×
Siemens Industry Online Support
Siemens AG
Entry type: FAQ Entry ID: 31525978, Entry date: 12/15/2008
(1)
Rate

Which firewall rules should you configure for the EGPRS router MD741-1 in order to have access to the Internet with the PG/PC from the LAN of the MD741-1?

  • Entry
  • Associated product(s)

Configuration Notes:
This entry is a supplement to Configuration 9 "Secure Remote Access to SIMATIC Stations via Internet using EGPRS router MD741-1 and SCALANCE S612". Configuration 9 is available for downloading in the Internet in Entry ID: 24960449.

Configuration 9 describes the configuration of a VPN tunnel between the SCALANCE S and EGPRS router MD741-1 via the Internet. This enables communication between the protected automation cells.

If you have used the EGPRS router MD741-1 to set up a VPN tunnel to a SCALANCE S via the Internet, then initially only communication between the protected automation cells works. In order to be able to access the Internet with a PG/PC from the local network of the MD741-1 via EGPRS, you must configure specific firewall rules for the EGPRS router MD741-1. Proceed as follows. Access to the Internet is possible here via the VPN tunnel in parallel to an existing communication.

Adapting the network parameters of the PG/PC
First of all, in the Windows network settings, in the properties of your LAN connection, you adapt the network parameters of the PG/PC you wish to use to access the Internet to the settings of the MD741-1 (START -> Settings -> Network connections -> Double-click on the network card (e.g. LAN connection) -> Properties -> Double-click on Internet Protocol). If you have not yet changed the settings of the MD741-1, the default IP address is 192.168.1.1 and the associated subnet mask is 255.255.255.0.
If you have already changed the settings of the MD741-1, for example as described in Configuration 9, then you must adapt the settings of the network parameters of your PG/PC to the relevant network.
If you have assigned the MD741-1 the IP address 140.70.0.1 used in Configuration 9 and the subnet mask 255.255.0.0, then the following settings of your PG/PC's network parameters would be a valid configuration.


Fig. 01

 
PG/PC parameters SCALANCE S in Bridge Mode
IP address Address from the complete local network specified manually or via DHCP, for example 140.70.0.69.
Subnet mask Must be assigned to match the IP address, for example 255.255.0.0.
Default gateway The IP address of the MD741-1, for example 140.70.0.1.
DNS server The IP address of the MD741-1, for example 140.70.0.1.

Since the IP address of the MD741-1 has been entered as default gateway and as DNS server, the PG/PC addresses the MD741-1 for website queries.

Logging on to the web interface of the MD741-1
Log on to the web interface of the MD741-1. You reach the web interface via an Internet browser, Internet Explorer for example, and the following input:

  • https:// followed by the IP address of the MD741-1 (in this example, https://140.70.0.1)

The user name is "admin" and the default setting for the password is "sinaut".

Check the default settings of the MD741-1
Under the menu item Local Network -> Basic Settings -> DNS, make sure that the default settings shown in Fig. 02 are active. Thus the address assigned by the mobile phone provider for the DNS server is used to process website queries.


Fig. 02

Create firewall rules
Now create a firewall rule to permit access to the Internet. For this you select the menu item External Network -> Security -> Packet Filter. Insert the new outgoing firewall rules and then click on "New". Select TCP for "Protocol" and in the "To port" field you enter 80 as shown in the figure. Apply the settings with "Save".


Fig. 03

This rule now permits access by all nodes from the local network to all addresses in the Internet via Port 80.

If you wish to activate access for just one single node, for example for your PG/PC, you can do this through a specific firewall rule.


Fig. 04

This rule permits access of only the node with the IP address 140.70.0.69 to all addresses in the Internet via Port 80.

Configure MD741-1 as DHCP server
Alternatively you can also configure the MD741-1 as a DHCP server so that IP address, subnet mask, default gateway and DNS server are assigned automatically to your PG/PC.

  • For this you switch to the web interface of the MD741-1 and select the menu item Local Network -> Basic Settings -> DNS.
  • Start the DHCP server. The MD741-1 is Default Gateway and DNS server itself. Therefore, here the IP address 140.70.0.1 of the MD741-1 is specified as Default Gateway and DNS server. Enable the dynamic address pool and define an address range from which the IP address is to be assigned to the PG/PC or other network nodes, for example, 140.70.0.20 to 140.70.0.80. Apply the settings with "Save".
  • When using DHCP make sure that the whole address range specified for dynamic assignment is also activated for access to the Internet via a firewall rule.


Fig. 05

Now, so that your PG/PC is able to obtain an IP address dynamically from the DHCP server, in the Windows network settings in the Properties of your LAN connection, you must set the network parameters of the PG/PC that you want to use to access the Internet as follows.


Fig. 06

Security information
In order to protect technical infrastructures, systems, machines and networks against cyber threats, it is necessary to implement – and continuously maintain – a holistic, state-of-the-art IT security concept. Siemens’ products and solutions constitute one element of such a concept. For more information about cyber security, please visit
https://www.siemens.com/cybersecurity#Ouraspiration.