SLC 5/05 Remote Access

dutch4892 (Member; joined Jun 2015; Wisconsin; 4 posts)

Scenario:

Customer has a remote site with a SLC and a Panelview hooked up. They want to be able to have another Panelview at the main site with the same app that looks at the remote SLC. Since both sites have internet my initial thought is to connect the two sites with a VPN between the routers. Problem is that the routers aren't capable of this (cheap-o DSL company).

Question:

Can I use a dynamic DNS hostname by way of forwarding ports to connect to my SLC processor from the other site over the internet so my Panelview can see it?

Obvious answer to this problem is to just put in a radio at the main site, but I guess that wasn't in the budget.
 
Welcome to the Forum, and thanks for the interesting question!

Are these old PanelView Standard or modern PanelView Plus?

In general a PanelView Standard is going to use an IP address as its target, and won't try to resolve a hostname. I'm not sure about the PV+.

So you'll have to periodically ping the hostname, change the IP address for the target PLC in the PanelView application, and restart.

There's also the issue of relatively rapid two-way comms over the Internet; most Internet connections are heavily weighted in favor of download. You'll probably have to change the PanelView application to use a slower update rate.

The two TCP Ports you'll need to forward are Port 2222 (Classic A-B Ethernet) and Port 44818 (EtherNet/IP). I would have to experiment to learn for sure when PanelView Standard uses one over the other for an SLC-5/05 (which supports both).

The security issues of exposing your controller to the Internet are pretty well known. What's less well understood but more practical is that Web crawlers will rapidly attach to undefended controllers and use up all of their TCP connection resources, leaving nothing left for the legitimate users. This happens in a matter of minutes to hours for installations that leave Port 80 open, but can also happen to installations that just leave the less-well-known Ports 2222 and 44818 open.

Point-to-point VPN appliances would be the best compromise, I think. The DSL routers don't need to be involved, and the VPN can operate in a gateway-to-gateway mode. The Linksys RV042 has a reputation for being cheap and dependable for this sort of thing.
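
Added example, not part of the original post: a small audit of a gateway connection log that flags sources outside the trusted LAN/VPN subnets holding TCP connections to the controller on the ports named above (2222, 44818, 80). The log format, IP addresses and subnets are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Ports named in the thread
PLC_PORTS = {2222: "Classic A-B Ethernet", 44818: "EtherNet/IP", 80: "HTTP"}
# Assumption: legitimate clients live on the remote LAN or on the main-site LAN behind the VPN.
TRUSTED = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "192.168.2.0/24")]
LINE = re.compile(r"^(\S+) (OPEN|CLOSE) (\S+):(\d+) -> (\S+):(\d+)$")

# Constructed sample log; the format is invented for this example.
SAMPLE_LOG = """\
2015-06-10T08:00:01 OPEN 192.168.2.20:49152 -> 192.168.1.10:44818
2015-06-10T08:03:10 OPEN 203.0.113.7:51000 -> 192.168.1.10:44818
2015-06-10T08:03:11 OPEN 203.0.113.7:51001 -> 192.168.1.10:2222
2015-06-10T08:04:00 OPEN 198.51.100.23:40000 -> 192.168.1.10:80
2015-06-10T08:05:30 CLOSE 203.0.113.7:51001 -> 192.168.1.10:2222
2015-06-10T08:06:00 OPEN 198.51.100.23:40001 -> 192.168.1.10:44818
2015-06-10T08:07:00 OPEN 192.168.1.30:50000 -> 192.168.1.10:502
"""

def is_trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED)

def audit(log_text, plc_ip):
    """Track connections to the PLC and report untrusted sources and connection load."""
    open_conns, hits_by_port, sources, peak = set(), Counter(), set(), 0
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        _, event, src, sport, dst, dport = m.groups()
        dport = int(dport)
        if dst != plc_ip or dport not in PLC_PORTS:
            continue  # not one of the controller ports under review
        key = (src, int(sport), dport)
        if event == "OPEN":
            open_conns.add(key)
            if not is_trusted(src):
                hits_by_port[dport] += 1
                sources.add(src)
        else:
            open_conns.discard(key)
        peak = max(peak, len(open_conns))
    return {"untrusted_sources": sources, "hits_by_port": dict(hits_by_port),
            "peak_open": peak,
            "still_open_untrusted": sum(1 for k in open_conns if not is_trusted(k[0]))}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, "192.168.1.10"))
```

Any non-empty `untrusted_sources` set means the forwarded ports are reachable from outside the VPN, and `still_open_untrusted` shows how many of the controller's connections those outside sources are holding.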
 
Thanks for the reply. Very helpful. If I go the VPN route would I have to turn off the router functionality on the existing router/modem combo boxes and add the VPN appliance, or would I have to completely eliminate them and go to a standalone modem with a VPN appliance?

The remote is a PV+ and the local will be a standard PV.
 
Definitely do not just expose those ports to the world. Anyone "war dialing" for open ports could access all features of your processor. While this sort of activity isn't that common at the moment, expect it to become more so in the future.

A fixed IP from your ISP is a relatively cheap option here, not sure about there. Dynamic DNS is just one extra thing to go wrong. Just the head office site needs a fixed IP; the remote can initiate.

Draytek do some very good routers capable of VPN. Use L2TP over IPsec as a minimum.

I would also suggest installing a MicroLogix 1100 or something similar and use it to pull the data from the SLC using MSG instructions. Then set up your PanelView to look at the ML1100. This will give you much better control of how much data is being sent across the internet. I also often use an output and a relay to be able to power cycle the router automatically if I lose connection for more than half an hour... we have some shocking lines here and sometimes the only way to get a modem back up is to do the ol' "IT department standard solution #1".
 
You should not need to make any changes to the existing router / modem to set up a VPN to your remote site. But if you are using an ISP-provided modem / router in any kind of industrial business where you would have a remote site, that is kind of frightening from a security perspective.

My recommendation would be a Tofino industrial Firewall with the VPN LSM module found here https://www.tofinosecurity.com/

Tofino Firewalls are purpose-built for industrial applications with PLCs, HMIs and other equipment in mind, as well as built to handle industrial protocols.

Doing Dynamic DNS would not be a problem but static IP addresses are cheap compared to the extra possible problems and complexity of doing Dynamic DNS.

As Saffa said you may want to have some kind of Out of Band solution to deal with things at the remote site like to reset your internet connection or a secondary connection like a cellular modem or other methods to prevent driving out to the remote site to deal with these issues.

As others have said making remote industrial systems both functional and secure is not an easy task and IMHO you may be wise to get some help with this from someone well versed in industrial security.
 
I'm going to attempt the VPN solution in the office as a test. I'm getting some cell modems for another job and I'm going to see if I can get everything talking through routers and two Sonicwall TZ105's. Apparently I can just forward all traffic to the Sonicwall's local IP and everything should be good. When I know more I'll post some configurations in case anyone goes looking for this (y)
 
Not sure what you mean by forward all traffic to Sonicwall local IP? If you have 2 Sonicwall units just make a new VLAN on each end and set up the IPsec VPN and you are done. The PLC and HMI equipment will think it's all sitting on the same desk plugged into the same switch.

Are the Sonicwall units what you will have between your main site and your remote site?
 
