Documentation for die Version 1.19
S7 firewall is a scalable “PLC firewall”, which not only filters IP / MAC addresses, but also allows access to arbitrary data areas of the PLC to be restricted / defined. / S7-firewall detects the installation direction automatically. Only configured connections are allowed.
In the standard version, S7 firewall is equipped with a WAN port and 4 LAN ports as a switch.
Operating modes | S7-Firewall |
Services | DHCP Client/Server |
NTP Client/Server | |
Connections | 1x WAN |
4x LAN-Port as Switch |
The network settings, etc. can be parameterized in the configuration. The input forms are usually self-explanatory. However, we are happy to accept suggestions from users to make the operation even easier.
In the delivery state, the following IP addresses are set:
192.168.1.57
192.168.2.1
You have the following options to access S7 firewall via WEB browser.
On the PC, assign an IP address from the corresponding network segment (for example, 192.168.1.100 or 192.168.2.100) and connect the PC to LAN or WAN via Ethernet. In the browser, type http: //192.168.1.57, or http: //192.168.2.1.
Or you make your PC to obtain IP address automatically and connect it to the LAN port of the S7 firewall. S7 firewall automatically assigns an IP address to the PC. In the browser you can address the device with: http: // S7 firewall.
Under the item System button, you have two options which are allowed when the button is pressed, at least one option must be selected:
allow factory settings | The device can be set to the delivery condition | |
---|---|---|
Allow start by default | The device is set to the already stored basic settings |
Attention!
Use one of the 4 switch ports to configure it because it may happen that the WAN port is no longer accessible
Do not leave the unit in operation. Disconnect the device from the production network and perform the reset in an autarkic environment. The configuration computer and the device should
While not connected to the company network
No worries we do not take any work rest.
The button hides between WAN and LAN ports (small hole). Only the activated options are available.
Proceed as follows:
Parameter | possible setting | Routing direction / purpose |
---|---|---|
device name | at will | |
language | deutsch | Sets the language of the operating level. Possibly. After changing your WebBrowser, reload the page. |
englisch | ||
Standard Gateway | fix (as specified) from WAN over DHCP from WAN over PPPoE from LAN over DHCP from Modem over PPP | |
1. DNS | ||
2. DNS | ||
Routing Mode | Office | LAN → Routinginterface |
Machine | Routinginterface → LAN | |
Routinginterface | WAN/IP | IP-Routing over WAN |
Modem | IP-Routing over Modem | |
WAN/PPPOE | IP-Routing over PPPoE on WAN-Port | |
WAN/OVPN | Routing over OVPN on WAN-Port | |
WAN/Bridge | Ethernet-Routing on WAN-Port |
Parameter | Possible setting | Purpose |
---|---|---|
Standard Gateway | fix (as defined), over DHCP | |
1. DNS | ||
2. DNS | ||
1-3. IP address with Netmask | IP address / Netmask | Netmask 0.0.0.0 automatically calculates netmask, depending on A, B, C-B network. e.g. 192.168.0.x → 255.255.255.0 10.x.x.x → 255.0.0.0 When using fixed IP addresses, at least the 1st IP address must be configured. Otherwise the device starts with the factory setting |
DHCP | no | Do not use DHCP The remaining DHCP parameters are not used |
Client | The network interface is called a DHCP client and obtains the IP address automatically from a DHCP server. The remaining DHCP parameters are not used | |
Server | The network interface operates a DHCP server. The remaining DHCP parameters must be parameterized. | |
Start-IP | Start-IP-Address | Start IP address when operating as a DHCP server |
End-IP | End-IP-Address | End IP address when operating as a DHCP server |
Subnet | Subnetaddress | Address of the subnet for assigning the IP addresses as a DHCP server |
Domain | Free | Name of the domain when used as a DHCP server |
Router-IP | IP-Address | Is the IP address, which is passed as a DHCP server as a gateway during operation |
The WAN / LAN port has shared IP addresses
Up to 3 different IP addresses and subnets can be configured.
The port can also be operated as a DHCP server or client.
The necessary data for the IP assignment is entered here.
For the operation as DHCP / server fixed assignments MAC-IP address can be fixed. (See “DHCP fixed addresses).
It also determines which services are available at the port (Web Config), Ping, SSH (for developers only)
If the built-in DHCP server (on the WAN or LAN) is operated, it can be useful to allocate the same IP address to the IP addresses.
Here you can specify which MAC address receives which IP address.
Here is the form for the input of the WEB-Interface users. Per user, different authorizations can be assigned.
In principle, only one user can make changes with “SU”. U1 - U5 is only allowed to operate the interface.
In the S7 firewall expansion modules, “U1” - “U5” have more precisely specified operating rights.
The PLC firewall connections result from the combination of
HMI / PG station and PLC station
Modi | Description |
---|---|
off | no active Firewall |
S7-Firewall Router | WAN port and LAN ports have separate IP networks. All functions and purchased options of the TeleR <4> / sup> can be used |
S7-Firewall Classic | WAN port and LAN ports are an IP network. Only IP address ranges entered in the WAN page are handled. for example IP WAN 192.168.2.15 IP LAN: 192.168.3.3 If a device with the IP 192.168.3.6 is connected, this is not treated until a 192.168.3.xxx address is entered in the WAN |
Parameter | Possible setting | Purpose |
---|---|---|
Nr. | Automatic | consecutive number |
Name | Free from the user | station name |
active | yes (x) | Connections to this station are handled by the firewall |
no () | Connections to this station are not processed, i.e. they are blocked | |
IP-Address | IP address of the HMI / PG device | Identification of the sender Input is essential |
MAC-Address | MAC address of the HMI / PG device | Identifies the HMI / PG additionally via the MAC address. 00: 00: 00: 00: 00: 00 means that the MAC address is not checked. If the value is not equal to 0, the MAC address of the station must match the input |
Connection channel | Used channel of the connection | In the Simatic S7 PG and OP channels are available. This channel is used as an additional feature for identifying the sender. Both PG and OP functions are possible on each of the two channels. Operating units / WinCC etc. usually use OP channels. This channel is also recommended for HMI devices. The Siemens PG software basically uses the PG channel. Unfortunately, there is a variety of software on the market that does not have the expertise to set this channel. This can be found in the LOG file. A reasonable HMI software, or the corresponding software driver, provides for the adjustability of this channel. For example, (PG / HMI identical) from the same computer, the PG / OP channel remains to identify the sender. The PLC channel corresponds to the “other” or “other” channel in the PLC |
Parameter | Possible setting | Purpose |
---|---|---|
Nr. | automatic | consecutive number |
Name | Free of the user | Name of the Station |
active | yes (x) | Connections to this station are handled by the firewall |
no() | Connections to this station are not processed, i. They are blocked | |
IP-Address | IP address of the PLC station | Identification of the sender Entry required |
The connections are made up of the combination HMI / PG station and PLC station. Each HMI / PLC station can be used several times. If the Mac or IP address is changed, this must only be changed centrally in the HMI / PG station or PLC station. Each connection is assigned a connection rule.
If “PG full function” is selected, this connection is a full access. In the future, this access can be divided more closely (Read / write defined blocks, PLC start / stop, reset, system data (read / write)).
Parameter | Possible setting | Purpose |
---|---|---|
Nr. | automatic | consecutive number |
Name | Free of the user | Connection name Also serves as a “link” to open and edit the rule script. |
active | yes (x) | This connection is processed by the firewall |
no () | This connection is not processed, i. It is blocked | |
Allow PG Full Function | (x) | This connection is a PG connection and can carry out all functions |
no () | This connection is a Restricted Connection. Only accesses to the shared function and data areas, as defined in the associated rule script, are permitted. |
In the rule script, the data areas or possible accesses for the respective connection are defined. The script can be reached via the link of the name of the connection.
Syntax of the control script
first Character | Function | Rest of the line |
---|---|---|
# | The line is a comment | free Text |
Double slash | ||
(No character, it equals operand / range) | The following section is only for reading (readonly) | Operand / Range see below |
r: | ||
w: | The following area is only for writing (writeonly) | |
rw: | The following area is readable and writable (read / write) |
In a RuleRow, a single operand, or I can enter a range.
Example for entering individual operands: (source from Siemens STEP-S7 PG software)
Allowed operand | Data type | Example(Mnemonik German) | Example (Mnemonik English) |
---|---|---|---|
Input I Output I Flag | BYTE | EB 1 I AB 10 I MB 10 | IB 1 I QB 10 I MB 10 |
Input I Output I Flag | WORD | EW 1 I AW 10 I MW 10 | IW 1 I QW 10 I MW 10 |
Input I Output I Flag | DWORD | ED 1 I AD 10 I MD 10 | ID 1 I QD 10 I MD 10 |
Periphery (Input I Output) | BYTE | PB 0 I PEB 0 I PAB 1 | PB 0 I PIB 0 I PQB 1 |
Periphery (Input I Output) | WORD | PW 0 I PEW 0 I PAW 1 | PW 0 I PIW 0 I PQW 1 |
Periphery (Input I Output) | DWORD | PW 0 I PED 0 I PAD 1 | PD 0 I PID 0 I PQD 1 |
Timer | TIMER | T 1 | T 1 |
Counter | COUNTER | Z 1 | C 1 |
Data block | BOOL | DB1.DBX 1.0 | DB1.DBX 1.0 |
Data block | BYTE | DB1.DBB 1 | DB1.DBB 1 |
Data block | WORD | DB1.DBW 1 | DB1.DBW 1 |
Data block | DWORD | DB1.DBD 1 | DB1.DBD 1 |
Note: The entry of “DB0 …” is not allowed due to internal use.
Example for entering ranges, with number of units:
since Flag 60, 10 Byte: MB60, 10
since DB10, Data word 2, 5 words: DB10.DW2, 5
After the comma, the number of units required (depending on the address type, BOOL, BYTE, WORD, DWORD)
Example for entering ranges from “from” to ”:“
Flag Byte 70 bis Flag Byte 200: MB 70 – MB 200
Output A 10.2 bis Output 14.7: A 10.2 – A14.7
Just after start operands with, -, specify the end operand (end address). The end address is included!