Netgate Discussion Forum
    Routing multiple LAN clients that have same IP

    L2/Switching/VLANs
    32 Posts 10 Posters 1.4k Views
      johnpoz LAYER 8 Global Moderator @gbitglenn

      @gbitglenn said in Routing multiple LAN clients that have same IP:

      hard-set to all have the same IP address. (192.168.0.2)

      Get with the maker of said PLC - and ask them how to change it.. defaulting a device to a specific IP is fine - but no possible way to change it would just be completely, utterly moronic!

      How would a customer ever have more than 1 of these plcs if they all had the same IP?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        michmoor LAYER 8 Rebel Alliance

        To be honest ..this is a solution for BGP/EVPN. With VXLAN.
        But that’s not in scope here

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

          gbitglenn @johnpoz

          @johnpoz Politics. It's not the PLC vendor, it's the custom software running on the PLC that runs the plant. It's all the same software; they just load it on all the machines, and the IP is hardcoded since they didn't expect anyone to want to get into them over the network.

          The fact is they just can't be bothered to build into their code usage of a local config file on each of the machine's panels that will contain specific settings for each machine. And with that, a screen to allow IP configuration.

          So yea, it is moronic. I'm trying to come up with an IT solution to get around bonehead developers in another branch of the company I have no say over. Their answer is to just go buy 30+ routers.

            johnpoz LAYER 8 Global Moderator @gbitglenn

            @gbitglenn How is that cost effective for a simple code change - if they set an IP on them, clearly they thought that it needs to talk on a network.. If you can write the code to give it a 192.168.0.2 address, then you can easily edit the code to put a different IP on it.

            30 routers is not a solution - it's a hack to a stupid, moronic, thoughtless idiot that would think, oh let me put an IP on this so we can talk to it over a network. But not allow for changing the IP.. gateway, mask, etc.

            can't be bothered to build into their code usage

            Is normally fixed with some sort of incentive, be it cash or - guess we won't be using your software any more, etc.


              JKnott @gbitglenn

              @gbitglenn said in Routing multiple LAN clients that have same IP:

              Any ideas?

              Have you considered static ARP? That way you could assign a device whatever address you want, regardless of what it's configured for.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

                gbitglenn

                @johnpoz The problem is the developers are the ones who are in charge of the coding that controls all the machines across all branches - and there are a couple of hundred of said machines. The internal IPs are there for the PLC to communicate with the HMI (the human interface panel).

                They don't want to make the change and to avoid doing it they've convinced Sr. Management it's due to safety reasons. (Not security - safety). It's just not going to happen. Again, all politics. They don't want to do it and came up with an excuse containing a scary word so Management would be on their side.

                We just need to read data off the PLCs - they don't need outbound.

                Oh well. I was really hoping to stick it to them.

                  johnpoz LAYER 8 Global Moderator @gbitglenn

                  @gbitglenn Well clearly then their suggested 30-router method would create a safety problem.. And cannot be used either - you can only access the PLC via the panel..

                  Guess you're off the hook for providing remote access as well - or someone could get hurt or die, etc. Since it's such a safety issue..


                    gbitglenn @johnpoz

                    @johnpoz lol, love it!

                      gbitglenn @JKnott

                      @jknott I haven't, actually. Note this would be just for inbound traffic to the PLCs. So perhaps this, along with @michmoor's above suggestion of using ports, would work. But now it's getting into a complex level of networking I haven't had to think about in years and don't really remember. Perhaps something on the managed switch can be set up as well.

                      So basically what I'm saying is sure I'll try anything at this point but I may need a little more handholding for that.

                        Bob.Dig LAYER 8

                        It should be possible with a router supporting VRF but not this one.

                        MikroTik RouterOS should do.

                          johnpoz LAYER 8 Global Moderator @gbitglenn

                          @gbitglenn Sounds to me like lazy is all. But sure, ok - not exactly sure what these PLCs control - but sure, guess there could be safety or even security concerns when you network something vs just local access/control.

                          So no matter how you allow for remote access/control - be it NATting or changing the IPs or routers - it would clearly be a safety issue if remote access is the safety problem.

                          Guess the matter is closed, if the developers say they can not provide remote access for safety reasons - then no matter how you came up with a way around their nonsense you would be unsafe.


                            bingo600 @gbitglenn

                            @gbitglenn said in Routing multiple LAN clients that have same IP:

                            We just need to read data off the PLCs - they don't need outbound.

                            If it's an occasional "read off", a.k.a. emptying a log or so ....
                            You could do a "kludge" .....

                            Effectively you are making a 1:30 Selectable Network Mux.

                            Get a cheap 48-port switch that is SNMP controllable.
                            Shutdown the first 30 ports.
                            Connect the 30 x PLC to switch - port 1..30.

                            FOR X = 1 TO 30
                                SNMP enable switch port X, wait 10 sec for link establishment.
                                Read out the desired PLC data, from (via) a MGMT-PC.
                                SNMP disable switch port X, wait 5 sec for port shutdown.
                            NEXT X

                            You might have to "clear ARP for 192.168.0.2" on the MGMT-PC, after port shutdown, in the loop.

                            And it would be desirable to have dual netcards in the MGMT-PC , one for the PLC-LAN , and one for the "Mgmt/Corp Control lan"

                            Not an "Online" solution , but a "Batch" solution ....
                            Might be better than maintaining 30 "Nat routers".

                            Security Note:
                            If two (or more) ports on the switch are open at the same time ....
                            HMI-1 might see data from PLC-2, or the other way around ...
                            As you now have "duplicate IPs" on the switch VLAN.
                            Prob both HMI & PLC dups.

                            Don't do that 😊

                            /Bingo

                            If you find my answer useful - Please give the post a 👍 - "thumbs up"

                            pfSense+ 23.05.1 (ZFS)

                            QOTOM-Q355G4 Quad Lan.
                            CPU  : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
                            LAN  : 4 x Intel 211, Disk  : 240G SAMSUNG MZ7L3240HCHQ SSD

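                            The batch loop above, written out as a sequencer that also enforces the note's "never two ports open" rule before it raises each port. This is an added example, not bingo600's code or anything from the thread. It assumes a switch that exposes the standard IF-MIB over SNMP (ifAdminStatus 1.3.6.1.2.1.2.2.1.7.<ifIndex>, ifOperStatus 1.3.6.1.2.1.2.2.1.8.<ifIndex>), that PLC k is cabled to switch port k whose ifIndex is k, that net-snmp's snmpset/snmpget and `arp` are present on the MGMT-PC, and that the SNMP community string and switch address are placeholders to be replaced. The `read_plc` callable is where the actual telemetry read goes; the `run` and `sleep` parameters exist so the control flow can be exercised against a fake switch without touching hardware.

```python
"""One-port-at-a-time switch "mux" for reading duplicate-IP PLCs.

Constructed example (not from the thread). Assumptions:
- the switch speaks standard IF-MIB over SNMP
- PLC k is cabled to switch port k and that port's ifIndex is k
- net-snmp's snmpset/snmpget and `arp` exist on the management PC
"""
import subprocess
import time
from typing import Callable, Dict, Iterable, List

IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7"  # IF-MIB::ifAdminStatus
IF_OPER_STATUS = "1.3.6.1.2.1.2.2.1.8"   # IF-MIB::ifOperStatus
UP, DOWN = 1, 2                           # IF-MIB: up(1), down(2)
PLC_IP = "192.168.0.2"                    # the address every PLC shares


def run_cli(cmd: List[str], check: bool = True) -> str:
    """Default runner: executes net-snmp / arp on the management PC."""
    proc = subprocess.run(cmd, check=check, capture_output=True, text=True)
    return proc.stdout.strip()


def parse_status(text: str) -> int:
    """ifOperStatus comes back as '1' (with -Oe) or 'up' if MIBs are loaded."""
    token = text.split()[0] if text else ""
    if token.isdigit():
        return int(token)
    return {"up": UP, "down": DOWN}.get(token.lower(), 0)


class PortMux:
    def __init__(self, host: str, community: str, ports: Iterable[int],
                 run: Callable[..., str] = run_cli,
                 sleep: Callable[[float], None] = time.sleep,
                 link_up_wait: float = 10.0, link_down_wait: float = 5.0) -> None:
        self.host, self.community = host, community
        self.ports = list(ports)
        self.run, self.sleep = run, sleep
        self.link_up_wait, self.link_down_wait = link_up_wait, link_down_wait

    def _set_admin(self, port: int, status: int) -> None:
        self.run(["snmpset", "-v2c", "-c", self.community, self.host,
                  f"{IF_ADMIN_STATUS}.{port}", "i", str(status)])

    def oper_status(self, port: int) -> int:
        out = self.run(["snmpget", "-v2c", "-c", self.community, "-Oqve",
                        self.host, f"{IF_OPER_STATUS}.{port}"])
        return parse_status(out)

    def others_down(self, port: int) -> bool:
        """The invariant: no other PLC port may be up while `port` is opened."""
        return all(self.oper_status(p) != UP for p in self.ports if p != port)

    def clear_arp(self) -> None:
        # The cached MAC for 192.168.0.2 belongs to the previous PLC; drop it.
        self.run(["arp", "-d", PLC_IP], check=False)

    def poll(self, read_plc: Callable[[int], object]) -> Dict[int, object]:
        """Raise each port in turn, read, shut it, and refuse to proceed if
        the switch ever reports a second PLC port up."""
        results: Dict[int, object] = {}
        for port in self.ports:
            if not self.others_down(port):
                raise RuntimeError(f"refusing to open port {port}: another PLC port is up")
            self._set_admin(port, UP)
            self.sleep(self.link_up_wait)
            try:
                results[port] = read_plc(port)
            finally:
                self._set_admin(port, DOWN)
                self.sleep(self.link_down_wait)
                self.clear_arp()
            if self.oper_status(port) == UP:
                raise RuntimeError(f"port {port} still up after shutdown; stopping")
        return results


if __name__ == "__main__":
    # Placeholder switch address and community; replace before use.
    mux = PortMux("192.0.2.10", "COMMUNITY-PLACEHOLDER", range(1, 31))
    print(mux.poll(lambda p: f"(placeholder: telemetry read of PLC on port {p})"))
```

                            The check before each enable is what turns the "don't do that" in the security note into something the script enforces rather than something the operator has to remember; if any other PLC port shows up(1), the run stops without touching the switch.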
                              JKnott @gbitglenn

                              @gbitglenn

                              You can set up static ARP in DHCP static mappings. This way, instead of doing an ARP for the MAC address, it's already there. When an incoming packet is looking for the device, the static ARP MAC will be used. I had to use static ARP a few years ago to set up some security cameras. It was either that or the configuration app, and static ARP worked better.
                              Give it a try and see what happens. You will still need to use port forwarding as usual, behind NAT.


                                johnpoz LAYER 8 Global Moderator @JKnott

                                @jknott @bingo600 You are both not getting it - clearly it's a major safety concern to allow any sort of remote access other than the panel that is connected to it on an isolated network..

                                Your workarounds will most likely get someone killed.. ;)


                                  bingo600 @johnpoz

                                  @johnpoz said in Routing multiple LAN clients that have same IP:

                                  @jknott @bingo600 You are both not getting it - clearly it's a major safety concern to allow any sort of remote access other than the panel that is connected to it on an isolated network..

                                  Your workarounds will most likely get someone killed.. ;)

                                  If any sort of remote access is a major safety issue:
                                  Then the solution is easy.....

                                  DON'T do it

                                  And I did mention one of the possible hazards in my post.


                                    ljr

                                    I work in such a plant. We walk around with a laptop to read off PLCs instead of onlining equipment that's been air gapped for a reason.

                                      gbitglenn @ljr

                                      @ljr I wasn't giving all the details of what we're doing, so I can see why some are thinking I should back off because of the safety claim. There is no safety issue if done right. We're not talking about putting these on the network in such a way where people can get into them. It's just a closed network so a telemetry kit can read PLC states only.

                                      My workarounds aren't going to get anyone killed. It's uncooperative devs I need to get around - not safety or security. They could easily code around this. This is not an intentional air gap. Safety and security are always on my mind when doing things.

                                      This is just so a telemetry kit running on one server can read off the PLCs. The entire network or anything else cannot get into them. This is done all day long in a lot of other places with this software. The problem here is the proprietary HMI software.

                                        johnpoz LAYER 8 Global Moderator @gbitglenn

                                        @gbitglenn My "get someone killed" was meant as a joke ;) hehe

                                        Use different software then.. Or hire different developers.. I agree with you.. all that is needed is the ability to set a different IP, and it becomes easy with a source NAT on pfSense. The device doesn't even need a gateway then.

                                        If the device would answer when you set a static ARP, that could be a workaround as well. A pain in the ass to set up if you have 30 of them.. But as mentioned by @JKnott you could try the static ARP thing.. and just use a different IP - 192.168.1.2, 192.168.2.2, 192.168.3.2 for them, etc. - on the different L2 they are connected to.


                                          Patch @gbitglenn

                                          @gbitglenn
                                          What about

                                          • 30 VMs all running pfSense with NAT and port forward configured.
                                          • LAN port on each pfSense VM connected to a unique VLAN from each VM to one PLC (trunk from hypervisor to layer 2 switch).
                                          • WAN port of each PLC pfSense VM bridged in the hypervisor and connected to your test LAN.
                                            JKnott @Patch

                                            @patch said in Routing multiple LAN clients that have same IP:

                                            30 VMs all running pfSense with NAT and port forward configured.

                                            Ouch!!!

                                            That's a heck of a lot of effort, when static ARP might work.


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.