I have a customer who wants me to be able to go online over the internet to his CompactLogix for fault finding/diagnostics/editing.
He also has a Weintek HMI on Ethernet, which I may need to download new revisions to.
He only has a typical "domestic" style 4-port modem/router/access point, and is willing to run an ethernet cable to the PLC panel.
This area is not my forte, so I have lots of...
Questions...
Will this work ?
Yes.
Forewarning, everything else can be done below inexpensively or even free. And there is a good chance I'll make it sound more difficult than it is.
Will there be any need for VPN technology ?
Possibly. It depends on A) the security that AB provides (I have zero experience with AB products) B) if the customer is willing to expose the CompactLogix to the internet with no additional security other than what AB provides.
If AB provides decent security with a login and password, you would simply give the PLC a static IP address outside of the DHCP range (I usually start my DHCP pools at x.x.x.100), then port forward whatever port(s) AB uses to that static address. Rinse and repeat the same steps for the HMI.
Changing the DHCP pool is trivial in nearly every router in existence. You would want to change it to a higher value so that the DHCP server doesn't give out the same IP that the PLC or HMI would be using, in the case that their are offline. IE, you assign the PLC a static address of 10.1.10.20. PLC is offline, employee comes in, their phone jumps on the network and the DHCP server hands out the address of 10.1.10.20. Now the PLC comes online with the same address, you have an IP conflict.
If the customer isn't willing to expose the PLC to the internet without a VPN, it's quite possible their router has a VPN option built in. Even low end consumer routers are including that now. You'll need to create the VPN on their router, as well as make a VPN connection on your computer to access their VPN. This is the most secure option (depending on the type of VPN being used, PPTP VPN's still send the password in clear text).
Will he need to fix his IP address with his provider ?
Again, possibly. If the customer has a dynamic IP with their provider, they could sign up with a dynamic DNS service like noip.com ($25/year) or Dyn's "Remote Access" ($40/year). The services are basically identical for your uses. If his router supports noip.com, by all means, use that. A lot of them do now. If it doesn't, just about every router made in the last decade will support Dyn.com (aka DynDns.com). Either one of these services will give you a domain (such as "yourcustomer.noip.com) that will always redirect to their actual IP.
Some software supports the use of a domain address, some don't. Automation Direct's Productivity software for example requires the numeric IP address. This is easy to get around, I just pull open a command prompt, and ping "yourcustomer.noip.com" which will resolve my numeric IP, which I punch into my PLC software.
Alternately, nearly every internet provider (at least here in the US) offers a static IP for even consumer accounts. For most consumer accounts or low-tier business accounts in here in the states, the average going rate for a static IP is $20/month, making it a bunch more expensive than a $25 or $40/year service. I still prefer dynamic dns services (even when I have a static IP at one of my locations) for the simple fact that it is easier for me to remember mycompany.city.noip.com than 77.211.90.138.
How "secure" can we make it ?
With a VPN or VPN-in-a-box, very secure. Without a VPN, as secure as AB will allow.
The **** devices make some of it easy (specifically the VPN portion), but they don't address the static / dynamic IP issue. They are also very, very expensive for what they do. The base model unit for ethernet-only communication is a little under $700.
You could replace the customers router (in the case that it does not support VPN) with a EdgeRouter Lite for $100 (which is a FANTASTIC low cost router) and have it do everything the **** does. Of course, that option comes with more setup time on your end. But, it's still cheaper for the customer and if you're billing by the hour, more money in your pocket.
