Modbus routing – part 1

When designing and commissioning Modbus serial buses, we sometimes encounter situations where it would be advantageous to switch from a serial link to an Ethernet network and transmit data over it. These are in particular:

- Ethernet connects two locations between which no additional serial line can be run;

- the terminal device (computer or PLC) no longer has a free serial port and we need to connect a Modbus device that communicates via a serial line;

- it is not yet known where the terminal equipment will be located, while structured cabling is and will be available everywhere;

- we want to use the network as the main line.

A serial line device, which may be an air conditioner or a fan coil controller, will be called a slave (in a network environment also a server) because it provides data for a Modbus query. The query is sent by a master (usually called a client in a network environment), such as a process controller (PLC), a graphic terminal (HMI), or a visualization program (SCADA) in a computer.

A wide choice of converters with two interfaces – Ethernet and RS485 – is available on the market. But the question is how they actually transmit data on the network. Upon closer examination, we find that there are several modes, which differ in how data from the serial link is “packed” into network packets and interpreted at the other end. The “unpacking” also requires some hardware or software that must be supported on the other end of the line. The most commonly used modes are:

  • Terminal server (virtual COM port), e.g. called RealPort in the Domat R035 converter;
  • Serial bridge;
  • Modbus router, called Industrial Automation in the Domat R035 converter.

In the following, we will look at each mode in more detail and show specific examples of topologies and their advantages and disadvantages.

Virtual COM port and terminal server

A virtual COM port is actually a software driver that is installed on a computer. The driver is supplied by the manufacturer of the converter; the converter itself is called the terminal server.

There are many manufacturers of terminal servers, and it is always necessary to use the driver supplied by the manufacturer of the particular terminal server. Communication protocols between the virtual COM port and the terminal server may vary.


Fig. 1: Virtual COM port in operating system settings (with Domat R035 converter)

In addition, the virtual serial port needs to be configured: at a minimum, we need to specify the IP address at which the driver will find the hardware converter in order to establish a connection with it. Other serial communication parameters (speed, parity, number of stop bits…) are also important; they are transferred to the converter, which uses them to set up its serial port. To configure them, use either the web interface of the converter or the menu in Device Manager – see above in Serial adapters with multiple ports.

On the network, the driver finds the serial-to-Ethernet converter, connects to it and opens a data transfer channel. Everything that programs on the PC write to the virtual port is sent by the driver to the converter, and the converter writes the data to the serial port. In the other direction, data arriving at the serial port is sent by the converter to the PC, where the driver writes it to the virtual COM port. A packet is usually closed and sent after some time of inactivity on the line; this time may be adjustable. The whole system does not care at all what data is sent along the line, i.e. what the individual bytes mean. This is basically an advantage: the terminal server can theoretically be used to transmit any communication protocol. But there are a few catches, as we’ll see below.

Network communication between the virtual COM port and the terminal server is manufacturer-specific. There is no standard for what the data transfer should look like; in addition to the serial data itself, control signals, commands for setting up the terminal server, etc. are also communicated over the network. The advantage of the terminal server is that the data transmission is usually encrypted, so that it is not possible to intercept the communication between the program and serial devices over the network. It is also recommended – if possible – to set the terminal server to accept connections only from the IP address of the virtual COM port (or, in the serial bridge connection, from the IP address of the opposite terminal server), which increases network security.


Fig. 2: Terminal server topology

This solution looks simple and universal, but it has features that can significantly limit its usefulness:

There is a delay in transmission. When two serial devices are interconnected directly, the packet delay is determined only by the signal propagation speed over the cable. With a terminal server, however, it is necessary to take into account the time needed for data processing in the driver and the terminal server, the wait for the end of the packet (see above), and especially the transmission delay in the network infrastructure. The total delay can be up to hundreds of milliseconds. The client program may evaluate this as a timeout, i.e. a communication error, leading to outages and error messages.

In practice, a delay problem usually does not occur when operating in a local network: the response time in the network is on the order of milliseconds, while the timeout tolerance is adjustable in hundreds of milliseconds. However, this assumes query-response communication, such as the M-Bus protocol for reading energy meters. If we tried to connect two parts of a serial bus in this way, where the bus uses, for example, a communication protocol with collision detection to access the line, it is unlikely to work properly.

It is point-to-point communication. Only one virtual COM port or serial bridge counterpart can be connected to one terminal server. Of course, this has its logic. If we want to access the server from two clients, the communication protocol must also allow it, as we will see below. This is really just a tunnel to transfer data between two serial ports.

The client must be a PC with a suitable operating system so that the virtual COM port can be installed on it. If we have a PLC or other device on which the driver cannot be installed, we can use the following mode – serial bridge. The terminal server usually does not help in the situation where we do not have a serial port on the PLC, because “there is no way to get data through the PLC Ethernet port to the serial protocol driver in the runtime PLC”.

Serial bridge (also Serial tunnel)

For a device that has a free serial port, two terminal servers can be connected back-to-back and configured to create a transmission channel. This configuration is called a serial bridge because the network “bridges” the serial link, and the serial devices can communicate with the PLC as if they were connected directly by the serial link. However, this exacerbates the timing problem described above. In addition, the hardware costs are doubled.

So finally we get to full routing:

Modbus router

At the application level, this mode already works with the protocol we know, converting Modbus TCP to Modbus RTU and back. Unlike the Terminal Server mode, where Modbus RTU would still be packed (and possibly encrypted) in TCP packets on the Ethernet side, with a Modbus router we find Modbus TCP on the network interface. The converter therefore also handles protocol conversion and works with data at the Modbus protocol level. So it has to understand Modbus; it is no longer just “shifting anonymous data”.

How does it work?

A Modbus query and response on a serial line (called Modbus RTU) look like this:

Temperature reading from register 17 using function F03, station address 1

Query (master):
01 03 00 10 00 01 85 CF
Response (slave):
01 03 02 07 9E 3B DC

Values are a hexadecimal representation of transmitted bytes. In this form, they are provided by a serial monitor, the so-called port monitor. This is either a client device function (PLC, SCADA) or an external program that monitors the bus operation via a serial converter.

If we disassemble the data according to the description of the Modbus protocol (and it is not difficult), we find the following:

Query (master):

01 station address – line address in the range 1…255; the device with this address is queried by the master for data
03 Modbus function 03 – Read multiple registers – method of data reading
00 10  starting address – 16 decimal for reading register 17 (addresses are numbered from 0, registers from 1), which we know holds the current temperature in this particular device
00 01  the number of registers to read, one in this case
85 CF at the end is the CRC – the checksum of the previous data

Response (slave):

01 station address – in the response it is repeated as in the query
03 Modbus function 03 – in the response it is repeated as in the query
02 number of bytes that follow (except the checksum)
07 9E  value: 079E hex = 1950 decimal = 19.5 °C (in order to get decimal places, the integer value must be divided by 100 – this and more can be found in the Modbus table from the station manufacturer)
3B DC at the end is the CRC – the checksum of the previous data

The checksum should be used by each side as a telegram integrity check. If the received CRC does not agree with the value calculated from the previously received data, something has been transmitted incorrectly and the entire query needs to be repeated.

The same query in Modbus TCP is a little more extensive. The picture shows the communication recorded in Wireshark. Wireshark can analyze some protocols down to the application level, as we can see in the middle part of the window. In the upper part there are two Modbus TCP queries and two responses; below is the detail of the second one.


Fig. 3: Modbus TCP communication in Wireshark

The blue part of the telegram is the Modbus TCP query itself. We are only interested in the left, hexadecimal interpretation; the right part shows the same data as text, which does not make sense for Modbus. The black and white part at the beginning of the telegram is actually the transport envelope of the lower layers of communication, including the TCP/IP protocol. We could say that a cargo – a Modbus TCP telegram – loaded in a TCP/IP wagon is traveling on the network. We will only deal with the Modbus TCP part:

Query (client):
04 B7 00 00 00 06 01 03 00 10 00 02

Response (server):
04 B7 00 00 00 05 01 03 02 08 7E

We will analyze the telegram again according to the Modbus TCP standard.

Query (client):

04 B7 transaction ID, usually an increasing number, is used by the client to match a query and a response
00 00 protocol identifier: 0 = Modbus, there are always zeroes in these two positions
00 06 the number of bytes that follow
01 station address (called unit identifier)
03   function (same as Modbus RTU)
00 10   register; 16 dec for reg. 17 (same as Modbus RTU)
00 01   number of registers to read

Response (server):

04 B7 transaction ID, taken from request
00 00 protocol identifier: 00 = Modbus
00 05 the number of bytes that follow
01 address
03 function
02   number of data bytes (seemingly redundant value, see third line, but it is there for full compatibility of this part of the telegram with Modbus RTU)
08 7E   08 7E hex = 2174 dec = 21.74 °C, the temperature has risen somewhat during experimentation

The lines in bold are common to both Modbus RTU and Modbus TCP. Modbus TCP has no checksum; it is unnecessary to calculate and transmit one, because the integrity of the telegram is guaranteed by the “envelope” – the TCP protocol. On the other hand, Modbus TCP adds the first three lines: transaction ID, protocol identifier, and the number of following bytes.

When converting a query from Ethernet to a serial line, the Modbus router takes pure content (transmitted data without TCP overhead) from the TCP telegram, removes the first six bytes, calculates and adds a checksum, and sends it all to the serial line. Upon receiving the response, it removes the checksum from the serial packet, adds the Transaction ID from the Modbus TCP query, the Protocol identifier and the number of bytes of the remainder of the telegram – and returns the Ethernet response as a Modbus TCP telegram.
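The conversion described above, together with the CRC check from the Modbus RTU section, as an added example (not code from the article or from any converter's firmware). The function names are illustrative assumptions, and the TCP query is built from the field breakdown above (one register); the router also validates the protocol identifier and length field before anything reaches the serial line.

```python
import struct

def crc16_modbus(data: bytes) -> int:
    """Modbus RTU checksum: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def tcp_to_rtu(adu: bytes):
    """Modbus TCP query -> (transaction ID, RTU frame for the serial line)."""
    if len(adu) < 8:
        raise ValueError("telegram shorter than header + address + function")
    tid, proto, length = struct.unpack(">HHH", adu[:6])
    if proto != 0:
        raise ValueError("protocol identifier is not 0 (not Modbus)")
    if length != len(adu) - 6:
        raise ValueError("length field does not match the bytes that follow")
    body = adu[6:]  # station address + function + data, shared with Modbus RTU
    # The CRC is sent low byte first, hence the little-endian packing.
    return tid, body + struct.pack("<H", crc16_modbus(body))

def rtu_to_tcp(tid: int, frame: bytes) -> bytes:
    """RTU response -> Modbus TCP response carrying the query's transaction ID."""
    if len(frame) < 4:
        raise ValueError("RTU frame too short")
    body, received = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if crc16_modbus(body) != received:
        raise ValueError("CRC mismatch: drop the frame, the query must be repeated")
    return struct.pack(">HHH", tid, 0, len(body)) + body

# Telegrams from the article (TCP query per the field breakdown: one register).
TCP_QUERY = bytes.fromhex("04B7 0000 0006 01 03 0010 0001")
RTU_QUERY = bytes.fromhex("01 03 00 10 00 01 85 CF")
RTU_RESPONSE = bytes.fromhex("01 03 02 07 9E 3B DC")

if __name__ == "__main__":
    tid, rtu = tcp_to_rtu(TCP_QUERY)
    print("to serial line:", rtu.hex(" ").upper())
    print("to Ethernet:   ", rtu_to_tcp(tid, RTU_RESPONSE).hex(" ").upper())
    damaged = RTU_RESPONSE[:3] + b"\x08" + RTU_RESPONSE[4:]  # constructed: one data byte altered
    try:
        rtu_to_tcp(tid, damaged)
    except ValueError as err:
        print("rejected:      ", err)
```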

Routing Modbus RTU to Modbus TCP (Serial Slave)

This means that “behind the router” is a serial line with one or more serial devices. We can communicate with several serial devices via one IP address of the Modbus router. You only need to know the bus configuration and prepare the client program accordingly. The devices are connected according to the topology picture on the left.

When creating a topology, we must always be aware of which device is the server and which is the client. The figure on the right shows a seemingly similar connection, “Modbus device with serial link – Modbus router – Modbus device with Ethernet interface”, but the router functions differ significantly. The connection according to the picture on the right will be discussed in the next part of the article; for now we are interested in a serial device as a slave.


Fig. 4: Topology for Modbus routing

If we have multiple serial lines in the system with multiple Modbus routers, their link address ranges may overlap. A Modbus device is uniquely determined by the combination of the router’s IP address and the device’s link address. The Modbus TCP client will simply address each Modbus TCP device separately via its IP address. Thus, both addressing methods in the figure below are possible.


Fig. 5: Line address ranges on serial lines

A number of parameters can be set in the Modbus router using the web interface or the configuration program. For example, for a Domat R035 router, it is first necessary to specify that the device should work as a Modbus router. The converter must be set to Industrial Automation mode, and in the Industrial Automation Settings section we check that the current protocol is Modbus RTU Serial Slave. This corresponds to the topology in the picture on the upper left, where the device on the serial line is the slave (server). (The second option, Serial Master, is covered in the second part.)


Fig. 6: Setting the Domat R035 converter

In addition to network settings and serial line parameters (speed, parity…), this is actually the only configuration you need to enter in the router. Other parameters can be left in the default values.

In the next section we will look at several cases of more complex topologies and their solutions.