0 votes
141 views 5 comments
by

Hello.

I have 6 separate RUT240 routers in a private APN LTE network and an Android tablet with the same private APN SIM card. The range of WAN addresses is: 192.168.0.1-7 (192.168.0.1-6 for RUT240 routers and 192.168.0.7 for Android tablet)

Each RUT240 has a LAN address 192.168.x.10 and has 5 devices connected via unmanaged switch with addresses 192.168.x.1-5.

x = network number

I'm able to reach a device located in each network from Android tablet using port forwarding set on RUT240 routers, but I'm not able to reach any device using a device behind RUT240 (in LAN).

I would like to read Modbus TCP on port 502 that is given by S7-1200 PLC in network x (192.168.x.2) using the device (WebHMI) from other network (192.168.y.1). WebHMI reads Modbus TCP on port 502. I've forwarded all requests from WAN on port 502 to 192.168.x.2 (PLC) on port 502 but it doesn't work.

I hope you can help me to resolve this issue...

Here is an example of network topology for these devices: Network topology

1 Answer

0 votes
by
Hello,

Regarding the port-forwarding, did you specify different external ports rather than running it all on port 502? Because the external port can be used only once per redirection. Let's say port 81 -> 502 for lan: 192.168.1.1, then port 82 -> 502 for lan: 192.168.1.2

Kindly double-check and let me know.

Regards,

Mellow
by

Screen with new port forwarding settings: --- RUT240 settings (static WAN: 192.168.0.2) ----

If I understood you correctly, every request should be using a different external port?

Please see above link with settings.

  1. WebHMI rule is for connecting to web SCADA on port 80 (http) from Android tablet. The tablet is in private APN network like the rest of RUT240 routers and directly uses its WAN address (192.168.0.7). For connecting to this particular RUT240 I use 192.168.0.2:1080 which connects me to web SCADA to 192.168.2.1 on port 80.
    This forwarding rule works with no issues.
  2. PLC rule should allow devices from other "islands" to read data from local PLC on port 502. Each of these "islands" sends request on different ports (601-606). For example: 
    • 192.168.1.1 sends request to 192.168.0.2 on port 601 and should be forwarded to 192.168.2.2 on port 502
    • 192.168.2.1 sends request directly to PLC's LAN address 192.168.2.2 on port 502
    • 192.168.3.1 sends request to 192.168.0.2 on port 603 and should be forwarded to 192.168.2.2 on port 502
    • 192.168.4.1 sends request to 192.168.0.2 on port 603 and should be forwarded to 192.168.2.2 on port 502
    • 192.168.5.1 sends request to 192.168.0.2 on port 603 and should be forwarded to 192.168.2.2 on port 502
    • 192.168.6.1 sends request to 192.168.0.2 on port 606 and should be forwarded to 192.168.2.2 on port 502

Same for each of the "islands" - every request from WAN to ports 601-606 should be forwarded to local PLC ip address 192.168.x.2 on port 502.

Unfortunately it doesn't work.

One more thing I've noticed: LAN devices (including my laptop) cannot reach outside LAN. For example requesting 192.168.0.2:1080 works perfectly from tablet (because it is directly in private APN) but not from devices in LAN behind RUT240.

by

Hello,

One more thing I've noticed: LAN devices (including my laptop) cannot reach outside LAN. For example, requesting 192.168.0.2:1080 works perfectly from a tablet (because it is directly in private APN) but not from devices in LAN behind RUT240.

In private APN networks, you cannot access the LAN devices directly; to do so, you may need to implement routing or use a VPN solution. It's better to double-check everything via ping if it is reachable just to confirm.

Now for the port-forwarding, it would be best to test it with a PC/Laptop running an HTTP server and test if the rule is getting executed. Here is a good software to test HTTP service: HFS ~ HTTP File Server (rejetto.com)

Let me know the results

Regards,
Mellow


 

by

Now for the port-forwarding, it would be best to test it with a PC/Laptop running an HTTP server and test if the rule is getting executed. Here is a good software to test HTTP service: HFS ~ HTTP File Server (rejetto.com)

I'm now able to connect to remote devices using devices behind the RUT240 - it was enough to enter a gateway 192.168.x.10 in devices (RUT240 LAN ip address) so now they are using RUT240 as a default gateway. I'm also able to ping every RUT240 in APN.

So one step further...

In private APN networks, you cannot access the LAN devices directly; to do so, you may need to implement routing or use a VPN solution. It's better to double-check everything via ping if it is reachable just to confirm.

I was not considering VPN because this solution needs a server. I need all these "islands" to be independent, so if one breaks/shuts down, the other can still communicate with each other. Shutting down the server would break whole communication. Am I wrong?

About routing - it would be great if you could help me with one pair and guide me through configuration. Let's use this pair of islands:

  1. Island no. 1 (public static IP: 192.168.0.1):
    • 192.168.1.1 - WebHMI: 
      - WebHMI shares a web SCADA, that is accessible from WAN and LAN. For this I have created a port forwarding rule redirecting wan requests on external port 1080 to its LAN ip address on port 80. And this works fine.
      - WebHMI also needs to read Modbus TCP from local PLC in LAN (192.168.1.2:502), which works fine and from PLC in island no. 2 (192.168.0.2:602) which doesn't work at all. For this I have created a port forwarding rule in each RUT240, redirecting wan requests on external ports 601-606 to PLC's LAN ip address on port 502.
      - WebHMI uses local RUT240 ip address as a gateway: 192.168.1.10
    • 192.168.1.2 - PLC:
      WebHMIs (local and from other islands) need to read Modbus TCP on port 502 from this PLC.
      Do I need to set a gateway here as well?
    • 192.168.1.10 - RUT240:
      Has a static WAN public address: 192.160.0.1
  2. Island no. 2 (public static IP: 192.168.0.2):
    • 192.168.2.1 - WebHMI:
      - WebHMI shares a web SCADA, that is accessible from WAN and LAN. For this I have created a port forwarding rule redirecting wan requests on external port 1080 to its LAN ip address on port 80. And this works fine.
      - WebHMI also needs to read Modbus TCP from local PLC in LAN (192.168.2.2:502), which works fine and from PLC in island no. 1 (192.168.0.1:601) which doesn't work at all. For this I have created a port forwarding rule in each RUT240, redirecting wan requests on external ports 601-606 to PLC's LAN ip address on port 502.
      - WebHMI uses local RUT240 ip address as a gateway: 192.168.2.10
    • 192.168.2.2 - PLC:
      WebHMIs (local and from other islands) need to read Modbus TCP on port 502 from this PLC.
      Do I need to set a gateway here as well?
    • 192.168.2.10 - RUT240:
      Has a static WAN public address: 192.160.0.2
by
Hello,

For the routing part here are some documents that you can review:

https://mega.nz/file/uk0QSQKC#MCPLcy_VzM0-TiQ1VbDttOgMGdzPpMOopwh4aJ2WRhY
https://mega.nz/file/agkCCTiA#J8HrpzqakphBoWpgwV_XKCeozX_q3Sg0ErkAI7iTTYM
https://mega.nz/file/eg8m2LTL#oKP2vPV6HqAzkvp5CVRA0BA_Xm_wtoaosds7CJS6lIw

You can decide which dynamic routing protocol you are going to use.

Also in order for the port-forwarding rule to work properly the connected device behind RUT240 must specify the default gateway IP address pointing to the RUT240 LAN IP.

I hope this helps.

Regards,
Mellow
by
Hello again.

Thank you for the hints.

I have found the source of these issues. The port forwarding works fine and the problem lies in Modbus TCP protocol itself.

It turns out that reading data from 1 Modbus TCP server by more than 1 device at a time is not possible. That's why I couldn't access the data while another device was reading at the same time.

Getting smarter every day... I wonder if there is a way to solve these issues? Maybe the router can handle request traffic periods internally?
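
On the question in the last post, an added example (not code from the thread or from any product it mentions): the frame-level logic a gateway would need to let several WebHMIs share one Modbus TCP session to a PLC, assuming the PLC serves only one client at a time as reported above. `ModbusSerializer` and `read_holding_request` are hypothetical names; socket handling is left out so the queuing and transaction-id rewriting can be seen on their own.

```python
import struct
from collections import deque

MBAP = struct.Struct(">HHHB")  # transaction id, protocol id (0), length, unit id

def read_holding_request(tid, unit, addr, count):
    """Build a Modbus TCP 'Read Holding Registers' (function 0x03) request."""
    pdu = struct.pack(">BHH", 0x03, addr, count)
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu

class ModbusSerializer:
    """Funnels requests from many clients into one upstream session.

    Only one request is outstanding at a time; the rest wait in a FIFO queue.
    Each forwarded request gets a fresh upstream transaction id, and the
    reply goes back to the right client with its original id restored.
    """
    def __init__(self):
        self.queue = deque()   # (client, original_tid, frame) waiting
        self.inflight = None   # (client, original_tid, upstream_tid)
        self.next_tid = 1

    def submit(self, client, frame):
        """Queue a client frame; return bytes to send upstream now, or None."""
        if len(frame) < MBAP.size:
            raise ValueError("short frame")
        tid, proto, length, _unit = MBAP.unpack_from(frame)
        if proto != 0 or length != len(frame) - 6:
            raise ValueError("malformed MBAP header")
        self.queue.append((client, tid, frame))
        return self._pump()

    def _pump(self):
        if self.inflight or not self.queue:
            return None
        client, tid, frame = self.queue.popleft()
        up_tid = self.next_tid
        self.next_tid = self.next_tid % 0xFFFF + 1   # wrap within 1..65535
        self.inflight = (client, tid, up_tid)
        return struct.pack(">H", up_tid) + frame[2:]

    def on_reply(self, frame):
        """Match an upstream reply; return (client, reply, next_upstream)."""
        up_tid = struct.unpack_from(">H", frame)[0]
        if not self.inflight or up_tid != self.inflight[2]:
            raise ValueError("unexpected transaction id from upstream")
        client, tid, _ = self.inflight
        self.inflight = None
        return client, struct.pack(">H", tid) + frame[2:], self._pump()
```

A real gateway would also need a timeout that clears `inflight` when the PLC does not answer, otherwise one lost reply stalls every client.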