Siemens PLC -Uploading and downloading using netPI & VPN

[Armin@netPI]

You need the key for the tosibox registry hosted by google.

The key/password is

Code:

{ "type": "service_account", "project_id": "tosibox-oy", "private_key_id": "46904dc689f2458b8e0986415ca20b00d3450ed1", "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDBl3AUXI+xzYcZ\nWlop7iRUKywgmKvPe/hC/NKa8dU/9okHi7yh7oLywQvNTsC7VyP55gknDR1TTqim\nkpMi7wtQRpWS4DcoWKLMv2IIM9wgmQR0ywd7J5SiJ+MVkpT9Q5mG00pDJkWoRFoD\n7Al1pvSM9E1Tm3aaDEy5VYQPF9cwvzTSh2A9a5mVYq4IrTYqVopkQL6B3wGmXOZS\nGuO/lvS/YBcaTPg+r80ozI7evUoGB3ElpteTpgjsdXmBHDrxWFlALliOYHk8bgHW\nCLHBb3I5Lx1YNIeOcKBr2RkDLeIk6vkxFtFLoIdfPJo9Qi1HCUcccHGhIECrQ87H\n5Xx377O9AgMBAAECggEAJ/HJ2AGzSpIoXpRUh1NSXqWb0Mv/o2umcZf+Eqd0g2Ko\nqoxsKxNuJI2tlDq8LMuRqkYLPGoJ038m8FvNDUe6k2FFCo3GA8aqLMoOfbfJo1Y/\nY6Pi0sf7dKv7QJ/CqzFQE9A0Af/7HnmgAzAoUYTV7+GWtPoecjG4gQNCoOSf67gk\nVlhbrqh3Y7xVvSHCRQe7Wk2I7Y6EbCRN0gcrNA1/FoHi38yVxmjekXc8K7chmt0V\n+HrP+Zz2YGv/SoimOFhLVUOHkgKUVSmqzw9MpOsnIEQy6DKGVQ0TdjzvwBdzNiyy\nrhkaBeVmClUTBIcBGhsHlZFG3EMHkR72XeJe5l9S5wKBgQDj/RFHyYT/EI7McJn1\nCJshM/wizCM87NVcE2OnsXuPvro6zsmrLNqUU5HiHdIgTOtuwgOxuYSUroYtZVEu\nuQggzqzrMjFKQlbT26Pvbsp3QkL5zB+XZPuSPEX0+OMp3rwYFd6qvqQxf5HPb2P0\nlVJXFEZ56TnJ412EDmptuarAawKBgQDZYHr9H/wIdY4jbbwzP+PIyqCcS4d/zUog\nkrIZjGUI+hRFUD8b1EPlPCTh1pRzeHIQsM5LHEmlSTOKfxbrhomlQpFXmQISq3zB\nshLUXD8cDHg8y1Bh1/f+iHgY9JB1F/uT9ImBi2p17f7+E/YQKPOb9KX11X38GjtS\nkxLmq5lGdwKBgQChelLM96ydQ8sAfhhtdyT5BWrl8pRayJvt1UXWNlz/2OTqViB8\nfw5p1C8Vam2ztwdhsUUQkgeXj201pfc0EpXxNrE+/JPwtr/s2jpokZ4RjfsGFk+h\n2UJdtxcNhWLP+xRaMtM9OD3vWR2bQJgZWdGyH4gzPL9TgRhxOgyjnseT9QKBgC70\nFBzQ59O78LPeZCR9zGn2urKH7gDBCx32EdpK5RgHTJGcP8V3GCNP1nehrfczMRBB\n4I2A0reNFED6Kq09JkY4FsThG/2EZTJBkKemNUuNtfsLv5Ui3UJxn99kFD/2qjTP\nQVRmFNzcR5QCI8hh0B0Dv0VWlBv8Xov7kL2am0UJAoGAHl2zdLqSpmfEOku9wbim\nfaU4odoRNZ01fjqLXAlKxB4C9cssVNPeqAy2y4QPrYdjuO0HjQp49/rHux6zD4oE\nerGQ/njBRwZvhbHuepc4owb2VgEkXowB3EH6VgsRkUOPcU+4tlv7kgLK4CdULJ0w\nSatJzLHj6YqfkET+8UdsPlo=\n-----END PRIVATE KEY-----\n", "client_email": "softx-image-puller@tosibox-oy.iam.gserviceaccount.com", "client_id": "108813524093408648050", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/softx-image-puller%40tosibox-oy.iam.gserviceaccount.com" }

Use it as password when defining the cusotom registry in portainer's web UI.

[Armin@netPI]

In general I want to highlight that 3rd party software is not supported by this forum and threads.

Tosibox alone is responsible for their software and not Hilscher. So any support has to go through Tosibox support team.

[MGharat]

Hello Armin,

yes, we got key from Tosibox.

which I entered as below while creating registry. attached screenshot as authentication enabled.
•Username - _json_key

•Password - 1b3semqfVvcYES8edSUGI1v78  

Then I am trying to pull the image which gives error..

---

In general I want to highlight that 3rd party software is not supported by this forum and threads.

Tosibox alone is responsible for their software and not Hilscher. So any support has to go through Tosibox support team.

ok Armin, we will check with Tosibox .

Thanks & BR
Madhumati

[Armin@netPI]

The password you sent is not the same as my password posted previously.

[MGharat]

yes Armin, I was doing wrong.

Thanks for password key, image is pulled now.

[Armin@netPI]

I intensified my tests with Tosibox "Lock for Container" product on a netPI RTE 3 along with a Siemens S7-1200 PLC.

First I configured netPI to join a Wifi network as a client to get connected to an internet router. This creates the route how the deployed Tosibox container connects to the central Tosibox internet remote server.

Using Wifi made me "free" during my tests to configure any static IP address on either netPI's single or the dual Industrial Ethernet ports to let it match the IP subnet my S7-1200 PLC was previously configured to while in parallel netPI has internet access.

My PLC had an IP address of 10.11.5.253. To let Tosibox container reach this IP address respectively a whole IP range and route it fine I had to configure an additional routing path for the network 10.11.0.0 with subnet mask 255.255.0.0. This is all I had to do.

Then I was doing the usual Tosibox internet pairing/matching procedure between the netPI as Tosibox server and my maintenance notebook hosting the Tosibox client software and I was able to ping the PLC immediately after the remote tunnel connection was established clicking "connect" in the client software.

After that I started my Siemens Engineering software TIA portal on my notebook and prepared a simple PLC program to be downloaded to the PLC. Since the Tosibox connection was already established well I was using exactly the 10.11.5.253 IP address during my TIA network configuration and continue as if the remote PLC was connected to my notebook locally.

There is a feature in TIA software that is called "Update accessible devices" that is able to scan your computer's onboard ethernet interfaces for PLCs. This is a feature that Tosibox product "Lock for Container" does not support to tunnel since Ethernet multicast and unicast mechanism and telegrams are used here. So don't be astonished that this doesn't work here.

So when TIA asks for the target device during your "going online" click do the following like the picture illustrates:

   

Select "Show devices with the same addresses" and then click "Start search". Instead of using the usual boardcast Ethernet messages now TIA is directly addressing the PLC over the configured IP address and hence it gets it scanned. After clicking "GoOnline" I was able to get connected to the PLC over the Tosibox tunnel. Here is a screen shot I made of reading PLC values from the inner program logic:

   

So it is proven Tosibox can be used to remote access Siemens S7 PLC from anywhere in the world using netPI.

[SAhire@hilscher.local]

"I had to configure an additional routing path for the network 10.11.0.0 with subnet mask 255.255.0.0."

Please share the screen shot for this setting.

BR,
Sandip Ahire

[Armin@netPI]

It is in accordance to the paper you already received from TOSIBOX team named "Lock for Container - Static Routec R0.1. docx". Just two values need to be entered, and "save" needs to be clicked. After this setting a restart of netPI is necessary.

   

During this test setup the netPI eth0 IP address was set to 10.11.5.252 at 255.255.0.0 subnet mask.
During this test setup the PLC IP address was set to 10.11.5.253.

This is all you need.

Thx
Armin

[SAhire@hilscher.local]

For my setup netPI  eth0 IP address was set to 192.168.253.1 at 255.255.255.0 subnet mask.

&  NL 50 MPI IP 192.168.253.5 at 255.255.255.0 subnet mask, but NL 50 MPI IP Showing the red     .I had to configure an additional routing path for the network 192.168.0.0 with subnet mask 255.255.255.0    

My docker container bridge network     

BR,
Sandip 

[Armin@netPI]

I see you setup a "tbnet" network of 192.168.0.0. It might be bad if your eth0 is set to IP address 192.168.251.1 at the same time which is in the same subnetk. I don't know exactly since I am no IT expert, but it might be possible.

Here is what I recommend to you and to your customer always: do not use an extra network like "tbnet" at all. For customers and you it is easier to use standard "brigde" network always that comes with Docker by default. It is not needed to define extra network even if the documentation tells it. I am doing it the same always. In this case Docker automatically assigns the TOSIBOX container automatically a network and IP address and range. It is easier to setup.

So stop and remove your current container and redeploy it and during deployment use standard "bridge" mode instead of "tbnet". This is how I tested it with my S7-1200 PLC as well. After that setup a static route to 192.168.253.0 at subnetmask 255.255.255.0. This is all you need to do.

I see you setup also a NL50MPI extra. This is also not necessary. Once you setup the routing and restart netPI again then automatically the network 192.168.253.0 - 255 is available on your remote machine and you can ping your PLC over netLINK MPI at 192.168.253.5 immediately.