Gumstix as a network gateway

Ross and I have been doing a fair bit of work at a sand mine recently. In particular looking at control improvements on the Dozer trap that is being used at a mineral sands mine down near Mildura. For a variety of reasons the trap hasn't been running too well and due to the remoteness of the site there have been difficulties getting the suitable people enough access to the machine to make significant improvements. Because of this and also to aid with remote monitoring of the operation of the dozer trap it was decided to get the dozer trap network connected up for remote access.

Fortunately the Momentum PLC and the Citect HMI interface were originally setup to communicate via an ethernet network. This decision allowed for a wide range of options when setting up remote connections. So a radio was fitted to the trap with a repeater within site at the top of the pit. Everyone who needs access has a VPN login to the site wide business network. At this point we could have connected the business network and the dozer trap network directly and changed each of the dozer trap ip addresses to fall within the business network range. This would have a few risks associated with it though. Whilst the two networks were connected together anyone on the business network would have had direct access to the PLC and other network enabled items within the dozer trap. If the operation of the PLC was compromised either through a direct interaction from someone on the business network or by an accidental ip conflict the operation of the dozer trap could be affected. To solve this problem we decided to place an ssh server in between the two networks.

For those that have not come into contact with ssh before have a read of the wikipedia page . In our setup we have installed a computer that has two ethernet ports in between the business network and the dozer trap network. One ethernet connection goes to each separate network. In this way the two networks aren't actually connected so the dozer trap devices don't need to change their ip addresses and they aren't directly accessible from the business network. We can then create tunnels between the two networks using the secure connections made using ssh.

The computer that we chose for this task had to be small, energy efficient and reliable. It needed multiple ethernet ports and an ssh server. As it turns out there is a computer that fits this bill exactly. We chose a Connex 400 with a net-DUO expansion board from Gumstix. These tiny computers run linux in flash on a 400MHz Intel (ARM licensed) processor. The net-DUO expansion board provides the two ethernet ports and the default linux installation includes an ssh server.



With the gumstix in place we have setup PuTTY sessions to tunnel VNC (port 5900) for viewing the HMI panel, Subversion (port 3690) for handling the program changes, Serial (port 10001) for communicating with the EDM via a lantronix XPort and Modbus (port 502) for programming the Momentum PLC via Concept. The connection has been fast, reliable and most importantly secure. Overall a resounding success.