EVOK TCP-Modbus only responding to loopback address



  • Hi!

    After enabling "allow_register_access" I can access port 502 with telnet locally, but all other connections are not responded to. This used to work, but after an upgrade it seems to binding to the loopback interface only.
    evok.conf:

    [NEURON_1]
    global_id = 1                                                   ; Mandatory, REQUIRED TO BE UNIQUE
    allow_register_access = True
    scan_frequency = 10                                             ; Optional, 10 default, scanning frequency in [Hz]
    scan_enabled = True
    

    Output from netstat -lptu

    root@L513-sn24:/home/pi# netstat -lptu
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
    tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN      1001/nginx: master  
    tcp        0      0 0.0.0.0:http-alt        0.0.0.0:*               LISTEN      773/python          
    tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      997/sshd            
    tcp        0      0 localhost:502           0.0.0.0:*               LISTEN      867/unipi_tcp_serve 
    tcp6       0      0 [::]:http-alt           [::]:*                  LISTEN      773/python          
    tcp6       0      0 [::]:ssh                [::]:*                  LISTEN      997/sshd            
    udp        0      0 0.0.0.0:bootpc          0.0.0.0:*                           982/dhcpcd          
    udp        0      0 0.0.0.0:48767           0.0.0.0:*                           899/avahi-daemon: r 
    udp        0      0 0.0.0.0:mdns            0.0.0.0:*                           899/avahi-daemon: r 
    udp6       0      0 [::]:mdns               [::]:*                              899/avahi-daemon: r 
    udp6       0      0 [::]:58202              [::]:*                              899/avahi-daemon: r
    


  • BTW: Version is Repository:evok ActiveBranch:[master] PrecedingRelease:v.2.0.7b PrecedingRevision:326(aacb3a9) LatestCommit:Mon Sep 10 11:39:34 CEST 2018


  • administrators

    Hello @alydersen
    yes, this a security feature, because ModbusTCP doesn't have any autentization.

    The unipitcp service is maintained by systemd and the startup parameters are defined in /lib/systemd/system/unipitcp.service. You can modify the ExecStart attribut in this file and add -l 0.0.0.0 to start the service listening on all IP address, not just default loopback.

    The result should look like this:

    [Unit]
    Description=Unipi Neuron/Axon Modbus/Tcp Server
    Before=mervisrt.service
    Before=evok.service
    
    [Service]
    Type=simple
    Environment="FIRMWARE_UPDATE=1"
    EnvironmentFile=-/etc/default/unipi-modbus-tools
    ExecStartPre=/bin/sh -c 'if [ "${FIRMWARE_UPDATE}" = "1" ]; then /opt/unipi-bin/fwspi --auto; fi'
    ExecStart=/opt/unipi-bin/unipi_tcp_server -p 502 -l 0.0.0.0
    TimeoutStopSec=3
    SyslogLevel=debug
    SyslogIdentifier=unipi
    WorkingDirectory=/opt/unipi-bin
    
    Restart=always
    
    [Install]
    WantedBy=unipispi.target
    

    Then reload the systemd: systemctl daemon-reload
    And reload the unipitcp service: systemctl restart unipitcp

    Regards,
    Martin



  • @martin-kudláček Thanks! That worked! Maybe you could update your docs?


  • administrators

    @alydersen That will be a tough decision where to put it, but I'll think of something.

    Thanks for the feedback,
    Martin


  • administrators

    @martin-kudláček Already noted on the prepared knowledge base.