Newly added in EPIC firmware 3.3.1 : manage unsecured devices on-prem or at remote sites through secure, on-demand connections.
Last week in the OptoBlog, Ben Orchard shared an overview of what's included in the latest groov EPIC firmware update 3.3.1. One of the highlights was a new networking tool: Port Redirect.
If you've updated to 3.3.1 and you're itching to try this new feature out, here's a step-by-step outline on how it works on a groov EPIC (GRV-EPIC-PR1 or GRV-EPIC-PR2).
What is it?
Port redirection, also known as port forwarding, allows remote computers or mobile devices on one network segment to connect to a specific computer or service within a private LAN through a specific port. Usually, it pokes a “pinhole” in your firewall that packets of information can pass through. This kind of port forwarding is unsecure and not recommended, especially when the remote computer is on a public LAN like the Internet.
However, using port redirects over a VPN is secure and provides a conduit between the two network segments that can be very useful. For example, if you anticipate having to update a PLC’s program on a private network from your PC at remote site, you can place a groov EPIC on the PLC’s network and use a VPN and port redirect to establish a conduit, securely accessing your PLC to make the change.
Using Port Redirect
Here’s an example of setting up port redirection over a VPN. This scenario involves a PC (running a PLC vendor’s software) on one network and a PLC on a different network with a groov EPIC. With port redirection over a VPN, the PC can securely update the PLC’s software via groov EPIC.
- On the untrusted network where the groov EPIC is connected to the PLC, find out the PLC’s IP address and the required ports to access its software.
- Configure the VPN client on the PC (your IT department can help).
- Configure the VPN client on groov EPIC following steps in the groov EPIC User’s Guide.
- Configure a port redirect rule on the groov EPIC using groov Manage. NOTE: Adding or changing firewall rules (which effectively opens ports in the firewall) does not start any listening services that may be behind those ports. If you encounter problems accessing those services, check that the services are on and listening.
- Log in with a user ID that has system level privileges.
- Click Network > Port Redirect. groov Manage displays the Port Redirect page:
- Click Add Rule: groov Manage displays the New Rule page:
- Fill out the fields with the information described in "Collecting Information for Port Forwarding" in the groov EPIC User's Guide.
- Click OK. If groov Manage reports any errors, fix those errors and click Save. Otherwise, groov Manage displays a message that it will restart the network connections.
- Click Save.
- Log in with a user ID that has system level privileges.
A few more notes:
- If you have more than one PLC or device you need to access through the groov EPIC, configure a port redirect rule for each one. Important: Each rule has to have a different external port number going to a different IP address. Otherwise, the EPIC cannot differentiate between them.
- When finished accessing the PLC or device, remove the port redirect rule. It is best practice to not leave persistent conduits between zones.
- You can also create and tear down port redirects programmatically using Node-RED and groov Manage's RESTful API.
Testing Communication
You’re now ready to test communication between your two networks.
- Confirm that both the PC and groov EPIC can connect to the correct VPN server. Both locations and both devices must be connected to the same VPN server.
- Make sure the port redirect in EPIC is enabled.
- Confirm that the PC running the PLC vendor’s software can access the PLC.
Troubleshooting:
If you have any problems connecting, see the groov EPIC User’s Guide. groov Manage also includes networking tools to help troubleshoot connections.
And of course, our team of engineers is always ready to answer your questions. Contact us or drop us a line in the OptoChat.