You are not registered yet. Please click here to register!


 
 
plc storereviewsdownloads
This board is for PLC Related Q&A ONLY. Please DON'T use it for advertising, etc.
 
Try our online PLC Simulator- FREE.  Click here now to try it.

---------->>>>>Get FREE PLC Programming Tips

New Here? Please read this important info!!!


Go Back   PLCS.net - Interactive Q & A > PLCS.net - Interactive Q & A > LIVE PLC Questions And Answers

PLC training tools sale

Reply
 
Thread Tools Display Modes
Old December 6th, 2018, 11:20 AM   #1
damica1
Member
United States

damica1 is offline
 
Join Date: Aug 2015
Location: Illinois
Posts: 596
Programming Plc from the Internet behind a Router.

Just in case others may need or want this information.

So you have a Micro820 behind a router/firewall on the plant floor you need to reprogram with CCW from your house.

Here is the example:

Let's say the public IP of the router = 166.156.102.133

The LAN side of the router is 10.1.2.1 and the IP of PLC = 10.1.2.100.
You will have to port forward 44818 to 10.1.2.100.

Now in CCW add the "Ethernet Devices" driver (This driver allows CCW to see devices that are NOT on the same network)

Once this driver is added you will have to manually add the IP address of the device you want to communicate with (That will be the Public IP 166.156.102.133)

Now open up "setup connection path" and choose the new driver it will show the IP address you just added click on it so it is now in the BOX that holds the connection path. Then add a colon and 44818) this is the port number.

Click on connect and you will connect to PLC.

The AB-ETHIP driver will only communicate with device on the same network.

The AB-ETH driver will communicate will devices not on the same network.
__________________
David M. Camp

Marshall Electric / https://mei-tech.com/monitor-and-control

Please Download from our download section "Monitor and Control" .pdf.
  Reply With Quote
Old December 6th, 2018, 11:22 AM   #2
boneless
Lifetime Supporting Member + Moderator
United States

boneless is offline
 
Join Date: Feb 2008
Location: OKC
Posts: 1,474
This is great when in a pinch, but very dangerous. Any port-scanning script kiddy can now access your PLC.
  Reply With Quote
Old December 6th, 2018, 11:35 AM   #3
damica1
Member
United States

damica1 is offline
 
Join Date: Aug 2015
Location: Illinois
Posts: 596
Quote:
Originally Posted by boneless View Post
very dangerous. Any port-scanning script kiddy can now access your PLC.
I agree - should be used wisely!
__________________
David M. Camp

Marshall Electric / https://mei-tech.com/monitor-and-control

Please Download from our download section "Monitor and Control" .pdf.
  Reply With Quote
Old December 6th, 2018, 12:33 PM   #4
TL140
Lifetime Supporting Member
United States

TL140 is offline
 
Join Date: Jun 2014
Location: South Carolina
Posts: 131
Yeah, the best bet for this would be to speak with the IT department and create a VPN solution. Although we all know how that can go sometimes...

Logging into the VPN will allow you access to your company's network and should be a more secure option.

Port forwarding is generally frowned upon, but admittedly I've used it to because... well... it works.
__________________
"The best thing about a boolean is even if you are wrong, you are only off by a bit." -Anonymous

"A good programmer is someone who always looks both ways before crossing a one-way street." -Doug Linder
  Reply With Quote
Old December 6th, 2018, 02:37 PM   #5
sparkie
Lifetime Supporting Member
United States

sparkie is offline
 
Join Date: Nov 2014
Location: KS
Posts: 838
Quote:
Originally Posted by damica1 View Post
I agree - should be used wisely!
I'm going to go so far as to say that you should not use this at all, even temporarily.

The proper way to set this up is to use a VPN. VPN has a VPN specific subnet/address range. Then that VPN IP is forwarded to the subnet with your PLC device.

Example:

VPN IP pool: 10.1.7.xxx
PLC Address: 192.168.1.xxx

Port forward rule: 10.1.7.0 to 192.168.1.0

I can give hardware specific device if offered. I have a lot of experience and have had a ton of luck flashing wrt-based firmware onto any old router so that VPN functionality can be added to the hardware. I recently just realized that a wireless router I did this with for a friend of mine has been up for over 2 years.
  Reply With Quote
Old December 6th, 2018, 05:41 PM   #6
Ken Roach
Lifetime Supporting Member + Moderator
United States

Ken Roach is offline
 
Ken Roach's Avatar
 
Join Date: Apr 2002
Location: Seattle, WA
Posts: 14,295
There is a specialized search engine actively scanning worldwide looking for exactly this type of vulnerability; Shodan.io

It's worth the time and money to buy or build a VPN appliance or other VPN-based connection to get through any factory firewall.

The information about configuration of the Ethernet Devices driver is well-received, especially the part about specifying the TCP Port.

If you don't specify the TCP Port and have not connected previously to that specific PLC, then the Ethernet Devices driver will attempt to figure out if the PLC is a classic PLC5E/SLC-5/05 or a modern EtherNet/IP device. It tries to connect first to TCP Port 2222, and once it sees three connection refusals, then tries TCP Port 44818.

Somebody in the IT department cleverly called the three sequential connection refusals the "Judas Timeout".

I discovered once that some Cisco PIX firewalls consider multiple rapid connection attempts (with no intervening packets) to the same TCP Port number to be the signature of a cyber attack and will result in the firewall shutting down the port.

When you enter "192.16.1.180:44818" then the Ethernet Devices driver knows explicitly that the device uses EtherNet/IP and does not attempt to connect to TCP port 2222 first.
  Reply With Quote
Old December 6th, 2018, 05:56 PM   #7
lfe
Member
France

lfe is offline
 
Join Date: Jun 2007
Location: Barcelona
Posts: 309
Currently many companies have employees who work from home or from any place through a VPN.

You just have to tell the IT department of that plant that you are going to be one more.
__________________
Suppanel HMI
  Reply With Quote
Old December 6th, 2018, 06:15 PM   #8
James Mcquade
Member
United States

James Mcquade is offline
 
Join Date: Oct 2007
Location: Tennessee
Posts: 2,254
we purchased a login system that we route through into the plant.
we can then program / modify any plc / scada system.

if they are not on the network, we have maintenance connect their laptop and remote into it.

an open system like what you describe is too dangerous in my opinion.
you get a virus in the plant or get hijacked and your the one in serious trouble!

james
  Reply With Quote
Reply
Jump to Live PLC Question and Answer Forum

Bookmarks


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Topics
Thread Thread Starter Forum Replies Last Post
Festo PLC Programming Homam Al-Othman LIVE PLC Questions And Answers 5 April 10th, 2014 03:49 AM
Serial programming in TWIDO - Scneider PLC Nkiritsis LIVE PLC Questions And Answers 7 November 16th, 2012 09:53 AM
Access Mulitble PLC trough router eatualive LIVE PLC Questions And Answers 2 August 3rd, 2012 03:39 PM
Anyone experience with an internet connection to an S7-300 PLC with an CP343 lean mod Leonardo LIVE PLC Questions And Answers 0 January 8th, 2007 11:05 AM
PID control programming using PLC debojit LIVE PLC Questions And Answers 1 January 13th, 2006 02:33 AM


All times are GMT -5. The time now is 11:56 AM.


.