Firewall – Placing Firewall Hardware with Ethernet Ports Between Serial Ports

Tags: ethernet, firewall

I want to put a firewall hardware product (brand called Tofino) between an RTU and PLC to block some Modbus (just Modbus, not Modbus TCP) functional codes (e.g. write coil, read coil) for device testing. This firewall product is able to do deep packet inspection on the Modbus protocol. The RTU and PLC are actually industrial legacy devices, which have been used for 15-20 years.

This firewall hardware has two Ethernet (RJ45) ports, IN and OUT. But the Modbus uses serial buses (should be RS485) between the RTU and PLC. Hence, to solve this issue, can I use two Ethernet-to-RS485 converters to connect the firewall hardware between the RTU and PLC? Is there any possible issue?

Best Answer

TL;DR: It is impossible to answer your question (as currently written). Frankly, I am tempted to close the question because there really isn't enough information to answer it (i.e. you aren't providing any vendor/model numbers or enough detail).

Generally speaking, an Ethernet interface will not be able to speak to a serial interface. So if you are talking about something that allows you to simply plug an RS485 connection into an RJ45 port (i.e. something goofy like cutting one end off an RJ45 cable and connecting the individual wires to the terminals), then no, this will not work.

If you are talking about an actual device (at least $50+, draws its own power via a power supply or PoE) that will convert the serial signal into Ethernet data and back on the other end, then the answer is maybe.

There are two types of Modbus that I am aware of, Modbus serial and Modbus TCP. If your firewall says it can do DPI of Modbus, it may be speaking strictly of Modbus TCP. If your converters are converting Modbus serial to Modbus TCP, then this may work. If your devices are converting the serial to Ethernet in any other way (as one example, a proprietary format that encapsulates serial data in encryption for security), then the answer is at best back to a big question mark and quite possibly no.

Even if we assume that your firewall can actually understand the Modbus information in the Ethernet traffic, it still doesn't mean the answer is that it will work. Just because a firewall can identify it as Modbus traffic doesn't necessarily mean it will be able to filter out specific Modbus function codes based on this information. Without knowing what firewall you are talking about, we are again back to the issue that you haven't provided enough information.
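The answer's two points (the converter must produce real Modbus TCP, not just tunnel serial bytes, and identifying Modbus is not the same as filtering by function code) can be made concrete in code. The following is an added example written for this page; it is not code from the question's author, from the answer, or from the Tofino product. It models Modbus RTU framing (unit id + PDU + CRC-16) and Modbus TCP framing (MBAP header + PDU), a hypothetical "gateway-style" converter that re-frames RTU into Modbus TCP, and a hypothetical function-code filter of the kind a DPI firewall would apply. The frames, unit ids and transaction ids are constructed sample values; the function codes and the CRC parameters are the standard ones from the Modbus specification.

```python
"""Added example: Modbus RTU vs Modbus TCP framing and function-code filtering."""
import struct

# Standard Modbus function codes (from the Modbus application protocol spec).
READ_COILS = 0x01
WRITE_SINGLE_COIL = 0x05
WRITE_MULTIPLE_COILS = 0x0F

# Constructed sample PDUs: read 8 coils from address 0; write coil 0 to ON.
READ_PDU = bytes([READ_COILS, 0x00, 0x00, 0x00, 0x08])
WRITE_PDU = bytes([WRITE_SINGLE_COIL, 0x00, 0x00, 0xFF, 0x00])


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: reflected poly 0xA001, init 0xFFFF, no final XOR."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def rtu_frame(unit: int, pdu: bytes) -> bytes:
    """Serial (RTU) frame: unit id, PDU, then CRC little-endian on the wire."""
    body = bytes([unit]) + pdu
    return body + struct.pack("<H", crc16_modbus(body))


def parse_rtu(frame: bytes):
    """Return (unit, pdu) from an RTU frame, rejecting a bad CRC."""
    if len(frame) < 4:
        raise ValueError("RTU frame too short")
    body, crc = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if crc16_modbus(body) != crc:
        raise ValueError("bad CRC")
    return body[0], body[1:]


def tcp_frame(transaction: int, unit: int, pdu: bytes) -> bytes:
    """Modbus TCP: MBAP header (transaction id, protocol id 0, length, unit id) + PDU."""
    return struct.pack(">HHHB", transaction, 0, len(pdu) + 1, unit) + pdu


def parse_tcp(packet: bytes):
    """Return (unit, pdu) from a Modbus TCP packet, validating the MBAP header."""
    if len(packet) < 7:
        raise ValueError("MBAP header too short")
    _trans, proto, length, unit = struct.unpack(">HHHB", packet[:7])
    if proto != 0:
        raise ValueError(f"not Modbus TCP: protocol id {proto}")
    if length != len(packet) - 6:
        raise ValueError("MBAP length does not match payload")
    return unit, packet[7:]


def gateway_rtu_to_tcp(frame: bytes, transaction: int) -> bytes:
    """Hypothetical converter behaving as a real Modbus gateway: it checks the
    CRC, strips it, and re-frames the PDU in MBAP so a DPI firewall can read it."""
    unit, pdu = parse_rtu(frame)
    return tcp_frame(transaction, unit, pdu)


# Hypothetical deny-list: block writes to coils, allow everything else.
BLOCKED_FUNCTIONS = frozenset({WRITE_SINGLE_COIL, WRITE_MULTIPLE_COILS})


def policy_decision(pdu: bytes, blocked=BLOCKED_FUNCTIONS) -> str:
    """Function-code filtering: the decision is made on the PDU's first byte."""
    return "deny" if pdu[0] in blocked else "allow"


def filter_tcp_packet(packet: bytes, blocked=BLOCKED_FUNCTIONS) -> str:
    """What a Modbus TCP-only DPI filter sees. Traffic it cannot parse as
    Modbus TCP is failed closed here; a product that fails open would
    instead forward it uninspected, which is the risk the answer points at."""
    try:
        _unit, pdu = parse_tcp(packet)
    except ValueError:
        return "deny-unparsable"
    return policy_decision(pdu, blocked)


if __name__ == "__main__":
    for name, pdu in (("read coils", READ_PDU), ("write coil", WRITE_PDU)):
        raw = rtu_frame(1, pdu)
        print(f"{name:10s} via gateway   :", filter_tcp_packet(gateway_rtu_to_tcp(raw, 1)))
        print(f"{name:10s} raw serial bytes:", filter_tcp_packet(raw))
```

Run stand-alone, the script shows the two outcomes side by side: when the converter re-frames the serial PDU as Modbus TCP, the filter allows the read and denies the write; when the converter merely tunnels the raw RTU bytes (CRC included), the MBAP length check fails and the firewall has nothing it can make a function-code decision on.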