PLC Networking / Remote Access

AndEdtec

I have searched the forum. It looks like some people are doing a similar thing but I still have some questions.

I have a number of PLCs, most don't have any network connections, but they are connected to HMIs that do. I'm using the built-in web servers in the HMIs to show some counters etc.

So I have my process network above, but I also have a business network with internet access. I would like to be able to see my HMIs from the business network but I don't want to expose them to the www.

My best idea is to use an old PC with two NICs together with TeamViewer.
Then I thought this could work remotely too which is great.

My main question is, is there no way of doing this with a VPN router?

Any thoughts or help appreciated.



Andy
 
Replace the **** with e w o n (no spaces). For some reason e w o n gets blocked by the spambots here
 
Yes, we have used the above solution a few times with decent success. The free account is usually good enough for most applications too. The only downside to that is depending on how you're using the HMI webserver. If it's simply text based reading tag values, it's perfect. But if you're trying to do a full HMI screen remote view, it can be extremely slow.

You also need to be careful of your IP address blocks. You'll want your control network to be on some obscure subnet that won't have a chance of conflicting with the subnet you're accessing from remotely. Eg. HMI is 192.168.1.20/255.255.255.0, you won't be able to connect in from a network on the same 192.168.1.X subnet.
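Added example, not part of the original post: a check for the subnet conflict described above, using the post's HMI address 192.168.1.20/255.255.255.0. The list of common remote LANs and the function names are assumptions made up for this illustration.

```python
import ipaddress

# Constructed list of subnets often left as router defaults on home/office LANs
# (an assumption for this example, not taken from the thread).
COMMON_REMOTE_LANS = ["192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
                      "10.0.0.0/24", "10.1.1.0/24", "172.16.0.0/24"]


def control_network(host_ip, netmask):
    """Network a device sits on, given its address and dotted netmask."""
    return ipaddress.ip_interface(f"{host_ip}/{netmask}").network


def conflicts(control_net, remote_lans):
    """Remote LANs whose range overlaps the control network.

    A client on such a LAN treats the HMI address as local, so the
    traffic never enters the tunnel. Wider supernets are caught too.
    """
    return [lan for lan in map(ipaddress.ip_network, remote_lans)
            if lan.overlaps(control_net)]


def pick_control_subnet(avoid, pool="10.0.0.0/8", prefix=24):
    """First /prefix subnet in the private pool overlapping nothing in avoid."""
    avoid_nets = [ipaddress.ip_network(a) for a in avoid]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not any(cand.overlaps(a) for a in avoid_nets):
            return cand
    return None  # pool exhausted: every candidate collides


if __name__ == "__main__":
    hmi_net = control_network("192.168.1.20", "255.255.255.0")
    for lan in conflicts(hmi_net, COMMON_REMOTE_LANS):
        print(f"{hmi_net} collides with remote LAN {lan}")
    print("candidate control subnet:",
          pick_control_subnet(COMMON_REMOTE_LANS, pool="10.0.0.0/16"))
```
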
 
A big +1 for eWοn products. We use the network connected and 3G/GSM variants of their "Cosy" product for remote connection around the world. There are no monthly/annual server fees, so the only thing you have to do is make sure there is an internet connection, or make sure the SIM (3G) has credit.
 
Again for the eWοn. Other facilities, depending on the model, they have an RS232/RS485 port that will connect to your PLC, so you can monitor all values within the PLC. You can program the eWοn to collect and display data.

The only downside was that you had to run software on a PC to connect to the eWοn, now there is the facility to use m2web. So you can use quite a few protocols so long as your device has a web browser, http, vnc, rdp.....
 
Thanks, I'm still not sure what to do.

I'm thinking of using something like this

Netgear FVS318G 8 Port ProSafe Gigabit VPN Firewall

Has anybody done it this way?
 
Tried that, got the T shirt. The problem is that you have to have a known public facing IP address that can then pass incoming VPN connections to the Netgear. In my case that meant trying to get SIMs with public facing IP addresses from companies around the world, not a happy prospect. If you are only doing a 1-off via a DSL connection it is do-able, but you will end up chasing your tail to get everything working, and again when something breaks. If you want a simple life, go with something like the eWοn. If you enjoy a challenge, like to learn a lot about VPN settings, like to spend a lot of time surfing the Net doing research, and headaches then go with the Netgear.

Attached is a Netgear 'how to'. I had to .zip the .pdf to get it within the board's size limit.
 
Thanks, I'm still not sure what to do.

I'm thinking of using something like this

Netgear FVS318G 8 Port ProSafe Gigabit VPN Firewall

Has anybody done it this way?

Well nothing wrong with this method but as my friend in post # 8 said if you are using this on machines deployed to customers and they don't want to provide a hard network connection you will find yourself looking for SIMs with public facing IPs that give you coverage in the area the equipment is deployed and could possibly be quite a challenge depending on your diversity of customers.

Using something like the e.w.o.n will remove this pain but it depends on needs. If you need a 24x 7 365 connection you really need a hard connection and a firewall with site to site VPN functions like Cisco, Tofino, etc.

e.w.o.n is more for a connect once in a while monitor and service connection but is not a firewall. It's fairly safe and secure because it's using man in the middle connections and outbound tunneling much like dial back modems in the analog days to keep things secure.

If you do use e.w.o.n I would ask you to make sure and enable the 2 factor authentication with backup device for the best security.

From your original post I get that you are maybe in a facility and just trying to get remote access to all your assets? If this is the case then neither of these methods are correct and it will be a very different discussion, which we can have if needed, but please clarify your needs first.
 
Yeah, for a log in every so often type of monitoring, an e.Won with a free account is perfect as you don't need any type of static public IP. If, however, you need 24/7 monitoring between multiple sites, we just deployed an eFive in conjunction with e.Wons. Stick the eFive at a central location (this one must have a static public IP) and then all the remote sites connect to it through their e.Wons which don't need a static public IP. All the machines will talk to each other through this setup, and you can still log in from a remote computer and see each device individually.

Downside with that approach is that it doesn't work with m2web, but it is OpenVPN standard so there are other clients available that may do what you want.
 
From your original post I get that you are maybe in a facility and just trying to get remote access to all your assets? If this is the case then neither of these methods are correct and it will be a very different discussion, which we can have if needed, but please clarify your needs first.

I'm trying to get data back to my business network.

I could just put them all on the same subnet as the office but I don't want to do that.


I need to access my HMIs from the office network and remotely.

I have seen a file on here by JesperMP describing a TeamViewer setup, maybe that would be better
 
Don't see any problem with a PC with two network cards to be honest. We have done this a few times before. One card on the industrial network and the other on the company LAN. Connect using the LogMeIn service with your phone, tablet or PC (or use alternatives like TeamViewer, ScreenConnect etc).
 
Get your IT people to route you through the router to the PLC gear? And from externally surely they can provide you with a secure VPN?
 
Hi Andy, you can easily achieve secure remote access using an e W O N hardware device with the Free T A L K 2 M service. Using two NICs is generally regarded as a legacy approach. Years ago, the industrial automation industry simply turned to IT solutions that were carried through to control systems. Luckily, this has since changed quite some time ago.

Let me know if you have any questions.

Disclosure: Yes, I work for e W O N however I came as an OEM, deploying many, many routers, devices and software applications for remote access and decided to finally join the best solution available.
 
