Communicating with PLC through NAT

wllewis84

Hello again all,

This is sort of a follow-up to my last question a few months ago.
Here is my situation:

I have a LAN with an IP scheme of 192.168.127.xxx.

I have a small PLC network with a scheme of 10.56.1.xxx (Compactlogix & PointIO)

I have a Moxa NAT-102 device which I am hoping to use to make this exchange. I am building a SCADA system that needs to live on the LAN, but view tags on the PLC network.

I can configure the NAT ports to match their respective networks (internal=PLC network=10.56.1.200, external=LAN=192.168.127.250).

I can ping and communicate with the NAT easily. But I have no idea how to get RSLinx to talk through the NAT and view the PLC IPs on the network. For that matter, I can't even ping them through the NAT.
The Moxa dashboard shows that I have the two NAT ports assigned and that they are both active. When I unplug the PLC network from the NAT, the dashboard responds accordingly.

Any thoughts on how to communicate and/or ping the PLCs through the NAT? I'm at a loss here....

Thanks in advance, this forum has been a fantastic resource thus far.

Cheers!
 
Have you set up the routing table in the NAT device?

Also make sure you set the gateway address on the PLC to the NAT device's address (same with any other devices that need to communicate with the outside network).
 
I set up the routing table (correctly I hope), but have not yet set the gateway address on the PLC. I will check this.
Thanks!
 
Why would you want the whole SCADA in the Corporate (IT) Lan and PLC in a separate LAN?

The easiest way would be to dual host the Scada Server (2 NIC cards), one to the PLC LAN and one to the Corporate LAN. Then you only have to open the ports on the Scada server firewall specifically for the Scada Clients. This is usually documented. To make it really secure you could put a firewall between the Corporate LAN and the Scada Server instead of using the server's SW firewall.

Ideally, though, the Scada Clients should not even be near the IT network; OT and IT should rarely mix, as IT usually muck everything up.
 
In general, NAT devices are a simplified router. They can have lots of other features, but the most common one is called "1 to 1 NAT", which represents the actual IP addresses of devices on the "private/internal" side as though they were different addresses on the "public/external" side.

We are mis-using the terms public and private a little here: both of those are "private IP subnets", rather than "public" Internet addresses. They're just different classes of subnet. I'm trying to get across the idea of the "internal" PLC LAN and the "external" enterprise LAN. To twist our heads a little more, wllewis84 has a more common corporate network address range (10.x.y.z) on the "internal" network and more common small network range (192.168.y.z) on the "external" network. But the IP addresses themselves should be just fine: they're two different IP ranges, on two physically different Ethernet LANs.

1-to-1 NAT is pretty well described on page 8-8 of the user manual for the Moxa NAT-102.

If these are your IP addresses on the internal PLC network:

10.56.1.10 CompactLogix
10.56.1.11 POINT Adapter
10.56.1.12 PanelView Plus

The NAT device represents those on the external network as a different IP address:

192.168.172.10 CompactLogix
192.168.172.11 POINT Adapter
192.168.172.12 PanelView Plus


It is typical when you're using Class C networks (only the final octet differs) for that "host number" to be the same on the external and internal sides.

That's just one of the common ways that NAT devices are used. They can also be used as more ordinary routers, or as part of a VLAN.

The "default gateway" setting on a PLC or other embedded device is often the first hurdle in getting remote access to it. If the Moxa is your only remote access to the workcell, then its PLC-side administrative IP address (you mentioned 10.56.1.200) should probably be what you configure the CompactLogix and POINT Adapter and other devices for in their "default gateway" field. Remember that is changed using RSLinx, not in the user program like it is with PLC-5/SLC-500/MicroLogix, and requires a power cycle or reset to take effect.

I'm not actually sure that is necessary, because a 1-to-1 NAT router might masquerade as a true private-side IP address, rather than presenting the actual your-PC-out-on-the-wider-enterprise-network as the source IP address.

PING is a bit of a crude instrument for troubleshooting this sort of system. You *shouldn't* be able to PING the 10.1.72.x addresses of the automation devices from outside the workcell, because they aren't exposed to that network.

I don't know if this MOXA device will properly handle the broadcast packets used by the RSLinx EtherNet/IP driver, so I would recommend trying the ordinary Ethernet Devices driver first.

And take a little time this morning to read up on the Windows PowerShell feature "Test-NetConnection" or "tnc". When I'm testing connectivity to a ControlLogix, I use "tnc [Logix IP address] -Port 44818" to make sure TCP connections are possible on TCP Port 44818 (EtherNet/IP).

When troubleshooting routers and control devices, I use TNC, and web browsers, and other tools to verify the basic TCP/IP connectivity before I start trying to use RSLinx.

Be sure to post back with your results !
 
Thanks for the answers, everyone. I really appreciate the help.
I'm still spinning my wheels though. I'm sure these questions seem asinine, but I'm pretty new to networking.
I have dumbed down the system to a single PLC, a NAT, and my PC.

At the risk of repeating myself and inducing ridicule, here is how I have set up my system:

1. PLC IP is 10.56.1.200 (see controller properties attachment)

2. I configured the NAT to have an internal port of 10.56.1.201 and an external port of 192.168.127.254. The external schema is the same as my PC (see network config attachment).

3. I configured the NAT settings to be 1-1, with the translated port of 10.56.1.200 and a destination port of 192.168.127.200 (see NAT settings attachment).

I have tried contacting Moxa tech support to no avail. Apparently a purchase of an $800 NAT is not enough to get their attention (big company, I get it).

With the above settings, I can use a browser window to configure the NAT, but am still unable to see the translated IP of 192.168.127.200. Let alone in Linx.
Thanks again for all the help. This site is an amazing resource.

I'm going to be pulled in other directions for the rest of the day, but I will check in and (again) follow all the mentioned tips this evening.

controller properties.PNG network config.PNG nat setting.PNG
 
>The "default gateway" setting on a PLC or other embedded device is often the first hurdle in getting remote access to it. If the Moxa is your only remote access to the workcell, then its PLC-side administrative IP address (you mentioned 10.56.1.200) should probably be what you configure the CompactLogix and POINT Adapter and other devices for in their "default gateway" field. Remember that is changed using RSLinx, not in the user program like it is with PLC-5/SLC-500/MicroLogix, and requires a power cycle or reset to take effect.

This ^^^^

(Though gateway needs to be 10.56.1.201, not 1.1, if the PLC is 1.200 per the screenshot)
 
Thanks for the details !

This sort of discussion is often very educational, and I appreciate your willingness to go through all the basics.

>I can use a browser window to configure the NAT

Excellent. Which side do you connect to (i.e. which IP address do you put in the browser address field) ?

One thing I would try is changing the Default Gateway address for the PLC from 10.56.1.1 to 10.56.1.201 (the internal-side address of the NAT-102). It may require a power cycle to take effect.
 
Ken & Mispeld; I changed the PLC gateway address from 10.56.1.1 to 10.56.1.201. No luck though, even after a power cycle. When using the browser to access the NAT configuration page, I use the external port and the IP of 192.168.127.254.
Thanks again for all the responses. I'm really beating my head against the wall here...
 
Also, not sure if this was mentioned. RSLinx's Ethernet/IP driver would likely not work for anything that goes through a router or NAT device. Use Ethernet Device driver and manually put in the IP address.

If your RSLinx is on the "outside" then the device IP address you enter in RSLinx Ethernet Device driver should be in the "192.168.127.xxx" subnet.
 
Disclaimer: I am unfamiliar with the MOXA device, with NAT experience limited to the A-B/RA products. In that context the configuration looks good. The one thing I see is no entries under the "Protocol" and "Incoming Interface" columns on the NAT settings. Is it possible to set them to "Any" or "All" like some of the other settings. This is admittedly a stretch.
 
Hi all,
Finally got it sorted out thanks to the good advice found here.
As was mentioned several times, I needed to change my PLC gateway address.
But the final piece of the puzzle was to add a secondary IP address. I thought that by using the NAT setup function within the wizard, this was being done. But I was incorrect.
I had to manually go into the layer 3 interface and add a secondary IP address. I simply selected the internal port (PLC 10.56.1.200) and added a second IP (192.168.127.200). This fixed the issue and I am off to the races! Linx even shows both IPs in the tree!
Thanks again to all who answered. I can't overstate how much I appreciate it!
Cheers!

linx.PNG
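
The addressing checks discussed in this thread, collected as an added example that is not part of any poster's message or of Moxa's or Rockwell's tooling: a 1-to-1 NAT mapping that keeps the host number, a consistency check of the PLC gateway and translated address, and a TCP connect test on port 44818. The /24 masks, the PC address 192.168.127.50 and all function names are assumptions made for illustration.

```python
import ipaddress
import socket

ENIP_TCP_PORT = 44818  # EtherNet/IP TCP port, as named in the thread


def one_to_one_map(internal_hosts, external_net):
    """Map each internal host into the external subnet, keeping the host number."""
    ext = ipaddress.ip_network(external_net)
    mapping = {}
    for host in internal_hosts:
        host_bits = int(ipaddress.ip_address(host)) & int(ext.hostmask)
        mapping[host] = str(ext.network_address + host_bits)
    return mapping


def check_plan(plc_ip, plc_gateway, nat_internal_ip, translated_ip, pc_ip, prefix=24):
    """Return a list of problems in the addressing plan (empty list = consistent)."""
    problems = []
    plc_net = ipaddress.ip_interface(f"{plc_ip}/{prefix}").network
    pc_net = ipaddress.ip_interface(f"{pc_ip}/{prefix}").network
    if ipaddress.ip_address(nat_internal_ip) not in plc_net:
        problems.append("NAT internal interface is not on the PLC subnet")
    if plc_gateway != nat_internal_ip:
        problems.append(f"PLC gateway {plc_gateway} is not the NAT internal address {nat_internal_ip}")
    if ipaddress.ip_address(translated_ip) not in pc_net:
        problems.append("translated address is not on the PC's subnet")
    return problems


def tcp_reachable(host, port=ENIP_TCP_PORT, timeout=2.0):
    """TCP connect test: the same question Test-NetConnection answers for a port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Addresses from the thread; PC address and /24 masks are assumed.
    print(one_to_one_map(["10.56.1.10", "10.56.1.11", "10.56.1.12"], "192.168.127.0/24"))
    print(check_plan("10.56.1.200", "10.56.1.1", "10.56.1.201", "192.168.127.200", "192.168.127.50"))
    print(tcp_reachable("192.168.127.200"))
```

Run from the PC on the LAN side, `tcp_reachable` should only return True once the NAT actually answers for the translated address.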