VPN connection to PLC in LAN

macgioo2

Hi guys,


I have a question: I want to create a VPN for remote access for maintenance to a PLC.

I have a designated broadband connection to the HMI (Windows XP) which has two network cards.

1 for WLAN and 1 for LAN.

The PLC is on the LAN obviously. I can access the PC WAN remotely, but how do I get from the PC WAN to the PC LAN to see the PLC?

Any help or guidance would be much appreciated
Thanks
 
Sounds like you're talking about a pass-through connection. To answer this question we would need the make and model of the PLC and the HMI.
 
Well, the PLC is AB Control Logix 1769 L35E and the HMI is FactoryTalk SE on a Windows XP machine.

The pc is 192.168.0.167 for LAN and 192.168.1.169 for WAN

The PLC is 192.168.0.159. I can get as far as 192.168.1.169 but I can't see anything after that.

If you need anything else please ask. I'm really stuck with this and I'm on-site with the customer and will be until it's fixed!!

Thanks
 
Your IP packets don't know where to go

Attached is an image that tries to illustrate some of your problem.

There is a programming PC that you connect by VPN through the internet to that HMI. The devices in between are firewalls and routers; those don't matter if the VPN connection is established and working.

What matters is that the HMI PC is in two subnets: 192.168.0.x for the factory network and 192.168.1.x for (I presume) the office network; it's the one that is used to go through to the internet.

Now when you ping 192.168.1.169, your programming PC sends a certain packet on the network, and then the device at IP address 192.168.1.169 answers with an ack message to the IP of the PC that sent the ping packet. All is well, as the device targeted with the ping knows where the sending machine is. So it can reply.

Now when you try to ping 192.168.0.159, the packet does not know where it should go, as the pinging machine has no idea where subnet 192.168.0.x is.

So what you need to do is set up routes. These must be placed at least on the HMI PC; the details depend a lot on the local application and the VPN in use. So I suggest, if you have an IT department, give them a call.
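
The routing problem described in the post above, modelled as an added example that is not part of the original thread: a hop-by-hop walk of the ping request and its reply, showing which missing piece (route on the programming PC, forwarding on the HMI, gateway on the PLC) stops the packet. The programming PC address, the /24 masks and all function names are assumptions; the other addresses are the ones quoted in the thread.

```python
import ipaddress

# Addresses quoted in the thread. Assumptions: /24 masks, and PROG, a constructed
# address for the programming PC as seen on the 192.168.1.x side of the VPN.
PROG, HMI_WAN, HMI_LAN, PLC = "192.168.1.50", "192.168.1.169", "192.168.0.167", "192.168.0.159"

class Host:
    def __init__(self, name, addrs, routes=(), forwarding=False):
        self.name, self.forwarding = name, forwarding
        self.addrs = [ipaddress.ip_interface(a) for a in addrs]
        self.routes = [(ipaddress.ip_network(n), gw) for n, gw in routes]

    def owns(self, ip):
        return any(str(a.ip) == ip for a in self.addrs)

    def next_hop(self, dst):
        """Longest-prefix match over connected subnets, then static routes."""
        d = ipaddress.ip_address(dst)
        found = [(a.network, dst) for a in self.addrs if d in a.network]
        found += [(net, gw) for net, gw in self.routes if d in net]
        return max(found, key=lambda f: f[0].prefixlen)[1] if found else None

def deliver(hosts, src, dst):
    """Walk one packet hop by hop; return (delivered, reason)."""
    here = next(h for h in hosts if h.owns(src))
    for _ in range(8):  # hop limit, guards against routing loops
        if here.owns(dst):
            return True, "delivered"
        if not here.owns(src) and not here.forwarding:
            return False, f"{here.name} drops it: IP forwarding disabled"
        hop = here.next_hop(dst)
        if hop is None:
            return False, f"{here.name} has no route to {dst}"
        here = next((h for h in hosts if h.owns(hop)), None)
        if here is None:
            return False, f"next hop {hop} is not on the wire"
    return False, "hop limit exceeded"

def ping(prog_route=False, hmi_forwarding=False, plc_gateway=False, dst=PLC):
    """Echo request from the programming PC to dst, then the echo reply back."""
    hosts = [
        Host("programming PC", [PROG + "/24"], [("192.168.0.0/24", HMI_WAN)] if prog_route else []),
        Host("HMI", [HMI_WAN + "/24", HMI_LAN + "/24"], forwarding=hmi_forwarding),
        Host("PLC", [PLC + "/24"], [("0.0.0.0/0", HMI_LAN)] if plc_gateway else []),
    ]
    ok, why = deliver(hosts, PROG, dst)
    if not ok:
        return False, "request: " + why
    ok, why = deliver(hosts, dst, PROG)
    return (True, "reply received") if ok else (False, "reply: " + why)
```

Once all three settings are in place, the HMI forwards for any host on 192.168.1.x that has the same route, so restricting what it forwards is part of the setup.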
 
How do you connect to the Windows XP PC remotely? Is there a router before the PC? What is the router IP address? All you need to do is to set the router IP address in the same range as the PLC and PC, e.g. 192.168.0.1. Then set the gateway address of the PC and the PLC as 192.168.0.1. You will find this in the same place as you set the IP address and the subnet mask. You do not need 2 network cards on the PC.
 
XP shares the same core as Server 2003. You can change a setting in the registry and enable routing services.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IPEnableRouter = 1 (the default is 0)
It's unsupported by MS but it works. You'll just need to set up the routes. A reboot will also be required. It's been quite some time since I've used it but it wasn't that hard to do.
 
Yes, I realize that the simple solution is to change the IP of the router so that all devices are in the same range, 192.168.0.xx.

However, the customer is adamant that he does not want the PLC on the internet.

I have no option but to jump from the WAN to the LAN.

I'm using NetSupport to connect to the router/PC from outside.

I don't even know how to route from WAN into LAN!

Is there a handy guide?
 
What you're looking for is IP forwarding. The service exists in XP, it's just not advertised. Googling "xp as a router" or "routing with xp" is one starting point for setting up. You can also look at the docs for Server 2003 regarding the routing service for more in-depth configurations.
 
I'm afraid not, advice I've been given tells me I'm just a few steps away from realizing the concept. But I lack the knowledge to execute.

Question: is it really a matter for this company? I own the ADSL connection.

I can connect to the router/PC from outside.

I own the PC and both NICs in it.

I own the PLC and local switches.

The bridge I'm trying to build is between the two network cards inside the PC.

As suggested before, is it not a local route inside the PC I'm trying to create!

Or am I missing the basic concept??
 
Why bother with two NICs?
I suppose you can bridge between them, but then you effectively have a single network again, so I fail to see the advantage.

Bob

I think he is trying to use the HMI PC as a jump box: http://techrepublic.com.com/5208-12849-0.html?forumID=102&threadID=325058&tag=content;leftCol

http://www.derkeiler.com/Newsgroups/comp.security.ssh/2008-07/msg00047.html

We used to have a couple of those setups here.

This http://www.****.biz/ is the best solution for a customer like this. Everything is already done. It is secure and you really do not need any help from the IT dept if the customer does not have one.
 
All Macgioo2 wants to do is communicate with another subnet utilizing existing hardware. He could also have taken any standard $40 DLink WAN/LAN router and tweaked it to do the same thing. If you're a Walmart diehard then don't bother, as their stuff is missing 20% of the features, that's why it cost 20% less, you got what you paid for. There's really no need to buy an expensive dongle to do what he already can do, more cost effectively. If he were to buy something that requires absolutely no intelligence to set up, what would he be implying about himself? What would he have learned, or gained?
Another option would be a multi-NIC PC set up headless with no mouse, monitor, or keyboard. Install the free HyperV core with a virtual 'nix variant (also free) config'd as a VLAN. Set the BIOS for auto-on after power failure and the virtual machine to auto-start on recovery.
The path you choose to go from point A to point B is based on your abilities and perception.
 
