Need some help integrating a modbus ring of PLCs to our BMS. Currently there are about 7 Siemens PLCs on a modbus bus ring. The master PLC writes to slave address 30 a series of modbus registers that we need to pull into our BMS system.

I have connected a Vlinx MESR301 on the 485 ring. I have attached an image of the modbus routing configuration I did to the gateway. My thought was if I can pick up the modbus data on 30 and route it out to the IP address of my server that hosts the topserver, I would be able to configure my topserver to see the data. I have also attached a screenshot of my topserver configuration. The IP there is the IP of my machine that hosts kepserver.

Any help or advice would be greatly appreciated. This is for a simplex fuel oil system at a data center installed around 2011.

 

So you have an existing Modbus RTU network consisting of 7 Siemens PLC's and either one of those is the master or you have an 8th PLC that is the master on the network. You want to integrate these Modbus devices into your BMS via Modbus/TCP. Is this understanding correct?

Is this for monitoring only, or do you want to be able to command the Modbus devices in addition to monitoring?

I'm not familiar with the Vlinx MESR gateways, but from what I can tell, it seems to be a Modbus RTU to Modbus/TCP router. This probably isn't what you need for this application (assuming my understanding above is correct). The way you seem to have things set up currently is that you have two slave address 30's on your Modbus RTU network - the PLC and the MESR gateway (since the MESR gateway is configured to route address 30 to your Modbus/TCP BMS system). You can't have two slaves with the same address on a Modbus network.

I think what you should use is a Modbus gateway that's capable of passively listening (i.e. sniffing) the Mobus RTU traffic and making that data available via Modbus/TCP. The ICC ETH-1000 gateway can do this. Details and pricing can be found here:
https://www.iccdesigns.com/millennium-series/10-eth-1000.html

 

Thank you so much for your quick response. So unfortunately I don't have the drawing package and I can't connect to the PLC's as they require specific software that I don't own. However, I do have the modbus register list that has the following information and how I know it is writing to address 30. I don't require any control this is monitoring only.

Simplex Pumps
Writing to Modbus Slave Address = 30
All analog scaling to be 1 : 1	Comm Settings 9600 BPS - 8,N,1
Point Type	Point Name	Description	Register
R/W	FOP 5A RUN	Fuel Oil Pump 5A Run	1​
R/W	FOP 5A FAIL	Fuel Oil Pump 5A Fail	2​
R/W	FOP 5A MODE	Fuel Oil Pump 5A Mode	3​
R/W	FOP 5B RUN	Fuel Oil Pump 5B Run	4​
R/W	FOP 5B FBIL	Fuel Oil Pump 5B Fail	5​
R/W	FOP 5B MODE	Fuel Oil Pump 5B Mode	6​
R/W	FOP 6A RUN	Fuel Oil Pump 6A Run	7​
R/W	FOP 6A FAIL	Fuel Oil Pump 6A Fail	8​
R/W	FOP 6A MODE	Fuel Oil Pump 6A Mode	9​
R/W	FOP 6B RUN	Fuel Oil Pump 6B Run	10​
R/W	FOP 6B FBIL	Fuel Oil Pump 6B Fail	11​
R/W	FOP 6B MODE	Fuel Oil Pump 6B Mode	12​
R/W	FOP 7A RUN	Fuel Oil Pump 7A Run	13​
R/W	FOP 7A FAIL	Fuel Oil Pump 7A Fail	14​
R/W	FOP 7A MODE	Fuel Oil Pump 7A Mode	15​
R/W	FOP 7B RUN	Fuel Oil Pump 7B Run	16​
R/W	FOP 7B FBIL	Fuel Oil Pump 7B Fail	17​
R/W	FOP 7B MODE	Fuel Oil Pump 7B Mode	18​

It is very possible that there is no PLC on address 30. If that were the case, would this still be doable? We have a different phase of the building that was built a year later and this exact configuration is being used there, I just can't seem to replicate it. I have checked both configurations of both the vlinx device and the kepserver settings.

 

Your setup with the Vlinx would only work if there is not already an existing device on the Modbus RTU bus using address 30.

Since you don't have access to the equipment to know what requests are being sent, and what slave addresses are actually present, on the Modbus network, you may want to use a PC, a USB to RS-485 adapter, and a serial capture program to analyze the existing traffic on the network. Here are some examples of serial port capturing software that support Modbus decoding:
https://www.eltima.com/modbus-sniffer.html
https://ioninja.com/
https://www.com-port-monitoring.com/

 

wo

Your setup with the Vlinx would only work if there is not already an existing device on the Modbus RTU bus using address 30.

Since you don't have access to the equipment to know what requests are being sent, and what slave addresses are actually present, on the Modbus network, you may want to use a PC, a USB to RS-485 adapter, and a serial capture program to analyze the existing traffic on the network. Here are some examples of serial port capturing software that support Modbus decoding:
https://www.eltima.com/modbus-sniffer.html
https://ioninja.com/
https://www.com-port-monitoring.com/

I have wireshark installed would that be a good option?

 

No, unfortunately Wireshark cannot capture serial traffic.
https://osqa-ask.wireshark.org/questions/23243/how-do-you-capture-serial-com-communications/
https://ask.wireshark.org/question/28935/can-wireshark-capture-serial-port-data/

 

wo



I have wireshark installed would that be a good option?

I don't believe there is a device on address 30. I will confirm with the serial capture program mentioned. I would just need a usb to 485 converter and tap in to part of the plc network, correct?

 

I would just need a usb to 485 converter and tap in to part of the plc network, correct?

Yes, you can either:
1. (Preferred Method) Connect the USB to RS-485 converter to one end of the RS-485 bus, by daisy-chaining new wires from the first or last device to the converter.
[Converter]------[First Device]------[Middle Device(s)]------[Last Device]
[First Device]------[Middle Device(s)]------[Last Device]------[Converter]

2. Insert the USB to RS-485 converter in the middle, between two other RS-485 devices, whereby you would disconnect one set of wires (the outgoing wires) from a device, connect new wires from that device to your USB to RS-485 converter, and then connect those previously disconnected wires to your RS-485 converter.
[First Device]------[Middle Device(s)]------[Converter]------[Middle Device(s)]------[Last Device]

 

I was able to confirm that nothing is on address 30. there are devices writing from address 1 -6 and 11.

 

I also have a moxa MGate MB3170 which seems to have a ton more options on the modbus protocol settings.

 

I was able to confirm that nothing is on address 30.

Can you elaborate on how you determined this? For example, is the master device sending read or write requests to address 30 and there are no responses?

there are devices writing from address 1 -6 and 11.

Again, please elaborate on what this means. There can only be one master on a Modbus RTU bus and masters are the only devices that can send write requests. Are you saying that you are seeing write requests from the master targeting addresses 1, 6 and 11 and that you are seeing responses to these write requests?

 

yes exactly no responses on requests from address 30. What I meant is that I found the modbus addresses of the other PLCs which were 1-6 and 11.

 

Thanks for confirming. Here's the next steps that I would try.

Modbus RTU Communication Confirmation

1. Download a Modbus slave simulator software tool that supports both Modbus RTU and Modbus/TCP, such as one of the following
   1. WinTECH - ModSim
   2. Witte Software - Modbus Slave
2. Connect your USB to RS-485 adapter between your computer and the Modbus RTU bus with the PLC's
3. Configure the Modbus slave simulator software for the same baud rate, parity, data bits, and stop bits as your Modbus RTU bus, set the slave simulator to address 30, and create holding registers 1 - 18 (I assume these are the registers being written by the master to address 30)
4. Connect to your adapter's COM port and confirm you see the values written by the master PLC for registers 1 - 18 to address 30 in the slave simulator

Modbus/TCP Communication Confirmation

1. Use the same Modbus slave simulator, with the same address and register definitions, but open a Modbus/TCP connection instead of opening a Modbus RTU connection on a COM port
2. Setup either the Vlinx or MGate to route the Modbus RTU messages for address 30 to Modbus/TCP to your computer's IP address
3. Confirm you see the values written by the master PLC for registers 1 - 18 to address 30 in the slave simulator

After you have successfully performed and confirmed the above tests are successful, then move on to trying to use your server with topserver, making sure to configure topserver the same as how you've configured the Modbus slave simulator (this assumes topserver can be configured as a Modbus/TCP server/slave device).