Remote access to a Siemens S7-1200 via a 4G router can transform how you support machines in the field. With a Teltonika RUT241 you can securely reach the PLC for diagnostics, online testing, program updates, and even data collection, without exposing industrial services to the public internet. This article explains why security matters, outlines practical connection methods, and walks through the essential configuration from the router to TIA Portal—using clear, step-by-step narrative instead of lists.
Links
https://account.rms.teltonika-networks.com
Why remote access—and why security comes first
A secure link to your S7-1200 lets you resolve faults quickly, verify cycle times, adjust parameters, and push program changes without waiting for a site visit. It also opens a path to streaming data into historians or cloud services. The catch is that protocols like S7Comm on TCP port 102 were never meant to be reachable from the open internet. The guiding principle is simple: never publish PLC ports to the WAN. Instead, place the PLC behind a private LAN and reach it through a trusted tunnel such as Teltonika RMS VPN or your own VPN.
Hardware and network baseline
A typical setup includes a Siemens S7-1200 CPU on the machine network, a Teltonika RUT241 with an active data SIM, and an engineering laptop running TIA Portal. The RUT241 provides the cellular WAN on one side and a protected LAN on the other. A clean IP plan avoids confusion later. For example, set the PLC to 192.168.10.10/24 and the RUT241 LAN to 192.168.10.1/24. Whether you use static addressing or DHCP reservations, keep the scheme consistent and record it in your project notes. On the WAN, the router uses LTE and the APN from your mobile provider. If the carrier places you behind CGNAT—which is common—you will not be able to accept inbound connections. In that case you must use either Teltonika RMS or an outbound VPN tunnel.
Teltonika RMS for the simplest secure path
Teltonika’s Remote Management System is the quickest way to get a secure session to a site even when it sits behind CGNAT. You add the RUT241 to an RMS account, enable RMS on the router, and confirm it checks in. From the RMS portal you can open the router’s WebUI and, more importantly, join an RMS VPN that extends your laptop into the router’s LAN. With the VPN active you can reach the PLC by its local IP, for instance 192.168.10.10, and then use TIA Portal’s online functions as if you were plugged in on site. RMS also gives you role-based access and an audit trail. The trade-off is that it consumes credits and requires internet reachability to the RMS cloud, but the speed and reliability often justify the cost.
Siemens S7-1200 project notes
In TIA Portal set the CPU’s IP address to the machine LAN, keep the web server disabled unless strictly required, and never bind it to the WAN. When you are ready to connect, open Online Access and ensure the PG/PC interface is the VPN adapter. If Accessible devices does not find the PLC, test basic network reachability with a ping, verify the route to 192.168.10.0/24 is present on your laptop, and confirm the RUT241 firewall allows traffic from the VPN interface into the LAN.
OPC UA and MQTT over the tunnel
If you intend to export data, decide whether the PLC or an external edge gateway will speak to your broker or server. Keeping the endpoint reachable only across the VPN simplifies security and avoids public exposure. Bind OPC UA or MQTT clients to the LAN IPs and use VPN addresses for servers, then manage certificates and time synchronisation carefully to avoid handshake failures.
Security practices that actually get used
The winning pattern is to keep industrial services private, concentrate ingress through a single, well-managed tunnel, and log who connects and when. Use strong keys and certificates, rotate them, and enable multi-factor authentication where portals support it. Separate engineering access from routine monitoring by using distinct credentials and, when possible, read-only roles. Back up the router configuration and keep a known-good image of the PLC program so you can roll back quickly if needed.
Troubleshooting in the field
When TIA Portal refuses to go online, first verify the network path. If a ping to 192.168.10.10 fails, look at the VPN status on both ends and check that the 192.168.10.0/24 route is pushed to your laptop. If RMS reports the device offline, confirm the APN, data usage, signal quality, and system time. If the VPN shows as connected but you cannot reach the PLC, inspect firewall rules on the RUT241 and ensure the VPN interface has permission to access the LAN. If you suspect CGNAT, note whether the router’s WAN address is private, such as 10.x, 100.64.x, 172.16–31.x, or 192.168.x. In that case switch to RMS or an outbound VPN.
A practical end-to-end flow
Commission the RUT241 on the bench with the SIM and firmware up to date. Configure the LAN and the PLC IP, then bring up RMS or your VPN and confirm that you can ping the PLC from your laptop across the tunnel. Bind TIA Portal to the VPN adapter and perform a quick online test. Once on site, mount the router, verify mobile signal, and repeat the ping and online test before you leave. From then on you have a secure, repeatable path to support the machine, push changes responsibly, and expand into data services when ready.
By keeping the S7-1200 behind the RUT241’s LAN, using RMS or a proper VPN for reachability, and treating firewalling and time synchronisation as non-negotiables, you end up with a remote-support setup that is both dependable and defensible. If you share your exact CPU model and SIM provider details, I can fold in an example APN, a router backup profile, and a TIA Portal project template with the network parameters preconfigured.