HTTP Port Forwarding
We have several sites that we access through a cellular modem. Each site has a PLC, HMI, VPN router, and of course the modem. We have been using a Cisco VPN router but wanted to try a Cosy 131 because we have been having issues with the Cisco. I have been able to configure the Cosy to do everything we need thus far with one exception: I need to be able to access the HMI using the public IP address without going through Talk2m. The Cisco allows us to set up port forwarding from the public static IP address to the IP address of the HMI on the LAN. I have already changed the settings in the Cosy that allow WAN to LAN, but how do I achieve the HTTP forwarding?
-
We normally accomplish this using NAT 1:1 to create an IP for the LAN device that can be accessed via the WAN, but that would only work if you had another public IP address available, which you probably don't. So in this case you should be able to accomplish the port forwarding configuration by setting up a proxy connection to the HMI. There are instructions here:
AM-1007-00 - Define Proxy for Port Forwarding.pdf (405.3 KB)
You would need to choose a different port than 80, which is what the eWON is using and forward that to your HMI.
I hope you have also considered the security implications of this, as you are leaving your HMI exposed to the internet. Make sure you at least have a strong password set.
Kyle
0 -
Kyle,
Thanks for the info. I'm still a little unsure about setting this up. The article isn't exactly clear to me. Here is what I set up. I realize I'm not supposed to use Port 80 but you didn't tell me what to use instead. I'm just wanting to confirm that I have all the settings correct. The IP address, 10.0.23.11, is what I am wanting to forward to. Please see attached screen shot.
Randy
0 -
Hi Randy,
That looks correct. It doesn't really matter what port you use, as long as it doesn't conflict with something else, so 8080 is fine. That port number will be used in the URL when you are trying to reach the internal webserver; for example, if your WAN IP address is 172.16.10.10 you would enter 172.16.10.10:8080.
Kyle
0 -
Kyle,
Well for some reason I am still not able to connect. Any ideas?
Randy
0 -
Hi Randy,
Please send me your configuration so I can check. Use eBuddy Backup/Restore and do a backup with Support Files and attach that file to your response.
Thanks,
Kyle
0 -
Backup file is attached.
MOVED TO STAFF NOTE (18.5 KB)
0 -
Can you try setting NAT and TF to "NAT on LAN (Plug'n Route)" and disabling NAT 1:1 as shown below, then reboot the eWON and try again?
0 -
Kyle,
I don't have any of those options under Networking. See attached screen shot.
Randy
0 -
I'm sorry, I used a screenshot from the Flexy. I think I figured out why this isn't working though. I was under the impression that you were using an eWON with an internal cellular modem, but it looks like you are using an external cellular modem. Is this the same modem that you used with the Cisco router? And is it configurable? Can you let me know the model?
0 -
Yes we are using a separate cellular modem. It is a Sierra Wireless. We have used different versions of this modem. For this application we are using the Airlink LS300. Yes this is the modem we used with the Cisco and it is configurable.
0 -
OK - Please change NATItf to 3
The rest of the settings look good and if the modem was already configured to be bridged to the Cisco, it should work with the Cosy. Reboot the Cosy and try again. If you still aren't able to connect, try a different port, like 8081 and try again and let me know if it works.
Kyle
0 -
Sorry you also need to change:
"ProxySrvPort1" should be "80"
"ProxyPort1" should be "8080"
0 -
Kyle,
I can now access the HMI via web interface so that now works. I can also connect to my PLC using RSLinx. However, it seems changing the NATItf from 2 to 3 is blocking alarm emails from being sent out by the Red Lion HMI. I used the KB article that said to change the settings to the following:
NatItf = 2 (Nat and TF on WAN)
VPNRedirect = 0 (Allow traffic outside the VPN tunnel)
FwrdToWAN = 1 (Forward LAN traffic to WAN)
Randy
0 -
Randy, try changing NATItf back to 2, rebooting, and see if it still works. If not, we can probably come up with an alternative.
0 -
Kyle,
I changed NATItf back to 2 and I am still able to access the HMI web interface. I was able to generate a couple of alarms but now it seems that the HMI has lost connection to the PLC and I am not seeing any more alarms being sent out. Maybe eventually I'll get everything working at the same time. Lol
Randy
0 -
One of the issues we had with the Cisco was we were using the built in ethernet switch and devices on the LAN tended to lose connection. I'm wondering if the Cosy may have the same issue. Do you think it would be a good idea to add a separate ethernet switch?
0 -
Hi Randy,
I don't think the setting changes are related to the connection issue between the HMI and PLC. If we check the event logs, we can see if there are any errors involving the switch. It's hard to say at this point if adding a switch would help or not, but it wouldn't hurt. It would introduce another device that could potentially malfunction, but the chances are low.
Let's check the logs first and see what we find. You can look at the logs in the web interface and if you want to make a backup with support files I'll take a look as well.
Kyle
0 -
Backup file attached.
MOVED TO STAFF NOTE (175 KB)
0 -
Good Morning Randy,
Taking a look at the logs there are a few different errors that may be related to the communication problem:
1555672606 19/04/2019 11:16:46 eip-receive socket error during read/write eip 79324 27802
1555622870 18/04/2019 21:27:50 smbs-Serial port not opened mbsio 79305 22332
1555678902 19/04/2019 13:01:42 mbgw-Rx frame error, invalid header mbsgw 79304 22410
1555685314 19/04/2019 14:48:34 stdsrv-Socket Bind error eproxy 79340 33003
1555689873 19/04/2019 16:04:33 stdios-Inter process gateway request timeout (FINS) finsgw 79333 26802
1555689918 19/04/2019 16:05:18 epxy-Maximum sessions per port reached eproxy 79340 33106
So if you change "ProxyMaxSocks" from [5] to [100] that should take care of at least one of those.
The other errors mainly involve Modbus TCP and Ethernet-IP socket and port issues. The HMI and PLC are both on the LAN, right? It seems like there might be a communication issue between them, or at least the Cosy is having issues forwarding the traffic between them, which is odd. What are the models and are they using Modbus TCP to communicate with each other? Have you had any issues before with the communication between the PLC and HMI? What is the make/model of each?
Kyle
0 -
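An added example, not part of the thread and not eWON tooling: it splits the log excerpt quoted above into records and pulls out the eproxy entries, which concern the forward that is reachable from the WAN side. The field layout is an assumption inferred from the six quoted lines, and the two trailing numbers are kept uninterpreted.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# The six entries quoted in the post above, one per line (the excerpt ran them together).
SAMPLE = """\
1555672606 19/04/2019 11:16:46 eip-receive socket error during read/write eip 79324 27802
1555622870 18/04/2019 21:27:50 smbs-Serial port not opened mbsio 79305 22332
1555678902 19/04/2019 13:01:42 mbgw-Rx frame error, invalid header mbsgw 79304 22410
1555685314 19/04/2019 14:48:34 stdsrv-Socket Bind error eproxy 79340 33003
1555689873 19/04/2019 16:04:33 stdios-Inter process gateway request timeout (FINS) finsgw 79333 26802
1555689918 19/04/2019 16:05:18 epxy-Maximum sessions per port reached eproxy 79340 33106
"""

# Assumed layout, inferred only from those lines:
#   epoch  dd/mm/yyyy hh:mm:ss  message  source  number  number
# The meaning of the two trailing numbers is not given on the page, so they stay raw.
LINE = re.compile(r"^(\d{10}) (\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (.+) (\w+) (\d+) (\d+)$")

def parse(text):
    """Return the recognised entries as dicts, oldest first."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m is None:
            continue  # blank or unrecognised line: skip rather than guess
        epoch, stamp, message, source, n1, n2 = m.groups()
        events.append({
            "when": datetime.fromtimestamp(int(epoch), timezone.utc),
            "stamp": stamp, "message": message, "source": source,
            "numbers": (int(n1), int(n2)),
        })
    return sorted(events, key=lambda e: e["when"])

def stamp_is_utc(event):
    """True when the printed date/time equals the epoch rendered in UTC."""
    return event["when"].strftime("%d/%m/%Y %H:%M:%S") == event["stamp"]

def by_source(events):
    return Counter(e["source"] for e in events)

def proxy_events(events):
    """Entries logged by the proxy, i.e. the forward reachable from the WAN side."""
    return [e for e in events if e["source"] == "eproxy"]

if __name__ == "__main__":
    evs = parse(SAMPLE)
    print(by_source(evs).most_common())
    for e in proxy_events(evs):
        print(e["when"].isoformat(), e["message"])
```

Sorting by epoch matters here because the quoted excerpt is not in chronological order; the serial-port entry from 18/04 precedes the rest.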
Kyle,
Thanks for the info. I think I mentioned this in an earlier email but the main reason we switched to the Cosy was because we thought the connection issues we were having were related to the built-in switch in the Cisco VPN router. The Cisco had a 4-port switch and sometimes the HMI would lose connection to the PLC and the guys at the location could get everything back communicating by power cycling the router. Sometimes moving the Ethernet cables to different ports would achieve the same thing.
Okay, so all weekend I have occasionally tried to connect to the HMI web interface and it has connected every time and I was able to see data in the HMI indicating that it is communicating to the PLC. However this morning after changing the ProxyMaxSocks to [100] I rebooted the Cosy and now my HMI has lost connection to the PLC. It's strange because I can still access the HMI web interface and I can even make changes to the HMI configuration and download to it but the data connection between the HMI and the PLC is broken. This same thing happened last Friday but after 2 or 3 hours the connection was restored. Maybe that is what you are seeing in the logs.
To answer your questions, as I related in item 2 we have had issues with the data connection between the HMI and PLC. Not sure how to answer about the Modbus TCP because to my knowledge there is nothing in the HMI or PLC that is using Modbus. The PLC and HMI are both connected to the Cosy LAN switch. The PLC we are using is an Allen-Bradley Micrologix 1400, Model 1766-L32AWA. The HMI is a RedLion G3, Model G306A000.
I was wanting to mention another issue which I believe I have a solution for but wanted to get your take anyway. The control panel where all this hardware is located is in a mobile water system. So being a mobile system the power is not on constantly and thus when the trailer is moved to a customer site the power is reconnected and operational checks are done to verify everything is working properly. One of the things I noticed about the Cosy is that if it is powered up at the same time as the cellular modem it does not connect to Talk2M and will not unless it is power cycled after the modem is connected to the cell service. So what I plan to do is connect the power to the Cosy through an output on the PLC and delay it powering up for a minute or two to allow time for the cellular service to be fully operational.
I have attached a current backup. It may look similar to the last one I sent due to the broken data connection between the PLC and HMI. If I see that the connection becomes reestablished I will do another backup and send it to you.
Randy
MOVED TO STAFF NOTE (175 KB)
0 -
Hi Randy,
About the device not connecting to the internet when first powered on, it could be an issue between the Cosy and the modem, but usually the Cosy will connect as soon as an internet connection is restored though. Your idea to delay powering on the Cosy will work.
There are some strange errors in the logs and I'd like to take a closer look at the device if we can arrange a Teamviewer session or if you can provide a temp account I can use. Please let me know if that's possible this afternoon.
Thanks,
Kyle
0 -
How would I set up a temporary account?
0 -
You can just go into the Flexy and under Setup < Users, add a new user and password and send me the info. It will be kept confidential and once I'm done you can delete the account.
0 -
This is a Cosy, not a Flexy. In our Talk2M account we had previously set up an Ewon support user login but have since deactivated it. Maybe it would be easier to do the Teamviewer.
0 -
Right, my mistake. Let me know when you are available. We are going to be done for today in less than an hour, but will be back at 8:30 AM Eastern.
0 -
Let's plan on doing it in the morning if that works for you.
Randy
0 -
Kyle,
I may have discovered my issue or part of my issue. There is a setting in the Red Lion HMI called "Comms Delay". It was set to 0 ms. The manual states in regards to this setting, "The Comms Delay option specifies a delay that will be inserted between any two comms transactions for this device. It is useful when working with remote devices that are unable to keep up with Crimson's performance, or when a lower comms priority is to be given to a device." I changed this setting to 1000 ms and I immediately started getting data from the PLC displayed on the HMI. I have attached another backup file. Let me know if you see a difference.
Randy
MOVED TO STAFF NOTE (173 KB)
0 -
Randy,
The logs look a lot better. Those errors are gone and the only errors since it last rebooted yesterday were a couple for unsupported S7 commands at around 2 a.m.
Let me know how it goes today and if there is anything else I can do to help. Also, please make sure the device has a very strong password as it's accessible from the web and not just through the VPN server.
Kyle
0 -
Kyle,
Sounds good. I did want to follow up once more about the issue with the Cosy not connecting to the internet through the cell modem if both are powered on at the same time. Yesterday someone disconnected the power to the control panel so I had to go and reconnect it. As expected the Cosy would not connect to the internet until I cycled power to it after the modem showed it was connected to the cell service. I actually had to cycle power a second time before it connected. I had mentioned in an earlier email that I planned to address the issue by delaying the powering up of the Cosy by connecting the power through an output on the PLC. Is there any setting in the Cosy that can help with this issue? Is this typical? I had done an earlier test to see if the Cosy would eventually connect but it never did even after several hours. I still had to cycle power. Any thoughts?
Randy
0 -
Yes, there should be a "watchdog" running that will restart the WAN port if there is no internet connection. It may actually be due to the modem. Can you try setting the IP address as static, using the same settings for default gateway, subnet mask, and DNS that are currently set and see if that makes a difference?
0