Netgate Discussion Forum

Routing multiple LAN clients that have same IP

L2/Switching/VLANs
32 Posts 10 Posters 1.4k Views
  • G
    gbitglenn
    last edited by Dec 9, 2022, 8:11 PM

    I have a weird situation where there are 30 pieces of industrial equipment that have their internal controllers (PLCs, for those who care) hard-set to all have the same IP address (192.168.0.2). Yes, this is a stupid design and I cannot change it.

    They want to be able to access all those PLCs from the network. That means I need to connect them to the network; however, since they all have the same IP address, well, that won't work.

    My thought was to create 30 VLANs, one for each switch port these will be connected to, and give each VLAN interface the IP address 192.168.0.1. Then NAT each VLAN to the LAN subnet 10.10.0.0/16.

    But naturally, I can't seem to have the same IP for different VLANs, even though I thought the point of a VLAN was separation.

    Any ideas? Thanks!

    • B
      Bob.Dig LAYER 8 @gbitglenn
      last edited by Dec 9, 2022, 9:04 PM

      @gbitglenn This can't be done with pfSense.

      • V
        viragomann @gbitglenn
        last edited by Dec 9, 2022, 9:07 PM

        @gbitglenn
        There is no way to connect these devices to a single router. Routing will not be possible.

        You can put an additional router in front of each and NAT the IP address on them. This could be done with VMs, but it might take some work.

        • G
          gbitglenn @viragomann
          last edited by Dec 9, 2022, 9:39 PM

          @viragomann Yea, I was really hoping to avoid having 30 routers, so this sucks. In theory this should work with VLANs; is this just a pfSense limitation?

          • J
            Jarhead @gbitglenn
            last edited by Dec 9, 2022, 9:44 PM

            @gbitglenn said in Routing multiple LAN clients that have same IP:

            @viragomann Yea, I was really hoping to avoid having 30 routers, so this sucks. In theory this should work with VLANs; is this just a pfSense limitation?

            How would that work with VLANs??
            Every VLAN would be the same address.
            The only way is with routers and NAT, as said.

            • V
              viragomann @gbitglenn
              last edited by Dec 9, 2022, 9:48 PM

              @gbitglenn
              I cannot imagine that any other router is capable of handling this. Even if you do NAT, the OS has to access the devices' IPs in the end. And how should this work if there are 30 equal ones?

              • M
                michmoor LAYER 8 Rebel Alliance
                last edited by michmoor Dec 9, 2022, 9:52 PM Dec 9, 2022, 9:51 PM

                Maaaaybe this could be done by having each IP use a static source port and STATIC NAT that.
                192.168.0.2:6441
                192.168.0.2:6442

                But then the challenge is ARP. The MAC address and IP will look like it’s flapping as it’s known across different ports. Communication would fail.

                Maybe a combination of VRFs and Virtual Switching…

                Either way, this design fault is something pfSense can't work around.

                Firewall: NetGate,Palo Alto-VM,Juniper SRX
                Routing: Juniper, Arista, Cisco
                Switching: Juniper, Arista, Cisco
                Wireless: Unifi, Aruba IAP
                JNCIP,CCNP Enterprise

                • G
                  gbitglenn @viragomann
                  last edited by Dec 9, 2022, 10:51 PM

                  @viragomann I was envisioning having 30 separate virtual LANs that NAT to the actual network. Like having 30 actual separate LANs (routers) but virtual. Each VLAN can be its own IP in PFSense. VLAN 3 could be 192.168.0.103, VLAN4 could be 192.168.0.104 etc. Each port on the switch would be tagged to each VLAN, and the PLC device connected to that port would gateway to that VLAN's IP.

                  EG:

                  PLC 1 IP: 192.168.0.2 VLAN3 GW 0.103
                  - VLAN3 on PFSense NAT to local 10.10.0/16 LAN.
                  PLC 2 IP: 192.168.0.2 VLAN4 GW 0.104
                  - VLAN4 on PFSense NAT to local 10.10.0/16 LAN

                  • J
                    Jarhead @gbitglenn
                    last edited by Jarhead Dec 10, 2022, 12:12 AM Dec 10, 2022, 12:11 AM

                    @gbitglenn All devices are .2.
                    If you use multiple vlans they would have to be different networks, so having .103 as the gateway for .2 would require a /24 or /25.
                    You would still end up with them being on the same network.

                    • J
                      johnpoz LAYER 8 Global Moderator @gbitglenn
                      last edited by johnpoz Dec 10, 2022, 12:29 AM Dec 10, 2022, 12:25 AM

                      @gbitglenn said in Routing multiple LAN clients that have same IP:

                      hard-set to all have the same IP address. (192.168.0.2)

                      Get with the maker of said PLC and ask them how to change it.. Defaulting a device to a specific IP is fine - but no possible way to change it would just be completely, utterly moronic!

                      How would a customer ever have more than 1 of these plcs if they all had the same IP?

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                      • M
                        michmoor LAYER 8 Rebel Alliance
                        last edited by michmoor Dec 10, 2022, 12:43 AM Dec 10, 2022, 12:40 AM

                        To be honest, this is a solution for BGP/EVPN with VXLAN.
                        But that's not in scope here.

                        Firewall: NetGate,Palo Alto-VM,Juniper SRX
                        Routing: Juniper, Arista, Cisco
                        Switching: Juniper, Arista, Cisco
                        Wireless: Unifi, Aruba IAP
                        JNCIP,CCNP Enterprise

                        • G
                          gbitglenn @johnpoz
                          last edited by Dec 10, 2022, 12:55 AM

                          @johnpoz Politics. It's not the PLC vendor it's the custom software running on the PLC, that runs the plant. It's all the same software they just load on all the machines - and the IP is hardcoded since they didn't expect anyone to want to get into them over the network.

                          The fact is they just can't be bothered to build into their code usage of a local config file on each of the machine's panels that will contain specific settings for each machine. And with that, a screen to allow IP configuration.

                          So yea, it is moronic. I'm trying to come up with an IT solution to get around bonehead developers in another branch of the company I have no say over. Their answer is to just go buy 30+ routers.

                          • J
                            johnpoz LAYER 8 Global Moderator @gbitglenn
                            last edited by johnpoz Dec 10, 2022, 1:53 AM Dec 10, 2022, 1:52 AM

                            @gbitglenn How is that cost effective for a simple code change - if they set an IP on them, clearly they thought that it needs to talk on a network.. If you can write the code to give it a 192.168.0.2 address, then you can easily edit the code to put a different IP on it.

                            30 routers is not a solution - it's a hack to a stupid, moronic, thoughtless idiot that would think, oh let me put an IP on this so we can talk to it over a network, but not allow for changing the IP.. gateway, mask, etc.

                            can't be bothered to build into their code usage

                            Is normally fixed with some sort of incentive, be it cash or - guess we won't be using your software any more, etc.

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                            • J
                              JKnott @gbitglenn
                              last edited by Dec 10, 2022, 2:40 AM

                              @gbitglenn said in Routing multiple LAN clients that have same IP:

                              Any ideas?

                              Have you considered static ARP? That way you could assign a device whatever address you want, regardless of what it's configured for.

                              PfSense running on Qotom mini PC
                              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                              UniFi AC-Lite access point

                              I haven't lost my mind. It's around here...somewhere...

                              • G
                                gbitglenn
                                last edited by gbitglenn Dec 10, 2022, 7:20 PM Dec 10, 2022, 7:17 PM

                                @johnpoz The problem is the developers are the ones who are in charge of the coding that controls all the machines across all branches - and there are a couple of hundred of said machines. The internal IPs are there for the PLC to communicate with the HMI (the human interface panel).

                                They don't want to make the change and to avoid doing it they've convinced Sr. Management it's due to safety reasons. (Not security - safety). It's just not going to happen. Again, all politics. They don't want to do it and came up with an excuse containing a scary word so Management would be on their side.

                                We just need to read data off the PLCs - they don't need outbound.

                                Oh well. I was really hoping to stick it to them.

                                • J
                                  johnpoz LAYER 8 Global Moderator @gbitglenn
                                  last edited by Dec 10, 2022, 7:22 PM

                                  @gbitglenn Well clearly then their suggested 30 router method would create a safety problem.. And cannot be used either - you can only access the PLC via the panel..

                                  Guess you're off the hook for providing remote access as well - or someone could get hurt or die, etc. Since it's such a safety issue..

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                  • G
                                    gbitglenn @johnpoz
                                    last edited by Dec 10, 2022, 7:22 PM

                                    @johnpoz lol, love it!

                                    • G
                                      gbitglenn @JKnott
                                      last edited by Dec 10, 2022, 7:25 PM

                                      @jknott I haven't, actually. Note this would be just for inbound traffic to the PLCs. So perhaps this, along with @michmoor's above suggestion of using ports, would work. But now it's getting into a complex level of networking I haven't had to think about in years and don't really remember. Perhaps something on the managed switch can be set up as well.

                                      So basically what I'm saying is sure I'll try anything at this point but I may need a little more handholding for that.

                                      • B
                                        Bob.Dig LAYER 8
                                        last edited by Bob.Dig Dec 10, 2022, 7:35 PM Dec 10, 2022, 7:29 PM

                                        It should be possible with a router supporting VRF but not this one.

                                        MikroTik RouterOS should do.

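The following is an added illustration, constructed for this page; it is not code from the thread, from pfSense or from any router. It models the point running through gbitglenn's VLAN-per-PLC design, Jarhead's objection that .103 and .2 sit in the same /24, and Bob.Dig's VRF suggestion: a single routing table can hold only one next hop per prefix, so thirty VLAN interfaces in 192.168.0.0/24 collide at the first duplicate, whereas one table per VLAN (a VRF) plus a 1:1 NAT to a distinct LAN address per VLAN keeps thirty identical 192.168.0.2 hosts apart. The mapping of VLAN N to 10.10.0.(100+N), the VRF names, and a 192.168.0.1/24 gateway in every VRF are assumptions of the example, not something the thread specifies.

```python
"""Constructed model (not pfSense code) of two designs from the thread:
one routing table holding 30 copies of 192.168.0.0/24, versus one VRF per
VLAN, each published on the 10.10.0.0/16 LAN through a 1:1 NAT address."""
import ipaddress
from dataclasses import dataclass, field

IPv4 = ipaddress.IPv4Address
PLC_IP = ipaddress.ip_address("192.168.0.2")  # every PLC is hard-set to this (from the thread)


class RouteConflict(Exception):
    """Raised when two interfaces claim the same connected prefix in one table."""


@dataclass
class RoutingTable:
    # connected prefix -> egress interface; a forwarding table holds one next hop per prefix
    routes: dict = field(default_factory=dict)

    def add_connected(self, iface: str, addr_with_prefix: str) -> None:
        net = ipaddress.ip_interface(addr_with_prefix).network
        if net in self.routes and self.routes[net] != iface:
            raise RouteConflict(f"{net} already reached via {self.routes[net]}; cannot add {iface}")
        self.routes[net] = iface

    def lookup(self, dst: IPv4):
        # longest-prefix match, as any IP forwarder does
        best = None
        for net, iface in self.routes.items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None


def single_table_attempt(n_vlans: int) -> str:
    """The first idea from the thread: 30 VLAN interfaces, all in 192.168.0.0/24, one table."""
    table = RoutingTable()
    try:
        for vid in range(3, 3 + n_vlans):
            # .103, .104, ... are still inside the same /24 as the PLCs' .2 (Jarhead's objection)
            table.add_connected(f"vlan{vid}", f"192.168.0.{100 + vid}/24")
    except RouteConflict as exc:
        return f"conflict: {exc}"
    return "ok"


@dataclass
class VrfRouter:
    vrfs: dict = field(default_factory=dict)  # vrf name -> RoutingTable
    nat: dict = field(default_factory=dict)   # LAN-side address -> (vrf name, inside address)


def build_vrf_router(n_plcs: int) -> VrfRouter:
    """One VRF per PLC VLAN. Assumed addressing: VLAN N is reached as 10.10.0.(100+N) from the LAN."""
    router = VrfRouter()
    lan = RoutingTable()
    lan.add_connected("lan", "10.10.0.1/16")
    router.vrfs["lan"] = lan
    for vid in range(3, 3 + n_plcs):
        vrf = RoutingTable()
        # the same 192.168.0.1/24 in every VRF is legal: each VRF is its own table
        vrf.add_connected(f"vlan{vid}", "192.168.0.1/24")
        router.vrfs[f"vrf{vid}"] = vrf
        router.nat[ipaddress.ip_address(f"10.10.0.{100 + vid}")] = (f"vrf{vid}", PLC_IP)
    return router


def forward_from_lan(router: VrfRouter, dst: str):
    """Inbound: a LAN host sends to e.g. 10.10.0.103.
    Returns (vrf, egress interface, translated destination), or None if the address is not published."""
    entry = router.nat.get(ipaddress.ip_address(dst))
    if entry is None:
        return None  # only the published 1:1 addresses reach a PLC; anything else is dropped
    vrf_name, inside = entry
    egress = router.vrfs[vrf_name].lookup(inside)
    return vrf_name, egress, str(inside)


def reply_from_plc(router: VrfRouter, ingress_vrf: str, src: str):
    """Reply: the PLC in vrfN answers from 192.168.0.2. The source is rewritten from the
    ingress VRF, so thirty identical sources stay distinguishable on the LAN."""
    for lan_addr, (vrf_name, inside) in router.nat.items():
        if vrf_name == ingress_vrf and str(inside) == src:
            return str(lan_addr)
    return None


if __name__ == "__main__":
    print(single_table_attempt(30))
    r = build_vrf_router(30)
    print(forward_from_lan(r, "10.10.0.103"))      # ('vrf3', 'vlan3', '192.168.0.2')
    print(forward_from_lan(r, "10.10.0.104"))      # ('vrf4', 'vlan4', '192.168.0.2')
    print(reply_from_plc(r, "vrf4", "192.168.0.2"))  # 10.10.0.104
```

Two things the model makes visible: the conflict in the single-table case is raised on the second VLAN, not the thirtieth, because every 192.168.0.x/24 address reduces to the same 192.168.0.0/24 prefix; and in the VRF design the per-VLAN table is what disambiguates the reply path, not the NAT alone. Because neighbour (ARP) resolution happens per interface, each VRF also keeps its own 192.168.0.2 entry, so the MAC/IP flapping michmoor described does not arise there. The NAT table is also the only surface exposing the PLCs to the LAN, which fits gbitglenn's requirement that only inbound reads are needed.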
                                        • J
                                          johnpoz LAYER 8 Global Moderator @gbitglenn
                                          last edited by Dec 10, 2022, 7:30 PM

                                          @gbitglenn sounds to me like lazy is all. But sure ok - Not exactly sure what these plcs control - but sure guess there could be safety or even security concerns when you network something vs just local access/control

                                          So no matter how you allow for remote access/control - be it natting or changing the IPs or routers would clearly be a safety issue if remote access is the safety problem.

                                          Guess the matter is closed, if the developers say they cannot provide remote access for safety reasons - then no matter how you came up with a way around their nonsense you would be unsafe.

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.