Tutorial: #MB1V1 : Remote access to my devices connected to the router (PLC, HMI,...)
If the mbNET has an internet connection and the device is signed in, the LED in the status bar lights up green.
If you want a connection to a machine, click the „Connection“ icon.
After the connection is established, the LED changes color from green to orange. The “Connection” icon also changes its color from black to orange and rotates around its axis. Your connection to the machine is ready.
If you want to disconnect, click the rotating “Connection” icon.
If you want to access an Ethernet component (e.g. PLC) via an mbNET, please observe the following general points:
- The component must be reachable from the mbNET. Verify this with a ping request on the mbNET web interface under "Advanced" -> "Status" -> "Diagnostics" -> "Ping".
- The IP address of the component must be in the same Network segment as the LAN-IP address of the mbNET.
Example: LAN-IP of mbNET: 192.168.10.100/24 | IP address of the component: 192.168.10.10/24 =>> Network segment: 192.168.10.X/24
- You may have to configure the LAN-IP address of the mbNET as the gateway on the component. In this case, it is important to deactivate the "SNAT" function in the firewall settings of the mbNET. SNAT replaces the sender's IP address of all outgoing (LAN) packets with the LAN-IP address of this router, so while SNAT is active no gateway settings are needed on the devices behind the mbNET. With some components this SNAT function is technically not possible. In this case, SNAT must be deactivated and the respective gateway must be configured on the component. You can find SNAT in the device "Administration" under the menu "Firewall":
- If possible, please configure a timeout of 60 seconds on your component. Our tests show that this is the optimal setting for most components.
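The segment and gateway rules from the list above can be checked before a remote session is attempted. This is an added example, not vendor code; the function name `check_component` and the failing sample addresses in the demo are assumptions.

```python
import ipaddress

def check_component(router_lan, component, gateway=None, snat=True):
    """Return a list of problems for one LAN component behind the router.

    router_lan / component: interface strings such as "192.168.10.100/24".
    gateway: default gateway configured on the component (None if unset).
    snat: state of the SNAT switch in the router's firewall settings.
    """
    router = ipaddress.ip_interface(router_lan)
    comp = ipaddress.ip_interface(component)
    problems = []
    if comp.network != router.network:
        problems.append(
            f"{comp.ip} is not in the router LAN segment {router.network}")
    if comp.ip == router.ip:
        problems.append(f"{comp.ip} collides with the router LAN IP")
    if not snat:
        # Without SNAT the component sees the remote sender's own address,
        # so its replies must be sent via the router's LAN IP.
        if gateway is None:
            problems.append("SNAT is off but no gateway is configured")
        elif ipaddress.ip_address(gateway) != router.ip:
            problems.append(
                f"SNAT is off but gateway {gateway} is not the router LAN IP {router.ip}")
    return problems

if __name__ == "__main__":
    router = "192.168.10.100/24"           # LAN-IP of the mbNET from the example
    cases = [                               # constructed sample components
        ("192.168.10.10/24", None, True),   # the component from the example
        ("192.168.20.10/24", None, True),   # wrong segment
        ("192.168.10.10/24", None, False),  # SNAT off, gateway missing
    ]
    for comp, gw, snat in cases:
        print(comp, "SNAT" if snat else "no SNAT", check_component(router, comp, gw, snat) or "ok")
```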
If you want to access one or more devices that are connected via LAN to the mbNET / mbNET.mini from the WAN side of the network in which the mbNET / mbNET.mini is installed, you need one or more SimpleNAT rules.
With SimpleNAT, a network participant in the LAN network can be reached directly via a free WAN IP address. This WAN IP address is added to the WAN interface and mirrored 1:1 to the entered LAN IP address. For this it is important that a static IP address is configured for WAN.
The following network structure is used as an example:
Three network participants need to be accessed from one or more PCs from the WAN side via the mbNET / mbNET.mini.
The mbNET has the static WAN IP 10.10.0.100 and IP 192.168.0.100 configured as LAN IP.
The following network participants are available in the LAN:
- Industrial-PC with IP 192.168.0.1
- PLC with IP 192.168.0.2
- HMI with IP 192.168.0.3
The following network participants are available in the WAN:
- PC1 with 10.10.0.1
- PC2 with 10.10.0.2
- PC3 with 10.10.0.3
To configure the SimpleNAT rules in the device configuration, please navigate to the device Administration and click on Firewall:
You are now in the firewall settings of the respective device. Click the button (top right) and select Create new SimpleNAT. This rule needs to be configured as follows:
Set a checkmark at Active.
At WAN IP please enter a free WAN Ethernet address from the WAN network (here: 10.10.0.11).
At LAN IP please enter the LAN-IP address that you want to access (here: 192.168.0.1).
At Comment you can add a comment to make the rule easier to identify.
Because three devices behind the mbNET / mbNET.mini need to be accessed, three SimpleNAT rules need to be defined in this case:
This means that a SimpleNAT rule must be defined for each device that needs to be reached.
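A SimpleNAT rule set can be checked for address conflicts before it is downloaded to the device. This is an added example, not vendor code; the function name, the /24 masks and the WAN IPs of the second and third rule (10.10.0.12, 10.10.0.13) are assumptions, the other addresses come from the example above.

```python
import ipaddress

def validate_simplenat(wan_if, lan_if, rules, wan_hosts):
    """Check SimpleNAT rules given as (wan_ip, lan_ip) pairs.

    wan_if / lan_if: router interfaces, e.g. "10.10.0.100/24".
    wan_hosts: addresses already used by other WAN participants.
    Returns a list of problem strings; an empty list means no conflict.
    """
    wan = ipaddress.ip_interface(wan_if)
    lan = ipaddress.ip_interface(lan_if)
    taken = {ipaddress.ip_address(h) for h in wan_hosts} | {wan.ip}
    problems = []
    for wan_ip, lan_ip in rules:
        wan_addr = ipaddress.ip_address(wan_ip)
        lan_addr = ipaddress.ip_address(lan_ip)
        if wan_addr not in wan.network:
            problems.append(f"{wan_addr}: not in WAN network {wan.network}")
        elif wan_addr in taken:
            problems.append(f"{wan_addr}: WAN IP is not free")
        if lan_addr not in lan.network or lan_addr == lan.ip:
            problems.append(f"{lan_addr}: not a LAN participant address")
        taken.add(wan_addr)  # one WAN alias mirrors exactly one LAN address
    return problems

# Rule 1 is taken from the example; rules 2 and 3 use assumed WAN IPs.
SIMPLENAT_RULES = [
    ("10.10.0.11", "192.168.0.1"),   # Industrial-PC
    ("10.10.0.12", "192.168.0.2"),   # PLC
    ("10.10.0.13", "192.168.0.3"),   # HMI
]
WAN_HOSTS = ["10.10.0.1", "10.10.0.2", "10.10.0.3"]  # PC1..PC3

if __name__ == "__main__":
    result = validate_simplenat("10.10.0.100/24", "192.168.0.100/24",
                                SIMPLENAT_RULES, WAN_HOSTS)
    print(result or "rule set is consistent")
```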
The following network structure is used as an example:
A PC in the WAN needs to access, via the mbNET, the PLC (IP: 192.168.0.112) and various services behind it (here: FTP and web server).
For this purpose, a Forwarding rule must be set up on the mbNET for FTP access, which forwards all requests sent to the IP address 172.25.15.90 and the fictitious port 2143 to the IP address 192.168.0.112 and port 21.
You also need another Forwarding rule for web access, which forwards all requests sent to the IP address 172.25.15.90 and the fictitious port 2146 to the IP address 192.168.0.112 and port 80.
The WAN IP address must be entered as the Destination IP, the fictitious port (here: Port 2143 and 2146) under Destination Port, the IP address of the PLC (here: 192.168.0.112) under Forward IP and Forward Port is the respective port of the service which needs to be reached (here: port 21 and 80). WAN ethernet must be selected as the Interface for the forwarding rules. If Source IP and Source Port are empty, any communication from all participants is allowed. If you want to allow the communication only for certain participants, you must enter the Source IP or Source Port accordingly.
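The forwarding rules described above, modelled as an added example (not vendor code and not the router's firmware logic): it evaluates a WAN packet against the rules and lists the rules whose empty Source IP leaves them open to every WAN participant. The class and function names, the first-match evaluation and the source address 172.25.15.20 are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class ForwardingRule:
    # Field names follow the labels of the forwarding dialog.
    destination_ip: str
    destination_port: int
    forward_ip: str
    forward_port: int
    source_ip: Optional[str] = None      # empty = any participant allowed
    interface: str = "WAN ethernet"

def match(rules, src_ip, dst_ip, dst_port):
    """Return (forward_ip, forward_port) of the first matching rule, else None."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if dst_ip != rule.destination_ip or dst_port != rule.destination_port:
            continue
        if rule.source_ip and src not in ipaddress.ip_network(rule.source_ip, strict=False):
            continue                      # sender is not on the allowed list
        return (rule.forward_ip, rule.forward_port)
    return None

def unrestricted(rules):
    """Rules without a Source IP, reachable by every host that can reach the WAN IP."""
    return [rule for rule in rules if not rule.source_ip]

# Both rules from the example. The Source IP on the FTP rule is a constructed
# restriction to one maintenance PC; the web rule is left open as in the text.
FORWARDING_RULES = [
    ForwardingRule("172.25.15.90", 2143, "192.168.0.112", 21, source_ip="172.25.15.20"),
    ForwardingRule("172.25.15.90", 2146, "192.168.0.112", 80),
]

if __name__ == "__main__":
    print(match(FORWARDING_RULES, "172.25.15.20", "172.25.15.90", 2143))
    print(match(FORWARDING_RULES, "172.25.15.99", "172.25.15.90", 2143))
    for rule in unrestricted(FORWARDING_RULES):
        print("open to all WAN participants: port", rule.destination_port)
```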
If, for example, a connection to the FTP server of the PLC with FileZilla needs to be established, the WAN-IP of the mbNET (Server), the user name & password of the FTP server and the fictitious port (here: port 2143) must be entered in the FileZilla client:
Machine networks are becoming more and more complex and segmented. Remote maintenance has so far been limited to a single network segment at the LAN interface. The ExtendedRouting function now makes it possible to reach different networks via additional routers that are connected to the LAN interface. That is, if there is already a Managed Switch with routing function in the facility, its network segments can be entered in the mbNET, and the remote maintenance then knows which network segment can be reached via which Managed Switch/Router.
This document describes how to add and use LAN routes in rsp.mbCONNECT24 (V2) for an mbNET (from version V3.7.0).
The network configuration is in this example as follows:
- To add new LAN routes, you have to navigate to „Administration“ and click on the symbol at „LAN“:
- Please navigate to the section „Routes“ at the LAN settings:
- Please add a new route with the symbol:
As „Network“ you have to configure, in CIDR format, the network address range that you want to reach.
Under „Gateway“ you have to configure the IP address of the component that knows the route into the other network segment and is able to forward it (e.g. a Firewall or a Managed Switch / Router, like mbNETFIX).
Please confirm your settings with „Save“.
After downloading the configuration to the device, you can reach these networks once you have established a VPN connection to the mbNET.
Please consider the following instructions if you cannot find your Siemens PLC or Panel in the TIA portal, or if you want to establish a connection to your component through an mbNET in general:
You have to ensure that an active VPN connection to the mbNET has already been established through mbDIALUP.
If your PLC or Panel is connected to the LAN side of an mbNET via Ethernet, you must activate „Use router“ (in the „Properties“ of your component under „General“ -> „PROFINET interface“ -> „Ethernet addresses“) and enter the LAN-IP of the mbNET at „Router address“:
In this example, the PLC-IP is „192.168.10.10“ and the LAN-IP of the mbNET is „192.168.10.101“.
Furthermore, the IP address of the Siemens component must be reachable from the mbNET. You can check that with a „ping“ request on the device webpage:
For mbNET: Under „Advanced“ -> „Status“ -> „Diagnostics“ -> „Ping“:
To load a project into your PLC or Panel, you must use the button „Load into device“.
Please do not use the „Connect“ button for that!
Please configure a „Timeout“ of 60 seconds on the Panel / PLC. Our tests showed that this is the optimal setting.
Deactivate the option „Show all compatible participants“ in the search menu „Extended Loading“. Searching through an mbNET is a technical deadlock.
After you have found your PLC, you can connect to it.
Please consider the following instructions if you want to establish a connection to an Omron NS-series HMI or other Omron devices, such as a PLC, through an mbNET / mbNET.mini:
Configuration of the Omron component:
The IP address of your component must be in the same network segment as the mbNET / mbNET.mini.
For example: LAN-IP address mbNET / mbNET.mini: 192.168.127.200/24 | IP address of component: 192.168.127.1/24 =>> network segment: 192.168.127.X/24
As default gateway you must configure the LAN-IP address of the mbNET / mbNET.mini. The next section describes how to determine the VPN-IP address of your computer.
Determining VPN-IP address for Conversion Table:
- Establish a VPN connection through mbDIALUP by logging in to your user account.
- Open the Command Prompt in Windows (CMD).
- Type the command 'ipconfig' and press 'Enter' on your keyboard.
- Make a note of the VPN-IP address at "Ethernet adapter mbDIALUP:". In this example it is 10.0.X.X (X = censored). This is the VPN-IP address of the user with which you are logged in to mbDIALUP, and it is assigned to the mbDIALUP "TAP-Windows Adapter V9" on your computer. This VPN-IP address is unique for every user. If several users use the same computer to establish a VPN connection in mbDIALUP, please be aware that the VPN-IP address of a user may change.
- Add the VPN-IP address of your computer to the Conversion Table. To do so, configure any unused node address and remember it for the future.
To communicate with the Omron component, please deactivate the SNAT function on the mbNET / mbNET.mini. You can find SNAT in the device "Administration" under the menu "Firewall":
Communication settings for Omron component:
Please configure the communication settings for the Omron component as shown in the graphic below:
The following should be noted if you are working with the Beckhoff TwinCAT PLC:
1. Deactivate SNAT on the mbNET / mbNET.mini and enter the IP address of the mbNET / mbNET.mini as the gateway in the controller.
2. If you connect to the PLC from a PC (TwinCAT) via remote maintenance, this connection is saved in the PLC. The PLC notes that there is a remote maintenance connection (IP: 192.168.10.200). If you then want to access it from another PC (TwinCAT) via remote maintenance, the PLC creates a connection again. The PLC now has two connections via remote maintenance (IP: 192.168.10.200), so the connection cannot be clearly determined and neither the old nor the new connection works. If you delete all connections manually, you can then connect again using TwinCAT.
In some cases, the following information on setting the registry can also be helpful:
Setting options in the registry and TwinCAT PLC Control.ini:
The settings for data transmission via remote access are made in the registry and in the TwinCAT PLC Control.ini file. In the case of modem connections with a low transmission rate or poor line quality, it may make sense to reduce the data blocks to be transmitted. If a PLC project is to be transferred from the TwinCAT PLC Control to the controller via ADS via the modem connection, the size of the data blocks can be adjusted using the following settings:
HKEY_LOCAL_MACHINE\SOFTWARE\BECKHOFF\TwinCAT\Plc MaxBlockSize (DWORD)
The default (even if there is no key in the registry) is 16 KByte. The smallest block size is 512 bytes.
This means that large PLC projects to be loaded are divided into blocks.
Smaller blocks should be configured for slow connections.
HKEY_LOCAL_MACHINE\SOFTWARE\BECKHOFF\TwinCAT\Plc ConnectionTimeoutMSec (DWORD)
The default value is dec 8000 (corresponds to 8 seconds).
This value should be increased for slow connections.
TwinCAT PLC Control.ini
The "TwinCAT PLC Control.ini" file is located in the "..\TwinCAT\PLC" directory.
[TwinCAT PLC Control]
The default (even if there is no key in the INI file) is 1024; with a CX9000, 16K is usually set to minimize the number of blocks.
The above example shows a Stöber drive controller connected to an mbNET.mini router. This description explains which settings are necessary to access the drive controller remotely with the DriveControlSuite.
- mbDIALUP (at least version 3.7R1.0) Software installed on the service computer
- DriveControlSuite Version V6.2-G installed on the service computer
- an mbCONNECT24 V2 account
- mbNET (at least Firmware 3.7.0) or mbNET.mini (at least Firmware 1.9.0) Router configured and online in your mbCONNECT24 account
- You are connected to mbDIALUP and the router
First Steps >> First-Steps_RSP-mbCONNECT24-V2-3-0_en.pdf
- The IP address of the drive controller must be in the same IP address range as the router. See also the example above. Both are in the network area 192.168.0.x/255.255.255.0.
- The SNAT function can also be used in the router. This means that no gateway entry is necessary in the drive controller. If SNAT is not used in the router, the router IP address must be entered as the gateway address in the drive controller.
Drive controller settings:
Set the parameters to match this example as follows:
You must make these settings locally on the drive controller, ideally during the commissioning phase of the controller.
Establish connection to the drive controller:
Connect to your account with mbDIALUP and select your router from the project which is connected to the drive controller.
To establish a transparent IP connection to the participants in the router LAN network, click on the lightning symbol.
When the connection is established, the circle color next to the router name changes to orange.
Start the DriveControlSuite software and select the menu item “Assignment”. Then click on "Connect online".
The following window then appears. Select "Direct connection (manual)" and enter the IP address of the controller. In our example this is 192.168.0.10. Then click OK.
Afterwards, the connected drive controller appears in the "Assignment" menu. You can now perform all the usual functions as if you were connected locally.
Both PLCs should be accessible from PC2 under their own IP addresses. Port forwarding (DNAT) is not possible here because, especially with a Siemens PLC, the port assignment cannot be made on PC2.
- Settings of the devices:
- SPS1: IP: 192.168.0.112/24, Gateway: -----
- SPS2: IP: 192.168.0.114/24, Gateway: -----
- PC2: IP: 172.25.15.74/16, Gateway: 172.25.15.90
- Set the router's LAN and WAN IP addresses.
- Make sure in the firewall settings that the SNAT (LAN) function is selected.
- Enable the ICMP protocol for each PLC device in the firewall settings.
Now the WAN-side PC2 can access or ping both LAN-side PLCs.