start the Kepware server.
And the second picture is from the filter rules, and it does not seem like anything would be rejected.

In the attachments is also an export of the configuration.
 
mkx
Forum Guru
Posts: 11444
Joined: Thu Mar 03, 2016 10:23 pm

Re: Siemens PLC, Kepware, can't get destination NAT working  [SOLVED]

Mon Jul 12, 2021 12:42 pm

Does the PLC device know to use 172.30.1.5 as default gateway (or at least for the specific subnet where the Kepware host resides)? If not, then you'll have to add src-nat for Kepware traffic:
/ip firewall nat
add action=masquerade chain=srcnat dst-address=172.30.1.2
so that packets will appear to originate from the MikroTik to the PLC device.

BTW, the src-nat rule you have only works for connections originally initiated by the PLC device and probably does nothing in regard to Kepware connectivity.

BTW2: you will eventually want to narrow down the dst-nat rule to map only the needed protocols and ports ... you'll have to find out which ports the PLC device uses for incoming connections and only port forward those. As the rule stands now, it forwards just everything (including e.g. winbox over IP connections), not sure you want to have it this way.
 
NE555
just joined
Topic Author
Posts: 2
Joined: Mon Jul 12, 2021 8:35 am

Re: Siemens PLC, Kepware, can't get destination NAT working

Mon Jul 12, 2021 1:58 pm

Thank you, your suggestion worked.
BTW, the src-nat rule you have only works for connections originally initiated by the PLC device and probably does nothing in regard to Kepware connectivity.
Most likely; I just put it there because better safe than sorry.
BTW2: you will eventually want to narrow down the dst-nat rule to map only the needed protocols and ports ... you'll have to find out which ports the PLC device uses for incoming connections and only port forward those. As the rule stands now, it forwards just everything (including e.g. winbox over IP connections), not sure you want to have it this way.
You mean port forwarding?
I will most likely try that, because it's a better solution.
 
mkx
Forum Guru
Posts: 11444
Joined: Thu Mar 03, 2016 10:23 pm

Re: Siemens PLC, Kepware, can't get destination NAT working

Mon Jul 12, 2021 3:06 pm

Yes, I was thinking of port forwarding. Example: if the PLC is accepting connections on TCP port number 8123, and you only want to forward connections from a single management machine, then you actually need a NAT rule like this:
/ip firewall nat
add action=dst-nat chain=dstnat src-address=10.20.30.40/32 dst-address=192.168.2.80 protocol=tcp dst-port=4321 to-addresses=172.30.1.2 to-ports=8123

I've added a few items:
  • src-address: IP address of the management machine. If you want to allow a few source IP addresses, then you can construct an address list (in /ip firewall address-list) and replace src-address=X.Y.Z.W with src-address-list=name_of_address_list.
  • protocol: if you don't specify it, it's assumed to be any, which will port forward all IP protocols with port numbers (that's TCP and UDP).
  • dst-port: only forwards packets sent to this particular port.
  • to-ports: forwards packets to the destination server on this port. If dst-port and to-ports are the same, then you don't have to specify to-ports. If they are different, you need to specify both.
    Use case: if you had multiple PLCs behind a single MikroTik, you could arrange port forwarding for all of them ... the only difference would be the dst-port setting (e.g. 4321 for PLC1, 4322 for PLC2, ...). The remote management application has to accept setting of the port (in addition to the IP address) though.
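As an added worked example (not from either poster), here is the complete RouterOS configuration that combines the two replies: the narrowed per-PLC dst-nat with an address list, plus the masquerade from the first reply for PLCs that have no default gateway. The second PLC address 172.30.1.3, the two Kepware host addresses 10.20.30.40 and 10.20.30.41, and TCP port 8123 are assumed for illustration only.

```routeros
# Added example, not the thread's own configuration. Topology from the thread:
# Kepware hosts -> ether1 (192.168.2.80) -> RB760iGS bridge (172.30.1.5) -> PLCs.
# Assumed values: PLC2 at 172.30.1.3, Kepware hosts 10.20.30.40/.41, PLC port 8123.

# 1. Only these hosts may reach the PLCs through the forward.
/ip firewall address-list
add list=kepware-hosts address=10.20.30.40 comment="Kepware server"
add list=kepware-hosts address=10.20.30.41 comment="Engineering laptop"

# 2. One dst-nat rule per PLC. Each PLC gets its own outside port
#    (4321, 4322, ...) but is reached on the same PLC port (8123).
#    Because protocol and dst-port are set, the router's own services
#    (e.g. Winbox) on 192.168.2.80 are no longer swallowed by the forward.
/ip firewall nat
add chain=dstnat action=dst-nat src-address-list=kepware-hosts \
    dst-address=192.168.2.80 protocol=tcp dst-port=4321 \
    to-addresses=172.30.1.2 to-ports=8123 comment="PLC1"
add chain=dstnat action=dst-nat src-address-list=kepware-hosts \
    dst-address=192.168.2.80 protocol=tcp dst-port=4322 \
    to-addresses=172.30.1.3 to-ports=8123 comment="PLC2"

# 3. Return path (first reply): a PLC with no default gateway still answers,
#    because forwarded packets now carry the router's bridge address
#    172.30.1.5 as source. Scoped to the PLC subnet so nothing else is masked.
add chain=srcnat action=masquerade out-interface=bridge \
    dst-address=172.30.1.0/24 comment="source NAT for PLCs without gateway"

# 4. Keep the default firewall instead of deleting it. The default forward
#    chain already lets dst-natted connections through; this rule makes that
#    allowance explicit and narrow (only TCP 8123 to the PLC subnet) so it
#    survives if a drop-all rule is added later. Use place-before= to keep it
#    above any such drop rule.
/ip firewall filter
add chain=forward action=accept connection-nat-state=dstnat \
    in-interface-list=WAN protocol=tcp dst-address=172.30.1.0/24 \
    dst-port=8123 comment="Kepware -> PLC, forwarded connections only"
```

Verify with /ip firewall nat print stats and /ip firewall connection print: the per-PLC dst-nat counters should increase when Kepware connects, and the connections should show reply-src-address 172.30.1.5 for the masqueraded leg.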
 
ammarabbasi
just joined
Posts: 12
Joined: Wed Oct 04, 2017 8:34 am
Location: Lahore

Re: Siemens PLC, Kepware, can't get destination NAT working

Sat Oct 09, 2021 2:03 pm

Hi, good day, having a similar issue with a PLC.

Plc(192.168.1.42)----ether1(192.168.1.1) {R} (10.250.20.62)ether3----- (10.250.20.60)PC.

Requirement is to access plc (192.168.1.42) on 10.20.20.62. From pc.

Currently configured:
Ether1: 192.168.1.1
Ether3: 10.250.20.62

NAT config:
Action=dst-nat to-addresses 192.168.1.42 chain=dstnat dst-address 10.250.20.62.
Action=masquerade chain=srcnat dst-address 192.168.1.42

Counters are working but I cannot fetch data.
Any hints?

Thanks in advance.
 
ammarabbasi
just joined
Posts: 12
Joined: Wed Oct 04, 2017 8:34 am
Location: Lahore

Re: Siemens PLC, Kepware, can't get destination NAT working

Sat Oct 09, 2021 10:43 pm

Thanks, the above configurations are correct; the device got reset on its own (power fluctuation perhaps) and changed its IP to 192.168.0.1 automatically while I was testing on 1.42.
Got a hint from torching ether1 and saw where this 0.1 was coming from! :?

Changed IP and it worked.
