Router to separate networks

Engineer1

Hi All,
I have just installed a router to separate our control network and the business network, but there are some PLCs that still have to be accessed via the business network (due to location). My concern is that after installing the router and connecting to the business network (without any hassles), I started up the SCADA and checked comms from the PLCs on the business network and it was there!

But I tried pinging the SCADA PC from a PC on the business network and I could not. How is it possible that the PLC can just talk to the 192.168. network when it is on the 196.1. network, without telling the router that comms from that specific IP address is allowed?

I was under the impression that I would have to tell the router to allow certain IP addresses to send data to my network, but it seems I do not have to do that, but is it not a security threat?

Help, I am confused... This is a D-Link VPN 804HV router.
 
Engineer1 said:
Hi All,

I was under the impression that I would have to tell the router to allow certain IP addresses to send data to my network, but it seems I do not have to do that, but is it not a security threat?

It sounds like you want to RESTRICT certain IP addresses, that might be the key. You can do that with a router.
 
Does the PLC use any non-(UDP/IP)/(TCP/IP) Ethernet protocols?

The next question is based on things I have done, so don't take offense.

The router has a group of 4 ports and a group of 1 port on the back side.
Did you plug both networks into the group of 4? If yes then the router is acting as a hub connecting the two networks. You should not be able to ping across subnets (192.168 to 196.1). However, IPX traffic would be able to travel across the hub.
 
Engineer1 said:
how is it possible that the PLC can just talk to the 192.168. network when it is on the 196.1. network, without telling the router that comms from that specific IP address is allowed?
That’s what routers are designed to do. They route traffic from one network to another. The router will route your PLC traffic to your business network. In other words if your PLC wants to communicate with something on your business network, the PLC will communicate with the router, the router will communicate with the business network, and then the router will relay the data from the business network back to the PLC. Routers also block incoming traffic, unless you set it up to do otherwise.

If you could explain what your needs are then we can give you some direction on how to accomplish it.
 
Your router is a broadband router. It is usually default configured as a kind of one way pipe. That is why the SCADA computer can see the PLCs, but not vice versa. Like Tark said, it is doing what it is supposed to do.

Your router is aware of requests by the SCADA machine to the PLC, so it allows the replies through. Just like when you are on the internet. Only requested info (supposedly) gets through.

This sounds like how you would want it to be. More info would be good.
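
An added example, not part of the original thread and not the D-Link router's own logic: a toy Python model of the request tracking described above, showing why replies to SCADA-initiated requests pass while unsolicited traffic from the business network is dropped, with an optional allow-list of outside sources. The host addresses, ports and the `StatefulRouter` class are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts inside the two ranges named in the thread (assumptions).
SCADA, PLC, BUSINESS_PC = "192.168.1.10", "196.1.1.20", "196.1.1.30"
PLC_PORT = 502  # assumed PLC service port, for illustration only


class StatefulRouter:
    """Toy model: default-deny inbound, replies to tracked outbound flows allowed.

    Models state tracking only (no address translation); ICMP is not modelled.
    """

    def __init__(self, inside_net, allowed_outside_sources=()):
        self.inside = ipaddress.ip_network(inside_net)
        # Outside hosts explicitly permitted to initiate traffic inward.
        self.allow = {ipaddress.ip_address(a) for a in allowed_outside_sources}
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def forward(self, src, sport, dst, dport):
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src in self.inside and dst not in self.inside:
            # Inside host initiates: forward and remember the flow.
            self.flows.add((src, sport, dst, dport))
            return "forward: outbound"
        if dst in self.inside and src not in self.inside:
            if (dst, dport, src, sport) in self.flows:
                return "forward: reply to tracked flow"
            if src in self.allow:
                return "forward: allow-listed source"
            return "drop: unsolicited inbound"
        return "not routed"


def demo():
    """Replay the thread's scenario; returns the router's decision per packet."""
    r = StatefulRouter("192.168.0.0/16")
    return [
        r.forward(BUSINESS_PC, 40000, SCADA, 80),  # business PC probes SCADA
        r.forward(SCADA, 50000, PLC, PLC_PORT),    # SCADA polls the PLC
        r.forward(PLC, PLC_PORT, SCADA, 50000),    # PLC answers the poll
        r.forward(PLC, PLC_PORT, SCADA, 50001),    # PLC sends unrequested data
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Passing `allowed_outside_sources=[PLC]` to the constructor turns the last decision into a forward, which is the explicit per-address permission the original question expected to have to configure.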
 
Thanks guys, the idea is to separate the two networks (control network 192.168. and business network 196.1.).

I know that the router's function is to route data from one network to another network. I do not want to block certain IP addresses from communicating to the 192.168 network, I want to block all addresses and allow specific addresses.

Yes, the system is currently doing what I want it to do, I just wanted to understand how it does it. So far my understanding is that I can communicate to the PLCs on the different network because I have specified their addresses on the SCADA configuration and I therefore need not specify them on the router.
 
This may be totally irrelevant, but what the heh. The 196.1. range of addresses isn't part of the standard private address range. The ones I normally see are 010.000.000.000-010.255.255.255, 172.016.000.000-172.031.255.255 and 192.168.000.000-192.168.255.255. So maybe the router is treating it as an internet address rather than private.

Regards

Bryan
 
