MODBUS TCP (Port Forwarding of GSM Router)


Thread Starter

Ayman Imbabi

Can I use the Port Forwarding feature in GSM routers to let Modbus TCP servers (which are connected to a GSM router through Ethernet cables) send data to / receive data from a Modbus TCP client which is connected to another GSM router through an Ethernet cable?

I know that Modbus TCP server(s) and clients can connect to each other if both are on the same IP network; we can use the Ping command to check the connectivity.

In my case the Modbus TCP server(s) are Ethernet-wired to a GSM router and the Modbus TCP client(s) are Ethernet-wired to another GSM router; both routers are using the same GSM 4G network, and each router has one static IP address.

Does Modbus TCP support the port forwarding feature which exists in GSM routers?

Lynn August Linse

Modbus TCP won't care - as long as the server (slave) has a fixed IP, then forwarding TCP port 502 is all you need.

However, some carriers do not allow mobile-to-mobile within their own networks UNLESS you prearrange this. Since port 502 is a well-known value and Modbus has no security, you do risk some kid finding your server and changing your register values. Also, opening the TCP socket over cellular likely takes up to 5 seconds (due to how cell towers allocate resources to previously idle devices), and some Modbus TCP client tools will time out the CONNECT in 1 second (I saw one time out in 0.1 sec!). So your client will never connect unless you can slow down the timeout. While connected, you'll also need to move traffic at least every 5 minutes, or the socket aborts in mysterious ways. So either connect & poll at least every few minutes - or connect, poll, then close gracefully.

So I need to consider the security of Modbus TCP, and I need to get confirmation that my Modbus TCP client (Modbus TCP-OPC server) can handle a timeout of up to 5 sec at least.

Yes, also consider asking your cellular carrier for a "Private APN", which means you'll need to VPN into the carrier from a PC, but then they can assign you a 'cheap' fixed IP like 172.x.x.x (maybe at no extra cost). Often you need to pay a fixed one-time setup fee (like us$500 per account) to set this up, but then likely you DO NOT need to pay the extra $$ per month for a fixed public IP. Make sure they allow "spoke to spoke" communications, so your Modbus 'master' at site A can link to your Modbus 'slave' at site B.

Besides protecting your Modbus/TCP, this also can cut potentially HUGE bills should someone decide your fixed PUBLIC IP address looks "interesting". You pay for all access, so even if someone tries a dictionary attack on your device's web server ... YOU PAY! I've had customers hit with over us$2000/month surprise bills because of this. Last time I looked at the rejected traffic on an AT&T 166.x.x.x fixed IP, it was seeing about 40 probes a day for things like SQL, FTP, RDP, HTTP, and so on. None likely do any harm - except that YOU will be billed for about 1/2K of traffic per probe. The Private APN prevents this, and to be honest the carriers LIKE you to use the private APN because it costs them less headache (they know darn-well you'll complain & try to get out of paying a $2000 bill when you expect a $9 bill!)
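The connect-poll-close pattern and the long connect timeout described above, as an added example that is not code from anyone in this thread. It encodes a Modbus TCP Read Holding Registers request (MBAP header plus PDU), connects with a 10-second timeout (an assumed value, chosen to leave margin over the ~5 s cellular connect time mentioned above), reads once, and shuts the socket down gracefully. Because it must run offline, the server side is a constructed stand-in on a loopback ephemeral port rather than a real device on port 502; that stand-in also refuses write function codes with a Modbus exception, which is the minimal kind of filter one would want in front of an unauthenticated Modbus server. All register values are constructed sample data.

```python
import socket
import struct
import threading

# Port 502 is the real well-known Modbus TCP port; the demo binds an ephemeral loopback port instead.
MODBUS_PORT = 502

# Function codes that change server state; the constructed demo server refuses them.
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10}


def build_read_holding_registers(transaction_id, unit_id, start_addr, count):
    """Encode a Modbus TCP Read Holding Registers (FC 0x03) request: 7-byte MBAP header + PDU."""
    pdu = struct.pack(">BHH", 0x03, start_addr, count)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)  # length counts unit id + PDU
    return mbap + pdu


def parse_frame(frame):
    """Decode an MBAP-framed request or response into (transaction_id, unit_id, function_code, payload)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return tid, uid, frame[7], frame[8:]


def registers_from_payload(payload):
    """FC 0x03 normal response payload: a byte count followed by big-endian 16-bit registers."""
    byte_count = payload[0]
    if byte_count != len(payload) - 1 or byte_count % 2:
        raise ValueError("bad byte count in read response")
    return list(struct.unpack(">%dH" % (byte_count // 2), payload[1:]))


def _demo_server(listener, registers):
    """Constructed stand-in for a Modbus TCP server: answers FC 0x03, rejects writes with exception 0x01."""
    conn, _ = listener.accept()
    with conn:
        tid, uid, fc, body = parse_frame(conn.recv(260))
        if fc in WRITE_FUNCTION_CODES:
            pdu = bytes([fc | 0x80, 0x01])  # exception response: illegal function
        else:
            start, count = struct.unpack(">HH", body)
            values = registers[start:start + count]
            pdu = bytes([fc, 2 * len(values)]) + struct.pack(">%dH" % len(values), *values)
        conn.sendall(struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu)


def poll_once(host, port, unit_id, start_addr, count, timeout=10.0):
    """Connect, read registers once, and close gracefully (the connect-poll-close pattern)."""
    # The timeout applies to connect and to recv; 10 s is an assumed margin over a ~5 s cellular connect.
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_read_holding_registers(1, unit_id, start_addr, count))
        tid, uid, fc, payload = parse_frame(s.recv(260))
        if fc & 0x80:
            raise RuntimeError("Modbus exception code 0x%02x" % payload[0])
        values = registers_from_payload(payload)
        try:
            s.shutdown(socket.SHUT_RDWR)  # send FIN now instead of leaving the socket to abort later
        except OSError:
            pass  # peer already closed; nothing left to shut down
        return values


def run_demo():
    """Start the constructed server on loopback and poll it once; returns the register values read."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    sample_registers = [100, 200, 300, 400]  # constructed sample data
    t = threading.Thread(target=_demo_server, args=(listener, sample_registers), daemon=True)
    t.start()
    try:
        return poll_once("127.0.0.1", port, unit_id=1, start_addr=1, count=2)
    finally:
        t.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    print(run_demo())  # [200, 300]
```

In a real deployment the poll would be scheduled every few minutes against the forwarded public or private-APN address on port 502, with the timeout raised well above the default of whatever client tool is in use; the point of shutting down the socket explicitly is that the cellular path will otherwise drop idle connections unpredictably.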

>SO I need to consider the security of Modbus TCP. and I
>need to get confirmation that my Modbus TCP Client (Modbus
>TCP-OPC server) can handle timeout up to 5 sec at least.

Would you be interested in discussing security use cases such as for ModbusTCP?

I'm working on implementing these in my lab using F5 BIG-IP iRules and ModbusTCP simulators.

If you are interested, I can walk you through the demos and provide remote access to the lab.

Thanks and kind regards,