Allowed IP address being ignored?

This is something I noticed while giving a remote demonstration of a system to a customer. I added their public IP address to our firewall to let it through, then also added it to the Gateway: Allowed Addresses field in System Properties in the Gateway Configurator.

This worked fine and they could launch the system. When I finished the demo I removed their IP address from the Allowed Addresses field and restarted the FactoryPMI server using the Restart button at the top of the Configurator page. I noticed continual activity on the web link - when I checked with Wireshark, their client (still running) was still asking for and being sent data. I then shut down FactorySQL, FactoryPMI and MySQL. The client was still asking for data but not getting a reply. When I restarted the software, it immediately started sending data back to the client! The only way I could stop it was to block the address in our firewall.

Can you confirm this behaviour? I thought restarting FactoryPMI would immediately block a removed address.

Al

I have not observed this behavior before - could you check your Gateway logs? Maybe the restriction filter did not get installed correctly. Also, obvious question, but the filter list is meaningless unless the checkbox for restricting connections is checked.

Word to the wise, however: this feature is going away in the next major version - using FactoryPMI as a firewall is ill-advised - that's what firewalls are for.
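To make the two points in the reply concrete (the list does nothing unless restriction is enabled, and a removed address should be refused on the client's very next request rather than only at connection time), here is an added example of a per-request source-address allow-list filter. It is illustrative code written for this thread, not FactoryPMI's implementation; the class and function names, the `is_installed` self-check, and the addresses (TEST-NET ranges) are all constructed assumptions.

```python
"""Added example, not FactoryPMI code: a per-request source-address allow-list
filter of the kind the Gateway's 'Allowed Addresses' setting describes.

Two properties matter for the question in the thread:
  1. The list is only consulted when restriction is enabled (the checkbox).
  2. The check runs on every request, so removing an address denies a client
     that already has a live session as soon as it polls again.
"""
import ipaddress
import logging
from dataclasses import dataclass, field

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("allowlist")


@dataclass
class AllowListFilter:
    restrict: bool = False                       # the "restrict connections" checkbox
    allowed: set = field(default_factory=set)    # ip_network objects (hosts are /32)
    denied_log: list = field(default_factory=list)

    def add(self, spec: str) -> None:
        """Accept a single address or a CIDR block, e.g. '203.0.113.7' or '10.0.0.0/8'."""
        self.allowed.add(ipaddress.ip_network(spec, strict=False))

    def remove(self, spec: str) -> None:
        """Removing an entry takes effect on the next request; nothing is cached per session."""
        self.allowed.discard(ipaddress.ip_network(spec, strict=False))

    def is_installed(self) -> bool:
        """What a startup log line should report: restriction on AND a non-empty list.
        Either condition false means the filter is effectively not installed."""
        return self.restrict and bool(self.allowed)

    def permits(self, source_ip: str) -> bool:
        """Decide for one request. With restriction off the list is ignored entirely."""
        if not self.restrict:
            return True
        addr = ipaddress.ip_address(source_ip)
        if any(addr in net for net in self.allowed):
            return True
        self.denied_log.append(source_ip)
        log.warning("denied request from %s (not in allowed list)", source_ip)
        return False

    def handle_request(self, source_ip: str, path: str) -> str:
        """Every request passes through the filter, including polls from an existing client."""
        if not self.permits(source_ip):
            return "403 Forbidden"
        return f"200 OK {path}"


def demo_removed_address_sequence() -> list:
    """Replays the sequence from the question with per-request enforcement:
    allowed -> removed -> the still-running client's next poll is refused."""
    f = AllowListFilter(restrict=True)
    f.add("203.0.113.7")                      # constructed customer address (TEST-NET-3)
    results = [f.handle_request("203.0.113.7", "/tags/poll")]
    f.remove("203.0.113.7")
    results.append(f.handle_request("203.0.113.7", "/tags/poll"))
    return results


def demo_checkbox_unchecked() -> bool:
    """With restriction disabled the list is ignored, as the reply notes,
    and the self-check reports the filter as not installed."""
    f = AllowListFilter(restrict=False)
    f.add("203.0.113.7")
    return f.permits("198.51.100.9") and not f.is_installed()


if __name__ == "__main__":
    print(demo_removed_address_sequence())   # ['200 OK /tags/poll', '403 Forbidden']
    print(demo_checkbox_unchecked())         # True
```

The behaviour described in the question (data still flowing after the address was removed and the server restarted) is what you would see if the filter were consulted only when a session is created, or if it were not active at all; the `is_installed` check is the kind of thing worth logging at startup so the Gateway logs answer the "did the filter get installed" question directly.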

I’ve checked the logs but can’t see anything untoward. How would I check whether the restriction filter did not get installed correctly?

Removing this functionality and relying on firewalls is fine between sites, but what about within customer sites? Customers will have to take quite a jump in the complexity of their networks, installing routers to pass data between different subnets etc. I do realise it is better to deal with this stuff at a ‘network’ level, although I have found there is a distinct lack of knowledge about Ethernet networking in the industrial space (myself included :wink: ). I am sure this situation will improve as Ethernet becomes more prevalent.

As an aside, I’ve often wondered about the following scenario: say only one person on the ‘office’ subnet is allowed access to the ‘plant’ subnet. How can you set this up in a router if the IP addresses on the office subnet are allocated dynamically?

Al

Al -

You can set up the DHCP pool to assign the same IP address to a MAC address every time if you need to.

Or you can do your filtering based on MAC addresses for your subnet availability.

This sort of thing is precisely what authentication is for. Details like the ones you’re bringing up are a good reason why this sort of network level restriction is bad for what is really an authentication task.