
Industrial Secure Router User's Manual


Contents

1. RS-232 Console Configuration (115200, None, 8, 1, VT100)

2. Select Open in the Port Manager menu of PComm Terminal Emulator to open a new connection.

3. The Communication Parameter page of the Property window will appear. Select the appropriate COM port from the Ports drop-down list, 115200 for Baud Rate, 8 for Data Bits, None for Parity, and 1 for Stop Bits. Flow Control (RTS/CTS, XON/XOFF) and the DTR/RTS output states can be left at their defaults.

2-2 Industrial Secure Router Getting Started

4. Click the Terminal tab, select VT100 for Terminal Type, and then click OK to continue.

5. The Console login screen will appear. Use the keyboard to enter the login account (admin or user) and then press Enter to jump to the Password field. Enter the console Password (the same as the Web Browser password; leave the Password field blank if a console password has not been set) and then press Enter.

EDR-G903 login: admin
Password:

After login, the console menu lists the commands available to the admin account: Exit Command Line Interface, Halt and Perform a Cold Restart, Configure Terminal Page, Import or Export File, Save Running Configuration to Flash.
2. LLDP Table

Port: The port number that connects to the neighbor device.
Neighbor ID: A unique entity that identifies a neighbor device; this is typically the MAC address.
Neighbor Port: The port number of the neighbor device.
Neighbor Port Description: A textual description of the neighbor device's interface.
Neighbor System: Hostname of the neighbor device.

3-75 Industrial Secure Router Features and Functions

Using Monitor

You can monitor statistics in real time from the Industrial Secure Router's web console.

Monitor by System

Access the Monitor by selecting System from the left selection bar. Monitor by System allows the user to view a graph that shows the combined data transmission activity of all the Industrial Secure Router's 3 ports. Click one of the three options, Total Packets, TX Packets, or RX Packets, to view transmission activity of specific types of packets. Recall that TX Packets are packets sent out from the Industrial Secure Router and RX Packets are packets received from connected devices. The Total Packets option displays a graph that combines TX and RX activity. The graph displays data transmission activity by showing Packets/s (i.e., packets per second, or pps) versus sec (seconds). The graph is updated every few seconds, allowing you to analyze data transmission activity in real time.
3. Network Mode

Router Mode: In this mode, the Industrial Secure Router operates as a gateway between different networks.
  - Each interface (WAN1, WAN2, and LAN) has its own IP address on a different subnet.
  - Provides Routing, Firewall, VPN, and NAT functions.

Bridge Mode: In this mode, the Industrial Secure Router operates as a bridge-mode firewall (also called a transparent firewall) on a single subnet. Simply connect the Industrial Secure Router to an existing single subnet; you do not need to reconfigure the original subnet into different subnets and do not need to reconfigure the IP addresses of existing devices.
  - The Industrial Secure Router has only one IP address, network mask, and gateway.
  - VPN, NAT, WAN backup, VRRP, DHCP, and Dynamic DNS are not supported in this mode.

Network Mode: Router Mode (Router, Firewall, VPN, NAT) or Bridge Mode (Bridge Mode Firewall).

Address Information for Bridge Mode: IP Address (e.g., 192.168.127.254), Subnet Mask (e.g., 255.255.255.0), Gateway.

Select the appropriate operation mode and press Activate to change the mode of the Industrial Secure Router. After changing the operation mode, it may take 30 to 60 seconds to reboot the system. If the webpage does not respond after 60 seconds, refresh the webpage or press F5.

WAN1 Configuration
4. System Identification

Router Name (Max. 30 characters): This option is useful for specifying the role or application of different Industrial Secure Router units, e.g., "Factory Router 1". Factory default: Firewall/VPN Router.
Router Location (Max. 80 characters): To specify the location of different Industrial Secure Router units, e.g., "production line 1". Factory default: Device Location.
Router Description (Max. 30 characters): Use this field to enter a more detailed description of the Industrial Secure Router unit. Factory default: None.
Maintainer Contact Info (Max. 30 characters): Enter the contact information of the person responsible for maintaining this Industrial Secure Router. Factory default: None.
Web Configuration:
  http or https: Users can connect to the Industrial Secure Router via HTTP or HTTPS.
  https only: Users can connect to the Industrial Secure Router via the HTTPS protocol only.

Accessible IP

The Industrial Secure Router uses an IP address-based filtering method to control access to Industrial Secure Router units.

Accessible IP Settings allows you to add or remove legal remote host IP addresses to prevent unauthorized access. Check "Enable the accessible IP list" to activate the filter; when the list is disabled, connections from all IP addresses are allowed. The list holds up to 10 entries, each with an Index, an IP Address and a Netmask, and can be applied to the LAN interface as well. Access to
5. Host Name (Max. 30 characters): User-defined host name for this PPPoE server. Factory default: None.
Password (Max. 30 characters): The login password for this PPPoE server. Factory default: None.

Using DMZ Mode

A DMZ (demilitarized zone) is an isolated network for devices such as data, FTP, web, and mail servers connected to a LAN network that need to frequently connect with external networks. The deployment of an FTP server in a DMZ is illustrated in the following figure.

Figure: an EDR-G903 with its WAN1 interface facing the WAN, a local FTP server (IP 192.168.20.20) in the DMZ, and local devices (IP 192.168.100.1 and 192.168.100.2) in the secure LAN network.

DMZ mode is configured on the WAN2 configuration web page. Set Connect Mode to Enable, Connect Type to Static IP, and checkmark the DMZ Enable check box. You will also need to input the IP Address and Subnet Mask. Click the Activate button to save the settings.

NOTE: WAN2 configuration and DMZ mode are only available on the EDR-G903.

LAN Interface (EDR-G902/G903)

A basic application of an industrial Firewall/VPN device is to
6. Static Routing and Dynamic Routing
  Static Routing
  RIP (Routing Information Protocol)
  Routing Table
Network Address Translation (NAT)
  NAT Concept
  N-to-1 NAT
  Port Forwarding (NAT Mode)
  1-to-1 NAT
Firewall Settings
  Firewall Policy Concept
  Firewall Policy Overview
  Firewall Policy Configuration
  Layer 2 Policy Setup (Only in Bridge Mode for EDR-G902/G903)
  Quick Automation Profile
  Policy Check
  Modbus TCP Policy
  Modbus Policy Setup
  Denial of Service (DoS) Defense
VPN (Virtual Private Network) (EDR-G902/G903 and EDR-810-VPN only)
  Overview
7. Country Name (2-letter code), Certificate Days, State or Province Name, Locality Name, Organization Name, Organization Unit Name, Common Name, Email Address.

After keying in all of the information, press Activate to generate the Root Certificate.

NOTE: The default setting for Certificate Days is 0, which means that the certificate will never expire unless modified by the user. A certificate that never expires can only be retired by replacing it on every peer, so set a finite validity period and plan its renewal.

After the Root Certificate is activated, the user can generate different certificates for different VPN tunnels. The user needs to fill in the following information and press Add and then Activate to add the new certificate to the Certificate List: Certificate Days, Organization Unit Name, Certificate Name, Email Address, Certificate Password.

The user can then choose certificates from the list and press the PKCS#12 Export button to generate a .p12 file for a local certificate, or press Certificate Export to generate a .crt file for certificates on a remote VPN gateway.

Local Certificate Upload

Fields: Label, Name, Subject, PKCS#12 Upload, Import Password. Upload the .p12 local certificate on t
8. (Quick Automation Profile protocol table, continued)
  ... TCP 1090
  FF System Management TCP
  FF System Management UDP
  FF LAN Redundancy Port TCP
  FF LAN Redundancy Port UDP
  LonWorks TCP
  PROFInet Context Manager UDP
  DNP TCP 20000
  DNP UDP 20000

The Quick Automation Profile also includes the commonly used Ethernet protocols listed in the following table.

Policy Setup (fields): Enable, Target (ACCEPT), Interface From/To (ALL), Source IP (All), Source Port (All), Quick Automation Profile, Service (IP Filter), Destination IP (All), Destination Port (All), Filter List (1 to 64), PolicyCheck button.

Policy Check

The Industrial Secure Router supports a PolicyCheck function for maintaining the firewall policy list. The PolicyCheck function detects firewall policies that may be configured incorrectly. PolicyCheck provides an auto-detection function for detecting common configuration errors in the firewall policy, e.g., Mask, Include, and Cross conflicts. When adding a new firewall policy, the user just needs to click the PolicyCheck button to check each policy; warning messages will be generated that can be used for further analysis. If the user decides to ignore a warning message, the Industrial Secure Router firewall will run on the configuration provided by the user. The three most common types of configuration e
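The manual names the three PolicyCheck warning types but the page cuts off before defining them. The following is an added example, not Moxa code, that implements one reasonable reading of those names for a top-down policy list: Mask (a later policy is entirely covered by an earlier one and can never match), Include (a later policy is a strict superset of an earlier one, so the earlier one becomes an exception to it) and Cross (the two match spaces partially overlap, so ordering decides). The policy list, addresses and ports are constructed for the example.

```python
"""Added example: classify Mask / Include / Cross conflicts in a firewall
policy list. Not Moxa code; the three definitions are this example's reading
of the warning names in the manual, and the sample policies are constructed."""
from dataclasses import dataclass
import ipaddress

ANY_PORT = (1, 65535)          # the "All" selection in the port fields


@dataclass(frozen=True)
class Policy:
    index: int                 # position in the list; policies are evaluated top-down
    src: str                   # CIDR; "0.0.0.0/0" is the "All" selection
    dst: str
    proto: str                 # "tcp", "udp" or "all"
    action: str                # "ACCEPT" or "DROP"
    sport: tuple = ANY_PORT
    dport: tuple = ANY_PORT


def _net_rel(a, b):
    """Relation of CIDR block a to b: disjoint / eq / sub / super."""
    a = ipaddress.ip_network(a, strict=False)
    b = ipaddress.ip_network(b, strict=False)
    if not a.overlaps(b):
        return "disjoint"
    if a == b:
        return "eq"
    return "sub" if a.subnet_of(b) else "super"   # overlapping CIDR blocks always nest


def _port_rel(a, b):
    """Relation of port range a=(lo, hi) to b; ranges can partially overlap."""
    if a[1] < b[0] or b[1] < a[0]:
        return "disjoint"
    if a == b:
        return "eq"
    if b[0] <= a[0] and a[1] <= b[1]:
        return "sub"
    if a[0] <= b[0] and b[1] <= a[1]:
        return "super"
    return "cross"


def _proto_rel(a, b):
    if a == b:
        return "eq"
    if b == "all":
        return "sub"
    if a == "all":
        return "super"
    return "disjoint"


def classify(new, old):
    """Relation of policy `new` (later in the list) to earlier policy `old`.
    Mask:    everything `new` could match is already decided by `old`.
    Include: `new` swallows `old`; `old` is now an exception carved out of it.
    Cross:   partial overlap in at least one field.
    None:    the two can never match the same packet."""
    rels = {_net_rel(new.src, old.src), _net_rel(new.dst, old.dst),
            _proto_rel(new.proto, old.proto),
            _port_rel(new.sport, old.sport), _port_rel(new.dport, old.dport)}
    if "disjoint" in rels:
        return None
    if rels <= {"eq", "sub"}:
        return "Mask"
    if rels <= {"eq", "super"}:
        return "Include"
    return "Cross"


def policy_check(policies):
    """Return (kind, earlier_index, later_index, actions_differ) per conflict.
    A Mask with differing actions is the serious case: the later rule's
    intent (e.g. DROP) is silently never applied."""
    findings = []
    ordered = sorted(policies, key=lambda p: p.index)
    for i, new in enumerate(ordered):
        for old in ordered[:i]:
            kind = classify(new, old)
            if kind:
                findings.append((kind, old.index, new.index, old.action != new.action))
    return findings


# Constructed sample list: a Modbus/TCP accept, a dead duplicate DROP, a broad
# accept-all, and a narrow DROP that partially overlaps the first two.
EXAMPLE = [
    Policy(1, "192.168.127.0/24", "10.10.10.0/24", "tcp", "ACCEPT", dport=(502, 502)),
    Policy(2, "192.168.127.0/24", "10.10.10.0/24", "tcp", "DROP", dport=(502, 502)),
    Policy(3, "192.168.127.0/24", "10.10.10.0/24", "all", "ACCEPT"),
    Policy(4, "192.168.127.100/32", "10.10.10.0/24", "tcp", "DROP", dport=(500, 600)),
]

if __name__ == "__main__":
    for kind, earlier, later, differ in policy_check(EXAMPLE):
        note = " (actions differ!)" if differ else ""
        print(f"{kind}: policy {later} vs earlier policy {earlier}{note}")
```

Run against the constructed list it reports policy 2 as masked by policy 1 with a differing action (the DROP never fires), policy 3 as including both, and policy 4 as crossing 1 and 2 while being masked by 3. The same idea applies to the Layer 2 policies in bridge mode if MAC fields are added to the comparison.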
9. If this dynamic IP address is the same as the WAN IP for 1-to-1 NAT, then the 1-to-1 NAT function will not work. For this reason, we recommend disabling the DHCP/PPPoE function when using the 1-to-1 NAT function.

Firewall Settings

Firewall Policy Concept

A firewall device is commonly used to provide secure traffic control over an Ethernet network, as illustrated in the following figure. Firewall devices are deployed at critical points between an external network (the non-secure part) and an internal network (the secure part).

Figure: the firewall sits between the external (unsecure) area on the WAN side and the internal (secure) area. A firewall policy matches incoming or outgoing traffic on IP, MAC, protocol (TCP/UDP), source IP/port and destination IP/port, and either Accepts or Drops it.

Firewall Policy Overview

The Industrial Secure Router provides a Firewall Policy Overview that lists firewall policies by interface direction. Select the From interface and the To interface (All, WAN1, WAN2, or LAN) and then click the Show button. The Policy List table (Enable, Index, Input, Output, Protocol, Source IP/Port, Destination IP/Port) will show the policies that match the From/To interface.
10. ... topology.
Retry (1 to 100): Users can configure the number of retries. If the number of continuous retries exceeds this number, the Industrial Secure Router will activate the backup path. Factory default: 3.
Timeout (100 to 10000 ms): The timeout criterion of Ping Check. Factory default: 3000 ms.

Virtual Router Redundancy Protocol (VRRP)

VRRP Settings

VRRP Setting: VRRP Enable.
VRRP Interface Setting: Enable Entry, Virtual IP, Virtual Router ID (1 to 255), Priority (1 to 254), Preemption Mode, Track Interface (WAN or LAN).
VRRP Interface Table columns: Enable, Interface, IP Address, Virtual IP, Virtual Router ID, Priority, Preemption Mode, Track Interface.

Virtual Router Redundancy Protocol (VRRP) can solve the problem with static configuration. VRRP enables a group of routers to form a single virtual router with a virtual IP address. The LAN clients can then be configured with the virtual router's virtual IP address as their default gateway. The virtual router is the combination of a group of routers and is also known as a VRRP group.

Enable VRRP Interface Setting Entry: Enables the VRRP entry. Factory default: Disabled.
Virtual IP: L3 switches/routers in the same VRRP group must be set to the same virtual IP address as the VRRP ID. Factory default: 0.0.0.0. This virtual IP
11. ... LAN IP Configuration: IP Address 192.168.127.254, Subnet Mask 255.255.255.0.

Step 3: Configure the WAN port type

Configure the WAN port type to define how the secure router/switch connects to the WAN.

WAN Routing Quick Setting: Select WAN Port, LAN IP Configuration, Service Enable, Connect Type, PPTP Dialup (PPTP Connection Enable, IP Address, User Name, Password).

Connect Type:
  Dynamic IP: Get the WAN IP address from a DHCP server or via a PPTP connection.
  Static IP: Set a specific static WAN IP address or create a connection to a PPTP server with a specific IP address.
  PPPoE: Get the WAN IP address through PPPoE dialup.

Dynamic IP: Select WAN Port, Connect Type Dynamic IP, optional PPTP Dialup (PPTP Connection Enable, IP Address, User Name, Password), Service Enable.
Static IP: Select WAN Port, Connect Type Static IP, Address Information (IP Address, Subnet Mask), optional PPTP Dialup (PPTP Connection Enable, IP Address, User Name, Password), Service Enable.
12. save: Save Running Configuration to Flash
ping: Send Echo Messages
clear: Clear Information
show: Show System Information
configure: Enter Configuration Mode

The following table lists commands that can be used when the Industrial Secure Router is in console (serial or Telnet) mode.

Login by Admin Account
  exit: Exit Command Line Interface
  show: Show System Information
  configure: Enter Configuration Mode

Using Telnet to Access the Industrial Secure Router's Console

You may use Telnet to access the Industrial Secure Router's console utility over a network. Telnet carries the account name and password in cleartext, so use it only on a trusted management LAN. To access the EDR's functions over the network by either Telnet or a web browser from a PC host that is connected to the same LAN as the Industrial Secure Router, you need to make sure that the PC host and the Industrial Secure Router are on the same logical subnet. To do this, check your PC host's IP address and subnet mask. By default, the LAN IP address is 192.168.127.254 and the subnet mask is 255.255.255.0 (a Class C subnet). If you do not change these values and your PC host's subnet mask is 255.255.0.0, then its IP address must have the form 192.168.xxx.xxx. On the other hand, if your PC host's subnet mask is 255.255.255.0, then its IP address must have the form 192.168.127.xxx.

NOTE: To use the Industrial Secure Router's management and monitoring functions from a PC host connected to the same LAN as the Industrial Secure Router, you must make sure that the PC host and the
13. ... Industrial Secure Router are connected to the same logical subnet.

NOTE: Before accessing the console utility via Telnet, first connect the Industrial Secure Router's RJ45 Ethernet LAN ports to your Ethernet LAN, or directly to your PC's Ethernet card (NIC). You can use either a straight-through or cross-over Ethernet cable.

NOTE: The Industrial Secure Router's default LAN IP address is 192.168.127.254.

Perform the following steps to access the console utility via Telnet:

1. Click Start > Run, and then telnet to the Industrial Secure Router's IP address from the Windows Run window (Open: telnet 192.168.127.254). You may also issue the Telnet command from the MS-DOS prompt.

2. Refer to instructions 6 and 7 in the RS-232 Console Configuration (115200, None, 8, 1, VT100) section on page 2-2.

Using a Web Browser to Configure the Industrial Secure Router

The Industrial Secure Router's web browser interface provides a convenient way to modify the router's configuration and access the built-in monitoring and network administration functions. The recommended web browser is Microsoft Internet Explorer 6.0 with JVM (Java Virtual Machine) installed.

NOTE: To use the Industrial Secure Router's management and monitoring function
14. ... Industrial Secure Router to change the configuration of the device. In the example shown below, the Accessible IP list in the Industrial Secure Router contains 10.10.10.10, which is the IP address of the remote user's PC.

Figure: a remote user (IP 10.10.10.10) on the WAN network connects to the EDR-G903 whose WAN1 IP is 10.10.10.11.

The remote user's IP address is shown below in the Industrial Secure Router's Accessible IP list: the list is enabled, and entry 1 holds IP Address 10.10.10.10 with Netmask 255.255.255.255 (a single host).

Password

The Industrial Secure Router provides two levels of access privilege: admin privilege gives read/write access to all Industrial Secure Router configuration parameters, and user privilege provides read access only. You will be able to view the configuration but will not be able to make modifications.

Password Change (Admin): Old Password, New Password, Check Password, Activate.

ATTENTION: By default, the Password field is blank. If a Password is already set, then you will be required to type the Password when logging in to the RS-232 console, Telnet console, or web browser interface. Set a password before connecting the router to any network: with the blank default, anyone who can reach the management interface logs in as admin.

Account: admin privilege allows the user to modify all configurations; user privilege only allows viewing device configurations. Factory default: admin.
Password:
  Old password: Type the current password when chan
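The manual states two conditions for management access: the PC must be on the router's logical subnet, and, when the Accessible IP list is enabled, its address must fall inside one of the list's IP/netmask entries (a disabled list admits everyone). The following added example, not Moxa code, checks both with Python's standard library and also audits a list for entries that quietly widen access. The factory LAN address and the 10.10.10.10/255.255.255.255 entry come from the manual; the second list entry and the host addresses are constructed.

```python
"""Added example: reachability and Accessible IP list checks for the router's
management plane. Not Moxa code; EXAMPLE_ACL is constructed for the example."""
import ipaddress

ROUTER_LAN_IP = "192.168.127.254"      # factory default LAN address
ROUTER_LAN_MASK = "255.255.255.0"      # factory default LAN mask


def same_logical_subnet(host_ip, host_mask, router_ip=ROUTER_LAN_IP):
    """True when the router address lies inside the PC's own subnet, i.e. the
    PC sends to the router directly instead of via its default gateway.
    (The router also needs a return path; with the factory /24 that is only
    guaranteed when the PC is in 192.168.127.0/24 as well.)"""
    host_net = ipaddress.ip_interface(f"{host_ip}/{host_mask}").network
    return ipaddress.ip_address(router_ip) in host_net


def accessible(src_ip, acl, enabled=True):
    """Emulate the Accessible IP list: a disabled list admits every source;
    an enabled list admits a source only if some (IP, Netmask) entry covers it."""
    if not enabled:
        return True
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_interface(f"{ip}/{mask}").network
               for ip, mask in acl)


def audit_acl(acl, enabled=True):
    """Flag list states that silently widen management access."""
    warnings = []
    if not enabled:
        warnings.append("accessible IP list disabled: every source may connect")
    for ip, mask in acl:
        net = ipaddress.ip_interface(f"{ip}/{mask}").network
        if net.prefixlen == 0:
            warnings.append(f"entry {ip}/{mask} matches every address")
        elif net.prefixlen < 24:
            warnings.append(f"entry {ip}/{mask} admits {net.num_addresses} hosts")
    return warnings


# Constructed list: the manual's single remote host plus an overly broad entry.
EXAMPLE_ACL = [("10.10.10.10", "255.255.255.255"), ("172.16.0.0", "255.255.0.0")]

if __name__ == "__main__":
    print(same_logical_subnet("192.168.127.10", "255.255.255.0"))   # True
    print(same_logical_subnet("192.168.5.10", "255.255.0.0"))       # True: 192.168.xxx.xxx form
    print(same_logical_subnet("192.168.5.10", "255.255.255.0"))     # False
    print(accessible("10.10.10.10", EXAMPLE_ACL))                   # True
    print(accessible("10.10.10.11", EXAMPLE_ACL))                   # False
    for warning in audit_acl(EXAMPLE_ACL):
        print("warning:", warning)
```

The audit treats anything wider than a /24 as worth a second look; on an industrial LAN the list should normally hold only the engineering workstations, each with netmask 255.255.255.255.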
15. ... List: Modify the attributes and then click Modify to change the configuration.
Activate the VLAN Interface List: After adding, deleting, or modifying any VLAN interface, be sure to click Activate.

DHCP Server

The Industrial Secure Router provides a DHCP (Dynamic Host Configuration Protocol) server function for LAN interfaces. When configured, the Industrial Secure Router will automatically assign an IP address to an Ethernet device from a defined IP range.

DHCP Configuration
  DHCP Server (Enable or Disable): Enable or disable the DHCP server function. Factory default: Enable.
  Lease Time: The lease time of the DHCP server. Factory default: 60 min.
  DNS Server IP for Client (IP address): The DNS server address handed out to DHCP clients. Factory default: 0.0.0.0.
  Offered IP Range (IP address): The offered IP address range for the DHCP server. Factory default: 192.168.127.1 to 192.168.127.252.

NOTE:
  1. The DHCP server is only available for LAN interfaces.
  2. The Offered IP address range must be in the same subnet as the LAN.

Static DHCP List

Use the Static DHCP list to ensure that devices connected to the Industrial Secure Router always use the same IP address. The static DHCP list matches IP addresses to MAC addresses (Enable, Name, e.g., "Device 01", Static IP, e.g., 192.168.127.101, MAC ...).
16. Monitor by System graph: Total Packets, TX Packets, RX Packets (Packets/sec). Format: Total Packets, packets in the previous 5 sec interval, update interval of 5 sec, per interface (WAN1, WAN2, LAN).

Monitor by Port

Access the Monitor by Port function by selecting the WAN1, WAN2, or LAN interface from the left drop-down list. You can view graphs that show All Packets, TX Packets, or RX Packets, but in this case only for an individual port. The graph displays data transmission activity by showing Packets/s (i.e., packets per second, or pps) versus sec (seconds). The graph is updated every few seconds, allowing you to analyze data transmission activity in real time.

Using System Log

The Industrial Secure Router provides EventLog and Syslog functions to record important events.

Using EventLog

EventLog Table (example entries): System Startup Time; Power 2 transition (Off -> On); LAN link on; Cold start; admin auth...
17. SNMP V1 and V2c use a community string match for authentication, which means that SNMP managers access all objects with read-only permissions using the community string (default value: public). The community string is sent in cleartext with every request, so anyone able to capture traffic on the management network can read it. SNMP V3, which requires that the user selects an authentication level of MD5 or SHA, is the most secure protocol. You can also enable data encryption to enhance data security.

SNMP security modes and security levels supported by the Industrial Secure Router are shown in the following table. Select the security mode and level that will be used to communicate between the SNMP agent and manager.

SNMP V1, V2c
  UI Setting: V1, V2c Read Community
  Authentication Type: Community string
  Data Encryption: No
  Method: Uses a community string match for authentication.

SNMP V3 (authentication only)
  UI Setting: MD5 or SHA
  Authentication Type: Authentication based on MD5 or SHA
  Data Encryption: No
  Method: Provides authentication based on HMAC-MD5 or HMAC-SHA algorithms. 8-character passwords are the minimum requirement for authentication.

SNMP V3 (authentication and encryption)
  UI Setting: MD5 or SHA
  Authentication Type: Authentication based on MD5 or SHA
  Data Encryption: Data encryption key
  Method: Provides authentication based on HMAC-MD5 or HMAC-SHA algorithms and a data encryption key. 8-character passwords and a data encryption key are the minimum requirements for authentication and encryption.

These parameters are configured on the SNMP page. A more detailed explanation of each parameter is given below.

SNMP Read Settings: System Information, SNMP Vers
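The table above says only that SNMP V3 authenticates with HMAC-MD5 or HMAC-SHA from an 8-character-minimum password. What the agent and manager actually share is a key derived from that password and the agent's engine ID, and the following added example (not Moxa code) shows that derivation as RFC 3414 specifies it: the password is expanded to 1 MiB and hashed, then localized with the engine ID. It also shows why the 8-character floor exists as a check and why the same password gives every agent a different key. The password and engine ID are the RFC's own test values so the output can be checked against the RFC; nothing here is specific to the Moxa agent.

```python
"""Added example: SNMPv3 password-to-key and key localization (RFC 3414 A.2),
the step behind the MD5/SHA authentication and data-encryption passwords the
manual describes. Not Moxa code; test values are taken from RFC 3414."""
import hashlib

MIN_PASSWORD_LEN = 8           # the manual's minimum for SNMPv3 passwords
EXPANSION_BYTES = 1024 * 1024  # RFC 3414: hash 1,048,576 bytes of repeated password


def password_ok(password):
    """The manual's minimum length; anything shorter is rejected below."""
    return len(password) >= MIN_PASSWORD_LEN


def password_to_key(password, engine_id, algo="sha1"):
    """Return the localized key Kul for (password, authoritative engineID):
    Ku  = H(password repeated cyclically to 1 MiB)
    Kul = H(Ku || engineID || Ku)
    Because engineID differs per agent, a key captured from one agent does
    not authenticate to another even when the password is reused."""
    if not password_ok(password):
        raise ValueError(f"SNMPv3 passwords need at least {MIN_PASSWORD_LEN} characters")
    pw = password.encode()
    stream = (pw * (EXPANSION_BYTES // len(pw) + 1))[:EXPANSION_BYTES]
    ku = hashlib.new(algo, stream).digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()


def localized_keys(auth_password, priv_password, engine_id, algo="sha1"):
    """Keys an authPriv user needs, as hex. Privacy protocols use a prefix of
    the localized key (DES: 8 key bytes plus 8 pre-IV bytes, AES-128: 16
    bytes), so the full digest is returned and truncated by the caller."""
    return {
        "auth": password_to_key(auth_password, engine_id, algo).hex(),
        "priv": password_to_key(priv_password, engine_id, algo).hex(),
    }


# RFC 3414 Appendix A test vector: password "maplesyrup", engineID 00..02.
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")

if __name__ == "__main__":
    print(password_to_key("maplesyrup", RFC_ENGINE_ID, "md5").hex())   # 526f5eed9fcce26f8964c2930787d82b
    print(password_to_key("maplesyrup", RFC_ENGINE_ID, "sha1").hex())  # 6695febc9288e36282235fc7151f128497b38f3f
    # Same password, different (constructed) engine ID: a different key.
    print(localized_keys("maplesyrup", "maplesyrup", bytes.fromhex("80000002010a0b0c0d"), "sha1"))
```

The two printed keys match RFC 3414 sections A.3.1 and A.3.2. When configuring the router, prefer SHA over MD5 for the authentication type and enable the data encryption key, since the authentication-only level leaves every OID value readable on the wire.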
18. ... Secure Router, since you can both monitor the Industrial Secure Router and use administration functions from the web browser. An RS-232 or Telnet console connection only provides basic functions. In this chapter, we use the web browser to introduce the Industrial Secure Router's configuration and monitoring functions.

The following topics are covered in this chapter:
  Overview
  Quick Setting Profile (EDR-810 only)
  Configuring Basic Settings
  Configuring Ports (EDR-810 series only)
  Using Port Trunk (EDR-810 series only)
  Using Virtual LAN (EDR-810 series only)
  Configuring Virtual LAN (EDR-810 only)
  Network Settings
  LAN Configuration (EDR-810 only)
  Network Redundancy
  Static Routing and Dynamic Routing
  Network Address Translation (NAT)
  Firewall Settings
  VPN (Virtual Private Network) (EDR-G902/G903 and EDR-810-VPN only)
  Traffic Prioritization
  Configuring SNMP
  Using Auto Warning
  Using Diagnosis
  Using Monitor
  Using System Log
  Using HTTPS/SSL

Overview

The Overview page is divided into three major parts, Interface Status, Basic Function Status, and Recent 10 Event Log, and gives users a quick overview of the Industrial Secure Router's current settings.

Overview page: Interface Status lists each port's link state (e.g., Port 1 link on, Port 2 link off) and each WAN's connect state (WAN1 PPPoE connected, WAN2 N/A disconnected); Recent 10 Event Log lists the latest events, e.g., "WAN1 link on, 2010/4/7 16:50:49".
19. Static Route
  Destination Address 30.30.30.0, Subnet Mask 255.255.255.0, Next Hop 20.20.20.1
  Destination Address 10.10.10.0, Subnet Mask 255.255.255.0, Next Hop 20.20.20.2
Note: If the OS is Linux, the Next Hop is 20.20.20.1.

DNS (Domain Name Server; optional setting for the Dynamic IP and PPPoE types)
  Server 1/2/3 (IP Address): The DNS IP address.
NOTE: The priority of a manually configured DNS will be higher than the DNS from the PPPoE or DHCP server.

Detailed Explanation of Static IP Type

WAN2 Configuration page: Connection (Connect Mode Disable/Enable/Backup, DMZ Enable), Address Information (IP Address, e.g., 192.168.1.1, Subnet Mask, Gateway), PPTP Dialup (PPTP Connection Enable, IP Address, User Name, Password), DNS (Server 1, Server 2, Server 3; optional for the Dynamic IP or PPPoE type).

Address Information
  IP Address (IP address): The interface IP address. Factory default: None.
  Subnet Mask (IP address): The subnet mask. Factory default: None.
  Gateway (IP address): The Gateway IP address.

Detailed Explanation of PPPoE Type

WAN2 Configuration page: Connection (Connect Mode Disable/Enable/Backup, DMZ Enable, Connect Type PPPoE), PPPoE Dialup (User Name, Password, Host Name), DNS (Server 1, Server 2; optional for the Dynamic IP and PPPoE types).

PPPoE Dialup
  User Name (Max. 30 characters): The User Name for logging in to the PPPoE server. Factory default: None.
  Host Name: Description / Factory Default
20. Using HTTPS/SSL

To secure your HTTP access, the Industrial Secure Router supports HTTPS/SSL to encrypt all HTTP traffic. Perform the following steps to access the Industrial Secure Router's web browser interface via HTTPS/SSL:

1. Open Internet Explorer and type https://<Industrial Secure Router's IP address> in the address field (for example, https://192.168.127.254). Press Enter to establish the connection.

2. A warning message will appear to warn the user that the security certificate was issued by a company they have not chosen to trust. The Security Alert dialog reads: "Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate. The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certifying authority. The security certificate date is valid. The name on the security certificate is invalid or does not match the name of the site. Do you want to proceed?" (Yes / No / View Certificate).

3. Select Yes to enter the Industrial Secure Router's web browser interface, secured via HTTPS/SSL.

Because the router's certificate is self-signed, the browser cannot distinguish it from one presented by a device impersonating the router. Before selecting Yes, click View Certificate and compare its fingerprint with the one recorded on a trusted first connection (for example, over a direct cable); afterwards, import the certificate into the browser's trust store so that a changed certificate produces a warning instead of being accepted by habit.

3-79

MIB Groups

The Industrial Secure Router comes with built-in SNMP (Simple Network Management Protocol) agent software that supports cold start trap, line up/down trap, and RFC 1213 MIB-II. The standard MIB groups th
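Clicking Yes on the Security Alert every time teaches the operator to accept any certificate. The following added example, not Moxa code, does what a practitioner would script instead: fetch the router's certificate once over a trusted link, record its SHA-256 fingerprint, and on later connections refuse to proceed unless the live certificate matches the pin. The factory LAN address is the only value taken from the manual; the host, port and the placeholder pin are assumptions, and the chain check is turned off only because the pin replaces it.

```python
"""Added example: pin the router's self-signed HTTPS certificate by SHA-256
fingerprint instead of accepting the browser warning. Not Moxa code; the
pinned value below is a placeholder to be replaced with your recorded one."""
import hashlib
import socket
import ssl


def fingerprint(der_cert):
    """SHA-256 fingerprint of a DER certificate in the colon form browsers show."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pin(der_cert, pinned):
    """Compare with a recorded fingerprint, tolerant of case and separators."""
    norm = pinned.upper().replace(":", "").replace(" ", "")
    return fingerprint(der_cert).replace(":", "") == norm


def fetch_certificate(host, port=443, timeout=5.0):
    """Return the peer's DER certificate. Chain verification is disabled
    because the router's certificate is self-signed; trust comes from the pin."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    # Older firmware may only speak TLS 1.0; if the handshake fails, lower the
    # floor for this one retrieval:  ctx.minimum_version = ssl.TLSVersion.TLSv1
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def connect_if_pinned(host, pinned, port=443):
    """Fetch the live certificate and refuse to continue if it does not match."""
    cert = fetch_certificate(host, port)
    if not matches_pin(cert, pinned):
        raise ssl.SSLError(
            f"certificate for {host} changed: got {fingerprint(cert)}, pinned {pinned}")
    return cert


if __name__ == "__main__":
    # Assumed values: the factory LAN address and a placeholder fingerprint.
    ROUTER = "192.168.127.254"
    PINNED = "REPLACE:WITH:THE:FINGERPRINT:RECORDED:OVER:A:TRUSTED:LINK"
    try:
        connect_if_pinned(ROUTER, PINNED)
        print("certificate matches pin; safe to log in")
    except (OSError, ssl.SSLError) as exc:
        print("refusing to continue:", exc)
```

To record the pin the first time, run `fingerprint(fetch_certificate(host))` while the PC is cabled directly to the router's LAN port, then store that string with the device's inventory record; a mismatch later means either the certificate was regenerated (e.g., after a factory reset) or something else is answering on that address.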
21. ... NAT List Table columns: Enable, Index, Mode, Interface, Protocol, WAN IP, WAN Port, LAN/DMZ IP, LAN/DMZ Port.
Enable/Disable NAT policy (Enable or Disable): Enable or disable the selected NAT policy. Factory default: Enabled.
NAT Mode (N-1, 1-1, Port Forward): Select the NAT type. Factory default: N-1.
Interface (Port Forward mode; WAN1 or WAN2): Select the interface for this NAT policy. Factory default: WAN1.
Protocol (Port Forward mode): Select the protocol for the NAT policy.
WAN Port (Port Forward mode; 1 to 65535): Select a specific WAN port number.
LAN/DMZ IP (Port Forward mode; IP address): The translated IP address in the internal network.
LAN/DMZ Port (Port Forward mode; 1 to 65535): The translated port number in the internal network.

1-to-1 NAT

If the internal device and external device need to communicate with each other, choose 1-to-1 NAT, which offers bi-directional communication. N-to-1 and Port Forwarding are both single-directional NAT functions.

Figure: a remote user on the WAN network reaches 10.10.10.1, which the router maps 1-to-1 to the production line device at 192.168.100.1.

1-to-1 NAT is usually used when you have a group of internal servers with private IP addresses that must connect to the external network. You can use 1-to-1 NAT to map the internal servers to public IP addresses. The IP address of the internal device will not change. The figure below illustrates how a user could extend production lines and use the same private IP addresses of internal devices in each production line. The inter
22. ... address must belong to the same address range as the real IP address of the interface.
Virtual Router ID (1 to 255): Used to assign a VRRP group. The L3 switches/routers which operate as master/backup should have the same ID. Moxa L3 switches/routers support one virtual router ID for each interface. Factory default: 1.
Priority (1 to 255): Determines priority in a VRRP group; 255 is the highest priority. If several L3 switches/routers have the same priority, the router with the higher IP address has the higher priority. Factory default: 100. (The VRRP Interface Setting page accepts 1 to 254; in VRRP, priority 255 is reserved for the router that owns the virtual IP address as a real interface address.)
Preemption Mode: Determines whether a backup L3 switch/router with a higher priority will take over the master role from the current master or not. Factory default: Enabled.
Track Interface: Used to track a specific interface within the router that can change the status of the virtual router for a VRRP group. For example, the WAN interface can be tracked, and if that link is down, the other (backup) router will become the new master of the VRRP group. Factory default: Disable.

Static Routing and Dynamic Routing

The Industrial Secure Router supports two routing methods: static routing and dynamic routing. Dynamic routing makes use of RIP V1/V1c/V2. You can either choose one routing method or combine the two methods to establish your routing table. A routing entry includes the following items: the destination address, the next
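How the VRRP parameters in the two preceding sections (Virtual IP, Priority, Preemption Mode, Track Interface) combine to pick the router that answers for the virtual IP is easier to see as code. The following is an added example, not Moxa code: two constructed routers on 192.168.3.0/24 go through an election, a tracked WAN link failure, and a recovery with preemption off and then on. A router whose tracked interface is down is modelled with priority 0, the value VRRP itself uses for a router giving up the master role.

```python
"""Added example: VRRP master election from priority, address tie-break,
preemption mode and tracked-interface state. Not Moxa code; routers A and B
and their addresses are constructed for the example."""
from dataclasses import dataclass
import ipaddress


@dataclass
class VrrpRouter:
    name: str
    ip: str                    # real interface address, in the virtual IP's subnet
    priority: int              # 1..254 configurable; 255 means "owns the virtual IP"
    preempt: bool = True       # may this router take master from a lower-priority one?
    tracked_link_up: bool = True


def effective_priority(router):
    """A down tracked interface removes the router from the race."""
    return router.priority if router.tracked_link_up else 0


def elect_master(routers, current=None):
    """Highest effective priority wins; ties go to the higher real IP address.
    A live current master keeps the role when the better candidate has
    preemption disabled."""
    live = [r for r in routers if effective_priority(r) > 0]
    if not live:
        return None
    best = max(live, key=lambda r: (effective_priority(r),
                                    int(ipaddress.ip_address(r.ip))))
    if current in live and best is not current and not best.preempt:
        return current
    return best


def run_failover_scenario():
    """Master over time: initial election, WAN link lost on A (tracked),
    link restored with preemption off, then with preemption on."""
    a = VrrpRouter("A", "192.168.3.1", 150)
    b = VrrpRouter("B", "192.168.3.2", 100)
    timeline = []
    master = elect_master([a, b])
    timeline.append(master.name)                 # A: higher priority
    a.tracked_link_up = False
    master = elect_master([a, b], master)
    timeline.append(master.name)                 # B: A's tracked WAN link is down
    a.tracked_link_up = True
    a.preempt = False
    master = elect_master([a, b], master)
    timeline.append(master.name)                 # B: A is back but will not preempt
    a.preempt = True
    master = elect_master([a, b], master)
    timeline.append(master.name)                 # A: preemption re-enabled
    return timeline


def tie_break():
    """Equal priorities: the router with the higher real address wins."""
    a = VrrpRouter("A", "192.168.3.1", 100)
    b = VrrpRouter("B", "192.168.3.2", 100)
    return elect_master([a, b]).name


if __name__ == "__main__":
    print(run_failover_scenario())   # ['A', 'B', 'B', 'A']
    print(tie_break())               # B
```

Leaving preemption enabled on a recovered router gives the expected deterministic gateway but also a second failover event when it returns; disabling it keeps traffic on the backup until an operator intervenes. Whichever is chosen, tracking the WAN interface is what makes a LAN-side master with no upstream path step aside.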
23. ... Enable/Disable NAT Policy (Enable or Disable): Enable or disable the selected NAT policy. Factory default: Enabled.
NAT Mode: Select the NAT type (N-1, 1-1, Port Forwarding).
Interface (N-1 mode): Select the interface for this NAT policy. The Industrial Secure Router provides a Dual WAN backup function for network redundancy. If the interface is set to Auto, the NAT Mode is set to N-1, and the WAN backup function is enabled, the primary WAN interface is WAN1. If the WAN1 connection fails, this N-1 policy switches to WAN2 for outgoing traffic until the WAN1 interface recovers.
IP Range (IP address; N-1 mode): Select the internal IP range for translation to the WAN IP address. Factory default: None.
WAN IP (IP address; N-1 mode): The IP address of the user-selected interface (WAN1, WAN2, or Auto) in this N-to-1 policy. Factory default: None.

NOTE:
Add a NAT Rule: Check the Enable checkbox, input the corresponding NAT parameters on the page, and then click New/Insert to add it to the NAT List Table. Finally, click Activate to activate the configuration.
Delete a NAT Rule: Select the item in the NAT List Table, then click Delete to delete the item.
Modify a NAT Rule: Select the item in the NAT List Table, modify the attributes, and click Modify to change the configuration.
Activate
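The NAT sections above state that 1-to-1 NAT is bi-directional while N-to-1 and Port Forwarding each work in one direction, and that a 1-to-1 WAN address must not coincide with the interface's own (possibly DHCP-assigned) address. The following added example, not Moxa code, applies a small constructed rule set to constructed packets so those properties can be seen: the 10.10.10.1 to 192.168.100.1 pair follows the manual's 1-to-1 figure, 10.10.10.11 is the WAN1 address from the Accessible IP example, and the port-forward to 192.168.100.20 is an assumption. The translator is stateless (real N-to-1 also remaps source ports and keeps a session table), which is enough to show which direction each mode handles.

```python
"""Added example: apply the three NAT modes of the manual to constructed
packets. Not Moxa code; RULES and the packets are constructed, and the
translator is stateless (no port allocation or session table)."""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    direction: str             # "out" = LAN/DMZ to WAN, "in" = WAN to LAN/DMZ
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class NatRule:
    mode: str                  # "1-1", "N-1" or "PortForward"
    wan_ip: str
    lan_ip: str = ""           # 1-1 / PortForward: internal address
    ip_range: str = ""         # N-1: internal range (CIDR)
    proto: str = "tcp"         # PortForward only
    wan_port: int = 0          # PortForward only
    lan_port: int = 0          # PortForward only


def translate(pkt, rules):
    """First matching rule wins. Returns (translated packet, rule); (None, None)
    means no rule applied, which for inbound traffic means it is not forwarded."""
    for r in rules:
        if r.mode == "1-1":                                   # both directions
            if pkt.direction == "out" and pkt.src == r.lan_ip:
                return replace(pkt, src=r.wan_ip), r
            if pkt.direction == "in" and pkt.dst == r.wan_ip:
                return replace(pkt, dst=r.lan_ip), r
        elif r.mode == "N-1" and pkt.direction == "out":      # outbound only
            if ipaddress.ip_address(pkt.src) in ipaddress.ip_network(r.ip_range, strict=False):
                return replace(pkt, src=r.wan_ip), r
        elif r.mode == "PortForward" and pkt.direction == "in":   # inbound only
            if pkt.dst == r.wan_ip and pkt.proto == r.proto and pkt.dport == r.wan_port:
                return replace(pkt, dst=r.lan_ip, dport=r.lan_port), r
    return None, None


def check_rules(rules, wan_interface_ip):
    """The manual's caveat: a 1-to-1 WAN address equal to the interface's own
    address (e.g. one handed out by DHCP/PPPoE) stops the mapping from working."""
    return [f"1-1 rule for {r.wan_ip} collides with the WAN interface address"
            for r in rules if r.mode == "1-1" and r.wan_ip == wan_interface_ip]


WAN1_IP = "10.10.10.11"
RULES = [
    NatRule("1-1", wan_ip="10.10.10.1", lan_ip="192.168.100.1"),
    NatRule("PortForward", wan_ip=WAN1_IP, lan_ip="192.168.100.20",
            proto="tcp", wan_port=8502, lan_port=502),
    NatRule("N-1", wan_ip=WAN1_IP, ip_range="192.168.100.0/24"),
]

if __name__ == "__main__":
    samples = [
        Packet("out", "192.168.100.1", "8.8.8.8", dport=443),    # 1-1, outbound
        Packet("in", "10.10.10.10", "10.10.10.1", dport=22),      # 1-1, inbound
        Packet("out", "192.168.100.50", "8.8.8.8", dport=443),   # N-1, outbound
        Packet("in", "10.10.10.10", WAN1_IP, dport=8502),         # port forward
        Packet("in", "10.10.10.10", WAN1_IP, dport=22),           # nothing matches
    ]
    for p in samples:
        out, rule = translate(p, RULES)
        print(p.direction, p.src, "->", p.dst,
              "=>", f"{out.src} -> {out.dst}:{out.dport} via {rule.mode}" if out else "not forwarded")
    print(check_rules(RULES, "10.10.10.1"))   # the collision the manual warns about
```

Rule order matters: the 1-to-1 rule is listed before the N-to-1 rule so that 192.168.100.1 keeps its dedicated public address instead of being folded into the shared one.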
24. ... and outgoing traffic (LAN to WAN1 and LAN to WAN2).

Traffic Prioritization pages: Incoming Traffic Configuration (WAN1/2 to LAN), Outgoing Traffic Configuration (LAN to WAN1) and Outgoing Traffic Configuration (LAN to WAN2). Each has Enable, MAX Bandwidth (e.g., 100 KByte/s), Default Priority (e.g., Priority 3) and a MIN BW / MAX BW pair per priority, e.g., Priority 0: 10/10 KByte/s, Priority 1: 20/20 KByte/s, Priority 2: 30/30 KByte/s, Priority 3: 40/40 KByte/s.

Traffic Prioritization Configuration (EDR-G902/G903 series)
  Enable or Disable (Enable or Disable): Enable or disable the Traffic Prioritization function. Factory default: Disabled.
  Max Bandwidth (1 to 1,000,000 KBytes/s): The maximum bandwidth for total incoming or outgoing traffic. Factory default: 100 KBytes/s.
25. connection type (Dynamic IP, PPPoE).
Detailed Explanation of Dynamic IP Type
(Figure: WAN2 Configuration page: Connect Mode (Disable, Enable, Backup); Connect Type Dynamic IP; PPTP Dialup fields (PPTP Connection Enable, IP Address, User Name, Password); DNS Server 1/2/3, optional for Dynamic IP or PPPoE type.)
PPTP Dialup
Point-to-Point Tunneling Protocol is used for Virtual Private Networks (VPN). Remote users can use PPTP to connect to private networks from public networks.
PPTP Connection (Enable or Disable): Enable or disable the PPTP connection. (Factory default: None)
IP Address: The PPTP service IP address. (Factory default: None)
User name (max. 30 characters): The login username when dialing up to the PPTP service. (Factory default: None)
Password (max. 30 characters): The password for dialing the PPTP service. (Factory default: None)
Example
Suppose a remote user (IP 10.10.10.10) wants to connect to the internal server (private IP 30.30.30.10) via the PPTP protocol. The IP address of the PPTP server is 20.20.20.1. The necessary configuration settings are shown in the following figure.
(Figure: remote user 10.10.10.10/24 behind WAN IP 61.32.10.10 with PPTP client IP 20.20.20.2/32; Industrial Secure Router with WAN IP 72.51.30.30 and PPTP server IP 20.20.20.1/32; internal server 30.30.30.10/24.)
Static Route
26. describe how to use the Industrial Secure Router to build a secure remote automation network with the VPN (Virtual Private Network) feature. A VPN provides a highly cost-effective solution for establishing secure tunnels so that data can be exchanged in a secure manner.
(Figure: Center site and Field site connected through a VPN Secure Tunnel.)
There are two common applications for secure remote communication in an industrial automation network:
IPSec (Internet Protocol Security) VPN for LAN-to-LAN security: data communication only within a pre-defined IP range between two different LANs.
L2TP (Layer 2 Tunnel Protocol) VPN for remote roaming users: secure data communication for remote roaming users with dynamic IP. L2TP is a popular choice for remote roaming users in VPN applications because the L2TP VPN protocol is already built in to the Microsoft Windows operating system.
IPSec uses the IKE (Internet Key Exchange) protocol for authentication and key exchange, and provides a way for the VPN gateway data to be protected by different encryption methods. There are two IKE phases for negotiating the IPSec connection between two VPN gateways:
Key Exchange (IPSec Phase 1): The two VPN gateways negotiate how IKE should be protected. Phase 1 also authenticates the two VPN gateways by the matched Pre-Shared Key or X.509 certificate.
Data Exchange (IPSec Phase 2): In Phase 2 the VPN gateways negotiate to determine additional IPSec connection details which
27. (Figure: port settings page; per-port Enable checkboxes and Speed set to Auto, including the GBIC 1000 module port.)
Enable: Checked allows data transmission through the port; unchecked immediately shuts off port access. (Factory default: Enabled)
Media Type: Displays the media type for each module's port.
Name (max. 63 characters): Specifies an alias for the port to help administrators differentiate between different ports. Example: PLC 1. (Factory default: None)
Speed: Auto allows the port to use the IEEE 802.3u protocol to negotiate with connected devices; the port and connected devices will determine the best speed for that connection. Choose one of the fixed speed options (1G Full, 100M Full, 100M Half, 10M Full, 10M Half) if the connected Ethernet device has trouble auto-negotiating line speed.
FDX Flow Ctrl: This setting enables or disables flow control for the port when the port's Speed is set to Auto. The final result will be determined by the Auto process between the Moxa switch and the connected devices. Enable enables flow control for this port when Speed is set to Auto; Disable disables flow control for this port when Speed is set to Auto.
MDI/MDIX: Auto allows the port to auto-detect the port type of the connected Ethernet device and change the port type accordingly. Choose MDI or MDIX if the connected Ethernet device has trouble auto-negotiating port type.
Using Port Trunk (EDR-810 series only)
Li
28. (Figure: Event Log Table excerpt, 2010 entries with time and uptime stamps: LAN link off, Power 2 transition Off > On, Cold start, LAN link on, admin auth ok, SNMP Enable.)
The following events will be recorded in the Industrial Secure Router Event Log Table:
Power transition On > Off
Power transition Off > On
DI transition Off > On
DI transition On > Off
Cold start
Factory default
Warm start
NOTE: The maximum number of event entries is 1000.
Using Syslog
This function provides the event logs for the syslog server. The function supports 3 configurable syslog servers and syslog server UDP port numbers. When an event occurs, the event will be sent as a syslog UDP packet to the specified syslog servers.
(Figure: Syslog Setting page: Enable; Syslog Server 1 192.168.127.100, Port Destination 514 (1 to 65535); Syslog Server 2 and Syslog Server 3 with their Port Destination fields; Activate.)
Syslog Server 1/2/3 (IP address): Enter the IP address of the syslog server used by your network. (Factory default: None)
Port Destination (1 to 65535): Enter the UDP port of the syslog server. (Factory default: 514)
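As an added example, not part of the manual and not Moxa's code: a small Python collector for the syslog UDP events described above that sorts the manual's event names into the ones a defender should act on (cold start, factory default, warm start) and the ones to audit (NAT and filter configuration changes, admin logins). The "<PRI>" plus event-text message layout and the sample datagrams are constructed assumptions; the router's real wire format may differ.

```python
import re
import socket

# Assumed layout (constructed for this example): an RFC 3164 style "<PRI>"
# header followed by the event text that appears in the Event Log Table.
PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<body>.*)$")

# Event names taken from the manual's Event Log Table, grouped by how a
# defender should treat them.
ALERT_EVENTS = {
    "Cold start": "device rebooted or lost power",
    "Factory default": "configuration wiped; verify who did this",
    "Warm start": "software restart",
}
AUDIT_EVENTS = {
    "NAT Configuration Change": "NAT rules changed",
    "Filter Configuration Change": "firewall rules changed",
    "admin auth ok": "administrator login",
}


def parse_syslog(datagram: bytes):
    """Return (facility, severity, body) for one datagram, or None if it
    carries no valid PRI header (PRI must be 0..191)."""
    m = PRI_RE.match(datagram.decode("utf-8", errors="replace").strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:
        return None
    return pri // 8, pri % 8, m.group("body")


def classify(body: str):
    """Map an event body onto the manual's event names: (level, name, why)."""
    for name, why in ALERT_EVENTS.items():
        if name in body:
            return "alert", name, why
    for name, why in AUDIT_EVENTS.items():
        if name in body:
            return "audit", name, why
    return "info", body, ""


def triage(datagrams):
    """Return the alert and audit findings in a batch of datagrams,
    skipping plain informational events such as link changes."""
    findings = []
    for dg in datagrams:
        parsed = parse_syslog(dg)
        if parsed is None:
            continue
        _facility, _severity, body = parsed
        level, name, why = classify(body)
        if level != "info":
            findings.append((level, name, why))
    return findings


def serve(bind="0.0.0.0", port=514):
    """Listen on the router's configured Port Destination (default 514)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind, port))
        while True:
            data, (src, _) = sock.recvfrom(2048)
            for level, name, why in triage([data]):
                print(f"{level.upper()} from {src}: {name} ({why})")


# Constructed sample datagrams modelled on the manual's Event Log entries.
SAMPLE = [
    b"<14>2010-02-21 12:56:29 Cold start",
    b"<14>2010-02-21 12:47:28 LAN link on",
    b"<14>2010-02-21 13:49:55 admin auth ok",
    b"<14>2010-02-21 16:55:27 Filter Configuration Change",
    b"garbage without a PRI header",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```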
29. the ports.
802.1Q VLAN Settings
(Figure: 802.1Q VLAN Settings page with the Quick Setting Panel and the VLAN ID Configuration Table: Management VLAN ID 1; each port and trunk group (trk1, trk2) listed with Port Type Access and its PVID.)
Management VLAN ID (VLAN ID from 1 to 4094): Assigns the VLAN ID of this Moxa switch. (Factory default: 1)
Port Type: Select Access port type to connect single devices without tags. Select Trunk port type to connect another 802.1Q VLAN-aware switch. Select Hybrid port type to connect another 802.1Q VLAN-aware switch or another LAN that combines tagged and/or untagged devices and/or other switches/hubs. (Factory default: Access)
PVID (VLAN ID from 1 to 4094): Sets the default VLAN ID for untagged devices that connect to the port. (Factory default: 1)
Fixed VLAN (Tagged) (VLAN ID from 1 to 4094): This field will be active only when selecting the Trunk or Hybrid port type. Set the other VLAN IDs for tagged devices that connect to the port. Use commas to separate different VIDs. (Factory default: None)
Fixed VLAN (Untagged) (VLAN ID from 1 to 4094): This field will be active only when selecting the Trunk or Hybrid port type. Set the other VLAN IDs for tagged devices that connect to the port whose tags need to be removed from egress packets. Use commas to separate different VIDs. (Factory default: None)
Quick Setting Panel
Click the triangle to open the Quick Setting Panel. Use this panel for qu
30. trend is to use Ethernet as the major communications interface in many industrial communications and automation applications. In fact, an entirely new industry has sprung up to provide Ethernet products that comply with the requirements of demanding industrial applications.
Moxa's Industrial Secure Router series is a Gigabit-speed, all-in-one Firewall/VPN/Router for Ethernet security applications in sensitive remote control and monitoring networks. The Industrial Secure Router supports one WAN, one LAN, and a user-configurable WAN/DMZ interface (EDR-G903) that provides high flexibility for different applications, such as WAN redundancy or data/FTP server security protection.
The Quick Automation Profile function of the Industrial Secure Router's firewall supports the most common Fieldbus protocols, including EtherCAT, EtherNet/IP, FOUNDATION Fieldbus, Modbus/TCP, and PROFINET. Users can easily create a secure Ethernet Fieldbus network from a user-friendly web UI with a single click. In addition, wide-temperature models are available that operate reliably in hazardous -40 to 75°C environments.
Package Checklist
The Industrial Secure Routers are shipped with the following items. If any of these items are missing or damaged, please contact your customer service representative for assistance.
- Moxa Industrial Secure Router
- RJ45 to DB9 console port cable
- Protective caps for unused ports
- DIN rail mounting kit (attached to the Industrial Sec
31. (Figure: Event Log Table excerpt, 2010 entries with time and uptime stamps: System Startup Time, LAN link off, WAN link on, LAN link on, NAT Configuration Change, Filter Configuration Change, Filter Configuration Change, Login auth ok, admin auth ok.)
Quick Setting Profile (EDR-810 series only)
The EDR-810 series supports WAN Routing Quick Setting, which creates a routing function between LAN ports and WAN ports defined by users. Follow the wizard's instructions to configure the LAN and WAN ports.
Step 1: Define the WAN ports and LAN ports. Click on the ports in the figure to define the WAN ports and LAN ports.
(Figure: WAN Routing Quick Setting, Select WAN Port step: click on the ports to select WAN or LAN; Next Step.)
Step 2: Configure the LAN IP address of the EDR-810 and the subnet address of the LAN ports. Configure the LAN IP address of the EDR-810 to define the subnet of the LAN ports on the secure router. The default IP address of the EDR-810 on the LAN side is 192.168.127.254 and the default subnet address is 192.168.127.0/24.
(Figure: WAN Routing Quick Setting, LAN IP Configuration step: IP Address 192.168
33. Layer 2 Policy Setup (Only in Bridge Mode, for EDR-G902/G903)
When the Industrial Secure Router is in Bridge Mode (refer to the Mode Configuration section in Network Settings), it provides an advanced Layer 2 firewall policy for secure traffic control, which depends on the following parameters.
(Figure: Layer 2 policy page: Enable; Target ACCEPT; Interface From All, To All; Protocol; EtherType; Source MAC Address 00:90:e8:20:00:04; Destination MAC Address.)
Interface (From/To): Select the From interface and To interface. (Factory default: None)
Protocol (refer to the table of Layer 2 protocols): Select the Layer 2 protocol for this firewall policy. Refer to the EtherType for Layer 2 Protocol table for a more detailed description.
EtherType (0x0600 to 0xFFFF): When Protocol is set to Manual, you can set up the EtherType manually. (Factory default: None)
Target: Accept: the packet will pass the firewall when it matches this firewall policy. Drop: the packet will not pass the firewall when it matches this firewall policy. (Factory default: None)
Source MAC Address (MAC address): This firewall policy will check all source MAC addresses of the packet. (Factory default: 00:00:00:00:00:00)
Destination MAC Address (MAC address): This firewall policy will check all destination MAC addresses of the packet. (Factory default: 00:00:00:00:00:00)
The following table shows the Layer 2 protocol types comm
34. (Figure: WAN Routing Quick Setting, WAN Configuration step with Connect Type PPPoE Dialup: User Name, Password, Host Name, Gateway and IP Address fields.)
Step 4: Enable services. Check Enable DHCP Server to enable the DHCP server for LAN devices. The default IP address range will be set automatically. To modify the IP range, go to the DHCP Server page. N-1 NAT will also be enabled by default.
(Figure: WAN Routing Quick Setting, Service Enable step: Enable DHCP Server with Offered IP Range; Enable N-1 NAT; Prev Step.)
Step 5: Activate the settings. Click the Activate button.
NOTE: An existing configuration will be overwritten by the new settings when processing WAN Routing Quick Setting.
Configuring Basic Settings
The Basic Settings group includes the most commonly used settings required by administrators to maintain and control the Industrial Secure Router.
System Identification
The system identification section gives you an easy way to identify the different switches connected to your network.
(Figure: System Identification page: Router Name (Firewall/VPN Router 00000), Router Location (Device Location), Router Description.)
35. (Figure: Static DHCP list (1 to 256 entries): Device 01 with its MAC address, Device 02 at 192.168.127.102, Device 03 at 192.168.127.103, each with its MAC address; Add, Delete, and Modify buttons.)
In the above example, a device named Device 01 was added to the Static DHCP list with static IP address 192.168.127.101 and MAC address 00:09:ad:00:aa:01. When a device with MAC address 00:09:ad:00:aa:01 is connected to the Industrial Secure Router, the Industrial Secure Router will offer the IP address 192.168.127.101 to this device.
Enable or Disable: Enable or disable the selected device in the Static DHCP list. (Factory default: Disabled)
Name (max. 30 characters): The name of the selected device in the Static DHCP list. (Factory default: None)
Static IP Address (IP address): The IP address of the selected device. (Factory default: None)
MAC Address (MAC address): The MAC address of the selected device. (Factory default: None)
Clickable Buttons
Add: Use the Add button to input a new Static DHCP list entry. The Name, Static IP, and MAC address must be different from those of the existing entries.
Delete: Use the Delete button to delete a Static DHCP list entry. Click on an entry to select it (the background color of the device will change to blue) and then click the Delete button.
Modify: To modify the information for a particular li
36. CEPT to 20.20.20.30
Suppose the user next adds a new policy with the following configuration:
Policy 3: Interface WAN2 (to LAN), Source IP 20.20.20.20, Destination IP 192.168.127.20, Target ACCEPT.
After clicking the PolicyCheck button, the Industrial Secure Router will issue a message informing the user that policy 3 is included in policy 2, because the IP range of policy 3 is smaller than the IP range of policy 2 and the Target action is the same: "rule 3 is included in rule 2".
Cross Conflict (Policy X cross conflicts with Policy Y)
Two firewall policy configurations (such as Source IP, Destination IP, Source port, and Destination port) in policy X and policy Y are masked (they overlap), and the action target (Accept/Drop) is different. For example, two firewall policies are shown in the following table:
Policy 1: Interface WAN1, Source IP 10.10.10.10, Destination IP 192.168.127.10, Target ACCEPT.
Policy 2: Interface WAN2, Source IP 20.20.20.20 to 20.20.20.30, Destination IP 192.168.127.25, Target ACCEPT.
Suppose the user next adds a new policy with the following configuration:
Policy 3: Interface WAN2, Source IP 20.20.20.25, Destination IP 192.168.127.20 to 192.168.127.30, Target DROP.
The source IP range in policy 3 is smaller than in policy 2, but the destination IP of policy 2 is smaller than in policy 3, and the target actions (Accept/Drop) of these two policies are different. If the user clicks the PolicyCheck button, the Industrial Secure Router will issue a message informing the user that policy 3 is in cross conflict with pol
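As an added example, written for this page and not Moxa's firmware code: a Python checker that reproduces the two PolicyCheck verdicts described above (inclusion and cross conflict) for policies of the form interface / source IP / destination IP / target. Policies 1 and 2 and the cross-conflict candidate use the page's own values; the inclusion candidate is constructed so that it sits inside policy 2 on both source and destination.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class IpRange:
    """An inclusive IPv4 range; a single address is a range of length one."""
    start: IPv4Address
    end: IPv4Address

    @classmethod
    def parse(cls, text: str) -> "IpRange":
        # Accepts "All", a single address, or "first-last".
        if text == "All":
            return cls(IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255"))
        lo, _, hi = text.partition("-")
        rng = cls(IPv4Address(lo), IPv4Address(hi or lo))
        if rng.start > rng.end:
            raise ValueError(f"reversed range: {text}")
        return rng

    def contains(self, other: "IpRange") -> bool:
        return self.start <= other.start and other.end <= self.end

    def overlaps(self, other: "IpRange") -> bool:
        return self.start <= other.end and other.start <= self.end


@dataclass(frozen=True)
class Policy:
    index: int
    interface: str   # "WAN1" or "WAN2"
    src: IpRange
    dst: IpRange
    target: str      # "ACCEPT" or "DROP"


def relation(new: Policy, old: Policy):
    """Verdict for a new policy against one existing policy, following the
    manual's definitions: "included" when the new ranges sit inside the old
    ones and the target is the same; "cross conflict" when the ranges overlap
    and the targets differ. Policies on different interfaces never interact."""
    if new.interface != old.interface:
        return None
    if not (new.src.overlaps(old.src) and new.dst.overlaps(old.dst)):
        return None
    if new.target != old.target:
        return "cross conflict"
    if old.src.contains(new.src) and old.dst.contains(new.dst):
        return "included"
    return None  # partial overlap with the same action: no message in the manual


def policy_check(existing, new: Policy):
    """Messages PolicyCheck would raise when `new` is added after `existing`."""
    messages = []
    for old in existing:
        verdict = relation(new, old)
        if verdict == "included":
            messages.append(f"rule {new.index} is included in rule {old.index}")
        elif verdict == "cross conflict":
            messages.append(
                f"rule {new.index} is in cross conflict with rule {old.index}")
    return messages


def make(index, interface, src, dst, target) -> Policy:
    return Policy(index, interface, IpRange.parse(src), IpRange.parse(dst), target)


# Existing policies 1 and 2 from the manual's table.
EXISTING = [
    make(1, "WAN1", "10.10.10.10", "192.168.127.10", "ACCEPT"),
    make(2, "WAN2", "20.20.20.20-20.20.20.30", "192.168.127.25", "ACCEPT"),
]

# Constructed inclusion candidate: inside policy 2 on source and destination.
INCLUDED = make(3, "WAN2", "20.20.20.20", "192.168.127.25", "ACCEPT")

# The manual's cross-conflict candidate: narrower source, wider destination, DROP.
CROSS = make(3, "WAN2", "20.20.20.25", "192.168.127.20-192.168.127.30", "DROP")

if __name__ == "__main__":
    for candidate in (INCLUDED, CROSS):
        print(candidate.index, candidate.target, "->", policy_check(EXISTING, candidate))
```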
37. IP address for this policy (All, Single IP Address, Range IP Address). (Factory default: All)
Source Port: Select the source port number for this policy. (Factory default: All)
Destination IP: Select the destination IP address for this policy. (Factory default: All)
Destination Port: Select the destination port number for this policy. (Factory default: All)
The following table shows the management of outgoing traffic. The maximum bandwidth from LAN to WAN is 100 KBytes/s. 10 KBytes/s is reserved for traffic that matches the parameters of Priority 0, 20 KBytes/s is reserved for traffic that matches the parameters of Priority 1, and so forth.
(Figure: Outgoing Traffic Configuration (LAN to WAN1): Enable; MAX Bandwidth 100 KByte/s; Default Priority: Priority 3; Priority 0 MIN BW 10 KByte/s, MAX BW 100 KByte/s; Priority 1 MIN BW 20 KByte/s, MAX BW 100 KByte/s; Priority 2 MIN BW 30 KByte/s, MAX BW 100 KByte/s; Priority 3 MIN BW 40 KByte/s, MAX BW 100 KByte/s.)
Set up the outgoing policies as below:
1: Interface WAN1, Source IP 192.168.127.10, all other fields All, Priority 0
2: Interface WAN1, Source IP 192.168.127.11, all other fields All, Priority 1
3: Interface WAN1, Source IP 192.168.127.12, all other fields All, Priority 2
4: Interface WAN1, Source IP 192.168.127.13, all other fields All, Priority 3
The Industrial Secure Router will manage the bandwidth for outgoing packets. Based on the four outgoing policies above, when the source IP of the Ethe
38. Industrial Secure Router User's Manual
First Edition, February 2013
www.moxa.com
© 2013 Moxa Inc. All rights reserved. Reproduction without permission is prohibited.
Industrial Secure Router User's Manual
The software described in this manual is furnished under a license agreement and may be used only in accordance with the terms of that agreement.
Copyright Notice
Copyright © 2013 Moxa Inc. All rights reserved. Reproduction without permission is prohibited.
Trademarks
The MOXA logo is a registered trademark of Moxa Inc. All other trademarks or registered marks in this manual belong to their respective manufacturers.
Disclaimer
Information in this document is subject to change without notice and does not represent a commitment on the part of Moxa. Moxa provides this document "as is", without warranty of any kind, either expressed or implied, including, but not limited to, its particular purpose. Moxa reserves the right to make improvements and/or changes to this manual, or to the products and/or the programs described in this manual, at any time. Information provided in this manual is intended to be accurate and reliable. However, Moxa assumes no responsibility for its use, or for any infringements on the rights of third parties that may result from its use. This product might include unintentional technical or typographical errors. Changes are periodically made to the information herein to correct such er
39. NAT List Table: After adding, deleting, or modifying any NAT rules, be sure to Activate it.
The Industrial Secure Router will add an N-1 policy from the source IP range 192.168.127.1 to 192.168.127.252 to the WAN1 interface after activating the Factory Default.
Port Forwarding (NAT Mode option)
If the initial connection is from outside the LAN but the user still wants to hide the internal IP address, one way to do this is to use the Port Forwarding NAT function. The user can specify the port number of an external IP address (WAN1 or WAN2) in the Port Forwarding policy list. For example, if the IP address of a web server in the internal network is 192.168.127.10 with port 80, the user can set up a port forwarding policy to let remote users connect to the internal web server from the external IP address 10.10.10.10 through port 8080. The Industrial Secure Router will transfer the packet to IP address 192.168.127.10 through port 80.
The Port Forwarding NAT function is a one-way connection from an external insecure area (WAN) to an internal secure area (LAN). The user can initiate the connection from the external network to the internal network, but will not be able to initiate a connection from the internal network to the external network.
(Figure: a remote user on the WAN network connects to the external address on port 8080; the Industrial Secure Router forwards the connection to 192.168.127.10 port 80 on the production line.)
(Figure: Port Forwarding policy: Enable; Protocol TCP; NAT Mode Port Forward; WAN Port; Interface
41. Setting: LAN IP 100.100.1.1 (Industrial Secure Router 1), 100.100.3.1 (Industrial Secure Router 2).
Based on the requirement and VPN plan, the recommended configuration for VPN IPSec is shown in the following table:
Configuration / Industrial Secure Router 1 / Industrial Secure Router 2
Tunnel Setting, Connection Type: Site to Site / Site to Site
Remote VPN Gateway: 100.100.2.2 / 100.100.2.1
Startup Mode: Wait for Connection / Start in Initial
Local Network: 100.100.1.0 / 100.100.3.0
Remote Network: 100.100.3.0 / 100.100.1.0
L2TP for Remote User Maintenance
The following example shows how a roaming user uses L2TP over IPSec to connect to the remote site network.
(Figure: Roaming User (no fixed IP) connecting over the Internet through a VPN Secure Tunnel to the Remote site Network 100.100.3.0/24, with an Ethernet switch behind the Industrial Secure Router.)
VPN Plan
- All communication from the roaming user (no fixed IP) to the remote site network (100.100.3.0/24) needs to pass through the VPN tunnel.
- Communication goes through the Internet.
- The configuration of the WAN/LAN interfaces for the Industrial Secure Router is shown in the following table.
Configuration / Industrial Secure Router 1 (EDR-G903)
Interface Setting: WAN IP 100.100.2.1; LAN IP 100.100.3.1
Based on the requirement and VPN plan, the recommended configuration for L2TP over IPSec is shown in the following table:
Configuration / Industrial Secure Router 1
Local IP (L2TP Server IP): 100.100.4.1
Login User / Pass
42. TCP Filtering Rule: Check the Enable checkbox, input the corresponding Modbus TCP parameters on the page, and then click Add to add it to the Modbus Filtering Table. Finally, click Activate to activate the configuration.
Delete a Modbus TCP Filtering Rule: Select the item in the Modbus Filtering Table, then click Delete to delete the item.
Modify a Modbus TCP Filtering Rule: Select the item in the Modbus Filtering Table, modify the attributes, and click Modify to change the configuration.
Activate Modbus TCP Filtering Table: After adding, deleting, or modifying any Modbus TCP filtering rules, make sure to click Activate to activate the item.
Enable/Disable (Modbus Policy): Enable or disable the selected Modbus policy. (Factory default: Enabled)
Interface (From/To: All, WAN, LAN): Select the From interface and To interface. (Factory default: From All to All)
Protocol (All, TCP, UDP): This Modbus policy will check UDP packets, TCP packets, or all packets. (Factory default: All)
UID (1 to 255): Unit Identifier. 0 indicates that this Modbus policy will check all UIDs in the packet.
Function Code (refer to the Common function codes section on page 3-52): Select the function code parameters in this Modbus policy. When the function code is set to Manual, you can set up the function code manually.
Address (All, Address Index): This Modbu
43. (Figure, continued: Negotiation Times: forever; IKE Life Time: 1 hour; Rekey Expire Time in minutes; Rekey Fuzz Percent: 100.)
IKE Mode: Main: In Main IKE mode, both the remote and local VPN gateways negotiate which encryption algorithm, hash algorithm, and DH groups can be used in this VPN tunnel; both VPN gateways must use the same algorithm to communicate. Aggressive: In Aggressive mode, the remote and local VPN gateways do not negotiate the algorithm; only the user's configuration is used. (Factory default: Main)
Authentication Mode (Pre-Shared Key, X.509): The authentication mode of the IPSec VPN. In Pre-Shared Key mode, the user needs to key in the same pre-shared key in the IPSec settings of the local and remote secure routers. In X.509 mode, the user needs to upload the local and remote certificates first and then select the certificates from the drop-down list. See the X.509 Certification section in this chapter for details. (Factory default: Pre-Shared Key)
(Figure: Authentication Mode Pre-Shared Key with key 12345; Authentication Mode X.509 with Local certificate Moxa Cert A (.p12) and Remote certificate Moxa Cert B (.cer).)
Encryption Algorithm (DES, ...): Encryption algorithm used in the key exchange.
Hash Algorithm (Any, MD5, SHA1, SHA256): Hash algorithm used in the key exchange.
DH Group (DH1 modp768, DH2 modp1024, DH5 modp1536, DH14 modp2048): Diffie-Hellman groups; the key exchange group between the remote and local VPN gateways. (Factory default: DH2 modp1024)
Negotiation Time: Nego
44. (Figure: Overview page of the EDR-G903 Secure Router web console: Model EDR-G903, Serial No. 1, Firmware V1.0 build 10031916, WAN1 MAC 00:90:e8:00:90:0b, WAN2 MAC 00:90:e8:00:90:0a, LAN MAC 00:90:e8:00:90:09, WAN1 IP 192.168.2.71, WAN2 IP 0.0.0.0, LAN IP 192.168.127.254. The Main Menu lists Overview, Basic Setting, Network, Communication Redundancy, Routing, NAT, Firewall Policy, SNMP, Traffic Prioritization, Auto Warning, Diagnosis, Monitor, and System Log. The page shows Interface Status (WAN1 PPPoE Connect, WAN2 Disconnect, LAN Connect), the 10 most recent Event Log entries (LAN link on/off, admin auth ok, with 2000-1-1 timestamps), and feature status (WAN2 Backup Function Disable, DDNS Disable, Check Alive Disable, QoS Disable). The goAhead WEBSERVER footer notes the console is best viewed with IE 5 or above at 1024 x 768.)
3 Features and Functions
In this chapter we explain how to access the Industrial Secure Router's configuration options, perform monitoring, and use administration functions. There are three ways to access these functions: (1) RS-232 console, (2) Telnet console, and (3) web browser. The web browser is the most user-friendly way to configure the Industrial
45. Default Route: ...ables the WAN backup function, WAN1 would be the primary default route and WAN2 would be the backup route.
Startup Mode: Start in Initial: This VPN tunnel will actively initiate the connection with the remote VPN gateway. Wait for Connecting: This VPN tunnel will wait for the remote VPN gateway to initiate the connection. (Factory default: Start in Initial)
NOTE: The maximum number of Start in Initial VPN tunnels is 30. The maximum number of Wait for Connecting VPN tunnels is 100.
Local Network / Netmask / ID
IP Address: IP address of the local VPN network. (Factory default: IP address of LAN)
Subnet Mask: Subnet mask of the local VPN network. (Factory default: Netmask of LAN)
ID: ID for identifying the VPN tunnel connection. The Local ID must be equal to the Remote ID of the VPN gateway; otherwise the VPN tunnel cannot be established successfully.
Remote Network / Netmask / ID
IP Address: IP address of the remote VPN network. (Factory default: 0.0.0.0)
Subnet Mask: Subnet mask of the remote VPN network. (Factory default: 0.0.0.0)
ID: ID for identifying the VPN tunnel connection. The Local ID must be equal to the Remote ID of the VPN gateway; otherwise the VPN tunnel cannot be established. (Factory default: None)
Key Exchange (IPSec Phase I)
(Figure: Key Exchange (IPSec Phase 1) settings: IKE Mode Main; Authentication Mode Pre-Shared Key 12345; Encryption Algorithm 3DES; Hash Algorithm SHA1; DH Group DH2 modp1024; Negotiation
46. age automatically. Because the new IP list does not include the remote user's IP address, the remote user cannot connect to the SettingCheck Confirmed page. After 15 seconds, the Industrial Secure Router will roll back to the original Accessible IP List setting, allowing the remote user to reconnect to the Industrial Secure Router and check what is wrong with the previous setting.
(Figure: the browser's "The page cannot be displayed" error page, as seen by the remote user who is locked out by the new Accessible IP List until the rollback.)
47. 1 Introduction
Welcome to the Moxa Industrial Secure Router series: the EDR-G902, EDR-G903, and EDR-810. The all-in-one Firewall/NAT/VPN secure routers are designed for connecting Ethernet-enabled devices with network IP security.
The following topics are covered in this chapter:
- Overview
- Package Checklist
- Features
  Industrial Networking Capability
  Designed for Industrial Applications
  Useful Utility and Remote Configuration
Overview
As the world's network and information technology becomes more mature, the
48. has two WAN interfaces. WAN1 is the primary WAN interface and WAN2 is the backup interface. When the Industrial Secure Router detects that the WAN1 connection has failed (link down or ping fails), it will switch the communication path from WAN1 to WAN2 automatically. When WAN1 recovers, the major communication path will return to WAN1.
WAN Backup (EDR-G903 only)
How Dual WAN Backup Works
A power utility at a field site connects to a central office via two different ISPs (Internet Service Providers). ISP A uses Ethernet and ISP B uses satellite for data transmission, with Ethernet used as the major connection and the satellite as the backup connection. This makes sense since the cost of transmitting through the satellite is greater than the cost of transmitting over Ethernet. Traditional solutions would use two routers to connect to the different ISPs; in this case, if the connection to the primary ISP fails, the connection must be switched to the backup ISP manually. The Industrial Secure Router's WAN backup function checks the link status and the connection integrity between the Industrial Secure Router and the ISP or central office. When the primary WAN interface fails, it will switch to the backup WAN automatically to keep the connection alive.
(Figure: Field site connected to the Center site via ISP A (WAN1, Ethernet, primary) and ISP B (WAN2, satellite, backup).)
When configuring the Industrial Secure Router, choose one of the two following conditions to activa
The MIB groups that the Industrial Secure Router series supports are:

MIB-II.1 System Group: sysORTable
MIB-II.2 Interfaces Group: ifTable
MIB-II.4 IP Group: ipAddrTable, ipNetToMediaTable, IpGroup, IpBasicStatsGroup, IpStatsGroup
MIB-II.5 ICMP Group: IcmpGroup, IcmpInputStatus, IcmpOutputStats
MIB-II.6 TCP Group: tcpConnTable, TcpGroup, TcpStats
MIB-II.7 UDP Group: udpTable, UdpStats
MIB-II.11 SNMP Group: SnmpBasicGroup, SnmpInputStats, SnmpOutputStats

Public Traps:
1. Cold Start
2. Link Up
3. Link Down
4. Authentication Failure

Private Traps:
1. Configuration Changed
2. Power On
3. Power Off
4. DI Trap

Industrial Secure Router MIB Groups

The Industrial Secure Router also provides a MIB file, Moxa-EDRG903-MIB.my, located on the Industrial Secure Router Series utility CD-ROM, for SNMP trap message interpretation.
...cal production lines. The NAT function checks whether incoming or outgoing packets match a policy. It starts by checking the packet against the first policy (Index 1); if the packet matches this policy, the Industrial Secure Router translates the address immediately and then starts checking the next packet. If the packet does not match this policy, it checks the next policy. The maximum number of NAT policies for the Industrial Secure Router is 128.

N-to-1 NAT

If the user wants to hide the internal IP addresses from users outside the LAN, the easiest way is to use the N-to-1 (N:1) NAT function. The N:1 NAT function replaces the source IP address with an external IP address and adds a logical port number to identify the connection of this internal/external IP address pair. This function is also called Network Address Port Translation (NAPT) or IP Masquerading.

3-37 Industrial Secure Router Features and Functions

The N:1 NAT function is a one-way connection from an internal secure area to an external non-secure area. The user can initiate the connection from the internal to the external network, but may not be able to initiate the connection from the external to the internal network.

(Figure: Network Address Translation page: Enable; LAN IP Range 192.168.127.1 to 192.168.127.252; NAT Mode; WAN IP 0.0.0.0; Port Forward; NAT List (1 to 64) with columns Enable, Index, Protocol, Source IP, Destination IP)
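The N:1 NAT behaviour described above, as an added worked example (not Moxa's code): policies are consulted in index order and the first match wins, the source address is rewritten to the policy's WAN IP plus a logical port, and an inbound packet is delivered only when it hits a mapping that an internal host created, which is what makes the connection one-way. The policy layout, the 128-policy cap from the text, and the logical port pool starting at 40000 are illustration assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Added illustration of N:1 NAT (NAPT / IP masquerading); not the router's implementation.
# Assumptions: policy fields below, first-match in index order, logical ports from 40000.

MAX_NAT_POLICIES = 128   # limit stated in the manual


@dataclass
class NatPolicy:
    index: int
    lan_first: str        # inclusive LAN IP range to translate
    lan_last: str
    wan_ip: str           # external address written into the source field

    def matches(self, src_ip: str) -> bool:
        ip = ipaddress.ip_address(src_ip)
        return ipaddress.ip_address(self.lan_first) <= ip <= ipaddress.ip_address(self.lan_last)


class Napt:
    def __init__(self, policies, first_port=40000):
        if len(policies) > MAX_NAT_POLICIES:
            raise ValueError("too many NAT policies")
        self.policies = sorted(policies, key=lambda p: p.index)   # Index 1 is checked first
        self.next_port = first_port          # assumed start of the logical port pool
        self.out = {}                        # (lan_ip, lan_port) -> (wan_ip, wan_port)
        self.back = {}                       # (wan_ip, wan_port) -> (lan_ip, lan_port)

    def policy_for(self, src_ip):
        for p in self.policies:              # first matching policy wins
            if p.matches(src_ip):
                return p
        return None

    def outbound(self, src_ip, src_port):
        """Translate an internal->external packet; None if no policy covers the source."""
        p = self.policy_for(src_ip)
        if p is None:
            return None
        key = (src_ip, src_port)
        if key not in self.out:              # new connection: allocate a logical port
            mapping = (p.wan_ip, self.next_port)
            self.next_port += 1
            self.out[key] = mapping
            self.back[mapping] = key
        return self.out[key]

    def inbound(self, dst_ip, dst_port):
        """External->internal packets reach a host only through an existing mapping."""
        return self.back.get((dst_ip, dst_port))
```

A packet from 192.168.127.10:51000 leaves as 203.0.113.5:40000; a probe to 203.0.113.5:40999 from outside finds no mapping and is not delivered, even though the WAN address itself is reachable.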
...ck. If the new configuration does not block the connection from the remote user to the Industrial Secure Router, the user will see the SettingCheck Confirmed page shown in the following figure. Click Confirm to save the configuration updates.

(Figure: SettingCheck Confirmed page: "Press Confirm button to save the change")

System File Update by Remote TFTP

The Industrial Secure Router supports saving your configuration file to a remote TFTP server or local host, so that other Industrial Secure Routers can use the same configuration at a later time, and saving the log file for future reference. Loading pre-saved firmware or a configuration file from the TFTP server or local host is also supported, to make it easier to upgrade or configure the Industrial Secure Router.

NOTE: TFTP has no authentication and no encryption, so configuration files, log files and firmware images travel in cleartext. Run the TFTP server only on a trusted management network and check the firmware image you obtained from Moxa before loading it.

(Figure: Upgrade Software or Configuration page with fields TFTP Server IP/Name, Configuration File Path and Name, Firmware File Path and Name, Log File Path and Name)

TFTP Server IP/Name (IP address or name of the TFTP server): The IP or name of the remote TFTP server. Must be configured before downloading or uploading files. Default: None
Configuration File Path and Name (max. 40 characters): The path and filename of the Industrial Secure Router's configuration file on the TFTP server. Default: None
Firmware File Path and Name (max. 40 characters): The path and filename of the Industrial Secure Router's firmware file. Default: None
Log File Pa
...configure the Industrial Secure Router as an NTP/SNTP server on the network.
Enable Server synchronize: Enable this function to configure the Industrial Secure Router as an NTP/SNTP client. It will synchronize its time information with another NTP/SNTP server.
1st Time Server IP/Name: IP or domain address of the first time server, e.g. 192.168.1.1, time.stdtime.gov.tw or time.nist.gov. Default: None
2nd Time Server IP/Name: The Industrial Secure Router will try to locate the 2nd NTP server if the 1st NTP server fails to connect. Default: None

SettingCheck

(Figure: SettingCheck page with checkboxes Firewall Policy, NAT Policy, Accessible IP List, Layer 2 Filter (only works in Bridge Mode), and Timer 180 sec)

SettingCheck is a safety function for industrial users of a secure router. It provides a double-confirmation mechanism for when a remote user changes the security policies, such as the firewall filter, NAT and the Accessible IP list. When a remote user changes these security policies, a mistaken setting can block the connection from the remote user to the Firewall/VPN device. The only way to correct a wrong setting is then to get help from the local operator or to go to the local site and connect to the device through the console port, which could take quite a bit of time and money. Enabling the SettingCheck function executes these new policy changes temporarily until they are doubly confirmed by the user. If the user does not click the confi
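The SettingCheck mechanism above is a commit-confirm pattern: the change takes effect provisionally and is rolled back unless the remote user confirms it before the timer expires. The added example below (not Moxa's code) shows that logic with a fake clock, plus a lockout pre-check that is the example's own addition, not a router feature: it warns when a new Accessible IP list would exclude the administrator's own address before the change is even applied. The 180-second timer is the default shown on the page; the policy dictionary shape is an assumption.

```python
import copy
import ipaddress

# Added illustration of SettingCheck's provisional-apply / confirm / roll-back cycle.
# Not Moxa's code. lockout_risk() is an extra check added here, not a router function.


class SettingCheck:
    def __init__(self, committed, timer_sec=180):      # 180 s is the page's default timer
        self.committed = copy.deepcopy(committed)
        self.pending = None
        self.deadline = None
        self.timer_sec = timer_sec

    def apply(self, new_policy, now):
        """Put the change into effect temporarily and start the timer."""
        self.pending = copy.deepcopy(new_policy)
        self.deadline = now + self.timer_sec

    def _expire(self, now):
        if self.pending is not None and now >= self.deadline:
            self.pending = None          # nobody confirmed: revert to the committed policy
            self.deadline = None

    def active(self, now):
        """Policy enforced at time 'now' (the pending change while the timer runs)."""
        self._expire(now)
        return self.pending if self.pending is not None else self.committed

    def confirm(self, now):
        """Second confirmation; False if the timer already rolled the change back."""
        self._expire(now)
        if self.pending is None:
            return False
        self.committed, self.pending, self.deadline = self.pending, None, None
        return True


def lockout_risk(accessible_networks, admin_ip):
    """True if the new Accessible IP list would no longer include the administrator's address."""
    ip = ipaddress.ip_address(admin_ip)
    return not any(ip in ipaddress.ip_network(n, strict=False) for n in accessible_networks)
```

If the administrator at 192.168.1.5 replaces the list with 10.0.0.0/8 alone, the session is cut off, no confirmation ever arrives, and the timer restores the previous list; the pre-check catches that mistake before the change is made.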
...ctory Default

Source Port
  All port numbers: This firewall policy checks all source port numbers in the packet. Default: All
  Single port number: This firewall policy checks a single source port number in the packet.
  Range of port numbers: This firewall policy checks multiple source port numbers in the packet.

Destination IP
  All IP addresses: This firewall policy checks all destination IP addresses in the packet. Default: All
  Single IP address: This firewall policy checks a single destination IP address in the packet.
  Range of IP addresses: This firewall policy checks multiple destination IP addresses in the packet.

Destination Port
  All port numbers: This firewall policy checks all destination port numbers in the packet. Default: All
  Single port number: This firewall policy checks a single destination port number in the packet.
  Range of port numbers: This firewall policy checks multiple destination port numbers in the packet.

NOTE: The Industrial Secure Router's firewall function checks whether incoming or outgoing packets match a firewall policy. It starts by checking the packet against the first policy (Index 1); if the packet matches this policy, it accepts or drops the packet immediately and then checks the next packet. If the packet does not match this policy, it checks the next policy.

NOTE: The maximum number of firewall policies for the Industrial Secure Router is 25
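Because evaluation stops at the first match, the order of the policies decides what the firewall does. The added example below (not Moxa's code) evaluates packets against rules with the All / single / range forms of the IP and port fields described above, and adds a shadowing check, the example's own addition, that lists rules an earlier rule already covers and which therefore can never fire. The action for a packet that matches no rule is not stated on the page and is a parameter here.

```python
import ipaddress

# Added illustration of first-match firewall policy evaluation; not Moxa's implementation.
# IP and port specs: None = All, a single value, or an inclusive (first, last) tuple.
# The no-match action ('default') is an assumption.

ALL = None


def _ip_interval(spec):
    if spec is ALL:
        return None
    lo, hi = spec if isinstance(spec, tuple) else (spec, spec)
    return (int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi)))


def _port_interval(spec):
    if spec is ALL:
        return None
    return tuple(spec) if isinstance(spec, tuple) else (spec, spec)


def _contains(interval, value):
    return interval is None or interval[0] <= value <= interval[1]


def _covers(a, b):
    """Does interval a match everything interval b matches? (All covers everything.)"""
    if a is None:
        return True
    if b is None:
        return False
    return a[0] <= b[0] and b[1] <= a[1]


class Rule:
    def __init__(self, index, target, proto=ALL, src_ip=ALL, dst_ip=ALL,
                 src_port=ALL, dst_port=ALL, enabled=True):
        self.index, self.target, self.enabled, self.proto = index, target, enabled, proto
        self.src_ip, self.dst_ip = _ip_interval(src_ip), _ip_interval(dst_ip)
        self.src_port, self.dst_port = _port_interval(src_port), _port_interval(dst_port)

    def matches(self, pkt):
        return ((self.proto is ALL or self.proto == pkt["proto"])
                and _contains(self.src_ip, int(ipaddress.ip_address(pkt["src"])))
                and _contains(self.dst_ip, int(ipaddress.ip_address(pkt["dst"])))
                and _contains(self.src_port, pkt["sport"])
                and _contains(self.dst_port, pkt["dport"]))

    def covers(self, other):
        """True if every packet 'other' could match would already have matched self."""
        return ((self.proto is ALL or self.proto == other.proto)
                and _covers(self.src_ip, other.src_ip) and _covers(self.dst_ip, other.dst_ip)
                and _covers(self.src_port, other.src_port) and _covers(self.dst_port, other.dst_port))


def evaluate(rules, pkt, default="DROP"):
    """(target, rule index) of the first enabled rule that matches, else (default, None)."""
    for rule in sorted(rules, key=lambda r: r.index):
        if rule.enabled and rule.matches(pkt):
            return rule.target, rule.index
    return default, None


def shadowed(rules):
    """Indexes of enabled rules that can never fire because an earlier enabled rule covers them."""
    ordered = [r for r in sorted(rules, key=lambda r: r.index) if r.enabled]
    return [r.index for i, r in enumerate(ordered) if any(e.covers(r) for e in ordered[:i])]
```

In the test, rule 3 (accept one PLC host to port 502) is dead: rule 1 already accepts the whole LAN range to that host, and rule 2 drops everything else to port 502, so the rule would need to move to index 1 to have any effect.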
...cur. The Industrial Secure Router supports different approaches to warn engineers automatically, such as by using email and relay output. It also supports one digital input to integrate sensors with your system and automate alarms using email and relay output.

Configuring Email Warning

The Auto Email Warning function uses email to alert the user when certain user-configured events take place. Three basic steps are required to set up the Auto Warning function:

1. Configure Email Event Types. Select the desired event types from the Web Browser Event Type page (a description of each event type is given later, in the Email Alarm Events Settings subsection).
2. Configure Email Setup. To configure the Industrial Secure Router's email setup from a browser interface, enter your Mail Server's IP/Name (IP address or name), Account Name, Account Password, the sender's email address and the email address to which warning messages will be sent.
3. Activate your settings and, if necessary, test the email. After configuring and activating your Industrial Secure Router's Event Types and Email Setup, you can use the Test Email function to see if your email addresses and mail server address have been properly configured.

(Figure: Email Warning Event Settings page: System Events: Cold Start, Warm Start, Power Transition (On to Off), Power Transition (Off to On), DI (Off), DI (On), Config Change, Auth Failure; Port E
3. Features and Functions ... 3-1
   Overview ... 3-2
   Quick Setting Profile (EDR-810 series only) ... 3-3
   (entry unreadable) ... 3-6
   System Identification ... 3-6
   Accessible IP ... 3-7
   Password ... 3-9
   Time ... 3-10
   SettingCheck ... 3-12
   System File Update by Remote TFTP ... 3-13
   System File Update by Local Import/Export ... 3-14
   (entry unreadable) ... 3-15
   Reset to Factory Default ... 3-15
   Configuring Ports (EDR-810 series only) ... 3-15
   Port Settings ... 3-15
   Using Port Trunk (EDR-810 series only) ... 3-16
   Port Trunk Settings ... 3-17
   Port Trunk Table ... 3-17
   Using Virtual LAN (EDR-810 series only) ... 3-18
   What is a VLAN? ... 3-18
   Benefits of VLANs ... 3-18
   Managing a VLAN ... 3-19
   Configuring Virtual LAN (EDR-810
...ddress: The subnet mask. Default: None
Gateway IP Address: The gateway IP address. Default: None

Detailed Explanation of PPPoE Type

(Figure: WAN1 Configuration page: Connection Enable; Connect Type PPPoE; PPPoE Dialup User Name, Password, Host Name; DNS (optional for dynamic IP or PPPoE type) Server 1, Server 2, Server 3)

PPPoE Dialup
  User Name (max. 30 characters): The user name for logging in to the PPPoE server. Default: None
  Host Name (max. 30 characters): User-defined host name of this PPPoE server. Default: None
  Password (max. 30 characters): The login password for the PPPoE server. Default: None

WAN2 Configuration (includes DMZ Enable) (EDR-G903 only)

(Figure: WAN2 Configuration page: Connection Mode Disable / Enable / Backup; Connect Type Dynamic IP)

Note that there are three different connection types for the WAN2 interface: Dynamic IP, Static IP and PPPoE. A detailed explanation of the configuration settings for each type is given below.

Connection Mode (Enable or Disable): Enable or disable the WAN interface. Default: None
DMZ Enable: DMZ mode can only be enabled when the connection type is set to Static IP.

Connection Type
  Static IP / Dynamic IP: Configure the
...dustrial Secure Router over an Ethernet LAN or over the Internet. A web browser can be used to perform all monitoring and administration functions, but the serial console and Telnet console only provide basic functions. The following topics are covered in this chapter:
- RS-232 Console Configuration (115200, None, 8, 1, VT100)
- Using Telnet to Access the Industrial Secure Router's Console
- Using a Web Browser to Configure the Industrial Secure Router

Industrial Secure Router Getting Started

RS-232 Console Configuration (115200, None, 8, 1, VT100)

NOTE: Connection Caution! We strongly suggest that you do NOT use more than one connection method at the same time. Following this advice will allow you to maintain better control over the configuration of your Industrial Secure Router.

NOTE: Telnet sends the login password in cleartext over the network. Prefer the RS-232 console or the HTTPS/SSL web interface (see Using HTTPS/SSL) for administration from a shared network.

NOTE: We recommend using Moxa PComm Terminal Emulator, which can be downloaded free of charge from Moxa's website.

Before running PComm Terminal Emulator, use an RJ45-to-DB9-F or RJ45-to-DB25-F cable to connect the Industrial Secure Router's RS-232 console port to your PC's COM port (generally COM1 or COM2, depending on how your system is set up). After installing PComm Terminal Emulator, perform the following steps to access the RS-232 console utility:

1. From the Windows desktop, click Start > Programs > PComm Lite 1.3 > Terminal Emulator.

(Figure: Windows Start menu showing the PComm Lite program group)
Firewall Policy Configuration

The Industrial Secure Router's firewall policy provides secure traffic control, allowing users to control network traffic based on the following parameters:

(Figure: Firewall Policy page: Enable; Target ACCEPT; Interface From All / To All; Source IP All; Protocol All; Service IP Filter; Destination IP All)

Enable (Enable or Disable): Enable or disable the selected firewall policy. Default: Enabled
Interface From / To (All, WAN1, WAN2, LAN): Select the From interface and the To interface. Default: From All to All
Quick Automation Profile: Select the protocol parameters for this firewall policy (refer to the Quick Automation Profile section). Default: None
Service
  IP Filter: This firewall policy filters by IP address. Default: IP Filter
  MAC Filter: This firewall policy filters by MAC address.
Target
  Accept: The packet passes through the firewall when it matches this firewall policy. Default: Accept
  Drop: The packet does not pass through the firewall when it matches this firewall policy.
Source IP
  All IP addresses: This firewall policy checks all source IP addresses in the packet. Default: All
  Single IP address: This firewall policy checks a single source IP address in the packet.
  Range of IP addresses: This firewall policy checks multiple source IP addresses in the packet.

Port Setting Description Fa
...e traffic flow parameters and activate the defense process when abnormal traffic conditions are detected.

(Figure: DoS Defense page: Null Scan, Xmas Scan, NMAP-Xmas Scan, SYN/FIN Scan, FIN Scan, NMAP-ID Scan, SYN/RST Scan, ICMP-Death Limit (pkt/s), SYN-Flood Limit (pkt/s))

Null Scan (Enable or Disable): Enable or disable the Null Scan defense. Default: None
Xmas Scan (Enable or Disable): Enable or disable the Xmas Scan defense. Default: None
NMAP-Xmas Scan (Enable or Disable): Enable or disable the NMAP-Xmas Scan defense. Default: None
SYN/FIN Scan (Enable or Disable): Enable or disable the SYN/FIN Scan defense. Default: None
FIN Scan (Enable or Disable): Enable or disable the FIN Scan defense. Default: None
NMAP-ID Scan (Enable or Disable): Enable or disable the NMAP-ID Scan defense. Default: None
SYN/RST Scan (Enable or Disable): Enable or disable the SYN/RST Scan defense. Default: None
ICMP-Death
  Enable or Disable: Enable or disable the ICMP-Death defense. Default: None
  Packets/Second: The limit value that activates the ICMP-Death defense.
SYN-Flood
  Enable or Disable: Enable or disable the SYN-Flood defense. Default: None
  Packets/Second: The limit value that activates the SYN-Flood defense.

VPN (Virtual Private Network) (EDR-G902/G903 and EDR-810-VPN only)

Overview

In this section we
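The DoS Defense settings above name the checks but not what they look for. The added example below (not Moxa's code) shows the two kinds of check behind them: a TCP-flag classifier for the scan types and a per-second counter for the ICMP-Death and SYN-Flood limits. The flag combinations follow the usual nmap conventions and are an assumption about how the router classifies them; NMAP-ID Scan (an idle scan that relies on IP-ID sequencing rather than a flag pattern) is left out.

```python
from collections import defaultdict

# Added illustration of DoS-defense checks; not the router's implementation.
# Flag-pattern definitions are the conventional nmap ones (assumption).

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_tcp_flags(flags: int):
    """Map a TCP flags byte to the scan class it signals, or None for ordinary traffic."""
    if flags == 0:
        return "Null Scan"                      # no flags at all (nmap -sN)
    if flags == FIN | PSH | URG:
        return "Xmas Scan"                      # nmap -sX
    if flags == FIN | SYN | RST | PSH | ACK | URG:
        return "NMAP-Xmas Scan"                 # every flag lit (assumed meaning)
    if (flags & (SYN | FIN)) == (SYN | FIN):
        return "SYN/FIN Scan"                   # never valid together
    if (flags & (SYN | RST)) == (SYN | RST):
        return "SYN/RST Scan"
    if flags == FIN:
        return "FIN Scan"                       # nmap -sF
    return None


class RateGuard:
    """Per-second packet counter; trips once the count in a second exceeds the limit (pkt/s)."""
    def __init__(self, limit_pps: int):
        self.limit = limit_pps
        self.counts = defaultdict(int)

    def observe(self, t: float) -> bool:
        sec = int(t)
        self.counts[sec] += 1
        return self.counts[sec] > self.limit


def inspect(pkt: dict, t: float, syn_guard: RateGuard, icmp_guard: RateGuard):
    """Verdict for one packet: ('drop', reason) or ('pass', None)."""
    if pkt["proto"] == "icmp" and icmp_guard.observe(t):
        return ("drop", "ICMP-Death limit exceeded")
    if pkt["proto"] == "tcp":
        scan = classify_tcp_flags(pkt["flags"])
        if scan:
            return ("drop", scan)
        if pkt["flags"] == SYN and syn_guard.observe(t):   # only bare SYNs count toward the flood limit
            return ("drop", "SYN-Flood limit exceeded")
    return ("pass", None)
```

Set the limits against measured baseline traffic: a SYN-Flood limit below the normal connection rate of a busy HMI poll cycle turns the defense into a self-inflicted outage.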
...each host must be updated manually. With a VLAN setup, if a host originally on VLAN Marketing, for example, is moved to a port on another part of the network and retains its original subnet membership, you only need to specify that the new port is on VLAN Marketing. You do not need to do any re-cabling.

- VLANs provide extra security. Devices within each VLAN can only communicate with other devices on the same VLAN. If a device on VLAN Marketing needs to communicate with devices on VLAN Finance, the traffic must pass through a routing device or Layer 3 switch.
- VLANs help control traffic. With traditional networks, congestion can be caused by broadcast traffic that is directed to all network devices, regardless of whether or not they need it. VLANs increase the efficiency of your network because each VLAN can be set up to contain only those devices that need to communicate with each other.

Managing a VLAN

A new or initialized Moxa switch contains a single VLAN, the Default VLAN. This VLAN has the following definition:
- VLAN Name: Management VLAN
- 802.1Q VLAN ID: 1 (if tagging is required)

All of the ports are initially placed on this VLAN, and it is the only VLAN that allows you to access the management software of the Moxa switch over the network.

Configuring Virtual LAN (EDR-810 Only)

To configure 802.1Q VLAN on the Moxa switch, use the 802.1Q VLAN Settings page to configure
...emove from the group.
Step 5: Click Activate to finish the settings.

Trunk Group (maximum of four trunk groups: Trk1, Trk2, Trk3, Trk4): Specifies the current trunk group. Default: Trk1

Available Ports / Member Ports
  Member / Available Ports: List the ports in the current trunk group and the ports that are available to be added.
  Checkbox: Select the port to be added to or removed from the group. Default: Unchecked
  Port: How each port is identified.
  Port description: Displays the media type for each port.
  Speed: Indicates the transmission speed for each port.
  FDX flow control: Indicates if the FDX flow control of this port is enabled or disabled.
  Add button: Add the selected ports into the trunk group from the available ports.
  Remove button: Remove the selected ports from the trunk group.

Port Trunk Table

The Port Trunk Table shows the current trunk status of configured trunk groups.

(Figure: Trunk Table with columns Trunk Group, Member Port and Status; the sample shows Trk1, Trk2 and Trk3 with their member ports, each with status Fail)

Trunk group: Displays the trunk type and trunk group.
Member port: Displays the member ports that belong to the trunk group.
Status: Success means port trunking is working properly. Fail means port trunking is not working properly. Standby means port trunking is working as a standby port: when more than eight ports are trunked in one trunking group, the 9th port is the standby port.

Using Virt
...generate a PKCS#12 local certificate with password (.p12) and a certificate file for the remote VPN tunnel (.crt):
   a. EDR-G903 A: Moxa_A.p12 and Moxa_A.crt
   b. EDR-G903 B: Moxa_B.p12 and Moxa_B.crt
4. Upload the PKCS#12 certificate to the Local Certification list:
   a. Moxa_A.p12 in EDR-G903 A
   b. Moxa_B.p12 in EDR-G903 B
5. Send the certificate file (.crt) to the remote VPN gateway and upload it as the remote certificate file:
   a. Upload Moxa_B.crt to EDR-G903 A
   b. Upload Moxa_A.crt to EDR-G903 B

Only the .crt file leaves a device: it holds the public certificate. The .p12 file holds the private key and stays on the device that generated it.

(Figure: the five steps shown side by side for EDR-G903 A and EDR-G903 B: 1. Create Root Certificate; 2. Generate Certification; 3. Generate PKCS#12 file (Moxa_A.p12 / Moxa_B.p12) and certificate file (Moxa_A.crt / Moxa_B.crt); 4. Upload Local Certificate (Moxa_A.p12 / Moxa_B.p12); 5. Upload Remote Certificate (Moxa_B.crt / Moxa_A.crt). The resulting lists show Local: Moxa Cert A.p12, Remote: Moxa Cert B.cer on unit A, and Local: Moxa Cert B.p12, Remote: Moxa Cert A.cer on unit B)

Certificate Generation

(Figure: Certificate Request form: Country Name (2-letter code, e.g. US), Certificate days, State or Province Name, Locality Name, Organization Name (Moxa), Organizational Unit Name, Email (support@moxa.com))

The user must fill in the following information to generate the root certification:
Country name
...of Pre-Shared Key

NOTE: The encryption strength and pre-shared key must be configured identically on both Industrial Secure Router units.

IPSec Advanced Setting

Click Advanced Setting to configure detailed VPN settings.

Tunnel Setting

(Figure: Tunnel Setting page: Enable; Name; L2TP tunnel; VPN Connection Type Site to Site; Remote VPN Gateway 0.0.0.0; Connect Interface WAN1; Startup Mode Start in initial; Local Network 192.168.127.254, Netmask 255.255.255.0; Remote Network 0.0.0.0, Netmask 0.0.0.0)

Enable or Disable VPN Tunnel (Enable or Disable): Enable or disable this VPN tunnel. Default: Disable
Name of VPN Tunnel (max. 16 characters): User-defined name of this VPN tunnel. Default: None
  NOTE: The first character cannot be a number.
L2TP over IPSec (Enable or Disable): Enable or disable the L2TP over IPSec function. Default: None
VPN Connection Type
  Site to Site: VPN tunnel in which the local and remote subnets are fixed. Default: Site to Site
  Site to Site Any: VPN tunnel in which the remote subnet is dynamic and the local subnet is fixed.
Remote VPN Gateway (IP address): The remote VPN gateway's IP address.
Connection Interface (WAN1, WAN2): The interface of the VPN tunnel. Default: WAN1. If the user en
...ging the password. Default: None
New password (max. 16 characters): Type the new password when changing the password. Default: None
Retype password (max. 16 characters): If you type a new password in the Password field, you will be required to retype the password in the Retype new password field before updating the new password. Default: None

Time

The Time configuration page lets users set the time, date and other settings. An explanation of each setting is given below.

(Figure: System Time page: Current Time (ex. 04:00:04); Current Date (ex. 2002/11/13); Daylight Saving Time with Start Date and End Date (Month, Week, Day, Hour) and Offset; System Up Time; Time Zone (GMT) Greenwich Mean Time: Dublin, Edinburgh, Lisbon, London; Enable NTP/SNTP Server; Enable Server synchronize; 1st Time Server IP/Name; 2nd Time Server IP/Name)

The Industrial Secure Router has a time calibration function based on information from an NTP server or user-specified time and date information. Functions such as Auto Warning Email can add real-time information to the message.

NOTE: The Industrial Secure Router has a real-time clock, so the user does not need to update the Current Time and Current Date to set the initial time for the Industrial Secure Router after each reboot. This is especially useful when the network does
...the ping command is entered from the user's PC keyboard, the actual ping command originates from the Industrial Secure Router itself. In this way, the user can essentially control the Industrial Secure Router and send ping commands out through its ports.

There are two basic steps required to set up the Ping command to test network integrity:
1. Select which interface will be used to send the ping commands. You may choose from WAN1, WAN2 and LAN.
2. Type in the desired IP address and click Ping.

LLDP Function

Overview

Defined by IEEE 802.1AB, Link Layer Discovery Protocol (LLDP) is an OSI Layer 2 protocol that standardizes the methodology of self-identity advertisement. It allows each networking device, such as a Moxa managed switch or router, to periodically inform its neighbors about itself and its configuration. In this way, all devices will be aware of each other.

NOTE: LLDP advertisements are unauthenticated and name the device and its ports to whatever is attached. Leave LLDP disabled on ports that face untrusted networks.

(Figure: LLDP Settings page: General Settings with LLDP Enable and Message Transmit Interval 30; neighbor table with columns Port, Neighbor ID, Neighbor Port, Neighbor Port Description, Neighbor System)

The router's web interface can be used to enable or disable LLDP and to set the LLDP Message Transmit Interval. Users can view the neighbor list, which is built from what the device's network neighbors report.

LLDP Setting
Enable LLDP (Enable or Disable): Enable or disable the LLDP function.
Message Transmit Interval (5 to 32768 sec): Set the transmit interval of LLDP messages, in seconds. Default: 30 sec
...this page. The password must be the same as the one used for the .p12 certificate file. If the password is not correct, the certificate import process will fail.

Label: User-defined name for this local certificate.
Name / Subject: Show the name and subject when the certificate is imported successfully or the user selects the certificate on the list.
PKCS#12 Upload: Use Browse to select the .p12 file and press the Import button.
Import Password: The password for the .p12 certificate.

Remote Certificate Upload

(Figure: Remote Certificate Upload page with Label, Name, Subject and Certificate Upload)

Upload the .crt remote certificate on this page.
Label: User-defined name for this remote certificate.
Name / Subject: Show the name and subject when the certificate is imported successfully or the user selects a certificate from the list.
Certificate Upload: Use Browse to select the .crt file and press the Import button.

L2TP (Layer 2 Tunnel Protocol)

L2TP is a popular choice for remote roaming users for VPN applications, since an L2TP client is built in to the Microsoft Windows operating system. Since L2TP does not provide an encryption function, it is usually combined with IPSec to provide data encryption.

(Figure: L2TP Configuration page: WAN1 L2TP Server Mode Disable, Local IP 0.0.0.0, Offered IP Range 0.0.0.0 to 0.0.0.0; WAN2 L2TP Server Mode Disable, Local IP 0.0.0.0, Offered IP Range 0.0.0.0 to 0.0.0.0; Login User / Pass
...hop address, which is the next router along the path to the destination address, and a metric that represents the cost we have to pay to access a different network.

Static Route: You can define the routes yourself by specifying the next hop, or router, to which the Industrial Secure Router forwards data for a specific subnet. The settings of the static route are added to the routing table and stored in the Industrial Secure Router.

RIP (Routing Information Protocol): RIP is a distance-vector-based routing protocol that can be used to automatically build up a routing table in the Industrial Secure Router. The Industrial Secure Router can efficiently update and maintain the routing table and optimize the routing by identifying the smallest metric and the most-matched mask prefix.

NOTE: RIP accepts route advertisements from neighboring routers, so enable it only on interfaces that face routers you trust; a static route cannot be overridden by an advertisement.

Static Routing

The Static Routing page is used to configure the Industrial Secure Router's static routing table.

(Figure: Static Routing page: Enable; Name ISP_1; Destination Address 100.10.10.1; Netmask 255.255.255.0; Next Hop 100.10.10.254; Metric 10; Static Routing table (1 to 512) with columns Index, Name, Destination Address, Netmask, Next Hop, Metric)

Enable: Click the checkbox to enable this static route.
Name: The name of this static route entry.
Destination Address: Specify the destination IP address.
Netmask: Specify the subnet mask for this destination address.
Next Hop: This option is u
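The route-selection rule stated above (most-matched mask prefix first, then smallest metric) in working form, as an added example that is not Moxa's code. Entries mirror the Static Routing page fields; the next-hop reachability check is the example's own addition and flags a classic misconfiguration, a next hop that is not on any directly connected subnet, which silently blackholes the route. The interface addresses used in the check are constructed for the test.

```python
import ipaddress

# Added illustration of static-route lookup: longest prefix wins, then smallest metric.
# Not the router's implementation. unreachable_next_hops() is an extra sanity check.


class Route:
    def __init__(self, name, destination, netmask, next_hop, metric, enabled=True):
        self.name, self.next_hop, self.metric, self.enabled = name, next_hop, metric, enabled
        # strict=False accepts a host address with a /24 mask, as in the page's 100.10.10.1 example
        self.network = ipaddress.ip_network(f"{destination}/{netmask}", strict=False)


def lookup(routes, destination):
    """Return (next_hop, route name) for a destination address, or None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if r.enabled and dst in r.network]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))
    return best.next_hop, best.name


def unreachable_next_hops(routes, local_interfaces):
    """Names of routes whose next hop is not inside any directly connected interface subnet."""
    connected = [ipaddress.ip_network(i, strict=False) for i in local_interfaces]
    return [r.name for r in routes
            if not any(ipaddress.ip_address(r.next_hop) in n for n in connected)]
```

In the test, 10.0.5.7 is covered by both the /8 "plant" route (metric 5) and two /24 "cell" routes; the /24 wins on prefix length, and of the two /24 entries the one with metric 3 is chosen, while the disabled entry is ignored.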
...ick and easy configuration of VLAN settings.

(Figure: 802.1Q VLAN Settings page: Management VLAN ID 1; VLAN ID Configuration Table with columns Port, Port Type, PVID, Fixed VLAN (Tagged), Fixed VLAN (Untagged); in the sample, ports 1, 3, 9, 10, trk1 and trk2 are Access ports with PVID 1, port 5 is an Access port with PVID 3 and port 7 an Access port with PVID 2; Quick Setting Panel with Port, Port Type, PVID, Fixed VLAN Tagged, Fixed VLAN Untagged and a Set To Table button)

Hint: Use commas and number-number ranges to select the ports you would like to copy the configuration to. For example, "1,2,10-13,20-24" means the configuration will be copied to ports 1, 2, 10, 11, 12, 13, 20, 21, 22, 23 and 24.

Input multiple port numbers in the Port column, together with the Port Type, Tagged VLAN ID and Untagged VLAN ID, and then click the Set to Table button to create the VLAN ID configuration table.

VLAN Management

(Figure: VLAN Management table with columns Index, VID, Joined Access Port, Joined Trunk Port, Joined Hybrid Port, Action; the sample shows VID 1 with access ports 1, 3, 9, 10, trk1 and trk2, VID 2 with port 7, and VID 3 with port 5)

Use the 802.1Q VLAN Management table to review the VLAN groups that were created, the joined Access Ports, Trunk Ports and Hybrid Ports, and the Action for deleting VLANs that have no member ports in the list.

Network Settings

Mode Configuration (EDR-G902/G903 only)

Network Mode

Each Industrial Secure Router provides Router Mode and Bridge Mode operation for different applications.

(Figure: Network Mode selection: Router Mode (Router / Firewall / VPN / NAT) or Bridge Mode (Bridge Mode / Firewall
...icy 2. A rule 3 is cross-conflict with rule 2.

Modbus TCP Policy

Concept

Modbus TCP is a Modbus protocol used for communications over TCP/IP networks, connecting over port 502 by default. Some have experimented with using Modbus over UDP on IP networks, which removes the overheads required for TCP. The following table shows the Modbus TCP frame format.

Modbus TCP Frame Format (rows recoverable from the page)
Unit Identifier (1 byte): Slave address; 255 is used for device broadcast information.
Data (n bytes): Data block with additional information.

Modbus Policy Setup

The Industrial Secure Router provides Modbus policy inspection of Modbus TCP packets, which allows users to control Modbus TCP traffic based on the following parameters:

(Figure: Modbus Policy page: Enable; Target ACCEPT; From ALL / To ALL; Source IP All; Protocol All; Destination IP All; UID 0 (Ignore UID); Function Code: Manual; Address All; function code list including Read Coils, Read Discrete Inputs, Read Holding Registers, Read Input Register, Write Single Coil, Write Single Register, Read Exception Status, Diagnostic, Get Com Event Counter, Write Multiple Registers, Report Slave ID, Read File Record, Write File Record, Mask Write Register, Read/Write Multiple Registers, Read FIFO Queue; Modbus List)

Add a Modbus
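A worked example, added here and not Moxa's code, of the inspection the Modbus Policy page describes: parse the MBAP header (transaction identifier, protocol identifier, length, unit identifier) and the function code from a Modbus TCP frame, then apply policies in index order using the parameters the page lists: UID (0 = ignore), a set of allowed function codes, and an address range. The header layout comes from the Modbus/TCP specification; the policy representation, the no-match default, and the sample frames are constructed for illustration.

```python
import struct

# Added illustration of Modbus TCP policy inspection; not the router's implementation.
# Assumptions: policy representation below, first match in index order, DROP on no match.

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    7: "Read Exception Status", 8: "Diagnostic", 11: "Get Com Event Counter",
    15: "Write Multiple Coils", 16: "Write Multiple Registers", 17: "Report Slave ID",
    20: "Read File Record", 21: "Write File Record", 22: "Mask Write Register",
    23: "Read/Write Multiple Registers", 24: "Read FIFO Queue",
}
ADDRESSED = {1, 2, 3, 4, 5, 6, 15, 16, 22, 23, 24}   # requests whose data starts with an address


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus TCP request; raises ValueError on a malformed frame (drop it)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto_id, length, uid = struct.unpack("!HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:          # length counts unit id + function code + data
        raise ValueError("length field does not match frame size")
    fc, data = frame[7], frame[8:]
    address = struct.unpack("!H", data[:2])[0] if fc in ADDRESSED and len(data) >= 2 else None
    return {"tid": tid, "uid": uid, "fc": fc, "name": FUNCTION_NAMES.get(fc, "unknown"),
            "address": address, "data": data}


class ModbusPolicy:
    def __init__(self, index, target, uid=0, function_codes=None, address_range=None):
        self.index, self.target, self.uid = index, target, uid        # uid 0 = Ignore UID
        self.function_codes = function_codes                          # None = all
        self.address_range = address_range                            # None = all, else (lo, hi)

    def matches(self, req):
        if self.uid != 0 and req["uid"] != self.uid:
            return False
        if self.function_codes is not None and req["fc"] not in self.function_codes:
            return False
        if self.address_range is not None:
            lo, hi = self.address_range
            if req["address"] is None or not lo <= req["address"] <= hi:
                return False
        return True


def apply_policies(policies, frame: bytes, default="DROP"):
    """(target, policy index, function name) from the first matching policy."""
    req = parse_modbus_tcp(frame)          # malformed frames raise before any policy is consulted
    for p in sorted(policies, key=lambda p: p.index):
        if p.matches(req):
            return p.target, p.index, req["name"]
    return default, None, req["name"]
```

The policy set in the test is the usual read-only allow-list for an HMI: policy 1 accepts read function codes 1 to 4 against addresses 0 to 99 on unit 1, policy 2 drops everything else, so a Write Single Register to the same unit, or a read that starts at address 200, is dropped.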
...include the data encryption algorithm.

IPSec Configuration

IPSec configuration includes 5 parts:
- Global Setting: Enable or disable all IPSec tunnels and the NAT Traversal function
- Tunnel Setting: Set up the VPN connection type and VPN network plan
- Key Exchange: Authentication for the 2 VPN gateways
- Data Exchange: Data encryption between VPN gateways
- Dead Peer Detection: The mechanism for VPN tunnel maintenance

Global Configuration

The Industrial Secure Router provides 2 global settings for VPN applications.

(Figure: IPSec Global Setting: All IPSec Connection Enable; IPSec NAT-T Enable)

All IPSec Connection: Users can enable or disable all VPN services with this configuration.
NOTE: The factory default setting is Disable, so when the user wants to use the VPN function, make sure the setting is enabled.
IPSec NAT-T: If there is an external NAT device between the VPN tunnel endpoints, the user must enable the NAT-T (NAT Traversal) function.

IPSec Quick Setting

The Industrial Secure Router's Quick Setting mode can be used to easily set up a site-to-site VPN tunnel between two Industrial Secure Router units.

(Figure: Quick Setting for an EDR-G903 connecting to an EDR-G903)

When choosing the Quick Setting mode, the user only needs to configure the following:
- Tunnel Setting
- Security Setting
  > Encryption Strength: Simple (AES-128), Standard (AES-192), Strong (AES-256)
  > Password o
(Figure: Recent 10 Event Log table; the sample entries, dated 2010/4/7, include WAN link off, LAN link off, WAN link on, LAN link on, NAT Configuration Change, WAN2 Backup Function Disable, DDNS Disable, DoS Disable, admin auth ok, WAN Backup Disable and QoS Disable)

Click More at the top of the Interface Status table to see detailed information about all interfaces.

(Figure: Interface Status table: Port 1 WAN1 PPPoE Connect; Port 2 (Opt) WAN2 Disconnect; Port 3 LAN Connect. Detail Interface Status: WAN1 DHCP_IP 192.168.2.106 / 255.255.255.0, MAC 00:09:ad:00:00:03, Connect, packet and byte counters, gateway 192.168.2.1; WAN2 STATIC_IP 0.0.0.0 / 0.0.0.0, MAC 00:09:ad:00:00:02, Disconnect; LAN STATIC_IP 192.168.127.254 / 255.255.255.0, MAC 00:09:ad:00:00:01, Connect; DNS Server List 192.168.2.1)

Click More at the top of the Recent 10 Event Log table to open the EventLogTable page.

(Figure: EventLogTable page listing numbered events with date and time)
...ions (V3 only); Contact Person admin; Auth Type MD5; Data Encryption Key (masked); Community Name 1 public, Access Control 1 Read Only; Community Name 2 private, Access Control 2 Read Only; Trap Targets: Target IP Address 1, 2 and 3 0.0.0.0)

SNMP Versions (Disable, V1/V2c/V3, or V3 only): Select the SNMP protocol version used to manage the secure router. Default: Disable
Contact Person (Admin or User): Admin privilege allows access and authorization to read and write the MIB file. User privilege only allows reading the MIB file and does not give authorization to write.
Auth Type
  MD5: Provides authentication based on the HMAC-MD5 algorithm. 8-character passwords are the minimum requirement for authentication.
  SHA: Provides authentication based on the HMAC-SHA algorithm. 8-character passwords are the minimum requirement for authentication.
Data Encryption Key (max. 30 characters): An 8-character data encryption key is the minimum requirement for data encryption. Default: None
Community Name 1 / 2 (max. 30 characters): Use a community string match for authentication. Defaults shown: public, private
Access Control (Read Only): Access control type after matching the community string. Default: Read Only
Target IP Address (IP address): Enter the IP address of the trap server used by your networ

NOTE: SNMP v1 and v2c send the community string in cleartext, and "public" and "private" are the first strings anyone tries. Change them, or use V3 only with an Auth Type and Data Encryption Key set.
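Behind the Auth Type and Data Encryption Key settings above is the SNMPv3 USM key derivation of RFC 3414: the password is expanded to 1,048,576 octets and hashed (MD5 or SHA-1), and the result is localized with the agent's engine ID so that the same password yields a different key on every router. The added example below (not Moxa's code) implements that derivation with the standard library; the 8-character minimum the page requires is enforced here as the example's own check, and the test values are the RFC's published vectors for the password "maplesyrup".

```python
import hashlib

# Added illustration of RFC 3414 password-to-key and key localization (SNMPv3 USM).
# Not Moxa's code. The minimum-length check mirrors the 8-character rule on the page.

ONE_MEGABYTE = 1048576
ALGORITHMS = {"MD5": "md5", "SHA": "sha1"}   # the two Auth Types offered by the router


def password_to_key(password: str, algorithm: str) -> bytes:
    """Ku: hash of the password repeated to exactly 1,048,576 octets."""
    if len(password) < 8:
        raise ValueError("SNMPv3 passwords must be at least 8 characters")
    pw = password.encode()
    expanded = (pw * (ONE_MEGABYTE // len(pw) + 1))[:ONE_MEGABYTE]
    return hashlib.new(ALGORITHMS[algorithm], expanded).digest()


def localized_key(password: str, engine_id: bytes, algorithm: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): the per-agent key the manager must use."""
    ku = password_to_key(password, algorithm)
    return hashlib.new(ALGORITHMS[algorithm], ku + engine_id + ku).digest()
```

Localization is why a manager must learn each router's engine ID (it does so in the discovery exchange) before it can authenticate, and why a compromised localized key from one router does not directly give the key for another.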
73. k

SNMP Trap Type

(Screenshot: SNMP Trap Settings page. System Events: Cold Start, Warm Start, Power Transition (On to Off), Power Transition (Off to On), DI (Off), DI (On), Config Change, Auth Failure. Port Events: Link Off for WAN and LAN.)

SNMP Trap Types can be divided into two basic groups: System Events and Port Events. System Events are related to the overall function of the router, whereas Port Events are related to the activity of a specific port.

Warm Start: The Industrial Secure Router is rebooted, such as when network parameters are reset.
DI (Off): Digital Input is triggered by an on-to-off transition.
DI (On): Digital Input is triggered by an off-to-on transition.
Config Change: A configuration item has been changed.
Auth Failure: An incorrect password is entered.
Link ON: The port is connected to another device.
Link OFF: The port is disconnected (e.g., the cable is pulled out, or the opposing device shuts down).

Using Auto Warning

Since industrial Ethernet devices are often located at the endpoints of a system, these devices will not always know what is happening elsewhere on the network. This means that an industrial Ethernet router that connects to these devices must provide system maintainers with real-time alarm messages. Even when control engineers are out of the control room for an extended period of time, they can still be informed of the status of devices almost instantaneously when exceptions oc
74. n

(Screenshot: Dead Peer Detection settings with Action "Hold", Delay 30 seconds, Timeout 120 seconds.)

Action
Setting: Action when a dead peer is detected: Hold this VPN tunnel; Reconnect this VPN tunnel; Disable Dead Peer Detection
Factory Default: Hold

Delay
Setting: Delay time (seconds)
Description: The period of dead peer detection messages.
Factory Default: 30 sec

Timeout
Setting: Timeout (seconds)
Description: Timeout to check if the connection is alive or not.
Factory Default: 120 sec

3-59 Industrial Secure Router Features and Functions

IPSec Status

The user can check the VPN tunnel status in the IPSec Connection List. This list shows the Name of the IPSec tunnel, the IP address of the Local and Remote Subnet/Gateway, and the established status of the Key exchange phase and Data exchange phase.

(Screenshot: IPSec Connection List with columns Name, Local Subnet, Local Gateway, Remote Gateway, Remote Subnet, Key Exchange (IPSec Phase 1) and Data Exchange (IPSec Phase 2).)

X.509 Certification

X.509 is a digital certificate method commonly used for IPSec authentication. The Industrial Secure Router can generate a trusted Root Certification and then export/import the certificate to the remote VPN gateway. The diagram below indicates the 5 steps you should follow to use X.509 for IPSec authentication with two VPN gateways, referred to as EDR-G903 A and EDR-G903 B in the diagram.

1. Root Certificate generation: Both EDR-G903 A and EDR-G903 B need to generate their own root certificates.
2. EDR-G903 A and EDR-G903 B can request new certifications based on their own Root Certificates.
3. G
75. nabled

RIP Enable Interface
Setting: WAN
Description: Check the checkbox to enable RIP in the WAN interface.
Factory Default: Unchecked
Setting: LAN
Description: Check the checkbox to enable RIP in the LAN interface.
Factory Default: Unchecked

3-36 Industrial Secure Router Features and Functions

RIP Interface Table (EDR-810 series only)
Setting: Enable/Disable
Description: Check the checkbox to enable RIP for each interface.
Factory Default: Unchecked

Routing Table

The Routing Table page shows all routing entries.

(Screenshot: All Routing Entry List, page 1/1.)
Index  Type       Destination Address  Next Hop         Interface Name
1      default    0.0.0.0/0            192.168.2.254    wan1
2      connected  100.100.100.0/24     100.100.100.254  lan
3      connected  192.168.2.0/24       192.168.2.74     wan1

Network Address Translation (NAT)

NAT Concept

NOTE: NAT (Network Address Translation) is a common security function for changing the IP address during Ethernet packet transmission. When the user wants to hide the internal IP address (LAN) from the external network (WAN), the NAT function will translate the internal IP address to a specific IP address, or an internal IP address range to one external IP address. The benefits of using NAT include:
• Uses the N-1 or Port Forwarding NAT function to hide the internal IP address of a critical network or device, to increase the level of security of industrial network applications.
• Uses the same private IP address for different but identical groups of Ethernet devices. For example, 1-to-1 NAT makes it easy to duplicate or extend identi
76. nal private IP addresses of these devices will map to different public IP addresses. Configuring a group of devices for 1-to-1 NAT is easy and straightforward.

(Figure: Production Line 1 with devices 10.10.1.1 and 10.10.1.2 mapped to 192.168.100.1 and 192.168.100.2; Production Line 2 with devices 10.10.2.1 and 10.10.2.2 mapped to 192.168.100.1 and 192.168.100.2.)

3-40 Industrial Secure Router Features and Functions

1-to-1 NAT Setting for EDR-G903 in Production Line 1
(Screenshot: NAT List (2/64). Entry 1: Source IP 192.168.100.1, Destination IP 10.10.1.1. Entry 2: Source IP 192.168.100.2, Destination IP 10.10.1.2.)

1-to-1 NAT Setting for EDR-G903 in Production Line 2
(Screenshot: NAT List (2/64). Entry 1: Source IP 192.168.100.1, Destination IP 10.10.2.1. Entry 2: Source IP 192.168.100.2, Destination IP 10.10.2.2.)

(Screenshot: NAT policy form with Enable checkbox, NAT Mode 1-1, LAN/DMZ IP, WAN IP and Interface WAN1.)

Enable/Disable
Setting: Enable or Disable
Description: Enable or disable the selected NAT policy.

NAT Mode
Setting: N-1, 1-1, Port Forward
Description: Select the NAT type.

Interface (1-1 NAT type)
Description: Select the interface for this NAT policy.

LAN/DMZ IP (1-1 NAT type)
Setting: IP Address
Description: Select the internal IP address in the LAN/DMZ network area.
Factory Default: None

WAN IP (1-1 NAT type)
Setting: IP Address
Description: Select the external IP address in the WAN network area.
Factory Default: None

NOTE: The Industrial Secure Router can obtain an IP address via DHCP or PPPoE. However
77. nk aggregation involves grouping links into a link aggregation group. A MAC client can treat link aggregation groups as if they were a single link.

The port trunking feature allows devices to communicate by aggregating up to 4 trunk groups, with a maximum of 8 ports for each group. If one of the 8 ports fails, the other seven ports will automatically provide backup and share the traffic.

Port trunking can be used to combine up to 8 ports between two Moxa switches. If all ports on both switches are configured as 100BaseTX and they are operating in full duplex, the potential bandwidth of the connection will be 1600 Mbps.

3-16 Industrial Secure Router Features and Functions

Port Trunk Settings

The Port Trunking Settings page is where ports are assigned to a trunk group.

(Screenshot: Port Trunking Settings page with Trunk Group Trk1, Trunk Type Static, a Member Ports table (ports 2 and 4) and an Available Ports table (ports 1, 3, 9, 10), each with columns Port, Enable, Description, Name, Speed and FDX Flow Ctrl.)

Step 1: Select the desired Trunk Group.
Step 2: Select the Trunk Type (Static or LACP). Note: LACP will be ready by Q4 2013.
Step 3: Select the desired ports under Available Ports and click Up to add them to the Trunk Group.
Step 4: Select the desired ports under Member Ports and click Down to r
78. not have an Internet connection for an NTP server, or there is no NTP server on the network.

Current Time
Setting: User adjustable time
Description: The time parameter allows configuration of the local time in local 24-hour format (hh:mm:ss).
Factory Default: None

Current Date
Setting: User adjustable date
Description: The date parameter allows configuration of the local date in yyyy-mm-dd format.
Factory Default: None

Daylight Savings Time

Daylight Savings Time (also known as DST or summer time) involves advancing clocks 1 hour during the summer to provide an extra hour of daylight in the evening.

3-10 Industrial Secure Router Features and Functions

Start Date
Setting: User adjustable date
Description: The Start Date parameter allows users to enter the date that daylight saving time begins.
Factory Default: None

End Date
Setting: User adjustable date
Description: The End Date parameter allows users to enter the date that daylight saving time ends.
Factory Default: None

Offset
Setting: User adjustable date
Description: The offset parameter indicates how many hours forward the clock should be advanced.
Factory Default: None

System Up Time
Indicates the EDR-G903's up time from the last cold start. The unit is seconds.

Time Zone
Setting: User selectable time zone
Description: The time zone setting allows conversion from GMT (Greenwich Mean Time) to local time.
Factory Default: GMT

Changing the time zone will automatically correct the current time. You should configure the time zone before setting the time.

Enable NTP/SNTP Server
Enable this function to
79. only used in Ethernet frames.

EtherType for Layer 2 Protocol
0x6559  Raw Frame Relay
0x80F3  AppleTalk AARP

3-45 Industrial Secure Router Features and Functions

0x809B  AppleTalk

Quick Automation Profile

Ethernet Fieldbus protocols are popular in industrial automation applications. In fact, many Fieldbus protocols (e.g., EtherNet/IP and Modbus TCP/IP) can operate on an industrial Ethernet network with the Ethernet port number defined by IANA (Internet Assigned Numbers Authority). The Industrial Secure Router provides an easy-to-use function called Quick Automation Profile that includes 45 different pre-defined profiles (Modbus TCP/IP, EtherNet/IP, etc.), allowing users to create an industrial Ethernet Fieldbus firewall policy with a single click. For example, if the user wants to create a Modbus TCP/IP firewall policy for an internal network, the user just needs to select the Modbus TCP/IP (TCP) or Modbus TCP/IP (UDP) protocol from the Protocol drop-down menu on the Firewall Policy Setting page.

(Screenshot: Firewall Policy Setting page with Enable, Targets, Interface From All / To All, Source IP, Destination IP and Filter List fields.)

The following table shows the Quick Automation Profile for each Ethernet Fieldbus Protocol and the corresponding port number.

Ethernet Fieldbus Protocol  Port Number
EtherCAT port (TCP)         34980
EtherCAT port (UDP)         34980
EtherNet/IP I/O (TCP)       2222

3-46 Industrial Secure Router

FF Fieldbus Message
80. provide protection when the device is connected to a LAN. In this regard, the LAN port connects to a secure or trusted area of the network, whereas the WAN1 and WAN2/DMZ ports connect to an insecure or untrusted area.

(Screenshot: LAN IP Configuration with IP Address 192.168.127.254 (ex. 192.168.1.1) and Subnet Mask 255.255.255.0 (ex. 255.255.255.0).)

LAN IP Configuration

IP Address
Setting: IP Address
Description: The LAN interface IP address.
Factory Default: 192.168.127.254

Subnet Mask
Setting: Subnet Mask
Description: The subnet mask.
Factory Default: 255.255.255.0

Industrial Secure Router Features and Functions

LAN Configuration (EDR-810 series only)

The EDR-810 series supports up to 15 LAN interfaces for the 8 10/100 Mbps ports and the 2 Gigabit SFP ports. Use the LAN Configuration page to Add/Delete/Modify LAN interfaces.

(Screenshot: LAN Configuration page. LAN IP Configuration: Name LAN, Enable checked, VLAN ID 1, IP Address 192.168.127.254, Subnet Mask 255.255.255.0. VLAN Interface List (2/16) with columns Name, Enable, VLAN ID, IP Address and Subnet Mask, including an entry named Modbus with VLAN ID 3, IP Address 10.0.0.254 and Subnet Mask 255.255.255.0.)

Add a VLAN Interface: Input a name for the VLAN interface, select a VLAN ID, and assign an IP address and Subnet Mask for the interface. Checkmark the Enable checkbox to enable this interface.
Delete a VLAN Interface: Select the item in the VLAN Interface List and then click Delete to delete the item.
Modify a VLAN Interface: Select the item in the VLAN Interface
81. ration

(Screenshot: WAN1 Configuration, Connection section, with Connect Mode Disable/Enable and Connect Type Dynamic IP.)

Connection

Note that there are three different connection types for the WAN1 interface: Dynamic IP, Static IP, and PPPoE. A detailed explanation of the configuration settings for each type is given below.

Connection Mode
Setting: Enable or Disable
Description: Enable or Disable the WAN interface.

Connection Type
Setting: Static IP, Dynamic IP, PPPoE
Description: Set up the connection type.
Factory Default: Dynamic IP

Detailed Explanation of Dynamic IP Type

(Screenshot: WAN1 Configuration with Connect Mode Enable and Connect Type Dynamic IP; PPTP Dialup section with PPTP Connection Enable, IP Address, User Name and Password; DNS (optional for Dynamic IP or PPPoE type) with Server 1 192.168.2.1, Server 2 0.0.0.0 and Server 3 0.0.0.0.)

PPTP Dialup

Point-to-Point Tunneling Protocol is used for Virtual Private Networks (VPN). Remote users can use PPTP to connect to private networks from public networks.

PPTP Connection
Setting: Enable or Disable
Description: Enable or Disable the PPTP connection.
Factory Default: None

IP Address
Setting: IP Address
Description: The PPTP service IP address.
Factory Default: None

User Name
Setting: Max. 30 characters
Description: The login username when dialing up to the PPTP service.
Factory Default: None

Password
Setting: Max. 30 characters
Description: The password for dialing the PPTP service.
Factory Default: None

3-22 Industrial Secure Router Features and Functions

Example S
82. rm button, the Industrial Secure Router will revert to the previous setting.

Firewall Policy
Description: Enables or Disables the SettingCheck function when the Firewall policies change.

NAT Policy
Description: Enables or Disables the SettingCheck function when the NAT policies change.

Accessible IP List
Description: Enables or Disables the SettingCheck function when the Accessible IP List changes.

Layer 2 Filter
Description: Enables or disables the SettingCheck function when the Layer 2 filter changes.

Timer
Setting: 10 to 3600 sec
Description: The timer waits this amount of time to double confirm when the user changes the policies.
Factory Default: 180 sec

For example, if the remote user (IP: 10.10.10.10) connects to the Industrial Secure Router and changes the accessible IP address to 10.10.10.12, or deselects the Enable checkbox accidentally, then after the remote user clicks the Activate button, the connection to the Industrial Secure Router will be lost because the IP address is not in the Industrial Secure Router's Accessible IP list.

(Screenshot: Accessible IP List page with "Enable the accessible IP list (Disable will allow all IPs' connection)" checked, LAN enabled, and entry 1: IP Address 10.10.10.12, Netmask 255.255.255.255.)

If the user enables the SettingCheck function with the Accessible IP list and the confirmer Timer is set to 15 seconds, then when the user clicks the Activate button on the accessible IP list page, the Industrial Secure Router will execute the configuration change and the web browser will try to jump to the SettingCheck Confirmed p
83. rnet traffic matches the outgoing policies, the maximum bandwidth for a packet sent from these source IP addresses will be:

(Figure: Bandwidth by source IP. 192.168.127.10: 10 KByte/s; 192.168.127.11: 20 KByte/s; 192.168.127.12: 30 KByte/s; 192.168.127.13: 40 KByte/s. Packet size 1518 bytes. Priority 0: 192.168.127.10, 25 Mbps; Priority 1: 192.168.127.11, 25 Mbps; Priority 2: 192.168.127.12, 25 Mbps; Priority 3: 192.168.127.13, 25 Mbps.)

Features and Functions

reserved by its target priority. If there are only two kinds of traffic packets (priority 0 and priority 1), then transmission will proceed from LAN to WAN1 and the Industrial Secure Router will reserve the minimum bandwidth (10 KBytes/s and 20 KBytes/s) based on these two different IP addresses. In this case there are still 100 KBytes/s - 10 KBytes/s - 20 KBytes/s = 70 KBytes/s that do not belong to any priority. So the Industrial Secure Router will increase the bandwidth from the highest priority (0) to the lowest priority (3). The Industrial Secure Router will add this 70 KBytes/s of bandwidth to priority 0 because the maximum bandwidth of priority 0 is 100 KBytes/s.

(Figure: Bandwidth with two kinds of traffic. 192.168.127.10: 80 KByte/s; 192.168.127.11: 20 KByte/s. Packet size 1518 bytes. Priority 0: 192.168.127.10, 25 Mbps; Priority 1: 192.168.127.11, 25 Mbps.)

The figure to the above right shows the bandwidth arrangement of the Industrial Secure Router based on this configuration.

Configuring SNMP

The Industrial Secure Router supports SNMP V1, V2c, V3. SNMP V1 and
84. rors, and these changes are incorporated into new editions of the publication.

Technical Support Contact Information
www.moxa.com/support

Moxa Americas
Toll-free: 1-888-669-2872
Tel: +1-714-528-6777
Fax: +1-714-528-6778

Moxa Europe
Tel: +49-89-3 70 03 99-0
Fax: +49-89-3 70 03 99-99

Moxa China (Shanghai office)
Toll-free: 800-820-5036
Tel: +86-21-5258-9955
Fax: +86-21-5258-5505

Moxa Asia-Pacific
Tel: +886-2-8919-1230
Fax: +886-2-8919-1231

Table of Contents
1. Introduction ... 1-1
   Overview ... 1-2
   Package Checklist ... 1-2
   Features ... 1-2
   Industrial Networking Capability ... 1-2
   Designed for Industrial Applications ... 1-2
   Useful Utility and Remote Configuration ... 1-2
2. Getting Started ... 2-1
   RS-232 Console Configuration (115200, None, 8, 1, VT100) ... 2-2
   Using Telnet to Access the Industrial Secure Router's Console ... 2-3
   Using a Web Browser to Configure the Industrial Secure Router ... 2-4
3. Features and Functions ...
85. rrors are related to Mask, Include, and Cross Conflict.

Mask: Policy X is masked by Policy Y

The Source/Destination IP range or Source/Destination port number of policy X is smaller than or equal to that of policy Y, but the action target (Accept/Drop) is different. For example, two firewall policies are shown below:

Source IP                   Destination IP   Target
10.10.10.10                 192.168.127.10   ACCEPT
20.20.20.10 to 20.20.20.30  192.168.127.20   ACCEPT

Suppose the user next adds a new policy with the following configuration:

Index  Input  Output  Protocol  Source IP    Destination IP  Target
3      WAN2   LAN     All       20.20.20.20  192.168.127.20  DROP

After clicking the PolicyCheck button, the Industrial Secure Router will issue a message informing the user that policy 3 is masked by policy 2, because the IP range of policy 3 is smaller than the IP range of policy 2 and the Target action is different.

(Screenshot: PolicyCheck message "rule 3 is masked by rule 2".)

3-48 Industrial Secure Router Features and Functions

Include: Policy X is included in Policy Y

The Source/Destination IP range or Source/Destination port number of policy X is less than or equal to that of policy Y, and the action target (Accept/Drop) is the same. In this case, policy X will increase the loading of the Industrial Secure Router and lower its performance. For example, two firewall policies are shown in the following table:

Output  Protocol  Source IP    Destination IP  Target
                  10.10.10.10  192.168.127.10  ACCEPT
LAN     All       20.20.20.10  192.168.127.20  AC
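The Mask and Include checks described above, as an added example that is not part of the manual or of Moxa's PolicyCheck implementation: each policy is compared against every earlier (lower-index) policy, and it is "masked" when its source and destination ranges fit inside the earlier policy's ranges with a different target, or "included" when they fit with the same target. Only IP ranges are modelled (port numbers, which the manual also mentions, are left out); the Policy class and the sample policies are constructed here to mirror the manual's example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """A firewall policy reduced to the fields the Mask/Include checks need.
    A single host is a range whose first and last address are equal."""
    index: int
    src_first: str
    src_last: str
    dst_first: str
    dst_last: str
    target: str  # "ACCEPT" or "DROP"


def _as_ints(first, last):
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    if lo > hi:
        raise ValueError(f"range {first}-{last} is reversed")
    return lo, hi


def range_within(inner_first, inner_last, outer_first, outer_last):
    """True when every address of the inner range is also in the outer range."""
    a, b = _as_ints(inner_first, inner_last)
    c, d = _as_ints(outer_first, outer_last)
    return c <= a and b <= d


def covered_by(x, y):
    """True when policy y matches every packet that policy x matches
    (x's source and destination ranges both sit inside y's)."""
    return (range_within(x.src_first, x.src_last, y.src_first, y.src_last)
            and range_within(x.dst_first, x.dst_last, y.dst_first, y.dst_last))


def policy_check(policies):
    """Return a list of (kind, x_index, y_index) findings.

    kind is "masked" when x is covered by an earlier policy y with a different
    target (x can never take effect) and "included" when the target is the same
    (x is redundant and only adds matching work)."""
    findings = []
    ordered = sorted(policies, key=lambda p: p.index)
    for i, x in enumerate(ordered):
        for y in ordered[:i]:          # only earlier policies can shadow x
            if covered_by(x, y):
                kind = "masked" if x.target != y.target else "included"
                findings.append((kind, x.index, y.index))
    return findings


def format_findings(findings):
    """Render findings in the wording the manual's PolicyCheck dialog uses."""
    return [f"rule {x} is {kind} by rule {y}" if kind == "masked"
            else f"rule {x} is included in rule {y}"
            for kind, x, y in findings]


# Constructed sample mirroring the manual's example: policies 1 and 2 ACCEPT,
# new policy 3 DROPs a single host inside policy 2's source range.
EXAMPLE_POLICIES = [
    Policy(1, "10.10.10.10", "10.10.10.10", "192.168.127.10", "192.168.127.10", "ACCEPT"),
    Policy(2, "20.20.20.10", "20.20.20.30", "192.168.127.20", "192.168.127.20", "ACCEPT"),
    Policy(3, "20.20.20.20", "20.20.20.20", "192.168.127.20", "192.168.127.20", "DROP"),
]

if __name__ == "__main__":
    for line in format_findings(policy_check(EXAMPLE_POLICIES)):
        print(line)
```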
86. s

Default Priority
Setting: Priority 0, 1, 2, 3
Description: A packet that does not match any incoming/outgoing policy will adhere to the default priority.
Factory Default: Priority 3

Minimum Bandwidth of Priority 0, 1, 2, 3
Setting: 1 to 1,000,000 KBytes/s
Description: The minimum bandwidth for Priority 0, 1, 2, 3.
Factory Default: Priority 0: 10 KBytes/s; Priority 1: 20 KBytes/s; Priority 2: 30 KBytes/s; Priority 3: 40 KBytes/s

Maximum Bandwidth of Priority 0, 1, 2, 3
Setting: 1 to 1,000,000 KBytes/s
Description: The maximum bandwidth for Priority 0, 1, 2, 3.
Factory Default: Priority 0: 10 KBytes/s; Priority 1: 20 KBytes/s; Priority 2: 30 KBytes/s; Priority 3: 40 KBytes/s

Outgoing/Incoming Policy Setup

After configuring the minimum/maximum bandwidth for each priority, users can set up the incoming or outgoing policies for Ethernet traffic, providing the setup meets all of the following conditions.

(Screenshot: policy form with Enable, From All / To All, Source IP All, Service By IP, Destination IP All and Priority 0.)

Enable or Disable
Setting: Enable or Disable
Description: Enable or disable this Incoming or Outgoing Policy.
Factory Default: Disabled

Packet To/From
Setting: All, WAN1, or WAN2
Description: Select the direction of Ethernet traffic for this policy. To: for an outgoing policy. From: for an incoming policy.
Factory Default: All

Protocol
Setting: All, TCP, UDP, ICMP
Description: Select the protocol for this policy.
Factory Default: TCP

3-67 Industrial Secure Router Features and Functions

Priority
Setting: Priority 0, 1, 2, 3
Description: Select the priority for this policy.
Factory Default: Priority 0

Source IP
Setting: All, IP Address
Description: Select the Source
87. s

Relay Event Types

(Screenshot: Relay Warning Event Settings. System Events: Override Relay 1 Warning Settings; Power Input 1 failure (On to Off) Disable; Power Input 2 failure (On to Off) Disable. Port Events: WAN and LAN set to Ignore.)

Event Types can be divided into two basic groups: System Events and Port Events. System Events are related to the overall function of the router, whereas Port Events are related to the activity of a specific port.

Port Events
Warning relay output is triggered when:
Link ON: The port is connected to another device.
Link OFF: The port is disconnected (e.g., the cable is pulled out, or the opposing device shuts down).

Override relay warning settings
Select this option to override the relay warning setting temporarily. Releasing the relay output will allow administrators to fix any problems with the warning condition.

Warning List
Use this table to see if any relay alarms have been issued.

(Screenshot: Current Warning List. 1: WAN Link Off. 2: WAN Link Off.)

3-74 Industrial Secure Router Features and Functions

Using Diagnosis

The Industrial Secure Router provides Ping tools and LLDP for administrators to diagnose network systems.

Ping

(Screenshot: "Use Ping Command to test Network Integrity" with Interface WAN1 and an IP address/Name field.)

The Ping function uses the ping command to give users a simple but powerful tool for troubleshooting network problems. The function's most unique feature is that even thoug
88. s from a PC host connected to the same LAN as the Industrial Secure Router, you must make sure that the PC host and the Industrial Secure Router are connected to the same logical subnet.

Before accessing the Industrial Secure Router's web browser, first connect the Industrial Secure Router's RJ45 Ethernet LAN ports to your Ethernet LAN, or directly to your PC's Ethernet card (NIC). You can use either a straight-through or cross-over Ethernet cable. The Industrial Secure Router's default LAN IP address is 192.168.127.254.

Perform the following steps to access the Industrial Secure Router's web browser interface:

1. Start Internet Explorer and type the Industrial Secure Router's LAN IP address in the Address field. Press Enter to establish the connection.
   (Screenshot: address bar showing https://192.168.127.254)

2-4 Industrial Secure Router Getting Started

2. The web login page will open. Select the login account (Admin or User) and enter the Password (the same as the Console password), and then click Login to continue. Leave the Password field blank if a password has not been set.
   (Screenshot: Moxa EtherDevice Secure Router EDR-G903 login page with Username, Password and Login.)

NOTE: By default, the Industrial Secure Router's password is not set (i.e., is blank).

You may need to wait a few moments for the web page to be downloaded to your computer. Use the menu tree on the left side of the window to open the function pages to access each of the router's functions.

MO
89. s policy will check all Data Address Indexes in the packet. (Factory Default: All)
Setting: Single Address Index
Description: This Modbus policy will check a single Data Address Index in the packet.
Setting: Range Address Index
Description: This Modbus policy will check multiple Data Address Indexes in the packet.

Target
Setting: Accept
Description: The packet will penetrate the firewall when it matches this policy.
Factory Default: Accept
Setting: Drop
Description: The packet will not penetrate the firewall when it matches this policy.

Source IP
Setting: All IP Address
Description: This Modbus policy will check all Source IP addresses in the packet.
Factory Default: All
Setting: Single IP Address
Description: This Modbus policy will check a single Source IP address in the packet.
Setting: Range IP Address
Description: This Modbus policy will check multiple Source IP addresses in the packet.

3-51 Industrial Secure Router Features and Functions

Destination IP
Setting: All IP Address
Description: This Modbus policy will check all Destination IP addresses in the packet.
Factory Default: All
Setting: Single IP Address
Description: This Modbus policy will check a single Destination IP address in the packet.
Setting: Range IP Address
Description: This Modbus policy will check multiple Destination IP addresses in the packet.

Unit identifier (UID) is used with Modbus TCP devices that are composites of several Modbus devices. It may be used to communicate via devices such as bridges and gateways, which use a single IP address to support multiple independent end units.

Function code defines the message type and the type of action required by the slave. The parameter contains one byte of informa
90. sed to specify the next router along the path to the destination.

Metric
Use this option to specify a cost for accessing the neighboring network.

3-35 Industrial Secure Router Features and Functions

Clickable Buttons
Add: For adding an entry to the Static Routing Table.
Delete: For removing selected entries from the Static Routing Table.
Modify: For modifying the content of a selected entry in the Static Routing Table.

NOTE: The entries in the Static Routing Table will not be added to the Industrial Secure Router's routing table until you click the Activate button.

RIP

Routing Information Protocol (RIP) is a distance-vector routing protocol that employs the hop count as a routing metric. RIP prevents routing from looping by implementing a limit on the number of hops allowed in a path from the source to a destination. The RIP Setting page is used to set up the RIP parameters.

(Screenshot: RIP Setting page with RIP State Disable, RIP Version V1/V2, RIP Distribution Static, RIP Enable Interface WAN/LAN, and an interface table listing LAN2 192.168.128.254 and LAN4 192.168.129.254.)

RIP State
Setting: Enable/Disable
Description: Enable or Disable the RIP protocol.
Factory Default: Disable

RIP Version
Setting: V1, V2
Description: Select the RIP protocol version.
Factory Default: V2

RIP Distribution
Setting: Static
Factory Default: Unchecked
Description: Check the checkbox to enable the Redistributed Static Route function. The entries that are set in a static route will be re-distributed if this option is e
91. st click on a list to select it (the background color of the device will change to blue), modify the information as needed using the check boxes and text input boxes near the top of the browser window, and then click Modify.

DHCP Leased List

Use the DHCP Leased List to view the current DHCP clients.

(Screenshot: DHCP Leased List showing one client, 192.168.127.1, with its MAC address and remaining lease time.)

Dynamic DNS

Dynamic DNS (Domain Name Server) allows you to use a domain name (e.g., moxa.edr-g903) to connect to the Industrial Secure Router. The Industrial Secure Router can connect to 4 free DNS servers and register the user-configurable Domain name in these servers.

(Screenshot: Dynamic DNS page with Service Disable, Server Name, User Name, Password, Verify Password and Domain Name.)

Service
Setting: Disable; freedns.afraid.org; www.3322.org; members.dyndns.org; dynupdate.no-ip.com
Description: Disable or select the DNS server.
Factory Default: Disable

User Name
Setting: Max. 30 characters
Description: The DNS server's user name.
Factory Default: None

Password
Setting: Max. 30 characters
Description: The DNS server's password.
Factory Default: None

3-31 Industrial Secure Router Features and Functions

Verify Password
Setting: Max. 30 characters
Description: Verifies the DNS server password.
Factory Default: None

Domain Name
Setting: Max. 30 characters
Description: The DNS server's domain name.
Factory Default: None

Network Redundancy

Moxa's Industrial Secure Router provides two types of network redundancy functions: WAN backup (EDR-G903 only) and VRRP. The Industrial Secure Router h
92. te the backup path:
• Link Check: WAN1 link down.
• Ping Check: Sends ping commands to a specific IP address (e.g., the IP address of the ISP's server) from WAN1, based on the user-configurable Time Interval, Retry, and Timeout.

When the WAN backup function is enabled and the Link Check or Ping Check for the WAN1 interface fails, the backup interface (WAN2) will be enabled as the primary interface.

3-32 Industrial Secure Router Features and Functions

WAN Backup Configuration

NOTE: Select Backup for the WAN2/DMZ Connect Mode, and then go to the Network Redundancy > WAN Backup setting page for the WAN Backup configuration.
(Screenshot: WAN2 Configuration, Connection section, with Connect Mode Disable/Enable/Backup and Connect Type Dynamic IP.)

(Screenshot: WAN Backup page with Link Check, Ping Check, IP, Interval (sec, 1-1000), Retry (1-100), Timeout (ms, 100-10000) and Activate.)

Link Check
Setting: Enable or Disable
Description: Activates the Backup function by checking the link status of WAN1.
Factory Default: Disabled

Ping Check
Setting: Enable or Disable
Description: Activates the Backup function if unable to ping from the Industrial Secure Router to a specified IP address.
Factory Default: Disabled

IP
Setting: IP address
Description: The Industrial Secure Router will check the ping integrity of this IP address if the Ping Check function is Enabled. The IP address for the Ping Check function should be on the network segment of WAN1.
Factory Default: None

Interval
Setting: 1 to 1000 sec
Factory Default: 180 sec
Description: Users can set up a different Ping Interval for a different network
93. th and Name
Setting: Max. 40 characters
Description: The path and filename of the Industrial Secure Router's log file.

After setting up the desired path and filename, click Activate to save the setting. Next, click Download to download the file from the remote TFTP server, or click Upload to upload a file to the remote TFTP server.

System File Update by Local Import/Export

(Screenshot: Upgrade Software or Configuration page with Configuration File Export, Log File Export, Upgrade Firmware Import, and Upload Configure Data Import.)

Configuration File
Click Export to export the configuration file of the Industrial Secure Router to the local host.

Log File
Click Export to export the Log file of the Industrial Secure Router to the local host.

NOTE: Some operating systems will open the configuration file and log file directly in the web page. In such cases, right click the Export button and then save as a file.

Upgrade Firmware
To import a firmware file into the Industrial Secure Router, click Browse to select a firmware file already saved on your computer. The upgrade procedure will proceed automatically after clicking Import. This upgrade procedure will take a couple of minutes to complete, including the boot-up time.

Upload Configuration Data
To import a configuration file to the Industrial Secure Router, click Browse to select a configuration file already saved on your computer. The upgrade procedure will proceed automatically after clicking Import.

3-14 Ind
94. the Industrial Secure Router is controlled by IP address. If a host's IP address is in the

3-7 Industrial Secure Router Features and Functions

accessible IP table, then the host will have access to the Industrial Secure Router. You can allow one of the following cases by setting this parameter:
• Only one host with the specified IP address can access this device. E.g., enter 192.168.1.1/255.255.255.255 to allow access to just the IP address 192.168.1.1.
• Any host on a specific subnetwork can access this device. E.g., enter 192.168.1.0/255.255.255.0 to allow access to all IPs on the subnet defined by this IP address/subnet mask combination.
• Any host can access the Industrial Secure Router. Disable this function by deselecting the Enable the accessible IP list option.
• Any LAN can access the Industrial Secure Router. Disable this function by deselecting the LAN option to not allow any IP at the LAN site to access this device. E.g., if the LAN IP Address is set to 192.168.127.254/255.255.255.0, then IP addresses 192.168.127.1/24 to 192.168.127.253/24 can access the Industrial Secure Router.

The following table shows additional configuration examples:

Allowable Hosts                 Input Format
192.168.0.1 to 192.168.255.254  192.168.0.0 / 255.255.0.0
192.168.1.1 to 192.168.1.126    192.168.1.0 / 255.255.255.128
192.168.1.129 to 192.168.1.254  192.168.1.128 / 255.255.255.128

The Accessible IP list controls which devices can connect to the
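The Accessible IP list matching described above, and the SettingCheck lock-out scenario from the earlier passage (a remote user at 10.10.10.10 who replaces the entry with 10.10.10.12/255.255.255.255), as an added example that is not part of the manual or of Moxa's firmware: entries are the IP address/netmask pairs as typed on the page, and host_range() reproduces the "Allowable Hosts" column of the manual's table. The function names and the constructed entries are this example's own.

```python
import ipaddress


def _entry_network(ip, netmask):
    """Turn an Accessible IP list entry (address + dotted netmask) into a network.
    strict=False lets the entry carry host bits, e.g. 192.168.1.1/255.255.255.255."""
    return ipaddress.ip_network(f"{ip}/{netmask}", strict=False)


def is_allowed(host_ip, entries, list_enabled=True):
    """True if host_ip may reach the router's management interface.

    entries: list of (ip, netmask) strings as entered on the Accessible IP page.
    list_enabled=False models deselecting "Enable the accessible IP list",
    after which any host may connect."""
    if not list_enabled:
        return True
    host = ipaddress.ip_address(host_ip)
    return any(host in _entry_network(ip, mask) for ip, mask in entries)


def host_range(ip, netmask):
    """(first, last) host address an entry admits, in the manual's table style.
    A /32 entry admits exactly one address; a /31 admits both addresses;
    anything wider excludes the network and broadcast addresses."""
    net = _entry_network(ip, netmask)
    if net.prefixlen >= 31:
        return str(net.network_address), str(net.broadcast_address)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def would_lock_out(admin_ip, new_entries):
    """True when activating new_entries would cut off the administrator who is
    making the change: the case SettingCheck's confirmation timer guards against."""
    return not is_allowed(admin_ip, new_entries)


# Constructed entries taken from the manual's examples (not a real device config).
SINGLE_HOST = [("192.168.1.1", "255.255.255.255")]
WHOLE_SUBNET = [("192.168.1.0", "255.255.255.0")]
TABLE_ENTRIES = [
    ("192.168.0.0", "255.255.0.0"),
    ("192.168.1.0", "255.255.255.128"),
    ("192.168.1.128", "255.255.255.128"),
]

if __name__ == "__main__":
    for ip, mask in TABLE_ENTRIES:
        first, last = host_range(ip, mask)
        print(f"{ip} / {mask}: {first} to {last}")
    # The SettingCheck scenario: admin at 10.10.10.10 replaces the list with 10.10.10.12/32.
    print("lock-out:", would_lock_out("10.10.10.10", [("10.10.10.12", "255.255.255.255")]))
```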
95. tiation time.
Description: The number of allowed reconnect times when startup mode is initiated. If the number is 0, this tunnel will always try connecting to the remote gateway when the VPN tunnel is not created successfully.

IKE Lifetime
Setting: IKE lifetime (hours)
Description: Lifetime for the IKE SA.
Factory Default: 1 hr

Rekey Expire Time
Setting: Rekey expire time (minutes)
Description: Start to rekey before the IKE lifetime expires.
Factory Default: 9 min

Rekey Fuzz Percent
Setting: 0 to 100
Description: The rekey expire time will change randomly to enhance the security. Rekey fuzz percent is the maximum random change margin of the rekey expire time. 100 means the rekey expire time will not change randomly.
Factory Default: 100

3-58 Industrial Secure Router Features and Functions

Data Exchange (IPSec phase II)

(Screenshot: Data Exchange (IPSec Phase 2) with Perfect Forward Secrecy, SA Life Time 480 min, Encryption Algorithm 3DES, Hash Algorithm SHA1.)

Perfect Forward Secrecy
Setting: Enable or Disable
Description: Uses a different security key for different IPSec phases to enhance security.
Factory Default: Disable

SA Lifetime
Setting: SA lifetime (minutes)
Description: Lifetime for the SA in Phase 2.
Factory Default: 480 min

Encryption Algorithm
Description: Encryption Algorithm in data exchange.
Factory Default: 3DES

Hash Algorithm
Setting: Any, MD5, SHA1, SHA256
Description: Hash Algorithm in data exchange.
Factory Default: SHA1

Dead Peer Detection

Dead Peer Detection is a mechanism to detect whether or not the connection between a local secure router and a remote IPSec tunnel has been lost.

Dead Peer Detection Actio
96. tion. Valid function codes are in the range 1 to 255. Not all Modbus devices recognize the same set of function codes. The most common codes are supported for quick settings, and user-defined function codes are also supported. Most function codes address a single address or a range of addresses. The Industrial Secure Router provides code for deep data inspection.

Common function codes

The following table shows the various reading, writing and other operations, with the function code of each per the Modbus specification.

Data Access
  Bit Access
    Physical Discrete Inputs: Read Discrete Inputs (2)
    Internal Bits or Physical Coils: Read Coils (1), Write Single Coil (5), Write Multiple Coils (15)
  16-bit Access
    Physical Input Registers: Read Input Register (4)
    Internal Registers or Physical Output Registers: Read Holding Registers (3), Write Single Register (6), Write Multiple Registers (16), Read/Write Multiple Registers (23), Mask Write Register (22), Read FIFO Queue (24)
  File Record Access: Read File Record (20), Write File Record (21)
Diagnostics
  Read Exception Status (7), Diagnostic (8), Get Com Event Counter (11), Get Com Event Log (12), Report Slave ID (17), Read Device Identification (43)

3-52 Industrial Secure Router Features and Functions

Denial of Service (DoS) function

The Industrial Secure Router provides 9 different DoS functions for detecting or defining abnormal packet format or traffic flow. The Industrial Secure Router will drop the packets when it detects an abnormal packet format. The Industrial Secure Router will also monitor som
97. …ual LAN (EDR-810 series only)
Setting up Virtual LANs (VLANs) on your Moxa switch increases the efficiency of your network by dividing the LAN into logical segments instead of physical segments. In general, VLANs are easier to manage.

What is a VLAN?
A VLAN is a group of devices that can be located anywhere on a network but which communicate as if they were on the same physical segment. With VLANs you can segment your network without being restricted by physical connections, a limitation of traditional network design. With VLANs you can segment your network into:
- Departmental groups: you could have one VLAN for the marketing department, another for the finance department, and another for the product development department.
- Hierarchical groups: you could have one VLAN for directors, another for managers, and another for general staff.
- Usage groups: you could have one VLAN for email users and another for multimedia users.

[Figure: Switch A with Department 1 on VLAN 1, Department 2 on VLAN 2, and Department 3 on VLAN 3]

Benefits of VLANs
The main benefit of VLANs is that they provide a network segmentation system that is far more flexible than traditional networks. Keep in mind that a VLAN only separates broadcast domains; traffic between VLANs still has to be routed, so if the segmentation is meant as a security boundary, the firewall rules must be applied at that routing point. Using VLANs also provides you with three other benefits:
- VLANs ease the relocation of devices on networks. With traditional networks, network administrators spend much of their time dealing with moves and changes. If users move to a different sub-network, the addresses of…
98. …uppose a remote user (IP 10.10.10.10) wants to connect to the internal server (private IP 30.30.30.10) via the PPTP protocol. The IP address of the PPTP server is 20.20.20.1. The necessary configuration settings are shown in the following figure.

[Figure: PPTP client side with WAN IP 61.32.10.10, PPTP IP 20.20.20.2/32 and LAN host 10.10.10.10/24; PPTP server side with WAN IP 72.51.30.30, PPTP IP 20.20.20.1/32 and LAN host 30.30.30.10/24]

Static routes
  Client side: Destination Address 30.30.30.0 / 255.255.255.0, Next Hop 20.20.20.1
  Server side: Destination Address 10.10.10.0 / 255.255.255.0, Next Hop 20.20.20.2
Note: If the OS is Linux, the Next Hop is 20.20.20.1.

Note that PPTP's authentication (MS-CHAPv2) and its MPPE encryption are cryptographically broken; treat a PPTP dial-up as an unauthenticated, unencrypted link and prefer the IPsec tunnels described in this chapter where the peer supports them.

DNS (Domain Name Server; optional setting for the Dynamic IP and PPPoE types)
Server 1/2/3
  Setting: IP Address
  Description: The DNS IP address
  Factory default: None
NOTE: A manually configured DNS takes priority over the DNS supplied by the PPPoE or DHCP server.

Detailed Explanation of Static IP Type

[Screenshot: WAN1 Configuration: Connection (Connect Mode Disable/Enable, Connect Type Static), Address Information (IP Address, Gateway, Subnet Mask), PPTP Dialup (PPTP Connection Enable, IP Address, User Name, Password), DNS (optional for dynamic IP or PPPoE type; Server 1, Server 2)]

Address Information
IP Address
  Setting: IP Address
  Description: The interface IP address
Subnet Mask
  Setting: IP A…
99. …ure Router's rear panel by default
- Hardware installation guide (printed)
- CD-ROM with user's manual and Windows utility
- Warranty card

Features
Industrial Networking Capability
- Router/Firewall/VPN all in one
- 1 WAN, 1 LAN, and 1 user-configurable WAN or DMZ interface
- Network address translation (N-to-1, 1-to-1, and port forwarding)
Designed for Industrial Applications
- Dual WAN redundancy function
- Firewall with Quick Automation Profile for Fieldbus protocols
- Intelligent PolicyCheck and SettingCheck tools
- -40 to 75°C operating temperature (T models)
- Long-haul transmission distance of 40 km or 80 km with optional mini-GBIC
- Redundant dual 12 to 48 VDC power inputs
- IP30 rugged high-strength metal case
- DIN-rail or panel mounting ability
Useful Utility and Remote Configuration
- Configurable using a web browser and Telnet/serial console
- Send ping commands to identify network segment integrity

2. Getting Started
This chapter explains how to access the Industrial Secure Router for the first time. There are three ways to access the router: (1) serial console, (2) Telnet console, and (3) web browser. Telnet and plain HTTP carry the login password in clear text, so use them only from a trusted management network. The serial console connection method, which requires a short serial cable to connect the Industrial Secure Router to a PC's COM port, can be used if you do not know the Industrial Secure Router's IP address. The Telnet console and web browser connection methods can be used to access the In…
100. Restart
This function restarts the system. Click Activate to restart the Industrial Secure Router.

Reset to Factory Default
This function resets all settings to their factory default values. Be aware that previous settings will be lost. The Reset to Factory Default option gives users a quick way of restoring the Industrial Secure Router's configuration settings to the factory default values. This function is available in the console utility (serial or Telnet) and the web browser interface. Because every setting is restored, the firewall rules, VPN tunnels, and passwords configured earlier are lost as well; reconfigure the router before reconnecting it to a production network.

NOTE: After activating the Factory Default function, you will need to use the default network settings to re-establish a web browser or Telnet connection with your Industrial Secure Router.

Configuring Ports (EDR-810 series only)
Port Settings
Port settings give the user control over port access, port transmission speed, flow control, and port type (MDI or MDIX).

Port  Enable  Media Type    Speed  Flow Control  MDI/MDIX
1     yes     100TX,RJ45    Auto   Disable       Auto
2     yes     100TX,RJ45    Auto   Disable       Auto
3     yes     100TX,RJ45    Auto   Disable       Auto
4     yes     100TX,RJ45    Auto   Disable       Auto
5     yes     100TX,RJ45    Auto   Disable       Auto
6     yes     100TX,RJ45    Auto   Disable       Auto
7     yes     100TX,RJ45    Auto   Disable       Auto
8     yes     100TX,RJ45    Auto   Enable        Auto
9     yes     mGBIC,1000    Auto   Disable       Auto
10    yes     …
101. …vents

[Screenshot: Port Events: Link Off for WAN1, WAN2, and LAN]

Email Warning Event Types can be divided into two basic groups: System Events and Port Events. System Events are related to the overall function of the router, whereas Port Events are related to the activity of a specific port.

System Events (a warning email is sent when):
  Warm Start: The Industrial Secure Router is rebooted, such as when network parameters are changed.
  DI Off: The Digital Input is triggered by an on-to-off transition.
  DI On: The Digital Input is triggered by an off-to-on transition.
  Config Change: A configuration item has been changed.
  Auth Failure: An incorrect password is entered.
Port Events (a warning email is sent when):
  Link ON: The port is connected to another device.
  Link OFF: The port is disconnected (e.g., the cable is pulled out or the opposing device shuts down).

E-mail Setup

[Screenshot: Email Warning Events Settings: Email Alert Configuration with Mail Server Address, Port, User Name, Password, Sender Address, and 1st to 4th Recipient Address]

Mail Server (IP/Name)
  Setting: IP address
  Description: The IP address of your email server
  Factory default: None
Port
  Setting: Port number
  Description: The port number of your email server
  Factory default: None
Account Name
  Setting: Max. 30 characters
  Description: Your email account name, typically your user name
  Factory default: None
Email Password
  Setting: Max. 30 characters
  Description: The pass
  Factory default: None
102. …word
Tunnel Setting
  Connection Type: Site to Site (Any)
  Local Network: 100.100.3.1/24 (same as LAN interface)
  Startup mode: Wait for Connection
Key Exchange
  Pre-Shared Key: 12345
Data Exchange
  Encryption Algorithm: 3DES
  Hash Algorithm: SHA1

The pre-shared key 12345 is only an illustration. The PSK is the only thing that authenticates the two gateways to each other, so use a long, randomly generated key in a real deployment and distribute it out of band.

Traffic Prioritization
The Industrial Secure Router's traffic prioritization capability provides Quality of Service (QoS) to your network by making data delivery more reliable. You can prioritize traffic on your network to ensure that high-priority data is transmitted with minimum delay. Traffic can be controlled by a set of rules to obtain the required Quality of Service for your network.

NOTE: The maximum number of traffic prioritization policies for the Industrial Secure Router is 256.

How Traffic Prioritization Works
The Industrial Secure Router provides four priority levels (0 to 3, high to low) for incoming and outgoing traffic. In the following figure, incoming traffic refers to traffic transmitted from the WAN1 or WAN2 interface to the LAN interface; outgoing traffic refers to traffic transmitted from LAN to WAN1 or from LAN to WAN2.

[Figure: Outgoing traffic (LAN to WAN) and incoming traffic (WAN1 to LAN or WAN2 to LAN)]

The following figures show the configuration for incoming and outgoing traffic. Users can manage the priority of incoming traffic (WAN1 to LAN and WAN2 to LAN)…
103. …word

[Screenshot: L2TP Server settings: L2TP Server Mode, Local IP, Offered IP Range, User Name, Password]

L2TP Server Mode
  Setting: Enable/Disable
  Description: Enable or disable the L2TP function on the WAN1 or WAN2 interface
  Factory default: Disable
Local IP
  Setting: IP address
  Description: The IP address of the local subnet
  Factory default: 0.0.0.0
Offered IP Range
  Setting: IP address
  Description: The IP range offered to the L2TP clients
  Factory default: 0.0.0.0
Login User Name
  Setting: Max. xx characters
  Description: User name for the L2TP connection
  Factory default: NULL
Login Password
  Setting: Max. xx characters
  Description: Password for the L2TP connection
  Factory default: NULL

Note that L2TP by itself provides tunneling only, not encryption; the user name and password above authenticate the client, but the tunneled traffic is confidential only when the L2TP session is carried inside IPsec.

Examples for Typical VPN Applications
Site-to-Site IPsec VPN tunnel with Pre-Shared Key
The following example shows how to create a secure LAN-to-LAN VPN tunnel between the Central site and the Remote site via an Intranet network.

[Figure: EDR-G903 (1) at the Central site network 100.100.1.0/24 and EDR-G903 (2) at the Remote site network 100.100.3.0/24, connected across the Intranet network 100.100.2.0/24 by a VPN secure tunnel, with an Ethernet switch at each site]

VPN Plan
- All communication from the Central site network (100.100.1.0/24) to the Remote site network (100.100.3.0/24) must pass through the VPN tunnel.
- The Intranet network is 100.100.2.0/24.
- The configuration of the WAN/LAN interfaces of the two Industrial Secure Routers is shown in the following table.

Configuration        Industrial Secure Router 1 (EDR-G903)   Industrial Secure Router 2
WAN IP               100.100.2.1                             100.100.2.2
Interface…
104. …word of your email account.
Sender Email Address
  Setting: Email address
  Description: The address from which alarm emails are sent
  Factory default: None
Recipient Email Address
  Setting: Max. 50 characters
  Description: You can set up to 4 email addresses to receive alarm emails from the Industrial Secure Router
  Factory default: None

Send Test Email
After configuring the email settings, first click Activate to activate those settings, and then click Send Test Email to verify that the settings are correct.

NOTE: Auto warning e-mail messages are sent through an authentication-protected SMTP server that supports the CRAM-MD5, LOGIN, and PLAIN methods of the SASL (Simple Authentication and Security Layer) authentication mechanism. We strongly recommend not entering your Account Name and Account Password if auto warning e-mail messages can be delivered without using an authentication mechanism. LOGIN and PLAIN send the password base64-encoded, which is as good as clear text to anyone on the path, so they protect the account only if the SMTP session itself is encrypted; CRAM-MD5 never sends the password, but a captured challenge/response pair can still be attacked offline, so the mail account used here should have no privileges beyond sending alarms.

Configuring Relay Warning
The Auto Relay Warning function uses the relay output to alert the user when certain user-configured events take place. There are two basic steps required to set up the Relay Warning function:
1. Configure Relay Event Types: Select the desired event types from the web browser's Event Type page (a description of each event type is given later in the Relay Alarm Events settings subsection).
2. Activate your settings: After completing the configuration procedure, you will need to activate your Industrial Secure Router…
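To show what the three SASL mechanisms named in the note above actually put on the SMTP connection, here is an added example (not Moxa code): it encodes the client responses for PLAIN, LOGIN, and CRAM-MD5, shows what a passive observer of an unencrypted session recovers from each, and shows the offline guess a CRAM-MD5 capture still permits. The user name, password, and server challenge are constructed sample values (the CRAM-MD5 trio is the worked example from RFC 2195, the PLAIN pair the one from RFC 4616); the function names are this example's own.

```python
"""SASL PLAIN, LOGIN and CRAM-MD5 as seen on the wire. Added example."""
import base64
import hashlib
import hmac
from typing import Optional


def sasl_plain(user: str, password: str, authzid: str = "") -> str:
    """RFC 4616 PLAIN: one base64 line carrying the password verbatim."""
    return base64.b64encode(f"{authzid}\0{user}\0{password}".encode()).decode()


def sasl_login(user: str, password: str) -> list:
    """AUTH LOGIN: two base64 lines (user, then password) answering two prompts."""
    return [base64.b64encode(user.encode()).decode(),
            base64.b64encode(password.encode()).decode()]


def sasl_cram_md5(user: str, password: str, challenge: bytes) -> str:
    """RFC 2195 CRAM-MD5: the password keys an HMAC-MD5 over the server's
    challenge; only the user name and the hex digest are transmitted."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


def recover_password_from_wire(mechanism: str, wire) -> Optional[str]:
    """What a passive observer of an unencrypted session learns directly."""
    if mechanism == "PLAIN":
        return base64.b64decode(wire).split(b"\0")[2].decode()
    if mechanism == "LOGIN":
        return base64.b64decode(wire[1]).decode()
    return None   # CRAM-MD5: the digest alone does not reveal the password


def verify_cram_md5(stored_password: str, challenge: bytes, response: str) -> bool:
    """Server side: the password must be held in usable form to recompute the HMAC."""
    user, _, digest = base64.b64decode(response).decode().partition(" ")
    expected = hmac.new(stored_password.encode(), challenge, hashlib.md5).hexdigest()
    return bool(user) and hmac.compare_digest(expected, digest)


def guess_cram_md5(challenge: bytes, response: str, candidates) -> Optional[str]:
    """Offline dictionary attack on a captured challenge/response pair: the
    reason CRAM-MD5 is not a substitute for an encrypted SMTP session."""
    for candidate in candidates:
        if verify_cram_md5(candidate, challenge, response):
            return candidate
    return None


# Constructed sample values (from the RFC worked examples, not a real account).
SAMPLE_USER = "tim"
SAMPLE_PLAIN_PASSWORD = "tanstaaf"
SAMPLE_CRAM_PASSWORD = "tanstaaftanstaaf"
SAMPLE_CHALLENGE = b"<1896.697170952@postoffice.reston.mci.net>"

if __name__ == "__main__":
    plain = sasl_plain(SAMPLE_USER, SAMPLE_PLAIN_PASSWORD)
    login = sasl_login(SAMPLE_USER, SAMPLE_PLAIN_PASSWORD)
    cram = sasl_cram_md5(SAMPLE_USER, SAMPLE_CRAM_PASSWORD, SAMPLE_CHALLENGE)
    print("PLAIN  :", plain, "->", recover_password_from_wire("PLAIN", plain))
    print("LOGIN  :", login, "->", recover_password_from_wire("LOGIN", login))
    print("CRAM   :", cram, "->", recover_password_from_wire("CRAM-MD5", cram))
    wordlist = ["password", "tanstaaf", "tanstaaftanstaaf"]
    print("offline guess from captured CRAM pair:",
          guess_cram_md5(SAMPLE_CHALLENGE, cram, wordlist))
```

PLAIN and LOGIN give the observer the password outright; CRAM-MD5 gives only an HMAC that a wordlist still cracks in milliseconds if the password is weak, which is why the mail account configured on the router should be low-privilege and, where the server allows it, the session should be encrypted before any of these mechanisms is used.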
