Remote access to my devices connected to the router (PLC, HMI,...)

Tutorial: Remote access to my devices connected to the router (PLC, HMI,...)

Notice

An industrial router (mbNET) could only establish the access to devices or machines.

If the mbNET has an internet connection and the device is signed in, the LED shines green in the status bar:

If you want a connection to a machine you have to click the „Connection“-Icon .

After the connection is established, the LED changes the color from green to orange. The “Connection”-Icon also changes its color from black to orange and rotates around its axis. Your connection to the machine is ready:

If you want to disconnect, you have to click the rotating “Connection”-Icon .

1. What must be considered if I want to access an ethernet component (e.g. PLC)?

2. Establish a connection to an HMI / PLC via Ethernet / Profinet using the TIA Portal

3. Connect to a Omron HMI / PLC

4. Connect to a Beckhoff TwinCAT PLC

5. Connect to a Stöber drive behind mbNET / mbNET.mini

6. Add and use LAN routes

1. What must be considered if I want to access an ethernet component (e.g. PLC)?

If you want to access an Ethernet component (e.g. PLC) via a mbNET / mbNET.mini, please observe the following generally:

The component must be reachable from the mbNET. You must ensure this on the mbNET web interface under "Diagnosis" ~> "Ping" with a ping-request:

The IP address of the component must be in the same Network segment as the LAN-IP address of the mbNET / mbNET.mini.

Example: LAN-IP of mbNET / mbNET.mini: 192.168.10.100/24 | IP address of the component: 192.168.10.10/24 =>> Network segment: 192.168.10.X/24

It can be possible that you must configure the LAN-IP address of the mbNET / mbNET.mini as a Gateway on the component. In this case, it's important to deactivate the function "SNAT (LAN)" in the Firewall settings of the mbNET / mbNET.mini, because SNAT (LAN) replaces the senders IP address of all outgoing (LAN) packages with the LAN-IP address of this router. Therefore, no Gateway settings for any devices behind the mbNET are needed. At some components this SNAT function is technically not possible. In this case, SNAT must be deactivated and the respective Gateway must be configured on the component. You can find SNAT in the device "Administration" under the menue "Firewall":

If possible, please configure a Timeout of 60 seconds at your component. Our tests showing that this is the optimal setting at the most components.

2. Establish a connection to an HMI / PLC via Ethernet / Profinet using the TIA Portal

If you cannot find your Siemens PLC or HMI panel in the TIA Portal or generally want to establish a connection in the TIA Portal via mbNET / mbNET.mini, please consider the following information first:

What must be considered if I want to access an ethernet component (e.g. PLC)?

Notice

You can establish and close an active VPN connection to your device with the help of the "lightning flash icon". When the active VPN connection is established, it is as if you are connected to the PLC / panel on site.

When connecting the HMI / PLC via Ethernet / Profinet, the IP of the HMI / PLC must be in the same network segment as the LAN IP of the mbNET. As gateway address you have to use the LAN IP of the mbNET. In the TIA® Portal you can enter this if "Use router" is activated:

"Connect online" must not be selected for loading data into the HMI / PLC. You have to select "Download to device" directly:

or:

Notice

The next part describes the procedure WITHOUT the SEARCHoverIP function. For more information about this, click here

To establish a connection, please select "Show devices with same addresses". Searching via the mbNET is a system-related, technical dead end:

After the HMI / PLC has been found, you can load your project into the corresponding component.

3. Connect to a Omron HMI / PLC

Please consider the following instructions, if you want to establish a connection to a Omron NS-series HMI or other Omron devices, such as PLC, through a mbNET / mbNET.mini generally:

Configuration of the Omron component:

The IP address of your component must be in the same network segment as the mbNET / mbNET.mini.

For example: LAN-IP address mbNET / mbNET.mini: 192.168.127.200/24 | IP address of component: 192.168.127.1/24 =>> network segment: 192.168.127.X/24

As default gateway you must configure the LAN-IP address of the mbNET / mbNET.mini. In the next section you can find HowTo deteremine the VPN-IP address 'of your computer'.

Determining VPN-IP address for Conversion Table:

Establish an VPN connection through mbDIALUP, by login into your user account.
Open the Command Prompt in Windows (CMD).
Type the command 'ipconfig' in and press 'Enter' on your keyboard.
Make note of the VPN-IP address at "Ethernet adapater mbDIALUP:". In this example it's 10.0.X.X (X = censored). This is the VPN-IP address of the user, with which you are logged in in mbDIALUP. So, this VPN-IP address will be assigned for the mbDIALUP "TAP-Windows Adapter V9" on your computer. This VPN-IP address is for every user unique. If many users are using the same computer to establish a VPN connection in mbDIALUP, please be aware that the VPN-IP address of a user may change.
Add the VPN-IP address of your computer to the Conversion Table. Therefore, configure any unused node address and remember it for the future.

Disabling SNAT:

To communicate with the Omron component, please deactivate the SNAT function on the mbNET / mbNET.mini. You can find SNAT in the device "Administration" under the menue "Firewall":

Communication settings for Omron component:

Please configure the communication settings for the Omron component as showed in the graphic below:

4. Connect to a Beckhoff TwinCAT PLC

If you want to establish a connection to a Beckhoff TwinCAT PLC, please note the following:

1. Deactivate SNAT (LAN) on the mbNET / mbNET.mini under the device Administration -> Firewall:

2. Enter the LAN IP address of the mbNET / mbNET.mini as Gateway in the PLC.

3. If you connect to the PLC via remote maintenance on the PC, it is required to configure the Routing in the PC from where you establish the remote connection and also in the PLC itself.

When you are selecting the Target system in TwinCAT (via the button ), the route must be added on the PC via "Search (Ethernet)..." in the "Add Route Dialog" as follows: Enter the IP address of the PLC, press "Enter" on the keyboard so that the PLC is listed in the list, select "IP Address" and finally press the button "Add Route":

This creates the respective Routing on the PC and in the PLC.

If the route is missing on the PLC, it must be created manually. To create or check the route in the PLC, right-click on the icon in the Taskbar to open the "Properties" and add the route to the PLC under the "AMS Router" tab as follows:

The VPN IP address of your user must be entered as "AMS Net Id" with ".1.1" at the end (e.g.: 10.X.X.X.1.1). Enter the actual VPN IP address of your user as "Address". Select as the "Transport" the "TCP/IP" protocol and set a checkmark in the "Slow Connection" box, if necessary.

If you have done this settings, the PLC must be restarted and the PC must be set in "Config Mode" finally.

In some cases, the following information on setting the "TwinCAT PLC Control.ini" can also be helpful:

The "TwinCAT PLC Control.ini" file is located in the ".. \ TwinCAT \ PLC" directory.

[TwinCAT PLC Control]

FileTransferBlockSize=16384

The default value is 1024 (even if there is no key in the INI file). With a CX9000 usually 16K are set to minimize the number of blocks.

If this parameter is not available, please just add it to the TwinCAT PLC Control list.

5. Connect to a Stöber drive behind mbNET / mbNET.mini

The above example shows a Stöber drive controller connected to an mbNET.mini router. This description explains which settings are necessary to access the drive controller remotely with the DriveControlSuite.

Requirements:

mbDIALUP (at least version 3.7R1.0) Software installed on the service computer
DriveControlSuite Version V6.2-G installed on the service computer
an mbCONNECT24 V2 account
mbNET (at least Firmware 3.7.0) or mbNET.mini (at least Firmware 1.9.0) Router configured and online in your mbCONNECT24 account
You are connected to mbDIALUP and the router

6. Add and use LAN routes

The machine networks are becoming more and more complex and segmented. The remote maintenance has so far been limited to only one network segment at the LAN interface. The ExtendedRouting function now offers the possibility to reach different networks via additional routers that are connected to the LAN interface. I.e. if there‘s already a Managed Switch with routing function in the facility, its network segments can be entered in the mbNET and the remote maintenance therefore knows which network segment can be reached over which Managed Switch/Router.

This document describes, HowTo add and use LAN routes in rsp.mbCONNECT24 (V2) for a mbNET (from version V3.7.0).

The network configuration is in this example as follows:

To add new LAN routes, you have to navigate to the device View and click on the symbol at „LAN“:
Please navigate to the section „Routes“ at the LAN settings:
Please add a new route with the symbol:

As „Network“ you have to configure the network address range in CIDR format, which you want to reach.
Under „Gateway“ you have to configure the IP address of the component, which knows the route in the other network segment and is able to forward this route (e.g. a Firewall or a Managed Switch / Router, like mbNETFIX).
Please confirm your settings with „Save“.

After downloading the configuration to the device, you are able to reach these networks after you established a VPN connection to the mbNET.

Revision: V1.1