        Moxa EDR-G902 Ethernet LAN Grey router
         Contents
1. [Figure: Monitor System, Total Packets graph (Packet/sec versus sec, with Total Packets, TX Packets and RX Packets), update interval of 5 sec, and a per-port table for Wan 1, Wan 2 and Lan in the format Total Packets + Packets in previous 5 sec interval]

Monitor by Port

Access the Monitor by Port function by selecting the WAN1, WAN2, or LAN interface from the left drop-down list.

You can view graphs that show All Packets, TX Packets, or RX Packets, but in this case only for an individual port. The graph displays data transmission activity by showing Packets/s (i.e., packets per second, or pps) versus sec. (seconds). The graph is updated every few seconds, allowing you to analyze data transmission activity in real time.

[Figure: Monitor LAN, Total Packets graph, update interval of 5 sec, with the same per-port table]

EDR-G903/G902 Features and Functions

Using System Log

The EtherDevice Router provides EventLog and Syslog functions to record important events.

Using EventLog

EventLog Table

[Figure: EventLog Table with sample entries such as Power 2 Power transition (Off -> On), LAN link on, and Cold start]
2. DNS (Domain Name Server; optional setting for Dynamic IP and PPPoE types)

Server 1/2/3
IP Address: The DNS IP address. Factory Default: None

NOTE: The priority of a manually configured DNS will be higher than the DNS from the PPPoE or DHCP server.

Detailed Explanation of Static IP Type

[Figure: WAN1 Configuration page with Connect Type set to Static IP, showing the Address Information fields (IP Address, Gateway, Subnet Mask), the PPTP Dialup fields, and DNS Server 1 to Server 3]

Address Information

IP Address
IP Address: The interface IP address. Factory Default: None

Subnet Mask
IP Address: The subnet mask. Factory Default: None

Gateway
IP Address: The Gateway IP address. Factory Default: None

Detailed Explanation of PPPoE Type

[Figure: WAN1 Configuration page with Connect Type set to PPPoE, showing the PPPoE Dialup fields (User Name, Password, Host Name) and DNS Server 1 to Server 3]

PPPoE Dialup

User Name
Max. 30 characters: The User Name for logging in to the PPPoE server. Factory Default: None

Host Name
Max. 30 characters: User-defined Host Name of this PPPoE server. Factory Default: None

Password
Max. 30 characters: The login pas
3. [Figure: Windows Start menu program list, including the PComm entries]

The Communication Parameter page of the Property window will appear. Select the appropriate COM port for Console Connection, 115200 for Baud Rate, 8 for Data Bits, None for Parity, and 1 for Stop Bits.

[Figure: Property window, Communication Parameter tab, with COM Options for port, baud rate, data bits, parity, stop bits and flow control]

EDR-G903/G902 Getting Started

Click the Terminal tab, and select VT100 for Terminal Type. Click OK to continue.

5. Type 1 to select ansi/VT100 terminal type, and then press Enter.

The Console login screen will appear. Use the keyboard to enter the login account (admin or user), and then press Enter to jump to the Password field. Enter the console Password (this is the same as the Web Browser password; leave the Password field blank if a console password has not been set), and then press Enter.

[Figure: console login screen with login and Password prompts]

7. Enter a question mark (?) to display the command list in the console.

disable: Switch the Admin mode to User mode
end: End current mode and change to enable mode
exit: Exit thi
4. IP Address
IP Address: The interface IP address

Subnet Mask
IP Address: The subnet mask. Factory Default: None

Gateway
IP Address: The Gateway IP address. Factory Default: None

Detailed Explanation of PPPoE Type

[Figure: WAN2 Configuration page with Connect Mode (Disable, Enable, Backup), the DMZ Enable check box, Connect Type set to PPPoE, the PPPoE Dialup fields (User Name, Password, Host Name) and DNS Server 1 and Server 2]

PPPoE Dialup

User Name
Max. 30 characters: The User Name for logging in to the PPPoE server. Factory Default: None

Host Name
Max. 30 characters: User-defined host name for this PPPoE server. Factory Default: None

Password
Max. 30 characters: The login password for this PPPoE server. Factory Default: None

Using DMZ Mode

A DMZ (demilitarized zone) is an isolated network for devices, such as data, FTP, web, and mail servers connected to a LAN network, that need to frequently connect with external networks. The deployment of an FTP server in a DMZ is illustrated in the following figure.

[Figure: FTP server deployed in a DMZ: a local FTP server (IP 192.168.20.20) in the DMZ, and local devices (including IP 192.168.100.1) in the secure LAN network behind the EDR-G903]
5. [Figure: DHCP Configuration page showing the lease time, DNS Server IP for Client, and Offered IP Range 192.168.127.1 to 192.168.127.252]

DHCP configuration

DHCP Server Enable/Disable
Enable or Disable: Enable or Disable DHCP server function. Factory Default: Enable

Lease Time
> 5min: The lease time of the DHCP server. Factory Default: 60 (min.)

DNS Server IP for Client
IP Address: The DHCP server's IP address. Factory Default: None

Offered IP Range
IP address: The offered IP address range for the DHCP server. Factory Default: 192.168.127.1 to 192.168.127.252

NOTE
1. The DHCP server is only available for LAN interfaces.
2. The Offered IP address range must be in the same Subnet on the LAN.

Static DHCP List

Use the Static DHCP list to ensure that devices connected to the EtherDevice Router always use the same IP address. The static DHCP list matches IP addresses to MAC addresses.

[Figure: Static DHCP page with entry fields (Enable, Name, Static IP, MAC Address) and the Static DHCP list holding Device 01 to Device 03]

In the above example, a device named "Device 01" was added to the Static DHCP list, with static IP address set to 192.168.127.101 and MAC address set to 00:09:ad:00:aa:01. When a device with MAC address of 00:09:ad:00:a
6. 120 192.168.1.120 255.255.255.255

The Accessible IP list controls which devices can connect to the EtherDevice Router to change the configuration of the device. In the example shown below, the Accessible IP list in the EtherDevice Router contains 10.10.10.10, which is the IP address of the remote user's PC.

[Figure: remote user (IP 10.10.10.10) on the WAN network connecting to the EDR-G903 (WAN1 IP 10.10.10.11)]

The remote user's IP address is shown below in the EtherDevice Router's Accessible IP list.

[Figure: Accessible IP list page with "Enable the accessible IP list ("Disable" will allow all IP's connection)" checked and entry 1 set to IP address 10.10.10.10]

Password

The EtherDevice Router provides two levels of access privilege: "admin privilege" gives read/write access to all EtherDevice Router configuration parameters, and "user privilege" provides read access only. You will be able to view the configuration, but will not be able to make modifications.

[Figure: Password Change form with Account (Admin), Old Password, New Password and Check Password fields and the Activate button]

ATTENTION
By default, the Password field is blank. If a Password is already set, then you will be required to type the Password when logging into the RS-232 console, Telnet console, or web browser interface.

Account
Admin: "admin" privilege allows the user to modify all configurations. Factory Default: Admin
User: "user" privilege only allows viewing device conf
7. DMZ mode is configured on the WAN2 configuration web page. Set Connect Mode to Enable, Connect Type to Static IP, and checkmark the DMZ Enable check box. You will also need to input the IP Address and Subnet Mask. Click the Activate button to save the settings.

[Figure: WAN2 Connection page with Connect Mode set to Enable, DMZ Enable checked, and Address Information showing IP Address 192.168.127.12 and Subnet Mask 255.255.255.0]

NOTE: WAN2 configuration and DMZ mode are only available on EDR-G903.

LAN Interface

A basic application of an industrial Firewall/VPN device is to provide protection when the device is connected to a LAN. In this regard, the LAN port connects to a secure (or trusted) area of the network, whereas the WAN1 and WAN2/DMZ ports connect to an insecure (or untrusted) area.

[Figure: LAN IP Configuration page with IP Address 192.168.127.254 and Subnet Mask fields]

LAN IP Configuration

IP Address
IP Address: The LAN interface IP address. Factory Default: 192.168.127.254

Subnet Mask
IP Address: The subnet mask. Factory Default: 255.255.255.0

DHCP Server

The EtherDevice Router provides a DHCP (Dynamic Host Configuration Protocol) server function for LAN interfaces. When configured, the EtherDevice Router will automatically assign an IP address to an Ethernet device from a defined IP range.

[Figure: DHCP Configuration page]
8. Authentication Mode
Pre-shared Key, X.509: The authentication mode of IPSec VPN. Factory Default: Pre-shared Key

In Pre-shared Key Mode, the user needs to key in the same Pre-shared Key in the IPSec setting between the Local and Remote secure router.

[Figure: Authentication Mode set to Pre-shared Key, with the key field filled in]

In X.509 Mode, the user needs to upload the Local and Remote certifications first, and then select the certifications from the drop-down list. See the X.509 Certification section in this chapter for details.

[Figure: Authentication Mode set to X.509, with Local and Remote certificate drop-down lists]

Encryption Algorithm
DES, 3DES, AES-128, AES-192, AES-256: Encryption Algorithm in key exchange

Hash Algorithm
Any, MD5, SHA1, SHA256: Hash Algorithm in key exchange

DH Group
DH1 (modp 768), DH2 (modp 1024), DH5 (modp 1536), DH14 (modp 2048): Diffie-Hellman groups (the Key Exchange group between the Remote and VPN Gateways). Factory Default: DH2 (modp 1024)

Negotiation Time
Negotiation time: The number of allowed reconnect times when startup mode is initiated. If the number is 0, this tunnel will always try connecting to the remote gateway when the VPN tunnel is not created successfully.

IKE Lifetime
IKE lifetime (hours): Lifetime for IKE SA. Factory Default: 1 (hr.)

Rekey Expire Time
Rekey expire time (minutes): Start to Rekey before IKE lifetime expired. Factory Default: 9 (min.)

Rekey Fuzz Percent
The rekey expire time will change random
9. B.p12 in EDR-G903 B

5. Send the Certificate file (.crt) to the remote VPN gateway and upload to the Remote certificate file
• Upload Moxa B.crt to EDR-G903 A
• Upload Moxa A.crt to EDR-G903 B

[Figure: certificate exchange between EDR-G903 A and EDR-G903 B: (3) each unit generates its PKCS#12 file and Certificate file, (4) each unit uploads its own PKCS#12 file as the Local certificate, (5) each unit uploads the other unit's Certificate file as the Remote certificate]

Certificate Generation

[Figure: Certificate Request form with Country Name (2-letter code), Certificate days, Organization Name, Organizational Unit Name, Common Name and e-mail fields]

The user must fill in the following information to generate the Root certification:

• Country name (2 Letter code)
• Certificate Days
• State or Province Name
• Locality Name
• Organization Name
• Organization Unit Name
• Common Name
• Email Address

After keying in all information, press Activate to generate the Root Certification.

NOTE  modified by the user.

Certificate Setting

[Figure: Certificate Setting page]
10. Email

After configuring the email settings, you should first click Activate to activate those settings, and then click Send Test Email to verify that the settings are correct.

NOTE: Auto warning e-mail messages will be sent through an authentication protected SMTP server that supports the CRAM-MD5, LOGIN, and PLAIN methods of SASL (Simple Authentication and Security Layer) authentication mechanism. We strongly recommend not entering your Account Name and Account Password if auto warning e-mail messages can be delivered without using an authentication mechanism.

Configuring Relay Warning

The Auto Relay Warning function uses relay output to alert the user when certain user-configured events take place. There are two basic steps required to set up the Relay Warning function:

1. Configuring Relay Event Types
Select the desired Event types from the Web Browser Event type page (a description of each event type is given later in the Relay Alarm Events setting subsection).

2. Activate your settings
After completing the configuration procedure, you will need to activate your EtherDevice Router's Relay Event Types.

[Figure: Relay Warning Event Settings page with System Events (Override Relay 1 Warning Settings, Power Input failure, Power Input 2 failure, DI) and Port Events (WAN, WAN2)]

Event Types can be divi
11. IP
All (IP Address): This Firewall Policy will check all Destination IP addresses in the packet. Factory Default: All
Single (IP Address): This Firewall Policy will check single Destination IP addresses in the packet
Range (IP Address): This Firewall Policy will check multiple Destination IP addresses

Destination Port
All (Port number): This Firewall Policy will check all Destination port numbers in the packet. Factory Default: All
Single (Port number): This Firewall Policy will check single Destination Port numbers in the packet
Range (Port number): This Firewall Policy will check multiple Destination port numbers in the packet

The EtherDevice Router's firewall function will check if incoming or outgoing packets match the firewall policy. It starts by checking the packet with the first policy (Index 1); if the packet matches this policy, it will accept or drop the packet immediately and then check the next packet. If the packet does not match this policy, it will check with the next policy.

The maximum number of Firewall policies for the EtherDevice Router is 256.

Layer 2 Policy Setup

In Bridge Mode, the EtherDevice Router provides an advanced Layer 2 Firewall policy for secure traffic control, which depends on the following parameters.

[Figure: Layer 2 policy entry form with Enable, Target (ACCEPT), Interface From/To, Protocol, EtherType, Source MAC Address and Destination MAC Address fields]

Interface From/To
Select the From Interfa
12. Industrial Applications
Useful Utility and Remote Configuration

EDR-G903/G902 Introduction

Overview

As the world's network and information technology becomes more mature, the trend is to use Ethernet as the major communications interface in many industrial communications and automation applications. In fact, a whole new industry has sprung up to provide Ethernet products that comply with the requirements of demanding industrial applications.

The EtherDevice Router series is a Gigabit speed, all-in-one Firewall/VPN/Router for Ethernet security applications in sensitive remote control and monitoring networks. The EtherDevice Router supports one WAN, one LAN, and a user-configurable WAN/DMZ interface (EDR-G903) that provides high flexibility for different applications, such as WAN redundancy or Data/FTP server security protection.

The Quick Automation Profile function of the EtherDevice Router's firewall supports most common Fieldbus protocols, including EtherCAT, EtherNet/IP, FOUNDATION Fieldbus, Modbus/TCP, and PROFINET. Users can easily create a secure Ethernet Fieldbus network from a user-friendly web UI with a single click. In addition, wide temperature models are available that operate reliably in hazardous -40 to 75°C environments.

Package Checklist

The EtherDevice Router is shipped with the following items. If any of these items are missing or damaged, please contact your customer service representative for assistance.

• 1
13. Moxa EtherDevice Router
• RJ45 to DB9 console port cable
• Protective caps for unused ports
• DIN-Rail mounting kit (attached to the EtherDevice Router's rear panel by default)
• Hardware Installation Guide (printed)
• CD-ROM with User's Manual and Windows Utility
• Moxa Product Warranty statement

Features

Industrial Networking Capability

• Router/Firewall/VPN all in one
• 1 WAN, 1 LAN, and 1 user-configurable WAN or DMZ interface
• Network address translation (N-to-1, 1-to-1, and port forwarding)

Designed for Industrial Applications

• Dual WAN redundancy function
• Firewall with Quick Automation Profile for Fieldbus protocols
• Intelligent PolicyCheck and SettingCheck tools
• -40 to 75°C operating temperature (T models)
• Long-haul transmission distance of 40 km or 80 km (with optional mini-GBIC)
• Redundant, dual 12 to 48 VDC power inputs
• IP30, rugged high-strength metal case
• DIN-Rail or panel mounting ability

Useful Utility and Remote Configuration

• Configurable using a Web browser and Telnet/Serial console
• Send ping commands to identify network segment integrity

Chapter 2: Getting Started

This chapter explains how to access the EtherDevice Router for the first time. There are three ways to access the switch: (1) serial console, (2) Telnet console, or (3) web browser. The serial console connection method, which requires using a short serial cable to connect the EtherDevice Router to a PC's COM port, can b
14. [Figure: PPTP Dialup section of the WAN configuration page with PPTP Connection Enable, IP Address, User Name and Password fields, and DNS Server 1 to Server 3]

PPTP Dialup

Point-to-Point Tunneling Protocol is used for Virtual Private Networks (VPN). Remote users can use PPTP to connect to private networks from public networks.

PPTP Connection
Enable or Disable: Enable or Disable the PPTP connection. Factory Default: None

IP Address
IP Address: The PPTP service IP address. Factory Default: None

User Name
Max. 30 Characters: The Login username when dialing up to PPTP service. Factory Default: None

Password
Max. 30 characters: The password for dialing the PPTP service. Factory Default: None

Example: Suppose a remote user (IP: 10.10.10.10) wants to connect to the internal server (private IP: 30.30.30.10) via the PPTP protocol. The IP address for the PPTP server is 20.20.20.1. The necessary configuration settings are shown in the following figure.

[Figure: PPTP example topology]
Client side: WAN IP 61.32.10.10; PPTP IP (Client) 20.20.20.2/32; local address 10.10.10.10/24
Server side: WAN IP 72.51.30.30; PPTP IP (Server) 20.20.20.1/32; local address 30.30.30.10/24
Static Route (client side): Destination Address 30.30.30.0, Netmask 255.255.255.0, Next Hop 20.20.20.1
Static Route (server side): Destination Address 10.10.10.0, Netmask 255.255.255.0, Next Hop 20.20.20.2

Note: If the OS is Linux, the Next Hop is 20.20.20.1
15. Protocol)

RIP is a distance vector-based routing protocol that can be used to automatically build up a routing table in the EtherDevice Router.

The EtherDevice Router can efficiently update and maintain the routing table, and optimize the routing by identifying the smallest metric and most matched mask prefix.

Static Routing

The Static Routing page is used to configure the EtherDevice Router's static routing table.

[Figure: Static Routing page with entry fields (Enable, Name, Destination Address, Netmask, Next Hop, Metric) and the Static Routing list]

Enable
Click the checkbox to enable Static Routing.

Name
The name of this Static Router list

Destination Address
You can specify the destination IP address.

Netmask
This option is used to specify the subnet mask for this IP address.

Next Hop
This option is used to specify the next router along the path to the destination.

Metric
Use this option to specify a "cost" for accessing the neighboring network.

Clickable Buttons

Add
For adding an entry to the Static Routing Table.

Delete
For removing selected entries from the Static Routing Table.

Modify
For modifying the content of a selected entry in the Static Routing Table.

NOTE: The entries in the Static Routing Table will not be added to the Eth
16. accounting UDP

PolicyCheck

The EtherDevice Router supports a PolicyCheck function for maintaining the firewall policy list. The PolicyCheck function detects firewall policies that may be configured incorrectly.

PolicyCheck provides an auto detection function for detecting common configuration errors in the Firewall policy (e.g., Mask, Include, and Cross conflict). When adding a new firewall policy, the user just needs to click the PolicyCheck button to check each policy; warning messages will be generated that can be used for further analysis. If the user decides to ignore a warning message, the EtherDevice Router firewall will run on the configuration provided by the user.

The three most common types of configuration errors are related to Mask, Include, and Cross Conflict.

Mask: Policy [X] is masked by Policy [Y]

The Source/Destination IP range or Source/Destination port number of policy [X] is smaller or equal to policy [Y], but the action target (Accept/Drop) is different.

For example, two firewall policies are shown below:

Index | Input | Output | Protocol | Source IP | Destination IP | Target
1 | WAN1 | LAN | All | 10.10.10.10 | 192.168.127.10 | ACCEPT
2 | WAN2 | LAN | All | 20.20.20.10 to 20.20.20.30 | 192.168.127.20 | ACCEPT

Suppose the user next adds a new policy with the following configuration:

Index | Input | Output | Protocol | Source IP | Destination IP | Target
  | WAN2 | LAN | All | 20.20.20.20 | 192.168.127.20 | DROP

After clic
17. each production line. The internal private IP addresses of these devices will map to different public IP addresses. Configuring a group of devices for 1-to-1 NAT is easy and straightforward.

[Figure: two production lines, each with devices at 192.168.100.1 and 192.168.100.2; Production Line 1 maps to 10.10.1.1 and 10.10.1.2, Production Line 2 maps to 10.10.2.1 and 10.10.2.2]

1-to-1 NAT Setting for EDR-G903 in Production Line 1
NAT List entry: 192.168.100.1 <-> 10.10.1.1

1-to-1 NAT Setting for EDR-G903 in Production Line 2
NAT List entry: 192.168.100.1 <-> 10.10.2.1

[Figure: NAT policy entry form with Enable, NAT Mode, Interface, LAN/DMZ IP and WAN IP fields]

Enable/Disable NAT policy
Enable or Disable: Enable or disable the selected NAT policy

NAT Mode
N-1, 1-1, Port Forward: Select the NAT types. Factory Default: None

Interface (1-1 NAT type)
WAN1, WAN2: Select the Interface for this NAT Policy. Factory Default: WAN1

LAN/DMZ IP (1-1 NAT type)
IP Address: Select the Internal IP address in LAN/DMZ network area. Factory Default: None

WAN IP (1-1 NAT type)
IP Address: Select the external IP address in WAN network area. Factory Default: None

NOTE: The EtherDevice Router can obtain an IP address via DHCP or PPPoE. However, if this dynamic IP address is the same as the WAN IP for 1-to-1 NAT, then the 1-to-1 NAT function will not work. For th
18. will synchronize the time information with another NTP/SNTP server.

Time Server IP/Name

1st Time Server IP/Name
IP or Domain address (e.g., 192.168.1.1, time.stdtime.gov.tw or time.nist.gov). Factory Default: None

2nd Time Server IP/Name
The EtherDevice Router will try to locate the 2nd NTP Server if the 1st NTP Server fails to connect.

SettingCheck

[Figure: SettingCheck page with check boxes for Firewall Policy, NAT Policy, Accessible IP List and Layer 2 Filter (Only work in Bridge Mode), and Timer set to 180 (sec.)]

SettingCheck is a safety function for industrial users using a secure router. It provides a double confirmation mechanism for when a remote user changes the security policies, such as Firewall filter, NAT, and Accessible IP list. When a remote user changes these security policies, SettingCheck provides a means of blocking the connection from the remote user to the Firewall/VPN device. The only way to correct a wrong setting is to get help from the local operator, or go to the local site and connect to the device through the console port, which could take quite a bit of time and money. Enabling the SettingCheck function will execute these new policy changes temporarily until doubly confirmed by the user. If the user does not click the confirm button, the EtherDevice Router will revert to the previous setting.

Firewall Policy
Enables or Disables the SettingCheck function when the Firewall policies change.

NAT Policy
Enables or Disables the S
19. [Figure: EventLog Table with sample entries such as admin auth ok, LAN link off, Power 2 Power transition (Off -> On), Cold start, LAN link on, and SNMP Enable]

Field: Description
Date: The date is updated based on how the current date is set in the "Basic Setting" page.
Time: The time is updated based on how the current time is set in the "Basic Setting" page.
System Startup Time

The following events will be recorded in the EtherDevice Router EventLog Table:

[Several event names at the top of the table are illegible; each is recorded as "Configuration change activated"]
NAT: Configuration change activated
QoS_Bandwith: Configuration change activated
QoS_DownStream: Configuration change activated
QoS_UpStream: Configuration change activated
[name illegible]: Configuration Change activated (Enable / Disable)
SNMP: Configuration Change activated (Enable / Disable)
Power transition (On -> Off)
Power transition (Off -> On)
DI transition (Off -> On)
DHCP: Configuration Change activated (Enable / Disable)
DDNS: Configuration Change activated (Enable / Disable)

NOTE: The maximum number of event entries is 1000.

Using Syslog

This function provides the event logs for the syslog ser
20. [Figure: QoS example traffic with packet size 1518 bytes: priority 0 from 192.168.127.10, priority 1 from 192.168.127.11, priority 2 from 192.168.127.12 and priority 3 from 192.168.127.13, each at 25 Mbps; a second panel shows only priority 0 (192.168.127.10) and priority 1 (192.168.127.11), each at 25 Mbps]

based on these two different IP addresses. In this case, there are still 100 KBytes/s - 10 KBytes/s - 20 KBytes/s = 70 KBytes/s that do not belong to any priority. So, the EtherDevice Router will increase the bandwidth from highest priority (0) to lowest priority (3). The EtherDevice Router will add this 70 KBytes/s bandwidth to priority 0 because the maximum bandwidth of priority 0 is 100 KBytes/s. The following figure shows the bandwidth arrangement of the EtherDevice Router based on this configuration.

Configuring SNMP

The EtherDevice Router supports SNMP V1/V2c/V3. SNMP V1 and SNMP V2c use a community string match for authentication, which means that SNMP servers access all objects with read-only permissions using the community string public (default value). SNMP V3, which requires that the user selects an authentication level of MD5 or SHA, is the most secure protocol. You can also enable data encryption to enhance data security. SNMP security modes and security levels supported by the EtherDevice Router are shown in the following table. Select the security mode and level that will be used to communicate between the SNMP agent and manager.

Protocol Authenticati
21. EDR-G903/G902 User's Manual

Second Edition, January 2011

www.moxa.com/product

MOXA

© 2011 Moxa Inc. All rights reserved.
Reproduction without permission is prohibited.

The software described in this manual is furnished under a license agreement and may be used only in accordance with the terms of that agreement.

Copyright Notice

Copyright © 2011 Moxa Inc.
All rights reserved.
Reproduction without permission is prohibited.

Trademarks

The MOXA logo is a registered trademark of Moxa Inc.
All other trademarks or registered marks in this manual belong to their respective manufacturers.

Disclaimer

Information in this document is subject to change without notice and does not represent a commitment on the part of Moxa.

Moxa provides this document as is, without warranty of any kind, either expressed or implied, including, but not limited to, its particular purpose. Moxa reserves the right to make improvements and/or changes to this manual, or to the products and/or the programs described in this manual, at any time.

Information provided in this manual is intended to be accurate and reliable. However, Moxa assumes no responsibility for its use, or for any infringements on the rights of third parties that may result from its use.

This product might include unintentional technical or typographical errors. Changes are periodically made to the information herein to correct such errors, and these
22. N gateways
• Data Exchange: Data encryption between VPN gateways
• Dead Peer Detection: The mechanism for VPN Tunnel maintenance

Global Configuration

The EtherDevice Router provides 2 Global Settings for VPN applications.

[Figure: IPSec Global Setting page with All IPSec Connection Enable and IPSec NAT-T Enable check boxes]

All IPSec Connection
Users can Enable or Disable all VPN services with this configuration.

NOTE: The factory default setting is Disable, so when the user wants to use the VPN function, make sure the setting is enabled.

IPSec NAT-T
If there is an external NAT device between VPN tunnels, the user must enable the NAT-T (NAT Traversal) function.

IPSec Quick Setting

The EtherDevice Router's Quick Setting mode can be used to easily set up a site-to-site VPN tunnel for two EtherDevice Router units.

[Figure: Setting selector with Quick Setting (For EDR-G903 connects to EDR-G903) chosen]

When choosing the Quick setting mode, the user just needs to configure the following:
• Tunnel Setting
• Security Setting
  > Encryption Strength: Simple (AES-128), Standard (AES-192), Strong (AES-256)
  > Password of Pre-shared Key

NOTE: The Encryption strength and Pre-shared key should be configured the same for both EtherDevice Router units.

IPSec Advanced Setting

Click Advanced Setting to configure detailed VPN settings.

[Figure: Setting selector with Advanced Setting chosen]

Tunnel Setting

[Figure: Tunnel Setting page with Enable, Name and VPN Connection Type (Site to Site) fields]
23. SettingCheck Confirmed page. After 15 seconds, the EtherDevice Router will roll back to the original Accessible IP List setting, allowing the remote user to reconnect to the EtherDevice Router and check what's wrong with the previous setting.

[Figure: browser error page, "The page cannot be displayed"]

If the new configuration does not block the connection from the remote user to the EtherDevice Router, the user will see the SettingCheck Confirmed page, shown in the following figure. Click Conf
24. TP server, or click Upload to upload a file to the remote TFTP server.

System File Update by Local Import/Export

Configuration File
Click Export to export the configuration file of the EtherDevice Router to the local host.

Log File
Click Export to export the Log file of the EtherDevice Router to the local host.

NOTE: Some operating systems will open the configuration file and log file directly in the web page. In such cases, right-click the Export button and then save as a file.

Upgrade Firmware
To import a firmware file into the EtherDevice Router, click Browse to select a firmware file already saved on your computer. The upgrade procedure will proceed automatically after clicking Import. This upgrade procedure will take a couple of minutes to complete, including the boot-up time.

Upload Configuration Data
To import a configuration file to the EtherDevice Router, click Browse to select a configuration file already saved on your computer. The upgrade procedure will proceed automatically after clicking Import.

Restart

This function is used to restart the EtherDevice Router.

Reset to Factory Default

This function will reset al
25. a 01 is connected to the EtherDevice Router, the EtherDevice Router will offer the IP address 192.168.127.101 to this device.

Enable or Disable
  Enable or Disable: Enable or Disable the selected device in the Static DHCP List. Factory Default: Disabled.

Name
  Max. 30 characters: The name of the selected device in the Static DHCP List. Factory Default: None.

Static IP Address
  IP Address: The IP address of the selected device. Factory Default: None.

MAC Address
  MAC Address: The MAC address of the selected device. Factory Default: None.

Clickable Buttons

Add: Use the Add button to input a new DHCP list. The Name, Static IP, and MAC address must be different than for the existing list.

Delete: Use the Delete button to delete the Static DHCP list. Click on a list to select it (the background color of the device will change to blue) and then click the Delete button.

Modify: To modify the information for a particular list, click on a list to select it (the background color of the device will change to blue), modify the information as needed using the check boxes and text input boxes near the top of the browser window, and then click Modify.

DHCP Leased List

Use the DHCP Leased List to view the current DHCP clients.

Dynamic DNS

Dynamic DNS (Domain Name Server) allows you to use a dom
26. ain name (e.g., moxa edr g903) to connect to the EtherDevice Router. The EtherDevice Router can connect to 4 free DNS servers and register the user configurable Domain name in these servers.

Dynamic DNS

Service
  Options: Disable, freedns.afraid.org, www.3322.org, members.dyndns.org, dynupdate.no-ip.com
  Disable or select the DNS server. Factory Default: Disable.

User Name
  Max. 30 characters: The DNS server's user name. Factory Default: None.

Password
  Max. 30 characters: The DNS server's password. Factory Default: None.

Verify Password
  Max. 30 characters: Verifies the DNS server password. Factory Default: None.

Domain name
  Max. 30 characters: The DNS server's domain name. Factory Default: None.

Network Redundancy

Moxa EtherDevice Router provides 2 types of network redundancy functions: WAN backup (EDR-G903 only) and VRRP. The EtherDevice Router has two WAN interfaces: WAN1 is the primary WAN interface and WAN2 is the backup interface. When the EtherDevice Router detects that connection WAN1 has failed (Link down or Ping fails), it will switch the communication path from WAN1 to WAN2 automatically. When WAN1 recovers, the major communication path will return to WAN1.

WAN Backup (EDR-G903 o
27. al Unit Name    Email Address    Certificate Name    Certificate Password    Modify

The default setting for Certificate Day is 0, which means that the certification will not be terminated unless

After Root Certification is activated, the user can generate different certifications for different VPN Tunnels. The user needs to fill in the following information and press Add and Activate to add the new certificate to the Certificate List.

• Certificate Days
• Organization Unit Name
• Certificate Name
• Email Address
• Certificate Password

The user can then choose certificates from the list and press the PKCS#12 Export button to generate a .p12 file for a local certificate and press Certificate Export to generate a .crt file for certificates on a Remote VPN gateway.

Local Certificate Upload

Upload the .p12 local certificate on this page. The Password must be the same as the .p12 certificate file. If the password is not correct, the certificate import process will fail.

Label: User-defined name for this local certificate.
Name / Subject: Show the Name and subject when the certificate is imported successfully or the user selects the certificate on t
28. and Destination port) in policy X and policy Y are masked, and the action target (Accept/Drop) is different.

For example, two firewall policies are shown in the following table.

Index  Input  Output  Protocol  Source IP                   Destination IP   Target
1      WAN1   LAN     All       10.10.10.10                 192.168.127.10   ACCEPT
2      WAN2   LAN     All       20.20.20.20 to 20.20.20.30  192.168.127.25   ACCEPT

Suppose the user next adds a new policy with the following configuration.

Index  Input  Output  Protocol  Source IP    Destination IP                    Target
3      WAN2   LAN     All       20.20.20.25  192.168.127.20 to 192.168.127.30  DROP

The source IP range in policy 3 is smaller than policy 2, but the destination IP of policy 2 is smaller than policy 3, and the target actions (Accept/Drop) of these two policies are different. If the user clicks the PolicyCheck button, the EtherDevice Router will issue a message informing the user that policy 3 is in Cross Conflict with policy 2.

[Figure: message "A rule 3 is cross conflict with rule 2"]

Denial of Service (DoS) function

The EtherDevice Router provides 9 different DoS functions for detecting or defining abnormal packet format or traffic flow. The EtherDevice Router will drop the packets when it detects an abnormal packet format. The EtherDevice Router will also monitor some traffic flow parameters and activate the defense process when abnormal traffic conditions are detected.

Null Scan, Xmas Scan, NMAP-Xmas Scan, SYN/FIN Scan, FIN Scan, NMAP-ID Sca
29. ber of Waits for connecting to a VPN tunnel is 20.

Local Network / Netmask / ID
  IP Address: IP address of local VPN network. Factory Default: IP address of LAN interface.
  Subnet Mask: Subnet Mask of local VPN network. Factory Default: Netmask of LAN interface.
  ID: ID for identifying the VPN tunnel connection. The Local ID must be equal to the Remote ID of the VPN Gateway. Otherwise, the VPN tunnel cannot be established successfully.

Remote Network / Netmask / ID
  IP Address: IP address of Remote VPN network. Factory Default: 0.0.0.0.
  Subnet Mask: Subnet Mask of local VPN network. Factory Default: 0.0.0.0.
  ID: ID for identifying the VPN tunnel connection. The Local ID must be equal to the Remote ID of the VPN Gateway. Otherwise, the VPN tunnel cannot be established. Factory Default: None.

Key Exchange (IPSec Phase 1)

[Screenshot values: IKE Mode: Main; Authentication Mode: Pre-Share Key (12345); Encryption Algorithm: 3DES; Hash Algorithm: SHA1; DH Group: DH 2 (modp1024); Negotiation Times: 0 (0: forever); IKE Life Time: 1 hour; Rekey Expire Time: 9 min; Rekey Fuzz Percent: 100 %]

IKE Mode
  Main: In "Main" IKE Mode, both the Remote and Local VPN gateway will negotiate which Encryption/Hash algorithm and DH groups can be used in this VPN tunnel; both VPN gateways must use the same algorithm to communicate. Factory Default: MAIN.
  Aggressive: In "Aggressive" Mode, the Remote and Local VPN gateway will not negotiate the algorithm; it will use the user's configuration only.
30. ber to identify the connection of this internal/external IP address. This function is also called "Network Address Port Translation" (NAPT) or "IP Masquerading".

The N-1 NAT function is a one-way connection from an internal secure area to an external non-secure area. The user can initialize the connection from the internal to the external network, but may not be able to initialize the connection from the external to the internal network.

Enable/Disable NAT Policy
  Enable or Disable: Enable or disable the selected NAT policy. Factory Default: Enabled.

NAT Mode
  N-1: Select the NAT types (N-1, 1-1, Port Forwarding).

Interface (N-1 mode)
  Select the Interface for this NAT Policy.

The EtherDevice Router provides a Dual WAN backup function for network redundancy. If the interface is set to Auto, the NAT Mode is set to N-1, and the WAN backup function is enabled, the primary WAN interface is WAN1. If the WAN1 connection fails, the WAN interface of this N-1 policy will apply to WAN2 and switch to WAN2 for N-1 outgoing traffic until the WAN1 interface recovers.

IP Range
  IP address: Select the Internal IP range for IP translation to WAN IP address. Factory Default: None.

WAN IP (N-1 mode)
  IP address: The IP address of the user-selected interface (WAN1, WAN2, and Auto) in this N-to-1 policy. Factory Default: None.

NOTE The EtherD
31. ce and To interface. Factory Default: None.

Protocol
  Refer to table "EtherType for Layer 2 Protocol" for a more detailed description: Select the Layer 2 Protocol in this Firewall Policy. Factory Default: None.

EtherType
  0x0600 to 0xFFFF: When Protocol is set to "Manual" you can set up EtherType manually. Factory Default: None.

Target
  Accept: The packet will pass the Firewall when it matches this Firewall policy. Factory Default: None.
  Drop: The packet will not pass the Firewall when it matches this Firewall policy. Factory Default: None.

Source MAC Address
  Mac Address: This Firewall Policy will check all Source MAC addresses of the packet. Factory Default: 00:00:00:00:00:00.

Destination MAC Address
  Mac Address: This Firewall Policy will check all destination MAC addresses of the packet. Factory Default: 00:00:00:00:00:00.

The following table shows the Layer 2 protocol types commonly used in Ethernet frames.

EtherType for Layer 2 Protocol (surviving table entries): IPv6 (Internet Protocol version 6); 0x880B PPP; Frame-based ATM Transport over Ethernet

Quick Automation Profile

Ethernet Fieldbus protocols are popular in industrial automation applications. In fact, many Fieldbus protocols (e.g., EtherNet/IP and Modbus TCP/IP) can operate on an industrial Ethernet network, with the Ethernet port number defined by IANA (Internet Assigned Numbers Authority). The EtherDevice Router provides an easy-to-use function called Quick Automation Profile that includes 45 d
32. ce via IP. Example: ping 192.168.127.10

ssh
  ssh <IP address>: Open a ssh connection. Example: ssh 192.168.127.10

telnet
  telnet <IP address>: Open a telnet connection. Example: telnet 192.168.127.10
  telnet <IP address> <port number>: Open a telnet connection with port number. Example: telnet 192.168.127.10 23

Using Telnet to Access the EtherDevice Router's Console

You may use Telnet to access the EtherDevice Router's console utility over a network. To access the EDR's functions over the network (by either Telnet or a web browser) from a PC host that is connected to the same LAN as the EtherDevice Router, you need to make sure that the PC host and the EtherDevice Router are on the same logical subnet. To do this, check your PC host's IP address and subnet mask. By default, the EtherDevice Router's LAN IP address is 192.168.127.254 and the EtherDevice Router's subnet mask is 255.255.255.0 (for a Class C subnet). If you do not change these values, and your PC host's subnet mask is 255.255.0.0, then its IP address must have the form 192.168.xxx.xxx. On the other hand, if your PC host's subnet mask is 255.255.255.0, then its IP address must have the form 192.168.127.xxx.

NOTE: To use the EtherDevice Router's management and monitoring functions from a PC host connected to the same LAN as the EtherDevice Router, you must make sure that the PC host and the EtherDevice Router are connected to the same logical subnet.

NOTE: Before accessing the
33. changes are incorporated into new editions of the publication.

Technical Support Contact Information

www.moxa.com/support

Moxa Americas: Toll-free: 1-888-669-2872; Tel: +1-714-528-6777; Fax: +1-714-528-6778
Moxa Europe: Tel: +49-89-3 70 03 99-0; Fax: +49-89-3 70 03 99-99
Moxa China (Shanghai office): Toll-free: 800-820-5036; Tel: +86-21-5258-9955; Fax: +86-21-5258-5505
Moxa Asia-Pacific: Tel: +886-2-8919-1230; Fax: +886-2-8919-1231

Table of Contents

1. Introduction
   Overview
   Package Checklist
   Features
      Industrial Networking Capability
      Designed for Industrial Applications
      Useful Utility and Remote Configuration
2. Getting Started
   RS-232 Console Configuration (115200, None, 8, 1, VT100)
   Using Telnet to Access the EtherDevice Router's Console
   Using a Web Browser to Configure the EtherDevice Router
3. Features and Functions
   Configuring Basic Settings
      System Identification
      Password
      Sys
34. connected to the same logical subnet.

NOTE: Before accessing the EtherDevice Router's web browser, first connect the EtherDevice Router's RJ-45 Ethernet LAN ports to your Ethernet LAN, or directly to your PC's Ethernet card (NIC). You can use either a straight-through or cross-over Ethernet cable.

NOTE: The EtherDevice Router's default LAN IP address is 192.168.127.254.

Perform the following steps to access the EtherDevice Router's web browser interface.

1. Start Internet Explorer and type the EtherDevice Router's LAN IP address in the Address field. Press Enter to establish the connection.
2. The web login page will open. Select the login account (Admin or User) and enter the Password (this is the same as the Console password), and then click Login to continue. Leave the Password field blank if a password has not been set.

[Screenshot: Moxa EtherDevice Secure Router EDR-G903 login page with Username, Password, and Login]

NOTE: By default, the EtherDevice Router's password is not set (i.e., is blank).

You may need to wait a few moments for the web page to be downloaded to your computer. Use the menu tree on the left side of the window to open the function pages to access each of the router's functions.

Main Menu (screenshot): Overview, Basic Setting, Network, Communication Redundancy, Routing, NAT, Firewall Policy, SNMP, Traffic P
35. console utility via Telnet, first connect the EtherDevice Router's RJ-45 Ethernet LAN ports to your Ethernet LAN, or directly to your PC's Ethernet card (NIC). You can use either a straight-through or cross-over Ethernet cable.

NOTE: The EtherDevice Router's default LAN IP address is 192.168.127.254.

Perform the following steps to access the console utility via Telnet.

1. Click Start > Run, and then telnet to the EtherDevice Router's IP address from the Windows Run window. (You may also issue the telnet command from the MS-DOS prompt.)

[Screenshot: Windows Run dialog with "telnet 192.168.127.254" in the Open field]

2. Refer to instructions 6 and 7 in the RS-232 Console Configuration (115200, None, 8, 1, VT100) section on page 2-3.

Using a Web Browser to Configure the EtherDevice Router

The EtherDevice Router's web browser interface provides a convenient way to modify the switch's configuration and access the built-in monitoring and network administration functions. The recommended web browser is Microsoft Internet Explorer 6.0 with JVM (Java Virtual Machine) installed.

NOTE: To use the EtherDevice Router's management and monitoring functions from a PC host connected to the same LAN as the EtherDevice Router, you must make sure that the PC host and the EtherDevice Router are
36. d by a set of rules to obtain the required Quality of Service for your network.

NOTE: The maximum number of Firewall policies for the EtherDevice Router is 256.

How Traffic Prioritization Works

The EtherDevice Router provides four different priority levels (0 to 3, high to low) for incoming and outgoing traffic. The following figure illustrates incoming traffic, which refers to the traffic transmitted from the WAN1 to LAN or WAN2 to LAN interface. Outgoing traffic refers to the traffic transmitted from LAN to WAN1 or from LAN to WAN2.

[Figure: Incoming Traffic (WAN1 to LAN or WAN2 to LAN) and Outgoing Traffic (LAN to WAN)]

The following figures show the configuration for incoming and outgoing traffic. Users can manage the priority of incoming traffic (WAN1 to LAN and WAN2 to LAN) and outgoing traffic (LAN to WAN1 and LAN to WAN2).

Incoming Traffic Configuration (WAN1/2 to LAN), screenshot values:
  MAX. Bandwidth: 100 KByte/s; Default Priority: Priority 3
  Priority 0: MIN. BW 10 KByte/s, MAX. BW 10 KByte/s
  Priority 1: MIN. BW 20 KByte/s, MAX. BW 20 KByte/s
  Priority 2: MIN. BW 30 KByte/s, MAX. BW 30 KByte/s
  Priority 3: MIN. BW 40 KByte/s, MAX. BW 40 KByte/s

Outgoing Traffic Configuration (LAN to WAN1), screenshot values:
  MAX. Bandwidth: 100 KByte/s; Default Priority: Priority 3
  Priority 0: MIN. BW 10 KByte/s, MAX. BW 10 KByte/s
  Pri
37. ddress, subnet mask, etc.).

Power Transition (On->Off): The EtherDevice Router is powered down.
Power Transition (Off->On): The EtherDevice Router is powered up.
DI (Off): Digital Input is triggered by an on to off transition.
DI (On): Digital Input is triggered by an off to on transition.
Config. Change: A configuration item has been changed.
Auth. Failure: An incorrect password is entered.

Port Events: SNMP Trap is sent when...
Link ON: The port is connected to another device.
Link OFF: The port is disconnected (e.g., the cable is pulled out or the opposing device shuts down).

Using Auto Warning

Since industrial Ethernet devices are often located at the endpoints of a system, these devices will not always know what is happening elsewhere on the network. This means that an industrial Ethernet router that connects to these devices must provide system maintainers with real-time alarm messages. Even when control engineers are out of the control room for an extended period of time, they can still be informed of the status of devices almost instantaneously when exceptions occur. The EtherDevice Router supports different approaches to warn engineers automatically, such as by using email and relay output. It also supports one digital input to integrate sensors with your system and automate alarms using email and relay output.

Configuring Email Warning

The Auto Email Warning functio
38. ded into two basic groups: System Events and Port Events. System Events are related to the overall function of the router, whereas Port Events are related to the activity of a specific port.

System Events: Warning Relay output is triggered when...
Power Input 1 failure (On->Off): Power input 1 is down.
Power Input 2 failure (On->Off): Power input 2 is down.
DI (Off): Digital Input is triggered by on to off transition.
DI (On): Digital Input is triggered by off to on transition.

Port Events: Warning Relay output is triggered when...
Link ON: The port is connected to another device.
Link OFF: The port is disconnected (e.g., the cable is pulled out or the opposing device shuts down).
Ignore the status of the port.

Override relay alarm settings

Select this option to override the relay warning setting temporarily. Releasing the relay output will allow administrators to fix any problems with the warning condition.

Warning List

Use this table to see if any relay alarms have been issued.

[Screenshot: Current Warning List]

Using Diagnosis

The EtherDevice Router provides Ping tools and LLDP for administrators to diagnose network systems.

Ping

[Screenshot: Use Ping Command to test Network Integrity]

The Ping function uses the ping command to give users a simple but powerful tool for troubleshooting network problems. The functions m
39. ding the MIB file, but does give authorization to write.

Auth. Type
  MD5: Provides authentication based on the HMAC-MD5 algorithms. 8-character passwords are the minimum requirement for authentication.
  SHA: Provides authentication based on the HMAC-SHA algorithms. 8-character passwords are the minimum requirement for authentication.

Data Encryption Key
  Max. 30 Characters: 8-character data encryption key is the minimum requirement for data encryption. Factory Default: None.

Community Name 1, 2
  Max. 30 Characters: Use a community string match for authentication.

Access Control
  Read only (Public MIB only): Access control type after matching the community string. Factory Default: Read only.

Target IP Address
  IP Address: Enter the IP address of the Trap Server used by your network. Factory Default: Read only.

SNMP Trap Type

[Screenshot: SNMP Trap Settings. System Events: Cold Start, Warm Start, Power Transition On->Off, Power Transition Off->On, DI (Off), DI (On), Config. Change, Auth. Failure. Port Events: WAN1, WAN2, LAN]

SNMP Trap Types can be divided into two basic groups: System Events and Port Events. System Events are related to the overall function of the router, whereas Port Events are related to the activity of a specific port.

System Events: SNMP Trap is sent when...
Cold Start: Power is cut off and then reconnected.
Warm Start: The EtherDevice Router is rebooted, such as when network parameters are changed (IP a
40. e Router.

System Identification

The system identification section gives you an easy way to identify the different switches connected to your network.

Router name
  Max. 30 Characters: This option is useful for specifying the role or application of different EtherDevice Router units. E.g., Factory Router 1. Factory Default: Firewall/VPN router [Serial No. of this switch].

Router Location
  Max. 80 Characters: To specify the location of different EtherDevice Router units. E.g., production line 1. Factory Default: Device Location.

Router Description
  Max. 30 Characters: Use this field to enter a more detailed description of the EtherDevice Router unit. Factory Default: None.

Maintainer Contact Info
  Max. 30 Characters: Enter the contact information of the person responsible for maintaining this EtherDevice Router. Factory Default: None.

Web Configuration
  http or https: Users can connect to the EtherDevice Router via http or https protocol. Factory Default: http or https.
  https only: Users can connect to the EtherDevice Router via https protocol only.

Accessible IP

The EtherDevice Router uses an IP address-based filtering method to control access to EtherDevice Router units.

Accessible IP List

Enable the accessible IP l
41. e used if you do not know the EtherDevice Router's IP address. The Telnet console and web browser connection methods can be used to access the EtherDevice Router over an Ethernet LAN, or over the Internet. A web browser can be used to perform all monitoring and administration functions, but the serial console and Telnet console only provide basic functions.

The following topics are covered in this chapter:

• RS-232 Console Configuration (115200, None, 8, 1, VT100)
• Using Telnet to Access the EtherDevice Router's Console
• Using a Web Browser to Configure the EtherDevice Router

RS-232 Console Configuration (115200, None, 8, 1, VT100)

NOTE: Connection Caution! We strongly suggest that you do NOT use more than one connection method at the same time. Following this advice will allow you to maintain better control over the configuration of your EtherDevice Router.

NOTE: We recommend using Moxa PComm Terminal Emulator, which can be downloaded free of charge from Moxa's website.

Before running PComm Terminal Emulator, use an RJ-45 to DB9-F (or RJ-45 to DB25-F) cable to connect the EtherDevice Router's RS-232 console port to your PC's COM port (generally COM1 or COM2, depending on how your system is set up).

After installing PComm Terminal Emulator, perform the following steps to access the RS-232 console utility.

1. From the Windows desktop, click Start > Programs > PCommLite1.3 > Terminal Emulator
42. Table of Contents (continued)

   Firewall Policy Overview
   Firewall Policy Configuration
   Quick Automation Profile
   Denial of Service (DoS) function
   VPN (Virtual Private Network)
      Overview
      L2TP (Layer 2 Tunnel Protocol)
      Examples for Typical VPN Applications
   Traffic Prioritization
      How Traffic Prioritization Works
      Traffic Prioritization Configuration
   Configuring SNMP
   Using Auto Warning
   Using Diagnosis
   Using Monitor
   Using System Log
A. MIB Groups

1. Introduction

Welcome to the Moxa EtherDevice Router (EDR-G903/G902), the Gigabit Firewall/VPN secure routers designed for connecting Ethernet-enabled devices in industrial field applications.

The following topics are covered in this chapter:

• Overview
• Package Checklist
• Features
  > Industrial Networking Capability
  > Designed for
43. efault
  Timeout (seconds): Timeout to check if the connection is alive or not. Factory Default: 120 (sec).

IPSec Status

The user can check the VPN tunnel status in the IPSec Connection List.

This list shows the Name of the IPSec tunnel, IP address of Local and Remote Subnet/Gateway, and the established status of the Key exchange phase and Data exchange phase.

[Screenshot: IPSec Connection List with columns Name, Local Subnet, Local Gateway, Remote Gateway, Remote Subnet, Key Exchange (IPSec Phase 1), Data Exchange (IPSec Phase 2)]

X.509 Certification

X.509 is a digital certificate method commonly used for IPSec Authentication. The EtherDevice Router can generate a trusted Root Certification and then export/import the certificate to the remote VPN gateway.

The diagram below indicates the 5 steps you should follow to use X.509 for IPSec authentication with two VPN gateways, referred to as EDR-G903 A and EDR-G903 B in the diagram.

1. Root Certificate generation: Both EDR-G903 A and EDR-G903 B need to generate their own root certificates.
2. EDR-G903 A and EDR-G903 B can request new certifications based on their own Root Certificates.
3. Generate PKCS#12 local certificate with password (.p12) and Certificate file for remote VPN tunnel (.crt).
   • EDR-G903 A > Moxa A.p12 and Moxa A.crt
   • EDR-G903 B > Moxa B.crt and Moxa B.crt
4. Upload the PKCS#12 certificate to the Local Certification list.
   • Moxa A.p12 in EDR-G903 A
   • Moxa
44. erDevice Router's routing table until you click the Activate button.

RIP (Routing Information Protocol)

RIP is a distance vector routing protocol that employs the hop count as a routing metric. RIP prevents routing loops by implementing a limit on the number of hops allowed in a path from the source to a destination.

The RIP page is used to set up the RIP parameters.

RIP State
  Enable/Disable: Enable or Disable RIP protocol.

Enable WAN1 RIP
  Check the checkbox to enable RIP in the WAN1 interface.

Enable WAN2 RIP
  Check the checkbox to enable RIP in the WAN2 interface.

Enable LAN RIP
  Check the checkbox to enable RIP in the LAN interface.

RIP V1 only
  Check the checkbox to enable only RIP V1 interfaces.

Redistribute Static Route
  Check the checkbox to enable the Redistribute Static Route function. The entries that are set in a static route will be redistributed if this option is enabled.

Routing Table

The Routing Table page shows all routing entries.

All Routing Entry List (screenshot values; the trailing column is unlabeled on the page):

Index  Type       Destination Address  Next Hop         Interface Name
1      default    0.0.0.0/0            192.168.2.254    wan1
2      connected  100.100.100.0/24     100.100.100.254  lan             0
3      connected  192.168.2.0/24       192.168.2.74     wan1            0

Network Address Translation (NAT)

NAT Co
45. ettingCheck function when the NAT policies change. Accessible IP List: Enables or Disables the SettingCheck function when the Accessible IP List changes. Layer 2 Filter: Enable or disable the SettingCheck function when the Layer 2 filter changes. Timer: 10 to 3600 sec. The timer waits this amount of time to double confirm when the user changes the policies (factory default: 180 sec). For example, if the remote user (IP: 10.10.10.10) connects to the EtherDevice Router and changes the accessible IP address to 10.10.10.12, or deselects the Enable checkbox accidentally after the remote user clicks the Activate button, connection to the EtherDevice Router will be lost because the IP address is not in the EtherDevice Router's Accessible IP list. [Screenshot: Accessible IP list page with "Enable the accessible IP list" ("Disable" will allow all IP's connection) and LAN checkboxes, and one entry for 10.10.10.12] If the user enables the SettingCheck function with the Accessible IP list and the confirmer Timer is set to 15 seconds, then when the user clicks the Activate button on the accessible IP list page, the EtherDevice Router will execute the configuration change and the web browser will try to jump to the SettingCheck Confirmed page automatically. Because the new IP list does not include the Remote user's IP address, the remote user cannot connect to the 
46. etwork   100 100 3 0   100 100 1 0     12345 S    L2TP for Remote User Maintenance: The following example shows how a Roaming user uses L2TP over IPSec to connect to the remote site network. [Figure: Roaming User (No Fixed IP), Internet Network, VPN Secure Tunnel, Ethernet Switch, Remote site Network (100.100.3.0/24)] VPN Plan: All communication from the Roaming user (no fixed IP) to the Remote site Network (100.100.3.0/24) needs to pass through the VPN tunnel. Communication goes through the Internet. The configuration of the WAN/LAN interface for the EtherDevice Router is shown in the following table. [Table: Configuration of EtherDevice Router (1), EDR-G903 Interface Setting: WAN IP 100.100.2.1; LAN IP 100.100.3.1] Based on the requirement and VPN plan, the recommended configuration for L2TP over IPSec is shown in the following table. [Table: Configuration of EtherDevice Router (1): L2TP Tunnel; Local Network: 100.100.3.1/24 (Same as LAN Interface); Startup mode: Wait for Connection; Key Exchange: Pre-shared Key 12345; Data Exchange: Encryption Algorithm 3DES, Hash Algorithm SHA1] Traffic Prioritization: The EtherDevice Router's traffic prioritization capability provides Quality of Service (QoS) to your network by making data delivery more reliable. You can prioritize traffic on your network to ensure that high priority data is transmitted with minimum delay. Traffic can be controlle
47. evice Router will add an N-1 policy from the source IP 192.168.127.1 to 192.168.127.252 to the WAN1 interface after activating the Factory Default. Port Forwarding: If the initial connection is from outside the LAN, but the user still wants to hide the Internal IP address, one way to do this is to use the Port Forwarding NAT function. The user can specify the port number of an external IP address (WAN1 or WAN2) in the Port Forwarding policy list. For example, if the IP address of a web server in the internal network is 192.168.127.10 with port 80, the user can set up a port forwarding policy to let remote users connect to the internal web server from external IP address 10.10.10.10 through port 8080. The EtherDevice Router will transfer the packet to IP address 192.168.127.10 through port 80. The Port Forwarding NAT function is one way of connecting from an external insecure area (WAN) to an internal secure area (LAN). The user can initiate the connection from the external network to the internal network, but will not be able to initiate a connection from the internal network to the external network. [Figure: Remote user on the WAN Network, Port 8080, forwarded to 192.168.127.10, Port 80, on the Production line] [Screenshot: NAT policy settings: Enable, Protocol (TCP), NAT Mode (Port Forward), Interface, WAN Port, LAN/DMZ IP, LAN/DMZ Port] Enable/Disable NAT policy    Enable or Disab
48. ffic based on the following parameters. [Screenshot: firewall policy settings: Enable, Targets (ACCEPT), Interface From/To, Source IP, Protocol, Service (IP Filter), Destination IP] Interface From/To: All (WAN1/WAN2/LAN): Select the From Interface and To interface (factory default: From All to All). Quick Automation Profile: Refer to the "Quick Automation Profile" section on page 3-29. Select the Protocol parameters in this Firewall Policy (factory default: None). Service: IP Filter: This Firewall policy will filter by IP address (factory default: IP Filter). MAC Filter: This Firewall policy will filter by MAC address. Accept: The packet will penetrate the firewall when it matches this firewall policy (factory default: Accept). Drop: The packet will not penetrate the firewall when it matches this firewall policy. Source IP: All (IP Address): This Firewall Policy will check all Source IP addresses in the packet (factory default: All). Single (IP Address): This Firewall Policy will check single Source IP addresses in the packet. Range (IP Address): This Firewall Policy will check multiple Source IP addresses in the packet. Source Port: All (Port number): This Firewall Policy will check all Source port numbers in the packet (factory default: All). Single (Port number): This Firewall Policy will check single Source Port numbers in the packet. Range (Port number): This Firewall Policy will check multiple Source port numbers in the packet. Destination
49. he 255 is the highest priority. If several L3 switches/routers have the same priority, the router with higher IP address has the higher priority. The usable range is "1 to 255". Preemption Mode: Determines whether a backup L3 switch/router will take the authority of master or not (factory default: Enabled). Track Interface: The Track Interface is used to track specific interface within the router that can change the status of the virtual router for a VRRP Group. For example, the WAN interface can be tracked and if the link is down, the other backup router will become the new master of the VRRP group (factory default: Disable). Static Routing and Dynamic Routing: The EtherDevice Router supports two routing methods: static routing and dynamic routing. Dynamic routing makes use of RIP V1/V1c/V2. You can either choose one routing method, or combine the two methods to establish your routing table. A routing entry includes the following items: the destination address, the next hop address (which is the next router along the path to the destination address), and a metric that represents the cost we have to pay to access a different network. Static Route: You can define the routes yourself by specifying what is the next hop (or router) that the EtherDevice Router forwards data for a specific subnet. The settings of the Static Route will be added to the routing table and stored in the EtherDevice Router. RIP (Routing Information
50. he list. PKCS#12 Upload: Use Browser to select the .p12 file and press the Import button. Import Password: The Password for the .p12 certificate. Remote Certificate Upload: [Screenshot: Label, Name, Subject, Certificate Upload, Import] Upload the .crt Remote certificate on this page. Label: User-defined name for this local certificate. Name/Subject: Show the Name and subject when the certificate is imported successfully or the user selects a certificate from the list. Certificate Upload: Use the Browser to select a .p12 file and press the Import button. L2TP (Layer 2 Tunnel Protocol): L2TP is a popular choice for remote roaming users for VPN applications since an L2TP client is built in to the Microsoft Windows operating system. Since L2TP does not provide an encryption function, it is usually combined with IPSec to provide data encryption. L2TP Configuration: [Screenshot: for WAN1 and WAN2: L2TP Server Mode (Disable), Local IP 0.0.0.0, Offered IP Range 0.0.0.0 to 0.0.0.0; Login User/Password: User Name, Password] L2TP Server Mode: Enable/Disable: Enable or Disable the L2TP function on the WAN1 or WAN 2 interface (factory default: Disable). Local IP: IP Address: The IP address of the Local Subnet (factory default: 0.0.0.0). Offered IP Range  Description Facto
51. hes the parameters of Priority 0, 20 Kbytes is reserved for traffic that matches the parameters of priority 2 and so forth. [Screenshot: Outgoing Traffic Configuration (LAN to WAN): Enable; MAX Bandwidth 100 KByte/s; Default Priority: Priority 3; Priority 0: MIN BW 10 KByte/s, MAX BW 100 KByte/s; Priority 1: MIN BW 20 KByte/s, MAX BW 100 KByte/s; Priority 2: MIN BW 30 KByte/s, MAX BW 100 KByte/s; Priority 3: MIN BW 40 KByte/s, MAX BW 100 KByte/s] Set up the outgoing policies as below. [Table: four outgoing policies to WAN1; the legible rows are 1: 192.168.127.10, Priority 0; 2: 192.168.127.11, Priority 1; 3: 192.168.127.12, Priority 2] The EtherDevice Router will manage the bandwidth for outgoing packets. Based on the four outgoing policies below, when the source IP of the Ethernet traffic matches the outgoing policies, the maximum bandwidth for a packet sent from these source IP addresses will be reserved by its target priority. If there are only two kinds of traffic packets (priority 0 and priority 1), then transmission will proceed from LAN to WAN1, and the EtherDevice Router will reserve the minimum bandwidth, 10 KBytes/s and 20 Kbyte/s. [Figure: Bandwidth: 192.168.127.10: 10 KByte/s; 192.168.127.11: 20 KByte/s; 192.168.127.12: 30 KByte/s; 192.168.127.13: 40 KByte/s] Bandwidth:    192.168.127.10: 80 KByte/s   192.168.127.11: 2
52. ifferent pre-defined profiles (Modbus TCP/IP, Ethernet/IP, etc.), allowing users to create an industrial Ethernet Fieldbus firewall policy with a single click. For example, if the user wants to create a Modbus TCP/IP firewall policy for an internal network, the user just needs to select the Modbus TCP/IP (TCP) or Modbus TCP/IP (UDP) protocol from the Protocol drop-down menu on the Firewall Policy Setting page. [Screenshot: Firewall Policy Setting page: Enable, Targets (ACCEPT), Interface From, Source IP (All), Destination IP (All), New/Insert, Filter List] The following table shows the Quick Automation Profile for Ethernet Fieldbus Protocol and the corresponding port number. [Table, protocol names only: Modbus TCP/IP (UDP); PROFI-net RT Unicast (TCP); PROFI-net RT Unicast (UDP); PROFI-net RT Multicast (TCP); PROFI-net RT Multicast (UDP); PROFI-net Context Manager (TCP); PROFI-net Context Manager (UDP); IEC 60870-5-104 (TCP); IEC 60870-5-104 (UDP); DNP (TCP); DNP (UDP)] The Quick Automation Profile also includes the commonly used Ethernet protocols listed in the following table. Ethernet Protocol: IPSec NAT Traversal (UDP); IPSec NAT traversal (TCP); SSH (UDP); Telnet (TCP); Telnet (UDP); HTTP (TCP); HTTP (UDP); IPSec (TCP); IPSec (UDP); L2F & L2TP (TCP); L2F & L2TP (UDP); PPTP (TCP); PPTP (UDP); Radius authentication (TCP); Radius authentication (UDP); RADIUS accounting (TCP); RADIUS
53. igurations. Password: Old password: Type current password when changing the password (factory default: None). New password: Type new password when changing the password (factory default: None). Retype password (max. 16 Characters): If you type a new password in the Password field, you will be required to retype the password in the Retype new password field before updating the new password (factory default: None). Time: The Time configuration page lets users set the time, date, and other settings. An explanation of each setting is given below. [Screenshot: System Time: Time Setting, Current Time (ex. 04:00:04), Current Date, Daylight Saving Time (Start Date, End Date, Offset), Time Update, System Up Time, Time Zone (GMT Greenwich Mean Time: Dublin, Edinburgh, Lisbon, London), Enable NTP/SNTP Server, Enable Server synchronize, 1st Time Server IP/Name, 2nd Time Server IP/Name] The EtherDevice Router has a time calibration function based on information from an NTP server or user specified Time and Date information. Functions such as Auto warning "Email" can add real-time information to the message. NOTE: The EtherDevice Router has a real time clock so the user does not need to update the Current Time and Current Date to set the initial time for the EtherDevice Router after each reboot. This is especially useful when the network does not have an Internet connection for an NTP server, or there is no NTP server on 
54. irm to save the configuration updates. [Screenshot: Confirm: Press "Confirm" button to save the change.] System File Update - by Remote TFTP: The EtherDevice Router supports saving your configuration file to a remote TFTP server or local host to allow other EtherDevice Router routers to use the same configuration at a later time, or saving the Log file for future reference. Loading pre-saved firmware or a configuration file from the TFTP server or local host is also supported to make it easier to upgrade or configure the EtherDevice Router. [Screenshot: Upgrade Software or Configuration: TFTP Server IP/Name; Configuration File Path and Name; Firmware File Path and Name (Download); Log File Path and Name (Upload)] TFTP Server IP/Name: IP Address of TFTP Server: The IP or name of the remote TFTP server. Must be configured before downloading or uploading files (factory default: None). Configuration File Path and Name: Max. 40 Characters: The path and filename of the EtherDevice Router's configuration file in the TFTP server (factory default: None). Firmware File Path and Name: Max. 40 Characters: The path and filename of the EtherDevice Router's firmware file. Log File Path and Name: Max. 40 Characters: The path and filename of the EtherDevice Router's log file. After setting up the desired path and filename, click Activate to save the setting. Next, click Download to download the file from the remote TF
55. is reason, we recommend disabling the DHCP/PPPoE function when using the 1-to-1 NAT function. Firewall Settings. Firewall Policy Concept: A firewall device is commonly used to provide secure traffic control over an Ethernet network, as illustrated in the following figure. Firewall devices are deployed at critical points between an external network (the non-secure part) and an internal network (the secure part). [Figure: External or Unsecure area; Firewall Policy (Incoming/Outgoing, IP/MAC, Protocol: TCP, UDP, Source IP/Port, Destination IP/Port, Accept/Drop); Internal or Secure area] Firewall Policy Overview: The EtherDevice Router provides a Firewall Policy Overview that lists firewall policies by interface direction. [Screenshot: Interface From/To; Filter List with columns Enable, Index, Input, Output, Protocol, Source IP/Port, Destination IP] Select the From interface and To interface and then click the Show button. The Policy list table will show the policies that match the From-To interface. Interface From/To: All (WAN1/WAN2/LAN): Select the From Interface and To interface (factory default: From All to All). Firewall Policy Configuration: The EtherDevice Router's Firewall policy provides secure traffic control, allowing users to control network tra
56. ist ("Disable" will allow all IP's connection) [Screenshot: LAN checkbox; table with columns Enable, Index, IP Address, Netmask and rows 1 to 10; Activate button] Accessible IP Settings allows you to add or remove "Legal" remote host IP addresses to prevent unauthorized access. Access to the EtherDevice Router is controlled by IP address. If a host's IP address is in the accessible IP table, then the host will have access to the EtherDevice Router. You can allow one of the following cases by setting this parameter. (1) Only one host with the specified IP address can access this device. E.g., enter "192.168.1.1/255.255.255.255" to allow access to just the IP address 192.168.1.1. (2) Any host on a specific subnetwork can access this device. E.g., enter "192.168.1.0/255.255.255.0" to allow access to all IPs on the subnet defined by this IP address/subnet mask combination. (3) Any host can access the EtherDevice Router. Disable this function by deselecting the Enable the accessible IP list option. (4) Any LAN can access the EtherDevice Router. Disable this function by deselecting the LAN option to not allow any IP at the LAN site to access this device. E.g., if the LAN IP Address is set to 192.168.127.254/255.255.255.0, then IP addresses 192.168.127.1/24 to 192.168.127.253/24 can access the EtherDevice Router. The following table shows additional configuration examples. Allowable Hosts | Input Format:  192.168.1
57. king the PolicyCheck button, the EtherDevice Router will issue a message informing the user that policy [3] is masked by policy [2] because the IP range of policy [3] is smaller than the IP range of policy [2], and the Target action is different. [Message: rule [3] is masked by rule [2]] Include: Policy [X] is included in Policy [Y]. The Source/Destination IP range or Source/Destination port number of policy [X] is less than or equal to policy [Y], and the action target (Accept/Drop) is the same. In this case policy [X] will increase the loading of the EtherDevice Router and lower its performance. For example, two firewall policies are shown in the following table (columns: Index, Input, Output, Protocol, Source IP, Destination IP, Target). Index 1: WAN1, LAN, All, 10.10.10.10, 192.168.127.10, ACCEPT. Index 2: WAN2, LAN, All, 20.20.20.10 to 20.20.20.30, 192.168.127.20, ACCEPT. Suppose the user next adds a new policy with the following configuration. Index 3: WAN2, LAN, All, 20.20.20.20, 192.168.127.20, ACCEPT. After clicking the PolicyCheck button, the EtherDevice Router will issue a message informing the user that policy [3] is included in policy [2] because the IP range of policy [3] is smaller than the IP range of policy [2], and the Target action is the same. [Message: rule [3] is included in rule [2]] Cross Conflict: Policy [X] cross conflicts with Policy [Y]. Two firewall policy configurations, such as Source IP, Destination IP, Source port, 
58. l    There are two common applications for secure remote communication in an industrial automation network. IPSec (Internet Protocol Security) VPN for LAN to LAN security: Data communication only in a pre-defined IP range between two different LANs. L2TP (Layer 2 Tunnel Protocol) VPN for Remote roaming User: Secure data communication for remote roaming users with dynamic IP. L2TP is a popular choice for remote roaming users for VPN applications because the L2TP VPN protocol is already built in to the Microsoft Windows operating system. IPSec uses the IKE (Internet Key Exchange) protocol for Authentication and Key exchange, and provides a way for the VPN gateway data to be protected by different encryption methods. There are 2 phases for IKE for negotiating the IPSec connections between 2 VPN gateways. Key Exchange (IPSec Phase 1): The 2 VPN gateways will negotiate how IKE should be protected. Phase 1 will also authenticate the two VPN gateways by the matched Pre-shared Key or X.509 Certificate. Data Exchange (IPSec Phase 2): In Phase 2, the VPN gateways negotiate to determine additional IPSec connection details, which include the data encryption algorithm. IPSec Configuration: IPSec configuration includes 5 parts. Global Setting: Enable/Disable all IPSec Tunnels and NAT-Traversal function. Tunnel Setting: Set up the VPN Connection type and VPN network plan. Key Exchange: Authentication for 2 VP
59. l settings to their factory default values. Be aware that previous settings will be lost. [Activate button] The Reset to Factory Default option gives users a quick way of restoring the EtherDevice Router's configuration settings to their factory default values. This function is available in the console utility (serial or Telnet), and web browser interface. After activating the Factory Default function, you will need to use the default network settings to re-establish a web-browser or Telnet connection with your EtherDevice Router. Network Settings. Mode Configuration. Network Mode: EtherDevice Router provides Router Mode and Bridge Mode operation for different applications. [Screenshot: Network Mode: Router Mode (Router, Firewall, VPN, NAT) or Bridge Mode (Bridge Mode Firewall); Address Information for Bridge Mode: IP Address 192.168.127.254, Subnet Mask 255.255.255.0, Gateway 255.255.255.255] Router Mode: In this mode, EtherDevice Router operates as a gateway between different networks. Each interface (WAN1, WAN2 and LAN) has its own IP addresses and different subnet. It provides Routing, Firewall, VPN and NAT functions. This is the default setting of EtherDevice Router. Bridge Mode: In this mode, EtherDevice Router operates as a Bridge mode firewall (also called a transparent firewall) in a single subnet. Users could simply insert EtherDevice Router into the existing single subnet without the need t
60. le  Enable or disable the selected NAT policy (factory default: Enabled). NAT Mode: N-1 / 1-1 / Port Forward: Select the NAT types (factory default: N-1). Interface (Port Forward mode): WAN1 / WAN2: Select the Interface for this NAT Policy (factory default: WAN1). Protocol (Port Forward mode): TCP / UDP / TCP & UDP: Select the Protocol for NAT Policy (factory default: TCP). WAN Port (Port Forward mode): 1 to 65535: Select a specific WAN port number (factory default: None). LAN/DMZ IP (Port Forward mode): IP Address: The translated IP address in the internal network (factory default: None). LAN/DMZ Port (Port Forward mode): 1 to 65535: The translated port number in the internal network (factory default: None). 1-to-1 NAT: If the internal device and external device need to communicate with each other, choose 1-to-1 NAT, which offers bi-directional communication (N-to-1 and Port forwarding are both single-directional communication NAT functions). [Figure: Remote user, WAN Network, 192.168.100.1, production line] 1-to-1 NAT is usually used when you have a group of internal servers with private IP addresses that must connect to the external network. You can use 1-to-1 NAT to map the internal servers to public IP addresses. The IP address of the internal device will not change. The figure below illustrates how a user could extend production lines, and use the same private IP addresses of internal devices in
61. led as the primary interface. WAN Backup Configuration: [Screenshot: WAN2 Configuration: Connect Mode (Disable / Enable / Backup), Connect Type (Dynamic IP)] Select Backup for the WAN2/DMZ Connect Mode, and then go to the Network Redundancy > WAN Backup setting page for the WAN Backup configuration. [Screenshot: Link Check; Ping Check; IP; Interval (sec, 1 to 1000); Retry (1 to 100); Timeout (ms, 100 to 10000); Activate] Link Check: Enable or Disable: Activate Backup function by checking the link status of WAN1 (factory default: Disabled). Ping Check: Enable or Disable: Activates the Backup function if unable to ping from the EtherDevice Router to a specified IP address (factory default: Disabled). IP: IP address: The EtherDevice Router will check the ping integrity of this IP Address if the Ping Check function is Enabled (factory default: None). NOTE: The IP address for Ping Check function should be on the network segment of WAN1. Interval: 1 to 1000 sec: User can set up a different Ping Interval for a different network topology (factory default: 180 sec). Retry: 1 to 100: User can configure the number of retries. If the number of continuous retries exceeds this number, the EtherDevice Router will activate the backup path (factory default: 3). Timeout: 100 to 10000 (ms): The timeout criterion of Ping Check (factory default: 3000 ms). Virtual Router Redundancy Protocol (VRRP). VRRP Settings.    VRRP Setting    VRRP Enable  E
62. ly to enhance the security (factory default: 100%). Rekey fuzz percent is the maximum random change margin of the Rekey expire time. 100% means the rekey expire time will not change randomly. Data Exchange (IPSec phase II): [Screenshot: Data Exchange (IPSec Phase 2): Perfect Forward Secrecy, SA Life Time (min), Encryption Algorithm (3DES), Hash Algorithm (SHA1)] Perfect Forward Secrecy: Enable or Disable: Uses different security key for different IPSec phases to enhance security (factory default: Disable). SA Lifetime: SA lifetime (minutes): Lifetime for SA in Phase 2 (factory default: 480 min). Encryption Algorithm: DES / 3DES / AES-128 / AES-192 / AES-256: Encryption Algorithm in data exchange (factory default: 3DES). Hash Algorithm: Any / MD5 / SHA1 / SHA256: Hash Algorithm in data exchange (factory default: SHA1). Dead Peer Detection: Dead Peer Detection is a mechanism to detect whether or not the connection between a local secure router and a remote IPSec tunnel has been lost. [Screenshot: Dead Peer Detection: Action (Hold), Delay 30 seconds, Timeout 120 seconds] Action: Action when a dead peer is detected. Hold: Hold this VPN tunnel (factory default: Hold). Restart: Reconnect this VPN tunnel. Clear: Clear this VPN tunnel. Disable: Disable Dead Peer Detection. Delay: Delay time (seconds): The period of dead peer detection messages (factory default: 30 sec). Timeout  Factory D
63. mine whether you want to trust the certifying authority. The security certificate date is valid. The name on the security certificate is invalid or does not match the name of the site. Do you want to proceed? [Buttons: Yes, View Certificate] 3. Select Yes to enter the EtherDevice Router's web browser interface and access the web browser interface secured via HTTPS/SSL. A. MIB Groups: The EtherDevice Router comes with built-in SNMP (Simple Network Management Protocol) agent software that supports cold start trap, line up/down trap, and RFC 1213 MIB-II. The standard MIB groups that the EtherDevice Router series support are: MIB II.1 - System Group: sysORTable. MIB II.2 - Interfaces Group: ifTable. MIB II.4 - IP Group: ipAddrTable, ipNetToMediaTable, IpGroup, IpBasicStatsGroup, IpStatsGroup. MIB II.5 - ICMP Group: IcmpGroup, IcmpInputStatus, IcmpOutputStats. MIB II.6 - TCP Group: tcpConnTable, TcpGroup, TcpStats. MIB II.7 - UDP Group: udpTable, UdpStats. MIB II.11 - SNMP Group: SnmpBasicGroup, SnmpInputStats, SnmpOutputStats. Public Traps: 1. Cold Start; 2. Link Up; 3. Link Down; 4. Authentication Failure. Private Traps: 1. Configuration Changed; 2. Power On; 3. Power Off; 4. DI Trap. The EtherDevice Router also provides a MIB file, located in the file "Moxa EDRG903 MIB my" on the EtherDevice Router Series utility CD-ROM, for SNMP trap message interpretation.
64. n    [Screenshot: SYN/RST Scan; ICMP Death, Limit (pkt/s); SYN Flood, Limit (pkt/s)] Null Scan: Enable or Disable: Enable or disable the Null Scan (factory default: None). Xmas Scan: Enable or Disable: Enable or disable the Xmas Scan (factory default: None). NMAP Xmas Scan: Enable or Disable: Enable or disable the NMAP Xmas (factory default: None). SYN/FIN Scan: Enable or Disable: Enable or disable the SYN/FIN Scan (factory default: None). FIN Scan: Enable or Disable: Enable or disable the FIN Scan (factory default: None). NMAP ID Scan: Enable or Disable: Enable or disable the NMAP ID Scan (factory default: None). SYN/RST Scan: Enable or Disable: Enable or disable the SYN/RST Scan. ICMP Death: Enable or Disable: Enable or disable the ICMP Death defense. Packet/Second: The limit value to activate ICMP Death defense. SYN Flood: Enable or Disable: Enable or disable the Null Scan function. Packet/Second: The limit value to activate SYN Flood defense. VPN (Virtual Private Network). Overview: This chapter describes how to use the EtherDevice Router to build a secure Remote Automation network with the VPN (Virtual Private Network) feature. A VPN provides a highly cost-effective solution of establishing secure tunnels, so that data can be exchanged in a secure manner.    Field site    Center site    VPN Secure Tunne
65. n uses e-mail to alert the user when certain user-configured events take place. Three basic steps are required to set up the Auto Warning function. 1. Configure Email Event Types: Select the desired Event types from the Web Browser Event type page (a description of each event type is given later in the Email Alarm Events setting subsection). 2. Configure Email Settings: To configure the EtherDevice Router's email setup from a browser interface, enter your Mail Server's IP/Name (IP address or name), Account Name, Account Password, the sender's email address, and the email address to which warning messages will be sent. 3. Activate your settings and if necessary, test the email: After configuring and activating your EtherDevice Router's Event Types and Email Setup, you can use the Test Email function to see if your e-mail addresses and mail server address have been properly configured. Event Type: [Screenshot: Email Warning Event Settings: System Events (Cold Start, Warm Start, Power Transition On to Off, Power Transition Off to On, DI (Off), DI (On), Config. Change, Auth. Failure); Port Events (WAN1, WAN2, LAN)] Email Warning Event Types can be divided into two basic groups: System Events and Port Events. System Events are related to the overall function of the router, whereas Port Events are related to the activity of a specific port. Warm Start: The EtherDevice Router is rebo
66. nable    [Screenshot: VRRP Interface Setting Entry: Enable, Virtual IP, Virtual Router ID, Priority, Preemption Mode, Track Interface; VRRP Interface Table with columns Enable, Interface, IP Address, Virtual IP, Priority, Preemption Mode, Track Interface] The Virtual Router Redundancy Protocol (VRRP) feature can solve the problem with static configuration. VRRP enables a group of routers to form a single virtual router with a virtual IP address. The LAN clients can then be configured with the virtual router's virtual IP address as their default gateway. The virtual router is the combination of a group of routers, and is also known as a VRRP group. VRRP Interface Setting Entry: Enable: Enables VRRP entry (factory default: Disabled). Virtual IP: L3 switches/routers in the same VRRP group must be set to the same virtual IP address as the VRRP ID. This virtual IP address must belong to the same address range as the real IP address of the interface (factory default: 0.0.0.0). Virtual Router ID: Virtual Router ID is used to assign a VRRP group. The L3 switches/routers, which operate as master/backup, should have the same ID. Moxa L3 switches/routers support one virtual router ID for each interface. IDs can range from 1 to 255. Priority: Determines priority in a VRRP group (factory default: 100). The priority value range is 1 to 255 and t
67. ncept

NAT (Network Address Translation) is a common security function for changing the IP address during Ethernet packet transmission. When the user wants to hide the internal IP address (LAN) from the external network (WAN), the NAT function will translate the internal IP address to a specific IP address, or an internal IP address range to one external IP address. The benefits of using NAT include:

• Uses the N-1 or Port forwarding NAT function to hide the Internal IP address of a critical network or device to increase the level of security of industrial network applications.
• Uses the same private IP address for different, but identical, groups of Ethernet devices. For example, 1-to-1 NAT makes it easy to duplicate or extend identical production lines.

The NAT function will check if incoming or outgoing packets match the policy. It starts by checking the packet with the first policy (Index 1); if the packet matches this policy, the EtherDevice Router will translate the address immediately and then start checking the next packet. If the packet does not match this policy, it will check with the next policy.

The maximum number of NAT policies for the EtherDevice Router is 128.

N-to-1 NAT

If the user wants to hide the Internal IP address from users outside the LAN, the easiest way is to use the N-to-1 (or N-1) NAT function. The N-1 NAT function replaces the source IP Address with an external IP address, and adds a logical port num
68. nimum maximum    ee Enable  bandwidth for each priority  users can set up           _ Fram All m Source IP All pe  the incoming or outgoing policies for Ethernet L    traffic  providing the setup meets all of the Poen Al    following conditions  service   BylP  z Destination IP All dl  Priority Priority 0      Enable or Disable    Enable or Disable Enable or disable this Incoming or Outgoing Policy Disabled    Packet To   From    All    All  WANI or WANZ2  Select the direction of Ethernet traffic for this policy  WAN1 To  For outgoing policy  WAN2 From  For incoming policy    Protocol    All  TCP UDP 1 CMP  Select the Protocol for in this Policy    TCP       Factory Default    By IP       3 54    EDR G903  G902 Features and Functions    Priority       Priority 0 1 2 3 Select the priority for this policy    Source IP    All  IP Address  Select the Source IP address for this policy All  Single  IP Address   Range  IP Address     Source Port    All  Port number  Select the Source port number for this policy All  Single  Port number   Range  Port number     Destination IP    All  IP Address  Select the Destination IP address for this policy All  Single  IP Address   Range  IP Address     Destination Port    All  Port number  Select the Destination port number for this policy All  Single  Port number   Range  Port number     The following table shows the management of outgoing traffic  The maximum bandwidth from LAN to WAN is  100 Kbytes  10 Kbyte is reserved for traffic that matc
69. nly

How Dual WAN Backup Works

A power utility at a field site connects to a central office via two different ISPs (Internet Service Providers). ISP A uses Ethernet and ISP B uses satellite for data transmission, with Ethernet used as the major connection and the satellite as the backup connection. This makes sense since the cost of transmitting through the satellite is greater than the cost of transmitting over the Ethernet. Traditional solutions would use two routers to connect to the different ISPs. In this case, if the connection to the primary ISP fails, the connection must be switched to the backup ISP manually.

The EtherDevice Router's WAN backup function checks the link status and the connection integrity between the EtherDevice Router and the ISP or central office. When the primary WAN interface fails, it will switch to the backup WAN automatically to keep the connection alive.

[Figure: Field site connected to the Center site through ISP A (WAN1, Ethernet, Primary) and ISP B (WAN2, Satellite, Backup)]

When configuring the EtherDevice Router, choose one of the two following conditions to activate the backup path:

• Link Check: WAN1 link down
• Ping Check: Sends ping commands to a specific IP address (e.g., the IP address of the ISP's server) from WAN1 based on user configurable Time Interval, Retry, and Timeout.

When the WAN backup function is enabled and the Link Check or Ping Check for the WAN1 interface fails, the backup interface (WAN2) will be enab
70. [Screenshot: VPN tunnel settings, showing the Connect Interface, Local Network, Remote Network, Remote VPN Gateway, Startup Mode and Netmask fields]

Enable or Disable VPN Tunnel

Enable or Disable (factory default: Disable): Enable or Disable this VPN Tunnel.

Name of VPN Tunnel

Max. of 16 characters (factory default: None): User defined name of this VPN Tunnel.

NOTE The first character cannot be a number.

L2TP over IPSec Enable or Disable

Enable or Disable (factory default: None): Enable or Disable IPSec tunnel over L2TP protocol function.

VPN Connection Type

Site to Site (factory default: Site to Site): VPN tunnel for Local and Remote subnets are fixed.
Site to Site (Any): VPN tunnel for Remote subnet area is dynamic and Local subnet is fixed.

Remote VPN Gateway

IP Address (factory default: None): Remote VPN Gateway's IP Address.

Connection Interface

WAN1, WAN2 (factory default: WAN1): The interface of the VPN Tunnel.
Default Route: If the user enables the WAN backup function, WAN1 would be the primary default route and WAN2 would be the backup route.

Startup Mode

Start in Initial (factory default: Start in Initial): This VPN tunnel will actively initiate the connection with the Remote VPN Gateway.
Wait for Connecting: This VPN tunnel will wait for the remote VPN gateway to initiate the connection.

NOTE The maximum number of Start in Initial VPN tunnels is 5. The maximum num
71. nterval of LLDP messages. Unit is in seconds. (Factory default: 30 sec.)

LLDP Table

Port: The port number that connects to the neighbor device.
Neighbor ID: A unique entity that identifies a neighbor device; this is typically the MAC address.
Neighbor Port: The port number of the neighbor device.
Neighbor Port Description: A textual description of the neighbor device's interface.
Neighbor System: Hostname of the neighbor device.

Using Monitor

You can monitor statistics in real time from the EtherDevice Router's web console.

Monitor by System

Access the Monitor by selecting "System" from the left selection bar. Monitor by System allows the user to view a graph that shows the combined data transmission activity of all the EtherDevice Router's 3 ports. Click one of the three options (Total Packets, TX Packets or RX Packets) to view transmission activity of specific types of packets. Recall that TX Packets are packets sent out from the EtherDevice Router, and RX Packets are packets received from connected devices. The Total Packets option displays a graph that combines TX and RX activity. The graph displays data transmission activity by showing Packets/s (i.e., packets per second, or pps) versus sec. (seconds). The graph is updated every few seconds, allowing you to analyze data transmission activity in real time.

[Screenshot: Monitor System, Total Packets]
72. o reconfigure the original subnet into different subnets and without the need to reconfigure the IP address of existing devices
• EtherDevice Router only has one IP address, Network mask and Gateway
• VPN, NAT, WAN backup, VRRP, DHCP, Dynamic DNS are not supported in this mode

[Screenshot: Network Mode selection (Router Mode or Bridge Mode) and Address Information for Bridge Mode (IP Address 192.168.127.254, Subnet Mask 255.255.255.0, Gateway)]

The user can select the appropriate operation mode and press Activate to change the mode of the EtherDevice Router. Changing the operation mode takes around 30-60 seconds while the system reboots. If the webpage does not respond after 30-60 seconds, refresh the webpage or press F5.

WAN1 Configuration

[Screenshot: WAN1 Configuration, Connection settings (Connect Mode, Connect Type)]

Connection

Note that there are three different connection types for the WAN1 interface: Dynamic IP, Static IP, and PPPoE. A detailed explanation of the configuration settings for each type is given below.

Connection Mode

Enable or Disable: Enable or Disable the WAN interface.

Connection Type

Static IP, Dynamic IP, PPPoE (factory default: Dynamic IP): Set up the connection type.

Detailed Explanation of Dynamic IP Type

[Screenshot: WAN1 Configuration with Connect Type set to Dynamic IP]

PPTP Dialup
73. on Type   Data Encryption

SNMP V1, V2c
  V1, V2c Read Community; Community string; Uses a community string match for authentication.
SNMP V3
  MD5 or SHA; Authentication based on MD5 or SHA; Provides authentication based on HMAC-MD5 or HMAC-SHA algorithms. 8-character passwords are the minimum requirement for authentication.
  MD5 or SHA; Authentication based on MD5 or SHA; Data encryption key; Provides authentication based on HMAC-MD5 or HMAC-SHA algorithms, and data encryption key. 8-character passwords and a data encryption key are the minimum requirements for authentication and encryption.

These parameters are configured on the SNMP page. A more detailed explanation of each parameter is given below.

SNMP Read Settings

[Screenshot: SNMP settings page, showing SNMP Versions, Contact Person, Auth. Type, Data Encryption Key, Community Name 1 (public) and Community Name 2 (private) with Access Control set to Read Only, and Trap Targets (Target IP Address 1 to 3)]

SNMP Versions

Disable; V1, V2c, V3; V1, V2c; or V3 only (factory default: Disable): Select the SNMP protocol version used to manage the secure router.

Contact Person

Admin or user (factory default: Admin): Admin privilege allows access and authorization to read and write the MIB file. User privilege only allows rea
74. oring functions.

The following topics are covered in this chapter:

• Configuring Basic Settings
• Network Settings
• Network Redundancy
• Static Routing and Dynamic Routing
• Network Address Translation (NAT)
• Firewall Settings
• VPN (Virtual Private Network)
• Traffic Prioritization
• Configuring SNMP
• Using Auto Warning
• Using Diagnosis
• Using Monitor
• Using System Log
• Using HTTPs/SSL

The Overview page is divided into three major parts: Interface Status, Basic function status, and Recent 10 Event logs, and gives users a quick overview of the EtherDevice Router's current settings.

[Screenshot: Overview page, showing Interface Status, basic function status and Recent 10 EventLog]

Click More at the top of the Interface Status table to see detailed information about all interfaces.

[Screenshot: Interface Status table]
75. [Screenshot: traffic configuration showing MIN. BW and MAX. BW for Priority 0 to 3, and Outgoing Traffic Configuration (LAN to WAN2) with Enable, MAX. Bandwidth 100 KByte/s and Default Priority 3]

Traffic Prioritization Configuration

Enable or Disable

Enable or Disable (factory default: Disabled): Enable or disable the Traffic Prioritization function.

Max. Bandwidth

1 to 1,000,000 KBytes/s (factory default: 100 KBytes/s): The maximum bandwidth for total incoming or outgoing traffic.

Default Priority

Priority 0/1/2/3 (factory default: Priority 3): A packet without matching any incoming/outgoing policy will adhere to the default priority.

Minimum Bandwidth of Priority 0, 1, 2, 3

1 to 1,000,000 KBytes/s (factory default: Priority 0: 10 KBytes/s; Priority 1: 20 KBytes/s; Priority 2: 30 KBytes/s; Priority 3: 40 KBytes/s): The minimum bandwidth for Priority 0/1/2/3.

Maximum Bandwidth of Priority 0, 1, 2, 3

1 to 1,000,000 KBytes/s (factory default: Priority 0: 10 KBytes/s; Priority 1: 20 KBytes/s; Priority 2: 30 KBytes/s; Priority 3: 40 KBytes/s): The maximum bandwidth for Priority 0/1/2/3.

Outgoing/Incoming Policy Setup

After configuring the mi
76. ost unique feature is that even though the ping command is entered from the user's PC keyboard, the actual ping command originates from the EtherDevice Router itself. In this way, the user can essentially control the EtherDevice Router and send ping commands out through its ports. There are two basic steps required to set up the Ping command to test network integrity:

1. Select which interface will be used to send the ping commands. You may choose from WAN1, WAN2, and LAN.
2. Type in the desired IP address, and click Ping.

LLDP Function Overview

Defined by IEEE 802.11AB, Link Layer Discovery Protocol (LLDP) is an OSI Layer 2 Protocol that standardizes the methodology of self-identity advertisement. It allows each networking device, such as a Moxa managed switch/router, to periodically inform its neighbors about itself and its configuration. In this way, all devices will be aware of each other.

LLDP Settings

[Screenshot: LLDP General Settings (LLDP Enable, Message Transmit Interval 30) and a table with columns Port, Neighbor ID, Neighbor Port, Neighbor Port Description, Neighbor System]

The router's web interface can be used to enable or disable LLDP, and to set the LLDP Message Transmit Interval. Users can view each switch's neighbor list, which is reported by its network neighbors.

LLDP Setting

Enable LLDP

Enable or Disable: Enable or disable LLDP function.

Message Transmit Interval

5 to 32768 sec.: Set the transmit i
77. oted, such as when network parameters are

DI (Off): Digital Input is triggered by on to off transition.
DI (On): Digital Input is triggered by off to on transition.
Config. Change: A configuration item has been changed.
Auth. Failure: An incorrect password is entered.

Port Events: Warning email is sent when...

Link ON: The port is connected to another device.
Link OFF: The port is disconnected (e.g., the cable is pulled out or the opposing device shuts down).

E-mail Setup

[Screenshot: Email Warning Events Settings, Email Alert Configuration, with fields Email (SMTP) Server Address, PORT, User Name, Password, Sender Address, and 1st to 4th Recipient Address]

Mail Server IP/Name

IP address (factory default: None): The IP Address of your email server.

Port

Port number (factory default: None): The port number of your email server.

Account Name

Max. 30 Characters (factory default: None): Your email account name (typically your user name).

Email Password

Max. 30 characters (factory default: None): The Password of your email account.

Sender Email Address

IP address (factory default: None): The IP Address of the email sender.

Recipient Email Address

Max. 50 characters (factory default: None): You can set up to 4 email addresses to receive alarm emails from the EtherDevice Router.

Send Test
78. [Screenshot: EDR-G903 Secure Router web console showing the navigation menu and the Overview page; the footer reads "goahead WEBSERVER" and "Best viewed with IE 5 above at resolution 1024 x 768"]

3. Features and Functions

In this chapter, we explain how to access the EtherDevice Router's configuration options, perform monitoring, and use administration functions. There are three ways to access these functions: (1) RS-232 console, (2) Telnet console, and (3) web browser.

The web browser is the most user-friendly way to configure the EtherDevice Router, since you can both monitor the EtherDevice Router and use administration functions from the web browser. An RS-232 or Telnet console connection only provides basic functions. In this chapter, we use the web browser to introduce the EtherDevice Router's configuration and monit
79. ry Default

IP Address (factory default: 0.0.0.0): Offered IP range is for the L2TP clients.

Login User Name

Max. to xx character (factory default: NULL): User Name for L2TP connection.

Login Password

Max. to xx character (factory default: NULL): Password for L2TP connection.

Examples for Typical VPN Applications

Site to Site IPSec VPN tunnel with Pre-shared Key

The following example shows how to create a secure LAN to LAN VPN tunnel between the Central site and Remote site via an Intranet network.

[Figure: EDR-G903 (1) at the Central site Network (100.100.1.0/24) and EDR-G903 (2) at the Remote site Network (100.100.3.0/24), joined by a VPN Secure Tunnel across the Intranet Network (100.100.2.0/24)]

VPN Plan:

• All communication from the Central site network (100.100.1.0/24) to the Remote site Network (100.100.3.0/24) needs to pass through the VPN tunnel.
• Intranet Network is 100.100.2.0/24.
• The configuration of the WAN/LAN interface for 2 EtherDevice Routers is shown in the following table.

EDR-G903 Configuration      EtherDevice Router (1)   EtherDevice Router (2)
Interface Setting WAN IP    100.100.2.1              100.100.2.2
                  LAN IP    100.100.1.1              100.100.3.1

Based on the requirement and VPN plan, the recommended configuration for VPN IPSec is shown in the following table.

Configuration               EtherDevice Router (1)   EtherDevice Router (2)
Local Network               100.100.1.0              100.100.3.0
Remote N
80. s Detail Interface Status

[Screenshot: Detail Interface Status for WAN1, WAN2 and LAN (connect type, IP address, netmask, MAC address, PPTP and PPPoE state, gateway, packet counters) and the DNS Server List]

Click More at the top of the "Recent 10 Event Log" table to open the EventLogTable page.

[Screenshot: Recent 10 Event Log and the EventLog Table page, listing link on/off, configuration change and login events with their System Startup Time]

Configuring Basic Settings

The Basic Settings group includes the most commonly used settings required by administrators to maintain and control the EtherDevic
81. s consol mode connection
lan        Set the IP address of LAN interface
list       Print command list
no         Set the admin password to null
password   Set the admin password
ping       Send echo messages
quit       Exit this consol mode connection
reboot     Reboot this device
reload     Reload default configuration and reboot this device
show       Show running system information
ssh        Open a ssh connection
telnet     Open a telnet connection

The following table shows a list of commands that can be used when the EtherDevice Router is in console (serial or Telnet) mode:

Login by Admin account

lan
  lan ip address A.B.C.D netmask A.B.C.D: Set the IP address of LAN interface. Example: lan ip address 192.168.127.10 netmask 255.255.255.0
password
  password admin <password>: Set the admin password. Example: Password admin 1234
  password user <password>: Set the user password. Example: Password user 1234
ping
  ping <IP address>: Send echo message. Example: ping 192.168.127.10
reload
  reload default config: Reload default configuration and Reboot this device

2-3 EDR-G903/G902 Getting Started

telnet
  telnet <IP address>: Open a telnet connection. Example: telnet 192.168.127.10
  telnet <IP address> <port number>: Open a telnet connection with port number. Example: telnet 192.168.127.10 23
ssh
  ssh <IP address>: Open a ssh connection. Example: ssh 192.168.127.10

Login by User account

exit, quit
  Exit this consol mode connection
ping
  ping <IP address>: Ping remote devi
82. sword for the PPPoE server. (Factory default: None)

WAN2 Configuration (includes DMZ Enable)

[Screenshot: WAN2 Configuration, Connection settings (Connect Mode: Disable, Enable, Backup; Connect Type: Dynamic IP)]

Connection

Note that there are three different connection types for the WAN2 interface: Dynamic IP, Static IP, and PPPoE. A detailed explanation of the configuration settings for each type is given below.

Connection Mode

Enable or Disable (factory default: None): Enable or Disable the WAN interface.
DMZ Enable: Enable DMZ mode (can only be enabled when the connection type is set to Static IP).

Connection Type

Static IP, Dynamic IP, PPPoE (factory default: Dynamic IP): Configure the connection type.

Detailed Explanation of Dynamic IP Type

[Screenshot: WAN2 Configuration with Connect Type set to Dynamic IP, showing the PPTP Dialup and DNS fields]

PPTP Dialup

Point-to-Point Tunneling Protocol is used for Virtual Private Networks (VPN). Remote users can use PPTP to connect to private networks from public networks.

PPTP Connection

Enable or Disable (factory default: None): Enable or Disable the PPTP connection.

IP Address

IP Address (factory default: None): The PPTP service IP address.

User name

Description Factor
83. tem File Update by Remote TETAS aaa A A AA AA AA 3 10  System File Update   by Local I mMportEXpOr    secre aia 3 10  ROSCA   geen E e nr mrt ter rr ter ter errr rrr rrr rrr rrr rrr rrr rrr rr rrr rrr rrr errr rrr rrr rr rrr 3 11  RESCE TO  Factor Det Ulsa tl ts io 3 11  NetWork Sen ii taaan da 3 12  Mode COn NqutatO Mascarada  3 12  WANT CORTO UFO AAA AAA as eta eae ea aa GENTE 3 13  WAN2 Configuration  includes DMZ Enable            ccc ccccccc cece eee eee eee eee e eee eee eee ee EEE EE SSeS EE EEG E EEE EE ES 3 15  Jamno DMZ TOC es cree ee dnd en ae AOT T en ne eer ene ae eee 3 19  A A A a A 3 19  DRAE  Severa tt A IA anaan IRE cmenanenanananenanaeadacaane 3 20  A A O O 3 21  DHCP Leased E E CE 3 22  A e eo A AE EEEE AA A AE 3 22  Network RedundaneY iaaii aae o E E E T a aaa iG 3 23  WAN Backup  CEDR GOOS  Oly  ares a a AAAA RAA 3 23  Virtual Router Redundancy Protocol  VRRP  si cioias testi tant ioral rera ce Gace eae ress ene AER 3 25  Static Routing ANd Dynamic ROUTING         c cece cece cence eee cra ren 3 26  SONC ROUNO ta dd dnde didad ns 3 26  RIP  Routing Information Protocol         cccccccccccccccccncnccnnconcnnnnnccn nr rr rar rr rr rr 3 27  Boong e T ali A E e T de IAE TTT  3 28  Network Address  Translation   NAT  iii A e 3 28  NAT   CONCORD DO A 3 28  A a a II II ror Tee 3 28  EA A A hat oe 3 29  EET A O Detects E E E E E 3 31  Firewall SCUINOS serene esua E a aesa ea e ts ae ed 3 33  FIrOwWaAll PONCY CONG ear ence ees eu ene EE R R cnc eee EE R ERE AEE en
84. the network.

Current Time

User adjustable Time (hh:mm:ss) (factory default: None): The time parameter allows configuration of the local time in local 24-hour format.

Current Date

User adjustable date (yyyy/mm/dd) (factory default: None): The date parameter allows configuration of the local date in yyyy/mm/dd format.

Daylight Saving Time

Daylight Saving Time (also known as DST or summer time) involves advancing clocks 1 hour during the summer to provide an extra hour of daylight in the evening.

Start Date

User adjustable date (factory default: None): The Start Date parameter allows users to enter the date that daylight saving time begins.

End Date

User adjustable date (factory default: None): The End Date parameter allows users to enter the date that daylight saving time begins.

Offset

User adjustable date (factory default: None): The offset parameter indicates how many hours forward the clock should be advanced.

System Up Time

Indicates the EDR-G903's up time from the last cold start. The unit is seconds.

Time Zone

User selectable time zone (factory default: GMT): The time zone setting allows conversion from GMT (Greenwich Mean Time) to local time.

Changing the time zone will automatically correct the current time. You should configure the time zone before setting the time.

Enable NTP/SNTP Server

Enable this function to configure the EtherDevice Router as a NTP/SNTP server on the network.

Enable Server synchronize

Enable this function to configure the EtherDevice Router as a NTP/SNTP client. It
85. ver. The function supports 3 configurable syslog servers and syslog server UDP port numbers. When an event occurs, the event will be sent as a syslog UDP packet to the specified syslog servers.

[Screenshot: Syslog Setting, with Enable, Syslog Server 1 (192.168.127.100) and Port Destination 514 (1 to 65535), followed by the same fields for Syslog Server 2 and Syslog Server 3, and an Activate button]

Syslog Server 1/2/3

IP Address (factory default: None): Enter the IP address of the Syslog Server used by your network.

Port Destination (1 to 65535) (factory default: 514): Enter the UDP port of the Syslog Server.

Using HTTPs/SSL

To secure your HTTP access, the EtherDevice Router supports HTTPS/SSL to encrypt all HTTP traffic. Perform the following steps to access the EtherDevice Router's web browser interface via HTTPS/SSL.

1. Open Internet Explorer and type https://<EtherDevice Router's IP address> in the address field. Press Enter to establish the connection.

[Screenshot: address field showing https://192.168.127.254]

2. A warning message will appear to warn the user that the security certificate was issued by a company they have not chosen to trust.

Security Alert

Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate.

The security certificate was issued by a company you have not chosen to trust. View the certificate to deter
86. y Default

Max. 30 Characters (factory default: None): The Login username when dialing up to PPTP service.

Password

Max. 30 characters (factory default: None): The password for dialing the PPTP service.

Example: Suppose a remote user (IP: 10.10.10.10) wants to connect to the internal server (private IP: 30.30.30.10) via the PPTP protocol. The IP address for the PPTP server is 20.20.20.1. The necessary configuration settings are shown in the following figure.

[Figure: PPTP example topology, labelled with WAN IPs 61.32.10.10 and 72.51.30.30, PPTP IP (Client) 20.20.20.2/32 and PPTP IP (Server) 20.20.20.1/32, hosts 10.10.10.10/24 and 30.30.30.10/24, and Static Route entries (Destination, Netmask, Next Hop Address) using next hops 20.20.20.1 and 20.20.20.2. Note: If the OS is Linux, the Next Hop is 20.20.20.1.]

DNS (Domain Name Server; optional setting for Dynamic IP and PPPoE types)

Server 1/2/3

IP Address: The DNS IP Address.

NOTE The priority of a manually configured DNS will be higher than the DNS from the PPPoE or DHCP server.

Detailed Explanation of Static IP Type

[Screenshot: WAN2 Configuration for the Static IP type, showing DMZ Enable, Address Information (IP Address, Gateway, Subnet Mask), PPTP Dialup and DNS fields]

Address Information
    