    Routing multiple LAN clients that have same IP

    L2/Switching/VLANs
    32 Posts 10 Posters 1.7k Views
    • johnpoz LAYER 8 Global Moderator @JKnott

      @jknott @bingo600 you are both not getting it - clearly it's a major safety concern to allow any sort of remote access other than the panel that is connected to it on an isolated network..

      Your workarounds will most likely get someone killed.. ;)

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • bingo600 @johnpoz

        @johnpoz said in Routing multiple LAN clients that have same IP:

        @jknott @bingo600 you are both not getting it - clearly it's a major safety concern to allow any sort of remote access other than the panel that is connected to it on an isolated network..

        Your workarounds will most likely get someone killed.. ;)

        If any sort of remote access is a major safety issue:
        Then the solution is easy.....

        DON'T do it

        And I did mention one of the possible hazards in my post.

        If you find my answer useful - Please give the post a 👍 - "thumbs up"

        pfSense+ 23.05.1 (ZFS)

        QOTOM-Q355G4 Quad Lan.
        CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
        LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

        • ljr

          I work in such a plant. We walk around with a laptop to read off PLCs instead of onlining equipment that's been air gapped for a reason.

          • gbitglenn @ljr

            @ljr I wasn't giving all the details of what we're doing, so I can see why some are thinking I should back off because of the safety claim. There is no safety issue if done right. We're not talking about putting these on the network in such a way where people can get into them. It's just a closed network so a telemetry kit can read PLC states only.

            My workarounds aren't going to get anyone killed. It's uncooperative devs I need to get around - not safety or security. They could easily code around this. This is not an intentional air gap. Safety and security are always on my mind when doing things.

            This is just so a telemetry kit running on one server can read off the PLCs. The entire network or anything else cannot get into them. This is done all day long in a lot of other places with this software. The problem here is the proprietary HMI software.

            • johnpoz LAYER 8 Global Moderator @gbitglenn

              @gbitglenn my "get someone killed" was meant as a joke ;) hehe

              Use different software then.. Or hire different developers.. I agree with you.. all that is needed is the ability to set a different IP, and it becomes easy with a source NAT on pfsense. The device doesn't even need a gateway then.

              If the device would answer when you set a static ARP, that could be a workaround as well. A pain in the ass to set up if you have 30 of them.. But as mentioned by @JKnott you could try the static ARP thing.. and just use a different IP 192.168.1.2, 192.168.2.2, 192.168.3.2 for them, etc. on the different L2s they are connected to.

              • Patch @gbitglenn

                @gbitglenn
                What about

                • 30 VMs all running pfsense with NAT and port forward configured.
                • LAN port on each pfsense VM connected to a unique VLAN from each VM to one PLC (trunk from hypervisor to level 2 switch)
                • WAN port of each PLC pfsense VM bridged in the hypervisor and connected to your test LAN

                • JKnott @Patch

                  @patch said in Routing multiple LAN clients that have same IP:

                  30 VMs all running pfsense with NAT and port forward configured.

                  Ouch!!!

                  That's a heck of a lot of effort, when static ARP might work.

                  PfSense running on Qotom mini PC
                  i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                  UniFi AC-Lite access point

                  I haven't lost my mind. It's around here...somewhere...

                  • michmoor LAYER 8 Rebel Alliance @JKnott

                    @jknott no it won't. Same IP, different MACs.

                    Firewall: NetGate,Palo Alto-VM,Juniper SRX
                    Routing: Juniper, Arista, Cisco
                    Switching: Juniper, Arista, Cisco
                    Wireless: Unifi, Aruba IAP
                    JNCIP,CCNP Enterprise

                    • johnpoz LAYER 8 Global Moderator @michmoor

                      @michmoor I don't think you got what he is suggesting..

                      Create a network on pfsense, say 192.168.100.1/24, then create a static arp on pfsense that says the mac of plc1 on this L2 network is on 192.168.100.2 even though the plc IP is 192.168.0.2

                      Now repeat on 192.168.101.1/24: create a static arp for 192.168.101.2 for whatever the mac is for plc2

                      Rinse and repeat 30 times ;)

                      You would have to test if creating a static arp pointing to a different IP for the plc mac will work - it can, but it also depends on what the network stack on the plc is doing.

                      I had done that in the past to talk to a UPS to get it set up when I didn't know what IP it was set to, but the card for the UPS listed its mac address. Have not tried doing such a thing in years and years.. But was going to test it with say my printer when I get a chance. And I don't recall all the details of when I did that - might have only been doing that to find the IP - it was many years ago.

                      If that works and your plc answers, you could do an outbound nat on each interface that nats traffic to the pfsense interface.. So then you could talk to say 192.168.100.2 from anywhere and the plc would think 192.168.100.1 is talking to it, etc.

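The static ARP plus outbound NAT layout johnpoz describes above, written out as an added example (this is not code from the thread, from pfSense or from Netgate): a POSIX shell generator that, for each PLC in a constructed inventory, emits the FreeBSD `ifconfig` and `arp -S` commands and the pf `nat on` rule for that PLC's segment. The interface names `vlan100`..`vlan102` and the MAC addresses are placeholders, and the third octet of each /24 is assumed to follow the VLAN number. Whether the PLC actually answers to the alias address depends on its IP stack, exactly as the post says, so the output for one device is worth testing before generating thirty.

```shell
#!/bin/sh
# Added example, not code from the thread: generate the per-segment static ARP
# entries and pf outbound NAT rules for N identical PLCs (all configured as
# 192.168.0.2), one per isolated L2 segment behind pfSense.
# Interface names and MACs below are constructed placeholders; 'arp -S' and
# 'nat on ... -> (if)' are FreeBSD arp(8) and pf.conf(5) syntax.

# Constructed inventory: "<vlan interface> <PLC MAC>", one PLC per VLAN.
PLC_INVENTORY='vlan100 00:11:22:33:44:01
vlan101 00:11:22:33:44:02
vlan102 00:11:22:33:44:03'

# Map an interface name such as vlan100 to the /24 it carries: 192.168.100.x
subnet_prefix() {
    printf '192.168.%s' "${1#vlan}"
}

# Address on the pfSense side of the segment (the only source the PLC will see).
if_addr() {
    printf '%s.1' "$(subnet_prefix "$1")"
}

# Alias under which the rest of the network reaches this particular PLC.
plc_alias() {
    printf '%s.2' "$(subnet_prefix "$1")"
}

# ifconfig line assigning the per-segment address to the VLAN interface.
ifconfig_cmd() {
    printf 'ifconfig %s inet %s/24\n' "$1" "$(if_addr "$1")"
}

# Static ARP entry: the alias IP resolves to the PLC's real MAC on its segment,
# so frames leave with the PLC's MAC while the IP header carries the alias.
arp_cmd() {
    printf 'arp -S %s %s\n' "$(plc_alias "$1")" "$2"
}

# Outbound NAT: anything sent to the alias is rewritten to come from the
# interface address, so the PLC only ever talks to 192.168.<vlan>.1.
nat_rule() {
    printf 'nat on %s from any to %s -> (%s)\n' "$1" "$(plc_alias "$1")" "$1"
}

# Emit the full set of three lines for every PLC in the inventory.
gen_all() {
    printf '%s\n' "$PLC_INVENTORY" | while read -r ifname mac; do
        [ -n "$ifname" ] || continue
        ifconfig_cmd "$ifname"
        arp_cmd "$ifname" "$mac"
        nat_rule "$ifname"
    done
}

gen_all
```

The script only prints; nothing here needs to run as root. On a pfSense box the same result is normally reached through the GUI rather than raw commands (an interface per VLAN, a static ARP entry for the alias, and an outbound NAT rule per interface), but the generated lines make it easy to see what each of the thirty segments has to contain and to diff one segment against the next.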
                      • michmoor LAYER 8 Rebel Alliance @johnpoz

                        @johnpoz Ahh ok. Geez this is overly complicated but I understand a bit more.
                        When you have no choice this is the solution :)
                        Thanks for clarifying.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.