Routing multiple LAN clients that have same IP
-
@johnpoz lol, love it!
-
@jknott I haven't actually. Note this would be just for inbound traffic to the PLCs. So perhaps this along with @michmoor's above suggestion of using ports would work. But now it's getting into a complex level of networking I haven't had to think about in years and don't really remember. Perhaps something on the managed switch can be set up as well.
So basically what I'm saying is sure I'll try anything at this point but I may need a little more handholding for that.
-
@gbitglenn sounds to me like lazy is all. But sure, ok - not exactly sure what these PLCs control - but sure, guess there could be safety or even security concerns when you network something vs just local access/control.
So no matter how you allow for remote access/control - be it NATing or changing the IPs or routers - it would clearly be a safety issue if remote access is the safety problem.
Guess the matter is closed: if the developers say they cannot provide remote access for safety reasons, then no matter how you came up with a way around their nonsense you would be unsafe.
-
@gbitglenn said in Routing multiple LAN clients that have same IP:
We just need to read data off the PLC's - they don't need outbound.
If it's an occasional "read off", aka. emptying a log or so ....
You could do a "kludge" ..... Effectively you are making a 1:30 Selectable Network Mux.
Get a cheap 48-port switch that is SNMP controllable.
Shutdown the first 30 ports.
Connect the 30 x PLC to switch - port 1..30.
FOR X = 1 to 30
LOOP:
SNMP enable switch port X, wait 10 sec for link establishment.
Read out the desired PLC data, from (via) a MGMT-PC
SNMP disable switch port X, wait 5 sec for port shutdown
X = X + 1
END
You might have to "Clear ARP for 192.168.0.2" on the MGMT-PC, after port shutdown, in the loop.
And it would be desirable to have dual netcards in the MGMT-PC , one for the PLC-LAN , and one for the "Mgmt/Corp Control lan"
Not an "Online" solution , but a "Batch" solution ....
Might be better than maintaining 30 "NAT routers".
Security Note:
If two (or more) ports on the switch are open at the same time ....
HMI-1 might see data from PLC-2, or the other way around ...
As you now have "duplicate IPs" on the switch VLAN.
Prob both HMI & PLC dups.
Don't do that
/Bingo
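The one-port-at-a-time loop sketched in the post above, written out as an added example (not code from the thread or from any switch vendor). Each port is enabled by setting IF-MIB::ifAdminStatus over SNMP, the PLC behind it is read, and the port is disabled again before the next one comes up, so two devices answering to 192.168.0.2 are never live on the VLAN at once; the port is brought down in a `finally` so a failed read cannot leave it enabled. The `snmpset` command line assumes net-snmp on the management PC; the switch address, community string and port list are constructed placeholders, and `SimulatedSwitch` exists only so the loop can be exercised offline.

```python
"""Batch 'network mux' reader for PLCs that all share 192.168.0.2."""
import subprocess
import time

IF_ADMIN_STATUS = "1.3.6.1.2.1.2.2.1.7"  # IF-MIB::ifAdminStatus.<ifIndex>
UP, DOWN = 1, 2                           # ifAdminStatus values up(1), down(2)
PLC_IP = "192.168.0.2"                    # the address every PLC is hard-coded to


class NetSnmpSwitch:
    """Real switch, driven through net-snmp's snmpset (assumed installed)."""

    def __init__(self, host, community):
        self.host, self.community = host, community

    def set_port(self, ifindex, state):
        subprocess.run(
            ["snmpset", "-v2c", "-c", self.community, self.host,
             f"{IF_ADMIN_STATUS}.{ifindex}", "i", str(state)],
            check=True,
        )


class SimulatedSwitch:
    """Offline stand-in that records admin state, so the loop can be tested
    without hardware and the 'never two ports up' property can be checked."""

    def __init__(self, ifindexes):
        self.state = {i: DOWN for i in ifindexes}
        self.max_up_at_once = 0

    def set_port(self, ifindex, state):
        self.state[ifindex] = state
        self.max_up_at_once = max(self.max_up_at_once, len(self.up_ports()))

    def up_ports(self):
        return sorted(i for i, s in self.state.items() if s == UP)


def clear_arp_entry(ip=PLC_IP):
    """Drop the stale ARP entry for the shared PLC address on the management PC
    (arp -d works on Linux, FreeBSD and Windows)."""
    subprocess.run(["arp", "-d", ip], check=False)


def read_all_plcs(switch, ifindexes, read_plc, clear_arp=clear_arp_entry,
                  link_wait=10, down_wait=5, sleep=time.sleep):
    """Enable each port in turn, read the PLC behind it, disable the port.

    read_plc(ifindex) is the caller's protocol-specific read (Modbus, vendor
    API, ...). The port is always brought down again in `finally`, so a
    failed read cannot leave a port enabled when the next one comes up.
    """
    results = {}
    for ifindex in ifindexes:
        switch.set_port(ifindex, UP)
        try:
            sleep(link_wait)              # wait for link establishment
            results[ifindex] = read_plc(ifindex)
        finally:
            switch.set_port(ifindex, DOWN)
            sleep(down_wait)              # wait for port shutdown
            clear_arp()                   # next PLC has the same IP, new MAC
    return results


if __name__ == "__main__":
    # Dry run against the simulator; for the real loop swap in
    # NetSnmpSwitch("<switch-ip placeholder>", "<community placeholder>")
    # and a real read_plc.
    sim = SimulatedSwitch(range(1, 31))
    data = read_all_plcs(sim, range(1, 31), read_plc=lambda i: f"plc{i}-ok",
                         clear_arp=lambda: None, sleep=lambda s: None)
    print(len(data), "PLCs read; max ports up at once:", sim.max_up_at_once)
```

The `sleep` and `clear_arp` hooks are injected only so the loop can be run without waiting or touching the host ARP table; in production leave the defaults in place.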
-
You can set up static arp in DHCP static mappings. This way, instead of doing an arp for the MAC address, it's already there. When an incoming packet is looking for the device, the static arp MAC will be used. I had to use static arp a few years ago, to set up some security cameras. It was either that or the configuration app and static arp worked better.
Give it a try and see what happens. You will still need to use port forwarding as usual, behind NAT.
-
@johnpoz said in Routing multiple LAN clients that have same IP:
@jknott @bingo600 you are both not getting it - clearly it's a major safety concern to allow any sort of remote access other than the panel that is connected to it on an isolated network..
Your workarounds will most likely get someone killed.. ;)
If any sort of remote access is a major safety issue:
Then the solution is easy.....DON'T do it
And I did mention one of the possible hazards in my post.
-
I work in such a plant. We walk around with a laptop to read off PLCs instead of onlining equipment that's been air gapped for a reason.
-
@ljr I wasn't giving all the details of what we're doing, so I can see why some are thinking I should back off because of the safety claim. There is no safety issue if done right. We're not talking about putting these on the network in such a way where people can get into them. It's just a closed network so a telemetry kit can read PLC states only.
My workarounds aren't going to get anyone killed. It's uncooperative devs I need to get around - not safety or security. They could easily code around this. This is not an intentional air gap. Safety and security are always on my mind when doing things.
This is just so a telemetry kit running on one server can read off the PLCs. The entire network or anything else cannot get into them. This is done all day long in a lot of other places with this software. The problem here is the proprietary HMI software.
-
@gbitglenn my get someone killed was meant as a joke ;) hehe
Use different software then.. Or hire different developers.. I agree with you.. all that is needed is ability to set a different IP, and it becomes easy with a source nat on pfsense. The device doesn't even need a gateway then.
If the device would answer when you set a static ARP, that could be a workaround as well. A pain in the ass to set up if you have 30 of them.. But as mentioned by @JKnott you could try the static ARP thing.. and just use a different IP 192.168.1.2, 192.168.2.2, 192.168.3.2 for them, etc. on the different L2s they are connected to.
-
@gbitglenn
What about 30 VMs all running pfSense with NAT and port forward configured.
- LAN port on each pfsense VM connected to a unique VLAN from each VM to one PLC (trunk from hypervisor to level 2 switch)
- WAN port of each PLC pfsense VM bridged in the hypervisor and connected your test LAN
-
@patch said in Routing multiple LAN clients that have same IP:
30 VM all running pfsense with NAT and port forward configured.
Ouch!!!
That's a heck of a lot of effort, when static ARP might work.
-
@jknott no it won't. Same IP, different MACs.
-
@michmoor I don't think you got what he is suggesting..
Create a network on pfSense, say 192.168.100.1/24, then create a static ARP on pfSense that says the MAC of plc1 on this L2 network is on 192.168.100.2 even though the PLC IP is 192.168.0.2
Now repeat on 192.168.101.1/24: create a static ARP for 192.168.101.2 for whatever the MAC is for plc2
Rinse and repeat your 30 times ;)
You would have to test if creating a static ARP pointing to a different IP for the PLC MAC will work - it can, but it also depends on what the network stack on the PLC is doing.
I had done that in the past to talk to a UPS to get it set up when I didn't know what IP it was set to, but the card for the UPS listed its MAC address. Have not tried doing such a thing in years and years.. But was going to test it with, say, my printer when I get a chance. And I don't recall all the details of when I did that - might have only been doing that to find the IP - it was many years ago.
If that works and your PLC answers, you could do an outbound NAT on each interface that NATs traffic to the pfSense interface.. So then you could talk to, say, 192.168.100.2 from anywhere and the PLC would think 192.168.100.1 is talking to it, etc.
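The static-ARP-plus-outbound-NAT layout that JKnott raised earlier and johnpoz spells out above, as an added example (not code from the thread or from pfSense). Every PLC keeps its hard-coded 192.168.0.2 but sits on its own L2 segment behind its own pfSense interface; on that interface pfSense gets 192.168.10X.1, a static ARP entry maps 192.168.10X.2 to the PLC's MAC, and an outbound NAT rule rewrites the client's source to the interface address, so the PLC only ever sees its directly attached neighbour. The generator emits FreeBSD `arp -S` and pf `nat` lines, which is what pfSense runs underneath; interface names, VLAN ids and MACs are constructed, and `deliver()` is a plain model of the resulting frame, including the caveat from the thread that the PLC must answer for an address it does not own.

```python
"""Per-PLC static ARP + outbound NAT plan for N PLCs that all use 192.168.0.2."""
import ipaddress
from dataclasses import dataclass

PLC_REAL_IP = ipaddress.ip_address("192.168.0.2")  # what every PLC is set to


@dataclass(frozen=True)
class PlcPlan:
    ifname: str                          # pfSense interface carrying this PLC's L2
    mac: str                             # PLC MAC, read off its label (constructed)
    pfsense_ip: ipaddress.IPv4Address    # e.g. 192.168.100.1
    overlay_ip: ipaddress.IPv4Address    # what clients dial, e.g. 192.168.100.2


def build_plan(macs, parent_if="igb1", first_vlan=100):
    """One /24, one VLAN and one overlay address per PLC: 'rinse and repeat'."""
    plans = []
    for n, mac in enumerate(macs):
        vlan = first_vlan + n
        net = ipaddress.ip_network(f"192.168.{vlan}.0/24")
        plans.append(PlcPlan(
            ifname=f"{parent_if}.{vlan}",       # FreeBSD VLAN sub-interface name
            mac=mac.lower(),
            pfsense_ip=net.network_address + 1,
            overlay_ip=net.network_address + 2,
        ))
    return plans


def static_arp_cmd(p):
    """Static ARP entry: which MAC answers for the overlay address on this L2."""
    return f"arp -S {p.overlay_ip} {p.mac}"


def outbound_nat_rule(p):
    """Outbound NAT on the PLC interface: client source becomes the interface IP."""
    return f"nat on {p.ifname} from any to {p.overlay_ip} -> ({p.ifname})"


def deliver(plans, dst_ip):
    """Model of the frame on the PLC's wire for a client packet to dst_ip.

    The IP destination is NOT rewritten by this layout, so the PLC receives a
    packet for an address it does not own; whether its stack answers is the
    part the thread says has to be tested per device.
    """
    dst = ipaddress.ip_address(dst_ip)
    for p in plans:
        if dst == p.overlay_ip:
            return {
                "ifname": p.ifname,
                "dst_mac": p.mac,                 # from the static ARP entry
                "src_ip": str(p.pfsense_ip),      # after outbound NAT
                "dst_ip": str(dst),
                "plc_owns_dst": dst == PLC_REAL_IP,
            }
    return None                                   # no overlay address matches


if __name__ == "__main__":
    # Thirty constructed MACs; real ones come off the PLC labels.
    macs = [f"00:11:22:33:44:{n:02x}" for n in range(1, 31)]
    for p in build_plan(macs):
        print(static_arp_cmd(p))
        print(outbound_nat_rule(p))
```

Running it prints the 60 lines (one ARP entry and one NAT rule per PLC) that would otherwise be typed into the pfSense GUI thirty times; the `deliver()` result for an overlay address shows the PLC's MAC as the frame destination and the interface address as the packet source, with `plc_owns_dst` false, which is exactly the condition the thread says must be tested.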
-
@johnpoz Ahh ok. Geez this is overly complicated but I understand a bit more.
When you have no choice this is the solution :)
Thanks for clarifying.
-