
Industrial Secure Router User's Manual


Contents

1. Import: Upload the .crt remote certificate on this page. Label: user-defined name for this local certificate. Name / Subject: shows the name and subject when the certificate is imported successfully, or when the user selects a certificate from the list. Certificate Upload: use the Browse button to select a .p12 file and press the Import button.

L2TP Server: Layer 2 Tunnel Protocol (L2TP) is a popular choice for remote roaming users for VPN applications, since an L2TP client is built in to the Microsoft Windows operating system. Since L2TP does not provide an encryption function, it is usually combined with IPSec to provide data encryption.

L2TP Configuration. (Screenshot of the L2TP Server page: Server Setting for WAN; L2TP Server Mode: Disable; Local IP: 0.0.0.0; Offered IP Range: 0.0.0.0 to 0.0.0.0; User Name: test1; Password: test1; L2TP Account list with account test/test.) The Industrial Secure Router supports up to 10 accounts with different user names and passwords.

L2TP Server Mode - Enable / Disable: Enable or disable the L2TP function on the WAN1 or WAN2 interface. Factory default: Disable.
Local IP - IP address: The IP address of the Local Subnet. Factory default: 0.0.0.0.
Offered IP Range - IP address: Offered IP range for the L2TP clients. Factory default: 0.0.0.0.
Login User Name - Max xx characters (continued in item 10).
2. Policy Configuration: The Industrial Secure Router's Firewall policy provides secure traffic control, allowing users to control network traffic based on the following parameters. (Screenshot of the Firewall Policy page: Enable; Targets: ACCEPT; Interface From: All, To: All; Source IP: All; Protocol: All; Service: IP Filter; Destination IP: All.)

Enable - Enable / Disable: Enable or disable the selected Firewall policy. Factory default: Enabled.
Interface From / To - All, WAN1, WAN2, LAN: Select the From interface and To interface. Factory default: From All to All.
Quick Automation Profile - Refer to the Quick Automation Profile section: Select the Protocol parameters in this Firewall Policy. Factory default: None.
Service - IP Filter: This Firewall policy will filter by IP address. MAC Filter: This Firewall policy will filter by MAC address. Factory default: IP Filter.
Target - Accept: The packet will penetrate the firewall when it matches this firewall policy. Drop: The packet will not penetrate the firewall when it matches this firewall policy. Factory default: Accept.
Source IP - All IP Address: This Firewall Policy will check all Source IP addresses in the packet. Single IP Address: This Firewall Policy will check a single Source IP address in the packet. Range IP Address: This Firewall Policy will check multiple Source IP addresses in the packet. Factory default: All.
Source Port - All Port number: This Firewall Policy will che
3. (System event table, garbled in extraction: for the events Power Transition Off/On, DI On, Config Change and Auth Failure it lists the Trap, E-Mail, Syslog and Relay actions with severity EMERG.)

Cold Start: Power is cut off and then reconnected.
Warm Start: The Moxa industrial secure router is rebooted, such as when network parameters are changed (IP address, subnet mask, etc.).
Power Transition (On -> Off): The Moxa industrial secure router is powered down.
Power Transition (Off -> On): The Moxa industrial secure router is powered up.
DI Off: Digital input state is 0.
DI On: Digital input state is 1.
Configuration Change: Any configuration item has been changed.
Authentication Failure: An incorrect password was entered.

EDR-810 Series Features and Functions. There are four response actions available on the EDS-E series when events are triggered:
Trap: The industrial secure router will send a notification to the trap server when the event is triggered.
E-Mail: The industrial secure router will send a notification to the email server defined in the Email Setting.
Syslog: The industrial secure router will record a syslog entry to the syslog server defined in the Syslog Server Setting.
Relay: The industrial secure router supports digital inputs to integrate sensors. When an event is triggered, the device will automate alarms by relay output.
Severity - Debug: Debug-level messages.
Port Event Settings: Port Event
4. Enable Ring 1 - Enabled: Enable the Ring 1 settings. Disabled: Disable the Ring 1 settings. Factory default: Not checked.
Enable Ring 2 - Enabled: Enable the Ring 2 settings. Disabled: Disable the Ring 2 settings. Factory default: Not checked.
Note: You should enable both Ring 1 and Ring 2 when using the Dual Ring architecture.
Set as Master - Enabled: Select this device as Master. Disabled: Do not select this device as Master. Factory default: Not checked.
Redundant Ports - 1st Port: Select any port of the device to be one of the redundant ports. 2nd Port: Select any port of the device to be one of the redundant ports. Factory default: See the following table.
Enable Ring Coupling - Select this EDS as Coupler, or do not select this EDS as Coupler. Factory default: Not checked.
Coupling Mode - Dual Homing: Select this item to change to the Dual Homing configuration page. Ring Coupling (backup): Select this item to change to the Ring Coupling backup configuration page. Ring Coupling (primary): Select this item to change to the Ring Coupling primary configuration page. Factory default: See the following table.

Network Redundancy - Layer 3 Redundant Protocols - VRRP Settings. (Screenshot of the VRRP Setting page: VRRP Enable; Interface Setting entry: Enable, Virtual IP 192.168.127.250, Virtual Router ID (1 to 255), Priority 100 (maximum 254), Preemption Mode, Track Interface WAN.)
5. Firewall Policy: Enables or disables the SettingCheck function when the Firewall policies change.
NAT Policy: Enables or disables the SettingCheck function when the NAT policies change.
Accessible IP List: Enables or disables the SettingCheck function when the Accessible IP List changes.
Timer - 10 to 3600 sec: The timer waits this amount of time to double-confirm when the user changes the policies. Factory default: 180 sec.

For example, if the remote user (IP 10.10.10.10) connects to the Industrial Secure Router and changes the accessible IP address to 10.10.10.12, or deselects the Enable checkbox accidentally, then after the remote user clicks the Activate button the connection to the Industrial Secure Router will be lost, because the IP address is not in the Industrial Secure Router's Accessible IP list. (Screenshot of the Accessible IP List page: "Enable the accessible IP list (Disable will allow all IPs' connection)"; one LAN entry with IP address 10.10.10.12 and its netmask.)

If the user enables the SettingCheck function with the Accessible IP list and the confirmer Timer is set to 15 seconds, then when the user clicks the Activate button on the Accessible IP list page, the Industrial Secure Router will execute the configuration change and the web browser will try to jump to the SettingCheck Confirmed page automatically. Because the new IP list does not include the remote user's IP address, the remote user cannot connect to the SettingCheck Confirmed page. After 15 seconds the
6. Before accessing the Industrial Secure Router's web browser interface, first connect the Industrial Secure Router's RJ45 Ethernet LAN ports to your Ethernet LAN, or directly to your PC's Ethernet card (NIC). You can use either a straight-through or cross-over Ethernet cable. The Industrial Secure Router's default LAN IP address is 192.168.127.254. Perform the following steps to access the Industrial Secure Router's web browser interface:

1. Start Internet Explorer and type the Industrial Secure Router's LAN IP address in the Address field. Press Enter to establish the connection. (Address bar: https://192.168.127.254)
2. The web login page will open. Select the login account (Admin or User) and enter the Password (the same as the Console password), and then click Login to continue. Leave the Password field blank if a password has not been set. (Screenshot of the login page: Moxa EtherDevice Secure Router EDR-G903; Username; Password; Login.)

NOTE: The default password for the EDR series with firmware v3.0 and later is "moxa". For previous firmware versions the default password is blank. For greater security, please change the default password after the first login.

You may need to wait a few moments for the web page to be downloaded to your computer. Use the menu tree on the left side of the window to open the function pages to access each of the router's functions. (Screenshot: MOXA EDR-G903 Secure Router web console.)
7. Items:
Now Active: Shows which communication protocol is in use: Turbo Ring V2, RSTP, or none.
Ring 1/2 Status: Shows Healthy if the ring is operating normally, and Break if the ring's backup link is active.
Ring 1/2 Master/Slave: Indicates whether or not this EDS is the Master of the Turbo Ring. This field appears only when Turbo Ring or Turbo Ring V2 modes are selected. NOTE: The user does not need to set the master to use Turbo Ring. If the master is not set, the Turbo Ring protocol will assign master status to one of the EDS units in the ring. The master is only used to determine which segment serves as the backup path.
Ring 1/2 1st Ring Port Status, Ring 1/2 2nd Ring Port Status: The Port Status indicators show Forwarding for normal transmission, Blocking if this port is connected to a backup path and the path is blocked, and Link down if there is no connection.
Coupling Mode: Indicates None, Dual Homing, or Ring Coupling.
Coupling Port Status: Indicates either Primary or Backup.

Network Redundancy - Explanation of Settings Items:
Redundancy Protocol - Turbo Ring V2: Select this item to change to the Turbo Ring V2 configuration page. RSTP (IEEE 802.1W / 802.1D-2004): Select this item to change to the RSTP configuration page. None: Ring redundancy is not active. Factory default: None.
8. (Event list, continued: Link on, Link off, IP change, Configuration change activated, Authentication Fail, Authentication Pass, Enable / Disable, Power transition (On -> Off), Cold start.)

NOTE: The maximum number of event entries is 1000.

Syslog: This function provides the event logs for the syslog server. The function supports 3 configurable syslog servers and syslog server UDP port numbers. When an event occurs, the event will be sent as a syslog UDP packet to the specified syslog servers. (Screenshot of the Syslog Setting page: Enable; Syslog Server 1: 192.168.127.100, Port Destination 514 (1 to 65535); Syslog Server 2 and Syslog Server 3 with Enable and Port Destination; Activate.)
Syslog Server 1/2/3 - IP Address: Enter the IP address of the Syslog Server used by your network. Factory default: None.
Port Destination - 1 to 65535: Enter the UDP port of the Syslog Server. Factory default: 514.

Routing. The following topics are covered in this chapter: Unicast Routing; Static Routing; RIP (Routing Information Protocol); Routing Table.

Unicast Routing: The Industrial Secure Router supports two routing methods: static routing and dynamic routing. Dynamic routing makes use of RIP V1/V1c/V2. You can either choose one routing method or combine the two methods to est
9. Some have experimented with using Modbus over UDP on IP networks, which removes the overheads required for TCP. The following table shows the Modbus TCP frame format. (Table not recovered in extraction.)

Modbus Policy Setup: The Industrial Secure Router provides Modbus policy inspection of Modbus TCP packets, which allows users to control Modbus TCP traffic based on the following parameters. (Screenshot of the Modbus Policy page: Enable; Targets: ACCEPT; From: ALL; To: ALL; Source IP: All; Protocol: All; Destination IP: All; UID: 0 / Ignore UID; Function Code: Manual; Address: All; function code list: Read Coils, Read Discrete Inputs, Read Holding Registers, Read Input Register, Write Single Coil, Write Single Register, Read Exception Status, Diagnostic, Get Com Event Counter, Write Multiple Coils, Write Multiple Registers, Report Slave ID, Read File Record, Write File Record, Mask Write Register, Read/Write Multiple Registers, Read FIFO Queue; Modbus List.)

Add a Modbus TCP Filtering Rule: Check the Enable checkbox, input the corresponding Modbus TCP parameters in the page, and then click Add to add it into the Modbus Filtering Table. Finally, click Activate to activate the configuration.
Delete a Modbus TCP Filtering Rule: Select the item in the Modbus Filtering Table, then click Delete to delete the item.
Modify a Modbus TCP Filtering Rule: Select the item in the M
10. Login User Name - Max xx characters: User Name for the L2TP connection. Factory default: NULL.
Login Password - Max xx characters: Password for the L2TP connection. Factory default: NULL.

Examples for Typical VPN Applications

Site-to-Site IPSec VPN tunnel with Pre-Shared Key: The following example shows how to create a secure LAN-to-LAN VPN tunnel between the Central site and the Remote site via an Intranet network. (Diagram: Central site Network 100.100.1.0/24 - EDR-G903 (1) - Intranet Network 100.100.2.0/24 - EDR-G903 (2) - Remote site Network 100.100.3.0/24; VPN secure tunnel between the two routers; Ethernet switch.)

VPN Plan:
- All communication from the Central site network (100.100.1.0/24) to the Remote site Network (100.100.3.0/24) needs to pass through the VPN tunnel.
- The Intranet Network is 100.100.2.0/24.
- The configuration of the WAN/LAN interface for the 2 Industrial Secure Routers is shown in the following table.

EDR-G903 Interface Setting:
Industrial Secure Router 1: WAN IP 100.100.2.1; LAN IP 100.100.1.1.
Industrial Secure Router 2: WAN IP 100.100.2.2; LAN IP 100.100.3.1.

Based on the requirement and VPN plan, the recommended configuration for VPN IPSec is shown in the following table.
Tunnel Setting - Connection Type: Site to Site (Industrial Secure Router 1); Site to Site (Industrial Secure Router 2).
Remote VPN Gateway: 100.100.2.2 (Industrial Secure Router 1); 100.1
11. ... before setting the time.
Enable NTP/SNTP Server: Enable this function to configure the EtherDevice Router as an NTP/SNTP server on the network.
Enable Server synchronize: Enable this function to configure the EtherDevice Router as an NTP/SNTP client. It will synchronize the time information with another NTP/SNTP server.
1st Time Server IP/Name: IP or domain address (e.g. 192.168.1.1, time.stdtime.gov.tw, or time.nist.gov). Factory default: None.
2nd Time Server IP/Name: The EtherDevice Router will try to locate the 2nd NTP Server if the 1st NTP Server fails to connect.

SettingCheck. (Screenshot of the SettingCheck Configuration page: Firewall Policy; NAT Policy; Accessible IP List; Layer 2 Filter (only works in Bridge Mode); Timer 180 sec.)

SettingCheck is a safety function for industrial users using a secure router. It provides a double-confirmation mechanism for when a remote user changes the security policies, such as the Firewall filter, NAT, and Accessible IP list. When a remote user changes these security policies, SettingCheck provides a means of blocking the connection from the remote user to the Firewall/VPN device. The only way to correct a wrong setting is to get help from the local operator, or to go to the local site and connect to the device through the console port, which could take quite a bit of time and money. Enabling the SettingCheck function wil
12. ... several end stations at the same time, but where broadcasting the traffic to all end stations would cause a substantial reduction in network performance. Furthermore, several industrial automation protocols, such as Allen-Bradley EtherNet/IP, Siemens Profibus, and Foundation Fieldbus HSE (High Speed Ethernet), use multicast. These industrial Ethernet protocols use publisher/subscriber communications models by multicasting packets that could flood a network with heavy traffic. IGMP Snooping is used to prune multicast traffic so that it travels only to those end destinations that require the traffic, reducing the amount of traffic on the Ethernet LAN.

Multicast Filtering: Multicast filtering ensures that only end stations that have joined certain groups receive multicast traffic. With multicast filtering, network devices only forward multicast traffic to the ports that are connected to registered end stations. The following two figures illustrate how a network behaves without multicast filtering and with multicast filtering.

(Figure: Network without multicast filtering. Group 1 Multicast Stream and Group 2 Multicast Stream; all hosts receive the multicast traffic even if they don't need it; hosts belong to IGMP Group 1 or IGMP Group 2.)
(Figure: Network with multicast filtering. Group 1 Multicast Stream and Group 2 Multicast Stream; hosts only receive dedicated traffic from other hosts belonging to the same group; IGMP Gro
13. ... 255.255.255.0, 20.20.20.2. Note: If the OS is Linux, the Next Hop is 20.20.20.1.

DNS (Domain Name Server; optional setting for Dynamic IP and PPPoE types) - Server 1/2/3 - IP Address: The DNS IP address.
NOTE: The priority of a manually configured DNS will be higher than the DNS from the PPPoE or DHCP server.

Detailed Explanation of Static IP Type (WAN2 Configuration). (Screenshot: Connection: Connect Mode, DMZ Enable, Connect Type Static IP; Address Information: IP Address 192.168.1.1, Gateway 0.0.0.0; PPTP Dialup: PPTP Connection Enable, IP Address, User Name, Password; DNS (Optional for dynamic IP or PPPoE Type): Server 1 192.168.2.1, Server 2 0.0.0.0, Server 3 0.0.0.0.)
Address Information - IP Address: The interface IP address. Subnet Mask - IP Address: The subnet mask. Gateway - IP Address: The Gateway IP address.

Detailed Explanation of PPPoE Type (WAN2 Configuration). (Screenshot: Connection: Connect Mode Disable / Enable / Backup, Connect Type PPPoE; PPPoE Dialup: User Name, Host Name; DNS (Optional for dynamic IP and PPPoE Type): Server 1 192.168.2.1, Server 2 0.0.0.0.)
PPPoE Dialup - User Name: Max 30 characters. Host Name: Max 30 characters; user-defined ho
14. (Event Log table, continued; the first entry is cut off and ends with "... 8082 OUT WAN".)
3   2015-01-14 16:27:33  System    <0> Emergency  Link On Port 1 (Bootup 153, Startup 1d2h52m10s)
4   2015-01-14 16:18:59  System    <0> Emergency  Link Off Port 1 (Bootup 153, Startup 1d2h43m36s)
5   2015-01-14 16:16:39  Firewall  <4> Warning    TCP Without SYN Scan DROP PROTO TCP SRC_IP 192.168.126.1 SRC_PORT 41066 IN BRG DST_IP 192.168.1.72 DST_PORT 445 OUT WAN
6   2015-01-14 16:16:37  Firewall  <4> Warning    TCP Without SYN Scan DROP PROTO TCP SRC_IP 192.168.126.1 SRC_PORT 41066 IN BRG DST_IP 192.168.1.72 DST_PORT 445 OUT WAN (has repeated 6 times in past 10 seconds)
7   2015-01-14 16:16:27  Firewall  <4> Warning    TCP Without SYN Scan DROP PROTO TCP SRC_IP 192.168.126.1 SRC_PORT 41066 IN BRG DST_IP 192.168.1.72 DST_PORT 445 OUT WAN
8   2015-01-14 16:03:31  System    <0> Emergency  Link On Port 1 (Bootup 153, Startup 1d2h26m6s)
9   2015-01-14 14:56:36  System    <0> Emergency  Link Off Port 1 (Bootup 153, Startup 1d1h23m13s)
10  2015-01-14 14:57:14  Firewall  <4> Warning    TCP Without SYN Scan DROP PROTO TCP SRC_IP 192.168.126.1 SRC_PORT 49302 IN BRG DST_IP 192.168.50.137 DST_PORT 8062 OUT WAN (has repeated 5 times in past 10 seconds)

By default, all event logs will be displayed in the table. You can filter three types of event logs (System, VPN, and Firewall), combined with severity level.

EDR-G902/G903 Series Features and Functions: Overview; Configuring Basic Settings.
15. ... Gateway - IP Address: The Gateway IP address.

Detailed Explanation of PPPoE Type (WAN1 Configuration). (Screenshot: Connection: Enable, Connect Type PPPoE; PPPoE Dialup: User Name, Password, Host Name; DNS (Optional for dynamic IP or PPPoE Type): Server 1 192.168.2.1, Server 2, Server 3 0.0.0.0.)
PPPoE Dialup - User Name - Max 30 characters: The User Name for logging in to the PPPoE server. Factory default: None.
Host Name - Max 30 characters: User-defined Host Name of this PPPoE server. Factory default: None.
Password - Max 30 characters: The login password for the PPPoE server. Factory default: None.

WAN2 Configuration (includes DMZ Enable). (Screenshot: Connection: Connect Mode Disable / Enable / Backup, Connect Type Dynamic IP.)
Connection: Note that there are three different connection types for the WAN2 interface: Dynamic IP, Static IP, and PPPoE. A detailed explanation of the configuration settings for each type is given below.
Connection Mode - Enable or Disable: Enable or disable the WAN interface. Factory default: None. Backup: Enable WAN Backup mode. DMZ Enable: DMZ mode can only be enabled when the connection type is set to Static IP.
Connection Type - Static IP / Dynamic IP / PPPoE: Configure the connection type. Factory default: Dynamic IP.

Detailed Explanation of Dynamic IP Type (WAN2 Configuration). Connection: Connect M
16. All IP Address: This Modbus policy will check all Source IP addresses in the packet. Single IP Address: This Modbus policy will check a single Source IP address in the packet. Range IP Address: This Modbus policy will check multiple Source IP addresses in the packet.
Destination IP - All IP Address: This Modbus policy will check all Destination IP addresses in the packet. Single IP Address: This Modbus policy will check a single Destination IP address in the packet. Range IP Address: This Modbus policy will check multiple Destination IP addresses in the packet. Factory default: All.
UID: The Unit identifier (UID) is used with Modbus TCP devices that are composites of several Modbus devices. It may be used to communicate via devices such as bridges and gateways, which use a single IP address to support multiple independent end units.
Function Code: The function code defines the message type and the type of action required by the slave. The parameter contains one byte of information. Valid function codes are in the range 1 to 255. Not all Modbus devices recognize the same set of function codes. The most common codes are supported for quick settings, and user-defined function codes are also supported. Most function codes address a single address or a range of addresses. The Industrial Secure Router provides code for deep data inspection.
Common function codes: The following table shows the various readin
17. (Screenshot of the VLAN Configuration Table: Management VLAN ID 1; each port set to Port Type Access.)
Management VLAN ID - VLAN ID from 1 to 4094: Assigns the management VLAN ID of this Moxa switch. Factory default: 1.
Port Type - Access: Port type used to connect single devices without tags. Trunk: Select the Trunk port type to connect another 802.1Q VLAN-aware switch. Hybrid: Select the Hybrid port type to connect another 802.1Q VLAN-aware switch, or another LAN that combines tagged and/or untagged devices and/or other switches/hubs. Factory default: Access.
PVID - VLAN ID from 1 to 4094: Sets the default VLAN ID for untagged devices that connect to the port. Factory default: 1.
Tagged VLAN - VLAN ID from 1 to 4094: This field will be active only when selecting the Trunk or Hybrid port type. Set the other VLAN IDs for tagged devices that connect to the port. Use commas to separate different VIDs. Factory default: None.
Untagged VLAN - VLAN ID from 1 to 4094: This field will be active only when selecting the Trunk or Hybrid port type. Set the other VLAN IDs for tagged devices that connect to the port whose tags need to be removed in egress packets. Use commas to separate different VIDs. Factory default: None.
Quick Setting Panel: Click the triangle to open the Quick Setting Panel. Use this panel for quick and easy configuration of VLAN settings.
18. ... Drop) is different. For example, two firewall policies are shown below:

Index  Input  Output  Protocol  Source IP                   Destination IP   Target
1                     All       10.10.10.10                 192.168.127.10   ACCEPT
2      WAN2   LAN     All       20.20.20.10 to 20.20.20.30  192.168.127.20   ACCEPT

Suppose the user next adds a new policy with the following configuration:

Index  Input  Output  Protocol  Source IP                   Destination IP   Target
3      WAN2                     20.20.20.20                 192.168.127.20   DROP

After clicking the PolicyCheck button, the Industrial Secure Router will issue a message informing the user that policy 3 is masked by policy 2, because the IP range of policy 3 is smaller than the IP range of policy 2 and the Target action is different. (Message: "rule 3 is masked by rule 2".)

Include: Policy X is included in Policy Y. The Source/Destination IP range or Source/Destination port number of policy X is less than or equal to that of policy Y, and the action target (Accept/Drop) is the same. In this case, policy X will increase the loading of the Industrial Secure Router and lower its performance. For example, three firewall policies are shown in the following table:

Index  Input  Output  Protocol  Source IP                   Destination IP   Target
1                               10.10.10.10                 192.168.127.10   ACCEPT
2                               20.20.20.10 to 20.20.20.30  192.168.127.20   ACCEPT
3      WAN2                     20.20.20.20                 192.168.127.20   ACCEPT

After clicking the PolicyCheck button, the Industrial Secure Router will issue a message informing the user that policy 3 is in
19. Detailed Explanation of Static IP Type (WAN Configuration). (Screenshot: VLAN ID; Connection: Connect Mode Disable / Enable, Connect Type Static IP; Address Information: IP Address 0.0.0.0, Gateway 0.0.0.0, Subnet Mask 0.0.0.0; PPTP Dialup: PPTP Connection Enable, IP Address, User Name, Password, MPPE Encryption None / Encrypt; DNS (Optional for dynamic IP or PPPoE Type): Server 1, Server 2, Server 3, all 0.0.0.0.)
Address Information - IP Address: The interface IP address. Factory default: None.
Subnet Mask - IP Address: The subnet mask. Factory default: None.
Gateway - IP Address: The Gateway IP address. Factory default: None.

Detailed Explanation of PPPoE Type (WAN Configuration). (Screenshot: VLAN ID; Connection: Connect Mode Disable / Enable, Connect Type PPPoE; PPPoE Dialup: User Name, Password, Host Name; DNS (Optional for dynamic IP or PPPoE Type): Server 1, Server 2, Server 3, all 0.0.0.0.)
PPPoE Dialup - User Name - Max 30 characters: The User Name for logging in to the PPPoE server. Factory default: None.
Host Name - Max 30 characters: User-defined Host Name of this PPPoE server. Factory default: None.
Password - Max 30 characters: The login password for the PPPoE server. Factory default: None.

LAN Configuration. LAN IP Configuration: Name LAN En
20. When the Industrial Secure Router is in Bridge Mode (see the Mode Configuration section in Network Settings), it provides an advanced Layer 2 firewall policy for secure traffic control, which depends on the following parameters. (Screenshot of the Layer 2 policy page: Enable; Targets: ACCEPT; Interface From: All, To: All; Source MAC Address 00:90:e8:20:00:04; Protocol IPv4; Destination MAC Address 00:90:e8:20:00:02; EtherType.)

Interface From / To: Select the From interface and To interface. Factory default: None.
Protocol - Refer to table: Select the Layer 2 Protocol in this Firewall Policy. Refer to the table "EtherType for Layer 2 Protocol" for a more detailed description. Factory default: None.
EtherType - 0x0600 to 0xFFFF: When Protocol is set to Manual, you can set up the EtherType manually. Factory default: None.
Target - Accept: The packet will pass the Firewall when it matches this Firewall policy. Drop: The packet will not pass the Firewall when it matches this Firewall policy. Factory default: None.
Source MAC Address - MAC Address: This Firewall Policy will check all Source MAC addresses of the packet. Factory default: 00:00:00:00:00:00.
Destination MAC Address - MAC Address: This Firewall Policy will check all Destination MAC addresses of the packet. Factory default: 00:00:00:00:00:00.

The following table shows the Layer 2 protocol types commonly used in Ethernet frames (EtherType for Layer 2 Protocol): 0x880B: PPP. Frame-based ATM
21. Hash Algorithm (in data exchange) - MD5 / SHA1 / SHA256. Factory default: SHA1.

Dead Peer Detection: Dead Peer Detection is a mechanism to detect whether or not the connection between a local secure router and a remote IPSec tunnel has been lost. (Screenshot: Dead Peer Detection: Action Hold; Delay (seconds); Timeout (seconds).)
Action - Action when a dead peer is detected: Hold: Hold this VPN tunnel. Reconnect: Reconnect this VPN tunnel. Clear: Clear this VPN tunnel. Disable: Disable Dead Peer Detection. Factory default: Hold.
Delay - Delay time (seconds): The period of the dead peer detection messages. Factory default: 30 sec.
Timeout - Timeout (seconds): Timeout to check if the connection is alive or not. Factory default: 120 sec.

IPSec Status: The user can check the VPN tunnel status in the IPSec Connection List. This list shows the Name of the IPSec tunnel, the IP address of the Local and Remote Subnet and Gateway, and the established status of the Key exchange phase and Data exchange phase. (Screenshot of the IPSec Connection List: columns Name, Local Subnet, Local Gateway, Remote Gateway, Remote Subnet, Key Exchange (IPSec Phase 1), Data Exchange.)

X.509 Certificate: X.509 is a digital certificate method commonly used for IPSec authentication. The Industrial Secure Router can generate a trusted Root Certification and then export/import the certificate to the remote VPN gateway. The diagram below indicates the 5 ste
22. MIB II.7 UDP Group: udpTable, UdpStats. MIB II.11 SNMP Group: SnmpBasicGroup, SnmpInputStats, SnmpOutputStats.
Public Traps: 1. Cold Start; 2. Link Up; 3. Link Down; 4. Authentication Failure.
Private Traps: 1. Configuration Changed; 2. Power On; 3. Power Off; 4. DI Trap.
MIB Groups: The Industrial Secure Router also provides a MIB file, located in the file Moxa-EDRG903-MIB.my on the Industrial Secure Router Series utility CD-ROM, for SNMP trap message interpretation.
23. ... the Industrial Secure Router will roll back to the original Accessible IP List setting, allowing the remote user to reconnect to the Industrial Secure Router and check what's wrong with the previous setting. (Screenshot: the browser's "The page cannot be displayed" error page, shown while the remote user's connection is blocked.) If the new configuration does not block the connection from the remote user to the Industrial Secure Router, the user will see the SettingCheck Confirmed page sh
24. ... Mode, and then go to the Network Redundancy > WAN Backup setting page for the WAN Backup configuration. (Screenshot of the WAN Backup page: Link Check; Ping Check; IP; Interval (sec, 1 to 1000); Retry (1 to 100); Timeout (ms, 100 to 10000).)
Link Check - Enable or Disable: Activates the Backup function by checking the link status of WAN1. Factory default: Disabled.
Ping Check - Enable or Disable: Activates the Backup function if the EtherDevice Router is unable to ping a specified IP address. Factory default: Disabled.
IP - IP address: The EtherDevice Router will check the ping integrity of this IP address if the Ping Check function is enabled. Factory default: None. NOTE: The IP address for the Ping Check function should be on the network segment of WAN1.
Interval - 1 to 1000 sec: The user can set up a different Ping Interval for a different network topology. Factory default: 180 sec.
Retry - 1 to 100: The user can configure the number of retries. If the number of continuous retries exceeds this number, the EtherDevice Router will activate the backup path. Factory default: 3.
Timeout - 100 to 10000 ms: The timeout criterion of Ping Check. Factory default: 3000 ms.

Monitor: You can monitor statistics in real time from the EtherDevice Router's web console.
Monitor by System: Access the Monitor by selecting System from the left selection bar. Monitor by System allows the user to view a graph that
25. None. Address (WAN IP, N-1 mode): IP address. The IP address of the user-selected interface (WAN1, WAN2, or Auto) in this N-to-1 policy. Factory Default: None.
Network Address Translation. NOTE:
Add a NAT Rule: Check the Enable checkbox, input the corresponding NAT parameters on the page, and then click New/Insert to add it to the NAT List Table. Finally, click Activate to activate the configuration.
Delete a NAT Rule: Select the item in the NAT List Table, then click Delete to delete the item.
Modify a NAT Rule: Select the item in the NAT List Table, modify the attributes, and click Modify to change the configuration.
Activate NAT List Table: After adding, deleting, or modifying any NAT rules, be sure to Activate it.
The Industrial Secure Router will add an N-1 policy from the source IP range 192.168.127.1 to 192.168.127.252 to the WAN1 interface after activating the Factory Default.
Port Forward: If the initial connection is from outside the LAN but the user still wants to hide the internal IP address, one way to do this is to use the Port Forwarding NAT function. The user can specify the port number of an external IP address (WAN1 or WAN2) in the Port Forwarding policy list. For example, if the IP address of a web server in the internal network is 192.168.127.10 with port 80, the user can set up a port forwarding policy to let remote users connect to the internal web server
26. Router User's Manual, Getting Started. RS-232 Console Configuration: 115200, None, 8, 1, VT100.
NOTE: Connection Caution! We strongly suggest that you do NOT use more than one connection method at the same time. Following this advice will allow you to maintain better control over the configuration of your Industrial Secure Router.
NOTE: We recommend using Moxa PComm Terminal Emulator, which can be downloaded free of charge from Moxa's website.
Before running PComm Terminal Emulator, use an RJ45-to-DB9-F or RJ45-to-DB25-F cable to connect the Industrial Secure Router's RS-232 console port to your PC's COM port (generally COM1 or COM2, depending on how your system is set up). After installing PComm Terminal Emulator, perform the following steps to access the RS-232 console utility:
1. From the Windows desktop, click Start > Programs > PCommLite1.3 > Terminal Emulator. [Screenshot: Windows Start menu showing the PComm Lite 1.3 program group with Library Programming Guide, Library Reference, PComm Diagnostic, and PComm Terminal Emulator.]
2. Select Open in the Port Manager menu to open a new connection. [Screenshot: PComm Terminal Emulator menu bar: Profile, Port Manager, Help.]
3. The Communication Parameter page of the Property window will appear. Select the appropriate COM port from the Ports drop-down list, 115200 for Baud Rate,
27. Secure Router always use the same IP address. The static DHCP list matches IP addresses to MAC addresses.
[Screenshot: Static IP Assignment form: Enable checked; Name Device 01; MAC Address 00:09:ad:00:aa:01; Static IP 192.168.127.101; Netmask 255.255.255.0; Lease Time 60 minutes; Default Gateway 192.168.127.254; DNS Server 1 192.168.127.201; DNS Server 2 192.168.127.202; NTP Server 192.168.127.203.]
Static IP Pool (3/256), one row per device (Name, MAC Address, Static IP, Netmask, Lease Time, Default Gateway, DNS Server 1, DNS Server 2, NTP Server):
Device 01 | 00:09:ad:00:aa:01 | 192.168.127.101 | 255.255.255.0 | 60 | 192.168.127.254 | 192.168.127.201 | 192.168.127.202 | 192.168.127.203
Device 02 | 00:09:ad:00:aa:02 | 192.168.127.102 | 255.255.255.0 | 60 | 192.168.127.254 | 192.168.127.201 | 192.168.127.202 | 192.168.127.203
Device 03 | 00:09:ad:00:aa:03 | 192.168.127.103 | 255.255.255.0 | 60 | 192.168.127.254 | 192.168.127.201 | 192.168.127.202 | 192.168.127.203
In the above example, a device named Device 01 was added to the Static DHCP list with a static IP address set to 192.168.127.101 and MAC address set to 00:09:ad:00:aa:01. When a device with a MAC address of 00:09:ad:00:aa:01 is connected to the Industrial Secure Router, the Industrial Secure Router will offer the IP address 192.168.127.101 to this device.
Static DHCP: Enable or Disable. Enable or disable the Static DHCP server function. Factory Default: Disable.
EDR-810 Series Features and Functions. Name: The name of the selected device in the Static DHCP list. Factory De
28. System: Identification, Accessible IP, Password, Time, SettingCheck, System File Update by Remote TFTP, System File Update by Local Import/Export, Restart, Reset to Factory Default. Network Settings: Mode Configuration, WAN1 Configuration, WAN2 Configuration (includes DMZ Enable), Using DMZ Mode, LAN Interface. Communication Redundancy > WAN Backup (EDR-G903 only). Monitor: System. Log > EventLog > Syslog.
EDR-G902/G903 Series Features and Functions. Overview: The Overview page is divided into three major parts: Interface Status, Basic function status, and Recent 10 Event logs, and gives users a quick overview of the EtherDevice Router's current settings. [Screenshot: Overview page showing Interface Status (Port 1 WAN1 connected, Port 2 WAN2 disconnected, Port 3 LAN connected), basic function status (DDNS Disable, DoS Disable, WAN Backup Disable, QoS Disable), and the Recent 10 Event Log with entries such as "WAN link on", "WAN link off", "LAN link on", "LAN link off", "NAT Configuration Change", "Filter Configuration Change", and "admin auth ok", timestamped 2010/4/7.] Click More at the top of the Interface Status table to see detailed information about all interfaces. Interface Status Mo
29. Transport over Ethernet.
Firewall. Quick Automation Profile: Ethernet Fieldbus protocols are popular in industrial automation applications. In fact, many Fieldbus protocols (e.g., EtherNet/IP and Modbus TCP/IP) can operate on an industrial Ethernet network, with the Ethernet port number defined by IANA (Internet Assigned Numbers Authority). The Industrial Secure Router provides an easy-to-use function called Quick Automation Profile that includes 45 different pre-defined profiles (Modbus TCP/IP, EtherNet/IP, etc.), allowing users to create an industrial Ethernet Fieldbus firewall policy with a single click. For example, if the user wants to create a Modbus TCP/IP firewall policy for an internal network, the user just needs to select the Modbus TCP/IP (TCP) or Modbus TCP/IP (UDP) protocol from the Protocol drop-down menu on the Firewall Policy Setting page. [Screenshot: Firewall Policy Setting with Enable checked, Target ACCEPT, Interface From All To All, Source IP All, Protocol "Modbus tcp/ip (TCP)", Service IP Filter, Destination IP All, and the Filter List below.]
The following table shows the Quick Automation Profile for each Ethernet Fieldbus Protocol and the corresponding port number. [Table, partly recovered: Ethernet Fieldbus Protocol / Port: EtherCAT (TCP); EtherNet/IP Messaging (TCP); 502; 502.]
Firewall. The Quick Automation Profile also includes the commonly used Ethernet protocols lis
30. a group of devices that can be located anywhere on a network but which communicate as if they are on the same physical segment. With VLANs, you can segment your network without being restricted by physical connections, a limitation of traditional network design. With VLANs, you can segment your network into:
• Departmental groups: you could have one VLAN for the marketing department, another for the finance department, and another for the product development department.
• Hierarchical groups: you could have one VLAN for directors, another for managers, and another for general staff.
• Usage groups: you could have one VLAN for email users and another for multimedia users.
EDR-810 Series Features and Functions. [Figure: Switch A and Switch B joined by a backbone that connects multiple switches, with Department 1 (VLAN 1), Department 2 (VLAN 2), and Department 3 (VLAN 3).]
Benefits of VLANs: The main benefit of VLANs is that they provide a network segmentation system that is far more flexible than traditional networks. Using VLANs also provides you with three other benefits:
• VLANs ease the relocation of devices on networks. With traditional networks, network administrators spend much of their time dealing with moves and changes. If users move to a different sub-network, the addresses of each host must be updated manually. With a VLAN setup, if a host originally on VLAN Marketing, for example, is moved to a port on
31. diagnose network systems. The following topics are covered in this chapter: Ping; LLDP.
Diagnosis. Ping: Use the Ping command to test network integrity. [Screenshot: Ping page with Interface (WAN1), IP address/Name field, and a Ping button.] The Ping function uses the ping command to give users a simple but powerful tool for troubleshooting network problems. The function's most unique feature is that even though the ping command is entered from the user's PC keyboard, the actual ping command originates from the Industrial Secure Router itself. In this way, the user can essentially control the Industrial Secure Router and send ping commands out through its ports. There are two basic steps required to set up the Ping command to test network integrity:
1. Select which interface will be used to send the ping commands. You may choose from WAN1, WAN2, and LAN.
2. Type in the desired IP address and click Ping.
LLDP. LLDP Function Overview: Defined by IEEE 802.1AB, Link Layer Discovery Protocol (LLDP) is an OSI Layer 2 protocol that standardizes the methodology of self-identity advertisement. It allows each networking device, such as a Moxa managed switch or router, to periodically inform its neighbors about itself and its configuration. In this way, all devices will be aware of each other. LLDP Settings: General Settings: LLDP Enable; Message Transmit Interval 30. LLDP table columns: Port, Events, Neighbor ID, Neighbor Port, Neighbor Port Description, Neighbo
32. enable SSH. Selected. Port 22. Enable HTTP: Select/Deselect. Select the appropriate checkboxes to enable HTTP. Selected. Port 80. Enable HTTPS: Select/Deselect. Select the appropriate checkboxes to enable HTTPS. Selected. Port 443.
EDR-810 Series Features and Functions. Authentication Certificate: [Screenshot: Authentication Certificate page with SSL Certificate (Created Date, Expired Date, Re-Generate) and SSH Key (Created Date, Re-Generate).] SSL Certificate Re-generate: Select/Deselect. Enable the SSL Certificate Re-generate. Factory Default: Deselect. SSH Key Re-generate: Select/Deselect. Enable the SSH Key Re-generate. Factory Default: Deselect.
Trusted Access: The Moxa industrial secure router uses an IP address-based filtering method to control access. [Screenshot: Trusted Access page with the checkboxes "Enable the accessible IP list (Disable will allow all IPs' connection)" and "Accept all connection from LAN Port", and a table of 10 entries with Enable, Index, IP Address, and Netmask columns.] You may add or remove IP addresses to limit access to the Moxa industrial secure router. When the accessible IP list is enabled, only addresses on the list will be allowed access to the Moxa industrial secure router. Each IP address and netmask entry can be tailored for different situations:
• Grant access to one host with a specific IP address. For example,
34. enter IP address 192.168.1.1 with netmask 255.255.255.255 to allow access to 192.168.1.1 only.
• Grant access to any host on a specific subnetwork. For example, enter IP address 192.168.1.0 with netmask 255.255.255.0 to allow access to all IPs on the subnet defined by this IP address/subnet mask combination.
• Grant access to all hosts. Make sure the accessible IP list is not enabled (remove the checkmark from "Enable the accessible IP list").
The following table shows additional configuration examples.
Hosts That Need Access | Input Format
Any host |
192.168.1.120 | 192.168.1.120 / 255.255.255.255
192.168.1.1 to 192.168.1.254 |
192.168.1.129 to 192.168.1.254 |
RADIUS Server Settings: [Screenshot: RADIUS Setting: RADIUS State Disable; 1st RADIUS Server, 1st RADIUS Server Port 1812, 1st RADIUS Secret; 2nd RADIUS Server, 2nd RADIUS Server Port 1812, 2nd RADIUS Secret.]
RADIUS Status: Enable or Disable. Enable to use the same setting as the Auth Server.
Server Setting: RADIUS Server: Specifies the IP/name of the server. RADIUS Port: Specifies the port of the server. Factory Default: 1812. RADIUS Secret: Specifies the shared key of the server.
Monitor. Interface Statistics: Access the Monitor by selecting Monitor from the left selection bar. Monitor by System allows the user to view a graph that shows the combined data transmission activity of all of the Moxa industrial secure router's ports. Click one of the thre
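The accessible IP list rules described above, as an added example that is not code from the Moxa manual or the router firmware: it assumes entries are (IP address, netmask) strings exactly as typed into the Trusted Access page, and its entry_for_range() helper goes beyond the manual's table by deriving the address/netmask pair for a contiguous host range.

```python
"""Trusted Access (accessible IP list) matching.

Added example, not the Moxa manual's or the router firmware's own code.
Entries are (ip, netmask) strings as typed into the Trusted Access page.
"""
import ipaddress


def allowed(host, entries, list_enabled=True, from_lan=False, accept_all_lan=False):
    """Decide whether `host` may reach the router's management services.

    host:           source IPv4 address of the connection, as a string
    entries:        iterable of (ip, netmask) pairs; pass only enabled rows
    list_enabled:   state of "Enable the accessible IP list"; when False,
                    every host is allowed (the manual's "Any host" case)
    from_lan:       True if the connection arrived on a LAN port
    accept_all_lan: state of "Accept all connection from LAN Port"
    """
    if not list_enabled:
        return True
    if from_lan and accept_all_lan:
        return True
    addr = ipaddress.IPv4Address(host)
    for ip, netmask in entries:
        # strict=False accepts a host address with a /32 mask, such as
        # 192.168.1.1 / 255.255.255.255, and an entry whose host bits are
        # not all zero, which the web page does not reject either.
        net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
        if addr in net:
            return True
    return False


def entry_for_range(first, last):
    """Return the (ip, netmask) entry covering the hosts first..last.

    The manual's table lists ranges such as 192.168.1.1 to 192.168.1.254,
    i.e. a whole subnet minus its network and broadcast addresses, so the
    range is also tried widened by one address on each side. A range that
    still does not fit one aligned block cannot be a single list entry and
    raises ValueError.
    """
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError("last address precedes first address")
    candidates = [(lo, hi)]
    if int(lo) > 0 and int(hi) < 0xFFFFFFFF:
        candidates.append((lo - 1, hi + 1))
    for a, b in candidates:
        blocks = list(ipaddress.summarize_address_range(a, b))
        if len(blocks) == 1:
            net = blocks[0]
            return str(net.network_address), str(net.netmask)
    raise ValueError("range cannot be expressed as one IP address/netmask entry")


if __name__ == "__main__":
    # Constructed list: the host entry and a subnet entry in the manual's format.
    acl = [("192.168.1.1", "255.255.255.255"), ("10.0.5.0", "255.255.255.0")]
    for h in ("192.168.1.1", "192.168.1.2", "10.0.5.77"):
        print(h, "allowed" if allowed(h, acl) else "rejected")
    print(entry_for_range("192.168.1.129", "192.168.1.254"))
```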
35. from external IP address 10.10.10.10 through port 8080. The Industrial Secure Router will transfer the packet to IP address 192.168.127.10 through port 80. The Port Forwarding NAT function is one way of connecting from an external, insecure area (WAN) to an internal, secure area (LAN). The user can initiate the connection from the external network to the internal network, but will not be able to initiate a connection from the internal network to the external network. [Figure: a Remote user on the WAN network connects to port 8080 of the router's external address, which is forwarded to 192.168.127.10 port 80 on the production line.]
[Screenshot: NAT policy form: Enable; Protocol TCP; NAT Mode Port Forward; Interface WAN1; WAN Port; LAN/DMZ IP; LAN/DMZ Port.]
Enable/Disable NAT policy: Enable or Disable. Enable or disable the selected NAT policy. Factory Default: Enabled.
NAT Mode: N-1 / 1-1 / Port Forward. Select the NAT type. Factory Default: N-1.
Interface (Port Forward mode): WAN1 / WAN2. Select the Interface for this NAT Policy. Factory Default: WAN1.
Network Address Translation. Protocol (Port Forward mode): Select the Protocol for the NAT Policy.
WAN Port (Port Forward mode): 1 to 65535. Select a specific WAN port number. Factory Default: None.
LAN/DMZ IP (Port Forward mode): IP Address. The translated IP address in the internal network. Factory Default: None.
LAN/DMZ Port (Port Forward mode): 1 to 65535. The translated port number in the internal network. Factory Default: None.
The followin
36. [Screenshot: Daylight Saving Time settings: Start Date, End Date, Offset (hr) 0.] System Up Time: Indicates how long the Moxa industrial secure router has remained up since the last cold start. Current Time: User-specified time. Indicates the time in yyyy/mm/dd format. Clock Source: Setting, Description, Factory Default.
Time Zone: Time zone. Specifies the time zone, which is used to determine the local time offset from GMT (Greenwich Mean Time). Factory Default: GMT (Greenwich Mean Time).
Daylight Saving Time: The Daylight Saving Time settings are used to automatically set the Moxa switch's time forward according to national standards.
Start Date: User-specified date. Specifies the date that Daylight Saving Time begins.
End Date: User-specified date. Specifies the date that Daylight Saving Time ends.
Offset: User-specified hour. Specifies the number of hours that the time should be set forward during Daylight Saving Time. Factory Default: None.
Changing the time zone will automatically correct the current time. Be sure to set the time zone before setting the time.
EDR-810 Series Features and Functions. Time Server IP/Name: IP address or name of the time server. The IP or domain address (e.g., 192.168.1.1, time.stdtime.gov.tw, or time.nist.gov). Factory Default: None. IP address or name of the second time server: The Moxa switch will try to locate the
37. line speed (FDX). Flow Ctrl: This setting enables or disables flow control for the port when the port's Speed is set to Auto. The final result will be determined by the Auto process between the Moxa switch and the connected devices. Enable: Enables flow control for this port when the port's Speed is set to Auto. Disable: Disables flow control for this port when the port's Speed is set to Auto. Factory Default: Disabled.
MDI/MDIX: Allows the port to auto-detect the port type of the connected Ethernet device and change the port type accordingly. Choose MDI or MDIX if the connected Ethernet device has trouble auto-negotiating the port type. Factory Default: Auto.
EDR-810 Series Features and Functions. Link Aggregation: Link aggregation involves grouping links into a link aggregation group. A MAC client can treat link aggregation groups as if they were a single link. The Moxa industrial secure router's port trunking feature allows devices to communicate by aggregating up to 4 trunk groups, with a maximum of 8 ports for each group. If one of the 8 ports fails, the other seven ports will automatically provide backup and share the traffic. Port trunking can be used to combine up to 8 ports between two Moxa switches or industrial secure routers. If all ports on both switches are configured as 100BaseTX and they are operating in full duplex, the potential bandwidth of the connection will be 1600 Mbps. The Port Trunki
38. 1 Introduction. Welcome to the Moxa Industrial Secure Router series: the EDR-G902, EDR-G903, and EDR-810. The all-in-one Firewall/NAT/VPN secure routers are designed for connecting Ethernet-enabled devices with network IP security. The following topics are covered in this chapter: Overview; Package Checklist; Features (Industrial Networking Capability; Designed for Industrial Applications; Useful Utility and Remote Configuration).
Introduction. Overview: As the world's network and information technology becomes more mature, the trend is to use Ethernet as the major communications interface in many industrial communications and automation applications. In fact, an entirely new industry has sprung up to provide Ethernet products that comply with the requirements of demanding industrial applications. Moxa's Industrial Secure Router series is a Gigabit-speed, all-in-one Firewall/VPN Router for Ethernet security applications in sensitive remote control and monitoring networks. The Industrial Secure Router supports
39. one WAN, one LAN, and a user-configurable WAN/DMZ interface (EDR-G903) that provides high flexibility for different applications, such as WAN redundancy or Data/FTP server security protection. The Quick Automation Profile function of the Industrial Secure Router's firewall supports most common Fieldbus protocols, including EtherCAT, EtherNet/IP, FOUNDATION Fieldbus, Modbus/TCP, and PROFINET. Users can easily create a secure Ethernet Fieldbus network from a user-friendly web UI with a single click. In addition, wide-temperature models are available that operate reliably in hazardous -40 to 75°C environments.
Package Checklist: The Industrial Secure Routers are shipped with the following items. If any of these items are missing or damaged, please contact your customer service representative for assistance.
• 1 Moxa Industrial Secure Router
• RJ45-to-DB9 console port cable
• Protective caps for unused ports
• DIN rail mounting kit (attached to the Industrial Secure Router's rear panel by default)
• Hardware installation guide (printed)
• CD-ROM with user's manual and Windows utility
• Warranty card
Features. Industrial Networking Capability:
• Router/Firewall/VPN all in one
• 1 WAN, 1 LAN, and 1 user-configurable WAN or DMZ interface
• Network address translation (N-to-1, 1-to-1, and port forwarding)
Designed for Industrial Applications:
• Dual WAN redundancy function
• Firewall with Quick Automation Profile for Fieldbus proto
40. or Disable. Factory Default: None. SYN/RST Scan: Enable or Disable. Enable or disable the SYN/RST Scan. Factory Default: None.
Firewall. NEW Without SYN Scan: Enable or Disable. Enable or disable the NEW Without SYN Scan protection. ICMP Death: Enable or Disable. Enable or disable the ICMP Death defense. Limit (Packets/Second): The limit value that activates the ICMP Death defense. SYN Flood: Enable or Disable. Enable or disable the Null Scan function. Limit (Packets/Second): The limit value that activates the SYN Flood defense. ARP Flood: Enable or Disable. Enable or disable the ARP Flood protection. Limit (Packets/Second): The limit value that activates the ARP Flood protection.
Firewall Event Log: The secure router supports real-time event logs for Firewall, DoS, and VPN events. You can configure the system to save these logs locally in the flash, or to send them to the Syslog server and SNMP Trap server. [Screenshot: Policy Setup / Firewall Log Setting: Malformed Packets (Drop Malformed Packets; Severity <0> Emergency; Flash, Syslog, SNMP Trap) and Policy Setting (Enable; Action DROP; Severity <0> Emergency; Flash, Syslog, SNMP Trap; Source IP All; Interface From BRG_LAN To LAN; Destination IP All; Destination Port All; Quick Automation Profile; Service IP Filter).] Enable Logging Firewall Events: To enable the overall event log functio
41. servers access all objects with read-only permissions using the community string "public" (default value). SNMP V3, which requires that the user selects an authentication level of MD5 or SHA, is the most secure protocol. You can also enable data encryption to enhance data security. The SNMP security modes and security levels supported by the Industrial Secure Router are shown in the following table. Select the security mode and level that will be used to communicate between the SNMP agent and manager.
Protocol Version | Authentication Type | Data Encryption | Description
SNMP V1, V2c | Community string (Read Community) | No | Uses a community string match for authentication.
SNMP V3 | MD5 or SHA | No | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. 8-character passwords are the minimum requirement for authentication.
SNMP V3 | MD5 or SHA | Data encryption key | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms and a data encryption key. 8-character passwords and a data encryption key are the minimum requirements for authentication and encryption.
These parameters are configured on the SNMP page. A more detailed explanation of each parameter is given below. [Screenshot: SNMP System Information: SNMP Versions (Disable); Admin Auth Type (MD5); Enable Admin Data Encryption; Data Encryption Key; User Auth Type (MD5); Enable User Data Encryption; Data Encryption Key; Community
42. setting leaves only the port default priority active, which results in all ingress frames being assigned the same priority on that port.
CoS Mapping: [Screenshot: CoS Mapping table assigning each CoS value to a priority queue (Low, Normal, Medium, High).] CoS Value and Priority Queues: Maps different CoS values to 4 different egress queues. Settings: Low, Normal, Medium, High.
ToS/DSCP Mapping: [Table: ToS/DSCP Mapping, listing each ToS value from 0x00 upward in steps of 4, numbered 1 to 64, with its Level: 1 to 16 Low, 17 to 32 Normal, 33 to 48 Medium, 49 to 64 High.] EDR-810 Series Features and Functions. ToS/DSCP Value and Priority Queues: Maps different ToS values to 4 different egress queues: 1 to 16 Low, 17 to 32 Normal, 33 to 48 Medium, 49 to 64 High. Settings: Low, Normal, Medium, High. Rate
43. should change to a different state.
Network Redundancy. Hello time (sec): Numerical value input by user. The root of the Spanning Tree topology periodically sends out a hello message to other devices on the network to check if the topology is healthy. The hello time is the amount of time the root waits between sending hello messages.
Max Age (sec): Numerical value input by user. If this device is not the root and it has not received a hello message from the root in an amount of time equal to Max Age, then this device will reconfigure itself as a root. Once two or more devices on the network are recognized as a root, the devices will renegotiate to set up a new Spanning Tree topology.
Enable STP per Port: Enable/Disable. Select to enable the port as a node on the Spanning Tree topology. Factory Default: Disabled.
NOTE: We suggest not enabling the Spanning Tree Protocol once the port is connected to a device (PLC, RTU, etc.) as opposed to network equipment. The reason is that it will cause unnecessary negotiation.
If the port does not receive a BPDU within 3 seconds, the port will be in the forwarding state. Once the port receives a BPDU, it will start the RSTP negotiation process. Force Edge: The port is fixed as an edge port and will always be in the forwarding state. Otherwise the port is set as a normal RSTP port. Port Priority: Numerical value. Increase this port's priorit
44. since the cost of transmitting through the satellite is greater than the cost of transmitting over the Ethernet. Traditional solutions would use two routers to connect to the different ISPs. In this case, if the connection to the primary ISP fails, the connection must be switched to the backup ISP manually. The EtherDevice Router's WAN backup function checks the link status and the connection integrity between the EtherDevice Router and the ISP or central office. When the primary WAN interface fails, it will switch to the backup WAN automatically to keep the connection alive. [Figure: the Field site reaches the Center site over WAN1 (Ethernet, ISP A, primary) or WAN2 (satellite, ISP B, backup).]
When configuring the EtherDevice Router, choose one of the two following conditions to activate the backup path:
• Link Check: WAN1 link down.
• Ping Check: Sends ping commands to a specific IP address (e.g., the IP address of the ISP's server) from WAN1, based on the user-configurable Time Interval, Retry, and Timeout.
When the WAN backup function is enabled and the Link Check or Ping Check for the WAN1 interface fails, the backup interface (WAN2) will be enabled as the primary interface.
EDR-G902/G903 Series Features and Functions. WAN Backup Configuration: [Screenshot: WAN2 Configuration: Connection, Connect Mode (Disable, Enable, Backup), Connect Type (Dynamic IP).] Select Backup for the WAN2/DMZ Connect
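The Ping Check condition from the WAN Backup settings table and the description above, as an added example that is not code from the Moxa manual or the router firmware: it assumes the Interval, Retry, and Timeout settings with their factory defaults, the rule that the backup path is activated once the run of continuous failed retries exceeds Retry, and it feeds probe results in from a constructed list instead of sending real ICMP.

```python
"""WAN Backup: Ping Check failover decision.

Added example, not the Moxa manual's or the router firmware's own code.
Models the manual's rule: a probe to the check IP every Interval seconds,
each probe waiting up to Timeout ms, and the backup path (WAN2) activated
once the number of continuous failed retries exceeds Retry.
"""
from dataclasses import dataclass, field


@dataclass
class PingCheck:
    target_ip: str               # per the manual's NOTE, an address on the WAN1 segment
    interval_sec: int = 180      # Interval, 1 to 1000 sec, factory default 180
    retry: int = 3               # Retry, 1 to 100, factory default 3
    timeout_ms: int = 3000       # Timeout, 100 to 10000 ms, factory default 3000
    failures: int = 0            # consecutive failed probes seen so far
    active_wan: str = "WAN1"     # interface currently carrying traffic
    events: list = field(default_factory=list)

    def __post_init__(self):
        # Reject values outside the ranges the settings page accepts.
        if not 1 <= self.interval_sec <= 1000:
            raise ValueError("Interval must be 1 to 1000 sec")
        if not 1 <= self.retry <= 100:
            raise ValueError("Retry must be 1 to 100")
        if not 100 <= self.timeout_ms <= 10000:
            raise ValueError("Timeout must be 100 to 10000 ms")

    def observe(self, reachable: bool) -> str:
        """Record one probe result and return the interface now in use."""
        if reachable:
            self.failures = 0          # any success ends the failure run
            return self.active_wan
        self.failures += 1
        if self.active_wan == "WAN1" and self.failures > self.retry:
            self.active_wan = "WAN2"
            self.events.append(
                f"{self.target_ip} unreachable {self.failures} times in a row; "
                f"backup path WAN2 activated")
        return self.active_wan

    def worst_case_failover_sec(self) -> float:
        """Upper bound on the time from the first lost probe to failover.

        Retry + 1 probes must fail back to back; each is sent Interval
        seconds after the previous one and waits up to Timeout ms.
        """
        probes = self.retry + 1
        return probes * (self.interval_sec + self.timeout_ms / 1000)


def run_probes(check: PingCheck, results) -> str:
    """Feed a sequence of probe outcomes and return the final active WAN."""
    for reachable in results:
        check.observe(reachable)
    return check.active_wan


if __name__ == "__main__":
    # Constructed probe history: the link drops, answers once, then stays down.
    chk = PingCheck(target_ip="203.0.113.1")   # constructed ISP-side address
    print(run_probes(chk, [True, False, False, True, False, False, False, False]))
    print(chk.events)
    print(chk.worst_case_failover_sec(), "seconds worst case with the defaults")
```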
46. to an end station or a subset of end stations on a LAN or VLAN that belong to the multicast group. Multicast group members can be distributed across multiple subnets, so that multicast transmissions can occur within a campus LAN or over a WAN. In addition, networks that support IP multicast send only one copy of the desired information across the network until the delivery path that reaches group members diverges. To make more efficient use of network bandwidth, it is only at these points that multicast packets are duplicated and forwarded. A multicast packet has a multicast group address in the destination address field of the packet's IP header.
Benefits of Multicast: The benefits of using IP multicast are:
• It uses the most efficient, sensible method to deliver the same information to many receivers with only one transmission.
• It reduces the load on the source (for example, a server), since it will not need to produce several copies of the same data.
• It makes efficient use of network bandwidth and scales well as the number of multicast group members increases.
• It works with other IP protocols and services, such as Quality of Service (QoS).
EDR-810 Series Features and Functions. Multicast transmission makes more sense and is more efficient than unicast transmission for some applications. For example, multicasts are often used for video conferencing, since high volumes of traffic must be sent to
47. 00.2.1 gateway. Startup mode: Start in Initial. Local Network: 100.100.1.0 / 100.100.3.0. Remote Network: 100.100.3.0 / 100.100.1.0.
L2TP for Remote User Maintenance: The following example shows how a Roaming user uses L2TP over IPSec to connect to the remote site network. [Figure: a Roaming user with no fixed IP on the Internet establishes a VPN Secure Tunnel to an EDR-G903 in front of the Remote site Network 100.100.3.0/24, with an Ethernet switch behind the router.]
Virtual Private Network (VPN). VPN Plan:
• All communication from the Roaming user (no fixed IP) to the Remote site Network (100.100.3.0/24) needs to pass through the VPN tunnel.
• Communication goes through the Internet.
• The configuration of the WAN/LAN interface for the Industrial Secure Router is shown in the following table.
Configuration | Industrial Secure Router 1 (EDR-G903)
Interface Setting | WAN IP 100.100.2.1; LAN IP 100.100.3.1
Based on the requirement and VPN plan, the recommended configuration for L2TP over IPSec is shown in the following table.
Configuration | Industrial Secure Router 1
L2TP Server Setting |
Tunnel Setting | Site to Site: Any; Local Network: 100.100.3.1/24 (same as the LAN interface); Startup mode: Wait for Connection
Key Exchange | Pre-Shared Key: 12345
Data Exchange | Encryption Algorithm: 3DES; Hash Algorithm: SHA1
10 Diagnosis: The Industrial Secure Router provides Ping tools and LLDP for administrators to
48. 20.1. The necessary configuration settings are shown in the following figure. [Figure: PPTP client with WAN IP 61.32.10.10, PPTP IP 20.20.20.2/32, and LAN 10.10.10.10/24; PPTP server with WAN IP 72.51.30.30, PPTP IP 20.20.20.1/32, and LAN 30.30.30.10/24. Static Route: Destination Address 10.10.10.0 / 255.255.255.0, Next Hop 20.20.20.2 (Note: if the OS is Linux, the Next Hop is 20.20.20.1). Static Route: Destination Address 30.30.30.0 / 255.255.255.0, Next Hop 20.20.20.1.]
DNS (Domain Name Server; optional setting for the Dynamic IP and PPPoE types). Server 1/2/3: IP Address. The DNS IP address. Factory Default: None. NOTE: The priority of a manually configured DNS will be higher than the DNS from the PPPoE or DHCP server.
Detailed Explanation of Static IP Type: [Screenshot: WAN1 Configuration: Connection (Connect: Enable; Connect Type: Static IP); Address Information (IP Address 0.0.0.0, Gateway 0.0.0.0, Subnet Mask 0.0.0.0); PPTP Dialup (PPTP Connection Enable, IP Address, User Name, Password); DNS (optional for the dynamic IP or PPPoE type): Server 1 192.168.2.1, Server 2 0.0.0.0, Server 3 0.0.0.0.]
Address Information. IP Address: IP Address. The interface IP address. Factory Default: None. Subnet Mask: IP Address. The subnet mask. Factory Default: None.
EDR-G902/G903 Series Features and Functions. Gateway IP
Port Trunking

The Port Trunking Settings page is where ports are assigned to a trunk group.

[Screenshot: Port Trunking - Trunk Group Trk1. Member Ports table and Available Ports table, each with columns Port, Enable, Description, Name, Speed, FX Flow Ctrl. Available ports: 3, 4, 5, 6, 7, 8 (Enable, 100TX,RJ45, Auto, Disable); G1, G2 (Enable, 1000FX,miniGBIC, 1G-Full, Disable)]

Step 1: Select the desired Trunk Group.
Step 2: Select the desired Member Ports or Available Ports.
Step 3: Use Up and Down to modify the Group Members.

Trunk Group (maximum of 4 trunk groups): Trk1, Trk2, Trk3, Trk4 - Specifies the current trunk group. Depending on switching chip capability, some Moxa switches only support 3 trunk groups.

Trunking Status

The Trunking Status table shows the Trunk Group configuration status.

[Screenshot: Trunking Status - Trk1: port 1 SUCCESS, port 2 SUCCESS, port 3 Fail; Trk2: port 5 Fail]

Port Mirror

The Port Mirror function can be used to monitor data being transmitted through a specific port. This is done by setting up another po
...8 for Data Bits, None for Parity, and 1 for Stop Bits.

[Screenshot: Communication Parameter - Terminal, File Transfer, Capturing tabs; COM Options: Ports, Baud Rate, Data Bits; Output State: DTR ON/OFF, RTS ON/OFF; flow control: RTS/CTS, XON/XOFF]

4. Click the Terminal tab, select VT100 for Terminal Type, and then click OK to continue.
5. The Console login screen will appear. Use the keyboard to enter the login account (admin or user), and then press Enter to jump to the Password field. Enter the console Password (the same as the Web Browser password; leave the Password field blank if a console password has not been set), and then press Enter.

[Screenshot: EDR-G903 login: admin / Password: / EDR-G903#]

NOTE: The default password for the EDR series with firmware v3.0 and later is moxa. For previous firmware versions the default password is blank. For greater security, please change the default password after the first log in.

6. Enter a question mark (?) to display the command list in the console. The list includes: exit (Exit); Halt and Perform a Cold Restart; Configure Terminal Page Length; Import or Export File; Save Running Configuration to Flash; ping (Send Echo Messages); clear (Clear Information); show (Show System Information); configure (Enter Configuration Mode).

The following table lists commands that can be used when the Industrial Secure Router is in console (serial or T
[Screenshot: VRRP Interface Table with columns Enable, Interface, IP Address, Virtual IP, Virtual Router ID, Priority, Preemption Mode, Track Interface. Example rows: WAN, 192.168.3.5, virtual IP 192.168.3.250, ID 1, priority 100, preemption Enable; LAN, virtual IP 192.168.127.250]

Virtual Router Redundancy Protocol (VRRP) can solve the problem with static configuration. VRRP enables a group of routers to form a single virtual router with a virtual IP address. The LAN clients can then be configured with the virtual router's virtual IP address as their default gateway. The virtual router is the combination of a group of routers and is also known as a VRRP group.

Enable (VRRP Interface Setting Entry): Enables the VRRP entry. Factory default: Disabled.
Virtual IP: L3 switches/routers in the same VRRP group must be set to the same virtual IP address (just as they share the same Virtual Router ID). This virtual IP address must belong to the same address range as the real IP address of the interface. Factory default: 0.0.0.0.
Virtual Router ID: Used to assign a VRRP group. The L3 switches/routers that operate as master/backup should have the same ID. Moxa L3 switches/routers support one virtual router ID for each interface. IDs can range from 1 to 255.
Priority: Determines the priority in a VRRP group. The priority value range is 1 to 255, and 255 is the highest priority. If several L3 switches/routers have the same priority, the router with the higher IP address has the higher priority. Factory default: 100. The usable range is 1
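The election rules above (highest priority wins, equal priorities go to the higher interface IP, preemption decides whether a better-ranked router displaces the current master) are easy to get wrong when two units are configured by hand. The following is an added example, not code from the Moxa manual, that validates entries against the constraints stated on this page and works out which router ends up holding the virtual IP. Router names and addresses are constructed test data.

```python
# Added example, not code from the Moxa manual: validate VRRP interface entries
# against the rules on this page and work out which router becomes master.
# All router names and addresses below are constructed test data.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass
class VrrpEntry:
    name: str             # label used only in messages
    interface_ip: str     # real IP address of the interface
    virtual_ip: str       # virtual IP the LAN clients use as their default gateway
    vrid: int             # Virtual Router ID, 1-255, shared by the whole group
    priority: int = 100   # 1-255, 255 is the highest; 100 is the factory default
    preempt: bool = True  # Preemption Mode
    enabled: bool = True


def validate_entry(e, subnet):
    """Return the configuration problems of a single VRRP entry."""
    problems = []
    if not 1 <= e.vrid <= 255:
        problems.append(f"{e.name}: Virtual Router ID {e.vrid} is outside 1-255")
    if not 1 <= e.priority <= 255:
        problems.append(f"{e.name}: priority {e.priority} is outside 1-255")
    if e.virtual_ip == "0.0.0.0":
        problems.append(f"{e.name}: virtual IP left at the factory default 0.0.0.0")
    else:
        net = IPv4Network(subnet)
        if IPv4Address(e.virtual_ip) not in net:
            problems.append(f"{e.name}: virtual IP {e.virtual_ip} is outside {net}")
        if IPv4Address(e.interface_ip) not in net:
            problems.append(f"{e.name}: interface IP {e.interface_ip} is outside {net}")
    return problems


def validate_group(entries, subnet):
    """Group-level rules: one Virtual Router ID and one virtual IP per group."""
    problems = [p for e in entries for p in validate_entry(e, subnet)]
    if len({e.vrid for e in entries}) > 1:
        problems.append("routers in one VRRP group must share the same Virtual Router ID")
    if len({e.virtual_ip for e in entries}) > 1:
        problems.append("routers in one VRRP group must share the same virtual IP")
    return problems


def elect_master(entries, current_master=None):
    """Highest priority wins; equal priorities go to the higher interface IP.
    A better-ranked router displaces a still-running master only if its own
    Preemption Mode is enabled; a failed (disabled) master is always replaced."""
    live = [e for e in entries if e.enabled]
    if not live:
        return None
    best = max(live, key=lambda e: (e.priority, int(IPv4Address(e.interface_ip))))
    master_alive = current_master is not None and any(e is current_master for e in live)
    if master_alive and best is not current_master and not best.preempt:
        return current_master
    return best
```

Run validate_group on both routers' entries before enabling VRRP: a mismatched Virtual Router ID or a virtual IP outside the interface range yields two independent masters rather than one redundant gateway.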
Certificate Generation

[Screenshot: Certificate Request - Country Name (2-letter code); State or Province Name; Locality Name; Organization Name: Moxa; Organizational Unit Name: Moxa; Common Name: Moxa; Email Address: support@moxa.com; Certificate days: 400; Activate]

NOTE: The user must fill in the following information to generate the Root certification: Country Name (2-letter code), Certificate Days, State or Province Name, Locality Name, Organization Name, Organizational Unit Name, Common Name, Email Address. After keying in all of the information, press Activate to generate the Root Certification. The default setting for Certificate Days is 0, which means that the certification will not be terminated unless modified by the user.

Certificate Setting

[Screenshot: Certificate - Generate Certificate Request (Certificate Name; Country Name, 2-letter code; State or Province Name; Locality Name; Organization Name; Organizational Unit Name; Common Name; Email Address; Certificate days; Apply). Root CA Export. Certificate Setting. PKCS#12 Export Certification (Password; Export). Certificate List (0/10)]

After Root Certifica
...Connections tab, click LAN Settings. Select Automatically detect settings and then click OK.

If the new configuration does not block the connection from the remote user to the EtherDevice Router, the user will see the SettingCheck Confirmed page shown in the following figure. Click Confirm to save the configuration updates.

[Figure: Press Confirm button to save the change. Confirm]

System File Update by Remote TFTP

The EtherDevice Router supports saving your configuration file to a remote TFTP server or local host, to allow other EtherDevice Router units to use the same configuration at a later time, or saving the Log file for future reference. Loading pre-saved firmware or a configuration file from the TFTP server or local host is also supported, to make it easier to upgrade or configure the EtherDevice Router. Note that TFTP itself carries no authentication or encryption, so the TFTP server should be reachable only from the management network.

[Screenshot: Upgrade Software or Configuration - TFTP Server IP/Name; Configuration File Path and Name; Firmware File Path and Name; Log File Path and Name]

TFTP Server IP/Name: IP Address of TFTP Server - The IP or name of the remote TFTP server. Must be configured before downloading or uploading files. Factory default: None.
Configuration File Path and Name (max 40 characters): The path and filename of the EtherDevice Router's configuration file in the TFTP server. Factory default: None.
Firmware File Path and Name (max 40 characters): Th
...G900 series supports WAN-to-LAN NAT only. The EDR-810 series supports both WAN-to-LAN and LAN-to-LAN NAT.

[Figure: two production lines, each using 192.168.100.1 and 192.168.100.2 inside the cell; line 1 is reached from the plant network as 10.10.1.1 / 10.10.1.2, line 2 as 10.10.2.1 / 10.10.2.2]

1-to-1 NAT Setting for EDR-G903 in Production Line 1 (NAT List 2/64): source IP 192.168.100.1, destination IP 10.10.1.1; source IP 192.168.100.2, destination IP 10.10.1.2.
1-to-1 NAT Setting for EDR-G903 in Production Line 2 (NAT List 2/64): source IP 192.168.100.1, destination IP 10.10.2.1; source IP 192.168.100.2, destination IP 10.10.2.2.

[Screenshot: Enable; NAT Mode 1-1; Interface WAN1; LAN/DMZ IP; WAN IP]

Enable: Enable / Disable - Enable or disable the selected NAT policy.
NAT Mode: N-1, 1-1, Port Forward - Select the NAT type. Factory default: None.
Interface (1-1 NAT type): Select the WAN1/WAN2 interface for the NAT routing policy, or select Auto to choose the routing policy automatically. Factory default: WAN1. Note: in the EDR-810 series the Auto interface routing policy is configured by default by selecting the WAN interface.
LAN/DMZ IP (1-1 NAT type): Select the internal IP address in the LAN/DMZ network area. Factory default: None.
WAN IP (1-1 NAT type): Select the external IP address in the WAN network area. Factory default: None.

Bidirectio
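The point of the production-line figure is that every cell can keep the identical private address plan (192.168.100.0/24) while each cell's devices get their own plant-network addresses, and that hosts without a 1-to-1 entry stay unreachable from the WAN side. The following model of one router's NAT list is an added example, not code from the Moxa manual; the rule values copy the figure, the packets are constructed, and the 64-entry limit is the one the NAT List counter on this page shows.

```python
# Added example, not code from the Moxa manual: a model of the 1-to-1 NAT list
# above, used to check that the two production lines' identical private
# addresses map to distinct plant-network addresses and that unlisted hosts
# stay unreachable. Rule addresses copy the figure; packets are constructed.
from dataclasses import dataclass

MAX_NAT_RULES = 64  # the NAT List on this page shows "2/64" entries


@dataclass(frozen=True)
class NatRule:
    mode: str           # "1-1", "N-1" or "Port Forward"
    interface: str      # "WAN1", "WAN2" or "Auto"
    lan_ip: str         # internal address in the LAN/DMZ area
    wan_ip: str         # external address in the WAN area
    enabled: bool = True


class OneToOneNat:
    """Translation tables built from one router's enabled 1-1 rules."""

    def __init__(self, rules):
        if len(rules) > MAX_NAT_RULES:
            raise ValueError(f"NAT list holds at most {MAX_NAT_RULES} rules")
        self.outbound = {}   # lan_ip -> wan_ip
        self.inbound = {}    # wan_ip -> lan_ip
        self.conflicts = []  # rules skipped because an address was already mapped
        for r in rules:
            if not r.enabled or r.mode != "1-1":
                continue
            if r.lan_ip in self.outbound or r.wan_ip in self.inbound:
                self.conflicts.append(r)
                continue
            self.outbound[r.lan_ip] = r.wan_ip
            self.inbound[r.wan_ip] = r.lan_ip

    def lan_to_wan(self, src, dst):
        """Rewrite the source of a packet leaving the cell; None means no 1-1
        rule covers this host, so it has no plant-network identity."""
        public = self.outbound.get(src)
        return None if public is None else (public, dst)

    def wan_to_lan(self, src, dst):
        """Rewrite the destination of a packet arriving from the plant network;
        None means nothing inside the cell answers to that WAN address."""
        private = self.inbound.get(dst)
        return None if private is None else (src, private)
```

Because each EDR-G903 keeps its own list, the same private address is allowed on both lines; a duplicate within one list is reported in conflicts rather than silently overwriting an earlier mapping.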
Industrial Secure Router User's Manual
Third Edition, January 2015
www.moxa.com/product

2015 Moxa Inc. All rights reserved. Reproduction without permission is prohibited.

The software described in this manual is furnished under a license agreement and may be used only in accordance with the terms of that agreement.

Copyright Notice
Copyright 2015 Moxa Inc. All rights reserved. Reproduction without permission is prohibited.

Trademarks
The MOXA logo is a registered trademark of Moxa Inc. All other trademarks or registered marks in this manual belong to their respective manufacturers.

Disclaimer
Information in this document is subject to change without notice and does not represent a commitment on the part of Moxa. Moxa provides this document as is, without warranty of any kind, either expressed or implied, including, but not limited to, its particular purpose. Moxa reserves the right to make improvements and/or changes to this manual, or to the products and/or the programs described in this manual, at any time. Information provided in this manual is intended to be accurate and reliable. However, Moxa assumes no responsibility for its use, or for any infringements on the rights of third parties that may result from its use. This product might include unintentional technical or typographical errors. Changes are periodically made to the information herein to corre
...LAN settings under Layer 2 Functions, you should click on the Bridge Group checkbox to add the port into the Bridge Group Interface, and then click Apply. The system will automatically generate the VLAN for each port, starting from 4040. This action will take about 60 to 90 seconds to complete; do not take any other actions in the web console during the configuration stage.

Modify and Activate the Bridge Group Interface

[Screenshot: Bridge Interface Configuration - Name BRG_LAN; Enable checked; IP Address 192.168.126.254; Subnet Mask 255.255.255.0. List entry: BRG_LAN, 192.168.126.254, 255.255.255.0]

To enable the interface, checkmark the Enable checkbox. You can modify the interface name, IP address, and Subnet Mask of the Bridge Group Interface. To activate the setting, click Modify and then Apply.

Network Service

DHCP Settings

Global Settings

[Screenshot: DHCP Server Mode - Disable / Dynamic/Static IP Assignment / Port-based IP Assignment]

DHCP Server Mode: Disable, Dynamic/Static IP Assignment, Port-based IP Assignment - Select the DHCP Server Mode. Factory default: Disabled.

DHCP Server

The Industrial Secure Router provides a DHCP (Dynamic Host Configuration Protocol) server function for LAN interfaces. When configured, the Industrial Secure Router will automatically assign an IP
...Limiting

In general, one host should not be allowed to occupy unlimited bandwidth, particularly when the device malfunctions. For example, so-called broadcast storms could be caused by an incorrectly configured topology or a malfunctioning device. Moxa industrial secure routers not only prevent broadcast storms, but can also be configured to a different ingress rate for all packets, giving administrators full control of their limited bandwidth to prevent undesirable effects caused by unpredictable faults.

[Screenshot: Rate Limiting table, one row per port, with columns Ingress Policy, Ingress Rate, Egress Policy, Egress Rate. Ports 1 to 8: Not Limited, 100 Mbit/s ingress and 100 Mbit/s egress; G1 and G2: Not Limited, 1000 Mbit/s ingress and 1000 Mbit/s egress]

Ingress Policy: Limit All / Limit Broadcast / Limit Broadcast, Multicast / Limit Broadcast, Multicast, Flooded Unicast - Select the ingress rate limit for different packet types. Factory default: Limit Broadcast.
Ingress/Egress Rate: Ing
MAC Address: This field shows the MAC address.
Type: This field shows the type of this MAC address.
Port: This field shows the port that this MAC address belongs to.

Interface

WAN

[Screenshot: WAN Configuration - VLAN ID; Connection: Connect Mode Disable/Enable, Connect Type Dynamic IP]

VLAN ID: The Moxa Industrial Secure Router's WAN interface is configured by VLAN group. The ports with the same VLAN can be configured as one WAN interface.

Connection: Note that there are three different connection types for the WAN interface: Dynamic IP, Static IP, and PPPoE. A detailed explanation of the configuration settings for each type is given below.

Connection Mode: Enable or Disable - Enable or disable the WAN interface.
Connection Type: Static IP / Dynamic IP / PPPoE - Set up the connection type. Factory default: Dynamic IP.

Detailed Explanation of Dynamic IP Type

[Screenshot: WAN Configuration - VLAN ID; Connection: Connect Mode Disable/Enable, Connect Type Dynamic IP. PPTP Dialup: PPTP Connection Enable; IP Address; User Name; Password; MPPE Encryption None/Encrypt. DNS (optional for Dynamic IP or PPPoE type): Server 1, Server 2, Server 3, each 0.0.0.0]

PPTP Dialup: Point-to-Point Tunneling Protocol is used for Virtual Private Networks (VPN). Remote users can use PPTP to connect to private networks from public networks.

PPTP Connection: Factory Default En
[Screenshot: Authentication Mode Pre-Shared Key, 12345; Encryption Algorithm 3DES; Hash Algorithm SHA1; DH Group DH2 (modp1024); Negotiation Times 0 (0 = forever); IKE Life Time; Rekey Expire Time (min); Rekey Fuzz Percent]

IKE Mode
Main: In Main IKE Mode, both the Remote and Local VPN gateways negotiate which Encryption/Hash algorithm and DH group can be used in this VPN tunnel; both VPN gateways must use the same algorithm to communicate.
Aggressive: In Aggressive Mode, the Remote and Local VPN gateways do not negotiate the algorithm; they use the user's configuration only.
Factory default: Main.

Authentication Mode: Pre-Shared Key / X.509 - The authentication mode of the IPSec VPN. Factory default: Pre-Shared Key.
In Pre-Shared Key Mode, the user needs to key in the same Pre-Shared Key in the IPSec setting of both the Local and the Remote secure router.

[Screenshot: Authentication Mode Pre-Shared Key]

In X.509 Mode, the user needs to upload the Local and Remote certifications first, and then select the certifications from the drop-down list. See the X.509 Certification section in this chapter for details.

[Screenshot: Authentication Mode X.509; Local Moxa_Cert_A.p12; Remote Moxa_Cert_B.cer]

Encryption Algorithm: DES / 3DES / AES-128 / AES-192 / AES-256 - Encryption algorithm in key exchange.
Hash Algorithm: Any / MD5 / SHA1 / SHA256 - Hash algorithm in key exchange.
DH Group: DH1 (modp768), ... Diffie-Hel
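The screenshot values (Pre-Shared Key 12345, 3DES, SHA1, DH2) and the L2TP example earlier in this chapter are illustrations, not a recommended profile. The following audit is an added example, not code from the Moxa manual: it flags the legacy choices in the drop-downs above and checks the page's Main-mode requirement that both gateways use the same algorithm set. The minimum PSK length and the DH14 value used in the tests are the editor's assumptions, not options taken from the device.

```python
# Added example, not code from the Moxa manual: audit the IKE key-exchange
# choices offered on this page and check that two peers' settings match.
from dataclasses import dataclass

# Judgements below are the editor's, not the manual's: single DES and 3DES,
# MD5 and SHA1 for IKE, and DH groups below 2048-bit modp are legacy choices.
LEGACY_ENCRYPTION = {"DES", "3DES"}
LEGACY_HASH = {"MD5", "SHA1"}
LEGACY_DH = {"DH1", "DH2"}      # modp768 and modp1024 from the drop-down
MIN_PSK_LENGTH = 16             # assumed site policy, not a device limit


@dataclass
class IkeSettings:
    ike_mode: str                 # "Main" or "Aggressive"
    auth_mode: str                # "Pre-Shared Key" or "X.509"
    pre_shared_key: str = ""
    encryption: str = "3DES"      # DES, 3DES, AES-128, AES-192, AES-256
    hash_alg: str = "SHA1"        # MD5, SHA1, SHA256
    dh_group: str = "DH2"         # DH1, DH2, ... (further groups cut off on the page)


def audit_ike(s):
    """Return the findings for one gateway's IKE configuration."""
    findings = []
    if s.encryption.upper() in LEGACY_ENCRYPTION:
        findings.append(f"encryption {s.encryption}: legacy cipher, use AES")
    if s.hash_alg.upper() in LEGACY_HASH:
        findings.append(f"hash {s.hash_alg}: legacy hash, use SHA256")
    if s.dh_group.upper() in LEGACY_DH:
        findings.append(f"{s.dh_group}: modulus below 2048 bits")
    if s.auth_mode == "Pre-Shared Key":
        if s.ike_mode == "Aggressive":
            findings.append("Aggressive mode with a pre-shared key sends the identity "
                            "hash in the clear, exposing the key to offline guessing; "
                            "use Main mode or X.509")
        if len(s.pre_shared_key) < MIN_PSK_LENGTH or s.pre_shared_key.isdigit():
            findings.append("pre-shared key is short or purely numeric")
    return findings


def peer_mismatches(local, remote):
    """Main mode negotiates, but this manual requires both gateways to use the
    same algorithm set; report every field that differs between the two."""
    fields = ("ike_mode", "auth_mode", "encryption", "hash_alg", "dh_group")
    diff = [f for f in fields if getattr(local, f).upper() != getattr(remote, f).upper()]
    if local.auth_mode == "Pre-Shared Key" and local.pre_shared_key != remote.pre_shared_key:
        diff.append("pre_shared_key")
    return diff
```

Run audit_ike on each side and peer_mismatches across the pair before bringing the tunnel up; a mismatch in any listed field is what a silent "wait for connection" status usually means.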
[Screenshot: Community Name 1 / Access Control 1: Read Write; Community Name 2 / Access Control 2: Read Write; Trap Community; Trap Mode: Trap V1; Trap Targets: Target IP Address 1, Target IP Address 2, Target IP Address 3]

SNMP Versions: Disable / V1, V2c, V3 / V1, V2c / V3 only - Select the SNMP protocol version used to manage the secure router. Factory default: Disable. V1 and V2c carry the community string in clear text; V3 with authentication and data encryption is the version to use where the management network is not trusted.
Auth Type: MD5 - Provides authentication based on the HMAC-MD5 algorithm; 8-character passwords are the minimum requirement for authentication. SHA - Provides authentication based on the HMAC-SHA algorithm; 8-character passwords are the minimum requirement for authentication. Factory default: MD5.
Data Encryption: Enable / Disable - Enable or disable the data encryption. Factory default: Disable.
Data Encryption Key (max 30 characters): An 8-character data encryption key is the minimum requirement for data encryption. Factory default: None.
Community Name (max 30 characters): Use a community string match for authentication.
Access Control: Read Write / Read only / No Access (the screenshot also shows Public MIB) - Access control type after matching the community string. Factory default: Read Write.
Target IP Address: IP Address - Enter the IP address of the Trap Server used by your network. Factory default: 0.0.0.0.

Dynamic DNS

Dynamic DNS (Domain Name Server) allows y
Policy Concept ... 8-2
Policy Overview ... 8-2
Policy Configuration ... 8-2
Layer 2 Policy Setup (Only in Bridge Mode for EDR-G902/G903) ... 8-4
Quick Automation Profile ... 8-6
(heading illegible) ... 8-8
(heading illegible) ... 8-10
Denial of Service (DoS) Defense ... 8-14
Firewall Event Log ... 8-15
9. Virtual Private Network (VPN) ... 9-1
Overview ... 9-2
IPSec Configuration ... 9-2
Global Settings ... 9-3
IPSec Settings ... 9-3
IPSec Status ... 9-8
X.509 Certificate ... 9-8
L2TP Server (Layer 2 Tunnel Protocol) ... 9-11
L2TP Configuration ...
(heading illegible) ... 4-23
Event Log ... 4-23
Syslog ... 4-24
5. Routing ... 5-1
Unicast Routing ... 5-2
Static Routing ... 5-2
RIP (Routing Information Protocol) ... 5-3
(heading illegible) ... 5-4
6. Network Redundancy ... 6-1
Layer 2 Redundant Protocols (EDR-810 Series Only) ... 6-2
Configuring STP/RSTP ... 6-2
Configuring Turbo Ring V2 ... 6-4
Layer 3 Redundant Protocols ... 6-6
VRRP Settings ... 6-6
7. Network Address Translation ... 7-1
Network Address Translation (NAT) ... 7-2
NAT Concept ... 7-2
1-to-1 NAT ... 7-2
Bidirectional 1-to-1 NAT ... 7-4
N-to-1 NAT ... 7-4
Port Forward ... 7-6
8. Firewall ... 8-1
...VPN Connection type and VPN network plan
- Key Exchange: Authentication for the 2 VPN gateways
- Data Exchange: Data encryption between VPN gateways
- Dead Peer Detection: The mechanism for VPN Tunnel maintenance

Global Settings

[Screenshot: IPSec Global Setting - All IPSec Connection: Enable; IPSec NAT-T: Enable; VPN Event Log: Enable, Flash / Syslog / SNMP Trap]

NOTE: The Industrial Secure Router provides 3 Global Settings for VPN applications.
All IPSec Connection: Users can Enable or Disable all VPN services with this configuration. The factory default setting is Disable, so when the user wants to use the VPN function, make sure the setting is enabled.
IPSec NAT-T: If there is an external NAT device between VPN tunnels, the user must enable the NAT-T (NAT Traversal) function.
VPN Event Log: To enable the VPN event log function, select the Enable option in Log Enable and click Flash, Syslog, or SNMP Trap. You may also define the severity and record it in the event log.

IPSec Settings

IPSec Quick Setting

NOTE: The Industrial Secure Router's Quick Setting mode can be used to easily set up a site-to-site VPN tunnel for two Industrial Secure Router units.

[Screenshot: Setting: Quick Setting - For EDR-G903 connects to EDR-G903]

When choosing the Quick Setting mode, the user just needs to configure the following:
- Tunnel Setting
- Security Setting > Encrypti
[Screenshot: WAN Routing Quick Setting - Select WAN Port, LAN IP Configuration, WAN Configuration, Service Enable; Connect Type: Dynamic IP; PPTP Dialup: PPTP Connection Enable, IP Address, User Name, Password]

Connect Type
Dynamic IP: Get the WAN IP address from a DHCP server, or via a PPTP dialup.
Static IP: Set a specific static WAN IP address, or create a PPTP connection with a static IP address.
PPPoE: Dial up with a PPPoE user name, password, and host name.

[Screenshot, Dynamic IP: PPTP Dialup - PPTP Connection Enable, IP Address, User Name, Password]
[Screenshot, Static IP: Address Information - IP Address, Gateway, Subnet Mask; PPTP Dialup - PPTP, User Name, Password]
[Screenshot, PPPoE: PPPoE Dialup - User Name, Password, Host Name]

Step 4: Enable services. Check Enable DHCP Server to enable the DHCP server for LAN devices. The default IP address range will be set automatically; to modify the IP range, go to the DHCP Server page. N-1 NAT will also be enabled by default.

[Screenshot: WAN Routing Quick Setting - Select WAN Port, LAN IP Configuration, WAN Configuratio
[Screenshot: web console Overview page - www.moxa.com; Model EDR-G903; Serial No. 1; Firmware V1.0 build 10031916; WAN1 MAC 00:90:e8:00:90:0b; WAN2 MAC 00:90:e8:00:90:0a; LAN MAC 00:90:e8:00:90:09; WAN1 IP 192.168.27.41; WAN2 IP 0.0.0.0; LAN IP 192.168.127.254. Main Menu: Overview, Basic Setting, Interface, PPPoE, Routing, NAT, Firewall Policy, SNMP, Traffic Prioritization, Auto Warning, Diagnosis, Monitor, System Log, Network Communication Redundancy. Interface Status: Port 1 (WAN1) Connect; Port 2 (Opt, WAN2) Disconnect; Port 3 (LAN) Connect. Recent 10 Event Log entries: LAN link on/off and "admin auth ok", all timestamped 2000/1/1. Current Status: WAN2 Backup Function Disable, DDNS Disable, DoS Disable, Check Alive Disable, QoS Disable. Best viewed with IE 5 and above at 1024 x 768 resolution.]

3. EDR-810 Series Features and Functions

In this chapter we explain how to access the Industrial Secure Router's configuration options, perform monitoring, and use administration functions. There are three ways to access these functions: (1) RS-232 console, (2) Telnet console, and (3) web browser. The web browser is the most user-friendly way to configure the Indus
...able; VLAN ID 1; IP Address 192.168.127.254; Subnet Mask 255.255.255.0. VLAN Interface List (2/16), columns VLAN ID, IP Address, Subnet Mask; example entry Modbus, VLAN ID 3, 10.0.0.254, 255.255.255.0]

Create a VLAN Interface: Input a name for the LAN interface, select a VLAN ID that is already configured in VLAN Setting under the Layer 2 Function, and assign an IP address/Subnet Mask for the interface. Checkmark the Enable checkbox to enable this interface.
Delete a LAN Interface: Select the item in the LAN Interface List and then click Delete to delete the item.
Modify a LAN Interface: Select the item in the LAN Interface List, modify the attributes, and then click Modify to change the configuration.
Activate the LAN Interface List: After adding, deleting, or modifying any LAN interface, be sure to click Activate.

You can create up to 16 LAN interfaces by configuring each port with unique VLAN ID numbers.

Bridge Group Interface

[Screenshot: Bridge Interface Configuration - Name BRG_LAN; Enable; IP Address 192.168.126.254; Subnet Mask 255.255.255.0; Modify; Apply. List entry: BRG_LAN, 192.168.126.254, 255.255.255.0]

Adding Ports into the Bridge Interface

[Screenshot: 802.1Q VLAN Settings - Quick Setting Panel; VLAN ID Configuration Table; Management VLAN ID; columns PVID, Tagged VLAN, Untagged VLAN]

In previous V
...Enable or Disable - Enable or disable the PPTP connection. Factory default: None.
IP Address: IP Address - The PPTP service IP address. Factory default: None.
User Name (max 30 characters): The login username when dialing up to the PPTP service. Factory default: None.
Password (max 30 characters): The password for dialing the PPTP service. Factory default: None.
MPPE Encryption: None / Encrypt - Enable or disable the MPPE encryption. Factory default: None. With MPPE set to None the PPTP tunnel carries the user's traffic in clear text.

Example

Suppose a remote user (IP 10.10.10.10) wants to connect to the internal server (private IP 30.30.30.10) via the PPTP protocol. The IP address of the PPTP server is 20.20.20.1. The necessary configuration settings are shown in the following figure.

[Figure: PPTP client - WAN IP 61.32.10.10, PPTP IP 20.20.20.2/32, LAN 10.10.10.10/24. PPTP server - WAN IP 72.51.30.30, PPTP IP 20.20.20.1/32, LAN 30.30.30.10/24]

Static Route on the client side: Destination Address 30.30.30.0 / 255.255.255.0, Next Hop 20.20.20.1.
Static Route on the server side: Destination Address 10.10.10.0 / 255.255.255.0, Next Hop 20.20.20.2. Note: If the OS is Linux, the Next Hop is 20.20.20.1.

DNS (Domain Name Server; optional setting for Dynamic IP and PPPoE types)
Server 1/2/3: IP Address - The DNS IP address. Factory default: None.
NOTE: The priority of a manually configured DNS will be higher than the DNS from the PPPoE or DHCP server.
...establish your routing table. A routing entry includes the following items: the destination address; the next hop address, which is the next router along the path to the destination address; and a metric that represents the cost we have to pay to access a different network.

Static Route: You can define the routes yourself by specifying the next hop (router) to which the Industrial Secure Router forwards data for a specific subnet. The settings of the Static Route will be added to the routing table and stored in the Industrial Secure Router.

RIP (Routing Information Protocol): RIP is a distance-vector based routing protocol that can be used to automatically build up a routing table in the Industrial Secure Router. The Industrial Secure Router can efficiently update and maintain the routing table, and optimize the routing by identifying the smallest metric and the most matched mask prefix.

Static Routing

The Static Routing page is used to configure the Industrial Secure Router's static routing table.

[Screenshot: Static Routing - Enable checked; Name ISP-1; Destination Address 100.10.10.1; Netmask 255.255.255.0; Next Hop 100.10.10.254; Metric 10. Static Routing list (1/512), columns Destination Address, Netmask, Next Hop; entry ISP-1, 100.10.10.1, 255.255.255.0, 100.10.10.254]

Enable: Click the checkbox to enable Static Routing.
Name: The name of this Static Route entry.
Destination Address: You can specify the destination IP address.
Netmask: This
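"Smallest metric and most matched mask prefix" is the whole lookup rule, and it decides which next hop a packet really takes when static entries overlap. The following routing table is an added example, not code from the Moxa manual: it stores entries shaped like the Static Routing page (destination, dotted netmask, next hop, metric, enable flag) and performs the longest-prefix, lowest-metric lookup. The ISP-1 entry copies the screenshot; the other routes are constructed.

```python
# Added example, not code from the Moxa manual: a static routing table built
# from entries shaped like the Static Routing page, with the longest-prefix,
# lowest-metric lookup a router performs. Only ISP-1 copies the screenshot;
# the remaining routes used in the tests are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class StaticRoute:
    name: str
    destination: str   # Destination Address, e.g. "100.10.10.0"
    netmask: str       # dotted netmask, e.g. "255.255.255.0"
    next_hop: str      # next router along the path
    metric: int = 1    # cost; lower is preferred among equal prefixes
    enabled: bool = True


def build_table(routes):
    """Turn enabled entries into (network, route) pairs. Host bits in the
    destination (100.10.10.1 with a /24 mask) are masked off, as the device
    does when it stores the entry."""
    table = []
    for r in routes:
        if not r.enabled:
            continue
        net = ip_network(f"{r.destination}/{r.netmask}", strict=False)
        table.append((net, r))
    return table


def lookup(table, dst):
    """Return the route used for dst: the most specific matching prefix,
    ties broken by the lowest metric; None if nothing matches."""
    addr = ip_address(dst)
    matches = [(net, r) for net, r in table if addr in net]
    if not matches:
        return None
    _, route = max(matches, key=lambda m: (m[0].prefixlen, -m[1].metric))
    return route


def next_hop_for(table, dst):
    route = lookup(table, dst)
    return None if route is None else route.next_hop
```

A disabled entry drops out of the table entirely, so a disabled /16 does not shadow an enabled default route; that is the case worth checking after an emergency change.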
...packets that did not pass TCP/IP's error checking algorithm. The Total Packets option displays a graph that combines TX/RX and TX Error/RX Error packet activity. The graph displays data transmission activity by showing Packets/s (i.e., packets per second, or pps) versus sec. (seconds). In fact, three curves are displayed on the same graph: Unicast packets (in blue), Multicast packets (in red), and Broadcast packets (in amber). The graph is updated every few seconds, allowing the user to analyze data transmission activity in real time.

Monitor, System Total Packets

[Screenshot: System Total Packets graph (Unicast, Multicast, Broadcast) and a per-port table of packets in the previous 5-second interval (update interval 5 sec) for ports 1 to 8, G1 and G2; e.g. port 2: 188634 unicast and 10 multicast in one direction, 12266 unicast and 7 multicast in the other; port 7: 21984 unicast and 23 multicast]

Event Log

[Screenshot: Event Log Table, filter All, level Debug, page 1/40. Example entries: "TCP Without SYN Scan DROP, PROTO TCP, SRC_IP 1.0.0.0, DST_IP 0.0.0.0, OUT LAN" and "2014/11/23 09:26:34 Firewall <4> Warning TCP Without SYN Scan DROP, PROTO TCP, SRC_IP 192.168.126.1, SRC_PORT 57768, IN BRG, DST_IP 192.168.50.137, DST_PORT ..."]
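The Event Log entries above (severity, rule name such as "TCP Without SYN Scan", action, and the PROTO/SRC_IP/SRC_PORT/IN/DST_IP/DST_PORT/OUT fields) are what a SOC would forward to syslog and alert on. The following parser and two summaries are an added example, not code from the Moxa manual; the sample lines are constructed to match the fields visible in the screenshot, and the key=value layout and separators are an assumption about the exported format, not something the page specifies.

```python
# Added example, not code from the Moxa manual: parse firewall event log lines
# shaped like the Event Log table above and derive the counts a detection
# rule would use. The sample lines are constructed; the key=value layout is an
# assumption about the syslog export, not a format the manual documents.
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2014/11/23 09:26:34 Firewall <4> Warning TCP Without SYN Scan DROP PROTO=TCP SRC_IP=192.168.126.1 SRC_PORT=57768 IN=BRG DST_IP=192.168.50.137 DST_PORT=445 OUT=LAN
2014/11/23 09:26:35 Firewall <4> Warning TCP Without SYN Scan DROP PROTO=TCP SRC_IP=192.168.126.1 SRC_PORT=57769 IN=BRG DST_IP=192.168.50.137 DST_PORT=139 OUT=LAN
2014/11/23 09:26:35 Firewall <4> Warning TCP Without SYN Scan DROP PROTO=TCP SRC_IP=192.168.126.1 SRC_PORT=57770 IN=BRG DST_IP=192.168.50.137 DST_PORT=502 OUT=LAN
2014/11/23 09:27:01 Firewall <7> Debug Policy 3 ACCEPT PROTO=TCP SRC_IP=192.168.126.20 SRC_PORT=40001 IN=BRG DST_IP=192.168.50.10 DST_PORT=502 OUT=LAN
2014/11/23 09:27:09 Firewall <4> Warning Policy 7 DROP PROTO=UDP SRC_IP=10.0.0.9 SRC_PORT=1024 IN=WAN DST_IP=192.168.50.137 DST_PORT=161 OUT=LAN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) Firewall <(?P<sev>\d)> (?P<level>\w+) "
    r"(?P<rule>.+?) (?P<action>DROP|ACCEPT) (?P<fields>.*)$"
)


def parse_line(line):
    """Return a dict for one event line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    for kv in rec.pop("fields").split():   # PROTO=TCP SRC_IP=... -> lower-case keys
        key, _, value = kv.partition("=")
        rec[key.lower()] = value
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def drops_by_source(records):
    """How many packets the firewall dropped per source address."""
    return Counter(r["src_ip"] for r in records if r["action"] == "DROP")


def scan_suspects(records, min_ports=3):
    """Sources whose dropped packets hit at least min_ports distinct destination
    ports on one target: the pattern behind the 'TCP Without SYN Scan' entries."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "DROP":
            ports[(r["src_ip"], r["dst_ip"])].add(r["dst_port"])
    return sorted({src for (src, _), p in ports.items() if len(p) >= min_ports})
```

Accepted traffic is kept in the records but excluded from both summaries, so a busy Modbus client on the accepted policy does not show up as a scanner.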
...address to an Ethernet device from a defined IP range.

Dynamic IP Assignment

[Screenshot: Enable; Pool First IP Address 0.0.0.0; Pool Last IP Address 0.0.0.0; Netmask 0.0.0.0; Lease Time (minutes); Default Gateway 0.0.0.0; DNS Server 1 0.0.0.0; DNS Server 2 0.0.0.0; NTP Server 0.0.0.0. Dynamic IP Pool (0/16), only one pool for each subnet; list columns Enable, First Address, Last Address, Netmask, Lease Time, Default Gateway, DNS Server 1, DNS Server 2, NTP Server]

DHCP Server: Enable / Disable - Enable or disable the DHCP server function.
Pool First IP Address: IP Address - The first IP address of the offered IP address range for DHCP clients. Factory default: 0.0.0.0.
Pool Last IP Address: IP Address - The last IP address of the offered IP address range for DHCP clients. Factory default: 0.0.0.0.
Netmask: Netmask - The netmask for DHCP clients. Factory default: 0.0.0.0.
Lease Time: at least 5 min - The lease time of the DHCP server. Factory default: None.
Default Gateway: IP Address - The default gateway for DHCP clients. Factory default: 0.0.0.0.
DNS Server: IP Address - The DNS server for DHCP clients. Factory default: 0.0.0.0.
NTP Server: IP Address - The NTP server for DHCP clients. Factory default: 0.0.0.0.

NOTE: 1. The DHCP Server is only available for LAN interfaces. 2. The Pool First/Last IP Address must be in the same subnet on the LAN.

Static DHCP

Use the Static DHCP list to ensure that devices connected to the Industrial
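The two NOTE items and the 5-minute lease minimum are the rules the web form enforces only when you click Apply; the following check is an added example, not code from the Moxa manual, that applies them (plus the obvious extras: a pool that swallows the router's own LAN address, the network or broadcast address, or a Static DHCP reservation) to a pool before it goes on the device. The addresses in the tests are constructed around the default LAN address 192.168.127.254; the static-reservation check is the editor's addition, not a rule stated on this page.

```python
# Added example, not code from the Moxa manual: pre-check a Dynamic IP
# Assignment pool against the constraints on this page. The overlap checks for
# the router's own address and Static DHCP reservations are the editor's extras.
from ipaddress import ip_address, ip_network


def validate_dhcp_pool(lan_ip, lan_mask, first, last, gateway, lease_minutes,
                       dns=(), static=()):
    """Return a list of problems; an empty list means the pool is acceptable.
    static is an iterable of (mac, ip) Static DHCP reservations (assumed shape)."""
    problems = []
    lan = ip_network(f"{lan_ip}/{lan_mask}", strict=False)
    f, l, g, router = (ip_address(x) for x in (first, last, gateway, lan_ip))
    if f not in lan or l not in lan:
        problems.append(f"Pool First/Last IP must be in the LAN subnet {lan}")
    if f > l:
        problems.append("Pool First IP is above Pool Last IP")
    if f == lan.network_address or l == lan.broadcast_address:
        problems.append("pool includes the network or broadcast address")
    if f <= router <= l:
        problems.append(f"pool overlaps the router's own LAN address {lan_ip}")
    if g not in lan:
        problems.append(f"default gateway {gateway} is not in {lan}")
    if lease_minutes < 5:
        problems.append("lease time below the 5 minute minimum")
    for d in dns:
        if d == "0.0.0.0":
            problems.append("DNS server left at 0.0.0.0")
    for mac, ip in static:
        if f <= ip_address(ip) <= l:
            problems.append(f"static reservation {mac} -> {ip} lies inside the dynamic pool")
    return problems


def pool_size(first, last):
    """Number of addresses the pool can hand out (0 if the range is inverted)."""
    return max(0, int(ip_address(last)) - int(ip_address(first)) + 1)
```

Keep reservations outside the dynamic range: a reserved address inside the pool can already be leased to a different client, which then fights the reserved device for it.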
...al (sec): Numerical value input - Sets the query interval of the Querier function globally. Valid settings are from 20 to 600 seconds. Factory default: 125 seconds.
Enable IGMP Snooping: Enable / Disable - Enables or disables the IGMP Snooping function on that particular VLAN. Factory default: Enabled if IGMP Snooping is enabled globally.
Querier: Enable / Disable - Enables or disables the Moxa Industrial Secure Router's querier function. Factory default: Disabled.
V1, V2 and V3 (checkboxes): V1/V2 - Enables the Moxa Industrial Secure Router to send IGMP snooping version 1 and 2 queries. V3 - Enables the Moxa Industrial Secure Router to send IGMP snooping version 3 queries.
Static Multicast Querier Port: Select / Deselect - Select the ports that will connect to the multicast routers. These ports will receive all multicast packets from the source. This option is only active when IGMP Snooping is enabled. Factory default: Disabled.

NOTE: If a router or layer 3 switch is connected to the network, it will act as the Querier, and consequently this Querier option will be disabled on all Moxa layer 2 switches. If all switches on the network are Moxa layer 2 switches, then only one layer 2 switch will act as Querier.

IGMP Table

The Moxa industrial secure router displays the current active IGMP groups that were detected. View the IGMP group settings per VLAN ID on this page.

[Screenshot: IGMP Snooping - IGMP Table, VID 1, Au
Quick Setting Profile

WAN Routing Quick Setting

The EDR-810 series supports WAN Routing Quick Setting, which creates a routing function between LAN ports and WAN ports defined by users. Follow the wizard's instructions to configure the LAN and WAN ports.

Step 1: Define the WAN ports and LAN ports. Click on the ports in the figure to define the WAN ports and LAN ports.

[Screenshot: WAN Routing Quick Setting - Select WAN Port, LAN IP Configuration, WAN Configuration, Service Enable; port diagram with the prompt "Click on the ports to select WAN or LAN"; Next Step]

Step 2: Configure the LAN IP address of the EDR-810 and the subnet address of the LAN ports. Configure the LAN IP address of the EDR-810 to define the subnet of the LAN ports on the secure router. The default IP address of the EDR-810 on the LAN side is 192.168.127.254, and the default subnet address is 192.168.127.0/24.

[Screenshot: WAN Routing Quick Setting - Select WAN Port, LAN IP Configuration, WAN Configuration, Service Enable; IP Address 192.168.127.254; Subnet Mask 255.255.255.0; Prev Step, Next Step]

Step 3: Configure the WAN port type. Configure the WAN port type to define how the secure router/switch connects to the WAN.

[Screenshot: WAN Routing Quick Setting - Select
another part of the network and retains its original subnet membership, you only need to specify that the new port is on VLAN Marketing. You do not need to do any re-cabling.
• VLANs provide extra security. Devices within each VLAN can only communicate with other devices on the same VLAN. If a device on VLAN Marketing needs to communicate with devices on VLAN Finance, the traffic must pass through a routing device or Layer 3 switch.
• VLANs help control traffic. With traditional networks, congestion can be caused by broadcast traffic that is directed to all network devices, regardless of whether or not they need it. VLANs increase the efficiency of your network because each VLAN can be set up to contain only those devices that need to communicate with each other.
Managing a VLAN
A new or initialized Moxa industrial secure router contains a single VLAN, the Default VLAN. This VLAN has the following definition:
• VLAN Name: Management VLAN
• 802.1Q VLAN ID: 1 (if tagging is required)
All of the ports are initially placed on this VLAN, and it is the only VLAN that allows you to access the management software of the Moxa switch over the network.
Configuring Virtual LAN
To configure 802.1Q VLAN on the Moxa switch, use the 802.1Q VLAN Settings page to configure the ports.
802.1Q VLAN Settings
[Figure: 802.1Q VLAN Settings, Quick Setting Panel: VLAN ID ...]
cations of different units. Example: Factory Switch 1.
Router Location: Max 80 characters. This option is useful for differentiating between the locations of different units. Example: production line 1. Factory default: Device Location.
Router Description: Max 30 characters. This option is useful for recording a more detailed description of the unit.
Maintainer Contact Info: Max 30 characters. This option is useful for providing information about who is responsible for maintaining this unit and how to contact this person.
Web Configuration: "http or https" enables HTTP and HTTPS; "https only" enables HTTPS only. Factory default: http or https.
Web login message / Login authentication failure message: Users can define the message that will show up on the login page and the message that will show up if login fails. The maximum length of each message is 512 bytes.
User Account
The Moxa industrial secure router supports the management of accounts, including establishing, activating, modifying, disabling and removing accounts. There are two levels of configuration access: admin and user. An account with admin privilege has read/write access to all configuration parameters, while an account with user authority has read-only access to view the configuration.
NOTE: 1. In consideration of a higher security level, we strongly suggest changing the default
ces. For example, 1-to-1 NAT makes it easy to duplicate or extend identical production lines.
The NAT function will check whether incoming or outgoing packets match the policy. It starts by checking the packet against the first policy (Index 1); if the packet matches this policy, the Industrial Secure Router will translate the address immediately and then start checking the next packet. If the packet does not match this policy, it will check it against the next policy. The maximum number of NAT policies for the Industrial Secure Router is 128.
1-to-1 NAT
If the internal device and external device need to communicate with each other, choose 1-to-1 NAT, which offers bi-directional communication. N-to-1 and Port forwarding are both single-directional communication NAT functions.
[Figure: 1-to-1 NAT topology: remote user, WAN network, internal device 192.168.100.1]
1-to-1 NAT is usually used when you have a group of internal servers with private IP addresses that must connect to the external network. You can use 1-to-1 NAT to map the internal servers to public IP addresses. The IP address of the internal device will not change.
The figure below illustrates how a user could extend production lines and use the same private IP addresses of internal devices in each production line. The internal private IP addresses of these devices will map to different public IP addresses. Configuring a group of devices for 1-to-1 NAT is easy and straightforward. The EDR
change, and the web browser will try to jump to the SettingCheck Confirmed page automatically. Because the new IP list does not include the remote user's IP address, the remote user cannot connect to the SettingCheck Confirmed page. After 15 seconds, the EtherDevice Router will roll back to the original Accessible IP List setting, allowing the remote user to reconnect to the EtherDevice Router and check what's wrong with the previous setting.
4-8 Industrial Secure Router User's Manual, EDR-G902/G903 Series Features and Functions
[Figure: browser screenshot of the "The page cannot be displayed" error page shown to the remote user while the new Accessible IP List is in effect]
ck all Source port numbers in the packet. Factory default: All.
Single Port number: This Firewall Policy will check a single Source Port number in the packet.
Range Port number: This Firewall Policy will check multiple Source port numbers in the packet.
8-3 Industrial Secure Router User's Manual, Firewall
Destination IP. Factory default: All.
All IP Address: This Firewall Policy will check all Destination IP addresses in the packet.
Single IP Address: This Firewall Policy will check a single Destination IP address in the packet.
Range IP Address: This Firewall Policy will check multiple Destination IP addresses in the packet.
Destination Port. Factory default: All.
All Port number: This Firewall Policy will check all Destination port numbers in the packet.
Single Port number: This Firewall Policy will check a single Destination Port number in the packet.
Range Port number: This Firewall Policy will check multiple Destination port numbers in the packet.
The Industrial Secure Router's firewall function will check whether incoming or outgoing packets match the firewall policy. It starts by checking the packet against the first policy (Index 1); if the packet matches this policy, it will accept or drop the packet immediately and then check the next packet. If the packet does not match this policy, it will check it against the next policy. The maximum number of Firewall policies for the Industrial Secure Router is 256.
Layer 2 Policy Setup (Only in Bridge Mode for EDR-G902
cluded in policy 2, because the IP range of policy 3 is smaller than the IP range of policy 2 and the Target action is the same.
PolicyCheck message: "Rule 3 is included in rule 2"
Cross Conflict: Policy X cross conflicts with Policy Y. Two firewall policy configurations, such as Source IP, Destination IP, Source port and Destination port in policy X and policy Y, are masked, and the action target (Accept/Drop) is different. For example, two firewall policies are shown in the following table:
Index | Input | Output | Protocol | Source IP | Destination IP | Target
1 | WAN1 | | | 10.10.10.10 | 192.168.127.10 | ACCEPT
2 | WAN2 | LAN | All | 20.20.20.20 to 20.20.20.30 | 192.168.127.25 | ACCEPT
Suppose the user next adds a new policy with the following configuration:
Index | Input | Output | Protocol | Source IP | Destination IP | Target
3 | WAN2 | LAN | All | 20.20.20.25 | 192.168.127.20 | DROP
The source IP range in policy 3 is smaller than policy 2, but the destination IP of policy 2 is smaller than policy 3, and the target actions (Accept/Drop) of these two policies are different. If the user clicks the PolicyCheck button, the Industrial Secure Router will issue a message informing the user that policy 3 is in Cross Conflict with policy 2.
PolicyCheck message: "Rule 3 is cross conflict with rule 2"
Modbus TCP Policy
Modbus TCP is a Modbus protocol used for communications over TCP/IP networks, connecting over port 502 by default
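The first-match evaluation and the PolicyCheck findings described above, as an added example in Python; this is not Moxa's firmware or code. It models each policy field as an inclusive range (or "All"), reports a new policy as "included" when every field lies inside an earlier policy with the same target, and as a "cross conflict" when every field overlaps an earlier policy with a different target. Policies 1 and 2 follow the page's table (policy 1's blank Output and Protocol cells are assumed to be All); the destination range of the constructed policy 3 is chosen so that policy 2's destination lies inside it, as the text describes; the DROP default for unmatched packets is an assumption, since the page does not state the implicit action.

```python
"""First-match firewall evaluation and PolicyCheck-style conflict detection.
Added example, not Moxa's code; policy columns follow the page's table."""
import ipaddress
from dataclasses import dataclass

MAX_POLICIES = 256            # limit stated on the page
ALL_IP = (0, 2 ** 32 - 1)     # "All" addresses as an inclusive integer range
ALL_PORT = (0, 65535)         # "All" ports


def ip_range(spec):
    """'All', 'a.b.c.d' or 'a.b.c.d-e.f.g.h' -> inclusive (low, high) integers."""
    if spec == "All":
        return ALL_IP
    lo, _, hi = spec.partition("-")
    lo_i = int(ipaddress.IPv4Address(lo.strip()))
    hi_i = int(ipaddress.IPv4Address(hi.strip())) if hi else lo_i
    if hi_i < lo_i:
        raise ValueError("range end precedes start: " + spec)
    return (lo_i, hi_i)


def port_range(spec):
    """'All', '502' or '1024-65535' -> inclusive (low, high) integers."""
    if spec == "All":
        return ALL_PORT
    lo, _, hi = spec.partition("-")
    lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError("bad port range: " + spec)
    return (lo_i, hi_i)


def _contains(outer, inner):       # inner range lies entirely inside outer
    return outer[0] <= inner[0] and inner[1] <= outer[1]

def _overlaps(a, b):               # the two ranges share at least one value
    return a[0] <= b[1] and b[0] <= a[1]

def _name_contains(outer, inner):  # interface/protocol names; "All" is a wildcard
    return outer == "All" or outer == inner

def _name_overlaps(a, b):
    return a == "All" or b == "All" or a == b


@dataclass(frozen=True)
class Policy:
    index: int
    names: tuple    # (input interface, output interface, protocol)
    ranges: tuple   # (src IP, dst IP, src port, dst port) as (low, high)
    target: str     # "ACCEPT" or "DROP"

    def matches(self, pkt):
        return (all(_name_contains(n, p) for n, p in zip(self.names, pkt[:3]))
                and all(_contains(r, (v, v)) for r, v in zip(self.ranges, pkt[3:])))

    def covered_by(self, other):   # every field of self inside other's field
        return (all(_name_contains(o, s) for s, o in zip(self.names, other.names))
                and all(_contains(o, s) for s, o in zip(self.ranges, other.ranges)))

    def overlaps(self, other):     # some packet could match both policies
        return (all(_name_overlaps(s, o) for s, o in zip(self.names, other.names))
                and all(_overlaps(s, o) for s, o in zip(self.ranges, other.ranges)))


def packet(input_if, output_if, protocol, src, dst, sport=0, dport=0):
    """Header fields the firewall inspects; IPs given as dotted strings."""
    return (input_if, output_if, protocol, int(ipaddress.IPv4Address(src)),
            int(ipaddress.IPv4Address(dst)), sport, dport)


def policy(index, input_if, output_if, protocol, src, dst, target,
           sport="All", dport="All"):
    """Build a Policy from the page's column values."""
    return Policy(index, (input_if, output_if, protocol),
                  (ip_range(src), ip_range(dst), port_range(sport), port_range(dport)),
                  target)


def evaluate(policies, pkt, default="DROP"):
    """Index 1 is checked first; the first match decides and checking stops.
    `default` (no policy matched) is this example's assumption."""
    if len(policies) > MAX_POLICIES:
        raise ValueError("more than %d policies" % MAX_POLICIES)
    for p in sorted(policies, key=lambda p: p.index):
        if p.matches(pkt):
            return p.index, p.target
    return None, default


def policy_check(new, existing):
    """PolicyCheck: earlier policies the new one is included in (all fields
    inside, same target) or cross conflicts with (all fields overlap, target differs)."""
    findings = []
    for old in sorted(existing, key=lambda p: p.index):
        if new.target == old.target and new.covered_by(old):
            findings.append(("included in", old.index))
        elif new.target != old.target and new.overlaps(old):
            findings.append(("cross conflict with", old.index))
    return findings


# Policies 1 and 2 as in the page's table (policy 1's blank cells taken as "All").
EXISTING = [
    policy(1, "WAN1", "All", "All", "10.10.10.10", "192.168.127.10", "ACCEPT"),
    policy(2, "WAN2", "LAN", "All", "20.20.20.20-20.20.20.30", "192.168.127.25", "ACCEPT"),
]
# Constructed policy 3: source inside policy 2, destination range containing
# policy 2's destination, opposite target -> cross conflict.
NEW_CONFLICT = policy(3, "WAN2", "LAN", "All", "20.20.20.25",
                      "192.168.127.20-192.168.127.30", "DROP")
# Constructed alternative: every field inside policy 2, same target -> included.
NEW_INCLUDED = policy(3, "WAN2", "LAN", "All", "20.20.20.25", "192.168.127.25", "ACCEPT")

if __name__ == "__main__":
    print(policy_check(NEW_CONFLICT, EXISTING))   # [('cross conflict with', 2)]
    print(policy_check(NEW_INCLUDED, EXISTING))   # [('included in', 2)]
    pkt = packet("WAN2", "LAN", "TCP", "20.20.20.25", "192.168.127.25", 40000, 502)
    print(evaluate(EXISTING + [NEW_CONFLICT], pkt))  # (2, 'ACCEPT')
```

Because evaluation stops at the first match, the constructed policy 3 never fires for a packet that policy 2 already accepts; that shadowing is exactly what the cross-conflict warning is meant to surface before the rule is saved.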
cols
• Intelligent PolicyCheck and SettingCheck tools
• -40 to 75°C operating temperature (T models)
• Long-haul transmission distance of 40 km or 80 km with optional mini-GBIC
• Redundant dual 12 to 48 VDC power inputs
• IP30 rugged high-strength metal case
• DIN-rail or panel mounting ability
Useful Utility and Remote Configuration
• Configurable using a Web browser and Telnet/Serial console
• Send ping commands to identify network segment integrity
2. Getting Started
This chapter explains how to access the Industrial Secure Router for the first time. There are three ways to access the router: (1) serial console, (2) Telnet console, and (3) web browser. The serial console connection method, which requires using a short serial cable to connect the Industrial Secure Router to a PC's COM port, can be used if you do not know the Industrial Secure Router's IP address. The Telnet console and web browser connection methods can be used to access the Industrial Secure Router over an Ethernet LAN or over the Internet. A web browser can be used to perform all monitoring and administration functions, but the serial console and Telnet console only provide basic functions.
The following topics are covered in this chapter:
• RS-232 Console Configuration (115200, None, 8, 1, VT100)
• Using Telnet to Access the Industrial Secure Router's Console
• Using a Web Browser to Configure the Industrial Secure Router
Industrial Secure
ct such errors, and these changes are incorporated into new editions of the publication.
Technical Support Contact Information
Moxa Americas: Toll-free 1-888-669-2872; Tel +1-714-528-6777; Fax +1-714-528-6778
Moxa Europe: Tel +49-89-3-70-03-99-0; Fax +49-89-3-70-03-99-99
www.moxa.com/support
Moxa China (Shanghai office): Toll-free 800-820-5036; Tel +86-21-5258-9955; Fax +86-21-5258-5505
Moxa Asia-Pacific: Tel +886-2-8919-1230; Fax +886-2-8919-1231
Table of Contents
1. Introduction 1-1
  Features 1-2
  Industrial Networking Capability 1-2
  Designed for Industrial Applications 1-2
  Useful Utility and Remote Configuration 1-2
2. Getting Started 2-1
  RS-232 Console Configuration (115200, None, 8, 1, VT100) 2-2
  Using Telnet to Access the Industrial Secure Router's Console 2-3
  Using a Web Browser to Configure the Industrial Secure Router
  WAN 3-36
  Bridge Group Interface 3-39
  Network Service 3-41
  DHCP Settings 3-41
  SNMP Settings 3-45
  Dynamic DNS 3-47
  User Interface Management 3-48
  Authentication Certificate 3-49
  RADIUS Server Settings 3-50
  Monitor 3-50
  Interface Statistics 3-50
  Port Status 3-51
  Event Log 3-52
4. EDR-G902/G903 Series Features and Functions 4-1
  Configuring Basic Settings 4-3
  System Identification
802.1Q VLAN Settings
[Figure: 802.1Q VLAN Settings: Quick Setting Panel (Port, Port Type, PVID, Tagged VLAN, Untagged VLAN; Set To Table) and VLAN ID Configuration Table (Management VLAN ID 1; ports 1 to 8, G1, G2 with Port Type Access, PVID 1)]
Note: "1, 2, 10-13, 20-24" means the configuration will be copied to ports 1, 2, 10, 11, 12, 13, 20, 21, 23, 24.
Input multiple port numbers in the Port column, together with the Port Type, Tagged VLAN ID and Untagged VLAN ID, and then click the Set to Table button to create the VLAN ID configuration table.
VLAN Table
[Figure: VLAN Table listing VLAN ID, Joined Access Ports, Trunk Ports, Hybrid Ports and Action]
Use the 802.1Q VLAN Table to review the VLAN groups that were created, the Joined Access Ports, Trunk Ports and Hybrid Ports, and also the Action for deleting VLANs which have no member ports in the list.
Multicast
Multicast filtering improves the performance of networks that carry multicast traffic. This section explains multicasts, multicast filtering, and how multicast filtering can be implemented on your Moxa industrial secure router.
The Concept of Multicast Filtering
What is an IP Multicast?
A multicast is a packet sent by one host to multiple hosts. Only those hosts that belong to a specific multicast group will receive the multicast. If the network is set up correctly, a multicast can only be sent
• Cold start
• Warm start
• Configuration change activated
• Power 1/2 transition (Off to On)
• Power 1/2 transition (On to Off)
• Authentication fail
• Port link off/on
Relay Warning Status
When a relay warning is triggered by either system or port events, the administrator can decide to shut down the hardware warning buzzer by clicking the Apply button. The event will still be recorded in the event list.
[Figure: Relay Warning Status: Relay 1, Alarm Cut Off (ACO), Apply]
SettingCheck
[Figure: SettingCheck Configuration: Firewall Policy, NAT Policy, Accessible IP List, Timer]
SettingCheck is a safety function for industrial users using a secure router. It provides a double confirmation mechanism for when a remote user changes the security policies, such as Firewall filter, NAT and Accessible IP list. When a remote user changes these security policies, SettingCheck provides a means of blocking the connection from the remote user to the Firewall/VPN device. The only way to correct a wrong setting is to get help from the local operator, or go to the local site and connect to the device through the console port, which could take quite a bit of time and money. Enabling the SettingCheck function will execute these new policy changes temporarily until doubly confirmed by the user. If the user does not click the confirm button, the Industrial Secure Router will revert to the previous setting.
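The SettingCheck behaviour described here, and the Accessible IP List rollback scenario in the EDR-G902/G903 section above, as an added Python model (not Moxa's code): a new list takes effect immediately, the previous list is kept, and unless an administrator whom the new list still admits confirms the change before the timer expires, the old list is restored. The addresses, the 15-second timer and the injected clock are constructed for the example; the real device reaches this state through its web pages, not this API.

```python
"""Commit-with-confirmation for the Accessible IP List, modelled on the
SettingCheck behaviour described on the page. Added example, not Moxa's code."""
import ipaddress
import time


class AccessibleIpList:
    """Accessible IP List with a SettingCheck-style confirmation window."""

    def __init__(self, entries, clock=time.monotonic):
        self.active = [ipaddress.ip_network(e) for e in entries]
        self.pending = None      # (previous list, deadline) while unconfirmed
        self.clock = clock       # injectable so the timer can be tested

    def allows(self, ip):
        """True if a management connection from ip would be accepted."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.active)

    def apply(self, entries, timer_s=15):
        """Put the new list into effect now; keep the old list for rollback."""
        self.tick()
        if self.pending is not None:
            raise RuntimeError("a SettingCheck change is already awaiting confirmation")
        self.pending = (self.active, self.clock() + timer_s)
        self.active = [ipaddress.ip_network(e) for e in entries]

    def confirm(self, from_ip):
        """Handle the 'SettingCheck Confirmed' page request. The request can
        only arrive from an address the new list admits; returns True if the
        change became permanent."""
        if self.tick() or self.pending is None:
            return False
        if not self.allows(from_ip):
            return False
        self.pending = None
        return True

    def tick(self):
        """Roll back an unconfirmed change whose timer has expired.
        Returns True if a rollback happened."""
        if self.pending is not None and self.clock() >= self.pending[1]:
            self.active, self.pending = self.pending[0], None
            return True
        return False


def simulate_lockout():
    """The page's scenario: the new list omits the remote administrator."""
    now = [0.0]
    acl = AccessibleIpList(["0.0.0.0/0"], clock=lambda: now[0])  # constructed: all allowed
    remote = "10.10.10.10"                                        # constructed remote admin
    acl.apply(["192.168.127.0/24"])
    reached_confirm_page = acl.allows(remote)   # the browser redirect fails
    now[0] += 15                                # timer expires
    rolled_back = acl.tick()
    return reached_confirm_page, rolled_back, acl.allows(remote)


def simulate_confirmed():
    """The new list keeps the administrator's subnet, so confirmation succeeds."""
    now = [0.0]
    acl = AccessibleIpList(["0.0.0.0/0"], clock=lambda: now[0])
    remote = "10.10.10.10"
    acl.apply(["10.10.10.0/24", "192.168.127.0/24"])
    now[0] += 5
    confirmed = acl.confirm(remote)
    now[0] += 20
    return confirmed, acl.tick(), acl.allows("172.16.0.1")


if __name__ == "__main__":
    print(simulate_lockout())     # (False, True, True)
    print(simulate_confirmed())   # (True, False, False)
```

The important design point is that the rollback is driven by the device's own timer, not by anything the locked-out administrator can do: if the confirmation never arrives, the previous list returns on its own, which is what restores remote access in the scenario on the page.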
e VPN Gateway's IP Address. Factory default: None.
Connection Interface: WAN1 / WAN2 / Default Route. The interface of the VPN tunnel. If the user enables the WAN backup function, WAN1 would be the primary default route and WAN2 would be the backup route. Factory default: WAN1.
Startup Mode: Start in Initial: This VPN tunnel will actively initiate the connection with the Remote VPN Gateway. Wait for Connecting: This VPN tunnel will wait for the remote VPN gateway to initiate the connection. Factory default: Start in Initial.
NOTE: The maximum number of VPN tunnels in Start in Initial mode is 30. The maximum number of VPN tunnels in Wait for Connecting mode is 100.
9-4 Industrial Secure Router User's Manual, Virtual Private Network (VPN)
Local Network / Netmask / ID
IP Address: IP address of the local VPN network. Factory default: IP address of the LAN interface.
Subnet Mask: Subnet Mask of the local VPN network. Factory default: Netmask of the LAN interface.
ID: ID for identifying the VPN tunnel connection. The Local ID must be equal to the Remote ID of the VPN Gateway; otherwise the VPN tunnel cannot be established successfully. Factory default: None.
Remote Network / Netmask / ID
IP Address: IP address of the Remote VPN network. Factory default: 0.0.0.0.
Subnet Mask: Subnet Mask of the local VPN network. Factory default: 0.0.0.0.
ID: ID for identifying the VPN tunnel connection. The Local ID must be equal to the Remote ID of the VPN Gateway; otherwise the VPN tunnel cannot be established. Factory default: None.
Key Exchange (IPSec Phase I)
[Figure: Key Exchange, IPSec Phase 1: IKE Mode Main, Authentication ...]
e options (Total Packets, TX Packets or RX Packets) to view transmission activity of specific types of packets. Recall that TX Packets are packets sent out from the Moxa industrial secure router, and RX Packets are packets received from connected devices. The Total Packets option displays a graph that combines TX and RX Packets activity. The graph displays data transmission activity by showing Packets/s (i.e., packets per second, or pps) versus sec (seconds). The graph is updated every few seconds, allowing the user to analyze data transmission activity in real time.
[Figure: Monitor by System, Total Packets graph: Packets/s versus seconds (0 to 600); Format: Total Packets; packets in previous 5 sec interval, update interval of 5 sec; LAN row with packet counts]
Port Statistics
Access the Monitor by selecting Monitor from the left selection bar. Monitor by System allows the user to view a graph that shows the combined data transmission activity of all of the Moxa industrial secure router's ports. Click one of the four options (Total Packets, TX Packets, RX Packets or Error Packets) to view transmission activity of specific types of packets. Recall that TX Packets are packets sent out from the Moxa industrial secure router, RX Packets are packets received from connected devices, and Error Packets are p
e path and filename of the EtherDevice Router's firmware file.
Log File Path and Name (Max 40 characters): The path and filename of the EtherDevice Router's log file.
After setting up the desired path and filename, click Activate to save the setting. Next, click Download to download the file from the remote TFTP server, or click Upload to upload a file to the remote TFTP server.
System File Update by Local Import/Export
[Figure: Upgrade Software or Configuration: Configuration File (Export), Log File (Export), Upgrade Firmware (Import), Upload Configure Data (Import)]
Configuration File: Click Export to export the configuration file of the EtherDevice Router to the local host.
Log File: Click Export to export the Log file of the EtherDevice Router to the local host.
NOTE: Some operating systems will open the configuration file and log file directly in the web page. In such cases, right-click the Export button and then save as a file.
Upgrade Firmware: To import a firmware file into the EtherDevice Router, click Browse to select a firmware file already saved on your computer. The upgrade procedure will proceed automatically after clicking Import. This upgrade procedure will take a couple of minutes to complete, including the boot-up time.
Upload Configuration Data: To import a configuration file to the EtherDevice Router, click Br
  2-4
3. EDR-810 Series Features and Functions 3-1
  Quick Setting Profile 3-2
  WAN Routing Quick Setting 3-2
  Bridge Routing Quick Setting 3-5
  System 3-8
  User Account 3-9
  Date and Time 3-11
  SettingCheck 3-17
  System File Update by Remote TFTP 3-18
  System File Update by Local Import/Export 3-19
  Reset to Factory Default 3-20
  Port 3-20
  Port Settings 3-20
  Link Aggregation 3-22
  The Port Trunking Concept
[Table: Telnet mode, login by Admin account: Command / Description, with the descriptions Configure, Terminal Page Length, Import or Export File, Enter Configuration Mode, Save Running Configuration to Flash]
Using Telnet to Access the Industrial Secure Router's Console
You may use Telnet to access the Industrial Secure Router's console utility over a network. To access the EDR's functions over the network by either Telnet or a web browser from a PC host that is connected to the same LAN as the Industrial Secure Router, you need to make sure that the PC host and the Industrial Secure Router are on the same logical subnet. To do this, check your PC host's IP address and subnet mask. By default, the LAN IP address is 192.168.127.254 and the subnet mask is 255.255.255.0 (for a Class C subnet). If you do not change these values, and your PC host's subnet mask is 255.255.0.0, then its IP address must have
2-3 Industrial Secure Router User's Manual, Getting Started
the form 192.168.xxx.xxx. On the other hand, if your PC host's subnet mask is 255.255.255.0, then its IP address must have the form 192.168.127.xxx.
NOTE: To use the Industrial Secure Router's management and monitoring functions from a PC host connected to the same LAN as the Industrial Secure Router, you must make sure that the PC host and the Industrial Secure Router are connected to the same logical subnet.
NOTE: Before accessing the console utility via Telnet, fir
en press the Test button to verify that the settings are correct.
NOTE: Auto warning e-mail messages will be sent through an authentication-protected SMTP server that supports the CRAM-MD5, LOGIN and PLAIN methods of the SASL (Simple Authentication and Security Layer) authentication mechanism. We strongly recommend not entering your Account Name and Account Password if auto warning e-mail messages can be delivered without using an authentication mechanism.
Syslog Server Settings
The Syslog function provides the event logs for the syslog server. The function supports 3 configurable syslog servers and syslog server UDP port numbers. When an event occurs, the event will be sent as a syslog UDP packet to the specified syslog servers. Each Syslog server can be activated separately by selecting its check box to enable it.
[Figure: Syslog Setting: Syslog Server 1, 2 and 3, each with an Enable check box, an IP address field, and Port Destination 514 (1-65535)]
Syslog Server 1/2/3: IP Address. Enter the IP address of Syslog server 1/2/3 used by your network. Factory default: None.
Port Destination: Enter the UDP port of Syslog server 1/2/3 (1 to 65535). Factory default: 514.
NOTE: The following events will be recorded into the Moxa industrial secure router's Event Log table and will then be sent to the specified Syslog Server
Delete Existing Account: Select the existing account from the Account List table. Press the Delete button to delete the account.
[Figure: User Account page with the confirmation dialog "Would you like to delete account testuser?"; fields User Name, Old Password, Confirm Password; Account List showing admin (admin) and user accounts with Delete links]
Date and Time
NOTE: The Moxa industrial secure router has a time calibration function based on information from an NTP server or user-specified time and date. Functions such as automatic warning emails can therefore include a time and date stamp.
NOTE: The Moxa industrial secure router does not have a real-time clock. The user must update the Current Time and Current Date to set the initial time for the Moxa switch after each reboot, especially when there is no NTP server on the LAN or Internet connection.
[Figure: Date and Time page: System Up Time 0d0h49m40s; Current Time 2013/07/05 16:47:05; Clock Source Local / NTP-SNTP; Manual Time Settings (Date YYYY/MM/DD, e.g. 2002/11/13; Time HH:MM:SS, e.g. 04:00:04; Sync with Local Device 2013/07/05 16:47:10); NTP/SNTP Server Settings (NTP/SNTP Server, Enable); Time Zone Settings (Time Zone: GMT Greenwich Mean Time: Dublin, Edinburgh, Lisbon, London); Daylight Saving Time (Month, Week, Day, Hour, Min; Start Date ...)]
evice Router after each reboot. This is especially useful when the network does not have an Internet connection for an NTP server, or there is no NTP server on the network.
Current Time: User-adjustable time (hh:mm:ss). The time parameter allows configuration of the local time in local 24-hour format. Factory default: None.
Current Date: User-adjustable date (yyyy/mm/dd). The date parameter allows configuration of the local date in yyyy/mm/dd format. Factory default: None.
Daylight Saving Time: Daylight Saving Time, also known as DST or summer time, involves advancing clocks 1 hour during the summer to provide an extra hour of daylight in the evening.
Start Date: User-adjustable date. The Start Date parameter allows users to enter the date that daylight saving time begins. Factory default: None.
End Date: User-adjustable date. The End Date parameter allows users to enter the date that daylight saving time begins. Factory default: None.
Offset: User-adjustable. The offset parameter indicates how many hours forward the clock should be advanced. Factory default: None.
System Up Time: Indicates the EDR-G903's up time from the last cold start. The unit is seconds.
Time Zone: User-selectable time zone. The time zone setting allows conversion from GMT (Greenwich Mean Time) to local time. Factory default: GMT.
NOTE: Changing the time zone will automatically correct the current time. You should configure the time zone
fault: Max 30 characters. Factory default: None.
MAC Address: The MAC address of the selected device. Factory default: None.
Static IP: IP Address. The IP address of the selected device. Factory default: None.
Netmask: The netmask for the selected device. Factory default: 0.0.0.0.
Lease Time: > 5 min. The lease time of the selected device. Factory default: None.
Default Gateway: IP Address. The default gateway for the selected device. Factory default: 0.0.0.0.
DNS Server: IP Address. The DNS server for the selected device. Factory default: 0.0.0.0.
NTP Server: IP Address. The NTP server for the selected device. Factory default: 0.0.0.0.
Clickable Buttons
Add: Use the Add button to input a new DHCP list. The Name, Static IP and MAC address must be different from any existing list.
Delete: Use the Delete button to delete a Static DHCP list. Click on a list to select it (the background color of the device will change to blue), and then click the Delete button.
Modify: To modify the information for a particular list, click on a list to select it (the background color of the device will change to blue), modify the information as needed using the check boxes and text input boxes near the top of the browser window, and then click Modify.
IP Po
fic query
b. Leave group messages
c. Resends specific queries to verify that the leave message was the last one in the group
d. Querier election
Compatible with V1 and V2, and adds RFC 3376:
a. Source filtering: accept multicast traffic from a specified source, or accept multicast traffic from any source except the specified source
Static Multicast MAC
Some devices may only support multicast packets but not support IGMP Snooping. The Moxa industrial secure router supports adding multicast groups manually to enable multicast filtering.
Enabling Multicast Filtering
Use the USB console or web interface to enable or disable IGMP Snooping and IGMP querying. If IGMP Snooping is not enabled, then IP multicast traffic is always forwarded, flooding the network.
IGMP Snooping
IGMP Snooping provides the ability to prune multicast traffic so that it travels only to those end destinations that require that traffic, thereby reducing the amount of traffic on the Ethernet LAN.
IGMP Snooping Settings
[Figure: IGMP Snooping Setting: IGMP Snooping Enable, Query Interval 125 s; per-VLAN table with columns IGMP Snooping (Enable), Static Multicast Querier Port (ports 1 to 8, G1, G2), V1/V2 (Enable), V3 (Enable)]
IGMP Snooping Global: Enable/Disable. Checkmark the Enable IGMP Snooping check box near the top of the window to enable the IGMP Snooping function globally. Factory default: Disabled.
Query Interv
fication
[Figure: Static Multicast MAC Address page: MAC Address field; Join Port check boxes for Port 1 to Port 8, Port G1 and Port G2; Current Static Multicast MAC Address List (0/128)]
NOTE: 01:00:5E:XX:XX:XX on this page is the IP multicast MAC address. Please activate IGMP Snooping for automatic classification.
MAC Address: Integer. Input the number of the VLAN that the host with this MAC address belongs to. Factory default: None.
Join Port: Select/Deselect. Checkmark the appropriate check boxes to select the join ports for this multicast group. Factory default: None.
QoS and Rate Control
QoS Classification
[Figure: QoS Classification: Scheduling Mechanism Weight Fair (8:4:2:1); per-port table with Inspect ToS, Inspect CoS and Port Priority (Normal) for ports 1 to 8, G1 and G2]
The Moxa switch supports inspection of layer 3 ToS and/or layer 2 CoS tag information to determine how to classify traffic packets.
Scheduling Mechanism: Weight Fair. The Moxa industrial secure router has 4 priority queues. In the weight fair scheme, an 8:4:2:1 weighting is applied to the four priorities. This approach prevents the lower priority frames from being starved of opportunit
[Figure: WAN Configuration step: Select WAN Port, LAN IP Configuration, WAN Configuration, Service Enable; Connect Type PPPoE, PPPoE Dialup User Name, Password, Host Name, Gateway IP Address]
Step 4: Enable services
Check Enable DHCP Server to enable the DHCP server for LAN devices. The default IP address range will be set automatically. To modify the IP range, go to the DHCP Server page. N-1 NAT will also be enabled by default.
[Figure: Bridge Routing Quick Setting, Service Enable: Enable DHCP Server, Offered IP Range 192.168.126.1 to 192.168.126.253; Enable N-1 NAT, LAN IP Range 192.168.126.1 to 192.168.126.254]
System
The System section includes the most common settings required by administrators to maintain and control a Moxa switch.
System Information
Defining System Information items makes the different switches that are connected to your network system easier to identify.
[Figure: Identification: Router Name (Firewall/VPN Router 00769), Router Location (Device Location), Router Description, Maintainer Contact Info, Web Configuration (http or https)]
Router Name: Max 30 characters. This option is useful for differentiating between the roles or appli
Factory default: Firewall/VPN Router
96. for the WAN1 interface: Dynamic IP, Static IP and PPPoE. A detailed explanation of the configuration settings for each type is given below.

Connection Mode (Enable or Disable): enable or disable the WAN interface.
Connection Type (Static IP, Dynamic IP, PPPoE; factory default: Dynamic IP): set up the connection type.

Detailed Explanation of Dynamic IP Type

[Screenshot: WAN1 Configuration with Connection Enable and Connect Type Dynamic IP; PPTP Dialup section with PPTP Connection Enable, IP Address, User Name and Password; DNS (optional for Dynamic IP or PPPoE type) Server 1 192.168.2.1, Server 2 0.0.0.0, Server 3 0.0.0.0.]

PPTP Dialup

Point-to-Point Tunneling Protocol (PPTP) is used for Virtual Private Networks (VPN). Remote users can use PPTP to connect to private networks from public networks.

PPTP Connection (Enable or Disable; factory default: None): enable or disable the PPTP connection.
IP Address (IP address; factory default: None): the PPTP service IP address.
User Name (max. 30 characters; factory default: None): the login user name when dialing up to the PPTP service.
Password (max. 30 characters; factory default: None): the password for dialing the PPTP service.

Caveat: PPTP authenticates with MS-CHAPv2 and encrypts with RC4-based MPPE, both of which can be broken offline by anyone who captures the session. Treat a PPTP dialup as an unprotected link for compatibility with a legacy peer only, and prefer the device's IPsec or L2TP over IPsec tunnels for anything that must stay confidential.

Example: suppose a remote user (IP 10.10.10.10) wants to connect to the internal server (private IP 30.30.30.10) via the PPTP protocol. The IP address for the PPTP server is 20.20
97. g, writing and other operations.

Common Modbus function codes (the extracted table is reconstructed here with the standard public codes):

Bit access
  Physical Discrete Inputs: Read Discrete Inputs (2)
  Internal Bits or Physical Coils: Read Coils (1), Write Single Coil (5), Write Multiple Coils (15)
16-bit access
  Physical Input Registers: Read Input Registers (4)
  Internal Registers or Physical Output Registers: Read Holding Registers (3), Write Single Register (6), Write Multiple Registers (16), Read/Write Multiple Registers (23)
File Record Access
Diagnostics: Diagnostics (8), Read Device Identification (43)

[Figure: a Modbus TCP Master sends a Master Query to a Modbus TCP Slave, which returns a Slave Response; both pass through Modbus TCP Filtering.]

[Screenshot: Modbus TCP Filtering page. Global Setting: Drop Multiple Function. Policy Setting: Enable, Action ACCEPT, From WAN To LAN, Source IP All, Protocol All, Destination IP All, Slave ID 1 (0 = ignore checking slave ID), Function Code 3 Read Holding Registers, Command Type Master Query, Address Range 40000 to 40005, PLC Address Base 1. Modbus List (3/64) showing a rule that accepts function code 3 (Read Holding Registers) for slave ID 1 from LAN to WAN and a final rule for all interfaces, all function codes and slave ID 0 (all) with target DROP.]

Modbus TCP Filtering controls both directions of communication between a Modbus Master and a Modbus Slave. Users need to set up two rules for the data transaction between Master and Slave: one rule to accept the Master's commands and another rule to accept the Slave's response. The main Firewall Policy rules are the first tier of fi
98. g

Basic Settings

The Basic Settings group includes the most commonly used settings required by administrators to maintain and control the EDR-G903.

System Identification

The system identification section gives you an easy way to identify the different switches connected to your network.

[Screenshot: System Identification page with Router Name (Firewall/VPN Router 00000), Router Location (Device Location), Router Description, Maintainer Contact Info, Web Configuration and an Activate button.]

Router Name (max. 30 characters; factory default: Firewall/VPN Router plus the serial number of this switch): this option is useful for specifying the role or application of different EDR-G903 units, e.g. "Factory Router 1".
Router Location (max. 80 characters; factory default: Device Location): specifies the location of different EDR-G903 units, e.g. "production line 1".
Router Description (max. 30 characters; factory default: None): use this field to enter a more detailed description of the EDR-G903 unit.
Maintainer Contact Info (max. 30 characters; factory default: None): enter the contact information of the person responsible for maintaining this EDR-G903.
Web Configuration (factory default: http or https): "http or https" lets users connect to the EDR-G903 router via the HTTP or HTTPS protocol; "https only" lets users connect via the HTTPS protocol only. Plain HTTP sends the administrator login and session in cleartext, so set this to "https only" on any network an attacker could observe.

Accessible IP

The EtherDevice Router uses an IP address based filtering method to control access to Et
99. g Delay 15, Max Age 20

[Screenshot: RSTP settings table. Forwarding Delay 15, Max Age 20; for each port (1 to 8, G1, G2): Enable RSTP False, Port Priority 128, Port Cost 200000.]

At the top of this page the user can check the Current Status of this function. For RSTP you will see:
Now Active: shows which communication protocol is being used (Turbo Ring, RSTP, or neither).
Root / Not Root: this field only appears when RSTP mode is selected. It indicates whether or not this switch is the Root of the Spanning Tree (the root is determined automatically).

At the bottom of this page the user can configure the Settings of this function. For RSTP you can configure:
Redundancy Protocol (factory default: None): Turbo Ring selects the Turbo Ring configuration page; RSTP (IEEE 802.1W/1D) selects the RSTP configuration page.
Bridge Priority (numerical value selected by user): increase this device's bridge priority by selecting a lower number. A device with a higher bridge priority has a greater chance of being established as the root of the Spanning Tree topology.
Forwarding Delay (sec) (numerical value input by user): the amount of time this device waits before checking to see if it
100. g topics are covered in this chapter:

Policy Concept
Policy Overview
Policy Configuration
  Layer 2 Policy Setup (only in Bridge Mode for EDR-G902/G903)
  Quick Automation Profile
  Policy Check
Modbus TCP Policy
Denial of Service (DoS) Defense
Firewall Event Log

Policy Concept

A firewall device is commonly used to provide secure traffic control over an Ethernet network, as illustrated in the following figure. Firewall devices are deployed at critical points between an external network (the non-secure part) and an internal network (the secure part).

[Figure: External or unsecure area | Firewall Policy | Internal or secure area. A policy matches on incoming/outgoing direction, IP or MAC address, protocol (TCP/UDP), source IP and port, and destination IP and port, and results in Accept or Drop.]

Policy Overview

The Industrial Secure Router provides a Firewall Policy Overview that lists firewall policies by interface direction.

[Screenshot: Policy Overview with Interface From/To selectors (All, All), a Show button and the Filter List with a Destination IP column.]

Select the From interface and To interface and then click the Show button. The Policy list table will show the policies that match the From/To interface.

Interface From / To (All, WAN1, WAN2, LAN; factory default: From All to All): select the From interface and To interface.
101. herDevice Router units.

[Screenshot: Accessible IP List page. Check box "Enable the accessible IP list (Disable will allow all IPs connection)", check box "LAN Enable", a table of Index, IP Address and Netmask rows, and an Activate button.]

Accessible IP Settings allows you to add or remove legal remote host IP addresses to prevent unauthorized access. Access to the EtherDevice Router is controlled by IP address: if a host's IP address is in the accessible IP table, then the host will have access to the EtherDevice Router. You can allow one of the following cases by setting this parameter:

• Only one host with the specified IP address can access this device. E.g. enter 192.168.1.1 / 255.255.255.255 to allow access to just the IP address 192.168.1.1.
• Any host on a specific subnetwork can access this device. E.g. enter 192.168.1.0 / 255.255.255.0 to allow access to all IPs on the subnet defined by this IP address / subnet mask combination.
• Any host can access the EtherDevice Router. Disable this function by deselecting the "Enable the accessible IP list" option.
• Any LAN host can access the EtherDevice Router. Deselect the LAN option to stop every IP on the LAN side from accessing this device. E.g. if the LAN IP address is set to 192.168.127.254 / 255.255.255.0, then with the LAN option selected the IP addresses 192.168.127.1/24 to 192.168.127.253/24 can access the EtherDevice Router.

Note that this list authenticates nothing: it is a source-address filter, and a host on the same segment can spoof or take over a permitted address. Treat it as one layer alongside strong account passwords and HTTPS/SSH-only management.

The following table shows additional configuration examples.
102. ilable on the EDR-G903.

LAN Interface

A basic application of an industrial Firewall/VPN device is to provide protection when the device is connected to a LAN. In this regard the LAN port connects to a secure or trusted area of the network, whereas the WAN1 and WAN2 (DMZ) ports connect to an insecure or untrusted area.

[Screenshot: LAN IP Configuration with IP Address 192.168.127.254 (e.g. 192.168.1.1), Subnet Mask and an Activate button.]

LAN IP Configuration
IP Address (IP address; factory default: 192.168.127.254): the LAN interface IP address.
Subnet Mask

Communication Redundancy

The Moxa industrial secure router provides a communications redundancy function.

WAN Backup (EDR-G903 only)

The industrial secure router has two WAN interfaces: WAN1 is the primary WAN interface and WAN2 is the backup interface. When the industrial secure router detects that the WAN1 connection has failed (link down or ping fails), it will switch the communication path from WAN1 to WAN2 automatically. When WAN1 recovers, the major communication path will return to WAN1.

How Dual WAN Backup Works

A power utility at a field site connects to a central office via two different ISPs (Internet Service Providers). ISP A uses Ethernet and ISP B uses satellite for data transmission, with Ethernet used as the major connection and the satellite as the backup connection. This makes sense
103. l execute these new policy changes temporarily until doubly confirmed by the user. If the user does not click the confirm button, the EtherDevice Router will revert to the previous setting.

Firewall Policy: enables or disables the SettingCheck function when the Firewall policies change.
NAT Policy: enables or disables the SettingCheck function when the NAT policies change.
Accessible IP List: enables or disables the SettingCheck function when the Accessible IP List changes.
Layer 2 Filter: enables or disables the SettingCheck function when the Layer 2 filter changes.
Timer (10 to 3600 sec; factory default: 180 sec): the timer waits this amount of time for the user to double confirm a change to the policies.

For example, if the remote user (IP 10.10.10.10) connects to the EtherDevice Router and changes the accessible IP address to 10.10.10.12, or deselects the Enable checkbox accidentally, then after the remote user clicks the Activate button the connection to the EtherDevice Router will be lost, because the user's IP address is no longer in the EtherDevice Router's Accessible IP list.

[Screenshot: Accessible IP List with "Enable the accessible IP list" selected, LAN Enable, and a single entry 10.10.10.12.]

If the user enables the SettingCheck function with the Accessible IP list and the confirm Timer is set to 15 seconds, then when the user clicks the Activate button on the Accessible IP List page the EtherDevice Router will execute the configuration
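The following is an added example and not code from the Moxa manual or firmware. It models the Accessible IP List described above (IP address plus netmask entries, the "LAN Enable" option and the list's master enable) and the SettingCheck timer that reverts a change the administrator can no longer confirm. The way the firmware evaluates the list internally is not documented on these pages, so the matching below is the natural reading of the manual's own examples (an assumption), and the constructed scenario reuses the manual's 10.10.10.10 / 10.10.10.12 lock-out case.

```python
# Added example, not Moxa code: model the Accessible IP List (IP address +
# netmask entries, "LAN Enable", the list's master enable) and the
# SettingCheck timer that reverts a change the administrator cannot confirm.
# Matching semantics are an assumption read from the manual's examples.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AccessibleIpList:
    enabled: bool = True                 # "Enable the accessible IP list"
    lan_enabled: bool = True             # "LAN Enable": the whole LAN subnet may connect
    lan_network: str = "192.168.127.254/255.255.255.0"   # LAN IP / subnet mask
    entries: list = field(default_factory=list)          # [(ip, netmask), ...]

    def permits(self, host: str) -> bool:
        """True if `host` may open a management session."""
        if not self.enabled:
            return True                  # "Disable will allow all IPs connection"
        ip = ipaddress.ip_address(host)
        if self.lan_enabled and ip in ipaddress.ip_network(self.lan_network, strict=False):
            return True
        # 255.255.255.255 admits one host, 255.255.255.0 a whole /24, as on the page.
        return any(ip in ipaddress.ip_network(f"{addr}/{mask}", strict=False)
                   for addr, mask in self.entries)


def would_lock_out(new_list: AccessibleIpList, admin_ip: str) -> bool:
    """The check to run before clicking Activate: does the new list still admit me?"""
    return not new_list.permits(admin_ip)


def activate_with_settingcheck(current, new, admin_ip, timer_s, confirm_after_s):
    """Simulate SettingCheck for the Accessible IP List.

    The new list is applied at once. If the administrator at `admin_ip` can
    still reach the device and clicks Confirm within `timer_s` seconds
    (`confirm_after_s`, or None if no click happens), the change stays;
    otherwise the device reverts to `current`. Returns (outcome, list_in_effect).
    """
    if not 10 <= timer_s <= 3600:
        raise ValueError("Timer must be 10 to 3600 sec")
    can_confirm = new.permits(admin_ip)
    confirmed = can_confirm and confirm_after_s is not None and confirm_after_s <= timer_s
    if confirmed:
        return "confirmed", new
    return "reverted", current


if __name__ == "__main__":
    # Constructed input: the manual's remote administrator at 10.10.10.10
    # replaces the only entry with 10.10.10.12 and clicks Activate.
    admin = "10.10.10.10"
    before = AccessibleIpList(lan_enabled=False, entries=[("10.10.10.10", "255.255.255.255")])
    after = AccessibleIpList(lan_enabled=False, entries=[("10.10.10.12", "255.255.255.255")])
    print("would lock out:", would_lock_out(after, admin))
    outcome, in_effect = activate_with_settingcheck(before, after, admin, 15, None)
    print(outcome, in_effect.entries)
```

The `would_lock_out` pre-check is the step worth automating in any change procedure: SettingCheck saves you from the mistake only after the timer has run, whereas the check refuses the change before it is activated.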
104. lman groups (DH2 modp1024, DH5 modp1536, DH14 modp2048; factory default: DH2 modp1024): the key exchange group between the Remote and Local VPN Gateways. A 1024-bit group is below the current 2048-bit minimum and is considered breakable by a well-resourced attacker; select DH14 on both peers unless a legacy peer cannot negotiate it.
Negotiation Time (negotiation time): the number of allowed reconnect attempts when startup mode is initiated. If the number is 0, this tunnel will keep trying to connect to the remote gateway whenever the VPN tunnel has not been created successfully.
IKE Lifetime (IKE lifetime, hours; factory default: 1 hr): lifetime for the IKE SA.
Rekey Expire Time (rekey expire time, minutes; factory default: 9 min): start to rekey this long before the IKE lifetime expires.
Rekey Fuzz Percent (0 to 100; factory default: 100): the rekey expire time is changed randomly to enhance security. Rekey fuzz percent is the maximum random change margin of the rekey expire time; 100 means the rekey expire time will not change randomly.

Data Exchange (IPSec Phase 2)

[Screenshot: Data Exchange (IPSec Phase 2) with Perfect Forward Secrecy, SA Life Time 480, Encryption Algorithm 3DES, Hash Algorithm SHA1.]

Perfect Forward Secrecy (Enable or Disable; factory default: Disable): uses a different security key for the different IPSec phases to enhance security. Without PFS, compromise of the IKE keying material exposes every Phase 2 key derived from it, so enable it wherever the peer supports it.
SA Lifetime (SA lifetime, minutes; factory default: 480 min): lifetime for the SA in Phase 2.
Encryption Algorithm (DES, 3DES, AES-128, AES-192, AES-256; factory default: 3DES): encryption algorithm in data exchange. DES is broken by brute force and 3DES has a 64-bit block size (Sweet32); choose an AES option.
Hash Algorithm (Any
105. ltering in the Network Layer, and the Modbus Filtering rules are the second tier of filtering in both the Network Layer and the Application Layer.

Denial of Service (DoS) Defense

The Industrial Secure Router provides 9 different DoS functions for detecting or defining abnormal packet formats or traffic flows. The Industrial Secure Router will drop the packets when it detects an abnormal packet format. The Industrial Secure Router will also monitor some traffic flow parameters and activate the defense process when abnormal traffic conditions are detected.

[Screenshot: DoS (Denial of Service) Setting with check boxes for Null Scan, Xmas Scan, NMAP Xmas Scan, SYN/FIN Scan, FIN Scan, NMAP ID Scan, SYN/RST Scan and NEW Without SYN Scan; ICMP Death Limit 4000 pkt/s, SYN Flood Limit 4000 pkt/s, ARP Flood Limit 4000 pkt/s.]

Null Scan (Enable or Disable; factory default: None): enable or disable Null Scan detection.
Xmas Scan (Enable or Disable; factory default: None): enable or disable Xmas Scan detection.
NMAP Xmas Scan (Enable or Disable; factory default: None): enable or disable NMAP Xmas Scan detection.
SYN/FIN Scan (Enable or Disable; factory default: None): enable or disable SYN/FIN Scan detection.
FIN Scan (Enable or Disable; factory default: None): enable or disable FIN Scan detection.
NMAP ID Scan (Enable or Disable): enable or disable NMAP ID Scan detection.
106. n, select the Enable option in Log Enable.

Enable Firewall Rule Event Log

To enable the specific firewall event log, click Flash, Syslog or SNMP Trap. You may also define the severity of the firewall rule and record it in the event.

[Screenshot: DoS (Denial of Service) Log Setting with Null Scan, Xmas Scan, NMAP Xmas Scan, SYN/FIN Scan, FIN Scan, NMAP ID Scan, SYN/RST Scan and NEW Without SYN Scan; ICMP Death Limit 50 pkt/s, SYN Flood Limit 50 pkt/s, ARP Flood Limit 50 pkt/s.]

Enable Logging DoS Events

To enable the DoS event log function, select the Enable option in Log Enable and click Flash, Syslog or SNMP Trap. You may also define the severity of the DoS types and record it in the event. Send these events to a syslog collector on the trusted side of the firewall as well as to flash, so that the record is kept off the device and cannot be erased by whoever reaches its management interface.

Virtual Private Network (VPN)

The following topics are covered in this chapter:

Overview
IPSec Configuration
  Global Settings
  IPSec Settings
  IPSec Status
  X.509 Certificate
L2TP Server (Layer 2 Tunnel Protocol)
  L2TP Configuration
Examples for Typical VPN Applications

Overview

In this section we describe how to use the Industrial Secure Router to build a secure Remote Automation network with the VPN (Virtual Private Network) feature. A VPN provides a highly cost-effective solution of establishing
107. n

[Screenshot: Service Enable tab. Enable DHCP Server, Offered IP Range 192.168.127.1 to 192.168.127.253; Enable N-1 NAT.]

Step 5: Activate the settings

Click the Activate button.

NOTE: An existing configuration will be overwritten by the new settings when processing WAN Routing Quick Setting.

Bridge Routing Quick Setting

The EDR-810 series supports WAN Routing Quick Setting, which creates a routing function between LAN ports and WAN ports defined by users. Follow the wizard's instructions to configure the LAN and WAN ports.

Step 1: Define the WAN port and Bridge ports

Click on the ports in the figure to define the WAN ports and Bridge ports.

[Screenshot: Bridge Routing Quick Setting, Select WAN Port tab, with a port diagram ("Click on the ports to select WAN or LAN") and a Next Step button.]

Step 2: Configure the Bridge LAN IP address of the EDR-810 and the subnet address of the bridged ports

Configure the Bridge LAN interface IP address of the EDR-810 to define the subnet of the Bridge LAN ports on the secure router. The default IP address of the EDR-810 on the Bridge LAN side is 192.168.126.254 and the default subnet address is 192.168.126.0/24.
108. nal 1-to-1 NAT

[Figure: 1-to-1 NAT from LAN2 to LAN1 (external communication) and from LAN1 to LAN2 (internal communication). The LAN1 interface is 10.0.0.1/24 with hosts 10.0.0.2/24 and 10.0.0.3/24; the LAN2 interface is on the other side.]

[Screenshot: Network Address Translation entry: Enable, Host IP 140.0.0.1, NAT Mode 1-1, Interface WAN, Interface IP 192.168.0.1; NAT List (3/128) with columns Source IP, Host IP, Destination IP and Interface IP, and an entry pairing 192.168.0.1 with 10.0.0.100.]

For some applications, devices need to talk to both internal devices and external devices without using a gateway. Bidirectional 1-to-1 NAT can do Network Address Translation in both directions without a gateway. Because a 1-to-1 mapping also admits inbound connections to the mapped host, pair it with a firewall policy that limits which external sources and ports may reach that host.

The Industrial Secure Router can obtain an IP address via DHCP or PPPoE. However, if this dynamic IP address is the same as the WAN IP used for 1-to-1 NAT, then the 1-to-1 NAT function will not work. For this reason we recommend disabling the DHCP/PPPoE function when using the 1-to-1 NAT function.

N-to-1 NAT

If the user wants to hide the internal IP addresses from users outside the LAN, the easiest way is to use the N-to-1 (N-1) NAT function. The N-1 NAT function replaces the source IP address with an external IP address and adds a logical
109. network devices that support multicast filtering. Moxa switches support IGMP versions 1, 2 and 3. IGMP versions 1 and 2 work as follows:

• The IP router (or querier) periodically sends query packets to all end stations on the LANs or VLANs that are connected to it. For networks with more than one IP router, the router with the lowest IP address is the querier. A switch with an IP address lower than the IP address of any other IGMP querier connected to the LAN or VLAN can become the IGMP querier.
• When an IP host receives a query packet, it sends a report packet back that identifies the multicast group that the end station would like to join.
• When the report packet arrives at a port on a switch with IGMP Snooping enabled, the switch knows that the port should forward traffic for the multicast group, and then proceeds to forward the packet to the router.
• When the router receives the report packet, it registers that the LAN or VLAN requires traffic for the multicast groups.
• When the router forwards traffic for the multicast group to the LAN or VLAN, the switches only forward the traffic to ports that received a report packet.

IGMP version 3 supports source filtering, which allows the system to define how to treat packets from specified source addresses. The system can either white-list or black-list specified sources.

IGMP version comparison
V1 (RFC 1112): periodic query.
V2 (RFC 2236): compatible with V1 and adds group-speci
110. networks.

• Each interface (WAN1, WAN2 and LAN) has its own IP address and a different subnet.
• It provides Routing, Firewall, VPN and NAT functions.
• Router Mode is the default setting of the EtherDevice Router.

Bridge Mode

In this mode the EtherDevice Router operates as a bridge-mode firewall (also called a transparent firewall) in a single subnet. Users can simply insert the EtherDevice Router into the existing single subnet without reconfiguring the original subnet into different subnets and without reconfiguring the IP addresses of existing devices.

• The EtherDevice Router has only one IP address, network mask and gateway.
• VPN, NAT, WAN backup, VRRP, DHCP and Dynamic DNS are not supported in this mode.

[Screenshot: Network Mode with Router Mode (Router/Firewall/VPN/NAT) and Bridge Mode (Bridge-mode Firewall); Address Information for Bridge Mode: IP Address 192.168.127.254, Subnet Mask 255.255.255.0, Gateway.]

The user can select the appropriate operation mode and press Activate to change the mode of the EtherDevice Router. Changing the operation mode takes around 30 to 60 seconds to reboot the system. If the web page does not respond after 30 to 60 seconds, please refresh the web page or press F5.

WAN1 Configuration

[Screenshot: WAN1 Configuration with Connection, Connect Mode (Disable/Enable) and Connect Type (Dynamic IP).]

Note that there are three different connection types
111. ng Concept

Moxa has developed a port trunking protocol that provides the following benefits:

• Greater flexibility in setting up your network connections, since the bandwidth of a link can be doubled, tripled or quadrupled.
• Redundancy: if one link is broken, the remaining trunked ports share the traffic within this trunk group.
• Load sharing: MAC client traffic can be distributed across multiple links.

To avoid broadcast storms or loops in your network while configuring a trunk, first disable or disconnect all ports that you want to add to the trunk or remove from the trunk. After you finish configuring the trunk, enable or reconnect the ports.

If all ports on both switch units are configured as 100BaseTX and they are operating in full-duplex mode, the potential bandwidth of the connection will be up to 1.6 Gbps. This means that users can double, triple or quadruple the bandwidth of the connection by port trunking between two Moxa switches.

Each Moxa industrial secure router can set a maximum of 4 port trunking groups. When you activate port trunking, certain settings on each port will be reset to factory default values or disabled:

• Communication redundancy will be reset
• 802.1Q VLAN will be reset
• Multicast Filtering will be reset
• Port Lock will be reset and disabled
• Set Device IP will be reset
• Mirror will be reset

After port trunking has been activated, you can configure these items again for each trunking port. Note that Port Lock is among the settings that trunking disables, so re-apply port security and the VLAN assignment on the trunk ports before putting the link into service.
112. odbus Filtering Table: modify the attributes and click Modify to change the configuration.

Activate Modbus TCP Filtering Table: after adding, deleting or modifying any Modbus TCP Filtering rules, make sure to click Activate to activate the item.

Enable/Disable Modbus Policy (Enable or Disable; factory default: Enabled): enable or disable the selected Modbus policy.
Interface From / To (All, WAN, LAN; factory default: From All to All): select the From interface and To interface.
Protocol (All, TCP, UDP; factory default: All): this Modbus policy will check UDP packets, TCP packets or both.
UID (1 to 255; factory default: 0): the Modbus Unit Identifier. 0 indicates that this Modbus policy will check all UIDs in the packet.
Function Code (refer to the Common function codes section; factory default: All): select the function code parameters in this Modbus policy. When the function code is set to Manual, you can set up the function code manually.
Address (All, Single Address Index, Range Address Index; factory default: All): this Modbus policy will check all data address indexes, a single data address index, or multiple data address indexes in the packet.
Target (Accept or Drop; factory default: Accept): Accept lets the packet penetrate the firewall when it matches this Modbus policy; Drop stops the packet when it matches this Modbus policy.

Note that a rule left at its defaults (UID 0, function code All, address All, target Accept) permits every Modbus operation, including the write function codes. Build the table as an allow-list of the read and write codes and register ranges each master actually needs, and end it with the drop-all rule shown in the example table.

Source IP (factory default:
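The following is an added example and not code from the Moxa manual or firmware. It ties together the Modbus TCP Filtering material above (the function-code table, the two-rule master-query / slave-response pattern, and the policy fields UID, function code, command type, address range and target) by parsing a Modbus/TCP frame and evaluating it against rules shaped like those fields, first match wins, with a final drop-all. The mapping of PLC-style addresses (base 1: 0x coils, 1x discrete inputs, 3x input registers, 4x holding registers) and the use of "toward TCP port 502" to tell a query from a response are assumptions; the device's internals are not documented on the page. The frames and rules are constructed for the example.

```python
# Added example, not Moxa code: parse a Modbus/TCP frame and evaluate it
# against filter rules shaped like the Modbus TCP Filtering policy (From/To
# interface, UID, function code, command type, address range, Accept/Drop).
# PLC address convention and query/response detection are assumptions.
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

COIL_FCS, DISCRETE_FCS, INPUT_REG_FCS, HOLDING_FCS = {1, 5, 15}, {2}, {4}, {3, 6, 16, 23}
# Protocol address 0 maps to PLC address 1 / 10001 / 30001 / 40001 (assumed convention).
PLC_BASE = {**dict.fromkeys(COIL_FCS, 1), **dict.fromkeys(DISCRETE_FCS, 10001),
            **dict.fromkeys(INPUT_REG_FCS, 30001), **dict.fromkeys(HOLDING_FCS, 40001)}


@dataclass
class ModbusFrame:
    unit_id: int
    function_code: int
    is_response: bool
    exception: bool
    first_addr: Optional[int]    # 0-based protocol address span touched by a query
    last_addr: Optional[int]


def parse_modbus_tcp(payload: bytes, is_response: bool) -> ModbusFrame:
    """Parse MBAP header + PDU; raise ValueError on anything malformed."""
    if len(payload) < 8:
        raise ValueError("short frame")
    _tid, proto_id, length, uid = struct.unpack(">HHHB", payload[:7])
    if proto_id != 0 or length != len(payload) - 6:
        raise ValueError("bad MBAP header")
    fc = payload[7]
    exception, fc = bool(fc & 0x80), fc & 0x7F
    first = last = None
    data = payload[8:]
    if not is_response and not exception:
        if fc in {1, 2, 3, 4, 15, 16} and len(data) >= 4:
            start, qty = struct.unpack(">HH", data[:4])
            first, last = start, start + max(qty, 1) - 1
        elif fc in {5, 6} and len(data) >= 2:
            first = last = struct.unpack(">H", data[:2])[0]
        elif fc == 23 and len(data) >= 8:      # read/write multiple: cover both spans
            r_start, r_qty, w_start, w_qty = struct.unpack(">HHHH", data[:8])
            first = min(r_start, w_start)
            last = max(r_start + max(r_qty, 1) - 1, w_start + max(w_qty, 1) - 1)
    return ModbusFrame(uid, fc, is_response, exception, first, last)


@dataclass
class ModbusRule:
    src_if: str                               # "WAN", "LAN" or "All"
    dst_if: str
    unit_id: int                              # 0 = ignore checking slave ID
    function_code: Optional[int]              # None = All
    command_type: str                         # "Master Query" or "Slave Response"
    address_range: Optional[Tuple[int, int]]  # PLC addresses, e.g. (40001, 40010); None = All
    target: str                               # "ACCEPT" or "DROP"

    def matches(self, src_if: str, dst_if: str, f: ModbusFrame) -> bool:
        if self.src_if not in ("All", src_if) or self.dst_if not in ("All", dst_if):
            return False
        if self.unit_id and f.unit_id != self.unit_id:
            return False
        if self.function_code is not None and f.function_code != self.function_code:
            return False
        if (self.command_type == "Slave Response") != f.is_response:
            return False
        if self.address_range is not None and not f.is_response:
            # A response carries no address, so the range is enforced on queries.
            if f.first_addr is None or f.function_code not in PLC_BASE:
                return False                  # unknown span: fail closed
            base, (lo, hi) = PLC_BASE[f.function_code], self.address_range
            if not (lo <= f.first_addr + base and f.last_addr + base <= hi):
                return False
        return True


def evaluate(rules, src_if: str, dst_if: str, payload: bytes, to_server: bool) -> str:
    """First matching rule wins; malformed frames and unmatched frames are dropped."""
    try:
        frame = parse_modbus_tcp(payload, is_response=not to_server)
    except ValueError:
        return "DROP"
    for rule in rules:
        if rule.matches(src_if, dst_if, frame):
            return rule.target
    return "DROP"


# The manual's two-rule pattern plus a final drop-all (constructed rules).
RULES = [
    ModbusRule("WAN", "LAN", 1, 3, "Master Query", (40001, 40010), "ACCEPT"),
    ModbusRule("LAN", "WAN", 1, 3, "Slave Response", None, "ACCEPT"),
    ModbusRule("All", "All", 0, None, "Master Query", None, "DROP"),
]

# Constructed frames: read 5 holding registers from 40001, the slave's reply,
# and a write of 10 registers (function code 16).
READ_Q = bytes.fromhex("0001 0000 0006 01 03 0000 0005")
READ_R = bytes.fromhex("0001 0000 000d 01 03 0a") + bytes(10)
WRITE_Q = bytes.fromhex("0002 0000 001b 01 10 0000 000a 14") + bytes(20)

if __name__ == "__main__":
    for name, pkt, src, dst, to_srv in (("read query", READ_Q, "WAN", "LAN", True),
                                        ("read reply", READ_R, "LAN", "WAN", False),
                                        ("write query", WRITE_Q, "WAN", "LAN", True)):
        print(f"{name:12s} -> {evaluate(RULES, src, dst, pkt, to_srv)}")
```

The response rule cannot check an address range because a Modbus reply carries only the function code and data; enforcing the range on the query side, and failing closed when the span cannot be parsed, is what keeps a write or an over-long read from slipping through.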
113. ode

[Screenshot: WAN configuration with Connect Mode (Disable/Enable/Backup) and Connect Type (Dynamic IP); PPTP Dialup section with PPTP Connection Enable, IP Address, User Name and Password; DNS (optional for Dynamic IP or PPPoE type) Server 2 192.168.2.1, Server 3 0.0.0.0.]

PPTP Dialup

Point-to-Point Tunneling Protocol (PPTP) is used for Virtual Private Networks (VPN). Remote users can use PPTP to connect to private networks from public networks.

PPTP Connection (Enable or Disable; factory default: None): enable or disable the PPTP connection.
IP Address (IP address; factory default: None): the PPTP service IP address.
User Name (max. 30 characters; factory default: None): the login user name when dialing up to the PPTP service.
Password (max. 30 characters; factory default: None): the password for dialing the PPTP service.

Example: suppose a remote user (IP 10.10.10.10) wants to connect to the internal server (private IP 30.30.30.10) via the PPTP protocol. The IP address for the PPTP server is 20.20.20.1. The necessary configuration settings are shown in the following figure.

[Figure: on the left, the remote host 10.10.10.10/24 sits behind WAN IP 61.32.10.10, which acts as PPTP client 20.20.20.2/32; on the right, WAN IP 72.51.30.30 acts as PPTP server 20.20.20.1/32 in front of the internal server 30.30.30.10/24.]

Static Route (client side): Destination Address 30.30.30.0, Destination Netmask 255.255.255.0, Next Hop Address 20.20.20.1.
Static Route (server side): Destination Address 10.10.10.0
114. on Strength (Simple: AES-128; Standard: AES-192; Strong: AES-256)
Password of Pre-Shared Key

The Encryption Strength and Pre-Shared Key should be configured identically for both Industrial Secure Router units. The pre-shared key is the only thing authenticating the two peers in PSK mode, so use a long random value (never a word, a site name or the tunnel name) and hand it over out of band; the X.509 certificate option removes the shared secret altogether.

IPSec Advanced Setting

Click Advanced Setting to configure detailed VPN settings.

Tunnel Setting

[Screenshot: Tunnel Setting with Enable, Name (L2TP tunnel), VPN Connection Type (Site to Site), Remote VPN Gateway 0.0.0.0, Connect Interface WAN1, Startup Mode (Start in initial), Local Network 192.168.127.254 / Netmask 255.255.255.0 / ID, Remote Network 0.0.0.0 / Netmask 0.0.0.0 / ID.]

Enable or Disable VPN Tunnel (Enable or Disable; factory default: Disable): enable or disable this VPN tunnel.
Name of VPN Tunnel (max. of 16 characters; factory default: None): user-defined name of this VPN tunnel.
NOTE: The first character cannot be a number.
L2TP over IPSec (Enable or Disable; factory default: None): enable or disable the IPSec tunnel over L2TP protocol function.
VPN Connection Type (Site to Site, Site to Site Any; factory default: Site to Site): Site to Site is a VPN tunnel for which the Local and Remote subnets are fixed; Site to Site Any is a VPN tunnel for which the Remote subnet area is dynamic and the Local subnet is fixed.
Remote VPN Gateway (IP address): Remot
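The following is an added example and not code from the Moxa manual or firmware. It is a pre-deployment check over the IPSec Phase 1 and Phase 2 settings the manual lists (Diffie-Hellman group, IKE lifetime, rekey expire time and fuzz, PFS, SA lifetime, encryption and hash algorithm, encryption strength and pre-shared key), run against the page's factory defaults and against a hardened profile that uses only options the page offers. Two assumptions: the hardened profile's SHA-256 hash presumes the firmware lists it (pick the strongest hash it does list), and the 20-character minimum for the pre-shared key is the example's own threshold; the placeholder keys are constructed.

```python
# Added example, not Moxa code: flag weak IPSec Phase 1 / Phase 2 choices
# among the options the manual lists, with the page's factory defaults beside
# a hardened profile. SHA-256 availability and the 20-char PSK minimum are
# assumptions of this example.

WEAK_ENCRYPTION = {"DES": "56-bit key, broken by brute force",
                   "3DES": "64-bit block (Sweet32) on a long-lived SA"}
WEAK_HASH = {"MD5": "collision-broken; do not use for IKE integrity",
             "SHA1": "deprecated for new deployments; legacy peers only"}
WEAK_DH = {"DH2 modp1024": "1024-bit group; below the 2048-bit minimum (use DH14)"}
GUESSABLE_PSK = {"moxa", "password", "admin", "changeme"}


def check_ipsec(cfg: dict) -> list:
    """Return (setting, problem) pairs; an empty list means no finding."""
    findings = []
    if cfg["dh_group"] in WEAK_DH:
        findings.append(("dh_group", WEAK_DH[cfg["dh_group"]]))
    if cfg["encryption"] in WEAK_ENCRYPTION:
        findings.append(("encryption", WEAK_ENCRYPTION[cfg["encryption"]]))
    if cfg["hash"] in WEAK_HASH:
        findings.append(("hash", WEAK_HASH[cfg["hash"]]))
    if not cfg["pfs"]:
        findings.append(("pfs", "Phase 2 keys derive from the IKE SA; enable PFS"))
    # The rekey must start before the IKE SA expires or the tunnel drops.
    if cfg["rekey_expire_min"] >= cfg["ike_lifetime_h"] * 60:
        findings.append(("rekey_expire_min", "must be shorter than the IKE lifetime"))
    if not 0 <= cfg["rekey_fuzz_percent"] <= 100:
        findings.append(("rekey_fuzz_percent", "outside the 0 to 100 range"))
    psk = cfg.get("psk", "")
    if len(psk) < 20 or psk.lower() in GUESSABLE_PSK | {cfg.get("tunnel_name", "").lower()}:
        findings.append(("psk", "pre-shared key shorter than 20 chars or guessable"))
    return findings


# The manual's factory defaults as a dict; the PSK is a constructed placeholder,
# the page shows no default key.
FACTORY_DEFAULTS = {
    "dh_group": "DH2 modp1024", "ike_lifetime_h": 1, "rekey_expire_min": 9,
    "rekey_fuzz_percent": 100, "pfs": False, "sa_lifetime_min": 480,
    "encryption": "3DES", "hash": "SHA1", "psk": "changeme", "tunnel_name": "Site1",
}

# A hardened profile from the options the page lists (plus the assumed SHA-256).
HARDENED = {
    "dh_group": "DH14 modp2048", "ike_lifetime_h": 1, "rekey_expire_min": 9,
    "rekey_fuzz_percent": 100, "pfs": True, "sa_lifetime_min": 480,
    "encryption": "AES-256", "hash": "SHA256",
    "psk": "Kb7r2Vq9xZ4nLp0sWe3tYu8mAc1dFg6hJ", "tunnel_name": "Site1",
}

if __name__ == "__main__":
    for name, cfg in (("factory defaults", FACTORY_DEFAULTS), ("hardened", HARDENED)):
        print(name, "->", check_ipsec(cfg) or "no findings")
```

Run the check on both ends of the tunnel: the manual's requirement that both units carry identical settings means a hardened profile on one side is only as good as the weakest option the other side will still negotiate.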
115. option is used to specify the subnet mask for this IP address.
Next Hop: this option is used to specify the next router along the path to the destination.
Metric: use this option to specify a cost for accessing the neighboring network.

Clickable Buttons
Add: for adding an entry to the Static Routing Table.
Delete: for removing selected entries from the Static Routing Table.
Modify: for modifying the content of a selected entry in the Static Routing Table.

NOTE: The entries in the Static Routing Table will not be added to the Industrial Secure Router's routing table until you click the Activate button.

RIP (Routing Information Protocol)

RIP is a distance-vector routing protocol that employs the hop count as a routing metric. RIP limits the damage of routing loops by capping the number of hops allowed in a path from the source to a destination. The RIP Setting page is used to set up the RIP parameters. Enable RIP only on interfaces that face routers you trust: a RIP speaker accepts whatever routes its neighbours advertise, so an attacker on a WAN-side segment where RIP is enabled can redirect the router's traffic.

[Screenshot: RIP Setting with RIP State (Disable), RIP Version, RIP Distribution (Static), and a RIP Enable table listing the interfaces WAN, LAN (192.168.128.254) and LAN4 (192.168.129.254).]

RIP State (Enable, Disable; factory default: Disable): enable or disable the RIP protocol.
RIP Version (V1, V2; factory default: V2): select the RIP protocol version.
RIP Distribution, Static: check the checkbox to enable the redistrib
116. ort the configuration as an encrypted text-based command-line-type configuration file, click the Enable Password checkbox, fill in the user-defined password, and then click Apply. The password is also used for decrypting when importing an encrypted configuration file. Export with the password enabled whenever the file will leave the device: a configuration export can expose VPN pre-shared keys, account credentials and SNMP settings to whoever reads it.

Upload Text-Based Configuration Data

To import a configuration file into the Industrial Secure Router, click Browse to select a configuration file already saved on your computer. The upgrade procedure will proceed automatically after clicking Apply.

Download Text-Based Configuration Data

To export a configuration file, click Export to export the configuration file from the Industrial Secure Router to the local host.

Restart

This function is used to restart the Industrial Secure Router.

Reset to Factory Default

This function will reset all settings to their factory default values. Be aware that previous settings will be lost.

The Reset to Factory Default option gives users a quick way of restoring the Industrial Secure Router's configuration settings to the factory default values. This function is available in the console utility (serial or Telnet) and web browser interface.

NOTE: After activating the Factory Default function, you will need to use the default network settings to re-es
117. ou to use a domain name to connect to the Industrial Secure Router. The Industrial Secure Router can connect to 4 free DNS servers and register the user-configurable domain name in these servers.

[Screenshot: Dynamic DNS with Service (Disable), Server Name, User Name, Password, Verify Password, Domain Name, and Activate/Cancel buttons.]

Service (Disable, freedns.afraid.org, www.3322.org, members.dyndns.org, dynupdate.no-ip.com; factory default: Disable): disable or select the DNS server.
User Name (max. 30 characters; factory default: None): the DNS server's user name.
Password (max. 30 characters; factory default: None): the DNS server's password.
Verify Password (max. 30 characters; factory default: None): verifies the DNS server password.
Domain Name (max. 30 characters; factory default: None): the DNS server's domain name.

Security

User Interface Management

[Screenshot: User Interface Management with Enable check boxes for MOXA Utility, Telnet (Telnet Port 23), SSH (SSH Port 22), HTTP (HTTP Port 80) and HTTPS (HTTPS Port 443).]

Telnet and HTTP carry the login in cleartext and Telnet is enabled by default, so on a deployed unit deselect Telnet and HTTP and manage the device over SSH and HTTPS only.

Enable MOXA Utility (select/deselect; factory default: Selected): select the appropriate checkbox to enable the MOXA Utility.
Enable Telnet (select/deselect; factory default: Selected, Port 23): select the appropriate checkbox to enable Telnet.
Enable SSH (select/deselect): select the appropriate checkbox to
118. own in the following figure. Click Confirm to save the configuration updates.

[Screenshot: Confirm button with the text "Press Confirm button to save the change".]

System File Update by Remote TFTP

The Industrial Secure Router supports saving your configuration file to a remote TFTP server or local host, to allow other Industrial Secure Routers to use the same configuration at a later time, or saving the log file for future reference. Loading pre-saved firmware or a configuration file from the TFTP server or local host is also supported, to make it easier to upgrade or configure the Industrial Secure Router.

[Screenshot: TFTP Server IP/Name, Configuration File Path and Name, Firmware File Path and Name, Log File Path and Name; Upgrade Software or Configuration; Download.]

TFTP Server IP/Name (IP address or name of the TFTP server; factory default: None): the IP or name of the remote TFTP server. Must be configured before downloading or uploading files.
Configuration File Path and Name (max. 40 characters; factory default: None): the path and filename of the Industrial Secure Router's configuration file on the TFTP server.
Firmware File Path and Name (max. 40 characters; factory default: None): the path and filename of the Industrial Secure Router's firmware file.
Log File Path and Name (max. 40 characters; factory default: None): the path and filename of the Industrial Secure Router's log file.

TFTP has no authentication and no encryption, so anyone on the path can read the exported configuration or substitute the firmware image. Run the TFTP server on the trusted LAN side only for the duration of the transfer, and check the firmware image against the vendor's published checksum before loading it.

After setting up the desired path and filename, click Ac
119. owse to select a configuration file already saved on your computer. The upgrade procedure will proceed automatically after clicking Import.

Restart

This function is used to restart the EtherDevice Router.

Reset to Factory Default

NOTE: Reset to Factory Default will reset all settings to their factory default values. Be aware that previous settings will be lost.

The Reset to Factory Default option gives users a quick way of restoring the EtherDevice Router's configuration settings to their factory default values. This function is available in the console utility (serial or Telnet) and web browser interface. After activating the Factory Default function, you will need to use the default network settings to re-establish a web browser or Telnet connection with your EtherDevice Router. A reset device also comes back with its default accounts and management services, so change the admin password and restrict management access before reconnecting it to a production network.

Network Settings

Mode Configuration

Network Mode

The EtherDevice Router provides Router Mode and Bridge Mode operation for different applications.

[Screenshot: Network Mode with Router Mode (Router/Firewall/VPN/NAT) and Bridge Mode (Bridge-mode Firewall); Address Information for Bridge Mode: IP Address 192.168.127.254, Subnet Mask 255.255.255.0, Gateway 255.255.255.255.]

Router Mode

In this mode the EtherDevice Router operates as a gateway between different
120. password after first log in. 2. The user with the admin account name can't be deleted or disabled by default.
User Account
Active: Checked: The Moxa switch can be accessed by the activated user name. Unchecked: The Moxa switch can't be accessed by the non-activated user. Factory default: Enabled.
Authority: admin: The account has read/write access to all configuration. user: The account can only read the configuration. Factory default: admin.
Create New Account: Input the user name and password and assign the authority to the new account. Once the new setting is applied, the new account will be shown in the Account List table.
User Name: Max of 30 characters. Factory default: None.
Password: Password for the user account. Minimum requirement is 4 characters, maximum of 16 characters. Factory default: None.
Modify Existing Account: Select the existing account from the Account List table, modify the details accordingly, then apply the setting to save the configuration. The page shows the Active, Authority, User Name, Old Password, Password (SNMPv3 requires an 8-character password) and Confirm Password fields above the Account List. Del
121. port number to identify the connection of this internal/external IP address. This function is also called Network Address Port Translation (NAPT) or IP Masquerading. The N-1 NAT function is a one-way connection from an internal secure area to an external non-secure area: the user can initiate the connection from the internal to the external network, but may not be able to initiate the connection from the external to the internal network.
Network Address Translation
The NAT policy page shows Enable, NAT Mode, LAN IP Range (for example 192.168.127.1 to 192.168.127.252), WAN IP, Port Forward, and the NAT List (4/64 entries used).
Enable/Disable NAT Policy: Enable or disable the selected NAT policy. Factory default: Enabled.
NAT Mode: Select the NAT type: N-1, 1-1, or Port Forwarding. Factory default: N-1.
Interface (N-1 mode): Select the interface for this NAT policy. The Industrial Secure Router provides a Dual WAN backup function for network redundancy. If the interface is set to Auto, the NAT Mode is set to N-1, and the WAN backup function is enabled, the primary WAN interface is WAN1. If the WAN1 connection fails, this N-1 policy will switch to WAN2 for N-1 outgoing traffic until the WAN1 interface recovers.
IP Range: Select the internal IP range for IP translation to the WAN IP
122. ps you should follow to use X.509 for IPSec authentication with two VPN gateways, referred to as EDR-G903 A and EDR-G903 B in the diagram.
1. Root certificate generation: Both EDR-G903 A and EDR-G903 B need to generate their own root certificates.
2. EDR-G903 A and EDR-G903 B can request new certificates based on their own root certificates.
3. Generate the PKCS#12 local certificate with password (.p12) and the certificate file for the remote VPN tunnel (.crt): a. EDR-G903 A: Moxa A.p12 and Moxa A.crt. b. EDR-G903 B: Moxa B.p12 and Moxa B.crt.
4. Upload the PKCS#12 certificate to the Local Certificate list: a. Moxa A.p12 in EDR-G903 A. b. Moxa B.p12 in EDR-G903 B.
5. Send the certificate file (.crt) to the remote VPN gateway and upload it as the Remote certificate file: a. Upload Moxa B.crt to EDR-G903 A. b. Upload Moxa A.crt to EDR-G903 B.
Diagram summary. EDR-G903 A: 1. Create Root Certificate A; 2. Generate Certification A; 3. Generate PKCS#12 file Moxa A.p12 and certificate file Moxa A.crt; 4. Upload Local Certificate Moxa A.p12; 5. Upload Remote Certificate Moxa B.crt. EDR-G903 B: 1. Create Root Certificate B; 2. Generate Certification B; 3. Generate PKCS#12 file Moxa B.p12 and certificate file Moxa B.crt; 4. Upload Local Certificate Moxa B.p12; 5. Upload Remote Certificate Moxa A.crt.
123. r System
The router's web interface can be used to enable or disable LLDP and to set the LLDP Message Transmit Interval. Users can view each switch's neighbor list, which is reported by its network neighbors.
LLDP Setting
Enable LLDP: Enable or disable the LLDP function.
Message Transmit Interval (5 to 32768 sec): Set the transmit interval of LLDP messages. The unit is seconds. Factory default: 30 sec.
LLDP Table
Port: The port number that connects to the neighbor device.
Neighbor ID: A unique entity that identifies a neighbor device; this is typically the MAC address.
Neighbor Port: The port number of the neighbor device.
Neighbor Port Description: A textual description of the neighbor device's interface.
Neighbor System: Hostname of the neighbor device.
A. MIB Groups
The Industrial Secure Router comes with built-in SNMP (Simple Network Management Protocol) agent software that supports cold start trap, line up/down trap, and RFC 1213 MIB-II. The standard MIB groups that the Industrial Secure Router series supports are:
MIB II.1 System Group: sysORTable
MIB II.2 Interfaces Group: ifTable
MIB II.4 IP Group: ipAddrTable, ipNetToMediaTable, IpGroup, IpBasicStatsGroup, IpStatsGroup
MIB II.5 ICMP Group: IcmpGroup, IcmpInputStatus, IcmpOutputStats
MIB II.6 TCP Group: tcpConnTable, TcpGroup, TcpStats
MIB
124. re PPPoE
Interface Status: The summary table lists each port (Port 1 WAN1, Port 2 WAN2, Port 3 LAN) with its link state (Connect or Disconnect).
Detail Interface Status: For WAN1, WAN2 and LAN the table shows the connect type (for example DHCP_IP or STATIC_IP), IP address, subnet mask, MAC address, PPTP and gateway settings, link state, Tx/Rx packet and byte counters, and the DNS Server List.
Click More at the top of the Recent 10 Event Log table to open the Event Log Table page. The Recent 10 Event Log shows entries such as WAN1 link on, WAN1 link off and LAN link off with their timestamps. The Event Log Table page lists each entry's index, date and time, system uptime, and event; examples are System Startup Time, LAN link off, WAN link on, LAN link on, NAT Configuration Change, Filter Configuration Change, Login auth ok, and admin auth ok. Configurin
125. ress/Egress Rate: Select the ingress/egress rate limit of maximum throughput for all packets from the following options: Not Limited, 3, 5, 10, 15, 25, 35, 50, 65, 85. Factory default: Not Limited.
MAC Address Table
The MAC address table shows the list of MAC addresses that pass through the Moxa industrial secure router. The ageing time (15 to 3825 seconds) is the parameter that defines the length of time a MAC address entry can remain in the Moxa router. When an entry reaches its ageing time, it ages out and is purged from the router, effectively cancelling frame forwarding to that specific port. The MAC Address table can be configured to display the following groups of the Moxa industrial secure router's MAC addresses, selected from the drop-down list. The MAC Address List page shows the Age Time (s), for example 300, and for each entry its index, MAC address, type (for example ucast) and port.
Drop-Down List
All: Select this item to show all of the Moxa industrial secure router's MAC addresses.
ALL Learned: Select this item to show all of the Moxa industrial secure router's learned MAC addresses.
ALL Static: Select this item to show all of the Moxa industrial secure router's static and static lock MAC addresses.
Port x: Select this item to show all of the MAC addresses of the dedicated port.
The table displays the following information
126. rt the mirror port to receive the same data being transmitted from, or both to and from, the port under observation. Using a mirror port allows the network administrator to sniff the observed port to keep tabs on network activity.
Port Mirroring Settings
Monitored Port: Select the number of the ports whose network activity will be monitored. Multiple port selection is acceptable.
Watch Direction: Select one of the following watch direction options. Input data stream: Select this option to monitor only those data packets coming into the Moxa industrial secure router's port. Output data stream: Select this option to monitor only those data packets being sent out through the Moxa industrial secure router's port. Bi-directional: Select this option to monitor data packets both coming into and being sent out through the Moxa industrial secure router's port.
Mirror Port: Select the number of the port that will be used to monitor the activity of the monitored port.
Using Virtual LAN
Setting up Virtual LANs (VLANs) on your Moxa industrial secure router increases the efficiency of your network by dividing the LAN into logical segments, as opposed to physical segments. In general, VLANs are easier to manage.
The VLAN Concept
What is a VLAN? A VLAN is
127. rt Binding
Port-based IP Assignment (IP Port Binding): The page provides, per port, Enable, Static IP, Netmask, Lease Time (minutes), Default Gateway, DNS Server 1, DNS Server 2 and NTP Server.
IP Port Binding: Enable/Disable: Enable or disable the IP Port Binding function.
Port: IP Address: Set the desired IP of the connected devices. Factory default: None.
Static IP: The IP address of the connected device. Factory default: None.
Netmask: The netmask for the connected device. Factory default: 0.0.0.0.
Lease Time (minutes, > 5 min): The lease time of the connected device. Factory default: None.
Default Gateway: The default gateway for the connected device. Factory default: 0.0.0.0.
DNS Server: The DNS server for the connected device. Factory default: 0.0.0.0.
NTP Server: The NTP server for the connected device. Factory default: 0.0.0.0.
Client List: Use the Client List to view the current DHCP clients. Each entry shows the client's MAC address, assigned IP address and remaining lease time.
SNMP Settings
The Industrial Secure Router supports SNMP V1, V2c and V3. SNMP V1 and SNMP V2c use a community string match for authentication, which means that SNMP
128. s are related to the activity of a specific port.
Port Event Settings: For each port the table provides the Link On and Link Off events, with Email and Relay 1 actions and a severity (EMERG in the screenshot).
Warning e-mail is sent when: Link ON: The port is connected to another device. Link OFF: The port is disconnected, e.g. the cable is pulled out or the opposing device shuts down.
Email Settings
Email Setup / Email Alert Configuration: Mail Server IP/Name, Port (25), Account Name, Password, Sender Email Address, and 1st to 4th Recipient Email Address.
Mail Server IP/Name: The IP address of your email server. Factory default: None.
Account Name (max 45 characters): Your email account. Factory default: None.
Password: The email account password. Factory default: None.
Email Address (max of 30 characters): You can set up to 4 email addresses to receive alarm emails from the Moxa switch. Factory default: None.
Send Test Email: After you complete the email settings, you should first click Apply to activate those settings and th
129. secondary NTP server: The secondary time server, used if the first NTP server fails to connect.
Enable NTP/SNTP Server: Enable/Disable: Enables SNTP/NTP server functionality for clients. Factory default: Disabled.
Warning Notification
Since industrial Ethernet devices are often located at the endpoints of a system, these devices will not always know what is happening elsewhere on the network. This means that an industrial secure router that connects to these devices must provide system maintainers with real-time alarm messages. Even when control engineers are out of the control room for an extended period of time, they can still be informed of the status of devices almost instantaneously when exceptions occur. The Moxa industrial secure router supports different approaches to warn engineers automatically, such as email, trap, syslog and relay output. It also supports one digital input to integrate sensors into your system to automate alarms by email and relay output.
System Event Settings
System Events are related to the overall function of the switch. Each event can be activated independently with different warning approaches. The administrator can also decide the severity of each system event. The System Event Settings table lists events such as Cold Start, Warm Start, Power 1 Transition (On to Off), Power 2 Transition (On to Off) and Power 1 Transition (Off to On), each with action check boxes (for example SNMP Trap and Email) and a severity of EMERG
130. secure tunnels so that data can be exchanged in a secure manner (figure: a VPN secure tunnel between a center site and a field site).
There are two common applications for secure remote communication in an industrial automation network:
IPSec (Internet Protocol Security) VPN for LAN-to-LAN security: Data communication only in a pre-defined IP range between two different LANs.
L2TP (Layer 2 Tunnel Protocol) VPN for remote roaming users: Secure data communication for remote roaming users with dynamic IP. L2TP is a popular choice for remote roaming users for VPN applications because the L2TP VPN protocol is already built in to the Microsoft Windows operating system.
IPSec uses the IKE (Internet Key Exchange) protocol for authentication and key exchange, and provides a way for the VPN gateway data to be protected by different encryption methods. There are 2 phases of IKE for negotiating the IPSec connections between 2 VPN gateways:
Key Exchange (IPSec Phase 1): The 2 VPN gateways negotiate how IKE should be protected. Phase 1 also authenticates the two VPN gateways by the matched Pre-Shared Key or X.509 Certificate.
Data Exchange (IPSec Phase 2): In Phase 2 the VPN gateways negotiate to determine additional IPSec connection details, which include the data encryption algorithm.
IPSec Configuration
IPSec configuration includes 5 parts:
- Global Setting: Enable/Disable all IPSec tunnels and the NAT Traversal function.
- Tunnel Setting: Set up the
131. shows the combined data transmission activity of all the EtherDevice Router's 3 ports. Click one of the three options, Total Packets, TX Packets or RX Packets, to view transmission activity of specific types of packets. Recall that TX Packets are packets sent out from the EtherDevice Router, and RX Packets are packets received from connected devices. The Total Packets option displays a graph that combines TX and RX activity. The graph displays data transmission activity by showing Packets/s (i.e. packets per second, or pps) versus sec (seconds). The graph is updated every few seconds, allowing you to analyze data transmission activity in real time.
Monitor System: The System / Total Packets view plots Packets/sec for Total, TX and RX packets, with a Reset button. The Format table below the graph lists Total Packets (packets in the previous 5 sec interval, update interval of 5 sec) per port (WAN1, WAN2, LAN) with Tx and Rx columns.
Monitor by Port: Access the Monitor by Port function by selecting the WAN1, WAN2 or LAN interface from the left drop-down list. You can view graphs that show All Packets, TX Packets or RX Packets, but in this case only for an individual port. The graph displays data transmission activity by showing Packets/s (i.e. packets per second, or pps) versus sec (seconds). The graph is updated every few seconds, allowing you to analyze data transmission activi
132. st connect the Industrial Secure Router's RJ45 Ethernet LAN ports to your Ethernet LAN, or directly to your PC's Ethernet card (NIC). You can use either a straight-through or cross-over Ethernet cable. The Industrial Secure Router's default LAN IP address is 192.168.127.254.
Perform the following steps to access the console utility via Telnet:
1. Click Start > Run, and then telnet to the Industrial Secure Router's IP address from the Windows Run window (the screenshot shows "telnet 192.168.127.254" in the Open field). You may also issue the Telnet command from the MS-DOS prompt.
2. Refer to instructions 6 and 7 in the RS-232 Console Configuration (115200, None, 8, 1, VT100) section on page 2-2.
Using a Web Browser to Configure the Industrial Secure Router
The Industrial Secure Router's web browser interface provides a convenient way to modify the router's configuration and access the built-in monitoring and network administration functions. The recommended web browser is Microsoft Internet Explorer 6.0 with JVM (Java Virtual Machine) installed.
NOTE: To use the Industrial Secure Router's management and monitoring functions from a PC host connected to the same LAN as the Industrial Secure Router, you must make sure that the PC host and the Industrial Secure Router are connected to the same logical subnet
133. st name for this PPPoE server (max 30 characters). Factory default: None.
Password: The login password for this PPPoE server. Factory default: None.
User Name: The user name for logging in to the PPPoE server. Factory default: None.
Using DMZ Mode
A DMZ (demilitarized zone) is an isolated network for devices, such as data, FTP, web and mail servers, connected to a LAN network that need to frequently connect with external networks. The deployment of an FTP server in a DMZ is illustrated in the following figure (figure: an EDR-G903 with a local FTP server at IP 192.168.20.20 in the DMZ on the WAN2 side, and local devices at IP 192.168.100.1 and 192.168.100.2 in the secure LAN network).
DMZ mode is configured on the WAN2 configuration web page. Set Connect Mode to Enable, Connect Type to Static IP, and check the DMZ Enable check box. You will also need to input the IP Address and Subnet Mask. Click the Activate button to save the settings. The Connection section shows Connect Mode (Disable, Enable, Backup), DMZ Enable and Connect Type; the Address Information section shows IP Address, Gateway and Subnet Mask.
NOTE: WAN2 configuration and DMZ mode are only ava
134. tablish a web browser or Telnet connection with your Industrial Secure Router.
Port
Port Settings
Port settings are included to give the user control over port access, port transmission speed, flow control, and port type (MDI or MDIX). The Port Setting table (screenshot) lists ports 1 to 8 as 100TX RJ45 with Speed Auto, flow control Disable and MDI/MDIX Auto, and G1 and G2 as 1000FX miniGBIC at 1G Full, flow control Disable and MDI/MDIX Auto.
Enable: Checked: Allows data transmission through the port. Unchecked: Immediately shuts off port access. Factory default: Enabled.
Media Type: Displays the media type for each module's port.
Description (max 63 characters): Specifies an alias for the port to help administrators differentiate between different ports. Example: PLC 1. Factory default: None.
Speed: Auto allows the port to use the IEEE 802.3u protocol to negotiate with connected devices; the port and connected devices will determine the best speed for that connection. Choose one of the fixed speed options if the connected Ethernet device has trouble auto-negotiating for
135. ted in the following table: FTP data (UDP), FTP control (TCP), FTP control (UDP), SSH (TCP), SSH (UDP).
Policy Setup (screenshot): Enable, Targets (ACCEPT), Interface From ALL / To ALL, Source IP (All), Source Port (All), Quick Automation Profile, Service (IP Filter), Destination IP (All), Destination Port (All), Filter List (1/64).
Policy Check
The Industrial Secure Router supports a PolicyCheck function for maintaining the firewall policy list. The PolicyCheck function detects firewall policies that may be configured incorrectly. PolicyCheck provides an auto-detection function for common configuration errors in the firewall policy, e.g. Mask, Include and Cross conflict. When adding a new firewall policy, the user just needs to click the PolicyCheck button to check each policy; warning messages will be generated that can be used for further analysis. If the user decides to ignore a warning message, the Industrial Secure Router firewall will run on the configuration provided by the user.
The three most common types of configuration errors are related to Mask, Include and Cross Conflict.
Mask: Policy X is masked by Policy Y. The Source/Destination IP range or Source/Destination port number of policy X is smaller than or equal to that of policy Y, but the action target (Accept
136. tion is activated, the user can generate different certificates for different VPN tunnels. The user needs to fill in the following information and press Add and Activate to add the new certificate to the Certificate List:
- Certificate Days
- Organization Unit Name
- Certificate Name
- Email Address
- Certificate Password
The Certificate List (3/10 entries in the screenshot) shows each certificate's days, organizational unit name, name and email address.
The user can then choose certificates from the list and press the PKCS#12 Export button to generate a .p12 file for a local certificate, and press Certificate Export to generate a .crt file for certificates on a remote VPN gateway.
Local Certificate Upload
Upload the .p12 local certificate on this page. The password must be the same as that of the .p12 certificate file. If the password is not correct, the certificate import process will fail.
Label: User-defined name for this local certificate.
Name/Subject: Shows the name and subject when the certificate is imported successfully or the user selects the certificate from the list.
PKCS#12 Upload: Use Browse to select the .p12 file and press the Import button.
Import Password: The password for the .p12 certificate.
Remote Certificate Upload
Label, Name/Subject, Certificate Upload
137. tions
Bridge Routing Quick Setting, Select WAN Port / WAN Configuration (screenshot): Service Enable, IP Address 192.168.126.254, Subnet Mask 255.255.255.0, Next Step.
Step 3: Configure the WAN port type
Configure the WAN port type to define how the secure router/switch connects to the WAN. The Bridge IP Configuration page (screenshot) shows Service Enable, Connect Type (Dynamic IP), PPTP Dialup (PPTP Connection, IP Address, User Name, Password) and Next Step.
Connect Type:
Dynamic IP: Get the WAN IP address from a DHCP server or via a PPTP Dynamic IP connection.
Static IP: Set a specific static WAN IP address or create a connection to a PPTP server with a specific IP address.
PPPoE: Get the WAN IP address through PPPoE Dialup.
The Dynamic IP, Static IP and PPPoE pages (screenshots) show the Service Enable, Connect Type, Address Information (IP Address, Subnet Mask) and PPTP Dialup (PPTP Connection Enable, IP Address, User Name, Password) fields. LAN IP Con
138. tivate to save the setting. Next, click Download to download the file from the remote TFTP server, or click Upload to upload a file to the remote TFTP server.
System File Update by Local Import/Export
The Upgrade Software or Configuration page provides: Export Log File; Import Firmware (Browse, Apply); Import Configuration File (Browse, Apply); Text Based configuration file encryption setting (Enable, Password); Import text based configuration file (Browse); Export text based configuration file.
Log File: Click Export to export the log file of the Industrial Secure Router to the local host.
NOTE: Some operating systems will open the configuration file and log file directly in the web page. In such cases, right-click the Export button and then save as a file.
Upgrade Firmware: To import a firmware file that is exported from firmware V3.3 or previous versions into the Industrial Secure Router, click Browse to select a firmware file already saved on your computer. The upgrade procedure will proceed automatically after clicking Import. This upgrade procedure will take a couple of minutes to complete, including the boot-up time.
Upload Configuration Data: To import a configuration file to the Industrial Secure Router, click Browse to select a configuration file already saved on your computer. The upgrade procedure will proceed automatically after clicking Import.
Text Based configuration file encryption setting: To exp
139. to 255.
Preemption Mode: Determines whether a backup L3 switch/router will take the authority of master or not. Factory default: Enabled.
Track Interface: The Track Interface is used to track a specific interface within the router that can change the status of the virtual router for a VRRP group. For example, the WAN interface can be tracked, and if the link is down, the other backup router will become the new master of the VRRP group. Factory default: Disable.
7. Network Address Translation
The following topics are covered in this chapter: Network Address Translation (NAT): NAT Concept; 1-to-1 NAT; Bidirectional 1-to-1 NAT; N-to-1 NAT; Port Forward.
Network Address Translation (NAT)
NAT Concept
NAT (Network Address Translation) is a common security function for changing the IP address during Ethernet packet transmission. When the user wants to hide the internal IP address (LAN) from the external network (WAN), the NAT function will translate the internal IP address to a specific IP address, or an internal IP address range to one external IP address. The benefits of using NAT include:
- Uses the N-1 or Port Forwarding NAT function to hide the internal IP address of a critical network or device, to increase the level of security of industrial network applications.
- Uses the same private IP address for different but identical groups of Ethernet devi
140. to Learned Multicast Router Port, Static Multicast Router Port, Querier Connected Port. No
The information shown in the table includes:
- Auto Learned Multicast Router Port: Indicates that a multicast router connects to, or sends packets from, these port(s).
- Static Multicast Router Port: Displays the static multicast querier port(s).
- Querier Connected Port: Displays the port which is connected to the querier.
- Act as a Querier: Displays whether or not this VLAN is a querier (winner of an election).
- Group: Displays the multicast group addresses.
- Port: Displays the ports that receive the multicast stream and the ports the multicast stream is forwarded to.
- Version: Displays the IGMP Snooping version.
- Filter Mode: Indicates whether the multicast source address is included or excluded. Displays Include or Exclude when IGMP v3 is enabled.
- Sources: Displays the multicast source address when IGMP v3 is enabled.
Stream Table
This page displays the multicast stream forwarding status. It allows you to view the status per VLAN ID.
IGMP Snooping Stream Table: Stream Group: Multicast group IP address. Stream Source: Multicast source IP address. Port: Which port receives the multicast stream. Member ports: Ports the multicast stream is forwarded to.
Static Multicast MAC
Static Multicast MAC Address: Add a new static multicast MAC address to the list. 01:00:5E:XX:XX:XX here is an IP multicast MAC address; please activate IGMP Snooping for automatic classi
141. trial Secure Router, since you can both monitor the Industrial Secure Router and use administration functions from the web browser. An RS-232 or Telnet console connection only provides basic functions. In this chapter we use the web browser to introduce the Industrial Secure Router's configuration and monitoring functions.
The following topics are covered in this chapter:
Quick Setting Profile: WAN Routing Quick Setting; Bridge Routing Quick Setting.
System: System Information; User Account; Date and Time; Warning Notification; SettingCheck; System File Update by Remote TFTP; System File Update by Local Import/Export; Restart; Reset to Factory Default.
Port: Port Settings; Link Aggregation; The Port Trunking Concept; Port Mirror.
Using Virtual LAN: The VLAN Concept; Configuring Virtual LAN.
Multicast: The Concept of Multicast Filtering; IGMP Snooping; IGMP Snooping Settings; IGMP Table; Stream Table; Static Multicast MAC.
QoS and Rate Control: ToS/DSCP Mapping.
MAC Address Table.
Interface: WAN; LAN; Bridge Group Interface.
Network Service: DHCP Settings; SNMP Settings; Dynamic DNS.
Security: User Interface Management; Authentication Certificate; Trusted Access; RADIUS Server Settings.
Monitor: Interface Statistics; Port Statistics; Event Log.
Industri
142. Allowable Hosts / Input Format: Any host, e.g. 192.168.1.120: enter IP address 192.168.1.120 with netmask 255.255.255.255.
The Accessible IP list controls which devices can connect to the EtherDevice Router to change the configuration of the device. In the example shown below, the Accessible IP list in the EtherDevice Router contains 10.10.10.10, which is the IP address of the remote user's PC (figure: Remote user, IP 10.10.10.10, connects over a WAN network to the EDR-G903, WAN1 IP 10.10.10.11). The remote user's IP address is shown below in the EtherDevice Router's Accessible IP list: Enable the accessible IP list (Disable will allow all IPs to connect); LAN Enable; Index, IP Address 10.10.10.10, Netmask.
Password
The EtherDevice Router provides two levels of access privilege: admin privilege gives read/write access to all EtherDevice Router configuration parameters, and user privilege provides read access only. You will be able to view the configuration but will not be able to make modifications. The Password Change page has Admin, Old Password, New Password, Check Password and Activate.
ATTENTION: By default, the Password field is blank. If a Password is already set, then you will be required to type the Password when logging into the RS-232 console, Telnet console or web browser interface.
143. ty in real time.
Monitor by Port (LAN, Total Packets): The graph plots Packets/sec for Total, TX and RX packets over time; the Format table lists Total Packets (packets in the previous 5 sec interval, update interval of 5 sec) for WAN1, WAN2 and LAN.
System Log
The industrial secure router provides EventLog and Syslog functions to record important events.
EventLog
The EventLog Table lists each entry's index, bootup number, date, time, system startup (up) time, and event. Examples of recorded events in the screenshot are System Startup Time, Power 2 power transition (Off to On), LAN link on, Cold start, admin auth ok, LAN link off, and SNMP Enable.
Field Description: Date: The date is updated based on how the current date is set in the Basic Setting page. Time: The time is updated based on how the current time is set in the Basic Setting page.
The following events will be recorded in the EtherDevice Router EventLog Table: Link on, Link off, IP change
NOTE: The admin account (admin privilege) allows the user to modify all configurations; the user account (user privilege) only allows viewing the device configuration.

Password settings:
  Old password      Type the current password when changing the password.                                   Default: None
  New password      Type the new password when changing the password.                                       Default: None; maximum 16 characters
  Retype password   If you type a new password in the Password field, you will be required to retype it
                    in the Retype new password field before the new password is updated.                   Default: None

Time

The Time configuration page lets users set the time, date and related settings. An explanation of each setting is given below. The System Time page contains:
  Current Time (hh:mm:ss, for example 04:00:04) and Current Date (year/month/day)
  Daylight Saving Time: Month, Start Date, End Date and Offset (hours)
  Time Update and System Up Time (for example 0d0h0m34s)
  Time Zone (for example GMT, Greenwich Mean Time: Dublin, Edinburgh, Lisbon, London)
  Enable NTP/SNTP Server, Enable server synchronize, 1st Time Server IP/Name and 2nd Time Server IP/Name

The EtherDevice Router has a time calibration function based on information from an NTP server or on user-specified Time and Date information. Functions such as Auto Warning Email can add real-time information to the message, and the EventLog takes its Date and Time from this setting. The EtherDevice Router has a real-time clock, so the user does not need to update the Current Time and Current Date to set the initial time for the EtherDevice Router
[Figure: multicast streams for IGMP Group 1 and IGMP Group 2 delivered only to the hosts that joined each group]

Multicast Filtering and Moxa's Industrial Secure Routers

The Moxa industrial secure router has two ways to achieve multicast filtering: IGMP (Internet Group Management Protocol) Snooping, which filters multicast traffic automatically, and adding a static multicast MAC address manually.

EDR-810 Series Features and Functions

Snooping Mode
Snooping Mode allows your industrial secure router to forward multicast packets only to the appropriate ports. The router snoops on the exchanges between hosts and an IGMP device to find the ports that want to join a multicast group, and then configures its filters accordingly.

Query Mode
Query mode allows the Moxa router to work as the Querier if it has the lowest IP address on the subnetwork to which it belongs. IGMP querying is enabled by default on the Moxa router so that querier election can proceed. Enable query mode to run multicast sessions on a network that does not contain IGMP routers or queriers. Query mode allows users to enable IGMP snooping by VLAN ID.

Moxa industrial secure routers support IGMP snooping version 1, version 2 and version 3. Version 2 is compatible with version 1. The default setting is IGMP V1/V2.

IGMP Multicast Filtering
IGMP is used by IP-supporting network devices to register hosts with multicast groups. It can be used on all LANs and VLANs that contain a multicast-capable IP router, and on other
  Redistribute Static Route   Enable/Disable   The entries set in a static route will be redistributed into RIP if this option is enabled.   Default: Unchecked

RIP Enable Interface
  WAN   Check the checkbox to enable RIP on the WAN interface.
  LAN   Check the checkbox to enable RIP on the LAN interface.

RIP Interface Table (EDR-810 series only)
  Enable/Disable   Check the checkbox to enable RIP for each interface.   Default: Unchecked

Routing Table

The Routing Table page shows all routing entries (All Routing Entry List), with the columns Index, Type, Destination Address, Next Hop and Interface Name. The example on the page:
  default     0.0.0.0/0                                              192.168.2.254    wan1
  connected   100.100.100.0 (prefix length not legible in the source)   100.100.100.254  lan
  connected   192.168.2.0/24                                         192.168.2.74     wan1

6 Network Redundancy

The following topics are covered in this chapter:
  Layer 2 Redundant Protocols (EDR-810 series only)
    Configuring STP/RSTP
    Configuring Turbo Ring V2
  Layer 3 Redundant Protocols
    VRRP Settings

Layer 2 Redundant Protocols (EDR-810 series only)

Configuring STP/RSTP

The following figures indicate which Spanning Tree Protocol parameters can be configured. A more detailed explanation of each parameter follows. The Communication Redundancy page shows the Current Status (Root / Not root) and the Settings: Redundancy Protocol (RSTP, IEEE 802.1D-2004), Bridge Priority (32768 shown), Hello Time (2) and Forwarding Delay
  Port Priority   Numerical value selected by user   Increase this port's priority as a node on the Spanning Tree topology by entering a lower number.            Default: 128
  Port Cost       Numerical value input by user      Input a higher cost to indicate that this port is less suitable as a node for the Spanning Tree topology.   Default: 500000
  Port Status     Indicates the current Spanning Tree status of this port: Forwarding for normal transmission, or Blocking to block transmission.

Configuring Turbo Ring V2

The Communication Redundancy page for Turbo Ring V2 shows Current Status and the Turbo Ring V2 Settings.

Current Status
  Now Active: Turbo Ring V2
  Ring 1 Status: Healthy; Master/Slave: Master; Master ID: 00:90:e8:34:dd:a9; 1st Ring Port Status: Up / Forwarding; 2nd Ring Port Status: Up / Blocked
  Ring Coupling: None; Coupling Mode; Coupling Port Status
  Ring 2 Status: Disabled; Master/Slave; Master ID: 00:00:00:00:00:00; 1st Ring Port Status; 2nd Ring Port Status

Turbo Ring V2 Settings
  Redundancy Protocol: Turbo Ring V2
  Enable Ring 1; Set as Master; Redundant ports: 1st Port, 2nd Port
  Enable Ring 2; Set as Master; Redundant ports: 1st Port, 2nd Port
  Enable Ring Coupling; Coupling Mode (for example Dual Homing); Primary Port; Backup Port

When using the Dual Ring architecture, users must configure settings for both Ring 1 and Ring 2. In this case the status of both rings will appear under Current Status.

Explanation of Current Status
...opportunity for transmission, with only a slight delay to the higher-priority frames.

Strict: In the Strict priority scheme, all top-priority frames egress a port until that priority's queue is empty, and then the next lower priority queue's frames egress. This approach can starve the lower priorities of any opportunity to transmit frames, but it ensures that all high-priority frames egress the switch as soon as possible.

Inspect ToS
  Enable/Disable   Enables or disables the Moxa industrial secure router's inspection of the Type of Service (ToS) bits in the IPv4 frame to determine the priority of each frame.   Default: Enabled

Inspect CoS
  Enable/Disable   Enables or disables the Moxa industrial secure router's inspection of 802.1p CoS tags in the MAC frame to determine the priority of each frame.   Default: Enabled

Port Priority
  Port priority   The port priority has 4 priority queues: Low, Normal, Medium and High. The priority queue option is applied to each port.   Default: Normal

NOTE: The priority of an ingress frame is determined in the following order: 1. Inspect CoS, 2. Inspect ToS, 3. Port Priority. A CoS tag or ToS value carried by the frame therefore overrides the port's configured priority whenever the corresponding inspection is enabled.

NOTE: The designer can enable these classifications individually or in combination. For instance, if a higher-priority port is required for a network design, Inspect ToS and Inspect CoS can be disabled. This
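The classification order in the NOTE above and the starvation behaviour of the Strict scheme are both easy to see in a small simulation. The following is an added example written for this page, not code from the Moxa manual or firmware. The mapping of 3-bit CoS and ToS-precedence values onto the four queues, the weighted round-robin weights, and the constructed traffic burst are this example's assumptions and do not come from the page.

```python
"""Ingress priority classification and egress scheduling (added example,
not code from the Moxa manual).

Applies the classification order stated on the page (1 Inspect CoS,
2 Inspect ToS, 3 Port Priority) to constructed frames, then drains the four
queues with the Strict scheme to reproduce the starvation the text warns
about, and with a weighted round-robin for comparison. The value-to-queue
mapping and the round-robin weights are assumptions made for this example.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple

LOW, NORMAL, MEDIUM, HIGH = 0, 1, 2, 3
QUEUE_NAMES = {LOW: "Low", NORMAL: "Normal", MEDIUM: "Medium", HIGH: "High"}


@dataclass
class Frame:
    port: int
    cos: Optional[int] = None             # 802.1p value 0-7, present only if VLAN tagged
    tos_precedence: Optional[int] = None  # IPv4 ToS precedence 0-7, present only if IPv4


def classify(frame: Frame, inspect_cos: bool = True, inspect_tos: bool = True,
             port_priority: Optional[Dict[int, int]] = None) -> int:
    """Choose the queue in the page's order: CoS, then ToS, then port priority.

    Assumed mapping: 3-bit value // 2, so 0-1 -> Low ... 6-7 -> High.
    """
    port_priority = port_priority or {}
    if inspect_cos and frame.cos is not None:
        return frame.cos // 2
    if inspect_tos and frame.tos_precedence is not None:
        return frame.tos_precedence // 2
    return port_priority.get(frame.port, NORMAL)   # page default: Normal


def enqueue(frames: List[Frame], **classify_kwargs) -> Dict[int, Deque[Frame]]:
    queues: Dict[int, Deque[Frame]] = {q: deque() for q in (LOW, NORMAL, MEDIUM, HIGH)}
    for f in frames:
        queues[classify(f, **classify_kwargs)].append(f)
    return queues


def schedule_strict(queues: Dict[int, Deque[Frame]], slots: int) -> List[int]:
    """Serve the highest non-empty queue in every slot; returns queue ids served."""
    served = []
    for _ in range(slots):
        for q in (HIGH, MEDIUM, NORMAL, LOW):
            if queues[q]:
                queues[q].popleft()
                served.append(q)
                break
    return served


def schedule_wrr(queues: Dict[int, Deque[Frame]], slots: int,
                 weights: Optional[Dict[int, int]] = None) -> List[int]:
    """Visit queues round-robin, each up to its weight per cycle; an empty
    queue forfeits its turn. Returns queue ids served."""
    weights = weights or {HIGH: 4, MEDIUM: 3, NORMAL: 2, LOW: 1}   # assumed weights
    cycle = [q for q in (HIGH, MEDIUM, NORMAL, LOW) for _ in range(weights[q])]
    served, i = [], 0
    while len(served) < slots and any(queues.values()):
        q = cycle[i % len(cycle)]
        i += 1
        if queues[q]:
            queues[q].popleft()
            served.append(q)
    return served


# Constructed burst: five tagged frames at CoS 7, and five at CoS 0 that also
# carry ToS precedence 7. CoS is inspected first, so the latter land in Low.
BURST = [Frame(port=1, cos=7) for _ in range(5)] + \
        [Frame(port=1, cos=0, tos_precedence=7) for _ in range(5)]


def compare_schedulers(slots: int = 5) -> Tuple[List[str], List[str]]:
    strict = [QUEUE_NAMES[q] for q in schedule_strict(enqueue(BURST), slots)]
    wrr = [QUEUE_NAMES[q] for q in schedule_wrr(enqueue(BURST), slots)]
    return strict, wrr


if __name__ == "__main__":
    strict, wrr = compare_schedulers()
    print("strict:", strict)   # Low is never served while High frames remain
    print("wrr:   ", wrr)      # Low gets its weighted turn
```

Two points follow from running it. First, with both inspections enabled a host that sets its own CoS or ToS marking decides its own queue, so on a port that faces untrusted devices a fixed Port Priority with the inspections disabled is the safer configuration, which is the case the second NOTE describes. Second, Strict serves Low only after High is empty, so a sustained high-priority stream on the same egress port starves everything below it.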
