PI S7-Firewall user manual

S7-Firewall
user manual
(english)
Art.Nr. 9373-S7-FIREWALL
17.05.2019
© PI 2019

Content
1 Installation ........ 3
1.1 Power connection ........ 3
1.2 LAN connector ........ 3
1.3 introduction ........ 3
1.4 hardware execution ........ 3
1.4.1 standard hardware execution ........ 3
1.5 configuration ........ 4
1.6 configuration ........ 4
1.7 network configuration ........ 5
1.8 DHCP fixed MAC / IP address mapping ........ 7
1.9 NTP client ........ 7
1.10 web user ........ 7
1.11 S7 firewall settings ........ 8
1.12 entering of the HMI / PG station ........ 8
1.13 entering of the SPS station ........ 8
1.14 entering of the S7 firewall connections ........ 9
1.15 The rulescript ........ 9
2 Technical data ........ 10
2.1 pin assignment power supply ........ 10
2.2 Pinning Ethernet ........ 10
Handbook S7-Firewall Page 2 of 12

1 Installation
1.1 Power connection
The device is powered either from the included AC adapter or from an existing local power supply of at least 24 V DC, 350 mA, connected to the 3-pin green plug. On the included AC plug adapter the power poles are marked with coloured sleeves: the PLUS pole is red, the MINUS pole is blue. Connect the POSITIVE pole to the left screw terminal and the NEGATIVE pole to the right (outer) screw terminal. The middle connector is used for grounding and must be connected to PE.
1.2 LAN connector
This connector is an autosensing 10/100 Mbit/s port. To connect to a hub or a network socket, use a so-called patch cable (RJ-45 on both sides, 1:1, shielded).
1.3 introduction
The S7 firewall is a scalable "SPS firewall" (PLC firewall) that does not only filter IP / MAC addresses. For user-defined connections, access can be restricted to, or set for, any data areas of the SPS. The S7 firewall can be placed between any SPS and the operating / programming level. It automatically detects the installation direction. Only configured connections are permitted.
1.4 hardware execution
1.4.1 standard hardware execution
In the standard execution the S7 firewall is equipped with a WAN port and 4 LAN ports configured as a switch.

1.5 configuration
In the configuration the network settings etc. can be set. The entry forms are self-explanatory in general, but we would like to receive suggestions from users to make operation even easier.
On delivery the following IP addresses are set:
192.168.1.57
192.168.2.1
You have the following options to reach the S7 firewall via web browser:
Assign the PC an IP address from the corresponding network segment (e.g. 192.168.1.100 or 192.168.2.100) and connect the PC to LAN or WAN via Ethernet. Enter http://192.168.1.57 or http://192.168.2.1 in your web browser. Alternatively, set your computer to obtain an IP address automatically and connect it to the LAN port of the TeleRouter. The TeleRouter then assigns the PC an IP address automatically, and in your browser you can reach the device at
http://telerouter
To make the S7 firewall start with these basic settings without losing the settings you have made, proceed as follows:
• Have a paper clip or something similar ready to operate the factory reset button. Do not worry, no factory reset is performed. The button is hidden between the WAN and LAN ports behind a small hole; insert the paper clip there.
• Unplug the device.
• Turn the power back on.
• When the four LEDs go out and only the Power LED is on, hold down the button with the paper clip until all 4 LEDs flash quickly.
• Release the button.
• If the LED S3 (bottom right) lights up, press the button again.
The device then boots with the default settings. Now the desired changes to the network settings can be made. These settings only become active after the device is restarted.
1.6 configuration

parameter | possible settings | purpose
device name | "as desired" |
language | deutsch / english | specifies the language of the user level; after a change the page may have to be reloaded in the web browser
standard gateway | as specified / from WAN via DHCP / from WAN via PPPoE / from LAN via DHCP / from modem via PPP |
1. DNS | |
2. DNS | |
routing mode | office | LAN -> routing interface
 | Maschine (machine) | routing interface -> LAN
routing interface | WAN/IP | IP routing via WAN
 | modem | IP routing via modem
 | WAN/PPPOE | IP routing via PPPoE at the WAN port
 | WAN/OVPN | routing via OVPN at the WAN port
 | WAN/Bridge | ethernet routing at the WAN port
1.7 network configuration

parameter | possible setting | purpose
standard gateway | as desired / via DHCP |
1. DNS | |
2. DNS | |
1-3. IP address with netmask | IP address / netmask | If the netmask is 0.0.0.0, the netmask is calculated automatically from the class A, B or C network, e.g. 192.168.0.x -> 255.255.255.0, 10.x.x.x -> 255.0.0.0. When using fixed IP addresses at least 1 IP address must be configured; otherwise the device starts with the factory settings.
DHCP | no | DHCP is not used. The remaining DHCP parameters are not used.
 | client | The network interface is a client and obtains its IP address automatically from a DHCP server. The remaining DHCP parameters are not used.
 | server | The network interface provides a DHCP server. The remaining DHCP parameters are used.
start IP | start IP address | start IP address when operating as a DHCP server
end IP | end IP address | end IP address when operating as a DHCP server
subnet | subnet address | address of the subnet from which IP addresses are assigned when operating as a DHCP server
domain | free | name of the domain given out by the DHCP server
router IP | IP address | the IP address that is passed as the gateway when operating as a DHCP server
The WAN / LAN port has shared IP addresses. Up to 3 different IP addresses and subnets can be configured. The port can also be used as a DHCP server or client; the data needed for the IP assignment are entered here. For operation as a DHCP server, fixed MAC / IP address assignments can be set (see "DHCP fixed MAC / IP address mapping" below). It is also defined here which services are available at the port: web config, ping, SSH (for developers only).

1.8 DHCP fixed MAC / IP address mapping
If the built-in DHCP server (at the WAN or LAN) is used, it can be useful to always give specific stations the same IP address. Here you can specify which MAC address is mapped to which IP address.
1.9 NTP client
So that the TeleRouter always runs with the current time, an NTP client has been implemented. The TeleRouter can thus synchronize date and time automatically via the internet or from any other time server available in the network.
parameter | possible settings | purpose
NTP client operation | yes / no | Turns the NTP client on or off.
service name | IP address / domain name of the NTP server | Enter the IP address or the domain name of the NTP server. Make sure that this server is reachable via the specified routing path.
time zone | time zone in which the TeleRouter is operated | necessary for the correct local time at the TeleRouter
1.10 web user
Here is the mask for entering the web users. Different permissions can be assigned per user. Generally, only one user is allowed to make "SU" changes; U1 - U5 can only use the interface. In the TeleRouter expansion modules "U1" - "U5" have more precisely specified operation rights.

1.11 S7 firewall settings
The SPS firewall connections consist of the HMI / PG station and the SPS station.
1.12 entering of the HMI / PG station
parameter | possible setting | purpose
No. | automatically | consecutive number
name | freely entered by the user | name of the station
active | yes (x) | connections with this station are processed by the firewall
 | no ( ) | connections with this station are not processed, i. e. they are blocked
IP address | IP address of the HMI / PG device | identification of the sender; this input is mandatory
MAC address | MAC address of the HMI / PG device | Identifies the HMI / PG additionally by the MAC address. 00:00:00:00:00:00 means that the MAC address is not checked. Otherwise the MAC address of the station must match the entry.
connecting conduit | used channel of communication | In Simatic S7, PG and OP channels are available. This channel is used as an additional characteristic for identification of the sender. Both PG and OP functions are possible on each of the two channels. HMIs / WinCC etc. typically use OP channels; the Siemens PG software always uses the PG channel. Unfortunately, various software on the market does not offer a way to set this channel. To find out which channel is used, check the logfile. Reasonable HMI software, or the corresponding software driver, allows this channel to be adjusted. If, for example, PG and HMI run on the same computer (IP / MAC identical for PG / HMI), only the PG / OP channel remains to identify the sender.
1.13 entering of the SPS station
1.14 entering of the S7 firewall connections
The connections are formed from the combination of an HMI / PG station and an SPS station. Each HMI / SPS station can be used repeatedly. When a MAC or IP address changes, you only need to change it in the HMI / PG station or SPS station. Every connection is assigned a connection rule. If "allow PG full-function" is selected, this connection has full access. In the future this access is to be divided in more detail (read / write defined blocks, SPS start / stop, general reset, read / write system data).
parameter | possible setting | purpose
No. | automatically | consecutive number
name | freely entered by the user | name of the connection; also serves as a "link" to open and edit the control script
active | yes (x) | connections with this station are processed by the firewall
 | no ( ) | connections with this station are not processed, i. e. they are blocked
allow PG full function | yes (x) | This connection is a PG connection and can perform all functions.
 | no ( ) | This connection is a limited connection. Only accesses to the shared functional and data areas defined in the accompanying control script are allowed.
1.15 The rulescript
In the rule script, the data areas or permissible requests for that connection are defined. The script can be accessed via the link on the name of the connection.
syntax of the rule script
first signs | function | rest of the line
# or // | the line is a comment | free text
(no sign) | the same operand / area follows | operand / area (see below)
r: | the following area is read only | operand / area (see below)
w: | the following area is write only | operand / area (see below)
rw: | the following area is read and write | operand / area (see below)
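The station matching of section 1.12 and the rule script syntax of section 1.15, as an added example that is not PI's code: a Python model that parses a constructed rule script and decides whether a request on a connection is allowed. It assumes only the HMI / PG side of a connection, compares operands as plain strings because the operand / area syntax is not given on this page, and treats a rule line without a prefix as continuing the previous access mode.

```python
# Added example, not PI's code: models the S7-Firewall decision from the station,
# connection and rule script tables of this manual (HMI/PG side only; operands
# compared as plain strings since the operand/area syntax is not given here).
from dataclasses import dataclass

WILDCARD_MAC = "00:00:00:00:00:00"   # manual: MAC address is not checked
SAMPLE_SCRIPT = """\
# constructed sample: read-only process values, write access to one word
r: DB10.DBW0
DB10.DBW2
w: MW100
// rw: DB99 is commented out
"""

@dataclass
class HmiStation:
    ip: str
    mac: str = WILDCARD_MAC
    channel: str = "PG"          # "PG" or "OP"
    active: bool = True

def parse_rulescript(text):
    """Return [(mode, operand)]; an unprefixed line keeps the previous mode (assumption)."""
    rules, mode = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "//")):
            continue                          # comment or empty line
        for prefix in ("rw:", "r:", "w:"):    # longest prefix first
            if line.startswith(prefix):
                mode, line = prefix[:-1], line[len(prefix):].strip()
                break
        if mode is None:
            raise ValueError(f"no access mode before: {raw!r}")
        rules.append((mode, line))
    return rules

def station_matches(st, ip, mac, channel):
    if not st.active or st.ip != ip or st.channel != channel:
        return False     # inactive station, other IP or other channel
    return st.mac == WILDCARD_MAC or st.mac.lower() == mac.lower()  # wildcard skips MAC

def decide(stations, rules, pg_full, ip, mac, channel, access, operand):
    if not any(station_matches(s, ip, mac, channel) for s in stations):
        return "block"   # only configured connections are permitted
    # "allow PG full-function" grants everything, otherwise consult the script
    if pg_full or any(op == operand and access in mode for mode, op in rules):
        return "allow"
    return "block"
```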