How to Connect Allen Bradley PLCs to a Corporate Network without RS-Linx Gateway

TheWaterboy expressed concern about SecOps frustration. I am attempting to replicate the functionality of RS-Linx Gateway software without the need for licenses. RS-Linx Gateway has long been used on networks for developing PLCs remotely from the lab. Our PLC network was the only one out of 5 locations that avoided a major ransomware attack, which severely impacted the other 4 locations for weeks and had lingering effects on both IT and OT networks. The separation between IT and OT is reviewed annually by third-party consultants who conduct thorough audits.

• 05-01-2025
• Dayvieboy

Ken Roach mentioned that NAT appliances are specifically designed for the functions you are describing. While a price range of $700 - $1000 per network may seem high, it is justifiable for devices with a 24V power supply and DIN rail mounting capabilities. For those on a tight budget with networking skills, a $40 travel router running OpenWRT can provide similar NAT functions. Alternatively, investing in a case of Ubiquiti Edgerouter X units for each site can offer a more professional solution. If budget constraints are solely due to the hassle of teaching remote users about networking, enabling routing in the Windows 10 Registry Editor and opening TCP Port 44818 in the firewall may suffice. Another option is to install software NAT on Windows PCs. In terms of building tools in different clean rooms with PLCs on separate subnets, it is important to adhere to the Plan of Record (POR) guidelines. Any additional hardware not included in the final design must be accompanied by a request for exemption and an engineering justification report. Tools should be wire-gapped when installed at the customer site to maintain security. To address the issue of locked Studio 5000 licenses in the clean room during experiments, implementing a software NAT solution like RS-Linx Gateway may be beneficial. This software acts as a virtual NAT, allowing developers to access PLC lab licenses without the need for additional licenses in the clean room. This can also streamline the process of keeping VMs up to date with firmware and other software components. Overall, the goal is to optimize networking capabilities while staying within budget constraints and minimizing the administrative burden. Thank you for your input, and further investigation into the Windows 10 registry route will be conducted.

• 05-01-2025
• Dayvieboy

Upon reading your post, I must say that I was pleasantly surprised by the level of sophistication and budget you have shared. Thank you for providing such detailed context. My main focus is finding a replacement for RS-Linx Gateway software, which appears to function as a software NAT within RS-Linx. RSLinx Gateway was specifically designed to enable access to hardware drivers such as DH485, DH+, and ControlNet over TCP/IP networks. It serves as a means of transporting RSLinx functions over a TCP/IP network for execution by a hardware driver. While it may not function as a traditional "NAT" or "router", it facilitates communication between networks, allowing for automation connections to PLCs on a separate network. To achieve your goal, you could consider configuring Windows Firewall, enabling TCPIP Routing, and setting up static routes via command line. However, it's important to consider security implications and limit the firewall exception to TCP Port 44818 to mitigate risks. I am intrigued by your use of virtual machines (VMs) and would like to understand more about how they are utilized in your setup. Are the Dell PCs in each workcell running a hypervisor with a Windows VM for engineering tools? Which hypervisor do you use - Microsoft Hyper-V, VirtualBox, VMWare Workstation, or another? What operating system is installed on these computers? Do your engineers in the "PLC Lab" utilize virtual machines, or do they have Studio 5000 on their desktop operating systems? It might be worth exploring Windows Remote Access and Management Tools, although it's outside my expertise in PC networking that goes beyond a contained environment. Overall, your setup presents exciting possibilities and challenges, and I look forward to further discussing and exploring solutions with you.

• 05-01-2025
• Ken Roach

Looking back to the early 90s, I remember the days of having a $1,200 KTX card in an ISA slot or the PCMCIA PCK card, which I still have in my collection of treasures. I am currently working on a project where each programmer logs into their own Studio5000 VM from either home or the office, each with its own Studio5000 pro license. Each machine comes with its own VM server that includes 3 VMs. With around 10 programmers and 6 or 7 machines being built simultaneously, the machines will be air gapped once installed at the customer site. For field troubleshooting on air gapped tools, Studio5000 Service Edition is installed for functions such as uploading, downloading, and viewing code. I am considering opening ports and exploring different approaches, such as purchasing Rs-Linx Gateway. It's interesting to note that I spent nine months at Pyramid Brewery in Berkeley, California during a startup in 1996 and did some work at the Seattle facility, where I conducted upgrades and a study on improving efficiency. Based on my findings and other factors, the production facility in Seattle was shut down and moved to Portland. I also had the opportunity to work at Atlas Casting (now Americast), where despite the dirty environment, they created impressive products. Furthermore, I have worked multiple times at Metagenics in Gig Harbor.

• 05-01-2025
• Dayvieboy