slcman

Remote access thru internet

12 posts in this topic

Hi all, I would like to connect to an M1100 and PanelView Component thru the internet. I have 1 MicroLogix 1763L16BWA, a PanelView Component C600 and a D-Link router EBR-2310 (nothing is connected to the WAN port at this time). I have never done it, and I don't know where to start... any idea? Do I have to set up a VPN? I only have RSLinx Lite; will it work or do I need Gateway? Must my customer have a fixed IP address or not? Thanks for your help

The answer to your question is multi-faceted. There are ways you can do what you describe that work and ways you can do it that are robust and follow best practice. For the sake of my post and further discussion I am going to assume the following:

1. Your M1100 is at Site A and can access the internet through a router and modem.
2. Your C600 is at Site B and can access the internet through a router and modem.
3. Sites A and B are not on the same Intranet or Corporate Network.

Answer A - The it works, but isn't robust

If you open the proper ports {see help files or AB knowledgebase for the two ports you need} then the ML can see the PV and communicate. You'll either need fixed addresses or use a Dynamic DNS service and address the ML and PV by their domain name rather than IP address. The problem with this approach is that it leaves two ports of your local network open to the world and any hack can access your PV and ML also.

Answer B - More robust better approach

Use a small VPN and connect the two sites. The VPN handles maintaining the connection and the ML and PV think they're on the same local subnet. The improvement here is that no ports to the internet world as a whole remain open for hack exploitation.

I've done both and know of operations doing both. It is a matter of cost vs risk vs reward. You make the call.
1 person likes this

When I use a PC, I can enter the login and password, but how can I do it with the PLC & HMI?

I interpreted the question differently; I assume the MicroLogix and PanelView Component are installed on the same machine and communicate locally, and slcman wants to be able to maintain and reconfigure them remotely using the Internet as the connection.

While Port Forwarding can technically do what he needs, I very strongly recommend against it because it provides no security. The PanelView Component listens for connections on the well-known TCP Port 80 (HTTP) and will be overwhelmed by malicious software within minutes if it is connected directly to the Internet.

I have been disappointed with the reliability and ease-of-use of several consumer-grade "VPN Routers"; most are either built to go appliance-to-appliance or require that you install a specific client software package on your PC. Business-class and industrial VPN appliances are often overkill; I need 1 client, not fifty.

If you have a Windows XP PC as part of the system, you can use it to create a VPN connection. Windows XP includes a VPN client, and can be the VPN server for a single connection. This, of course, means you have to be concerned about the security of that Windows PC, too.

Just yesterday I did an installation of a tiny Linux-based firewall called m0n0wall on an old PC in my office. I haven't set up or tested the VPN Server included in it, but I was impressed by how easy it was to install and how effectively it replaced my Linksys router. If you have the space to install an old PC (maybe in the server room with the Internet connection), that might be a neat way to provide the VPN and Firewall protection you need to connect this system to the Internet safely.

Exactly why I stated my assumptions before I offered an answer. His original question was very open to interpretation. Thanks for the alternative viewpoint Ken.

You're right Ken, the MicroLogix and PanelView Component are installed on the same machine and communicate locally, and I want to be able to maintain and reconfigure them remotely using the Internet as the connection. I don't have space to put a PC in the cabinet! If I use the router with port forwarding like you say, my customer can disconnect the internet connection (unplug the cable) when he doesn't need remote assistance, and I can put a password in the PLC and HMI; it's safer. What do you think of my idea?

Second question: can RSLinx Classic do the job of connecting to the PLC? I use the ETH-IP driver, so which IP do I put in the driver (router, PLC?) Should I use another driver? I don't know what I have to type in the Explorer address bar to get access to the PanelView.

Like Bob says, I found the Ethernet ports AB uses. I left the file in the forum if someone needs it. Thanks guys for your help... Ethernet_port.pdf

The "EtherNet/IP" driver in RSLinx Classic uses a broadcast packet to browse the local subnet. Most routers and VPNs will not pass that packet on to the remote network, so the EtherNet/IP driver usually does not work across a VPN connection. Instead, use the "Ethernet Devices" driver. For that driver, you enter the IP address of the target device (the MicroLogix 1100) into a table of station number / hostnames. You can append ":EIP" to the IP address to indicate to RSLinx Classic to use TCP Port 44818. If you are using Port Forwarding, the IP address of the MicroLogix 1100 as viewed from the Internet will be the Wide Area Network (WAN) address reported by the D-Link Router. Let me re-state this very clearly: Port Forwarding is not secure. While the potential for someone with malicious intent and RSLinx/RSLogix to find your installation is very small, the potential for malicious software that is trying to find and infect Windows computers to interfere with your remote connection effort is almost certain. A password will prevent somebody or something from modifying your PLC or PanelView application. The real concern is that trojan/zombie/bot software will crowd the controller's TCP connectivity and prevent you from having successful connections. I realize that an application using PanelView Component and MicroLogix 1100 won't have room in the cabinet for a white-box PC. But your customer's connection to the Internet is probably connected in a server closet somewhere on the premises, where a shelf and a pair of Ethernet cables will be available.

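An added example, not part of any post in this thread: a small audit of a router's port-forward table that flags rules exposing the two TCP ports named above (80 for the PanelView Component, 44818 for EtherNet/IP). The CSV rule format, rule names and addresses are constructed for illustration and do not come from the D-Link router or from Rockwell documentation.

```python
from ipaddress import ip_network

# TCP ports named in the thread; the rule format below is a hypothetical CSV export.
SENSITIVE_TCP = {80: "PanelView Component web server", 44818: "EtherNet/IP"}

# Constructed sample data (private and documentation address ranges only).
SAMPLE_RULES = """\
# name, proto, wan_port, lan_ip, lan_port, allowed_source
plc-eip,        tcp, 44818, 192.168.0.10, 44818, any
hmi-remapped,   tcp, 8080,  192.168.0.11, 80,    0.0.0.0/0
hmi-restricted, tcp, 8081,  192.168.0.11, 80,    203.0.113.7/32
vpn-endpoint,   udp, 1194,  192.168.0.2,  1194,  any
"""

def parse_rules(text):
    """Turn the CSV text into a list of rule dicts, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, proto, wan, lan_ip, lan, src = [f.strip() for f in line.split(",")]
        rules.append({"name": name, "proto": proto.lower(), "wan_port": int(wan),
                      "lan_ip": lan_ip, "lan_port": int(lan), "source": src})
    return rules

def source_is_unrestricted(src):
    """True when the rule accepts traffic from any Internet address."""
    if src.lower() == "any":
        return True
    return ip_network(src, strict=False).prefixlen == 0

def audit(rules):
    """Return (name, service, wan_port, exposure) for each forward to a sensitive port."""
    findings = []
    for r in rules:
        # Judge by the LAN-side port: remapping the WAN port does not change
        # which service ends up reachable from outside.
        service = SENSITIVE_TCP.get(r["lan_port"]) if r["proto"] == "tcp" else None
        if service is None:
            continue
        exposure = "internet-wide" if source_is_unrestricted(r["source"]) else "source-restricted"
        findings.append((r["name"], service, r["wan_port"], exposure))
    return findings

if __name__ == "__main__":
    for name, service, wan_port, exposure in audit(parse_rules(SAMPLE_RULES)):
        print(f"{name}: {service} forwarded from WAN port {wan_port} ({exposure})")
```

The VPN endpoint rule is not flagged because it forwards no controller or HMI port; with a VPN in place, the three flagged forwards can be deleted entirely.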
Since the ML and C600 are communicating locally and you want to access them across the internet for maintenance, the most secure approach I am aware of is a VPN. The VPN module can be as small a footprint as a router or switch. Others can probably recommend good hardware. If it were my application this would be my leaning.

Here is an example of an industrial router with VPN that should fit in your cabinetry? http://www.industrialnetworking.com/Catego...-TX-TX-Firewall You simply connect the untrusted side to the internet and login to it remotely from your PC. Once you've connected, the port (and LAN) on the other side appears to be a relatively local LAN to you. Using the Ethernet/IP driver (broadcast mode) probably won't work (it's not supposed to according to the Ethernet/IP spec) but you can use the standard Ethernet driver to connect right up. Here is a modem->Ethernet device (if you are using dialup and not some sort of network access at the other end): http://www.sixnet.com/department/dialup-eh...t-modems-45.cfm There are also several Cisco routers that will work. They are not nearly as compact as the above $1200 Hirschmann one though because they're designed for rack mount equipment. You also haven't specified how you are going to connect to the internet (T1, Cable, DSL, corporate LAN, etc.), which will have a lot to do with how you connect your equipment.

Internet will come from the corporate LAN. I think I'll have some documentation to read and a few tests to do... it's not an easy job! Like everybody says, I'll try to do a VPN connection. I tried to use the LAN modem from AB, 9300-RADES; it works well but needs a phone line and it's slow. I want to install remote Ethernet far away, so my phone bill will increase a lot each time I use the connection. This is the reason why I want to try a VPN connection. I don't understand why AB doesn't have any product to do a VPN connection to AB products... thanks all

AB is a latecomer to the Ethernet world, especially in terms of I/O. They outsourced the entire infrastructure business to the market leader, Cisco. And for their part, I think Cisco has screwed AB at every turn. Take one look at their Stratix product line (what little they have) and compare it to the Cisco product line for a comparison and you'll see what I mean. As with all vendors, don't assume that just because product line A is good that products B & C will also be good. All in all, I'd say that 95% of AB's product line is pretty darned good. The exceptions would be their HMI panels and their Ethernet infrastructure offerings. If you want this stuff, you need to go elsewhere.

I'd add an exception to your exception. We're using 6186 displays for our HMI terminals and they hold up quite well in our washdown environments. They just don't seem to tolerate broom handles and screwdriver end points to the touchscreen.
