Can i connect to my CompactLogix PLC over internet?

thehoneybadger

Member
T
Join Date
Jul 2021
Location
perth
Posts
185
Hey all,
This question is identical to questions that have been asked by many many others before me. I am not happy with the answers i found over the internet, so i figure i might just ask this question again and hopefully find a more fulfilling answer.

I have a Compactlogix L32E at home that i program using RSLogix 5000 on my Windows 7 PC over LAN using RSLinx as a bridge. My PLC is connected to my LAN Router with an ethernet cable.

To make programming changes, or monitor the process, i open RSLinx and RSLogix5000, establish a link, then i go ahead and make changes or monitor. I do not open a webpage to do this. No VPN. I can do this over WiFi.

So the question i have is: Can i perform this same task over WAN. Say if i am on holiday in another country?

The most common answer to this question is to set up a local computer with RSlinx and RSLogix5000 installed in the computer and control the local computer using a remote computer through a VPN or Windows RDC.

This answer does not seem satisfactory to me seeing as i do not need to open a web page at home in order to program or monitor my PLC. I have my local LAN address; 192.168.1.123. My PLC is on the same network with an address of 192.168.1.124. We establish a link via the modem with an IP address of 192.168.1.1.

So if i have my WAN address, eg. 123.123.123.101, can i use this some how to communicate with my PLC the exact same as i would if i were at home? It only makes sense to me that i can...

Thanks all,
Ryan
 
Many routers have VPN ability built into them, what is the model of your router?

Well, I wouldn't recommend this but you could forward port 44818 in your router to your PLC's IP address, then connect to via the public address. This is one reason you don't want to do that:

https://www.shodan.io/search?query=rockwell

If your router doesn't have VPN ability, you could buy a raspberry pi and setup OpenVPN. I have it setup using the original raspberry pi 1, so you don't need much horsepower to do it.

https://www.ovpn.com/en/guides/raspberry-pi-raspbian
 
Hi DM. Thank you for your reply. I have an Asus DSL-AC68U router and it has a built in VPN functionality.

This said, i believe your answer regarding the port forwarding of 44818 is more inline with what i am looking for.

Regarding the risks around using this port, i do not imagine there would be too many risks around a hacker accessing my PLC. Call me naive, but even if they found the open port, how could they communicate with the PLC without RSLinx and RSLogix? Two programs that are difficult to acquire, let alone learn. Do i sound too naive...? I would appreciate constructive input around the security aspect of using this port as i would rather my network remain not hacked if possible.
 
I would definitely go through the trouble of setting up the VPN. Expose as little to the public internet as possible. I wouldn't be as worried about your PLC, more of your network in general.

The nice thing about VPN is you connect and it's as if you are at home on your network.

You may find that simply forwarding the port will be fine, but you'd hate to find out that it wasn't. Especially when your router has the exact tool for the job.
 
Last edited:
Many open source libraries can read and write tags in a CompactLogix. Let alone the hacker can theoretically flash the firmware of the PLC to a bogus one and take control of your network, even after you download a new program.
 
I assure you that espionage agencies and hackers have no trouble acquiring and and understanding Studio 5000. The CompactLogix L32E notably only got a signed firmware security feature in its very last version.

I made a mistake last week at work where I connected a control cabinet with a CompactLogix and a PC directly to an undefended Internet port that otherwise serves a quality VPN/firewall box.

Not only did I cut off a remote development team from their computers for a few hours, I exposed that CompactLogix and PC directly to the Internet. There were a dozen computers in China connected to my CompactLogix when I discovered the mistake and pulled the plug.

My atonement was a cold reinstall of Windows 10 onto the PC, then a careful USB reinstall of firmware to the CompactLogix and then the Kinetix servo drives.

Conversely, at home I have a MikroTik Routerbox with VPN built into it. It shows up in my available networks on Windows 10 and I just select "connect", and I'm connected to home via an encrypted safe channel, and can connect to the ship's computer, or the ControlLogix test bench, or my home printer. I've done it from 15 miles away and from 3000 miles.

Even for a test bench, even temporarily, a VPN connection is the minimum safe way to access anything remotely.
 
dmroeder said:
...a raspberry pi and setup OpenVPN. I have it setup using the original raspberry pi 1, so you don't need much horsepower to do it.

https://www.ovpn.com/en/guides/raspberry-pi-raspbian
Click to expand...


Hey @dmroeder, I looked this up, but did not find much explanation, I suspect because most people will follow scripts/procedures to set it up, and not want to understand it.

Say I wanted to do this for a PLC

  • on my home-office LAN (192.168.1.0/24),
    • which is behind my bog-standard router (WAN = 74.69.96.0/21),
      • which is in turn behind the cable modem of Spectrum, my ISP here in Rochester, NY.
    • So when I connect to https://www.whatismyip.com/, without a VPN, it tells me my IP address is 74.69.X.Y on 74.69.96.0/21 i.e. X is between 96 and 127.
    • Also, my router does not have a VPN server built-in.
  • And I want my brother in Fayetteville, GA,
    • in his home office behind his router and cable modem,
    • to be able to connect to my test-bench stable of PLCs on my LAN in Rochester.
So, a few questions:

  • The PLC does not know about the VPN e.g. it cannot rung some form of OpenVPN; is that right?
  • Does the Rpi then essentially become the router "to the VPN" for the PLC, or any other machine that cannot run OpenVPN itself?
    • Even though the Rpi itself uses an address on 192.168.1.0/24 and its default router is my router behind the cable mode?
      • Assume the VPN is e.g. 172.16.16.0/24
      • I am a little fuzzy here; I assume
        • The one Rpi ethernet interface would have two IP addresses,
          • one on 192.168.1.0/24 to get to the "cloud",
          • and one on 172.16.16.0/24 to pick up and tunnel traffic from the PLC?
        • And the PLC has an IP address on 172.16.16.0/23, and it's gateway is the Rpi's IP address on 172.16.16.0/24?
    • So anything could be that router instead of the Rpi e.g. one of my old HP laptops with a failed screen, running linux and OpenVPN?
  • And the VPN server could be anywhere "in the cloud?"
    • E.g. a commercial VPN provider like OVPN.com?
    • Or my DigitalOcean testbed, e.g. drbitb.oy?
  • And the Rpi on my LAN is running OpenVPN to connect to the VPN server
    • Tunneling 172.16.16.0/24 through 192.168.1.0/24 and 74.69.96.0/21?
  • And my brother's Windows laptop running RSLogix/Studio/TIA/CCW/whatever is running OpenVPN to connect to that same VPN server, using 172.16.16.0/24 tunneled through his router and cable modem??
Is that how it is all set up?


Or is the Rpi the VPN server any port1194/UDP is forwarded to the router?
 
Hi,
It is indeed possible to connect to your PLC over WAN. My company uses switches that come with their own VPN or so (I'm not really knowledgeable on the way it works). From my desk, I can connect to any of our machines around the world and modify programs through RSLogix 5000.
 
Ken Roach said:
Not only did I cut off a remote development team from their computers for a few hours, I exposed that CompactLogix and PC directly to the Internet. There were a dozen computers in China connected to my CompactLogix when I discovered the mistake and pulled the plug.
Click to expand...
This is scary...
 
geniusintraining said:
Its a big business, I sell a lot of PLC trainers to companies trying to hack into them and show either what they can do or protect, people are looking for holes that they can exploit
Click to expand...
Sounds like kind of Martin Bishop's job (Robert Redford) in the movie Sneakers, updated to the Internet era.
 
drbitboy said:
Hey @dmroeder, I looked this up, but did not find much explanation, I suspect because most people will follow scripts/procedures to set it up, and not want to understand it.

Say I wanted to do this for a PLC

  • on my home-office LAN (192.168.1.0/24),
    • which is behind my bog-standard router (WAN = 74.69.96.0/21),
      • which is in turn behind the cable modem of Spectrum, my ISP here in Rochester, NY.
    • So when I connect to https://www.whatismyip.com/, without a VPN, it tells me my IP address is 74.69.X.Y on 74.69.96.0/21 i.e. X is between 96 and 127.
    • Also, my router does not have a VPN server built-in.
  • And I want my brother in Fayetteville, GA,
    • in his home office behind his router and cable modem,
    • to be able to connect to my test-bench stable of PLCs on my LAN in Rochester.
So, a few questions:

  • The PLC does not know about the VPN e.g. it cannot rung some form of OpenVPN; is that right?
  • Does the Rpi then essentially become the router "to the VPN" for the PLC, or any other machine that cannot run OpenVPN itself?
    • Even though the Rpi itself uses an address on 192.168.1.0/24 and its default router is my router behind the cable mode?
      • Assume the VPN is e.g. 172.16.16.0/24
      • I am a little fuzzy here; I assume
        • The one Rpi ethernet interface would have two IP addresses,
          • one on 192.168.1.0/24 to get to the "cloud",
          • and one on 172.16.16.0/24 to pick up and tunnel traffic from the PLC?
        • And the PLC has an IP address on 172.16.16.0/23, and it's gateway is the Rpi's IP address on 172.16.16.0/24?
    • So anything could be that router instead of the Rpi e.g. one of my old HP laptops with a failed screen, running linux and OpenVPN?
  • And the VPN server could be anywhere "in the cloud?"
    • E.g. a commercial VPN provider like OVPN.com?
    • Or my DigitalOcean testbed, e.g. drbitb.oy?
  • And the Rpi on my LAN is running OpenVPN to connect to the VPN server
    • Tunneling 172.16.16.0/24 through 192.168.1.0/24 and 74.69.96.0/21?
  • And my brother's Windows laptop running RSLogix/Studio/TIA/CCW/whatever is running OpenVPN to connect to that same VPN server, using 172.16.16.0/24 tunneled through his router and cable modem??
Is that how it is all set up?


Or is the Rpi the VPN server any port1194/UDP is forwarded to the router?
Click to expand...

I think you fundamentally misunderstand the VPN. It is literally a virtual private network. Once you are logged in, it is as if you are connected to the network over ethernet. The PLC does not need to know anything about the VPN, only your laptop, the VPN hardware, and your Router/Modem need to know anything about it.

A VPN cannot be "in the cloud" (I hate that term it is so incorrect)
whatever hardware running your VPN software must be on the network behind your router/firewall. It will open a port that allows your computer to be on the "home network" but only with proper credentials (username/password) In theory the only port changes you will have to make will be in your router to allow the VPN to access the internet. Conversely you have the option to DMZ the VPN hardware so it is fully open to the internet but still cannot be accessed without the proper credentials.

Anybody disagree? I typed this in sessions.
 
ArcReactorKC said:
I think you fundamentally misunderstand the VPN. It is literally a virtual private network. Once you are logged in, it is as if you are connected to the network over ethernet. The PLC does not need to know anything about the VPN, only your laptop, the VPN hardware, and your Router/Modem need to know anything about it.
Click to expand...

d'Oh! Of course, I was trying to draw an analogy to NAT, which does not work. Thanks

ArcReactorKC said:
A VPN cannot be "in the cloud" (I hate that term it is so incorrect)
Click to expand...

Well, whatever we call it, there are some VPN-oriented services out "there," e.g. https://www.ovpn.com/, and if the VPN path is using them then the VPN goes through "it".

ArcReactorKC said:
whatever hardware running your VPN software must be on the network behind your router/firewall.
Click to expand...

Ah, thanks, this is what I was looking for. How to connect to that hardware, from outside, i.e. from the WAN side of my home-office router, is the part I wanted to understand e.g. port forwarding would be one way, but there are also those VPN services, that avoid the need to port-forward. It all depends on the reason for the VPN.
 

Similar Topics

L
Connect SLC 5/04 to CompactLogix
We currently have a system with a PLC5, SLC 5/04, and a panelview standard. They are all currently talking DH+. We are upgrading the PLC5 to...
Replies
8
Views
4,525
geniusintraining
geniusintraining
C
Connect wireless laptop to a Compactlogix network
I have a very simple wired network using a L32E processor, panelview plus, HP switch and my laptop. I would like advice on what hardware is needed...
Replies
3
Views
2,392
jacoffey85
J
D
Connect a 1794-AENT to a compactLogix, error 16#0203
Hi everyone! I am trying to connect a Flex I/O with one 1794-OW8 to it to a CompactLogix 1769-L24ER via Ethernet. It all went well except that...
Replies
1
Views
2,613
cuongvcs
C
K
How to Connect Panelview to Compactlogix
Hello, I am trying to enable the an L32-E PLC to communicate with a Panelview Plus 1000. I am reading that I don't need to add the Panelview in...
Replies
2
Views
3,363
kuriger9
K
D
Connect sick PIM60 to CompactLogix via Ethernet/IP
Hi there, We have a new sick PIM60 inspector camera and we are trying to make it talk to a compactLogix to send object number and trigger signal...
Replies
7
Views
4,661
johnnythomo
J
Back
Top Bottom