PLC Layer 2 by VPN based on 3 routers

Good morning madam and gentlemen.

I just signed up on the forum, because I could not find a working solution to my problem at first.

First let me explain the situation. I'm not an IT network guy. I'm a PLC programmer with basic networking experience, and my Linux experience is not much either.

OK, now I'll show my problem. At work I got the task to find some solution for remote machine service (covid etc.). There is an existing company hardware solution, but it is so expensive, not for a small group.

We need to make a connection between software on a PC and a hardware PLC at a different location. Both locations have access via LTE modem, so no public IP. We have an ISP with a public IP (boss's home) at location 3, and the connection must go through this server.
I bought 3 GL-iNet routers (based on OpenWrt) because they support fast VPN connections (based on WireGuard). But it did not solve my problem. The connection between the devices is not by IP (L3) but by the PROFINET protocol, which is based on Ethernet (L2?). The machine responds to PING but the software cannot find the device.
I tried to make some configuration (found on the internet) with GRETAP or VXLAN over this VPN connection, but it does not work. Maybe GoodCloud does not make a good config for the VPN, maybe the firewall is the problem. Like I said, I'm not good at networking.

Can you help me find a good config for this?
It can be OpenVPN, WireGuard + L2, SoftEther, anything that will work.

Actual situation is like this:

Machine PLC:
v connected to LAN port
Router 'Machine'
DHCP is on
VPN: IP MASK (why?)

Router 'Serwer' (public IP)
LAN: IP (access from VPN not allowed)
DHCP is on

Router "service"
LAN_1: IP MASK (because we test some machines at work)
DHCP server is on
LAN_2: DHCP client (was for trying to bridge by GRETAP or VXLAN, but not working).
VPN: IP MASK (why?)
^ connected to LAN_2 port
PC with software
LAN_2: DHCP client.

Or maybe another option, if it is easier. How to configure a virtual wire connection (pseudowire) between two devices via the routers' LAN_2 port, without public IP, using a third router with a public IP. Just working like a cable connecting two switches. The client routers are GL-AR750S and GL-AR750, the server router is GL-MT300N-V2.

Switch1 <---------------------- virtual wire connection -----------------------> Switch2
Switch1 <-->Router1 client<-->Router2 server<-->Router3 client<--> Switch2

It's a complicated situation:

Per the Wiki, there is something on L2 called TSN and you can't emulate it using L3.

Probably you should use OpenVPN L2 (TAP):

and make Ethernet bridging between all computers and devices.

But bridging is another kind of complication when you are trying to mix various standalone devices (computers) and LANs.

Probably the easiest is to make a test using OpenVPN L2 to see how it may work. The idea will be something like:
PLC device 1 <---> PLC LAN router 1 <---> BOSS VPN 1 <---> computer 1
PLC device 2 <---> PLC LAN router 2 <---> BOSS VPN 2 <---> computer 1

So the computer needs to dial BOSS VPN1 or BOSS VPN2 when it needs access to PLC1 or PLC2.


The computer does not need TSN to connect to the PLC. TSN is used between the PLC and IO devices.

Probably I found the reason why GRETAP or VXLAN is not working in my situation.
At the producer's page ( I found that "GoodCloud S2S (Site-to-Site) is a simplified SDN (Software-Defined Network)"
Now I'm searching what SDN is and how it differs from a normal network. Maybe there are some different settings for GRETAP, or does it never work on SDN?

For OpenVPN I find only examples where the PLC router is a server. But it doesn't have a public IP. Is it possible to do a configuration where the PLC router is a client but is the DHCP server, the BOSS router is only the VPN server, and the computer or second router is a VPN client with Layer 2 access to the PLC router's network?

I will explain with OpenVPN because I don't know anything about GRETAP/VXLAN.

So the PLC router will be an OpenVPN client and will connect to the BossVPN server. Your computer will also connect to the BossVPN server.

This will make a "virtual LAN", and the PLC router plus its devices (Machine PLC) will be in the same LAN network as your PC. And this will allow your software at home to control the Machine PLC at the remote location.

1 Like

What about leaving a machine running inside the company's network, and connecting to it from outside by remote desktop through a VPN?

Not as elegant as having real access, but much easier to set up.

1 Like

The solution with remote desktop is also problematic because it needs an additional licence for the software at the remote plant (TIA Portal V15), which is expensive.

For OpenVPN I will try to do the connection this way. First I will start the server and client on the routers, using some example from the Internet. Probably I should use the TAP version? Must I make a bridge between the LAN interface and the VPN connection on the client router?

1 Like

Yes - only the TAP version should be used.

Please pay EXTREME attention to OpenVPN modes:

Because in your situation the OpenVPN server should NOT USE DHCP!

1 Like
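A worked configuration for the bridged (TAP) layout that this reply and the earlier OpenVPN reply describe: the Boss router is the server, the PLC router is a client with its TAP device bridged into its LAN, and the PC is a second client. This is an added example in OpenWrt UCI syntax, not configuration from the thread or from GL.iNet; the hostname boss.example.net, the certificate paths, the LAN address 192.168.50.1 and the section names are assumptions, and the certificates come from whatever PKI you already use.

```uci
# /etc/config/openvpn on the Boss router (public IP): the TAP server.
# Constructed example; hostnames, key paths and ports are assumptions.
config openvpn 'boss_tap_server'
	option enabled '1'
	option dev 'tap0'               # TAP = layer 2, needed for PROFINET frames
	option proto 'udp'
	option port '1194'
	option server_bridge 'nogw'     # bridge mode WITHOUT an OpenVPN address pool:
	                                # nothing is pushed, clients take DHCP from the
	                                # PLC router over the tunnel
	option client_to_client '1'     # frames between the PC and the PLC router are
	                                # switched inside OpenVPN; tap0 is NOT bridged
	                                # into the boss LAN, so that LAN stays isolated
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/boss.crt'
	option key '/etc/openvpn/boss.key'
	option dh '/etc/openvpn/dh.pem'
	option keepalive '10 60'
	option persist_key '1'
	option persist_tun '1'
	option verb '3'

# /etc/config/firewall on the Boss router: only the VPN port is opened on wan.
config rule
	option name 'Allow-OpenVPN-TAP'
	option src 'wan'
	option proto 'udp'
	option dest_port '1194'
	option target 'ACCEPT'

# /etc/config/openvpn on the PLC router (LTE, no public IP): a TAP client.
config openvpn 'plc_tap_client'
	option enabled '1'
	option client '1'
	option dev 'tap0'
	option proto 'udp'
	option remote 'boss.example.net 1194'
	option nobind '1'
	option remote_cert_tls 'server'  # refuse a peer that is not the real server
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/plc-router.crt'
	option key '/etc/openvpn/plc-router.key'
	option persist_key '1'
	option persist_tun '1'
	option verb '3'

# /etc/config/network on the PLC router: tap0 joins the LAN bridge, so the PLC,
# the router's DHCP server and the remote PC share one Ethernet segment.
# (OpenWrt 18.06/19.07 syntax; on 21.02+ the members go into a 'config device'
# section as 'list ports'.)
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1 tap0'
	option proto 'static'
	option ipaddr '192.168.50.1'
	option netmask '255.255.255.0'
```

The PC uses the same client directives in its .ovpn file with `dev tap` and its TAP adapter left on DHCP, so it receives an address from the PLC router exactly as if it were plugged into that router's switch. The service router from the first post would be configured like the PLC router, with tap0 bridged into its LAN_2 instead. On the PLC router no firewall change is needed, because tap0 is a member of br-lan and therefore already inside the lan zone.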

I spent some days trying to find a good configuration.
With OpenVPN it is not working, maybe I did something wrong. Like I said, I'm not a networking guy.
The working configuration I found is GRETAP over WireGuard, but not provided by the S2S network: this S2S network must be off, otherwise it does not work.
In the actual configuration WireGuard and GRETAP are in the LAN firewall zone on all routers. It is working but is probably less safe for the boss's and company network.
The question is how to configure the firewall to work in a separate zone with limited access for GRETAP only?

Use tcpdump/wireshark to identify the required traffic.
Set zone policies to reject and add rules to allow only the traffic that you need.
You may need to set up a bridge firewall if any bridges are involved.
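One way to apply that advice to the GRETAP-over-WireGuard setup from the previous post: the WireGuard interface gets its own zone with a reject default, and the only rules are for GRE (IP protocol 47) to and from the one expected peer. This is an added example in OpenWrt UCI syntax, not configuration from the thread or from GL.iNet; the tunnel subnet 10.10.0.0/24, the hostname boss.example.net, the key placeholders, the UDP port and the MTU are assumptions. It shows the PLC router and the hub; the service router is the mirror image with the two tunnel addresses swapped and its LAN_2 bridge in `option network`.

```uci
# /etc/config/network on the PLC router.
# WireGuard to the Boss router, the hub with the public IP. Constructed values.
config interface 'wg'
	option proto 'wireguard'
	option private_key 'PLC_ROUTER_PRIVATE_KEY_PLACEHOLDER'
	list addresses '10.10.0.1/24'        # PLC router; the service router is 10.10.0.2

config wireguard_wg
	option public_key 'HUB_PUBLIC_KEY_PLACEHOLDER'
	option endpoint_host 'boss.example.net'
	option endpoint_port '51820'
	option persistent_keepalive '25'     # keeps the LTE NAT mapping open
	option route_allowed_ips '1'
	list allowed_ips '10.10.0.0/24'      # only the tunnel subnet, nothing else

# GRETAP carries Ethernet frames (PROFINET included) between the two sites; the
# outer GRE packets travel inside WireGuard, via the hub. Needs the 'gre' package.
config interface 'gretap_plc'
	option proto 'gretap'
	option ipaddr '10.10.0.1'            # local WireGuard address
	option peeraddr '10.10.0.2'          # service router's WireGuard address
	option network 'lan'                 # bridge the tap device into the PLC LAN
	option mtu '1380'                    # WireGuard 1420 minus GRE/IP/Ethernet
	                                     # overhead, so frames are not fragmented

# /etc/config/firewall on the PLC router.
# Dedicated zone for the WireGuard interface: everything rejected by default...
config zone
	option name 'wg'
	list network 'wg'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'

# ...except GRE with the one peer. src only = INPUT chain, dest only = OUTPUT.
config rule
	option name 'GRE-in-from-service-router'
	option src 'wg'
	option src_ip '10.10.0.2'
	option proto '47'
	option target 'ACCEPT'

config rule
	option name 'GRE-out-to-service-router'
	option dest 'wg'
	option dest_ip '10.10.0.2'
	option proto '47'
	option target 'ACCEPT'

# /etc/config/firewall on the Boss router (hub): accept WireGuard on wan and
# forward only GRE between the two spokes. The hub's LAN appears nowhere here.
config rule
	option name 'Allow-WireGuard'
	option src 'wan'
	option proto 'udp'
	option dest_port '51820'
	option target 'ACCEPT'

config zone
	option name 'wg'
	list network 'wg'
	option input 'REJECT'
	option output 'REJECT'
	option forward 'REJECT'

config rule
	option name 'Forward-GRE-between-spokes'
	option src 'wg'
	option dest 'wg'
	option proto '47'
	option target 'ACCEPT'
```

On the hub each spoke's `list allowed_ips` is that spoke's single /32, so WireGuard itself already refuses packets that do not come from the expected peer; the firewall rules above are the second layer. The bridged Ethernet frames inside GRETAP never pass the router's layer 3 forward chain, which is why the reply mentions a bridge firewall: anything you want to filter inside the bridged PLC segment has to be done there, not in these zones.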

The PLCs should have a separate network. Bad idea to merge them into an office LAN or give them any access to the Internet.

The firewall operates at layer 3, so the best way to segregate layer 2 operations is separate networks entirely.

See the image from the first post. The router at the office has two separate LAN ports. One is for the normal office network, the second is bridged only to the PLC network on the remote machine.
Layer 2 is necessary for access to the PLC by the Profinet protocol, which does not work over L3.

For security I have a plan to block internet access for IP addresses from x.x.x.1 to x.x.x.200, where the PLC and other machine hardware are. Internet access will be (maybe limited) only for devices from x.x.x.201 to x.x.x.254, which is used for example by a service laptop when we are on site. It will be another question how to do it, firewall? Or by routing to a black hole?
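The address-range split just described can be done in the firewall rather than with a black-hole route: leave the PLC LAN with no forwarding to wan at all, and accept forwarding only for the service range. This is an added example in OpenWrt UCI syntax, not configuration from the thread or from GL.iNet; the PLC network 192.168.50.0/24 stands in for the post's x.x.x.0/24 and the lease time is an assumption.

```uci
# /etc/config/firewall on the PLC router. Constructed example: the PLC network
# is 192.168.50.0/24, PLC hardware below .201, service laptops .201-.254.
config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan'
	list network 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

# Deliberately NO 'config forwarding' from lan to wan: with nothing forwarded
# by default, the PLC range .1-.200 has no internet and nothing needs a
# black-hole route.

# Only the service range is forwarded to the internet; fw3 and fw4 accept an
# address range of the form a.b.c.d-a.b.c.e in src_ip.
config rule
	option name 'Service-laptops-to-internet'
	option src 'lan'
	option src_ip '192.168.50.201-192.168.50.254'
	option dest 'wan'
	option target 'ACCEPT'

# /etc/config/dhcp on the PLC router: hand out only .201-.254 by DHCP, so a
# service laptop lands in the allowed range; PLC hardware keeps the static
# addresses set in TIA Portal / on the device.
config dhcp 'lan'
	option interface 'lan'
	option start '201'
	option limit '54'
	option leasetime '12h'
```

Two caveats. The rule matches on source address only, so a device that sets itself a static .201-.254 address gets internet access too; this is an allocation policy, not authentication. And the GRETAP bridge from the earlier posts is unaffected, because bridged frames between the sites never enter the router's forward chain.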

Good day to everyone.

I'm also not an IT guy, and a couple of years ago I looked for a similar solution and found it. For now it works pretty fine. First, PROFINET has two parts of functionality: one for commissioning, maintenance and upper-level data exchange, the second for real-time machine control. L2 access is needed only for the second part. The mechanism "IO PLC - IO device" works only over L2. But you do not need that. In TIA Portal there are two options when you try to connect to your remote PLC: "all compatible devices" and "only the same address". The option "only the same address" has been available since TIA v13 or maybe earlier and works over L3.

So, my solution is based on OpenVPN. A Synology NAS with the VPN package installed works as the central server. The PLC networks are connected by OpenWrt-flashed routers, model WR842ND. Staff notebooks connect to the VPN as simple clients. A benefit of using the NAS is also a central archive of PLC configurations. If several people deal with maintenance, it is very helpful. There are some restrictions and benefits also. All PLC networks should be unique. No need to enable the gateway option in the PLC's network settings. Each staff member has their own VPN login and password, so you can see when and who was connected to the VPN in the NAS log. No need for a white static IP for mill-floor routers or staff notebooks. No need for a white static IP in the center - Synology provides a DDNS service for life. You need a white IP in the center for port forwarding, or the provider's UPnP should work fine.

One explanation should be added: why I chose OpenVPN. Only OpenVPN has elementary routing capabilities. Other VPNs are in fact point-to-point bridges and need additional routing tools. So, it is an "all in one" solution.
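The routed (TUN) layout of this post, seen from one site router, as an added example in OpenWrt UCI syntax. It is not the poster's configuration: the NAS hostname nas.example.net, the site subnet 192.168.101.0/24, the certificate paths and the section names are assumptions, and the masquerade on the lan zone is my reading of how the PLCs can answer without a gateway configured, not something the post states.

```uci
# /etc/config/openvpn on a site router (PLC network 192.168.101.0/24, unique per
# site as the post requires). Routed mode: dev tun, tunnel address from the
# server's pool. Constructed values throughout.
config openvpn 'site_a'
	option enabled '1'
	option client '1'
	option dev 'tun0'
	option proto 'udp'
	option remote 'nas.example.net 1194'
	option nobind '1'
	option remote_cert_tls 'server'
	option ca '/etc/openvpn/ca.crt'
	option cert '/etc/openvpn/site-a.crt'
	option key '/etc/openvpn/site-a.key'
	option persist_key '1'
	option persist_tun '1'
	option verb '3'

# /etc/config/network: a logical interface for tun0 so a firewall zone can
# reference it (no address here, OpenVPN assigns it).
config interface 'vpn'
	option proto 'none'
	option ifname 'tun0'

# /etc/config/firewall on the site router.
config zone
	option name 'vpn'
	list network 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'          # SNAT traffic entering the PLC LAN to the router's
	                         # own LAN address: the PLCs have no gateway set, so
	                         # they can only answer hosts on their own subnet
	                         # (assumption explaining the post's "no gateway" note)

# Staff notebooks (VPN clients) may reach the PLCs; nothing is forwarded the
# other way, so the PLC network cannot initiate anything towards the VPN.
config forwarding
	option src 'vpn'
	option dest 'lan'
```

For the notebooks to reach 192.168.101.0/24 the server must know the subnet lives behind the site-a certificate: in plain OpenVPN terms that is a `route` for the subnet, a client-config-dir entry for site-a containing an `iroute` for it, and a pushed route to the notebook clients; how the Synology VPN Server package exposes these settings is not covered by the thread. Because the masquerade hides the notebook's address, the TIA Portal connection is made with the "only the same address" option and the PLC's own IP, as the post describes, rather than the L2 scan behind "all compatible devices".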