Double Nattering……..

Well, stepped far out of the world that I’m allowed to exist in.

I’ve said before that I really don’t particularly care about computers.

Didn’t say that I didn’t understand them, just that I didn’t particularly care about them.

Recently one of the last remaining electro-mechanical elevators was modernized at the hospital. Due to a misunderstanding, there was no provision for connecting the elevator to the existing monitoring system. That system notifies the shift engineers when an elevator breaks down, or when someone accidentally presses the alarm button but doesn’t stay to answer the operator; the engineer can then prioritize the response depending on whether the system reports the car as out of service or in service.

Anyways, to run a direct line from the elevator controller to the computer in the engineer’s office was going to cost about $10k to run the shielded CAT6 cable in conduit with about four holes that would need radiographs and coring.

Existing hospital network to the rescue.

The entire hospital is covered with CAT6. Each subnet on the network is basically a switch or a gang of switches. The switches in use have 48 ports on them, and the switches can be physically uplinked together, giving the hospital at least 6 switches per subnet, which is 288 ports, or 286 when you take away the broadcast and gateway addresses for the subnet. That’s 254 subnet ports + 32 ports that can be used by other VLANs.

So, lots of room for a measly elevator controller to traverse the network.

Isolation Meets Legacy Monitoring: A Practical NAT Story

For the sake of illustration, I’ll use the following fictional IP addressing:

NAT 1 (Engineer’s Office)
  WAN uplink: 1.2.2.3
  Monitoring gateway (LAN): 2.2.1.1
  Monitoring workstation: 2.2.1.2

NAT 2 (Comox Building Elevator Closet)
  WAN uplink: 1.2.3.4
  Elevator B11 gateway (LAN): 2.2.2.1
  Elevator controller: 2.2.2.2

My goal was straightforward: keep the elevator controllers off the main hospital user network, while still allowing structured monitoring traffic to traverse it. To solve this, I deployed a pair of Moxa NAT‑102 devices as dedicated Network Address Translation gateways between the monitoring workstation and the elevator controller domains.

Though the NAT devices’ LAN sides sit in private address space, they behave more like protocol-opinionated security routers than plug-and-play default gateways. Their firewalls operate in a default-deny, stateful inspection mode: inbound traffic is rejected unless it matches an existing outbound session or a specifically declared rule. In this architecture, flows are permitted because they originate from the monitoring workstation (the client) and are expected by the controller (the host), not because broad inbound access was opened.

Here’s the packet walk:

  1. The monitoring workstation (2.2.1.2) sends an outbound request for controller data, addressed to NAT 2’s WAN address (1.2.3.4), using NAT 1’s LAN gateway (2.2.1.1) as its next hop.
  2. NAT 1 modifies only the source address, replacing the original host IP 2.2.1.2 with its own egress IP 1.2.2.3, and forwards the packet across the backbone to NAT 2.
  3. NAT 2’s firewall permits the packet because a declared rule allows inbound flows from NAT 1’s WAN IP (1.2.2.3); anything else arriving on its WAN side falls under the default-deny policy.
  4. NAT 2 forwards the session to the elevator controller (2.2.2.2), translating the destination from its WAN address to the controller’s, out through its local gateway interface (2.2.2.1).
  5. The elevator controller processes the request and replies with the requested data. The reply is not blindly broadcast across the LAN; it is matched against the NAT session state table, which lets NAT 2 map the translated session back to NAT 1.
  6. NAT 2 applies the reverse translation to the reply, rewriting the inside source (from its 2.2.2.1 LAN) to its WAN address 1.2.3.4, and sends the packet back across the backbone.
  7. NAT 1 permits the inbound packet because it matches the expected reply from NAT 2 in its own state table, and then delivers it to the original client (2.2.1.2) through its LAN interface.

This design keeps critical OT equipment segmented, predictable, and unscannable from the wider network, while still allowing exactly one channel of monitoring truth to pass in and out. It’s not glamorous, but it works — and that’s often the most important engineering KPI in a 24/7 healthcare environment.
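To make the packet walk concrete, here is an added simulation (my own Python, not the post’s code and not Moxa NAT‑102 configuration) of two default-deny stateful NATs using the post’s fictional addresses. The port numbers and the probe host 10.10.10.10 are constructed; the model assumes each NAT keeps a 5-tuple state table and exactly one declared inbound rule.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")  # minimal IP/port 4-tuple

class StatefulNat:
    """Default-deny stateful NAT: LAN->WAN traffic is source-translated and
    recorded; WAN->LAN traffic is accepted only if it is the reply to a recorded
    session or matches the one declared inbound rule (which is then DNATed)."""
    def __init__(self, lan_ip, wan_ip, inbound_allow_src=None, dnat_to=None):
        self.lan_ip, self.wan_ip = lan_ip, wan_ip
        self.inbound_allow_src = inbound_allow_src  # peer NAT's WAN IP, or None
        self.dnat_to = dnat_to                      # inside host reached by that rule
        self.state = {}      # (wan_src, sport, dst, dport) -> original inside source
        self.dropped = []    # packets refused by the default-deny policy

    def lan_to_wan(self, pkt):
        # Steps 2 and 6: only the source changes, to the NAT's egress address.
        out = pkt._replace(src=self.wan_ip)
        self.state[(out.src, out.sport, out.dst, out.dport)] = pkt.src
        return out

    def wan_to_lan(self, pkt):
        # Step 7: a reply to a session this NAT created, so undo the translation.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.state:
            return pkt._replace(dst=self.state[key])
        # Steps 3-4: the declared rule admits only the peer NAT's WAN address,
        # and only when it targets this NAT's WAN address; it is DNATed inside.
        if pkt.src == self.inbound_allow_src and pkt.dst == self.wan_ip:
            return pkt._replace(dst=self.dnat_to)
        self.dropped.append(pkt)  # everything else: default deny
        return None

def packet_walk():
    """Run the post's seven-step walk; port numbers are constructed."""
    nat1 = StatefulNat("2.2.1.1", "1.2.2.3")
    nat2 = StatefulNat("2.2.2.1", "1.2.3.4", inbound_allow_src="1.2.2.3", dnat_to="2.2.2.2")
    request = Packet("2.2.1.2", 51000, "1.2.3.4", 5000)      # step 1
    on_backbone = nat1.lan_to_wan(request)                    # step 2: src -> 1.2.2.3
    at_controller = nat2.wan_to_lan(on_backbone)              # steps 3-4: dst -> 2.2.2.2
    reply = Packet(at_controller.dst, at_controller.dport, at_controller.src, at_controller.sport)  # step 5
    reply_backbone = nat2.lan_to_wan(reply)                   # step 6: src -> 1.2.3.4
    delivered = nat1.wan_to_lan(reply_backbone)               # step 7: dst -> 2.2.1.2
    return on_backbone, at_controller, reply_backbone, delivered

def probe_from_hospital_lan():
    """A constructed host elsewhere on the backbone tries NAT 2 directly: dropped."""
    nat2 = StatefulNat("2.2.2.1", "1.2.3.4", inbound_allow_src="1.2.2.3", dnat_to="2.2.2.2")
    return nat2.wan_to_lan(Packet("10.10.10.10", 40000, "1.2.3.4", 5000))
```

The last function is the property the design relies on: a host that is not NAT 1 never reaches the controller LAN, because neither the state table nor the single rule matches it.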


And thus the elevator LAN is isolated from the hospital LAN and vice versa, even though they are directly connected to each other.

The engineers can see the status of elevator B11 and can receive emergency email notifications when it breaks down.

Bobbie, you must be so proud of yourself!!!!!

For what?

As my father always said, it’s not like I built this shit. So why the fuck am I taking credit for something that somebody else created and made possible?

I didn’t build the fucking Moxa NATs.

I didn’t create the idea of using NATs to hide one private network from another private network.

I didn’t write the software on the monitoring computer.

I didn’t write the software on the elevator controller.

I didn’t create the Transmission Control Protocol / Internet Protocol.

I’m not a genius.

I’m not a geek.

I’m just doing something that anyone can do.

Two little resistors, so much headache.

Every now and again something pops up that brings Richard back with full force.

I will be so very happy when I am finally freed of Richard.

I started getting into BACnet at the hospital back around 2019 when the outside contract management was replaced with in house management.

Our plant was so far in the dark ages. Pneumatics still make up the vast majority of our controls.

One of the first thing that I started doing when I became the Chief engineer was to start nibbling away at a lot of the inadequacies of our ancient automation systems. And this is where BACnet came in.

I’ve never used BACnet prior to this position. Networking I’ve done. I’ve worked with RS-485 networks before. I’ve got decent knowledge of controls. I’ve also learnt that proprietary licenced controllers are no longer the only way to accomplish automation.

One of the reasons that I’ve taken a shine to ABB drives over the last few years is that they can run by themselves without the need for expensive proprietary controllers that can only be programmed with expensive proprietary software developer kits, proprietary interfaces, and exorbitant licencing fees.

I’ve also installed various other devices that further expand the monitoring capabilities of the system.

But, there was always one piece of equipment that I could never get to work reliably.

With RS-485 networks, the network is supposed to be laid out in one continuous daisy chain. The network is not supposed to have stars or stubs.

Daisy Chain is good.

Stars, rings, backbone with stubs, backbone with stars are bad.

That’s where repeater hubs come in to play.

Or at least so I thought.

Some of the equipment would work fine on a hub, some equipment would work at super slow baud rates, and some equipment absolutely refused to operate at all.

I could never figure out what was going wrong. I thought that my dream of expanding BACnet all over the hospital was a dying dream.

Recently I happened across some documents from Texas Instruments talking about recommended design of circuits using their RS-485 transceiver chips used in communication equipment.

Up to this point in time I had always used MSA Fieldserver BACnet routers as the interface for the network loops. On the router there are three switches for each port:
Bias (+)
Bias (-)
Term

I had always set the positive and negative bias on, and of course the terminator resistor was turned on. I would also set the terminator resistor at the end of the loop to be on as well.

Well, being the complete idiot that I am, I never noticed that the hubs that I was using, and I’ve tried three different brands, had termination resistors, but they had no bias resistors.

I should have clued into the fact that the outputs of these hubs are galvanically isolated.

To be galvanically isolated, the outputs can’t be tied high to a common power supply nor can the outputs be tied low to a common ground. And this is why they couldn’t have biasing resistors.

This means that while the network was terminated, the 0 and 1 levels were not being defined properly and they’d go all over the place due to common mode voltage.

Some equipment like my ABB drives could handle the floating loop, but other equipment obviously expected the loop to not only be terminated, but to be biased. Equipment like the ABB drives can actually supply the bias voltages for the loop. Most of my other equipment can’t supply the bias voltages.

So, with the knowledge of my lack of knowledge in hand, and with Richard laughing wildly in my brain, I soldered up a pair of 4.7k resistors with some hookup wire and some heat-shrink.

The resistors that were missing were RFS1 and RFS2, which form the bias for the network. The two RT resistors are the termination resistors.

With this diagram as a reference, RFS1 = 4700 ohms, RT = 120 ohms, and RFS2 = 4700 ohms.

As soon as I connected RFS1 from the DC power rail to terminal (A), the LED on the port actually illuminated and started flickering on and off, indicating data transmission. And once RFS2 was connected from (B) to ground, the intensity of the LED changed and the flashing was more defined. A check of my laptop showed that all communication errors on this node went away and all of the devices were back online.

Why did some equipment work while others didn’t?

Simple.

The ABB, Yaskawa, and Schneider variable speed drives that I have in use at the hospital all have the capability to inject bias on to the loop.

Other equipment that I have such as the flow meters and the actuators typically don’t have the ability to inject bias into the network, and so the network common mode voltages will go all over the place. If the network is allowed to float all over the place the transceivers get confused.
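As an added check (my own illustration, not from the post or the Texas Instruments documents), here is the divider arithmetic behind RFS1, RT and RFS2: it computes the idle A-B voltage the bias network leaves on the bus, shows how a drive that injects its own bias adds to it, and sizes the resistor for a chosen target. It assumes a 5 V bias rail and two 120 Ω terminators; the 200 mV figure is the TIA/EIA-485 receiver threshold below which the input is undefined, and whether a smaller idle bias is enough depends on the transceiver’s own fail-safe specification.

```python
# Idle-state bias check for a two-wire RS-485 bus. With no driver active, the
# fail-safe resistors RFS1 (A to the supply rail) and RFS2 (B to ground) form a
# divider with the terminators RT; the resulting A-B voltage is the idle "1" state.

R_TERM_OHMS = 120.0          # RT at each end of the daisy chain (post's value)
RFS_OHMS = 4700.0            # RFS1 = RFS2 = 4.7k, the pair the author soldered up
V_SUPPLY = 5.0               # assumed bias rail; check the port's actual DC rail
RS485_THRESHOLD_V = 0.2      # TIA/EIA-485: |A-B| below 200 mV is undefined at the receiver

def bus_load_ohms(n_terminators=2, r_term=R_TERM_OHMS):
    """Terminators at both ends of the chain appear in parallel: 120 || 120 = 60 ohms."""
    return r_term / n_terminators

def idle_differential_v(n_bias_sources=1, rfs=RFS_OHMS, vcc=V_SUPPLY, n_terminators=2):
    """A-B voltage with no driver talking. Several nodes injecting bias (e.g. drives
    that can supply it) act as pull-up/pull-down resistors in parallel, raising the
    voltage; zero sources leaves the pair floating with nothing defining 0 or 1."""
    if n_bias_sources == 0:
        return 0.0
    r_up = r_down = rfs / n_bias_sources
    r_load = bus_load_ohms(n_terminators)
    return vcc * r_load / (r_up + r_load + r_down)

def idle_state_defined(v_ab, threshold=RS485_THRESHOLD_V):
    """True when the idle bias clears the receiver's undefined region outright;
    below it, correct idle detection depends on the transceiver's own fail-safe."""
    return v_ab >= threshold

def rfs_for_target_v(v_target, vcc=V_SUPPLY, n_terminators=2):
    """Bias resistor (each of RFS1/RFS2) needed for a given idle voltage, from the
    divider equation solved for R: R = Rload * (Vcc / Vtarget - 1) / 2."""
    r_load = bus_load_ohms(n_terminators)
    return r_load * (vcc / v_target - 1) / 2

def report():
    """Idle bias for the bus as the author built it, then with a second bias source."""
    alone = idle_differential_v(n_bias_sources=1)
    with_drive = idle_differential_v(n_bias_sources=2)
    return {
        "floating_v": idle_differential_v(n_bias_sources=0),
        "single_bias_v": alone,
        "two_bias_sources_v": with_drive,
        "single_bias_defined": idle_state_defined(alone),
        "rfs_for_200mV_ohms": rfs_for_target_v(RS485_THRESHOLD_V),
    }
```

The report makes the floating case explicit (0 V, nothing defines the idle level) and shows why a bias-injecting drive on the same loop changes what every other receiver sees.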

But Bobbie, people make mistakes all the time, you caught this one.

No, the one problem that I face is that I have no paperwork, therefore when I make a mistake it’s because I’m an outright moron. When people with degrees and certificates create massive mistakes, fuhgeddaboudit, don’t worry about it.

It’s actually quite funny, but in a sad and tragic way.

Trades, certificate programs, diploma programs, they’re all made for people without scars. You got scars? Piss off and get outta here.

Well Bobbie, it’s your own damn fault, you should have taken a real trade when you were younger, don’t bitch at us.

Back in my day, to get into the trades you needed either the support of your family or the support of social services.

That wasn’t going to happen.

Being a military dependent is odd in the sense that because you’ve moved amongst the provinces, you’re the other province’s issue.

When I found myself unemployed during Alberta’s recession in 1991, Alberta was willing to give me a bus ticket back to Ontario.

When I first moved to Vancouver in 1992, BC Social Services was more than willing to give me a bus ticket back to Alberta.

When I moved out to Toronto in 1993, Ontario wanted to buy me a bus ticket back to Nova Scotia. Sure, I was born in Nova Scotia. Ain’t got any family out there. My father just happened to be stationed at Canadian Forces Base Shearwater when I popped out.

Your father’s employed with the Canadian Armed Forces, you don’t qualify for this aid program.

You’re a military brat, surely the Canadian Forces is the place for you.

This training program only covers you if you meet these criteria points.

You have no collateral.

You’re gonna need somebody to co-sign a loan for you.

Can’t you get a job where your employer will let you take paid time off whenever you need to?

Find your mother, she’ll fund you.

Tell your father you’re sorry for fucking with his military career when you got abused by Captain McRae and maybe he’ll give you some money.

Why don’t you shack up with someone and let them pay your bills.

What about finding a program that takes your knowledge into account?

Those programs typically existed back in the ’70s and ’80s, but they don’t exist any longer. Basically you’d have to interrupt your entire life and take a full-on trade program that may or may not give you any credit for your adult experience.

I am so looking forward to this…….

As I’ve said before, I will be so devastated if the Government of Canada falls through on implementing Medical Assistance in Dying for reasons of Mental Health.