Many machines, one VPN tunnel
How to add oven, mixers, compressors, and sensors behind the same bakery VPN tunnel — without reconfiguring or touching the Mikrotik.
Many machines, one VPN tunnel
A common confusion: customers believe each machine needs its own VPN tunnel. Not true. A VPN tunnel is one physical site — not one machine. Behind that tunnel you can hang as many devices as you want, of different protocols, without touching the VPN router.
What this case is for
To get the right mental model before scaling a bakery, factory, or office from 1 to N connected machines. People coming from the "one VPN per vendor" world expect to configure a tunnel per machine — we work the opposite way: one tunnel per site, N sources per tunnel.
How it works
The WireGuard tunnel carries arbitrary IP packets. When our worker sends Modbus to 192.168.1.51:502, your Mikrotik router:
- Receives the packet on the
rela-vpninterface. - Checks its routing table:
192.168.1.0/24lives onether1(your LAN). - Forwards it to the switch, which delivers it to the right PLC.
To the PLC, it's a normal TCP connection from 10.200.7.2 (the VPN IP assigned to your site). It doesn't know or care there's a tunnel in between.
If you want to read 15 PLCs in parallel, the worker opens 15 different TCP connections — all crossing the same tunnel. Aggregate bandwidth is typically under 1 Mbps: Modbus and OPC UA are light traffic.
┌─────────────────────────┐
[Rela AI Worker] ─────▶│ WireGuard tunnel (UDP) │
└──────────┬──────────────┘
│
┌─────────▼──────────┐
│ Mikrotik hAP ac3 │
│ (your plant) │
└─────────┬──────────┘
│ LAN 192.168.1.0/24
┌────────────┬───────────┼───────────┬────────────┐
▼ ▼ ▼ ▼ ▼
Chamber Oven Mixer Compressor Temp sensor
Modbus TCP Modbus TCP S7comm EtherNet/IP OPC UA
.50 .51 .52 .53 .60Benefits
| One contract with your IT | No fighting "another open port, another VPN". Mikrotik is set up once, forever. |
| Scales without touching production | Adding a machine is assigning a fixed IP and creating a source in the dashboard — zero downtime. |
| Multi-protocol transparent | Modbus + OPC UA + S7 + EtherNet/IP coexist in the same tunnel. |
| One observability point | One peer, one handshake, one log. Troubleshooting concentrated. |
| Reuses existing infra | If the bakery already has Mikrotik/pfSense/OPNsense, marginal cost is $0. |
When ONE tunnel is enough
| Scenario | One tunnel? |
|---|---|
| Bakery with 5 devices in the same plant | ✅ Yes |
| Production line with 20 sensors/PLCs on the same LAN | ✅ Yes |
| Modbus + OPC UA + S7 coexisting in a building | ✅ Yes |
| Two floors of the same factory, same main switch | ✅ Yes |
| Up to ~50 PLCs polling at 5 seconds | ✅ Yes (bandwidth cap) |
When you need MULTIPLE tunnels
| Scenario | Tunnels needed |
|---|---|
| Bakery with 2 locations in different cities | 2 (one per location) |
| Brewery with production + remote distribution center | 2 |
| Chain of 8 franchise plants | 8 |
| Same plant with VLANs isolated without a route between them | 2 (one per VLAN) |
The rule: one tunnel = one physical site with a shared LAN. If the networks don't physically connect, you need one tunnel per each.
Step by step — Add a machine to the existing tunnel
Assuming you already have the proofing chamber running over VPN. Now you want to monitor the rotary oven too.
1. Assign fixed IP to the oven (10 min)
From the oven's panel (or manufacturer software), give it a static IP on the same subnet as the chamber:
- IP:
192.168.1.51 - Mask:
255.255.255.0 - Gateway: ISP router's IP (same as the chamber)
2. Verify reachability from the Mikrotik
From the Mikrotik console:
/tool ping count=4 address=192.168.1.51All 4 pings should succeed. If they don't:
- The oven doesn't have Modbus/OPC UA service active — check equipment config.
- There's an internal plant firewall between switches — consult IT.
3. Identify the oven's protocol
Industrial ovens usually speak:
- Modbus TCP (90% of cases post-2015).
- OPC UA (premium equipment, e.g. Miwe or Revent smart panels).
- S7comm (Siemens specifically).
Check the manual or PLC label. If you don't know, try Modbus TCP first — fails fast.
4. Dashboard → New source
| Field | Value |
|---|---|
| Name | Rotary oven |
| Protocol | Modbus TCP (or whichever applies) |
| Host | 192.168.1.51 |
| Port | 502 |
| Unit ID | 1 |
| Deployment mode | cloud_direct (same as the chamber) |
Don't change anything on the Mikrotik. The same tunnel already covers 192.168.1.0/24, so the new IP rides the same path.
5. Register map
If the oven exposes chamber temperature and heater state:
| Register | Address | Data type | Suggested name |
|---|---|---|---|
| Holding | 0 | uint16 | oven.chamber_temperature |
| Holding | 2 | uint16 | oven.temperature_setpoint |
| Coil | 0 | boolean | oven.heaters_on |
| Coil | 1 | boolean | oven.fan_on |
6. Create a differentiated agent
Create a separate agent for the oven:
- Name:
Oven Agent - Min severity:
warning - Specific rules:
oven.chamber_temperature > 280 during 2min→ high (dangerous over-temperature).oven.chamber_temperature < 150 AND oven.heaters_on == true during 10min→ warning (power problem).oven.fan_on == false AND oven.chamber_temperature > 200→ critical (fan dead under load).
7. Validate
Turn the oven on. Within 30 seconds you should see oven.chamber_temperature events in the inbox with rising values. If you do, you're done.
Plan limits and peers
| Plan | Max peers (sites) | Machines per peer |
|---|---|---|
| Essential | 1 | No practical limit (~50 with 5s polling) |
| Enterprise | 5 | No practical limit |
| Custom | N+ | No practical limit |
A bakery with 1 location + 50 machines is on Essential. A 5-bakery chain with 10 machines each, on Enterprise. A 20-bakery chain, custom pricing.
Multi-machine specific troubleshooting
I added a new source but the test fails
Try from the Mikrotik:
/tool ping count=4 address=<new-machine-IP>If ping fails, the problem is in your LAN (segregated VLAN, plant firewall, wrong IP). If ping works but the Modbus test fails, check the register map and unit_id.
All sources show connected but one doesn't reach the inbox
That specific source has its own problem. Most common causes:
- Emit policy
threshold_crossedand the value never crosses the threshold. - Assigned agent has
min_severity=criticaland events areinfo. - Poll interval too long (e.g. 60s) — not enough events yet.
Latency grows as I add machines
Each source's polling is independent and asynchronous. Adding 10 machines to a VPN doesn't add significant latency to each — unless they saturate the tunnel's bandwidth (>10 Mbps sustained).
If you see latency rising, the bottleneck is usually the slow PLC, not the VPN. Check Prometheus timings modbus_poll_latency_seconds{source_id="<id>"}.
Limitations
- Fixed VPN subnet: your site has
10.200.X.0/24assigned permanently. We can't change it without removing and recreating the peer. - Routing from Mikrotik to all OT LANs: if your plant has multiple OT subnets (
192.168.1.0/24,192.168.2.0/24,10.10.0.0/24), the Mikrotik needs routes to all of them. - Multicast does NOT go through: WireGuard only carries unicast. Multicast-based protocols (BACnet broadcast, EtherNet/IP discovery) don't cross the tunnel — each device must have a directly reachable IP.
See also: VPN Connectivity — technical guide, Bakery from scratch, Modbus TCP connection.
Heterogeneous fleet — 3 PLC brands under one VPN tunnel (Modbus TCP)
A bakery has a Schneider mixer, a Carel proofer and a WAGO oven. All speak Modbus TCP but with different quirks. How to wire them in a single Rela AI tenant without losing hours debugging byte order.
Case: Unified Inbox — 1 spike, 1 alert
The same physical event that used to generate 3 red rows on the board now consolidates into a single line with source_systems = [anomaly, energy, prognostics]. One action closes the incident.