Automation in the food industry is a big issue for the fish experts at Greenland Seafood in Wilhelmshaven, Germany, as well. The measures taken by the company to automate were a success, but they were confronted by a common problem: it looked like they were going to run out of IP addresses on the production network. A solution which was both secure and straightforward was provided by Helmholz in the form of the WALL IE Industrial NAT Gateway/Firewall.
- produces 1.3 million fish meals per day on ten high-tech production lines with over 400 employees at its factory on Jade Bay.
Naturally, automation plays a central role when it comes to quantities of this magnitude. That’s why the decision-makers had already set out on the path to Industry 4.0 several years ago. In addition to the ramped-up collection and utilization of data from the production network, this process also involves increasing networking of machines and components via Ethernet.
Less is more, at least when it comes to IP addresses
With all its advantages, such a plethora of networked individual elements also means that IP addresses on the higher-level production network will start to run out at some point.
Joachim Gerken, who works on automation technology at the Wilhelm - shaven site, illustrated this using the following calculation: “For example, just the production line for fish sticks alone has seven or eight frequency converters, plus a large number of other components. If each one has its own IP address, 20 to 30 addresses are used up for each line.
If there are 10 lines, that’s already 300 addresses,” explained Gerken. Also keep in mind that the production network is only designed for a maximum of 255 IP addresses.
A complete conversion or expansion of the production network would have been very complex and time-consuming, though. That’s why we quickly realized that it wouldn’t work – we needed another alternative.
With support from independent drive and controller specialist Schultz+Erbse GmbH, a practical and future-proof solution was ultimately found: the components of a machine or an entire line are grouped together as a machine network and incorporated into the production network over a single IP address. Here, the machine network functions as a LAN (Local Area Network) and the production or company network as a WAN (Wide Area Network). In the past, the only way to securely implement the interface between the two was in a roundabout way using complex and accordingly expensive firewall solutions.
Since 2015, however, the WALL IE Industrial NAT Gateway/Firewall from Helmholz has provided a straight- forward alternative for this task – it protects both networks by precisely regulating which subscriber may exchange data with which device. The specifications involved here can be defined for a specific user. The prerequisite for this is created by a packet filter function.
As a consequence, this means that “we save a very large number of IP addresses,” said Joachim Gerken in summarizing the end result. Thanks to the innovative new firewall, no more than three IP addresses are occupied for each line: one for the CPU, one for the operating field (HMI), and one for WALL IE, behind which the entire machine network is located. If the CPU and HMI run on a shared address, then it’s only two.
Secure and easy access
Another special feature is that WALL IE can be used in both the NAT operating mode and as a bridge. In the bridge operating mode, it acts as a layer 2 switch. In contrast with normal switches, however, packet filtering is also possible in this operating mode. The packet filter enables the limitation of access between the production network and the respective machine or line. For example, it can be configured that only certain subscribers from the production network may exchange data with defined subscribers from the automation cell. Otherwise, the data packet would be rejected or discarded. To expert Joachim Gerken and his colleagues, this means “we can precisely determine the scope in which someone can access the machine network
from the outside and make it possible with a single click in the system.” On the one hand, this increases cyber-security, as there’s additional protection for the machine network thanks to the firewall of the production network. On the other hand, this function also offers very practical advantages, such as error handling and (preventive) maintenance. With the appropriate access authorization, the manufacturer of the machines can also access individual parts or all the parts of the machine network securely – and cost-effectively as well.
© Greenland Seafood Europe GmbH
WALL IE has another advantage as well. On existing systems, certain IP addresses have already been issued, but they can’t be read by the production network because the production and machine networks occupy different address ranges (external IP/ internal IP). With WALL IE on the other hand, the user can easily use the respective external IP address to ping the corresponding internal address. This is because WALL IE supports the two NAT functions – Basic NAT and NAPT – in the router operating mode.
Greenland Seafood uses Basic NAT (also known as “1:1 NAT” or “Static NAT”). This enables the translation of both individual IP addresses and entire address ranges as well. The translation takes place exclusively at the IP level, which means that all ports can be addressed without explicit forwarding.
All addresses of the machine or line are translated into a single address of the production network. The sender addresses of packets from the automation cell are replaced by them.
© Greenland Seafood Europe GmbH