Traeger S7-Firewall Manuale utente

Söllnerstr. 9 92637 Weiden [email protected] +49 (0)961 48 23 0 0

S7-Firewall quick start guide 1 / 9 2021/02/28 20:29

S7-Firewall quick start guide

Documentation for die Version 1.19

Söllnerstr. 9 92637 Weiden [email protected] +49 (0)961 48 23 0 0

S7-Firewall quick start guide 2 / 9 2021/02/28 20:29

Introduction

S7 ﬁrewall is a scalable “PLC ﬁrewall”, which not only ﬁlters IP / MAC addresses, but also allows access to

arbitrary data areas of the PLC to be restricted / deﬁned. / S7-ﬁrewall detects the installation direction

automatically. Only conﬁgured connections are allowed.

Hardware

Standard hardware

In the standard version, S7 ﬁrewall is equipped with a WAN port and 4 LAN ports as a switch.

Operating modes S7-Firewall

Services DHCP Client/Server

NTP Client/Server

Connections 1x WAN

4x LAN-Port as Switch

Conﬁguration

The network settings, etc. can be parameterized in the conﬁguration. The input forms are usually self-

explanatory. However, we are happy to accept suggestions from users to make the operation even easier.

In the delivery state, the following IP addresses are set:

192.168.1.57

192.168.2.1

You have the following options to access S7 ﬁrewall via WEB browser.

On the PC, assign an IP address from the corresponding network segment (for example, 192.168.1.100 or

192.168.2.100) and connect the PC to LAN or WAN via Ethernet. In the browser, type http: //192.168.1.57,

or http: //192.168.2.1.

Or you make your PC to obtain IP address automatically and connect it to the LAN port of the S7 ﬁrewall.

S7 ﬁrewall automatically assigns an IP address to the PC. In the browser you can address the device with:

http: // S7 ﬁrewall.

System button, Reset system

Under the item System button, you have two options which are allowed when the button is pressed, at

least one option must be selected:

allow factory settings The device can be set to the delivery condition

Söllnerstr. 9 92637 Weiden [email protected] +49 (0)961 48 23 0 0

S7-Firewall quick start guide 3 / 9 2021/02/28 20:29

Allow start by default The device is set to the already stored basic settings

Attention!

Use one of the 4 switch ports to conﬁgure it because it may happen that the WAN port is no

longer accessible

Do not leave the unit in operation. Disconnect the device from the production network and

perform the reset in an autarkic environment. The conﬁguration computer and the device

should While not connected to the company network

No worries we do not take any work rest.

The button hides between WAN and LAN ports (small hole). Only the activated options are available.

Proceed as follows:

E.g. Oﬃce clamps

Make the device de-energized!

Insert the clasp in the hole

turn back on

When the four LED's go out and only the power LED is on, hold down the button with the oﬃce clip

until all four LEDs ﬂash fast

Release the button

Now appears a sort of selection. When the button is pressed in the desired state, the desired action

is performed

Basic setting

LED S3 (bottom right) ﬂashes

The device boots in the basic setting (network / IP addresses of the delivery state

are used). Now you can make the desired changes to the network settings.

However, these settings are not activated until the device is restarted.

Factory setting

LED Power and S3 ﬂash

All settings are deleted

Conﬁguration of the device

Parameter possible setting Routing direction / purpose

device name at will

language deutsch Sets the language of the operating level. Possibly. After

changing your WebBrowser, reload the page.

englisch

Standard Gateway ﬁx (as speciﬁed)

from WAN over DHCP

from WAN over PPPoE

from LAN over DHCP

from Modem over PPP

1. DNS

2. DNS

Routing Mode Oﬃce LAN → Routinginterface

Machine Routinginterface → LAN

Routinginterface

WAN/IP IP-Routing over WAN

Modem IP-Routing over Modem

WAN/PPPOE IP-Routing over PPPoE on WAN-Port

WAN/OVPN Routing over OVPN on WAN-Port

WAN/Bridge Ethernet-Routing on WAN-Port

Söllnerstr. 9 92637 Weiden [email protected] +49 (0)961 48 23 0 0

S7-Firewall quick start guide 4 / 9 2021/02/28 20:29

Network settings

Parameter Possible setting Purpose

Standard Gateway ﬁx (as deﬁned), over

DHCP

1. DNS

2. DNS

1-3. IP address

with Netmask IP address / Netmask

Netmask 0.0.0.0 automatically calculates netmask,

depending on A, B, C-B network.

e.g. 192.168.0.x → 255.255.255.0

10.x.x.x → 255.0.0.0

When using ﬁxed IP addresses, at least the 1st IP address

must be conﬁgured. Otherwise the device starts with the

factory setting

DHCP

no Do not use DHCP

The remaining DHCP parameters are not used

Client

The network interface is called a DHCP client and obtains

the IP address automatically from a DHCP server. The

remaining DHCP parameters are not used

Server The network interface operates a DHCP server. The

remaining DHCP parameters must be parameterized.

Start-IP Start-IP-Address Start IP address when operating as a DHCP server

End-IP End-IP-Address End IP address when operating as a DHCP server

Subnet Subnetaddress Address of the subnet for assigning the IP addresses as a

DHCP server

Domain Free Name of the domain when used as a DHCP server

Router-IP IP-Address Is the IP address, which is passed as a DHCP server as a

gateway during operation

The WAN / LAN port has shared IP addresses

Up to 3 diﬀerent IP addresses and subnets can be conﬁgured. The port can also be operated as a DHCP

server or client. The necessary data for the IP assignment is entered here. For the operation as DHCP /

server ﬁxed assignments MAC-IP address can be ﬁxed. (See “DHCP ﬁxed addresses). It also determines

which services are available at the port (Web Conﬁg), Ping, SSH (for developers only)

DHCP Fixed MAC / IP address assignment

If the built-in DHCP server (on the WAN or LAN) is operated, it can be useful to allocate the same IP

address to the IP addresses. Here you can specify which MAC address receives which IP address.

Söllnerstr. 9 92637 Weiden [email protected] +49 (0)961 48 23 0 0

S7-Firewall quick start guide 5 / 9 2021/02/28 20:29

Web-User

Here is the form for the input of the WEB-Interface users. Per user, diﬀerent authorizations can be

assigned. In principle, only one user can make changes with “SU”. U1 - U5 is only allowed to operate the

interface. In the S7 ﬁrewall expansion modules, “U1” - “U5” have more precisely speciﬁed operating rights.

S7-Firewall-settings

The PLC ﬁrewall connections result from the combination of HMI / PG station and PLC station

S7-Firewall operation

Modi Description

oﬀ no active Firewall

S7-Firewall Router WAN port and LAN ports have separate IP networks. All functions and purchased

options of the TeleR <4> / sup> can be used

S7-Firewall Classic

WAN port and LAN ports are an IP network. Only IP address ranges entered in the WAN

page are handled.

for example IP WAN 192.168.2.15

IP LAN: 192.168.3.3

If a device with the IP 192.168.3.6 is connected, this is not treated until a

192.168.3.xxx address is entered in the WAN

Enter the HMI / PG stations

Parameter Possible setting Purpose

Nr. Automatic consecutive number

Name Free from the user station name

active yes (x) Connections to this station are handled by the ﬁrewall

no () Connections to this station are not processed, i.e. they are blocked

IP-Address IP address of the

HMI / PG device Identiﬁcation of the sender Input is essential

MAC-Address

MAC address of

the HMI / PG

device

Identiﬁes the HMI / PG additionally via the MAC address. 00: 00: 00:

00: 00: 00 means that the MAC address is not checked. If the value is

not equal to 0, the MAC address of the station must match the input

Söllnerstr. 9 92637 Weiden [email protected] +49 (0)961 48 23 0 0

S7-Firewall quick start guide 6 / 9 2021/02/28 20:29

Parameter Possible setting Purpose

Connection

channel

Used channel of

the connection

In the Simatic S7 PG and OP channels are available. This channel is

used as an additional feature for identifying the sender. Both PG and

OP functions are possible on each of the two channels. Operating

units / WinCC etc. usually use OP channels. This channel is also

recommended for HMI devices. The Siemens PG software basically

uses the PG channel. Unfortunately, there is a variety of software on

the market that does not have the expertise to set this channel. This

can be found in the LOG ﬁle. A reasonable HMI software, or the

corresponding software driver, provides for the adjustability of this

channel. For example, (PG / HMI identical) from the same computer,

the PG / OP channel remains to identify the sender.

The PLC channel corresponds to the “other” or “other” channel in the

PLC

Input the PLC stations

Parameter Possible setting Purpose

Nr. automatic consecutive number

Name Free of the user Name of the Station

active

yes (x) Connections to this station are handled by the ﬁrewall

no() Connections to this station are not processed, i. They are

blocked

IP-Address IP address of the PLC station Identiﬁcation of the sender

Entry required

Enter the S7 ﬁrewall connections

The connections are made up of the combination HMI / PG station and PLC station. Each HMI / PLC station

can be used several times. If the Mac or IP address is changed, this must only be changed centrally in the

HMI / PG station or PLC station. Each connection is assigned a connection rule.

If “PG full function” is selected, this connection is a full access. In the future, this access can be divided

more closely (Read / write deﬁned blocks, PLC start / stop, reset, system data (read / write)).

Parameter Possible setting Purpose

Nr. automatic consecutive number

Name Free of the user Connection name Also serves as a “link” to open and edit the rule

script.

active yes (x) This connection is processed by the ﬁrewall

no () This connection is not processed, i. It is blocked

Allow PG Full

Function

(x) This connection is a PG connection and can carry out all functions

no ()

This connection is a Restricted Connection. Only accesses to the

shared function and data areas, as deﬁned in the associated rule

script, are permitted.

The rule script

In the rule script, the data areas or possible accesses for the respective connection are deﬁned. The script

can be reached via the link of the name of the connection.

Söllnerstr. 9 92637 Weiden [email protected] +49 (0)961 48 23 0 0

S7-Firewall quick start guide 7 / 9 2021/02/28 20:29

Syntax of the control script

ﬁrst Character Function Rest of the line

#The line is a comment free Text

Double slash

(No character, it equals

operand / range) The following section is only for reading (readonly)

Operand / Range see

below

w: The following area is only for writing (writeonly)

rw: The following area is readable and writable (read /

write)

In a RuleRow, a single operand, or I can enter a range.

Example for entering individual operands: (source from Siemens STEP-S7 PG software)

Allowed operand Data type Example(Mnemonik German) Example (Mnemonik English)

Input I Output I Flag BYTE EB 1 I AB 10 I MB 10 IB 1 I QB 10 I MB 10

Input I Output I Flag WORD EW 1 I AW 10 I MW 10 IW 1 I QW 10 I MW 10

Input I Output I Flag DWORD ED 1 I AD 10 I MD 10 ID 1 I QD 10 I MD 10

Periphery (Input I Output) BYTE PB 0 I PEB 0 I PAB 1 PB 0 I PIB 0 I PQB 1

Periphery (Input I Output) WORD PW 0 I PEW 0 I PAW 1 PW 0 I PIW 0 I PQW 1

Periphery (Input I Output) DWORD PW 0 I PED 0 I PAD 1 PD 0 I PID 0 I PQD 1

Timer TIMER T 1 T 1

Counter COUNTER Z 1 C 1

Data block BOOL DB1.DBX 1.0 DB1.DBX 1.0

Data block BYTE DB1.DBB 1 DB1.DBB 1

Data block WORD DB1.DBW 1 DB1.DBW 1

Data block DWORD DB1.DBD 1 DB1.DBD 1

Note: The entry of “DB0 …” is not allowed due to internal use.

Example for entering ranges, with number of units:

since Flag 60, 10 Byte: MB60, 10

since DB10, Data word 2, 5 words: DB10.DW2, 5

After the comma, the number of units required (depending on the address type, BOOL, BYTE, WORD,

DWORD)

Example for entering ranges from “from” to ”:“

Flag Byte 70 bis Flag Byte 200: MB 70 – MB 200

Output A 10.2 bis Output 14.7: A 10.2 – A14.7

Just after start operands with, -, specify the end operand (end address). The end address is included!

Söllnerstr. 9 92637 Weiden [email protected] +49 (0)961 48 23 0 0

S7-Firewall quick start guide 8 / 9 2021/02/28 20:29

Söllnerstr. 9 92637 Weiden [email protected] +49 (0)961 48 23 0 0

S7-Firewall quick start guide 9 / 9 2021/02/28 20:29

Table of Contents

Introduction 2 .......................................................................................................................................

Hardware 2 ...........................................................................................................................................

Standard hardware 2 ..........................................................................................................................................

Conﬁguration 2 .....................................................................................................................................

System button, Reset system 2 .........................................................................................................................

Conﬁguration of the device 3 ...............................................................................................................

Network settings 4 ...............................................................................................................................

DHCP Fixed MAC / IP address assignment 4 .........................................................................................

Web-User 5 ...........................................................................................................................................

S7-Firewall-settings 5 ...........................................................................................................................

S7-Firewall operation 5 .........................................................................................................................

Enter the HMI / PG stations 5 ...............................................................................................................

Input the PLC stations 6 .......................................................................................................................

Enter the S7 ﬁrewall connections 6 ......................................................................................................

The rule script 6 ...................................................................................................................................