
Network Segmentation - S7 1500 & WinCC Unified


Proposed objective: a laboratory for practicing network segmentation, following the diagram below and moving toward compliance with standards such as IEC 62443.


We will build it with TIA Portal V20 for programming and configuration, together with PLCSim Advanced v7 and WinCC Unified RT.

For practice, we have the following virtual machines:
VM: Engineering Station
VM: PLCSim Advanced
VM: WinCC RT Unified
VM: Firewall (PfSense)

A reference document that should not be missing from your documentation is the following:
Network concept for discrete manufacturing

As I do not have a physical firewall, I have based the lab on pfSense, which you can download and run as a virtual machine in your own laboratory.

The one we are going to use is the machine I have already prepared, with separate interfaces to simulate the different "VLANs" for the various rules that we will apply.


PLC and WinCC RT Unified Configuration with TIA Portal

Following our diagram, we configure accordingly: we assign the IP address to our S7-1500 PLC and enable the use of a router with the corresponding gateway. By default I have used 10.0.VLAN.254 as the gateway for every VLAN.


In WinCC RT Unified we perform the same steps and connect it to the same logical subnet to create the connection.


The example would be as shown in the following image:


Our link between the PLC (S7-1500) & SCADA (WinCC Unified RT)


That is the easiest part; now we need to route the traffic according to the different rules and ports.
To get familiar with troubleshooting, I recommend installing Wireshark.

In the following captures I analyzed the traffic with Wireshark; they show that port 102 is used to upload the project from the engineering station to the PLC.


Likewise, we need port 20008 to upload from the engineering station to our WinCC RT Unified server.
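The step above, working out which zone initiates a connection and on which server port, is what turns a capture into firewall rules. The following added example (not code from the post) automates that reading for tshark-style text output: it keeps only the first packet of each TCP handshake (SYN without ACK) and ICMP echo requests, since those identify the initiator and the destination port, and maps addresses to lab zones. The capture lines and the per-zone /24 networks (10.0.10.0/24 engineering, 10.0.20.0/24 PLC, 10.0.30.0/24 SCADA) are constructed for the example; the post only fixes the 10.0.VLAN.254 gateway convention.

```python
import re
from ipaddress import ip_address, ip_network

# Assumed VLAN addressing for the lab (the post only states the
# 10.0.VLAN.254 gateway convention): one /24 per zone.
ZONES = {
    ip_network("10.0.10.0/24"): "engineering",
    ip_network("10.0.20.0/24"): "plc",
    ip_network("10.0.30.0/24"): "scada",
}

# Constructed capture lines in a tshark-style text layout; illustrative,
# not a capture taken from the post.
SAMPLE_CAPTURE = """\
1 0.000 10.0.10.5 -> 10.0.20.1 TCP 74 49152 > 102 [SYN] Seq=0
2 0.001 10.0.20.1 -> 10.0.10.5 TCP 74 102 > 49152 [SYN, ACK] Seq=0 Ack=1
3 0.002 10.0.10.5 -> 10.0.20.1 TCP 66 49152 > 102 [ACK] Seq=1 Ack=1
4 0.010 10.0.10.5 -> 10.0.20.1 COTP 84 CR TPDU src-ref: 0x0001 dst-ref: 0x0000
5 0.500 10.0.10.5 -> 10.0.30.1 TCP 74 49160 > 20008 [SYN] Seq=0
6 0.501 10.0.30.1 -> 10.0.10.5 TCP 74 20008 > 49160 [SYN, ACK] Seq=0 Ack=1
7 1.000 10.0.30.1 -> 10.0.20.1 TCP 74 50000 > 102 [SYN] Seq=0
8 1.001 10.0.20.1 -> 10.0.30.1 TCP 74 102 > 50000 [SYN, ACK] Seq=0 Ack=1
9 2.000 10.0.10.5 -> 10.0.20.1 ICMP 98 Echo (ping) request id=0x0001, seq=1/256
10 2.001 10.0.20.1 -> 10.0.10.5 ICMP 98 Echo (ping) reply id=0x0001, seq=1/256
"""

# Only the opening SYN (no ACK flag) tells us who initiated the connection
# and which server port it needs; echo requests do the same for ICMP.
TCP_SYN = re.compile(r"^\d+\s+\S+\s+(\S+) -> (\S+) TCP \d+ (\d+) > (\d+) \[SYN\]")
ICMP_REQ = re.compile(r"^\d+\s+\S+\s+(\S+) -> (\S+) ICMP \d+ Echo \(ping\) request")


def zone_of(ip: str) -> str:
    """Map an address to its lab zone, or 'unknown' if it is outside all VLANs."""
    addr = ip_address(ip)
    for net, name in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def observed_flows(capture_text: str):
    """Return the distinct (src_zone, dst_zone, proto, dst_port) flows that
    were initiated in the capture; dst_port is None for ICMP."""
    flows = set()
    for line in capture_text.splitlines():
        m = TCP_SYN.match(line)
        if m:
            src, dst, _sport, dport = m.groups()
            flows.add((zone_of(src), zone_of(dst), "tcp", int(dport)))
            continue
        m = ICMP_REQ.match(line)
        if m:
            src, dst = m.groups()
            flows.add((zone_of(src), zone_of(dst), "icmp", None))
    return sorted(flows, key=lambda f: (f[0], f[1], f[2], f[3] or 0))


if __name__ == "__main__":
    # Each printed tuple is one candidate "pass" rule for the firewall.
    for flow in observed_flows(SAMPLE_CAPTURE):
        print(flow)
```

Run against the constructed capture it yields exactly the four flows the post needs: engineering to PLC on 102, engineering to SCADA on 20008, SCADA to PLC on 102, and ICMP from engineering to the PLC. Replies and later handshake packets are deliberately ignored, which is what keeps the resulting rule set to the initiating direction only.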


Firewall Rules Configuration

With that information we can now create the following basic rules for our tests, and of course we add further rules so that ping works (Protocol -> ICMP). 😉


For communication between the PLC and the SCADA, we add the following rule :-)


If we check the state of the different interfaces, we can see how the communication between the SCADA and the PLC flows, and which protocol and ports are being used.
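The rule set described in this section is small enough to write down and check before it goes into pfSense. The added example below (my own model, not pfSense code or anything from the post) expresses the rules as an ordered first-match list with an implicit default deny, evaluates sample flows against it, and flags rules that can never fire because an earlier, broader rule shadows them. The zone networks, the exact set of ICMP rules, and the assumption that the SCADA is the side that opens the connection to the PLC on port 102 are mine; the post only states the ports and the PLC-to-SCADA rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed VLAN addressing (the post only states the 10.0.VLAN.254 gateway
# convention): one /24 per zone.
ENGINEERING = "10.0.10.0/24"
PLC = "10.0.20.0/24"
SCADA = "10.0.30.0/24"


@dataclass(frozen=True)
class Rule:
    """One pass/block rule, evaluated on the first packet of a flow."""
    action: str                   # "pass" or "block"
    src: str                      # source network, CIDR notation
    dst: str                      # destination network, CIDR notation
    proto: str                    # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None   # destination port, None = any port
    note: str = ""

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: Optional[int]) -> bool:
        if ip_address(src_ip) not in ip_network(self.src):
            return False
        if ip_address(dst_ip) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


# The rule set the post describes, written down explicitly. Order matters:
# first match wins, and anything unmatched falls through to a default block.
RULES: List[Rule] = [
    Rule("pass", ENGINEERING, PLC, "tcp", 102, "TIA Portal upload to the S7-1500"),
    Rule("pass", ENGINEERING, SCADA, "tcp", 20008, "TIA Portal upload to WinCC Unified RT"),
    Rule("pass", SCADA, PLC, "tcp", 102, "WinCC Unified RT <-> PLC process data"),
    Rule("pass", ENGINEERING, PLC, "icmp", None, "ping for troubleshooting (assumed)"),
    Rule("pass", ENGINEERING, SCADA, "icmp", None, "ping for troubleshooting (assumed)"),
]


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, note) of the first matching rule; default deny otherwise."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, rule.note
    return "block", "default deny (no rule matched)"


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already
    covers every flow they would match; a cheap sanity check on rule order."""
    hidden = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))
                    and earlier.proto in ("any", later.proto)
                    and earlier.dport in (None, later.dport)):
                hidden.append(i)
                break
    return hidden


if __name__ == "__main__":
    checks = [
        ("10.0.10.5", "10.0.20.1", "tcp", 102),    # project upload to the PLC
        ("10.0.10.5", "10.0.30.1", "tcp", 20008),  # project upload to WinCC RT
        ("10.0.30.1", "10.0.20.1", "tcp", 102),    # SCADA polling the PLC
        ("10.0.20.1", "10.0.30.1", "tcp", 102),    # PLC opening to SCADA: not in the design
        ("10.0.10.5", "10.0.20.1", "tcp", 80),     # anything else from engineering
    ]
    for flow in checks:
        print(flow, "->", evaluate(RULES, *flow))
    print("shadowed rule indices:", shadowed_rules(RULES))
```

The interesting cases are the last two flows, which must end in the default block even though both endpoints are "known" zones: segmentation only holds if the reverse direction and unlisted ports are denied. The shadowing check is worth running whenever a broad "allow any between zones" rule is added for debugging, because it silently makes every later, tighter rule dead.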


And here is our test screen :-) Tested with WinCC Unified RT & WinCC v8.1