MikroTik Router as a SCADA Serial Server

A large number of MikroTik Router models have a serial port that can be used to configure the device. The serial port can also be configured as an IP-based serial server. In this article I will show you how to configure a MikroTik Router to allow TCP connections that get mapped to a serial-connected SCADA device.

Background

Historically, a dedicated hardware serial server such as the Lantronix EDS2100 would be deployed to connect a SCADA control to the network. At most of these sites, we already have a MikroTik router in the enclosure that provides backhaul IP networking and traffic encryption. By utilizing the existing MikroTik Router as a serial server, we can eliminate the dedicated serial server. One caveat to the approach is that the Router only has one serial port, so if the SCADA control device requires multiple serial ports we still install a dedicated serial server.

MikroTik Serial Server Configuration

We will touch two sections of the RouterOS configuration to accomplish our task. The first section is System > Console. By default, the MikroTik router attaches a tty terminal to the physical serial port. This is what allows you to connect to and configure the router via an attached serial cable. We must remove the terminal configuration before we set up remote access.

The terminal configuration can also be removed from the CLI with this command.

The next configuration section we will touch is System > Ports. Here on the Ports tab we can configure the baud rate, parity, and flow control of the physical RS232 serial port. Your configuration may vary, but the majority of SCADA connected devices are set to 9600, 8, N, 1, flow control off.

Moving over to the Remote Access tab, we will finally define our serial server configuration. We need to define what TCP Port the serial server will listen on and the Local Address the TCP server will bind to. If we leave the Local Address undefined, the router will listen for TCP connections on all configured local IP addresses. Optionally, we can restrict access to the TCP server to a specific IP address or IP subnet by populating the Allowed Addresses field. In my application, the Protocol is raw, but depending on the connected device you can also choose rfc2217 mode.

Here is an example of my final configuration. The serial server is listening on TCP port 4001 on the local IP 1.1.1.4. Access is restricted to a single source IP, 192.168.1.100. I used PuTTY to test the connection to 1.1.1.4:4001, and you can see that Remote Address: is now populated, showing my active connection.
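The Local Address and Allowed Addresses fields decide who can reach the serial device, so they are worth checking across a fleet. The following Python check is an added example, not part of the original article or of RouterOS: it flags serial-server entries that listen on every local address or accept more than one source IP. The export text layout, the port names usb1/usb2, and the one-host threshold are assumptions made for the illustration.

```python
import ipaddress
import shlex

# Constructed sample in the style of a RouterOS export; the exact export
# layout is an assumption, the field names mirror the Remote Access tab.
SAMPLE_EXPORT = """\
/port
set 0 baud-rate=9600 data-bits=8 flow-control=none parity=none stop-bits=1
/port remote-access
add allowed-addresses=192.168.1.100/32 local-address=1.1.1.4 port=serial0 protocol=raw tcp-port=4001
add port=usb1 protocol=raw tcp-port=4002
add allowed-addresses=192.168.0.0/16 local-address=1.1.1.4 port=usb2 protocol=rfc2217 tcp-port=4003
"""

def parse_remote_access(export_text):
    """Return one dict of key=value settings per '/port remote-access' add line."""
    entries, in_section = [], False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_section = (line == "/port remote-access")
        elif in_section and line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            entries.append(dict(pairs))
    return entries

def audit(entry, max_hosts=1):
    """List exposure findings for one serial-server entry (max_hosts is an assumed policy)."""
    findings = []
    if not entry.get("local-address"):
        findings.append("listens on all local addresses")
    allowed = entry.get("allowed-addresses")
    if not allowed:
        findings.append("no allowed-addresses restriction")
    else:
        for net in allowed.split(","):
            n = ipaddress.ip_network(net, strict=False)
            if n.num_addresses > max_hosts:
                findings.append(f"allowed source {n} covers {n.num_addresses} addresses")
    return findings

def audit_export(export_text):
    """Map tcp-port -> findings for every entry that has at least one finding."""
    results = ((e.get("tcp-port", "?"), audit(e)) for e in parse_remote_access(export_text))
    return {port: found for port, found in results if found}

if __name__ == "__main__":
    for port, problems in audit_export(SAMPLE_EXPORT).items():
        print(f"tcp/{port}: " + "; ".join(problems))
```

The entry on port 4001 matches the configuration described above and produces no findings; the other two constructed entries are reported.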

Wait, it gets better!

Some of these remote control devices have very limited space inside, so there is no way to fit an RB1100 or RB2011 rack mount router with a dedicated RS232 port. Some of the smaller RB9xx and hAP series routers have a USB port on the side. The router will recognize a connected USB-to-Serial cable such as the Startech USB-to-Serial FTDI null modem cable.

hAP AC router with connected FTDI USB-to-Serial Cable
