Managed Switch or Router

OkiePC (Lifetime Supporting Member; Join Date: Mar 2005; Location: ENE of Nowhere Oklahoma; Posts: 11,762)
I have a customer who will want to access his HMI at a remote station via the internet. He has gotten internet service installed and has asked for a fixed IP address to facilitate this.

This little control system will have a Micrologix 1400 and Red Lion Graphite HMI.

I expect I could give the HMI the fixed IP address, but then I'd have to connect to the PLC via a different port. I think it might make more sense to use a router in the panel, keep the HMI and PLC addresses private, and let the router do the network address translation to and from the fixed IP address.

Can a managed switch do this or do I need a router?

Any suggestions for a reasonably priced DIN rail mount router?

There will only be one other device using Ethernet at this station, two if I am plugged into the local network with a laptop for commissioning, so 4 ports is enough.

Thanks,
Paul
 
I've also been investigating these same questions recently so I'm interested to hear any and all suggestions.

To use a managed switch I think you need one that supports "one-to-one NAT" (Google it). This allows you to directly translate WAN-side IP addresses to those on the LAN (I think). Since you only have one WAN IP in your setup, and multiple devices, I think a router is the way to go and just use port forwarding. RSLinx and Crimson both allow you to change the connection port number, although you probably wouldn't need to for your application. Most of the DIN rail type routers I've seen are very expensive. I've used the EdgeRouter X from Ubiquiti ($50) in factory settings and it works well.
https://www.ubnt.com/edgemax/edgerouter-x/

It's a commercial grade unit and can be powered from 24vdc so you just snip off the wall wart and wire directly into your TB. Port forwarding is very easy to set up.
 
I would not do it with a simple router or even a managed switch. There is very little security in doing that. It's one thing to allow connections from a client's wider-area internal network (beyond the manufacturing zone) to a machine but an entirely different beast if one side is Internet-facing. At the very least you need VPN (virtual private networking).
 
There is very little security in doing that.
With the default settings, I would agree. But in addition to the normal firewall rules, you can restrict access to a specific MAC or IP address. The port numbers used by the Micrologix and HMI are quite rare so it's unlikely that a hacker would be targeting those. Still, with some routers (including the Edgerouter) you can translate a WAN-side port number to a different one on the LAN. Pick oddball port numbers and couple it with MAC/IP filtering, and I think it would be pretty secure. (Maybe not for a nuclear power facility or the White House but I doubt that's what the OP is dealing with.)

I am interested in learning more about VPNs however.
 
I would advise not using VPN. If you don't do it properly using encryption, you open a big vulnerability. Services like logmein.com are made for this type of situation. You don't need to do any configuration on the network and it works over standard SSL ports. I would recommend using 2 factor authentication.
 
Okie nothing will beat an E.W.O.N Cosy for the situation you have when all things are considered meaning Price, Complexity, Security and usability.

https://****.biz/products/****-cosy

This will do an inside-out connection and will traverse any firewalls or routers without any configuration, as it uses ports 80 and 443, which are used for HTTP and HTTPS (internet browser traffic).

Your customer will only need to go to the E.W.O.N website and put in his username and password to connect.
 
+1 on the Cosy.
Yes, they cost you a fair bit more, but the time and headache savings are well worth it. And no need for a static IP address from your ISP.
They are easy to configure and once you've done one, they honestly only take 5 minutes to configure the router.
 
The e Won is the solution I would recommend.
The added feature I really appreciate is the Talk 2 m servers/functionality.
It's basically a cloud-based industrial connectivity service accessible from just about any web browser (including mobile). Customers will have easy access through their PC, tablet, or smartphone.

You can use the e Won VPN connection (PC only) or the browser based e w o n access to view/control the HMI. Tested device compatibility list for e w o n is here: "https://e w o n.biz/support/product/m2web-device-compatibility/device-compatibility"
If yours is not on the list, then testing would be in order, or get one on the list.

Everything with VNC access is compatible with the e Won VPN.
With their servers spread out all over the world this solution is pretty reliable and easy to set up.
 
Hmmm. Interesting choices. The $60 router seems too good to be true. I have some other Ubiquiti products in industrial settings that are surprisingly robust and very inexpensive.

The Cosy is only ten times the price from what I can tell, but has many recommendations for ease of use plus security, and time is money. Although I would rather not depend on a third-party server, it seems that is the way the world is turning.

Can't seem to find a cost on the Spectrum Controls unit but I have had good experience with their other products and it appears to have similar features to the ewok.

I gave the cosy maker my email address. I guess I can expect more info from them about cost and availability.

I also looked at a Red Lion RAM router that is even more money and is simply a nice looking industrial din rail mounted router.

Do the cosy or the webport require any sort of annual fee to use their products or do they just get it all out of you up front?
 
I would strongly advise against port forwarding using a router without a VPN connection as was mentioned above. Doing so exposes your PLC or HMI to the internet.

Even if you use ports that are not common, there are bots out there constantly scanning for open ports and trying to find vulnerabilities, potentially opening yourself up to a DDoS attack or other issues that may affect communications between PLC/HMI.
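The two posts above disagree on whether oddball port numbers plus MAC/IP filtering are enough. One way to settle it for your own site is to look at the router's firewall log. The script below is an added example, not code from either poster or from Ubiquiti: it assumes netfilter-style log lines (as a Linux-based router would emit for a logged rule; the exact format and all addresses here are constructed) and summarises which sources hit the forwarded ports, separating the customer's allowlisted addresses from unlisted ones and flagging sources that sweep several ports.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log, assumed netfilter-style format; addresses are from
# RFC 5737 documentation ranges. 203.0.113.10 plays the router's fixed WAN IP.
SAMPLE_LOG = """\
Jan 10 02:11:03 router kernel: [WAN_IN-default-D] IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=44818 SYN
Jan 10 02:11:04 router kernel: [WAN_IN-default-D] IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51235 DPT=5900 SYN
Jan 10 02:11:09 router kernel: [WAN_IN-default-D] IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=51236 DPT=10001 SYN
Jan 10 08:30:41 router kernel: [WAN_IN-allow-A] IN=eth0 SRC=192.0.2.25 DST=203.0.113.10 PROTO=TCP SPT=40002 DPT=10001 SYN
Jan 10 13:02:55 router kernel: [WAN_IN-default-D] IN=eth0 SRC=198.51.100.99 DST=203.0.113.10 PROTO=TCP SPT=60000 DPT=10001 SYN
Jan 10 13:02:56 router kernel: [WAN_IN-default-D] IN=eth0 SRC=198.51.100.99 DST=203.0.113.10 PROTO=UDP SPT=60001 DPT=2222
"""

# Constructed policy: the customer is expected to come from one /24, and two
# "oddball" WAN-side ports are translated to the HMI and PLC on the LAN.
ALLOWED_SOURCES = ["192.0.2.0/24"]
FORWARDED_PORTS = {10001: "hmi", 44818: "plc"}

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")


def audit_wan_log(log_text, allowed_sources, forwarded_ports):
    """Return (allowed_hits, unlisted_hits, scanners).

    allowed_hits / unlisted_hits count hits per forwarded-port label from
    allowlisted vs. other sources; scanners lists sources that probed more
    than one distinct port, i.e. a sweep rather than the customer's client.
    """
    allow = [ip_network(n) for n in allowed_sources]
    allowed_hits, unlisted_hits = Counter(), Counter()
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall log line
        src, dpt = ip_address(m["src"]), int(m["dpt"])
        ports_by_src[str(src)].add(dpt)
        if dpt not in forwarded_ports:
            continue  # probe of a port that is not exposed; only counts toward sweep detection
        bucket = allowed_hits if any(src in n for n in allow) else unlisted_hits
        bucket[forwarded_ports[dpt]] += 1
    scanners = sorted(s for s, p in ports_by_src.items() if len(p) > 1)
    return allowed_hits, unlisted_hits, scanners


def audit_sample():
    """Run the audit over the constructed sample log."""
    return audit_wan_log(SAMPLE_LOG, ALLOWED_SOURCES, FORWARDED_PORTS)
```

Even in this small constructed sample, the oddball port 10001 is reached twice by unlisted sweeping sources, which is the point the post above makes: the source-IP restriction, not the port number, is what keeps the HMI and PLC from being reached.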
 
I got an e wo n cosy 131. My partner set up an account and we have tested it. It was pretty simple. We used eCatcher software to establish the VPN connection.

My customer will undoubtedly want to use his smartphone browser to access the Red Lion webserver feature. Can this be done? Is there an app for that?
 
Enable VNC functionality in the Redlion.
Write down user name and password you choose for Redlion, if any.

Log into ecatcher.
Highlight the **** in question.
Click the "properties" button.
Click on "Configure LAN Devices and Firewall"
Click "add LAN device"
Fill in name and IP of Redlion
Select "all protocols" bubble
Select "Visible in M2Web" check box
Select "VNC" from "using" drop down
Click OK button

Your Redlion is now configured for M2Web access.
Google M2Web, use the link to login using your ecatcher credential
You will see a link for your Redlion.
Click, enjoy.
 
