Firewall / Remote Connect to EtherNet/IP

[Bob A. 1]

Hi Guys, I use a network scheme in my development area that has the same range of addresses that I typically use in the field. Now that I have moved the system to the field location, I would like to bring the two parts together occasionally. The Internet provider is Comcast and the firewall on the field end is Sonicwall. The connection is fast and easy to get, but very little can be accomplished with it. Most of the remote network is EtherNet/IP components many having webservers. I can connect to a few of those, but none of the control components. There is a Stratix 8000 managed switch in default setup (nothing special yet) that pulls everything together. The IT guy thinks that the firewall doesn't like the fact that both networks have the same range of addresses (all unique) and has advised that I change one end or the other to a different subnet. I don't want to have to do this just to find out that it is not the solution. Any opinions ?? Thanks, Bob A.

[Ken Roach 194]

Use the older "Ethernet Devices" driver, and add the suffix ":EIP" to the end of each IP address. The modern EtherNet/IP driver won't browse through a VPN or through any sort of router, as it uses a broadcast packet to identify devices on the network and that won't carry through a router. Also, I've had trouble with the old driver because it first attempts to connect to Port 2222 (the old PLC/SLC protocol) and requires that the device reply with a "Port Closed" message three times before it will switch to Port 44818 (modern EtherNet/IP). Some tunnels and firewalls consider requesting a TCP connection to a Port Number for which you've just been told "Port Closed" to be a Port Scanning attack and block the second and third replies. Ergo, no switching to EtherNet/IP and talking to ControlLogix. The ":EIP" notation tells RSLinx to not attempt to connect using Port 2222 and just proceed directly to 44818.

[Ken Roach 194]

This is also an appropriate time to mention one of my favorite network utilities: TCPING. http://www.elifulkerson.com/projects/tcping.php It does the same essential function as PING, but by requesting a TCP Port Connection. If a device replies to TCPING at Port 44818, I know I'm talking successfully to an EtherNet/IP device. If not, I concentrate on the network and tunnel.

[Bob A. 1]

Hi Ken, Hoping to get some time to work on this. I did the TCPING download but when I try to execute it, I get a blink of a shell window and then it is gone. Hopefully the firedrill will taper off a bit and then there will be some time to pick up the pieces. Thanks for your replies. Bob A.

[RussB 22]

With tcping there is no GUI. Go to a command window (cmd.exe) then either make sure that tcping is in the path (like c:\windows\system32) or navigate to the directory you stored it and run it from there.