
PC to DL06 communication via Internet

  • PC to DL06 communication via Internet

    The goal is to be able to get information and change the programming of the PLC remotely in order to give remote troubleshooting.

    It is using the H0-ECOM100 module, ethernet connected to the modem. So far it has been possible to connect correctly within the local network, but I have problems when it comes to accessing from another network.

    I have already checked the FAQ of ECOM and DirectSOFT. According to FAQ0016, and since we don't have a registered IP address, I'm trying to connect using Method #2. I think the problem starts at step 2.b, the UDP port number: apparently the modem has some UDP ports open, but DirectSOFT isn't finding it.

    Help on this topic will be appreciated.


  • #2
    Is your router port forwarding correctly?
    Can you telnet to the port?

    Comment



    • #3
      In the case of the router, it's a Thomson 585 v6. I have made a new application of open ports for the PLC to use, but it seems that the PLC doesn't appear as connected on the router page even when it is (see attached images).

      In the case of telnet, I haven't tried it. I don't know if SSH would be better.

      Comment



      • #4
        Looks like you are forwarding TCP, but need to forward UDP?

        If this is UDP, forget what I said about using telnet.

        Comment
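Added example, not part of the original thread: a loopback-only Python sketch of why a telnet-style TCP connect says nothing about a UDP-only service, and what a UDP probe looks like instead. The responder is a constructed stand-in on an ephemeral port (it does not speak the ECOM protocol), and all function names are hypothetical.

```python
import socket
import threading

def start_udp_responder():
    """Constructed stand-in for a UDP-only device service, bound to loopback."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))  # ephemeral port, placeholder for the real one

    def serve():
        while True:
            try:
                data, peer = sock.recvfrom(1024)
                sock.sendto(b"ACK:" + data, peer)
            except OSError:  # socket closed
                return

    threading.Thread(target=serve, daemon=True).start()
    return sock, sock.getsockname()[1]

def tcp_check(host, port, timeout=1.0):
    """What telnet does: a TCP handshake. Fails if nothing listens on TCP."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def udp_check(host, port, payload=b"probe", timeout=1.0):
    """Send one datagram and wait for a reply; None means no answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(payload)
            return s.recv(1024)
        except OSError:  # timeout, or ICMP port unreachable reported as refused
            return None

def compare(host, port):
    """Same host and port number, two transports, two different answers."""
    return {"tcp": tcp_check(host, port),
            "udp": udp_check(host, port) is not None}

if __name__ == "__main__":
    srv, port = start_udp_responder()
    print(port, compare("127.0.0.1", port))
    srv.close()
```

A missing UDP reply is ambiguous: the port may be closed, filtered by the router, or the service may simply ignore datagrams that are not in its own protocol, so the forwarding rule's protocol setting still has to be checked on the router itself.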



        • #5
          The way we do it is to use a VPN router at the remote site and a VPN client on the laptop. No port forwarding or hacker problems for the customer. After the VPN is connected over the Internet it is like sitting on the local network. We also let our customers look at the C-more screen (they can change set points and adjust speeds but not start the equipment) over the Internet with the VPN client on their laptop. With this setup we can troubleshoot problems, run the equipment, and make changes to the PLC and the screen over the Internet.

          JW

          Comment



          • #6
            JW raises a very good point!

            Open ports sitting out on the internet is really not a good idea.

            Even though, as I understand it, DirectSoft does offer some password protection, I wouldn't trust the PLC password as the sole barrier between your PLC and the entire world.

            Comment



            • #7
              Originally posted by Gabsol
              The goal is to be able to get information and change the programming of the PLC remotely in order to give remote troubleshooting.
              Other than VPN, (possibly remote PC control software w/end customer having DirectSOFT installed), there is no way to do this securely.

              If you knew you had a very tech-savvy end-customer, they could open the port on their company's server temporarily while you were getting information or changing the program, then close the port after you were done.

              I'm guessing, though, that this could be pulled off 1 in 100 installations because the end-customer's IT people are never going to open up a port for an outside party to get remote access to their internal network, especially their PLCs.
              There are 10 kinds of people in this world, those who know binary, and those who do not.

              Comment



              • #8
                Originally posted by jwbaker3
                The way we do it is to use a VPN router at the remote site and a VPN client on the laptop. No port forwarding or hacker problems for the customer. After the VPN is connected over the Internet it is like sitting on the local network. We also let our customers look at the C-more screen (they can change set points and adjust speeds but not start the equipment) over the Internet with the VPN client on their laptop. With this setup we can troubleshoot problems, run the equipment, and make changes to the PLC and the screen over the Internet.

                JW
                Ok, so let me get this straight,

                Main Office
                PC or Laptop
                connected to Internet
                VPN Client

                Remote Location
                PLC Ecom100 --> Router

                So, on the main office side it is enough to have a computer with Internet and VPN client.
                On the remote location, there's the PLC with the ECOM connected to the vpn router.
                With this installed, I should be able to check the PLC status and modify the program using DirectSOFT, with no PC for the Remote Location side.

                Thank you all for your help.
                Just one question.
                Is it necessary for the Internet service provider to be in this procedure?
                Last edited by Gabsol; 06-11-2010, 05:18 PM.

                Comment



                • #9
                  That's about it. No PC required on the customer side. We password our programming to protect the system from changes unless we make them, so a PC at the PLC with DirectSOFT on it would not work without the password anyway. You will have to set up the VPN to make the connection. (I have not been able to get the VPN to work over a Hughes net satellite connection; Skyblue satellite works OK but slow.) The only thing I get from the ISP is a static IP for the internet connection for the router (it's just easier that way), and most larger customers have static anyway. I have a couple of customers that have Sonicwall routers, and the IT department set up the VPN so the only part of the network I can see is the plant control Ethernet with the PLCs, HMIs, drives and servos.

                  I connect to the router by clicking on the correct customer's VPN file on my laptop (most of the time in a hotel or wireless hotspot, I am on the road a lot), start DirectSOFT after the VPN is connected, and connect to the PLC just like I would sitting at the Ethernet switch the PLC is connected to. (I use an unmanaged Ethernet switch to connect the PLC, C-more, and the router.) For smaller companies without IT departments we use Netgear FV318 VPN routers; they cost about $109 and have worked well for us. The only glitch I have found is the VPN client from Netgear will not run on Windows 7 64-bit, so I have to use XP mode on Windows 7, and it works fine. I have some sites where we don't have an internet connection at the equipment, so we use 802.11 B G N radios to bridge the connection up to 6 miles (so far). The hardest part on the first one was setting up the VPN. The customer had Hughes net; that is when I found out it would not work (after 4 hours on the phone with tech support). That was also the first radio, 4 miles from the office to the equipment site. Please send me an email if I can help. (I'll try.)

                  JW

                  Comment



                  • #10
                    VPN is the most reliable way to connect to a PLC from the internet. I have had two types of setup that work almost without any issues. The first setup is where I supply a VPN device, usually a router, and have it connected to an external static IP address. Then I have my PC set up in the office behind another VPN device. The two devices set up and handle the tunnel. It is like having the PLC on the desk next to me. The other setup is to have the IT department set up a VLAN for my PLC cmores to sit on, and then set me up as a VPN client.
                    On a side note, I do not know of a way to mess around with a PLC without DirectSOFT, or dnloader. So even if someone hacked the network, the PLC should remain safe. The cmore however can be hacked if the FTP server is on. So be careful with that. If anyone knows of other security risks, please share.

                    Comment



                    • #11
                      We are more concerned with the computers and the C-more on the system than the PLC as far as hackers. If we leave a hole for a hacker to get onto the customer's network, and it happens, we have most likely lost that customer and caused them a huge problem. (Even if their IT department set it up, it's easier to point at the outsider.) That is why we insist on a VPN for remote access to the control network. (If we have any input we try to get the customer to have a control network not connected to their office network.) If the customer will not allow the VPN, then we travel to the job site or troubleshoot the system over the phone if needed. (99.9% of the time it is an input problem with a sensor or switch/photo eye/prox and we can help the customer fix the problem in a few minutes.) On jobs that will not allow the remote we make troubleshooting screens on the C-more with all of the analog values and inputs/outputs so we can do phone support and try to keep the customer out of the PLC cabinet. (It's easier than trying to make sure the switch is in the right place to read the lower 8 inputs on a 16 input card.) We operate with the thinking that any time you have any electronics that have access to the internet there is a risk; we use every means of reducing that risk for the customer and ourselves.

                      JW

                      Comment



                      • #12
                        Thank you for your help.

                        I'll try to use the router way.

                        Comment



                        • #13
                          See our whitepaper on the subject.
                          If you have an urgent issue, please contact AutomationDirect's Technical Support team.

                          AutomationDirect.com Technical Support: 1(800) 633-0405 or (770) 844-4200 Email Tech Support

                          Comment



                          • #14
                            Originally posted by Daniels
                            What would you suggest as additional protection?
                            I would suggest using scissors to cut the wires between your PLC and the internet.

                            Comment



                            • #15
                              I went through a number of solutions and companies not wanting to open ports or maybe not allow access at all except through a dial-up.
                              I found an industrial router/modem that can be set up using a dial-up or Internet access with no ports except 80 to be open.
                              They act as a middle-man on the connection. The connection is free, or for a faster connection you can pay a yearly fee. The free connection is about 4 times the speed of a dial-up.
                              If using the Internet for the connection, you create an account for each customer through this service. Once you access your account online, you see each connection you have created for your customers. Once you select the customer you want to connect to, the VPN tunnel is created.
                              Having the option of dial-up or Internet connection on the same device comes in handy.
                              On the security side, I usually have my customers just pull the RJ45 cable out of the WAN port when finished. Just as good as cutting the cable.
                              The website link is
                              http://www.ewon.us/us/usa/home.html

                              Comment
