A diagram illustrating the challenge of PLC remote access when multiple machines in different locations share the same static IP address.

When all the on-site PLCs use the same static IP, how can secure subnet mapping achieve accurate maintenance and reliable PLC remote access?

Written by: Bill Chen

|

Published on

|

Time to read 5 min

Bill Chen,Technical Support Engineer at Robustel

Bill Chen is a senior industrial Internet technical support expert, focusing on solution design and network troubleshooting. Proficient in industrial network protocols, good at OT/IT integration architecture optimization, quickly locating and solving problems such as device connection and data anomalies. With more than 10 years of experience, we serve more than 100 customers in manufacturing, energy and other industries, and help companies stabilize production and increase efficiency with efficient solutions.

Summary

Machine builders often standardize their products by using the exact same static IP address for the PLC in every machine, which creates a significant challenge for PLC remote access. When multiple machines with duplicate IPs are in the field, a traditional VPN cannot distinguish between them.

RobustVPN's subnet mapping feature solves this by assigning a unique virtual subnet to each machine's router within the RCMS platform. This allows engineers to connect to a specific PLC using a unique virtual IP address, which RobustVPN then translates to the correct on-site static IP. 

This enables precise, error-free remote troubleshooting and programming while preserving the massive efficiency benefits of IP standardization in production.

Introduction

In my conversations with machine builders, one topic comes up constantly: the power of standardization. To build machines efficiently and at scale, you create a master design—a template. The electrical drawings are identical, the cabinet layout is the same, and, crucially, the PLC is flashed with the exact same program and the exact same static IP address (say, 192.168.10.50) every single time. This is a brilliant manufacturing strategy.

But this production dream becomes a post-sales nightmare. You have 50 machines in the field at 30 different customer sites, and every single PLC has the IP address 192.168.10.50. A customer calls with an issue. You establish a VPN connection, but now what? How do you tell the network which specific machine you want to talk to? It's like trying to mail a letter to a country where every house has the same street address. Let's be clear: this "duplicate IP" problem has been a major barrier to efficient PLC remote access for years.

The Machine Builder's Dilemma: The Curse of Standardization

The very practice that makes you efficient in the factory—using a single, unchanging PLC configuration—cripples your ability to provide remote support. A standard VPN can get you onto the remote network, but it can't solve the fundamental problem of IP address conflicts.

This leaves you with two terrible options:

  • Abandon Standardization: Create a unique IP scheme and a custom PLC configuration for every single machine you ship. This is a logistical nightmare that destroys your production efficiency, increases the risk of human error, and complicates documentation.
  • Fly On-Site: Stick with the traditional, inefficient model of flying an engineer to the site for every software-related issue, costing you thousands of dollars and days of downtime for your customer.

Neither of these is a good choice. You need a third option that allows you to keep your standardized production methods while enabling precise and efficient PLC remote accesss.

A diagram illustrating the challenge of PLC remote access when multiple machines in different locations share the same static IP address.

The Solution: Subnet Mapping for Seamless PLC Remote Access

This is where a purpose-built industrial VPN platform shows its value. RobustVPN, a core feature of our RCMS cloud, has a powerful function designed specifically for this problem: Subnet Mapping.

Instead of trying to change the PLC's "real" IP, we create a unique "virtual" IP for it that only exists within the VPN.

How It Works: A Virtual Address for Every Machine

The process is managed centrally in RCMS and is remarkably straightforward:

  1. On-Site Setup: Each machine is shipped with an embedded Robustel router connected to its PLC. The router is on the PLC's local network (e.g., the PLC is 192.168.10.50, the router is 192.168.10.1).
  2. Central Mapping: In the RCMS platform, you create a mapping rule for each router.
    • The router for Machine #001 is assigned the virtual subnet 10.10.1.0/24.
    • The router for Machine #002 is assigned the virtual subnet 10.10.2.0/24.
    • The router for Machine #157 is assigned the virtual subnet 10.10.157.0/24.

  1. Remote Connection: The remote engineer connects their laptop to RobustVPN. Now, to access the PLC in Machine #157, they don't use its real IP. Instead, they point their PLC programming software to the unique virtual IP address: 10.10.157.50.

The RobustVPN platform acts as an intelligent traffic director. It sees the request for 10.10.157.50, knows that this address belongs to Machine #157's router, and forwards the traffic through the secure tunnel to that specific router. The router then translates the request to the PLC's real IP address, 192.168.10.50. The PLC responds, and the process happens in reverse.

To the engineer, it feels like they are on a massive, perfectly organized network where every machine has a unique, logical address.

A diagram explaining how RobustVPN subnet mapping provides PLC remote access by translating unique virtual IP addresses to duplicate real static IP addresses.

The Practical Benefits for Remote O&M

This subnet mapping feature is the key that unlocks a hyper-efficient remote service model.

  • Pinpoint Precision: You can connect to a specific machine with 100% certainty. This eliminates the catastrophic risk of accidentally connecting to and programming the wrong customer's machine.
  • Keep Your Standardization: Your manufacturing team can continue to produce hundreds of identical machines with the same IP scheme, preserving production speed and simplicity. No more custom software loads for each order.
  • Scalable Management: All IP mappings are managed in a single cloud interface. Onboarding a new machine for remote PLC maintenance is as simple as adding its router to RCMS and assigning the next virtual subnet. The system is built to handle tens of thousands of devices.
  • Ironclad Security: The PLC’s real IP address is never exposed to the internet. Access is tightly controlled through the virtual IP, which can be enabled or disabled on-demand from the RCMS platform, ensuring the customer's OT network remains secure.

This approach has been proven to help machine builders cut annual travel expenses by 80% and resolve 90% of service tickets remotely.

A mockup of the RCMS interface for RobustVPN subnet mapping, showing how users can easily assign unique virtual subnets for PLC remote access.

FAQ

Q1: Is the subnet mapping feature difficult to configure?

A: No. The entire process is managed through the intuitive, web-based RCMS platform. There are no complex command-line configurations required. You simply create a mapping rule that associates a router with a virtual subnet.

Q2: Can I access other devices on the machine's local network, like an HMI?

A: Yes. The feature maps the entire subnet. If your PLC is at 192.168.10.50 and an HMI is at 192.168.10.60, and you've mapped that machine to the virtual subnet 10.10.157.0/24, you would simply access the HMI at the virtual address 10.10.157.60.

Q3: Does this require a special, expensive SIM card with a fixed IP from the carrier?

A: No. This is a significant advantage of the RobustVPN platform. The router only needs a standard SIM card that can get any kind of public IP address from the carrier (it does not need to be static). Our cloud platform handles the rest, making the device accessible from anywhere without the high cost and complexity of fixed IP SIMs.