Produced and Consumed tags between 2 PLC's that are behind a NAT switch

Killercal

Ok, I've set up comms to PLCs that are behind a NAT switch before, but I have not had a PLC behind one NAT switch communicate with a second PLC behind a separate NAT switch.

Here is what I have:
PLC_A EN2T - 192.168.10.4
NAT_Switch_A LAN - 192.168.10.6 / WAN 10.50.10.100
PLC_B EN2T - 192.168.11.4
NAT_Switch_B LAN - 192.168.11.6 / WAN 10.50.10.200


PLC_A has an EN2T card in the second slot with an IP address of 192.168.10.4. This card is connected to the LAN port of NAT_switch_A. The WAN port of NAT_switch_A is connected to the WAN port of NAT_switch_B. The PLC_B has a EN2T card in the second slot with an IP address of 192.168.11.4 and is connected to the LAN port of NAT_switch_B.

Is it possible to have produced/consumed tags between the two PLCs with this setup?

I get that I need to set up masquerading to allow PLC_A to send packets from its 192.168.10.4 network to the WAN 10.50.10.4 network, but what would I do at NAT_switch_B to allow the connection to come through and go to PLC_B?

Thanks.
 
NAT is typically set up in a 1:1 fashion, one IP that a PLC addresses is translated to another in the NAT hardware. Nothing too involved and produce/consume does work.

If you are doing routing at layer 3 you will need to set up a route between subnets. Produce/Consume (and Class 1 connections generally) will also work across properly routed subnets.
 
NAT is typically set up in a 1:1 fashion, one IP that a PLC addresses is translated to another in the NAT hardware. Nothing too involved and produce/consume does work.

If you are doing routing at layer 3 you will need to set up a route between subnets. Produce/Consume (and Class 1 connections generally) will also work across properly routed subnets.

Yeah, that is where my lack of networking skills fail me. I'm watching some videos on this at the moment....Hopefully it will help. I will post my results when finished.

Thanks for the response.
 
1) It will almost certainly need to be configured for unicast, not broadcast.



2) Here is my attempt to explain NAT: https://github.com/drbitboy/nat


3) Are the NAT routers 1:1 or 1:many?

4) It's pretty easy to set up port forwarding for TCP port 44818 on the producer side, if that NAT router is 1:many.

5) I would assume there would also be a need to set up port forwarding for UDP port 2222 on the consumer side, if that NAT router is 1:many.


Then again, I've never done this, although I have done similar things (Modbus between PLCs behind separate 1:many routers).
 
This reminds me that I need to try setting up Produce/Consume between a controller and itself. I tried it once unsuccessfully, but this time around I’ve got 3 NICs with separate IPs onboard.
 
Ok, so I figured out a way to make this work.

Here is my setup:
I have 2 machines

Machine 1:
Phoenix Contact mGuard NAT
LAN side IP's:
NAT - 192.168.10.6
PLC - 192.168.10.4
WAN side IP's:
NAT - 10.50.10.100
PLC - 10.50.10.104 (Virtual IP)

Machine 2:
Phoenix Contact mGuard NAT
LAN side IP's:
NAT - 192.168.11.6
PLC - 192.168.11.4
WAN side IP's:
NAT - 10.50.10.200
PLC - 10.50.10.204 (Virtual IP)

I setup each NAT switch so I was able to connect to the PLC from the WAN side by adding a TCP connection in the firewall pointing to the PLC on the LAN side. I also made it so I could ping the PLC's. (not that important for what I'm looking to accomplish)

On the mGuard1, I set up a VPN tunnel to connect to the mGuard2. In the firewall of the VPN settings I allowed all communications from the LAN to the WAN and vice versa.

On the mGuard2 I set up a VPN tunnel to allow the connection from mGuard1, with the same firewall settings as the mGuard1.

Turned on the VPN and the PLCs could see each other.

If you need more info on how I set this up, let me know. I created a document on how to do this.

Thanks for all your help.
Scott
 
p.s. I tried to set up a regular 1:1 NAT and set up the firewall to allow TCP and UDP connections, but it would not let the PLCs see each other.
 
I have several questions.
Your comms are set up on VMs and NAT.
What is your host IP address?
Subnet?
Gateway?
Is this a private network or plant network?
James

Hey James,

There are no VMs in this setup. The manual for the NAT switch shows "REAL NETWORK" for the LAN side of the switch and a "VIRTUAL" network for the WAN side. Sorry for any confusion.

Since I'm not using a VM, there is no host IP.

My subnet for the WAN is 10.50.10.xxx

The gateway on the WAN side is set to 10.50.10.1.

My setup has one cable going from the mGuard NAT1 WAN port to the mGuard NAT2 WAN port. I don't believe there will be anything else connected on this network, so it is, in a sense, a private network (you may be thinking "why not just use the Ethernet port on the processor?" That is what I asked, but I was told that it wasn't designed that way).
 
Are you port forwarding?
example

the PLCs use 24555 for CIP communication
so you would need to port forward / Virtual server the port 24555 on the remote end to the internal IP address of the PLC

Example
remote side router
port forward TCP --> 24555 --> 192.168.50.11 (example PLC address)

on the other side that router would need the same
Port forward --> TCP --> 24555 --> 192.168.2.33 (example IP on other network)
 
That way, on the other side,
the WAN IP of 10.50.10.204
will allow communication directly to 192.168.50.11 as if it was on the local network for port 24555.


This needs to be done on both sides for the TCP and/or UDP ports that the PLCs use to communicate, so they can have 2-way communication.

If you only do it at the remote end, it will go in but never come back, as it will be blocked.


Also ensure that outgoing ports are open on each router.

Some routers block all but basic ports:
80,22,443,339 etc

So also open an outgoing port 24555 (example port only) on each side.
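Added example (not from the thread or from any vendor tool) that ties together drbitboy's checklist above (unicast only, TCP 44818 on the producer side, UDP 2222 on the consumer side, 1:1 vs 1:many NAT) and this post's point that forwarding must exist on both sides and outbound ports must be open. It models each NAT box as a small rule set and reports what is missing for a produce/consume link; the class and field names are constructed for the example, and the ports follow the EtherNet/IP convention named in the thread (the consumer sends the Forward_Open over TCP 44818, then Class 1 I/O runs on UDP 2222 in both directions).

```python
"""Check the NAT rules a Logix produce/consume link needs across two NAT boxes.

Constructed model for this thread, not a vendor tool. Caveat: a CIP Forward_Open
carries the consumer's own IP address inside the payload, which a plain 1:many
NAT does not rewrite, so a rule set that passes here can still fail unless the
NAT is 1:1 (or a VPN carries the traffic, as the original poster ended up doing).
"""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

CIP_TCP = 44818  # EtherNet/IP explicit messaging; consumer -> producer Forward_Open
IO_UDP = 2222    # Class 1 implicit I/O: produced data one way, heartbeat the other

@dataclass
class NatSide:
    name: str
    plc_lan_ip: str
    nat_type: str                                   # "1:1" or "1:many"
    forwards: Set[Tuple[str, int, str]] = field(default_factory=set)  # (proto, port, internal_ip)
    outbound_ports: Optional[Set[int]] = None       # None means all outbound traffic allowed

    def reaches_plc(self, proto: str, port: int) -> bool:
        # A 1:1 NAT maps every port of the virtual WAN IP to the PLC; 1:many needs an explicit rule.
        if self.nat_type == "1:1":
            return True
        return (proto, port, self.plc_lan_ip) in self.forwards

    def allows_out(self, port: int) -> bool:
        return self.outbound_ports is None or port in self.outbound_ports

def check_produce_consume(producer: NatSide, consumer: NatSide, multicast: bool = False) -> list:
    """Return the list of missing rules; an empty list means the configuration is complete."""
    problems = []
    if multicast:
        problems.append("connection must be unicast: multicast groups do not cross NAT")
    # Only the producer side must accept the TCP connection request; the consumer initiates it.
    if not producer.reaches_plc("tcp", CIP_TCP):
        problems.append(f"{producer.name}: inbound TCP {CIP_TCP} not forwarded to producer")
    if not consumer.allows_out(CIP_TCP):
        problems.append(f"{consumer.name}: outbound TCP {CIP_TCP} blocked")
    # UDP I/O flows both ways, so both sides need inbound forwarding and outbound permission.
    for side in (producer, consumer):
        if not side.reaches_plc("udp", IO_UDP):
            problems.append(f"{side.name}: inbound UDP {IO_UDP} not forwarded to PLC")
        if not side.allows_out(IO_UDP):
            problems.append(f"{side.name}: outbound UDP {IO_UDP} blocked")
    return problems
```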
 
Are you port forwarding?
example

the PLCs use 24555 for CIP communication
so you would need to port forward / Virtual server the port 24555 on the remote end to the internal IP address of the PLC

Example
remote side router
port forward TCP --> 24555 --> 192.168.50.11 (example PLC address)

on the other side that router would need the same
Port forward --> TCP --> 24555 --> 192.168.2.33 (example IP on other network)

Yes, I do have port forwarding set up on both NAT switches. I first allowed all IP addresses and all ports, and that worked. My setup is strictly for these 2 PLCs to communicate; nothing else is on the network, or will ever be on this network.

Thanks,

Scott
 