Slightly OT: Why can't RSLinx do this ?

Ken Roach

I have been tinkering with a little DIY remote access stuff lately, prompted by some recommendations and challenges on this forum.

To my surprise, I discovered that it is trivial to install the open-source network scanner NMAP on a computer running OpenWRT, a Linux distribution specifically for small router applications.

One of the things I haven't figured out how to do with OpenWRT is what the RSLinx Classic Help file refers to as "enable a directed broadcast", which would enable the EtherNet/IP driver to magically discover devices on the "private" side of the router with a broadcast CIP List Identity command.

But I found that with minimal command-line syntax memorization, NMAP does a fine job of discovering the A-B controllers on the network, at least the ones that are logically on the same subnet.

nmap 192.168.1.0/24 -p 80,2222,44818

That command returns, in a matter of just a few seconds, the IP addresses of every Rockwell Automation device on the network.

Rhetorically: if nmap can do this that fast, why does RSLinx Classic not have a similar feature to TCP-scan a subnet ?

Anyhow: if you find yourself without RSLinx someday, and need to find the Rockwell nodes on a network, consider making NMAP part of your toolkit.


Code:
Connecting to [email protected]...
[email protected]'s password: 

BusyBox v1.33.2 (2022-02-16 20:29:10 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 21.02.2, r16495-bf0c965af0
 -----------------------------------------------------
root@OpenWrt:~# nmap 192.168.1.0/24 -p 80,2222,44818
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-14 03:52 UTC
Nmap scan report for 192.168.1.101
Host is up (0.0016s latency).

PORT      STATE  SERVICE
80/tcp    open   http
2222/tcp  closed EtherNetIP-1
44818/tcp open   EtherNetIP-2
MAC Address: 00:00:BC:3A:91:23 (Rockwell Automation)

Nmap scan report for 192.168.1.103
Host is up (0.00088s latency).

PORT      STATE  SERVICE
80/tcp    open   http
2222/tcp  closed EtherNetIP-1
44818/tcp open   EtherNetIP-2
MAC Address: 00:00:BC:22:C1:92 (Rockwell Automation)

Nmap scan report for 192.168.1.106
Host is up (0.0019s latency).

PORT      STATE  SERVICE
80/tcp    open   http
2222/tcp  closed EtherNetIP-1
44818/tcp open   EtherNetIP-2
MAC Address: 00:00:BC:33:A8:09 (Rockwell Automation)

Nmap scan report for 192.168.1.131
Host is up (0.012s latency).

PORT      STATE SERVICE
80/tcp    open  http
2222/tcp  open  EtherNetIP-1
44818/tcp open  EtherNetIP-2
MAC Address: 00:00:BC:30:2F:7A (Rockwell Automation)

Nmap scan report for OpenWrt.lan (192.168.1.250)
Host is up (0.00021s latency).

PORT      STATE  SERVICE
80/tcp    open   http
2222/tcp  closed EtherNetIP-1
44818/tcp closed EtherNetIP-2

Nmap done: 256 IP addresses (5 hosts up) scanned in 3.33 seconds
root@OpenWrt:~#
This is right up my alley, thanks for posting. There are instances where I thought FactoryTalk Linx was better at this discovery process than RSLinx. Now I need to do my homework to see if this is true or not.
 
The directed broadcast works out of the box - so long as the router(s) along the path are configured to support the feature (i.e. UDP relays, relay agents, etc).

Your instance of nmap (on host 192.168.1.250) is performing the broadcast on its local subnet (192.168.1.0/24) using standard TCP/IP, so it differs from RSLinx:
- An RSLinx host is a soft CIP device. As such, ARP probing is baked into the EtherNet/IP driver.
- Linx produces instances of the Identity, TCP/IP Interface, and Ethernet Link objects to reflect the local machine and behaves like any other CIP device on the network.
- Once the RSLinx ARP probe (EtherNet/IP-spec'd discovery feature) is returned, RSLinx queries hosts for their CIP identity, rather than relying on nmap's "simpler" IP/port check to filter out and list CIP devices.

However they are alike in that both will fail at directed broadcasts if the router chain doesn't support them.
The challenge, of course, is to have a router that supports directed broadcasts and knowing how to enable the feature. I haven't found a way to do it in OpenWRT yet but I'm eager to learn !

A note on why I use the -p option to specify those three ports:

TCP Port 80 is good old non-secured HTTP. Most A-B devices have a simple diagnostic webserver enabled, so examining Port 80 tells you if it's turned on.

TCP Port 2222 is the legacy A-B Client-Server Protocol (CSPv4). 20+ year old PLC-5, SLC-5/05, and Pyramid Integrator devices will support only that protocol, while more modern PLC-5E and SLC-5/05 will support both CSPv4 and CIP.

TCP Port 44818 is EtherNet/IP's messaging port. Any device that accepts incoming connections on TCP Port 44818 has a running EtherNet/IP stack and will reply to a List Identity command.

My goal is to be able to drop a Raspberry Pi into a workcell without needing to reconfigure anything else, and get secure remote access over the Internet.

Yes, I know there are commercial products that do this sort of thing.
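Added example (not from the thread): a small parser that turns nmap's normal report output into an inventory of the Rockwell nodes and labels each one using the port meanings given above (2222 = legacy CSPv4, 44818 = EtherNet/IP, 80 = diagnostic web server). The sample input is constructed from two hosts copied out of the scan posted earlier.

```python
import re

# Constructed sample: two hosts copied from the nmap report posted in the thread.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.1.131
Host is up (0.012s latency).

PORT      STATE SERVICE
80/tcp    open  http
2222/tcp  open  EtherNetIP-1
44818/tcp open  EtherNetIP-2
MAC Address: 00:00:BC:30:2F:7A (Rockwell Automation)

Nmap scan report for OpenWrt.lan (192.168.1.250)
Host is up (0.00021s latency).

PORT      STATE  SERVICE
80/tcp    open   http
2222/tcp  closed EtherNetIP-1
44818/tcp closed EtherNetIP-2
"""

HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?$")
PORT_RE = re.compile(r"^(\d+)/tcp\s+(\w+)\s+")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \((.*)\)$")

# Port meanings as given in the post: 2222 = legacy CSPv4, 44818 = EtherNet/IP, 80 = diag web.
PORT_LABELS = {2222: "CSPv4", 44818: "EtherNet/IP", 80: "diag web"}

def parse_nmap(text):
    """Map each scanned IP to its set of open TCP ports and its MAC vendor string (or None)."""
    hosts, cur = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            cur = hosts.setdefault(m.group(1), {"open": set(), "vendor": None})
        elif cur is not None and (m := PORT_RE.match(line)) and m.group(2) == "open":
            cur["open"].add(int(m.group(1)))
        elif cur is not None and (m := MAC_RE.match(line)):
            cur["vendor"] = m.group(2)
    return hosts

def classify(open_ports):
    """Describe which of the three protocols a host exposes, e.g. 'CSPv4 + EtherNet/IP'."""
    tags = [name for port, name in PORT_LABELS.items() if port in open_ports]
    return " + ".join(tags) or "none of the three"

def rockwell_inventory(text):
    """Keep only hosts whose MAC OUI nmap attributed to Rockwell Automation."""
    return {ip: classify(h["open"]) for ip, h in parse_nmap(text).items()
            if h["vendor"] == "Rockwell Automation"}
```

nmap only prints a MAC Address line for hosts on the scanner's own Ethernet segment, so across a router the vendor filter will match nothing and you would key on an open 44818 instead.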
 
I use pfSense regularly, so I'm also eager to try this Linx feature out (finally).

That said, the RPi would have to be able to build a tunnel between an external network and act as the router on the plant's local subnet. So site-to-site VPN. And its internal router would need to support the directed broadcast.