ModbusTCP over VPN over a Network


Thread Starter

Vikrant

Dear Experts,

I want to learn how to communicate to a ModbusTCP slave device using a ModbusTCP master (SCADA) that are not on the same network, over the internet. The slave may have a GSM/GPRS modem or 3G dongle to connect to the internet. One possible way I know of is using VPN, but I don't know how to exactly do it.

Can anyone show me the procedure or pointers on how to communicate to a ModbusTCP slave using a ModbusTCP master over VPN? A big question to my mind is, how to set up VPN for the ModbusTCP slave? Or how to find out the (dynamic) IP of the slave?

Thanks in Advance. This will help me in learning such things.
 

Lynn August Linse

VPN can be horribly complex; however, to answer the last question, one reason to use a VPN is that any dynamic IPs are hidden from you and you use a FIXED IP for the slave.

Simple example:

1) start with a cellular or broadband router with VPN end-point (not pass through) support.

2) you'd likely configure the router to connect BACK to a central VPN host/server.

3) so field router has a 'who cares' any kind of IP and the VPN host has a fixed IP.

4) At this point your MB/TCP master might have the IP 192.168.10.10 and you might define the remote slave subnet as 192.168.100.x and all routing is hidden within the VPN.

However, VPNs are not really do-it-yourself. If you are clever with internet, IP, and security you can figure it out, but I'm not sure if your colleagues could take over the system if you left.

Alternatively, if you are using cellular, most cellular carriers can offer you VPN where THEY manage the VPN host. So you run a VPN client on your MB/TCP master computer and link into the carrier. At that point they give you a fixed IP for the remote cellular device despite it NOT having a fixed IP - the VPN hides the true IP from you. There's usually a one-time charge to set up a VPN with a carrier, then there may (or may not) be monthly charges beyond that.

- Lynn
 

Lynn August Linse

Actually, there is another method if you have a cellular or broadband NAT router which supports DDNS. They allow you to use a third party tool to assign a DNS name to your dynamic IP. One example is http://dyn.com/

This would only work if the dynamic IP is public-routable (so like 166.x.x.x and not like 10.x.x.x).

So you might be able to treat your slave as johnsmith_plc23.mydns.net. The domain (like mydns.net) would be owned & managed by the provider, and the first name is something YOU select which is unique to that domain.

Anytime the router detects a change in IP, it updates the DDNS service. This means there will be a minor delay between when IP changes and when DNS updates.

Most Digi.com cellular routers/gateways support the DDNS at dyn.com (old DynDns.org).

However, two warnings:

1) Modbus/TCP on port 502 is dangerous to open on the internet if any writing is supported, as anyone connecting to your IP on port 502 with Modbus could just (for fun or laughs) write a 0 to every register which accepts a write. The VPN protects you from this!

2) If your NAT/router is assigned a private (non-routable) IP like 10.x.x.x, then DDNS is never an option and you'll have to go with VPN.
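
The following is an added example, not part of the original posts: a small audit routine that parses captured Modbus/TCP requests arriving on port 502 and flags write function codes from any source outside the VPN. It assumes the master-side subnet 192.168.10.0/24 (taken from the 192.168.10.10 example above); the function names and sample frames are constructed for illustration.

```python
import ipaddress
import struct

# Modbus function codes that modify device state (Modbus application protocol).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}

# Assumption: only the master's VPN-side subnet may talk to the slave.
ALLOWED_MASTERS = ipaddress.ip_network("192.168.10.0/24")


def parse_request(payload: bytes):
    """Parse one Modbus/TCP ADU; return (unit_id, function_code) or None."""
    if len(payload) < 8:  # 7-byte MBAP header plus the function code
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id must be 0; length covers unit id + PDU and must match.
    if proto != 0 or length < 2 or length != len(payload) - 6:
        return None
    return unit, payload[7]


def audit(src_ip: str, payload: bytes) -> str:
    """Return 'ok', 'malformed', 'outside-vpn' or 'outside-vpn-write'."""
    parsed = parse_request(payload)
    if parsed is None:
        return "malformed"
    _unit, func = parsed
    if ipaddress.ip_address(src_ip) in ALLOWED_MASTERS:
        return "ok"
    return "outside-vpn-write" if func in WRITE_FUNCTIONS else "outside-vpn"


# Constructed sample traffic (not a real capture): (source IP, TCP payload).
SAMPLES = [
    ("192.168.10.10", bytes.fromhex("000100000006010300000002")),  # read
    ("192.168.10.10", bytes.fromhex("000200000006010600010000")),  # write
    ("203.0.113.7", bytes.fromhex("000300000006010600010000")),    # write
    ("203.0.113.7", bytes.fromhex("0004000000060103")),            # truncated
]

if __name__ == "__main__":
    for ip, raw in SAMPLES:
        print(f"{ip:15} {audit(ip, raw)}")
```

Any "outside-vpn" result means port 502 is reachable without the VPN, which is the exposure the first warning describes.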
 