RUGGEDCOM ROX

Contents

1. [Figure: traffic classification rules table with columns Mark, Source, Destination, Protocol, Source Ports, Destination Ports, Test, Length and TOS; example entries for ICMP echo-request and echo-reply, a Minimize-Delay TOS rule and UDP destination port 53.] Add a new traffic classification rule. Manually Edit File: click this button to manually edit the Shorewall file /etc/shorewall/tcrules, in which the entries above are stored. Return to list of tables.
Clicking on a link in the Mark column will allow you to edit or delete a traffic classification rule, as shown below.
[Figure 239 screenshot: Edit TC Rule form. Mark: Set packet mark to 1 in Default chain / Modify packet mark by AND in Default chain / SAVE connection mark with mask in Default chain / CONTINUE in Default chain. Source: Any. Destination: Any. Protocol: ICMP. Source Ports: Any (ports or ranges). Destination Ports: Any (ports or ranges), echo-request. Test: packet mark. Length: Any / Range. TOS: Any. Return to tcrules list.]
Figure 239: Edit TC Rule
The Mark row determines how the mark value will be assigned for a packet or a connection. The Set field determines whether the packet or the connection is assigned the mark. The mark to field s
2. [Figure 68 screenshot: Modem Configuration Main Menu with links Modem Configuration, Modem PPP Client, Modem PPP Server, Incoming Call Logs, PPP Connection Logs, PPP Current Route and Interface Table, Connections Logs; Modem Connection Status: No connection; Refresh.]
Figure 68: Modem Configuration Main Menu
[page footer: 68 PPP Dial On Demand; RUGGEDCOM ROX User Guide, Chapter 3, Device Management]
On this page, review and configure the modem interface and the PPP client and server connections. If two internal modems are installed, this page appears:
[Figure 69 screenshot: Modem 1 Configuration / Modem 2 Configuration]
Figure 69: Dual Modem Configuration Menu
Select the modem you want to configure. The modem configuration page for the selected modem appears. In this example, the configuration page for Modem 2 is shown.
[Figure 70 screenshot: Modem 2 menu with the same links as above; Modem Connection Status: PPP Type Server, User admin, Device pppi9 (as printed), Speed 33600, Address 192.168.100.11, Peer 192.168.100.22, TX 15.5 KiB, RX 15.5 KiB, MTU 1500; Refresh; Return to Modem Main Menu]
Figure 70: Modem 2 Config
3. [Figure 262 screenshot: Core > Interfaces, listing eth1, eth2, eth3, eth4, ppp0, ppp12, pppso (as printed), w2c1ppp, w2c2ppp, w2c3ppp and w2c4ppp, each with Settings and Status links; Remove inactive interfaces; Return to core]
Figure 262: Core Interface Parameters
Each interface on the router is listed. Clicking on Settings displays a menu of configuration options for that interface. Clicking on Status displays the current status of the interface, including link state, IP address and traffic counts. Clicking Remove inactive interfaces purges the list of any interfaces which are no longer configured on the router.
[Figure 263 screenshot: Core Interface Configuration, eth1. Parameter: Bandwidth; Value (blank = default): 10000; Description: Bandwidth to use in autocost calculation; Possible values (default value): 1-10000000 kbps; Save; Return to interfaces]
Figure 263: Core Interface Parameters
The Bandwidth field sets the bandwidth value to assume for the interface when automatically calculating a cost for using the link on this interface. By default, all interfaces are treated as 10 Mbit (10000 kbps). OSPF by default uses an automatic cost of 10 for all links, by calculating it as reference bandwidth (100 Mbit) d
4. Section 5.1.2.2 Dummy Interface
[Figure 160 screenshot: Dummy Interface Parameters; IP Address 172.16.254.2; Save; Delete; Return to network configuration]
Figure 160: Dummy Interface
This menu allows you to configure a dummy interface. Normally the router is reachable on any of its interface addresses, whether the interface is active or not. When OSPF and link detection are used, inactive interfaces are not advertised to the network and are thus not reachable. A dummy interface is always advertised and is thus reachable. Pressing the Save button will save the configuration change. Pressing the Delete button will remove the dummy interface.
Section 5.1.2.3 Static Routes
This menu allows you to configure static routing entries, including default routes. Each static route specifies how the router can reach a remote subnet. It also allows the conversion of other static routes (obtained via DHCP, for example) to permanently configured static routes. If IPv6 support is enabled in the Core settings menu, IPv6 static routes may also be configured here. If multiple gateways are available to route to a given remote subnet, a static route entry may be entered for each one, with the same subnet and different gateway specifications. Typically one would also enter a different metric for each route, the lowest metric indicating the preferre
5. [Figure 131 screenshot: Webmin Users list with users admin, operator and guest; Select all; Invert selection; Create a new Webmin user; Delete Selected; View login sessions; Password Restrictions]
Figure 131: Webmin Users Menu
This menu allows you to create, change or delete a Webmin user, to view and remove current login sessions, and to set password restrictions. Click the Select all link to select all manually created users. Click the Invert selection link to deselect all manually created users. Click the Create a new Webmin user link to create a new Webmin user. Click on a manually created user name to change its settings. Click the Delete Selected button to delete selected users. Click the View login sessions button to view all current login sessions. Click the Password Restrictions button to set the password restriction rules.
NOTE: The accounts managed from this menu are local to the ROX and are not maintained on a RADIUS server, even if one is configured.
Section 4.2.4 Edit Webmin User Menu
This menu allows you to change the user name, group membership, password and real name for a user account.
[Figure 132 screenshot: Edit Webmin User, Webmin user access rights. Username: john; Member of group: admin; Password (maximum 8 characters): Don't change; Real name; Save; View Logs; Delete; Return to user list]
Figure 132: Edit Webmin User Menu
IMPORTANT: The following usernames are not permitted when creating a new user: root, adm
6. [Figure 255 screenshot, second part of the VPN connection form: Public IP address (Address or hostname / Automatic / From default route); System identifier (Default / None / IP address or hostname); Private subnet behind system; Next hop to other system (Default / IP address); System's public key (None / RSA key)]
Figure 255: Editing a VPN Connection, Part 2
The Public IP address fields determine the IP address of the side of the connection being edited. Check the Address or hostname field and provide a fixed IP address or hostname. If this side reflects a remote client whose IP address changes, select Automatic. Use From default route if the host's IP is dynamically assigned.
The System identifier fields provide IPSec with a way to determine which section of the connection applies to which host. Left to Default, the parameter will use the public IP address from above. Set to None, the router will use an empty id. You can override these with an IP address or hostname.
The Private subnet behind system fields determine if this system has an internal network connected to it that the other host should be granted access to. Enter an IP network address and mask into this field. If you enter a subnet of 0.0.0.0/0 in this field, this connection will serve as a default route for all traffic.
The System's public key fields provide an RSA key if RSA keying is to be used. If you want to use secret keying, select None. When you first create a connection, this field is filled in for you with the local system's RSA key. If you are filli
7. Return to T1/E1 Main Menu
Figure 191: T1/E1 Loopback Menu
The Select Loopback Type field selects the loopback test. The Number of Loops field controls the frames sent during digital and remote loopback. This parameter is not used during line loopback. The Time to run test field limits the time the sender will transmit and the router running line loopback will wait. Running a loop test on an active interface will immediately cause it to go down. The loop test automatically initializes the trunk after completing the test.
The loopback test provides a means to test your T1/E1 digital and analog hardware and the T1/E1 line. The sender transmits a number of frames which are looped back to the sender. The router verifies the returning frames for correctness. A digital loopback starts first and verifies the digital section of the interface. If a loopback stub is inserted in the interface jack, a remote loopback verifies the interface's digital and analog sections. If the remote equipment is able to loop, the entire T1/E1 line can be verified. If the remote router is another Siemens router, starting a line loopback verifies both cards and the line. The router initiating the test displays the loopback frame count as frames arrive.
[Diagram: the sender's T1/E1 interface (digital and analog sections), the T1/E1 line, and the remote T1/E1 interface (analog and digital sections), showing the paths of the Digital Loopback Test, Remote Loopback Test and Line Loopback Test]
Figure
8. Section 5.18.3 Option 82 Support with Disable NAK
If DHCP relay clients (option 82 clients) are used on the same subnet as the DHCP server, some clients will immediately try to renew a lease right after receiving it, by requesting a renewal directly from the DHCP server. Since the DHCP server is only configured to provide that lease through a relay agent with the right option 82 fields added, the server will send the client a NAK to disallow use of the lease. Enabling this option disables this reject message, so that the renewal request that the DHCP relay agent sends a moment later (which the DHCP server accepts, since it has the right option 82 fields added) will be the only message for which the client receives a reply. If the DHCP server and clients are not on the same subnet, this option is not required.
The meaning of the value of many fields depends on the client's interpretation of the field, so the actual meaning of a field is determined by the client. See the documentation of the client to determine what values are required by the client for special options.
Section 5.18.4 Example DHCP Scenarios and Configurations
This section contains the following scenario examples:
Section 5.18.4.1 Single Network With Dynamic IP Assignment
Section 5.18.4.2 Single Network With Static IP Assignment
Section 5.18.4.3 Single Network With Option82 Clients On One Switch
Section 5.18.4.4 Multiple Subnets on Separate VLANs Using Opt
9. (table of contents excerpt; page numbers at the right)
5.12.4 Key OSPF and RIP Parameters 268
5.12.4.1 Network Areas 268
5.12.4.2 [heading illegible in source] 269
5.12.4.3 Hello Interval and Dead Interval 269
5.12.4.4 Active/Passive Interface Default 269
5.12.4.5 Redistributing Routes 270
5.12.4.6 Link Detector 270
5.12.4.7 Configuring OSPF Link Costs 270
5.12.4.8 OSPF Authentication 270
5.12.4.9 RIP Authentication 270
5.12.4.10 Administrative Distances 271
5.12.5 OSPF and VRRP Example Network 271
5.12.5.1 Arga and Subnets (as printed) 272
5.12.5.2 VRRP Operation 272
5.12.6 Dynamic Routing Configuration 273
5.12.6.1 Enable Protocols 273
5.12.6.2 [heading illegible in source] 274
5.12.6.3 Core Global Parameters 274
5.12.6.4 Core Interface P
10. TC Interfaces
Interface | Inbound bandwidth | Outbound bandwidth
eth1 | 5000kbit | 5000kbit

TC Classes
Interface | Mark | Minimum | Maximum | Priority | Options
eth1 | 1 | full/2 | full | 0 |
eth1 | 2 | 1kbit | full | 1 | tcp-ack
eth1 | 3 | full/5 | full*5/10 | 2 |
eth1 | 4 | 1kbit | full*5/10 | 3 | default

TC Rules
Mark | Source | Destination | Protocol | Source Port | Dest Port | Test | Length | TOS
2 | Any | Any | ICMP | Any | Any | Any | Any | Any
RESTORE | Any | Any | Any | Any | Any | 0 | Any | Any
CONTINUE | Any | Any | Any | Any | Any | !0 | Any | Any
1 | Any | Any | UDP | 20000 | Any | Any | Any | Any
3 | Any | Any | TCP | Any | 80 | Any | Any | Any
4 | Any | Any | Any | Any | Any | 0 | Any | Any
SAVE | Any | Any | Any | Any | Any | !0 | Any | Any

The rules first check non-connection-based protocol rules (ICMP in this case) in order to assign a mark. For any packet that is still not marked, we attempt to restore a saved mark for the connection. If at this point the packet has a mark set, we stop checking rules (CONTINUE), since it is either ICMP or a packet from an existing connection which we have already assigned a mark. If still no mark is assigned, it must be a new connection, so we process the packet through all the remaining rules to determine the mark it should receive. At the end we save the new mark to the connection, so that any further packets for the connection do not have to go through all the rules again, in order to save processing resources. We mark all packets with no other matching rule to 4, since that repres
11. 4. Upon successful activation, the Activation status field will automatically change to display "Activation successful". If it displays "Activation Failed", please verify all activation settings or contact the network provider's service personnel.
Section 3.9.4.3 Cellular Modem Configuration
The Cellular Modem Configuration menu provides information that is necessary to establish cellular network service and allows the configuration of parameters that are necessary for the modem to access the cellular network. Necessary parameters are configured in the top part of the screen, and modem information and status are displayed at the bottom under Modem Status.
[Figure 85 screenshot: Cellular Modem Configuration. Parameter: Dial string; Value: #777; Description: Dial string to connect to wireless network; Save; Re-activate modem. Modem Status (last updated on Fri Oct 18 16:42:24 2013): Type of Modem: CDMA 1xRTT/EV-DO; Firmware version: p2410701 51863; Electronic Serial Number (ESN): 0x608ABD96; Received Signal Strength / Ec/Io: -125 dBm / None dB; Network Carrier ID: Verizon; Network technology currently in use: No Service; Phone number: 9547890192; Refresh; Reset; Return to Modem Main Menu]
Figure 85: Cellular Modem Configuration with an Edge/GPRS modem
Modem Configuration: The Access Point Name (APN) is necessary only on GPRS
12. GOOSE Tunnel Implementation Details
The GOOSE protocol is supported by the Layer 2 Tunnel Daemon. The daemon listens to configured Ethernet interfaces and to the network itself (i.e. for tunnel connections from other daemon instances) on a configurable UDP port. The Media Access Control (MAC) destination address of frames received from Ethernet is inspected in order to determine which GOOSE group they are in. The frames are then encapsulated in network headers and forwarded, with MAC source and destination addresses intact, to the network as GOOSE packets. IEC 61850 recommends that the MAC destination address should be in the range 01:0c:cd:01:00:00 to 01:0c:cd:01:01:ff.
GOOSE packets received from the network are stripped of their network headers and forwarded to Ethernet ports configured for the same multicast address. The forwarded frames contain the MAC source address of the originating device, and not that of the transmitting interface. The VLAN used will be that programmed locally for the interface and may differ from the original VLAN. The frame will be transmitted with the highest 802.1p priority level (p4). Packets received from the network will also be forwarded to any other remote daemons included in the group.
To enable forwarding for GOOSE packets, configure a generic Layer 2 tunnel to listen for GOOSE packets on one VLAN and forward them to a second VLAN. To configure the generic Layer 2 tunnel for this operation, set the followin
13. Restarting webmin: webmin
RX1000:/opt#
5. Open Webmin in any modern browser and verify that the certificate is a new one. The "not valid before" value could be helpful.
Section 4.4.2.1 Generating Self-Signed SSL Certificates with Scripting
Creating a persistent script to generate self-signed SSL keys and certificates is possible with the commands referenced in Section 4.4.2, Regenerating SSL Keys and Certificates.
1. Open a text editor such as Notepad and copy the following text to it:
   #!/bin/bash
   # Generate a 2048-bit RSA key, self-sign a certificate for this host (valid 1825 days),
   # concatenate certificate and key into Webmin's miniserv.pem, clean up and restart Webmin.
   hn=$(hostname) && cd /opt && openssl genrsa -out CA.key 2048 && openssl req -x509 -new -config /etc/ssl/openssl.cnf -subj "/C=CA/ST=Ontario/L=Concord/O=RuggedCom/OU=Support/CN=$hn" -days 1825 -key CA.key -out CA.crt && cat CA.crt CA.key > /etc/webmin/miniserv.pem && rm CA.* && /etc/init.d/webmin restart
2. Save the file as "renewkey", without a filetype extension.
3. Open Webmin in a browser and navigate to the Upload/Download Files feature.
[Figure screenshot: Upload/Download Files. Download files from the specified URLs to this router: URLs to download; File or directory to download to; Create directory if needed; Download mode: Immediately and show progress / In background at date 29 Dec 2002 and time 13:46; Downlo
14. Section 3.14.3.5 IEEE1588 Status
[Figure 114 screenshot: IEEE1588 Status. Local Clock Port IP 192.168.5.1, MAC 00:0a:dc:14:e0:e4, IEEE 1588 Status MASTER; Stop; Reset Time Quality Calculation; Return to Module index]
Figure 114: IEEE1588 Status
This page shows the historical status of IEEE1588 on the router. The line above the table provides the local clock IP address, MAC address and the time quality information. The table will contain entries made when the clock source or status changes. The current local time on the router, the IEEE 1588 status, IEEE1588 and UTC time, the offset from master in seconds, the master IP/MAC address and grandmaster MAC address are provided.
Section 3.14.3.6 IRIG-B Log
[IRIG-B Log screenshot (Month, Day, Time, Process, Event); Refresh]
Oct 30 13:08:27 /usr/sbin/irigb[2657] Force FPGA to init time
Oct 30 13:08:32 /usr/sbin/irigb[2657] GPS lock: locked
Oct 30 13:15:13 /usr/sbin/irigb[2657] Detection of FPGA time 13/10/30 17:15:6 is out of sync with GPS UTC 13/10/30 17:15:9, force FPGA reset clock
Oct 30 13:16:40 /usr/sbin/irigb[2657] GPS lock: lock lost
Oct 30 13:16:51 /usr/sbin/irigb[2657] GPS lock: locked
Oct 30 13:08:53 /usr/sbin/irigb[2657] Detection of FPGA time 13/10/30 17:21:9 is
15. [Figure 322 screenshot: GPS Status, including a Tracked Satellite Status table of satellite IDs and signal strengths; refresh; Return to NTP Main Menu]
Figure 322: GPS Status
If the router is equipped with a Precision Time Protocol card, this page will show the status of the GPS module. The Latitude and Longitude fields show the current position of the GPS antenna. The GPS Lock field shows the GPS lock status. The Number of Satellites shows how many satellites are currently being tracked by the GPS module. The Tracked Satellite Status table shows the ID and signal strength of tracked satellites.
Section 5.20.11 Viewing the GPS Log
[GPS Log screenshot (Month, Day, Time, Process, Event)]
Oct 30 13:08:32 /usr/sbin/irigb[2657] GPS lock: locked
Oct 30 13:16:40 /usr/sbin/irigb[2657] GPS lock: lock lost
Oct 30 13:16:51 /usr/sbin/irigb[2657] GPS lock: locked
Oct 30 13:26:04 /usr/sbin/irigb[2657] GPS lock: lock lost
Oct 30 13:26:16 /usr/sbin/irigb[2657] GPS lock: locked
Oct 30 13:29:05 /usr/sbin/irigb[2657] GPS lock: lock lost
Oct 30 13:29:16 /usr/sbin/irigb[2657] GPS lock: locked
Oct 30 13:41:35 /usr/sbin/irigb[2657] GPS lock: lock lost
Oct 30 13:41:47 /usr/sbin/irigb[2657] GPS lock: locked
Oct 30 13:51:05 /usr/sbin/irigb[2657] GPS lock: lock lost
Oct 30 13:51:13 /usr/sbin/irigb[2657] GPS lock: l
16. Figure 79: PPP Logs
This page shows the PPP logs. This is mainly useful when trying to debug a PPP connection problem.
Section 3.8.6.8 Modem PPP Connection Logs
[Figure 80 screenshot: PPP Connection Logs (Month, Day, Time, Event, User, Local IP, Remote IP, Speed, Duration, Bytes received, Bytes sent). One entry from /var/log/syslog.1: Oct 31 19:28:24 connect admin 192.168.100.11 192.168.100.22 33600; Refresh; Return to Modem Main Menu]
Figure 80: PPP Connection Logs
This page shows a list of PPP connections. It shows who connected, when they connected and disconnected, the connection speed and session traffic.
Section 3.9 Configuring PPP and the Cellular Modem
This section familiarizes the user with:
Configuring the cellular modem
Configuring the PPP client
Viewing connection status
The device may be equipped with an internal cellular modem instead of the land line modem or the serial card described in the preceding section. PPP, the Point-to-Point Protocol, is used to establish an IP network connection over a cellular radio modem link. Depending on local cellular network availability, one of three cellular modem types may be ordered: Edge/GPRS, CDMA/EV-DO, HSPA.
Section 3.9.1 PPP Interface
When a PPP connection is established, a network interface is created in the system. The
17. Section 5.2.4 IPv6 on Ethernet Fundamentals
By default, IPv6 is disabled on the router, in which case IPv6 addresses may not be assigned to Ethernet interfaces. IPv6 may be enabled via the IPv6 Support option in Core settings under the Network Configuration category. If IPv6 is enabled on the router and link is asserted on a given Ethernet port, the system will automatically assign a link-local address on that port beginning with 0xfe80, for example fe80::20a:dcff:fe1a:e401/64.
Section 5.2.5 Bridge Fundamentals
ROX supports software-based Ethernet bridging. The bridge appears to the router as an Ethernet interface and may be assigned an IP address statically or via DHCP. Network services such as SSH, DHCP, NTP, VRRP etc. may be configured to run on the bridge interface.
NOTE: When adding interfaces to the bridge, any network services running on the individual interfaces must be reconfigured to refer to the bridge interface. For example, if a DHCP server is running on eth1 and eth1 is made a member of the bridge br1, the DHCP configuration must be changed to refer to br1.
The device's Ethernet bridge is implemented in software and is not as efficient as a hardware-based switch. We do not recommend connecting a switch to the Ethernet bridge interface. When connecting a switch to the ROX, configure the ROX interface as a normal
18. Steps 18 to 23: Set the address range to 192.168.2.101 to 192.168.2.200. Click Create. Edit the pool by clicking on the link for the pool with address range 192.168.2.101 to 192.168.2.200. Click "add an option82 client". Give the client a unique alphanumeric name, for example subnet0_102. Set the remote id to the switch MAC address (00:0A:DC:11:22:00 in this case). Set the circuit id to the switch's circuit id identifier for the port (00:02:00:02 for VLAN 2, port 2 on a Siemens RUGGEDCOM switch). Click Create. Click Save. Repeat steps 8 through 20 for vlan3 through vlan4, changing the subnet, default routers, pool address range and circuit id for each VLAN. Restart the DHCP server or apply changes.
Section 5.18.5 DHCP Configuration
[Figure screenshot: DHCP Server (ISC DHCPd version 3.1.1). Subnets and Shared Networks: No subnets or shared networks have been defined; Add a new subnet; Add a new shared network. Hosts and Host Groups: No hosts or groups have been defined; Add a new host; Add a new host group. Edit Client Options: Edit DHCP client options that apply to all subnets, shared networks, hosts and groups. Edit Network Interface: Set the network interfaces that the DHCP server listens on when started. List Active Leases: List leases currently issued by this DHCP server for dynamically assigned IP addresses.] Click this button to start the DHCP server. This will start the server, displaying
19. (table of contents excerpt; page numbers at the right)
3.7.9.2 Enabling Secure Remote Syslog 59
3.7.9.3 Remote Logging 60
3.7.10 Upgrade System 61
3.7.10.1 ROX Software Fundamentals 61
3.7.10.2 Upgrade to [illegible in source] 62
3.7.10.3 Change Repository Server 62
3.7.10.4 Upgrading All Packages 63
3.7.10.5 Installing a New Package 64
3.7.10.6 Pre-Upgrade/Post-Upgrade Scripts 65
3.7.11 Uploading and Downloading Files 66
3.8 Configuring PPP and the Embedded Modem 66
3.8.1 PPP Interface 67
3.8.2 Authentication, Addresses and DNS Servers 67
3.8.3 When the Modem Connects 67
3.8.4 PPP Dial On Demand 68
3.8.5 LED Designations 68
3.8.6 PPP Modem Configuration 68
3.8.6.1 Modem Configuration 70
3.8.6.2 Modem PPP Client Connections 72
3.8.6.3 Dial on
20. (table of contents excerpt; page numbers at the right)
5.4.4.4 E3 Interface Parameters 200
5.4.4.5 Editing a Logical Interface (Frame Relay) 200
5.4.4.6 Editing a Logical Interface (PPP) 201
5.4.5 T3/E3 Statistics 202
5.4.6 Current Routes and Interface Table 202
5.4.7 Upgrading Software 202
5.5 Configuring Frame Relay, PPP and DDS 202
5.5.1 Location of Interfaces and Labelling 203
5.5.2 LED Designations 203
5.5.3 DDS Configuration 203
5.5.3.1 DDS Network Interfaces 204
5.5.3.2 Editing a Logical Interface (Frame Relay) 205
5.5.3.3 Editing a Logical Interface (PPP) 206
5.5.3.4 DDS Statistics 206
5.5.3.5 DDS Loopbacks 207
5.5.3.6 Current Routes and Interface Table 207
5.5.3.7 Upgrading Software 208
5.6 Multilink PPP over T1/E1 208
5.6.1 Multilink PPP Fundamentals 208
5.6.2 Notes on T1/E1 Channelization
21. [Figure 209 screenshot: T1/E1 WAN Interfaces. T1 2: Channel 1, assigned time slots ALL, channelized interface w2c1fr16 (Down; Statistics; No description; Local Address 1.2.3.1, Netmask 255.255.255.255, Remote Address 1.1.1.2); Edit T1 2 Parameters; View T1 2 Link Statistics; Loopback this Interface; Enable/disable loopback modes. T1 3: Not Running; Channel A, assigned time slots ALL; Assign a new Frame Relay logical interface; Assign a new PPP logical interface; Assign new MLPPP logical interfaces; Edit T1 3 Parameters; Return to T1/E1 Main Menu]
Figure 209: T1/E1 WAN Interfaces
Click on Assign new MLPPP logical interfaces to specify the parameters of the MLPPP bundle. The bundle can have one or more PPP links over T1/E1.
[Figure 210 screenshot: Edit Logical Interface (MLPPP). MLPPP Parameters: Local Address 1.1.1.1, Netmask 255.255.255.255, Remote Address 1.1.1.10, Description mlppp. MLPPP Channel Setting: T1 1 Channel 1, T1 2 Channel 1; Return to T1/E1 WAN Interfaces]
Figure 210: Edit MLPPP Logical Interface Menu
The Local IP address field specifies the IP address of the MLPPP interface. The Netmask field specifies the network address mask. The Remote Address field specifies the IP address of the remote end of the MLPPP link.
22. [Figure 121 screenshot: Snort Preprocessors, each with an Enabled/Disabled selection: two entries whose names are illegible in the source; ftp_telnet global (inspection_type stateful, encrypted_traffic no); ftp_telnet protocol telnet; ftp_telnet protocol ftp server default; ftp_telnet protocol ftp client default; smtp (ports 25 465 587 691); ssh (server_ports 22); dcerpc2 (memcap 102400, events ...); dcerpc2_server (default, policy WinXP); dns (ports 53, enable_rdata_overflow); ssl (ports 443 465 563 636 989 992 993 994 995 7801 7802); sensitive_data (alert_threshold 25); sip (max_sessions 40000); imap; pop; modbus (ports 502); dnp3 (ports 20000); reputation. Save Changes; Reset Changes; Return to Snort IDS Main]
Figure 121: Snort Preprocessors
Preprocessors are plug-in modules that operate on the captured packets. Preprocessors perform a variety of transformations to make it easier for Snort to classify packets. The configuration of preprocessors is beyond the scope of this user guide.
Section 3.15.5 Alerts and Logging
Al
23. Section 5.5.3.1 DDS Network Interfaces
[Figure 203 screenshot: DDS WAN Interfaces, DDS Trunks and Logical Interfaces; Refresh this page. DDS 1: Not Running (Name, Description, Local Address, Netmask, Remote Address); Assign a new Frame Relay logical interface; Assign a new PPP logical interface; Return to DDS Main Menu]
Figure 203: DDS WAN Interfaces
This menu allows you to display DDS trunks and configure the logical interfaces that run on them. A table is presented for each interface. Interface numbers are as described by the DDS labels, as shown in the home page chassis diagram. The status of both the physical interface and its corresponding logical interface is shown. If no interfaces have been configured, the menu will provide links to Frame Relay and PPP configuration menus.
This menu presents connection statuses but does not update them in real time. Click on the Refresh this page link to update to the current status. The menu will change after assignment of a logical interface, providing links to logical interface and link statistics.
[Figure screenshot: DDS WAN Interfaces, DDS Trunks and Logical Interfaces; Refresh this page. DDS 1: Up. Name w1ppp, Up, Statistics, No description, Local Address 1.1.1.2, Netmask 255.255.255.255, Remote Address 1.1.1.1]
24. PPP Link Statistics
Section 5.3.2.13 T1/E1 Loopback
After configuring at least one logical interface, you can perform T1/E1 loopback tests. After configuring an interface, a Loopback this Interface link appears on the Interface menu. Clicking the link displays the Loopback menu.
[Figure screenshot: T1 2 Loopback, Loopback Settings.]
Note: A Digital loopback command causes test frames to be transmitted through the digital sections of the T1/E1 interface. The frames are looped back immediately before the analog transceivers, received by the software and verified. A Remote loopback command causes test frames to be transmitted through the analog transceiver to the T1/E1 line and verifies frames received from the line. You must arrange for the line to be remotely looped back (e.g. Line loopback) or employ a loopback stub with the clock mode set to Master for this test to succeed. A Line loopback command causes frames received from the T1/E1 line to be looped back to the line. A notification is presented for each frame received during this test. A loopback test will take down the interface, which may be undesirable when it is in use. Also note that this testing runs independently of the settings in Enable/disable loopback modes.
[Form fields: Select Loopback type: No loop; Number of Loops: 20 (maximum 1000); Time to run test: 20 (maximum 600 sec); Start Loopback]
25. Registered Trademarks

ROX (Rugged Operating System On Linux), CrossBow and eLAN are trademarks of Siemens Canada Ltd. ROS is a registered trademark of Siemens Canada Ltd.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries. The registered trademark Linux is used pursuant to a sublicense from LMI, the exclusive licensee of Linus Torvalds, owner of the mark on a world-wide basis.

Other designations in this manual might be trademarks whose use by third parties for their own purposes would infringe the rights of the owner.

Open Source

RUGGEDCOM ROX is based on Linux. Linux and RUGGEDCOM ROX are made available under the terms of the GNU General Public License Version 2.0 (http://www.gnu.org/licenses/gpl-2.0.html).

Security Information

Siemens provides products and solutions with industrial security functions that support the secure operation of plants, machines, equipment and/or networks. They are important components in a holistic industrial security concept. With this in mind, Siemens products and solutions undergo continuous development. Siemens strongly recommends that you regularly check for product updates.

For the secure operation of Siemens products and solutions it is necessary to take suitable preventive action (e.g. a cell protection concept) and to integrate each component into a holistic, state-of-the-art industrial security concept. Third-party products that may be in use should al
26. Section 3.7.9.3 Remote Logging

Remote logging, often referred to as remote syslogging, is the process of forwarding log entries to a remote host computer. Remote logging enables central collation of logs and preserves logs in the event of security incidents. Remote logging does not require any file storage on the router and as such does not suffer from loss of information around unplanned power failures. On the other hand, remote logging cannot record events that occur before network connectivity to the logging host is established.

Remote logging can replace disk logging or can augment it. If you wish to replace disk logging for some information type, select the appropriate link under the System Logs sub-menu, Log Destination column, and enter the URL of the logging host under Syslog server on.

Figure 61: Changing a Syslog Entry to Log Remotely (screen: Edit System Log; Log destination: Log to File /var/log/auth.log with Sync after each message, Named pipe, or Syslog server on [host] Port Number 514 TCP/UDP, Local users: All logged in users; Logging active: Yes/No; Message types to log: Facilities (Many/None/All, e.g. auth, authpriv) and Priorities (At or above ...); Save, View logfile, Delete)

Note: The secure remote syslog facility only works for TCP connections with the remote syslog server.

If you wish to remote log in addition to disk log some log type, you must d
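The Facilities and Priorities selections above are the two halves of the syslog PRI value, and "at or above" a priority means a numerically smaller or equal severity code, which is the usual point of confusion when a rule forwards less than expected. The following is an added example, not code from the RUGGEDCOM ROX User Guide or from the router's syslog daemon: it encodes and decodes the RFC 3164 PRI, applies an "auth and authpriv, at or above notice" rule to a handful of constructed log records, and produces the lines a TCP or UDP forwarder would send. The facility and severity tables are the standard syslog ones; the records are constructed for the example.

```python
"""Syslog PRI encoding and "at or above" priority filtering.

Added example, not code from the RUGGEDCOM ROX User Guide. PRI = facility * 8
+ severity (RFC 3164); severity 0 (emerg) is the most urgent, so a rule for
"at or above notice" matches severity codes 0..5.
"""

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
# Lower number = more severe.
SEVERITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}


def encode_pri(facility, severity):
    """Return the PRI value that prefixes an RFC 3164 message, e.g. <36>."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri):
    """Return (facility_name, severity_name) for a PRI value."""
    fac_code, sev_code = divmod(pri, 8)
    facility = next(n for n, c in FACILITIES.items() if c == fac_code)
    severity = next(n for n, c in SEVERITIES.items() if c == sev_code)
    return facility, severity


def matches_rule(pri, facilities, at_or_above):
    """Does a message with this PRI match a log rule?

    facilities:  set of facility names, or the string "all"
    at_or_above: minimum severity name; emerg .. at_or_above match,
                 anything less urgent (higher code) does not.
    """
    facility, severity = decode_pri(pri)
    if facilities != "all" and facility not in facilities:
        return False
    return SEVERITIES[severity] <= SEVERITIES[at_or_above]


def format_message(pri, timestamp, host, tag, text):
    """Build the RFC 3164 line a forwarder sends to the collector."""
    return f"<{pri}>{timestamp} {host} {tag}: {text}"


def select_for_remote(records, facilities, at_or_above):
    """Return the formatted lines that a rule would forward."""
    out = []
    for facility, severity, ts, host, tag, text in records:
        pri = encode_pri(facility, severity)
        if matches_rule(pri, facilities, at_or_above):
            out.append(format_message(pri, ts, host, tag, text))
    return out


# Constructed sample records: (facility, severity, timestamp, host, tag, text).
SAMPLE_RECORDS = [
    ("auth", "info", "Mar 29 14:57:43", "brouter", "sshd[1234]",
     "Accepted password for root from 192.168.0.10 port 51022 ssh2"),
    ("auth", "warning", "Mar 29 14:58:01", "brouter", "sshd[1240]",
     "Failed password for root from 192.168.0.10 port 51023 ssh2"),
    ("authpriv", "notice", "Mar 29 14:58:10", "brouter", "su[1250]",
     "+ pts/0 rrsetup:root"),
    ("daemon", "err", "Mar 29 14:59:00", "brouter", "sshguard[1300]",
     "Blocking 192.168.0.10 for 420 seconds"),
    ("cron", "debug", "Mar 29 15:00:00", "brouter", "cron[1310]",
     "pidfile fd = 3"),
]

if __name__ == "__main__":
    # Rule as it would be entered on the page: facilities auth and authpriv,
    # priorities at or above notice. Only two of the five records qualify.
    for line in select_for_remote(SAMPLE_RECORDS, {"auth", "authpriv"}, "notice"):
        print(line)
```

Note that the accepted-password record (auth.info) is dropped by this rule: a collector that is meant to reconstruct logins after an incident needs the rule set at or above info for auth, not notice.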
27. ... System Hostname sub-menu.

The router may be configured to log to a remote server in the Maintenance menu, System Logs sub-menu. See Section 3.7, Maintaining the Router, for more details.

6. The router's DNS settings may be configured in the DNS Clients sub-menu. You may also specify the IP addresses of frequently used hosts. See Section 5.1, Configuring Networking, for more details.

Section 1.3.3 Physical Interface Related

1. Ethernet port parameters may be changed in the Networking menu, Ethernet sub-menu. The Ethernet Interfaces sub-menu configures the IP address, subnet mask, gateway address, proxy ARP and media type of each interface. See Section 5.2, Configuring Ethernet Interfaces, for more details.

If your router is equipped with T1/E1 WAN interfaces, the Networking menu, T1/E1 sub-menu allows you to configure them with Frame Relay or PPP connections. See Section 5.3, Configuring Frame Relay, PPP and T1/E1, for more details.

If your router is equipped with T3 WAN interfaces, the Networking menu, T3 sub-menu allows you to configure them with Frame Relay or PPP connections. See Section 5.4, Configuring Frame Relay, PPP and T3/E3, for more details.

If your router is equipped with DDS interfaces, the Networking menu, DDS sub-menu allows you to configure them with Frame Relay or PPP connections. See Section 5.5, Configuring Frame Relay, PPP and DDS, for more details.

If your router is equipped
28. When your salesperson returns an updated record to you, overwrite the current record and press the Upgrade Inventory button. A reboot will then be required.

Figure 63: Upgrade to RX1100 (screen: a PGP clear-signed inventory record, Hash: SHA1, Created by RuggedCom Inc. Final Test; Product information: OrderCode RX1000 F RM HI 00 XX XX TX01 TX01 TC2 511, SerialNumber X1K 0409 02268, MacAddressEth1 00:0a:dc:2a:3f:a0; Version: GnuPG v1.4.0 (MingW32), followed by the signature block; board inventory: Mainboard 12-01-0001 RuggedRouter MainBoard Rev 03; ledboard 12-11-0015 LED Board Xilinx XC3S50 Rev B2; PowerSupply1 12-10-0008 P1 88-300VDC or 85-264VAC Rev C3; ifboard1 12-11-0002 2x10/100TX RJ45 Rev C2; ifboard2 12-11-0002 2x10/100TX RJ45 Rev C2; pci1 13-01-0004 T1/E1 Channelized Dual Rev A; pci2 13-01-0015 Synchronous Dual Serial Card Rev A; Upgrade Inventory button; Return to Upgrade System)

Section 3.7.10.3 Change Repository Server

Figure 64: Change Repository Server (fields: Repository server; Release Version; Bandwidth Limiting, default Disabled; Save Changes; Return to Upgrade System)

Use rrX.Y to upgrade to that specific release, or rrX to upgrade to the latest release.

CAUTION: Se
29. ... button is pressed. The menu will display up to the provided number of messages, waiting up to the specified number of seconds.

The Trace on protocols selections present a short list of protocols, with unused entries greyed out. The default is All Protocols.

The Message Decode field causes received/transmitted frame entries to include protocol-specific information. If the Hex Dump field is selected, the first 64 bytes of packet content are displayed. The Packets field causes received/transmitted packet entries to be displayed. The RTT Measurement field displays the Beacon messages used for RTT measurement.

NOTE: Specifying large numbers of ports, entries and capture times can result in a great deal of output. Specifying a large capture time may require the web page to wait that interval if activity is infrequent.

Section 5.18 Configuring the DHCP Server

This section familiarizes the user with:
- DHCP Server Configuration
- Use of Option 82

Dynamic Host Configuration Protocol (DHCP) is a method for centrally and consistently managing IP addresses and settings for clients, offering a variety of assignment methods. IP addresses can be assigned based on the Ethernet MAC address of a client, sequentially, or by using the port identification provided by a DHCP relay agent device.

Section 5.18.1 DHCP Ne
30. ... cancel, which only requires -i to be specified.

Section 5.13.9.1 Examples

In order to schedule a link backup test on eth1 at 10:30 AM that will last for 10 minutes:

blinktest -i eth1 -b 10:30 -s 10:40 start

In order to cancel this test, or to terminate it before the stop time:

blinktest -i eth1 cancel

Section 5.13.9.2 Logging Output

blinktest logs activity and any error conditions to the system log file (/var/log/messages) and to the serial console. The following items are logged:
- the scheduled begin and stop times of a test, and the main interface name of the link backup configuration under test
- the actual begin time of a test
- the actual stop time of a test
- cancellation of a test
- any errors

Log messages have the following format: date and time, router host name, application name (blinktest), blinktest version, status (OK or ERROR), message string. Some example log messages follow:

Mar 29 14:57:43 brouter blinktest 1.0 OK link eth3 backup test STOP scheduled for Mar 29 ... 2010
Mar 29 14:57:43 brouter blinktest 1.0 OK link eth3 backup test BEGIN scheduled for Mar 29 14:58:00 2010

Please note that the scheduled date and time shown in the above log messages is the actual scheduled date and time as reported by the at utility. When the test actually begins or stops, the following is shown:

Ma
31. ..., on the other hand, will fail to connect to the router but will receive a notification.

Note that the order of policies is important. If the last rule of this example were entered first, then no connections at all would be allowed.

Policies are defined in the file /etc/shorewall/policy and are modified from the Default Policy menu.

Section 5.8.3.5 Masquerading and SNAT

Masquerading and Source NAT (SNAT) are forms of dynamic NAT. Masquerading substitutes a single IP address for an entire internal network. Use masquerading when your ISP assigns you an IP address dynamically at connection time. SNAT substitutes a single address or a range of addresses that you have been assigned by your ISP. Use SNAT when your ISP assigns you one or more static IP addresses that you wish to map to one or more internal hosts.

The masquerading/SNAT entries are defined in the file /etc/shorewall/masq and are modified from the Masquerading menu. Each entry is of the form:

Interface  Subnet  Address  Protocol  Port(s)  Policy

Interface is the outgoing WAN or Ethernet interface and is usually your Internet interface.

Subnet is the subnet that you wish to hide. It can be an interface name such as eth1 or a subnetted IP address.

NOTE: It is always recommended to use a subnetted IP address instead of an interface name. When using an interface name, the interface has to be UP and running for the firewall to start with
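The note above is easy to violate when the masq file is edited by hand, and a firewall that fails to start because a hidden subnet was written as an interface name is a worse outcome than a rejected edit. The following is an added example, not part of the RUGGEDCOM ROX User Guide or of Shorewall: it parses the Interface, Subnet, Address, Protocol and Port(s) columns described above, classifies each entry as masquerading (no Address) or SNAT (Address given), and reports entries whose Subnet is an interface name or whose SNAT Address is not a valid address or range. The masq file it reads is constructed for the example.

```python
"""Lint /etc/shorewall/masq entries for the cases the guide warns about.

Added example, not part of the RUGGEDCOM ROX User Guide or of Shorewall.
The sample file is constructed; "-" is the Shorewall placeholder for an
empty column.
"""
import ipaddress

SAMPLE_MASQ = """\
#INTERFACE   SUBNET            ADDRESS         PROTO   PORT(S)
eth0         192.168.1.0/24    -               -       -
eth0         eth1              -               -       -
eth0         192.168.2.0/24    203.0.113.10    -       -
eth0         192.168.3.5       203.0.113.11    tcp     443
eth0         192.168.4.0/24    203.0.113.300   -       -
"""


def parse_masq(text):
    """Return one dict per non-comment line; missing trailing columns become '-'."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        cols += ["-"] * (5 - len(cols))
        iface, subnet, address, proto, ports = cols[:5]
        entries.append({"lineno": lineno, "interface": iface, "subnet": subnet,
                        "address": address, "proto": proto, "ports": ports})
    return entries


def is_network(value):
    """True for a host address or CIDR prefix; False for an interface name."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def is_snat_address(value):
    """True for a single address or an a.b.c.d-e.f.g.h range."""
    parts = value.split("-")
    if len(parts) > 2:
        return False
    try:
        for part in parts:
            ipaddress.ip_address(part)
        return True
    except ValueError:
        return False


def nat_kind(entry):
    """'masquerade' when no ADDRESS is given (dynamic ISP address), else 'snat'."""
    return "masquerade" if entry["address"] == "-" else "snat"


def lint_masq(text):
    """Return a list of (lineno, message) findings."""
    findings = []
    for e in parse_masq(text):
        # The SUBNET column may list several networks separated by commas.
        for subnet in e["subnet"].split(","):
            if not is_network(subnet):
                findings.append((e["lineno"],
                                 f"SUBNET '{subnet}' is an interface name; use a subnetted "
                                 f"IP address so the firewall does not depend on it being up"))
        if nat_kind(e) == "snat" and not is_snat_address(e["address"]):
            findings.append((e["lineno"],
                             f"ADDRESS '{e['address']}' is not a valid SNAT address or range"))
    return findings


if __name__ == "__main__":
    for lineno, msg in lint_masq(SAMPLE_MASQ):
        print(f"line {lineno}: {msg}")
```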
32. ... 0 0 reset (end of the Port Statistics table)

Figure 98: Serial Protocols Statistics Menu (screen: Connection Statistics table with columns Remote IP, Remote Port, Local Port, Rx Packets, Tx Packets, Target Serial Port(s), Status; Refresh and Continuous Display buttons; Return to Serial Protocols)

This menu presents statistics of serial port activity and established connections. The menu also allows you to reset a port, forcing call hang-up and re-establishment.

The Port Statistics table provides a record for each active serial port. The number of historical received and transmitted characters, as well as errors, is displayed.

The Connection Statistics table reflects established TCP connections. Network and serial connections can be paired by examining the Target Serial Port(s) field. The Status field describes whether a network connection is established or in the process of being established.

NOTE: All counts are from the router's perspective. The Rx Packets count reflects packets received from the network, the contents of which are transmitted at the protocol and reflected in the Tx Chars field.

The Refresh button causes the page to be reloaded. The Continuous Display button causes the browser to continuously reload the page, showing the differences in statistics from the last display. The difference is not a real-time rate in bytes or packets per second.

Protocol-Specific Packet Error Statistics

The Raw Socket Packet Errors field refl
33. ...:02 pppd[17328]: pppd 2.4.4 started by root, uid 0
Oct 30 12:36:37 pppd[17328]: Timeout waiting for PADO packets
Oct 30 12:36:37 pppd[17328]: Unable to complete PPPoE Discovery
Oct 30 12:37:42 pppd[17328]: Timeout waiting for PADO packets
Oct 30 12:37:42 pppd[17328]: Unable to complete PPPoE Discovery
Oct 30 12:38:47 pppd[17328]: Timeout waiting for PADO packets
Oct 30 12:38:47 pppd[17328]: Unable to complete PPPoE Discovery
Oct 30 12:39:52 pppd[17328]: Timeout waiting for PADO packets
Oct 30 12:39:52 pppd[17328]: Unable to complete PPPoE Discovery
Oct 30 12:40:26 pppd[17328]: receivePacket: recv: Network is down
Oct 30 12:40:26 pppd[17328]: Exit
Oct 30 12:41:16 pppd[19438]: Plugin rp-pppoe.so loaded
Oct 30 12:41:16 pppd[19443]: pppd 2.4.4 started by root, uid 0
Oct 30 12:41:51 pppd[19443]: Timeout waiting for PADO packets
Oct 30 12:41:51 pppd[19443]: Unable to complete PPPoE Discovery
Oct 30 12:42:56 pppd[19443]: Timeout waiting for PADO packets
Oct 30 12:42:56 pppd[19443]: Unable to complete PPPoE Discovery
Oct 30 12:44:00 pppd[19443]: receivePacket: recv: Network is down
Oct 30 12:44:00 pppd[19443]: Exit

Figure 179: Display PPP Logs (Refresh; Return to ADSL Main Menu)

Section 5.2.6.11 Current Routes and Interface Table

The table provided by this command is as described in the Networking menu, Network Ut
34. ... (continued)
interface eth4
interface gre0.1
interface lo
router rip
 network 192.168.2.0/24
 network 192.168.10.0/24
 neighbor 192.168.10.2
line vty

Figure 281: View RIP Configuration (Return to rip)

This menu displays the text of the active configuration file for the RIP daemon.

Section 5.13 Link Backup

This section familiarizes the user with:
- Configuring link backup
- Obtaining system status
- Testing link backup

Link backup provides an easily configured means of raising a backup link upon the failure of a designated main link. The main and backup links can be Ethernet, CDMA or dial modem, T1/E1, DDS, ADSL or T3. The only requirement is that the main link be a permanent link raised at boot time.

The feature can back up to multiple remote locations, managing multiple main/backup link relationships. When the backup link is a modem, many profiles of dialed numbers can exist, each serving as a distinct backup link.

The feature can back up a permanent high-speed WAN link to a permanent low-speed WAN link. This is used when OSPF cannot be employed, such as on public links.

The feature can be used to migrate the default route from the main link to the backup link. The time after a main link failure to backup link startup, and the time after a main link recovery to backup link stop, are configurable.

The status of the sy
35. ... MTU 1452; Save; Return to ADSL WAN Interfaces

Figure 214: Edit Logical Interface (PPPoE)

This menu allows you to display and configure the logical interface fields for PPPoE, and to convert the interface to Bridged Mode. By default, interfaces are created with PPPoE. If you want the interface to be in Bridged Mode, click the Convert this interface to bridged link.

The Description field attaches a description to the logical interface, viewable from the network interfaces menu.

The VPI field determines the VPI number the connection uses. The default of 0 is correct for most providers. The VCI field determines the VCI number the connection uses. The default of 35 is correct for most providers.

The Attempt ATM Autoconfiguration option causes the router to attempt to automatically determine the VPI and VCI used on the connection. This does not work with all providers and may cause the connection to fail even if the link light is on. If this option is used, it should only be used to find out what the correct values are when your provider is not willing to help you; once the correct values are found, it should be disabled and the correct values entered in the VPI and VCI fields instead.

The PPPoE Username field determines the username to use when connecting to the PPPoE server, as specified by your provider. The Password field determines the password provided to the PPPoE server.

The Default Route check box enables automatically settin
36. ... (T1/E1 Loopback, continued)

Note that loopback tests are performed independently of the Enable/Disable Loopback Modes settings. Even if one or more loopback modes are disabled, the router still performs the selected loopback tests. For more information on enabling and disabling loopback modes, see Section 5.3.2.14, Enabling and Disabling T1/E1 Loopback Modes.

Section 5.3.2.14 Enabling and Disabling T1/E1 Loopback Modes

You can enable and disable T1/E1 loopback modes from the Enable/disable loopback modes menu. After configuring an interface, an Enable/disable loopback modes link appears on the Interface menu. Clicking the link displays the Enable/disable Loopback Modes menu.

Figure 193: Enable/disable Loopback Modes Menu (screen: T1 2 Enable/disable loopback modes; Configured loopback modes for w2c4: Digital loopback enabled/disabled, Line loopback enabled/disabled, Payload loopback enabled/disabled; Apply to w2c4; Return to T1/E1 Main Menu)

Select an option to enable or disable the Digital loopback, Line loopback and Payload loopback modes, then click the Apply button. The loopback mode settings apply immediately and remain set when you reboot the appliance.

Note that enabling a loopback mode only enables the selected mode on the interface; it does not perform a loopback test. Also note that these settings are independent of the loopback te
37. Section 5.2.6.4 Edit Boot Time Interfaces

Figure 172: Editing a Boot-Time Interface (screen: Edit Bootup Interface, Boot Time Interface Parameters; Name: eth1; IP Address/Mask: None, From DHCP, or 192.168.0.3/24; MTU: Automatic; Activate: Yes/No; Proxy ARP: Yes/No; Media Type: Auto-Negotiation; Virtual LAN interfaces: 0, Add virtual lan interface; Save, Save and Apply; Return to network interfaces)

This menu allows you to make permanent changes to interfaces and to immediately apply those changes if desired. The Save button saves changes to the permanent configuration.

The Proxy ARP, Media Type and Virtual LAN Interfaces controls are as described above.

The IP Address/Mask fields allow you to manually specify one or more IP address/mask pairs for this interface, or to obtain the address from DHCP or from BOOTP. You can have both IPv4 and IPv6 (if IPv6 is enabled) addresses at the same time, one on each line.

The Activate fields allow you to permanently disable the interface without actually deleting it.

The Virtual LAN interfaces field displays how many VLAN interfaces are created on this interface, and the Add virtual lan interface link allows you to add a VLAN interface on the boot-time interface.

The Save and Apply button applies any changes after they have been saved.

Section 5.2.6.5 Creating Bootup Virtual LAN Interfaces

Create
38. Section 3.7.2.6 Archive Difference Tool

Figure 41: Archive Differences Menu

Select Configuration Archives to Show Differences:

Archive Name            Version          Archive Comment
Archive20131022-0000    rr1.16.0-QA1-1   Automatic nightly backup at 2013-10-22 00:00
latestarchive           rr1.16.0-QA1-1   Automatic nightly backup at 2013-10-22 00:00
Archive20131019-0000    rr1.16.0-QA1-1   Automatic nightly backup at 2013-10-19 00:00
factorydefaults         rr1.16.0-QA1-1   Factory defaults
Current Configuration   rr1.16.0-QA1-1   Current Configuration on router

Note: select two and only two targets. (Show Differences)

Select Webmin Configuration Archives to Show Differences:

Archive Name            Version          Archive Comment
Webmin20131022-0000     rr1.16.0-QA1-1   Automatic nightly backup at 2013-10-22 00:00
latestwebminarchive     rr1.16.0-QA1-1   Automatic nightly backup at 2013-10-22 00:00
Current Configuration   rr1.16.0-QA1-1   Current Configuration on router

Note: select two and only two targets. (Show Differences; Return to Backup And Restore)

The Archive Difference menu shows the difference between two targets. The first target must be an archive, while the second target can be either another archive or the current configuration. Choose two, and only two, targets and click the Show Differences butto
39. ... 3.3V power supply voltage; 5V: 5V power supply voltage; 12V: 12V power supply voltage; VBat: battery voltage.

The last power-down time reflects the time power was removed from the chassis as a result of a power failure, a commanded reboot or a watchdog-initiated reboot.

System alarms will be generated for out-of-range parameters and for watchdog-initiated reboots.

Section 3.7.7 Power over Ethernet

The IEEE 802.3af standard describes a method commonly known as PoE (Power over Ethernet) for providing electrical power over the twisted-pair wiring most commonly used in Ethernet networks. The obvious benefit is the ability to take advantage of previously unused copper in the 10/100Base-T wiring configuration to provide power without requiring that new wiring be installed.

The device can be provisioned to supply power according to IEEE standard 802.3af. In order to provide PoE via all four router Ethernet ports, the unit must be provisioned with a PoE power supply in place of the optional redundant power supply.

ROX implements PoE mode A, supplying up to 400 mA at up to 48 V on pins 3 and 6 (T568A pair 2), with the return on pins 1 and 2 (T568A pair 3).

Figure 55: PoE Pinout on 10/100BaseT Ports

Pin   Signal   PoE Mode A
1     RX+      V-
2     RX-      V-
3     TX+      V+
4     Reserved, Do Not Connect
5     Reserved, Do Not Connect
6     TX-      V+
7     Reserved, Do Not Connect
8     Reserved, Do Not Connect
Case  Shield
40. (Table of Contents, continued)
5.1.2.3 Static Routes
5.1.2.4 Configuring Static Routes
5.1.2.5 Other Static Routes
5.1.2.6 Static Multicast Routing
5.1.2.7 DNS Client
5.1.2.8 Host Addresses
5.1.2.9 End to End Backup
5.1.2.10 Configuring End To End Backup
5.1.2.11 Current Routing and Interface Table
5.2 Configuring Ethernet Interfaces
5.2.1 LED Designations
5.2.2 VLAN Interface Fundamentals
5.2.2.1 VLAN Tag
5.2.2.2 ROX Functions Supporting VLANs
5.2.3 PPPoE On Native Ethernet Interfaces Fundamentals
5.2.4 IPv6 on Ethernet Fundamentals
5.2.5 Bridge Fundamentals
5.2.6 Ethernet Configuration
5.2.6.1 Ethernet Interfaces
5.2.6.2 Editing Currently Active Interfaces
5.2.6.3 Creating Active Virtual LAN Interfaces
5.2.6.4 Edit Boot Time Interfaces
41. ... All Ports, which selects all ports.

The Message RX/TX field allows log entries to be printed for each received or transmitted message and for the method of packetization. If the Hex Dump field is selected, the first 64 bytes of packet content are displayed. The Incoming/Outgoing Connections field allows regular network-level entries, such as call connections and received/transmitted messages, to be displayed. Note that some unexpected but unusual network messages may be displayed if they occur.

NOTE: Specifying large numbers of ports, entries and capture times can result in a great deal of output. Specifying a large capture time may require the web page to wait that interval if activity is infrequent.

Section 3.10.7.8 Serial Protocols Sertrace Utility

The command-line sertrace utility offers the ability to trace the activity of serial ports in real time. A port range may be specified to limit the output to specific ports. The level of traffic to trace and the type of decoding may be specified. The tool may also be used to force the port to transmit an output test message. The following is an example of sertrace use:

ROX# sertrace -h
Trace Serial Protocol Server Activity
Usage: sertrace [-dtr] [-p portrange]
  -d   serserver protocol decode
  -t   serserver tcp level events
  -r   serserver raw packet display
  -p   serserver ports to capture, e.g. 1,3,6-7
  sers
42. A zone type of IPV4 is used with normal traffic and with route-based VPNs. Reorder the zones by clicking on the arrows under the Move field.

NOTE: If you define a VPN zone whose traffic is received via a network zone, it is essential that the VPN zone be declared before the network zone.

Clicking on a link under the Zone ID field allows you to edit or delete the zone. Note that if you delete a zone, you should remove any rules that reference it.

NOTE: There must be exactly one zone of type firewall. Do not delete this zone.

You may also make changes by manually editing the zone file.

Section 5.8.5.2 Network Interfaces

Figure 220: Firewall Network Interfaces (screen text: Each of the network interfaces on your system that you want Shorewall to manage should be listed on this page and associated with the zone that it is connected to. The loopback interface lo must never be listed. No network interfaces have been defined yet. Add a new network interface. Manually Edit File: click this button to manually edit the Shorewall file /etc/shorewall/interfaces in which the entries above are stored. Return to list of tables)

This menu allows you to add, delete and configure network interfaces. Add a new interface by selecting the Add a new network interface link, or by clicking on the add above or add below images
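The two notes above and the rule on the interfaces page are all ordering or cardinality constraints that the web menus enforce but a manual edit of the files does not. The following is an added example, not part of the RUGGEDCOM ROX User Guide or of Shorewall: it reads the zones and interfaces files in the standard Shorewall column layouts (zones: ZONE TYPE OPTIONS; interfaces: ZONE INTERFACE BROADCAST OPTIONS) and reports more or fewer than one firewall zone, a VPN (ipsec) zone declared after a network (ipv4) zone, a listed loopback interface, and an interface assigned to a zone that does not exist. The files it reads are constructed for the example.

```python
"""Check /etc/shorewall/zones and /etc/shorewall/interfaces against the rules
stated in the guide.

Added example, not part of the RUGGEDCOM ROX User Guide or of Shorewall. The
sample files are constructed. Shorewall treats an omitted zone TYPE as ipv4.
"""

GOOD_ZONES = """\
#ZONE   TYPE      OPTIONS
fw      firewall
vpn     ipsec
net     ipv4
loc     ipv4
"""

BAD_ZONES = """\
#ZONE   TYPE      OPTIONS
fw      firewall
net     ipv4
vpn     ipsec
fw2     firewall
"""

GOOD_INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      norfc1918
loc     eth1        detect
"""

BAD_INTERFACES = """\
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect
loc     lo          -
dmz     eth2        detect
"""


def _rows(text):
    """Yield (lineno, columns) for every non-blank, non-comment line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield lineno, line.split()


def parse_zones(text):
    """Return [(lineno, zone_name, zone_type)] in declaration order."""
    zones = []
    for lineno, cols in _rows(text):
        ztype = cols[1].lower() if len(cols) > 1 and cols[1] != "-" else "ipv4"
        zones.append((lineno, cols[0], ztype))
    return zones


def lint_zones(zones_text):
    """Findings for the zones file: firewall zone count and VPN-before-network order."""
    findings = []
    zones = parse_zones(zones_text)
    firewall = [z for z in zones if z[2] == "firewall"]
    if len(firewall) != 1:
        findings.append(f"zones: expected exactly one zone of type firewall, found {len(firewall)}")
    # A VPN zone declared after a network zone can have its traffic claimed by
    # the network zone first, so every ipsec zone must precede the first ipv4 zone.
    first_ipv4 = next((n for n, _, t in zones if t == "ipv4"), None)
    for n, name, ztype in zones:
        if ztype == "ipsec" and first_ipv4 is not None and n > first_ipv4:
            findings.append(f"zones line {n}: VPN zone '{name}' must be declared before the network zones")
    return findings


def lint_interfaces(interfaces_text, zones_text):
    """Findings for the interfaces file: no loopback entry, zones must exist."""
    findings = []
    known = {name for _, name, _ in parse_zones(zones_text)}
    for n, cols in _rows(interfaces_text):
        zone = cols[0]
        iface = cols[1] if len(cols) > 1 else "-"
        if iface == "lo":
            findings.append(f"interfaces line {n}: the loopback interface must never be listed")
        if zone != "-" and zone not in known:
            findings.append(f"interfaces line {n}: zone '{zone}' is not defined in the zones file")
    return findings


if __name__ == "__main__":
    for msg in lint_zones(BAD_ZONES) + lint_interfaces(BAD_INTERFACES, GOOD_ZONES):
        print(msg)
```

Run it before applying a hand-edited pair of files; the web menus already refuse the second firewall zone and the loopback entry, but nothing stops a manual edit from introducing them.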
43. Accessing the Router

This section familiarizes the user with the ROX Serial Console interface, the ROX Setup script and signing on to the Web interface. This section describes the following procedures:
- Running the Setup Script
- Signing on to the Web Interface
- Signing on to the Command Prompt
- Restoring the default configuration

You can access the router through the console, the Ethernet ports, the WAN ports and the modem port.

Section 3.1.1 Accounts and Password Management

The router provides an rrsetup account, which provides a shell that quickly configures such items as passwords, addresses, date and time, and the services offered by the router. It is very useful to sign in to this shell first, harden the router and configure network addresses, in order that the router be reachable from the network through Web Management.

NOTE: The rrsetup password should be changed, recorded securely and restricted to qualified personnel.

The root account provides a superuser capability for SSH shell access and for the Web server.

NOTE: The root password should be changed, recorded securely and restricted to qualified personnel.

The root and rrsetup accounts may also be managed through RADIUS authentication.

The Web management agent can be accessed through the root account. It may also be accessed through a number of RADIUS accounts via RADIUS authentication. This
44. Figure 173: Creating a Virtual LAN Interface (screen: Create Bootup Interface, Boot Time VLAN Interface Parameters; Name: eth1.____ (4 digits maximum); IP Address/Mask: From DHCP or addresses; MTU: Automatic; Activate: Yes/No; VLAN QoS: Map ingress to mark / Map egress from marks, priorities 0 (default) through 7 each mapped to 0; Create and Apply; Return to network interfaces)

Click the Add virtual LAN interface link in order to create a VLAN interface.

The Name field is the VLAN ID, which must be a numeric value between 1 and 4094. The VLAN ID is presented automatically as 4 digits, prefixed with 0 if the input is shorter than 4 digits. For example, if the input is 2, it will automatically be changed to 0002.

The IP Address/Mask field sets the IP address and mask for this interface. You can assign multiple IPv4 or IPv6 addresses to the interface, one on each line.

The Activate fields allow you to permanently disable the interface without actually deleting it.

The VLAN QoS fields represent the QoS priority options. Quality of Service (QoS) mapping is used to map QoS traffic. It assigns a traffic control mark to incoming IP traffic based on the priority value of a tagged frame. The incoming traffic is then classified and placed in the priority queues according to the traffic control rules specified for the marked rule. In addition, traffic control can assign the same priority or a different priority value when a frame n
45. CAUTION: Configuration hazard, risk of data corruption. Access to the Command Line Interface (CLI) is provided for troubleshooting purposes and should only be used by Siemens technicians. As such, this interface is not fully documented. Misuse of CLI commands can corrupt the operational state of the device and render it inaccessible.

Use an SSH client running the version 2 protocol. SSH to either the rrsetup or root account of the router at one of its IP addresses described above. The router is shipped with the default password admin for both of these accounts.

Section 3.2 The Router Setup Shell

Signing in as the rrsetup user will automatically enter the configuration shell shown below. Quitting the shell with Cancel, or by pressing escape, will cause the connection to close.

Figure 15: Router Setup Main Menu (RuggedRouter Setup Menu. Make one of the following selections. Note that modifications made here will override those made through the web-based management system: Change Passwords; Change Port IP Address Information; Set Hostname; Set Radius Authentication; Disable SSH Server; Disable Web Management; Set Date/Time And Timezone; Display Hardware Information; Restore A Previous Configuration; <Ok> <Cancel>)

The shell provides a number of configuration commands, described below.

Section 3.2.1 Configuring Passwords

The Change Passwords command changes the rrsetup and root account pa
46. (Table of Contents, continued)
3.7.2.1 ... Configuration
3.7.2.2 Configuration Rollback
3.7.2.3 Archive History
3.7.2.4 Archive Backups
3.7.2.5 Archive Restore
3.7.2.6 Archive Difference Tool
3.7.3 Decommissioning the Device
3.7.4 SNMP Configuration
3.7.4.1 SNMP Main Configuration Menu
3.7.4.2 System Configuration
3.7.4.3 Network Addressing Configuration
3.7.4.4 Access Control
3.7.4.5 Trap Configuration
3.7.4.6 MIB Support
3.7.5 Outgoing Mail
3.7.6 Chassis Parameters
3.7.7 Power over Ethernet
3.7.7.1 Power over Ethernet Menu
3.7.8 Banner Control
3.7.9 Logs
3.7.9.1 Syslog Factory Defaults
47. (Table of Contents, continued)
3.8.6.3 ... Demand Alternate Modem Setting
3.8.6.4 Modem PPP Client
3.8.6.5 Modem PPP Server
3.8.6.6 Modem Incoming Call Logs
3.8.6.7 Modem PPP Logs
3.8.6.8 Modem PPP Connection Logs
3.9 Configuring PPP and the Cellular Modem
3.9.1 PPP Interface
3.9.2 Authentication, IP Addressing and DNS Servers
3.9.3 LED Designations
3.9.4 PPP Cellular Modem Configuration
3.9.4.1 Over The Air Account Activation
3.9.4.2 Manual Account Activation
3.9.4.3 Cellular Modem Configuration
3.9.4.4 Modem PPP Client Connections
3.9.4.5 Modem PPP Client
3.9.4.6 PPP Logs / PPP Connection Logs
3.9.4.7 Current Route and Interfaces Table
3.10 Configuring Serial Protocols
3.10.1 Ser
48. Figure 52: Trap Destinations (V3) (screen fields: Engine ID; Minimum Security, default No Authentication; Authentication Protocol, default MD5; Authentication Passphrase; Privacy Protocol, default DES; Privacy Passphrase; Enable Configuration Change Traps; Add)

The SNMP V3 Trap Destinations part of the menu allows the creation and deletion of V3 trap destinations.

The Type field specifies the exchange used with this destination: either V3 trap or V3 inform.

The IP address and User Name fields specify the trap receiver's IP address and user name.

The Engine ID parameter is necessary for inform-type notification destinations only, and must be configured by the trap receiver in order to receive these notifications. The value is considered hexadecimal ASCII. It requires neither a 0x prefix nor an h suffix, and is limited to 64 characters.

The Minimum Security, Authentication Protocol, Authentication Passphrase, Privacy Protocol and Privacy Passphrase fields are as described in Section 3.7.4.4, Access Control.

The Enable Configuration Change Traps option enables traps to be sent when the system's configuration is modified. Please note that only one destination is allowed for configuration change traps, for V2c and for V3 respectively. For example, if this option is enabled in one V2c definition, then that definition will be the unique V2c trap destination for configuration changes. The same applies to V3: if it is enabled in one V3
49. [Service table, continued; each row gives the service name, two Yes/No status columns and a description]
dhcp3-relay: No / No. DHCP Relay Agent.
dhcp3-server: No / No. DHCP Server.
end2endb: No / No. End To End Backup Route Daemon.
idefender sap: No / No. Industrial Defender Access Manager (firewall must be properly configured and enabled first).
ipsec: No / No. Virtual Private Networking (requires a default route to be set).
keepalived: No / No. VRRP Server.
l2tunneld: No / No. Layer 2 tunnels.
linkd: No / No. Link Backup.
lldpd: Yes / Yes. Link Layer Discovery Protocol Daemon.
ntp: No / No. NTP Server.
openl2tp: [status unreadable] / No. openl2tp Daemon.
portmap: No / No. RPC Services (needed by NFS, NIS, rsh, rlogin, rexec and rcp).
ptpd: No / No. IEEE1588 Stack Daemon (PTP Card is required).
serserver: Yes / Yes. Serial Server.
shorewall: No / No. Firewall. Note: To prevent accidentally blocking access to the router, disabling shorewall will not disable the firewall until you either reboot the router or click the Clear Firewall button on the Shorewall Firewall menu.
smcroute: No / No. Static Multicast Router Daemon.
snmpd: Yes / Yes. SNMP (Simple Network Management Protocol).
snort: No / No. Intrusion Detection System.
ssh: Yes / Yes. SSH Server.
sshguard: No / No. Brute Force Attack Prevention. Also sends SNMP traps if traps are configured (V2c or V3). Note: enabling or disabling the firewall will reset sshguard.
telnetd: No / No. Telnet server. Telnet is not encrypted and is insecure; it is strongly suggested to use the ssh server instead of the telnet server.
webmin: Yes / No. Web Management Interface. Note: Stopping Webmin will immediately hang this
50. [Figure 106 form fields: Listen on port (Default 22); Accept protocols (SSH v1, SSH v2); Disconnect if client has crashed (Yes/No); Time to wait for login (Forever / 120); Allow TCP forwarding (Yes/No); Allow connection to forwarded ports (Yes/No); Save] Figure 106: SSH Server Networking. The Listen on addresses fields determine the IP addresses and port upon which SSH will accept a connection. The Listen on port field determines the port number SSH will listen on, assuming Listen on addresses is set to All addresses. The Accept Protocols fields determine which versions of SSH will be allowed. The Disconnect if client has crashed field determines whether the SSH server should periodically check to see if the client is still alive. The Time to wait for login field determines the maximum time from a connection request until login completes, after which the client will be disconnected. The Allow TCP forwarding field specifies whether TCP forwarding is permitted. If this option is set, clients on a remote network can tunnel TCP connections to machines on the device's network. The Allow connection to forwarded ports field specifies whether remote hosts on the client network are allowed to connect to ports forwarded for the client. Section 3.12.5 Access Control. [Form: Network and login access control options. Only allow users: all / Only allow me
51. [...] 249
5.10.6.3 Prioritization Transmit Queue Length ... 250
5.10.7 Prioritization Statistics ... 250
5.11 Configuring IPSec VPN ... 250
5.11.1 IPSec Modes ... 251
5.11.2 Policy Based VPNs ... 251
5.11.3 Supported Encryption Protocols ... 252
5.11.4 Public Key and Pre-Shared Keys ... 252
5.11.5 X.509 Certificates ... 252
5.11.6 NAT Traversal ... 253
5.11.7 Other Configuration Supporting IPSec ... 253
5.11.8 The Openswan Configuration Process ... 253
5.11.9 IPSec and Router Interfaces ... 253
5.11.10 L2TP ... 254
5.11.11 IPSec VPN Configuration ... 254
5.11.12 VPN Main Menu ... 254
5.11.13 Server Configuration ... 256
5.11.14 L2TPD Configuration ... 257
5.11.14.1 Notes on Configuring a VPN Connection ... 257
5.11.15 Public Key ... 258
5.11.16 Pre-Shared Keys ... 258
5.11.17 List Certificates
52. Protocols. Section 5.11.6 NAT Traversal. Historically, IPSec has presented problems when connections must traverse a firewall providing Network Address Translation (NAT). The Internet Key Exchange (IKE) used in IPSec is not NAT-translatable. When IPSec connections must traverse a firewall, IKE messages and IPSec-protected packets must be encapsulated as User Datagram Protocol (UDP) messages. The encapsulation allows the original, untranslated packet to be examined by IPSec. Section 5.11.7 Other Configuration Supporting IPSec. If the router is to support a remote IPSec client, and the client will be assigned an address in a subnet of a local interface, you must activate proxy ARP for that interface. This will cause the router to respond to ARP requests on behalf of the client and direct traffic to it over its connection. IPSec relies upon the following protocols and ports: protocol 51, IPSec AH (Authentication Header, RFC2402); protocol 50, IPSec ESP (Encapsulating Security Payload, RFC2046); UDP port 500. You must configure the firewall to accept connections on these ports and protocols. See Section 5.8.4, Configuring the Firewall and VPN, for details. Section 5.11.8 The Openswan Configuration Process. Each VPN connection has two ends, in the local router and the remote router. The Openswan developers designed the configuration in such a way that the configuration re
53. [Figure: Router 1, Router 2, WAN link] Note that it would not be useful to leave the Ethernet 1.1.2.0/24 subnets out of the area and turn on redistribute connected, as OSPF would not use the subnets for routing. Section 5.12.6 Dynamic Routing Configuration. [Figure 258 menu items: Dynamic Routing; Core; BGP; OSPF; RIP; IS-IS; Enable Protocols; Restart quagga daemon (Click this button to restart the quagga daemon. This will apply configuration parameters.)] Figure 258: Dynamic Routing Main Menu. In order to begin dynamic route processing on ROX, one of the protocols RIP, OSPF or BGP must be enabled in the Enable Protocols menu under Dynamic Routing. The Core menu configures link-related items such as link detect and link cost. The RIP, OSPF and BGP menus configure the corresponding routing protocols. Section 5.12.6.1 Enable Protocols. [Figure 259 form: Enabled Protocol: BGP (Border Gateway Protocol); OSPF (Open Shortest Path First v2, IPv4); RIP (Routing Information Protocol, IPv4); Apply Settings (Click this button to restart the quagga daemon and apply all configuration changes); Return to dynamic routing] Figure 259: Dynamic Protocol Enable Menu. This menu enables RIP and OSPF for dynamic routing.
54. Router and software features: Firewall; VPN; DHCP Agent (Option 82 capable); Full IPSec Virtual Private Networking; Traffic prioritization; NTP Server; VPN with 3DES, AES128, AES256 support; IP Multicast Routing; RADIUS centralized password management; Multi-level user passwords; SNMP v2/v3 (Simple Network Management Protocol); PAP/CHAP Authentication; Stateful Firewall with NAT; GOOSE messaging support; Cellular Modem Support; Link Backup; Precision Time Protocol (PTP Card); Serial IP Encapsulation.
WAN Features: Frame Relay (RFC 1490 or RFC 1294); PPP (RFC 1661, 1332, 1321, 1334); PPPoE over DSL.
Management Features: Web-based, SSH and CLI management interfaces; SNMP v2/v3; Remote Syslog; Port Configuration and Status; Event Logging and Alarms; Rich set of diagnostics with logging and alarms; Loopback diagnostic tests; Raw and interpreted real-time line traces; Quick setup facility.
Section 1.2 Security Recommendations. To prevent unauthorized access to the device, note the following security recommendations. CAUTION: Configuration hazard, risk of data corruption. Access to the Command Line Interface (CLI) is provided for troubleshooting purposes and should only be used by Siemens technicians. As such, this interface is not fully documented. Misuse of CLI commands can corrupt the operational state of the device and render
55. [...] 305
5.14.8 Viewing VRRP Instances Status ... 306
5.15 Link Layer Discovery Protocol (LLDP) ... 306
5.16 Configuring Generic Routing Encapsulation ... 307
5.16.1 GRE Configuration ... 308
5.16.1.1 GRE Configuration Menu ... 309
5.17 Configuring Layer 2 Tunnels ... 309
5.17.1 GOOSE Tunnel Implementation Details ... 310
5.17.2 Generic Layer 2 Tunnel Fundamentals ... 311
5.17.2.1 Generic Tunnel Implementation Details ... 311
5.17.3 Layer 2 Tunnels Main Menu ... 312
5.17.4 General Configuration Menu ... 312
5.17.5 GOOSE Tunnels Menu ... 313
5.17.6 Generic L2 Tunnels Menu ... 314
5.17.7 GOOSE Statistics Menu ... 315
5.17.8 Generic L2 Tunnel Statistics Menu ... 316
5.17.9 Activity Trace Menu ... 317
5.18 Configuring the DHCP Server ...
56. [Table: Available Services by Port. Columns: Service, Port Number, Port Open, Port Default, Access Authorized]
HTTPS: TCP 443; open if configured (with login); default Open; access authorized Yes.
Telnet: TCP 23; open if configured (with login); default Closed; access authorized Yes.
NTP: UDP 123; open if configured; default Closed; access authorized No.
SNMP: UDP 161; open if configured (with login); default Closed; access authorized Yes.
SSH: TCP 22; open if configured (with login); default Open; access authorized Yes.
TCP Modbus: TCP 502; open if configured; default Closed; access authorized No.
TCP Modbus Gateway: TCP 502; open if configured; default Closed; access authorized No.
IPSec IKE: UDP 500; open if configured; default Closed; access authorized No.
IPSec NAT-T: UDP 4500; open if configured; default Closed; access authorized No.
DNPv3: TCP 20000; open if configured; default Closed; access authorized No.
RawSocket: TCP (configured); open if configured; default Closed; access authorized No.
DHCP Server: UDP 67, 68; open if configured; default Closed; access authorized No.
DHCP Server: UDP 67; open if configured; default Closed; access authorized No.
DHCP Agent: UDP 67; open if configured; default Closed; access authorized No.
RADIUS: UDP 1812 to send (opens a random port to listen); open if configured; default Closed; access authorized Yes.
L2TP: random port; open if configured; default Closed; access authorized Yes.
PTP (IEEE 1588): UDP 319, 320; open if configured; default Closed; access authorized No.
LLDP: no port; Open; default Open; access authorized No.
Chapter 2, Using ROX. This chapter describes how to use the ROX interface. It describes the following tasks: Section 2.1 The ROX Web Interface; Section 2
57. Click the link in the Session ID column to cancel a session. Click the Webmin user link under the Webmin user column to display the Webmin user edit menu for that user. Click the View logs link to display logs for that Webmin user. Section 4.2.6 Password Restrictions Menu. [Figure 134 form: Webmin password enforcement options. Minimum password length (No minimum / N letters); Regular expressions passwords must match; Disallow passwords containing username (Yes/No); Number of old passwords to reject (No limit on password re-use / N passwords); Save; Return to user list] Figure 134: Password Restrictions Menu. This menu allows you to set restrictions for password selection in order to prevent the use of trivial or machine-guessable passwords. IMPORTANT: Password restrictions do not apply to passwords for the root and rrsetup profiles. The Minimum password length field sets the minimum length for a password. The Regular expression passwords must match field sets the regular expression that a new password must match. The above example restricts new passwords to begin with an alpha character followed by at least another 5 alphanumeric characters. The Disallow passwords containing username field prevents new passwords from containing the user name. The Number of old passwords to reject field determines after how many success
58. The Type configures the type of the alert definition entry. There are three types available: Simple, Shell and RMON. Currently only the first two types are supported. If users choose the Shell type, they should complete the parameters under the Parameters for Shell table. The Parameters for Shell table allows the user to configure additional parameters if the alert definition entry type is Shell. The Sample Interval configures how often the system should run the configured shell command to get a sample. The Command configures the shell command to run. The Comparator configures how to compare with the shell command result. The Threshold configures the threshold to compare with the shell command result, to see whether the condition is true or false. The And Repeats configures how many times the condition must be true before the alert is generated. The And Until configures how many seconds the condition should be true before an alert is generated. The Not Cleared Repeats configures how many times the condition must be false before the alert is cleared. The Not Cleared Until configures how many seconds the condition must be false before an alert is cleared. The Parameters for RMON table allows the user to configure additional parameters if the alert definition entry type is RMON. The Device Name configures the name of the device to be monitored. The MIB Variable configures the MIB
59. VRRP instances existing as of the last restart of keepalived. The entries under the Current State column reflect the state of the VRRP instances. An instance can be in one of: Master (master for the VRIP), Backup (backup for the VRIP) or Fault (VRRP interface or Monitored interface is down). The entries under the Time Of Change To Current State column reflect when the current state was entered. The entries under the VRRP Interface State column reflect the link state of the interface that the instance runs upon. The entries under the Monitored Interface State column reflect the link state of the monitored interface, or none if an interface is not configured. Section 5.15 Link Layer Discovery Protocol (LLDP). The IEEE standard 802.1AB Link Layer Discovery Protocol (LLDP) promises to simplify troubleshooting of enterprise networks and enhance the ability of network management tools to discover and maintain accurate network topologies in multi-vendor environments. LLDP data are made available to NMS (Network Management Systems) via SNMP. The LLDP service is enabled by default but may be disabled via Section 4.3.1, Bootup and Shutdown. CAUTION: LLDP is not secure by definition. Avoid enabling LLDP on devices connected to external networks. Siemens recommends using LLDP only in secure environments operating within a security perimeter. NOTE: In order to make LLDP information available via SNMP, the SNMP service must be configured, runnin
60. Web session. [Buttons: Start Selected (Now And At Boot); Stop Selected (Now And At Boot); Reboot System (Click on this button to immediately reboot the system. All currently logged in users will be disconnected and all services will be stopped.); Shutdown System (Click on this button to prepare the system for removing power. The system will reboot into a power-down shell and wait for 300 seconds, during which time it will be safe to remove power. After this period the router will reboot into the normal operating mode.)] Figure 135: Bootup and Shutdown, Part 1. This menu allows you to enable or disable services and to perform actions at boot. The first part of the menu manages services. Check the box for the desired service and click on Start Selected to start the service and have it start at the next boot. Click on Stop Selected to stop the service and not have it start at boot. The Reboot System button will cause the system to reboot. The Shutdown System button shuts down the system in order to remove power. NOTE: The device never enters a permanent shutdown state. If the device is instructed to shut down, either from Webmin or from a shell command, it will reboot into a command line shell that waits five minutes before restarting. If you really want the router to remain powered but permanently inactive, you must issue the shutdown, connect a terminal to the serial port, wait for the router to enter the shutdown shell and issue a CTRL-C. The second part of t
61. [Service table rows snmpd through webmin, and the Start Selected, Stop Selected, Reboot System and Shutdown System buttons, repeat those of the preceding figure.] Figure 136: Bootup and Shutdown, Part 2. The actions may be a series of commands that can be executed at the command line. Each entered line is executed independently of the previous line, so change-directory commands will not be effective. Always specify the absolute path of files used in commands. Selecting Save and Run Now will run the script and show its output, allowing you to debug it. Section 4.3.2 Configuring Passwords. This section fami
62. Yet another set of users is granted access via Webmin user accounts. Section 4.6.2 RADIUS on ROX. ROX supports RADIUS server redundancy. Multiple RADIUS servers, usually operating from a common database, may be used to authenticate a new session. If the first configured RADIUS server does not respond, subsequent servers will be tried until a positive or negative acknowledgment is received or an attempt has been made to contact all configured servers. Each server is configured with an associated timeout, which limits the time that ROX will wait for a response. An authentication request could thus require up to the sum of the timeouts of all configured servers. RADIUS authentication activity is logged to the authorization log file, auth.log. Details of each authentication, including the time of occurrence, source and result, are included. Section 4.6.3 RADIUS, ROX and Services. RADIUS provides the means to restrict access on a per-service basis. Accounts may be configured on a RADIUS server to be allowed access only to the Webmin service, for example. ROX supports RADIUS authentication for the following services: LOGIN, PPP, WEBMIN. ROX provides the option of designating different servers to authenticate LOGIN, PPP or WEBMIN services separately or in combination. The LOGIN Service. The LOGIN service consists of the following types of access: Local console logins via the serial port and modem; Remote shell logins via SSH and Tel
63. a local serial port, the DNP source address and serial port number are entered into the Device Address Table. When a message with an unknown DNP source address is received from the IP network on the IP interface that is configured as the DNP learning interface, the DNP source address and the IP address of the sender are entered into the Device Address Table. When a message with an unknown DNP destination address is received on a local serial port, the message is sent in a UDP broadcast out the network interface configured as the DNP learning interface. When a message with an unknown DNP destination address is received from the IP network, it is sent to all local serial ports configured as DNP ports. UDP transport is used during the DNP address learning phase. All learned addresses will be kept in the Device Address Table, which is saved in non-volatile memory; this makes it unnecessary to repeat the DNP address learning process across a ROX reboot or accidental power loss. An aging timer is maintained per DNP address in the table and is reset whenever a DNP message is sent to or received for the specified address. This learning facility makes it possible to configure the DNP3 protocol with a minimum number of parameters: a TCP/UDP port number, a learning network interface and an aging timer. Section 3.10.6.2 DNP Broadcast Messages. DNP addresses 65521 through 65535 are reserved as DNP3 broadcast addresses. ROX supports DNP3 broadcast mess
64. a unique name to assign to the shared network. It could be the name of the interface the shared network is on, for example. Within a shared network you can create subnets, hosts and groups of hosts. Section 5.18.5.2 DHCP Subnet Configuration. NOTE: The menu interfaces for creating a DHCP Subnet Configuration and for editing an existing one are the same; only the title differs (Create versus Edit). [Figure: Edit Subnet form. Subnet Details: Subnet description (Local Network); Network address 192.168.2.0; Netmask 255.255.255.0; address ranges 192.168.2.0 to 192.168.2.200 (Dynamic BOOTP); Default lease time (Default / secs); Maximum lease time (Default / secs); Boot filename (None); Boot file server (This server); Lease length for BOOTP clients (Forever / secs); Lease end for BOOTP clients (Never); Dynamic DNS enabled (Yes / No / Default); Dynamic DNS domain name (Default); Dynamic DNS reverse domain (Default); Dynamic DNS hostname (From client); Allow unknown clients (Allow / Deny / Ignore / Default); Server is authoritative for this subnet (Yes / Default / No); Disable NAK of option 82 for this subnet (Yes / Default / No); Hosts directly in this subnet; Groups directly in this subnet; Save; Edit Client Options; List Leases; Add a new host; Add a new host group; Address Po
65. [...] 103
3.12 Configuring SSH ... 103
3.12.1 Included with SSH ... 104
3.12.2 SSH Main Menu ... 104
3.12.3 Authentication ... 104
3.12.4 Networking ... 105
3.12.5 Access Control ... 106
3.13 Configuring the Telnet Server ... 106
3.13.1 Telnet Server Configuration ... 107
3.14 Configuring IRIG-B and IEEE1588 ... 107
3.14.1 IEEE1588 Fundamentals ... 108
3.14.1.1 PTP Network Roles ... 108
3.14.1.2 PTP Master Election ... 108
3.14.1.3 Synchronizing NTP from IEEE1588 ... 109
3.14.2 IRIG-B Fundamentals ... 109
3.14.2.1 IRIG-B Output Formats ... 109
3.14.2.2 Reference Clocks ... 110
3.14.2.3 How the Router Selects a Reference Clock ... 110
3.14.2.4 GPS Cable Compensation ... 110
3.14.3 IRIG-B IEEE1588 Configuration ... 111
3.14.3.1 General Configurat
66. about Ethernet ports, the front panel LEDs and the LED Panel. A LED is associated with each port, next to the Ethernet interface RJ45 socket. This LED is off when the link is disconnected, remains solidly on when the link is established, and flashes briefly from on to off when traffic occurs. The LED Panel also summarizes this information: LEDs 1-4 reflect traffic on Ethernet ports 1-4; LEDs 5-8 reflect the link status of the same ports. Section 5.2.2 VLAN Interface Fundamentals. A virtual LAN (VLAN) is a group of devices on one or more LAN segments that communicate as if they were attached to the same physical LAN segment. VLANs are extremely flexible because they are based on logical instead of physical connections. When VLANs are introduced, all traffic in the network must belong to one or another VLAN. Traffic on one VLAN cannot pass to another except through an intranetwork router or layer 3 switch. The IEEE 802.1Q protocol specifies how traffic on a single physical network can be partitioned into VLANs by tagging each frame or packet with extra bytes to denote which virtual network the packet belongs to. Section 5.2.2.1 VLAN Tag. A VLAN tag is the identification information that is present in frames in order to support VLAN operation. If an Ethernet frame is VLAN tagged, the EtherType value immediately following the Source MAC address is set to 0x8100, denoting an 802.1Q VLAN. The next 2 bytes of the VLAN tag contain a 3-bit User
67. active configuration file for the OSPF daemon. Section 5.12.6.18 RIP. [Figure 276 menu items: RIP Global Parameters; RIP Interfaces; RIP Networks; RIP Status; View RIP Configuration; Return to dynamic routing] Figure 276: RIP Menu. This menu contains the configuration and status of RIP on the router. The RIP Global Parameters and RIP Interfaces menus configure RIP. The Status and View RIP Configuration menus display the actual status and configuration file contents of RIP. Section 5.12.6.19 RIP Global Parameters. [Figure: RIP Global Parameters form. Columns: Parameter, Value, Description, Possible values (default value). Password: Enable password for configuration access; string without spaces (previous password). Telnet Password: Telnet password for port 2602 access; string without spaces (previous password). Hostname: Identifier of router, often the DNS name of the router; string without spaces (no hostname). Default Information Originate: enable; advertise default route (disabled). Default Metric: 1; control distribution of default information; 1-16 (1). Distance: define an administrative distance; unset, 1-255 (unset, not used). Redistribute: enable; redistribute routes for directly connected interf
68. and VRRP. Dynamic routing is provided by the Quagga suite of routing protocol daemons. Quagga provides three daemons for managing routing: the core, ripd, ospfd and bgpd. The core daemon handles interfacing with the kernel to maintain the router's routing table and to check link statuses. It tells RIP, OSPF and BGP what state links are in, what routes are in the routing table, and some information about the interfaces. The ripd, ospfd and bgpd daemons handle communications with other routers using the RIPv2, OSPFv2 and BGP protocols respectively, and decide which routers are preferred to forward to for each network route known to the router. In complex legacy networks RIP, OSPF and BGP may be active on the same router at the same time. Typically, however, one of them is employed. Section 5.12.1 BGP Fundamentals. The Border Gateway Protocol (BGP, RFC 4271) is a robust and scalable routing protocol. BGP is designed to manage a routing table of up to 90000 routes and is therefore used in large networks or among groups of networks which have common administrative and routing policies. If BGP is used to exchange routing information between different networks, it is called Exterior BGP (EBGP). Interior BGP (IBGP) is used to exchange routing information between routers within the same network. Section 5.12.2 RIP Fundamentals. The Routing Information Protocol determines the best path for routing IP traffic over a TCP/IP network based on
69. and you wish to use the Gauntlet security appliance, activate and configure it. If SNMP will be used, limit the IP addresses which can connect and change the community names. Configure SNMP to raise a trap upon authentication failures. Only enable the services you need and expect to use. ROX comes with the following login banner. Replace the contents of the files /etc/issue and /etc/issue.net in order to change it:
"WARNING: You are attempting to access a private computer system. Access to this system is restricted to authorized persons only. This system may not be used for any purpose that is unlawful or deemed inappropriate. Access and use of this system is electronically monitored and by entering this system you are giving your consent to be electronically monitored. We reserve the right to seek all remedies for unauthorized use including prosecution."
If using a firewall, configure and start the firewall before attaching the router to the public network. Configure the firewall to accept connections from a specific domain. Configure remote system logging to forward all logs to a central location. Periodically audit the device to make sure it complies with these recommendations and/or any internal security policies. Section 1.3 Quick Starts. The following instructions are included to aid those users experienced with communications e
70. assigned by the network administrator or Internet service provider. The Gateway IP Address field defines the IP address to use as the gateway for sending to other sites. This is usually the same as the Remote IP Address. Section 5.7.2.4 ADSL Statistics. [Figure 216: ADSL Link Layer Statistics. Link status: Disconnected; Modulation: T1.413; Down Rate: 0 kbps; Up Rate: 0 kbps; Local SNR Ratio: 0 dB; Remote SNR Ratio: 0 dB; Refresh; Return to ADSL Main Menu] Figure 216: ADSL Link Statistics. When at least one logical interface is configured, ADSL link statistics will be available. These statistics are available from links on the ADSL WAN Interfaces menu. The Local SNR Ratio is an effective indicator of line quality: SNR values above 40 dB correspond to excellent line quality, while values below 10 dB result in marginal operation or failure. Section 5.7.2.5 Current Routes and Interface Table. The table provided by this command is as described in the Networking menu, Network Utilities sub-menu. It is also provided here as a convenience. Section 5.7.2.6 Upgrading Software. For some customers, access to remote sites is accomplished solely by an ADSL connection. Usually a software upgrade will stop the system being upgraded, perform the upgrade and then restart it. If AD
71. authentication check box. b. Select the Networking tab and select L2TP IPSec VPN for Type of VPN. c. Click the OK button to save the Properties settings. d. Now that you are back in the Connect window, enter your user name and password to begin the connection. More information about how to import a certificate in Windows XP/2000 can be found at the link http://www.jacco2.dds.nl/networking/openswan-l2tp.html (Certificates).
72. before it stops. If the number is 0, it will never stop and will dial until the connection is established. Otherwise a Reconnect button will appear in the Modem Main Menu after the specified number of consecutive failed connection attempts. The Dial Interval field determines how many seconds to wait before re-initiating the link after it terminates. Section 3.9.4.6 PPP Logs, PPP Connection Logs. Refer to Section 3.8, Configuring PPP and the Embedded Modem, for information. Section 3.9.4.7 Current Route and Interfaces Table. Refer to Section 3.8, Configuring PPP and the Embedded Modem, for information. Section 3.10 Configuring Serial Protocols. This section familiarizes the user with: RawSockets Applications; TCP Modbus Server Applications; DNP (Distributed Network Protocol); Configuring Serial ports for RawSocket; Viewing Serial Port and TCP Connection status and statistics; Resetting Serial ports; Tracing Serial Port activity. Section 3.10.1 Serial IP Port Features. The ROX Serial Server provides the following features for forwarding serial traffic over IP: Raw Socket Protocol, a means to transport streams of characters from one serial port on the router to a specified remote IP address and TCP port; Four independent serial ports per product; Bit rates of 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200 or 230
73. bootup and shutdown menu. The Apply Changes button applies new settings to the running DHCP server. Use this after making any changes to the configuration.

Section 5.18.5.1 DHCP Shared Network Configuration

NOTE: The menu interfaces for creating a DHCP Shared Network Configuration and for editing an existing one are the same; only the title differs (Create versus Edit).

[Figure 311: DHCP Shared Network Configuration. Fields shown: Shared network description; Network name; Maximum lease length (Default / secs); Boot filename (None / name); Boot file server (This server / other server); Default lease length (Default / secs); Lease length for BOOTP clients (Default / Forever / secs); Lease end for BOOTP clients (Never / date); Dynamic DNS (Yes / No / Default); Dynamic DNS domain (Default / name); Dynamic reverse DNS domain (Default / name); Dynamic DNS hostname (From client / Default); Allow unknown clients (Allow / Deny / Ignore / Default); authoritative for this shared network (Yes / No / Default); Hosts directly in this shared network; Groups directly in this shared network; Subnets in this shared network; Create; Return to subnet list.]

The settings specific to the Create/Edit Shared Network menu are as follows. The Shared network description field is used to describe the shared network as desired. The Network name field is
74. card. This corresponds to the IMEI for GSM networks. Network Carrier ID displays the identity of the wireless network provider for which the cellular modem is currently configured. Phone Number displays the cellular telephone number associated with the account created to provide service for the modem.

Section 3.9.4.4 Modem PPP Client Connections

[Figure 88: Modem PPP Client Connections. Table of connection names (example: HeadOffice) with an Edit link for each and an Add new link; parameter Connect at boot (value: HeadOffice; description: which client connection to start automatically at boot); Save; Return to Modem Main Menu.]

To edit an existing connection, click the Edit link for that connection. To create a new connection, click the Add new link. To have the router automatically dial a connection at boot time and keep it always active, select which connection should be used from the drop-down list of available connection profiles in the Connect at boot list.

Section 3.9.4.5 Modem PPP Client

[Figure: Modem PPP Client (ppp10). Fields: Connection name (HeadOffice); PPP Username (N/A); Password; Defaultroute; Use peer DNS; Maximum Dial Attempts (0; 0 means try forever); Dial Interval (1-86400 seconds; 30).]

Note: The Maximum Dial Attempts is the number of consecutive connection att
75. connection and the VPN connection passes through a firewall. The Syslog logging level field determines the facility and priority of log messages generated by Openswan.

Section 5.11.14 L2TPD Configuration

[Figure 250: L2TPD Configuration Menu. Fields: Local IP Address; First Address in Remote IP Address Pool; Maximum Number of Remote IP Address; Netmask of Remote IP Address Pool (255.255.0.0); Primary DNS Server for Windows Client; Secondary DNS Server for Windows Client; Primary WINS Server for Windows Client; Secondary WINS Server for Windows Client; Save and Apply; Return to connections list.]

The Local IP Address field sets the router's IP address for the PPP connection. Note that for all connections the router will use the same local IP address. The First Address in Remote IP Address Pool field sets the first IP address of the remote IP address pool; IP addresses from this pool are assigned to PPP clients connecting to the L2TPd. The Maximum Number of Remote IP Address field sets how many simultaneous connections will be allowed. The Netmask of Remote IP Address Pool field is always 255.255.0.0. The Primary DNS Server for Windows Client field sets the primary DNS server IP address to be used by connecting Windows clients. The Secondary DNS Server for Win
76. console to the same degree as any physical access to the device, by setting a bootloader password. If a bootloader password is not set, the serial console could provide unauthorized access to BIST mode, which includes tools that may be used to gain complete access to the device. Restrict the IP addresses from which Web management will accept connections; see the Webmin menu, IP Access Control sub-menu. Restrict the Ethernet ports on which Web management will accept connections; see the Webmin menu, Ports and Addresses sub-menu. Review the IP networking settings provided in the Network Configuration menu, Core Settings sub-menu. You may wish to tighten some settings, especially Ignore All ICMP ECHO requests. Restrict the users that the SSH server will allow to connect; see the SSH Server menu, Access Control sub-menu. It is highly recommended that critical applications be limited to private networks, or at least be accessible only through secure services such as IPSec. Connecting a ROX device to the Internet is possible; however, the utmost care should be taken to protect the device and the network behind it using secure means such as a firewall and IPSec. For more information about configuring firewalls and IPSec, refer to Section 5.8, Configuring the Firewall, and Section 5.11, Configuring IPSec VPN. If the router is an RX1100 and you wish to use the Snort Intrusion Detection System, activate and configure it. If the router is an RX1100
77. delays of the interface. The Passive Interface option controls whether an interface is active or passive. Passive interfaces do not send LSAs to other routers and are not part of an OSPF area. The Authentication field controls the type of authentication to use when communicating with other routers. It can be set to default (which uses the routing package's default value), null (just check for message corruption) or message digest (which cryptographically signs each message with a shared key). The Message Digest Keys table allows the addition and deletion of keys to use for areas connected to this interface when authentication is set to message digest.

Section 5.12.6.15 OSPF Network Areas

[Figure 273: Network Areas. Table columns: Area ID (A.B.C.D); Area Address/Netmask (A.B.C.D/M); Action. Example rows: 0.0.0.0, 192.168.10.0/24, Delete; 0.0.0.0, 192.168.2.0/24, Delete; Add; Return to ospf.]

OSPF uses areas to control which routes are distributed between routers. To add a network to an area, enter the area ID and the network address and netmask and click Add. To delete an entry, click the Delete button beside the entry. All network routes that are part of the same area will be distributed to other routers in the same area.

Section 5.12.6.16 OSPF Status

This status menu shows various
78. difference between the local clock and the reference chosen by NTP (the offset) is more than 128 ms for a period of more than 900 seconds, NTP will step (instantaneously correct) the time. If the time difference is less than 128 ms, NTP will slew the time by no more than 500 microseconds every second toward the correct time, in such a way that, to an application on the system, the time never appears to be flowing backwards. NTP will step the system time when it starts up. This is almost always at boot time. Stepping the time afterwards can cause protocols such as OSPF that rely upon accurate real time to fail. The router deals with this problem by restarting these protocols if they are running when NTP restarts. After booting, NTP uses slewing to achieve synchronization by making small and frequent changes to the router hardware clock. If the reference server's clock differs from the local clock by more than 1000 seconds, the NTP daemon decides that a major problem has occurred and terminates. Usually NTP will succeed in synchronizing the clock at boot time. If it fails to synchronize the clock, perhaps due to a downed WAN link, the NTP daemon may terminate. The router, however, will note the termination and will automatically restart the NTP daemon.

Section 5.20.2 NTP and the Precision Time Protocol Card

If the router is equipped with a Pre
79. each one. Other statistics, including known peers and memory usage. The table in the Current BGP route status report provides the following information: Network is the IP address for the network; Next Hop is the next hop IP address; Metric is the metric value; LocPrf is the local preference; Weight is the weight; Path is the Autonomous System (AS) path. The table in the Current BGP neighbor detail status report provides the following information: Neighbor is the IP address for the neighbor; V is the IP version; AS is the Autonomous System (AS) number; MsgRcvd is the number of messages received; MsgSent is the number of messages sent; TblVer is the table version; InQ is the in-queue depth; OutQ is the out-queue depth; Up/Down is the last up/down time; State/PfxRcd is either the number of prefixes received, if the connection is established, or the state of the connection.

Section 5.12.6.11 View BGP Configuration

[Figure 269: View BGP Configuration Menu, showing the output of show running-config for BGP:]

    password ruggedquagga
    enable password ruggedquagga
    router bgp 200
     bgp router-id 192.168.10.1
     network 192.168.2.0/24
     network 192.168.10.0/24
     neighbor 192.168.10.2 remote-as 210
     neighbor 192.168.10.2 maximum-prefix 50 restart 10
    line vty

[Return to bgp.]

This menu di
80. (continued entry) 208
5.6.3 Configuring PPP Multilink over T1/E1 209
5.6.4 Multilink PPP Statistics 210
5.7 Configuring PPPoE Bridged Mode On ADSL 210
5.7.1 PPPoE Bridged Mode Fundamentals 211
5.7.1.1 Authentication, Addresses and DNS Servers 211
5.7.1.2 PPPoE MTU Issues 211
5.7.1.3 [title illegible] 212
5.7.1.4 Location of Interfaces and Labelling 212
5.7.1.5 LED Designations 212
5.7.2 ADSL Configuration 213
5.7.2.1 ADSL Network Interfaces 213
5.7.2.2 Editing a Logical Interface (PPPoE) 214
5.7.2.3 Editing a Logical Interface (Bridged) 215
5.7.2.4 ADSL Statistics 216
5.7.2.5 Current Routes and Interface Table 216
5.7.2.6 Upgrading Software 216
5.8 Configuring the Firewall 216
5.8.1 Firewall Fundamentals 217
5.8.1.1 Stateless vs Stateful Firewalls
81. (continued entry) 189
5.3.2.7 Frame Relay DLCIs 190
5.3.2.8 Editing a Logical Interface (PPP) 190
5.3.2.9 [title illegible] Statistics 191
5.3.2.10 Link Statistics 192
5.3.2.11 Frame Relay Interface Statistics 193
5.3.2.12 PPP Interface Statistics 194
5.3.2.13 T1/E1 Loopback 194
5.3.2.14 Enabling and Disabling T1/E1 Loopback Modes 196
5.3.2.15 Upgrading Software 196
5.3.2.16 Upgrading Firmware 196
5.4 Configuring Frame Relay, PPP and T3/E3 197
5.4.1 T3/E3 Fundamentals 197
5.4.2 Location of Interfaces and Labelling 197
5.4.3 LED Designations 198
5.4.4 T3/E3 Configuration 198
5.4.4.1 T3/E3 Trunk Interfaces 198
5.4.4.2 Naming of Logical Interfaces 199
5.4.4.3 T3 Interface Parameters 199
82. end delay from about 650 ms to about 1000 ms. The server can already be busy sending a request when the request of our example arrives. Using the figures from the above paragraph, the server being busy would increase the end-to-end delay from 1000 to 1350 ms. The preceding analysis suggests that the Master should time out at some time after 1350 ms from the start of transmission.

Section 3.10.6 DNP (Distributed Network Protocol)

ROX supports DNP 3.0, commonly used by utilities in process automation systems. DNP3 protocol messages specify source and destination addresses. A destination address specifies which device should process the data, and the source address specifies which device sent the message. Having both destination and source addresses satisfies at least one requirement for peer-to-peer communication, since the receiver knows where to direct a response. Each device supporting the DNP protocol must have a unique address within the collection of devices sending and receiving DNP messages.

Section 3.10.6.1 Address Learning for DNP

ROX implements both local and remote address learning for DNP. A local Device Address Table is populated with DNP addresses learned for local and remote DNP devices. Each DNP address is associated with either a local serial port or a remote IP address. When a message with an unknown DNP source address is received on
83. equipment damage. CAUTION: CAUTION alerts describe hazardous situations that, if not avoided, may result in equipment damage. IMPORTANT: IMPORTANT alerts provide important information that should be known before performing a procedure or step, or using a feature. NOTE: NOTE alerts provide additional information, such as facts, tips and details.

Related Documents

Other documents that may be of interest include: RX1000/RX1100 Installation Guide; RUGGEDCOM Fiber Guide; RUGGEDCOM Wireless Guide; Industrial Defender Access Manager User Manual; Industrial Defender Access Client User Manual; Industrial Defender Access Manager System Installation Manual; White Paper: Rapid Spanning Tree in Industrial Networks.

System Requirements

Each workstation used to connect to the ROX Webmin user interface must meet the following system requirements: it must have one of the following Web browsers installed: Microsoft Internet Explorer 8.0 or higher, Mozilla Firefox, Google Chrome, Iceweasel or IceCat (Linux only); it must have a working Ethernet interface compatible with at least one of the port types on the unit; the ability to configure an IP address and netmask on the computer's Ethernet interface; a suitable Ethernet cable; an SSH client application installed on a computer.

Accessing Documentation

The latest Hardware Installation Guides and Software User Guides for
84. errors if they occur. After dhcp starts cleanly, cause it to start at boot time by enabling it through the System folder, Bootup And Shutdown menu.

[Figure 310: DHCP Server Menu, including the Start Server button.]

The DHCP Server main menu shows the subnets configured for DHCP, as well as any groups and hosts. New subnets, groups and hosts can be added, and existing entries can be edited or deleted. The Edit Client Options button allows you to set global client settings for the DHCP server. Settings made here apply to all clients unless overridden at a lower level in the configuration. The Edit Network Interface button allows you to select which interfaces DHCP should listen for DHCP requests on. Note that you must also have a subnet matching the IP address of the selected interface configured in DHCP in order to actually have DHCP listen for requests on a port. The List Active Leases button displays IP leases that are currently assigned to clients from the dynamic IP address pool. Note that static MAC-address-to-IP-address assignments handled by DHCP are not displayed in this list. From this list there is a button labelled List all active and expired leases, which will additionally display leases that have been granted that are no longer active. The Start Server button starts the server to check the configuration. To permanently enable DHCP, you should enable it in the
85. (continued entry) 4
1.3.3 Physical Interface Related 4
1.3.4 Additional Configuration 5
1.4 Available Services by Port 5
Chapter 2 [title illegible] 7
2.1 The ROX Web Interface 7
2.1.1 Using a Web Browser to Access the Web Interface 7
2.1.2 The Structure of the Web Interface 8
2.2 Network Utilities 10
2.2.1 Network Utilities Main Menu 10
2.2.2 [title illegible] 11
2.2.3 Ping Check Menus 11
2.2.4 Traceroute Menu 12
2.2.5 ARP Ping Check Menu 13
2.2.6 Host Menu 14
2.2.7 Trace Menu 14
2.2.8 Tcpdump a Network Interface 15
2.2.9 Frame Relay Link Layer Trace a WAN Interface 16
2.2.10 Serial Trace a Serial Server Port 16
2.2.11 Interface Statistics Menu 17
2.2.12 Current Rout
86. facilitate upgrading the ROX software across a network. It describes the following tasks: Section 6.1, Installing Apache Web Server On Windows; Section 6.2, Installing a Microsoft IIS Web Server; Section 6.3, VPN L2TP Configuration in Windows.

Section 6.1 Installing Apache Web Server On Windows

A number of customers have asked for advice and instructions on setting up a web server on Windows. Siemens recommends the Apache web server because it is secure, robust, easy to install and configure, as well as being able to be installed on a wide variety of Windows platforms. Begin by identifying a host computer and its physical and logical location on the network. The Repository Server Requirements of the appendix Setting Up A Repository provide some guidance on host requirements. The Apache installation process will prompt you for an IP address and domain name with which to serve the web pages. Later in the install you will also need to provide the directory where the ROX releases will be kept. Ensure that a web server is not already installed. Obtain Apache by visiting the web page of www.apache.org (http://www.apache.org). Visit the HTTP Server portion of the web site and click on the Downloads page. Identify the latest version of Apache and find its Win32 version, usually under httpd/binaries/win32. You should be able to find a Microsoft System Installer version, e.g. apache_2.0.55-win32-x86-no_ssl.msi, as well as pla
87. field specifies the minimum bandwidth allocated to this class. The Maximum rate field specifies the maximum bandwidth allocated to this class. Bandwidth is specified in megabytes per second (mbps), megabits per second (mbit), kilobytes per second (kbps), kilobits per second (kbit) or bytes per second (bps). Alternately, it can be specified as a fraction of the full port speed defined in the TC Interfaces menu. The Priority field specifies the priority with which this class is serviced. Please note that lower-value priority classes will be serviced first and hence with lower latency. The lower priority classes are also the first to be allocated any leftover bandwidth after all classes have been provided with their minimum bandwidth. Priority may be in the range 0-255; however, a priority higher than 7 will be mapped automatically to 7. The default option field sets the current class as the default class for the interface. Please note that you must define exactly one default class per interface. The tos-minimize-delay option field specifies that a packet with the minimize delay ToS bit (ToS bit 3) set belongs to this class. The tos-maximize-throughput option field specifies that a packet with the maximize throughput ToS bit set belongs to this class. The tos-maximize-reliability option field specifies that a packet with the maximize reliability ToS bit (ToS bit 5) set belongs to this class. The tos-minimize-cost option field specifies that a pa
88. file.

NOTE: The Maintenance Menu, Upload/Download Files sub-menu provides a method to transfer the files directly to the indicated directories.

Enable IPSec from the Bootup and Shutdown menu. Visit the IPSec VPN menu and generate a public key. Visit the Server Configuration menu and associate the IPSec0 interface with the desired interface the connection will arrive on (here, w1ppp). Create a connection for the clients. Set the parameters as follows:

At IPSec Startup: Add connection. (We wish to add the connection when the client starts it.)
Authenticate by: rsasig. (X.509 certificates provide RSA.)
Connection Type: Tunnel.
Encryption Protocols: As desired.
Compress Data: As desired.
Perfect Forwarding Secrecy: As desired. (Recommend yes.)
NAT Traversal: No. (Required when the router acts as a client and is behind a NAT firewall.)

Left System Settings (Router's side):
Public IP Address: Address or hostname. (IP of public gateway.)
System Identifier: Default.
Private subnet behind system: 10.0.0.0/8.
System's public key: Certificate File, router.pem.
Next hop to other system: Default.

Right System Settings (Laptop1 side):
Public IP Address: Automatic.
System Identifier: Default.
Private subnet behind system: 10.0.1.0/24. (Assign IP based on client from within this subnet.)
System's public key: Entered below c
89. file. The Save and Apply button will save changes and restart the end-to-end backup daemon.

Section 5.1.2.11 Current Routing and Interface Table

This menu displays the current routing table and the state of the router's interfaces. Consult Section 2.2, Network Utilities, for details of this menu.

Configuring Ethernet Interfaces

This section familiarizes the user with: reading the Ethernet LEDs, in Section 5.2.1, LED Designations; VLAN fundamentals, in Section 5.2.2, VLAN Interface Fundamentals; Ethernet bridge fundamentals, in Section 5.2.5, Bridge Fundamentals; PPPoE fundamentals, in Section 5.2.3, PPPoE On Native Ethernet Interfaces Fundamentals. Section 5.2.6, Ethernet Configuration, contains instructions for the following: Section 5.2.6.2, Editing Currently Active Interfaces; Section 5.2.6.3, Creating Active Virtual LAN Interfaces; Section 5.2.6.4, Edit Boot Time Interfaces. Siemens manufactures dual Ethernet interface boards in a variety of formats. Some, most notably the optical interfaces, have the same outward appearance but different order numbers. A complete set of descriptions is displayed on the console during boot and can be found after boot in the file /var/cache/ruggedrouter/inventory.

Section 5.2.1 LED Designations

The device includes two sources of LED-indicated information
90. firewall, ensure that a hole is opened for each of the remote daemons using this port number. The Beacon Interval field configures how often a Round Trip Time (RTT) measurement message is sent to each remote peer. The interval takes the values Off, to disable RTT measurement, or a time of 10-3600 seconds.

Section 5.17.5 GOOSE Tunnels Menu

[Figure 302: GOOSE Tunnels Menu. Columns: Ethernet Interface; Multicast Address; Remote Tunnel Addresses. Links: Add a new GOOSE tunnel; Return to Layer 2 Tunnels.]

This menu displays configured GOOSE tunnels. Edit the configuration of an existing tunnel by following the link under the Ethernet Interface field, or create a new tunnel by clicking Add a new GOOSE tunnel.

[Figure 303: Edit GOOSE Tunnel Menu. Fields: Ethernet Interface (eth3.0030); Multicast Address (01:0c:cd:01:00:33); Remote Daemon (192.168.2.20); Add a new Daemon; Save; Delete; Return to GOOSE Tunnels.]

This menu configures a GOOSE tunnel. The Ethernet Interface field configures suitable (i.e. VLAN-eligible) interfaces to listen on for GOOSE frames. You may set this field to none if the intent is simply to relay encapsulated traffic between remote tunnel endpoints. The Multicast Address field configures the address to listen for. The Remote Daemon and Add a new Daemon fields specify the IP addresses of remote daemons. GOOSE Tun
91. for connection establishment between different firewall zones. Each policy is of the form: Source zone, Destination zone, Default action. You can define a policy from each zone to each other zone. You may also use a wildcard zone of all to represent all zones. The default action describes how to handle the connection request. There are six types of actions: ACCEPT, DROP, REJECT, QUEUE, CONTINUE and NONE. The first three are the most widely used and are described here. When the ACCEPT policy is used, a connection is allowed. When the DROP policy is used, a request is simply ignored; no notification is made to the requesting client. When the REJECT policy is used, a request is rejected, with a TCP RST or an ICMP destination unreachable packet being returned to the client. An example should illustrate the use of policies:

    Source Zone   Destination Zone   Policy
    loc           net                ACCEPT
    net           all                DROP
    all           all                REJECT

The above policies will: allow connection requests only from your local network to the Internet (if you wanted to allow requests from a console on the ROX to the Internet, you would need to add a policy of ACCEPT from the fw zone to the net zone); drop (ignore) all connection requests from the Internet to your firewall or local network; and reject all other connection requests. Note that a client on the Internet that is probing the ROX's TCP/UDP ports will receive no responses and will not be able to detect the presence of the router. A host in the local network
92. however, that HDLC framing information is not preserved on transmission via TCP.

Section 3.11.2 Synchronous Serial Port Configuration

The Synchronous Port Settings menu is accessed by clicking on Sync Serial in the Networking folder of the main Webmin menu.

[Figure 100: Synchronous Serial Main Menu, with the Synchronous Port Settings link.]

Note that the Serial Protocols server is disabled by default and may be enabled via the Bootup and Shutdown menu under the System folder of the main Webmin menu. Note also that these menus configure only the physical parameters of the ports. Protocol configuration must be done via the Serial Protocols Configuration menu. This section describes the configuration required to run the Raw Socket protocol over the synchronous serial ports.

Section 3.11.2.1 Synchronous Port Settings Menu

This menu displays the current configuration of each synchronous serial port on the router.

[Figure 101: Synchronous Port Settings Menu. Columns: Port; Cable; Slot; Baud rate; Clock; CTS/RTS delay; Type. Example rows: 1, 1, Lower, 0, INTERNAL, 0 ms, RS232 (Edit Sync Port 1 Parameters); 2, 2, Lower, 0, INTERNAL, 0 ms, RS232 (Edit Sync Port 2 Parameters); Return to Synchronous Serial.]

The Port field denotes the system's port number for the specific sync
93. in the PTP subdomain. This is usually a set of PTP devices connected by a switched network or direct links. The best clock in the subdomain is known as the master clock. The master clock of a boundary clock is known as the grandmaster clock. The protocol negotiates among PTP ports to identify the device with the highest quality clock source. Ports issuing messages from the master clock are said to be masters, while those that will receive the messages are slaves. When a port will not participate in the protocol, its status is passive. When the network architect knows the relative quality of their clocks' time sources, they may configure a specific clock to be the preferred master.

Section 3.14.1.2 PTP Master Election

PTP clocks exchange SYNC messages containing information which is used by the PTP Best Master Clock (BMC) algorithm. Several factors will affect the choice of best master clock, including the preferred master clock setting, the clock identifier, grandmaster settings and clock stability. The clock identifier is the measure of PTP clock quality and is one of the following:

PTP Identifier: Description
GPS: The PTP clock is a primary reference standard, traceable to a recognized standard source of time such as GPS. The router uses this identifier when GPS is locked.
NTP: The PTP clock is a secondary reference standard clock. The router uses this identifier when it has synchronized with a remote NTP server.
DFLT: After the router has power c
94. in the Add field. Reorder the interfaces by clicking on the arrows under the Move field. Clicking on a link under the Interface field will allow you to edit or delete the interface. Note that if you delete an interface, you should remove any rules that reference it. You may also make changes by manually editing the interfaces file.

NOTE: If you use a WAN interface in the firewall, the interface will be referred to by its name. Some WAN changes, such as changing the number of channels used by a T1/E1 logical interface, will change the name. Ensure that the entries in this menu reflect the correct interface names.

[Figure 221: Editing Network Interface's Firewall Settings. Fields: Interface (eth1); Zone name (local); Broadcast address (None / Automatic); Options: arp_filter, routeback, tcpflags, dhcp, norfc1918, nobogons, routefilter, proxyarp, maclist, nosmurfs, logmartians; Save; Delete; Return to interfaces list.]

The dhcp option should be selected if the interface is assigned an IP address via DHCP, or is used by a DHCP server running on the firewall. The firewall will be configured to allow DHCP traffic to and from the interface, even when the firewall is stopped. You may also wish to use this option if you have a static IP but you are on a LAN segment that has a lot of laptops that use DHCP, and you select the norfc1918 option (see below). The arp_filter option causes this interface t
95. indicate cellular modem status. The leftmost LED of the bottom row (LED 29) is the Line LED. Solid green indicates that a PPP link has been established. Flashing green indicates that PPP link negotiation is in progress. Off indicates that the cellular modem is active but a connection to the wireless network has not yet been established. Red indicates that the cellular modem is not currently operating. The leftmost LED of the second bottom row (LED 25) is the cellular modem's Activity LED. Off means that there is no data traffic on the cellular modem. Flashing means that there is data traffic on the cellular modem connection.

Section 3.9.4 PPP/Cellular Modem Configuration

The top-level configuration interface menu for the cellular modem and PPP is accessible by clicking on the Cellular Modem link in the Networking folder. This menu allows you to display and configure the cellular modem interface.

[Figure 81: Cellular Modem Interface. Links: Cellular Modem Configuration; Modem PPP Client Connections; PPP Logs; PPP Connection Logs. Modem Connection Status: No connection; Refresh.]

If the installed modem is a CDMA EV-DO type and has not yet been activated for use on the cellular network, the following top-level menu will be seen instead, offering two different methods for activating the modem for use on the cellular network (see Section 3.9.4.1, Over The Air Account
96. interface name for both internal and external modem connections is ppp10. Refer to this interface name when configuring firewall rules.

Section 3.9.2 Authentication, IP Addressing and DNS Servers

In contrast to the configuration for land-line modems described in the preceding section, a username and password might not be required for some cellular data service providers. If a username and password are not required, you can enter none in the username and password fields of the GUI, or leave them blank. If authentication is required by the cellular data service provider, again PPP authentication will automatically use PAP or CHAP. Your service provider will provide you with a username and password, along with an Access Provider Name (APN), which must be entered in the GUI. The authentication process will provide a local IP address for use on the PPP interface and, optionally, the addresses of the DNS servers and a default gateway address to use. You should generally use these addresses unless you need to provide your own. The PPP interface's IP address obtained from the PPP server can be either a dynamic or a static IP address. Firewall configuration should be performed as is appropriate.

NOTE: A PPP Client Connection for the cellular modem may be configured to connect at boot time.

Section 3.9.3 LED Designations

ROX dedicates two LEDs to
97. is connected. If this option is selected, other machines on the Ethernet subnet will be able to communicate with the remote PPP system as though it were connected directly to the Ethernet subnet.

The Idle timeout field controls how many seconds to wait when there is no traffic on the PPP connection before hanging up the connection. Setting it to 0 or blank will disable the timeout.

The Server name fields determine the name used to authenticate the dial-in user during PPP initialization. The default value is pppin. To use the system hostname (set with the Webmin System Hostname link), select the System hostname option. To specify a custom value, select the Other option and type a value in the text field.

The Username/Password Setting table contains a list of locally defined users that are allowed to connect to the PPP server, along with their passwords, and a Delete button next to each entry to allow its removal. A row of empty Username and Password fields ending with an Add button allows the addition of new user entries.

NOTE: If RADIUS authentication is used to authenticate PPP connection requests, the Username/Password Setting table will not be displayed and PPP user accounts must instead be configured at the RADIUS server. See Section 4.7 RADIUS Server Configuration for details.

Each PPP user entry, whether defined on the router or on a RADIUS server,
98. is not yet active, it will respond to the master with an exception using TcpModbus exception code 10 (No Response). If the forwarding of TcpModbus exceptions is disabled, the client will not issue any responses.

Steps 3a and 3b represent the possibility that the Server Gateway does not have configuration for the specified RTU. The Server Gateway will always respond with a type 10 (No Path) in step 3a, which the client will forward in step 3b.

Step 4 represents the possibility of queuing delay. The Server Gateway may have to queue the request while it awaits the response to a previous request. The worst case occurs when a number of requests are queued for an RTU that has gone offline, especially when the server is programmed to retry the request upon failure.

Steps 5-8 represent the case where the request is responded to by the RTU and is forwarded successfully to the master. It includes the think time for the RTU to process the request and build the response.

Step 9a represents the possibility that the RTU is offline, that the RTU receives the request in error, or that the Server Gateway receives the RTU response in error. If the Server Gateway does not retry the request, it will issue an exception to the originator.

Section 3.10.5.6 A Worked Example

A network is constructed with two Masters and 48 RTUs on four Server Gateways. Each of the Mast
99. is proper for these parameters.

Section 5.3.2.7 Frame Relay DLCIs

The second table provides a listing of all DLCIs available on the channel. Only the DLCI selected from the main menu can be edited, although another DLCI can be added by following the "Add another DLCI to this channel" link.

The DLCI Number refers to the Data Link Connection Identifier. This number should be provided to you by your provider.

The Local IP Address field defines the IP address for this logical interface.

The Netmask field displays the network address mask. The value 255.255.255.255 indicates that the connection is point to point.

The Remote IP Address field defines the IP address for the other side of this interface. As most WAN links are of point to point type, there is only one host connected to the other end of the link and its address is known in advance. This option is the address of the other end of the link and is usually assigned by the network administrator or Internet service provider.

The Description field attaches a description to the logical interface, viewable from the network interfaces menu.

The "Delete this logical interface" button removes the currently selected interface. Repetitive use of this button on the other DLCIs assigned to the channel will free the channel up.

Section 5.3.2.8 Editing a Logical Interface (PPP)

[Figure: Edit New Logical Interface (Help); T1 2 Channel, PPP Parameters: Disable Channel, Local Ad
100. ivlen=8, keysizemin=128, keysizemax=256
algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
algorithm ESP auth attr: id=251, name=null, keysizemin=0, keysizemax=0
algorithm HRS po mames OA CE CA Mo cis MAS deme ias
algorithm EmiGiryocs acd Mee OAEISEAMESIDESMCB Mois c orale clef IIR
algorithm hash: id=2, name=OAKLEY_SHA, hashsize=20
algorithm hash: id=1, name=OAKLEY_MD5, hashsize=16
algorithm group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
algorithm group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
algorithm group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
algorithm group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
algorithm group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
algorithm group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
algorithm group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
Sess Clo Gos Te cre Coral emi maez soome t PAGE VIS CN Mtn amis 10 Ga 3360 attrs 0 6144 224
"openswantest": 10.0.0.0/8===204.50.190.89...204.50.190.91===192.168.1.0/24; erouted; eroute owner: #2997
oMAtIaAnFWNHEH
101. line. A short haul synchronous data line driver known as a CSU/DSU terminates the line and attaches to the DTE. The DSU part of the DSU/CSU manages the format of the data signal, while the CSU manages electrical levels and isolation and provides loopback to the TELCO. The DDS port provides an integrated DTE, DSU and CSU.

Section 5.5.1 Location of Interfaces and Labelling

Unlike the Ethernet ports, which are statically located, the location of T1/E1, DDS and ADSL ports in your router depends upon the number of ports and how they were ordered. Refer to the labelled hardware image as presented in the Webmin home page. To make labelling easy to understand, all T1/E1, T3, DDS and ADSL ports are assigned a unique port number that relates to the LEDs on the status panel.

Section 5.5.2 LED Designations

ROX indicates information about DDS ports on the LED Panel. A pair of LEDs will indicate traffic and link status of the port. Consult the section Using The LED Status Panel to determine which LEDs correspond to the port.

Section 5.5.3 DDS Configuration

[Figure: DDS menu (Help); entries DDS Trunks And Logical Interfaces, Current Route & Interface Table]

Figure 202: DDS Trunks and Interfaces

This menu allows you to display and configure DDS Trunks. The Current Routes menu will display the routes and status of the network interfaces.
102. lists exceptions to the default policies for certain types of traffic, sources or destinations. The chosen action will be applied to packets matching the chosen criteria instead of the default.

[Figure: firewall rules table with columns Action, Source, Destination, Protocol, Source ports, Destination ports, Move, Add. Two rules are shown, garbled in extraction: one involving Host 206.30.180.94 and one involving Host 66.11.180.161 in zone Internet (both ACCEPT), and a rule ACCEPT, Any, Zone DMZ, TCP, Any, ssh. Links: Add a new firewall rule; Manually Edit File: Click this button to manually edit the Shorewall file /etc/shorewall/rules, in which the entries above are stored; Return to list of tables]

Figure 227: Firewall Rules

This menu allows you to add, delete and configure firewall rules. These rules are inspected and applied before the default policies are used. Add a new rule by selecting the "Add a new firewall rule" link or by clicking on the add above or add below images in the Add field. Reorder the policies by clicking on the arrows under the Move field. Clicking on a link under the Action field will allow you to edit or delete the rule, as shown below. You may also make changes by manually editing the rule file.

[Figure: Edit Firewall Rule, Firewall rule details: Action ACCEPT, and log to syslog level <Don't log>; Source zone <Any>, Only hosts in zone with addresses; Destination zone or port <A
103. main menu

Figure 286: Link Backup Log

The link backup log displays the log of recent backup events.

Section 5.13.7 Link Backup Status

[Figure: Link Backup Status (Help). Columns: Name, Main Interface, Backup Interface, Main Link Device, Main Link State, Backup Link State, Ping Test State, Time of Last State Change, State. Row: eth1, eth2, eth1, N/A, eth2, N/A, N/A, 2013-10-16 12:16:19, Delaying monitor. Refresh; Return to link backup main menu]

Figure 287: Link Backup Status

The link backup status menu displays the status of managed link backup sets.

Section 5.13.8 Testing a Link Backup Configuration

[Figure: Test Link Backup (Help). Test duration: 5 minutes. Columns: Name, Main Interface, Backup Interface, Enabled, Action; Current time 9:27:10. Row: w2c1ppp>w1c1ifr22, w2c1ppp, w1c1ifr22, yes, Start Test. Refresh; Return to link backup main menu]

Figure 288: Test Link Backup

Clicking the Start Test button corresponding to a particular link backup configuration causes all data received on the Main interface to be discarded, in order to convince the link backup process that the main link is down. If the configuration is correct, the link backup process will then bring up the Backup link and the connection to the network thus protected will be re-established. The Test Duration field controls the am
104. may optionally have a list of subnetworks associated with it. When the corresponding user establishes a PPP connection with the server, the configured static routes are entered into the routing table, making the listed subnetworks available via the connected PPP client. The Static Route Setting table is displayed whether PPP is authenticated locally or via RADIUS.

Each row of the table contains a Username, a list of Static Route entries to be entered when that user establishes a PPP connection, and a Delete button next to each entry to allow its removal. An empty row prompting for Username and ending with an Add button allows the addition of new Static Route entries for that PPP user via the Edit Routes menu described below.

[Figure: Edit Routes for user_one. Columns: Route (x.x.x.x/y), Action; Add; Return to Modem PPP Server Menu]

Figure 77: Add Routes for PPP User

The Route (x.x.x.x/y) field lists existing static routes for the listed PPP user, with a Delete button next to each entry to allow its removal. Static routes are added to the list by entering an IPv4 network address (x.x.x.x) followed by the number of bits in the subnet address (/y) and clicking Add.

Section 3.8.6.6 Modem Incoming Call Logs

[Figure: Incoming Call Logs; Refresh. Columns: Date/Time, Event]
12/18 17:19:23  mgetty: interim release 1.1.36-Jun15
12/18 17:19:23  check for lockfiles
12/18 17:19:23  locking the li
105. menu presents connection statuses but does not update them in real time. Click on the "Refresh this page" link to update to the current status.

Section 5.3.2.2 Strategy for Creating Interfaces

Initially, each interface will be configured as T1 and will have a single channel that includes all timeslots (1-24). Channelized cards can have their timeslots reassigned to make additional channels. Unchannelized cards may have timeslots removed from their single timeslot.

If the interface is to be an E1, convert it using the Edit T1 1 Parameters link. If the interface is channelized and you need to have more than one channel, construct the channel groups with the desired bandwidths. This can be done by editing the single initially configured channel and removing timeslots. The unassigned timeslots will be displayed on the main menu in a link that creates channels, as shown below.

[Figure: Channelized interface 1. Channel 1: assigned time slots 1, 2. "Timeslots 3-24 are unused, assign a new channel." Columns: Channel Name, Description, Local Address, Netmask, Remote Address. Links: Assign a new Frame Relay logical interface; Assign a new PPP logical interface; Assign new MLPPP logical interfaces; Edit T1 2 Parameters]

Figure 182: T1/E1 Network Interfaces After Channel Creation

Once all timeslots have been assigned to channe
106. menu suggests the currently expected directory. The actual help files are provided with every release under the html directory at the repository server.

Section 4.1.4 Logging

[Figure: Webmin Configuration, Logging (Module Index, Help)]

Webmin can be configured to write a log of web server hits in the standard CLF log file format. If logging is enabled, you can also choose whether IP addresses or hostnames are recorded and how often the log file is cleared. When enabled, logs are written to the file /var/log/webmin/miniserv.log. When logging is enabled, Webmin will also write a more detailed log of user actions to the file /var/log/webmin/webmin.log. This log can be viewed and analysed with the Webmin Actions Log module to see exactly what each Webmin user has been doing.

Webserver logging options: Disable logging / Enable logging. Use combined log format (including referrer and user agent). Clear log files every 168 hours. Log actions by: all users / root / Only log actions by. Log actions in all modules / Only log actions in: Alerts, Backup And Restore, Bootup and Shutdown, DHCP Server, Ethernet, ... Log changes made to files by each action. Permissions for log files: Default. Return to webmin configuration.

Figure 128: Webmin Configuration Menu, Logging

This menu allows you to log actions taken by Webmin administrators.
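The web server hit log described above is written in Common Log Format (plain, or "combined" with referrer and user agent when that option is enabled). The following is an added example, not code from the ROX manual or from Webmin: a small parser for both CLF variants that summarises requests and 401/403 responses per client address, so an administrator can spot repeated failed logins against the management interface. The sample log lines are constructed for the example; the field layout follows the standard CLF definition, and the URL paths in the samples are illustrative, not Webmin's actual page names.

```python
import re
from collections import Counter
from datetime import datetime

# Common Log Format as written to /var/log/webmin/miniserv.log, plus the optional
# referrer / user-agent tail present when "Use combined log format" is enabled.
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)")?\s*$'
)


def parse_clf_line(line):
    """Return a dict for one CLF/combined line, or None if the line does not parse."""
    m = CLF_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    parts = rec["request"].split()
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    return rec


def summarise_log(text, failure_statuses=(401, 403)):
    """Count requests and authentication failures per client address.

    Returns a dict with: parsed, unparsed, requests (Counter by host),
    failures (Counter by host for 401/403 responses) and users (set of
    authenticated usernames seen)."""
    requests, failures, users = Counter(), Counter(), set()
    parsed = unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_clf_line(line)
        if rec is None:
            unparsed += 1          # keep count of lines that are not CLF at all
            continue
        parsed += 1
        requests[rec["host"]] += 1
        if rec["status"] in failure_statuses:
            failures[rec["host"]] += 1
        if rec["user"] != "-":
            users.add(rec["user"])
    return {"parsed": parsed, "unparsed": unparsed, "requests": requests,
            "failures": failures, "users": users}


# Constructed sample lines (not taken from a real device) in the two formats the
# Logging menu can produce: plain CLF and combined. Paths are illustrative.
SAMPLE_LOG = """\
192.168.1.50 - root [16/Oct/2013:12:16:19 -0400] "GET /index.cgi HTTP/1.1" 200 5120
192.168.1.50 - root [16/Oct/2013:12:16:25 -0400] "POST /shorewall/save_rule.cgi HTTP/1.1" 302 0 "https://192.168.1.1:10000/shorewall/" "Mozilla/5.0"
10.9.8.7 - - [16/Oct/2013:12:17:01 -0400] "GET /session_login.cgi HTTP/1.1" 401 -
10.9.8.7 - - [16/Oct/2013:12:17:03 -0400] "GET /session_login.cgi HTTP/1.1" 401 -
garbage line that is not in CLF
"""

if __name__ == "__main__":
    summary = summarise_log(SAMPLE_LOG)
    for host, count in summary["failures"].items():
        print(f"{host}: {count} failed logins out of {summary['requests'][host]} requests")
```

The same parser can be pointed at a real miniserv.log by reading the file into `summarise_log`; unparsed lines are counted rather than silently dropped, so a format change (for example switching the combined option on or off) shows up in the summary.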
107. name of a host that accepts mail from the router.

The Belongs to Domain field specifies the email domain the router is part of. This information is written into the email header upon transmission.

The Hostname field specifies the hostname to be written into the email header upon transmission.

NOTE: You can generate emails from scheduled commands and scripts with echo:

(echo "To: ops@myco"; echo -e "Subject: Hello\n"; some_command) | sendmail -t

Section 3.7.6 Chassis Parameters

[Figure: Chassis Parameters (Help)]
Parameter | Current value | Allowable Range
VCore A   | 2.53 V  | 2.37 V to 2.62 V
VCore B   | 1.20 V  | 1.14 V to 1.26 V
3.3 PS1   | 3.34 V  | 3.14 V to 3.47 V
5V        | 5.11 V  | 4.76 V to 5.24 V
12V       | 12.65 V | 10.82 V to 13.19 V
VBat      | 3.12 V  | 2.40 V to 3.60 V
temp      | 45.0 C  | 40 C to 85.0 C
Last Power Down Time: Power lost at Sat Dec 28 12:07:35 EST 2002
Return to Miscellaneous Main Page

Figure 54: Chassis Parameters Menu

This menu displays the chassis temperature and, if hardware version 2, the voltage levels of chassis power supplies, and a record of the last power down time. The system will highlight in red any out of range value. The monitored values are described below.

Parameter | Description
temp | Motherboard temperature
VCoreA, VCoreB | Redundant 3.3V power supply voltages
3.3 PS1, 3.3 PS2 | Redundant 3
108. networks (Edge or HSPA). It is the name of the cellular network access point which provides a gateway to the Internet. This information will be provided by the wireless network when you register for data service. This field is not used for CDMA modems.

The Dial string is a special command to be sent by the cellular modem to the cellular network to establish a data connection. For example, for GSM/GPRS networks this is typically *99***1#. This command will depend on the wireless network. Please consult the wireless network operator for the correct dial string command for data service. A regular telephone number is usually not required to connect to a GSM/GPRS network.

Modem Status

The Modem Status section displays information about, and the current status of, the cellular modem installed in the ROX.

NOTE: In the case of Edge/GPRS modems, cellular modem status information is only collected if a PPP link is not currently active on that modem. If the Refresh button is clicked while a PPP link is active, the information displayed is that obtained prior to the establishment of the PPP link. In order to obtain current modem status information, an active PPP link on the cellular modem must be deactivated, i.e. by selecting "none" for the Modem PPP Client Connection "Connection to establish at boot time".

For EVDO/CDMA and HSPA/GPRS modems
109. offers the advantage of attributing actions in logs to the specific user, as opposed to the root user.

Section 3.1.2 Default Configuration

The RX1000 is shipped from the factory with the following defaults:
- Ethernet ports are enabled and have an address of 192.168.X.1, where X is the port number.
- WAN and modem ports are disabled.
- IRIG-B output ports are disabled.
- Setup account: rrsetup, password: admin.
- Superuser account: root, password: admin.
- SSH and Web Management interfaces are enabled by default.
- All other services, including Serial Protocol Server, DHCP server, NTP server, End to End Backup Server, VPN Server, NFS, OSPF/RIP protocol and firewall, are disabled by default.

Section 3.1.3 Accessing the Device Command Prompt From the Console Port

Attach a terminal or PC running terminal emulation software to the RS232 port on the rear of the chassis. The terminal should be configured for 8 bits, no parity operation at 38.4 Kbps. Hardware and software flow control must be disabled. Select a terminal type of VT100. Once the terminal is connected, pressing CR will prompt for the user to login as and that user's password. Sign in as either the rrsetup or root user. The router is shipped with default passwords of admin for either of these accounts.

Section 3.1.4 Accessing the Device Command Prompt From SSH
110. on the tunnel interface.

The Local IP field configures the IP address of the local end of the tunnel. The Remote IP field configures the IP address of the remote end of the tunnel.

NOTE: Each tunnel must have a unique combination of local and remote addresses or it will not be activated.

The Cost field configures the routing cost associated with network routing that directs traffic through the tunnel. The cost will default to zero if left unset.

The Local Egress Port configures a port to bind the tunnel to. If set, tunneled packets will only be routed via this port and will not be able to escape to another device when the route to the endpoint changes.

The Tunnel MTU field allows you to configure the MTU (Maximum Transmission Unit) value. This is useful in preventing the fragmentation of GRE packets.

Section 5.17 Configuring Layer 2 Tunnels

ROX is capable of extending the range of services that communicate solely via Layer 2 protocols (i.e. at the level of Ethernet) by tunneling them over routed IP networks. The Layer 2 Tunnel Daemon supports the IEC61850 GOOSE protocol as well as a generic mechanism for tunneling by Ethernet type.

This section familiarizes the user with: configuring GOOSE tunnels; configuring generic Layer 2 tunnels; viewing tunnel status and statistics; tracing tunnel activity.

IEC61850 is an internationa
111. ou eger idol 259
5.11.18 VPN Connections 259
5.11.18.1 IPSec VPN Connection Details 260
5.11.18.2 Left/Right System's Settings 261
5.11.18.3 Export Configuration 262
5.11.19 Showing IPSec Stats 262
5.11.20 IPSec X.509 Roaming Client Example 263
xiii RUGGEDCOM ROX User Guide, Table of Contents
5.11.20.1 Select a Certificate Authority 264
5.11.20.2 Generate X.509 Certificates 264
5.11.20.3 VPN Networking Parameters 264
5.11.20.4 Client Configuration 265
5.11.20.5 Router IPSec Configuration 265
5.11.20.6 Firewall IPSec Configuration 266
5.11.20.7 Ethernet Port Configuration 266
5.12 Configuring Dynamic Routing 266
5.12.1 BGP Fundamentals 267
5.12.2 RIP Fundamentals 267
5.12.3 OSPF Fundamentals 268
5.12.3.1 Link State Advertisements
112. pieces of information about the current OSPF status. The status of each interface is shown, the current database, the current OSPF neighbors and the current OSPF routing table.

[Figure: Status]

Current OSPF route status:

OSPF network routing table
N    192.168.2.0/24        [10] area: 0.0.0.0
                           directly attached to eth2
N    192.168.6.0/24        [20] area: 0.0.0.0
                           via 192.168.10.2, eth4
N    192.168.10.0/24       [10] area: 0.0.0.0
                           directly attached to eth4

OSPF router routing table

OSPF external routing table

Refresh display

Current OSPF database status:

OSPF Router with ID (192.168.10.1)

Router Link States (Area 0.0.0.0)
Link ID         ADV Router      Age  Seq#       CkSum  Link count
192.168.10.1    192.168.10.1    743  0x80000005 0xad41 2
192.168.10.2    192.168.10.2    684  0x80000007 0x26bf 2

Net Link States (Area 0.0.0.0)
Link ID         ADV Router      Age  Seq#       CkSum
192.168.10.1    192.168.10.1    743  0x80000003 0xb8cc

Refresh display

Current OSPF interface status:

eth1 is up, ifindex 3, MTU 1500 bytes, BW 0 Kbit
  OSPF not enabled on this interface
eth2 is up, ifindex 4, MTU 1500 bytes, BW 0 Kbit
  MTU mismatch detection: enabled
  Router ID 192.168.10.1, Network Type BROADCAST, Cost: 10
  Transmit Delay is 1 sec, State DR, Priority 1

Figure 274: OSPF Status

The OSPF Status menu displays: A list of routes currently managed by OSPF, along
113. ping test target; Ping Interval: 60; Ping timeout: 2 seconds; Ping retry count: 3; Startup delay: 180 seconds; Main path down timeout: 60 seconds; Main path up timeout: 60 seconds. Save; Return to link backup configurations]

Figure 285: Edit Link Backup Configuration

Set the Name field to supply an identification of the pair. This field initially defaults to main_link_name>backup_link_name.

The Enable this configuration field enables this backup.

The Transfer default gateway field causes the gateway to be transferred to the backup link upon failure of the main link path. If the backup interface is point to point, such as PPP, the Backup gateway IP address can be automatically determined. Non point to point interfaces, such as Ethernet, must be configured with one.

The "Bring up backup link on demand" option allows protocols such as DHCP to be used to fetch an address when required.

The Startup Delay field configures the length of time to wait for the main link to come up at the start of day.

NOTE: If Startup Delay is too low, backup may be falsely triggered at start up.

The Ping Interval field configures how often pings are sent. The Ping timeout field configures the duration before immediately retrying a ping. The Ping retry count field configures the number of ping retries before construing a path failure.

NOTE: The maximum time to discover a path failure is the length of the Ping Interval and the produc
114. router can be part of multiple areas and function as a gateway between areas. When multiple areas are used on a network, area 0 is the backbone area. All areas must have a router connecting them to area 0.

Section 5.12.4.2 Router ID

Defines the ID of the router. By default this is the highest IP assigned to the router. It is often a good idea to configure this value manually to avoid the router id changing if interfaces are added or deleted from the router. During elections for designated router, the router id is one of the values used to pick the winner. Keeping the router id fixed will avoid any unexpected changes in the election of the master router.

Section 5.12.4.3 Hello Interval and Dead Interval

The hello interval is the time between transmissions of OSPF Hello packets. The dead interval is the time to wait without seeing an OSPF Hello packet before declaring a neighboring router dead and discarding its routes. It is recommended that the dead interval be at least four times the hello interval for reliable operation.

Lower values of these settings will help to speed up the change in network routes when the topology of the network changes. They will also increase the load on the router and the links, due to higher traffic caused by the increase in messages. Lower values will also put limits on the number of routes that can be distributed within an area, as will running over slower links.

NOTE: OSPF will not work properly if the Hello Inte
115. routers in the area. Normally only routes that fall within the scope of the network areas will be advertised.

The Redistribute RIP fields control distribution of routes learned by RIP. When enabled, OSPF will advertise routes learned by RIP.

The Redistribute BGP fields control distribution of routes learned by BGP. When enabled, OSPF will advertise routes learned by BGP.

The Router ID field sets the router id to use for the ospf daemon. This value is used as a unique identifier for the dynamic routing protocol to identify which router sent which route advertisement. If it is not set here, it defaults to using the Router ID set in Section 5.12.6.3 Core Global Parameters. If this last is not set either, the Router ID defaults to a string containing the highest IP address assigned to an interface on the router, in dotted quad notation. It is recommended that this value be set to a unique fixed value on each router. Note that for the new router id to take effect, the routing daemon must be restarted.

Section 5.12.6.14 OSPF Interfaces

[Figure: OSPF Interfaces (Help). Interfaces: eth1 (Settings, Status), eth2 (Settings, Status), eth3 (Settings, Status), eth4 (Settings, Status). Remove inactive interfaces. Return to ospf]

Figure 272: OSPF Interfaces

Parameters specific to one interface are configu
116. sub menu.

The router provides a default event logging configuration. You can modify this configuration through the Maintenance menu, System Logs sub menu. Remote logging can be activated here.

The router's SSH and Web Management interfaces are enabled by default. The router's DHCP server, IPSec VPN server, NTP server, OSPF/RIP protocol, VRRP protocol and firewall are disabled by default. To change these services, visit the System menu, Bootup and Shutdown sub menu.

You can install static IP and Multicast routings for Ethernet and WAN interfaces via the Networking menu, Network Configuration, Routing and Default Route, and Static Multicast Routing sub menus.

You can configure the NTP server through the Servers menu, NTP Server sub menu. See Section 5.20 Configuring NTP Servers for more details.

You can configure SSH through the Servers menu, SSH Server sub menu. SSH can be set up to issue a login banner from this menu. See Section 3.12 Configuring SSH for more details.

Traffic prioritization can be configured on the network interfaces through the Networking menu, Traffic Prioritization sub menu. See Section 5.10 Traffic Prioritization for more details.

SNMP is disabled by default. You can configure SNMP by following the instructions in Section 3.7.4 SNMP Configuration. You may allow read and write access, set community names, enable traps and program the router to issue traps with a specific client address.

If your ro
117. subnet when the link is restored. This allows routing daemons to detect link failures more rapidly, as the router does not have to wait for a dead interval to time out. Link Detect also causes redistributed routes to start and stop being advertised based on the status of their interface links.

Section 5.12.4.7 Configuring OSPF Link Costs

Link cost is used, when multiple links can reach a given destination, to determine which route to use. OSPF will by default assign the same cost to all links unless provided with extra information about the links. Each interface is assumed to be 10Mbit unless told otherwise in the Core Interface configuration. The reference bandwidth for link cost calculations is 100Mbit by default, in the OSPF Global Parameters. The reference bandwidth divided by the link bandwidth gives the default cost for a link, which by default is 10. If a specific bandwidth is assigned to each link, the costs will take this into account. It is also possible to manually assign a cost to using a link, in the OSPF Interface Configuration for each interface, for cases where the speed of the link is not desired as the method for choosing the best link.

Section 5.12.4.8 OSPF Authentication

OSPF authentication is used when it is desirable to prevent unauthorized routers from joining the OSPF network. By enabling authentication and configuring a shared key on all the routers, only routers which have the same authentication key will be able t
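To make the link cost rule concrete, the following is an added example (not code from the ROX manual or from its routing daemon): it derives per-link costs from the reference bandwidth and the link bandwidth as described above, lets a manually assigned interface cost override that, and then runs the shortest-path selection OSPF performs when several links reach the same destination. The three-router topology is constructed for the example. Two details are assumptions, not taken from the page: the quotient is truncated to an integer and clamped to the 1..65535 range of the OSPF metric field.

```python
import heapq

# Defaults named on the page: 100 Mbit reference bandwidth in the OSPF Global
# Parameters and 10 Mbit per interface unless the Core Interface configuration
# says otherwise. Both are expressed here in kbit/s.
REFERENCE_BW_KBIT = 100_000
DEFAULT_LINK_BW_KBIT = 10_000


def ospf_cost(link_bw_kbit=DEFAULT_LINK_BW_KBIT, reference_bw_kbit=REFERENCE_BW_KBIT,
              manual_cost=None):
    """Cost of one link: reference bandwidth / link bandwidth, unless a cost was
    assigned manually for the interface, in which case that value wins.

    Assumption (not stated on the page): the quotient is truncated to an
    integer and clamped to 1..65535, the range the OSPF metric field allows."""
    if manual_cost is not None:
        return manual_cost
    return max(1, min(65535, reference_bw_kbit // link_bw_kbit))


def shortest_paths(links, source):
    """Dijkstra over a list of (router_a, router_b, cost) links.

    Returns {router: (total_cost, path)} for every reachable router, i.e. the
    route OSPF selects among the candidate links to each destination."""
    adj = {}
    for a, b, cost in links:
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    best = {source: (0, [source])}
    heap = [(0, source, [source])]
    while heap:
        dist, node, path = heapq.heappop(heap)
        if dist > best[node][0]:
            continue                      # stale queue entry, a better path was found
        for nxt, cost in adj.get(node, []):
            cand = dist + cost
            if nxt not in best or cand < best[nxt][0]:
                best[nxt] = (cand, path + [nxt])
                heapq.heappush(heap, (cand, nxt, path + [nxt]))
    return best


def example_topology():
    """Constructed topology (hypothetical, not from the page): R1 reaches R2 over
    a direct 10 Mbit link and over two 100 Mbit links via R3."""
    return [
        ("R1", "R2", ospf_cost(10_000)),    # direct link, cost 10
        ("R1", "R3", ospf_cost(100_000)),   # cost 1
        ("R3", "R2", ospf_cost(100_000)),   # cost 1
    ]


if __name__ == "__main__":
    for dest, (cost, path) in shortest_paths(example_topology(), "R1").items():
        print(f"{dest}: cost {cost} via {' -> '.join(path)}")
```

With the defaults the direct 10 Mbit link costs 10 while the two-hop 100 Mbit path costs 2, so OSPF prefers the two-hop path; giving the direct link a manual cost of 1 instead would flip that choice, which is the case the page describes where link speed is not the desired selection criterion.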
118. system. Save

Note: The router id is automatically picked as the highest IP address assigned to the unit at startup, unless the config contains a router id to use. The router id change updates the config and takes effect immediately.

Return to bgp]

Figure 265: BGP Global Parameter Menu

The Enable Password field sets the password to be used for the bgpd enable command. This is used by the telnet interface to control access to the bgpd configuration.

The Telnet Password field sets the password to be used for telnet access to bgpd. This is used as the bgpd login password when locally telnetting to port 2605 of the router.

The Hostname field sets the hostname for the bgpd daemon. This value is only used as a reference for convenience. The telnet interface prompt will contain this hostname. The router's system wide hostname is used if this field is left blank.

The Distance field sets the administrative distance to use for all routes unless overridden by other distance settings.

The Always Compare Med field enables the comparison of MED for paths from neighbors in different AS (Autonomous Systems). By default, MED comparison is only done among paths within the same AS. With this option enabled, BGP will always perform MED comparison regardless of AS. The path with a lower MED is preferred to one with a higher value.

The Default Local Preference field sets the local preference value for the router.

The Determin
119. the approved version. Therefore the older and approved version of ROX needs to be installed on new routers.

A router that has become misconfigured, or whose configuration is no longer trusted for some reason, can be restored to a clean reference state by reinstalling ROX from the factory image.

Network staff may wish to explore how certain features operated in a previous ROX release.

Section 3.6.2 Reflashing the ROX System Software

The reflashing procedure comprises the following steps:

1. Obtain the flash image of the desired ROX version from Siemens Customer Support. Make the file available to the ROX to be reflashed via a web server.
2. If necessary, back up the device's configuration and place the configuration archive file in the same location as the image file in the previous step. Note that only a configuration archive saved using the same ROX version as the image to be reflashed will be recoverable using the reflashing utility.
3. Ensure that the ROX to be reflashed can reach the web server over the network or through a direct Ethernet connection. To verify connectivity, use the Webmin Ping Menu (Section 2.2.2).
4. Using a serial terminal connected to the device's console port, log in and reboot the router. As the router reboots, repeatedly press the Down arrow key until the boot menu appears:

Debian GNU/Linux, kernel 2.6.26-2-g
120. the SSH keys on the ROX device using the following procedure.

NOTE: Access through a physical connection to the console port is strongly recommended for this procedure. See Section 3.1.3 Accessing the Device Command Prompt From the Console Port.

1. Delete the current SSH key by typing the following command and then pressing Enter:

rm /etc/ssh/ssh_host_key

2. Generate a new SSH key and restart SSH by typing the following command and then pressing Enter:

/var/lib/dpkg/info/openssh-server.postinst configure

3. The following messages will appear as the script runs:

Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Restarting OpenBSD Secure Shell server: sshd.

Section 4.5 Access Manager Secure Access Portal

RX1100 owners can use Access Manager's Secure Access Portal (SAP) to restrict access to critical assets. This section details how to activate the Secure Access Portal and determine currently negotiated sessions.

NOTE: Please note that when doing firewall configuration changes while the SAP is enabled, the SAP must first be stopped and then explicitly restarted after the firewall configuration changes are re-enabled.

IMPORTANT: All firewall disabling and re-enabling done using the command line must be through one of these commands:

/etc/init.d/shorewall clear
/etc/init.d/shorewall stop
/etc/init.d/shorewall restart
121. the number of hops between any two routers. It uses the shortest route available to a given network as the route to use for sending packets to that network. ROX's RIP daemon, ripd, is an RFC1058-compliant implementation of RIP supporting RIP versions 1 and 2. RIP version 1 is limited to obsolete class-based networks, while RIP version 2 supports subnet masks as well as simple authentication for controlling which routers to accept route exchanges with.

RIP uses network and neighbor entries to control which routers it will exchange routes with. A network is either a subnet or a physical broadcast-capable network interface; any router that is part of that subnet or connected to that interface may exchange routes. A neighbor is a specific router to exchange routes with, specified by its IP address. For point-to-point links (T1/E1 links, for example), one must use neighbor entries to add other routers to exchange routes with.

The maximum number of hops between two points on a RIP network is 15, placing a limit on network size. Link failures will eventually be noticed, although it is not unusual for RIP to take many minutes for a dead route to disappear from the whole network. Large RIP networks could take over an hour to converge when link or route changes occur. For fast convergence and recovery, OSPF is a much better choice. RIP is a fairly old routing protocol and has mostly been superseded by OSPF.
122. the port number used by the RADIUS server. The default port for RADIUS is 1812. The Shared Secret field configures a unique password used to authenticate communications with this server. Note that the shared secret must also be configured on the RADIUS server for the router being configured. The Timeout field sets the maximum time, in seconds, to wait for responses from the RADIUS server before aborting a transaction. The entry created for both LOGIN and PPP Login can be changed from the web interface.

Section 3.2.5 Enabling and Disabling the SSH and Web Server

By default, SSH and Web Management are enabled. The Disable SSH and Disable Web Management commands allow these services to be disabled. The servers will be immediately stopped. If access to the shell has been made through SSH, the session will continue, but no new sessions will be allowed. Upon disabling the services, the titles in the main menu will change to Enable SSH and Enable Web Management to reflect the disabled state. Enabling a service automatically restarts it.

Section 3.2.6 Enabling and Disabling the Gauntlet Security Appliance

The Gauntlet Security Appliance requires a pass phrase unique to your network. This menu will configure it.

Figure 20 Gauntlet Setup Menu (Select a Gauntlet Setup Option: Enter Initial Passphrase; Cancel)
123. the received signal strength can be obtained whenever the Refresh button is clicked. The fields and format of the Modem Status display vary among installed cellular modem types. The fields displayed for the Edge/GPRS modem (see above) are as follows:

Edge/GPRS Modem Status

Type of Modem lists the cellular network standards supported by the modem currently installed. This information may be required by the cellular network provider in order to determine optimal compatibility between the installed cellular modem and the network.

Firmware version displays firmware revision information for the installed cellular modem.

Received Signal Strength indicates the signal level received by the cellular modem from the cell site.

Network Operator displays the identity of the wireless network provider to which the cellular modem is currently connected.

Enhanced Network Operator displays the name of the Mobile Virtual Network (MVN) that the cellular modem is currently connected to.

Network Registration Status displays the current registration status of the cellular modem with respect to the cellular network. Possible values are: Registered (home), Registered (roaming), Unregistered.

SIM Card Identification displays the ID of the SIM card currently installed in the cellular modem.

HSPA/GPRS Modem Status

The HSPA/GPRS cellular modem lists mostly the same information as the Edge/GPRS modem, with some differences.
124. throughout the Internet. Some important changes that IPv6 introduces relative to IPv4 fall into the following categories:

Addressing: IPv6 addresses are four times the length of IPv4 addresses, at 128 bits, to be used as 64 bits of network and 64 bits of host address. The larger address space allows much greater flexibility in hierarchical network definition and routing.

Header Format: The IPv6 packet header has been simplified relative to IPv4 in order to simplify, and therefore speed, the processing of packets by routing nodes. It also features more efficiently encoded options and greater flexibility in creating extensions.

Security: Security has been designed into IPv6 rather than being treated as a component that must be added to existing IPv4 network stacks.

Section 5.1.2 Network Configuration

Network Configuration menu icons: Core, Dummy, Static Interface Routes, Static Multicast Addresses, DNS Client, Host Addresses, End To End Backup Route, Current Settings, Routing Table.

Apply Configuration: Click this button to activate the current boot-time interface and routing settings as they normally would be after a reboot. Warning: this may make your system inaccessible via the network and cut off access to Webmin.

Figure 158 Network Confi
125. to those received at the tunnel ingress.

Other notes:

Source and destination Ethernet MAC addresses are preserved whether they are forwarded locally or remotely.

Packets received from the network will also be forwarded to any other remote daemons included in the group.

The UDP port number for inter-daemon communication must be the same throughout the network.

Enabling Generic L2 Tunneling on an Ethernet interface does not interfere with other Layer 3 networking configuration on that interface (e.g. firewall rules, IP routing, etc.).

NOTE: Avoid network configurations where the daemons can form a traffic loop. The simplest such configuration is a triangle network where each daemon forwards to two other routers. Frames arriving at one router will start cycling in clockwise and counter-clockwise directions. To avoid such packet storms, frames forwarded to the network are tagged with an initial time-to-live count. The count is decremented at each relay to the network and prevents the frame from being relayed indefinitely.

Section 5.17.3 Layer 2 Tunnels Main Menu

Layer 2 Tunnels menu items: General Configuration, GOOSE Tunnels, L2 Tunnels, GOOSE Statistics, L2 Tunnel Statistics, Activity Trace, Restart Layer 2 Tunnels daemon.
126. Upload/Download menu fields: Create directory if needed; Download mode (Immediately and show progress / In background at date and time); Download URLs to router; Send files from your current host to the router (Files to upload, Browse; File or directory to upload to; Create directory if needed; Extract ZIP or TAR files: Yes then delete / Yes / No; Send to router); Download a file from the router to your host (Download to your host).

Figure 67 Upload/Download Menu

The Upload/Download Files menu provides a means to transfer files to and from the router.

The "Download files from the specified URLs to this router" part of the menu allows you to have the router download files from FTP and HTTP servers. You need to specify at least the file URL and the directory to download it to. You may also decide to create directories cited in the download path at download time, set the user/group ownership of the file, and postpone the download to a specific time.

The "Send files from your current host to the router" part of the menu allows you to send files from your host machine directly to the router. You need to specify at least one file to send and the directory to upload it to. Clicking on a Browse button will open a file search dialog box. Select the file to upload to the router and close the dia
127. to access the Webmin server from outside of your local network. If not, simply configure Webmin to listen on the local interface. By default, Webmin listens on TCP port 10000 for clients. It is possible to change this default behaviour.

Section 4.1.3 Change Help Server

Change Help Server fields: URL of Help (None / Use Upgrade Repository / Alternate URL). Note: If you specify an alternate URL to host the help text, you must install release-specific help directories in the form RELEASE/html. The router currently expects to find an html directory there. Save Changes.

Figure 127 Webmin Configuration Menu, Change Help Server

The Web management package provides context-sensitive help in each of its menus. When a help link is selected, the router instructs the browser to open the help text from a help server. In this way, the router does not waste large amounts of disk space storing help text and network bandwidth sending large web pages.

By default, the router directs the browser to the same server used to upgrade the router. This is as specified in the Maintenance menu, Upgrade System sub-menu, Change Repository Server command.

This command allows you to disable Web management help, use the upgrade repository server, as well as specify a new server. If you specify an alternate web server to host the help text, you must install release-specific help directories below the document root. The
128. to match. The Destination Ports field specifies the destination TCP or UDP port number, or ICMP type, to match.

The Test field defines a test on the existing packet or connection mark. The packet or the connection mark may be checked for equality or non-equality against a reference mark. A mask may again be specified in the field to apply to both marks prior to comparison. Mark and mask may be in the range 1-255, in decimal or hex.

The Length field specifies the packet length or length range to match.

The TOS field specifies the packet TOS value to match. A TOS value may be selected from the list, or may be specified in decimal or hex by selecting Other. It may take on one of the following values:

Minimize Delay: 16 (0x10)
Maximize Throughput: 8 (0x08)
Maximize Reliability: 4 (0x04)
Minimize Cost: 2 (0x02)
Normal Service: 0 (0x00)

The Manually Edit File button also allows you to make direct changes to the TC Rules configuration file.

TC Rules

This form can be used to manually edit the Shorewall file /etc/shorewall/tcrules. Be careful, as no syntax checking will be done on the changes.

Shorewall version 4 - Tcrules File. For information about entries in this file, type "man shorewall-tcrules". See http://shorewall.net/traffic_shaping.htm for additional information. For usage in selecting among multiple ISPs, see http://shorewall.net/MultiI
129. to refer to this connection when choosing which connection to dial automatically at boot, or which connection to use as a backup for another link.

The Disconnect on idle timeout field specifies how long an established PPP connection will wait with no data traffic before it disconnects. This option is only valid when the Dial on demand option is checked.

The PPP Username field determines the user name to use when connecting to the PPP server, as specified by its operator.

The Password field determines the password to use when connecting to the PPP server.

The Dial type field determines the type of dialing system to use on the phone line: either DTMF (Dual Tone Multi-Frequency, commonly known as Tone dialing) or Pulse dialing. Almost all phone systems support DTMF, and DTMF is much faster at dialing. DTMF is recommended whenever possible.

The Phonenumber field specifies the telephone number to dial to connect to the PPP server.

The Defaultroute check box enables automatically setting a default route using this interface whenever it connects. If this is your primary network connection, you probably want this option enabled. On systems with two modems where you want to specify a Dial On Demand alternate modem, this option must be disabled for the primary modem. For more information on Dial On Demand alternate modem settings, see Section 3.8.6.3, Dial on Demand Alternate Modem Setting.

The Use peer DNS check box enables automatically setting th
130. to the participating physical interface to remotely access the router.

The Bridge filtering options enable or disable bridge filtering. When enabled, only Ethernet frames that match the allowed Ethernet Types are allowed to pass over the bridge. When disabled, Ethernet frames travel through the bridge interface as if it were a normal switch. For this option to function, the Retain IP on Bridge Device check box must be checked.

The Bridge routing options enable or disable bridge routing. When enabled, IPv4, IPv6 and ARP frames are forced up to the routing layer for processing. See Section 5.2.6.6, Bridge Configuration.

The Save button will save the configuration changes. Please note that the changes will be effective immediately after clicking the Save button.

The Bridge Filtering Rules table lists the allowed Ethernet types. To delete an Ethernet type from the list, click Delete. To add a new type, click Add new rule. On the Create New Rule page, specify the default ISO type or type a different type in the Others box. Click Save when done.

Bridge Filtering Configuration, Create New Rule: Allow Ethernet Type (None / Others); Save; Return to previous page.

Figure 176 Creating New Rule

NOTE: For important information about using Ethernet bridging, see Section 5.2.5, Bridge Fundamentals.

Section 5.2.6.8 PPPoE on
131. to use more internal IP addresses. Since they're used internally only, there's no possibility of conflict with IP addresses used by other organizations. Typically, your internal network will be set up to use one or more of the reserved address blocks described in RFC1918, namely:

10.0.0.0/8 (10.0.0.0 to 10.255.255.255)
172.16.0.0/12 (172.16.0.0 to 172.31.255.255)
192.168.0.0/16 (192.168.0.0 to 192.168.255.255)

As packets with these addresses reach the NAT gateway, their source address and source TCP/UDP port number are recorded, and the address/port number is translated to the public IP address and an unused port number on the public interface. When the Internet host replies to the internal machine's packets, they will be addressed to the NAT gateway's external IP at the translation port number. The NAT gateway will then search its tables and make the opposite changes it made to the outgoing packets, and forward the reply packets on to the internal machine. Translation of ICMP packets happens in a similar fashion, but without the source port modification.

NAT can be used in static and dynamic modes. Static NAT masks the private IP addresses by translating each internal address to a unique external address. Dynamic NAT translates all internal addresses to one or more external address(es).

Section 5.8.1.4 Port Forwarding

Port forwarding, also known as redirection, allows traffic coming from the Internet to be sent to a host behind the NAT gateway. Previ
132. traffic on. The Message RX/TX and Incoming/Outgoing Connections fields cause data packets and connection activity to be included in the trace. The Hex dump field causes the content of data packets to be displayed. The Maximum packets captured and Maximum capture time fields limit the amount of traffic captured.

Section 2.2.11 Interface Statistics Menu

Figure 13 Interface Statistics Menu (columns: Interface, rxbytes, txbytes, rxpackets, txpackets, rxerrors, txerrors, rxpackets dropped, txpackets dropped; rows for eth1 through eth4 and gre0; buttons: Refresh, Continuous Display, Return to Network Utilities)

This menu provides basic statistics for all network interfaces. The Refresh button will cause the page to be reloaded. The Continuous Display button will cause the browser to continuously reload the page, showing the differences in statistics from the last display. The difference is not a real-time rate in bytes or packets per second. Note that detailed statistics for T3, T1/E1, DDS and ADSL are available within the menus that configure those interfaces. S
133. used to distribute application-specific information through a network using OSPF LSAs.

The Passive Default option controls the default active/passive state of new interfaces. When enabled, all new interfaces will be passive by default. The passive state of individual interfaces is controlled from the OSPF Interfaces configuration.

The Refresh Timer field controls how frequently OSPF LSA refreshes occur.

The RFC 1583 Compatibility field controls support for RFC1583 compatibility. If this option is enabled, OSPF will be compatible with the obsolete RFC1583 version of OSPF. By default, it is compatible with the RFC2178 version of OSPF only.

The Redistribute Connected fields control distribution of connected routes. When enabled, OSPF will advertise routes to directly connected interfaces to other OSPF routers in the area. Normally, only routes that fall within the scope of the network areas will be advertised.

The Redistribute Static fields control the distribution of static routes created using the Network Configuration, Routing and Default Route menu. When this parameter is enabled, OSPF will advertise these static routes to other OSPF routers in the area. Normally, only routes that fall within the scope of the network areas will be advertised.

The Redistribute Kernel fields control distribution of kernel routes. When enabled, OSPF will advertise routes from the kernel routing table (which includes static routes entered by the administrator) to other OSPF
134. variable being monitored. The Sample Interval configures how often samples should be generated. The Rising Threshold configures the value that will trigger an event when the value of the variable increments past this value. The Falling Threshold configures the value that will trigger an event when the value of the variable decreases past this value. The Startup configures the condition that will cause the initial event.

Section 3.7.2 Backup and Restore

The Backup and Restore system provides the following features:

System Backup And Restore menu icons: General Configuration, Archive History, Archive Backup, Archive Restore, Archive Configuration, Rollback Differences.

Figure 31 System Backup and Restore

All configuration settings are saved in a configuration archive. Webmin configuration settings are saved in a Webmin configuration archive. Archives can be used to clone routers, replicate a damaged resource, or unwind a change.

Archives can be created manually (including user comments) or by the Automatic nightly backup, which captures all changes over the previous 24 hours. The nightly backup archives can be automatically transferred via scp or ftp to a designated server. The nightly backup archives are kept on the router for a configurable number of days and then deleted. The most recently made archive is nev
135. you to add, delete and configure interfaces hosting multiple zones. Add a new zone host by selecting the "Add a new zone host" link, or by clicking on the add-above or add-below images in the Add field. Reorder the hosts by clicking on the arrows under the Move field.

The Zone field selects a zone that will correspond to a subnet on the interface in question. The Interface field describes that interface, and the IP address or network field describes the subnet. Selecting the IPSec zone Host Option field will identify that the traffic to hosts in this zone is encrypted. The Save and Delete buttons will allow you to edit or delete the zone host. You may also make changes by manually editing the policy.

Section 5.8.5.4 Default Policies

Default Policies: This page allows you to configure the default actions for traffic between different firewall zones. They can be overridden for particular hosts or types of traffic on the Firewall Rules page. No default policies have been defined yet. Add a new default policy. Manually Edit File: Click this button to manually edit the Shorewall file /etc/shorewall/policy in which the entries above are stored. Return to list of tables.

Figure 223 Firewall Default Policies

This menu allows you to add, delete and configure default policies. Add a new policy by selecting the "Add a new default policy" link, or by clicking on the add-above or add-below images in the Add field. Reorder the po
136. The Description field allows the administrator to store a brief description of the MLPPP link. The MLPPP Channel Setting table allows one or more T1/E1 channels to be included in the MLPPP bundle. After the fields have been entered, click the Save button to create the MLPPP bundle.

Section 5.6.4 Multilink PPP Statistics

Once an MLPPP interface is configured, interface statistics become available for both the T1/E1 links which comprise the MLPPP bundle and for the MLPPP interface itself. The T1/E1 link statistics interface is described in Section 5.3.2.10, Link Statistics. The statistics of the PPP links comprising the MLPPP bundle can also be displayed by clicking the Statistics link below the MLPPP interface name (e.g. w1c1mlppp) in the table for each T1/E1 interface.

w2c4mlppp Statistics

Operational Statistics: Number of frames transmitted; Number of bytes transmitted; Number of frames received; Number of bytes received.

Communication Error Statistics, RX Stats: Number of receiver overrun errors; Number of receiver CRC errors; Number of receiver Abort errors; Number of receiver corruption errors; Number of receiver PCI errors; Number of receiver DMA descriptor errors.

TX Stats: Number of transmitter PCI errors; Number of transmitter PCI lat
137. IPSec VPN Configuration menu icons: Server Configuration, L2TPD Configuration, Preshared Keys, Show Public Key, List Certificates, IPsec Status. Status message: "IPsec VPN Networking is currently stopped. You may start it via the System folder, Bootup And Shutdown menu."

Figure 247 IPSec VPN Configuration Menu, Before/After Generation

After a VPN connection is created, this menu will display an icon for the connection, as shown in the next view of the VPN Configuration menu.

The "Add defaults for all connections" link allows you to create a profile that will apply to all connections for items such as key type, encryption protocol and compression. These defaults can then be overridden on a per-connection basis.

The "Add a new IPSec VPN connection" link creates a new connection and its icon. The "Import connection from file" link creates new connections from imported data.

Select the Server Configuration icon to configure server parameters. Select the L2TPD Configuration icon to configure L2TP parameters. Select the Pre-shared Keys icon to create, delete and edit pre-shared keys. Select the Show Public Keys icon to display the server's public key. Select the IPSec Status icon to display information about the server's capabilities and any current connections.

After a VPN connection is created, this menu will include a Start Connection button that can start or restart VPN connections. This button is shown in the next view of the VPN Configuration menu. The Appl
138. Section 3.14.2 IRIG-B Fundamentals

IRIG-B outputs are provided by the Precision Time Protocol Card option. The Inter-Range Instrumentation Group (IRIG) IRIG-B standard details the format of an output signal containing information for the current day, hour, minute and second in UTC format, broadcast at the start of each second. ROX complies to IRIG Standard 200-04, generating formats IRIG-B002 and IRIG-B003 (PWM) and IRIG-B122 and IRIG-B123 (AM).

Section 3.14.2.1 IRIG-B Output Formats

The router provides three ports by which the signal is distributed, namely:

An Amplitude Modulated (AM) sinusoidal output port, PTP1.
Two TTL voltage level output ports, PTP2 and PTP3, which may be configured as either pulse per second (PPS) or pulse width modulated (PWM).

The signal can be used to synchronize intelligent devices to a high quality time source called the reference clock. The router uses a global positioning satellite (GPS) receiver, NTP, or the router's local clock as the reference clock.

Section 3.14.2.2 Reference Clocks

GPS provides the highest quality reference clock. It will always be used when it is available, but may require some time after boot before becoming acquired, or "GPS locked". Typically, GPS lock is acquired within five minutes of boot. When GPS is the reference clock, IRIG-B timestamps are accurate to within ns. If GP
139. Redistribute BGP: Redistribute BGP routes to OSPF area routers (enable/disable; metric type 1 or 2; metric 0 to 16777214; default disabled, unset).

Router ID: Identifier of router. Often the main IP address of the router (A.B.C.D; default: highest IP of system). Note: The router id is automatically picked as the highest IP address assigned to the unit at startup, unless the config contains a router id to use. The router id change only updates the config and takes effect on restart.

Figure 271 OSPF Global Parameters

The Enable Password field sets the password to be used for the enable command of ospfd. This is used by the telnet interface of ospfd to control access to the configuration.

The Telnet Password field sets the password to be used for telnet access to ospfd. This is used as the login password of ospfd when locally telnetting to port 2604 of the router.

The ABR Type field selects which method to use on area border routers to manage inter-area routes. Standard follows RFC2178; Cisco and IBM follow RFC3509; Shortcut is covered by the draft-ietf-ospf-shortcut-abr-00.txt document. Standard requires all ABRs to have a backbone connection. The other three methods allow for ABRs that do not have a backbone connection.

The Auto Cost
140. 2 Network Utilities

Section 2.1 The ROX Web Interface

The ROX Web interface is provided by an enhanced version of the popular Webmin interface.

Section 2.1.1 Using a Web Browser to Access the Web Interface

Start a web browser session and open a connection to the router by entering a URL that specifies its hostname or IP address, e.g. https://179.1.0.45:10000. Once the router is contacted, start the login process by clicking on the Login link. The resulting page should be similar to that presented below.

IMPORTANT: Starting with ROX v1.16.1, ROX uses 1024-bit RSA certificates by default, which is required by most Web browsers. However, previous versions of ROX use 512-bit certificates, and these certificates are not replaced during a simple upgrade. If upgrading from a version of ROX older than v1.16.1, replace the current certificates with new 1024-bit certificates for compatibility with most modern Web browsers. For more information, refer to the application note "Generating SSH Keys and SSL Certificates for ROS and ROX Using Windows" (AN22), available on www.siemens.com/ruggedcom.

Enter the root user name and the appropriate password for that user, then click on the Login button. The router is shipped with a default administrator password of admin. Once successfully logged in, the user will be presented with the main menu.

Login page: "You must enter a username and password to login on 192.168.0.3" (Username, Password, Lo
141. Archive History entries shown: rr1.16.0-QA1.1, Automatic nightly backup at 2013-10-22 00:00; latestwebminarchive, rr1.16.0-QA1.1, Automatic nightly backup at 2013-10-22 00:00. Buttons: Remove Selected Archives; Upload configuration archives or webmin archives from your current host to this router (Archive to upload; Upload To Router); Return to Backup And Restore.

Figure 36 Archive History

The Archive History menu displays current system configuration archives (including all configurations) and Webmin configuration archives (only includes Webmin configurations), sorted by date, most recent first. Following the link of an archive under the Archive Name field will upload a copy of it. Selecting an archive under the Archive Name field and applying the Remove Selected Archives button will delete the archive. Note that only manual backup archives can be deleted. Automatic nightly backup archives will automatically be aged out. The latestarchive and factorydefaults archives will never be deleted.

The Archives to upload fields select archives to upload to the router. The Browse button will allow you to select an archive. Applying the Upload to Router button will upload the specified archive to the router.

Section 3.7.2.4 Archive Backup

Archive Backup fields: Backup type (Configuration Archive / Webmin Archive); Archive Comment. Comments entered
142. Distance: default is 120. Refresh display; Return to rip.

Figure 280 RIP Status

The RIP Status menu displays:

A list of routes currently managed by RIP, along with the status of each one.
A list of RIP neighbors, along with statistics and state information for each one.
Other statistics, including known peers and memory usage.

The table in the "Current RIP route status" report provides the following information:

Network is the IP address for the network.
Next Hop is the next hop IP address.
Metric is the metric value.
From is the source IP address.
Tag is the tag information for the route.
Time is the route up remaining time.

The tables in the "Current RIP neighbour detail status" report provide the following information:

Interface is the interface name.
Send is the RIP send version.
Recv is the RIP receive version.
Key chain is the RIP authentication key chain.
Gateway is the gateway address.
BadPackets is the number of bad packets received.
BadRoutes is the number of bad routes received.
Distance is the distance.
Last Update is the peer uptime since the last update.

Section 5.12.6.24 View RIP Configuration

View RIP Configuration: RIP show running-config output (password, enable password, interface eth1, eth2, interface eth3
143. Edit T3 1 Parameters; View T3 1 Link Statistics.

Figure 196 T3/E3 Network Interface With Logical Interfaces

Section 5.4.4.2 Naming of Logical Interfaces

ROX names the logical interfaces that are created for T3/E3 Trunks, but allows you to provide a description. All interfaces start with a "w" to identify them as WAN interfaces, followed by the interface number. The next part of the identifier is either "ppp", or "fr" and the frame relay DLCI number.

Section 5.4.4.3 T3 Interface Parameters

The Edit T3 X Parameters link from the T3/E3 WAN Interfaces menu links to this menu, which displays and configures T3 Trunk parameters, including the option to use the interface in E3 mode.

Edit T3 Interface, Interface T3 1 Parameters: Convert this interface to E3; Framing (C-Bit); Line Decoding (B3ZS); Clocking (Master); Save; Return to T3/E3 WAN Interfaces.

Figure 197 Edit T3 Interface

The Framing field determines the framing format used. Your line provider will indicate the correct format.

The Line Decoding field reflects the line encoding/decoding scheme. Almost all T3s now use B3ZS.

The Clocking field selects whether to accept or provide the clock signal. In normal use, the central office provides the clock signal, in which case the setting should be Normal. It is also possible to connec
144. 5.21.3.1 Generating a Certificate Signing Request (CSR) 341
5.21.3.2 Installing Certificates 342
Chapter 6 Upgrades 343
6.1 Installing Apache Web Server On Windows 343
6.2 Installing a Microsoft IIS Web Server 344
6.2.1 Using Microsoft Internet Information Services (IIS) Manager 6.0 or Higher as an Upgrade 345
6.3 VPN (L2TP) Configuration in Windows 346

Preface

This guide describes the user interface for ROX v1.16 running on the RX1000/RX1100 family of products. It contains instructions and guidelines on how to use the software, as well as some general theory. It is intended for use by network technical support personnel who are familiar with the operation of networks. It is also recommended for use by network and system planners, system programmers and line technicians.

Alerts

The following types of alerts are used when necessary to highlight important information.

DANGER: DANGER alerts describe imminently hazardous situations that, if not avoided, will result in death or serious injury.

WARNING: WARNING alerts describe hazardous situations that, if not avoided, may result in serious injury and/or
145. 3.14.3.3 IEEE1588 Configuration. [IEEE1588 Configuration form, IEEE1588 Options: IEEE1588 Working Mode: Master or Slave; Preferred Master Clock; Subdomain Name: DefaultPTPdomain (224.0.1.129); Sync Interval (seconds): 2. The following options determine how IEEE1588 grandmaster clocks are represented to NTP, based upon the quality of their clock source: Treat NTP sync'd grandmasters as stratum (2 to 12); Treat Local clock sync'd grandmaster as stratum (2 to 12, default 10). "Treat NTP sync'd grandmasters as stratum" is the stratum number of the grandmaster when it does not have GPS locked but has locked with a remote NTP server. "Treat Local clock sync'd grandmaster as stratum" is the stratum number of the grandmaster when it has only locked with the local clock. Save; Return to module index.] Figure 112: IEEE1588 Configuration Menu. This menu allows you to configure IEEE 1588 parameters. The 1588 Working Mode field configures whether the router will be forced to 1588 slave mode or will determine its role by the BMC algorithm. The Preferred Master Clock field configures the router to be the preferred master clock. The Subdomain Name field allows you to choose which domain you want the router to participate in. There are four domains available, each mapped to a different multicast IP address. The Sync Interval field configures the rate at which SYNC messages are issued.
146. 317; 5.18.1 DHCP Network Organizations 318; 5.18.2 DHCP Client Options 318; 5.18.3 Option 82 Support with Disable NAK 320; 5.18.4 Example DHCP Scenarios and Configurations 320; 5.18.4.1 Single Network With Dynamic IP Assignment 320; 5.18.4.2 Single Network With Static IP Assignment 321; 5.18.4.3 Single Network With Option82 Clients On One Switch 321; 5.18.4.4 Multiple Subnets on Separate VLANs Using Option82 on One Switch 322; 5.18.5 DHCP Configuration 323; 5.18.5.1 DHCP Shared Network Configuration 324; 5.18.5.2 DHCP Subnet Configuration 325; 5.18.5.3 DHCP Group Configuration 326; 5.18.5.4 DHCP Host Configuration 326; 5.18.5.5 DHCP Pool Configuration 327; 5.19 DHCP Relay 328; 5.19.1 Configuring DHCP Relay 329; 5.20 Configuring NTP Servers 330; 5.20.1 The NTP Sanity Limit 330; 5.20.2 NTP and the Precision Time Protocol Card 331; 5.20.3 Included
147. 4.50.190. The IPSec Status button produces a window of text similar to that of the above figure, except that line numbers have been inserted for purposes of illustration. The first group (lines 1 to 5) describes configured interfaces. The second group (lines 7 to 17) describes ESP capabilities. In this group we can see encryption capabilities (lines 7 to 13) and authentication capabilities (lines 14 to 17). At least one set of values must match between the left and right hand side VPN devices. This is also frequently referred to as the Phase 2 parameters, because the data encryption process is the second and final thing to occur in establishing a VPN. The third group (lines 18 to 28) describes IKE capabilities and defines the various encrypted key exchange algorithms and their parameters. At least one set of values must match between the left and right hand side VPN devices. This is also frequently referred to as the Phase 1 parameters, because the key exchange process is the first thing to occur in establishing a VPN. The fourth group (lines 30 to 39) describes VPN connections, here "openswantest". The first line is particularly useful since it indicates the connection addresses and subnets, and that the connection is active (erouted). If there are no entries then the VPN hasn't been established at all. If there are entries but no "STATE_QUICK_R2 (IPSec SA established)" lines, then the IPSec parameters are configured but the tunnel hasn't bee
148. 400 bps. Supports RS232, RS422 and RS485 (party line) operation. XON/XOFF flow control. Supports a point-to-point connection mode and a broadcast connection mode in which up to 32 remote servers may connect to a central server. TCP/IP incoming, outgoing or both incoming and outgoing connection modes, with configurable local and remote TCP port numbers. Packetizes and sends data on a full packet, a specific character or upon a timeout. Supports a turnaround time to enforce minimum times between messages sent out the serial port. Debugging facilities including connection tracing and statistics. Section 3.10.1.1 LED Designations. The Quad TriplePlay Serial card includes transmit and receive LEDs. The transmit LED is leftmost when the card is in the top slot and will light while characters are being transmitted. The receive LED is rightmost when the card is in the top slot and will light while characters are being received. Serial port numbers are as described by the SER labels, as shown in the home page chassis diagram. Section 3.10.2 Serial Protocols Applications. Section 3.10.2.1 Character Encapsulation. Character encapsulation is used any time a stream of characters must be reliably transported across a network. The character streams can be created by any serial device. The baud rates supported at either server need not be
149. [Addresses to listen on: 68.0.3 enabled/disabled; eth2 192.168.2.1 enabled/disabled; eth3 192.168.3.1 enabled/disabled; eth4 192.168.4.1 enabled/disabled; New. NOTE: snmpd is currently configured to listen on all active IPv4 interfaces.] Figure 47: Network Addressing Configuration Menu, Addresses to listen on. The table of Addresses to listen on includes the list of currently configured and active IP addresses and whether the address is currently listened on. The New field allows for the addition of other IP addresses. snmpd will use these addresses providing they are active at the time it starts. By default, snmpd listens on all interfaces. Section 3.7.4.4 Access Control: SNMP V1 and V2c Communities. [No V1 or V2c communities are currently defined. Add an SNMP V1 or V2c Community Name form: Community Name; Access: read only; Source IP; OID; Add.] Figure 48: Access Control Menu, SNMP V1 and V2c. The first part of the Access Control page allows the creation and deletion of SNMP V1 and V2c community names. The Community Name field selects the name of the community. The Access field determines whether the community is read-only or read-write. The Source IP field may be used to specify an IP address or range (e.g. 10.0.0.0/24) from which access to this community name may be made. The OID field further restricts access to an Object Identifier (OID) tree at or be
150. 8.1.1 and save it. 5. Click "add a new host". 6. Set the hardware address to Ethernet 00:11:22:33:44:01 and the fixed IP to 192.168.1.101. Assign the client a hostname as well. 7. Click Create. 8. Repeat steps 5 through 7 for the other hosts, with the appropriate address, MAC and hostname for each client. 9. Restart the DHCP server or apply changes. Section 5.18.4.3 Single Network With Option82 Clients On One Switch. In this example the eth1 interface is provided with IP address 192.168.1.1/24. A switch is connected to eth1 and uses address 192.168.1.2/24. The switch's port 1 is connected to the router, while its ports 2 through 8 provide DHCP relay support. The switch has its DHCP relay server address set to the router's address, 192.168.1.1. The switch has all ports in VLAN 1. The switch base MAC address is 00:0A:DC:11:22:00. Assign a client at switch port 2 address 192.168.1.102. Assign a client at switch port 3 address 192.168.1.103. Assign multiple clients at switch port 4 dynamic addresses 192.168.1.151 through 192.168.1.200. The router serves as the default gateway. 1. Enable eth1 in the Edit Network Interfaces menu. 2. Add a new subnet and configure it for network address 192.168.1.0 with netmask 255.255.255.0. 3. Enable the "Disable NAK of option82 clients for this subnet" option, to prevent confusing some DHCP clients due to the client being on the same network as the DHCP server and the DHCP relay agent (the switch). S
151. 865) is a protocol designed to allow the centralization of authentication, authorization and configuration of various types of services. The goal of RADIUS authentication is typically to restrict the distribution of account information and to avoid the replication of security management effort. Section 4.6.1 RADIUS Usage. The typical mode of operation involves a Network Access Server (NAS), in this case the ROX, and a remote RADIUS server where account information is stored. In the course of attempting to access connection-oriented services on the NAS, a user presents credentials to the NAS for authentication. The NAS forwards these to a configured RADIUS server and accepts from it the determination of whether the user is allowed the requested access. In order to protect the security of account information and of both the NAS and the RADIUS server, transactions are encrypted and authenticated through the use of a shared secret, which is never sent in the clear. Some administrators set the passwords of existing ROX accounts (e.g. rrsetup and root) uniquely for each router and then employ a common password per account for all routers served by RADIUS. The router-specific passwords are restricted to a very few personnel. A larger set of expert users is granted the rights to SSH login using the RADIUS root account passwords
152. Link Backup 293; 5.13.1 Path Failure Discovery 294; 5.13.2 Use of Routing Protocols and the Default Route 294; 5.13.3 Link Backup Configuration 295; 5.13.4 Link Backup Configurations 295; 5.13.5 Edit Link Backup Configuration 296; 5.13.6 Link Backup Logs 297; 5.13.7 Link Backup Status 297; 5.13.8 Testing a Link Backup Configuration 298; 5.13.9 Scheduled Link Backup Test 298; 5.13.9.1 [title illegible] 299; 5.13.9.2 Logging Output 299; 5.14 Configuring VRRP 300; 5.14.1 The Problem with Static Routing 300; 5.14.2 The VRRP Solution 300; 5.14.3 VRRP Terminology 300; 5.14.4 VRRP Configuration 302; 5.14.5 VRRP Configuration Menu 303; 5.14.6 Editing a VRRP Instance 304; 5.14.7 Editing a VRRP Group
153. -----END RSA PRIVATE KEY----- Section 4.4.2 Regenerating SSL Keys and Certificates. If it is not possible to provide certificates and keys to ROX from a proper X.509 system, then Siemens recommends that the user regenerate the ROX keys and certificates on a regular basis, following the steps below. These certificates are self-signed. NOTE: For security r
154. [lines 20 to 30 of the IPSec status output are illegible in the scan] 31 [partly illegible]: ike_life: 3600s; keyingtries: 0 32 "openswantest": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,8; interface: eth2; 33 "openswantest": newest ISAKMP SA: #3093; newest IPsec SA: #2997; 34 [illegible] 35 [illegible] 36 "openswantest": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536 37 [illegible] 38 [illegible] 39 "openswantest": ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=<Phase1> 40 #3126: "openswantest" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 9s 41 #3093: "openswantest" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1050s; newest ISAKMP 42 #2997: "openswantest" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 19773s; newest IPSEC; eroute owner 43 #2997: "openswantest" esp.df9839e9@204.50.190.91 esp.8e2d7255@204.50.190.89 tun.0@204.50.190.91 tun.0@20
155. Activation and Section 3.9.4.2 Manual Account Activation below. [Cellular Modem menu: Manual Account Activation; Over The Air Account Activation; Return to Modem Main Menu.] Figure 82: Cellular Modem Interface (CDMA modem not yet activated). Prior to use, a CDMA type cellular modem must be activated for use on a particular provider's network. Once the activation process has been completed, the modem will be able to connect to the network without further intervention. Two account activation methods are provided by ROX: OTA (Over the Air) and Manual. Both activation methods are described in this section. Section 3.9.4.1 Over The Air Account Activation. ROX supports the OTASP (Over the Air Service Provisioning) mechanism offered by most CDMA cellular service providers for provisioning cellular end stations for use on their networks. Using this method, the service provider (or carrier) supplies an OTASP dial string which ROX can use to contact the cellular network via the modem. During this OTASP call, the carrier authorizes and configures the modem for use on its network. Note that an OTASP dial string typically begins with *228. [Over The Air Account Activation form, columns Parameter, Value, Description: Activation Dial string: *22899, Dial string to automatically activate account. O
156. BGP neighbors. NOTE: If BGP Neighbors are specified but no Networks are specified, then the router will receive BGP routing information from its neighbors but will not advertise any routes to them. Section 5.12.6.9 BGP Neighbor Configuration. [BGP Configuration form, columns Parameter, Value, Description, Possible values (default value): Neighbor IP: 192.168.10.2, Neighbor IP address; Remote AS: 210, Remote AS; Maximum prefix: 50, Maximum prefix accepted from the neighbor. Inbound attributes for the neighbor: Metric attribute, Metric attribute for the neighbor; Local Preference attribute, Local preference attribute for the neighbor; Weight attribute, Weight attribute for the neighbor. Outbound attributes for the neighbor: Metric attribute, Metric attribute for the neighbor; Local Preference attribute, Local preference attribute for the neighbor. Return to networks.] Figure 267: BGP Neighbor Configuration Menu. Neighbor IP is the IP address of a BGP neighbor to add. A BGP Neighbor is Remote AS is the Autonomous System ID of a BGP neighbor. The Metric attribute is propagated throughout an AS. A path with a lower metric attribute is preferred over one with a higher value. The Local Preference attribute is propagated throughout an AS. A higher local preference a
157. By default, when the Shorewall firewall is stopped it will deny access from all hosts. This page allows you to define hosts or networks that will still be accessible. [No addresses to be accessible when stopped have been defined yet. Add a new stopped address. Manually Edit File: Click this button to manually edit the Shorewall file /etc/shorewall/routestopped in which the entries above are stored. Return to list of tables.] Figure 231: Actions When Stopped. This menu allows you to control which addresses the firewall will accept connections from after it has been stopped. Add a new entry by selecting the "Add a new stopped address" link, or by clicking on the add above or add below images in the Add field. Reorder the entries by clicking on the arrows under the Move field. Clicking on a link under the Interface field will allow you to edit or delete the rule, as shown below. You may also make changes by manually editing the rule file. Section 5.8.5.10 Controlling the Firewall from the Command Line. The software provides limited control of the firewall from the command line, such as from SSH. IMPORTANT: The firewall cannot be started or stopped unless it is configured. Run "enable" first, or see Section 5.8.5 Firewall Configuration. CAUTION: Configuration hazard, risk of data corruption. Access to the Command Line Interface (CLI) is provided for troubleshooting purposes and should only be used by Siem
158. C Config Options. [Connection Configuration: Server Address: 172.30.151.151; Server Port: 21000; Client Connection Timeout: 15 minutes (set to 0 for no timeout); Device Session Timeout: 15 minutes (set to 0 for no timeout). Server Certificate Configuration: CA Cert File Path: etc crossbow cxb test ca cert pem; Cert File Path: etc crossbow sac 151 certificate pem; Key File Path: etc crossbow sac 151 privatekey pem; Private Key Pass Phrase. Station Access Controller Configuration: SAM I Common Name: crossbowserver; SAM I Host Address: 1059055232; SAM I Host Port: 51099; SAM II Common Name: crossbowsam; SAM II Host Address: 1999020172; SAM II Host Port: 510p (illegible). User Access Configuration: Max Login Attempts: 3. Event Log Message Configuration: Event Log Message Limit: 10. Save options; Return to CrossBow Main Menu.] Figure 324: CrossBow SAC Config Options. This menu allows you to configure CrossBow SAC, including the SAC connection, certificates, keys, user access and event logs. Section 5.21.1.1 Configuring the SAC Connection. [Connection Configuration: Server Address; Server Port: 21000; Client Connection Timeout: 15 minutes (set to 0 for no timeout); Device Session Timeout: 15 minutes (set to 0 for no timeout).] Figure 325: Connection Configuration. This menu allows you to configure the Cro
159. Certificate Signing Request. The Common Name field specifies the common name in the certificate. The Passphrase field sets a passphrase for the CSR. The Department, Organization, Locality, State/Province and Country Code fields define the address of the Certification Authority (CA). The RSA key size options specify the size of the keys, 1024 or 2048 bits. The Generate CSR button generates the final CSR. Section 5.21.3.2 Installing Certificates. [Install New Certificate form: Certificate to Install: Cert File location (Browse); Directory to upload to: /etc/certs; This is a CrossBow SAC Certificate; This is a trusted CA certificate; Upload; Return to CrossBow Certificates.] Figure 333: Install New Certificate. This menu allows you to upload new certificates for CrossBow SAC. The Cert file location fields specify the file, its location and what type of certificate it is. Use the Browse button to navigate to and select the file from your local PC or network. The Directory to upload cert to field specifies where to save the certificate on the device. The Upload button uploads the selected certificate to the device. Chapter 6 Upgrades. This chapter details how to install optional software to
160. Click this button to restart the Layer 2 Tunnels daemon with the current configuration. This will restart all protocols. Figure 300: Layer 2 Tunnels Main Menu. Note that the Layer 2 Tunnel daemon is disabled by default and may be enabled via the System folder, Bootup and Shutdown menu. The General Configuration menu changes parameters that apply to all protocols. The GOOSE Tunnels and GOOSE Statistics menus configure and display statistics for these tunnels. The L2 Tunnels and L2 Statistics menus configure and display statistics for these tunnels. The Activity Trace menu provides a capture and trace facility for NOTE: When enabled, any configuration changes may be made to take effect by selecting the Restart Layer 2 Tunnels daemon button. Section 5.17.4 General Configuration Menu. [General Configuration form, Layer 2 Daemon Parameters: Daemon UDP Listen Port: 1311; Beacon Interval: 60 seconds; Save Changes; Return to Layer 2 Tunnels.] Figure 301: General Configuration Menu. This menu configures general settings for the daemon that apply to all supported tunnel configurations. The Daemon UDP Listen Port field configures the port used by the daemon to communicate with other daemons. NOTE: All Layer 2 Tunnel daemons in the network must use the same port number. If the router employs a
161. Concepts and Issues. Section 3.10.5.1 Host and Remote Roles. Client gateways, such as that implemented by the ROX, always make the TCP connection to the Server Gateway. The Server Gateway can only accept a connection. Section 3.10.5.2 Port Numbers. The TCP port number dedicated to Modbus use is port 502. The Server Gateway can also be configured to accept a connection on a configurable port number. This auxiliary port can be used by masters that do not support port 502. NOTE: The Server Gateway is capable of creating only one connection on the specified auxiliary port, whereas when Modbus is configured to use the default port 502 it may connect to multiple RTUs. Section 3.10.5.3 Retransmissions. The Server Gateway offers the ability to resend a request to an RTU should the RTU receive the request in error or the Server Gateway receive the RTU response in error. The decision to use retransmissions, and the number to use, depends upon factors such as: the probability of a line failure; the number of RTUs and amount of traffic on the port; the cost of retransmitting the request from the server vs. timing out and retransmitting at the master (this cost is affected by the speed of the ports and of the network). Section 3.10.5.4 ModBus Exception Handling. If the Server Gateway receives a request for an unconfigured RTU, it will respond to the originator with a special message called an exception (type 10). A type 11 exception is
162. Configure Webmin Users. common RADIUS server, eliminating the need to replicate the effort of configuring the same user account information on many routers. If ROX is configured to use RADIUS to authenticate Webmin users (in the Miscellaneous module under the Maintenance category), the router will present the configured RADIUS server with the user name and password presented to a Webmin session for authentication. If the RADIUS server authenticates the user, it will return an indication of success along with the privilege level (described above) associated with the user. A user successfully authenticated by a RADIUS server will have Webmin access corresponding to his or her privilege level as configured for the user account on the RADIUS server. For information on how to configure user accounts on a RADIUS server, please refer to Section 4.7 RADIUS Server Configuration. NOTE: A Webmin user will only be authenticated locally if a user account of that name has already been created in Webmin. NOTE: The Change Password Command can only be accessed via a locally defined user account. Section 4.2.3 Webmin Users Menu. [Webmin Users page: Webmin Users: root; Select all; Invert selection; Create a new Webmin user; Delete Selected. Webmin Groups:
163. [Archive Restore page. Configuration Archives: Restore one of the following configuration archives by selecting its name. Archive Name / Version / Archive Comment: Archive20131022 0000 / rr1.16.0 QA1.1 / Automatic nightly backup at 2013 10 22 00:00; latestarchive / rr1.16.0 QA1.1 / Automatic nightly backup at 2013 10 22 00:00; Archive20131019 0000 / rr1.16.0 QA1.1 / Automatic nightly backup at 2013 10 19 00:00; factorydefaults / rr1.16.0 QA1.1 / Factory defaults. Webmin Archives: Restore one of the following webmin configuration archives by selecting its name. Archive Name / Version / Archive Comment: Webmin20131022 0000 / rr1.16.0 QA1.1 / Automatic nightly backup at 2013 10 22 00:00; latestwebminarchive / rr1.16.0 QA1.1 / Automatic nightly backup at 2013 10 22 00:00. Return to Backup And Restore.] Figure 39: Archive Restore Menu. Click on one of the links under Archive Name to start the restore. Starting the restore results in the following display. [Restoring: Are you sure you want to restore configuration with archive Archive20131019 0000? Note: The chassis will restart immediately after the restore is complete. Return to Archive Restore.] Figure 40: Start Restore. To begin the restoring process, click the Start Restore button. Section
164. DP protocols is applied. The router sees both TCP and UDP traffic that qualifies for NAT. The rule is then modified to allow only UDP. The router will still see TCP packets (i.e. retransmission packets). If required, reboot the router to flush all existing connection streams. Action: ACCEPT: Allow the connection request to proceed. DROP: The connection request is simply ignored; no notification is made to the requesting client. REJECT: The connection request is rejected, with an RST (TCP) or an ICMP destination unreachable packet being returned to the client. DNAT: Forward the request to another system (and optionally another port). REDIRECT: Redirect the request to a local TCP port number on the local firewall; this is most often used to remap port numbers for services on the firewall itself. The remaining fields of a rule (Action, Source Zone, Destination Zone, Protocol, Destination Port, Source Port, Original Destination IP, Rate Limit, User Group) are as described below. Action: The action as described in the previous table. Source Zone: The zone the connection originated from. Destination Zone: The zone the connection is destined for. Protocol: The TCP or UDP protocol type. Destination Port: The TCP/UDP port the connection is destined for. Source Port: The TCP/UDP port the connection originated from. Original Destination IP: The destination IP address in the connection request as it was received by the firewall. Rate Limit: A specification which allows the rate at which connections are m
165. [Activity Trace output, one entry per captured frame, each of the form "012 L2 GEN: Received message from eth3, length 60, DST MAC 00:0a:dc:0f:4f:40, SRC MAC 00:0a:dc:0f:4f:(cut), APP 65278 (0xfefe)"; entries 012, 013, 014, 017, 020, 021, 033 and 039 are shown. 1 second to capture; Start Trace.] Figure 309: Activity Trace Menu. This menu displays captured and decoded network activity on configured layer 2 tunnels. The desired traffic sources, number of messages and length of time to capture are entered, and the Start Trace
166. E1, DDS and ADSL ports in your router depends upon the number of ports and how they were ordered. Refer to the labelled hardware image as presented in the Webmin home page. To make labelling easy to understand, all T1/E1, T3, DDS and ADSL ports are assigned a unique port number that relates to the LEDs on the status panel. Section 5.3.1.3 LED Designations. ROX includes two sources of LED-indicated information about T1/E1 lines: the T1/E1 card itself and the LED Panel. One LED is associated with each line, next to the interface jack. This LED is red when the link is disconnected, flashes green when the link is connecting, and remains solid green when the link is established. ROX also indicates information about T1/E1 ports on the LED Panel. A pair of LEDs will indicate traffic and link status of the port. Consult Section 3.3 Using The LED Status Panel to determine which LEDs correspond to the port. Section 5.3.1.4 Included with T1/E1. T1/E1 includes wanpipemon, a utility that can capture traces from the T1/E1 line. Section 5.3.2 T1/E1 Configuration. [T1/E1 menu: T1/E1 Trunks And Interfaces; Current Route and Interface Table.] Figure 180: T1/E1 Trunks and Interfaces. This menu allows you to display and configure T1 or E1 trunks, as well as display the routes and status of the network int
167. Ethernet interface rather than as an Ethernet bridge. Because the device's Ethernet bridge is implemented in software, CPU resources are required to forward broadcast, multicast and unicast traffic on the bridge. If the router is running as a firewall, the routeback option must be enabled for the bridge interface under Firewall, Edit Network Interface. The device's Ethernet bridge turns off spanning tree by default. Do not connect the bridge interface to a ring network. Ethernet frames traveling over the bridge can also be filtered based on their Ethernet type. When enabled, only the frames that match the allowed Ethernet type(s) are allowed to pass through. The Ethernet type is a two-octet field in the Ethernet frame used to indicate the protocol encapsulated in the payload. Bridge filtering can be used in applications that require Layer 2 packet filtering at a high data rate between Ethernet interfaces. Section 5.2.6 Ethernet Configuration. [Ethernet menu: Ethernet Interfaces; Bridge; PPPoE Interfaces; PPP Logs; Current Route and Interface Table. Apply Configuration: Click this button to activate the current boot-time interface and routing settings as they normally would be after a reboot. Warning: this may make your system inaccessible via the network and cut off access to Webmin.] Figure 168: Ethernet Menu. This menu allows you to configure Ethernet interfaces, Bridge, PPPoE
168. For a detailed discussion of the configuration and use of Secure Access Portals from the Access Manager's point of view, please consult the Access Manager User Manual under Managing Secure Access Portals. Section 4.5.3 VRRP Firewall Rules and Access Manager. It may be necessary to specify additional firewall rules in order that Access Manager's SAP (Secure Access Portal) be able to access certain protocols, such as VRRP, on the router. If, for example, the router is configured to be a member of a VRRP Virtual Router Group, it must be able to accept VRRP communication from its peers. The following firewall rule must be added after the ACCEPT rules to UDP ports 30000 and 30001 and before the rules under Access Manager control: Action: ACCEPT; Source zone: net; Destination zone: fw; Protocol: VRRP; Source Ports: any. The order of the firewall rules is significant. Any rules that are entered after the Access Manager rules may not be processed. Rules inserted before the Access Manager rules may compromise the security provided by Access Manager. NOTE: Exposing any protocol or networked service has the potential of being a security risk and should not be done without good reason. Contact Siemens Customer Support for assistance if you wish to add other rules to the set recommended here. Section 4.5.4 Access Manager's Secure Access Portal Status Men
169. If the ssh connection has been made over an active T1/E1 interface, the connection will fail, but the upgrade will continue. The upgrade can also be scheduled for a specific time by using the System menu, Scheduled Commands sub-menu: set the Commands to execute field to /usr/sbin/update wanfirmware proceed, set the Run in directory field to /root, and set the Run at time field to the desired upgrade time. After the upgrade completes, alarms recommending an upgrade will be cleared. Section 5.4 Configuring Frame Relay, PPP and T3/E3. This section familiarizes the user with: configuring Frame Relay and PPP links; viewing status and statistics; upgrading firmware. Section 5.4.1 T3/E3 Fundamentals. T3 refers to a communications link upon which has been imposed a Digital Signal 3 (DS3) signalling scheme. The scheme allows 672 time slots of 64 Kbps (DS0) information to be multiplexed onto a 44.736 Mbps circuit. E3 refers to the ITU standard corresponding to the mainly North American T3 standard. E3 calls for 512 DS0-equivalent time slots multiplexed onto a 34.368 Mbps circuit. ROX provides the ability to operate Frame Relay or PPP over your physical T3/E3 interfaces. NOTE: Channel groups and fractional lines are not supported on ROX T3 and E3 interfaces. Section 5.4.2 Location of Interfaces and Labelling. Unlike the Ethernet ports, which are statically located, the location of T1/E1, T3, DDS and ADSL ports in your router dep
170. (Figure 6: Ping Check Edit Menu, with fields Interval, Ping retries, Remote IP address, Pre-defined action and Other Action.) The Interval field specifies the time, in seconds, between each successive ping request to the IP host. The Ping retries field specifies the number of ping requests that are allowed to go unanswered before taking the configured action. The Remote IP address field specifies the IP address of the remote host to monitor. The Pre-defined action drop list may be used to select a pre-defined action to be taken if the monitored IP host does not reply within the configured number of ping retries; currently the list contains Restart PPP on Cellmodem (if a cellular modem is installed) and Restart MLPPP. The Other action field accepts any valid shell command as the action to be executed if the monitored IP host does not reply within the configured number of ping retries. Section 2.2.4 Traceroute Menu. (Figure 7: Traceroute Menu, with fields Hostname/IP Address, Verbose Output, How many Hops (30), Lookup Addresses, Use ICMP instead of UDP, Packet Length (40) and Interface.) The Hostname field accepts the host name or IP address to trace the route to. Not
171. It is also possible to log actions based on the module where the actions are performed. The Log resolved hostnames field will cause Webmin to provide a hostname rather than just an IP address for the client computer that performed an action. The Clear logfiles every ... hours field causes Webmin to rotate its own logs and keep them from overfilling the disk with old logs. Currently, the Log actions by all users field should be left selected. The Log changes made to files by each action field causes verbose logging and should be left enabled. Section 4.1.5 Authentication. When enabled, password timeouts protect your Webmin server from brute-force password cracking attacks by adding a continuously expanding delay between each failed login attempt for the same user. When session authentication is enabled, each logged-in user's session will be tracked by Webmin, making it possible for idle users to be automatically logged out. Be aware that enabling or disabling session authentication may force all users to re-login. (Authentication and session options shown: Disable/Enable password timeouts, with Enable selected; Block hosts with more than 3 failed logins for 300 seconds; Log blocked hosts, logins and authentication failures to syslog; Disable/Enable session authentication, with Enable selected; Auto-logout after 90 mi
172. (Figure 2: ROX Web Interface Main Menu Window. The index frame lists the Network Configuration entries Ethernet, T3/E3, Modem, Shorewall Firewall, IPsec VPN, Dynamic Routing, Link Backup, VRRP, GRE Tunnels, LLDP, Network Utilities, Servers, Layer 2 Protocols and DHCP Relay. The status panel shows User root, Remote IP 192.168.0.200, Hostname, Time Oct 10 04:30:58 2013, Uptime (04:30:59 up 6:18, 0 users, load average 1.56 1.42 1.41), Disk Usage (256M of 936M), Memory Usage (26M of 256M), Temperature 45.5 C (113.9 F) and Major Alarms none, above a chassis diagram with ports such as ETH3, ETH4, TE1 2 and TE1 3. System summary: SW Version Webmin 1.160 2 rr850 in ROX1 16 0 QA1 0; HW Version RX1000 V2 C2; Serial Number RX1K 0506 0002.) The index frame presents a number of entries with associated icons. One icon causes the home page window to be redisplayed. A second icon signifies that the next level contains a menu of menus. A third icon signifies that clicking the entry will run a single menu. A fourth icon logs out of Webmin. The menu system entries are composed of the Webmin, System, Servers, Networking and Maintenance menus. The Webmin menu provides the ability to: configure the sign-on password; specify session timeouts; restrict the subnet of IP addresses that can login; co
173. Native Ethernet Interfaces. This menu allows you to display and configure the PPPoE interfaces on all available Ethernet ports. (Figure 177: List PPPoE Interfaces, a table with columns Ethernet, Interface Name, MTU, Default Route, Use Peer DNS and Status, listing eth1 to eth4, each with an Add PPPoE interface link.) The PPPoE Interfaces table allows you to add a PPPoE interface on an Ethernet port or change the PPPoE interface parameters of created interfaces. Only one PPPoE interface can be created on each Ethernet port. The Ethernet field shows all available Ethernet ports. The Interface Name field shows created PPPoE interfaces and provides a link to edit the existing configuration or create a new one. The MTU, Use Peer DNS and Default Route fields are the configured information for PPPoE interfaces. The Status field shows the current PPPoE link status. Section 5.2.6.9 Edit PPPoE Interface. This menu allows you to edit a PPPoE interface. (Edit PPPoE Interface on eth2, with Interface Parameters PPPoE Username, Password, Default Route, Use Peer DNS and MTU (1452), and Save, Delete and Return to PPPoE Interfaces List controls.) Figur
174. (Figure 86: Cellular Modem Status (HSPA/GPRS), last updated Oct 28 13:43:11 2013, with fields Type of Modem (Edge/GPRS), Firmware version, IMEI, Received Signal Strength, Network Operator, Network technology currently in use (Edge), Network Registration Status (Not registered) and SIM Card Identification, plus Refresh and Reset buttons.) The IMEI (International Mobile Equipment Identity) is a numeric identifier unique to the cellular modem card. The Network technology currently in use field displays which network technology, out of the ones listed as being supported in the Type of Modem field, is currently in use between the modem and the network. CDMA Modem Status. The CDMA cellular modem lists several of the same fields, with some additional differences. (Figure 87: Cellular Modem Status (CDMA), last updated Fri Oct 18 16:42:24 2013, with fields Type of Modem (CDMA 1xRTT/EV-DO), Firmware version, Electronic Serial Number (ESN), Received Signal Strength and Ec/Io, Network Carrier ID, Network technology currently in use (No Service) and Phone number.) The Electronic Serial Number (ESN) is a numeric identifier unique to the cellular modem
175. (Figure 119: Snort Ruleset Edit, listing rules from the community ruleset, among them a policy-violation rule matching Ammyy remote-control HTTP traffic (sid 25947, rev 2, reference url www.ammyy.com) and a web-application-attack rule for an Acunetix web vulnerability scanner XSS attempt (sid 25365, rev 1, reference url www.acunetix.com).) NOTE: Editing rules on the device itself may conflict with updated rules that are uploaded to the device. Make sure precautions are in place to preserve any edits made on the device. You can enable, disable and edit each rule in the ruleset. Section 3.15.2.4 Rule Lookup by SID. The Look Up Rule button accepts an SID and displays its rule. You may elect to disable the rule or learn more information about it. Section 3.15.3 Network Settings. Snort Network Settings (Network Variable, Setting, Description): HOME_NET, any, IP addresses in the local subnet; EXTERNAL_NET, any, IP addresses in the external subnet; DNS_SERVERS, HOME_NET, addresses of DNS servers in the local sub
176. IPSec (Internet Protocol SECurity) uses strong cryptography to provide both authentication and encryption services. Authentication ensures that packets are from the right sender and have not been altered in transit. Encryption prevents unauthorized reading of packet contents. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted network is encrypted by the IPSec gateway and decrypted by the gateway at the other end. The result is a Virtual Private Network (VPN), a network which is effectively private even though it includes machines at several different sites connected by the insecure Internet. The IPSec protocols were developed by the Internet Engineering Task Force (IETF) and are required as part of IP version 6. Openswan is the open source implementation of IPSec used by ROX. The protocols used by IPSec are the Encapsulating Security Payload (ESP) and Internet Key Exchange (IKE) protocols. ESP provides encryption and authentication, ensuring that a message originated from the expected sender and has not been altered en route. IKE negotiates connection parameters, including keys for ESP. IKE is based on the Diffie-Hellman key exchange protocol, which allows two parties without any initial shared secret to create one in a manner immune to eavesdropping. Section 5.11.1 IPSec Modes. IPSec has two basic modes of operation. In transport mode, IPSec headers are added as the origin
177. Phase 1 Encryption Protocols Hash fields select the hash method used for Phase 1 (aka ISAKMP SA). If Default is selected, the value in the Defaults for all connections record is used. Normally the user should select the Default option; however, in special cases (with some kind of VPN server, for example) you may need to clearly specify which one, sha1 or md5, you want to use. The Phase 2 Encryption Protocols fields select the encryption protocols used for Phase 2 (aka IPSec SA). If Default is selected, the value in the Defaults for all connections record is used. If allow only is selected, only the selected protocols among aes256, aes192, aes128 and 3des will be included in the list of protocols to be negotiated. At connection time, the two peers will compare their capabilities and select the strongest common protocol. The Phase 2 Encryption Protocols Hash fields select the hash method used for Phase 2 (aka IPSec SA). If Default is selected, the value in the Defaults for all connections record is used. Normally the user should select the Default option; however, in special cases with some kind of VPN server you may need to clearly specify which one, sha1 or md5, you want to use. The Compress data fields select whether data should be compressed prior to encryption. If Default is selected, the value in the Defaul
178. Priority Field that may be used as a priority level for Ethernet frames; a 1-bit Canonical Format Indicator (CFI), used to indicate the presence of a Routing Information Field (RIF); and finally the 12-bit VLAN Identifier (VID), which uniquely identifies the VLAN to which the Ethernet frame belongs. These four bytes, known as the VLAN tag, are followed by the rest of the Ethernet frame, starting with the length field. Section 5.2.2.2 ROX Functions Supporting VLANs (Function, Support, Comments): Static Route and Default Route, Yes; Static Multicast Routing, Yes; End-To-End Backup, Yes; PPPoE, No; Shorewall Firewall, Yes; IPSec, Yes; VRRP, Yes; Traffic Prioritization, Yes; Dynamic Routing, both OSPF and RIP support VLAN; GRE Tunnel, Yes; DHCP Server, Yes. Section 5.2.3 PPPoE On Native Ethernet Interfaces Fundamentals. ROX supports PPPoE (Point-to-Point Protocol Over Ethernet) over both external modems (described here) and internal interfaces (described in Section 5.7, Configuring PPPoE Bridged Mode On ADSL). That section contains more useful information on PPPoE authentication, addresses, DNS servers and MTU issues. Only one PPPoE interface can be created on each Ethernet interface. Each PPPoE interface name is assigned internally. The name is pppX, where X is 10 plus the number of the native Ethernet interface the PPPoE is created upon; e.g. a PPPoE on eth1 is ppp11.
179. IPv6 address (fe80::20a:dcff:fe0a:1540/64 in this example) is the automatically assigned link-local IPv6 address. The Status field provides a way to disable the interface or bring it back into service. The Proxy ARP field displays whether the interface has proxy ARP activated. The Media Type field displays the current media type. Copper interfaces may be configured to Auto-negotiable, 10BaseT Half Duplex, 10BaseT Full Duplex, 100BaseT Half Duplex and 100BaseT Full Duplex modes. The Virtual LAN interfaces field displays how many VLAN interfaces are created on this interface, and the link Add virtual lan interface allows you to add a VLAN interface on the physical interface. Section 5.2.6.3 Creating Active Virtual LAN Interfaces. (Figure 171: Creating a Virtual LAN Interface, with Active Virtual Lan Interface Parameters: Name (eth3. followed by up to 4 digits), IP Address, Mask, Status (Up/Down) and a Create button.) Click the link Add Virtual Lan Interface in order to create a VLAN interface. The only new parameter is the VLAN ID, which must be a numeric value between 1 and 4094. The VLAN ID will be presented automatically as 4 digits, prefixed with 0 if the input is shorter than 4 digits. For example, if the input is 2, it will be automatically changed to 0002. Section 5
180. (Figure 165: Create Host Address, with fields IP Address and Hostnames and a Create button.) The IP Address field sets the IP address. The Hostnames field sets the hostname. The Create button saves the host address. Section 5.1.2.9 End-to-End Backup. End-to-end backup is a method of using two interfaces to ensure a reliable end-to-end connection between two routers, using alternate routing without the need to configure routing protocols. The two interfaces are assigned as a primary/secondary (backup) pair. The primary interface serves as the gateway. If connectivity to the target is lost from the primary interface, traffic is migrated to the secondary interface. When connectivity is restored on the primary path, traffic will be restored to it. (Figure 166: End-to-End Backup Example, showing (1) Network A, (2) Network B, (3) Router 1 and (4) Router 2, with interface w1ppp at 192.168.16.2 and a second path via 192.168.17.3.) The backup is end-to-end because connectivity is determined by the availability of an interface on the target system and not a local link. In the above figure, interface w1ppp acts as the primary interface and eth1 acts as the secondary interface. The router tests the primary path
181. Reference Bandwidth field sets the reference bandwidth used to calculate auto costs for OSPF interfaces. The auto cost is the reference bandwidth divided by the interface bandwidth; by default this is 100Mbit / 10Mbit, an auto cost of 10. The interface cost is set in the Core Interface configuration for each interface. The cost for each interface can also be set in the OSPF Interface configuration to override the auto cost calculation. The Default Metric field sets the default metric to be used for OSPF routes which don't have another metric specified. The Default Information Originate field, when enabled, causes the router to advertise its default route to the OSPF network. The Distance field sets the administrative distance to use for all routes unless overridden by other distance settings. The Distance External field sets the administrative distance to use for all external routes (backbone routes). The Distance Inter-area field sets the administrative distance to use for all routes between areas. The Distance Intra-area field sets the administrative distance to use for all routes within an area. The Hostname field sets the hostname for the ospf daemon. This value is only used as a reference for convenience; the telnet interface prompt will contain this hostname. The router's system-wide hostname is used if this field is left blank. The Opaque LSA field controls the opaque LSA option. This feature is covered in RFC 2370. This feature is sometimes
182. If GPS has not yet locked and IEEE1588 is locked, the router will use the IEEE1588 server as a reference clock. When IEEE 1588 is synchronized, IRIG-B timestamps are accurate to within a microsecond or sub-microseconds. If GPS and IEEE 1588 have not yet locked, the router will use an NTP server or peer as a reference clock. NTP typically requires less than two minutes after boot to synchronize. When NTP is the reference clock, IRIG-B timestamps can be accurate to within ms. Before NTP is able to synchronize, the router will use the local clock to obtain the time and will emit IRIG-B timestamps on a one-second basis. Section 3.14.2.3 How the Router Selects a Reference Clock. The router can be configured to use the following as reference clocks: GPS, IEEE1588, NTP and the local clock; GPS, NTP and the local clock; GPS and IEEE1588; GPS only. If the router is configured to use multiple reference clocks, it will start sending timestamps using the best reference clock that has ever locked (the local clock is always locked). If a better reference clock is locked later, the router will step (i.e. suddenly change the time) and use the new reference clock. If the current reference clock becomes unavailable, the router will keep running with its own high-precision timing hardware. It will use this hardware until the last used reference clock is locked or a higher quality reference clock is available. If the router is configured to use only GPS, no timestamps will be issued
183. SIEMENS RUGGEDCOM ROX v1.16 User Guide. For RX1000, RX1000P, RX1100, RX1100P. 9/2014, RC1098-EN-02. Preface; Introduction; Using ROX; Device Management; System Administration; Setup and Configuration; Upgrades. RUGGEDCOM ROX User Guide. Copyright © 2014 Siemens Canada Ltd. All rights reserved. Dissemination or reproduction of this document, or evaluation and communication of its contents, is not authorized except where expressly permitted. Violations are liable for damages. All rights reserved, particularly for the purposes of patent application or trademark registration. This document contains proprietary information which is protected by copyright. All rights are reserved. No part of this document may be photocopied, reproduced or translated to another language without the prior written consent of Siemens Canada Ltd. Disclaimer of Liability: Siemens has verified the contents of this manual against the hardware and/or software described. However, deviations between the product and the documentation may exist. Siemens shall not be liable for any errors or omissions contained herein or for consequential damages in connection with the furnishing, performance or use of this material. The information given in this document is reviewed regularly and any necessary corrections will be included in subsequent editions. We appreciate any suggested improvements. We reserve the right to make technical improvements without notice.
184. ADSL Interfaces. This menu allows you to display and configure ADSL interfaces. The PPP Logs menu will display a log of PPP-related information. The Current Routes menu will display the routes and status of the network interfaces. Section 5.7.2.1 ADSL Network Interfaces. (Figure 213: ADSL WAN Interfaces, one table per interface with columns Name, Description, Local Address, Netmask and Remote Address; in the example ADSL 3 is Up, with its logical interface over w3adsl (ADSL Link) Up, a netmask of 255.255.255.255, a View ADSL 3 Link Statistics link and a Refresh this page link.) This menu allows you to display and configure ADSL interfaces and the protocols that run on them. A table is presented for each interface. Interface numbers are as described by the ADSL labels as shown in the home page chassis diagram. The status of the physical interface, its corresponding logical interface and link statistics are provided. This menu presents connection statuses but does not update them in real time; click on the Refresh this page link to update to the current status. Section 5.7.2.2 Editing a Logical Interface (PPPoE). (Edit Logical Interface, Interface Parameters: Convert this interface to bridged; Description; VPI (0); Attempt ATM Autoconfiguration; VCI (35); PPPoE Username; Password; Defaultroute; Use peer DNS; MTU
185. ADSL were upgraded in this way, the upgrade would fail, as the ADSL link would be taken down. Instead, ADSL software upgrades modify only the software on the disk. You must schedule a reboot in order to run the new version of ADSL software. See Section 3.7.10 Upgrade System and Section 3.7.11 Uploading and Downloading Files for further information. Section 5.8 Configuring the Firewall. This section familiarizes the user with: enabling and disabling the firewall; elements of firewall design; how to configure the firewall; checking firewall configuration. Section 5.8.1 Firewall Fundamentals. Firewalls are software systems designed to prevent unauthorized access to or from private networks. Firewalls are most often used to prevent unauthorized Internet users from accessing private networks (intranets) connected to the Internet. When the ROX firewall is used, the router serves as a gateway machine through which all messages entering or leaving the intranet pass. The router examines each message and blocks those that do not meet the specified security criteria. The router also acts as a proxy, preventing direct communication between computers on the Internet and the intranet. Proxy servers can filter the kinds of communication that are allowed between two computers and perform address translation. Section 5.8.1.1 Stateless vs Stateful Firewalls. Firewalls f
186. SNMP is used to manage items on the device to be managed, as well as by the device itself to report alarm conditions and other events. The first version of SNMP (V1) provides the ability to send a notification of an event via traps. Traps are unacknowledged UDP messages and may be lost in transit. SNMP V2 adds the ability to notify via informs. Informs simply add acknowledgement to the trap process, resending the trap if it is not acknowledged in a timely fashion. SNMP V1 and V2 transmit information in clear text (which may or may not be an issue, depending on the facilities the data is transmitted over) and lack the ability to authenticate a user. SNMP V3 adds strong authentication and encryption. Section 3.7.4.1 SNMP Main Configuration Menu. (Figure 44: SNMP Main Configuration Menu, with entries System Configuration, Network Addressing, Access Control and Trap Configuration.) Configuring SNMP on ROX requires that the SNMP daemon be running. Enable snmpd (the snmp daemon) via the System folder, Bootup and Shutdown menu. NOTE: Prior to ROX 1.10.0, SNMP was manually configured using the com2sec, group, view and access directives. If so configured, the SNMP menu will prompt you to convert the configuration to one it can manage. Section 3.7.4.2 System Configuration. Hel
187. SP.html. See http://shorewall.net/PacketMarking.html for a detailed description of the Netfilter/Shorewall packet marking mechanism. (Figure 240: Manually Edit TC Rules: the tcrules file, with columns MARK, SOURCE, DEST, PROTO, DEST PORT(S), SOURCE PORT(S), USER, TEST, LENGTH, TOS, CONNBYTES and HELPER, and example entries marking icmp echo-request and echo-reply traffic and all traffic with the Minimize-Delay TOS, followed by Save, Undo and Return to tcrules list controls.) Hints on optimizing the TC Rule table: Every rule is processed in table order for every packet, unless a CONTINUE rule is matched, in which case processing stops. This can be used to improve efficiency in combination with the SAVE and RESTORE rules. For example, consider a TC Rules table organized roughly as follows, and in the same order: a RESTORE rule is used to restore the connection's mark to a matching unmarked packet; a CONTINUE if the mark is non-zero; specific rules to check criteria to assign a mark; and finally a SAVE of the mark to the connection if the mark is non-zero (i.e. a match was found above). Using the above structure for the TC Rules table, only the first packet of any tcp or udp connection will have to go through all the rules, while every following packet will have its mark restored by the first rule and then CONTINUE, skipping potentially many matching rules in the remainder of the ta
188. Section 5.4.6 Current Routes and Interface Table. The table provided by this command is the same one as described in the Networking menu, Network Utilities sub-menu. It is also provided in the T3/E3 configuration menu as a convenience. Section 5.4.7 Upgrading Software. In some installations the only access to a device at a remote site may be via a T3 or E3 connection. Usually a ROX system software upgrade will stop the system, perform the upgrade and then restart it. If the T3/E3 port were to be upgraded in this way, the upgrade would fail, as the T3/E3 link would be taken down. Instead, T3/E3 software upgrades modify only the software on the disk. You must schedule a reboot in order to run the new version of T3 software. See Section 3.7.10 Upgrade System and Section 3.7.11 Uploading and Downloading Files for further information. Section 5.5 Configuring Frame Relay, PPP and DDS. This section familiarizes the user with: configuring Frame Relay and PPP links; viewing status and statistics; upgrading software. A Digital Data Services (DDS) line is a North American digital transmission method that operates at 56 Kbps synchronously over an unloaded 4-wire metallic pair circuit. The DDS line is typically a telephone-grade network connection, often called the local loop. A Data Terminal Equipment (DTE) device attaches to the line and transmits data to the telephone company (TELCO), which routes the data to a remote DDS
189. Servers are managed through Telnet. An SNMP network management polling application tracks the status of all devices. It is generally wise to ensure that control and management capabilities are always provided. OSPF and SSH/Telnet should be assigned to the highest priority queue: OSPF packets are small and do not consume much bandwidth, and SSH and Telnet are not often used but must be available when required. TcpModbus traffic is ensured a low latency by assigning it the next lowest queue. Web traffic will be used to manage the router and switches and should be assigned to a still lower queue. All other traffic can be assigned to a final queue. In all, four queues are required. The system provides three basic queues (high, normal and low) and a fourth, the extra-high, can be manually added. Traffic filters are inspected in the order in which they are entered. To reduce load and improve performance, the filters should be entered in an order which recognizes the most frequent traffic under normal conditions. The best filter order is probably: match source port 502 > queue high; match protocol OSPF > queue extra high; match source port snmp > queue extra high; match source port www > queue normal; match source port 10000 > queue normal; match source port ssh > queue extra high; match source port telne
190. The Message Before Login field is the banner displayed above the login prompt. The Information After Login fields select from among three utilities to display to the user on a successful login: Last login causes information about the last login to be displayed (what time, from where and on what terminal the user last logged in); System Information displays information about the running operating system kernel; Router Status displays information on the ROX release, Webmin version, serial number, uptime, temperature, disk, memory and pending alarms. The Extra Message After Login field is displayed after a successful login. The SSH Banner Configuration has the same customizations as above, except that no message can be displayed prior to the login prompt. The Webmin Banner Configuration menu allows you to customize the web-based login box seen on connecting to the device's secure web interface. The Session Header field is the description displayed at the top of the login box. The Session Message field is the message displayed above the username and password prompts. The Username and Password fields are the strings displayed at the left side of the login box, describing that the input boxes are for username and password respectively. The Login Button field is the string displayed on the left button of the login box. The Clear Button field is the string displayed on the right button of the login box. The following image illustrate
191. (Figure 204: DDS WAN Interfaces after logical interface assignment, with View 56K 1 Link Statistics and Loopback this Interface links.) Webmin names the logical interfaces for you, but allows you to provide a description. All interfaces start with a w, to identify them as WAN interfaces, followed by the interface number. The next part of the identifier is either ppp, or fr and the frame relay DLCI number. Section 5.5.3.2 Editing a Logical Interface (Frame Relay). (Figure 205: Edit Logical Interface (Frame Relay, single DLCI). Frame Relay Parameters: Station Type CPE (FR DTE); Interface Signalling type ANSI; Link Failure: Leaves IP interface up; T391 10; T392 16; N391 6; N392 6; N393 4; EEK Type Off; EEK Timer 5. New Logical Interface: DLCI, Local Address, Netmask (255.255.255.255), Remote Address, Description, and a Save button.) This menu allows you to display and configure logical interface fields for Frame Relay. The menu is composed of two tables. The first table provides link-based configuration, which affects all DLCIs. The second table provides configuration parameters for individual DLCIs. After the first DLCI has been configured, revisiting that DLCI will display a menu that allows add
192. Windows IAS. In order for Windows IAS to authenticate PPP connections that use the CHAP authentication protocol, IAS must be made to store passwords using what it calls reversible encryption. 1. Ensure that CHAP authentication is enabled in the Remote Access Policy. 2. In the Active Directory settings for each PPP user, select Store password using reversible encryption. (Figure 157: Active Directory User Account Properties, showing the Account tab of a user's Properties dialog with the User logon name fields, Logon Hours and Log On To buttons, the Account is locked out checkbox, the Account options User cannot change password, Password never expires, Store password using reversible encryption and Account is disabled, and Account expires (Never / End of a given date).) Setup and Configuration. This chapter describes how to set up and configure the device for use on a network using the various features available in ROX. It describes the following tasks: S
194. The router's NTP daemon uses GPS as a clock source when it is available, and IEEE 1588 when GPS is not available. The "Treat NTP sync'd grandmaster as stratum" field assigns the stratum number when the grandmaster clock is synchronized with a remote NTP server but not with GPS. The "Treat Local Clock sync'd grandmaster as stratum" field assigns the stratum number when the grandmaster clock is synchronized with the local clock but not with an NTP server or GPS.
Section 3.14.3.4 IRIG-B Status
[Figure 113: IRIG-B GPS Status. The IRIGB Log table (columns Month, Day, Time, Process, Event) lists events from the /usr/sbin/irigb process, such as "Force FPGA to init time", "GPS lock: locked", "GPS lock: lock lost", "Detection of FPGA time ... is out of sync with GPS ... force FPGA reset clock", and "reload configuration". Buttons: Refresh; Return to IRIGB/IEEE1588 Main Menu.]
This page shows whether GPS is locked and the source of the current reference clock.
195. a Support Request (SR) or check on the status of an existing SR.
Telephone: Call a local hotline center to submit a Support Request (SR). To locate a local hotline center, visit http://www.automation.siemens.com/mcms/aspa-db/en/automation-technology/Pages/default.aspx
Mobile App: Install the Industry Online Support app by Siemens AG on any Android, Apple iOS or Windows mobile device and be able to: access Siemens's extensive library of support documentation, including FAQs, manuals and much more; submit SRs or check on the status of an existing SR; find and contact a local contact person; ask questions or share knowledge with fellow Siemens customers and the support community via the forum; and much more.
Chapter 1 Introduction. This chapter provides a basic overview of the ROX software. It describes the following topics: Section 1.1 Overview; Section 1.2 Security Recommendations; Section 1.3 Quick Starts; Section 1.4 Available Services by Port.
Section 1.1 Overview. Welcome to the ROX Software User Guide for the RX1000/RX1100. This guide describes the wide array of carrier-grade features made available by ROX (Rugged Operating System on Linux) software. These features include: Routing Features, Security Appliance Functions, VRRP, OSPF, BGP, RIP, Integrated
196. access to one or several services. For more information on these services on ROX, please refer to Section 4.6.3 RADIUS, ROX and Services.
A RADIUS attribute specific to Siemens, RuggedCom Privilege level, is used by Webmin to assign specific capabilities to Webmin users on a per-user basis. This attribute must be set for user accounts designated to access Webmin. Please refer to Section 4.2.1 Webmin User and Group Fundamentals for a complete discussion of privilege levels and their use in ROX.
The following information is necessary to add support for this attribute to the vendor-specific extensions of the chosen RADIUS server:
Siemens uses Vendor number 15004.
RuggedCom Privilege level is attribute 2, of type string.
RuggedCom Privilege level must take one of the following three values: admin, operator, guest.
User accounts that require access to Webmin must be assigned a RuggedCom Privilege level. Accounts that do not require Webmin access but are to be given shell login or PPP access do not require the privilege level attribute to be set.
The following two sections illustrate how to add this information to a RADIUS server configuration.
Section 4.7.1 Webmin Privilege Levels and FreeRADIUS. This section describes how to add the Siemens Vendor-Specific RADIUS attributes to the FreeRADIUS dictionary so that they may be used in configuring accounts for ROX.
1. Locate the FreeRADIUS dictionary files comm
197. aces to RIP area routers.
[Figure 277: RIP Global Parameters. The form lists: Redistribute Connected, Redistribute Static, Redistribute Kernel, Redistribute OSPF and Redistribute BGP (enable or disable redistribution of those routes to RIP area routers, with a metric of 0 to 16; default disabled, metric unset); Passive Default (set new interfaces passive by default; default enabled); Update Timer (routing table update timer, 5 to 2147483647; default 30); Timeout Timer (routing information timeout timer, 5 to 2147483647; default 180); Garbage Collection (garbage collection timer, 5 to 2147483647; default 120); Send Version (RIP version to transmit to neighbors, 1 or 2; default 2); a Save button; and a Key Chains table (Key Chain Name, Action). Return to rip.]
The Enable Password field sets the password to be used for the enable command of ripd. This is used by the telnet interface of ripd to control access to the configuration. The Telnet Password field sets the password to be used for telnet access to ripd. This is used as the login password of ripd when locally telnetting to port 2602 of the router. The Hostname field sets the hostname for the rip
198. ad URLs to router. Send files from your current host to the router: Files to upload (Browse; No file selected, four slots); File or directory to upload to; Create directory if needed; Extract ZIP or TAR files (Yes, then delete / Yes / No); Send to router. Download a file from the router to your host: Download to your host.
[Figure 146: Upload/Download Menu]
4. Under "Send files from your current host to the router", click on any of the buttons that say Browse and select the file that was just created.
5. Set the option "File or directory to upload to" to /usr/bin and click "Send to router".
6. Once the upload is successful, open an SSH connection or serial console connection to ROX.
7. Type the command chmod 700 /usr/bin/renewkey and hit Enter.
8. Type the command dos2unix /usr/bin/renewkey if the file was created using a Windows text editor.
The script is now ready for use. Issuing the command renewkey will regenerate a new pair of RSA keys and a certificate for Webmin. The output looks as below:
    RX1000:~# renewkey
    Generating RSA private key, 2048 bit long modulus
    ...
    e is 65537 (0x10001)
    Restarting webmin: webmin.
    RX1000:~#
Section 4.4.3 Regenerating SSH Keys. Regenerate
199. address 204.226.111.45. External interface: eth (virtual). Internal address: 192.168.0.1. No IP alias. Active for all hosts: Yes / No. Active for firewall system: Yes / No. Save; Delete; Return to static NAT list.
[Figure 230: Creating a Static NAT Entry]
The External address and Internal address fields specify the addresses to translate. The External interface field specifies the interface to perform the translation upon. The No IP alias field is used to tell the firewall not to create the IP alias for the external address if it has not been created on the external interface yet. The Active for all hosts field is used to specify whether access to the external IP from all firewall interfaces should undergo NAT (Yes or yes), or if only access from the interface in the INTERFACE column should undergo NAT. The Active for firewall system field is used to specify whether packets originating from the firewall itself and destined for the EXTERNAL address are redirected to the internal ADDRESS.
Section 5.8.5.8 TC (Traffic Control) Interfaces, Classes and Rules. The Traffic Control subsystem of the firewall allows sophisticated management of the amount of bandwidth that different types of traffic are permitted to use on a given interface. Please see Section 5.9 Traffic Control for details.
Section 5.8.5.9 Actions When Stopped. When Stopped
200. ade to be limited. A method of limiting outbound traffic from the firewall to a specific user, group of users and a specific application. The following examples illustrate the effects of the rules file:

    Rule  Action  Source Zone         Destination Zone  Protocol  Dest Port  Source Port  Original Destination IP
    1     ACCEPT  net:204.18.45.0/24  fw
    2     DNAT    net                 loc:192.168.1.3   tcp       ssh,http
    3     DNAT    net:204.18.45.0/24  loc:192.168.1.3   tcp       http                    130.252.100.69
    4     ACCEPT  fw                  net               icmp
    5     ACCEPT  net:204.18.45.0/24  fw                icmp      8

1. This rule accepts traffic to the firewall itself from the 204.18.45.0/24 subnet. If the default policy is to drop all requests from net to the firewall, this rule will only accept traffic from the authorized subnet.
2. This rule forwards all ssh and http connection requests from the Internet to the local system 192.168.1.3.
3. This rule forwards http traffic from 204.18.45.0/24, which was originally directed to the firewall at 130.252.100.69, to the host at 192.168.1.3 in the local zone. If the firewall supports another public IP address (e.g. 130.252.100.70), a similar rule could map requests to another host.
4 and 5. These rules allow the firewall to issue icmp requests to the Internet and to respond to icmp echo requests from the authorized subnet.
Rules are defined in the f
201. ages. DNP broadcast messages received on local serial ports are transmitted to all IP addresses in the DNP Device Address Table, whether learned or statically configured. When a DNP broadcast message is received from the IP network, it is transmitted on all local serial ports configured as DNP ports.
Section 3.10.7 Serial Protocols Configuration
[Figure 91: Serial Protocols Server Main Menu. Icons: Assign Protocols, Port Settings, Raw Socket Settings, TcpModbus, DNP, DNP Device Table, Serial Line Trace, Serial Protocols Statistics, and "Restart Serial Protocols daemon" (click this button to restart the Serial Protocols daemon; this will restart all protocols).]
Note that the Serial Protocols server is disabled by default and may be enabled via the Bootup and Shutdown menu under the System folder of the main Webmin menu. The Assign Protocols menu assigns a serial protocol to one of your serial ports. The Port Settings menu configures the serial port and its electrical protocol. If any of your serial ports are configured as RawSocket protocol, this menu will configure them. The Serial Protocols Statistics menu will show you the status and statistic
202. al IP datagram is created. The resultant packet is composed of an IP header, IPSec headers and the IP payload, including a transport header. Transport mode is most commonly used between IPSec end stations, or between an end station and a gateway. In tunnel mode, the original IP datagram is created normally and then encapsulated into a new IP datagram. The resultant packet is composed of a new IP header, IPSec headers, the old IP header and the IP payload. Tunnel mode is most commonly used between gateways, the gateway acting as a proxy for the hosts behind it.
Section 5.11.2 Policy-Based VPNs. ROX supports the creation of policy-based VPNs, which may be characterized as follows:
IPSec network interfaces are not created.
The routing table is not involved in directing packets to the IPSec layer. Only data traffic matching the tunnel's local and remote subnets is forwarded to the tunnel. Normal traffic is routed by one set of firewall rules and VPN traffic is routed based on separate rules.
The firewall is configured with a VPN zone of type IPSec. As IPSec packets are received, they are decoded, policy-flagged as IPSec-encoded, and presented as having arrived directly via the same network interface on which they were originally received.
Firewall rules must be written to allow traffic to and from VPN tunnels. These are based on the normal form of source des
203. all into two broad categories: stateless and stateful (session-based). Stateless, or static, firewalls make decisions about traffic without regard to its history, simply opening a hole for the traffic's type based upon the TCP or UDP port number. Stateless firewalling is a relatively simple affair, easily handling web and email traffic. Stateless firewalls suffer from disadvantages, however: all holes opened in the firewall are always open, since there is no opening and closing of connections based on outside criteria, and static IP filters offer no form of authentication.
Stateful firewalling adds considerable complexity to the firewalling process by tracking the state of each connection. A stateful firewall also looks at each packet and applies tests, but the tests applied (or rules) may be modified depending on packets that have already been processed. This is called connection tracking. Stateful firewalls can also recognize that traffic on connected sets of TCP/UDP ports is from a particular protocol, and manage it as a whole.
Section 5.8.1.2 Linux netfilter, iptables and the Shoreline Firewall. ROX employs a stateful firewall system known as netfilter, a set of loadable kernel modules that provides capabilities to allow session-based packet examination. The netfilter system is an interface built into the Linux kernel that allows the IP network stack to provide access to packets. The netfilter system uses rulesets, collections of packet classification rules tha
204. ame of the router (string without spaces; default: no hostname).
[Figure: BGP Global Parameters (continued). Parameters shown: Distance (define an administrative distance; unset or 1 to 255; default unset, not used); Always compare MED (always compare MED from different neighbors; enable or disable); Default local preference (local preference value, a high value means preferred in IBGP; 0 to 4294967295; default 100); Deterministic MED (pick the best MED path among paths advertised from neighboring AS; enable or disable; default disable); Redistribute Connected, Redistribute Static, Redistribute Kernel, Redistribute OSPF and Redistribute RIP (enable or disable redistribution of those routes to BGP area routers, with a metric of 0 to 16; default disabled, metric unset); Autonomous System ID (AS ID; value shown 200). Note: when the AS ID is changed, all BGP configurations related to this AS will be removed. Router ID: identifier of the router, often the main IP address of the router (A.B.C.D, e.g. 192.168.10.1; default: highest IP of
205. Section 5.12.6.2 Core
[Figure 260: Core Menu. Icons: Core Global Parameters, Core Interfaces, View Core Configuration; Return to dynamic routing.]
The Core routing daemon handles communications between the kernel of the router and the other dynamic routing protocols. The core handles link detection, static route monitoring and routes for directly connected interfaces on the router. It also manages adding routes to the kernel routing table based on the routes discovered by other dynamic routing protocols. Core is always enabled whenever dynamic routing is enabled, as it is required by all other dynamic routing protocols.
Section 5.12.6.3 Core Global Parameters
[Figure: Core Global Parameters (columns Parameter, Value, Description, Possible values and default value). Enable Password: enable password for configuration access (string without spaces; default: previous password). Telnet Password: telnet password for port 2601 access (string without spaces; default: previous password). Hostname: identifier of the router, often the DNS name of the router (string without spaces; default: no hostname). Router ID: identifier of the router, often the main IP address of the router (A.B.C.D; default: highest IP of system). Save.]
Note: the router id is automatically picked as the highest IP address assigned to the unit at startup, unless the config contains a router id to use. In OSPF the r
206. and display the routes and status of all network interfaces. Select the Ethernet Interfaces icon to configure Ethernet interfaces.
The Network Interfaces menu lets you edit the permanent configuration of Ethernet interfaces, or simply try out changes. The Apply Configuration button serves to restore the permanently saved changes and restart Ethernet networking.
Section 5.2.6.1 Ethernet Interfaces
[Figure 169: Current and Boot Time Ethernet Configuration. The Current Configuration table (columns Interface, Type, IP Address, Netmask, Status) and the Boot Time Configuration table (columns Interface, Type, IP Address, Netmask, Activate) each list four interfaces of type Auto-Negotiation with addresses 192.168.0.3, 192.168.2.1, 192.168.3.1 and 192.168.4.1, netmask 255.255.255.0; all are Up in the current configuration. Return to Ethernet Main Menu.]
This menu allows you to display and configure the Ethernet interfaces in the router. The Current Configuration table allows you to try out changes on the existing interfaces bef
207. another router by using a cross-over cable and selecting a Master clocking option on one of the two routers.
The Line Build Out field tunes the shape of the T1 pulses and adjusts their amplitude depending upon distances and the desired attenuation.
E1 Settings. The Framing and Line Decoding fields for E1 reflect the European variants. The Clocking field performs the same function as that described for T1.
Section 5.3.2.5 Editing a Logical Interface (Frame Relay)
[Figure 185: Editing a Logical Interface (Frame Relay), T1 2 Channel. Frame Relay Parameters: Station Type: CPE (FR DTE) Interface; Signalling type: ANSI; T391: 10; T392: 16; N391: 6; N392: 6; N393: 4; EEK Type: Off; EEK Timer: 5. New Logical Interface: Channel, DLCI, Local Address, Netmask (255.255.255.255), Remote Address, Description. Save; Return to T1/E1 WAN Interfaces.]
This menu allows you to configure Frame Relay link and logical interface fields.
Section 5.3.2.6 Frame Relay Link Parameters. The first table presents the link parameters and applies to all logical interfaces. The Station Type field determines whether the router acts as customer premises equipment or as a Frame Relay switch. When a Frame Relay network provider is used, the CPE interface shoul
208. anslation.
Section 5.8.2 Shorewall Quick Setup. For users familiar with Shorewall, the following serves as a reminder of how to build the firewall. New users may wish to read Section 5.8.3 ShoreWall Terminology and Concepts before continuing.
1. Logically partition your network into zones. Will you establish a DMZ? Will all Ethernet interfaces need to forward traffic to the public network? Which interfaces are to be treated in a similar fashion?
2. Assign your interfaces to the zones. If using T1/E1, have you created your T1/E1 interfaces prior to building the firewall?
3. Set the default policies for traffic from zone to zone to be as restrictive as possible. Has the local zone been blocked from connecting to the DMZ or firewall? Does the DMZ or firewall need to accept connections? Which connections should be dropped and which reset? What logs are kept?
4. How is the network interface IP assigned, i.e. dynamically or statically? Do hosts at the central site need to know the local address? If your network interface IP is dynamically assigned, configure masquerading. If your network interface IP is statically assigned, configure Source Network Address Translation (SNAT). If a sufficient number of IP addresses are provided by the ISP, static NAT can be employed instead.
7. If your hosts must accept sessions from the Internet, configure the rules file to support Destina
209. Details and recommendations on applying the Access Manager system to networking may be found in the texts referred to in the section called Related Documents of the user guide. The Access Manager is configured through the Industrial Defender Main Menu (see figure below).
[Figure 147: Access Manager Configuration Menu. Icons: Industrial Defender SAP Status, Industrial Defender SAP Release Notes. Status text: Industrial Defender SAP version 4.3.01-6; SAP enabled status: disabled; Shorewall restart at boot is disabled; Shorewall has not run; OpenVPN version 2.0.9-4etchiRR1; Tunnel kernel module present; debug level 0.]
Section 4.5.1 What Access Manager's Secure Access Portal Protects and How. The Secure Access Portal protects against unauthorized access to critical assets, including the router itself. The Secure Access Portal allows connection through an OpenVPN tunnel from known management devices to assets behind the firewall operating on known TCP/UDP port numbers.
NOTE: When restoring a previously saved configuration, the Secure Access Portal will have to be reconfigured.
Section 4.5.2 Access Manager and the Firewall. Access Manager integrates tightly with the firewall, opening it for communications between vetted clients and critical assets on a demand basis. There are four steps re
211. art of the bridge interface. The Retain IP on Bridge Device choices enable or disable the ability to retain an Ethernet interface's IP address when it is added to the bridge. When enabled (checked), the IP address is retained and the router can be remotely accessed via the Ethernet interface. When disabled (clear), the IP address must be assigned to the bridge to remotely access the router. This should be enabled when bridge routing is enabled. For more information, see Section 5.2.6.7 Bridge Filtering. The Save button will save the configuration changes. Please note that the changes will be effective immediately after clicking the Save button.
NOTE: For important information about using Ethernet bridging, see Section 5.2.5 Bridge Fundamentals.
Section 5.2.6.7 Bridge Filtering
[Figure 175: Configuring Bridge Filtering. Bridge Filtering Configuration: Bridge filtering (Enable / Disable); Bridge routing (Enable / Disable); Save. Bridge Filtering Rules (columns Allow Ethernet Type, Action): ISO, 0x0800, 0x0806, each with a Delete link; Add new rule. Return to Ethernet Main Menu.]
This menu allows you to configure Ethernet bridge filtering. It is only available when the Ethernet bridge interface is configured.
IMPORTANT: When bridge filtering is enabled, an IP address must be assigned
212. as its DHCP relay server address set to the router's address, 192.168.1.1. The switch has all ports in VLAN 1. The switch base MAC address is 00:0A:DC:11:22:00. The switch port 2 is on vlan2, using subnet 192.168.2.0/24, and should assign addresses 192.168.2.101 to 192.168.2.200 and default gateway 192.168.2.1. The switch port 3 is on vlan3, using subnet 192.168.3.0/24, and should assign addresses 192.168.3.101 to 192.168.3.200 and default gateway 192.168.3.1. The switch port 4 is on vlan4, using subnet 192.168.4.0/24, and should assign addresses 192.168.4.101 to 192.168.4.200 and default gateway 192.168.4.1.
1. Enable eth1 in the Edit Network Interfaces menu.
2. Add a new subnet and configure it for network address 192.168.1.0 with netmask 255.255.255.0.
3. Save it.
4. Add a new shared network.
5. Name the shared network (for example, eth1) and select the subnet 192.168.1.0 to be included in the shared network.
6. Save it.
7. Edit the shared network again.
8. Add a new subnet and configure it for network address 192.168.2.0 with netmask 255.255.255.0.
9. Save the new subnet and then save the shared network settings.
10. Edit the subnet just created and click Edit Client Options.
11. Set default routers to 192.168.2.1 and save it.
12. Click "add an address pool" to the subnet.
213. ation in Windows. This section describes how to set up a VPN L2TP connection on Windows XP/2000. There are two ways to establish a connection in Windows: using a pre-shared key (in the case of Windows XP), or using a certificate (for either Windows XP or Windows 2000). Here are the steps to establish a connection with a pre-shared key:
1. Start the New Connection Wizard, accessed via the Start > All Programs > Accessories > Communications menus.
2. On the Network Connection Type page, select the option "Connect to the network at my workplace".
3. On the Network Connection page, select the option "Virtual Private Network Connection".
4. On the Connection Name page, enter a name for the new connection.
5. On the Public Network page, select either "Do not dial the initial connection" or "Automatically dial this initial connection", according to your requirements.
6. On the VPN Server Selection page, enter the IP address of your device.
7. After the connection has been created, double-click the connection. A Connect window will appear; select Properties.
8. Select the Security tab. You will need to disable L2TP PPP encryption, unless you want double encryption, using either of the following methods:
a. In the Security tab, click the IPSec Settings button, enable the "Use pre-shared key for authentication" check box and enter the pre-shared key. If you decide to use a certificate, disable the "Use pre shared key for
214. atus and review historical changes.
Section 3.14.3.1 General Configuration
[Figure 110: IRIGB/IEEE1588 General Configuration Menu. Icons: General Configuration, IRIGB Configuration, IEEE1588 Configuration, IRIGB Status, IEEE1588 Status, IRIGB LOG.]
This menu allows you to configure general parameters. The Reference Clock Selection field selects the order in which to prefer reference clocks. The Cable Compensation field specifies the value, in nanoseconds, that will be used to compensate for the cable type and length. The compensation is done using integer nanosecond values; fractional (decimal) values will be truncated.
Section 3.14.3.2 IRIG-B Configuration
[Figure 111: IRIG-B Configuration Menu. General Configuration: Reference Clock Selection (GPS); Cable Compensation (nanoseconds); Save; Return to IRIGB/IEEE1588 Main Menu.]
This menu allows you to configure IRIG-B parameters. The Save button will save the configuration changes permanently. The AM Port 1 (PTP1) Output field enables or disables the amplitude-modulated output of this port. The TTL Port 2 (PTP2) Output and TTL Port 3 (PTP3) Output fields set the output formats of these ports to PPS, PWM or OFF. Section
215. ault S Registers:
S6 = X: Wait time for dialtone detection (2 to 255 seconds; default 2).
S7 = X: Wait time for carrier detection (1 to 255 seconds; default 50).
S8 = X: Pause time for comma in dial string (0 to 255 seconds; default 2).
S9 = X: Carrier detect response time (50 to 255, in 0.1 seconds; default 6).
S10 = X: Loss of carrier to hangup delay (50 to 255, in 0.1 seconds; default 14).
S11 = X: DTMF tone duration (50 to 255, in 0.01 seconds; default 95).
S29 = X: Hook flash dial modifier time (0 to 255, in 0.01 seconds; default 70).
Country Code selects which country's dialing system is used. If this is not set correctly, the modem might not be able to dial or connect. Speaker Volume controls the modem speaker loudness. Speaker Mode controls whether the speaker on the modem is on or off.
Section 3.8.6.2 Modem PPP Client Connections
[Figure 73: Modem PPP Client Connections. Table (Connection Name, Action): HeadOffice, Edit; Add new. Parameter "Connect at boot" (value HeadOffice): which client connection to start automatically at boot. Save; Return to Modem Main Menu.]
To edit an existing connection, click the Edit link for that connection. To create a new connection, click the "Add new" link. To have the router automatically dial a connection at boot time and keep it always active, select wh
216. ave it, then edit the subnet just created and click Edit Client Options. Set default routers to 192.168.1.1 and save it. Click "add an address pool" to the subnet. Set the address range to 192.168.1.102 to 192.168.1.102.
8. Click Create.
9. Edit the pool by clicking on the link for the pool with address range 192.168.1.102 to 192.168.1.102.
10. Click "add an option82 client".
11. Give the client a unique alphanumeric name, for example client0102.
12. Set the remote id to the switch MAC address, 00:0A:DC:11:22:00 in this case.
13. Set the circuit id to the switch's circuit id identifier for the port: 00 01 00 02 for VLAN 1, port 2 on a Siemens RUGGEDCOM switch.
14. Click Create.
15. Click Save.
16. Repeat steps 6 through 15 for client 192.168.1.103, changing the pool address range and circuit id.
17. Repeat steps 6 through 15 for port 4, using the address range 192.168.1.151 to 192.168.1.200 and the circuit id for port 4.
18. Restart the DHCP server or apply changes.
Section 5.18.4.4 Multiple Subnets on Separate VLANs Using Option82 on One Switch. In this example the eth1 interface is provided with IP address 192.168.1.1/24. A switch is connected to eth1 and uses address 192.168.1.2/24. The switch port 1 is connected to the router, while its ports 2 through 8 provide DHCP relay support. The switch h
217. ble
Section 5.10 Traffic Prioritization
This section familiarizes the user with Enabling/Disabling Traffic Prioritization and Viewing Traffic Prioritization Statistics.
NOTE: Traffic Prioritization has been retained in ROX for compatibility with older installations that may rely on it. For new configurations, please use the newer and more flexible Section 5.9 Traffic Control facility instead.
ROX is able to prioritize traffic transmitted on network interfaces, including Ethernet, T1/E1, DSL and PPP ports, giving preferential treatment to certain classes of traffic. It is important to note that prioritization can only be applied to outbound traffic; inbound traffic cannot be prioritized. The two key elements of prioritization are traffic queues and filters. Each prioritized interface has its own unique set of these elements.
NOTE: Traffic Prioritization works most effectively with WAN interfaces. For LAN interfaces, please use the Section 5.9 Traffic Control interface.
Section 5.10.1 Priority Queues
Prioritization establishes a number of queues, each holding packets of differing priority. When the interface is ready to transmit a packet, it selects a packet from the highest priority queue first. If the interface is busy transmitting when packets arrive, they are enqueued in the appropriate queue. If the interface i
218. ble to allow new outbound connections to be configured. When multiple outbound connections are configured and present in the table, a Delete button will appear in the Action column of the table to allow additional connections to be deleted.
Section 3.11.3 Synchronous Serial Diagnostics
Statistics and line tracing utilities are available for the synchronous serial ports via the Serial Protocols menu interfaces. For information on port statistics, please refer to Section 3.10.7.6 Serial Protocols Statistics Menu. For information on a menu for tracing Raw Socket protocol exchanges, please refer to Section 3.10.7.7 Serial Protocols Trace Menu. For information on a command line utility for tracing Raw Socket protocol exchanges, please refer to Section 3.10.7.8 Serial Protocols Sertrace Utility.
Section 3.12 Configuring SSH
This section familiarizes the user with Configuring SSH Authentication, SSH Networking and Access Control, and Setting SSH Server Options.
The Secure Shell protocol provides interactive remote login, remote command execution and file transmission. It implements strong authentication and secure communications over insecure channels. The program that accepts an SSH client's connection is an SSH server. The SSH server can be configured to enforce conditions that increase security. These conditions can be imposed upon specific hosts or upon all hosts in general. SSH has seen t
219. bled, a read only user named internal will be automatically created to satisfy the requirements of the event MIB.
Section 3.7.4.5 Trap Configuration
Figure 50: Trap Configuration Menu. Under Trap Generation Options the page offers Enable Authentication Traps and Enable link up/down traps, with an Apply button.
The Trap Configuration page manages SNMP trap destinations. Under Trap Generation Options you may enable the generation of notifications on authentication failures or on IP interface link up/down events.
Figure 51: Trap Destinations, V1 and V2c. When no V1 or V2c trap destinations are defined, the page shows the form Add an SNMP V1 or V2c Trap Destination with the fields Type (V1 Trap), IP Address, Trap Community and Enable Configuration Change Traps (V2c only), and an Add button.
The SNMP V1 and V2c Trap Destinations part of the menu allows the creation and deletion of trap destinations. The Type field specifies the exchange used with this destination: V1 trap, V2c trap or V2c inform. The IP Address and Trap Community fields specify the receiver's IP address and community name. Note that V1 and V2c traps carry the community name in clear text; where the receiver supports it, prefer a V3 trap destination.
SNMP V3 Trap Destinations: when no V3 trap destinations are defined, the page shows the form Add an SNMP V3 Trap Destination with the fields Type (V3 Trap), IP Address, User Name
220. by probing 192.168.16.2 on router 2. A failure of w1ppp, of network A, or of the remote link on router 2 will render the primary path failed. If the primary path fails, the routing table will be modified to direct packets out the secondary (eth1 in the above figure). Presumably the secondary is a higher cost and perhaps lower throughput path. In the initial deployment of this feature the secondary path was implemented with an Ethernet CDMA modem. The modem featured a low latency connection time, initiated by the reception of packets, but had low bandwidth and high monetary cost.
Note that the feature must be implemented at both routers. If the feature is only implemented at router 1, the second router's gateway will still point towards Network A after a failure of the primary path. Packets from router 1 would reach router 2 through the secondary, but the responses would disappear into the black hole of the failed path.
To configure End to End backup, see Section 5.1.2.10 Configuring End To End Backup.
Section 5.1.2.10 Configuring End To End Backup
This menu configures the end to end backup feature. This method assigns two interfaces as a primary/secondary backup pair and monitors the primary link to detect a failure. After a failure occurs, traffic is shunted to the secondary until the primary i
221. cess to your server to trusted addresses, especially if it is accessible from the Internet. Otherwise anyone who guesses your password will have complete control of your system.
Figure 125: Webmin Configuration Menu, IP Access Control. The Access control options are Allow from all addresses, Only allow from listed addresses and Deny from listed addresses, plus a Resolve hostnames on every request checkbox and a Save button.
Webmin uses Secure Sockets Layer (SSL) to encrypt traffic with its clients, so communication with the client is kept private. But Webmin will grant access to any client that presents the correct password, which leaves it open to brute force attacks. The best way of addressing this problem is to restrict access to specific IP addresses or subnets.
By default, IP access control allows all IP addresses to access Webmin. If your router is being used on a completely private network, or IP access control is being provided by the firewall, you may leave IP Access Control disabled: select the Allow from all addresses field and Save.
If you wish to restrict access to a single address or subnet, select the Only allow from listed addresses field. Enter a single IP address or a subnetted address. If you wish to deny access to a specific subnet, select the Deny from listed addresses field. Enter a single IP address or a subnetted address. A deny list only blocks the addresses you already know about; for a router reachable from the Internet the allow list is the safer choice. If DNS is
222. cision Time Protocol card, NTP will treat the Global Positioning System signals received from the card (when GPS locks) as a stratum 0 reference clock. The router will always preferentially use this reference above all others.
Section 5.20.3 Included with NTP
Your ROX software includes the ntpq, ntpdc, ntptrace and ntp-keygen command line utilities. The ntpq utility can be used to monitor the NTP daemon's operation and determine how well it is running. The ntpdc utility is used to query the NTP daemon about its current state and to request changes in that state; it uses NTP mode 7 control messages, which should not be reachable from untrusted networks. The ntptrace utility traces a chain of NTP servers back to the primary source. The ntp-keygen utility can be used to generate keys for NTP authentication.
Section 5.20.4 NTP Configuration
Figure 317: NTP Server. The menu offers Generic Server list, Peers list, View NTP Options, View NTP Status, View GPS Status and View GPS log, and a Restart ntpd daemon button: click this button to restart the ntpd daemon, which applies the configuration parameters.
Note that the NTP server is disabled by default and may be enabled via the System folder, Bootup and Shutdown menu. When enabled, any configuration changes may be made to take effect by selecting the Restart ntpd daemon button. The View GPS Status and View GPS log sub menus appear if the router is equi
223. cket with the minimize cost ToS (ToS bit 6) set belongs to this class. The tcp-ack option field specifies that a TCP ACK packet with size < 64 belongs to this class. This is useful for speeding up bulk downloads. Please note that the size of the ACK packet is limited to 64 bytes because this option is intended to match only packets with no payload. This option is only valid for one class per interface.
The tos option field allows you to define a classifier for the given value/mask combination of an IP packet's TOS byte. Value and mask are both specified in hexadecimal notation using the 0x prefix. It is also possible to specify a diffserv marking, or DSCP (Diffserv Code Point). These are typically quoted as 6 bit values and must be left shifted (multiplied by 4) for use in the tos field. For example, a DSCP of 0x2E (EF, or Expedited Forwarding) would be entered as 0xB8/0xFC: 4 x 0x2E = 0xB8, and the two lowest order bits (the ECN bits) are excluded by masking with 0xFC.
NOTE: ToS field matches take precedence over the assigned mark.
The Save button saves the class changes to the TC configuration. The Delete button deletes the class from the TC configuration. The Manually Edit File button also allows you to make direct changes to the TC Classes configuration file.
TC Classes: This form can be used to manually edit the Shorewall file /etc/shorewall/tcclas
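To make the DSCP arithmetic above concrete, here is an added Python example (not from the user guide and not Shorewall's code) that converts a DSCP to the value/mask pair, parses a tos field back, and tests an IPv4 header's TOS byte against it, including the case the mask exists for: a packet whose ECN bits are set still matches EF with the 0xFC mask but fails an exact 0xB8 match. The value/mask string form of the tos field and the small table of named DSCPs are assumptions for the example; the sample header is constructed.

```python
"""ToS / DSCP classifier helpers for a TC class "tos" field.

Added example, not from the ROX user guide or Shorewall. Converts a 6-bit
DSCP to the value/mask the tos field expects (DSCP shifted left two bits,
i.e. multiplied by 4, masked with 0xFC) and checks a constructed IPv4
header's TOS byte against such a classifier.
"""
from typing import Tuple, Union

# IANA DSCP values (assumed subset for the example) and RFC 1349 ToS bits.
DSCP_NAMES = {"EF": 0x2E, "CS6": 0x30, "AF41": 0x22, "BE": 0x00}
TOS_BITS = {"minimize-delay": 0x10, "maximize-throughput": 0x08,
            "maximize-reliability": 0x04, "minimize-cost": 0x02}


def dscp_to_tos(dscp: Union[int, str]) -> Tuple[int, int]:
    """Return (value, mask) for the tos field: DSCP << 2, ECN bits masked out."""
    if isinstance(dscp, str):
        dscp = DSCP_NAMES[dscp.upper()]
    if not 0 <= dscp <= 0x3F:
        raise ValueError("DSCP must be a 6-bit value")
    return dscp << 2, 0xFC


def tos_field(dscp: Union[int, str]) -> str:
    """Format as the tcclasses tos column: '0xb8/0xfc' for EF."""
    value, mask = dscp_to_tos(dscp)
    return f"0x{value:02x}/0x{mask:02x}"


def parse_tos_field(text: str) -> Tuple[int, int]:
    """Parse 'value/mask' (hex, 0x prefix); a bare value means an exact match (mask 0xff)."""
    value, _, mask = text.partition("/")
    v = int(value, 16)
    m = int(mask, 16) if mask else 0xFF
    if not (0 <= v <= 0xFF and 0 <= m <= 0xFF):
        raise ValueError("value and mask are single bytes")
    return v, m


def tos_matches(tos_byte: int, field: str) -> bool:
    """Classifier test: (tos & mask) == (value & mask)."""
    value, mask = parse_tos_field(field)
    return (tos_byte & mask) == (value & mask)


def ipv4_tos(packet: bytes) -> int:
    """The TOS/DS byte is the second byte of the IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return packet[1]


# Constructed 20-byte IPv4 header whose DS byte is 0xBA: EF (0xB8) plus ECN bits 10.
SAMPLE_EF_ECT = bytes([0x45, 0xBA, 0x00, 0x54, 0x00, 0x00, 0x40, 0x00, 0x40, 0x01,
                       0x00, 0x00, 0xC0, 0xA8, 0x01, 0x01, 0xC0, 0xA8, 0x01, 0x02])

if __name__ == "__main__":
    print(tos_field("EF"))                                     # 0xb8/0xfc
    print(tos_matches(ipv4_tos(SAMPLE_EF_ECT), "0xb8/0xfc"))   # True: ECN bits ignored
    print(tos_matches(ipv4_tos(SAMPLE_EF_ECT), "0xb8"))        # False: exact match fails
```

Remember that the DS byte is set by whoever sent the packet, so a classifier that gives EF the fastest queue will also reward any host that marks its own traffic EF; on an untrusted ingress, re-mark before classifying.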
224. configured, you may allow and deny based upon hostname. Partially qualified domain names such as foo.com are acceptable. The Resolve hostnames on every request field forces Webmin to perform a hostname lookup for every user access. The result is that a dynamically assigned IP with a DNS entry at a Dynamic DNS registrar can be checked against the IP Access Control list just like a fixed address. This method is useful for administrators who travel or simply don't have a fixed address at their normal location. Keep in mind that a hostname entry makes administrative access depend on whatever the DNS answer says; addresses and subnets do not have that dependency.
NOTE: This is not efficient if you have more than a few domain names entered in the IP Access Control list, due to the high overhead of performing a name lookup for every hostname in the list on every request.
Section 4.1.2 Ports and Addresses
Figure 126: Webmin Configuration Menu, Ports and Addresses. The IP addresses and ports form has the fields Listen on IPs and ports (Any address, or a specific address), Bind to IP address, and Listen on port (Specific port 10000, or Same as first), with a Save button.
This page allows you to restrict access to Webmin to one particular network interface on your server. If your Webmin server has a non-routable local address and a routable Internet address, you should decide whether anyone will ever need to be able
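The three access control modes described earlier (allow from all, only allow from listed, deny from listed) and the hostname handling described here come together in the following added Python example. It is not Webmin's implementation: it evaluates a client address against a list that mixes CIDR subnets, single addresses and hostnames, resolves hostnames either once or on every request, and counts the lookups so the overhead the note warns about is measurable. The resolvers are injected and their answers are constructed, so it runs offline; entries written with a leading dot stand in for Webmin's partial domain names (an assumption of this example) and are matched against the client's reverse DNS name.

```python
"""IP access control for an administrative web interface.

Added example, not Webmin's own code. Applies the three modes described
above to a client address, accepts addresses, CIDR subnets and hostnames,
and counts DNS lookups so the cost of "resolve hostnames on every request"
is visible. DNS answers below are constructed for the example.
"""
import ipaddress
from typing import Callable, List

ALLOW_ALL, ALLOW_LISTED, DENY_LISTED = "allow_all", "allow_listed", "deny_listed"


class IPAccessControl:
    def __init__(self, mode: str, entries: List[str], resolve_each_request: bool,
                 forward: Callable[[str], List[str]], reverse: Callable[[str], str]):
        if mode not in (ALLOW_ALL, ALLOW_LISTED, DENY_LISTED):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.resolve_each_request = resolve_each_request
        self._forward, self._reverse = forward, reverse
        self.lookups = 0                       # DNS queries issued so far
        self._networks, self._hostnames, self._suffixes, self._cache = [], [], [], {}
        for entry in entries:
            entry = entry.strip()
            if entry.startswith(".") or entry.startswith("*."):
                self._suffixes.append(entry.lstrip("*").lower())   # partial domain (assumed form)
                continue
            try:
                self._networks.append(ipaddress.ip_network(entry, strict=False))
            except ValueError:
                self._hostnames.append(entry)  # not an address: must be resolved

    def _resolve(self, host: str):
        """Forward-resolve a listed hostname; cache unless per-request resolution is on."""
        if not self.resolve_each_request and host in self._cache:
            return self._cache[host]
        self.lookups += 1
        nets = [ipaddress.ip_network(a) for a in self._forward(host)]
        self._cache[host] = nets
        return nets

    def _listed(self, client: str) -> bool:
        addr = ipaddress.ip_address(client)
        if any(addr in net for net in self._networks):
            return True                        # cheap address checks first, no DNS
        for host in self._hostnames:
            if any(addr in net for net in self._resolve(host)):
                return True
        if self._suffixes:
            self.lookups += 1
            name = self._reverse(client).lower()
            if name and any(name.endswith(s) for s in self._suffixes):
                return True
        return False

    def allowed(self, client: str) -> bool:
        if self.mode == ALLOW_ALL:
            return True
        listed = self._listed(client)
        return listed if self.mode == ALLOW_LISTED else not listed


# Constructed DNS data standing in for real forward and reverse lookups.
_FORWARD = {"admin-laptop.example.net": ["203.0.113.25"],
            "ops.example.net": ["198.51.100.7", "198.51.100.8"]}
_REVERSE = {"203.0.113.25": "admin-laptop.example.net",
            "203.0.113.99": "guest.example.org"}


def fake_forward(host: str) -> List[str]:
    return _FORWARD.get(host, [])


def fake_reverse(ip: str) -> str:
    return _REVERSE.get(ip, "")


def example_acl(resolve_each_request: bool) -> IPAccessControl:
    """Only allow from listed: a management subnet plus two named administrator hosts."""
    return IPAccessControl(ALLOW_LISTED,
                           ["10.0.0.0/8", "admin-laptop.example.net", "ops.example.net"],
                           resolve_each_request, fake_forward, fake_reverse)


if __name__ == "__main__":
    acl = example_acl(resolve_each_request=True)
    for client in ("10.1.2.3", "203.0.113.25", "203.0.113.99"):
        print(client, acl.allowed(client), "lookups so far:", acl.lookups)
```

With per-request resolution every rejected client costs one lookup per hostname in the list, which is the overhead the note above describes; with caching the same list is resolved once.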
225. connections. The Local Port field selects the local TCP port used to accept incoming connections.
Section 3.10.7.4 TcpModBus Menu
This menu configures the TcpModbus settings for each port. Changes are made immediately.
Figure 95: TcpModbus Menu. The table has the columns Port, Response Timer, Pack Timer, Turnaround, Retransmits, Max Conns, Loc Port and RTU List (the example row shows port 3 with a Response Timer of 50, a Pack Timer of 200, Turnaround off, 0 retransmits and a maximum of 1 connection), with a Save Changes button.
The Response Timer field configures the maximum time from the last transmitted character of the outgoing poll until the first character of the response. If the RTU does not respond in this time, the poll is considered to have failed. The Response Timer must be between 50 and 1000 milliseconds inclusive.
The Pack Timer field configures the maximum allowable time to wait for a response to a Modbus request to complete once it has started. The Pack Timer must be between 200 and 1000 milliseconds inclusive.
NOTE: The Modbus specification states the minimum time is about 640 character times at baud rates below 19200 bps and 256 character times (192 ms) at baud rates above 19200 bps. You may specify a larger value if you think your RTU will take longer to complete transmission than the calculated time.
The Turnaround field configures the amount of delay, if any, to insert after the transmission of Modbu
226. controls the number of seconds after the router changes between master and backup state that a second set of gratuitous ARPs is sent. This mechanism offers a second chance to teach the switching fabric and hosts about the new provider of the gateway address.
The Extra Interface to Monitor field causes VRRP to release control of the VRIP if the specified interface stops running. This prevents the situation in which a host forwards traffic to a gateway router that itself has no way to forward it.
NOTE: The Extra Interface to Monitor field allows monitoring of both logical and physical network interfaces. Examples of a physical interface include a WAN port (w1) and a channelized interface on a WAN port (w1c1). Logical interfaces ultimately provide transport for IP on top of physical interfaces. Examples of logical interfaces implemented on top of physical interfaces include a PPP interface on a channelized WAN port (w1c1ppp) and a Frame Relay interface on an unchannelized WAN port (w1fr16). Generally one will need to monitor logical network interfaces, as they participate directly in the IP network. For the purposes of VRRP one generally wants to monitor status at the highest network layer that is practical, e.g. IP (layer 3).
NOTE: Monitoring a physical interface does not provide an aggregation of the status in
227. cord describing a VPN connection can be used without change at either end. One side of the connection, typically the local side, is designated the left side and the other is designated the right side. A convenient method is to configure both ends simultaneously, having two browser windows open; the relevant information is cut and pasted from window to window. This module also includes tools to export and import the connection data. The configuration can thus be generated at one router, exported, and imported at the remote router. If the exported data includes pre-shared keys, handle the file as a secret.
Section 5.11.9 IPSec and Router Interfaces
The IPSec daemon requires router interfaces to exist before it starts. If none of the interfaces needed by IPSec exist, IPSec will check for them every minute until at least one does. Note that in the unlikely event that IPSec uses multiple network interfaces, a stop of any of those interfaces will cause all tunnels to stop. IPSec may have to be manually restarted after configuring network interfaces when multiple tunnels exist.
Section 5.11.10 L2TPD
L2TP stands for Layer Two Tunneling Protocol. The main purpose of this protocol is to tunnel PPP packets through an IP network, although it is also able to tunnel other layer 2 protocols. On ROX, L2TPd is used in conjunction with Openswan and PPP to provide support for establishing a secure private connection with the rout
228. cribed above. Note that the Ethernet type code must be in hexadecimal format, e.g. 0x8037 for Novell Netware IPX, 0x88b8 for GOOSE, etc.
The Add a new Daemon fields specify the tunnel egress, which may be a local Ethernet interface or the IP address of a remote daemon. Several endpoints may be added with these fields using successive edits of the tunnel configuration. Frames carried between daemons are only as protected as the IP path between them; where that path is untrusted, run the tunnel inside IPsec.
The Replace Sender's MAC address option signals the daemon at the tunnel egress to replace the sender's Ethernet MAC address in tunneled frames with the MAC address of the output Ethernet interface. By default the source MAC address of all tunneled frames remains intact.
Figure 306: Edit Generic L2 Tunnel. The form shows the Ethernet Interface (eth), the configured Ethernet Types (ISO) with an Add Ethernet Type selector (None, Others), the Remote Daemon list (eth4) with an Add a new daemon selector, a Remote IP field, the Replace Sender's MAC address checkbox, and Save, Delete and Return to L2 Tunnels buttons.
The menu to edit a Generic L2 Tunnel configuration adds only two fields to the creation menu described above: the existing list of configured Ethernet Types for the tunnel and a list of Remote Daemon items. Note that in this context a Remote Daemon may be either the IP address of a remote daemon or the name of a local Ethernet interface.
Section 5.17.7 GOOSE Statistics Menu
Help GOOSE Statistics R
229. ction 3.3 Using The LED Status Panel
The LED Status Panel provides the console port, indicates the status of hardware and software, and can initiate a controlled reboot.
Figure 25: LED Status Panel, showing the port LED groups, the PPP DATA, PPP LINK, GPS LOCK, ALARM, POWER 1 and POWER 2 indicators, and the CONSOLE port (38400 N 8 1).
The LEDs are organized into three primary groups: the port group, the GPS/PPP group and the Alarm/Power Supply group. The display possibilities are as follows.
Table: Meaning of LEDs
LED 1-4: Green, link activity on Ethernet port 1-4
LED 5-8: Green, link detected on Ethernet port 1-4; Red, link failure on Ethernet port 1-4
LED 9-12: Green, link activity on WAN port 1-4
LED 13-16: Green, link detected on WAN port 1-4; Red, link failure on WAN port 1-4
LED 17-20: Green, link activity on WAN port 5-8
LED 21-24: Green, link detected on WAN port 5-8; Red, link failure on WAN port 5-8
PPP DATA: Green, link activity on the PPP modem port
PPP LINK: Green, link detected on the PPP modem port
GPS LOCK: Green, the PTP card has acquired a GPS satellite lock
ALARM: Red, a major alarm exists
POWER 1: Green, Power Supply 1 is working properly; Red, failure detected in Power Supply 1
POWER 2: Green, Power Supply 2 is working properly; Red, failure detected in Power Supply 2
The so
230. curity hazard: risk of data exposure. Make sure to establish a secure connection between the device and the repository server to prevent unauthorized users from obtaining information about the operating system. An unprotected HTTP or FTP path also lets an on-path attacker substitute packages, so the integrity of the repository connection matters as much as its confidentiality.
This menu defines the server used to upgrade software. The Repository server field accepts a URL containing the domain name or IP address of an HTTP or FTP server, along with the directory on the server containing the upgrades.
The release version field accepts a software release string such as rr1, rr1.7 or rr1.7.2. If you configure this field with only a major release number, such as rr1, the router will always pick the latest release at the server. As an example, if the router is running release rr1.7 and release rr1.7.2 becomes available, the latter will be used. If you configure this field with a major.minor.patch release number such as rr1.7.2, the router will only upgrade from that release.
The Bandwidth Limiting selector allows you to limit the bandwidth used in the course of upgrading the system software.
Section 3.7.10.4 Upgrading All Packages
Upgrade All Packages is used for attended upgrades of the ROX system software to a newer revision. The upgrade process obtains a list of packages from the specified repository server and release version (see Section 3.7.10.3 Change Repository Server), automatically determines which packages need to be added or upgraded, and performs the necessary package acqui
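The release-selection rule above (a major number alone follows the newest release, a full major.minor.patch pins one) is small enough to show in code. The following Python is an added example and not ROX's upgrade logic: it picks the release from a listing by that rule and adds one check the text does not describe, refusing anything that is not strictly newer than the running release, since over an unauthenticated HTTP or FTP path a repository can be made to offer an older, vulnerable build. The release listing is constructed for the example; nothing about the real repository layout is assumed beyond the rr-prefixed release strings shown above.

```python
"""Release-string selection for repository upgrades.

Added example, not ROX's upgrade code. A configured "rr1" selects the
newest rr1.x.y, "rr1.7" the newest rr1.7.x and "rr1.7.2" exactly that
release; plan_upgrade() additionally refuses downgrades. The release list
at the bottom is constructed for the example.
"""
import re
from typing import Iterable, Optional, Tuple

_RELEASE = re.compile(r"^rr(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def parse_release(text: str) -> Tuple[int, ...]:
    """'rr1.7.2' -> (1, 7, 2); 'rr1' -> (1,). Anything else is rejected."""
    m = _RELEASE.match(text.strip())
    if not m:
        raise ValueError(f"bad release string: {text!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def select_release(configured: str, available: Iterable[str]) -> Optional[str]:
    """Newest available release whose leading components equal the configured prefix."""
    want = parse_release(configured)
    candidates = []
    for name in available:
        try:
            ver = parse_release(name)
        except ValueError:
            continue                          # skip listing entries that are not releases
        if ver[:len(want)] == want:
            candidates.append((ver, name))
    return max(candidates)[1] if candidates else None


def is_upgrade(running: str, candidate: str) -> bool:
    """True only if the candidate is strictly newer than the running release."""
    return parse_release(candidate) > parse_release(running)


def plan_upgrade(running: str, configured: str, available: Iterable[str]) -> Optional[str]:
    """Release to install, or None if nothing matches or the match would be a downgrade."""
    chosen = select_release(configured, available)
    if chosen is None or not is_upgrade(running, chosen):
        return None
    return chosen


# Constructed listing of what a repository server might offer.
SAMPLE_RELEASES = ["rr1.7", "rr1.7.2", "rr1.7.10", "rr1.8", "rr2.0", "README"]

if __name__ == "__main__":
    print(select_release("rr1", SAMPLE_RELEASES))               # rr1.8
    print(plan_upgrade("rr1.7", "rr1.7", SAMPLE_RELEASES))      # rr1.7.10
    print(plan_upgrade("rr1.8", "rr1.7.2", SAMPLE_RELEASES))    # None: downgrade refused
```

Note that the comparison is numeric per component, so rr1.7.10 correctly sorts after rr1.7.2; a plain string comparison would get that wrong.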
231. cute. The example list shows a command with ID 3, created by root, to run at Fri Oct 11 01:00:00 2013, created Thu Oct 10 02:50:12 2013, with the command reboot. Figure 139: Scheduled Commands.
This menu allows you to schedule a command to run in the future.
Begin by selecting the time and date at which you wish to run the command, using the Run on date and Run at time fields. Use the Run in directory field to enter a directory to run the command in, or simply use Finally, enter the command to execute in the Commands to execute field.
NOTE: The command will remain scheduled after reboot.
After the command is entered, the Scheduled Commands menu will display any commands and allow you to cancel them.
Figure 140: Scheduled Commands, Displaying a Command. The New scheduled command form has the fields Run on date (10 Oct 2013), Run at time (00), Current date (10 Oct 2013), Current time (02:51), Run in directory and Commands to execute, with a Create button.
Section 4.3.4 Scheduled Cron Jobs
Cron is a service that allows flexible, regular scheduling of system commands. A Cron job is the combination of a command to run and a definition of the times at which to run it. The Scheduled Cron Jobs menu allows you to create, edit and delete these jobs.
Scheduled Cron Jobs page: when no jobs exist it reads There are no cron jobs on this system, with a Create a new scheduled cron job link. Figure 141: Webmin Scheduled Cr
232. d column. Clicking on a link in the Interface column will allow you to edit or delete a traffic classification interface, as shown below.
Figure 233: Edit TC Interface. The TC interface details form has the fields Interface (eth1), In bandwidth (2000 kbit) and Out bandwidth (5000 kbit), with Save, Delete and Return to tcdevices list buttons.
The Interface field specifies a network interface whose traffic will be controlled by the TC subsystem. The In bandwidth field specifies the maximum inbound bandwidth that the interface can handle; if the rate exceeds this value, packets may be delayed or potentially dropped. The Out bandwidth field specifies the maximum outbound bandwidth that the interface can handle; outbound traffic above this rate is delayed or potentially dropped. Bandwidth is specified in either kilobytes per second (kbps) or kilobits per second (kbit); the two differ by a factor of eight, so check the unit suffix.
NOTE: The minimum bandwidth that may be specified to the Traffic Control subsystem for any network device is 10 kilobits per second (kbit).
The Manually Edit File button also allows you to make direct changes to the TC interface configuration file.
TC Interfaces: This form can be used to manually edit the Shorewall file /etc/shorewall/tcdevices. Be careful, as no syntax checking will be done on the changes.
Shorewall version 4 Tcdevices File. For informati
233. Section 5.12.3 OSPF Fundamentals
The Open Shortest Path First (OSPF) routing protocol determines the best path for routing IP traffic over a TCP/IP network based on link cost and quality. Unlike static routing, OSPF takes link failures and other network topology changes into account. Unlike the RIP routing protocol, OSPF generates less router to router update traffic.
ROX's routing protocols are supplied by the Quagga routing package. ROX's OSPF daemon, ospfd, is an RFC 2178 compliant implementation of OSPFv2. The daemon also adheres to the RFC 2370 (Opaque LSA) and RFC 3509 (ABR Types) extensions.
OSPF network design usually involves partitioning a network into a number of self contained areas. The areas are chosen to minimize intra area router traffic, making the network more manageable and reducing the number of advertised routes. Area numbers are assigned to each area. All routers in an area are known as Area routers. If traffic must flow between two areas, a router with links in each area is selected to be an Area Border router and serves as a gateway.
Section 5.12.3.1 Link State Advertisements
When an OSPF configured router starts operating, it issues a hello packet. Routers having the same OSPF Area, hello interval and dead interval timers will communicate with each other and are said to be neighbors. After discovering its neighbors, a router will exchange Link State Advertisements in order to determine the network to
234. d be chosen. When the connection is end to end, it is typical to set the central site end to Switch and the remote end to CPE.
The Signaling type field reflects the Frame Relay link management protocol used, which includes ANSI T1.617 Annex D, LMI and Q.933 signaling.
The T391 Link Integrity Verification polling timer is valid at the CPE and indicates the number of seconds between the transmission of In channel Signaling messages. The T392 verification of polling cycle timer is valid at the Switch and indicates the expected number of seconds between the reception of In channel Signaling messages transmitted by the CPE. The N391 counter is valid at the CPE and defines the frequency of transmission of Full Status enquiry messages. The N392 counter is valid at both the CPE and the Switch and defines the number of errors during N393 events which cause the channel to be inactive. The N393 counter is valid at both the CPE and the Switch and is an event counter for measuring N392.
The EEK Type field controls whether End to End Keepalive messages are sent while operating as a CPE device. If this option is set to Off, EEK is disabled. If this option is set to Request, EEK messages are sent every EEK Timer x T391 seconds. This timer may be configured from 1 to 100 periods in duration. Your network provider will inform you of what
235. d route.
Multipath Routes: It is also possible to specify the same metric for each of several alternative routes to the same remote subnet. This allows the creation of a multipath route. With such a set of redundant routes available to a remote subnet, the router will select one or another route to transmit traffic destined for the subnet. The end result is that the aggregate data traffic to the remote subnet is shared among the multiple routes. Note the distinction between Multipath Routing and Section 5.6 Multilink PPP over T1/E1: whereas Multilink PPP effectively multiplies the bandwidth for all traffic by the number of links that comprise a bundle, Multipath Routing multiplies the capacity of the route, at link native speeds, by the number of different routes provided.
Default Routes: A default route is a special instance of a static route. The destination network 0.0.0.0/0 is the most general possible IPv4 network specification. Packets destined for an IPv4 subnet that is not reachable via any other routing entry in the system will be forwarded to the default gateway, i.e. the gateway for the default route. Default routes for both IPv4 and IPv6 may be configured.
Section 5.1.2.4 Configuring Static Routes
Help Static Routes: Configured Static Routes (Route, Network, Mas
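The interplay of specific static routes, equal-metric multipath routes and the 0.0.0.0/0 default is easiest to see in a small forwarding table. The following Python is an added example, not ROX's routing code: it performs longest-prefix matching, keeps only the lowest-metric routes for the winning prefix, falls back to the default route (IPv4 or IPv6) when nothing more specific matches, and, for a multipath route, picks the gateway per source/destination pair so that one flow stays on one path. The routes, gateways and addresses are constructed for the example, and the flow-hash selection is one common choice, not the page's own algorithm.

```python
"""Static, default and multipath route lookup.

Added example, not ROX's routing code. Longest-prefix match with metrics,
a 0.0.0.0/0 (or ::/0) default used only when nothing more specific matches,
and equal-metric routes to one subnet shared per flow. All routes below are
constructed for the example.
"""
import hashlib
import ipaddress
from typing import List, Optional


class RouteTable:
    def __init__(self):
        self._routes = []                 # (network, gateway, metric)

    def add(self, network: str, gateway: str, metric: int = 0) -> None:
        self._routes.append((ipaddress.ip_network(network, strict=True),
                             ipaddress.ip_address(gateway), metric))

    def candidates(self, dst: str) -> List[str]:
        """Gateways of the most specific prefix containing dst, lowest metric only."""
        addr = ipaddress.ip_address(dst)
        matching = [r for r in self._routes if addr in r[0]]   # version mismatch never matches
        if not matching:
            return []
        best_len = max(r[0].prefixlen for r in matching)
        best = [r for r in matching if r[0].prefixlen == best_len]
        best_metric = min(r[2] for r in best)
        return [str(r[1]) for r in best if r[2] == best_metric]

    def next_hop(self, src: str, dst: str) -> Optional[str]:
        """Pick one gateway; with several equal routes the choice is stable per src/dst flow."""
        gws = self.candidates(dst)
        if not gws:
            return None                   # no route, not even a default
        if len(gws) == 1:
            return gws[0]
        digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
        return sorted(gws)[int.from_bytes(digest[:4], "big") % len(gws)]


def example_table() -> RouteTable:
    t = RouteTable()
    t.add("0.0.0.0/0", "192.168.1.254")             # IPv4 default route
    t.add("::/0", "2001:db8::1")                    # IPv6 default route
    t.add("10.20.0.0/16", "192.168.1.10", 10)
    t.add("10.20.5.0/24", "192.168.1.11", 10)       # more specific prefix wins
    t.add("172.16.0.0/16", "192.168.2.1", 5)        # two equal-metric routes: multipath
    t.add("172.16.0.0/16", "192.168.3.1", 5)
    t.add("172.16.0.0/16", "192.168.4.1", 20)       # worse metric, not used
    return t


if __name__ == "__main__":
    t = example_table()
    for dst in ("10.20.5.7", "10.20.9.1", "172.16.3.3", "8.8.8.8", "2001:db8:1::5"):
        print(dst, t.candidates(dst), t.next_hop("192.168.1.5", dst))
```

The per-flow hash is why multipath routes share aggregate traffic without reordering a single connection; it also means one heavy flow never uses more than one path, which is the distinction from Multilink PPP drawn above.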
236. daemon. This value is only used as a reference for convenience; the telnet interface prompt will contain this hostname. The router's system wide hostname is used if this field is left blank. The telnet interface is the routing daemon's management console, so keep it reachable only from the router itself or from trusted hosts.
The Default Information Originate field, when enabled, causes the router to advertise its default route to the RIP network.
The Default Metric field sets the default metric to be used for RIP routes which don't have another metric specified.
The Distance field sets the administrative distance to use for all routes unless overridden by other distance settings.
The Redistribute Connected fields control the distribution of connected routes. When enabled, RIP will advertise routes to directly connected interfaces to other RIP routers in the area. Normally only routes that fall within the scope of the network areas will be advertised.
The Redistribute Static fields control the distribution of static routes. When enabled, RIP will advertise static routes created using the Network Configuration,  Routing and Default Route menu to other RIP routers in the area. Normally only routes that fall within the scope of the network areas will be advertised.
The Redistribute Kernel fields control the distribution of kernel routes. When enabled, RIP will advertise routes from the kernel routing table, which includes static routes entered by the administrator, to other RIP routers in the a
237. ded in reported alerts as part of a Snort unique rule ID, a three-part identifier of the form generator:SID:revision. The generator field reflects the type of preprocessor or decoder used for a rule. The SID is a unique number identifying an individual rule, while the revision reflects improvements to the rule.
The main Snort IDS menu provides the capability to disable individual rules and groups of rules. The difference between a Disabled and an Enabled rule is shown in the following example:
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"This is a test"; sid:161;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"This is a test"; sid:161;)
Section 3.15.1.4 Alerting Methods
Alerts generated by Snort are stored by one of two methods: as syslog messages or in a specified alert file. When the local syslog method is chosen, the destination log file may be selected. When the alert file method is chosen, a daily analysis of the file can be emailed. The SIDs referenced in alerts can be used to quickly locate the rule via the main Snort IDS menu. The rule itself often contains HTML links to Internet resources such as http://www.securityfocus.com and http://cve.mitre.org, which provide more in depth descriptions of the vulnerability.
Section 3.15.1.5 Performance and Resources
The performance impact of Snort varies with the number of interfaces monitored, t
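The enabled/disabled pair above is just a leading comment character, and the SID in an alert is the key for finding the rule again. The following Python is an added example, not the ROX Snort IDS menu's implementation: it extracts generator:SID:revision from a rule line whether or not it is commented out, toggles rules by SID the same way the menu does, and leaves comments and rules without a SID untouched. The rules text is constructed for the example.

```python
"""Enable/disable Snort rules by SID in a rules file.

Added example, not the ROX Snort IDS menu's own code. Identifies rules by
gid:sid:rev (gid defaults to 1 and rev to 0 when absent), toggles a rule by
adding or removing the leading '#', and never double-comments. The rules
text at the bottom is constructed for the example.
"""
import re
from typing import Optional

_SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_GID = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
_REV = re.compile(r"\brev\s*:\s*(\d+)\s*;")
_ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")


def _rule_body(line: str) -> str:
    """Rule text without indentation or a leading comment marker."""
    body = line.lstrip()
    if body.startswith("#"):
        body = body[1:].lstrip()
    return body


def rule_id(line: str) -> Optional[str]:
    """'gid:sid:rev' for a rule line (commented or not); None for anything else."""
    body = _rule_body(line)
    if not body.startswith(_ACTIONS):
        return None                       # plain comment, blank line, variable, include...
    sid = _SID.search(body)
    if not sid:
        return None                       # a rule without a sid cannot be referenced
    gid = _GID.search(body)
    rev = _REV.search(body)
    return f"{gid.group(1) if gid else 1}:{sid.group(1)}:{rev.group(1) if rev else 0}"


def is_enabled(line: str) -> bool:
    return rule_id(line) is not None and not line.lstrip().startswith("#")


def set_rule(rules: str, sid: int, enabled: bool) -> str:
    """Return the rules text with every rule carrying this sid enabled or disabled."""
    out = []
    for line in rules.splitlines():
        rid = rule_id(line)
        if rid and int(rid.split(":")[1]) == sid:
            body = _rule_body(line)
            line = body if enabled else "#" + body
        out.append(line)
    return "\n".join(out) + ("\n" if rules.endswith("\n") else "")


# Constructed rules text; the first two rules mirror the enabled/disabled pair above.
SAMPLE_RULES = (
    '# test rules (constructed for this example)\n'
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"This is a test"; sid:161;)\n'
    '#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ssh probe"; sid:162; rev:2;)\n'
    'alert icmp any any -> $HOME_NET any (msg:"ping"; gid:1; sid:163; rev:1;)\n'
)

if __name__ == "__main__":
    print(set_rule(set_rule(SAMPLE_RULES, 161, False), 162, True))
```

Keying on the SID rather than on line position is what makes a toggle survive rule-set updates, and it is also how an alert's generator:SID:revision maps back to the rule text for triage.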
238. definition, then it is not allowed to be defined elsewhere in V3 or V2c. Siemens SNMP MIB definitions are available from www.siemens.com/ruggedcom and from Customer Support.
Section 3.7.4.6 MIB Support
The ROX device supports the following MIBs:
IF-MIB: The MIB module to describe generic objects for network interface sub-layers
SNMPv2-MIB: The MIB module for SNMPv2 entities
TCP-MIB: The MIB module for managing TCP implementations
IP-MIB: The MIB module for managing IP and ICMP implementations
UDP-MIB: The MIB module for managing UDP implementations
LLDP-MIB: The MIB module for managing LLDP
SNMP-VIEW-BASED-ACM-MIB: View based Access Control Model for SNMP
SNMP-FRAMEWORK-MIB: The SNMP Management Architecture MIB
SNMP-MPD-MIB: The MIB for Message Processing and Dispatching
SNMP-USER-BASED-SM-MIB: The management information definitions for the SNMP User based Security Model
Section 3.7.5 Outgoing Mail
Figure 53: Outgoing Mail. The SMTP Settings form has the fields Forward to Mail Hub (mail), Belongs to Domain and Hostname (rceng02), with Save and Return to Miscellaneous Main Page buttons.
Outgoing Mail is configured from within the Maintenance menu, Miscellaneous sub menu. This menu controls where emails originated by the router are forwarded to. The Forward to Mail Hub field specifies an IP address or domain
239. dows Client field sets the secondary DNS Server IP address to be used by connecting Windows clients. The Primary WINS Server for Windows Client field sets the primary WINS Server IP address to be used by connecting Windows clients. The Secondary WINS Server for Windows Client field sets the secondary WINS Server IP address to be used by connecting Windows clients.
Section 5.11.14.1 Notes on Configuring a VPN Connection
In addition to configuring L2TP using the menu described above, setting up a VPN connection using L2TP requires several other items to be configured. Create a VPN connection using the Edit Connection menu described below. Set the At IPSec Startup field to Add Connection, set Perfect Forwarding Secrecy to No and set L2TP to Yes. Set Private subnet behind system to None for both the left system and right system settings. Be aware that with Perfect Forwarding Secrecy off, the IPsec session keys are derived from the initial IKE exchange alone, so compromise of that exchange's keying material exposes earlier traffic; this is the price of interoperating with these clients. It is recommended to configure RADIUS in order to authenticate VPN clients. Note that the ROX RADIUS configuration must be set to authenticate PPP services.
Section 6.3 VPN L2TP Configuration in Windows
Describes the steps required to configure the VPN client in Microsoft Windows 2000/XP.
NOTE: AES encryption was designed to be more computationally efficient than 3DES. AES256 or AES128 are therefore preferred for VPN connections as they require less of the CPU resource. AES256 is not supported in Window
... Local Address, Netmask, Remote Address, Disable Magic Number, Description (Save; Return to T1/E1 WAN Interfaces)

Figure 186: Edit Logical Interface (PPP)

The Local Address, Netmask, Remote Address and Description fields are as described in the previous section. Some PPP implementations exist that are unable to negotiate the LCP Magic Number feature correctly. The Disable Magic Number field disables PPP LCP negotiation of the Magic Number feature altogether. Note that the Magic Number is also how LCP detects a looped-back link, so disable it only for a peer that is known to mishandle it.

Section 5.3.2.9 T1/E1 Statistics

When at least one logical interface is configured, T1/E1 link and logical interface statistics will be available. These statistics are available from links on the T1/E1 WAN Interfaces menu. Link statistics are provided through the View Link Statistics link at the bottom of each interface table. Frame Relay and PPP statistics are available through Statistics links under the interface name column of each interface table.

T1/E1 WAN Interfaces: T1/E1 Trunks, Channels and Logical Interfaces (Refresh this page). The figure shows T1 1 up as a channelized interface with channel 1 assigned time slots 1-24, one PPP logical interface (no description) with local address 3.1.1.3, netmask 255.255.255.255 and remote address 1.1.1.2, and the links Edit T1 1 Parameters, View T1 1 Link Statistics and Loopback this Interface (Enable ...
Figure 178: Editing a PPPoE Interface

The PPPoE Username field determines the username to use when connecting to the PPPoE server, as specified by your provider. The Password field determines the password provided to the PPPoE server. The Default Route check box enables automatically setting a default route using this interface whenever it connects; if this is your primary connection you probably want this option enabled. The Use peer DNS check box enables automatically setting the DNS server entries that the PPPoE server recommends; enable this option unless you provide your own name servers (with it enabled, the provider controls the router's name resolution). The MTU field defines the MTU size to request when connecting to the PPPoE server. In some cases the PPPoE provider may provide a smaller MTU, in which case the smaller setting will be used, or it may refuse to alter the MTU and use whatever it considers to be the default.

The Save button will update all of the changes; the current PPPoE link will be reconnected. The Delete button will delete the PPPoE interface, closing the current PPPoE link.

Section 5.2.6.10 PPP Logs

This menu displays the native Ethernet and internal ADSL interface PPPoE connection messages. This is mainly useful when trying to debug a PPP connection problem.

PPP Logs (Refresh)
Month Day Time      Process      Event
Oct   30  12:36:02  pppd[17317]  Plugin rp-pppoe.so loaded
Oct   30  12:36 ...
... the DNS server entries that the PPP server recommends; enable this option unless you provide your own name servers. The Maximum Dial Attempts field specifies the number of consecutive times that the modem will dial the phone number before it stops attempting to establish a connection. If the number is 0 it will never stop, and will dial until the connection is established. Otherwise a Reconnect button will appear in the Modem Main Menu after the specified number of consecutive failed connection attempts. For Australian A-tick compliance, a maximum of 15 attempts is set when the country code is set to Australia and the setting is found to be either 0 or above 15. The Dial Interval field determines how many seconds to wait before re-initiating the link after it terminates. The Dial on Demand field specifies that this connection is designated as dial-on-demand, meaning that establishment of the PPP connection is postponed until there is data to be transmitted via the interface. When Dial on Demand is enabled you must specify a Local IP Address and a Remote IP Address. On systems with two modems, Dial on Demand can also trigger and use the alternate modem to transmit data if the first modem is busy. When Dial on Demand is selected, a Dial on Demand Setting table appears on the PPP Client Connections page. For instructions on configuring the alternate modem settings, see Section 3.8.6.3 Dial on Demand Alternate Modem Setting. The Local IP Address ...
... 122
3.15.5 Alerts and Logging 123
3.15.6 Test Configuration 123
3.15.7 Edit Config File 124
3.16 Brute Force Attack Protection System 124
4 System Administration 127
4.1 Webmin Configuration 127
4.1.1 IP Access Control 128
4.1.2 Ports and Addresses 129
4.1.3 Change Help Server 129
4.1.4 Logging 130
4.1.5 Authentication 131
4.1.6 Webmin Events Log 131
4.2 Configure Webmin Users 132
4.2.1 Webmin User and Group Fundamentals 132
4.2.2 RADIUS User Access Control Fundamentals 132
4.2.3 Webmin Users Menu 133
4.2.4 Edit Webmin User Menu 134
4.2.5 Current Login Sessions Menu 135
4.2.6 Password Restrictions Menu 135
4.3 Configuring the System ...
The Round Trip Times table reflects the measured RTT to each remote daemon. The minimum, average, maximum and standard deviation of times is presented. Entries with a large difference between the Transmitted and Received fields indicate potential problems. The Refresh button will cause the page to be reloaded. The Continuous Display button will cause the browser to continuously reload the page, showing the differences in statistics from the last display. The difference is not a real-time rate in bytes or packets per second.

Section 5.17.8 Generic L2 Tunnel Statistics Menu

Figure 308: Generic L2 Statistics Menu

Ethernet Statistics
Interface | Rx Frames | Tx Frames | Rx Chars | Tx Chars | Errors
eth2      | 0         | 160350    | 0        | 9621000  | 0

Connection Statistics
Interface | Remote IP    | Rx Packets | Tx Packets | Rx Chars | Tx Chars | Errors
eth2      | 192.168.12.2 | 160350     | 0          | 10262400 | 0        | 0

Round Trip Times
Remote IP    | Transmitted | Received | Minimum RTT | Average RTT | Maximum RTT | Std Deviation
192.168.12.2 | 2783        | 2782     | 0.769 ms    | 1.146 ms    | 58.743 ms   | 2.080 ms

(Refresh; Continuous Display; Clear RTT Statistics; Return to Layer 2 Tunnels)

This menu presents statistics of tunneled L2 traffic. The Ethernet Statistics table provides a record for each local Ethernet interface that is part of a tunnel configura...
... 177
5.2.6.5 Creating Bootup Virtual LAN Interfaces 178
5.2.6.6 Bridge Configuration 179
5.2.6.7 Bridge Filtering 180
5.2.6.8 PPPoE on Native Ethernet Interfaces 181
5.2.6.9 Edit PPPoE Interface 182
5.2.6.10 PPP Logs 182
5.2.6.11 Current Routes and Interface Table 183
5.3 Configuring Frame Relay, PPP and T1/E1 183
5.3.1 T1/E1 Fundamentals 184
5.3.1.1 Frame Relay 184
5.3.1.2 Location of Interfaces and Labelling 184
5.3.1.3 LED Designations 185
5.3.1.4 Included with T1/E1 185
5.3.2 T1/E1 Configuration 185
5.3.2.1 T1/E1 Network Interfaces 186
5.3.2.2 Strategy for Creating Interfaces 186
5.3.2.3 Naming of Logical Interfaces 187
5.3.2.4 Editing a T1/E1 Interface 188
5.3.2.5 Editing a Logical Interface (Frame Relay) 189
5.3.2.6 Frame Relay Link Parameters ...
... due to its high overhead.

Section 5.11.20.4 Client Configuration

Depending upon the client, you may be required to produce the certificate in P12 (PKCS#12) format, and may be required to include an export password as well. This password will need to be known by the personnel that configure the client in order to import the certificate; pass it to them separately from the P12 file, since it is all that protects the private key inside. Install the client IPSec software and import the cacert and the client's own certificate and key. Configure the client with the router's public gateway, the client's internal network address and the desired encryption parameters. At this point the client should be able to use its Internet connection to ping the public gateway.

Section 5.11.20.5 Router IPSec Configuration

Transfer the cacert and the router's certificate to the router. If your authority prepares a Certificate Revocation List (CRL), you will want to transfer that as well. The cacert file should be renamed cacert.pem and installed in /etc/ipsec.d/cacerts. The CRL file should be renamed crl.pem and installed in /etc/ipsec.d/crls. The router's certificate must be installed in /etc/ipsec.d/certs. Its private key file (e.g. router.key) must be installed in /etc/ipsec.d/private, and a line

    : RSA router.key "Password"

where Password is the pass phrase that was used to generate the certificate, must be added to the end of /etc/ipsec.secrets. Both the key file and /etc/ipsec.secrets should be readable by root only.
... convenient if it is the only router in the network and many clients will be connecting to it. On the other hand, if the router holds the certificate authority and is compromised, all certificates must be constructed again. Ensure that the Certificate Authority generates certificates with a reasonable life and generates keys of at least 1024 bits in length (1024-bit RSA is no longer considered adequate; current practice is 2048 bits or more).

Section 5.11.20.2 Generate X.509 Certificates

Use the authority to produce a certificate authority public certificate (cacert), a certificate for each of the clients, and a certificate for the router. The certificate authority will require some information that is shared by all certificates, e.g. a Country Name (C), a State or Province Name (ST, sometimes abbreviated S), an Organization Name (O), and some per-client information, e.g. a Common Name (CN) and an Email Address (E). Together this information forms the Distinguished Name (DN) and is used by the router and client to validate each other.

Section 5.11.20.3 VPN Networking Parameters

The first step is to identify the key parameters required. The router's public gateway (here vpn.xyz.com) and its gateway interface (w1ppp) must be known. The local network subnet (10.0.0.0/8) and each client's internal network address (here 10.0.1.1) must be known. All client addresses should be assigned from a subnet of the local network, e.g. 10.0.1.0/24. A number of encryption parameters should be decided upon, depending upon the client capabilities. Avoid selecting 3DES if possibl...
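To make concrete how the Distinguished Name is "used by the router and client to validate each other", here is an added example (not ROX or Openswan code) that parses DNs and checks a peer's certificate DN against an expected identity. The wildcard rule, where a "*" value in the expected DN matches any value of that attribute, is modelled on the rightid matching of Openswan/strongSwan but is reimplemented here; the DN strings are constructed for the example.

```python
# Added illustration of how the Distinguished Name (DN) from an X.509
# certificate is matched against an expected peer identity, as an IPsec
# gateway does when checking a client's certificate. Example code, not ROX
# or Openswan code. The wildcard rule ('*' in the expected DN matches any
# value of that attribute) is modelled on Openswan/strongSwan rightid
# matching but reimplemented here.

ALIASES = {"S": "ST", "EMAILADDRESS": "E"}   # normalise attribute spellings


def parse_dn(dn):
    """Split 'C=CA, ST=Ontario, O=RuggedCom, CN=client1' into an ordered list
    of (attribute, value) pairs. A comma inside a value is escaped as '\\,'."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)

    pairs = []
    for part in parts:
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr, value = part.split("=", 1)
        attr = attr.strip().upper()
        pairs.append((ALIASES.get(attr, attr), value.strip()))
    return pairs


def dn_matches(expected, presented):
    """True if the presented DN has exactly the attributes of the expected DN,
    in the same order, with equal values except where expected has '*'.
    Requiring the exact attribute set stops a client from passing by adding
    or dropping components, e.g. presenting a different O= with a valid CN=."""
    exp, got = parse_dn(expected), parse_dn(presented)
    if len(exp) != len(got):
        return False
    for (ea, ev), (ga, gv) in zip(exp, got):
        if ea != ga or (ev != "*" and ev != gv):
            return False
    return True


if __name__ == "__main__":
    policy = "C=CA, ST=Ontario, O=RuggedCom, CN=*"
    for peer in ("C=CA, ST=Ontario, O=RuggedCom, CN=client1",
                 "C=CA, S=Ontario, O=Evil Corp, CN=client1"):
        print(peer, "->", "accept" if dn_matches(policy, peer) else "reject")
```

The point of the exact-length check is that a CA-signed certificate only proves the CA issued it; which CA-issued certificates are allowed to connect is decided by this DN comparison, so the policy should pin every component the CA does not control per client.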
... of defining only one MLPPP bundle.

Section 5.6.2 Notes on T1/E1 Channelization

T1/E1 lines can be configured as channelized or unchannelized. A more complete discussion of this topic than the one provided below can be found in Section 5.3.2.2 Strategy for Creating Interfaces. In unchannelized mode, an entire T1/E1 link is aggregated into one channel; in the MLPPP Channel Setting table below, unchannelized T1/E1 interfaces will be seen to have only one channel (channel 1). In channelized mode, more than one channel is defined for each T1/E1 interface. Section 5.3.2.2 Strategy for Creating Interfaces describes the process of creating multiple channels on a T1/E1 interface. Note that in order for PPP Multilink to operate optimally, it is advisable to ensure that each link in the MLPPP bundle has the same bandwidth. This means that the number of time slots, the clocking mode and the rate for each T1/E1 link that is used by PPP Multilink should be the same.

Section 5.6.3 Configuring PPP Multilink over T1/E1

In order to begin creating an MLPPP bundle, click on T1/E1 in the Networking folder of the main Webmin menu. T1/E1 Trunks and Interfaces will display the menu below.

T1/E1 WAN Interfaces: T1/E1 Trunks, Channels and Logical Interfaces (Refresh this page)
T1 2: Down; Channel ...
Note that this may be an IPv4 or an IPv6 address. The Verbose Output field causes traceroute to present the maximum of output.

The Lookup Addresses field causes traceroute to resolve IP addresses to domain names. This can make traceroute behave very slowly if DNS is not properly configured. The Use ICMP instead of UDP field causes traceroute to probe with ICMP packets. The How many Hops field limits the maximum number of hops that traceroute will attempt to map. The Packet Length field specifies the size of the data in the traceroute packet. The Interface field specifies the network interface from which to obtain the source IP address for outgoing probe packets; otherwise the router will set the address based on the actual interface taken.

Section 2.2.5 ARP Ping Check Menu

Figure 8: ARP Ping Check Menu (Hostname/IP Address; Interface: eth1; How many Packets: 5; Timeout: 10 seconds; Always use broadcast ARP; Ping it; Return to Network Utilities)

The Hostname/IP Address field accepts the host name or IP address to ping. Note that this may be an IPv4 or an IPv6 address (ARP itself only resolves IPv4 addresses; IPv6 uses Neighbor Discovery instead). The Interface field specifies the interface on the router through which the ARP ping packet will be sent. The How many Packets field specifies the number of packets to be sent; the maximum is 99 packets. The Timeout field specifies the number of seconds to allow for an ARP ping ...
... reasons, it is highly recommended that proper X.509 certificates signed by a Certificate Authority (CA) be used. If a certificate is not signed by a CA and is self-signed, the trust portion of the certificate cannot work, because the certificate owner is essentially its own CA.

1. Copy the following text into a plain text editor:

    cd /opt && openssl genrsa -out CA.key 2048 && openssl req -x509 -new -config /etc/ssl/openssl.cnf -subj "/C=CA/ST=Ontario/L=Concord/O=RuggedCom/OU=Support/CN=hostname" -days 1825 -key CA.key -out CA.crt && cat CA.crt CA.key > /etc/webmin/miniserv.pem && rm CA.* && /etc/init.d/webmin restart

2. Replace the text CN=hostname with the system's hostname or primary management IP address.

3. Login to the unit using SSH. See Section 3.1.3 Accessing the Device Command Prompt From the Console Port.

4. Copy and paste the text and hit Enter if required. The output should look like the text below:

    RX1000# cd /opt && openssl genrsa -out CA.key 2048 && openssl req -x509 -new -config /etc/ssl/openssl.cnf -subj "/C=CA/ST=Ontario/L=Concord/O=RuggedCom/OU=Support/CN=RX1000" -days 1825 -key CA.key -out CA.crt && cat CA.crt CA.key > /etc/webmin/miniserv.pem && rm CA.* && /etc/init.d/webmin restart
    Generating RSA private key, 2048 bit long modulus
    ......................+++
    ..........+++
    e is 65537 (0x10001)
    ...

Because /etc/webmin/miniserv.pem contains the private key, confirm afterwards that it is readable by root only (for example with chmod 600 /etc/webmin/miniserv.pem).
    ... Website
    #     http://vrt-blog.snort.org              Sourcefire VRT Blog
    #
    #     Mailing list Contact:      snort-sigs@lists.sourceforge.net
    #     False Positive reports:    fp@sourcefire.com
    #     Snort bugs:                bugs@snort.org
    #
    #     Compatible with Snort Versions:
    #     VERSIONS : 2.9.5.5
    #
    #     Snort build options:
    #     OPTIONS : --enable-gre --enable-mpls --enable-targetbased --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3
    #
    #     Additional information:
    #     This configuration file enables active response, to run snort in
    #     test mode -T you are required to supply an interface -i <interface>
    #     or test mode will fail to fully validate the configuration and
    #     exit with a FATAL error
    #--------------------------------------------------

    ###################################################
    # This file contains a sample snort configuration.
    # You should take the following steps to create your own custom configuration:
    #
    #  1) Set the network variables.
    #  2) Configure the decoder
    #  3) Configure the base detection engine
    #  4) Configure dynamic loaded libraries
    #  5) Configure preprocessors
    #  6) Configure output plugins
    #  7) Customize your rule set
    #  8) Customize preprocessor and decoder rule set
    #  9) Customize shared object rule set
    ###################################################

(Save Changes; Reset Changes; Return to Snort IDS Main)

Figure 123: Edit Config File

Snort is extre...
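Step 1 of the sample configuration, setting the network variables, is where most of the detection value is decided: with HOME_NET and EXTERNAL_NET left at "any", every rule that relies on direction matches everything. The following added example (not part of the ROX documentation or of Snort) parses the ipvar/portvar/var lines of a snort.conf, resolves $NAME references, and reports variables that are still "any" or that point at undefined names. Both configuration fragments are constructed samples in snort.conf syntax, the weak one beside a hardened one.

```python
import re

# Added example, not part of the ROX documentation or of Snort: an audit of
# the network variables in a snort.conf. Both fragments are constructed.

WEAK_CONF = """\
# Step #1: Set the network variables.
ipvar HOME_NET any
ipvar EXTERNAL_NET any
ipvar DNS_SERVERS $HOME_NET
portvar HTTP_PORTS [80,8080]
var RULE_PATH ../rules
"""

HARDENED_CONF = """\
ipvar HOME_NET [192.168.0.0/24,10.0.1.0/24]
ipvar EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS $HOME_NET
portvar HTTP_PORTS [80,8080]
var RULE_PATH ../rules
"""

VAR_RE = re.compile(r"^\s*(ipvar|portvar|var)\s+(\w+)\s+(\S.*?)\s*$")


def parse_variables(text):
    """Return {name: (kind, raw_value)} for every ipvar/portvar/var line."""
    defs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        m = VAR_RE.match(line)
        if m:
            kind, name, value = m.groups()
            defs[name] = (kind, value)
    return defs


def resolve(defs, value, depth=0):
    """Expand $NAME references recursively; an undefined name raises KeyError."""
    if depth > 10:
        raise ValueError("variable reference loop")

    def expand(m):
        name = m.group(1)
        if name not in defs:
            raise KeyError(name)
        return resolve(defs, defs[name][1], depth + 1)

    return re.sub(r"\$(\w+)", expand, value)


def audit_network_variables(text):
    """List problems with HOME_NET/EXTERNAL_NET and any dangling references."""
    defs = parse_variables(text)
    findings = []
    for name in ("HOME_NET", "EXTERNAL_NET"):
        if name not in defs:
            findings.append("%s is not defined" % name)
            continue
        try:
            value = resolve(defs, defs[name][1])
        except KeyError:
            continue                           # reported below as dangling
        if value.strip().lower() == "any":
            findings.append("%s is 'any'" % name)
    for name, (_kind, value) in defs.items():
        try:
            resolve(defs, value)
        except KeyError as e:
            findings.append("%s references undefined $%s" % (name, e.args[0]))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_network_variables(conf) or ["ok"])
```

Run the audit over the file as saved from the Edit Config File menu before starting Snort in test mode; a dangling $NAME is exactly the kind of error that "-T" without an interface will not surface.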
... reflect the number of times that a network message was received and could not be enqueued at the serial port because of output buffering constraints. This is usually symptomatic of a remote peer that uses a higher baud rate, or of local flow control.

Section 3.10.7.7 Serial Protocols Trace Menu

Figure 99: Serial Protocols Trace Menu (Line Trace. Specifying large numbers of ports, entries and capture time can result in a great deal of output. Trace on ports: 1, 2, 3, 4, All Ports; Message: RX/TX, Hex dump; Incoming/Outgoing Connections; Maximum number of entries to capture: 20; Maximum time in seconds to capture over: 5, 15 or 30; Start Trace; Return to Serial Protocols)

    15:30:03.261 TCPCONN Opening connection to 172.30.148.37:50001 (39795) for serial port 1
    15:30:03.262 TCPCONN Connect failure 111 (Connection refused) 172.30.148.37:50001 for serial port 1
    3 seconds to capture
    2 seconds to capture
    1 second to capture

This menu displays decoded serial port and network activity. The desired traffic sources, number of messages and length of time to capture are entered and the Start Trace button is pressed. The menu will display up to the provided number of messages, waiting up to the specified number of seconds. The Trace on ports selection features a list of serial ports, with unused entries greyed out. The default is ...
Section 2.2.12 Current Routing & Interface Table

Figure 14: Current Routing & Interface Table

Routing Table
Destination    | Via | Device | Metric | Protocol | Source      | ToS | Weight
192.168.0.0/24 |     | eth1   |        | kernel   | 192.168.0.3 |     |

Interface Status
Device | Link Up | Address     | Netmask | Bcast         | Peer | MTU   | Txqueuelen
lo     | Yes     | 127.0.0.1   | 8       |               |      | 16436 | 0
eth1   | Yes     | 192.168.0.3 | 24      | 192.168.0.255 |      | 1500  | 1000
eth2   | No      | 192.168.2.1 | 24      | 192.168.2.255 |      | 1500  | 1000
eth3   | No      | 192.168.3.1 | 24      | 192.168.3.255 |      | 1500  | 1000
eth4   | No      | 192.168.4.1 | 24      | 192.168.4.255 |      | 1500  | 1000

(Refresh; Return to Network Utilities)

This menu displays the current routing table and the state of the router's interfaces. Select the Refresh link in order to refresh the display.

The entries under the Destination field reflect the network or host which can be reached through this route. The default entry matches any packet which has not already matched another route. The entries under the Via field reflect the address of the gateway to route packets through to reach the target network; the field is blank for non-gateway routes. The entries under the Device field reflect the name of the interface this route belongs to; packets using this route will be sent on this interface. The entries u...
Section 5.1 Configuring Networking
Section 5.2 Configuring Ethernet Interfaces
Section 5.3 Configuring Frame Relay, PPP and T1/E1
Section 5.4 Configuring Frame Relay, PPP and T3/E3
Section 5.5 Configuring Frame Relay, PPP and DDS
Section 5.6 Multilink PPP over T1/E1
Section 5.7 Configuring PPPoE Bridged Mode On ADSL
Section 5.8 Configuring the Firewall
Section 5.9 Traffic Control
Section 5.10 Traffic Prioritization
Section 5.11 Configuring IPSec VPN
Section 5.12 Configuring Dynamic Routing
Section 5.13 Link Backup
Section 5.14 Configuring VRRP
Section 5.15 Link Layer Discovery Protocol (LLDP)
Section 5.16 Configuring Generic Routing Encapsulation
Section 5.17 Configuring Layer 2 Tunnels
Section 5.18 Configuring the DHCP Server
Section 5.19 DHCP Relay
Section 5.20 Configuring NTP Servers
Section 5.21 CrossBow Station Access Controller (SAC)

Section 5.1 Configuring Networking

This section familiarizes the user with:

- Configuring routing and gateways
- Configuring DNS (Domain Name System)
- Entering host addresses
- Configuring a pair of End-To-End Backup interfaces
- Viewing routing tables

Section 5.1.1 IPv6 Fundamentals

Version 6 of the Internet Protocol (IPv6, RFC 2460) has been designated to replace IPv4...
... needs to be egressed with a VLAN tag through a traffic control interface. The Map ingress to mark and Map egress to mark fields allow you to set ingress and egress marks. Egress markers for QoS maps are used to assign priority to traffic that shares the same mark as one of the egress marks configured for the device. The Create and Apply button creates and applies the new virtual LAN interface.

Section 5.2.6.6 Bridge Configuration

Figure 174: Creating an Ethernet Bridge (Bridge Configuration Parameters: Enable Bridge: Enable/Disable; IP Address/Mask: None, From DHCP, or a static address such as 192.168.40.1/24; Select Bridge Devices: eth3 Ethernet, eth4 Ethernet; Retain IP on Bridge Devices; Return to Ethernet Main Menu)

This menu allows you to configure the Ethernet bridge interface. The Enable Bridge field controls whether the bridge interface is enabled. The Bridge Filtering icon also appears on the Ethernet menu. If the bridge interface is disabled, the other fields will be ignored. The IP Address/Mask field assigns the IP address and mask on this bridge interface. The bridge interface may similarly use one or more static IPv4 or IPv6 addresses, or obtain an address via DHCP. The Select Bridge Devices list is used to select which Ethernet interfaces are to be p...
(Refresh; Continuous Display)

Ethernet Statistics
Interface | L2 MAC Address    | Rx Frames | Tx Frames | Rx Chars | Tx Chars | Errors
eth3      | 01:0c:cd:01:00:33 | 167302    | 0         | 9368912  | 0        | 0

Connection Statistics
Interface | L2 MAC Address    | Remote IP    | Rx Packets | Tx Packets | Rx Chars | Tx Chars | Errors
eth3      | 01:0c:cd:01:00:33 | 192.168.2.20 | 167302     | 0          | 10038120 | 0        | 0

Round Trip Times
Remote IP    | Transmitted | Received | Minimum RTT | Average RTT | Maximum RTT | Std Deviation
192.168.2.20 | 2843        | 2843     | 0.051 ms    | 0.867 ms    | 27.948 ms   | 0.768 ms

(Refresh; Continuous Display; Clear RTT Statistics; Return to Layer 2 Tunnels)

Figure 307: GOOSE Statistics Menu

This menu presents statistics of GOOSE activity at the Ethernet and network layers. The Ethernet Statistics table provides a record for each GOOSE tunnel. The number of historical received and transmitted characters, as well as errors, will be displayed. The Connection Statistics table reflects UDP connections. Network and Ethernet connections can be paired by examining the L2 MAC Address field.

NOTE: All counts are from the router's perspective. The Rx Packets count reflects packets received from the network, the contents of which are transmitted at the protocol and reflected in the Tx Chars field. Th...
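The Round Trip Times tables of the generic L2 and GOOSE statistics menus above both carry a Transmitted/Received pair and RTT spread, and the text notes that Continuous Display shows a difference rather than a rate. The following added example (not code from the ROX documentation) parses that table layout and turns the numbers into findings: cumulative loss, an RTT spike relative to the mean and standard deviation (GOOSE is latency-sensitive, so a spike matters even with no loss), and loss over an interval between two snapshots, which is what a cumulative counter hides. The first table is built from the values in the two figures; the second snapshot is invented for the interval calculation.

```python
import re

# Added example, not code from the ROX documentation. The table reproduces
# the values from the two figures; the "later" snapshot is constructed.

RTT_TABLE = """\
Remote IP      Transmitted  Received  Minimum RTT  Average RTT  Maximum RTT  Std Deviation
192.168.12.2   2783         2782      0.769 ms     1.146 ms     58.743 ms    2.080 ms
192.168.2.20   2843         2843      0.051 ms     0.867 ms     27.948 ms    0.768 ms
"""

ROW_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+(\d+)\s+([\d.]+) ms\s+([\d.]+) ms\s+([\d.]+) ms\s+([\d.]+) ms\s*$"
)


def parse_rtt_table(text):
    """Parse the table (header line first) into a list of dicts."""
    rows = []
    for line in text.splitlines()[1:]:
        m = ROW_RE.match(line)
        if not m:
            raise ValueError("unparsed row: %r" % line)
        ip, tx, rx, lo, avg, hi, sd = m.groups()
        rows.append({"remote": ip, "tx": int(tx), "rx": int(rx),
                     "min": float(lo), "avg": float(avg),
                     "max": float(hi), "std": float(sd)})
    return rows


def assess(row, max_loss=0.01, spike_sigmas=3.0):
    """Tag a row: 'loss' if cumulative loss exceeds max_loss, 'rtt_spike' if
    the worst RTT lies more than spike_sigmas standard deviations above the
    mean, 'rx_exceeds_tx' if the counters are inconsistent (for example one
    side's statistics were cleared)."""
    tags = []
    if row["rx"] > row["tx"]:
        tags.append("rx_exceeds_tx")
    loss = (row["tx"] - row["rx"]) / row["tx"] if row["tx"] else 0.0
    if loss > max_loss:
        tags.append("loss")
    if row["max"] > row["avg"] + spike_sigmas * row["std"]:
        tags.append("rtt_spike")
    return {"remote": row["remote"], "loss": loss, "tags": tags}


def interval_delta(prev, cur, seconds):
    """Loss and send rate between two snapshots taken `seconds` apart. The
    menu shows only the raw difference; dividing by the interval gives the
    rate, and loss over the interval is the figure to alarm on."""
    sent = cur["tx"] - prev["tx"]
    got = cur["rx"] - prev["rx"]
    lost = sent - got
    return {"sent": sent, "lost": lost,
            "loss": lost / sent if sent else 0.0,
            "tx_per_s": sent / seconds}


if __name__ == "__main__":
    rows = parse_rtt_table(RTT_TABLE)
    for r in rows:
        print(assess(r))
    later = dict(rows[0], tx=2883, rx=2872)   # constructed later snapshot
    print(assess(later)["tags"], interval_delta(rows[0], later, 100.0))
```

With the constructed later snapshot, cumulative loss for 192.168.12.2 is still below 1% (11 of 2883), yet 10 of the last 100 probes were lost; the interval figure is the one that reflects the current state of the link.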
The Lookup Addresses field causes ping to resolve IP addresses to domain names. This can make ping behave very slowly if DNS is not properly configured. The Packet Size field specifies the size of the data in the ping packet; the true length of the packet is 28 bytes larger due to IP/ICMP overhead (a 20-byte IPv4 header plus an 8-byte ICMP header). The Time between pings field limits the rate at which pings are sent. The Pattern(s) to send (Hex) field specifies a pattern to fill the packet sent. This is useful for diagnosing data-dependent problems in a network; for example, specifying ff will cause the sent packet to be filled with all ones.

Section 2.2.3 Ping Check Menu

The Ping Check utility is configured to ping an IP host. If the configured host fails to respond to ping checks, the utility performs a configured action in response. For example, if it is detected that a host across a PPP connection is no longer reachable, one might wish to explicitly reset the PPP connection. The main Ping Check menu displays a list of currently configured and active ping check entries.

Figure 5: Ping Check Menu
Index | Interval (sec) | Ping tries | Remote IP address | Action
(Add a new Ping check; Return to Network Utilities)

The main Ping Check menu also contains links to Add a new Ping check or to Edit an existing entry.

Ping Check
Parameter | Value | Description
System Time

Figure 145: System Time (Day, Date, Month, Year, Hour: Tuesday 26 November 2013 09:13:56; Apply. Timezone list, e.g. Australia/Melbourne, Australia/NSW, Australia/North, Australia/Perth, Australia/Queensland, Australia/South, Australia/Sydney, Australia/Tasmania, Australia/Victoria, Australia/West, Australia/Yancowinna, Canada/Atlantic, Canada/Central, Canada/East-Saskatchewan; Current location or zone; Change timezone. Note: if the timezone is changed, a reboot is required; you can reboot the router from the Bootup and Shutdown menu.)

This menu provides a method to set the router's time and timezone.

NOTE: OSPF and RIP are sensitive to accurate system time. If OSPF or RIP are enabled, changing the time from this menu will cause them to be restarted.

Section 4.4 Managing SSH Keys and Certificates

The following sections describe how to manage SSH certificates and keys on the device:

- Section 4.4.1 Uploading SSL Keys and Certificates
- Section 4.4.2 Regenerating SSL Keys and Certificates
- Section 4.4.3 Regenerating SSH Keys

Section 4.4.1 Uploading SSL Keys and Certificates

The SSL file used in ROX is a file that contains both the SSL private key and the SSL certificate. Both are in PEM format. See the example below.

1. Once the SSL certificate and key have been created and are available in the correct ...
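Both the Webmin SSL file described here (key and certificate in one PEM file) and the IPSec certificate files installed under /etc/ipsec.d in Section 5.11.20.5 are PEM bundles that are easy to get subtly wrong: a missing block, a truncated paste, or a key that still carries a passphrase. The following added example (not code from the ROX documentation or from Webmin) checks a bundle before it is uploaded: it confirms there is exactly one private key block and at least one certificate, that each block is valid base64 wrapping a DER SEQUENCE whose declared length matches the block, and that the key is not passphrase-protected, on the assumption that an unattended service cannot prompt for a passphrase at start-up. The PEM payloads used are constructed 5-byte DER stubs, not real keys or certificates.

```python
import base64
import re

# Added example, not ROX or Webmin code. STUB is a constructed DER payload
# (SEQUENCE { INTEGER 5 }), used only so the checks have something to parse.

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

STUB = "MAMCAQU="   # base64 of 30 03 02 01 05
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\n" + STUB + "\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n" + STUB + "\n-----END RSA PRIVATE KEY-----\n"
)


def der_length_ok(der):
    """Does the outer DER tag/length header account for the whole block?"""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = SEQUENCE
        return False
    first = der[1]
    if first < 0x80:                             # short-form length
        length, hdr = first, 2
    else:                                        # long form: 0x8N then N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + length == len(der)


def pem_blocks(text):
    """Return [{label, headers, der}] for every PEM block; der is None if the
    base64 body does not decode."""
    blocks = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        lines = body.splitlines()
        headers = [l.strip() for l in lines if ":" in l]       # e.g. Proc-Type
        data = "".join(l.strip() for l in lines if ":" not in l)
        try:
            der = base64.b64decode(data, validate=True)
        except ValueError:                                     # binascii.Error
            der = None
        blocks.append({"label": label, "headers": headers, "der": der})
    return blocks


def check_bundle(text):
    """Return a list of problems; an empty list means the bundle looks usable."""
    problems = []
    blocks = pem_blocks(text)
    labels = [b["label"] for b in blocks]
    for b in blocks:
        if b["der"] is None:
            problems.append("%s: invalid base64" % b["label"])
        elif not der_length_ok(b["der"]):
            problems.append("%s: DER length mismatch" % b["label"])
        if b["label"].endswith("PRIVATE KEY") and (
                b["label"].startswith("ENCRYPTED")
                or any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in b["headers"])):
            problems.append("private key is encrypted")
    if "CERTIFICATE" not in labels:
        problems.append("no certificate block")
    if sum(1 for l in labels if l.endswith("PRIVATE KEY")) != 1:
        problems.append("expected exactly one private key block")
    return problems


if __name__ == "__main__":
    print(check_bundle(SAMPLE_BUNDLE) or "bundle ok")
```

The DER length check catches the most common upload failure, a block cut off in the middle of a copy-and-paste, without needing a full ASN.1 parser; whether the certificate actually matches the key is a separate check that openssl can do once the file is on the device.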
... management station while the firewall is stopped. If you do not do this, you lose web/ssh access and have to gain access via the console in order to restart the firewall. Stopping the firewall will not disable it; disable the firewall via the System folder, Bootup and Shutdown menu. The Show Status button presents a variety of information summarizing the status of the firewall and routing system. The Check Firewall button tests the current configuration to ensure it is valid.

Section 5.8.5.1 Network Zones

Figure 219: Firewall Network Zones (The zones listed on this page represent different networks reachable from your system, defined by name and type of zone.)
Zone ID | Zone type       | Add
fw      | Firewall system |
(Add a new network zone; Manually Edit File: click this button to manually edit the Shorewall file /etc/shorewall/zones in which the entries above are stored; Return to list of tables)

This menu allows you to add, delete and configure zones. Add a new zone by selecting the Add a new network zone link, or by clicking on the add-above or add-below images in the Add field. The Zone Type field controls the type of traffic carried in the zone. The Firewall system zone type is built in to the fw zone. A zone type of IPSec is used with policy-based VPNs.
... attempts the modem dials the phone number before it stops. If Maximum Dial Attempts is 0 it will try forever. Otherwise the Reconnect button will appear in the Modem Main Menu after the specified number of consecutive failed connection attempts.

(Save: saving will reset the PPP link to update settings; Delete; Return to Modem PPP Client Connections)

Figure 89: Configure Modem PPP Client

The Connection Name field determines what name will be used to refer to this connection when choosing which connection to dial automatically at boot, or which connection to use as a backup for another link. The PPP Username field determines the user name to use when connecting to the PPP server, as specified by your network provider. If the username is not required, you can enter "none" in this field or leave it blank. The Password field determines the password to use when connecting to the PPP server. If the password is not required, you can enter "none" in this field or leave it blank. The Default Route check box enables automatically setting a default route using this interface whenever it connects; if this is your primary connection you probably want this option enabled. The Use peer DNS check box enables automatically setting the DNS server entries that the PPP server recommends; enable this option unless you provide your own name servers. The Maximum Dial Attempts field specifies the number of consecutive connection attempts the modem dials the phone number...
...ency warnings: 0
Number of transmitter DMA descriptor errors: 0
Number of transmitter DMA descriptor length errors: 0
(Refresh; Clear Statistics; Return to T1/E1 Main Menu)

Figure 211: MLPPP Link Statistics

Section 5.7 Configuring PPPoE Bridged Mode On ADSL

This section familiarizes the user with:

- Configuring PPPoE and Bridged Mode links
- Viewing status

An ADSL (Asymmetric Digital Subscriber Line) line is a communications link running over regular POTS telephone service. The link is asymmetric, supporting data transfer at up to 8 Mbps from the network and up to 1 Mbps to the network. The actual bandwidth depends upon the distance between the router and the telco central office, the maximum distance of which may be up to 5480 m. An ADSL card must connect to a central ADSL DSLAM for its connection. ADSL shares ordinary telephone lines by using frequencies above the voice band. ADSL and voice frequencies will interfere with each other; if the line will be used for both data and voice, a splitter should be installed to divide the line for DSL and telephone. ADSL is almost always used to make a connection to the Internet via an ISP. There are two methods for establishing the connection: PPPoE and Bridged mode. ADSL uses the ATM protocol to communicate with the central office DSLAM. ATM uses virtual cha...
... depends on the number of ports and how they are ordered. Refer to the labelled hardware image as presented in the Webmin home page. To make labelling easy to understand, all T1/E1, T3/E3, DDS and ADSL ports are assigned a unique port number that relates to the LEDs on the status panel.

Section 5.4.3 LED Designations

ROX includes two sources of LED-indicated information about T3/E3 lines: the T3/E3 card itself and the LED panel. One LED is associated with each line, next to the interface jack. This LED is red when the link is disconnected, flashes green when the link is connecting, and remains solid green when the link is established. ROX also indicates information about T3/E3 ports on the LED panel: a pair of LEDs will indicate traffic and link status of the port. Consult Section 3.3 Using The LED Status Panel to determine which LEDs correspond to the port.

Section 5.4.4 T3/E3 Configuration

Figure 194: T3/E3 Trunks and Interfaces (T3/E3 Trunks And Interfaces; Current Route & Interface Table)

This menu allows you to display and configure T3/E3 trunks, as well as display the routes and status of the network interfaces.

Section 5.4.4.1 T3/E3 Trunk Interfaces

T3/E3 WAN Interfaces: T3/E3 Trunks, Channels and Logical Interfaces (Refresh thi...
... Siemens technicians. As such, this interface is not fully documented. Misuse of CLI commands can corrupt the operational state of the device and render it inaccessible.

The following commands run from the command line.

To enable the firewall now or at bootup:

    /etc/init.d/shorewall enable

To disable the firewall now or at bootup:

    /etc/init.d/shorewall disable

To clear the firewall (clearing allows all connections):

    /etc/init.d/shorewall clear

To stop the firewall:

    /etc/init.d/shorewall stop

To start or restart the firewall:

    /etc/init.d/shorewall start
    /etc/init.d/shorewall restart

Note the difference between clear and stop: clear removes all filtering and leaves the device fully open, whereas stop leaves Shorewall in its stopped state, in which only hosts listed in /etc/shorewall/routestopped can reach the device. Neither should be left in place on a device that is reachable from an untrusted network.

Section 5.9 Traffic Control

Traffic Control is a subsystem of the firewall that allows management of the amount of bandwidth per network interface that different types of traffic are permitted to use. Each interface to be managed is assigned a total bandwidth that it should allow for incoming and outgoing traffic. Classes are then defined for each interface, each with its own minimum assured bandwidth and a maximum permitted bandwidth. The combined minimum of the classes on an interface must be no more than the total outbound bandwidth specified for the interface. Each class is also assigned a priority, and any bandwidth left over after each class has received its minimum allocation (if needed) will be allocated to the lowes...
264. ents the default class as defined in TC Classes. This allows explicit traffic control of even unspecified network connections. Section 5.9.2 Traffic Control Configuration. NOTE: Traffic Control is mutually exclusive of Traffic Prioritization. Do not enable both of these features at once. Section 5.9.2.1 TC Interfaces (tcdevices). [Figure 232: TC Interfaces. Help text: Each of the traffic classification interfaces on your system that you want Shorewall to manage should be listed on this page, with the maximum inbound and outbound bandwidths the link is capable of handling. The loopback interface (lo) must never be listed. Table columns: Interface, In bandwidth, Out bandwidth; example row: eth1, 2000kbit, 5000kbit. Links: Add a new traffic classification interface; Manually Edit File (click this button to manually edit the Shorewall file /etc/shorewall/tcdevices in which the entries above are stored); Return to list of tables.] This menu allows you to add, edit or remove traffic classification interfaces and to assign the maximum inbound and outbound bandwidths that the interface can handle. Add a new traffic classification interface by selecting the Add a new traffic classification interface link, or by clicking on the add above or add below images in the Ad
265. er 3, RUGGEDCOM ROX Device Management User Guide. Section 3.7.7.1 Power over Ethernet Menu. [Figure 56: Power over Ethernet Menu. Table columns: Port Name, Enabled, Power Limit (W), Power Delivery, Class, Voltage (V), Current (mA), Power (W), Status; ports eth1 and eth2 are listed, both Enabled, with no power delivery and status ok. Buttons: Save, Refresh; Return to Miscellaneous Main Page.] This menu allows you to enable or disable the Power over Ethernet function and set the power limitation on available Ethernet ports. It also displays the current status of each port. The Port Name column identifies the Ethernet port number. The Enabled column allows you to enable or disable the Power over Ethernet function on this port. The Power Limit column specifies the monitored power limitation on the port; an alarm will be generated if the power exceeds this limitation. The Power Delivery column shows whether power is delivered on this port. The Class column shows the class of the PD device on this port. The Voltage, Current and Power columns show the voltage, current and power values, in units of volts, milliamperes and watts respectively, when there is power delivery on this port. The Status column shows whether any error has been detected on this port. Section 3.7.8 Banner Configuration. Ban
266. er Guide. Log destination displays the location or logging method of the log. Active displays whether syslog is logging messages to the log. Messages selected displays the filtering criteria used to include messages in the log. ROX implements a set of default system logs, as described in Section 3.7.9.1, Syslog Factory Defaults. System logs can be encrypted for secure remote logging, as described in Section 3.7.9.2, Enabling Secure Remote Syslog. In support of remote syslogging, the Remote Syslog Source IP Bind Interface field makes it possible to bind the selected network interface's IP address to syslog. Syslog messages transmitted by the router will then have the selected interface's IP address as their source. If none is selected, the source IP address will be that of the network interface from which messages are transmitted to the remote syslog server. Any changes made using this menu, including adding or modifying system log configurations or changing the IP Bind Interface address, require clicking Apply Changes in order to take effect. If the syslog daemon is not yet running, the button will instead read Start Syslog Server. Section 3.7.9.1 Syslog Factory Defaults. Although new logs can be created and the type of information saved in existing logs changed, the factory defaults are as follows. messages: this log file catches a wide variety of generic information, excluding authentication, cron and mail messages. Thi
267. er destroyed. Manually created archives are never destroyed. If you make a configuration change you later wish to reverse, you can restore a previously made archive completely. An archive difference tool is provided, showing the difference between one archive and either another archive or the current configuration. Changes in configuration can also be detected and unwound by applying the previous state of a router on a file-by-file basis. The archive filename is user-definable and can include any of date, time, host name and/or release version. Archives can be uploaded to the router and restored. A Configuration Rollback feature allows users to safely make modifications under a safety net. A factory defaults file is included. Note the following caveats: chassis-specific items such as serial number, hardware inventory and MAC addresses are not saved; log and history files are not saved; information stored in the root and user accounts is not saved. Section 3.7.2.1 General Configuration. [Figure residue: General Configuration Options. Automatic Nightly Backup Schedule: At 00:00. Archive Name Includes: Date, Time, Hostname, Router Version. Archive Aging: Remove after 5 (1-30) Days. Configuration Server Options: Export Method (off, SCP, FTP). FTP Options: Username, Password, Use Anonymous. SCP Opti
268. er is connected to a Client Gateway with a 115.2 Kbps line. The RTUs are restricted to 9600 bps lines. The network is Ethernet based and introduces on average 3 ms of latency. Analysis of traces of the remote sites has determined that the min/max RTU think times were 10/100 ms. What time-out should be used by the Master? The maximum sized Modbus message is 256 bytes in length. This leads to a transmission time of about 25 ms at the Master and 250 ms at the RTU. Under ideal circumstances, the maximum round-trip time is given by: 25 ms (Master to client) + 3 ms (network delay) + 250 ms (server to RTU) + 100 ms (think time) + 250 ms (RTU to server) + 3 ms (network delay) + 25 ms (client to Master). This delay totals about 650 ms. Contrast this delay with that of a quick operation such as reading a single register. Both request and response are less than 10 bytes in length and complete, for this example, in 1 and 10 ms at the client and server. Assuming the RTU responds quickly, the total latency will approach 35 ms. It is also necessary to take into account such factors as the possibility of line errors and collisions between masters at the server. The server may be configured to recover from a line error by retransmitting the request. Given a maximum frame transmission time of 250 ms and an RTU latency of 100 ms, it would be wise to budget 350 ms for each attempt to send to the RTU. Configuring a single retransmission would increase the end-to
269. er is equipped with a second internal modem, the interface name for the second modem connection is ppp20. Refer to these interface names when configuring firewall rules. Section 3.8.2 Authentication, Addresses and DNS Servers. PPP authentication automatically uses either the PAP or CHAP protocol. To create a PPP client connection in Webmin, obtain a user ID, password and telephone number from the operator of the PPP server to which you are connecting. The operator might be an Internet Service Provider or a system administrator within your organization. The authentication process provides a local IP address for use on the PPP interface and, optionally, the addresses of the DNS servers and default gateway. Generally, you should use these addresses unless you need to provide your own. The PPP interface IP address obtained from the PPP server can be either a dynamic or a static IP address; firewall configuration should be performed as is appropriate for the type of address. In the case of a PPP server configuration, you must configure the parameters described above for incoming PPP client connections. Section 3.8.3 When the Modem Connects. A PPP Client Connection may be configured to connect at boot time or to dial only when there is traffic to be transmitted. Section 3.8.4 PPP Dial On Demand. The PPP client can be configured to dial only when there i
270. er using the Microsoft Windows VPN L2TP client. NOTE: L2TPD listens on UDP port 1701. The firewall will need to be configured to allow connections to L2TPD via IPSec, but to prevent connections to L2TPD directly, without using IPSec. Section 5.11.11 IPSec VPN Configuration. [Figure 246: IPSec VPN Configuration Menu Before Key Generation. IPsec VPN Configuration, Openswan version U2.4.13/K2.6.26.2-gx1. No host key appears to be listed in the file /etc/ipsec.secrets; one must be generated for your system before you can define any VPN connections. Button: Generate key for host ruggedcom.] Upon the first entry to this menu you will be prompted to generate a VPN host key. Key generation will require about 30 seconds to complete, after which the menu appearance will change. Section 5.11.12 VPN Main Menu. The new menu appearance will resemble that of the following menu, with the exception that you will be warned that VPN networking is not enabled. Enable VPN networking via the System folder, Bootup and Shutdown menu. [Figure residue: IPsec VPN Configuration, Openswan version U2.4.13/K2.6.26.2-gx1. Existing VPN connections: No IPsec VPN connections have been defined yet. Links: Add a new IPsec VPN connection; Add defaults for all connections; Import connection from file; Global options and policies.]
271. erfaces. Section 5.3.2.1 T1/E1 Network Interfaces. [Figure 181: T1/E1 Network Interfaces, Initial Configuration. T1/E1 WAN Interfaces: T1/E1 Trunks, Channels and Logical Interfaces; Refresh this page. T1 2 (Down): Channelized interface, assigned time slots ALL; channel 1, name w2c1fr16, Down, Statistics, no description, Local Address 1.1.1.1, Netmask 255.255.255.255, Remote Address 1.1.1.2; links: Edit T1 2 Parameters, View T1 2 Link Statistics, Loopback this Interface (enable/disable loopback modes). T1 3 (Not Running): Channelized interface, assigned time slots ALL; links: Assign a new Frame Relay logical interface, Edit T1 3 Parameters, Assign a new PPP logical interface, Assign new MLPPP logical interfaces. Return to T1/E1 Main Menu.] This menu allows you to display and configure T1/E1 Trunk parameters, Channels and the logical interfaces that run on them. A table is presented for each interface. Note that the interface number is the same regardless of whether it is a T1 or E1 interface. Interface numbers are as described by the WAN labels shown in the home page chassis diagram. The status of the trunks' physical and logical interfaces is shown. This
272. ert. Derive identity from incoming certificate. Next hop to other system: Default. Apply the configuration to restart the server and create an IPSec0 interface. Section 5.11.20.6 Firewall IPSec Configuration. Create firewall Zones vpn and net. Ensure that the WAN interface (here w1ppp) and the IPSec0 interface are present in the Shorewall Network Interfaces. The WAN interfaces should be in zone net, while IPSec0 should be in zone vpn. Add the following firewall rules (Action, Source Zone, Destination Zone, Protocol, Dest Port): ACCEPT all fw ah; ACCEPT all fw esp; ACCEPT all fw udp 500; ACCEPT vpn loc. Restart the firewall to install the rules. Section 5.11.20.7 Ethernet Port Configuration. Because the remote client will be assigned a local IP address but is reachable only through the IPSec connection, proxy ARP must be employed. Activate proxy ARP on the Ethernet interface that hosts the local network (here eth1) via the Networking Menu, Ethernet sub-menu, boot-time entry, Proxy ARP setting. When a host on eth1 ARPs for the remote client address, the router will answer on behalf of the client. Section 5.12 Configuring Dynamic Routing. This section familiarizes the user with: enabling the Dynamic Routing Suite; enabling and starting OSPF, RIP and BGP; configuring OSPF, RIP and BGP; obtaining OSPF, RIP and BGP status; OSPF
273. erts generated by Snort are stored by one of three methods: as local syslog messages, as remotely syslogged messages, and in an alert file. [Figure 122: Snort Alerts. Alerts and Logging, Logging Destination: Local syslogging to Facility LOG_AUTH (/var/log/auth.log); Local Alert file /var/log/snort/alert; User name to mail Snort Alert file summaries to: root. Buttons: Save Changes, Reset Changes. Note: Snort will be restarted after clicking the Save Changes button. Return to Snort IDS Main.] When the Local syslogging method is chosen, the destination log file may be selected. When the alert file method is chosen, a daily analysis of the file can be emailed to the user provided in the User Name field. Note that you must also visit the Maintenance menu, Miscellaneous sub-menu, Outgoing Mail sub-menu in order to configure a mail forwarder. Section 3.15.6 Test Configuration. This menu validates the Snort configuration and displays a final report. The report lists any errors found and then provides details on the current status of the configuration. Use this utility to test your Snort configuration before deployment. Section 3.15.7 Edit Config File. [Figure residue: Edit Config File /etc/snort/snort.conf; VRT Rule Packages Snort.conf; For more information visit us at http://www.snort.org; Snort W
274. erver's ports to send a test message out on when the Enter key is pressed. In the absence of parameters, all decoding on all ports is provided.
    ROX# sertrace -p 1 -s 1
    0:56:18.405 TCPCONN Listening on TCP Port 50002 from port 1
    0:56:19.944 TCPCONN Connection opened from 10.0.10.236:4991 50002
    0:56:47.497 RAWSOCKET Transmitting message on port 1, length 44
    74 68 65 20 71 75 69 63 6b 20 62 72 6f 77 6e 20  the quick brown
    66 6f 78 20 6a 75 6d 70 65 64 20 6f 76 65 72 20  fox jumped over
    74 68 65 20 6c 61 7a 79 20 64 6f 67              the lazy dog
    0:56:47.545 RAWSOCKET Received message on port 1, length 44 (31ms by timer)
    74 68 65 20 71 75 69 63 6b 20 62 72 6f 77 6e 20  the quick brown
    66 6f 78 20 6a 75 6d 70 65 64 20 6f 76 65 72 20  fox jumped over
    74 68 65 20 6c 61 7a 79 20 64 6f 67              the lazy dog
    0:56:47.545 TCPCONN Tx Data from port 1 44b to 10.0.10.236:4991 50002
    Section 3.11 Synchronous Serial Ports. This section familiarizes the user with configuring the device to forward data from Synchronous Serial ports over IP using the Raw Socket protocol. The ROX Serial Protocols Server (see also Section 3.10, Configuring Serial Protocols), which forwards data traffic from asynchronous serial ports over IP networks, can also be configured to run Raw Socket connections over synchronous serial ports. ROX Synchronous Serial ports provide the following features: up to four independent sy
275. ery boot, you must enable it via the System folder, Bootup and Shutdown menu. Section 5.1.2.7 DNS Client. [Figure 163: DNS Client. DNS Client Options: DNS servers 192.168.1.1; Search domains: None / Listed: local.net; Save; Return to network configuration.] This menu allows you to display and configure various DNS client fields. The DNS servers fields allow you to specify, in order, the servers from which to request Internet Domain Name resolution. The Search domains field allows you to specify the domain names of, primarily, the domain of which the router is a member and, secondarily, other domains that may be used to search for an unqualified host name (i.e. as though it were local). If a domain name is not specified here, the router will attempt to extract this information from the host addresses. Section 5.1.2.8 Host Addresses. [Figure 164: Host Addresses. IP Address / Hostnames: 192.168.12.12 leftside_controller; 192.168.13.3 rtu9. Add a new host address; Return to network configuration.] This menu allows you to display and configure host addresses. Host addresses are useful when a non-changing IP address is often used or when DNS is not configured. Click the Add a new host address link to add an address.
276. es. The device provides you the ability to operate Frame Relay or PPP over your logical interfaces. An E1 is a communications circuit conforming to European standards, possessing 32 64-Kbps channels, of which one is usually reserved for signalling information. Section 5.3.1.1 Frame Relay. Frame Relay is a packet-switching protocol for use over the WAN. ROX provides the ability to construct point-to-point IP network connections over Frame Relay. Each Frame Relay interface provides a link between a local and a peer station. One of the stations must be configured as a Data Communications Equipment (DCE) device, often known as the Switch, while the peer station must be configured as a Data Terminal Equipment (DTE) device, often known as Customer Premises Equipment (CPE). The DCE is responsible for managing the link, advertising connections to the DTE and switching packets between connections. The DTE raises individual connections and sends data on them. When using a T1/E1 line to access a public Frame Relay provider, configure the Router as a DTE. Unlike PPP, a Frame Relay link can provide multiple connections. Each connection is identified by a Data Link Connection Identifier (DLCI), which must match at the DCE and DTE. The use of multiple connections can support meshed network interconnections and disaster recovery. Section 5.3.1.2 Location of Interfaces and Labelling. Unlike the Ethernet ports, which are statically located, the location of T1
277. ess will be that of the network interface from which messages are transmitted to the RADIUS server. Note again that this setting applies to the WEBMIN service only. Section 4.7 RADIUS Server Configuration. This section describes the configuration procedures for two popular RADIUS servers, FreeRADIUS and the Microsoft Windows Internet Authentication Service, in order to create and manage accounts that are able to access resources on ROX. There are four RADIUS attributes required for the configuration of accounts to access services on ROX. The following table shows the RADIUS attributes required by ROX for accounts that are designated to use one or more of the webmin, login, ppp or ssh services. Table: Required Attributes for various RADIUS services (columns: RADIUS Attribute, webmin, login, ppp, ssh). User ID: required, required, required, required. Password: required, required, required, required. [Page header: Edit RADIUS Server Parameters, 154; RUGGEDCOM ROX User Guide, Chapter 4, System Administration.] NAS Identifier: RuggedCom. Privilege level: required. Every account to be authenticated on behalf of the ROX must have a user ID and password. The RADIUS NAS Identifier attribute may optionally be used to restrict which service an account may access (webmin, login, ppp, ssh). Accounts that do not specify a NAS Identifier attribute may access any ROX service upon authentication. Accounts may also be defined to have
278. [illegible entry] 136; 4.3.1 Bootup and Shutdown 137; 4.3.2 Configuring Passwords 138; [viii, RUGGEDCOM ROX User Guide, Table of Contents] 4.3.2.1 Change Password Command 138; 4.3.2.2 Change Bootloader Password Command 139; 4.3.3 Scheduled Commands 139; 4.3.4 Scheduled Cron Jobs 140; 4.3.5 System Hostname 142; [illegible entry] 142; 4.4 Managing SSH Keys and Certificates 143; 4.4.1 Uploading SSL Keys and Certificates 143; 4.4.2 Regenerating SSL Keys and Certificates 144; 4.4.2.1 Generating Self Signed SSL Certificates with Scripting 145; 4.4.3 Regenerating SSH Keys 146; 4.5 Access Manager Secure Access Portal 146; 4.5.1 What Access Manager's Secure Access Portal Protects and How 147; 4.5.2 Access Manager and the Firewall 147; 4.5.3 VRRP Firewall Rules and Access Manager 150; 4.5.4 Acces
279. ey to the next over time. A key consists of a key string, which is the value used for authentication. It also has an optional lifetime during which to accept RIP messages with the key, and an optional lifetime during which to send RIP messages with that key. Section 5.12.6.21 RIP Interfaces. [Figure 278: RIP Interfaces. RIP Interface Configuration for eth1; columns: Parameter, Value (blank = default), Description, Possible values (default value). Passive Interface: value passive; control interface passive setting; default not passive. Receive Version: value 1 2; RIP version to accept from other routers; possible 1, 2, 1 2 (both); default 1 2. Send Version: value 2; RIP version to transmit to other routers; possible 1, 2, 1 2 (both); default 2. Authentication: None / String / Key Chain; authentication to use; possible None, Specified string, Specified key chain; default None. Authentication Mode: value Text; mode of authentication to use; possible Plain text, MD5 (RFC compliant), MD5 (old ripd compatible); default Text. Use Split Horizon: value Yes; use a split horizon; possible No, Yes, Yes with poisoned reverse; default No. Save; Return to interfaces.] Parameters specific to one interface are configured here. Each interface on the router is listed. Clicking on settings displays a menu of configuration options for that interface. Clicking Remove inactive interfaces purges the lis
280. f the NTP servers the client should use. Static routes: static routes the client should use. Time servers: the IPs of the time servers the client should use. Lesser used client options include: Subnet mask: the subnet mask the client should use (rarely needed). Broadcast address: the broadcast address the client should use (rarely needed). Log servers: the IPs of the log servers the client should use. Swap server: the IP of the swap server the client should use (normally only used for diskless, network-booted clients). Root disk path: the path the client should use for its root device (normally only used for diskless, network-booted clients). NIS domain: the NIS domain the client should use. NIS servers: the IPs of the NIS servers the client should use. Font servers: the IPs of the font servers the client should use (normally only used for X terminals). XDM servers: the IPs of the XDM servers the client should use (normally only used for X terminals). NetBIOS name servers: the IPs of the NetBIOS name servers the client should use. NetBIOS node type: the NetBIOS name resolution method the client should use. NetBIOS scope: the NetBIOS scope the client should use. Time offset: the offset from a time server the client should be using. Custom options allows you to add additional DHCP options required by a client. BOOTP and Dynamic DNS related options include: Boot filename: the filename the client should request from a tftp ser
281. fic to or from the selected IP address will be excluded (or displayed). A typical usage of this filter is to dump all traffic on an interface while preventing the user's own traffic from being displayed. The Ignore protocols / Only protocols selector excludes or displays traffic in the protocols specified in the accompanying check boxes. The Ports to trace field specifies TCP/UDP ports to trace; enter a list of port numbers separated by spaces to trace more than a single port. [Page footer: Tcpdump a Network Interface, 15; Chapter 2, RUGGEDCOM ROX Using ROX User Guide.] Section 2.2.9 Frame Relay Link Layer Trace a WAN Interface. [Figure 11: Frame Relay Trace Menu. Interface to capture on: w1c1fr16; Maximum packets captured: 20 (maximum 1000); Maximum capture time: 20 (maximum 240 sec); Trace.] Frame Relay tracing uses the wanpipemon utility. The Interface to capture on field specifies the interface to show traffic on. The Maximum packets captured and Maximum capture time fields limit the amount of traffic captured. Section 2.2.10 Serial Trace a Serial Server Port. [Figure 12: Serial Server Port Trace Menu. Trace on ports: 1, 2, 3, 4, All Ports; Message: RX, TX; Incoming/Outgoing Connections; Hex dump; Maximum packets captured: 20 (maximum 1000); Maximum capture time: 20 (maximum 240 sec); Serial Trace.] The Trace on ports fields specify the serial port to show
282. figuration menu's Start Connection button. If Start connection is chosen, then the connection will be authorized when Openswan is started but not activated until an incoming request arrives. A value of Route will cause a route (and only the route) for packets to be established, discarding packets sent there, which may be preferable to having them sent elsewhere based on a more general route (e.g. a default route). The Authenticate by fields select the authentication method. If Default is selected, the value in the Defaults for all connections record is used. If rsasig is selected, then the System's public key of each of the Left System's Settings and Right System's Settings sections must include an RSA signature string, or an X.509 certificate must be in use. If secret is selected, then the Preshared key menu must contain a key indexed by the Public IPs of the Left and Right systems. The Phase 1 Encryption Protocols fields select the encryption protocols used for Phase 1 (aka ISAKMP SA). If Default is selected, the value in the Defaults for all connections record is used. If allow only is selected, only the selected protocols among aes256, aes192, aes128 and 3des will be included in the list of protocols to be negotiated. At connection time the two peers will compare their capabilities and select the strongest allowed common protocol. In decreasing order of cryptographic strength, they are AES256, AES192, AES128 and 3DES. The
283. for ROX. 1. Create a group for each privilege level. For example, for the operator privilege level, create a group named RADIUS ROX operator. User accounts needing operator privileges would then be added to this group. 2. Use the New Remote Access Policy Wizard to create a custom policy with the following settings. Policy conditions: NAS Identifier matches webmin; Windows Group matches the group corresponding to the user's privilege level. Permission: Grant remote access permission. 3. Double-click the newly created policy name. In the popup window, click the Edit Profile button. [Figure 151: IAS Window, Edit Remote Access Policy.] 4. In the Edit Profile window, under the Advanced tab, click the Add button. [Figure 152: IAS Window, Edit Profile.] 5. In the Add Attribute window, select the Vendor Specific attribute line and click Add. 6.-7. To add an attribute to the Profile, select the attribute and then click Add. To add an attribute that is not listed, select the Vendor Specific attribute. Attribute: Tunnel Server Auth ID (RADIUS Standard): specifies the name used by the tunnel te
284. format, log in to the ROX web interface. 1. Navigate to Maintenance > Upload/Download Files. 2. Under Send files from your current host to router, choose the file to upload. 3. In the File or directory to upload to textbox, type the following: /etc/webmin/miniserv.pem. 4. Click Send to router. 5. Reboot the ROX device for Webmin to start using the new certificate. The SSL Key/Certificate format in ROX I looks as shown in the example below. NOTE: This is only an example. Do not use this key and certificate combination. MIIC DCCAmGgAwIBAgIJALOJ8uF HwWXMA0GCSqGSIb3DQEBBQUAMIGuMQswCQYD VOOGEWJDOTEOMA4GA1UECBMHT250YXJpbzEQOMA4GA1UEBXMHO2 9uY 2 9yZDESMBAG AlUEChMJUnVnZ2VkY29tMRkwFwYDVQOLExBDdXNOb211ciBTdXBwb3JOMSYwJAYD VOQODEx1WTS1WSVZFSylURVNULIJVROdFRENPTS5MTONBTDEkMCIGCSqGSIDb3DQEJ ARYVc3VwcG9ydEBydWdnZzWRjb20uY29tMBA4XDTEzMDUxNzIwMzkwNVoXDTE4MDUx NjIwMzkwNVowgZ4xCzAJBgNVBAYTAkNBMRAwDgYDVQOIEwdPbnRhomlvMRAwDgYD VQOHEwdDb25jb3JkMRIwEAYDVQOKEwlSdWdnZWRDb20xGTAXBgNVBAsTEEN1C3Rv bWVyIFN1cHBvcnQOxFjAUBgNVBAMTDTE 3Mi 4zMC4xNDguNDYxJDAiBgkgqhkiG9w0B CQEWFVN1ICHBvcnRAcnVnZ2VkY29tLmNvbTCBnzANBgkqhkiG9wOBAQEFAAOBjQAw gYkCgYEAr3HpxLytAc CT6gJwqW jENHUUleM11TDZt4nRcu JLgSssPzl94IYYE Gv3YoI Ep4qqrvXwpHlOmsYlCcmmaIbPFAcscmLFjlzWmM MKnDGnhSLZozArxAq 2TlsUkITmNIdfC6jKNtC8q9e674yKIS9BSMsBXa Wi BUdLNH KOCAwEAAaMsMCOW COYDVROTBAIwADAdBgNVHQA4EFgQUi ijRkgmRox5jYFsRimo7Ex8Em2swDQYJKoZI hvcNAQEFBQADgYEAeR10MJ8YiW OqIXh79NCaByOGuReghuljLtxrwkclfTEQ626 t kI7w
285. formation of logical interfaces configured on top of it. For example, it could be that all the logical interfaces on a given physical interface are not running, but the physical interface itself is still up and running. The Use Virtual MAC option determines whether or not to use a virtual MAC address for the virtual IP address. By default, ROX does not use a virtual MAC address for VRRP; the virtual IP address is bound to the physical interface on which VRRP works. When Use Virtual MAC is selected, ROX creates a virtual interface with the name VRRP vrid, where vrid is the virtual router ID set for this VRRP instance. When it becomes the Master, the virtual IP address is bound to this interface, and the virtual MAC address will be 00:00:5e:00:01:vrid, where vrid is the hex value of the virtual router ID set for this VRRP instance. NOTE: When Use Virtual MAC is selected, a virtual interface is created and the virtual IP address will be bound to this interface. If you have the firewall configured, you must set it to allow VRRP messages to be sent and received on this virtual interface. When Use Virtual MAC is not selected, the virtual IP address is bound to the physical interface. If you have the firewall configured, you must set it to allow VRRP messages to be sent and received on the physical interface. The Virtual IP address field configures the VRIP IP addresses associated with this VRID. Multiple virtual IP addresses (maximum 200) can be conf
286. ftware will cause the ALARM LED to become active for various reasons. Any condition that causes the ALARM LED to become active will also activate the critical fail relay. The Web interface displays the alarms. Pressing the pushbutton for more than five seconds will reboot the router. Section 3.4 Obtaining Chassis Information. The chassis displays the hardware inventory at boot time. This information is captured in the /var/log/messages file after boot. The Web Management interface home page displays the chassis serial number. Section 3.5 Setting Up a Router Software Repository. The ROX upgrade mechanism requires a repository of software to be available. The following instructions detail: requirements for a repository server; initial set-up of a repository; upgrading the repository to the latest release; maintaining separate release streams for different groups of routers; setting up one router to test new releases; configuring the network routers. Section 3.5.1 Repository Server Requirements. In order to establish a repository, you will need a host that is accessible to the routers that will be upgraded. This host must be able to act as a web server or ftp server. The host must also be able to access www.siemens.com/ruggedcom in order to download new releases of software from Siemens. The server requirements are fairly modest. The princi
287. ful passwords settings, you are allowed to reuse an old password. NOTE: The password restriction mechanism in ROX uses PERL regular expression syntax. For the definitive reference documentation on regular expressions in PERL, refer to http://perldoc.perl.org/perlreref.html, http://perldoc.perl.org/perlre.html, http://perldoc.perl.org/perlretut.html and http://perldoc.perl.org/perlrequick.html. If you do not have access to an Internet connection but do have a UNIX/Linux system with PERL installed, access the local manual pages by typing one of the following commands at the command line: man perlreref, man perlre, man perlretut, man perlrequick. Root privilege is not required to access manual pages. Section 4.3 Configuring the System. This section familiarizes the user with: enabling and disabling processes such as SSH and Web Management; changing passwords; shutting down and rebooting the system; scheduling one-off and periodic commands; examining system logs; changing the hostname; changing the system time and timezone. Section 4.3.1 Bootup and Shutdown. [Figure residue: Bootup and Shutdown. Columns: Action, Start at boot, Running now, Description. Rows: bind9, No, No, DNS Server; crossbow, No, No, Crossbow SAC
288. g and accessible, LLDP information can be polled using the standard LLDP MIB. LLDP status can also be seen directly using Webmin. Please note that there is a 30 second delay between updates. Pressing the Refresh button will query LLDP for current information.
Figure 296: LLDP Summary Display (LLDP Neighbors table showing one neighbor found on interface eth1, with Chassis ID (MAC), SysName, SysDescr, MgmtIP, Caps, PortID and PortDescr fields; note that it may take up to 30 seconds before the neighbor information changes).
Section 5.16 Configuring Generic Routing Encapsulation. This section familiarizes the user with:
- Enabling/Disabling GRE
- Viewing GRE Status
ROX is able to encapsulate multicast traffic and IPv6 packets and transport them through an IPv4 network tunnel. A GRE tunnel can transport traffic through any number of intermediate networks. The key parameters for GRE in each router are the tunnel name, local router address, remote router address and remote subnet.
NOTE: A GRE tunnel is a virtual interface, but it requires a physical network interface to reach the tunnel endpoint. If that physical interface is down, the GRE interface and subsequently the routes configured for
289. g a default route using this interface whenever it connects. If this is your primary connection, you probably want this option enabled. The Use peer DNS check box enables automatically setting the DNS server entries that the PPPoE server recommends. Enable this option unless you provide your own name servers. The MTU field defines the MTU size to request when connecting to the PPPoE server. In some cases the PPPoE provider may provide a smaller MTU, in which case the smaller setting will be used, or it may refuse to alter the MTU and use whatever it considers to be the default.
NOTE: If the negotiated MTU is different from the requested MTU, a warning will be displayed on the Networking > ADSL menu.
Section 5.7.2.3 Editing a Logical Interface (Bridged). Figure 215: Edit Logical Interface (Bridged) (form for interface w3adsl with the fields Convert this interface to PPPoE, Description, Comment, Attempt ATM Autoconfiguration, VPI, VCI, Use DHCP, Local IP Address, Netmask, Remote IP Address, Use as Default Route and Gateway, plus Save and Delete buttons). The Description field attaches a description to the logical interface, viewable from the network interfaces menu. The VPI field determines the VPI number the c
290. g for the tunnel. Ethernet Interface: select the VLAN on which the GOOSE packets originate. Ethernet Type: set as 0x88b8. Remote Daemon: select the VLAN to which to forward the GOOSE packets.
Section 5.17.2 Generic Layer 2 Tunnel Fundamentals. The Layer 2 Tunnel Daemon also supports a generic mode of operation based on the Ethernet type of Layer 2 data traffic seen by the router. Multiple tunnels may be configured, each one with:
- Ethernet type
- Tunnel ingress (Ethernet interface or VLAN interface)
- Tunnel egress (either another locally connected Ethernet interface or VLAN interface, or the remote IP address of another Layer 2 Tunnel daemon instance running on another ROX)
Section 5.17.2.1 Generic Tunnel Implementation Details. For each tunnel configured, the daemon monitors the specified Ethernet or VLAN interface for Ethernet (Layer 2) frames of the specified type. If the configured egress is another local Ethernet port or VLAN interface, frames are simply forwarded on that port unmodified. If the configured tunnel egress is a remote IP address, the daemon encapsulates the frames and forwards them to that address, where a corresponding Layer 2 Tunnel Daemon must be configured to receive tunneled frames for local retransmission. Encapsulation headers are stripped in order that the retransmitted frames are identical
291. g interval, the timer is restarted. This method allows characters transmitted as part of an entire message to be forwarded to the network in a single packet when the timer expires after receiving the very last character of the message. This is usually the only packetizer selected when supporting ModBus communications. Finally, the server will always packetize and forward on a full packet, i.e. when the number of characters fills its communications buffer (1024 bytes).
Section 3.10.3.4 Use of Turnaround Delays. Some RTU protocols, such as ModBus, use the concept of a turnaround delay. When the host sends a message (such as a broadcast) that does not invoke an RTU response, it waits a turnaround delay time. This delay ensures that the RTU has time to process the broadcast message before it has to receive the next poll. When polling is performed, network delays may cause the broadcast and the next poll to arrive at the remote server at the same time. Configuring a turnaround delay will enforce a minimum separation time between each message sent out the port. Note that turnaround delays do not need to be configured at the host computer side and may be disabled there.
Section 3.10.4 TcpModBus Server Application. The TcpModbus Server application is used to transport Modbus requests and responses across IP networks. The source of the polls is a Modbus
292. g to each forwarder. By configuring different forwarders, low severity and high severity control centers can be set up. Each alert is mapped to an alert definition entry, which is predefined by the daemon that owns the alert or by a user. All alert definition entries are configurable by the user. An alert filter is a user defined configuration that defines the forwarder destination of active alerts. Any active alert with Renotify Interval set to a non-zero value that matches the filter level will be forwarded to the defined forwarder destination.
Section 3.7.1.1 Alert Main Menu. Figure 26: Alert Main Menu (view by All Alerts or by severity: Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug; or by category: chassis, performance, interface, daemon; columns: Alert Name, Specific, Severity, Date, Action; example entry: Power Supply 2 Failure, Failure, Critical, Wed Oct 23 14:25:56 2013, Clear Alert; links: Alert Configuration, Alert Definition Configuration). This menu displays active alerts and allows you to change the alert system configuration and alert definitions. Follow the All Alerts link to show all alerts. The view of system alerts may be limited by severity, by following one of the severity links (Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug), or by category, by following one of the catego
293. gement User Guide. Section 3.2.7 Configuring the Date, Time and Timezone. The Set The Date, Time and Timezone command allows these parameters to be set. Figure 21: Router Date/Time/Timezone Menu. Once set, the router will account for Daylight Savings time.
Section 3.2.8 Displaying Hardware Information. The Display Hardware Information command describes commissioned hardware. Figure 22: Router Hardware Information Menu.
Section 3.2.9 Restoring a Configuration. The Restore A Previous Configuration command provides a means to restore a previously taken snapshot of the configuration of the router.
NOTE: The router will reboot immediately after restoring the configuration.
The user is first prompted to select either the factory default configuration or a previously made archive.
NOTE: Restoring the factory defaults will reset IP addresses and may make the router impossible to reach from the network.
Figure 23: Selecting a configuration to reload. Initially your router will have no previously saved configurations; the factory defaults will always be available. Once a configuration is selected, the archive will be restored. After the configuration is restored, the router will reboot immediately. Figure 24: Selecting a previously made configuration. Se
294. gin / Clear. Figure 1: Signing On to the Router With a Web Browser.
Section 2.1.2 The Structure of the Web Interface. The Web interface presents a web page with two frames. The leftmost, or index, frame selects subsystems to configure and is always displayed. The rightmost, or configuration, frame presents the configuration for the currently selected subsystem or, in the case of signing on, the home page window. The home page window presents an annotated view of the front of the chassis as well as a number of important system parameters. These parameters include:
- The router uptime and load averages for the past 1, 5 and 15 minutes. Under normal operation the load average should be less than 2.0.
- The disk usage. A disk usage higher than 92% requires attention.
- The memory usage, indicating the amount of memory used by applications. Under normal operation memory usage should be less than 60%.
- The chassis temperature.
- Any major alarms, such as the failure of hardware components.
Figure: Webmin home page (annotated chassis view with installed modules and power supply readings; the index frame lists the Webmin entries Webmin Configuration, Webmin Events Log and Webmin Users, the System entries Bootup and Shutdown, Change Password, Scheduled Commands, Scheduled Cron Jobs, System Hostname and System Time, and Networking).
295. guration Menu. This menu allows you to configure IP networking parameters. Select the Core Settings icon to configure kernel networking settings such as syncookies filtering. Select the Dummy Interface in order to assign an IP Address to the router that is independent of its interfaces. Select the Static Route icon to assign a gateway address. Select the Static Multicast Routing icon to configure static multicast routes. Select the DNS Client icon to point the router at a DNS server. Select the Host Addresses icon to locally configure IP address/hostname mappings. Select the End To End Backup icon to configure an end to end backup connection. Select the Current Routing & Interface Table icon to view the routing table. The Apply Configuration button serves to restore the permanently saved changes and restart Ethernet networking.
Section 5.1.2.1 Core Settings. Figure 159: Core Networking Settings (Yes/No fields: Allow IPv6 Configuration, Ignore All ICMP ECHO requests, Ignore ICMP Broadcasts, Syncookie Protection, Send ICMP Redirect, Set UDP non-block in IPSec; Save and Apply button). This menu allows you to configure core networking settings. The Allow IPv6 Configuration field determines whether IPv6 ma
296. hanges button. Note also that when disabling the SSH server, any currently active SSH connections to the server will remain active. Subsequent connection attempts will not succeed.
Section 3.12.3 Authentication. Figure 105: SSH Server Authentication Menu (login and authentication options: Allow authentication by password Yes/No; Permit logins with empty passwords Yes/No; Pre-login message file None or /etc/issue; Save button). Allow authentication by password determines whether to allow clear text (tunnelled) passwords. If set to Yes, the user will be allowed to enter a password for authentication if it cannot be done using a public key. Permit logins with empty passwords (valid when authentication by password is allowed) specifies whether the server will allow login to accounts with empty passwords. Pre-login message file specifies the name of a file that contains a message that can be displayed before the passphrase/password prompt during the login process. By default it is /etc/issue, the same as the serial console banner. If a custom message for SSH sessions is desired, specify the path to the custom file.
Section 3.12.4 Networking. Figure: SSH Server Networking options (Listen on addresses: All addresses or Entered below; Address; Port: Default
297. he acint zone. Industrial Defender SAP uses OpenVPN for secure communication between the client and the protected device. OpenVPN creates virtual tunnel interfaces for this purpose.
Zone ID / Interface / Address: net eth1 detect; loc eth2 detect; unusd eth3 detect; unusd eth4 detect; acint tun detect.
4. Visit the Default Policies sub-menu and assign the following policies (Source zone / Destination zone / Policy): fw any ACCEPT; loc net ACCEPT; acint any DROP; any any DROP.
5. Visit the Firewall Rules sub-menu and assign the following rules.
NOTE: Idefender and SAPCtl actions must have "log to syslog level" set to "Don't log".
Action / Source zone / Destination zone / Protocol / Src Port / Dst Port: ACCEPT acint fw any; SAPCtl net fw UDP; Idefender acint loc any.
See also the note on VRRP, Firewall Rules and Access Manager below.
6. Apply the Shorewall configuration.
NOTE: Granting uncontrolled access to the router is not required in normal operation. This is a security risk and should not be done without good reason. Rules are order dependent, and so place this rule above the SAPCtl and Idefender rules.
a. For Webmin and/or SSH access to the router you can add a rule: ACCEPT net fw tcp 22,10000.
b. The order of these rules is significant. Any r
298. he 192.168.30.0/24 subnet. The Gateway field specifies the IP address of the next hop to which to forward traffic destined to the specified subnet. If the gateway to a particular subnet is across a point-to-point link, it is not necessary to specify a gateway, but a network interface (below) must be specified. The Interface field specifies the network interface to use to reach the gateway. The interface does not need to be active or even exist, but the route will not be installed until both are true. Specifying an interface is only strictly necessary when a gateway address is not specified. The menu provides a list of currently configured interfaces for quick reference.
NOTE: A blackhole or null route may be installed by entering null0 in the interface field.
The Metric field specifies an integer cost metric for the route, which is used when choosing among multiple routes in the routing table that most closely match the destination address of a packet being forwarded. The route with the lowest metric is chosen as the active route.
NOTE: Multiple routes to the same destination subnet may also be specified using identical metrics in order to create multipath routes. Please refer to the section called Multipath Routes.
The Comment field shows the status of the static route and provides a basic cause when the route is not installab
299. he IP address will be blocked again, but the time blocked will increase by a factor of 1.5. This will continue as long as the IP keeps the same behavior.
NOTE: The failed logins must happen within 10 minutes to be considered as malicious behavior.
When BFA protection is started, the following auth.log entry is displayed:
Jun 7 14:40:59 ruggedrouter sshguard[24720]: Started successfully [(a,p,s)=(50, 420, 600)], now ready to scan.
A bfaInfo SNMP v2c or v3 trap can be sent each time an IP is blocked, if SNMP traps are configured. An auth.log entry is created when an IP address is blocked; an example is shown below:
Jun 7 14:43:04 ruggedrouter sshguard[24720]: Blocking 172.59.9.14 for >630secs: 60 danger in 5 attacks over 70 seconds (all: 60d in 1 abuses over 70s).
Each failed login has a value of 10. The sixth failed login represents a cumulative value of 60 and is reported as such. Brute Force Attack protection is enabled in the Bootup and Shutdown page under sshguard.
NOTE: Enabling/disabling a firewall configuration will reset the Brute Force Attack protection mechanism.
Chapter 4 System Administration. This chapter describes how to perform various administrative tasks related to device identification, user permissio
300. he menu allows you to program specific actions at boot time. The script will be run after all regular boot actions have completed.
Figure: Bootup and Shutdown table (columns: Action, Start at boot, Running now, Description) listing the DNS Server, Crossbow SAC, DHCP Relay Agent, DHCP Server, End To End Backup Route Daemon, Industrial Defender Access Manager (the firewall must be properly configured and enabled first), Virtual Private Networking (ipsec; requires a default route to be set), VRRP Server (keepalived), Layer 2 tunnels, Link Backup, Link Layer Discovery Protocol Daemon (lldpd, started at boot and running), INTP Server, OpenL2tp Daemon, RPC Services (portmap; needed by NFS, NIS, rsh, rlogin, rexec and rcp), IEEE1588 Stack Daemon (a PTP card is required), Serial Server (started at boot and running), Firewall (shorewall), Static Multicast Router Daemon and snmpd. Note on the Firewall entry: to prevent accidentally blocking access to the router, disabling shorewall will not disable the firewall until you either reboot the router or click the Clear Firewall button on the Shorewall Firewall menu.
301. he number of rules enabled, the packet rate and the logging method. Snort has been empirically determined to use about 20% of the CPU clock cycles at its maximum processing rate. The router is capable of recording about 300 entries/second to the local syslog and 500 entries/second to the alert file. Alerts at rates exceeding the above rates will not be recorded. Snort will require 5 MB of system memory to start, with an additional 15 MB of memory for each interface monitored.
Section 3.15.1.6 Troubleshooting Snort. If Snort does not start on the intended interface(s), use the following steps to identify and solve the issue:
1. In most cases Webmin would display the error message indicating the root cause of the problem. You can also refer to the Snort start-up log message, which is logged in the syslog on a router running Snort.
2. From the ROX shell, type the command ps aux | grep snort and find out whether Snort is running on the intended interface.
3. If Snort is enabled on one or more interface(s) and restarting Snort results in Snort not running on all intended interfaces, you may have exceeded the maximum number of rules and flowbit tags. For more information, refer to Section 3.15.1.1 Configuring Snort. To find out the total number of rules and flowbit tags that are currently being used by the enabled rule sets, go to the ROX shell and type either cat /var/log/syslog | grep rules or cat /var/log/auth.log | grep rules, depend
302. he peer address if the interface is a point-to-point interface. The entries under the MTU field reflect the Maximum Transmission Unit size for the interface. The entries under the Txqueuelen field reflect the transmit queue length for the interface.
Chapter 3 Device Management. This chapter describes how to configure and manage the device and its components, such as module interfaces, logs and files. It describes the following tasks:
NOTE: For information about how to configure the device to work with a network, refer to Chapter 5 Setup and Configuration.
- Section 3.1 Accessing the Router
- Section 3.2 The Router Setup Shell
- Section 3.3 Using The LED Status Panel
- Section 3.4 Obtaining Chassis Information
- Section 3.5 Setting Up a Router Software Repository
- Section 3.6 Reflashing the Router Software
- Section 3.7 Maintaining the Router
- Section 3.8 Configuring PPP and the Embedded Modem
- Section 3.9 Configuring PPP and the Cellular Modem
- Section 3.10 Configuring Serial Protocols
- Section 3.11 Synchronous Serial Ports
- Section 3.12 Configuring SSH
- Section 3.13 Configuring the Telnet Server
- Section 3.14 Configuring IRIG-B and IEEE1588
- Section 3.15 Configuring the Intrusion Detection System
- Section 3.16 Brute Force Attack Protection System
- Section 3.1
303. he pre-upgrade script will only be executed immediately prior to the second stage of the upgrade. post-upgrade will be downloaded by the router and executed immediately after the upgrade process has completed. The scripts must start with #!/bin/bash or #!/usr/bin/perl in order to use one of either the BASH or PERL command interpreters on the router, and be designed to produce consistent results in the event that they are run more than once consecutively. It is possible, for example, for an upgrade to be interrupted after the pre-upgrade script runs and restarted at a later date. The result of running the pre-upgrade script is included in the upgrade output. The following post-upgrade script will send an email notification when an upgrade completes (assuming SMTP is configured properly):
#!/bin/bash
# Build the message headers first; ssmtp expects a blank line between the headers and the body.
echo "Subject: Software upgrade for Release rr1.9.0 on $(hostname) completed" > /tmp/mail
echo "To: controlcenter@ruggedcom.com" >> /tmp/mail
echo "" >> /tmp/mail
echo "Software upgrade for Release rr1.9.0 on $(hostname) completed at $(date)" >> /tmp/mail
# Hand the assembled message to the local ssmtp relay, then remove the temporary file.
cat /tmp/mail | ssmtp controlcenter@ruggedcom.com
rm -f /tmp/mail
Section 3.7.11 Uploading and Downloading Files. Figure: Upload/Download Files To The Router (Download files from the specified URLs to this router: URLs to download; File or directory to download
304. he user with:
- Pinging hosts
- Running a traceroute
- Performing a host lookup
- Tracing line activity
- Showing interface statistics
Section 2.2.1 Network Utilities Main Menu. Figure 3: Network Utilities Main Menu (icons for ping, traceroute, ARP ping, host lookup, interface tracing, interface statistics and the current route & interface table, with quick Ping It, Traceroute It and Look Up fields below). The lower part of the menu provides quick pinging, tracerouting and lookup of hosts. The upper part leads to menus providing more configurable options for these commands. Additionally, Ethernet, WAN and Serial port tracing is provided. A summary of interface statistics and the current routing table is provided.
Section 2.2.2 Ping Menu. Figure 4: Ping Menu (fields: Hostname/IP Address; Verbose Output; Lookup Addresses; How many Packets, default 5; Packet Size, default 56; Time between pings, default 1 second; Pattern(s) to send (Hex); Ping It button). The Hostname field accepts the host name or IP address to ping. Note that this may be an IPv4 or an IPv6 address. The Verbose Output field causes ping to present the maximum of output. The Lookup Addresses fi
305. hronous serial port. The Cable field lists the cable marking for the port. The Slot field indicates whether the port is in the router's Upper or Lower expansion slot. The Baud rate field sets the bit rate (in bits/s) of transmitted data and the frequency (in Hz) of the transmitted clock when the port is clocked internally (see below). The Clock field selects whether the port operates from the internal clock or using a received external clock signal. The CTS/RTS delay field sets the delay in milliseconds that RTS will follow CTS. The Type field displays the port's interface type, depending on the type of synchronous card installed. Underneath each port displayed in the table, a link named Edit Sync Port X Parameters leads to an editing menu for the corresponding port's parameters. Figure 102: Edit Synchronous Serial Port Parameters (fields: Port, Baud rate, Clock, CTS/RTS delay, Type; example row: port 1, baud rate 0, INTERNAL, 0, RS232; Save Changes button).
Section 3.11.2.2 Configuring Raw Socket on Synchronous Serial Ports. In order to enable the Raw Socket protocol on the desired synchronous serial port, use the Assign Protocols sub-menu under the Serial Protocols menu (refer to Section 3.10.7.1 Assign Protocols Menu). As noted above, the Raw Socket pr
306. ial IP Port Features ... 86
3.10.1.1 LED Designations ... 86
3.10.2 Serial Protocols Applications ... 87
3.10.2.1 Character Encapsulation ... 87
3.10.2.2 RTU Polling ... 87
3.10.2.3 Broadcast RTU Polling ... 87
3.10.3 Serial Protocols Concepts and Issues ... 88
3.10.3.1 Host and Remote Roles ... 88
3.10.3.2 Use of Port Redirectors ... 88
3.10.3.3 Message Packetization ... 88
3.10.3.4 Use of Turnaround Delays ... 89
3.10.4 TcpModBus Server Application ... 89
3.10.4.1 Local Routing at the Server Gateway ... 89
3.10.4.2 MultiMaster Capability ... 89
3.10.5 TcpModbus Concepts and Issues ... 90
3.10.5.1 Host and Remote Roles ... 90
3.10.5.2 Port Numbers ... 90
3.10.5.3 Retransmissions ... 90
3.10.5.4 ModBus Exception Handling ... 90
3.10.5.5 TcpModbus Performance Dete
307. ich connection should be used from the drop-down list of available connection profiles in the Connect at boot list.
Section 3.8.6.3 Dial on Demand Alternate Modem Setting. On systems with two modems, the Dial On Demand function can trigger and use an alternate modem to transmit data when the first modem is busy. For instructions on setting the Dial on Demand option, see Section 3.8.6.4 Modem PPP Client. When Dial on demand is selected on the PPP Client page, the Dial on Demand Setting table appears on the PPP Client Connections page. Figure 74: PPP Client Connections page with Dial On Demand Setting table (Modem 1 PPP Client Connections: Connection Name Headoffice with Edit and Add new actions; Connect at boot, default none, selects which client connection to start automatically at boot; Dial on Demand Setting with Target network, Alternate modem and Action columns). The Target network is the remote network to which the alternate modem will transmit traffic. Specify the network in dotted decimal CIDR notation, for example 192.168.1.0/24. The Alternate modem is the secondary modem to use when the primary modem is busy. Select a modem from the list. When none is selected, the traffic is handled by the
308. ifferent privilege level. Please refer to Section 4.2.1 Webmin User and Group Fundamentals for more detail on Webmin privilege levels. The RADIUS server authenticating the WEBMIN service must also be configured to supply a privilege level field, which is used to allow different levels of access to different users of the web management interface. See Section 4.7 RADIUS Server Configuration for more information on configuring the RADIUS server.
Section 4.6.4 RADIUS Authentication Configuration. Figure 149: RADIUS Authentication Main Menu (columns: Address, Port, Secret, Timeout, Services, Bind Interface, Move, Add; link: Add a Radius server). RADIUS Authentication is configured from within the Maintenance menu, Miscellaneous sub-menu. This menu allows you to add, delete and edit RADIUS servers. Add a server by clicking on the add above or add below arrows in the Add column. You may also edit a server by following its link under the Address field. Reorder the servers by clicking on the arrows in the Move column.
Section 4.6.5 Edit RADIUS Server Parameters. Figure: Edit Radius Server Parameters (Radius Server Parameters: Hostname/IP; Port Number, Default; Shared Secret; Ti
309. iguration by using the Test Configuration option under Snort IDS in Webmin. For more information, refer to Section 3.15.6 Test Configuration. Enable Snort to start now and after the boot-up process from the Boot Up and Shutdown menu in Webmin, and verify that Snort is started and running on the intended interface. Make sure to restart Snort after making any changes under the Snort IDS menu in Webmin. Snort can be restarted by pressing the Restart Snort button under the Snort IDS menu in Webmin. Once restarted, wait for the message "Snort was restarted and is running on ports <Intended Ethernet Interface(s)>" to ensure successful operation of Snort.
Section 3.15.1.2 Which Interfaces to Monitor. Typically the router will have an interface to an external network and interfaces comprising the local network. The firewall will cite these interfaces as belonging to the net and local zones. A key decision is whether to monitor traffic outside or inside of the firewall. Monitoring traffic outside the firewall (on the external network interface) has the advantage that attacks which the firewall is blocking can be seen. This method, however, will generate a large number of alerts. Additionally, firewall rules installed to eliminate vulnerabilities will not prevent future alerts, since traffic is monitored before the firewall. Finally, this method will not de
310. igured. Not setting this parameter will result in a functional GRE configuration, but DHCP relay will not work over the tunnel. The Save button will save the configuration permanently. The Apply Configuration button will restart the DHCP Relay Agent with the saved configuration.
Section 5.20 Configuring NTP Servers. This section familiarizes the user with:
- Enabling/Disabling NTP
- Setting servers and peers
- Setting generic NTP options
- NTP Tools
NTP (Network Time Protocol) is an Internet protocol used to synchronize the clocks of computers to some time reference. Variants of NTP such as SNTP (Simple NTP, a reduced functionality NTP) and XNTP (Experimental NTP) exist. NTP itself is available in versions 3 and 4; ROX includes version 4. NTP is a fault tolerant protocol that allows an NTP daemon program to automatically select the best of several available time sources, or reference clocks, to synchronize to. Multiple candidates can be combined to minimize the accumulated error. Temporarily or permanently wrong time sources are detected and avoided. The NTP daemon achieves synchronization by making small and frequent changes to the router hardware clock. The NTP daemon operates in a client/server mode, both synchronizing from servers and providing synchronization to peers. If NTP has a number of servers to choose from, it will synchroni
311. igured in this field. Each IP address is separated by a return key. The Virtual IP Netmask field configures the Virtual IP address mask. The Save button saves the virtual instance. The Delete button deletes the virtual instance. After you save or delete an instance, you must restart the daemon to action your change.
Section 5.14.7 Editing a VRRP Group. Figure 294: VRRP Group (Virtual Group Parameters: Group Name VG0; Group Members VRID_20, VRID_21; Delete Group and Save buttons). The Group Name field is only for information purposes. The Group Members field determines the group members in this VRRP group. At least two members are needed in order to establish a group.
Section 5.14.8 Viewing VRRP Instances Status. Figure 295: VRRP Instances Status (columns: Instance, Current State, Time Of Change To Current State, VRRP Interface State, Monitored Interface State; example row: IVR44, Master, Tue Dec 17 15:50:04 EST 2013, eth3 is Up, none; Refresh Display button). The VRRP Instances Status menu displays the current status of VRRP instances. This menu does not update status in real time. Click on the Refresh Display button to update to the current status. The entries under the Instance column reflect the name of
ile /etc/shorewall/rules and are modified from the Firewall Rules menu.

Section 5.8.4 Configuring the Firewall and VPN

Section 5.8.4.1 Policy-Based Virtual Private Networking

Begin configuration by creating local network and vpn zones. Identify the network interface that carries the encrypted IPSec traffic and make this interface part of zone ANY in the interfaces menu, as it will be carrying traffic for both zones.

Visit the Zone Hosts menu and, for the network interface that carries the encrypted IPSec traffic, create a zone host with zone VPN, the correct subnet, and the IPSec zone option checked. If you plan to have VPN tunnels to multiple remote sites, ensure that a zone host entry exists for each, or collapse them into a single subnet. Create another zone host for the same interface with a network zone using a wider subnet mask, such as 0.0.0.0/0. It is important that the vpn zone be declared before the net zone, since the more specific vpn zone subnet must be inspected first.

Host Zone | Interface | Subnet         | IPSec Zone
vpn       | w1ppp     | 192.168.1.0/24 | Yes
net       | w1ppp     | 0.0.0.0/0      | No

The IPSec protocol operates on UDP port 500 and uses the AH (Authentication Header) and ESP (Encapsulating Security Payload) protocols. The firewall must accept this traffic in order to allow IPSec.

Action | Source Zone | Destination Zone | Protocol | Dest Port
ACCEPT | net         | fw               | ah       |
ACCEPT | net         | fw               | esp      |
ACCEPT | net         | fw               | udp      | 500

IPSec traffic arriving at the firewall is di
ilities sub-menu. It is also provided here as a convenience.

Section 5.3 Configuring Frame Relay, PPP and T1/E1

This section familiarizes the user with:
- Frame Relay and PPP Terminology and Issues
- Configuring Frame Relay and PPP Links
- Viewing status and statistics
- Upgrading Firmware
- Current Routes and Interface Table

Section 5.3.1 T1/E1 Fundamentals

A T1 is a communications circuit upon which has been imposed a Digital Signal 1 (DS1) signalling scheme. The scheme allows 24 timeslots of 64 Kbps (DS0) information, as well as 8 Kbps of signalling information, to be multiplexed onto a 1544 Kbps circuit. The 24 DS0s can be used individually as standalone channels, bonded into groups of channels, or bonded to form a single 1536 Kbps channel referred to as a clear channel. Not all channels need be used; it is quite common to purchase N channels of 64 Kbps bandwidth and leave the remainder unused. This is known as fractional T1.

The telephone network terminates the T1 line and maps each of the channels through the T1 network to a chosen T1 line. Individual and bonded DS0s from more than one remote T1 can be aggregated into a full T1 line, often referred to as central site concentration.

Whereas the T1 line itself is referred to as the physical interface, groups of DS0s form channels, and the protocols that run on the channels are known as a logical interfac
imum length of packets. The maximum Ethernet frame is 1518 bytes long; 14 bytes are consumed by the header and 4 by the frame check sequence, leaving 1500 bytes for the payload. For this reason the Maximum Transmission Unit (MTU) of an Ethernet interface is usually 1500 bytes. This is the largest IP datagram which can be transmitted over the interface without fragmentation.

PPPoE adds another six bytes of overhead, and the PPP protocol field consumes two bytes, leaving 1492 bytes for the IP datagram. This reduces the MTU of PPPoE interfaces to 1492 bytes.

Packets received by hosts via Ethernet that are sized to the Ethernet MTU will be too large for the PPPoE connection's MTU and will be fragmented. Large packets from hosts on the Internet will be fragmented by the ISP. The router will re-assemble these packets, but at the cost of increased latency. Configuring smaller MTUs at your hosts may reduce latency.

Section 5.7.1.3 Bridged Mode

In bridged mode the router simply employs the ADSL interface as a carrier of Ethernet frames. The interface will be created at boot time with a 1500 byte MTU. No authentication information is required for bridged mode. Your ISP will provide you with one or more IP addresses and an appropriate subnet mask. Your ISP will also suggest a DNS server, which you can configure via the Networking Network Configurat
in, operator, guest, webmin and none.

The Username field sets the user name for the Webmin user. This user name will be used in the login. The Member of group field determines which group the user belongs to. Recall that the group is equivalent to the privilege level, which determines the user's access level for the Webmin system. The Password field sets the password for the user. The Real name field sets the real name for the user.

The Save button will save the changes permanently. The View Logs button will display the action logs for this Webmin user. The Delete button will delete the current user from Webmin.

NOTE: When a Webmin user is deleted, any current session the user may have established will be terminated.

Section 4.2.5 Current Login Sessions Menu

Figure 133: Current Login Sessions Menu (Current Webmin session logins are listed below. To cancel an existing session and force the user to login again, click on its session ID. Columns: Session ID, Webmin user, Privilege, IP address, Logged in at; example row: a root session with root privilege from 192.168.0.200, logged in at 22 Oct 2013 15:55; View logs link, Return to user list)

This menu allows you to view and delete current login sessions. Deleting a login session will force the logged-in user to login again. Click on the Session link under the
in User and Group Fundamentals

When the Webmin package is installed for the first time, an account for the user root exists on the router. Besides the root account, three groups, or privilege levels, are defined: admin, operator and guest.

Users belonging to the admin group have full access to all Webmin modules.

Users belonging to the operator group have full access to most Webmin modules, with the following exceptions:
- Webmin Configuration
- Webmin Event Log
- Webmin Users
- Scheduled Commands
- Scheduled Cron Jobs
- System Hostname
- System Time
- SSH Server
- Backup and Restore
- Upgrade System
- Upload/Download Files

Users belonging to the guest group can only view configuration and statistics, but cannot change them. Besides this limitation, they also have no access to the modules forbidden to the operator group, listed above.

The root user must always be defined. New Webmin users can be created and deleted, and must belong to one of the three aforementioned groups. New Webmin user names must contain only the characters a-zA-Z0-9, but must not begin with and must not conflict with any existing user or group name.

Section 4.2.2 RADIUS User Access Control Fundamentals

Webmin provides the ability to authenticate against a RADIUS server in order to centralize the creation and maintenance of user accounts. Multiple devices may be configured to authenticate Webmin users using a
in place from the time the user presses the Start Configuration Rollback Monitoring button until he eventually goes back to the Configuration Rollback menu and presses the Accept Current Configuration button.

Figure 35: Configuration Rollback menu, ready to accept changes (Configuration Rollback is active. When you are done changing the configuration and are sure everything is working as desired, click to accept the configuration and disable the configuration rollback monitoring. Accept Current Configuration button; Return to Backup And Restore)

Section 3.7.2.3 Archive History

Configuration Archives: the total size of all archived configurations is 6749404 bytes. Click on an archive to download a copy of it.

Archive Name          | Version         | Archive Comment
Archive20131022 0000  | rr1 16 0 QA1 1  | Automatic nightly backup at 2013-10-22 00:00
latestarchive         | rr1 16 0 QA1 1  | Automatic nightly backup at 2013-10-22 00:00
Archive20131019 0000  | rr1 16 0 QA1 1  | Automatic nightly backup at 2013-10-19 00:00
factorydefaults       | rr1 16 0 QA1 1  | Factory defaults

Remove Selected Archives button.

Webmin Archives: the total size of all archived configurations is 11796 bytes. Click on an archive to download a copy of it.

Archive Name | Version | Archive Comment
Webmin2013102
ing & Interface Table ... 17
Chapter 3 ... 19
3.1 Accessing the Router ... 19
3.1.1 Accounts and Password Management ... 20
3.1.2 Default Configuration ... 20
3.1.3 Accessing the Device Command Prompt From the Console Port ... 20
3.1.4 Accessing the Device Command Prompt From SSH ... 21
3.2 The Router Setup Shell ... 21
3.2.1 Configuring Passwords ... 21
3.2.2 Setting the Hostname and Domain ... 22
3.2.3 Setting the Hostname and Domain ... 22
3.2.4 Configuring RADIUS Authentication ... 22
3.2.5 Enabling and Disabling the SSH and Web Server ... 23
3.2.6 Enabling and Disabling the Gauntlet Security Appliance ... 23
3.2.7 Configuring the Date, Time and Timezone ... 24
3.2.8 Displaying Hardware Information ... 24
3.2.9 Restoring a Configuration ... 24
3.3 Using The LED Status Panel ... 25
3.4 Obtaining Chassis Inf
ing on your log destination. This must be done after Snort has started. If you have exceeded the maximum limit, adjust the total number of enabled rule sets and restart Snort.

Section 3.15.2 IDS Configuration

The Snort IDS menu configures Snort IDS and is composed of three sections:
- Global Snort Configuration
- Interfaces
- Rulesets

NOTE: Snort is disabled by default and may be enabled via the System folder, Bootup and Shutdown menu. If Snort is running, configuration changes must be made active by restarting it. The Restart Snort button will restart Snort and list the interfaces it is active upon.

Section 3.15.2.1 Global Configuration

Figure 116: Snort Global Configuration (Snort IDS, Global Snort Configuration: Network Settings, PreProcessors, Alerts & Logging, Test Configuration, Edit Config File)

The Global Configuration menu section configures parameters that apply to all interfaces.

Section 3.15.2.2 Interfaces

Figure 117: Snort Interfaces (columns: Interface, Status, Action; eth1, eth2, eth3 and eth4 are listed, each with a Disable action)

The Interfaces section selects the interfaces Snort will monitor. You must restart Snort after changing interfaces.
into the following field will be stored in the archive.

Backup archive file name: specify the archive name here; do not specify the file extension, as it will be automatically generated (example value shown: Archive20131022 1331). Start Backup button; Return to Backup And Restore.

Figure 37: Archive Backup

This menu allows the user to manually create a configuration archive or Webmin archive. The Backup Type field determines which type of archive (configuration archive or Webmin archive) you want to backup. The Archive Comment field sets a comment which will be included in the archive file. The Backup archive file name field allows you to input the candidate archive file name.

Starting the backup results in the following display:

Figure 38: Archive Backup Complete (Archive Backup: Created Archive20131022 1354 tgz; Upload A Copy Of This Archive link; Return to Backup And Restore)

The archive created can be immediately uploaded, if desired, by following the Upload A Copy Of This Archive link.

NOTE: If you use the Internet Explorer web browser, you must right-click the link and save the file manually. Otherwise Internet Explorer will rename the file after uploading, preventing its use in a subsequent archive restore.

Section 3.7.2.5 Archive Restore

The restore process begins by selecting an archive to restore from. Following an archive link will restore the archive and reboot the router.
ion DNS Client menu.

Section 5.7.1.4 Location of Interfaces and Labelling

Unlike the Ethernet ports, which are statically located, the location of ADSL ports in your router depends upon the number of ports and how they were ordered. Refer to the labelled hardware image as presented in the Webmin home page. To make labelling easy to understand, all T1/E1, T3, DDS and ADSL ports are assigned a unique port number that relates to the LEDs on the status panel.

Section 5.7.1.5 LED Designations

ROX includes two sources of LED-indicated information about ADSL lines: the ADSL card itself and the LED Panel.

Four LEDs are associated with the line, next to the interface jack:
- Power (Green) indicates when the card is active and powered.
- Link (Green) indicates when the DSL link is established.
- TX (Red) indicates when data is being transmitted over DSL.
- RX (Red) indicates when data is being received over DSL.

While connecting, the LEDs are flashing sequentially.

ROX also indicates information about ADSL ports on the LED Panel. A pair of LEDs will indicate traffic and link status of the port. Consult Section 3.3 Using The LED Status Panel to determine which LEDs correspond to the port.

Section 5.7.2 ADSL Configuration

ADSL menu: ADSL Interfaces, PPP Logs, Current Route & Interface Table.

Figure 212: AD
ion ... 111
3.14.3.2 IRIG-B Configuration ... 112
3.14.3.3 IEEE1588 Configuration ... 112
3.14.3.4 IRIG-B Status ... 113
RUGGEDCOM ROX User Guide, Table of Contents
3.14.3.5 ... 113
3.14.3.6 IRIG-B ... 114
3.15 Configuring the Intrusion Detection System ... 114
3.15.1 Snort Fundamentals ... 114
3.15.1.1 Configuring Snort ... 115
3.15.1.2 Which Interfaces to Monitor ... 116
3.15.1.3 Snort ... 116
3.15.1.4 Alerting Methods ... 117
3.15.1.5 Performance and Resources ... 117
3.15.1.6 Troubleshooting Snort ... 117
3.15.2 IDS Configuration ... 117
3.15.2.1 Global Configuration ... 118
3.15.2.2 Interfaces ... 118
3.15.2.3 Rulesets ... 119
3.15.2.4 Rule Lookup by SID ... 120
3.15.3 Network Settings ... 121
3.15.4 PreProcessors ...
ion82 on One Switch

Section 5.18.4.1 Single Network With Dynamic IP Assignment

In this example the eth1 interface is provided with IP address 192.168.1.1/24, while addresses 192.168.1.101 through 192.168.1.200 are assigned to the clients. The router serves as the default gateway.

1. Enable eth1 in the Edit Network Interfaces menu.
2. Click add a subnet and configure it for network address 192.168.1.0 with netmask 255.255.255.0.
3. Set the assigned address range to 192.168.1.101 - 192.168.1.200.
4. Click Create, then edit the subnet just created and click Edit Client Options.
5. Set default routers to 192.168.1.1 and save.
6. Restart the DHCP server or apply changes.

Section 5.18.4.2 Single Network With Static IP Assignment

In this example the eth1 interface is provided with IP address 192.168.1.1/24. Assign address 192.168.1.101 to a DHCP client with MAC 00:11:22:33:44:01, address 192.168.1.102 to a DHCP client with MAC 00:11:22:33:44:02, and address 192.168.1.103 to a DHCP client with MAC 00:11:22:33:44:03. The router serves as the default gateway.

1. Enable eth1 in the Edit Network Interfaces menu.
2. Click add a subnet and configure it for network address 192.168.1.0 with netmask 255.255.255.0.
3. Click Create, then edit the subnet just created and click Edit Client Options.
4. Set default routers to 192.16
istic Med field is used to select the best MED path among paths advertised from neighboring AS.

The Redistribute Connected fields control the distribution of connected routes. When enabled, BGP will advertise routes to directly connected interfaces to other BGP routers in the area. Normally only routes that fall within the scope of the network areas will be advertised.

The Redistribute Static fields control the distribution of static routes. When enabled, BGP will advertise static routes created using the Network Configuration, Routing and Default Route menu to other BGP routers in the area. Normally only routes that fall within the scope of the network areas will be advertised.

The Redistribute Kernel fields control the distribution of kernel routes. When enabled, BGP will advertise routes from the kernel routing table, which includes static routes entered by the administrator, to other BGP routers in the area. Normally only routes that fall within the scope of the network areas will be advertised.

The Redistribute OSPF fields control the distribution of routes learned by OSPF. When enabled, BGP will advertise routes learned by OSPF.

The Redistribute RIP fields control the distribution of routes learned by RIP. When enabled, BGP will advertise routes learned by RIP.

The AS ID is the Autonomous System ID used between BGP routers. Note that for BGP route
it inaccessible.

- Replace the default passwords for all user accounts and processes (where applicable) before the device is deployed.
- Use strong passwords. Avoid weak passwords such as password1, 123456789, abcdefgh, etc.
- Make sure passwords are protected and not shared with unauthorized personnel.
- If RADIUS authentication is being employed, configure authentication servers.
- The default SSL certificate that is provided in Webmin is a self-signed certificate, which means that the trust part of the SSL connection cannot work. Siemens highly recommends following the instructions in Section 4.4 Managing SSH Keys and Certificates and providing ROX with a proper X.509 certificate.
- SSL and SSH keys are accessible to users who connect to the device via the serial console. Make sure to take appropriate precautions when shipping the device beyond the boundaries of the trusted environment. Replace the SSH and SSL keys with throwaway keys prior to shipping. Take the existing SSH and SSL keys out of service. When the device returns, create and program new keys for the device. See Section 4.4.3 Regenerating SSH Keys for further information.
- Restrict physical access to the flash card to only trusted personnel. A person with malicious intent in possession of the flash card could extract critical information, such as certificates, keys, etc. (user passwords are protected by hash codes), or reprogram the card.
- Control access to the serial
itional DLCIs to be configured.

Figure 206: Edit Logical Interface, Frame Relay, multiple DLCIs (Edit Logical Interface w1fr17 on 56K 1. Frame Relay Parameters: Station Type CPE (FR DTE Interface), Signalling type ANSI, Link Failure: Leaves IP interface up, T391 10, T392 16, N391 6, N392 6, N393 4, EEK Type Off, EEK Timer 5. Channel 1 table with columns Name, DLCI, Local Address, Netmask, Remote Address, Description: w1fr16, 16, 1.1.1.1, 255.255.255.255, 2.2.2.2, Link 123; w1fr17, 17, 3.3.3.3, 255.255.255.255, 4.4.4.4, Link 456. Add another DLCI to this channel; Save; Delete this logical interface; Return to DDS WAN Interfaces)

The fields and buttons in this menu are the same as those described in Section 5.3.2.5 Editing a Logical Interface (Frame Relay).

Section 5.5.3.3 Editing a Logical Interface (PPP)

Figure 207: Edit Logical Interface, PPP (Edit Logical Interface w1ppp on 56K 1. PPP Parameters: Name w1ppp, Local Address 10.2.1.1, Netmask 255.255.255.255, Remote Address 10.2.1.2, Description: No description. Save; Delete; Return to DDS WAN Interfaces)

The fields and buttons in this menu are the same as those described in the Editing A Logical Interface (PPP) section.
ivided by the link bandwidth (10 Mbit). If a manual cost is assigned to the interface in OSPF, this value is ignored. RIP does not use this parameter.

Section 5.12.6.5 View Core Configuration

This menu shows the current configuration file for the Core interfaces.

Section 5.12.6.6 BGP Configuration

Figure 264: BGP Main Configuration Menu (BGP: BGP Global Parameters, Networks, Status, View BGP Configuration; Return to dynamic routing)

This menu contains the configuration and status of BGP on the router. The BGP Global Parameters and Networks menus configure BGP. The Status and View BGP Configuration menus display the actual status and configuration file contents of BGP.

Section 5.12.6.7 BGP Global Parameters

NOTE: The AS ID defined below must be configured prior to any configuration of BGP networks or neighbors.

BGP Global Parameters

Parameter            | Value            | Description                                 | Possible values (default value)
Enable Password      | (masked)         | Enable password for configuration access    | string without spaces (previous password)
Telnet Password      | (masked)         | Telnet password for port 2605 access        | string without spaces (previous password)
Identifier of router |                  | Often the DNS n
k | Gateway | Interface | Metric | Comment

Configured Static Routes (example rows): 1: 0.0.0.0/0 via interface w2c1ppp, Inactive; 2: 10.2.3.0/24 via gateway 192.168.100.2, Inactive; 3: 10.200.0.0/16 via gateway 172.30.128.1, Active; 4: empty. Save button.

Other Static Routes (columns: Network/Mask, Gateway, Interface, Metric, Action): 10.2.3.0/24 via interface gre1, Save to Configured Static Routes; 0.0.0.0/0 via interface w1c1fr22, Save to Configured Static Routes.

Note: This router has the following network interfaces for IPv4 routes: eth1, eth2, eth3, eth4, w1c1fr22, w2c1ppp.
Note: This router is set to not support IPv6.
Note: Assign null0 to the Interface field to install a blackhole route.

Return to network configuration.

Figure 161: Static Routes

NOTE: Modem PPP, PPPoE on ADSL and any interface configured to obtain IP configuration via DHCP may also negotiate default gateways independently of this configuration menu.

The Network/Mask field specifies the remote subnet field of a static route definition. If this field is cleared, the route will be deleted when Save is clicked. The Network is specified in dotted quad notation, and the Mask (the number of bits in the subnet mask) is an integer between 0 (for a default route) and 32 (for a host route).

NOTE: It is possible to create a route on a locally connected broadcast network (i.e. without a gateway) without also bringing up a corresponding IP address on that interface. For example, it would be possible to add 192.168.30.0/24 to eth1, which has an IP address of 10.0.1.1 but no corresponding alias address on t
ket. Note that changes are made immediately, causing call placement to start.

Figure 94: Raw Socket Menu (columns: Port, Pack Char, Pack Timer, Turnaround, Call Dir, Max Conns, Rem IP, Rem Port, Loc Port; example row: port 1, Pack Char 10, Pack Timer 1000, Turnaround off, Call Dir OUT, Max Conns 2, Rem IP 172.30.148.27, Rem Port 50001; Save Changes & Return to Serial Protocols)

This menu configures the Raw Socket settings for each port. Changes are made immediately.

The Pack Char field configures the numeric value of the ASCII character which will force forwarding of accumulated data to the network. The Pack Char must be between 0 and 255 inclusive, or the value off. If configured off, accumulated data will be forwarded based upon the packetization timeout parameter.

The Pack Timer field configures the delay from the last received character until when data is forwarded. The Pack Timer must be between 5 and 1000 milliseconds inclusive.

The Turnaround timer field controls the amount of delay, if any, to insert between the transmissions of individual messages out the serial port. The Pack Timer must be between 1 and 1000 milliseconds inclusive, or off.

The Call Dir field configures whether to accept an incoming connection, place an outgoing connection, or do both. The Max Conns field configures the maximum number of incoming connections to permit when the call direction is incoming. The Remote IP field configures the address used when placing an outgoing connection. The Remote Port field selects the TCP destination port used in outgoing
l standard for substation automation. It is a part of the International Electrotechnical Commission's (IEC) Technical Committee 57 (TC57) architecture for electric power systems. An important feature of IEC61850 is the fast transfer of event data. Transfers of Generic Substation Events (GSEs) are accomplished through the GOOSE (Generic Object Oriented Substation Event) protocol. IEC61850 uses Layer 2 multicast frames to distribute its messages and hence is incapable of operating outside of a switched Ethernet network. The GOOSE tunnel feature provides a capability to bridge GOOSE frames over a WAN.

GOOSE tunnels provide the following features:
- GOOSE traffic is bridged over the WAN via UDP/IP.
- One GOOSE traffic source can be mapped to multiple remote router Ethernet interfaces in mesh fashion.
- To reduce bandwidth consumption, GOOSE daemons may be located at each of the legs and at the center of a star network. The centrally located daemon will accept GOOSE packets and re-distribute them.
- Statistics report availability of remote GOOSE daemons, packet counts and Round Trip Time (RTT) for each remote daemon.
- When Virtual Router Redundancy Protocol (VRRP) is employed, GOOSE transport is improved by sending redundant GOOSE packets from each VRRP gateway.

You can enable GOOSE forwarding by configuring a generic Layer 2 tunnel. When configured, ROX listens for GOOSE packets on one VLAN and forwards them to another VLAN.

Section 5.17.1
ld be translated to 100.1.101.16 as it is sent to the Internet on T1/E1 port w1ppp.

4. This example is much the same as the previous one, except that only SMTP from the 192.168.2.0/24 subnet will be allowed.

Masquerading and SNAT rules are defined in the file /etc/shorewall/masq and are modified from the Masquerading menu.

Section 5.8.3.6 Rules

The default policies can completely configure traffic based upon zones. But the default policies cannot take into account criteria such as the type of protocol, IP source/destination addresses, and the need to perform special actions such as port forwarding. The Shorewall rules can accomplish this.

The Shorewall rules provide exceptions to the default policies. In actuality, when a connection request arrives, the rules file is inspected first. If no match is found, then the default policy is applied.

Rules are of the form:

Action | Source Zone | Destination Zone | Protocol | Destination Port | Source Port | Original Destination IP | Rate Limit | User/Group

Actions are ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, REDIRECT-, CONTINUE, LOG and QUEUE. The DNAT-, REDIRECT-, CONTINUE, LOG and QUEUE actions are not widely used and are not described here.

NOTE: When applying new rules, previous traffic seen by the router might still be considered as having valid connections by the connection tracking table. For instance, a rule for the TCP and U
le. The Save button below the table will perform the following sanity checks on routing entries that have been added or modified. If the tests pass, the routes will be saved and immediately installed.

- A specified Gateway must be reachable and, if a network interface is also specified, must be reachable via that interface.
- If a specified network interface exists but is not active, the static route will be installed and marked "Inactive (interface is not active)".
- If a specified network interface does not exist (e.g. an on-demand modem PPP connection), the static route will be installed and marked "Inactive (interface does not exist)".

Delete routes by removing their Network/Mask addresses before saving.

NOTE: In order to redistribute static routes to other routers, the Redistribute Static option must be enabled in the corresponding OSPF, RIP or BGP configuration's Global parameters menu in Webmin.

Section 5.1.2.5 Other Static Routes

This table will be shown if there are active static routes which were not configured manually in the Configured Static Routes table. The Save to Configured Static Routes link next to each route entry in this table will make the corresponding route permanent.

NOTE: There are situations where manually entered routes should not be converted, e.g. routes dynamically added by IPSec and GRE tunnels. Making these routes permanent may cause the daemons that add them to fail.
le tells you how to set up the routers.

Suppose you have just unzipped rr1.2.zip into ruggedroutertest on a server available to the network at server.xyz.net. The major release is rr1 and the minor release is 2. You have chosen this directory because you want to test the release on a specific machine before propagating it to the network.

Login to the test router and visit the Maintenance menu, Upgrade Software, Change Repository Server sub-menu. Change the Repository server field to http://server.xyz.net/ruggedroutertest and the Release Version field to rr1. You can proceed to upgrade the router manually, or wait for the next nightly upgrade to take place.

After you are satisfied that the upgrade was successful, you can proceed to unzip the rr1.2.zip file into your ruggedrouter directory, or copy the rr1/dists/rr1.2 and rr1/dists/current directories into the ruggedrouter directory. Ensure that the remainder of the routers to be upgraded have their Repository server field set to http://server.xyz.net/ruggedrouter and their Release Version field set to rr1. They can now be upgraded.

Section 3.5.4.1 An Alternate Approach

You can eliminate the need for separate release and test directories by making your routers upgrade to specific major and minor releases. In this approach you will always extract releases to the same directory, e.g. ruggedrouter. All routers will be configured with a Repository server field set to http://server.xyz.ne
les.

Figure 225: Firewall Masquerading and SNAT

This menu allows you to add, delete and configure masquerading and SNAT rules. Add a new rule by selecting the Add a new masquerading rule link, or by clicking on the add above or add below images in the Add field. Reorder the policies by clicking on the arrows under the Move field. Clicking on a link under the Outgoing interface field will allow you to edit or delete the rule, as shown below. You may also make changes by manually editing the rule file.

Figure 226: Editing a Masquerading Rule (Masquerading rule details: Outgoing interface eth; Only for destination; Network to masquerade: Subnet address or Subnet on interface eth; Except for networks; SNAT address: None or 206.176.248.148; Save, Delete, Return to masquerading list)

The Only for destination field restricts the masquerading to the specified IP address. The Network to masquerade fields determine the interface or subnet on the private network that you wish to masquerade. The Except for networks field restricts traffic from the specified subnet. The SNAT address field is used to determine whether masquerading or SNAT is being performed. If checked, the entered IP address is used as a SNAT address.

Section 5.8.5.6 Firewall Rules

Firewall Rules: This table
les in this table are sorted by the change time, most recent changes first. Files that exist in only one of the targets are shown separately. Following the links under the File Name column will show a file's difference between the two targets. The difference will be shown by two methods: the difference between the two targets will first be shown in a side-by-side scrollable comparison, and the difference will also be shown in a window that shows differing lines.

Figure 43: Show Difference for selected file between two targets (Difference on default/lldpd between Archive20131019 0000 and Current Configuration: Side by Side Difference Display and Differing Lines Display, the differing line being DAEMON_ARGS; note: lines beginning with < belong to Archive20131019 0000, lines beginning with > belong to Current Configuration; Copy This File To Current Configuration button; Return to Archive Differences List)

The Copy This File to Current Configuration button will be present when the destination archive is the Current Configuration. It allows the user to copy the selected file from the old archive to the current configuration.

NOTE: It is possible to damage your router through use of this feature. Ensure that the configuration file copied makes sense in the current versio
336. liarizes the user with: changing the system password; changing the bootloader password. Section 4.3.2.1 Change Password Command. This command changes only the root account password used to log in to Webmin and the root account via the serial console or SSH. [Figure 137: System Menu, Change Password Command (Change Password for user root: this module can be used to change the root password used to log in with Webmin, SSH and console; options: Leave unchanged, Set to, Re-enter; Save)] Section 4.3.2.2 Change Bootloader Password Command. This command changes the bootloader password used to log in to the available service modes. CAUTION: Security hazard, risk of unauthorized access. To prevent unauthorized personnel from accessing the available boot modes, it is strongly recommended that a bootloader password be set before the device is deployed. [Figure 138: Bootloader Change Password Command (Change Password for boot loader: this module can be used to change the password, maximum 128 characters, used in the boot loader; status: Boot loader password is not set; options: Leave unchanged, Clear, Set to, Re-enter; Save)] Section 4.3.3 Scheduled Commands. The Scheduled Commands table has the columns JobID, Run as user, Run at, Created on, Commands to exe
337. licies by clicking on the arrows under the Move field. Clicking on a link under the Source zone field will allow you to edit or delete the policy, as shown below. You may also make changes by manually editing the policy file. [Figure 224: Editing a Firewall Default Policy (fields: Source zone, Destination zone, Policy, Syslog level, Traffic limit with Limit and Burst; buttons: Save, Delete, Return to policies list)] The Syslog level field causes a log entry to be generated every time the rule is followed. The Traffic limit fields allow you to place an upper limit upon the rate at which the rule is applied. The Limit field is the steady-state rate and is of the form X/sec or X/min, where X is the number of allowed rule followings. The Burst field denotes the largest permissible burst and defaults to five if not configured. Section 5.8.5.5 Masquerading. Entries on this page set up network address translation for traffic routed between some network and a particular interface. [Masquerading page: No masquerading rules have been defined yet; Add a new masquerading rule; Manually Edit File: click this button to manually edit the Shorewall file /etc/shorewall/masq, in which the entries above are stored] Return to list of tab
338. lnet Server. This section familiarizes the user with configuration of the Telnet server. Telnet is an IP network protocol (RFC 854) that provides remote terminal access to a system on TCP port 23. Telnet is commonly used to refer to both the protocol and to the server and client programs that implement it. An important consideration when using telnet is that both the authentication process and the entire session are transmitted in the clear, i.e. unencrypted. This makes it possible for an attacker to log the telnet session as it appears on the network and acquire from it the username and password of the account used to log in via telnet, along with the entire text of a login session. NOTE: Wherever possible, the use of SSH is recommended over telnet, since SSH encrypts both the authentication exchange and the session. For information on configuring the SSH server on ROX, please refer to Section 3.12 Configuring SSH. There are some situations in which remote network access to the router is necessary and an SSH client is not readily available, but a telnet client is. Older computer systems or network terminal devices, for example, may support telnet and not SSH, due in part to the fact that telnet itself has been in use for several decades and that it requires far fewer resources than does SSH. One way to decrease the risk associated with running a telne
339. log box. Click upon the Send to router button to start the transfer. You may also decide to create directories cited in the upload path at upload time, set the user/group ownership of the file, and extract tar or zip files. The "Upload a file from the router to your host" part of the menu allows you to send files from the router to a specified location on your host machine. You need to specify the file to send: you may specify the file's path directly or click on the browse button to open a file search dialog box. Select the file to upload and close the dialog box. Then click the Upload to your host button. Section 3.8 Configuring PPP and the Embedded Modem. This section familiarizes the user with: configuring the PPP client; configuring the PPP server; configuring the dial-in console; viewing status. ROX may be equipped with one or two internal modems, or with a serial card which allows connection to an external modem. A modem allows connections to be made over standard telephone lines. PPP (Point-to-Point Protocol) is used to establish a network connection over a modem link. As of ROX version 1.15, two internal modems can be installed in ROX. Section 3.8.1 PPP Interface. When a PPP connection is established, a network interface is created in the system. The interface name for the first internal modem connection, or an external modem connection, is ppp0. If the rout
340. low a specified OID. [Figure 49: Access Control Menu, SNMP V3 (SNMP V3 Users: no V3 users are currently defined; Add an SNMP V3 User: User Name, Access (read only), Minimum Security (No Authentication), OID, Authentication Protocol (MD5), Authentication Passphrase, Privacy Protocol (DES), Privacy Passphrase; Add)] The second part of the Access control menu allows creation and deletion of V3 users. The User Name field selects the name of the new user. The Access field determines whether the community is read-only or read-write. The Minimum Security field selects the level of security used by this user. It may be No Authentication (no authentication or encryption), Authentication Only (authentication by the MD5 or SHA1 authentication methods, no encryption), or Authentication with Privacy (authentication by MD5 or SHA1, encryption by the DES or AES ciphers). The OID field further restricts access to an Object Identifier (OID) tree at or below a specified OID. The Authentication Protocol, Authentication Passphrase, Privacy Protocol and Privacy Passphrase fields configure the protocols and passphrases used, depending on the Minimum Security field. These settings are shared between the agent and the remote user. Note that if authentication and privacy are both used but only the authentication passphrase is provided, snmpd will use the authentication passphrase as the privacy passphrase. Note also that if any notifications are ena
341. ls, the Timeslots link will no longer appear. Note that you do not have to assign all timeslots. Assign Frame Relay or PPP to the channels by following the Assign Protocol links. The resultant menus will allow you to select the desired channel. If you are assigning multiple DLCIs, assign the first DLCI used by that interface and configure the Frame Relay Link Parameters and that DLCI's network parameters. After assigning the first DLCI you may revisit the interface through the link under the Name field and add additional DLCIs. Once all channels have been assigned, the Assign links will no longer appear, as shown below. Note that any of the Frame Relay interfaces on a channel (in this case w1c4fr16 and w1c4fr17) may be used to edit the Frame Relay Link Parameters. The T1/E1 WAN Interfaces page (T1/E1 Trunks, Channels and Logical Interfaces) shows, for T1 1 (Up), one channelized interface with time slots 1-24 assigned and one Frame Relay logical interface with its Name, Description, Local Address, Netmask and Remote Address, plus the links Edit T1 1 Parameters, View T1 1 Link Statistics and Loopback this Interface (enable/disable loopback modes); for T1 2 (Not Running), one channel with ALL time slots and no logical interfaces yet, with the links Assign a new Frame Relay logical interface, Assig
342. ly, they may not be configured to run on the same network interface. Section 5.19.1 Configuring DHCP Relay. The DHCP Relay is disabled by default and may be enabled via the Bootup and Shutdown menu under the System folder. [Figure 316: DHCP Relay Configuration (fields: Servers, Interfaces; Save; Apply Configuration: click this button to apply the configuration, which will restart the DHCP Relay Agent)] This menu allows you to configure the DHCP Relay Agent. The Servers field configures the list of DHCP servers to which DHCP/BOOTP requests will be forwarded. NOTE: In general, the DHCP servers configured here will themselves need to be configured to serve the subnets from which DHCP/BOOTP client requests will be forwarded. Refer to Section 5.18.1 DHCP Network Organizations for a brief discussion of the DHCP server configuration required to support Relay Agents. The Interfaces field selects the network interfaces on which the relay agent will listen for DHCP/BOOTP requests. Select both the network interface to which clients are attached and the one to which servers are attached. NOTE: ROX allows the use of DHCP relay over GRE tunnels and PPP/Frame Relay interfaces, for cases in which the DHCP server resides behind the far endpoint of the GRE tunnel or WAN link. In the case of GRE, it is mandatory that the GRE interface have the Tunnel IP address parameter conf
343. master, a host computer that issues the polls over a serial line. A TcpModbus Client application, such as that implemented by the RuggedServer, accepts Modbus polls on a serial line from a master and determines the address of the corresponding RTU. The client then encapsulates the message in TCP and forwards the frame to a Server Gateway or native TcpModbus RTU. Returning responses are stripped of their TCP headers and issued to the master. The TcpModbus Server application accepts TCP-encapsulated Modbus messages from Client Gateways and native masters. After removing the TCP headers, the messages are issued to the RTU. Responses are TCP-encapsulated and returned to the originator. A native TcpModbus master is one that can encapsulate the Modbus polls in TCP and directly issue them to the network. Section 3.10.4.1 Local Routing at the Server Gateway. The Server Gateway supports up to 32 RTUs on any of its four ports. When a request for a specific RTU arrives, the server will route it to the correct port. Section 3.10.4.2 MultiMaster Capability. It is possible for multiple masters to simultaneously issue requests for the same RTU. The Server Gateway will queue the requests and deliver them to the RTU in turn. This multimaster capability allows widely distributed masters to configure and extract information from the RTU. Section 3.10.5 TcpModbus
344. matching condition found among the enabled rules. NOTE: Due to limited CPU and memory resources on a router, it is strongly recommended to enable Snort only on one Ethernet interface, which could be connected to the external network. Following is a general guideline for the maximum number of rules that could be enabled, depending on the Ethernet interface(s) on which Snort is enabled: one Ethernet interface: 10,000 rules, with a maximum of 400 flowbit tags used in the rules; two Ethernet interfaces: 4,500 rules, with a maximum of 200 flowbit tags used in the rules; four Ethernet interfaces: 800 rules. For more information refer to Section 3.15.1.2 Which Interfaces to Monitor and Section 3.15.2.2 Interfaces. Upload the rule sets to the /etc/snort/rules directory on the router using the upload/download file menu in Webmin. The rule sets can also be uploaded through WinSCP or any other method. Include and enable the intended rule sets in the snort.conf file. The snort.conf file may include some pre-configured rule sets to demonstrate an example; these rule sets are not enabled by default. If the rule set that you intend to use is listed in the configuration file, remove the comment sign from the prefix of the included rule set; otherwise the rule set needs to be included in the configuration file. For more information about rule sets refer to Section 3.15.1.3 Snort Rules and Section 3.15.2.3 Rulesets. Test your conf
345. mbers of groups: all; Deny users: None; Deny members of groups: None; Save; Return to module index. [Figure 107: SSH Server Access Control] The Only allow users field specifies the users allowed to connect by SSH. The specification can be a list of user name patterns separated by spaces. Login is allowed only for user names that match one of the patterns, and wildcards can be used in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST, then USER and HOST are separately checked, restricting logins to particular users from particular hosts. The account selector button can be used to build up a list of allowable users. The Only allow members of groups field specifies the groups (in the Unix sense) of users allowed to connect by SSH. The specification can be followed by a list of group name patterns separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns, and wildcards can be used in the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. The account selector button can be used to build up a list of allowable groups. The Deny users and Deny members of groups fields specify users and groups to deny connections to. Section 3.13 Configuring the Te
346. me. Channel re-assignments can, however, lead to a non-intuitive relationship between channels and timeslots. Section 5.3.2.4 Editing a T1/E1 Interface. [Figure 184: Edit T1 Interface (Interface T1 2 Parameters: Convert this interface to E1; Framing: ESF; Line Decoding: B8ZS; Clocking: Normal; Line Build Out: CSU 0dB; Save; Return to T1/E1 WAN Interfaces)] This menu allows you to display and configure T1 or E1 Trunk parameters. By default the interface is set for T1 operation. The "Convert this interface to E1" link will set the interface for E1 operation and allow you to configure its settings. If logical interfaces use a channel number larger than 24, an attempt to convert from E1 to T1 will prompt to delete the logical interface first. T1 Settings. NOTE: The D4 framing format option is not used. It is available solely for compatibility with legacy data models. The Framing field determines the framing format used. Your line provider will indicate the correct format. Modern facilities usually employ Extended Super Frame (ESF), an enhanced T1 format that allows a line to be monitored during normal operation. The Line Decoding field reflects the line encoding/decoding scheme. Almost all T1s now use B8ZS. The Clocking field selects whether to accept or provide clocks. In normal use the central office provides clocks and your setting should be Normal. You may also connect to
347. me to refer to the host within the DHCP configuration. The Hardware address field is the Ethernet MAC of the client associated with the host entry. The Fixed IP address field is the IP to assign to the matching client. Section 5.18.5.5 DHCP Pool Configuration. NOTE: The menu interfaces for creating a DHCP Address Pool Configuration and for editing an existing one are the same; only the title differs (Create versus Edit DHCP Pool Configuration). [Figure 315: DHCP Pool Configuration (Edit Address Pool in subnet 192.168.2.0/255.255.255.0; Address pool options: Address ranges, Dynamic BOOTP ranges, Failover Peer, Clients to allow/deny, Default lease, Maximum lease, Boot filename, Boot file server, Server name, Lease length for BOOTP clients, Dynamic DNS enabled, Default domain name, Dynamic DNS reverse domain, Allow unknown clients, Option 82 clients (Client Name, Remote ID, Circuit ID; Add an option82 client); Save, Delete, Return to subnet)] The settings specific to the Create/Edit Address Pool menu are: The Failover peer field is the IP address of a DHCP
348. mely flexible and not all capabilities have been described in this user guide. This menu provides the user with the ability to make raw configuration changes to the Snort configuration file from within Webmin. CAUTION: Configuration hazard, risk of data corruption. Modifications to the Snort configuration made on the device itself may conflict with rules that are later uploaded to the device from a central server. Section 3.16 Brute Force Attack Protection System. ROX 1.16 features a Brute Force Attack (BFA) protection mechanism. This mechanism will analyze the behavior of external hosts trying to access the SSH port, specifically the number of failed logins. On the 5th or 6th failed login, the IP address of the host will be blocked for 630 seconds. The range of 5 to 6 failed logins exists to take into account various methods of accessing the device, notably when the same or different ports are used across a series of failed logins. IMPORTANT: The Brute Force Attack (BFA) protection system is not applicable to SNMP. Follow proper security practices for configuring SNMP. For example: do not use SNMP over the Internet; use a firewall to limit access to SNMP; do not use SNMPv1. After the blocking time has expired, the IP will be allowed to access the device again. If the malicious behavior continues from the same IP (e.g. another 6 failed login attempts), then t
349. meout: 10 (1 to 20) seconds; Service: WEBMIN; Bind Interface: eth1; Save, Test, Delete. Note: The Bind Interface option applies to RADIUS requests for the WEBMIN service only. The source IP address of these exchanges will be the IP address of the selected network interface. Return to Radius Authentication. [Figure 150: RADIUS Authentication Server Parameters] This menu configures, tests and deletes RADIUS server entries. The Hostname/IP field configures the RADIUS server's IP address. The Port Number field sets the port number used by the RADIUS server. The default port for RADIUS is 1812. The Shared Secret field configures a unique password used to authenticate communications with this server. Note that the shared secret must also be configured on the RADIUS server for the router being configured. The Timeout field sets the maximum time, in seconds, to wait for responses from a RADIUS server before aborting the transaction with the current server. When the timeout expires, ROX will proceed to the next configured server, if one has been configured, to retry the transaction. The Service field configures whether the server authenticates LOGIN, WEBMIN, PPP LOGIN, or any combination of these types. The Bind Interface field sets the source IP address for RADIUS requests for the WEBMIN service only. The IP address of the selected network interface will be used as the source address for these exchanges. If none is selected, the source IP addr
350. most RUGGEDCOM products are available online at www.siemens.com/ruggedcom. For any questions about the documentation or for assistance finding a specific document, contact a Siemens sales representative. Training. Siemens offers a wide range of educational services, ranging from in-house training of standard courses on networking, Ethernet switches and routers, to on-site customized courses tailored to the customer's needs, experience and application. The Siemens Educational Services team thrives on providing our customers with the essential practical skills to make sure users have the right knowledge and expertise to understand the various technologies associated with critical communications network infrastructure technologies. Siemens' unique mix of IT/Telecommunications expertise, combined with domain knowledge in the utility, transportation and industrial markets, allows Siemens to provide training specific to the customer's application. For more information about training services and course availability, visit www.siemens.com/ruggedcom or contact a Siemens sales representative. Customer Support. Customer support is available 24 hours, 7 days a week for all Siemens customers. For technical support or general information, please contact Siemens Customer Support through any of the following methods. Online: Visit http://www.siemens.com/automation/support-request to submit
351. mpact of new software. This will require a directory such as ruggedroutertest to be created. These directory names will be used in examples in the remainder of this section. Ensure that the web server publishes these directories. NOTE: If you are using Microsoft Internet Information Services (IIS) Manager 6.0 or higher as your upgrade repository, see Section 6.2.1 Using Microsoft Internet Information Services (IIS) Manager 6.0 or Higher as an Upgrade Repository for special instructions. Section 3.5.3 Upgrading the Repository. ROX releases are obtained from www.siemens.com/ruggedcom as ZIP files. Download the ZIP file to your regular and/or test release directories and unzip them. You may delete the original ZIP file if desired. The ZIP file name will be in the form rrX.Y.zip. The major release number X is changed when major new functionality, often hardware related, is offered. The minor release number Y is increased when minor functionality is added or bug repairs are made. The first router upgrade release is rr1.1.zip. The zip file will extract to a directory that has the same name as the major release, e.g. rr1. As subsequent releases are made, they will also be extracted into this directory. Section 3.5.4 Setting Up the Routers. The name of the release directory and the major and minor release names from the zip fi
352. n [Figure 42: Archive Differences List (differences between archive Archive20131019 0000 and Current Configuration: a table of file names with each file's timestamp in the archive and in the Current Configuration, followed by a table of files that exist only in the Current Configuration with their timestamps; Return to Archive Differences)] The resulting menu shows the differences between the two selected targets. Fi
353. n Section 5.11.17 List Certificates. [Figure 253: List Certificates (columns: Certificate Name in /etc/ipsec.d/certs, Certificate Key file in /etc/ipsec.d/private, Secret for certificate in /etc/ipsec.secrets; example row: rceng02Cert.pem, key file not present, secret not configured; Return to connections list)] This menu lists available certificate files, their corresponding key files, and details whether a public key for the certificate is configured. Section 5.11.18 VPN Connections. The IPSec main menu "Add a new IPSec VPN connection" link leads to the Create Connection menu, creating a new connection and its icon. Selecting the connection's icon from the IPSec main menu displays the same menu, allowing editing and deletion. An IPSec connection is composed of three types of information: there is information about the local host, about the remote host, and about the overall connection between them. The configuration data has been designed in such a way that there are identical connection specifications on both ends. Because of this, connection specifications are written in terms of left and right participants rather than in terms of local and remote. Which participant is considered left or right is arbitrary; IPSec figures out which one it is being run on based on internal information. The Create/Edit Connection menu reflects this organization by being split into three sections. The first section, IPSec VPN Connec
354. n [Figure 242: Interface Prioritization Menu] This menu allows you to add, delete and configure queues and filters. Add a new queue or filter by clicking on the "add above" or "add below" arrows in the Add field. You may also edit a manually created queue by following its link under the Queue Name column, and edit a filter by following its Edit link. Reorder the queues and filters by clicking on the arrows in the Move field. Some restrictions apply with queues: you are not allowed to reorder queues in a way that violates the priority implicit in their name. The Transmit Queue Length selector allows you to make a tradeoff between latency and performance. Remove prioritization by selecting the Delete and Apply button. Section 5.10.6.1 Prioritization Queues. [Figure 243: Prioritization Queue Configuration (w2c1ppp Queue Configuration for new queue: Queue Name; Save and Apply; Return to Traffic Prioritization)] This menu allows you to edit the name of a priority queue and to delete the queue. If you delete a queue referenced by filters, the filters will be adjusted to use the next lowest queue. Section 5.10.6.2 Prioritization Filters. The w2c1ppp Filter Configuration page for a new filter has the fields Source IP, Netmask, Source Port, Dest IP, Netma
355. n Threshold; And Repeats: 0 to 1000000 times; And Until: 0 to 1000000 seconds; Not Cleared Repeats: 0 to 1000000 times; Not Cleared Until: 0 to 1000000 times. Parameters for RMON: Device Name; MIB Variable; Sample Interval: 30 to 86400 seconds; Startup Event: Rising; Rising Threshold; Falling Threshold; Save; Return to Alert Definition List Menu. [Figure 30: Change Alert Definition Menu] This menu allows you to change an existing alert definition entry. The Codepoint is the key part of the alert definition entry and cannot be changed. The Category configures which category the alert definition entry belongs to. The Name configures the name of the alert definition, which will be displayed by Webmin, at login, or by the email forwarder when an active alert exists. The Subsystem configures which subsystem the alert definition entry belongs to. The Severity configures the severity level of the alert. The severity levels are sorted from highest priority to lowest priority. The Alarmable setting configures whether the matched alert should trigger the critical relay and alarm LED on the LED panel of the router. The Enabled setting configures whether the alert system should monitor and record the matched active alert; if Enabled is not checked, the matching active alert will be ignored. The Renotify Interval configures how often the matched active alert should be notified, according to the alert filter configuration setting. If it is disabled, no notification will be forwarded
356. n a new PPP logical interface; Assign new MLPPP logical interfaces; Edit T1 2 Parameters; Return to T1/E1 Main Menu. [Figure 183: T1/E1 Network Interfaces After Interface Creation] Section 5.3.2.3 Naming of Logical Interfaces. Webmin names the logical interfaces for you, but allows you to provide a description. All interfaces start with a "w" to identify them as WAN interfaces, followed by the physical interface number. Unchannelized hardware interfaces supply only one channel, which can be composed of a varying number of timeslots, to the logical interface. You may configure one PPP interface or up to 992 Frame Relay DLCI interfaces. The next part of the identifier is either "ppp" or "frX", where X is the frame relay channel number. Channelized hardware allows more than one logical interface. The next part of the identifier indicates the channel the interface uses, with a "c" followed by the lowest channel used. The final part of the identifier is either "ppp" or "fr" and the frame relay channel number. NOTE: Once a channel is created and an interface is constructed on it, the name of the interface will never change. This will remain true even if the number of timeslots on the channel is changed. This property is desirable, since interface names used by features such as OSPF, RIP and the firewall can rely on the interface na
357. n established. This can be normal: tunnels become active once the Phase 1 and Phase 2 security associations are created, and this usually only occurs after traffic is flowing. The associations then get torn down after a time-out period. Section 5.11.20 IPSec X.509 Roaming Client Example. This example details how to set up IPSec connections using X.509 certificates on the router. The router will provide an IPSec gateway to a number of remote clients that connect via an Internet connection. Each of the clients will fetch an IP address locally from a DHCP server, and it is assumed (but not required) that network address translation will be applied at the client end. Each of the clients should appear on the local network on a specific IP address. In this example the clients are laptop PCs. [Figure 256: IPSec X.509 Roaming Client Example (w1ppp, vpn.xyz.com, Remote Gateway; eth1 192.168.17.3; 10.0.1.1 on Local Network 10.0.0.0/8; Laptop IPSec Client)] Section 5.11.20.1 Select a Certificate Authority. Begin by constructing the required certificates. You may construct the certificates using a ROX or a third-party tool. The device that is used to build the certificates is known as the certificate authority. There are advantages and disadvantages to using the router itself as the authority. It is convenient to us
358. n of the router. Copying the configurations may not make any actual operating changes until the systems that own them are restarted. If the source archive has a file that is not present in the Current Configuration, it is possible to view that file and then copy it into the Current Configuration. Section 3.7.3 Decommissioning the Device. Before taking the device out of service, either permanently or for maintenance by a third party, make sure the device has been fully decommissioned. This includes removing any sensitive, proprietary information. To decommission the device, do the following: 1. Obtain a copy of the ROX firmware currently installed on the device. For more information, contact Siemens Customer Support. 2. Log in to ROX. See Section 2.1.1 Using a Web Browser to Access the Web Interface. 3. Clear the boot password. See Section 4.3.2.2 Change Bootloader Password Command. 4. Flash the ROX firmware obtained in Step 1, but do not select the option to restore the previous configuration. See Section 3.6 Reflashing the Router Software. 5. Shut down the device. See Section 4.3.1 Bootup and Shutdown. Section 3.7.4 SNMP Configuration. The SNMP menus provide the following configuration features: system information; agent network addresses; community access to the agent; SNMP trap delivery. SNMP (the Simple Network Management Protocol) is used by network management systems and the devices they manage
359. n the link in the email to access the router. The Default Filter Level for Webmin configures the lowest alert level to show on Webmin. All active alerts of higher priority than this level will be displayed on the Webmin home page. The Default Filter Level for Command Line configures the lowest alert level to show when a user logs in by console or SSH. The Save button saves all changes to the general configuration. The Create New Filter button allows you to create a new forwarder filter for active alerts. Section 3.7.1.3 Alert Filter Configuration. [Figure 28: Alert Filter Configuration Menu (status: the filter configuration is successfully saved; Change Filter Configuration, Filter Parameters: Forward Destination Type: EMail; Forward Destination (use a comma to separate multiple email addresses); Filter Level Comparator: Greater Than; Filter Level: Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug; Save; Return to Alert Configuration Menu)] This menu configures an alert filter, which defines the forwarder destination for active alerts matching the defined filter level. The Forward Destination Type configures the type of filter. Currently only the type Email is supported. The Forward Destination configures the destination matching with the Forwarder Destinati
360. n to host list.

Figure 313: DHCP Group Configuration

The settings specific to the Create/Edit Host Group menu are: the Group description field, used to describe the group as desired, and the Use name as client hostname field, which determines whether host entries should use the host entry's name as the client hostname to provide to the client. Within a group you can create hosts.

Section 5.18.5.4 DHCP Host Configuration

NOTE: The menu interfaces for creating a DHCP Host Configuration and for editing an existing one are the same; only the title differs (Create versus Edit).

Figure 314: DHCP Host Configuration (Create Host form: Host description; Host assigned to (Toplevel); Host name; Hardware address (ethernet); Fixed IP address; Default lease time (Default or seconds); Maximum lease time (Default or seconds); Boot filename (None); Boot file server (This server); Server name (Default); Lease length for BOOTP clients (Forever or seconds); Lease end for BOOTP clients (Never); Dynamic DNS (Yes, No, Default); Dynamic DNS domain name (Default); Dynamic DNS hostname (Default or From client); Dynamic reverse DNS domain (Default); Allow unknown clients (Allow, Deny, Ignore, Default); Create; Return to host list)

The Host description field is used to describe the host as desired. The Host name field is the unique na
361. nce menu. Set the Only show which packages would be upgraded radio button to No and click on the Upgrade Now button to start the upgrade.

Section 6.2.1 Using Microsoft Internet Information Services (IIS) Manager 6.0 or Higher as an Upgrade Repository

When using Microsoft Internet Information Services (IIS) Manager 6.0 or higher as your ROX upgrade repository, you must add a new MIME type for the ROX upgrade package extension, of type application/octet-stream, to the IIS properties. The new MIME type is required for IIS to serve ROX upgrade packages as an application/octet-stream. If the new MIME type is not added, ROX upgrades will fail. To add the new MIME type, do the following on your IIS server:

1. In the Windows Start menu, right-click on My Computer and select Manage. The Computer Management dialog appears.
2. Under Services and Applications, locate the Internet Information Services (IIS) Manager node. Right-click on your ROX upgrade repository website and select Properties. The Properties dialog appears.
3. Select the HTTP Headers tab and click MIME Types. The MIME Types dialog appears.
4. Click New. The MIME Type dialog appears.
5. In the Extension field, type the upgrade package extension. In the MIME type field, type application/octet-stream.
6. Click OK on the MIME Type, MIME Types and Properties dialog boxes.

Section 6.3 VPN L2TP Configur
362. nchronous serial ports per router (two ports per slot); configurable data rates from 2400 to 230400 bits per second; internal or external clocking modes; RTS/CTS hardware flow control; HDLC framing; support for the Raw Socket protocol, a means to transport data from a synchronous serial port on the router to a specified remote IP address and TCP port; up to eight TCP Raw Socket connections per port; debugging facilities including connection tracing and statistics.

Section 3.11.1 Raw Socket Operation on Synchronous Ports

The Raw Socket protocol operates somewhat differently on synchronous ports from the way it does on asynchronous ports. One important difference is that, in the case of outgoing calls, only up to eight TCP connections may be mapped to a single synchronous serial port. This means that data received on the port will be transmitted to all configured TCP endpoints, and all data received from the TCP endpoints will be transmitted on the synchronous port.

Another difference concerns framing. Forwarding to and from asynchronous serial ports involves timeouts and pack characters in order to aid in framing (packetization) for transmission on an IP network. HDLC frames received on the synchronous port will be transmitted immediately on the TCP connection, and incoming data on TCP connections is written directly to the port. Note
363. nd Remote IP Address fields specify the local and remote IP addresses, respectively, to use on the PPP connection. Note that one or both of these addresses may be overridden by a remote PPP server when a connection is established.

Section 3.8.6.5 Modem PPP Server

Figure 76: Configure Modem PPP Server (Server Configuration form for ppp0: Server IP address 192.168.100.11; Client IP address 192.168.100.22; Client Nameserver; Proxy ARP; Idle timeout (seconds); Server name (System hostname ruggedcom.localdomain, or Other); Save, changes take effect the next time a user connects; Username/Password settings (example row admin/admin, Delete, Add); Static Route settings (Username, Static Route, Add); Return to Modem Main Menu)

The Server IP address field specifies the IP address that the router will use for the PPP interface. The Client IP address field specifies the IP address to assign to an incoming PPP client connection. The Client Nameserver field controls which nameserver, if any, the client should use for DNS lookups. The username and password entered here are what an incoming caller must present; replace the example admin/admin shown in the figure with a strong credential before accepting calls. The Proxy ARP option makes the router attempt to proxy ARP the remote IP onto a local Ethernet subnet. This requires that the Client IP address be set to an IP that would be valid on one of the Ethernet subnets to which the router
364. nder the Metric field reflect the cost of this route. The route with the lowest metric matching a destination is used. The entries under the Protocol field reflect the system that created the route: one of kernel (default interface routes), core (dynamic routing protocol routes), redirect (routes added due to an ICMP redirect message) or static (manually added routes). The entries under the Source field reflect the source address to use when originating a packet to a destination matching this route. Note that packets routed through the router have their own source address, and that the sending application, if it decides to, can manually specify the source address. The entries under the ToS field reflect the ToS value a packet must match to be routed by this route. The entries under the Weight field reflect the relative bandwidth or quality of this link within a multi-path route. Note that multi-path routes are shown with multiple lines for a single destination.

Interface Status

This menu also summarizes the interface status. The entries under the Device field reflect the name of the device. The entries under the Link up field reflect the current link state of the interface. The entries under the Address field reflect the local address of the interface. The entries under the Netmask field reflect the netmask applied to this interface. The entries under the Bcast/Peer field reflect the broadcast address for the interface or t
365. ne 12:18:17 mgetty: interim release 1.1.36-Jun15
12:19:07 checking if modem is still alive
12:19:07 mdm_send: 'AT' -> OK
12:19:07 waiting...
12:19:08 checking if modem is still alive
12:19:08 mdm_send: 'AT' -> OK
12:19:08 waiting...
12:19:09 checking if modem is still alive
12:19:09 mdm_send: 'AT' -> OK
12:19:09 waiting...
Refresh; Return to Modem 1 Main Menu

Figure 78: Incoming Call Logs

This page shows the latest log entries for incoming calls. This is mainly useful when trying to debug a problem with establishing incoming connections.

Section 3.8.6.7 Modem PPP Logs

Peer PPP Logs (Month, Day, Time, Process, Event):
/var/log/syslog Oct 30 10:43:02 pppd[11651]: Plugin rp-pppoe.so loaded
/var/log/syslog Oct 30 10:43:02 pppd[11663]: pppd 2.4.4 started by root, uid 0
/var/log/syslog Oct 30 10:43:37 pppd[11663]: Timeout waiting for PADO packets
/var/log/syslog Oct 30 10:43:37 pppd[11663]: Unable to complete PPPoE Discovery
/var/log/syslog Oct 30 10:43:40 pppd[11663]: Terminating on signal 15
/var/log/syslog Oct 30 10:43:40 pppd[11663]: Exit.
Return to Modem Main Menu
366. ne an administrative distance (default unset; range 1-255; unset means not used).

The OSPF settings are listed as Setting: description; default; range.
Distance External: define an administrative distance for external routes; default unset; 1-255, unset means use Distance.
Distance Inter-area: define an administrative distance for inter-area routes; default unset; 1-255, unset means use Distance.
Distance Intra-area: define an administrative distance for intra-area routes; default unset; 1-255, unset means use Distance.
Hostname: identifier of the router, often the DNS name of the router; default no hostname; string without spaces.
Opaque LSA: enable Opaque LSA capability; default disabled; enable or disable.
Passive Default: set new interfaces passive by default; default enabled; enable or disable.
Refresh Timer: set the refresh timer in seconds; default 10; 10-1800.
RFC 1583 Compatibility: enable compatibility with obsolete RFC 1583 OSPF (the current standard is RFC 2178); default disabled; enable or disable.
Redistribute Connected: redistribute routes for directly connected interfaces to OSPF area routers; default disabled, metric type 2, metric unset; enable or disable, metric type 1 or 2, metric 0-16777214.
Redistribute Static: redistribute static routes to OSPF area routers; default disabled, metric type 2, metric unset; enable or disable, metric type 1 or 2, metric 0-16777214.
Redistribute Kernel: redistribute kernel routes to OSPF area routers; default disabled, metric type 2, metric unset; enable or disable, metric type 1 or 2, metric 0-16777214.
Redistribute RIP: redistribute RIP routes to OSPF area routers; default disabled, metric type 2, metric unset; enable or disable, metric type 1 or 2, metric 0
367. nels Menu

Section 5.17.6 Generic L2 Tunnels Menu

Figure 304: Generic L2 Tunnels Menu (L2 Tunnels table: Ethernet Interface, Ethernet Type, Remote Tunnel Addresses; Add a new L2 tunnel; Return to Layer 2 Tunnels)

This menu displays configured GOOSE tunnels. Edit the configuration of an existing tunnel by following the link under the Ethernet Interface field, or create a new tunnel by clicking Add a new L2 tunnel.

Figure 305: Create an L2 Tunnel (L2 Tunnel form: Ethernet Interface (None); Add Ethernet Type (None); Others; Add a new daemon (None); Remote IP; Replace Sender's MAC address; Save; Delete; Return to L2 Tunnels)

This menu configures a generic layer 2 tunnel. The Ethernet Interface field configures suitable Ethernet interfaces (including VLAN interfaces) to listen on for L2 Ethernet frames of the specified type. You may set this field to None if the intent is simply to relay encapsulated traffic between remote tunnel endpoints. The Add Ethernet Type field configures the predefined Ethernet type code that specifies the layer 2 traffic that is to be tunneled. If the desired Ethernet type is not in the predefined list, select Other and enter the type code in the Others field. The Others field configures any Ethernet type code that is not predefined in the list box, des
368. ner Configuration

Login Banner Configuration (customize console login messages): Message Before Login; Information After Login; Extra Message After Login. The default Message Before Login reads: "WARNING: You are attempting to access a private computer system. Access to this system is restricted to authorized persons only. This system may not be used for any purpose that is unlawful or deemed inappropriate. Access and use of this system is electronically monitored and by entering this system you" (remainder of the text not legible in the figure). Information After Login options: Last Login, System Information, Router Status.

SSH Banner Configuration (customize SSH login messages): Information After Login (Last Login, System Information, Router Status); Extra Message After Login.

Webmin Banner Configuration (customize Webmin login messages): Session Header; Session Message; Password Login Button; Clear Button; Message when Login Fails; Logout Message; Message for Session Timeout (each with a Default setting). Save Configuration.

Figure 57: Banner Configuration Menu

This menu allows you to customize different aspects of each of the access methods to the device: serial console login, SSH login and Webmin login.

The Login Banner Configuration menu customizes the messages seen prior to and after login via the serial console
369. net; secure file transfers using SCP and SFTP (based on SSH). Note that the only two accounts that typically use the LOGIN service on ROX are root and rrsetup. Authentication requests for LOGIN services will attempt to use RADIUS first, and any local authentication settings will be ignored. Only when there is no response, positive or negative, from any of the configured RADIUS servers will ROX authenticate users locally. In practice this means that a RADIUS outage (as opposed to a rejection) makes the local root and rrsetup passwords usable again, so those local passwords must be protected as carefully as the RADIUS credentials.

NOTE: ROX manages both the RADIUS login and SSH services together as LOGIN from the Webmin interface. Please refer to Section 4.7, RADIUS Server Configuration, for details on configuring accounts for these services at the RADIUS server.

The PPP Service

The PPP service represents incoming PPP connections via modem. Authentication requests to the PPP service use RADIUS only. In the event that no response is received from any configured RADIUS server, ROX will not complete the authentication request.

The WEBMIN Service

The WEBMIN service represents access to the Webmin user interface. Webmin accesses are authenticated first against the local user database. If the user does not exist locally (the root account, for example, is always defined locally), then Webmin will attempt to authenticate the user via RADIUS. The WEBMIN service allows the configuration of multiple operator accounts, each logged separately and each with a d
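The three lookup orders described above (LOGIN: RADIUS first, local only on no response; PPP: RADIUS only; WEBMIN: local first, RADIUS for unknown users) differ in what happens when every RADIUS server is silent. The following Python model, added here as an illustration and not ROX code, makes those outcomes explicit. The service names follow the text; the RadiusResult values, the local user table and the stand-in RADIUS functions are this example's own assumptions.

```python
"""Model of how ROX consults RADIUS for its LOGIN, PPP and WEBMIN services.
Added illustration, not ROX code: the local user table, the RadiusResult
type and the stand-in RADIUS functions are assumptions for the example."""
from enum import Enum
from typing import Callable, Dict, Optional


class RadiusResult(Enum):
    ACCEPT = "accept"
    REJECT = "reject"            # a server answered with Access-Reject
    NO_RESPONSE = "no_response"  # no configured server answered at all


# Constructed local user database (illustration only)
LOCAL_USERS: Dict[str, str] = {"root": "local-root-pw", "rrsetup": "setup-pw"}

RadiusFn = Callable[[str, str], RadiusResult]


def local_auth(user: str, password: str) -> Optional[bool]:
    """None when the user is not defined locally, else whether the password matches."""
    if user not in LOCAL_USERS:
        return None
    return LOCAL_USERS[user] == password


def authenticate(service: str, user: str, password: str, radius: RadiusFn) -> bool:
    """Apply the per-service order from the manual; True means access is granted."""
    if service == "LOGIN":
        # RADIUS first; local settings are ignored unless no server responds
        result = radius(user, password)
        if result is RadiusResult.NO_RESPONSE:
            return local_auth(user, password) is True
        return result is RadiusResult.ACCEPT
    if service == "PPP":
        # RADIUS only: silence means the request is never completed (fail closed)
        return radius(user, password) is RadiusResult.ACCEPT
    if service == "WEBMIN":
        # local database first; RADIUS only for users that do not exist locally
        local = local_auth(user, password)
        if local is not None:
            return local
        return radius(user, password) is RadiusResult.ACCEPT
    raise ValueError(f"unknown service {service!r}")


def falls_back_to_local_on_outage(service: str) -> bool:
    """Does a total RADIUS outage let a locally defined user in?"""
    return authenticate(service, "root", LOCAL_USERS["root"], radius_down)


# Stand-in RADIUS clients for the three conditions (constructed)
def radius_accepts(user: str, password: str) -> RadiusResult:
    return RadiusResult.ACCEPT


def radius_rejects(user: str, password: str) -> RadiusResult:
    return RadiusResult.REJECT


def radius_down(user: str, password: str) -> RadiusResult:
    return RadiusResult.NO_RESPONSE
```

The point to take from the model: a RADIUS reject against LOGIN is final even for root, whereas a RADIUS outage silently re-enables the local root and rrsetup passwords, and WEBMIN never asks RADIUS about users that exist locally.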
370. net.
SMTP_SERVERS $HOME_NET: addresses of SMTP servers in the local subnet.
HTTP_SERVERS $HOME_NET: addresses of HTTP servers in the local subnet.
SQL_SERVERS $HOME_NET: addresses of SQL servers in the local subnet.
TELNET_SERVERS $HOME_NET: addresses of TELNET servers in the local subnet.
SSH_SERVERS $HOME_NET: addresses of SSH servers in the local subnet.
FTP_SERVERS $HOME_NET: addresses of FTP servers in the local subnet.
SIP_SERVERS $HOME_NET: addresses of SIP servers in the local subnet.
MODBUS_CLIENT $HOME_NET: address of the Modbus client.
MODBUS_SERVER $HOME_NET: address of the Modbus server.
AIM_SERVERS [64.12.24.0/23, 64.12.28.0/23, 64.12.161.0/24, 64.12.163.0/...]: known AIM servers (list truncated in the source).
HTTP_PORTS [80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 311, 383, 591, 593, ...]: ports which serve HTTP (list truncated in the source).
SHELLCODE_PORTS !80: ports on which you want to look for shellcode.
ORACLE_PORTS 1024:: ports on which you want to look for Oracle.
SSH_PORTS 22: ports used by the SSH server.
FTP_PORTS [21, 2100, 3535]: ports used by the FTP server.
SIP_PORTS [5060, 5061, 5600]: ports used by the SIP server.
FILE_DATA_PORTS [$HTTP_PORTS, 110, 143]: list of file data ports for file inspection.
GTP_PORTS [2123, 2152, 3386]: ports used for the GTP preprocessor.
Save Changes; Reset Changes; Return to Snort IDS Main.

Figure 120: Snort Network Settings

This menu allows you to configure the IP addresses and ports of servers in the local and external netw
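Most of the variables above are defined in terms of $HOME_NET or $HTTP_PORTS, so one wrong value propagates into every rule that uses them. The following Python, added here as an illustration and not ROX or Snort code, parses a constructed snort.conf fragment in the same ipvar/portvar syntax, expands the references the way the menu relies on, and runs the checks a reviewer would want before enabling the IDS (HOME_NET or EXTERNAL_NET left at any, and HTTP ports missing from FILE_DATA_PORTS). The fragment, the check wording and the per-element handling of a negated list reference are this example's assumptions.

```python
"""Resolve Snort ipvar/portvar definitions and flag values a reviewer would
question. Added illustration, not ROX or Snort code: the snort.conf fragment
is constructed and the review checks are this example's own."""
import re
from typing import Dict, FrozenSet, List, Tuple

# Constructed fragment mirroring the menu's variables; HOME_NET is narrowed
# from "any" to two plant networks so that the derived variables mean something
SNORT_CONF = """
ipvar HOME_NET [192.168.1.0/24,10.0.0.0/8]
ipvar EXTERNAL_NET !$HOME_NET
ipvar HTTP_SERVERS $HOME_NET
ipvar MODBUS_SERVER $HOME_NET
portvar HTTP_PORTS [80,81,82,83,84,85,86,87,88,89,90,311,383,591,593]
portvar SHELLCODE_PORTS !80
portvar ORACLE_PORTS 1024:
portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]
"""

VarTable = Dict[str, Tuple[str, str]]   # name -> (kind, raw value)


def parse_vars(text: str) -> VarTable:
    """Collect var/ipvar/portvar lines; rules and preprocessor lines are skipped."""
    table: VarTable = {}
    for line in text.splitlines():
        m = re.match(r"\s*(ipvar|portvar|var)\s+(\w+)\s+(\S.*?)\s*$", line)
        if m:
            table[m.group(2)] = (m.group(1), m.group(3))
    return table


def _elements(raw: str) -> List[str]:
    """Split "[a,b,c]" or a bare value into its comma-separated elements."""
    raw = raw.strip()
    if raw.startswith("[") and raw.endswith("]"):
        raw = raw[1:-1]
    return [t.strip() for t in raw.split(",") if t.strip()]


def resolve(name: str, table: VarTable, seen: FrozenSet[str] = frozenset()) -> List[str]:
    """Expand $REFERENCES recursively. A "!" in front of a reference is pushed
    onto each expanded element (assumption: per-element negation)."""
    if name in seen:
        raise ValueError(f"circular reference through ${name}")
    if name not in table:
        raise KeyError(f"undefined variable ${name}")
    out: List[str] = []
    for tok in _elements(table[name][1]):
        negate = tok.startswith("!")
        body = tok[1:] if negate else tok
        if body.startswith("$"):
            for sub in resolve(body[1:], table, seen | {name}):
                if negate:
                    sub = sub[1:] if sub.startswith("!") else "!" + sub
                out.append(sub)
        else:
            out.append(tok)
    return out


def review(table: VarTable) -> List[str]:
    """Checks to run before enabling the IDS; an empty list means nothing was flagged."""
    findings: List[str] = []
    if resolve("HOME_NET", table) == ["any"]:
        findings.append("HOME_NET is any: every server variable derived from it covers all addresses")
    if "EXTERNAL_NET" in table and resolve("EXTERNAL_NET", table) == ["any"]:
        findings.append("EXTERNAL_NET is any: traffic between internal hosts is treated as external")
    if "HTTP_PORTS" in table and "FILE_DATA_PORTS" in table:
        missing = set(resolve("HTTP_PORTS", table)) - set(resolve("FILE_DATA_PORTS", table))
        if missing:
            findings.append(f"FILE_DATA_PORTS lacks HTTP ports {sorted(missing)}: no file inspection there")
    return findings
```

Feed it the exported variable block and act on the findings before trusting any alert volume figures; a HOME_NET of any is the single most common reason Snort rules match everything or nothing.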
371. nets of hosts; pools (potentially discontinuous ranges of addresses); shared networks (a single physical network on which distinct subnets of hosts coexist and request addresses); and groups. The meaning of each option is the same in each case, while the type of target determines which clients it applies to. In DHCP, a setting at a more specific level overrides higher levels. For example, you can configure a DNS server for all clients, then create a group that overrides the setting. This allows defaults to be set at a high level to apply to most clients, while exceptions can be placed just where they are needed. Many settings are only supported by certain specific types of clients and are ignored by the majority of clients. Basic options you should pay attention to include:

Address ranges: the range of addresses to use for dynamic IP clients.
Default lease time: the default length of leases assigned to clients if the client doesn't request a lease length.
Maximum lease time: the maximum length of leases allowed to clients. If a client requests a higher value, it will be refused.
Client hostname: the hostname the client should use.
Default routers: the default gateway the client should use.
Domain name: the DNS domain name the client should use.
DNS servers: the IPs of the DNS servers the client should use.
NTP servers: the IPs o
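The override rule above (global, then shared network, subnet, pool, group, host, each more specific level winning) is easiest to see by computing the options a given host actually receives. The following Python, added here as an illustration and not ROX or ISC dhcpd code, models a global scope, one subnet, a group and a fixed-address host, resolves the effective options for each, checks that a default lease time never exceeds the maximum (a client asking for more than the maximum is refused, so such a default could never be honoured), and renders the equivalent dhcpd.conf text. The addresses, option names and scope names are constructed.

```python
"""Effective-option resolution and dhcpd.conf rendering for the DHCP scope
hierarchy (global > subnet > group > host). Added illustration, not ROX or ISC
dhcpd code; the sample scopes, addresses and option names are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

Options = Dict[str, str]   # key exactly as written in dhcpd.conf, e.g. "option routers"


@dataclass
class Host:
    name: str
    mac: str
    fixed_address: Optional[str] = None
    options: Options = field(default_factory=dict)


@dataclass
class Group:
    name: str
    hosts: List[Host]
    options: Options = field(default_factory=dict)


@dataclass
class Subnet:
    network: str
    netmask: str
    range: str                       # "first last" for dynamic clients
    options: Options = field(default_factory=dict)
    groups: List[Group] = field(default_factory=list)


@dataclass
class DhcpConfig:
    options: Options = field(default_factory=dict)
    subnets: List[Subnet] = field(default_factory=list)


def effective_options(cfg: DhcpConfig, subnet: Subnet,
                      group: Optional[Group] = None, host: Optional[Host] = None) -> Options:
    """More specific scopes override less specific ones, key by key."""
    merged: Options = dict(cfg.options)
    for scope in (subnet, group, host):
        if scope is not None:
            merged.update(scope.options)
    return merged


def lease_problem(opts: Options) -> Optional[str]:
    """A default above max-lease-time can never be granted; report it."""
    default = int(opts.get("default-lease-time", "0"))
    maximum = int(opts.get("max-lease-time", "0"))
    if maximum and default > maximum:
        return f"default-lease-time {default} exceeds max-lease-time {maximum}"
    return None


def _render_opts(opts: Options, indent: str) -> List[str]:
    return [f"{indent}{key} {value};" for key, value in opts.items()]


def render(cfg: DhcpConfig) -> str:
    """Emit nested dhcpd.conf text in the same hierarchy."""
    lines = _render_opts(cfg.options, "")
    for sn in cfg.subnets:
        lines.append(f"subnet {sn.network} netmask {sn.netmask} {{")
        lines.append(f"  range {sn.range};")
        lines += _render_opts(sn.options, "  ")
        for g in sn.groups:
            lines.append("  group {")
            lines += _render_opts(g.options, "    ")
            for h in g.hosts:
                lines.append(f"    host {h.name} {{")
                lines.append(f"      hardware ethernet {h.mac};")
                if h.fixed_address:
                    lines.append(f"      fixed-address {h.fixed_address};")
                lines += _render_opts(h.options, "      ")
                lines.append("    }")
            lines.append("  }")
        lines.append("}")
    return "\n".join(lines) + "\n"


# Constructed sample: site-wide DNS at the top, a SCADA group that overrides it
RTU1 = Host("rtu1", "00:11:22:33:44:55", fixed_address="192.168.10.10")
SCADA = Group("scada", [RTU1], {"option domain-name-servers": "192.168.10.53"})
PLANT = Subnet("192.168.10.0", "255.255.255.0", "192.168.10.100 192.168.10.200",
               {"option routers": "192.168.10.1"}, [SCADA])
SAMPLE = DhcpConfig({"option domain-name-servers": "10.0.0.53",
                     "default-lease-time": "600",
                     "max-lease-time": "7200"}, [PLANT])
```

Running effective_options for rtu1 shows the group's DNS server replacing the global one while the subnet's router and the global lease times still apply; dynamic clients on the same subnet keep the global DNS server.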
372. nfigure and view Webmin event logs.

The System menu provides the ability to: change the router password; enable and disable applications from running; reboot the router; schedule one-time and periodic tasks to run; change the router's name (hostname); change the time and date.

The Servers menu provides the ability to control and configure the Serial Protocol, DHCP, NTP, IRIG-B and SSH servers.

The Networking menu provides the ability to: configure the network interfaces; configure static IP and multicast routing and configure a default gateway; select a DNS server and edit local host addresses; configure End-To-End Backup; configure DDS, T1/E1, T3 and ADSL networking; configure the embedded modem; set up the firewall; set up Virtual Private Networking; configure routing protocols such as OSPF and RIP; configure Virtual Router Redundancy Protocol (VRRP); configure traffic prioritization; perform pings, traceroutes, host lookups and line tracing.

The Maintenance menu provides the ability to: manage the Gauntlet Security Appliance; back up and restore configurations; configure SNMP access; configure RADIUS authentication; view system logs; upgrade the software of the router; upgrade the router type to RX1100; upload and download files to and from the router.

Section 2.2 Network Utilities

This section familiarizes t
373. ng. Broadcast polling allows a single host connected to ROX to fan out a polling stream to a number of remote RTUs. The host equipment connects via a serial port to a ROX. Up to 32 remote devices may connect to the host server via the network. Initially, the remote servers will place connections to the host server. The host server, in turn, is configured to accept the required number of incoming connections. The host will sequentially poll each RTU. Each poll received by the host server is forwarded (i.e. broadcast) to all of the remote servers. All RTUs will receive the request, and the appropriate RTU will issue a reply. The reply is returned to the host server, where it is forwarded to the host.

Section 3.10.3 Serial Protocols Concepts and Issues

Section 3.10.3.1 Host and Remote Roles

ROX can either initiate or accept a TCP connection for serial encapsulation. It can establish a connection from field (remote) equipment to the central site (host) equipment, vice versa, or bi-directionally. Configure ROX at the host end to connect to the remote when: the host end uses a port redirector that must make the connection; the host end is only occasionally activated and will make the connection when it becomes active; a host-end firewall requires the connection to be made outbound. Connect from the remote to the host if the host end accept
374. ng anti-spoofing facility on this interface. The kernel will reject any packets incoming on this interface that have a source address that would be routed outbound through another interface on the firewall.

NOTE: The routefilter option should not be enabled on interfaces that are part of a multipath routing configuration.

The proxyarp option causes Shorewall to set proxy ARP for the interface. Do not set this option if implementing proxy ARP through entries in /etc/shorewall/proxyarp.

The maclist option causes all connection requests received on this interface to be subject to MAC address verification. It may only be specified for Ethernet interfaces.

The nosmurfs option causes incoming connection requests to be checked to ensure that they do not have a broadcast or multicast address as their source. Any such packets will be dropped after being optionally logged according to the setting of SMURF_LOG_LEVEL in /etc/shorewall/shorewall.conf.

The logmartians option causes the martian logging facility to be enabled on this interface. See also the LOG_MARTIANS option in /etc/shorewall/shorewall.conf.

Section 5.8.5.3 Network Zone Hosts

Figure 222: Firewall Zone Hosts (Create Zone Host form: Zone (fw), Interface (eth1), IP address or network, Host options; Create; Return to zone hosts list)

This menu allows
375. ng in this field for the remote system; the key can be obtained from the Show Public Key page on that system. Select Certificate File and provide a certificate if using X.509 certificates. The Next hop to other system fields determine the address to forward traffic to in order to reach the other system. Unless you have an unusual network setup, this field should be set to Default route.

NOTE: If you set Next hop to other system to default, you must configure a default route. You can check for the existence of a default route with the Network Configuration menu, Current Routing & Interface Table icon. A default route will be indicated by a default in the Destination column.

Section 5.11.18.3 Export Configuration

Selecting the Export Configuration button provides a means to capture the connection specification in such a way as to be importable at the remote router.

Section 5.11.19 Showing IPSec Status

IPSec Status:
interface lo/lo 127.0.0.1
interface eth1/eth1 10.0.0.253
interface eth2/eth2 204.50.190.89
interface w1ppp/w1ppp 206.186.238.138
%myid = (none)
debug none
algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
algorithm ESP encrypt: id=12, name=ESP_AES

The algorithm lines list what the IPsec stack is able to negotiate, not what a particular connection uses. ESP_DES (56-bit key) and ESP_NULL (no encryption) are among them; a connection whose proposal admits either provides no meaningful confidentiality, so restrict each connection's ESP algorithms to AES (or at least 3DES) when defining it.
376. nk Backup

Figure 283: Link Backup Main Menu

Note that Link Backup is disabled by default and may be enabled via the System folder, Bootup and Shutdown menu. Link backup can be configured through the Link Backup Configuration link. Link backup status and logs can be viewed through the Link Backup Status and Link Backup Log links after the daemon has been started. A link backup configuration can be tested through the Link Backup Test link.

Section 5.13.4 Link Backup Configurations

Figure 284: Link Backup Configurations (table: Name, Main Interface, Backup Interface, Enabled; example row eth1->eth2, eth1, eth2, yes; Add new; Apply Configuration, which applies the current settings by restarting the link backup daemon; Return to link backup main menu)

This menu displays existing main/backup link relationships. Following the link under the Name field of an existing pair edits it; Add new adds a new one. The Apply Configuration button will apply changes by restarting the link backup daemon.

Section 5.13.5 Edit Link Backup Configuration

Edit Link Backup Configuration form (Configure eth1 to eth2 link backup): Name eth1->eth2; Enable this configuration; Transfer default gateway; Backup gateway; Bring up backup link on demand; Main
377. nnels to route traffic, and the DSL connection needs to know which virtual channels to use. Most providers use VPI 0 and VCI 35. There are exceptions to this; some providers that use different settings are listed in the following table.

Provider: VPI, VCI
Typical provider: 0, 35
Bell South: 8, 35
New Edge: 0, 38
Sprint: 8, 35
US West (Qwest): 0, 32

Section 5.7.1 PPPoE Bridged Mode Fundamentals

In PPPoE (Point-to-Point Protocol over Ethernet), the PPP dial-up protocol is used with Ethernet over ADSL as the transport. PPPoE supports the protocol layers and authentication widely used in PPP and enables a point-to-point connection to be established in the normally multipoint architecture of Ethernet. As your PPPoE connection is established, a PPP interface will be created. The name will be pppX, where X is the same as the interface number. Use this interface name in firewall rules.

Section 5.7.1.1 Authentication, Addresses and DNS Servers

PPP authentication utilizes PAP or CHAP. Prefer CHAP where the ISP supports it: PAP sends the password in the clear over the link, whereas CHAP sends only a response to a challenge. Your ISP will provide you with a user ID and password, which you will enter in the GUI. The authentication process will assign a local IP address and the addresses of the ISP's DNS servers to the router. You should use these DNS servers unless you wish to provide your own. You will obtain either a dynamic or static IP from your ISP. Firewall configuration should be performed as is appropriate.

Section 5.7.1.2 PPPoE MTU Issues

The use of PPPoE introduces a limitation of the max
378. none; mail,news.none (view); emerg. Add a new system log.

Secure Remote Syslog Setting: Enable; CA Certificate; Certificate; Key; Permitted Peer: Do not check, Match Pattern (pattern; multiple patterns are separated by spaces), or Common Name. Note: the secure remote syslog facility only works for TCP connections with the remote syslog server. When secure remote syslog is enabled, all TCP connections will be secure connections. With Permitted Peer set to Do not check, the server's certificate is validated against the CA but its name is not, so any certificate issued by that CA can impersonate the log server; set a Common Name or pattern for the real collector.

Remote Syslog Source IP: Bind Interface (none). Note: this option is used to bind the selected interface's IP address as the source IP for remote syslog messages. If none is selected, the output interface IP address is used as the source IP address.

Apply Changes: click this button to make the current configuration active by killing the running syslog process and restarting it.

Figure 59: System Logs Menu

The System Logs menu screen is used to configure the system logging process. It consists primarily of a list of log destinations, each of which may be a log file on the router itself, a remote syslog server, or one of several other destinations. Please refer to Section 3.7.9.3, Remote Logging, for more detail on log destinations. Two links, Add a new system log, are provided above and below the list in order to configure new system logs. Each entry in the list displays information for a particular log managed by syslog.
379. ns, alarm configuration, certificates and keys, and more. It describes the following tasks: Section 4.1 Webmin Configuration; Section 4.2 Configure Webmin Users; Section 4.3 Configuring the System; Section 4.4 Managing SSH Keys and Certificates; Section 4.5 Access Manager (Secure Access Portal); Section 4.6 RADIUS Authentication; Section 4.7 RADIUS Server Configuration.

Section 4.1 Webmin Configuration

This section familiarizes the user with configuring the router through the Webmin menu and describes the following procedures: Section 4.1.1 IP Access Control; Section 4.1.2 Ports and Addresses; Section 4.1.3 Change Help Server; Section 4.1.4 Logging; Section 4.1.5 Authentication; Section 4.1.6 Webmin Events Log.

Figure 124: Webmin Configuration Menu (Webmin version 1.160; icons: IP Access Control, Ports and Addresses, Change Help Server, Logging, Authentication)

Section 4.1.1 IP Access Control

IP Access Control: the Webmin server can be configured to deny or allow access only from certain IP addresses using this form. Hostnames like foo.bar.com and IP networks like 10.254.3.0 or 10.254.1.0/255.255.255.128 can also be entered. You should limit ac
380. nt Log Message Configuration

Figure 329: Event Log Message Configuration (Event Log Message Limit: 100)

This menu allows you to configure the maximum number of event messages logged by the Station Access Controller (SAC). When the limit is reached, the oldest message will be removed for each new message added to the log. The Event Log Message Limit field defines the maximum number, from 0 (no limit) to 5000. The default is 100. Because the oldest entries are discarded first, a low limit lets a burst of new events push earlier entries out of the log; size it for the retention you need, and forward the events to a remote syslog server if they matter for investigation.

Section 5.21.2 Configuring Log Options

Figure 330: CrossBow Log (Log Options: Process ConnectionManager; Log Level Warning; Duration in seconds 300, maximum 3600, after which the log level reverts to the default; Change Log Level; Return to CrossBow Main Menu)

This menu allows you to configure the log level for a specific CrossBow process. CrossBow SAC must be enabled to configure this option. The Process field selects the process. The Log level field selects the log level (e.g. Warning). The Duration in seconds field defines how long the log level will last.

Section 5.21.3 CrossBow Certificates

CrossBow Certificates, SAC Server Configuration, CrossBow Certificate Information (File, Subject, Start Date, End Date): cxb-test-ca-cert.pem; C=CA, ST=Alberta, L=Calgary, O=RuggedCom, OU=RuggedSoluti
381. nt Shorewall configuration with the shorewall restart command.
Refresh Configuration: click this button to activate just the Blacklist and Traffic Shaping tables with the shorewall refresh command.
Clear Configuration: click this button to clear the Shorewall firewall with the shorewall clear command. This will allow access from all hosts without restriction.
Stop Firewall: click this button to shut down Shorewall with the shorewall stop command. This will block access from all hosts except those in the When Stopped table.
Show Status: click this button to view Shorewall's tables and rules from the shorewall status command.
Check Firewall: click this button to have Shorewall validate your firewall configuration with the shorewall check command.

Figure 218: Shorewall Firewall Menu

The Apply Configuration button must be used after making configuration changes. It is recommended that the Check Firewall button be used first to verify that any changes made are valid. The Refresh Configuration button can be used to activate changes to the blacklisted host and traffic shaping configurations. The Clear Configuration button will remove the firewall rules completely and eliminate any protection they offer; in some cases you might wish to do this temporarily to determine if the firewall is responsible for an application problem. The Stop Firewall button will stop the firewall. Note that you should add an entry to the When Stopped menu to allow access from your manag
382. ntegrity Verification Status Enquiry messages received: 143
Full Status Reply messages sent: 33
Link Integrity Verification Status messages sent: 139
CPE initializations
Current Send Sequence Number: 142
Current Receive Sequence Number: 143
Current N392 count
Current N393 count

Frame Relay Trunk Communications Errors (counter values not legible in the source):
I-frames not transmitted after a tx int due to excessive frame length
I-frames not transmitted after a tx int due to excessive throughput
Received frames discarded as they were either too short or too long
Discarded I-frames with unconfigured DLCI
Discarded I-frames due to a format error
App didn't respond to the triggered IRQ within the given timeout period
Discarded in-channel signalling frames due to a format error
In-channel frames received with an invalid Send Seq Number
In-channel frames received with an invalid Receive Seq Number
Timeouts on the T392 timer
Consecutive timeouts on the T392 timer
Times that the N392 error threshold was reached during N393 monitored events
Information bytes transmitted
Refresh; Clear Statistics

Figure 189: Frame Relay Statistics

Note that the Frame Relay Trunk Statistics and Frame Relay Trunk Communications Errors tables are common to all Frame Relay DLCIs on the trunk.
383. nternet, you could create another zone. Zones are defined in the file /etc/shorewall/zones and are modified from the Network Zones menu.

Section 5.8.3.2 Interfaces

Shorewall interfaces are simply the Ethernet and WAN interfaces available to the router. You must place each interface into a network zone. If an interface supports more than one subnet, place the interface in zone Any and use the zone hosts setup (see below) to define a zone for each subnet on the interface. An example follows.

Interface: Zone
eth1: loc
eth2: loc
eth3: Any
eth4: dmz
w1ppp: net

Interfaces are defined in the file /etc/shorewall/interfaces and are modified from the Network Interfaces menu.

Section 5.8.3.3 Hosts

Shorewall hosts are used to assign zones to individual hosts or subnets on an interface which handles multiple subnets. This allows the firewall to manage traffic being forwarded back out the interface it arrived on but destined for another subnet. This is often useful for VPN setups, to handle the VPN traffic separately from the other traffic on the interface which carries the VPN traffic. An example follows.

Zone: Interface, IP Address or Network
local: eth3, 10.0.0.0/8
guests: eth3, 192.168.0.0/24

Hosts are defined in the file /etc/shorewall/hosts and are modified from the Network Hosts menu.

Section 5.8.3.4 Policy

Shorewall policies are the default actions
384. minutes of inactivity. Save; Return to Webmin configuration.
Figure 129: Webmin Configuration Menu, Authentication.
This menu allows you to configure what Webmin will do when a number of failed logins from the same IP address occur. If the Enable password timeouts field is selected, the host will be blocked for the specified period of time. If the Log blocked hosts, logins and authentication failures to syslog field is selected, warning messages will be added to the syslog. Enabling the Enable session authentication field and activating Auto logout after will cause an individual administrator's session to be logged out after the specified period.

Section 4.1.6 Webmin Events Log
Figure 130: Webmin Events Log. The search form selects actions in any module or in a chosen module, actions at any time, for today only, or between two dates, and actions which modified any file or a specified file; a Search button runs the query.
This menu allows you to search the Webmin log for changes made by yourself or other administrators.

Section 4.2 Configure Webmin Users
This section familiarizes the user with: configuring Webmin users; displaying and removing existing login sessions; setting up password restrictions.

Section 4.2.1 Webm
385. ny gt y For DNAT or REDIRECT rules, this is the new destination address and/or port; normally it is the destination for the rule.
Figure 228: Editing a Firewall Rule. The remaining fields of the form are: Only hosts in zone with addresses; Protocol (Any); Source ports (Any, or ports or ranges); Destination ports (Any, or ports or ranges; for DNAT or REDIRECT rules, fill in the original destination port here); Original destination address for DNAT or REDIRECT (None); Rate limit (No limit, or an expression); Rule applies to (All users, or a user set); Save; Return to firewall rules list.
The following fields describe the information to match against an incoming connection request in order to apply this rule. The Action field specifies the final action to take on incoming requests matching the rule. The and log to syslog field determines whether logging will take place and at which logging level. The Source zone field specifies the zone from which the request originates.
NOTE: When defining the destination zone for a DNAT rule, select Only hosts in zone with addresses and type the IP address for the new destination in the field next to it. When defining the destination zone for a REDIRECT rule, select Other and enter the port number for the new destination.
The Destination zone or port field specifies the reques
386. to only answer ARP who-has requests from hosts that are routed out of that interface. Setting this option facilitates testing of your firewall where multiple firewall interfaces are connected to the same hub or switch; all interfaces connected to the single hub or switch should have this option specified. Note that using such a configuration is strongly recommended against.
The routeback option causes Shorewall to set up handling for routing packets that arrive on this interface back out the same interface.
The tcpflags option causes Shorewall to make sanity checks on the header flags in TCP packets arriving on this interface. Checks include null flags, SYN+FIN, SYN+RST and FIN+URG+PSH; these flag combinations are typically used for silent port scans. Packets failing these checks are logged according to the TCP_FLAGS_LOG_LEVEL option in /etc/shorewall/shorewall.conf and are disposed of according to the TCP_FLAGS_DISPOSITION option.
The norfc1918 option causes packets arriving on this interface that have a source or destination address reserved in RFC 1918 to be dropped after being optionally logged.
The nobogons option causes packets arriving on this interface that have a source address reserved by the IANA or by RFCs other than RFC 1918 to be dropped after being optionally logged.
The routefilter option invokes the kernel's route filteri
387. to send and receive advertisements within the OSPF network. Authentication adds a small overhead due to the encryption of messages, so it is not to be preferred on completely private networks with controlled access.

Section 5.12.4.9 RIP Authentication
RIP authentication is used when it is desirable to prevent unauthorized routers from joining the network. RIP authentication is supported by per-interface configuration or by the use of key chains. Separate key chains spanning different groups of interfaces and having separate lifespans are possible. By enabling authentication and configuring a shared key on all the routers, only routers which have the same authentication key will be able to send and receive advertisements within the RIP network.

Section 5.12.4.10 Administrative Distances
The router may work with different routing protocols at the same time, as well as employing local interface and statically assigned routes. An administrative distance from 0 to 255 is a rating of the trustworthiness of a routing information source. For a given route, the protocol having the lowest administrative distance will be chosen. By default the distance for a connected interface is 0 and for a static route is 1. By default OSPF will set an administrative distance of 110 and RIP will set a distance of 120.

Section 5.12.5 OSPF and VRRP Example Network
This net
388. to supply an identification of the router for VRRP logs. This field initially defaults to the current hostname. The VRRP instances under the Name column define virtual IP groups; clicking on a link will allow you to edit that instance. The VRRP groups under the Group Name column define virtual IP groups; clicking on a link will allow you to add members to that group.

Section 5.14.6 Editing a VRRP Instance
Figure 293: VRRP Instance. The Virtual IP Instance Parameters form shows Name (VRID 20), Interface (eth2), Virtual Router ID (20), Priority (100), Advert Interval (1), Gratuitous ARP Delay (5), an extra interface to ping, Use Virtual MAC, Monitor, and Virtual IP Address (192.168.2.10 with a /24 mask in the example), with Save, Delete and Return to VRRP Configuration buttons.
The Name field is purely for informational purposes. The Interface field configures the interface that VRRP packets are sent upon. The Virtual Router ID field determines the VRID number; ensure that all routers supplying the same VRIP have the same VRID. The value of the VRID varies from 1 to 255. The Advert Interval field configures the time between VRRP advertisements; ensure that all routers supplying the same VRID have the same interval.
NOTE: The VRRP advertisement interval must be configured to the same value in the master and backup routers.
The Gratuitous ARP Delay field
389. ob 230
Masquerading 231
5.8.5.0 Firewall Rules 232
Static NAT 234
5.8.5.8 TC (Traffic Control) Interfaces, Classes and Rules 235
5.8.5.9 Actions When Stopped 235
5.8.5.10 Controlling the Firewall from the Command Line 235
Ae RA eeoa ie ME AEE E AE EA omma ec e pa E iu EE 236
5.9.1 Traffic Control Example 236
5.9.2 Traffic Control Configuration 237
5.9.2.1 TC Interfaces (tcdevices) 238
5.9.2.2 TC Classes 239
5.9.2.3 TC Rules 241
5.10 Traffic Prioritization 244
5.10.1 Priorty QU A UEM qum 245
pA O E EE A E AA AEE tide pecde aides 245
5.10.3 TOS Prioritization 245
5.10.4 Prioritization Example 246
5.10.5 Configuring Traffic Prioritization 247
5.10.6 Interface Prioritization Menu 248
5.10.6.1 Prioritization Queues 249
5.10.6.2 Prioritization Filters
390. Figure 323: GPS Log. The figure shows a series of syslog lines from /usr/sbin/irigb (process 2657) on Oct 30 between 13:54 and 14:24, alternating between "GPS lock: lock lost" and "GPS lock: locked" a few seconds apart, with Refresh and Return to NTP Main Menu buttons.
The GPS Log menu displays the log of recent GPS events.

Section 5.21 CrossBow Station Access Controller (SAC)
There may be times when it is not possible or practical to access a facility's devices via the network connection to the CrossBow server. To address this possibility, Siemens has developed the Station Access Controller (SAC). The Station Access Controller acts as a local version of the CrossBow server. The SAC is in
391. of Section 5.3 Configuring Frame Relay, PPP and T1/E1.

Section 5.5.3.4 DDS Statistics
When at least one logical interface is configured, DDS Link and logical interface statistics will be available. These statistics are available from links on the DDS WAN Interfaces menu. Link Statistics are provided through the View Link Statistics link at the bottom of each interface table. Frame Relay and PPP statistics are available through Statistics links under the interface name column of each interface table.
Figure: 56K-1 Link Layer Statistics. Receive Statistics: number of frames received, number of bytes received, receive throughput, received frames discarded (too short), received frames discarded (too long), received frames discarded (link inactive). Transmit Statistics: number of frames transmitted (6), number of bytes transmitted (72), transmit throughput (0), transmit frames discarded (length error), transmit frames realigned. Transmit Errors: number of transmitter PCI errors, number of transmitter PCI latency warnings, number of transmitter DMA descriptor errors. Receive Errors: number of receiver overrun errors, number of receiver CRC errors, number of receiver Abort errors. Number of
392. Logical Interface. This menu allows you to display and configure logical interface fields for Frame Relay. The menu is composed of two tables. The first table contains configuration parameters that apply to all DLCIs in the Frame Relay link. The second table configures network parameters of individual DLCIs.
The fields and buttons in this menu are the same as those described in Section 5.3.2.5 Editing a Logical Interface (Frame Relay). Once the first DLCI has been configured, revisiting the link to that DLCI from the Trunks and Interfaces page will display a menu that allows additional DLCIs to be configured.
Figure 200: Edit Logical Interface (Frame Relay). The Edit New Logical Interface form for T3-1 shows the Frame Relay Parameters (Station Type CPE/FR DTE, Interface Signalling type ANSI, T391 10, T392 16, N391 6, N392 6, N393 4, EEK Type Off, EEK Timer 5) and the New Logical Interface table (DLCI, Local Address, Netmask 255.255.255.255, Remote Address, Description), with Save and Return to T3/E3 WAN Interfaces buttons.

Section 5.4.4.6 Editing a Logical Interface (PPP)
Figure: Edit New Logical Interface for T3-1, PPP Parameters (Local Address, Netmask 255.255.255.255, Remote Address, Description), with Save and Return to T3/E3 WAN In
393. Figure 312: DHCP Subnet Configuration. The page shows tables for the subnet's Pool Address Ranges and Option 82 Clients (client name, remote id, circuit id), an Add an address pool link and a Return to subnet list link.
The settings specific to the Create/Edit Subnet menu are: the Subnet description field is used to describe the subnet as desired; the Network address and Netmask fields define a subnet containing a span of addresses to assign. Within a subnet you can create hosts, groups of hosts and address pools.

Section 5.18.5.3 DHCP Group Configuration
NOTE: The menu interfaces for creating a DHCP Group Configuration and for editing an existing one are the same; only the title differs (Create versus Edit).
Figure: Create Host Group. The Group Details form shows Group description, Hosts in this group, Group assigned to (Toplevel), Use name as hostname (Yes/No/Default), Default client, Maximum lease length (Default or secs), Boot filename (None or a file), Boot file server (This server or a named server), Server name (Default), Lease length for BOOTP clients (Default, Forever or secs), Lease end for BOOTP clients (Default or Never), Dynamic DNS (Yes/No/Default), Dynamic DNS domain (Default or a name), Dynamic DNS reverse domain (Default or a name), Dynamic DNS hostname (Default or From client), Allow unknown clients (Allow/Deny/Ignore/Default), and a Create button. Retur
394. on Jobs. Initially there will be no scheduled jobs; follow the create link to create one.
Figure 142: Creating a Cron Job. The Create Cron Job form has Job Details (Execute cron job as, Active Yes/No, Command, Input to command) and When to execute, with selectable Minutes (0 to 59), Hours (0 to 23), Days (1 to 31), Months (January to December) and Weekdays (Sunday to Saturday), each set to All or Selected. Note: Ctrl-click (or Command-click on the Mac) to select and de-select minutes, hours, days and months. A Create button submits the form.
Begin the creation of a cron job specification by selecting a user to execute as; for most purposes root will suffice. Enter the user name in the Execute cron job as field. Enter the command to execute and any input to the command in the Command field. Select the times the script is to run f
395. on Type. Note that multiple email addresses should be separated by a comma. The Filter Level Comparator configures the way to match against the defined filter level. The Filter Level configures what filter level is to be compared. Note that Emergency has the greatest filter level and Debug has the lowest filter level.

Section 3.7.1.4 Alert Definition Configuration
Figure: Alert Definition Configuration, viewing alert definitions by category (chassis). The table columns are Ref, Category, Name, Subsystem, Severity, Enabled, Alarmable, Renotify, Codepoint and Type. The rows shown are chassis-1 Problem (error), chassis-2 Power Supply 1 Failure (critical), chassis-3 Power Supply 2 Failure (critical), chassis-4 Ledboard Push Button (error), chassis-5 Ledboard (error), chassis-6 Modular slot 1 (error), chassis-7 Modular slot 2 (error), chassis-8 Ethernet interface module 1 (error), chassis-9 Ethernet interface module 2 (error) and chassis-10 PCI slot 1 (error); all are in the chassis subsystem, enabled, alarmable and of type simple. cha
396. Section 5.5.3.7 Upgrading Software
For some customers, access to remote sites is accomplished solely by a DDS connection. Usually a software upgrade will stop the system being upgraded, perform the upgrade and then restart it. If a DDS port were upgraded in this way, the upgrade would fail as the DDS link was taken down. Instead, DDS software upgrades modify only the software on the disk. You must schedule a reboot in order to run the new version of DDS software. See Section 3.7.10 Upgrade System and Section 3.7.11 Uploading and Downloading Files for further information.

Section 5.6 Multilink PPP over T1/E1
This section familiarizes the user with: Multilink PPP in overview; configuring Multilink PPP; viewing MLPPP statistics.

Section 5.6.1 Multilink PPP Fundamentals
The PPP Multilink Protocol, also known as Multilink PPP, is defined in Internet RFC 1990. Its purpose is to combine two or more PPP links into one so-called bundle in order to provide more bandwidth to a point-to-point connection. PPP Multilink must be supported on both sides of the link and may be used if there is more than one PPP link connecting the two endpoints. It works by multiplexing data on a per-packet basis to transmit across multiple PPP links. Sequence numbering is used to attempt to preserve the order of packets transmitted across the bundle. ROX is capable of running PPP Multilink over two to four T1/E1 links. It is capabl
397. Figure 32: Backup and Restore General Configuration. The lower part of the form shows the SCP Options (Username, Bandwidth Limiting: Disabled, Show Router SSH Key), Save Archive Configuration to (Hostname/IP, Directory), Save Webmin Configuration to (Hostname/IP, Directory), and Save and Return to Backup And Restore buttons.
This menu configures the backup system. The Automatic Nightly Backup field specifies when the nightly backup is scheduled. The automatic export to a server, if enabled, will start immediately after the backup completes. The Archive Name Includes field selects the text fields (Date, Time, Hostname, Router Version) included in the archive name. The Archive Aging field specifies how long nightly backup archives are kept. Note that the most recently made nightly backup will never be deleted. Manually made archives are never aged and must be manually deleted. The Configuration Server Options table allows the user to define the configuration server.
The Export Method field selects the method of exporting backup archives to a server. If the Export Method field is set to FTP, the FTP Options are used. If the Export Method field is set to SCP, the SCP Options are used. The FTP Option field specifies the FTP user name and password, or to use anonymous FTP. The SCP Option field specifies the SCP user name and bandwidth limitation when the Export Method is SCP. The Show Router SSH Key link will display the ssh
398. on about entries in this file, type "man shorewall-tcdevices". See http://shorewall.net/traffic_shaping.htm for additional information.
Figure 234: Edit TC Interface. The editor shows the contents of the tcdevices file:

  #NUMBER:    IN-BANDWITH    OUT-BANDWIDTH    OPTIONS    REDIRECTED
  #INTERFACE                                             INTERFACES
  eth1        2000kbit       5000kbit
  #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

A Return to tcdevices list link is provided.

Section 5.9.2.2 TC Classes
Figure 235: TC Classes. Classes define the bandwidth available to specific types of traffic. Exactly one class per interface must be flagged as default. At most one class per interface can have the tcp-ack flag set. Each tos byte match is limited to one class per interface, and tos byte matching overrides Mark matching; a packet can be matched either by Mark or by tos byte. The table in the figure lists:

  Interface   Mark to match   Minimum rate   Maximum rate   Priority   Options
  eth1        1               full/2         full*8/10      1          tos-minimize-delay, tcp-ack
  eth1        2               200kbit        200kbit        1          default

Below the table are an Add a new traffic classification class link and a Manually Edit File button; click this button to manually edit the Shorewall file /etc/shorewall/tcclasses, in which the entries above are stored. A Return to list of tables link is provided.
This menu allows you to add, edit or remove a traffic classification class. Please no
399. on their network segment. Normally Router 1 is the VRRP master, and only in case of a link failure to the switch or the router failing will Router 2 take over the virtual IP. The virtual IP used as the gateway is 1.1.2.254. Each router also has its own IP on the network so that each can be reached individually.
If Router 1 or its Ethernet link fails, VRRP will detect the link being down and remove the direct route to 1.1.2.0/24. VRRP on Router 2 will stop seeing messages from Router 1, elect itself master, and take over the gateway for the network. OSPF on Router 1 will notice the link being down and the route to 1.1.2.0/24 disappearing, and will use information from Router 2 to install a route to 1.1.2.0/24 via Router 2. Router 3 will notice that Router 2 is now a more direct path to the 1.1.2.0/24 network and start sending to Router 2 instead of Router 1. After the failure, all routers still know how to reach the entire network, and the clients on 1.1.2.0/24 can still send on the network using the same gateway address. The clients will see only a MAC address change of the gateway and experience a few seconds of network outage. When the link returns, VRRP will switch back to the master and the routes will return to their normal state.
Note that if the Router 1 WAN link fails, Router will see routes to Router 3 via the Router 1 to Router 2 WAN and Ethernet links. If the faster Router 1 to Router 2 Ethernet path fails, Router 1 will fall back to the
400. onfiguration changes to be made under a safety net. If a configuration change effectively blocks the user's access to the unit or has any other detrimental effect, the unit, not seeing any user acceptance, will reboot at the end of the timeout period.
When activated by pressing the Start Configuration Rollback Monitoring button, each subsequent configuration screen will display the line "Configuration Rollback is active" at the top of the page, reminding the user that there is a timeout period in effect and an eventual reboot of the unit if changes are not accepted. For example:
Figure 34: Ethernet main menu while Configuration Rollback is active. The Ethernet page shows the banner "Configuration Rollback is active" above the Ethernet Interfaces, Bridge, PPPoE Interfaces, PPP Logs and Current Route and Interface Table tabs, and an Apply Configuration button: click this button to activate the current boot-time interface and routing settings as they normally would be after a reboot. Warning: this may make your system inaccessible via the network and cut off access to Webmin.
Please note that the timeout period is re-initialized to the value specified in the timeout entry field at each user action. Using the above timeout value, the user does not have a maximum of 300 seconds; rather, each of his actions will reset the timer to 300 seconds. The timeout mechanism will be
401. only in the /usr/share/freeradius directory on Linux systems.
2. In the dictionary directory, open the file named dictionary and add the line:

  $INCLUDE dictionary.ruggedcom

Note that there are typically many other vendor attribute dictionary files included in the main FreeRADIUS dictionary file.
3. Create a file named dictionary.ruggedcom in the dictionary directory containing the following:

  # The RuggedCom Vendor-Specific dictionary
  # Version: $Id: dictionary.RuggedCom,v 1.3 2005/11/30 22:17:24 aland Exp $
  # For a complete list of Private Enterprise Codes, see
  # http://www.isi.edu/in-notes/iana/assignments/enterprise-numbers
  VENDOR          RuggedCom                   15004
  BEGIN-VENDOR    RuggedCom
  ATTRIBUTE       RuggedCom-Privilege-level   2   string
  END-VENDOR      RuggedCom

4. Create user accounts in the /etc/freeradius/users file. For example, in order to create a user john with a password test with operator access to Webmin, add the following lines to /etc/freeradius/users:

  john    Auth-Type := Local, User-Password == "test", NAS-Identifier == "webmin"
          RuggedCom-Privilege-level = "operator"

5. Restart your freeradius server.

Section 4.7.2 Webmin Privilege Levels and Windows IAS
This section describes the steps necessary to configure Microsoft Windows IAS (Internet Authentication Service) to authenticate Webmin user accounts
402. onnection uses. The default of 0 is correct for most providers.
The Attempt ATM Autoconfiguration option causes the router to attempt to automatically determine the VPI and VCI used on the connection. This does not work with all providers and may cause the connection to fail even if the link light is on. If this option is used, it should only be used to find out what the correct values are if your provider isn't willing to help you; when the correct values are found, it should be disabled, with the correct values entered in the VPI and VCI fields instead.
The VCI field determines the VCI number the connection uses. The default of 35 is correct for most providers.
The Use DHCP field forces the router to fetch its IP address from the peer via DHCP. Note that when DHCP is selected, the local and remote IP addresses are immediately dummied out to 169.254.0.1 and 169.254.0.2, the netmask is set to 255.255.0.0, and the default gateway option is suppressed.
The Local IP Address field defines the IP address for this interface.
The Netmask field defines the network address mask. The value 255.255.255.255 specifies a point-to-point connection, which is almost always correct.
The Remote IP Address field defines the IP address for the other side of this interface. As most WAN links are of point-to-point type, there is only one host connected to the other end of the link and its address is known in advance. This option is the address of the other end of the link and is usually
403. Figure 331: CrossBow Certificates. The certificate table lists each installed certificate with its subject fields, validity period and a Delete button: the CrossBow Test Certification Authority (C=CA, ST=Alberta, O=SiemensRuggedCom), valid from Nov 21 20:14:37 2010 GMT to Nov 21 20:14:37 2030 GMT, and sac_151_certificate.pem (CN=172.30.151.151, OU=SiemensRuggedSolutions), valid from Nov 21 17:54:45 2013 GMT to Nov 21 17:54:45 2014 GMT. Below the table are Create CSR and Install New Certificate buttons and a Return to CrossBow Main Menu link.
This menu allows you to review the certificates that have been installed, generate a Certificate Signing Request (CSR) and upload certificates.
For each certificate listed in the table, click the name of the certificate to view more details. Click the Delete button to delete a certificate. Click the Create CSR button to create a Certificate Signing Request (CSR); see Section 5.21.3.1 Generating a Certificate Signing Request (CSR). Click the Install New Certificate button to upload and install new certificates; see Section 5.21.3.2 Installing Certificates.

Section 5.21.3.1 Generating a Certificate Signing Request (CSR)
Figure 332: Certificate Signing Request. The Generate CSR form has the fields Common Name (ruggedcom), Pass Phrase, Department, Organization, Locality (e.g. City), State/Province, Country Code and RSA key size (1024 or 2048), with a Generate CSR button and a Return to CrossBow Certificates link.
404. ore Virtual Routers. Each Virtual Router has a user-configured Virtual Router Identifier (VRID) and a Virtual IP address, or set of IP addresses, on the shared LAN. Hosts on the shared LAN are configured to use these addresses as the default gateway. One router in the Virtual Router Group will be elected as the Master; all other routers in the group will be Backups. Each router in the group will run at a specific Priority; the router with the highest priority is elected Master. The value of Priority varies from 1 to 255. VRRP can also monitor a specified interface and give up control of a VRIP if that interface goes down.
In the following network, host 1 uses a gateway of 1.1.1.253 and host 2 uses a gateway of 1.1.1.252. The 1.1.1.253 gateway is provided by VRID 10. In normal practice router 1 will provide this virtual IP, as its priority for VRID 10 is higher than that of router 2. If router 1 becomes inoperative, or if its w1ppp link fails, it will relinquish control of VRIP 1.1.1.253 to router 2. In a similar fashion, host 2 can use the VRID 11 gateway address of 1.1.1.252, which will normally be supplied by router 2.
Figure 289: VRRP Example 1. Legend: 1 Network, 2 Remote Router 1, 3 Remote Router 2, 4 Switch, 5 Host 1, 6 Host 2.
In this example, traffic from host 1 will be sent through router 1 and traffic from host 2 through router 2. A failure of either ro
405. ore making permanent changes. Any changes made take effect immediately but will not be present after the next boot. The entries in this table can also be used to temporarily disable or re-enable an interface. The Boot Time Configuration table allows you to make changes to the permanent configuration of any interface. The Network Configuration menu's Apply Configuration button applies permanent changes and restarts Ethernet networking. If only temporary changes have been made, the permanent configuration will be re-applied. In either table, edit the desired interface by clicking on its link under the Name column.

Section 5.2.6.2 Editing Currently Active Interfaces
Figure 170: Editing a Network Interface. The Edit Active Interface form shows the Active Interface Parameters: Name (eth3), IP Address/Mask (192.168.3.1/24), Status (Up/Down), Proxy ARP (Yes/No), Media Type (Auto Negotiation), Virtual LAN interface (0, with an Add virtual lan interfaces link), and Save, Delete and Return to network interfaces buttons.
This menu allows you to make changes to the currently active interfaces. The Save button will activate any changes and will not affect the permanent configuration. The IP Address/Mask field sets the IP address and mask for this interface. You can assign multiple IPv4 or IPv6 addresses to the interface, one on each line. Please note that I
406. ork. The Home Net field defaults to ANY and designates the IP subnet of any local ports on the router. Configuring a specific subnet can reduce the number of alerts generated. To specify multiple IP addresses in the Home Net field, enclose a comma-separated list of IP addresses in square brackets. There must not be any spaces in the list of addresses. For example: [10.10.10.20,192.168.1.23,172.16.30.25]

Section 3.15.4 PreProcessors
Figure: Snort Preprocessor Settings. Each preprocessor is listed with its options and an Enabled/Disabled status: normalize_ip4; normalize_tcp (ips ecn stream); normalize_icmp4; normalize_ip6; normalize_icmp6; frag3_global (max_frags 65536); frag3_engine (policy windows, detect_anomalies, overlap_limit 10); stream5_global (track_tcp yes); stream5_tcp (policy windows, detect_anomalies, require_3whs 180); stream5_udp (timeout 180); http_inspect (global iis_unicode_map unicode.map 1252, compress...); http_inspect_server (server default); rpc_decode (111 32770 32771 32772 32773 32774 32775 32776 327
407. ormation 26
3.5 Setting Up a Router Software Repository 27
3.5.1 Repository Server Requirements 27
3.5.2 Initial Repository Setup 27
3.5.3 Upgrading the Repository 28
3.5.4 Setting Up the Routers 28
3.5.4.1 An Alternate Approach 28
3.5.4.2 Upgrading Considerations 29
3.6 Reflashing the Router Software 29
SROMNEUL Xe EE 29
3.6.2 Reflashing the ROX System Software 30
3.7 Maintaining the Router 31
3.7.1 Alert System 31
3.7.1.1 Alert Main Menu 32
3.7.1.2 Alert Configuration 33
3.7.1.3 Alert Filter Configuration 34
3.7.1.4 Alert Definition Configuration 35
3.7.1.5 Change Alert Definition 36
3.7.2 Backup and Restore 37
3.7.2.1 General
408. ...ort.org, follow these basic guidelines:

Configure the network variables for Snort according to the IP network scheme of your organization. For more information, refer to Section 3.15.3 Network Settings. By default the IP addresses for HOME_NET and EXTERNAL_NET are set to any. If you decide to keep the default configuration for the HOME and EXTERNAL networks, make sure not to enable any rules that use the negation operator (!) as a prefix to a network variable: Snort does not allow !any, so such a rule cannot be loaded with the defaults.

Configure the preprocessors for Snort. Most of the preprocessors are enabled by default, but you may want to disable the preprocessors that are not required for the rule set you plan to enable. For more information, refer to Section 3.15.4 PreProcessors.

Configure the destination for Alert & Logging. The default destination for alerts and logging is auth.log. You may want to change it to syslog, and it is strongly recommended to set up a remote logging facility so that old log messages are not lost after log rotation in the local logging facility; a remote copy also survives if the router itself is compromised. For more information, refer to Section 3.15.1.4 Alerting Methods and Section 3.15.5 Alerts and Logging.

A sample configuration for Snort is provided through Webmin. You may want to modify the configuration based on the needs of your network. For more information, refer to Section 3.15.7 Edit Config File.

Enable Snort on the Ethernet interface(s) on which you want Snort to decode network traffic and raise alerts if there is a...
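The following shell script is an added example; it is not part of the ROX guide or of Snort. It checks the two points above before Snort is enabled: that a Home Net value has the format the Network Settings page requires (a bracketed, comma-separated list with no spaces, a single address, or any), and that no enabled rule negates a network variable that is still set to any. The rules file is constructed inline and its path is an assumption.

```shell
#!/bin/sh
# Added example; not ROX or Snort code. Checks a Snort network variable value
# and finds enabled rules whose "!$VAR" prefix cannot load while VAR is "any"
# (Snort rejects "!any"). The rules file below is constructed for the example;
# its temporary path is an assumption.

# home_net_valid VALUE -> exit 0 if VALUE is acceptable for the Home Net field
home_net_valid() {
    case "$1" in
        '') return 1 ;;
        any) return 0 ;;
        *' '*) return 1 ;;                  # no spaces anywhere in a list
        \[*\])
            inner=${1#\[}; inner=${inner%\]}
            case "$inner" in ''|,*|*,|*,,*) return 1 ;; esac   # empty or stray commas
            return 0 ;;
        *,*) return 1 ;;                    # a list must be enclosed in brackets
        *) return 0 ;;                      # single address or CIDR
    esac
}

# negated_rules VAR FILE -> print enabled (uncommented) rules in FILE that use !$VAR
negated_rules() {
    grep -E "^(alert|log|pass|drop|sdrop|reject) .*!\\\$$1( |\$)" "$2"
}

# count_negated VAR FILE -> number of such rules (0 when none)
count_negated() {
    negated_rules "$1" "$2" | grep -c . || true
}

# check_snort_vars VAR VALUE FILE -> exit 0 if FILE can be loaded with VAR=VALUE
check_snort_vars() {
    home_net_valid "$2" || { echo "$1: bad value '$2'" >&2; return 1; }
    n=$(count_negated "$1" "$3")
    if [ "$2" = any ] && [ "$n" -gt 0 ]; then
        echo "$1 is 'any' but $n enabled rule(s) use !\$$1:" >&2
        negated_rules "$1" "$3" >&2
        return 1
    fi
    return 0
}

# write_sample_rules -> create a small constructed rules file and print its path
write_sample_rules() {
    f=${TMPDIR:-/tmp}/example_local.rules.$$
    cat >"$f" <<'EOF'
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"LOCAL outbound web"; sid:1000001; rev:1;)
alert tcp !$HOME_NET any -> $HOME_NET 22 (msg:"LOCAL ssh from outside"; sid:1000002; rev:1;)
# alert tcp !$HOME_NET any -> $HOME_NET 23 (msg:"LOCAL telnet from outside"; sid:1000003; rev:1;)
alert udp $EXTERNAL_NET any -> !$HOME_NET 53 (msg:"LOCAL dns to non-local"; sid:1000004; rev:1;)
EOF
    printf '%s\n' "$f"
}

rules=$(write_sample_rules)
# With the default HOME_NET=any two enabled rules negate HOME_NET, so refuse:
check_snort_vars HOME_NET any "$rules" || echo "fix HOME_NET or disable those rules first"
# With a real Home Net list the same rules are fine:
check_snort_vars HOME_NET '[10.10.10.20,192.168.1.23,172.16.30.25]' "$rules" && echo "ok to enable"
```

Run it on the router's own rule files by pointing check_snort_vars at each ruleset you intend to enable, once for HOME_NET and once for EXTERNAL_NET.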
409. ...otocol operates differently for synchronous and asynchronous ports. The configuration for each also differs.

Help: Raw Socket. Note that changes are made immediately, causing call placement to start.

Port | Pack Char | Pack Timer | Turnaround | Call Dir | Max Conns | Rem IP | Rem Port | Loc Port
1 | 10 | 1000 | off | OUT | 2 | 172.30.148.27 | 50001 |

Save Changes. Return to Serial Protocols.

Figure 103 Edit Synchronous Serial Raw Socket Parameters

The Pack Char, Pack Timer and Turnaround timer fields are unused and are ignored in the case of synchronous serial ports. The Call Dir field configures whether to accept an incoming connection (IN), place an outgoing connection (OUT) or do both (BOTH). The Max Conns field configures the maximum number of incoming connections to permit when the call direction is incoming, or the maximum number of connections to configure if the direction is outgoing. The Remote IP field configures the address used when placing an outgoing connection. The Remote Port field selects the TCP destination port used in outgoing connections. The Local Port field selects the local TCP port to use to accept incoming connections. When Max Conns is set to more than one and the call direction is outgoing, a button labelled AddNewConns will appear in the Action column of the ta...
410. ...ou want to use this form of encryption, each router configures its VPN connection to use a secret pre-shared key. The pre-shared key is configured through the Pre-shared Keys menu.

NOTE: Use of pre-shared keys requires that the IP addresses of both ends of the VPN connection be statically known, so they can't be used with sites with dynamic IPs.

Section 5.11.5 X509 Certificates

When one side of the VPN connection is placed from a dynamic IP (the so-called roaming client), X509 certificates may be used to authenticate the connection. Certificates are signed documents produced by a trusted source, namely a Certificate Authority (CA). For each host, the CA creates a certificate that contains CA and host information and signs the certificate by creating a digest of all the fields in the certificate and encrypting the hash value with its private key. The encrypted digest is called a digital signature. The host's certificate and the CA public key are installed on all gateways that the host connects to. When the gateway receives a connection request, it uses the CA public key to decrypt the signature back into the digest. It then recomputes its own digest from the plain text in the certificate and compares the two. If both digests match, the integrity of the certificate is verified (it was not tampered with) and the public key in the certificate is assumed to be the valid public key of the connecting host. Note that this check only establishes that the CA issued the certificate; the connecting host must still prove possession of the matching private key during connection authentication, and the CA public key itself must be delivered to each gateway over a trusted path, since anyone able to replace it can issue certificates the gateway will accept.
411. ...ough the System folder Bootup And Shutdown menu.

Check Firewall: click this button to have Shorewall validate your firewall configuration with the shorewall check command.

Figure 217 Starting Shorewall Firewall Menu

The above figure shows the firewall menu prior to configuration. Configure the firewall through the provided menus. The Check Firewall button can be selected after each menu configuration to check the existing configuration and provide notice of items still to be configured. When the firewall is fully configured, the Start Firewall button may be selected. Starting the firewall in this way will provide more detail in the event of a problem. If the firewall starts cleanly, the menu appearance will change to that of the figure below. In order to start the firewall at each and every boot, you must enable it via the System folder Bootup and Shutdown menu.

Help: Shorewall Firewall (Shorewall version 4.4.11.6). The menu offers one button per Shorewall configuration file: Network Zones (zones), Network Interfaces (interfaces), Zone Hosts (hosts), Default Policies (policy), Firewall Rules (rules), Masquerading (masq), Static NAT (nat), TC Interfaces (tcdevices), TC Classes (tcclasses), TC Rules (tcrules) and When Stopped (routestopped).

Apply Configuration: click this button to activate the curre...
412. ...ount of time to run before restoring service to the main trunk. Please note that this duration must take into account the timing parameters of the backup configuration. The duration should comfortably exceed the Ping Interval plus the Ping Timeout multiplied by the Ping retry count, plus the Main path down timeout. In the case of a dial backup configuration, also be sure to take into account the call setup and modem connection times. Add to this a time that will allow you to navigate the Webmin menus to observe that the Link Backup status, link states and routing are all as expected before, during and after the Link Backup test.

Section 5.13.9 Scheduled Link Backup Test

The blinktest command line utility provides a mechanism for scheduling tests of link backup configurations. Its function is similar to that of the Webmin-based link backup test described above. It differs by being accessible from the command line and by allowing a test to be scheduled to start and stop at some time in the following 24 hours. The syntax of the blinktest command is as follows:

blinktest -i <interface> -b <begin> -s <stop> <command>

where interface is the main interface as configured for the link backup, begin is the time the test is scheduled to begin in 24-hour HH:MM format, stop is the time the test is scheduled to stop in 24-hour HH:MM format, and command is either start, in which case -i, -b and -s must be specified, or...
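As an added example (not ROX code), this shell script applies the timing rule above to a proposed blinktest schedule: it validates the HH:MM times, works out the minimum duration from the link backup timers, and only emits the blinktest start command when the scheduled window is long enough. The timer values are constructed sample settings and the 300 second allowance for watching the Webmin status pages is an assumption.

```shell
#!/bin/sh
# Added example; not ROX code. Checks that a scheduled link backup test
# window is long enough for the guide's timing rule and builds the blinktest
# command line without running it. Timer values used below are constructed.

# hhmm_to_min HH:MM -> minutes since midnight, or exit 1 if not a valid 24h time
hhmm_to_min() {
    case "$1" in
        [0-1][0-9]:[0-5][0-9]|2[0-3]:[0-5][0-9]) ;;
        *) return 1 ;;
    esac
    h=${1%%:*}; m=${1#*:}
    h=${h#0}; m=${m#0}              # drop a leading zero (octal in some shells)
    echo $(( ${h:-0} * 60 + ${m:-0} ))
}

# required_seconds INTERVAL TIMEOUT RETRIES DOWN_TIMEOUT [SETUP]
#   Guide's rule: Ping Interval + Ping Timeout x Ping retry count
#   + Main path down timeout. SETUP is the extra allowance for a dial backup
#   (call setup and modem connection time); leave it 0 for a wired backup.
required_seconds() {
    echo $(( $1 + $2 * $3 + $4 + ${5:-0} ))
}

# blinktest_window IFACE BEGIN STOP INTERVAL TIMEOUT RETRIES DOWN [SETUP] [MARGIN]
#   Prints "blinktest -i IFACE -b BEGIN -s STOP start" if the window exceeds
#   the required time plus MARGIN seconds (default 300, assumed time to check
#   the Webmin status pages); otherwise prints a diagnostic and exits 1.
blinktest_window() {
    b=$(hhmm_to_min "$2") || { echo "bad begin time $2" >&2; return 1; }
    s=$(hhmm_to_min "$3") || { echo "bad stop time $3" >&2; return 1; }
    [ "$s" -gt "$b" ] || { echo "stop must be after begin" >&2; return 1; }
    window=$(( (s - b) * 60 ))
    need=$(( $(required_seconds "$4" "$5" "$6" "$7" "${8:-0}") + ${9:-300} ))
    if [ "$window" -lt "$need" ]; then
        echo "window ${window}s too short, need at least ${need}s" >&2
        return 1
    fi
    printf 'blinktest -i %s -b %s -s %s start\n' "$1" "$2" "$3"
}

# Sample timers: 10 s ping interval, 5 s timeout, 3 retries, 60 s main path
# down timeout, 45 s modem call setup -> 10 + 15 + 60 + 45 = 130 s, +300 s margin.
blinktest_window eth3 12:40 12:50 10 5 3 60 45             # 600 s window: prints the command
blinktest_window eth3 12:40 12:45 10 5 3 60 45 || true     # 300 s window: rejected
```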
413. ...ous ARPs when moving between master and backup state. These unsolicited ARPs teach the hosts and switches in the network the current MAC address and port associated with the VRIP. The router will issue a second set of ARPs after the time specified by the Gratuitous ARP delay.

Section 5.14.4 VRRP Configuration

VRRP main menu: VRRP Configuration; VRRP Instances Status; Restart VRRP daemon (click this button to restart the VRRP daemon; this will apply configuration parameters).

Figure 291 VRRP Main Menu

Note that VRRP is disabled by default and may be enabled via the System folder Bootup and Shutdown menu. VRRP can be configured through the VRRP Configuration link before the daemon is started. When enabled, any configuration changes may be made to take effect by selecting the Restart VRRP daemon button. The VRRP Instances Status link presents the status of the VRRP instances existing as of the last restart of keepalived.

Section 5.14.5 VRRP Configuration Menu

Help: VRRP Configuration. Router Identification: Router Name (ruggedcom), Save. VRRP Virtual IP Instances table columns: Name, VRID, Interface, Monitored Interface, Virtual IP Address, Virtual IP Netmask, Local Interface IP. Add a new instance; Return to VRRP Main Menu.

Figure 292 VRRP Configuration Menu

Set the Router Name field t...
414. ...ous examples have described the NAT process when connections are made from the Intranet to the Internet. In those examples, addresses and ports were unambiguous. When connections are attempted from the Internet to the Intranet, the NAT gateway will have multiple hosts on the Intranet that could accept the connection. It needs additional information to identify the specific host that should accept the connection.

Suppose that two hosts, 192.168.1.10 and 192.168.1.20, are located behind a NAT gateway having a public interface of 213.18.101.62. When a connection request for http (port 80) arrives at 213.18.101.62, the NAT gateway could forward the request to either of the hosts or could accept it itself. Port forwarding configuration could be used to redirect the requests for port 80 to the first host.

Port forwarding can also remap port numbers. The second host may also need to answer http requests. As connections to port 80 are directed to the first host, another port number such as 8080 can be dedicated to the second host. As requests arrive at the gateway for port 8080, the gateway remaps the port number to 80 and forwards the request to the second host.

Finally, port forwarding can take the source address into account. Another way to solve the above problem could be to dedicate two hosts, 200.0.0.1 and 200.0.0.2, and have the NAT gateway forward requests on port 80 from 200.0.0.1 to 192.168.1.10 and from 200.0.0.2 to 192.168.1.20.
415. ...out any problems. Address is an optional IP address that you wish to masquerade as.

NOTE: The presence of the Address field determines whether masquerading or SNAT is being used. Masquerading is used when only Interface and Subnet are present. SNAT is used when Interface, Subnet and Address are present.

Protocol optionally takes the name of a protocol (e.g. tcp, udp) that you wish to masquerade. Ports optionally takes the ports to masquerade when Protocol is set to tcp or udp. These can be raw port numbers or names as found in the file /etc/services.

Some examples should illustrate the use of masquerading:

Rule | Interface | Subnet | Address | Protocol | Ports
1 | eth1 | 192.168.1.0/24 | | |
2 | ppp+ | 192.168.0.0/24 | 66.11.180.161 | |
3 | w1ppp | 192.168.2.0/24 | 100.1.101.16 | |
4 | w1ppp | 192.168.2.0/24 | 100.1.101.16 | tcp | smtp

1. In this masquerading rule, the 192.168.1.0/24 subnet is the local network and eth1 is connected to a DSL modem. Traffic from the subnet should be translated to whatever IP is assigned to the modem. Internet clients will not be able to determine the router's public address unless some form of dynamic DNS is employed.

2. In this SNAT rule, a static address of 66.11.180.161 is acquired from the ISP. Traffic from the subnet 192.168.0.0/24 should be translated to 66.11.180.161 as it is sent to the Internet over ppp. The + at the end of ppp causes Shorewall to match any ppp interface.

3. In this SNAT rule, traffic from the subnet 192.168.2.0/24 shou...
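The following shell script is an added example, not ROX or Shorewall code; it covers both NAT directions discussed in the two passages above. masq_rule shows the iptables rule that corresponds to a row of the masquerading table (MASQUERADE when no Address is given, SNAT --to-source when one is), using the rows from the table. forward resolves inbound requests against a constructed port-forwarding table for the 213.18.101.62 gateway from the port forwarding discussion, including the 8080 to 80 remap and the source-address based rules; the equivalent Shorewall rules lines are given in comments.

```shell
#!/bin/sh
# Added example; not ROX or Shorewall code. (1) Maps a masq table row onto the
# iptables POSTROUTING rule it stands for. (2) Resolves inbound port-forwarding
# decisions against a constructed DNAT table, first match wins.

# masq_rule IFACE SUBNET [ADDRESS] [PROTO] [PORTS] -> prints the iptables command.
#   A trailing '+' on IFACE is the wildcard Shorewall and iptables share
#   (ppp+ matches any ppp interface). No ADDRESS: masquerade; ADDRESS: SNAT.
masq_rule() {
    out="iptables -t nat -A POSTROUTING -o $1 -s $2"
    if [ -n "$4" ]; then out="$out -p $4"; fi
    if [ -n "$5" ]; then out="$out --dport $5"; fi     # names resolve via /etc/services
    if [ -n "$3" ]; then
        out="$out -j SNAT --to-source $3"
    else
        out="$out -j MASQUERADE"
    fi
    printf '%s\n' "$out"
}

# Constructed port-forwarding table: SOURCE DPORT TARGET TPORT ("-" = any source).
# Equivalent Shorewall 'rules' lines (ACTION SOURCE DEST PROTO DEST_PORT):
#   DNAT net:200.0.0.1 loc:192.168.1.10 tcp 80
#   DNAT net:200.0.0.2 loc:192.168.1.20 tcp 80
#   DNAT net           loc:192.168.1.10 tcp 80
#   DNAT net           loc:192.168.1.20:80 tcp 8080
PORT_FORWARDS='200.0.0.1 80 192.168.1.10 80
200.0.0.2 80 192.168.1.20 80
- 80 192.168.1.10 80
- 8080 192.168.1.20 80'

# forward SRC_IP DPORT -> prints TARGET:TPORT for a TCP request that arrives at
# the public address 213.18.101.62, or "none" when no rule matches and the
# gateway keeps (or drops) the request itself.
forward() {
    hit=$(printf '%s\n' "$PORT_FORWARDS" | while read -r src dport target tport; do
        if [ "$dport" = "$2" ] && { [ "$src" = - ] || [ "$src" = "$1" ]; }; then
            printf '%s:%s\n' "$target" "$tport"
            break
        fi
    done)
    printf '%s\n' "${hit:-none}"
}

# Rows 1, 2 and 4 of the masquerading table above:
masq_rule eth1 192.168.1.0/24
masq_rule ppp+ 192.168.0.0/24 66.11.180.161
masq_rule w1ppp 192.168.2.0/24 100.1.101.16 tcp smtp
# Inbound decisions: per-source rules, default port 80, remapped 8080, no match:
forward 200.0.0.1 80; forward 200.0.0.2 80; forward 8.8.8.8 80; forward 8.8.8.8 8080; forward 8.8.8.8 443
```

Note that rule order matters in the port-forwarding table: the per-source rules sit above the catch-all for port 80, otherwise the catch-all would claim requests from 200.0.0.2 first.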
416. ...out of sync with GPS. The status page shows recent log lines from irigb[2657] reporting "out of sync with GPS", "force FPGA reset clock" and "reload configuration". Refresh; Return to IRIG-B/IEEE1588 Main Menu.

Figure 115 IRIG-B GPS Status

This page reflects reference clock changes in IRIG-B.

Section 3.15 Configuring the Intrusion Detection System

This section familiarizes the user with:
Configuration of Snort as an Intrusion Detection System
Generating a daily Snort analysis email

Section 3.15.1 Snort Fundamentals

The Snort Intrusion Detection System (IDS) provides a type of security management system for the router. Snort gathers and analyzes information on various network interfaces to identify possible security breaches, which include both intrusions (attacks from outside the protected network) and misuse (attacks from within the protected network). Snort examines packets received on selected interfaces, applies rules from its database and generates log entries to warn of suspicious or malicious traffic.

Snort is a complex system with many capabilities and a large community of contributors and users. The interested reader is encouraged to seek more information at the project's web site, http://snort.org.

Section 3.15.1.1 Configuring Snort

Snort must be configured properly before it is started. In addition to the detailed Snort Manual available at http://sn...
417. ...outer id change only updates the config and takes effect on restart. In BGP the router id change updates the config and takes effect immediately.

Figure 261 Core Global Parameters

The Enable Password field sets the password to be used for the enable command of core. This is used by the telnet interface of core to control access to the configuration. The Telnet Password field sets the password to be used for telnet access to core. This is used as the login password of core when locally telnetting to port 2601 of the router. These two passwords are separate from the router's user account passwords and should be set to distinct, non-default values. The Hostname field sets the hostname for the core daemon. This value is only used as a reference for convenience; the telnet interface prompt will contain this hostname. The router's system-wide hostname is used if this field is left blank.

The Router ID field sets the router id to use for the core daemon. This value is used as a unique identifier for the dynamic routing protocol to identify which router sent which route advertisement. By default it uses the highest IP assigned to an interface on the router. It is recommended that this value be set to a unique fixed IP on each router. Note that this value is used by both OSPF and by BGP if not overridden under the global configuration for each protocol.

Section 5.12.6.4 Core Interface Parameters

Parameters specific to one interface are configured here...
418. Section 5.1.2.6 Static Multicast Routing

Help: Static Multicast Routing. Configured Static Multicast Routes:

Multicast IP Address | Input Interface | Source IP Address | Output Interfaces | Comment
224.10.10.10 | eth1 | 192.168.1.254 | eth4 | Installed
(blank row for a new entry; use commas to separate Output Interfaces) | Save

Note: This router has the following network interfaces: eth1 eth2 eth3 eth4 wic1 w1ppp. Return to network configuration.

Figure 162 Static Multicast Routing

This menu allows you to configure static multicast routing. The Configured Static Multicast Routes table shows configured multicast routes. New routings may be added by completing the bottom row of the table and selecting the Save button. Routings may be deleted by clearing the routing's Multicast IP Address field and selecting the Save button. The Multicast IP Address field specifies the multicast IP address to be forwarded. The Input Interface field specifies the interface upon which the multicast packet arrives. The Source IP Address specifies the multicast packet's expected source IP address. The Output Interface specifies the interface to which the matched multicast packet will be forwarded. The Comment field shows the current status of the routing. The Note field below the table shows the currently active interfaces. In order to start multicast routing at each and ev...
419. ...p System Configuration. System Variables: System name; System location (Unknown; configured in /etc/snmp/...); System contact (Root <root@localhost>; configured in /etc/snmp/...); System description; Save; Return to SNMP Configuration.

Figure 45 System Configuration Menu

The System name, System location, System contact and System description fields configure descriptive parameters for the router.

Section 3.7.4.3 Network Addressing Configuration

For reference, the set of currently configured and active IP addresses is listed near the top of the page.

Client IP Address: Source IP (IP Address). NOTE: If this option is not specified, the source address of SNMP packets from this host is the IP address of the interface from which the packet exited the host.

Figure 46 Network Addressing Configuration Menu

The Client Address (Source IP) field specifies the address from which snmpd will send notifications. If the field is blank, the default behaviour will be to transmit the notification from the IP address of the interface from which the message leaves the router. Snmpd will return to this behaviour if the configured address is not available when it starts.

Addresses to listen on: a table of Interface Name, IP Address and Listening (enabled/disabled), for example lo 127.0.0.1 and eth1 192.1...
420. Section 5.3.2.12 PPP Interface Statistics

Help: wic1ppp Statistics. The page shows Receive and Transmit counters in four groups:

Protocols: Number of LCP packets (Receive 2, Transmit 11); Number of PAP packets; Number of CHAP packets; Number of IP packets.

LCP: Number of Config Request, Config Ack, Config Nack, Config Reject, Terminate Request, Terminate Ack, Code Reject, Protocol Reject, Echo Request, Echo Reply and Discard Request packets.

LCP Communications Errors: Packets discarded (unknown LCP code); Received LCP packets too large; Received packets invalid or out of sequence Configure Acks; Received packets invalid Configure Naks or Configure Rejects; Configure Naks or Configure Rejects with bad Identifier.

General Communications Errors: Number of discards (bad header); Number of discards (unknown/unsupported protocol); Number of discards (unknown/unsupported protocol too large for Protocol Reject).

Refresh; Clear Statistics; Return to T1/E1 Main Menu.

Figure 190
421. ...pal requirements are for disk space, bandwidth and the ability to serve an adequate number of http sessions. Each software release will require approximately 50 MB of disk space. Note that this figure includes an entire software image; most upgrades will involve the transfer of only a small fraction of this amount. A large number of such releases could easily be stored on a system of only modest capabilities. In practice, only one or two releases are usually all that need be kept.

The bandwidth requirements are determined by many factors, including the number of routers, the size of the upgrade, when the routers upgrade, bandwidth limiting at each router and network bandwidth capability. Most web servers can serve files to the limit of the network interface bandwidth, so even a modest (e.g. 486-class) machine would prove acceptable. The server should be able to accept at least as many http or ftp connections as there are upgradable routers in the network. In practice you will configure the routers to have staggered upgrade times in order to minimize the impact of upgrading on the network. A large upgrade or a low bandwidth-limiting value at each router may cause all the routers to be upgrading at any one time.

Section 3.5.2 Initial Repository Setup

You must create a directory on the web server to hold the releases for the router. The directory can have any name, such as ruggedrouter. Some administrators like to designate one router to test the i...
422. ...pecifies the mark value for the rule, and the mask field specifies the mask for the mark value; if the mask field is empty, the mark value will be the value set in the mark to field. The in field specifies the chain in which the rule will be processed. Mark and mask may be in the range 1-255, in decimal or hex.

The Modify packet mark by field allows you to change the mark value by an AND or OR value. The in field specifies the chain in which the rule will be processed. The value may be in the range 1-255, in decimal or hex.

The SAVE/RESTORE connection mark with mask field allows you to save or restore the connection mark value with an assigned mask value. The in field specifies the chain in which the rule will be processed. The mask value may be in the range 1-255, in decimal or hex.

The CONTINUE in field specifies that no more TC rules be checked if the packet matches, and that the packet be forwarded to the specified chain.

The Source field specifies the source IP address, subnet or MAC addresses to match. Please refer to Section 5.8 Configuring the Firewall for the formats of MAC and IP addresses supported by Shorewall. The Destination field specifies the destination IP address, subnet or MAC addresses to match. The Protocol field specifies the protocol (UDP, TCP, ICMP, etc.) to match. The Source Ports field specifies the source TCP or UDP port number or ICMP type...
423. ...peer server if a fail-over pool is created. The Clients to allow/deny field can be used to control which clients can get IP addresses from the pool. See the documentation for dhcpd3 for syntax and allowed values. This is very rarely needed: the Allow unknown clients setting already handles the most common use of this option.

Section 5.19 DHCP Relay

This section familiarizes the user with the use and configuration of the device's DHCP Relay feature. The device can be configured to act as a DHCP Relay Agent. A DHCP Relay Agent forwards DHCP and BOOTP requests from clients on one layer 2 network to one or more configured DHCP servers on other networks. This allows one to implement some measure of isolation between DHCP clients and servers.

The DHCP Relay Agent is configured to listen for DHCP and BOOTP requests on particular Ethernet and VLAN network interfaces and to relay them to a list of one or more DHCP servers. When a request is received from a client, it forwards the request to each of the configured DHCP servers. When a reply is received from a server, it forwards the reply back to the originating client.

NOTE: The current release of the DHCP Relay Agent on ROX only supports operation on Ethernet interfaces. It also does not support the Circuit ID and Remote ID information sub-options.

NOTE: While DHCP Relay and DHCP Server may both be configured to run concurrent...
424. ...phrase allocated to the network and the network address of the Command and Control Center (CCC). Note that you must also configure and activate the firewall before using the Gauntlet. Ensure that the date, time and timezone fields are correctly set. If Web or SSH services will not be used, these can be disabled from the setup shell. All further configuration is accomplished through the web management interface.

Attach the configuring host to one of the Ethernet ports configured above. Point your web browser at the address for that port; use https and specify a port number of 10000, e.g. https://192.168.1.1:10000, or otherwise if configured in step 4. Login with the root user and password configured above. If RADIUS authentication is configured and a server is available, you may also login via a RADIUS user.

Section 1.3.2 Basic Web-Based Configuration

1. Change the router password from the System menu, Change Password sub-menu.
2. If you are using the web management interface, you may wish to restrict the allowed users to a specific subnet. This can be done in the Webmin menu, Webmin Configuration, IP Access Control sub-menu.
3. If you are planning to SSH in to the router, you may wish to restrict the allowed users to a specific subnet. This can be done in the Servers menu, SSH Server, Networking sub-menu.

The router's local hostname may be configured in the System Menu...
425. ...pology. Every 30 minutes by default, the entire topology of the network must be sent to all routers in an area. If the link speeds are too low, the links too busy or there are too many routes, then some routes may fail to get re-announced and will be aged out. Splitting the network into smaller areas to reduce the number of routes within an area, or reducing the number of routes to be advertised, may help to avoid this problem.

In shared access networks (i.e. routers connected by switches or hubs), a designated router and a backup designated router are elected to receive route changes from subnets in the area. Once a designated router is picked, all routing state changes are sent to the designated router, which then sends the resulting changes to all the routers. The election is decided based on the priority assigned to the interface of each router. The highest priority wins. If the priority is tied, the highest router id wins.

Section 5.12.4 Key OSPF and RIP Parameters

Section 5.12.4.1 Network Areas

Network areas determine the regions within which routes are distributed to other routers. The subnets at a particular router can be added to its OSPF Area. The router will advertise these subnets to all routers in its area.

NOTE: OSPF areas must be designed such that no single link failure will cause the network to be split into two disjoint networks. A...
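As an added example (not ROX or routing daemon code), the following shell script simulates the designated router election described above for a shared segment: the highest interface priority wins and a tie is broken by the highest router id, compared numerically rather than as a string. It also treats priority 0 as ineligible, which is an OSPF rule the text does not mention. The priority/router id pairs are constructed.

```shell
#!/bin/sh
# Added example; not ROX or Quagga code. Designated router election on one
# shared segment: highest priority wins, ties go to the highest router ID,
# priority 0 is ineligible (OSPF rule, not stated on the page). Inputs are
# constructed "PRIO:ROUTER_ID" pairs.

# rid_to_int A.B.C.D -> the router ID as an integer so IDs compare numerically
rid_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1                       # split the dotted quad on '.'
    IFS=$oldifs
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# elect_dr PRIO:RID [PRIO:RID ...] -> prints the winning router ID, or "none"
elect_dr() {
    best_p=-1; best_r=-1; best_id=none
    for entry in "$@"; do
        p=${entry%%:*}; id=${entry#*:}
        if [ "$p" -eq 0 ]; then continue; fi          # not a candidate
        r=$(rid_to_int "$id")
        if [ "$p" -gt "$best_p" ] || { [ "$p" -eq "$best_p" ] && [ "$r" -gt "$best_r" ]; }; then
            best_p=$p; best_r=$r; best_id=$id
        fi
    done
    printf '%s\n' "$best_id"
}

# Sample segment: 10.0.0.3 carries the highest priority and wins outright;
# without it, 10.0.0.1 and 10.0.0.2 tie on priority and the higher ID wins.
elect_dr 1:10.0.0.1 1:10.0.0.2 5:10.0.0.3 0:10.0.0.9   # -> 10.0.0.3
elect_dr 1:10.0.0.1 1:10.0.0.2 0:10.0.0.9              # -> 10.0.0.2
```

The numeric comparison matters for the tie-break: as strings "9.0.0.1" sorts above "10.0.0.1", but as a 32-bit value 10.0.0.1 is the higher router id.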
426. ...pped with a Precision Time Protocol card.

Section 5.20.5 Generic Options

Help: NTP Generic Options. NTP OPTIONS: Multicast address (Default / Custom); Broadcast Client (No); Custom address; Bind Interface for sending NTP packets (none); Save options. Note: The Bind Interface option allows ntpd to always use the IP address of the selected network interface as the source IP address of outbound NTP packets. Return to NTP Main Menu.

Figure 318 NTP Generic Options

Set the Broadcast Client option to Yes if you wish to act on NTP broadcast messages. Broadcast messages without a key are unauthenticated, so any host on the segment could then steer the router's clock; leave this at No unless the broadcasting server is trusted and keyed. The default multicast address used for NTP is 224.0.1.1. Select a custom multicast address with the Custom address field if you wish to use a different address. The Bind interface option allows you to select an existing interface so that ntp will use the selected interface's IP address as the source IP address for outbound NTP packets.

Section 5.20.6 Servers Configuration

NTP Server List: IP ADDRESS | VERSION | KEY | PREFERRED | CHECK
pool.ntp.org | Default (4) | None | No | Contact
Create new; Return to NTP Main Menu.

Figure 319 NTP Server List

The servers under the IP address column are used as primary synchronization devices. Clicking on a link will allow you to edit that server. By default the ro...
427. ...primary modem only.

NOTE: To allow the alternate modem to handle traffic when the primary modem is busy, the Defaultroute option must be disabled for the primary modem on the PPP Client page. For example, if Modem 2 is set as the alternate modem for Modem 1, Defaultroute must not be selected for Modem 1.

Section 3.8.6.4 Modem PPP Client

Help: Modem PPP Client (ppp0). Fields: Connection name; PPP Username; Password; Dial type (DTMF); Phone number; Defaultroute; Use peer DNS; Maximum Dial Attempts (0 means try forever); Dial Interval (1-86400 seconds, default 30); Dial on demand; Local IP Address; Remote IP Address; Disconnect on idle timeout (seconds). Note: The Maximum Dial Attempts is the number of consecutive connection attempts the modem makes to dial the phone number before it stops. If the Maximum Dial Attempts is 0 it will try forever. Otherwise the reconnect button will appear in the Modem Main Menu after the specified number of consecutive failed connection attempts. The Local IP Address and Remote IP Address are only required for Dial on Demand. These IP addresses will be overwritten if the server side supplies any of these IP addresses. Save (saving will reset the ppp link to update settings). Return to Modem PPP Client Connections.

Figure 75 Configure Modem PPP Client

The Connection Name field determines the name that will be used...
428. ...public key for this router, which can be used on the configuration server to accept SCP from the router. The Save Archive Configuration to field specifies the configuration server hostname or IP address and the directory in which to save configuration archives. The Save Webmin Configuration to field specifies the configuration server hostname or IP address and the directory in which to save Webmin configuration archives.

Section 3.7.2.2 Configuration Rollback

Help: Configuration Rollback. Timeout: 300 seconds. Start Configuration Rollback Monitoring. If you do not return here and accept the configuration when done changing settings, the previous configuration will be restored and the router rebooted when the timeout expires. The timer is reset every time a configuration web page is successfully accessed, so you do not have to do all the configuration changes within the timeout; you just have to accept the changes within the timeout of the last change you make. Return to Backup And Restore.

Figure 33 Configuration Rollback Menu

The Configuration Rollback menu enables the user to define a period of time in which configuration changes can be made and subsequently accepted. If the user does not explicitly accept the changes being made, then the unit will revert to a configuration snapshot that was taken when the user started the configuration rollback. In reverting to this configuration, the unit will reboot. This enables c...
429. ...quipment, who may wish to attempt to configure the router without fully reading the guide.

Section 1.3.1 Initial Configuration Before Attaching to the Network

Locate or mount the chassis in its final resting place and apply power. The router can be configured through its web management interface or, for advanced users, through ssh. The default Ethernet addresses for ports one through four are 192.168.1.1 through 192.168.4.1. Two shell accounts, rrsetup and root, are provided. Both accounts have a default password of admin. The web management interface uses the root account password. The rrsetup account provides a shell that configures such items as passwords, addresses, date/time and services offered by the router. The root account provides a full shell.

Attach a PC running terminal emulation software to the RS232 port and apply power to the chassis (default baud rate, data bits, parity and stop bits: 38400 8 n 1, no hardware or software flow control). Set the terminal type to VT100. Press ENTER to obtain a login prompt. Login as the rrsetup user with password admin. Change the root and rrsetup passwords from the shell and record the passwords in a secure manner; do this before the router is attached to any network, since the default password is the same on every unit. If RADIUS authentication will be employed, configure at least one authentication server address. Configure the router's hostname, IP address, subnet mask and gateway addresses for the built-in Ethernet ports. For an RX1100 router, the Gauntlet Security application may be configured with the pass...
430. ...quired to activate Access Manager's Secure Access Portal.

Step 1 of 4: Access Manager Configuration

1. Use Access Manager to create a Secure Access Portal (SAP). See the Industrial Defender Access Manager User Manual for details, or use Help after connecting to the Access Manager.
2. Using Access Manager, authorize user(s) for defined devices behind a router SAP.

Step 2 of 4: Shorewall Configuration

1. Use the RX1000 Installation Guide and ROX User Guide to set up the RX1100 and gain access to rrsetup via the console port. Use Restore a Previous Configuration to reload factory defaults. Change passwords and port IP address information, set the hostname, and set the date, time and time zone. Do not use Idefender Setup at this time. From a web browser, access the ROX Webmin user interface to perform the rest of the steps.
2. Visit the Shorewall Firewall menu, Network Zones sub-menu, and add the net and loc IPv4 zones. This document defines the zone for WAN interfaces as net and the zone for local interfaces as loc.

Zone ID | Zone type
net | IPv4
loc | IPv4
acint | IPv4
unusd | IPv4
fw | Firewall System

3. Visit the Network Interfaces sub-menu and assign interfaces to the zones, for example eth1 to net and eth2 to loc. The exact assignment will depend upon your configuration.

NOTE: The assignment of t...
431. ...r 29 12:40:00 brouter blinktest: backup link test BEGIN
(the following log line is not recoverable)

Some example error messages:

Mar 27 12:43:11 brouter blinktest 1.0: ERROR: Begin: Invalid interface 0
Mar 27 12:43:45 brouter blinktest 1.0: ERROR: Invalid start time
Mar 29 12:49:09 brouter blinktest 1.0: OK: link backup test for eth3 canceled at Mon Mar 29 12:49:09 EDT 2010

Section 5.14 Configuring VRRP

This section familiarizes the user with:
Configuring VRRP
Enabling and Starting VRRP
Obtaining VRRP Status

The Virtual Router Redundancy Protocol (VRRP) eliminates a single point of failure associated with statically routed networks by providing automatic failover using alternate routers. The ROX VRRP daemon, keepalived, is an RFC 2338 (VRRP version 2) compliant implementation of VRRP.

Section 5.14.1 The Problem with Static Routing

Many network designs employ a statically configured default route in the network hosts. A static default route is simple to configure, requires little if any overhead to run, and is supported by virtually every IP implementation. When the Dynamic Host Configuration Protocol (DHCP) is employed, hosts may accept configuration for only a single default gateway. Unfortunately, this approach creates a single point of failure. Loss of the router supplying the default route, or of the router's WAN connection, resul...
432. r 3 Device Management
Section 3.15.2.3 Rulesets

Figure 118: Snort Rulesets. The figure shows the Rulesets table (Rule Set, Status, Action columns) listing rule sets such as app-detect, backdoor, bad-traffic, blacklist, botnet-cnc, browser-firefox, browser-ie, browser-other, browser-webkit, chat, content-replace, dos, experimental, exploit, exploit-kit, file-executable, file-flash, file-identify, file-image, file-multimedia and file-office, each with a status flag and an enable/disable action.

The Rulesets section selects the rules to apply on monitored interfaces. Each ruleset reflects a collection of related rules. Links in the Action column enable or disable all of the rules in a ruleset. To modify individual rules in a ruleset, click the ruleset name link in the Rule Set column. The Edit Ruleset menu appears.

Edit Ruleset menu: Current Rules in app-detect.rules are listed by signature, for example (the display truncates the rule after content:"TagId"):
   alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com"; flow:to_server,established; content:"Host|3A| search.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId"; ht
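The Edit Ruleset menu shows rules in Snort's text syntax, and it helps to be able to read one mechanically before enabling or disabling it. The following Python is an added example written for this page, not code from the ROX manual or from Snort: it parses the header and option list of the Computrace rule shown above, expands Snort's |hex| escapes in content: options so the bytes actually matched are visible, and checks a constructed HTTP request against them. The closing parenthesis of the rule and the sample request are assumptions (the menu truncates the rule after content:"TagId"); http_header and fast_pattern modifiers are recorded but not enforced, and escaped quotes inside values are not handled.

```python
import re

# The rule as shown in the Edit Ruleset menu on this page. The menu truncates it after
# content:"TagId"; the closing ")" is an assumption so that the text parses.
SAMPLE_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ('
    'msg:"APP-DETECT Absolute Software Computrace outbound connection - '
    'search.namequery.com"; flow:to_server,established; '
    'content:"Host|3A| search.namequery.com|0D 0A|"; fast_pattern:only; '
    'http_header; content:"TagId";)'
)

# Constructed HTTP request (not captured traffic) carrying both content strings.
SAMPLE_REQUEST = (b"GET /agent HTTP/1.1\r\nHost: search.namequery.com\r\n"
                  b"X-Trace: TagId=1\r\n\r\n")

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)
HEX_RE = re.compile(r"\|([0-9A-Fa-f ]+)\|")


def split_options(opts):
    """Split 'key:value; key; ...' on semicolons that sit outside double quotes."""
    tokens, buf, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            tokens.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tokens.append("".join(buf).strip())
    result = []
    for tok in filter(None, tokens):
        key, _, value = tok.partition(":")
        result.append((key.strip(), value.strip() or None))
    return result


def content_bytes(value):
    """Bytes a content: option matches, with |3A 0D 0A| style hex runs expanded."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    out, pos = bytearray(), 0
    for m in HEX_RE.finditer(value):
        out += value[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    out += value[pos:].encode("latin-1")
    return bytes(out)


def parse_rule(text):
    """Parse one Snort rule into header fields, ordered options and decoded contents."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text[:40])
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    rule["options"] = split_options(m.group("opts"))
    rule["msg"] = next((v.strip('"') for k, v in rule["options"] if k == "msg"), None)
    rule["contents"] = [content_bytes(v) for k, v in rule["options"] if k == "content"]
    return rule


def all_contents_present(rule, payload):
    """True when every content: pattern occurs in payload (positional modifiers ignored)."""
    return all(pattern in payload for pattern in rule["contents"])
```

Decoding the hex escapes shows that the first pattern is the exact header line `Host: search.namequery.com\r\n`, which is why a host header for a different name does not trigger it.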
433. rameter Value Description Activation Master Subsidy Lock code provided by service icode provider Phone Mobile Directory Number provided by service number 9547890192 provider Mobile Indentification Number provided by NN 9545795619 iservice provider System ID 4152 System ID provided by service provider Network ID 65535 Network ID provided by service provider Modem Status Type of Modem CDMA 1xRTT EV DO Firmware version p2410701 51863 Electronic Serial Number ESN 0x608ABD96 Received Signal Strength Eclo 0 0 125 dBm None dB Network Carrier ID Verizon Network technology currently in use No Service Phone number 9547890192 Activation status Modem is activated Refresh Reset 4 Return to Modem Main Menu Figure 84 Manual Account Activation 1 First establish an account with a service representative of the cellular network provider You will need the following settings in order to activate your modem Note that not all of these parameters are required by all network providers Activation code also known as a subsidy lock Phone Number or MDN Mobile Directory Number MIN Mobile Identification Number often the same as the Phone Number System ID or Home System ID Network ID Click Activate The Activation status field will display Activation is in progress Please wait until a success or failure is detected Manual Account Activation 81 Chapter 3 Device Management RUGGEDCOM ROX User Guide
434. rea Normally only routes that fall within the scope of the network areas will be advertised The Redistribute OSPF fields control distribution of routes learned by OSPF When enabled RIP will advertise routes learned by OSPF The Redistribute BGP fields control distribution of routes learned by BGP When enabled RIP will advertise routes learned by BGP The Passive Default option controls the default active passive state of new interfaces When enabled all new interfaces will be passive by default The passive state of individual interfaces is controlled from the RIP Interfaces configuration The Update timer field controls how often RIP sends out routing table updates The Timeout Timer field controls how long information stays in the routing table after it is received without an update The Garbage Collection Timer field controls how long expired entries are remembered before being purged Section 5 12 6 20 RIP Key Chains The Key Chains table configures authentication keys used on the interfaces By defining the keys in a key chain the same settings can be applied to multiple groups of interfaces Without key chains the same settings would have to be entered for each interface separately Key chains also allow multiple keys to be entered in a single key chain with a start time for when that key should become valid as well as the duration the key is valid This allows multiple keys to be set up with automatic transitions from one k
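A key chain only delivers the automatic transition the text describes if the keys' start times and durations line up on every router. The following Python is an added example for this page, not code from ROX or from its routing daemon: it models a key chain as keys with a start time and a lifetime, picks the key to send with at a given moment, finds intervals with no valid key, and flags consecutive keys whose lifetimes do not overlap. The sample chain, its secrets and the rule that a newer valid key takes over from an older one are assumptions for the example; a duration of None standing for "no expiry" is likewise an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Key:
    key_id: int
    secret: str
    start: datetime                 # time from which the key becomes valid
    duration: Optional[timedelta]   # None models a key with no expiry (assumption)

    @property
    def end(self):
        return None if self.duration is None else self.start + self.duration

    def valid_at(self, at):
        if at < self.start:
            return False
        return self.end is None or at < self.end


def active_key(chain, at):
    """Key to send with at time `at`: among valid keys, the one with the latest start,
    so a newly valid key takes over while its predecessor is still accepted."""
    valid = [k for k in chain if k.valid_at(at)]
    return max(valid, key=lambda k: k.start) if valid else None


def coverage_gaps(chain, horizon_start, horizon_end):
    """Intervals inside the horizon during which no key in the chain is valid."""
    points = {horizon_start, horizon_end}
    for k in chain:
        points.add(k.start)
        if k.end is not None:
            points.add(k.end)
    points = sorted(p for p in points if horizon_start <= p <= horizon_end)
    gaps = []
    for a, b in zip(points, points[1:]):
        if active_key(chain, a) is None:   # validity only changes at the collected points
            gaps.append((a, b))
    return gaps


def transitions_without_overlap(chain):
    """Pairs of consecutive keys whose lifetimes do not overlap. Router clocks are never
    exactly in step, so a successor should become valid before its predecessor expires."""
    ordered = sorted(chain, key=lambda k: k.start)
    bad = []
    for prev, nxt in zip(ordered, ordered[1:]):
        if prev.end is not None and nxt.start >= prev.end:
            bad.append((prev.key_id, nxt.key_id))
    return bad


# Constructed chain: key 2 overlaps key 1 by a day, key 3 leaves a five-day hole.
CHAIN = [
    Key(1, "r1p-k3y-jan", datetime(2024, 1, 1), timedelta(days=30)),
    Key(2, "r1p-k3y-feb", datetime(2024, 1, 30), timedelta(days=30)),
    Key(3, "r1p-k3y-mar", datetime(2024, 3, 5), timedelta(days=30)),
]
```

Run `coverage_gaps` and `transitions_without_overlap` against the chain before applying it: the hole between key 2 expiring and key 3 starting is exactly the outage a staggered rollout produces, and it is invisible while key 2 is still current.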
435. rected to openswan, the IPSec daemon. Openswan then decrypts the traffic and forwards it back to shorewall on the same interface that originally received it. You will also need a rule to allow traffic to enter from this interface:

   Action   Source Zone   Destination Zone
   ACCEPT   vpn           loc

224   Configuring the Firewall and VPN   RUGGEDCOM ROX Chapter 5 User Guide Setup and Configuration

Section 5.8.4.2 Virtual Private Networking to a DMZ
If the firewall is to pass the VPN traffic through to another device (e.g. a VPN device in a DMZ), then establish a DMZ zone and install the following rules:

   Action   Source Zone   Destination Zone   Protocol   Dest Port
   ACCEPT   net           dmz                ah
   ACCEPT   net           dmz                esp
   ACCEPT   net           dmz                udp        500
   ACCEPT   dmz           net                ah
   ACCEPT   dmz           net                esp
   ACCEPT   dmz           net                udp        500

Section 5.8.5 Firewall Configuration
Figure: Shorewall Firewall main menu (Shorewall version 4.4.11.6), with links to the zones, interfaces, hosts, policy, rules, nat, tcrules, routestopped, tcdevices and tcclasses configuration files. Click the Start Firewall button to start Shorewall with the current configuration (the shorewall start command). This will start Shorewall, providing a report on the activation. After Shorewall starts cleanly, cause it to start at boot time by enabling it thr
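The zone assignment from the Shorewall configuration steps and the DMZ rule table above are easiest to reason about as a small rule evaluator. The following Python is an added example written for this page, not code from ROX or from Shorewall: it maps interfaces to zones, applies the six DMZ rules as listed (first match wins), falls back to a policy table when nothing matches, and renders the rules in the column order of Shorewall's rules file. The eth3-in-dmz assignment and the policy table are assumptions; the page lists neither. The check worth noticing is that the table passes IKE on udp/500 only, so a peer behind NAT using udp/4500 (NAT traversal) would fall through to policy unless a rule is added.

```python
from dataclasses import dataclass
from typing import Optional

# Interface-to-zone assignment from the Shorewall configuration steps (eth1 in net,
# eth2 in loc); eth3 in dmz is an assumption so the DMZ rules have an interface.
ZONE_OF_INTERFACE = {"eth1": "net", "eth2": "loc", "eth3": "dmz"}


@dataclass(frozen=True)
class Rule:
    action: str
    source: str
    dest: str
    proto: Optional[str] = None   # None = any protocol, like '-' in the rules file
    dport: Optional[int] = None   # None = any destination port


# Section 5.8.4.2 table exactly as listed: IKE (udp/500), ESP and AH in both directions.
DMZ_VPN_RULES = [
    Rule("ACCEPT", "net", "dmz", "ah"),
    Rule("ACCEPT", "net", "dmz", "esp"),
    Rule("ACCEPT", "net", "dmz", "udp", 500),
    Rule("ACCEPT", "dmz", "net", "ah"),
    Rule("ACCEPT", "dmz", "net", "esp"),
    Rule("ACCEPT", "dmz", "net", "udp", 500),
]

# Assumed default policies (the page does not list them). Shorewall consults the policy
# table when no rule matches; 'all' is the wildcard zone.
POLICIES = [
    ("loc", "net", "ACCEPT"),
    ("net", "all", "DROP"),
    ("all", "all", "REJECT"),
]


def zone_of(interface):
    """Zone an interface belongs to; unassigned interfaces are an error, not a default."""
    try:
        return ZONE_OF_INTERFACE[interface]
    except KeyError:
        raise ValueError("interface %s is not assigned to a zone" % interface)


def evaluate(rules, policies, src_zone, dst_zone, proto, dport=None):
    """Return (verdict, origin): the first matching rule wins, else the first matching
    policy; a final DROP stands in for the case of no policy at all."""
    for r in rules:
        if (r.source == src_zone and r.dest == dst_zone
                and (r.proto is None or r.proto == proto)
                and (r.dport is None or r.dport == dport)):
            return r.action, "rule"
    for s, d, action in policies:
        if s in (src_zone, "all") and d in (dst_zone, "all"):
            return action, "policy"
    return "DROP", "default"


def rules_file(rules):
    """Render the rules in the column layout of Shorewall's rules file."""
    lines = ["#ACTION\tSOURCE\tDEST\tPROTO\tDEST_PORT"]
    for r in rules:
        lines.append("\t".join([r.action, r.source, r.dest, r.proto or "-",
                                str(r.dport) if r.dport is not None else "-"]))
    return "\n".join(lines)
```

`evaluate` is deliberately zone-based rather than interface-based, mirroring the page's tables: a packet from the WAN port is judged by its zone (net), so moving a port to another zone changes the verdict without touching the rules.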
436. red here Each interface on the router is listed Clicking on settings displays a menu of configuration options for that interface Clicking on status displays the current status of the interface including link state and current OSPF status on the interface If an interface is not part of an area it will show up as OSPF not enabled on interface Clicking Remove inactive interfaces purges the list of any interfaces which are no longer configured on the router The Cost field controls the administrative cost of routing over this interface By default the cost is auto calculated as the ospf reference bandwidth divided by the core interface bandwidth By default this is 100Mbit 10Mbit cost 10 The Priority field controls the priority associated with this interface By default the priority of interfaces is 1 The router with the highest priority wins elections for designated router for an area The Hello Interval field controls how often hello packets are sent to other routers in the area This value must match on all router interfaces in an area The Dead Interval field controls how long to wait for hello packets before declaring another router dead This should normally be set to 4 times the hello interval The Retransmit Interval field controls the delay between retransmissions The Transmit Delay field controls the estimated number of seconds to transmit a link state update packet This should take into account transmission and propagation
437. rently in use.

Refresh | Return to NTP Main Menu

Figure 320: NTP Status. The NTP Status menu displays possible sources and currently used reference clocks.

Peers Configuration   333   Chapter 5 Setup and Configuration   RUGGEDCOM ROX User Guide

Section 5.20.9 Viewing the NTP Log

Figure 321: NTP Log. The NTP Log menu displays the log of recent NTP events. The figure shows ntpd start-up messages of the following form (the timestamps are not legible in the source):
   ntpd[6059]: ntpd 4.2.4p4@1.1520-o Sat Feb  5 16:17:18 UTC 2011 (1)
   ntpd[6059]: precision = 3.000 usec
   ntpd[6059]: Listening on interface #0 wildcard, 0.0.0.0#123 Disabled
   ntpd[6059]: Listening on interface #1 wildcard, ::#123 Disabled
   ntpd[6059]: Listening on interface #2 lo, ::1#123 Enabled
   ntpd[6059]: Listening on interface #3 eth3.0030, fe80::20a:dcff:fe08:a01e#123 Enabled
   ntpd[6059]: Listening on interface #4 eth2, fe80::20a:dcff:fe08:a01d#123 Enabled
   ntpd[6059]: Listening on interface #5 eth1, fe80::20a:dcff:fe08:a01c#123 Enabled
   ntpd[6285]: kernel time sync status change 0001

Section 5.20.10 Viewing GPS Status

Figure: GPS Status. Latitude 43 48.4722 N, Longitude 79 32.4232 W, GPS Lock: locked, Number of Satellites Tracked: 10. A Tracked Satellite Status table follows (Satellite ID, Satellite Strength in dBHz) with entries 18 / 42 and 22 / 47; the rest of the table is cut off at satellite 24
438. request The maximum is 99 seconds The Always use broadcast field specifies whether broadcast should be used for all packets frames If not selected ROX will only use broadcast for sending the first ARP packet frame after which only unicast will be used ARP Ping Check Menu 13 Chapter 2 Using ROX RUGGEDCOM ROX User Guide Section 2 2 6 Host Menu Figure 9 Host Menu The Hostnamefield accepts the host name or IP address to ping Help Host Hostname IP Address Type Network address A Nameserver Default 9 Timeout 10 LookUp de Return to Network Utilities The Type field selects the type of information to capture The Nameserver fields select the server to use to resolve with If Default is left selected the DHCP DNS or local resolv conf setup will be used Otherwise the address supplied will be used The Timeout field specifies the maximum time to wait before abandoning a lookup Section 2 2 7 Trace Menu The Trace Menu contains three sections providing the capability to trace network interfaces frame relay interfaces and serial server interfaces The latter two menus will appear only if you have configured frame relay or serial server interfaces Host Menu RUGGEDCOM ROX Chapter 2 User Guide Using ROX Section 2 2 8 Tcpdump a Network Interface Tcpdump A Network Interface Interface to capture on eth1 Y Maximum packets captured 20 maximum 1000 Maximum capt
439. returned by the server if the RTU fails to respond to requests. Native TcpModbus polling packages will want to receive these messages: immediate indication of a failure can accelerate recovery sequences and reduce the need for long time-outs.

90   TcpModbus Concepts and Issues   RUGGEDCOM ROX Chapter 3 User Guide Device Management

Section 3.10.5.5 TcpModbus Performance Determinants
The following description provides some insight into the possible sources of delay and error in an end-to-end TcpModbus exchange.

Figure 90: Sources of Delay and Error in an End-to-End Exchange. The figure shows a Master, a Client Gateway, a Server Gateway and an RTU, with these contributions along the path: transmission time from Master to Client Gateway; network transmission time; queuing time; transmission time from Server Gateway to RTU; RTU think and transmission times back to the Server Gateway; network transmission time; transmission time from Client Gateway to Master. Time-out, retransmissions complete and exception sent mark the points where a gateway answers on its own.

In step 1 the master issues a request to the Client Gateway. If the Client Gateway validates the message, it will forward it to the network as step 2. The Client Gateway can respond immediately in certain circumstances, as shown in step 1a. When the Client Gateway does not have a configuration for the specified RTU, it will respond to the master with an exception using TcpModbus exception code 11 (No Path). When the Client Gateway has a configured RTU but the connection
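The immediate gateway exception described above is what a polling package sees on the wire as a Modbus/TCP exception response. The following Python is an added example for this page, not code from ROX or from any Modbus library: it builds and parses Modbus/TCP frames (MBAP header plus PDU) and models a Client Gateway that forwards requests for configured unit ids to a stand-in RTU and answers everything else, and any RTU that times out, with exception code 11 as the page describes. The stand-in RTU, the unit ids and the use of code 11 for the time-out case are assumptions. One caveat when writing polling logic: the Modbus application protocol specification names 0x0B (11) "Gateway Target Device Failed to Respond" and 0x0A (10) "Gateway Path Unavailable", whereas this page labels 11 "No Path", so confirm which code a given gateway returns for an unconfigured RTU rather than assuming the standard mapping.

```python
import struct

MBAP = struct.Struct(">HHHB")  # transaction id, protocol id (0 = Modbus), length, unit id
GATEWAY_NO_PATH = 0x0B          # exception code 11, as named on this page


def build_request(tid, unit, function, data=b""):
    """Modbus/TCP ADU: MBAP header followed by the PDU (function code + data).
    The MBAP length counts the unit id byte plus the PDU."""
    pdu = bytes([function]) + data
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def build_exception(tid, unit, function, code):
    """Exception ADU: the function code with its high bit set, then the exception code."""
    pdu = bytes([function | 0x80, code])
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


def parse_adu(frame):
    """Split an ADU into its fields; reject inconsistent length or protocol id."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame too short")
    tid, proto, length, unit = MBAP.unpack_from(frame, 0)
    pdu = frame[MBAP.size:]
    if proto != 0 or length != len(pdu) + 1:
        raise ValueError("bad MBAP header")
    if pdu[0] & 0x80:
        return {"tid": tid, "unit": unit, "function": pdu[0] & 0x7F, "exception": pdu[1]}
    return {"tid": tid, "unit": unit, "function": pdu[0], "data": pdu[1:]}


class ClientGateway:
    """Model of the page's Client Gateway: requests for a configured unit id are handed
    to a callable standing in for the serial side; requests for anything else, and RTUs
    that time out, get exception 11 straight back instead of a long wait."""

    def __init__(self, rtus):
        self.rtus = rtus   # {unit id: callable(request pdu) -> response pdu}

    def handle(self, request):
        req = parse_adu(request)
        if "data" not in req:
            raise ValueError("exception frames are not valid requests")
        rtu = self.rtus.get(req["unit"])
        if rtu is None:
            return build_exception(req["tid"], req["unit"], req["function"], GATEWAY_NO_PATH)
        try:
            response_pdu = rtu(bytes([req["function"]]) + req["data"])
        except TimeoutError:
            return build_exception(req["tid"], req["unit"], req["function"], GATEWAY_NO_PATH)
        return MBAP.pack(req["tid"], 0, len(response_pdu) + 1, req["unit"]) + response_pdu


def demo_rtu(pdu):
    """Constructed RTU: answers Read Holding Registers (function 3) with two registers
    and never answers anything else, which the gateway turns into an exception."""
    if pdu[0] == 3:
        return bytes([3, 4, 0x00, 0x01, 0x00, 0x02])
    raise TimeoutError("RTU does not answer this function")


GATEWAY = ClientGateway({1: demo_rtu})
```

The transaction id is echoed unchanged in the exception, which is what lets a master correlate the immediate failure with the outstanding poll instead of waiting for its own time-out.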
440. ricted to the classful sense of Class A, B and C networks. RIP v2 does not have this failing.

Section 5.12.6.23 RIP Status
This status menu shows various pieces of information about the current RIP status: the status of each interface, the current database, the current RIP neighbors and the current RIP routing table.

RIP Networks   291   Chapter 5 Setup and Configuration   RUGGEDCOM ROX User Guide

Figure: RIP Status.

Current RIP route status:
   Codes: R - RIP, C - connected, S - Static, O - OSPF, B - BGP
   Sub-codes: (n) - normal, (s) - static, (d) - default, (r) - redistribute, (i) - interface
        Network            Next Hop         Metric  From            Tag  Time
   C(i) 192.168.2.0/24     0.0.0.0               1  self              0
   R(n) 192.168.6.0/24     192.168.10.2          2  192.168.10.2      0  02:53
   C(i) 192.168.10.0/24    0.0.0.0               1  self              0
   Refresh display

Current RIP neighbor detail status:
   Routing Protocol is "rip"
     Sending updates every 30 seconds with +/-50%, next due in 4 seconds
     Timeout after 180 seconds, garbage collect after 120 seconds
     Outgoing update filter list for all interface is not set
     Incoming update filter list for all interface is not set
     Default redistribution metric is 1
     Redistributing:
     Default version control: send version 2, receive any version
       Interface   Send  Recv  Key-chain
       eth2        2     1 2
       eth4        2     1 2
     Routing for Networks:
       192.168.2.0/24
       192.168.10.0/24
       192.168.10.2
     Routing Information Sources:
       Gateway          BadPackets BadRoutes  Distance Last Update
       19
441. rminants   91
3.10.5.6 A Worked Example   92
3.10.6 DNP (Distributed Network Protocol)   92

vi   RUGGEDCOM ROX User Guide   Table of Contents

3.10.6.1 Address Learning for DNP   93
3.10.6.2 DNP Broadcast Messages   93
3.10.7 Serial Protocols Configuration   93
3.10.7.1 Assign Protocols Menu   94
3.10.7.2 Port Settings Menu   94
3.10.7.3 RawSocket Menu   95
3.10.7.4 TcpModbus Menu   95
3.10.7.5 DNP Menu   96
3.10.7.6 Serial Protocols Statistics Menu   98
3.10.7.7 Serial Protocols Trace Menu   99
3.10.7.8 Serial Protocols Sertrace Utility   99
3.11 Synchronous Serial Ports   100
3.11.1 Raw Socket Operation on Synchronous Ports   100
3.11.2 Synchronous Serial Port Configuration   101
3.11.2.1 Synchronous Port Settings Menu   101
3.11.2.2 Configuring Raw Socket on Synchronous Serial Ports   102
3.11.3 Synchronous Serial Diagnostics
442. rminator during th Tunnel Server Endpt RADIUS Standard Specifies the IP address of the server end of the tunnel 1 Tunnel Type RADIUS Standard Specifies the tunneling protocols used V 5 C U ndard 5 E AY isco Sp Allowed Certificate OID Microsoft Specifies the certificate purpose or usage object identifiers Generate Class Attribute Microsoft Specifies whether IAS automatically generates the class al Generate Session Timeout Microsoft Specifies whether IAS automatically generates the session Ignore User Dialin Properties Microsoft Specifies that the user s dial in properties are ignored MS Quarantine IPFilter Microsoft Specifies the IP traffic filter that is used by the Routing anc MS Quarantine Session Timeout Microsoft Specifies the time in seconds that the connection can rer Tunnel Tag Microsoft Description not yet defined USR ACCM Type U S Robotics Inc Description not yet defined USR AT Call Input Filter U S Robotics Inc Description not yet defined USR AT Call Output Filter U S Robotics Inc Description not yet defined USR AT Input Filter U S Robotics Inc Description not yet defined USR AT Output Filter U S Robotics Inc Description not yet defined USR AT RTMP Input Filter U S Robotics Inc Description not vet defined sil gt Figure 153 IAS Window Add Attribute In the Multivalued Attribute Information window click the Add button Multivalued Attribute Information ax At
443. rms indicate ongoing problems ALOS LOS Loss of Signal This alarm indicates a complete absence of synchronization pulses on the line RED Red Alarm This is a local equipment alarm It indicates that the incoming signal has been corrupted for a number of seconds This equipment will then begin sending a yellow alarm as its outbound signal AIS Alarm Indication Signal or BLUE alarm This alarm indicates the total absence of incoming signal as a series of continuous transitions an all 1 s pattern is received YEL Yellow Alarm This alarm is transmitted to the network and alerts it that a failure has been detected OOF Out of Frame This alarm signifies the occurrence of a particular density of framing error events This alarm could signify that the wrong framing mode is configured 192 Link Statistics RUGGEDCOM ROX User Guide Chapter 5 Setup and Configuration Section 5 3 2 11 Frame Relay Interface Statistics Help wicifri6 Statistics DLCI Receive Statistics DLCI Transmit Statistics Information frames received Information frames transmitted Information bytes received Received I frames discarded due to inactive DLCI I frames received with Discard Eligibility DE indicator set I frames received with the FECN bit set I frames received with the BECN bit set Frame Relay Trunk Statistics Full Status Enquiry messages received 29 Link I
444. rom the When to execute table, remember to check the Selected button above any column you edit. The Active radio button at the top of the menu temporarily disables the job. After selecting the Create button, the Scheduled Cron Jobs menu will display the job.

Figure 143: Scheduled Cron Jobs Menu Displaying Cron Jobs
   User   Active   Command                                     Move
   root   Yes      ifdown eth1 eth2; sleep 1; ifup eth1 eth2
   Create a new scheduled cron job

Follow the link of a specific job in order to delete the job, edit it, or test the command part of the job by running it immediately. If you have multiple jobs, the arrows in the Move column will alter the order in which they are presented.

Scheduled Cron Jobs   141   Chapter 4 System Administration   RUGGEDCOM ROX User Guide

Section 4.3.5 System Hostname
Figure 144: System Hostname (Hostname and Domain fields; Hostname: ruggedcom, Domain: localdomain; Save).
The Hostname field modifies the hostname as presented in the web server and shell sessions. The Domain field modifies the domain as presented in the web server and shell sessions. The default is localdomain. Note that the new hostname and domain settings will only appear in new sessions.

Section 4.3.6 System Time
Help   System Time   Syst
445. rs connected to the Internet these numbers are controlled by IANA the Internet Assigned Numbers Authority The Router ID field sets the router id to use for the BGP daemon This value is used as a unique identifier for the dynamic routing protocol to identify which router sent which route advertisement By default it uses the highest IP assigned to an interface on the router It is recommended that this value be set to a unique fixed IP on each router Section 5 12 6 8 BGP Networks Help Networks Neighbors Remote AS Action Add a new neighbor Networks Subnet x x x x x or x x x x Action Add 4m Return to bap Figure 266 BGP Networks Menu Neighbors are other BGP routers with which to exchange routing information One or more neighbors must be specified in order for BGP to operate To add a neighbor to the BGP network click on Add a new neighbor to configure its BGP attributes Networks may be specified in order to add BGP routers connected to the specified subnets Note that a network specification need not be a given valid entry in the routing table Since BGP is a border gateway protocol one would more typically enter a more general network specification here For example if a routed network inside the AS comprised many different Class C subnets 24 of the 192 168 0 0 16 range it would be more efficient to advertise the one Class B network specification 192 168 0 0 16 to one s
446. rt gt All programs gt Apache HTTP Server gt Configure Apache Server gt Edit the Apache httpd conf file Search the file for the DocumentRoot variable and change it to the directory where your ROX releases are kept Restart Apache by clicking Start gt All programs gt Apache HTTP Server gt Control Apache Web Server gt Restart Return to the web browser used earlier to verify Apache and refresh the screen It should now reflect the contents of your ROX release directory You should now be able to perform an upgrade from a router Section 6 2 Installing a Microsoft IIS Web Server This section provides general advice and instructions on setting up a Microsoft IIS web server on Windows For complete installation details refer to the official Microsoft documentation Begin by identifying a host computer that has IIS and its physical and logical location on the network For some guidance on host requirements see Section 3 5 1 Repository Server Requirements Start to install IIS by clicking on Start menu Control Panel Add or Remove Programs Add remove Windows Components In the resultant menu check the Internet Information Services IIS box and select next 344 Installing a Microsoft IIS Web Server RUGGEDCOM ROX Chapter 6 User Guide Upgrades Windows Components Wizard Windows Components You can add or remove components of Windows XP To add or remove a component click the checkbox A shaded box means that only par
447. rval and Dead Interval are not identical on every router in an area Section 5 12 4 4 Active Passive Interface Default OSPF regards router interfaces as either passive or active sending OSPF messages on active interfaces and ignoring passive interfaces By default newly created interfaces are viewed as passive from OSPF until they are configured active This is more efficient and secure for the router The default type for new interfaces is controlled by the passive interface default option in the OSPF Global Parameters NOTE Li The default setting of Passive Interface Default means that you must explicitly configure interfaces active before OSPF will attempt to use them Router ID 269 Chapter 5 RUGGEDCOM ROX Setup and Configuration User Guide Section 5 12 4 5 Redistributing Routes Routes for subnets which are directly connected to the router but are not part of the OSPF area or RIP or BGP networks can be advertised if redistribute connected is enabled in the OSPF RIP or BGP Global Parameters Static routes and routes handled by the kernel can also be redistributed if redistribute static and redistribute kernel are enabled respectively Section 5 12 4 6 Link Detect Link detection is enabled for active network interfaces which ensures that the appropriate routing daemon is notified when an interface goes down and stops advertising subnets associated with that interface The routing daemon resumes advertising the
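The OSPF interface parameters described earlier (cost auto-calculated as reference bandwidth divided by interface bandwidth, hello and dead intervals that must match across an area, dead normally four times hello) and the passive-by-default behaviour above are the kind of settings that drift apart between routers. The following Python is an added example for this page, not code from ROX or from its OSPF daemon: it computes the auto cost, and over a set of interface configurations from several routers reports areas where active interfaces disagree on hello/dead and interfaces whose dead interval is not the recommended multiple. Passive interfaces are skipped because they send no hellos. The router names, interfaces and the 1..65535 clamp on the cost are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


def ospf_cost(reference_bandwidth_bps, interface_bandwidth_bps):
    """Auto-calculated cost = reference bandwidth / interface bandwidth, e.g.
    100 Mbit / 10 Mbit = 10. Clamped to 1..65535, the range the metric field allows."""
    if interface_bandwidth_bps <= 0:
        raise ValueError("interface bandwidth must be positive")
    return max(1, min(65535, reference_bandwidth_bps // interface_bandwidth_bps))


@dataclass(frozen=True)
class OspfInterface:
    router: str
    name: str
    area: str
    hello: int = 10          # seconds between hello packets
    dead: int = 40           # seconds without hellos before a neighbor is declared dead
    active: bool = False     # passive is the platform default; passive sends no hellos
    priority: int = 1


def area_timer_mismatches(interfaces):
    """For each area where active interfaces disagree, the distinct (hello, dead) pairs
    in use and the routers using each. Any such area violates the page's requirement
    that the values match on all router interfaces in an area."""
    by_area = defaultdict(lambda: defaultdict(set))
    for i in interfaces:
        if i.active:
            by_area[i.area][(i.hello, i.dead)].add(i.router)
    return {area: {pair: sorted(routers) for pair, routers in pairs.items()}
            for area, pairs in by_area.items() if len(pairs) > 1}


def dead_interval_warnings(interfaces, factor=4):
    """Active interfaces whose dead interval is not `factor` times the hello interval."""
    return [(i.router, i.name) for i in interfaces
            if i.active and i.dead != factor * i.hello]


# Constructed configuration gathered from three routers (not from a real deployment).
CONFIG = [
    OspfInterface("rtr-a", "eth1", "0.0.0.0", hello=10, dead=40, active=True),
    OspfInterface("rtr-b", "eth1", "0.0.0.0", hello=10, dead=30, active=True),
    OspfInterface("rtr-c", "eth1", "0.0.0.0", hello=5, dead=20),             # passive
    OspfInterface("rtr-a", "eth2", "0.0.0.1", hello=30, dead=120, active=True),
]
```

Note that rtr-c's odd timers do not show up in the mismatch report: as a passive interface it never participates, which is also why an interface left at the passive default can look healthy while carrying no OSPF at all.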
448. ry links chassis performance interface daemon Note that active alerts are volatile and will be regenerated after reboot If you clear an alert manually it will appear if the condition occurs again You may disable the alert permanently by disabling the alert from its entry in the definition menu The Clear Alert link under the Action column allows you to clear the alert Clicking on the Alert Name Specific Severity and Date column headers will sort the alerts by those types Select Alert Configuration to change the generic configuration and alert filter configurations Select Alert Definition configuration to change the alert definition entries 32 Alert Main Menu RUGGEDCOM ROX User Guide Chapter 3 Device Management Section 3 7 1 2 Alert Configuration This menu configures the general information and forward filters for the alert system Help Alert Configuration General Configuration This Router s URL used in email message https unknown 10000 Default Filter Level for Webmin Warning Y Default Filter Level for Command Line Error b Save Alert Filters Forward Destination Forward Destination Type Filter Level Comparator Filter Level Create New Filter Return to Alert Main Menu Figure 27 Alert Configuration Menu The This Router s URL configures the link to access this router This information will be used in the email forwarder which user can click o
449. s broadcast messages out the serial port The Turnaround must be between 1 and 1000 milliseconds inclusive or off The Retransmits field configures the number of times to retransmit the request to the RTU before giving up should the original attempt fail The Max Conns field configures the maximum number of incoming connections The Local Port field may be used to specify an alternate local TCP port number If this field is configured a single connection per serial port may be made to this alternate port number Note that TCP Modbus uses a default local port number of 502 There is no limit imposed on the number of connections to the default TCP port Section 3 10 7 5 DNP Menu Help j DNP Settings Address learning Aging Timer Max Conns Loc Port eth1 X 1000 1 20000 Save Changes de Return to Serial Protocols Figure 96 DNP Settings The Address Learning field may be set to Disabled or to an Ethernet interface name 96 DNP Menu RUGGEDCOM ROX Chapter 3 User Guide Device Management The Aging Timer sets the length of time which a learned DNP device in the Device Address Table may go without any DNP communication before it is removed from the table The Max Conns field configures the maximum number of incoming DNP connections The Loc Port field configures the TCP UDP port number on which DNP protocol listens DNP devices normally use port 20000 The Device Address field config
450. s Manager's Secure Access Portal Status Menu   150
4.5.5 Upgrading the Access Manager's Secure Access Portal   151
4.6 RADIUS Authentication   151
4.6.1 RADIUS Usage   151
4.6.2 RADIUS on ROX   152
4.6.3 RADIUS, ROX and Services   152
4.6.4 RADIUS Authentication Configuration   153
4.6.5 Edit RADIUS Server Parameters   154
4.7 RADIUS Server Configuration   154
4.7.1 Webmin Privilege Levels and FreeRADIUS   155
4.7.2 Webmin Privilege Levels and Windows IAS   156
4.7.3 PPP, CHAP and Windows IAS   159
Chapter 5 Setup and Configuration   161
5.1 Configuring Networking   161
5.1.1 Fundamentals   162
5.1.2 Network Configuration   162
5.1.2.1 Core Settings   163
5.1.2.2 Dummy Interface   164
5.1.2
451. s XP but is supported in Vista Section 5 11 15 Public Key Help Show Public Key The public RSA key shown below should be copied into the configuration of other systems connecting to this one in the section related to this host 0sAQOd20sNgI75uHfEBHRCWBl2nTdFdKvLyGSV32wFpe IVWkWVORvlSJJflpNqrJf tvjdiHwYGw8WaH nR2riDqqj5Ze4L73brx5GT OH6DfVSwESyWUOwSBYAHGTbRF83Uxw0jEQ3AP22X63dfVgABLANkQOCHu 1ID8HXSALGevCuktiUb8Msbg5rkqgkdi7H9DAAzYhzFwx49jzcPxZ6s6cAiuUOGGQAyVESpyKhCHk4g0V SZFLGib wEKLpwFKIXZaNkDScCn04JqWt94qB0A 5DoJ6MNqEor qszarog1 3gE2H4IzitpjjAPXy3O XpYXdIZ2PVkvuVkRuJlt3JAiWLQbkC8ABptf2CsJPpVPruOb202 de Return to connections list Figure 251 Show Public Key This menu displays the device s public RSA key Section 5 11 16 Pre Shared Keys Help Preshared Keys Remote Address Local Address Pre shared key 172 42 67 9 61 181 222 40 PreSharedKey2 176 42 67 9 201 172 152 6 PreSharedKey1 Add a new secret ke de Return to connections list Figure 252 Pre Shared Keys This menu creates deletes and edits pre shared keys used by VPN connections using secret key encryption Select the links under the Remote Address column to edit or delete a secret key The menu will not allow more than one entry to have a specific pair of IP addresses The menu will not allow a password shorter than eight characters in length 258 Public Key RUGGEDCOM ROX Chapter 5 User Guide Setup and Configuratio
452. s for any established sessions The Line Trace menu will provide a line activity trace for the serial ports Section 3 10 7 1 Assign Protocols Menu Help Assign Protocols Assigning a protocol to a port will make it available for configuration via a menu in the main page Port Type 1 rawsocket v 2 dnp X 3 tcpmodbus v 4 none X Save Changes de Return to Serial Protocols Figure 92 Assign Protocols Menu This menu associates a protocol with a serial port Unused ports should be left associated with none Changing an association will immediately close the calls of the old protocol Section 3 10 7 2 Port Settings Menu Port Settings Note that all changes are made immediately Port Speed DataBits Parity StopBits Flow Control Type Current Protocol 1 19200 8 NONE 1 v NONE RS232 v rawsocket 2 9600 v 8 y NONE 1 v NONE RS232 v dnp 3 9600 v 8 NONE y 1 v NONE RS232 v tcpmodbus 4 9600 8 NONE lv NONE vy RS232 v none 4 Save Changes Return to Serial Protocols Figure 93 Port Settings Menu 94 Assign Protocols Menu RUGGEDCOM ROX Chapter 3 User Guide Device Management This menu configures the serial settings and electrical protocol associated with a serial port Changes are made immediately Section 3 10 7 3 RawSocket Menu Help Raw Soc
453. s multiple connections from remote ends in order to implement broadcast polling. Connect from each side to the other if both sides support this functionality.

Section 3.10.3.2 Use of Port Redirectors
Port redirectors are PC packages that emulate the existence of communications ports. The redirector software creates and makes available these virtual COM ports, providing access to the network via a TCP connection. When a software package uses one of the virtual COM ports, a TCP connection is placed to a remote IP address and TCP port that has been programmed into the redirector. Some redirectors also offer the ability to receive connections.

Section 3.10.3.3 Message Packetization
The server buffers received characters into packets in order to improve network efficiency and demarcate messages. The server uses three methods to decide when to packetize and forward the buffered characters to the network: Packetize on Specific Character, Packetize on Timeout, and Packetize on Full Packet.

If configured to packetize on a specific character, the server will examine each received character and will packetize and forward upon receiving the specific character. The character is usually a <CR> or <LF> character but may be any ASCII character.

If configured to packetize on a timeout, the server will wait for a configurable time after receiving a character before packetizing and forwarding. If another character arrives during the waitin
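The three packetization methods above are a small state machine, and seeing them together makes the trade-offs concrete: a delimiter gives exact message boundaries, a timeout catches protocols without one, and a size limit bounds latency and buffer use. The following Python is an added example for this page, not code from the ROX serial server: it buffers bytes and emits a packet on the configured character, after a quiet period since the last byte, or when the buffer reaches a maximum size. Time is passed in by the caller so the behaviour can be tested without a clock. That a newly arriving byte restarts the timeout period is an assumption (the page's sentence on that case is cut off), as is including the delimiter in the emitted packet.

```python
class Packetizer:
    """Buffer serial bytes and emit packets by the three methods the text describes: on a
    specific character, on a quiet time after the last character, or on a full buffer.
    Times are seconds supplied by the caller so the logic is testable offline."""

    def __init__(self, delimiter=None, timeout=None, max_size=None):
        if delimiter is None and timeout is None and max_size is None:
            raise ValueError("at least one packetization method is required")
        self.delimiter = delimiter      # e.g. b"\r"; the packet includes it (assumption)
        self.timeout = timeout          # seconds of silence; each byte restarts it (assumption)
        self.max_size = max_size        # packetize on full packet
        self._buf = bytearray()
        self._last_rx = None

    def _flush(self):
        pkt = bytes(self._buf)
        self._buf.clear()
        self._last_rx = None
        return [pkt] if pkt else []

    def feed(self, data, now):
        """Offer received bytes at time `now`; return the packets ready to forward."""
        out = []
        for b in data:
            self._buf.append(b)
            self._last_rx = now
            if self.delimiter is not None and b == self.delimiter[0]:
                out += self._flush()
            elif self.max_size is not None and len(self._buf) >= self.max_size:
                out += self._flush()
        return out

    def tick(self, now):
        """Call periodically; emits the buffer once `timeout` seconds have passed with
        no byte received. Does nothing when no timeout is configured."""
        if (self.timeout is not None and self._buf
                and now - self._last_rx >= self.timeout):
            return self._flush()
        return []

    def pending(self):
        """Bytes held back so far, for diagnostics."""
        return bytes(self._buf)
```

With only a delimiter configured, a message that never carries the delimiter (a truncated or corrupted frame) sits in the buffer indefinitely and is prepended to the next good message; pairing the delimiter with a timeout or a size limit is how that is avoided.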
454. s not transmitting when the frame arrives to be enqueued, the frame is immediately transmitted. Prioritization will not add additional delay to a stream of packets of differing priority; it will simply reorder the sequence of transmission so that higher priority packets are sent first. Note that it is possible to stall the transmission of packets from a lower priority queue indefinitely if traffic from a higher queue saturates the interface.

NOTE: The router mandates that you must have at least a low, normal and high priority queue. Additionally, the high queue must be of higher priority than the normal queue, which must be of higher priority than the low queue.

Section 5.10.2 Filters
For each packet to be transmitted on a prioritized interface, the packet is compared against each of the filters on that interface until a match is found. The matching filter directs the packet onto a specific queue. If no matching filter is found, the packet's Type of Service (TOS) bits in its IP header are examined and used. It is possible to match on source and destination IP address/mask pairs, source and destination port numbers, and protocols. The 0.0.0.0/0 address/mask matches any IP address. Protocols that can be matched upon include TCP, UDP, ICMP, OSPF, VRRP and IPSec.

Section 5.10.3 TOS Prioritization
The priority of an IP packet can be derived from its Type of Service field. The TOS field has the following format: Priorit
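The filter matching and TOS fallback above, together with the starvation warning before it, can be tried out in a small classifier. The following Python is an added example for this page, not code from ROX: it evaluates filters in order (address/mask pairs, ports and protocol, with 0.0.0.0/0 matching any address), falls back to the TOS byte when none matches, and orders a burst the way a strict-priority scheduler would drain the three mandatory queues. The TOS layout used (three precedence bits followed by the minimize-delay, maximize-throughput, maximize-reliability and minimize-cost flags) is the RFC 1349 layout; the mapping from TOS values to queues, the treatment of "ipsec" as ESP or AH, and the sample filters and addresses are assumptions for the example, since the page says only that the TOS bits are examined.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

QUEUES = ("low", "normal", "high")   # the router requires at least these three

# TOS byte layout (RFC 1349): 3 precedence bits, then the D/T/R/C flag bits.
TOS_MIN_DELAY, TOS_MAX_THROUGHPUT, TOS_MAX_RELIABILITY, TOS_MIN_COST = 0x10, 0x08, 0x04, 0x02


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # tcp, udp, icmp, ospf, vrrp, esp, ah
    sport: Optional[int] = None
    dport: Optional[int] = None
    tos: int = 0


@dataclass(frozen=True)
class Filter:
    queue: str
    src: str = "0.0.0.0/0"          # 0.0.0.0/0 matches any address, as on the page
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None     # 'ipsec' covers esp and ah (assumption)
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt):
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.proto is not None:
            wanted = ("esp", "ah") if self.proto == "ipsec" else (self.proto,)
            if pkt.proto not in wanted:
                return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def queue_from_tos(tos):
    """Fallback when no filter matches. This mapping is the example's assumption."""
    precedence = tos >> 5
    if precedence >= 4 or tos & TOS_MIN_DELAY:
        return "high"
    if precedence == 0 and tos & (TOS_MAX_THROUGHPUT | TOS_MIN_COST):
        return "low"
    return "normal"


def classify(filters, pkt):
    """First matching filter wins; otherwise the TOS byte decides."""
    for f in filters:
        if f.matches(pkt):
            return f.queue
    return queue_from_tos(pkt.tos)


def transmit_order(filters, packets):
    """Order a burst as a strict-priority scheduler drains it: all high, then normal,
    then low, keeping arrival order within a queue (sorted() is stable). A sustained
    high stream therefore starves low, which is the stall the text warns about."""
    rank = {q: i for i, q in enumerate(reversed(QUEUES))}
    return sorted(packets, key=lambda p: rank[classify(filters, p)])


# Constructed filter set: keep router redundancy and RTU polling ahead of web traffic.
FILTERS = [
    Filter("high", proto="vrrp"),
    Filter("high", dst="10.0.0.0/8", proto="udp", dport=20000),   # DNP to the RTU subnet
    Filter("low", proto="tcp", dport=80),
]
```

Filter order matters as much as content: a broad 0.0.0.0/0 filter placed first would shadow every more specific one after it, so list the narrow matches first and let the TOS fallback handle the remainder.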
455. s page T3 1 Not Running Name Description Local Address Netmask Remote Address Assign a new Frame Relay logical interface Assign a new PPP logical interface Edit T3 1 Parameters du Return to Return to T3 E3 Main Menu Figure 195 T3 E3 Network Interface Initial Configuration This menu allows you to display and configure T3 E3 Trunk parameters A table is presented for each interface Interface numbers are as described by the WAN labels as shown in the home page chassis diagram 198 LED Designations RUGGEDCOM ROX Chapter 5 User Guide Setup and Configuration The status of each trunk s physical and logical interface is shown The menu presents connection status but note that it does not update in real time Click on the Refresh this page link to update the status display Each T3 E3 trunk may be configured as a Frame Relay link with one or more DLCIs or as a single PPP link Select Assign a New Frame Relay logical interface or Assign a new PPP logical interface respectively The contents of the menu will change after the creation of logical interfaces providing links to logical interface configuration and statistics and overall trunk statistics as seen below T3 E3 Trunks Channels and Logical Interfaces Refresh this page T3 1 Not Running Name Description Local Address Netmask Remote Address wifr20 Down Statistics North 10 200 20 1 255 255 255 255 10 200
456. …s restored. Note that in order for end-to-end backup to work, the primary interface must act as the default interface.
[Figure 167: End To End Backup. Form fields: Primary Interface eth1; Peer IP Address on Primary 192.168.16.2; Secondary Interface eth2; Peer IP Address on Secondary 192.168.17.2; Fail Over Time (seconds, less than 60); Generate Alarms Yes/No; Save, Save and Apply; Return to network configuration]
This menu allows you to display and configure end-to-end backup. In order to start end-to-end backup at each and every boot, you must enable it via the System folder, Bootup and Shutdown menu. The menu will remind you if the feature is not enabled. The Primary Interface field determines the primary interface; the interface selected should be configured to supply the default gateway. The Peer IP Address on Primary field sets the IP address to probe for connectivity on the primary interface. The Secondary Interface field determines the secondary interface. The Peer IP Address on Secondary field sets the IP address to probe for connectivity on the secondary interface. The Fail Over Timer field determines the amount of time the primary link must be failed before directing packets down the secondary link. The Generate Alarms field determines whether alarms are generated upon configuration problems and link failures. The Save button will save changes to the configuration…
457. …s should be the first log you inspect when starting to debug a problem.
syslog: This log file catches all information with the exception of authentications. Syslog contains all that messages contains, and more. Examine this log if you cannot find relevant information in messages.
auth.log: This log file catches authentication requests. View auth.log when you are trying to debug a problem in which a user is not able to sign on to a service such as web management or ssh.
critical: This log catches reports of critical failures. There should never be any messages in this log. Your Siemens Customer Support representative may ask you to inspect this file.
kern.log: This log contains messages issued by the kernel, the most central part of the operating system. This log always displays messages issued at boot time and should rarely be added to after that. Your Siemens Customer Support representative may ask you to inspect this file.
cron.log (initially disabled): This log file contains messages from the cron system, notifying of tasks started through cron. Your Siemens Customer Support representative may ask you to enable and inspect this log.
daemon.log (initially disabled): This log file contains messages from daemons, programs that run continuously in the background. Your Siemens Customer Support representative may ask you to enable and inspect this log.
Each one of the default logs above is represented in Figure 59 along with an…
458. …s the position of each of these fields in the login box.
[Figure 58: Webmin Banner Configuration Fields. Login box for 192.168.0.3 with numbered fields: 1 Session Header; 2 Session Message; 3 Username Box; 4 Password Box; 5 Login Button; 6 Clear Button]
The Message when Login Fails field specifies the message displayed when the login fails. The Logout Message field specifies the message displayed upon logout. The Message for Session Timeout field specifies the message displayed when the session times out.

Section 3.7.9 System Logs
System logs are records of activities that have occurred on the router, sorted into specific categories. System logs can be invaluable when debugging configuration changes. As such, most of your use of the logs will likely consist simply of examining them.
[System Logs table: Add a new system log. Log destinations /var/log/auth.log, /var/log/syslog, /var/log/cron.log, /var/log/daemon.log, /var/log/kern.log, /var/log/messages and All users, each with its selected message facilities (auth, authpriv, cron, daemon, kern) and levels (info, notice, warn) and a View link]
459. …s traffic to be transmitted. To do so, the PPP interface must be configured to be the default gateway on the device; configuring the PPP client to dial on demand automatically enables the default gateway option. At the beginning, the PPP interface will be shown as being up, but the link will not actually be connected. Only when there is traffic to be transmitted via the PPP interface will the configured number be dialled and a connection initiated. The Dial on Demand feature requires IP addresses to be configured for both the local and the remote ends of the PPP connection used. These addresses are required in order to instantiate PPP for the purpose of monitoring for traffic. Note that the local address, the remote address, or both may be overridden by the PPP server at the time a connection is actually established.

NOTE: Do not configure the default gateway on the router if you decide to use PPP Dial on Demand.

Section 3.8.5 LED Designations
ROX provides a pair of LEDs to indicate information about the modem PPP connection. PPP Link will be green when the modem PPP link is established; it will flash while a connection is being established or a console dial-in session is active. PPP Data will flash green when there is traffic on the PPP link.

Section 3.8.6 PPP Modem Configuration
From the Configuration Main Menu, select Modem Configuration. If a single internal modem is installed, this page appears…
460. …sable loopback modes.
[Figure 187: View T1/E1 Link Statistics; Return to T1/E1 Main Menu]

Section 5.3.2.10 Link Statistics
[Figure 188: T1/E1 Link Statistics. For link T1 1, Link Layer Statistics are shown in Receive and Transmit columns: number of frames received/transmitted; number of bytes received/transmitted; receive/transmit throughput; received frames discarded (too short, too long, link inactive); transmit frames discarded (length error); receive errors; transmit frames realigned; transmit errors; number of receiver overrun, CRC, abort, corruption, PCI and DMA descriptor errors; number of transmitter PCI errors, PCI latency warnings, DMA descriptor errors and DMA descriptor length errors. Link Alarms: ALOS OFF, LOS OFF, RED OFF, AIS OFF, RAI OFF, DOF OFF. Buttons: Refresh, Clear Statistics; Return to T1/E1 Main Menu]
The Link Ala…
461. …serve the incoming call or to perform the dial-out manually. Rings before answer controls how many times to let the modem ring before answering a call, if either Dial-in console or PPP Server is enabled. Additional Modem AT Init Codes allows you to enter extra AT codes. The router does not verify the AT codes entered here, so take care to ensure that the codes are correct. The following lists the AT codes supported for the Siemens internal modem. For external modems, refer to the external modem documentation.
Blind Dial: X0 Ignore dialtone/busy signal (blind dial); X4 Monitor and report dialtone/busy signal (default)
Guard Tone Control: &G0 Disable guard tone (default); &G1 Enable guard tone at 550 Hz; &G2 Enable guard tone at 1800 Hz
Pulse Dialing Control: &P0 Make/break ratio of 39/61 at 10 pulses per second (default); &P1 Make/break ratio of 33/67 at 10 pulses per second; &P2 Make/break ratio of 39/61 at 20 pulses per second; &P3 Make/break ratio of 33/67 at 20 pulses per second
Compression Control: C0 Disable data compression negotiation; C1 Enable MNP5 compression negotiation; C2 Enable V.42bis compression negotiation; C3 Enable MNP5 and V.42bis compression negotiation (default)
Line Quality Monitoring Control: E0 Disable line quality monitor and auto-retrain; E1 Enable line quality monitor and auto-retrain; E2 Enable line quality monitor and fallback/fall forward (def…
462. …ses. Be careful, as no syntax checking will be done on the changes.
[Figure 237: Manually Edit TC Classes. Editor contents (Save, Undo, Return to tcclasses list):]
    # Shorewall version 4 - Tcclasses File
    # For information about entries in this file, type "man shorewall-tcclasses"
    # See http://shorewall.net/traffic_shaping.htm for additional information
    ###############################################################################
    #INTERFACE CLASS MARK RATE CEIL PRIORITY OPTIONS DMAX UMAX
    eth1 1 full 2 full 8 10 5 tos-minimize-delay,tcp-ack
    eth2 2 200kbit 200kbit 2 default
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Section 5.9.2.3 TC Rules
This menu allows you to add, edit or remove a traffic classification rule. Add a new rule by selecting the Add a new traffic classification rule link, or by clicking on the add above or add below images in the Add column. Reorder rules by clicking on the arrows in the Move column.
[Figure 238: TC Rules]
TC Rules: Rules define which mark to assign to a packet and/or connection based on various criteria. Every rule is processed in order for each packet, and every matching rule is applied to the packet or its connection, unless a CONTINUE rule is matched, in which case no further rules are processed for the packet. Add a new traffic classification rule…
463. …sions for testing purposes; manually initiated installs of new packages for testing purposes.

Section 3.7.10.1 ROX Software Fundamentals
You may be required to upgrade the router in order to take advantage of new features, security improvements and bug repairs. Your ROX software is provided in releases of the form rrX.Y.Z. The platform release number X changes when new hardware platforms are released. The major release number Y is increased when important new features are added; this is called a Major release. The minor release number Z is increased when minor functionality is added or bug repairs are made; this is called a Minor release. ROX is organized into a number of interdependent packages. Each package contains all of the files necessary to implement a set of related commands or features, such as a firewall or ssh client. A router upgrade involves replacing some of these packages with newer versions and sometimes adding new packages. The upgrade system handles these functions automatically.

Section 3.7.10.2 Upgrade to RX1100
This menu allows you to upgrade your router. The display usefully provides a description of the current hardware in the router inventory.
[Upgrade Inventory: "This router has an RX1000 order code. In order to upgrade to an RX1100, contact your sales manager and provide them with the following inventory record…"]
464. …sitions and installations.
[Figure 65: Upgrading All Packages. Fields: Resynchronize package list (update) Yes/No; Only show which packages would be upgraded Yes/No; Upgrade Now]
The Resynchronize package list field selects whether to obtain the full package list from the repository server. The list need only be obtained once per upgrade, so checking No can save time on the upgrade process if a first pass was performed with the Only show option described below. This is especially true if the network link is a low speed WAN link. The Only show which packages would be upgraded field controls whether to only show the packages that will be upgraded (Yes) or to actually perform an upgrade (No). After setting the two parameters described above, click Upgrade Now to begin the upgrade process.

NOTE: Webmin manages the upgrade of other packages. When Webmin must upgrade itself, the process requires an extra step: you will be requested to start a Webmin-only upgrade. Webmin will start another program to manage the upgrade and will self-terminate. Webmin will automatically restart after the upgrade completes, after which time you may log back in.

Notes on Software Upgrade Procedures
ROX upgrades that involve a new Major release number generally require a router reboot after completion of the upgrade. Minor releases will never req…
465. …sk, Dest Port, Protocol, Target Queue (extra high); Save and Apply; Return to Traffic Prioritization.
[Figure 244: Prioritization Filter Configuration]
This menu allows you to edit and delete traffic filters. The Source IP/Netmask and Dest IP/Netmask fields specify the IP addresses and masks used to match an outgoing packet. Use 0.0.0.0/0 to generate an all-packets match. The Source Port and Dest Port fields specify the port numbers used to match an outgoing packet. You may specify either a raw number or a mnemonic as specified in the /etc/services file. This setting matches both UDP and TCP ports unless the Protocol field specifies UDP or TCP. The Protocol field specifies a protocol to match against, currently either TCP, UDP, ICMP, OSPF, VRRP or IPSec. The Target Queue field selects one of the available priority queues.

Section 5.10.6.3 Prioritization Transmit Queue Length
The WAN protocols supplied by ROX rely upon transmit queues to ensure their efficiency. Even as a packet is starting to be transmitted, other packets can be lining up behind it. Normally there is only one queue, the transmit queue, and packets are transmitted from it in the order in which they arrived. The transmit queue is a means of enhancing performance. Prioritization favors some packets over others by transmitting them with preference. Prioritiza…
466. …so be considered. For more information about industrial security, visit http://www.siemens.com/industrialsecurity. To stay informed about product updates as they occur, sign up for a product-specific newsletter. For more information, visit http://support.automation.siemens.com.

Warranty
Refer to the License Agreement for the applicable warranty terms and conditions, if any. For warranty details, visit www.siemens.com/ruggedcom or contact a Siemens customer service representative.

Contacting Siemens
Address: Siemens Canada Ltd., Industry Sector, 300 Applewood Crescent, Concord, Ontario, Canada L4K 5C7
Telephone: Toll-free 1 888 264 0006; Tel 1 905 856 5288; Fax 1 905 856 1995
E-mail: ruggedcom.info.i-ia@siemens.com
Web: www.siemens.com/ruggedcom

RUGGEDCOM ROX User Guide: Table of Contents
Preface … xix
… xix
Related Documents … xix
System Requirements … xx
Accessing Documentation … xx
… xx
Customer Support … xx
Chapter 1 … 1
1.1 Overview … 1
1.2 Security Recommendations … 1
1.3 Quick Starts … 3
1.3.1 Initial Configuration Before Attaching to the Network … 3
1.3.2 Basic Web Based Configuration …
467. …splays the text of the active configuration file for the BGP daemon.

Section 5.12.6.12 OSPF
[Figure 270: OSPF Menu. Entries: OSPF Global Parameters, OSPF Interfaces, Network Areas, Status, View OSPF Configuration; Return to dynamic routing]
This menu contains the configuration and status of OSPF on the router. The OSPF Global Parameters, OSPF Interfaces and Network Areas menus configure OSPF. The Status and View OSPF Configuration menus display the actual status and configuration file contents of OSPF.

Section 5.12.6.13 OSPF Global Parameters
[OSPF Global Parameters table: Parameter; Value; Description; Possible values (default value)]
Enable Password: enable password for configuration access; string without spaces (previous password)
Telnet Password: telnet password for port 2604 access; string without spaces (previous password)
ABR Type: value cisco; set OSPF ABR type; standard, cisco, ibm, shortcut (cisco)
Bandwidth Auto Cost Reference: value 100; calculate OSPF interface cost according to bandwidth; 1 to 4294967 Mbps (100)
Default Information Originate: enable to advertise the default route (disabled)
Default Metric: value 20; control distribution of default information; 1 to 16777214 (20)
Distance Defi…
468. …ssBow SAC connection. The Server Address field configures the IP address for the Station Access Controller (SAC) to which a client will connect. The Server Port field configures the TCP port for the Station Access Controller (SAC) to which a client will connect; the default is 21000. The Client Connection Timeout and Device Connection Timeout fields configure the time-out period. If the client or device does not reply before the time-out period ends, the connection is terminated.

Section 5.21.1.2 Configuring the SAC Certificates
[Figure 326: Server Certificate Configuration. Fields: CA Cert File Path /etc/crossbow/cxb_test_ca_cert.pem; Cert File Path /etc/crossbow/sac_151_certificate.pem; Private Key File Path /etc/crossbow/sac_151_privatekey.pem; Private Key Pass Phrase]
This menu allows you to configure certificates and private keys for CrossBow SAC. The CA Cert File Path field defines the path to the CA certificate. Use the Browse button to navigate to the folder in ROX that contains the certificate. The Cert File Path field defines the path to the self-signed certificate. Use the Browse button to navigate to the folder in ROX that contains the certificate. The Private Key File Path field defines the path to the private key. Use the Browse button to navigate to the folder in ROX…
469. …ssis 11 (Codepoint), chassis (Category), PCI slot 2 (Name), chassis (Subsystem), error (Severity), alarmable yes, renotify yes, interval 0, type simple; chassis 12, chassis, Chassis, chassis, error, yes, yes, 0, simple; chassis 13, chassis, Watchdog (Power on), chassis, error, yes, yes, 0, simple; chassis 14, chassis, Ethernet, chassis, error, yes, yes, 0, simple. Create New Definition; Return to Alert Main Menu.
[Figure 29: Alert Definition Configuration Menu]
This menu displays matched alert definition entries. It also allows the user to change an alert definition entry or create a new entry. An alert definition entry defines an alert which will be monitored by the system. The View Alert Definition by Category allows you to display alert definition entries matching the selected category. The Create New Definition button allows you to create a user-defined alert definition entry. Clicking on one of the links under the Codepoint column allows you to change the configuration for that alert definition entry.

Section 3.7.1.5 Change Alert Definition
[Change Alert Definition form. Alert Definition Parameters: Codepoint cfgw 1; Category daemon; Name Upgrade made changes; Subsystem configwatch; Severity Warning; Alarmable; Renotify Disabled/Enabled with Interval 1 to 86400 seconds; Type Simple. Parameters for Shell: Sample Interval 30 to 86400 seconds; Command; Comparator Greater tha…]
470. … 217
5.8.1.2 Linux netfilter/iptables and the Shoreline Firewall … 217
5.8.1.3 Network Address Translation … 218
5.8.1.4 Port Forwarding … 218
5.8.2 Shorewall Quick Setup … 219
5.8.3 Shorewall Terminology and Concepts … 219
5.8.3.1 Zones … 219
5.8.3.2 Interfaces … 220
5.8.3.3 Hosts … 220
5.8.3.4 … 221
5.8.3.5 Masquerading and SNAT … 221
5.8.3.6 Rules … 222
5.8.4 Configuring the Firewall and VPN … 224
5.8.4.1 Policy Based Virtual Private Networking … 224
5.8.4.2 Virtual Private Networking to a DMZ … 225
5.8.5 Firewall Configuration … 225
5.8.5.1 Network Zones … 227
5.8.5.2 Network Interfaces … 228
5.8.5.3 Network Zone Hosts … 229
5.8.5.4 Default Policies …
471. …sswords. These passwords should be changed before installing the router on the network.
[Figure 16: Router Setup Password Change Menu. RuggedRouter Passwords Menu: Change Setup Menu Password; Cancel]

Section 3.2.2 Setting the Hostname and Domain
The Set Hostname command sets the hostname and the domain.
[Figure 17: Hostname and Domain Configuration Menu. Change Hostname and Domain: Hostname rjc5; Domain ruggedcom.com; OK, Cancel]

Section 3.2.4 Configuring RADIUS Authentication
The Set RADIUS Authentication command configures the address of a RADIUS server, if one is available.
[Figure 19: RADIUS Server Configuration Menu. Add a New Radius Server: set Port to empty to use the default RADIUS port; set Username and Password to try the RADIUS server. Fields: Address (hostname/IP), Port, Secret, Timeout (seconds); OK, Cancel]
The Hostname/IP field configures the RADIUS server's IP address. The Port Number field sets…
472. …stalled on a device that is physically located within the facility. During normal operation, communications occur as usual between the remote CrossBow server (the enterprise server) and the devices within the facility. However, if network connectivity is lost, or if network speed makes it impractical for an on-site operator to use the enterprise server connection, a CrossBow client launched from within the facility's network can access the facility's devices via the SAC. On-site operators can access the local facility devices using their usual CrossBow interface. Operations initiated via the SAC are logged and can be uploaded to the enterprise server database once the network connection is restored. The Station Access Controller appears as a device in the Device View in the main CrossBow database.

NOTE: CrossBow SAC is disabled by default and may be enabled via the Bootup and Shutdown menu under the System folder. For more information about the Station Access Controller (SAC), refer to the RUGGEDCOM CrossBow User Guide.

This section familiarizes the user with: configuring CrossBow SAC; configuring the log level; managing certificates.

Section 5.21.1 Configuring CrossBow SAC
[Module Index: CrossBow SA…]
473. …stem, and a method of testing fail-over is provided.

Section 5.13.1 Path Failure Discovery
In order to discover the failure of a primary path (here through Network A), the link backup daemon will both inspect the link status of the main link and send a regular ping to a designated host. In this way, failures of network links within the cloud are discovered. It is essential that the host always respond to the ping. Another option is to configure a dummy address within the router and ping that address.
[Figure 282: Link Backup Example (Router 1, Router 2)]
The daemon will construe the main link as having failed, even if its link status is up, if the remote host fails to respond to a configurable number of pings after waiting a configurable timeout for each ping.

Section 5.13.2 Use of Routing Protocols and the Default Route
If the main trunk is on a private network, employ a routing protocol to ensure that an alternate route to the end network is learned after the backup trunk is raised. Ensure that OSPF/RIP are configured to operate on the secondary trunk, assigning it a higher metric (cost) than that of the main trunk. If the main trunk is on a public network, employ the transfer default route feature.

Section 5.13.3 Link Backup Configuration
[Link Backup menu: Link Backup Configurations, Link Backup Logs, Link Backup Status, Test Li…]
474. …sts performed from the T1/E1 Loopback menu.

Section 5.3.2.15 Upgrading Software
For some customers, access to remote sites is accomplished solely by a T1 or E1 connection. Usually a software upgrade will stop the system being upgraded, perform the upgrade, and then restart it. If T1/E1 were upgraded in this way the upgrade would fail, as the T1/E1 link would be taken down. Instead, T1/E1 software upgrades modify only the software on the disk. You must schedule a reboot in order to run the new version of the T1/E1 software. See Section 3.7.10 Upgrade System and Section 3.7.11 Uploading and Downloading Files for further information.

Section 5.3.2.16 Upgrading Firmware
ROX T1/E1 interfaces reside upon PCI interface cards. These cards contain FLASH memory which from time to time will be required to be upgraded. The upgrade process will take down the T1/E1 links, upgrade the firmware, and then restart the interfaces.

NOTE: The upgrade process requires upwards of 15 minutes for each PCI interface card. Because of the lengthy duration required to upgrade the interfaces, ROX does not automatically perform the firmware upgrade. Instead, the scheduling of the upgrade is left to the user.

The upgrade can be performed by signing on to the platform via the console or ssh and running the command /usr/sbin/update wanfirmware…
475. …sum of all bandwidth limiting settings. Routers using Frame Relay with CIR under-subscription may also encounter lengthier downloads because of retransmission.

Section 3.6 Reflashing the Router Software
ROX provides a utility to perform a complete software reinstallation. ROX persistent storage is implemented using flash memory; rewriting this memory is referred to as reflashing. The ROX operating system software and the complete configuration are both stored in flash memory. The reflashing process overwrites the software and reverts the configuration to its factory defaults. When reflashing to a release of ROX version 1, the reflashing utility provides an opportunity to restore a saved configuration archive.

NOTE: To restore a configuration archive using the reflashing utility, the configuration must have been made on a router using the same version of ROX as is being reflashed.

Section 3.6.1 Use Cases
The typical ROX upgrade method is through the Section 3.7.10 Upgrade System menu in Webmin. The reflashing utility provides an alternative mechanism that also allows you to downgrade to an older version of ROX. The following are some examples of when to use the reflashing utility instead of the Webmin-based upgrade process. A network management authority may designate a particular version of ROX as the only version approved for use on the network; newer routers added to a network may have a more recent firmware version than…
476. …t queue extra high; match source IP/Mask 0.0.0.0/0 -> queue low.
Note that the snmp, www, ssh and telnet keywords are defined in the file /etc/services, so we can use their mnemonics here. We could also have used the raw port numbers 161, 80, 22 and 23 respectively. The TcpModbus port number is not common and must be explicitly entered. The Webmin port number of 10000 reflects the fact that web traffic from a router is issued on this port. Each of the port-based filters must match a source port: matching is being applied to packets from the service at the well-known source port to an unknown and variable destination port number. Finally, note that the final traffic filter essentially suppresses TOS inspection by directing all unmatched traffic onto the low queue.

Section 5.10.5 Configuring Traffic Prioritization
NOTE: Traffic Prioritization is mutually exclusive of Traffic Control. Do not enable both of these features at once.
[Figure 241: Traffic Prioritization Main Menu. Page note: "Please note that Traffic Control should be used instead." Interfaces table (Interface, Prioritized, Queues, Filters, Statistics): eth1 No; eth2 No; eth3 No; eth4 No; w2c1ppp No; w2c2ppp No; w2c3ppp No]
This menu displays ne…
477. …t IP, Port, DISC, cost, Status; Add a new GRE tunnel.
[Figure 298: GRE Main Menu]

Section 5.16.1.1 GRE Configuration Menu
[Figure 299: GRE Tunnel Configuration Menu. New Tunnel Configuration note: "This menu will prefix gre to the tunnel name upon saving; legal tunnel names are 12 characters or less in length and contain only a-z or 0-9." Fields: Tunnel Name; Tunnel IP address; Tunnel MTU 1476; Remote Net; Multicast; Local IP; Remote IP; Cost; Local Egress Port (any); Save and Apply; Return to Generic Routing Encapsulation Tunnels]
This menu allows you to add or edit a tunnel. The Tunnel Name field will be presented if the tunnel is being created. The tunnel name is purely for informational purposes. A network interface device with this name will be created; in order that the name not collide with those used by other interfaces, it will be prefixed with gre. The Tunnel IP address field optionally configures an IP address on the gre network interface. The Remote Net field configures the target network at the ingress/egress at the remote end of the tunnel, whose traffic is forwarded through the tunnel. It may be an individual IP address or an IP subnet address, e.g. 192.168.0.0/24. A given Remote Net must not be used by another tunnel. Setting the Multicast option enables multicast traffic…
478. …t determine the outcome of examination of a specific packet. The rules are defined by iptables, a generic table structure, syntax and utility program for the configuration and control of netfilter. In practice, an iptables rule file and a script are all that are needed to load the netfilter system with rules upon router start-up. The iptables rules, however, are somewhat difficult to configure and manage. The Shoreline Firewall, often known as Shorewall, offers a more convenient approach. Shorewall is really just a front end to netfilter, maintaining the information used to generate the iptables rules in a less complicated form. Shorewall itself does not provide a graphical front end, and instead assumes administrators will have a fair amount of familiarity with reading and editing Linux configuration files. ROX comes with a GUI front end that simplifies some of the management aspects.

Section 5.8.1.3 Network Address Translation
Network Address Translation (NAT) enables a LAN to use one set of IP addresses for internal traffic and a second set for external traffic. The NAT function of netfilter makes all necessary IP address translations as traffic passes between the intranet and the Internet. NAT is often referred to in Linux as IP Masquerading. NAT itself provides a type of firewall by hiding internal IP addresses. More importantly, NAT enables a network…
479. …t of the component will be installed. To see what's included in a component, click Details.
[Figure 335: Installing IIS. Windows Components: Internet Information Services (IIS), Management and Monitoring Tools, Message Queuing, MSN Explorer, Networking Services. Description: Includes Web and FTP support, along with support for FrontPage, transactions, Active Server Pages, and database connections. Total disk space required 68.0 MB; Space available on disk 1027.3 MB]
Download the desired release (e.g. rr1.9.0.zip) from www.siemens.com/ruggedcom. Create the directory ruggedcom under the IIS root directory (C:\Inetpub\wwwroot). Unzip the rr1.9.0.zip file within C:\Inetpub\wwwroot\ruggedcom. Start to enable IIS by clicking on Start menu, Control Panel, Administrative Tools, Internet Information Services. Right-click on Internet Information Services, Connect, and enter the host computer's IP address (e.g. 192.168.0.1). Verify the IIS web server by opening a web browser on another host on the network and entering the URL http:// followed by the IP address IIS was installed with, followed by /ruggedcom (e.g. http://192.168.0.1/ruggedrouter). Visit the router you wish to upgrade and visit the Maintenance menu, Upgrade System sub-menu. Click on the Change Server button and set the Repository Server field (e.g. http://192.168.0.1/ruggedcom). Set the Release Version field to rr1. Save the configuration and return to the Maintena…
480. t of any interfaces which are no longer configured on the router. The Passive Interface option controls whether an interface is active or passive. Passive interfaces do not send RIP updates to other routers. The Receive Version field controls which versions of RIP messages will be accepted: either version 1, version 2 or both versions can be accepted. By default, both RIP versions are accepted. The Send Version field controls which versions of RIP messages to send to other routers: either version 1, version 2 or both versions can be sent. By default, only RIP version 2 messages are sent. The Authentication fields choose the authentication mode this port uses. A port can either use no authentication, use a specific authentication string (used the same way as the string in a key), or use a specific key chain's settings. By default, no authentication is used. The Authentication mode field chooses the mode of authentication used. Options are plain text (the default), MD5 following the RIP authentication RFC, and MD5 using the method used by the old ripd implementation. The Use Split Horizon field controls use of the RIP split horizon feature (RIP v2 only). It can be disabled or enabled, and if enabled it can optionally enable the poisoned reverse feature. Split horizon controls whether routes learned through an interface should be allowed to be advertised back out that interface. By default, RIP advertises all routes it knows about to everyone, which makes it take a ver
481. t of the Number of missed pings before fail-over and the Ping timeout. The Main path down timeout field specifies the number of seconds the main trunk must be down before starting the backup trunk. The Main path up timeout field specifies the number of seconds the main trunk must have returned to service before stopping the backup trunk. You may delete a link backup configuration through the Delete button. NOTE: If you delete a link backup configuration that has failed over or is failing over to its backup trunk, the link daemon will stop attempting the link backup and restore the main trunk, even if the main trunk is still down. NOTE: When using Ethernet as an on-demand backup interface, first disable the backup interface in the main Networking menu. When an interface is disabled and configured as an on-demand interface, it remains down until it is brought up when needed by link failover. Section 5.13.6 Link Backup Logs. [Link Backup Logs table (Day/Time, Process, Event), from /var/log/syslog: Oct 28 15:57:23 linkd[4664] linkd initializing; Oct 28 15:57:23 linkd[4664] linkd configured and started; Oct 28 15:57:23 webmin[4601] root, Bootup and Shutdown: Started actions linkd. Refresh; Return to link backup]
482. t priority class up until it reaches its maximum bandwidth, after which the next priority is allocated more bandwidth. When the specified total bandwidth for the interface is reached, no further packets are sent, and any further packets may be dropped if the interface queues are full. Packets are assigned to classes on the outbound interface based on either a mark assigned to the packet or the ToS (type of service) field in the IP header. If the ToS field matches a defined class, then the packet is allocated to that class. Otherwise it is allocated to any class that matches the mark assigned to the packet, and if no class matches the mark, then the packet is assigned to the default class. Marks are assigned to packets either by the TC Rules (based on any of a number of parameters such as IP address, port number, protocol, packet length and so on) or by mapping an 802.1p VLAN CoS value to a MARK in the VLAN configuration of the incoming port. Marks are also used to map back to an 802.1p CoS value on an outbound VLAN port. Section 5.9.1 Traffic Control Example. The goal of this example is to operate Ethernet port 1 at 5 Mbit/s and ensure that UDP source port 20000 traffic gets at least half the bandwidth, while ICMP and TCP ACK packets should have high priority, HTTP traffic gets at least 20% and at most 50%, and all other traffic should get what is left over, but only up to 50% of the bandwidth. The three TC menus would be configured as follows
483. t ruggedrouter and the Release Version field initially set to rr1.1. When you need to upgrade to rr1.2, you will visit the routers and update the Release Version field. This method is simpler but has the disadvantage that you need to visit each of the routers. This can become unwieldy when there are many routers to manage. Section 3.5.4.2 Upgrading Considerations. The device offers you the ability to perform automatic daily upgrades, specify the download time and limit the download bandwidth. These tools automate the upgrade process and minimize the impact of upgrading on the network. When automatic daily upgrades are used, you may wish to stagger the upgrade time of the routers. If your network has a natural ebb-flow period of traffic activity, schedule the upgrades during this time. As an example, if you have 20 routers to upgrade and they must be upgraded over an eight-hour period, configure each router to start its upgrade 20 minutes after the previous router. Be careful with limiting download bandwidth in the router. Typical upgrades will involve less than 5 MBytes of traffic. If bandwidth limiting is employed and set to 8 Kbps, the upgrade will require upwards of 1.5 hours to complete. Administrators should also be wary of routers which concentrate locally connected routers, as the upgrade bandwidth consumed on the network link could reach the
484. t's destination. Each of the Source and Destination zones may use one of the defined zone names, or one may select Other and specify a zone name in the text field to the right. Both Source and Destination may be further qualified using the Only hosts in zone with addresses fields. Multiple comma-separated subnet, IP or MAC addresses may be specified in the following way: Subnet 192.168.1.0/24; IP 192.168.1.1; IP range 192.168.1.1-192.168.1.25; MAC 00:A0:C9:15:39:78. The Protocol field specifies the protocol (tcp, udp or icmp) to match. The Source ports and Destination ports fields specify TCP or UDP port numbers to match. These fields are in the form of a list of comma-separated port numbers or ranges of port numbers of the form first:last. The Original destination address field matches the request's destination IP address. NOTE: If you are using DNAT to implement port forwarding, enter the original destination address here and the forwarded address in the Destination zone or port fields (Only hosts in zone with address sub-field). The Rate limit expression fields specify rate limit control of the form X/sec or X/min, where X is the number of allowed requests in the time period. A burst limit field Y, where Y is the maximum consecutive number of requests, defaults to five if not configured. The Rule applies to user set fields allow advanced users to match the rule against specific users and groups. This ma
485. t server on ROX is to configure the firewall to restrict telnet connections. It would be advisable, for example, to allow telnet connections only from the LAN side of the router and prevent them from the WAN side. Section 3.13.1 Telnet Server Configuration. [Figure 108: Telnet Server Configuration Main Menu (Listen on address: All addresses, 192.168.0.3 eth1, 192.168.2.1 eth2, 192.168.3.1 eth3, 192.168.4.1 eth4; Save; Start Telnet Server: click this button to start the Telnet Service, the same as starting the telnet service from the Bootup and Shutdown menu).] The Listen on address field and list are used to control which local router addresses the telnet server will respond from. If All addresses is selected, then the router's telnet server will be reachable via any configured IP address. If All addresses is not selected, then the telnet server will only respond from the highlighted addresses in the list below. The Save button will commit the configuration change. If the telnet server is not running, the configuration will be saved but will not start the server. If the telnet server is running, the configuration will take effect immediately. The Start Telnet Server button allows you to start the telnet server. This is the same as starting the telnet server from the Bootup and Shutdown menu. Note that if the telnet server is running, the Stop Telnet Server b
486. t to another router, for example by using a cross-over cable and selecting Master on one of the two routers to provide the clock signal. The link Convert this interface to E3 reconfigures the interface for use as an E3 trunk. Section 5.4.4.4 E3 Interface Parameters. [Figure 198: Edit E3 Interface (Interface E3 1; Convert this interface to T3; Framing: G.751 framing format; Line Decoding: HDB3; Clocking: Normal; Save; Return to T3/E3 WAN Interfaces).] The Framing field determines the framing format used. Your line provider will indicate the correct format. The Line Decoding field reflects the line encoding/decoding scheme. The Clocking field selects whether to accept or provide the clock signal. In normal use the central office provides the clock signal, in which case the setting should be Normal. It is also possible to connect to another router, for example by using a cross-over cable and selecting Master on one of the two routers to provide the clock signal. The link Convert this interface to T3 reconfigures the interface for use as a T3 trunk. Section 5.4.4.5 Editing a Logical Interface (Frame Relay). [Figure 199: Creating a Frame Relay L... (Edit T3 Interface: Interface T3 1; Convert this interface to E3; Framing: C-Bit; Line Decoding: B3ZS; Clocking: Normal; Save; Return to T3/E3 WAN Interfaces).]
487. tching only takes place when the source of the traffic is the firewall itself. Section 5.8.5.7 Static NAT. The static network address translation entries in this table can be used to set up a 1:1 correspondence between an external address on your firewall and an RFC1918 address of a machine behind your firewall. Static NAT is often used to allow connections to an internal server from outside your network. [Figure 229: Static NAT (table columns External address, External interface, Internal address, Move, Add; example entries 204.226.111.45 eth1 192.168.0.1 and 204.62.138.24 eth1 10.0.0.1; Add a new static NAT entry; Manually Edit File: click this button to manually edit the Shorewall file /etc/shorewall/nat in which the entries above are stored; Return to list of tables).] This menu allows you to add, edit and delete static NAT translations. Add new translations by selecting the Add a new static NAT entry link or by clicking on the add above or add below images in the Add field. Reorder the translations by clicking on the arrows under the Move field. Clicking on a link under the External Address field will allow you to edit or delete the rule, as shown below. You may also make changes by manually editing the rule file. Edit Static NAT: Static NAT entry details, External
488. te format: PEM format RSA key pair, 512 to 2048 bits in length. NOTE: Once secure remote system logging is enabled and a remote syslog server is configured, TCP port 6514 is automatically opened. Enable enables or disables secure remote syslog. CA certificate specifies the path and filename of a CA (Certificate Authority) certificate. The client and server certificates must be signed by the same Certificate Authority (CA). Certificate specifies the path and filename of a certificate. Key specifies the path and filename of a key. Permitted Peer Common Name allows you to match the common name in the certificate with one or more match patterns. Each match pattern must be separated by a space. The default value is the * pattern, which can be replaced by one or more patterns, which can include wildcards. For example, the match pattern *.example.com will match abc.example.com. Alternatively, the match pattern a*.example.com will also match abc.example.com, but it will not match abc.example. CAUTION: Security hazard, risk of unauthorized access or exploitation. Selecting the Do not check radio button configures ROX to accept a certificate with any common name from the server. This mode is vulnerable to man-in-the-middle attacks and is not recommended. If you do not want to match the common name, select the Do not check radio button.
489. te that each class is associated with exactly one network interface. Exactly one class for each interface must be designated as default. Unmarked traffic (packets which have not been assigned a mark value in the TC Rules menu or via VLAN 802.1p) will be handled by the default class. Classes can match packets either by their assigned mark or by their ToS field. The ToS field takes precedence over the mark. Add a new traffic class by selecting the Add a new traffic classification class link or by clicking on the add above or add below images in the Add column. Clicking on a link in the Interface column will allow you to edit or delete a traffic classification class, as shown below. [Figure 236: Edit TC Classes (Interface: eth1; Mark to match: 1; Minimum rate: kbit, full, 1/12 rate; Maximum rate: kbit, full, 8/10 rate; Priority: 1; Options: default, tos-minimize-delay, tos-maximize-throughput, tos-maximize-reliability, tos-minimize-cost, tos-normal-service, tcp-ack, tos=0xXX or 0xXX/0xYY where XX is a two-digit hex tos value and YY is a two-digit hex mask; Save; Delete; Return to tcclasses list).] The Interface field specifies which network interface this TC Class applies to. The Mark to match field specifies what mark value this TC Class will match. The mark may be in the range 1-255, in decimal or hex. The Minimum rate
490. tect misuse of the local ports. Monitoring traffic inside the firewall on all local interfaces has the advantage that the number of alerts decreases as vulnerabilities are eliminated at the firewall. It is also good to monitor as much of the internal traffic as possible. Section 3.15.1.3 Snort Rules. The Snort application in ROX does not include any rule sets. It is the responsibility of the user to download rule sets from various sources and only upload the rule sets that are intended to be used on the router running Snort. Common sources for Snort rule sets include the VRT, Community and ETOpen rule sets. The VRT and Community rule sets can be downloaded from http://snort.org, and registration is required before downloading free or subscribed rules. The ETOpen rule sets can be downloaded from http://emergingthreats.net, but make sure to download the nogpl version if you intend to use the VRT rule sets beside the ETOpen rule sets. NOTE: Unzip the downloaded rule set files if they are zipped, select the rule sets that you plan to use on your router, and copy the selected rule sets to a new folder before uploading them to the intended router. The selection of the rule sets depends on the needs of your organization. You may want to enable the rules from a rule file before uploading them to a router. A rule can be enabled by removing the # sign from the beginning of the rule. Each rule contains a unique Signature Identifier (SID). The SID is inclu
491. terfaces. [Figure 201: Edit Logical Interface (PPP).] The Local IP Address field defines the IP address for the PPP interface. The Netmask field displays the network address mask. The value 255.255.255.255 indicates that the connection is point-to-point. The Remote IP Address field defines the IP address for the other side of the link. This address is usually assigned by the network administrator or Internet service provider. The Description field attaches a description to the logical interface, viewable from the network interfaces menu. The Delete button removes the currently selected interface. Section 5.4.5 T3/E3 Statistics. When at least one logical interface is configured, T3/E3 Link and logical interface statistics will be available. These statistics are available from links on the T3/E3 WAN Interfaces menu. Link Statistics are available via the View T3/E3 X Link Statistics link at the bottom of each interface table. Frame Relay and PPP statistics are available through Statistics links under the interface name column of each interface table. Link, Frame Relay and PPP Interface Statistics are as described in detail in the Section 5.3.2.9 T1/E1 Statistics section of Section 5.3 Configuring Frame Relay, PPP and T1/E1. The differences are that the T3/E3 link reports only AIS, LOS, OOF and YEL alarms
492. tform-specific notes. Download and install this version. Verify the web server by opening a web browser on another host on the network and entering the URL http:// followed by the IP address Apache was installed with. Note that you may also verify Apache from a browser on the web server itself by browsing http://localhost. If properly set up, the Apache default web page will be shown. [Figure 334: Apache Default Web Page ("If you can see this, it means that the installation of the Apache web server software on this system was successful..." default page text).] Apache serves the web pages contained in the directory known as the DocumentRoot. You must change the document root by, from the desktop, clicking Sta
493. that contains the key. The Private Key Pass Phrase field configures the passphrase for the private key. Section 5.21.1.3 Configuring SAC. [Figure 327: Station Access Controller Configuration (two SAM entries, each with SAM Common Name, SAM Host Address, SAM Host Port 21000).] This menu allows you to configure the Station Access Controller (SAC). ROX supports up to two Secure Access Managers (SAMs). NOTE: The common name, host address and host port must be defined for one or more SAMs. The SAM Common Name field defines the common name in the certificate that the SAM (the parent of the SAC) will present when mutually authenticating with the SAC. The common name must not contain spaces. The SAM Host Address field defines the IP address for the SAM. The SAM Host Port field defines the TCP port for the SAM. The default is 21000. Section 5.21.1.4 Configuring User Access. [Figure 328: User Access Configuration (Max Login Attempts: 3).] This menu allows you to configure the maximum number of times a user can attempt to log in to the Station Access Controller (SAC). The Max Login Attempts field defines the maximum number, from 0 (no limit) to 10. Section 5.21.1.5 Configuring Event Logs. Eve
494. the interface remain up. The GRE interface does not monitor the status of the network interface to which it sends traffic. [Figure 297: Example GRE Tunnel Configuration (Router 1: eth1 192.168.1.1, local address 172.16.17.18, subnet 192.168.1.0; Router 2: eth2 192.168.2.1, address 172.19.20.21, subnet 192.168.2.0).] In the above example, Router 1 will use a GRE tunnel with a local router address of 172.16.17.18, a remote router address of 172.19.20.21 and a remote subnet of 192.168.2.0/24. NOTE: If you are connecting to a CISCO router in place of Router 1 in the example above, the local router address corresponds to the CISCO IOS source address and the remote router address corresponds to the destination address. You may also set a cost for the tunnel. If another method of routing between Router 1 and Router 2 becomes available, the tunneled packets will flow through the lowest-cost route. You can optionally restrict the packets by specifying the local egress device (in the case of Router 1, w1ppp). Section 5.16.1 GRE Configuration. This menu displays configured GRE tunnels. The tunnel status will read active if the tunnel was created successfully. [Generic Routing Encapsulation Tunnels table: Tunnel Name, Tunnel IP address, Tunnel Remote/Local addresses, Egress...]
495. the same. If configured, the router will obey XON/XOFF flow control from the end devices. One of the routers is configured to listen to TCP connection requests on a specific TCP port number. The other server is configured to connect to its peer on the listening port number. ROX will attempt to connect periodically if the first attempt fails and after a connection is broken. ROX can be used to connect to any device supporting TCP, e.g. a host computer's TCP stack or a serial application on a host using port redirection software. Section 3.10.2.2 RTU Polling. The following applies to a variety of RTU protocols besides ModBus RTU, including ModBus ASCII and DNP. The remote router communicates with host equipment through native TCP connections, another device via a serial port, or a port redirection package which supports TCP. If a ROX is used at the host end, it will wait for a request from the host, encapsulate it in a TCP message and send it to the remote side. There the remote ROX will forward the original request to the RTU. When the RTU replies, the ROX will forward the encapsulated reply back to the host end. ModBus does not employ flow control, so XON/XOFF should not be configured. ROX maintains configurable timers to help decide when replies and requests are complete, and to handle special messages such as broadcasts. ROX will also handle the process of line turnaround when used with RS485. Section 3.10.2.3 Broadcast RTU Polli
496. through Webmin or by logging in to a local serial or remote SSH console as the rrsetup user. NOTE: The router must not lose power or be interrupted during the reflashing process. The process involves a complete rewrite of the operating software image. Interruption will require that the router be returned to the factory to have the software restored. Siemens recommends minimizing the risk by using a standalone PC as the web server and by powering both the web server and the router using an uninterruptible power supply (UPS). Section 3.7 Maintaining the Router. This section familiarizes the user with: Viewing Alerts; Backing up and restoring configurations; Decommissioning the device; Configuring SNMP; Configuring RADIUS Authentication; Configuring Outgoing Mail; Chassis Parameters; Power over Ethernet; Banner Configuration; Using System Logs; Upgrading Software; Using Pre-upgrade/Post-upgrade scripts; Uploading and downloading files. Section 3.7.1 Alert System. The alert system provides the following features: it generates alerts, displaying them locally and/or forwarding them via email messages; alerts are set and cleared by the daemons that own them; active alerts are locally displayed and can be cleared manually; multiple forwarders can be configured, and a configurable filter level controls alert forwardin
497. tination IP addresses, and IP protocol and port numbers. These rules, by virtue of the zones they match, use the policy flagging inserted by netkey and route matching data traffic to the proper interface. Section 5.11.3 Supported Encryption Protocols. Openswan supports the following standard encryption protocols. 3DES (Triple DES): uses three DES encryptions on a single data block with at least two different keys to get higher security than is available from a single DES pass. 3DES is the most CPU-intensive cipher. AES: the Advanced Encryption Standard protocol cipher uses a 128-bit block and 128-, 192- or 256-bit keys. This is the most secure protocol in use today and is much preferred to 3DES due to its efficiency. Section 5.11.4 Public Key and Pre-Shared Keys. In public key cryptography, keys are created in matched pairs called public and private keys. The public key is made public while the private key is kept secret. Messages can then be sent by anyone who knows the public key to the holder of the private key. Only the owner of the private key can decrypt the message. When you want to use this form of encryption, each router configures its VPN connection to use the RSA algorithm and includes the public signature of its peer. The device's public signature is available from the output of the Show Public Keys menu. In secret key cryptography, a single key known to both parties is used for both encryption and decryption. When y
498. tion. The number of historical received and transmitted characters, as well as errors, will be displayed. The Connection Statistics table provides a record for each L2 tunnel that terminates on a local Ethernet interface or on a remote UDP/IP connection. The Round Trip Times table reflects the measured RTT to each remote daemon. The minimum, average, maximum and standard deviation of times is presented. Entries with a large difference between the Transmitted and Received fields indicate potential problems. The Refresh button will cause the page to be reloaded. The Continuous Display button will cause the browser to continuously reload the page, showing the differences in statistics from the last display. Note that the difference is not a real-time rate in bytes or packets per second. Section 5.17.9 Activity Trace Menu. [Activity Trace menu: "Specifying large numbers of protocols, entries and capture time can result in a great deal of output." Trace Layer 2 Tunnels; Trace on protocols: GOOSE, L2GEN, All Protocols; Message Decode; Hex dump; Packets; RTT Measurement Messages; Maximum number of entries to capture: 20; Maximum time in seconds to capture over: 10; followed by captured trace output, e.g. "L2 GEN Received message from eth3 length..."]
499. tion Details describes parameters relating to the connection itself. The next two sections, Left System's Settings and Right System's Settings, describe IP networking parameters and RSA signatures at each peer. These two sections are identical and are described once. Section 5.11.18.1 IPSec VPN Connection Details. [Figure 254: Editing a VPN Connection (Part 1): IPsec VPN connection details with fields Connection name (Remote_16), At IPsec startup (Default), Authenticate by (Default, rsasig, secret), Connection type (Tunnel, host or network), cipher selections (Default, allow only: aes256, aes192, aes128, 3des), hash selections (Default, sha1, md5), Compress data (Yes/No/Default), Connection key lifetime (secs), L2TP (Yes/No).] The Connection name field associates a name with the connection. Do not embed whitespace in the name. The At IPSec startup field determines what happens to the connection after Openswan starts, and includes the options Ignore, Add connection, Start Connection, Route and Default. A value of Ignore will cause the connection to be ignored. A value of Add connection will cause the connection to be established when explicitly started via the command line or the IPSec VPN Con
500. tion, Network Address Translation, DNAT: which hosts need to accept connections from whom and on which ports? 8. Configure the rules file to override the default policies. Have external connections been limited to approved IP address ranges? Have all but the required protocols been blocked? 9. If you are supporting a VPN, add additional rules. 10. Check the configuration using the Shorewall Firewall menu, Check Firewall button. 11. Activate the firewall. It is usually a good idea to port scan the firewall after activation and verify that logging is functioning. Section 5.8.3 Shorewall Terminology and Concepts. This section provides background on various Shorewall terms and concepts. References are made to the section where configuration applies. Section 5.8.3.1 Zones. A network zone is a collection of interfaces for which forwarding decisions are made, for example (Name: Description): net: The Internet; loc: Your Local Network; dmz: Demilitarized Zone; fw: The firewall itself; vpn1: IPSec connections on w1ppp; vpn2: IPSec connections on w2ppp. You may create new zones if you wish. For example, if all of your Ethernet interfaces are part of the local network zone, disallowing traffic from the Internet zone to the local zone will disallow it to all Ethernet interfaces. If you wanted some interfaces but not others to access the I
501. tion works by establishing queues at the required priority levels and filling the transmit queue with them in priority order. The aim of establishing low latency for certain traffic is foiled when transmit queue lengths are large, because multiple low priority packets may have queued before a high priority packet arrives at the router. Siemens recommends that the transmit queue length be left at its minimum default value of 1. Higher values, however, may strike a balance between latency and performance. Section 5.10.7 Prioritization Statistics. [Figure 245: Prioritization Statistics for w1ppp (extra high, high, normal, low queues shown as percentages and byte counts; Refresh; Clear Statistics And Refresh; Return to Traffic Prioritization).] This menu displays the percentage of interface traffic that has been transmitted from each priority queue. The Refresh button causes the statistics to be updated. The Clear Statistics and Refresh button causes the statistics to be cleared and then captured after a one-second interval. Section 5.11 Configuring IPSec VPN. This section familiarizes the user with: Configuring IPSec VPN Global Options; Creating VPN Connections; Configuring L2TPD; Enabling and Starting IPSec; Obtaining VPN Status; I
502. [Figure residue: listing of a Snort rules file, showing community rules such as Software Computrace outbound connection (sid 26287 rev 4 and sid 26286 rev 4, with references to absolute.com support pages and the Black Hat USA 2009 Ortega "Deactivate the Rootkit" paper), APP-DETECT Chocoplayer successful installation (sid 25981 rev 1), APP-DETECT Acunetix, and APP-DETECT Ammyy remote access tool.]
transmitter DMA descriptor length errors, number of receiver PCI errors, number of receiver corruption errors and number of receiver DMA descriptor errors.

Figure 208: DDS Link Statistics (Link Alarms: In Service, Data mode idle, Zero supp code, Ctrl mode idle, Out of service code, Out of frame code, Valid DSU NL loopback, Unsigned mux code, Rx loss of signal; Refresh; Clear Statistics)

Frame Relay and PPP interface statistics are as described in Section 5.3, Configuring Frame Relay, PPP and TVET.

Section 5.5.3.5 DDS Loopback

When at least one logical interface is configured and that interface is active, a DDS loopback test can be performed. This menu can be reached from a link on the DDS WAN Interfaces menu. The remote equipment must be able to loop, allowing the entire line to be verified. If the remote equipment is another ROX, starting a line loopback will verify both cards and the line. DDS has no standard for performing digital loopback. For more information on DDS loopback, refer to Section 5.3.2.13, T1/E1 Loopback.

Section 5.5.3.6 Current Routes and Interface Table

The table provided by this command is as described in the Networking menu, Network Utilities sub-menu. It is also provided here as a convenience.
tribute name: Vendor-Specific; Attribute number; Attribute format: OctetString; Attribute values, with Move Up, Move Down, Remove, Edit, OK and Cancel controls.

Figure 154: IAS Window, Multivalued Attribute Information

In the Vendor-Specific Attribute Information window, select Enter Vendor Code and enter 15004. Select Yes, It conforms, and click the Configure Attribute button.

Figure 155: IAS Window, Vendor-Specific Attribute Information (Attribute name: Vendor-Specific; Specify network access server vendor: Select from list (RADIUS Standard) or Enter Vendor Code: 15004; Specify whether the attribute conforms to the RADIUS RFC specification for vendor-specific attributes: Yes, It conforms / No, It does not conform; Configure Attribute; Cancel)

In the Configure VSA (RFC compliant) window, in the Vendor-assigned attribute number edit box, enter 2. For Attribute format, select String. For Attribute value, enter the privilege level of the group being created, e.g. operator.

Figure 156: IAS Window, Configure VSA (RFC compliant) (Vendor-assigned attribute number; Attribute format: String; Attribute value: root)

Section 4.7.3 PPP CHAP and
ts for all connections record is used. The Perfect Forward Secrecy fields enable PFS, causing keys to be exchanged in a manner that gives an attacker who has compromised one key no advantage in decoding previously intercepted packets or subsequent packets. Not all clients support PFS. The Connection key lifetime fields determine how long a particular instance of a connection should last, from successful negotiation to expiry. Normally the connection is renegotiated before it expires. The L2TP field determines whether this connection uses L2TP.

NOTE: ROX supports only DH groups of 1024 bits or greater for both Phase 1 and Phase 2. Please ensure that your client is configured not to use DH group sizes of less than 1024 bits.

Section 5.11.18.2 Left/Right System's Settings

Left system's settings form (fields: Public IP address, System identifier, Private subnet behind system; options shown include None, Entered below, Automatic (any), From default route, Address or hostname, Default, IP address, Hostname, Certificate, File and key; the system's RSA public key is displayed in the form).
ts in isolating the hosts relying upon the default route. There are a number of ways that may be used to provide redundant connections to the host. Some hosts can configure alternate gateways, while others are intelligent enough to participate in dynamic routing protocols such as the Routing Information Protocol (RIP) or the Open Shortest Path First routing protocol (OSPF). Even when available, these approaches are not always practical due to administrative and operational overhead.

Section 5.14.2 The VRRP Solution

VRRP solves the problem by allowing the establishment of a virtual router group, composed of a number of routers that provide a specific default route. VRRP uses an election protocol to dynamically assign responsibility for the virtual router to one of the routers in the group. This router is called the VRRP Master. If the Master (or, optionally, its WAN connection) fails, the alternate, i.e. backup, routers in the group elect a new Master. The new Master provides the virtual IP address and issues a gratuitous ARP to inform the network of where the gateway can be reached. Because the host's default route does not change and the MAC address is updated, packet loss at the hosts is limited to the amount of time required to elect a new router.

Section 5.14.3 VRRP Terminology

Each physical router running VRRP is known as a VRRP Router. Two or more VRRP Routers can be configured to form a Virtual Router. Each VRRP Router may participate in one or m
ttribute is preferred over a lower one for the entire AS. The Weight attribute is defined locally. If the router learns more than one route to the same destination, the one from the router with a higher weight is preferred.

Section 5.12.6.10 BGP Status

Figure 268: BGP Status Display (Current BGP route status: BGP table version, local router ID 192.168.10.1, status codes (s suppressed, d damped, h history, * valid, > best, i internal, r RIB failure, S Stale, R Removed), origin codes (i IGP, e EGP, ? incomplete), and the Network / Next Hop / Metric / LocPrf / Weight / Path table, total number of prefixes 3; Current BGP neighbor detail status: BGP router identifier 192.168.10.1, local AS number 200, RIB entries and peers with memory use, and the per-neighbor table of version, AS, MsgRcvd, MsgSent, TblVer, InQ, OutQ, Up/Down, State and PfxRcd, total number of neighbors 1; Refresh display)

The BGP Status menu displays:
- A list of routes currently managed by BGP, along with the status of each one
- A list of BGP neighbors, along with statistics and state information for
twork Organizations

The information to assign addresses in DHCP is organized to deal with clients at the host, group, subnet, pool and shared network level.

Hosts entries assign specific settings to a client based on its Ethernet MAC address.

Groups allow identical settings to be created for a group of hosts, making it simpler to manage changes to the settings for all the hosts contained within the group. Groups contain hosts.

Pools contain ranges of IP addresses to hand out to clients, with access rules to determine which clients should receive addresses from that pool.

Subnets control settings for each subnet that DHCP serves. A subnet can include a range of IP addresses to hand out to clients. Only one subnet can contain dynamic IP address ranges without any access restrictions on any given physical port, since DHCP doesn't know which subnet a client should belong to when the request is received. Subnets contain groups, pools and hosts.

Shared networks are used when multiple subnets should be served by a single physical port. This applies both when using a DHCP relay agent connected to the port, with additional subnets behind the relay agent, and when multiple virtual networks exist on one physical interface. Each subnet then gets its own subnet definition inside the shared network rather than at the top level. Shared networks contain subnets, groups and hosts.

Section 5.18.2 DHCP Client Options

The following options apply to single hosts, sub
twork interfaces for which prioritization may be activated. Prioritization may be configured by following the Interface column link. The statistics of prioritized interfaces may be viewed by following the links in the Statistics column.

Section 5.10.6 Interface Prioritization Menu

Prioritization Queues: Note that you must have at least a low, normal and high priority queue. The high queue must be of higher priority than the normal queue, which must be of higher priority than the low queue. If you delete a priority queue, any filters which use that queue will be adjusted to point at the next lowest queue. (Queue table columns: Queue Name, Move, Add; queues shown: high, normal, low.)

Prioritization Filters: Packets are matched against filters from the following table in ascending order. When a match occurs, the packet is entered onto the respective target queue. If no matches occur, the packet's TOS bits are inspected and the packet is entered onto the low, normal or high queue. (Filter table columns: Source IP/Netmask, Source Port, Dest IP/Netmask, Dest Port, Protocol, Target Queue, Move, Add; link: Add a traffic filter.)

Transmit Queue Length: Packets from the above prioritization queues are collected onto a transmit queue prior to transmission. Limiting the size of this queue increases performance by preventing the buffering of a number of lower-priority frames. (Length: 1; Edit.)
u Access Manager integrates tightly with the firewall, opening it for communications between vetted clients and critical assets on a demand basis. The status menu provides a list of validated open connections.

Figure 148: Access Manager's Secure Access Portal Status (Industrial Defender SAP Status: current time; SAP is up; run-since timestamps for SAPAgent, SAPAgent OpenVPN, AuthMgr and AuthMgr OpenVPN; timestamps for device credentials, user credentials, OpenVPN keys and configuration data; Industrial Defender SAP Open Rules, chain Idefender: two tcp rules from 10.100.1.6 to 192.168.2.1 and 192.168.2.2 with tcp dpt 22; Refresh)

Section 4.5.5 Upgrading the Access Manager's Secure Access Portal

During a ROX upgrade, all existing Access Manager Secure Access Portal protected connections will be closed.

Section 4.6 RADIUS Authentication

RADIUS (Remote Authentication Dial In User Service), described in RFC 2
uire a reboot. The release notes accompanying the upgrade will state whether a reboot will be necessary. If a reboot is required, a notice will appear to that effect upon clicking Upgrade Now and before beginning the upgrade. If the upgrade must be done in two stages, a notice to this effect will appear. The first stage will consist of an upgrade to Webmin only. After completion of the first stage of the upgrade, launch the second stage of the full upgrade process by again running Upgrade All Packages. Additional notifications may appear depending on the old and new ROX versions and on router hardware options.

NOTE: If the currently installed version of ROX predates release 1.14.1, the upgrade procedure must be done in two stages. While the first stage (the Webmin upgrade) is in progress there will be no visual feedback from the system, since the web interface itself will be shut down. This upgrade lasts up to 5 minutes, after which time it is recommended to click Refresh to verify that the Webmin upgrade has completed correctly. Once the upgrade has completed, it may be necessary to log in if the session timeout has expired in the meantime.

Section 3.7.10.5 Installing a New Package

Figure 66: Installing a New Package (Select the location to install a new package from: From local file; From uploaded file, with Browse; From ftp or http URL; Install)

The Install A New Package feature
ules added after the Idefender rules may not get processed. Rules inserted before the Idefender rules may compromise the security provided by Idefender. Contact Siemens Customer Support for assistance if you wish to add other rules.

7. Using Webmin, visit the Bootup and Shutdown menu and ensure that Shorewall is enabled to start at boot. Start Shorewall. Webmin access is now blocked until secure access through Access Client is opened.

Step 3 of 4: SAP Configuration

Use rrsetup to define a passphrase and required setup parameters, and to enable the portal.

1. Select the Required parameters menu option and enter the unit name assigned to this router and the IP address of the Access Manager which will control it.
2. Select the SAP Passphrase menu option and enter a valid passphrase.
3. Select the Enable Idefender SAP menu option to enable the software. If it is already enabled, then the menu option will say Disable Idefender SAP.

NOTE: Idefender SAP can also be enabled via the Bootup and Shutdown menu in the Webmin user interface. The unit name and passphrase entered at the router and the Access Manager must match, or else the Access Manager will refuse to acknowledge the router. The unit name and passphrase are both case sensitive.

Step 4 of 4: Verification Test

1. To verify that the Access Manager, SAP and client are functioning, you can now use Access Client with a user account to connect to an authorized device.

NOTE:
until GPS locks. If GPS fails, the router will keep running with its own high-precision timing hardware. When GPS returns, the time will be stepped back to the GPS reference clock.

Section 3.14.2.4 GPS Cable Compensation

GPS signals received by the antenna will be delayed in time depending upon the type and length of the cable to the router. This delay will introduce inaccuracy in the calculated time and position. ROX provides a method to account for this delay. The table below gives some examples of the delay that can be expected for a given dielectric type. Please note that cable characteristics vary from one manufacturer to another.

Dielectric Type                  Time Delay (ns/m)   Time Delay (ns/ft)
Solid Polyethylene               4.62                1.54
Foam Polyethylene (FE)           3.81                1.27
Foam Polystyrene (FS)            3.36                1.12
Air Space Polyethylene (ASP)     3.45 to 3.63        1.15 to 1.21
Solid Teflon (ST)                4.38                1.46
Air Space Teflon (AST)           3.39 to 3.60        1.13 to 1.20

Section 3.14.3 IRIG-B / IEEE1588 Configuration

Figure 109: IRIG-B / 1588 Main Menu (General Configuration, IRIGB Configuration, IEEE1588 Configuration, IRIGB Status, IEEE1588 Status, IRIGB LOG)

This menu allows you to configure IRIG-B and IEEE1588, display its current st
uplicate the log entry and then configure the logging host. Duplicate the entry by using the Add a new system log link on the System Logs sub-menu. Finally, you may forward all information to the remote logger by creating a new system log entry, specifying All Facilities and all priorities, and checking the Syslog server on field with an appropriate address.

Section 3.7.10 Upgrade System

Figure 62: Software Upgrade System (Upgrade to RX1100: gain access to the RX1100 feature set, including Intrusion Detection Systems and Gauntlet Security; Change Repository Server: the router needs to be configured with a repository server, and is currently operating release software rr1 16 0 QA1 1; Install a New Package: from local file, from uploaded file, or from ftp or http URL; Upgrade All Packages: please configure a repository server)

The Software Upgrade system provides the following features:
- Upgrading from either HTTP or FTP servers (anonymous access only)
- Upgrade traffic bandwidth limiting, to prevent disruption to mission-critical applications
- Manually initiated upgrades from a central server
- Manually initiated upgrades of new ver
uploads and installs packages to the router.

Select the From local file option if you have already moved the package to the router through http, ftp or scp. You may either enter the full path from the root directory to the package, or use the file selector to identify the package.

Select the From uploaded file option if you have the file locally on your workstation. You may either enter the location of the file on your local file system, or use the Browse selector to identify the package.

Select the From ftp or http URL option if you know the network address of the package.

Complete the installation by selecting the Install button.

Section 3.7.10.6 Pre-Upgrade / Post-Upgrade Scripts

The pre-upgrade and post-upgrade scripting feature allows you to execute defined scripts on the router both before and after a software system upgrade. The scripts execute before and after an actual upgrade only, and not during a dry run (during which the packages to be updated are shown but not actually updated). In the course of an upgrade, the router will download the scripts from the same location as is configured via the Change Repository Server page. The script file named pre upgrade user will be downloaded by the router and executed immediately prior to beginning the upgrade process. Note that in the case where a two-stage upgrade procedure is required, t
uration Main Menu

On this page, review and configure the modem interface and the PPP client and server connections.

Section 3.8.6.1 Modem Configuration

Modem Configuration
Parameter                        Value        Description
Dial-in Console enable           (checkbox)   Enable dial-in console access
PPP Server enable                (checkbox)   Enable incoming PPP connections
Radius Authentication enable     (checkbox)   RADIUS authenticate for incoming PPP connections
Rings before answer              1            Number of rings to wait before answering (1 to 10)
Additional Modem AT Init Codes   L3M0         Any extra AT codes to use when initializing the modem
Country code                     Australia    Set modem country code
Speaker Volume                   (dropdown)   Set modem speaker volume
Speaker Mode                     Off          Set modem speaker mode

Note: Changing the country code will cause the modem to reset. Active connections will be lost.

Figure 71: Edit Internal Modem Configuration

Modem 1 Configuration (the external modem form) shows the same Dial-in Console enable, PPP Server enable, Radius Authentication enable, Rings before answer (1 to 10) and Additional Modem AT Init Codes parameters, with the same descriptions.
ure time: 20 (maximum 240 sec); Lookup addresses; Display link level header; Perform HEX/ASCII dump; Verbosity: Off, 1, 2, 3; Ignore hostname / Only hostname for protocols: SSH, Webmin traffic, All traffic; Ignore protocols: TCP, UDP, ICMP, ARP, VRRP, IGMP, OSPF, ESP, AH; Ports to trace; Tcpdump.

Figure 10: Tcpdump Menu

The Interface to capture on field specifies the interface to show traffic on. The Maximum packets captured and Maximum capture time fields limit the amount of traffic captured. The Lookup addresses field causes IP addresses to be resolved into domain names; this can make tcpdump behave very slowly if DNS is not properly configured. The Display link level header field causes this header to be displayed. The Perform HEX/ASCII dump field causes the data content of the captured packets to be displayed; this option may generate a large capture data set. The Verbosity fields specify the level of decoding which tcpdump supplies.

The Ignore hostname / Only hostname selector causes traffic to or from the specified address to be excluded, or included to the exclusion of other traffic, respectively. One of the following three check boxes must be selected in order for filtering to take place. If the SSH box is selected, SSH traffic to or from the selected IP address will be excluded (or displayed). If the Webmin traffic box is selected, Webmin traffic to or from the selected IP address will be excluded (or displayed). If the All traffic box is selected, traf
ures a DNP device address, whether local or remote. The address may be that of a DNP device connected to a local serial port, or one available via the serial port of a remote IP host. The address may be in the range 1 to 65520. Note that both local and remote serial ports must be properly configured.

The Rem IP field configures the IP address of the remote host that provides a connection to the DNP device with the configured address.

Figure 97: DNP Device Table Settings (DNP Device Table Settings: Device Address, Rem IP, Port, Add, Delete; Device Address Table as shown below)

Device Address   Rem IP    Port
12               3.3.3.3   Unknown
15               0.0.0.0   2

The Port field configures the serial port to which the DNP device is attached. If the entry is for a remote DNP device (i.e. the DNP device is attached to the serial port of a remote IP host), the value of this parameter is Unknown.

Device Address Table: This table displays all currently known active DNP devices.

Section 3.10.7.6 Serial Protocols Statistics Menu

Serial Protocols Statistics (Refresh; Continuous Display) with Port Statistics columns Port, Protocol, Rx Chars, Tx Chars, Packet Errors, Parity Errors, Framing Errors and Overrun Errors, and a reset link per port; ports shown: 1 rawsocket, 2 dnp, 3 tcpmodbus
urn to Modem 1 Main Menu

Figure 72: Edit External Modem Configuration

These menus allow you to configure modem settings and usage features. The Dial-in console field allows the modem to answer incoming calls and present a login screen in the same way that the console serial port does. The login used for the Dial-in console is the same as that used for SSH and serial console logins.

NOTE: If RADIUS authentication is enabled, the Dial-in Console login will be in the LOGIN group and not in the PPP group. See the section RADIUS Authentication for details.

The PPP server field configures the router to answer incoming modem calls and negotiate a PPP connection to the calling system to provide network access. The RADIUS Authentication field will cause incoming PPP connections to be authenticated against the RADIUS servers configured in the Maintenance menu, RADIUS Authentication sub-menu.

NOTE: The Dial-in Console and PPP Server can be enabled at the same time. The router automatically detects whether an incoming call is PPP or console only. If PPP Client mode is active, the router attempts to maintain the PPP link at all times and hence blocks incoming calls most of the time. You can enable PPP Client and Dial-in Console and/or PPP Server at the same time, as long as PPP Client is not configured to connect at boot time. In this case the modem is free to
uter or its WAN link will be recovered by the other router. Note that both routers can always be reached by the hosts at their real IP addresses.

Two or more VRRP instances can be assigned to the same VRRP Group, in which case they can fail over together. In the following network, both Host 1 and Host 2 use a gateway of 192.168.3.10. The external side can access the internal side by gateway 192.168.2.10. VRID_20 and VRID_21 are grouped together. Normally Router 1 will provide both the internal and external access gateway, as its priority is higher than those on Router 2. When either the internal or external side of Router 1 becomes inoperative, it will relinquish control of both VRIP 192.168.2.10 and 192.168.3.10 and give control to Router 2.

Figure 290: VRRP Group Example (1 Network, 2 Remote Router 1, 3 Remote Router 2, 4 Switch, 5 Host 1, 6 Host 2; router addresses shown include 192.168.2.2 and 192.168.2.3)

Other VRRP parameters are the Advertisement Interval and Gratuitous ARP Delay. The advertisement interval is the time between advertisements. A backup router will assume mastership four advertisement intervals after the master fails, so the minimum fail-over time is four seconds. If a monitored interface goes down, a master router will immediately signal an election and allow a backup router to assume mastership. The router issues a set of gratuit
uter includes the links 0.debian.pool.ntp.org. The 0.debian.pool.ntp.org address selects a random low-stratum server from a pool of NTP servers on the Internet. If you are operating in a private network, you will want to delete both of these addresses and substitute that of a locally known low-stratum server. The Version field indicates the version of the NTP protocol used to communicate with this host. Change this only if it is known that the host requires a version other than 4.

The Key field provides an authentication key ID associated with this host. The creation of keys is not supported by the ROX web interface. The Preferred field determines whether this host is preferred over other hosts in the list. The Check field link leads to a page that displays the result of an NTP query to this host. Use this feature to determine if the configured host is active.

Section 5.20.7 Peers Configuration

This menu allows you to enter and edit peers. Peers are NTP servers of the same stratum as the router, and are useful when contact is lost with the hosts in the NTP servers menu. The per-peer configuration information is as described in the previous menu.

Section 5.20.8 Viewing NTP Status

NTP Status: NTP Reference Clock Status
Reference Clock   Stratum   Offset (ms)   Status and Description
LOCAL             13        0.000         synchronized system clock, cur
uter is an RX1100, you may configure and activate the Snort Intrusion Detection System and the Gauntlet Security Appliance. If you decide to forward daily email summaries, you must configure a mail forwarder in the Maintenance menu, Miscellaneous sub-menu, Outgoing Mail sub-menu.

When your router's configuration is stable, it is recommended that the configuration be uploaded from the router and stored as a backup. The Maintenance menu, Backup and Restore sub-menu will be useful. Should you need to transfer files to or from the router, the Maintenance menu, Upload/Download Files sub-menu will be useful.

Further concerns, such as ensuring robustness and measuring and optimizing performance, are dealt with by reading the guide fully.

Section 1.4 Available Services by Port

The following table lists the services available under ROX. This table includes the following information:
- Services: The service supported by the device
- Port Number: The port number associated with the service
- Port Open: The port state, whether it is always open and cannot be closed, or open only but can be configured
- Port Default: The default state of the port, i.e. open or closed
- Access Authorized: Denotes whether the port's services are authenticated during access

NOTE: In certain cases the service might be disabled but the port can still be open, e.g. TFTP.
utton will be shown instead of the Start Telnet Server button. Note also that if the telnet server is stopped, currently active telnet connections will not be terminated.

Section 3.14 Configuring IRIG-B and IEEE1588

This section familiarizes the user with:
- IEEE 1588 Configuration
- IRIG-B Configuration
- Viewing IRIG-B and IEEE1588 Status

Section 3.14.1 IEEE1588 Fundamentals

The IEEE 1588 working group Precise Timing Protocol (PTP) standard details a method of synchronizing clocks over networks, including Ethernet. ROX provides a special hardware-assisted PTP capability, as provided by the device's PTP card. When used in conjunction with the card's Global Positioning System (GPS) receiver, the router can provide nanosecond accuracy via IEEE 1588. Additionally, IEEE 1588 may be used in GPS failure situations to synchronize to a remote source and provide accurate time for IRIG-B.

Section 3.14.1.1 PTP Network Roles

The IEEE 1588 standard describes regular clocks as devices having a single PTP port that can issue and receive PTP messages. PTP boundary clocks are clocks that have multiple PTP ports, offering the ability to serve time to more than one subnet at a time. ROX can serve as a regular clock and communicate with boundary clocks. The set of devices that can communicate using the PTP protocol (IP multicast transmissions) are said to be
ver The Air Activate

Figure 83: Over The Air Account Activation (Modem Status: Type of Modem: CDMA 1xRTT / EV-DO; Firmware version: p2410701 51863; Electronic Serial Number (ESN): 0x608ABD96; Received Signal Strength and Ec/Io values; Network Carrier ID: Verizon; Network technology currently in use: No Service; Phone number: 9547890192; Activation status: Modem is activated; Refresh; Reset)

First, establish an account with the help of a service representative of the cellular network provider. Enter the OTASP dial string supplied in the Activation Dial string field and click Activate. The Activation status field will display Activation is in progress. Please wait until a success or failure is detected.

4. Upon successful activation, the Activation status field will automatically change to display Activation successful. If it displays Activation Failed, please verify the activation dial string or contact the network provider's service personnel.

Section 3.9.4.2 Manual Account Activation

If the carrier does not support Over the Air Service Provisioning, the cellular modem must be programmed via the Manual Account Activation form, using settings supplied by the carrier's service personnel.
ver to boot from. This only applies to network-booted clients.

Boot file server: The IP address of the TFTP server to boot from. This only applies to network-booted clients.

Server name: The hostname of the boot server. This only applies to network-booted clients.

Lease length for BOOTP clients: How long the IP assigned to a BOOTP client should be considered valid.

Lease end for BOOTP clients: Cut-off date for all BOOTP client leases.

Dynamic DNS enabled: Should DNS information be updated on the DNS server when a client receives an IP address?

Dynamic DNS domain name: The domain name to update dynamic DNS information in.

Dynamic DNS hostname: Use the specified hostname for clients, or use the hostname supplied by the client.

Dynamic DNS reverse domain: The reverse DNS domain to update dynamic information in for the reverse DNS entry.

Lesser-used DHCP server configurations include:

Allow unknown clients: Should DHCP accept requests from clients it has never seen before, or only from clients that have already received leases in the past?

Server is authoritative: If the server is authoritative, it will send deny messages to any client which tries to renew a lease which the server knows the client shouldn't have.

Option 82 Support
with ADSL interfaces, the Networking menu, ADSL sub-menu will allow you to configure them. See Section 5.7, Configuring PPPoE Bridged Mode On ADSL, for more details. If you wish to use PPPoE with an external ADSL modem, the Networking menu, Ethernet sub-menu will configure it.

If your router is equipped with an embedded modem, the Networking menu, Modem sub-menu will allow you to configure it with PPP or incoming console connections. See Section 3.8, Configuring PPP and the Embedded Modem, for more details.

If your router is equipped with serial interfaces, the Servers menu, Serial Protocols sub-menu will allow you to configure them with an operating protocol. See Section 3.10, Configuring Serial Protocols, for more details.

If your router is equipped with a Precision Time Protocol card, the Servers menu, IRIG-B sub-menu will allow you to enable and configure its output ports. See Section 3.14, Configuring IRIG-B and IEEE 1588, for more details.

Section 1.3.4 Additional Configuration

You may wish to configure a backup interface to use in the event of a failure of your default gateway interface. This can be done in the Networking menu, Network Configuration, End To End Backup sub-menu.

If you are planning to connect your router to the Internet, configure the firewall and then activate it. This can be done in the Networking menu, Shorewall Firewall
527. with the status of each one; the status of the OSPF database; the status of current OSPF interfaces.
The tables in the Current OSPF route status report provide the following information: N is the OSPF destination network flag. IA is either the inter-area flag (if displayed) or the intra-area flag (if not displayed). R is the router flag. ChkSum is the LS checksum.
The tables in the Current OSPF database status report provide the following information: Link ID is the Link State (LS) ID. ADV Router is the IP address of the advertising router. Age is the age of the LS. Seq is the LS sequence number. ChkSum is the LS checksum. [Figure text: Internet Address 192.168.2.1/24, Broadcast 192.168.2.255, Area 0.0.0.0.] E1/E2 is the external route type: E1 equals type 1, E2 equals type 2.
[RUGGEDCOM ROX User Guide, Chapter 5: Setup and Configuration; OSPF Status, page 286]
Link Count is the number of links. Route is the network subnet.
Section 5.12.6.17 View OSPF Configuration
Figure 275 View OSPF Configuration (OSPF show running-config):
    password ruggedquagga
    enable password ruggedquagga
    interface eth1
    interface eth2
    interface eth3
    interface eth4
    interface gre0 1
    interface lo
    router ospf
     network 192.168.2.0/24 area 0.0.0.0
     network 192.168.10.0/24 area 0.0.0.0
    line vty
Return to ospf
This menu displays the text of the
528. wo major revisions of the protocol: SSH v1 and v2. SSH v1 supported only the RSA authentication scheme, while SSH v2 supports both RSA and DSA.
CAUTION: Avoid using SSH v1 as it is insecure and could leave your network vulnerable. Use SSH v2.
SSH provides service on TCP port 22 by default. If a firewall is configured and operating on the router, it is advised to leave port 22 (or whichever port SSH has been configured to use) open in order to allow secure, authorized access from outside the firewall. SSH also provides TCP forwarding, a means to forward otherwise insecure TCP traffic through SSH.
[RUGGEDCOM ROX User Guide, Chapter 3: Device Management; Secure Shell / Synchronous Serial Diagnostics, page 103]
Section 3.12.1 Included with SSH
Your ROX software includes scp, an SSH utility to perform secure copying of files and directories over the network. If you decide to create user accounts, the ssh-keygen utility can be used to populate the account with SSH keys.
Section 3.12.2 SSH Main Menu
Figure 104 SSH Server: the page shows SSH Server (OpenSSH 5.5) with the Authentication, Networking and Access Control sections and an Apply Changes button ("Click this button to apply the current configuration by sending a SIGHUP signal to the running SSHd").
Note that the SSH server is enabled by default and may be disabled via the System folder, Bootup and Shutdown menu. When enabled, any configuration changes may be made to take effect by selecting the Apply C
529. work consists of three routers connected in a ring with T1/E1 links. Router 1 and 2 and the switched network represent a remote site in which the routers supply a redundant gateway to the hosts via VRRP, and the T1/E1 links supply a redundant network connection to the rest of the network.
Figure 257 OSPF and VRRP Example [figure labels: IP 2.2.2.101 GW 2.2.2.254; Area 0; 1.1.2.1; VRIP 1.1.2.254 Priority 100; VRIP 1.1.2.254 Priority 50; IP 2.2.2.101 GW 1.1.2.254; IP 1.1.2.102 GW 1.1.2.254]
[RUGGEDCOM ROX User Guide, Chapter 5: Setup and Configuration; Administrative Distances, page 271]
Section 5.12.5.1 Area and Subnets
As the OSPF design is simple, an area of 0 is used. The three point-to-point T1/E1 links are placed in the area by adding 1.1.1.0/24 to it. Router 1 and 2 will include their Ethernet links by adding subnet 1.1.2.0/24 to their area descriptions. Router 3 must also include 2.2.2.0/24 in its area description so that its existence is advertised. The point-to-point T1/E1 interfaces and Ethernet interfaces on Router 1 and 2 must be made active. The Ethernet interface on Router 3 can be left passive, since it does not participate in OSPF advertisements. Router 1 and 2 must enable link-detect to stop advertising 1.1.1.0/24 in the event of a link failure.
Section 5.12.5.2 VRRP Operation
Router 1 and 2 have VRRP set up on their Ethernet connection so that they can both function as the gateway for the clients
530. x1
Debian GNU/Linux, kernel 2.6.26-2-gx1 (BIST mode)
Debian GNU/Linux, kernel 2.6.26-2-gx1 (recovery mode)
Software Reflash Utility
Select Software Reflash Utility and press Enter. Follow the prompts to provide the following information:
which Ethernet interface to use (1, 2, 3, 4);
whether to use a static IP address or DHCP;
when using a static IP address, the IP address, netmask and gateway;
the URL specifying the location of the reflash image file. Use a numeric IP address and not a DNS name, for example http://192.168.1.1/imagerr1.14.1.tar;
the URL specifying the location of a configuration archive file, if applicable. When reflashing to ROX2, the router does not prompt you to specify a configuration archive file.
7. After setting the reflash parameters, a confirmation prompt appears: "Do you want to (S)tart reflashing, change setting (1, 2, 3, 4) or (E)xit?" To change a setting, type 1, 2, 3 or 4 and press Enter. To exit without reflashing, type E and press Enter. To reflash the memory, type S and press Enter.
8. On selecting S, the router repartitions the flash memory and installs the specified image file, followed by the configuration archive if one is specified. When the reflash is complete, the confirmation prompt appears again. Type E and press Enter. The router reboots in normal mode.
9. After rebooting into the newly flashed ROX software image, you can configure the router in the usual manner.
531. y Configuration button restarts the server to activate any configuration changes that have been made, restarting VPN connections.
[RUGGEDCOM ROX User Guide, Chapter 5: Setup and Configuration; VPN Main Menu, page 255]
Figure 248 IPsec VPN Configuration After Connections Have Been Created: the page shows IPsec VPN Configuration (Openswan version U2.4.13/K2.6.26-2-gx1) with the existing VPN connection test2; the links Add a new IPsec VPN connection, Add defaults for all connections, Import connection from file, and Global options and policies (Server Configuration, L2TPD Configuration, Preshared Keys, Show Public Key, List Certificates, IPsec Status); a Start Connection button ("Select a connection from the list next to this button and click it to attempt its immediate establishment"); and an Apply Configuration button ("Click this button to activate the current configuration by re-starting the running OpenSwan IPsec server process. Any established connections will be terminated").
Section 5.11.13 Server Configuration
Figure 249 Server Configuration: Global VPN server settings: NAT Traversal (Yes / No); Syslog logging level (Default: daemon.error, or Log to facility auth with priority debug); Return to connections list.
The NAT Traversal fields enable and disable this feature. Enable NAT Traversal if this router originates the VPN
532. y Queues
[RUGGEDCOM ROX User Guide, Chapter 5: Setup and Configuration; page 245]
[TOS byte layout figure: bits 7, 6, 5 = PRECEDENCE; bit 4 = MD; bit 3 = MT; bit 2 = MR; bit 1 = MMC; bit 0 = 0]
The four TOS bits (the TOS field) are defined as: MD Minimize Delay; MT Maximize Throughput; MR Maximize Reliability; MMC Minimize Monetary Cost. As any or all of these bits may be set in a packet at a time, there are 16 possible combinations. The router maps these combinations into the high, normal and low priority queues as shown in the following table:
    MD MT MR MMC  Description              Priority Queue
    0  0  0  0    Normal Service           Normal
    0  0  0  1    Minimize Monetary Cost   Low
    0  0  1  0    Maximize Reliability     Normal
    0  0  1  1    MR + MMC                 Normal
    0  1  0  0    Maximize Throughput      Low
    0  1  0  1    MT + MMC                 Low
    0  1  1  0    MT + MR                  Low
    0  1  1  1    MT + MR + MMC            Low
    1  0  0  0    Minimize Delay           High
    1  0  0  1    MD + MMC                 High
    1  0  1  0    MD + MR                  High
    1  0  1  1    MD + MR + MMC            High
    1  1  0  0    MD + MT                  Normal
    1  1  0  1    MD + MT + MMC            Normal
    1  1  1  0    MD + MT + MR             Normal
    1  1  1  1    MD + MT + MR + MMC       Normal
Section 5.10.4 Prioritization Example
A remote site router connects to a private network via a T1 line. The router uses OSPF to manage an alternate routing, but its primary purpose is to allow access to a switched network of RuggedServers implementing TcpModbus gateways (TCP/UDP port 502). The router and switches are managed through their Web interfaces but can be managed through SSH as well. The Rugged
533. y be configured via Webmin. The Ignore All ICMP ECHO field corresponds to the kernel icmp_echo_ignore_all setting. Setting Ignore All ICMP ECHO to yes will cause the kernel to reject incoming ICMP ECHO request packets. The Ignore ICMP Broadcasts field corresponds to the kernel icmp_echo_ignore_broadcasts setting. Setting Ignore ICMP Broadcasts to yes will cause the kernel to reject incoming ICMP ECHO request packets if their destination address is a broadcast address. The Syncookie Protection field corresponds to the kernel tcp_syncookie setting. Setting Syncookie Protection to yes will cause the kernel to protect against SYN flood attacks. The Send ICMP Redirect field corresponds to the kernel send_redirect setting. Consider a networked host H1 sending an IP datagram to a remote host H2. H1 is on the same network segment as two routers, R1 and R2. If host H2 is reachable via R2 and H1 sends an IP datagram to H2 via R1, then, assuming that R1 has a route to H2 via R2, R1 will send an ICMP redirection message to H1 informing it that the route to H2 is via R2. Setting Send ICMP Redirect to no will cause the kernel not to send an ICMP redirect message even if one would normally be sent. The Set UDP non-block in IPsec field is used to control the logging to the remote syslog server during IPsec tunnel establishment. By default it is set to no, which means the system will not log to the remote syslog server until the IPsec tunnel is established.
534. y long time for dropped links to age out of the network. The split horizon prevents advertising those routes back out the same interface, which helps to control this problem. Some network topologies with rings of routers will still have some issues with aging out dead routes even with split horizon enabled, but they will still age out faster. If fast network recovery is desired, use OSPF.
[RUGGEDCOM ROX User Guide, Chapter 5: Setup and Configuration; RIP Interfaces, page 290]
Section 5.12.6.22 RIP Networks
Figure 279 RIP Networks: the page lists Neighbors (192.168.10.2, with Delete and Add actions) and Networks (Subnet x.x.x.x/x or Interface: 192.168.10.0/24 and 192.168.2.0/24, each with a Delete action, and an Add field defaulting to eth1); Return to rip.
Neighbors are specific routers with which to exchange routes using the RIP protocol. This can be used when you want to explicitly control which routers are part of your RIP network. Networks are used when you want to add any router that is part of a specific subnet, or connected to a specific network interface, to your RIP network. Both neighbors and networks can be used at the same time.
NOTE: For point-to-point links (T1/E1 links, for example) one must use neighbor entries to add other routers to exchange routes with. Also note that RIP v1 does not send subnet mask information in its updates. Any defined networks are rest
535. y others that may have been created. Left unrestricted, the logging system would consume all available disk space, causing the router to fail. The router limits the memory used by the logging system by storing logs in a volatile (i.e. lost after a reboot) file system which is limited in size. Such a system will lose logging information when a power failure occurs, too much logging is generated, or as the result of a user commanded reboot. The router deals with this problem by storing compressed versions of three key files (messages, auth.log and critical) to the permanent disk. The log files are saved every 180 seconds and upon an orderly reboot. The log files are restored during the next boot. All other files but these are cleared.
[RUGGEDCOM ROX User Guide, Chapter 3: Device Management; Syslog Factory Defaults, page 58]
Section 3.7.9.2 Enabling Secure Remote Syslog
Figure 60 Secure Remote Syslog Settings: Secure Remote Syslog Setting: Enable; CA Certificate; Certificate; Key; Permitted Peer Common Name (Do not check, or Match Pattern: multiple patterns are separated by spaces); Save. Note: Secure remote syslog facility only works for TCP connection with remote syslog server. When secure remote syslog is enabled, all TCP connections will be secure connections.
ROX supports the encryption of system logs with rsyslog.
NOTE: All certificates must conform to the following specifications: X.509 v3 digital certifica
536. ycled but before any GPS or NTP locks have occurred.
[RUGGEDCOM ROX User Guide, Chapter 3: Device Management; IEEE 1588 Fundamentals, page 108]
PTP favors preferred masters over normal masters, GPS over NTP over DFLT, and higher clock stability over lower clock stability.
Section 3.14.1.3 Synchronizing NTP from IEEE1588
If GPS is unavailable and PTP becomes a slave, the NTP server will view the received IEEE1588 time as any other source of time. The quality (i.e. stratum) of IEEE1588 information is determined by the type of clock source at the master, the number of Boundary Clock hops and the measured network jitter. The number of Boundary Clock hops is the number of IEEE1588 devices the original time source is relayed through (not Ethernet hops) and is always 1 or higher. The measured network jitter factor is 0 if jitter is higher than 1 microsecond and 1 if less than 1 microsecond.
    PTP Identifier  Stratum reported to NTP
    GPS             1 + Number of Hops - (1 if low jitter)
    NTP             user configurable value (default 2) + Number of Hops - (1 if low jitter)
    DFLT            user configurable value (default 10) + Number of Hops - (1 if low jitter)
The stratum number reported will be limited to a range of 1 to 16 to comply with NTP. As an example, a directly connected PTP clock having a GPS clock source and low jitter would report a stratum of 1. With defaults, a 2-hop-away PTP clock having an NTP clock source and high jitter would report a stratum of 4.
Section 3
537. ze with the lowest stratum server. The stratum is a measure of the number of servers to the most highly accurate reference clock. A reference clock itself appears at stratum 0. A server synchronized to a stratum n server will be running at stratum n+1. You will generally configure lower stratum NTP hosts as servers and other NTP hosts at the same stratum as peers. If all your configured servers fail, a configured peer will help in providing the NTP time. It is generally a good idea to configure at least one server and one peer.
The NTP daemon will know about the NTP servers and peers to use in three ways: it can be configured manually with a list of servers to poll; it can be configured manually with a list of peers to send to; it can look at advertisements issued by other servers on multicast or broadcast addresses. Note that if multicasting or broadcasting is used, it is strongly recommended to enable authentication unless you trust all hosts on the network.
NTP uses UDP/IP packets for data transfer because of the fast connection setup and response times UDP offers. The NTP protocol uses UDP port 123. Note that if your router employs a firewall and acts as a client, it must open UDP port 123. Additionally, if the router acts as a server, the firewall must allow connection requests on port 123 as well.
Section 5.20.1 The NTP Sanity Limit
The NTP daemon corrects the system time through two means: stepping and slewing. If the
