RuggedCom RX1100 Network Router User Manual
Contents
1. Rulesets

Figure 196: Snort Main Menu (part 3). The figure shows the Rulesets table (columns Rule Set, Status, Action) and a "Look up a rule by its Snort ID number" field with a Look Up Rule button. The rulesets listed, with the Action link shown beside each:
   attack-responses: Disable; misc: Disable; smtp: Disable; backdoor: Enable; multimedia: Enable; snmp: Enable; bad-traffic: Disable; mysql: Disable; sql: Disable; chat: Enable; netbios: Disable; telnet: Disable; ddos: Disable; nntp: Disable; tftp: Disable; dns: Disable; oracle: Disable; virus: Enable; dos: Disable; other-ids: Disable; web-attacks: Enable; experimental: Disable; p2p: Enable; web-cgi: Disable; exploit: Disable; policy: Enable; web-client: Disable; finger: Disable; pop2: Disable; web-coldfusion: Disable; ftp: Disable; pop3: Disable; web-frontpage: Disable; icmp: Disable; porn: Enable; web-iis: Disable; icmp-info: Enable; rpc: Disable; web-misc: Disable; imap: Disable; rservices: Disable; web-php: Disable; info: Enable; scan: Disable; x11: Disable; local: Disable; shellcode: Enable.

The Rulesets section selects the rules to apply on monitored interfaces. Each ruleset reflects a collection of rules that are related. The link under the Action field will disable or enable all of the rules in a ruleset. Individual rules in a ruleset may be modified by following the set name link.
2. Figure 157: Current Routing & Interface Table.

This menu displays the current routing table and the state of the router's interfaces. Select the Refresh link in order to refresh the display. The entries under the Destination field reflect the network or host which can be reached through this route; the default entry matches any packet which has not already matched another route. The entries under the Via field reflect the address of the gateway to route packets through to reach the target network; the field is blank for non-gateway routings. The entries under the Device field reflect the name of the interface this route belongs to; packets using this route will be sent on this interface. The entries under the Metric field reflect the cost of this route; the route with the lowest metric matching a destination is used. The entries under the Protocol field reflect the system that created the route. It is one of: kernel (default interface routes), core (dynamic routing protocol routes), redirect (routes added due to an ICMP redirect message), or static (for manually added routes). The entries under the Source field reflect the source address to use when originating a packet to a destination matching this route. Note that packets routed through the router have their own source address. Note that if the sending application decides to, it can manually specify the source address. The entrie
3. Figure 83: Configure Modem PPP Client. The figure lists the existing connection (HeadOffice) with Edit and Add new links, and a "Connect at boot" parameter (set to HeadOffice) described as "Which client connection to start automatically at boot", with a Save button.

To edit an existing connection, click the Edit link for that connection. To create a new connection, click the Add new link. To have the router automatically dial a connection at boot and keep it up all the time, select which connection should be used from the drop-down list of available connection profiles in the Connect at boot list.

Figure 84: Configure Modem PPP Client (ppp0). The edit form shows the fields Connection name (HeadOffice), PPP Username (myuser), Password, Dial type (DTMF), Phonenumber (5551234), Defaultroute and Use peer DNS, with Save and delete buttons; the note beside Save reads "Saving will reset ppp link to update settings".

The Connection Name field determines what name will be used to refer to this connection when choosing which connection to dial automatically at boot, or which connection to use as a backup for another link. The PPP Username field determines the user name to use when connecting to the PPP server, as specified by your provider. The Password field determines the password to use when connecting to the PPP server. The Dial type field determines the type of dialing system to use on the phone line: either DTMF (tone dialing) or Pulse. Almost all phone systems support DTMF, and DTMF is
4. Figure 75: DDS Link Statistics. The Link Alarms panel shows In Service (GREEN) and the alarm indicators Data mode idle, Zero supp. code, Ctrl mode idle, Out of service code, Out of frame code, Valid DSU NL loopback, Unsigned mux code and Rx loss of signal (all OFF), with Refresh and Clear Statistics buttons.

(RuggedCom, page 86. Chapter 8: Configuring Frame Relay, PPP And DDS)

Frame Relay And PPP Interface Statistics

Frame Relay and PPP interface statistics are as described in the Configuring Frame Relay, PPP And T1/E1 chapter.

DDS Loopback

When at least one logical interface is configured and that interface is active, a DDS Loopback test can be performed. This menu can be reached from a link on the DDS WAN Interfaces menu. The remote equipment must be able to loop, allowing the entire line to be verified. If the remote equipment is another RuggedCom router, starting a line loopback will verify both cards and the line. DDS has no standard for performing digital loopback. For more information on DDS loopback, refer to the T1/E1 Loopback section in the chapter Configuring Frame Relay, PPP And T1/E1.

Current Routes & Interface Table

The table provided by this command is as described in the Networking menu, Network Utilities sub-menu. It is also provided here as a convenience.

Upgrading Software

For some customers, access to remote sites is accomplished solely by a DDS connection. Usually a software upgrade will
5. Figure 172: DHCP Subnet Configuration. The figure shows the subnet's Address Pools table (Pool, Address Ranges), the Option 82 Clients table (clientname, remote id, circuit id) and an "Add an address pool" link.

The settings specific to the Subnet menu are the subnet description, Network address and mask. The Subnet description field is used to describe the subnet as desired. The Network address and Netmask fields of the subnet help to specify the span of assigned addresses. Within a subnet you can create hosts, groups of hosts and address pools.

(RuggedCom, page 209. RuggedRouter User Guide)

DHCP Group Configuration

Figure 173: DHCP Group Configuration. The Create Host Group form shows Group Details (Group description, Hosts in this group, Group assigned to: Toplevel), Use name as client hostname (Yes/No/Default), Default lease time (Default; secs), Maximum lease time (Default; secs), Boot filename (None), Boot file server (This server / Server name / Default), Lease length for BOOTP clients (Forever; secs), Lease end for BOOTP clients (Never), Dynamic DNS domain, Dynamic DNS enabled (Yes/No/Default), Dynamic DNS hostname (From client / domain) and Allow unknown clients (Allow/Deny/Ignore/Default), with a Create button.

The settings specific to the Group menu are the group description and Use name as client hostname fields. The Group description field is used
6. Figure 122: OSPF Global Parameters (continued). The visible parameters and their descriptions: Hostname; Opaque LSA (enable: "Enable Opaque LSA capability"; disabled); Passive Default (enable: "Set new interfaces passive by default"; enabled); Refresh Timer ("Set refresh timer", 10 to 1800 seconds; 10); RFC 1583 Compatibility (enable: "Enable compatibility with obsolete RFC1583 OSPF, current is RFC2178"; disabled); Redistribute Connected ("Redistribute routes for directly connected interfaces to OSPF area routers", enable/disable, metric type 1 or 2, metric 0 to 16777214; disabled, 2, unset); Redistribute Kernel ("Redistribute kernel routes to OSPF area routers", same options); Redistribute RIP ("Redistribute rip routes to OSPF area routers", same options); Router ID ("Identifier of router. Often the main IP address of the router", A.B.C.D; highest IP of system); Save.

(RuggedCom, page 147. RuggedRouter User Guide)

The Enable Password field sets the password to be used for the enable command of ospfd. This is used by the telnet interface of ospfd to control access to the configuration. The Telnet Password field sets the password to be used for telnet access to ospfd. This is used as the login password of ospfd when locally telnetting to port 2604 of the router. The
7. Figure 74: Edit Logical Interface (PPP).

The fields and buttons in this menu are the same as those described in the Editing A Logical Interface (PPP) section of the previous chapter.

DDS Statistics

When at least one logical interface is configured, DDS Link and logical interface statistics will be available. These statistics are available from links on the DDS WAN Interfaces menu. Link Statistics are provided through the View Link Statistics link at the bottom of each interface table. Frame Relay and PPP statistics are available through Statistics links under the interface name column of each interface table.

Link Statistics

The 56K 1 Link Layer Statistics table shows Receive Statistics (Number of frames received: 7; Number of bytes received: 160; Receive Throughput; Received frames discarded, too short; Received frames discarded, too long; Received frames discarded, link inactive) and Transmit Statistics (Number of frames transmitted: 3; Number of bytes transmitted: 168; Transmit Throughput; Transmit frames discarded, length error), followed by Receive Errors (Number of receiver overrun errors; Number of abort frames received; Number of receiver CRC errors; Number of times receiver disabled) and Transmit Errors (Number of transmitted abort frames, missed Tx interrupt; Number of transmit underruns; Number of abort frames transmitted
8. Figure 43: Editing a Network Interface. The lower part of the form shows the Status (Down), Proxy ARP (Yes/No) and Media Type (Auto Negotiation) fields, Virtual interfaces (0, Add virtual interface), Virtual LAN interfaces (0, Add virtual lan interface), the note "If IP Address is set as None, netmask and Broadcast will automatically set as None", and Save and Delete buttons.

This menu allows you to make changes to the currently active interfaces. The Save button will activate any changes and will not affect the permanent configuration. The IP Address field sets the IP address for this interface. The Netmask fields set the IP network mask for this interface. Setting this to Automatic causes the mask to be set to the usual class A, B or C network mask as derived from the interface address; the next field can be used to specify the mask manually. The Broadcast fields set the IP broadcast address for this interface. Setting this to Automatic causes the address to be set to the usual address as derived from the interface address; the next field can be used to specify the broadcast address manually. The MTU field sets the Maximum Transfer Unit of an interface; this limits the maximum size of frames on the interface. The Status field provides a way to disable the interface or bring it back into service. The MAC address field displays the current Media Access Control address and allows it to be modified. The Proxy ARP fields display whether the interface has proxy ARP activated. The Media Type field dis
9. ModBus does not employ flow control, so XON/XOFF should not be configured. The RuggedRouter maintains configurable timers to help decide when replies and requests are complete and to handle special messages such as broadcasts. The RuggedRouter will also handle the process of line turnaround when used with RS485.

Broadcast RTU Polling

Broadcast polling allows a single host-connected RuggedRouter to fan out a polling stream to a number of remote RTUs. The host equipment connects via a serial port to a RuggedRouter. Up to 32 remote RuggedRouters may connect to the host server via the network. Initially, the remote servers will place connections to the host server. The host server in turn is configured to accept the required number of incoming connections.

(RuggedCom, page 186. Chapter 19: Configuring Serial Protocols)

The host will sequentially poll each RTU. Each poll received by the host server is forwarded (i.e. broadcast) to all of the remote servers. All RTUs will receive the request and the appropriate RTU will issue a reply. The reply is returned to the host server, where it is forwarded to the host.

Serial Protocols Concepts And Issues

Host And Remote Roles

RuggedRouter either places a TCP connection or accepts one. The connection can be made from the field (or remote) equipment to the central site (or host) equipment, vice versa, or bi-directionally. Connect from the host to the remote if: the host end uses
10. Verify the web server by opening a web browser on another host on the network and entering the URL http:// followed by the IP address Apache was installed with. Note that you may also verify Apache from a browser on the web server itself by browsing http://localhost. If properly set up, the Apache default web page will be shown:

"If you can see this, it means that the installation of the Apache web server software on this system was successful. You may now add content to this directory and replace this page. Seeing this instead of the website you expected? This page is here because the site administrator has changed the configuration of this web server. Please contact the person responsible for maintaining this server with questions. The Apache Software Foundation, which wrote the web server software this site administrator is using, has nothing to do with maintaining this site and cannot help resolve configuration issues. The Apache documentation has been included with this distribution. You are free to use the image below on an Apache-powered web server. Thanks for using Apache!"

Figure 239: Apache Default Web Page.

Apache serves the web pages contained in the directory known as the DocumentRoot. You must change the document root: from the desktop, click Start > All programs > Apache HTTP Server > Configure Apache Server > Edit the Apache httpd.conf file. Search the file for the DocumentRoot variable and
11. (last entry of the filter list)
   match source IP/Mask 0.0.0.0/0 -> queue low

Note that the snmp, www, ssh and telnet keywords are defined in the file /etc/services, so we can use their mnemonics here. We could also have used the raw port numbers 161, 80, 22 and 23, respectively. The TcpModbus port number is not common and must be explicitly entered. The webmin port number of 10000 reflects the fact that web traffic from a router is issued on this port. Each of the port-based filters must match a source port: matching is being applied to packets from the service at the well-known source port to an unknown and variable destination port number. Finally, note that the final traffic filter essentially suppresses TOS inspection by directing all unmatched traffic onto the low queue.

(RuggedCom, page 170. Chapter 16: Configuring Traffic Prioritization)

Traffic Prioritization Main Menu

Figure 141: Traffic Prioritization Main Menu. The Traffic Prioritization Interfaces table has the columns Interface, Prioritized, Queues, Filters and Statistics; in the figure eth1 is prioritized (Yes, 4 queues) with an "eth1 Statistics" link, eth2 is not prioritized (No), and w1ppp is prioritized (Yes, 4 queues) with a "w1ppp Statistics" link.

This menu displays network interfaces for which prioritization may be activated. Prioritization may be configured by following the Interface column link. The Statistics of prioritized interfaces may be viewed by following the links in the Statistics column.

Interface Prioritization Menu

w1ppp Prioritization
12. (RuggedCom, page 149. RuggedRouter User Guide)

The Transmit Delay field controls the estimated number of seconds to transmit a link state update packet. This should take into account transmission and propagation delays of the interface. The Passive Interface option controls if an interface is active or passive. Passive interfaces do not send LSAs to other routers and are not part of an OSPF area. The Authentication field controls the type of authentication to use when communicating with other routers. It can be none, null (just check for message corruption), or message digest, which cryptographically signs each message with a shared key. The Message Digest Keys fields allow for addition and deletion of keys to use for areas connected to this interface when authentication is set to message digest.

OSPF Network Areas

Figure 124: Network Areas. The table has the columns Area ID (A.B.C.D), Area Address/Netmask (A.B.C.D/M) and Action; in the figure area 0.0.0.0 contains 192.168.2.0/24 and 192.168.1.0/24, each with a Delete button, and there is an Add button.

OSPF uses areas to control which routes are distributed between routers. To add a network to an area, enter the area id and the network address and netmask and click Add. To delete an entry, click the Delete button beside the entry. All network routes that are part of the same area will be distributed to other routers in the same area.

OSPF Status

This status menu shows various pieces of information about
13. Chapter 7: Configuring Frame Relay, PPP And T3

Editing A T3 Interface

Figure 65: Edit T3 Interface. The form for interface T3 1 shows the parameters Convert this interface to E3, Framing (C-Bit), Line Decoding (B3ZS) and Clocking (Normal), with a Save button.

This menu allows you to display and configure T3 trunk parameters. The Framing field determines the framing format used; your line provider will indicate the correct format. The Line Decoding field reflects the line encoding/decoding scheme; almost all T3s now use B3ZS. The Clocking field selects whether to accept or provide clocks. In normal use the central office provides clocks and your setting should be Normal. You may also connect to another router by using a cross-over cable and selecting a Master clocking option on one of the two routers.

Editing A Logical Interface (Frame Relay)

Figure 66: Edit T1 Interface. The Edit/New Logical Interface form shows the Frame Relay Parameters Station Type (CPE / FR DTE), Signalling type (ANSI), Link Failure Leaves IP interface up, T391 (10), T392, N391 (6), N392 (6), N393 (4), EEK Type (Off) and EEK Timer (5), and a New Logical Interface table with the columns DLCI, Local Address, Netmask, Remote Address, Default Gateway and Description, with a Save button.

This menu allows you to display and configure logical interface fields for Frame Relay. The menu is composed of two tables. The first table provides
14. Figure 215: Archive Differences List. The figure shows the "Files only exist in archive ArchiveOct 14 2006 0000" table (columns File Name, Timestamp), containing ruggedrouter backuprestore conf with timestamp Oct 13 2006 09:08:19.

The resulting menu shows the differences between the two selected targets. Files in this table are sorted by the change time, most recent changes first. Files that exist in only one of the targets are shown separately. Following the links under the File Name column will show a file's difference between the two targets. The difference will be shown by two methods: it will first be shown in a side-by-side scrollable comparison, and it will also be shown in a window that shows differing lines.

(RuggedCom, page 246. Chapter 26: Maintaining The Router)

Show Difference

Difference on hosts between ArchiveOct 18 2006 1205 and Current Configuration. In the Side by Side Difference Display of the hosts file, the line "127.0.0.1 localhost.localdomain localhost rrjc6" on the archive side differs from "127.0.0.1 localhost.localdomain localhost ruggedrouter" on the current side; the IPv6 lines that follow ("The following lines are desirable for IPv6 capable hosts": ip6-localhost ip6-loopback, fe00::0 ip6-localnet, ff00::0 ip6-mcastprefix, ff02::1 ip6-allnodes, ff02::2 ip6-allrouters, ff02::3 ip6-allhosts) are the same on both sides. 7 Differing
15. The Connection Statistics table reflects established TCP connections. Network and serial connections can be paired by examining the Target Serial Port(s) field. The Status field describes whether a network connection is established or in the process of being established. Note: all counts are from the router's perspective. The Rx Packets count reflects packets received from the network, the contents of which are transmitted at the protocol and reflected in the Tx Chars field. The Refresh button will cause the page to be reloaded. The Continuous Display button will cause the browser to continuously reload the page, showing the differences in statistics from the last display. The difference is not a real-time rate in bytes or packets per second.

Protocol Specific Packet Error Statistics

The Raw Socket Packet Errors field reflects the number of times that a network message was received and could not be enqueued at the serial port because of output buffering constraints. This is usually symptomatic of a remote peer that uses a higher baud rate, or of local flow control.

(RuggedCom, page 191. RuggedRouter User Guide)

Serial Protocols Trace Menu

Line Trace. The menu warns that specifying large numbers of ports, entries and capture time can result in a great deal of output. Its fields are: Port (Trace on ports 1, 2, 3, 4, or All Ports), Message (RX, TX), Hex dump, Incoming/Outgoing Connections, Maximum number of entries to capture, and Maximum time
16. The Lookup Addresses field causes ping to resolve IP addresses to domain names. This can make ping behave very slowly if DNS is not properly configured. The Display link level header field causes this header to be displayed. The Perform HEX/ASCII dump field will cause the data content of the captured packets to be displayed; this option generates a large amount of data. The Verbosity fields specify the level of decoding which tcpdump supplies. The Ignore hostname / Only hostname selector excludes or selects the IP address specified in the next field. If the SSH box is selected, SSH traffic from the IP will be excluded (shown). If the Webmin traffic box is selected, Webmin traffic from the IP will be excluded (shown). If the All traffic box is selected, traffic from the IP will be excluded (shown). This option provides a filter capability to tcpdump an interface and to block the user's own traffic from being displayed. The Ignore protocols / Only protocols selector excludes or selects the protocols specified in the next fields. The Ports to trace field specifies TCP/UDP ports to trace. Enter a list of ports separated by spaces to trace more than a single port.

Frame Relay Link Layer Trace

Figure 154: Frame Relay Trace Menu. The Trace A WAN Interface form has the fields Interface to capture on (w4fr16), Maximum packets captured (20; maximum 1000) and Maximum capture time (20; maximum 240 sec), with a Trace It button.

Frame Relay tracing uses
17. The Minimum Security field selects the level of security used by this user. It may be No Authentication (no authentication or encryption), Authentication Only (authentication by the MD5 or SHA1 authentication methods, no encryption), or Authentication with Privacy (authentication by MD5 or SHA1, encryption by the DES or AES ciphers). The OID field further restricts access to an Object Identifier (OID) tree at or below a specified OID. The Authentication Protocol, Authentication Passphrase, Privacy Protocol and Privacy Passphrase fields configure the protocols and passphrases used, depending on the Minimum Security field. These settings are shared between agent and remote user. Note that if authentication and privacy are both used but only the authentication passphrase is provided, snmpd will use the authentication passphrase as the privacy passphrase. Note also that if any notifications are enabled, a read-only user named internal will be automatically created to satisfy the requirements of the event MIB.

(RuggedCom, page 250. Chapter 26: Maintaining The Router)

Trap Configuration

Figure 223: Trap Configuration page. Under Trap Generation Options there are check boxes for Enable Authentication Traps and Enable link up/down traps, with an Apply button.

Trap Options

The Trap Configuration page manages SNMP trap destinations. Under Trap Generation Options you may enable the generation of notifications on authentication failures or IP interface link up/down events. SNMP V
18. The Syslog logging level fields determine the facility and priority of log messages generated by Openswan.

Public Key

Figure 108: Show Public Key. The menu shows the text "The public RSA key shown below should be copied into the configuration of other systems connecting to this one, in the section related to this host", followed by the router's RSA public key text.

This menu displays the RuggedRouter's public RSA key.

Preshared Keys

Figure 109: Preshared Keys. The table has the columns Remote Address, Local Address and Pre-shared key; in the figure the entries are 201.172.152.6 / 176.42.67.9 / IamApreSharedkey and 61.181.222.40 / 176.42.67.9 / AnudderSecretKey, followed by an "Add a new secret key" link.

This menu creates, deletes and edits pre-shared keys used by VPN connections using secret key encryption. Select the links under the Remote Address column to edit or delete a secret key. The menu will not allow more than one entry to have a specific pair of IP addresses. The menu will not allow a password shorter than eight characters in length.

(RuggedCom, page 129. RuggedRouter User Guide)

Lis
19. A Line loopback command causes frames received from the T1/E1 line to be looped back to the line. A notification is presented for each frame received during this test. A loopback test will take down the interface, which may be undesirable when it is in use.

Figure 60: T1/E1 Loopback Menu. The form has the fields Select Loopback type (No loop), Number of Loops (20; maximum 1000) and Time to run test (20; maximum 240 sec), with a Start Loopback button.

The loopback test provides a means to test the digital and analog hardware of your T1/E1 hardware and the T1/E1 line. The sender transmits a number of frames which are looped back to it. The returning frames are verified for correctness. A digital loopback is started first, verifying the digital section of the interface. If a loopback stub is inserted in the interface jack, a remote loopback will verify the interface's digital and analog sections. If the remote equipment is able to loop, the entire T1/E1 line can be verified. If the remote router is another RuggedCom router, starting a line loopback will verify both cards and the line. This router will display the count of loopback frames as they arrive.

Figure 61: T1/E1 Loopback. The diagram shows the sender's T1/E1 interface and the remote T1/E1 interface, each with a Digital and an Analog section, connected by the Line, with the Digital Loopback Test, Remote Loopback Test and Line Loopback paths marked.

The Select Loopback Type field selects the loopback. The Number of Loops field controls the frames sent during di
20. Click this button to make the current configuration active by killing the running syslog process and restarting it.

Figure 230: System Logs.

System logs are records of activities that have occurred on the router, sorted into specific categories. System logs can be invaluable when debugging configuration changes. As such, most of your use of the logs will be simply in viewing them.

Syslog Factory Defaults

Although new logs can be created and the type of information saved in existing logs changed, the factory defaults are as follows:

• messages: This log file catches a wide variety of generic information, excluding authentication, cron and mail messages. This should be the first log you inspect when starting to debug a problem.
• syslog: This log file catches all information with the exception of authentications. Syslog contains all that messages contains and more. Examine this log if you cannot find relevant information in messages.
• auth.log: This log file catches authentication requests. View auth.log when you are trying to debug a problem in which a user is not able to sign on to a service such as web management or ssh.
• critical: This log catches reports of critical failures. There should never be any messages in this log. Your RuggedCom support representative may ask you to inspect this file.
• kern.log: This log contains messages issued by the kernel, the most central part of the operating system. This log alw
21. (Table of contents, pages 63 to 81; entries as far as legible)

Edit PPPoE Interface ..... 63
PPPoE On Native Ethernet ..... 64
Edit PPPoE Interface ..... 65
Current Routes & Interface Table ..... 66
Chapter 6: Configuring Frame Relay, PPP And T1/E1 ..... 67
Location Of Interfaces And Labeling ..... 68
LED Designations ..... 68
T1/E1 Network ..... 69
(RuggedCom, page 7. RuggedRouter User Guide)
Strategy For Creating Interfaces ..... 69
Naming Of Logical Interfaces ..... 70
Editing A T1/E1 Interface ..... 71
Editing A Logical Interface (Frame Relay) ..... 72
Frame Relay Link Parameters ..... 72
Frame Relay DLCIs ..... 73
Editing A Logical Interface (PPP) ..... 73
Frame Relay Interface ..... 75
PPP Interface ..... 76
Current Routes & Interface Table ..... 78
Upgrading ..... 78
Chapter 7: Configuring Frame Relay, PPP And T3 ..... 79
Location Of Interfaces And Labeling ..... 79
LED Designations ..... 79
Naming Of Logical Interfaces ..... 80
Editing A T3 Interface ..... 81
Editing A Logical Interface (Frame Relay) ..... 81
Editing A Logical Interface (PPP)
22. If the main trunk is on a private network, employ a routing protocol to ensure that an alternate route to the end network is learned after the backup trunk is raised. Ensure that OSPF/RIP are configured to operate on the secondary trunk, assigning it a higher metric (cost) than that of the main trunk. If the main trunk is on a public network, employ the transfer default route feature.

Link Backup Main Menu

Figure 130: Link Backup Main Menu. The menu offers the links Link Backup Configurations, Link Backup Logs, Link Backup Status and Test Link Backup.

Note that Link backup is disabled by default and may be enabled via the System folder, Bootup And Shutdown menu. Link backup can be configured through the Link Backup Configuration link. Link backup status and logs can be viewed through the Link Backup Status and the Link Backup Log links after the daemon has been started. A link backup configuration can be tested through the Link Backup Test link.

Link Backup Configuration

Figure 131: Link Backup Configuration. The Link Backup Configurations table has the columns Name, Main Interface, Backup Interface and Enabled; in the figure the entry "eth1 > eth2" has main interface eth1, backup interface eth2 and Enabled set to yes. Below are an Add new link and an Apply Configuration button ("This applies the current settings by restarting the link backup daemon").

This menu displays existing main/backup link relationships. Following the links under the Name field to an existing pair will edit them, or add a new one. The Apply Configuration
23. Right-click the link and save the file manually. Otherwise, Internet Explorer will rename the file after uploading, preventing its use in a subsequent archive restore.

Archive Restore

Figure 212: Archive Restore Menu. The menu reads "Restore one of the following configuration archives by selecting its name" and lists archives in a table with the columns Archive Name, Version and Archive Comment. The rows shown in the figure: Archive Oct 20 2006 0949 ruggedrouter, 1.9.0, "latestarchive 1.9.0"; Archive Oct 19 2006 1553 ruggedrouter, 1.9.0, "setup eth1 IP address"; ArchiveOct 18 2006 1205, 1.8.0, "configuration for rr1.8.0"; ArchiveOct 19 2006 1506, 1.8.4, "Automatic nightly backup at Oct192006 1506"; factorydefaults, 1.9.0, "Factory defaults".

The restore process begins by selecting an archive to restore from. Following an archive link will restore the archive and reboot the router. Note: some manually and even automatically created archives are not possible to restore. If the router was upgraded after the archive was created, the archive will have old, confusing and possibly missing configurations; the Version field indicates this. The latestarchive and factorydefault archives always have the current release version and are always able to be restored. If an archive has a lower version number, it will not be restorable. Click on one of the links under Archive Name to start the restore. Starting the restore r
24. (RuggedRouter User Guide)

Uploading And Downloading Files

Figure 238: Upload/Download menu. The Upload/Download Files To The Router page has three parts. "Download files from the specified URLs to this router": URLs to download, File or directory to download to, Create directory if needed, Owned by user, Owned by group (Default), Download mode (Immediately and show progress, or In background at a given date and time), and a "Download URLs to router" button. "Send files from your current host to the router": Files to upload (four Browse buttons), File or directory to upload to, Create directory if needed, Owned by user, Owned by group (Default), Extract ZIP or TAR files (Yes / Yes, then delete / No), and a "Send to router" button. "Upload a file from the router to your host": Upload to your host.

The Upload/Download Files menu provides a means to transfer files to and from the router. The "Download files from the specified URLs to this router" part of the menu allows you to have the router download files from ftp and http servers. You need to specify at least the file URL and the directory to download it to. You may also decide to create directories cited in the download path at download time, set the user/group ownership of the file, and postpone the download to a specific time. The "Send files from your current host to the router" part of the menu allows you to send file
25. Figure 126: RIP Global Parameters. Fields shown: Redistribute Kernel (redistribute kernel routes to RIP area routers; enable/disable; metric 0-16777214, disabled/unset), Redistribute OSPF (redistribute ospf routes to RIP area routers; enable/disable; metric 0-16777214, disabled/unset), Passive Default (set new interfaces passive by default; enabled), Update Timer (routing table update timer, 5-2147483647, default 30), Timeout Timer (routing information timeout timer, 5-2147483647, default 180), Garbage Collection Timer (garbage collection timer, 5-2147483647, default 120), Save, and a Key Chains table (Key Chain Name, Action: main / edit / Add).

The Enable Password field sets the password to be used for the enable command of ripd. This is used by the telnet interface of ripd to control access to the configuration. The Telnet Password field sets the password to be used for telnet access to ripd. This is used as the login password of ripd when locally telnetting to port 2604 of the router. The Hostname field sets the hostname for the rip daemon. This value is only used as a reference for convenience; the telnet interface prompt will contain this hostname. The router's system-wide hostname is used if this field is left blank. The Default Information Originate field, when enabled, causes the router to advertise its default route to the RIP network. The Default Metric
26. Figure 176: NTP Server (sub-menus: Generic Options, Server list, Peers list; "Restart ntpd daemon" button: click this button to restart the ntpd client daemon, which will apply configuration parameters)

Note that the NTP server is disabled by default and may be enabled via the System folder, Bootup And Shutdown menu. When enabled, any configuration changes may be made to take effect by selecting the Restart ntpd daemon button. The View GPS Status and View GPS Log sub-menus appear if the router is equipped with a Precision Time Protocol card.

Generic Options
Figure 177: NTP Generic Options (Multicast address: Default / Custom; Broadcast Client: No / Yes; Custom address; Save options)

Set the Broadcast Client option to Yes if you wish to act on NTP broadcast messages. The default multicast address used for NTP is 224.0.1.1. Select a custom multicast address with the Custom address field if you wish to use a different address.

Servers Configuration
Figure 178: NTP Server List (columns: IP Address, Version, Key, Preferred, Check; entries: pool.ntp.org, 127.127.1.0 and 10.0.0.214, each with version Default (4), key None, the last marked Preferred; a Create new link)

The servers under the IP address column are used as primary synchronization devices. Clicking on a link will
27. Figure 35: Routing And Gateways. Static route table (Network/Host, Netmask, Gateway, Interface, Metric, Comment): 192.168.200.0 / 255.255.255.0 via eth4, "Not installed, interface is not active"; 192.168.12.0 / 255.255.255.0 via gateway 2.2.2.2 on w1ppp, "Installed". Manually Entered Static Routes (Network/Host, Netmask, Gateway, Interface, Metric, Action): 192.168.240.0 / 255.255.255.0 on eth2, "Save to Configured Static Routes". Note: this router has the following network interfaces: dummy0, eth1, eth2, eth4, ipsec0, w1ppp.

This menu allows you to configure the default gateway address and static routes. Static routes specify a way to forward subnets of traffic that cannot be associated with the subnets of configured interfaces. The gateway address is the address that is used to forward traffic that can not be routed to configured interfaces or to static routes. This menu also allows the user to convert manually entered static routes to permanently configured static routes.

Default Route Table
The first table of this menu configures the default gateway address.

Note: Don't configure a default gateway if you plan to provide one from a WAN, PPPoE or modem interface. Don't manually configure the default gateway in the /etc/network/interfaces file; configure the default gateway from this menu. If the default gateway is configured but the actual default gateway in use is different, the menu will display a warning accompanied by the actual gateway. Use
28. Figure 152: Host Menu (fields: Hostname, Type, Nameserver, Timeout 10; Look Up button)

The Hostname field accepts the host name or IP address to ping. The Type field selects the type of information to capture. The Nameserver fields select the server to resolve with. If Default is left selected, the DHCP, DNS or local resolv.conf setup will be used; otherwise the address supplied will be used. The Timeout field specifies the maximum time to wait before abandoning a lookup.

Trace Menu
The trace menu contains three sections providing the capability to trace network interfaces, Frame Relay interfaces and Serial server interfaces. The latter two menus will appear only if you have configured Frame Relay or Serial server interfaces.

Tcpdump A Network Interface
Figure 153: Tcpdump Menu (Interface to capture on: w1ppp; Maximum packets captured: 20, maximum 1000; Maximum capture time: 20, maximum 240 sec; DNS look up addresses; Display link level header; Perform HEX/ASCII dump; Verbosity: off / 1 / 2 / 3; Ignore hostname/protocols: SSH, Webmin traffic, all traffic; Ignore protocols: tcp, udp, icmp, arp, vrrp, igmp, ospf, esp; Ports to trace: 500 50 25 53; Tcpdump It button)

The Interface to capture on field specifies the interface to show traffic on. The Maximum packets captured and Maximum capture time fields limit the amount of traffic captured
29. Figure 18: Webmin Configuration Menu, Change Help Server (URL of Help Text: none / Use Upgrade Repository / alternate URL; Save Changes). Note: If you specify an alternate URL to host the help text you must install release-specific help directories in the form RELEASE/html. The router currently expects to find an rr1.12.0/html directory there.

The Web management package provides context-sensitive help in each of its menus. When a help link is selected, the router instructs the browser to open the help text from a help server. In this way the router does not waste large amounts of disk space storing help text, or network bandwidth sending large web pages. By default the router directs the browser to the same server used to upgrade the router, as specified in the Maintenance menu, Upgrade System sub-menu, Change Repository Server command. This command allows you to disable Web management help, use the upgrade repository server, or specify a new server. If you specify an alternate web server to host the help text, you must install release-specific help directories below the document root. The menu suggests the currently expected directory. The actual help files are provided with every release under the html directory at the repository server.

Logging
Webmin can be configured to write a log of web server hits in the standard CLF log file format. If logg
30. accounts of the router at one of its IP addresses described above. The router is shipped with default passwords of admin for either of these accounts.

The RuggedRouter Setup Shell
Signing in as the rrsetup user will automatically enter the configuration shell shown below. Quitting the shell with cancel or by entering escape will cause the connection to close.
Figure 1: RuggedRouter Setup Main Menu
The shell provides a number of configuration commands, described below.

Configuring Passwords
The Change Passwords command changes the rrsetup and root account passwords. These passwords should be changed before installing the router on the network.
Figure 2: RuggedRouter Setup Password Change Menu

Configuring IP Address Information
The Change Port IP Address command configures port IP addresses and gateways.
Figure 3: RuggedRouter Interfaces Setup Menu
Each port number X has a default address of 192.168.X.1 and a mask of 255.255.255.0. The Configure Default Gateway Settings command configures the default gateway. The Configure DNS Client Settings command configures the DNS server address. If the router is part of a domain, enter the domain name in the Search Domain field.
Figure 4: RuggedRouter DNS Client Menu

Setting The Hostname
The Set Hostname command sets the hostname shown in shell prompts and Web Management.

Configuring R
31. &P2: make/break ratio of 39/61 at 20 pulses per second. &P3: make/break ratio of 33/67 at 20 pulses per second.

Compression control: C0 disables data compression negotiation; C1 enables MNP5 compression negotiation; C2 enables V.42bis compression negotiation; C3 enables MNP5 and V.42bis compression negotiation (default).

Line quality monitoring control: E0 disables the line quality monitor and auto-retrain; E1 enables the line quality monitor and auto-retrain; E2 enables the line quality monitor and fallback/fallforward (default).

S registers: S6=X, wait time for dialtone detection (2-255 seconds, default 2); S7=X, wait time for carrier detection (1-255 seconds, default 50); S8=X, pause time for comma in dial string (0-255 seconds, default 2); S9=X, carrier detect response time (50-255, in .1 seconds, default 6); S10=X, loss of carrier to hangup delay (50-255, in .1 seconds, default 14); S11=X, DTMF tone duration (50-255, in .01 seconds, default 95); S29=X, hook flash dial modifier time (0-255, in .01 seconds, default 70).

Country Code selects which country's dialing system to work with. If this is not set correctly, the modem might not be able to dial or connect. Speaker Volume controls how loud the modem speaker is. Speaker Mode controls whether the speaker on the modem is on or off.

Modem PPP Client Connections
(table: Connection Name, Action)
32. ccococccnnccccononanononnnonocononanananenonoconconannanononenoninonoss 97 When the toen bara E Eai 97 LED NR GE A O E N 97 Modem Main EE 98 Modemi Configuratio 45 ccc adie A O ona 98 Modemi PEP Client Connection a n a a a dE ea 100 Modem PPP EE 100 Modem PPP EE 101 Modern Incoming Call Logs noisa roari da 102 MOI RELE E 102 Modem PPP Connection e o 103 Current Routes amp Interface Tableros inae a ii 103 Chapter 11 Configuring The Firewall asocia irradia 105 ee EE 105 Firewall Fundamentals a a a o AAEE EASE alii 105 EE RE 105 Linux netfilter iptables And The Shoreline Firewall A 105 Network Address ET 106 PORO e 107 Shot Wall Quick SUD iach nenioo adherens o T E E A AS 107 Shore Wall Terminology And Conc rita a a 108 EE feet A Eder 108 Interface Sinnai a cidos 108 O eebe 109 NO 109 Masqueradine And SNA Data 110 EE 111 Configuring The Tutelle ee dan id 113 Route Based Virtual Private Networking ii ccscccescsstesciecsdesescecasccventdeisseuasesevstcessdencisdsarectedes 113 Policy Based Virtual Private Networkmg nono nonancconcncnnos 113 RuggedCom 9 RuggedRouter User Guide Virtual Private Networking To A DM eeeret getrei ege ES 114 Firewall MAMA Oe 114 Network EE 116 Network ru 117 Network Zone E 119 DET Pals A E A a 119 MASUNOS aos 120 Firewall E 121 Statie KE EE 122 ACTIONS WEN StOP Ped DEE 123 Chapter 12 Configuring An IPsec VPN ai A da 125 Intr d ction RR aa etre TTS 125 VPN BTV
33. (continuation of the IPsec status listing)
keysizemax=256
algorithm ESP auth attr id=251, name=null, keysizemin=0, keysizemax=0
algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
stats db_ops.c: {curr_cnt, total_cnt, maxsz} : context={0,6144,36} trans={0,6144,336} attrs={0,6144,224}
"openswantest": 10.0.0.0/8===204.50.190.89...204.50.190.91===192.168.1.0/24; erouted; eroute owner: #2997
"openswantest": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
"openswantest": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,8; interface: eth2;
"openswantest": newest ISAKMP SA: #3093; newest IPsec SA: #2997;
"openswantest": IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2; flags=strict
op
34. on the Ethernet interface that hosts the local network (here eth1) via the Networking menu, Ethernet sub-menu, boot-time entry, Proxy ARP setting. When a host on eth1 ARPs for the remote client address, the router will answer on behalf of the client.

Chapter 13 Configuring Dynamic Routing
Introduction
This chapter familiarizes the user with:
• Enabling The Dynamic Routing Suite
• Enabling And Starting OSPF and RIP
• Configuring OSPF and RIP
• Obtaining OSPF and RIP Status
• OSPF and VRRP

Quagga, RIP and OSPF
Dynamic routing is provided by the Quagga suite of routing protocol daemons. Quagga provides three daemons for managing routing: the core, ripd and ospfd. The core daemon handles interfacing with the kernel to maintain the router's routing table and to check link statuses. It tells RIP and OSPF what state links are in, what routes are in the routing table and some information about the interfaces. The ripd and ospfd daemons handle communications with other routers using the RIPv2 and OSPFv2 protocols and decide which routers are preferred to forward to. In complex legacy networks both RIP and OSPF may be active on the same router at the same time; usually only one of them is employed.

RIP Fundamentals
The Routing Information Protocol determines the best path for routing IP traffic over
35. public network. Configure the firewall to accept connections from a specific domain.
12. Configure remote system logging to forward all logs to a central location.

Appendix A Setting Up A Repository
The RuggedCom software upgrade mechanism requires a repository of software to be available. The following instructions detail:
• Requirements for a repository server
• Initial set up of a repository
• Upgrading the repository to the latest release
• Maintaining separate release streams for different groups of routers
• Setting up one router to test new releases
• Configuring the network routers

Repository Server Requirements
In order to establish a repository you will need a host that is accessible to the routers that will be upgraded. This host must be able to act as a web server or ftp server. The host must also be able to access the RuggedCom web site in order to download new releases of software from RuggedCom. The server requirements are fairly modest. The principal requirements are for disk space, bandwidth and the ability to serve an adequate number of http sessions. Each software release will require approximately 50 Mb of disk space. Note that this figure includes an entire software image; most upgrades will involve the transfer of only a small fraction of this amount. A large numbe
36. take place. After you are satisfied that the upgrade was successful, you can proceed to unzip the rr1.2 zip file into your ruggedrouter directory, or copy the rr1/dists/rr1.2 and rr1/dists/current directories into the ruggedrouter directory. Ensure that the remainder of the routers to be upgraded have the Repository server field set to http://server.xyz.net/ruggedrouter and the Release Version field set to rr1. They can now be upgraded.

An Alternate Approach
You can eliminate the need for separate release and test directories by making your routers upgrade to specific major and minor releases. In this approach you will always extract releases to the same directory, e.g. ruggedrouter. All routers will be configured with the Repository server field set to http://server.xyz.net/ruggedrouter and the Release Version field initially set to rr1.1. When you need to upgrade to rr1.2, you will visit the routers and update the Release Version field. This method is simpler but has the disadvantage that you need to visit each of the routers. This can become unwieldy when there are many routers to manage.

Upgrading Considerations
The RuggedRouter offers you the ability to perform automatic daily upgrades, specify the download time and limit the download bandwidth. These tools automate the upgrade process and minimize the impact of upgrading on the net
37. .0/24 network and start sending to Router 2 instead of Router 1. After the failure all routers still know how to reach the entire network, and the clients on 1.1.2.0/24 can still send on the network using the same gateway address. The clients will see only a MAC address change of the gateway and experience a few seconds of network outage. When the link returns, VRRP will switch back to the master and the routes will return to their normal state.

Note that if the Router 1 wan link fails, Router 1 will see routes to Router 3 via the Router 1-Router 2 wan and Ethernet links. If the faster Router 1-Router 2 Ethernet path fails, Router 1 will fall back to the Router 1-Router 2 wan link. Note that it would not be useful to leave the Ethernet 1.1.2.0/24 subnets out of the area and turn on redistribute connected, as OSPF would not use the subnets for routing.

Dynamic Routing
Figure 116: Dynamic Routing Menu (sub-menus: BGP, RIP, Core, OSPF; Enable Protocols: Core, OSPF, RIP)

Before dynamic routing protocols can be used, quagga must be enabled in the Bootup and Shutdown menu. After quagga is enabled, RIP or OSPF itself must be enabled in the Enable Protocols menu of Dynamic Routing. The Core menu configures link-related items such as link detect and link cost. The RIP and OSPF menus configure these protocols for each interface.

Enable Protocols
(table: Enabled, Protocol)
38. Figure 16: Webmin Configuration Menu, IP Access Control (listed addresses, e.g. 10.0.0.0 255.255.255.0; options: Allow from all addresses / Only allow from listed addresses / Deny from listed addresses; Resolve hostnames on every request; Save)

Webmin uses a secure communications method called Secure Sockets Layer (SSL) to encrypt traffic with its clients. Webmin guarantees that communications with the client are kept private. But Webmin will provide access to any client that provides the correct password, rendering it vulnerable to brute force attacks. The best way of addressing this problem is to restrict access to specific IP addresses or subnets. By default IP access control allows all IP addresses to access Webmin.

If your router is being used on a completely private network, or IP access control is being provided by the firewall, you may leave IP Access Control disabled: select the Allow from all addresses field and Save. If you wish to restrict access to a single address or subnet, select the Only allow from listed addresses field and enter a single IP address or a subnetted address. If you wish to deny access to a specific subnet, select the Deny from listed addresses field and enter a single IP address or a subnetted address. If DNS is configured you may allow and deny based upon hostname. Partially qualified domain names such as foo.com are acceptable. The Resolve hostnames on
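The three access-control modes described above, modelled as an added example (not Webmin's or RuggedCom's code): a listed entry may be a single address, a CIDR or "address netmask" pair, or a partially qualified domain name; the resolver is a caller-supplied lookup so the check runs offline, and the suffix rule for hostnames is this example's assumption about how a "foo.com" entry is applied.

```python
import ipaddress

# Access-control modes as offered by the IP Access Control menu.
ALLOW_ALL = "allow_all"        # IP access control disabled
ALLOW_LISTED = "allow_listed"  # only listed addresses/hosts may connect
DENY_LISTED = "deny_listed"    # listed addresses/hosts are refused


def parse_entry(entry):
    """Turn one listed entry into an ip_network or a lowercased hostname.

    Accepted forms (constructed for this example): "10.0.0.5",
    "10.0.0.0/24", "10.0.0.0 255.255.255.0", "foo.com".
    """
    parts = entry.split()
    try:
        if len(parts) == 2:
            # "address netmask" form as shown in the menu
            return ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        # Not an address: treat it as a (possibly partial) domain name.
        return entry.strip().lower()


def entry_matches(parsed, client_ip, client_hostname):
    """True if a parsed entry covers this client."""
    if isinstance(parsed, str):
        # Hostname entry: exact match, or suffix match so that the
        # partially qualified "foo.com" also covers "mgmt.foo.com"
        # (assumed semantics). Without a resolved name nothing matches.
        if client_hostname is None:
            return False
        name = client_hostname.lower()
        return name == parsed or name.endswith("." + parsed)
    return client_ip in parsed


def access_allowed(mode, entries, client, resolve=None):
    """Decide whether `client` (an IP address string) may reach Webmin.

    `resolve` is an optional callable IP -> hostname standing in for the
    "Resolve hostnames on every request" option; None disables name checks.
    """
    ip = ipaddress.ip_address(client)
    hostname = resolve(client) if resolve else None
    if mode == ALLOW_ALL:
        return True
    parsed = [parse_entry(e) for e in entries]
    listed = any(entry_matches(p, ip, hostname) for p in parsed)
    if mode == ALLOW_LISTED:
        return listed
    if mode == DENY_LISTED:
        return not listed
    raise ValueError(f"unknown access-control mode {mode!r}")


if __name__ == "__main__":
    # Constructed reverse-lookup table standing in for DNS.
    names = {"10.0.0.7": "mgmt.foo.com"}
    for client in ("10.0.0.7", "10.0.1.7", "192.168.5.9"):
        print(client,
              access_allowed(ALLOW_LISTED, ["10.0.0.0 255.255.255.0"], client),
              access_allowed(ALLOW_LISTED, ["foo.com"], client, names.get))
```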
39. OSPF Fundamentals
The Open Shortest Path First (OSPF) routing protocol determines the best path for routing IP traffic over a TCP/IP network based on link cost and quality. Unlike static routing, OSPF takes link failures and other network topology changes into account. Unlike the RIP routing protocol, OSPF generates less router-to-router update traffic. RuggedRouter routing protocols are supplied by the Quagga routing package. The RuggedRouter OSPF daemon, ospfd, is an RFC 2178 compliant implementation of OSPFv2. The daemon also adheres to the RFC 2370 (Opaque LSA) and RFC 3509 (ABR Types) extensions.

OSPF network design usually involves partitioning a network into a number of self-contained areas. The areas are chosen to minimize intra-area router traffic, making the network more manageable and reducing the number of advertised routes. Area numbers are assigned to each area. All routers in the area are known as Area routers. If traffic must flow between two areas, a router with links in each area is selected to be an Area Border router and serves as a gateway.

Link State Advertisements
When an OSPF-configured router starts operating, it issues a hello packet. Routers having the same OSPF Area, hello interval and dead interval timers will communicate with each other and are said to be neighbors. After discovering its neighbors, a router will exchange Link State Advertisements in order to dete
40. Figure 156: Interface Statistics Menu (per-interface statistics table; Refresh and Continuous Display buttons)

This menu provides basic statistics for all network interfaces. The Refresh button will cause the page to be reloaded. The Continuous Display button will cause the browser to continuously reload the page, showing the differences in statistics from the last display. The difference is not a real-time rate in bytes or packets per second. Note that detailed statistics for T3, T1/E1, DDS and ADSL are available within the menus that configure those interfaces.

Current Routing & Interface Table
Figure: Current Route & Interface Table.
Routing Table (Destination, Via, Device, Metric, Protocol, Source):
213.186.238.136/30, w1ppp, kernel, 213.186.238.138
203.50.190.88/29, eth2, kernel, 203.50.190.89
192.168.254.0/24, eth1, kernel, 192.168.254.254
11.0.0.0/8, eth1, kernel, 11.0.0.251
default, via 213.186.238.137, w1ppp
Interface Status (Device, Link Up, Address, Netmask, Bcast, Peer, MTU, Txqueuelen):
eth1, Yes, 11.0.0.251, 255.0.0.0, 11.255.255.255, MTU 1500, txqueuelen 1100
eth1:0, Yes, 192.168.254.254, 255.255.255.0, 192.168.254.255, MTU 1500
eth2, Yes, 203.50.190.89, 255.255.255.248, 203.50.190.95, MTU 1500, txqueuelen 1100
lo, Yes, 127.0.0.1, 255.0.0.0, MTU 16436, txqueuelen 0
w1ppp, Yes, 213.186.238.138, 255.255.255.252, peer 213.186.238.137, MTU 1500, txqueuelen 11
41. DHCP server is only configured to provide that lease through a relay agent with the right option 82 fields added, the server will send the client a NAK to disallow use of the lease. Enabling this option disables this reject message, so that the renewal request that the DHCP relay agent sends a moment later (which the DHCP server accepts, since it has the right option 82 fields added) will be the only message for which the client receives a reply. If the DHCP server and clients are not on the same subnet, this option is not required.

The meaning of the value of many fields depends on the client's interpretation of the field, so the actual meaning of a field is determined by the client. See the documentation of the client to determine what values are required by the client for special options.

Example DHCP Scenarios And Configurations
Single Network With Dynamic IP Assignment
In this example the eth1 interface is provided with IP address 192.168.1.1/24, while addresses 192.168.1.101 through 192.168.1.200 are assigned to the clients. The router serves as the default gateway.
1. Enable eth1 in the Edit Network Interfaces menu.
2. Click add a subnet and configure it for network address 192.168.1.0 with netmask 255.255.255.0.
3. Set the assigned address range to 192.168.1.101 - 192.168.1.200.
4. Click Create, then edit the subnet just created and click Edit Client Options.
5. Set defau
42. Figure 182: GPS Log (columns: Day, Time, Process, Event; sample entry from the irigb process: "GPS lock: locked"; Refresh button)
The GPS Log menu displays the log of recent GPS events.

Chapter 23 Configuring SSH
Introduction
This chapter familiarizes the user with:
• Configuring SSH Authentication
• SSH Networking And Access Control
• Setting SSH Client Options

SSH Fundamentals
Secure Shell is a program that allows logging into another host, remotely executing commands and moving files from one machine to another. It provides strong authentication and secure communications over insecure channels. The program that accepts the SSH client's connection is an SSH server. The SSH server can be programmed to enforce conditions to increase security. These conditions can be imposed upon specific hosts or upon all hosts in general. SSH has had two major revisions of the protocol upon which it is based, SSH v1 and v2. SSH v1 relied upon the RSA authentication scheme, while SSH v2 relies upon RSA or DSA. SSH v1 is known to be insecure and should not be used. SSH operates upon TCP port 23 by default. Open this port if you use a firewall. SSH also provides TCP forwarding, a means to forward otherwise insecure TCP traffic through SSH.

Secure Shell Included With SSH
Your RuggedRouter software includes scp, an SSH utility to perform secure copying of files and directories over the network. If
43. The FTP Option field specifies the FTP user name and password, or the use of anonymous FTP. The SCP Option field specifies the SCP user name and bandwidth limitation when the Export Method is SCP. The Show Router SSH Key link will display the ssh public key for this router, which can be used on the configuration server to accept SCP from the router. The Server Path Option field specifies the configuration server hostname or IP address and the directory in which to save archives.

Archive History
The total size of all archived configurations is 1098966 bytes. Click on an archive to upload a copy of it.
Figure 209: Archive History (columns: Archive Name, Version, Archive Comment; entries: an Oct 19 2006 15:53 archive, latestarchive 1.9.0 "setup eth1 IP address", an Oct 18 2006 12:05 archive 1.8.0 "configuration for rr1.8.0", an Oct 19 2006 15:06 archive 1.8.4 "Automatic nightly backup", factorydefaults 1.9.0 "Factory defaults"; Remove Selected Archives button; "Upload archives from your current host to this router": Archive to upload, Browse, Upload To Router)

The Archive History menu displays current archives sorted by date, most recent first. Following the link of an archive under the Archive Name field uploads a copy of it. Selecting an archive under the Archive Name field and applying the Remove Selected Archives
44. ID is not recognized. By default login is allowed for all groups. The account selector button can be used to build up a list of allowable groups. The Deny users and Deny members of groups fields specify users and groups to deny connections to.

Chapter 24 Configuring IRIGB And IEEE1588
Introduction
This chapter familiarizes the user with:
• IEEE 1588 Configuration
• IRIGB Configuration
• Viewing IRIGB and IEEE1588 Status

IEEE1588 Fundamentals
The IEEE 1588 working group Precise Timing Protocol (PTP) standard details a method of synchronizing clocks over networks, including Ethernet. The RuggedRouter provides a special hardware-assisted PTP capability as provided by the RuggedCom PTP card. When used in conjunction with the card's Global Positioning System (GPS) receiver, the router can provide nanosecond accuracy via IEEE 1588. Additionally, IEEE1588 may be used in GPS failure situations to synchronize to a remote source and provide accurate time for IRIG-B.

PTP Network Roles
The IEEE 1588 standard describes regular clocks as devices having a single PTP port that can issue and receive PTP messages. PTP boundary clocks are clocks that have multiple PTP ports, offering the ability to serve time to more than one subnet at a time. The RuggedRouter can serve as a regular clock and communicate with boundary clocks. The set of devices that can communicate using the PT
45. IEEE1588 is locked, the router will use the IEEE1588 server as a reference clock. When IEEE1588 is synchronized, IRIG-B timestamps are accurate to within a microsecond or sub-microsecond. If GPS and IEEE1588 have not yet locked, the router will use an NTP server or peer as a reference clock. NTP typically requires less than two minutes after boot to synchronize. When NTP is the reference clock, IRIG-B timestamps can be accurate to within a ms. Before NTP is able to synchronize, the router will use the local clock to obtain the time and will emit IRIG-B timestamps on a one-second basis.

How The Router Selects A Reference Clock
The router can be configured to use the following as reference clocks:
• GPS, IEEE1588, NTP and the local clock
• GPS, NTP and the local clock
• GPS and IEEE1588
• GPS

If the router is configured to use multiple reference clocks, it will start sending timestamps using the best reference clock that has ever locked (the local clock is always locked). If a better reference clock is locked later, the router will step (i.e. suddenly change the time) and use the new reference clock. If the current reference clock becomes unavailable, the router will keep running with its own high precision timing hardware. It will use this hardware until the last used reference clock is locked or a higher quality reference clock is available. If the router is configured to use only GPS, no timestamps will be issued until GPS locks. If GPS fails, the rou
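The selection rule above, written out as a small state machine (an added example, not RuggedCom's implementation): clocks are ranked GPS, IEEE1588, NTP, local; a lock of a better clock causes a step, a loss of the current clock enters holdover on the internal hardware, and holdover ends only when the last-used clock or a better one locks again. The ranking and the event names are this example's assumptions.

```python
from enum import IntEnum


class Clock(IntEnum):
    """Reference clocks, best quality first (assumed ranking)."""
    GPS = 0
    IEEE1588 = 1
    NTP = 2
    LOCAL = 3


class RefClockSelector:
    def __init__(self, configured):
        self.configured = set(configured)
        self.locked = set()
        self.current = None     # clock currently driving IRIG-B timestamps
        self.holdover = False   # running on the internal timing hardware
        if Clock.LOCAL in self.configured:
            # The local clock is always locked, so timestamps start at once.
            self.locked.add(Clock.LOCAL)
            self.current = Clock.LOCAL

    def _best_locked(self):
        candidates = self.locked & self.configured
        return min(candidates) if candidates else None

    def lock(self, clock):
        """A configured reference reports lock.

        Returns 'step' when the router switches to a better clock (or to its
        first clock), 'resume' when holdover ends on the last-used clock,
        'none' otherwise (unconfigured, already in use, or worse than the
        clock whose holdover we are in).
        """
        if clock not in self.configured:
            return "none"
        self.locked.add(clock)
        best = self._best_locked()
        if self.current is None or best < self.current:
            self.current = best
            self.holdover = False
            return "step"
        if self.holdover and best == self.current:
            self.holdover = False
            return "resume"
        return "none"

    def unlock(self, clock):
        """A reference becomes unavailable. Losing the current clock does not
        fall back to a worse one: the router holds over on its own hardware."""
        if clock == Clock.LOCAL:
            return "none"           # the local clock never unlocks
        self.locked.discard(clock)
        if clock == self.current:
            self.holdover = True
        return "holdover" if self.holdover else "none"

    def emitting(self):
        """Timestamps are issued only once some configured reference has locked."""
        return self.current is not None

    def source(self):
        return None if self.current is None else self.current.name


if __name__ == "__main__":
    s = RefClockSelector([Clock.GPS, Clock.IEEE1588, Clock.NTP, Clock.LOCAL])
    for event, clk in [("lock", Clock.NTP), ("lock", Clock.GPS),
                       ("unlock", Clock.GPS), ("lock", Clock.IEEE1588),
                       ("lock", Clock.GPS)]:
        result = getattr(s, event)(clk)
        print(f"{event} {clk.name}: {result}, source={s.source()}, holdover={s.holdover}")
```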
46. Interface State column reflects the link state of the monitored interface, or "none" if an interface is not configured.

Chapter 16 Configuring Traffic Prioritization
Introduction
This chapter familiarizes the user with:
• Enabling/Disabling Traffic Prioritization
• Viewing Traffic Prioritization Statistics

Traffic Prioritization Fundamentals
The RuggedRouter is able to prioritize traffic transmitted on network interfaces, including Ethernet, T1/E1, DSL and PPP ports, giving preferential treatment to certain classes of traffic. It is important to note that prioritization can only be applied to outbound traffic; inbound traffic can not be prioritized. The two key elements of prioritization are traffic queues and filters. Each prioritized interface has its own unique set of these elements.

Priority Queues
Prioritization establishes a number of queues, each holding packets of differing priority. When the interface is ready to transmit a packet, it selects a packet from the highest priority queue first. If the interface is busy transmitting when packets arrive, they are enqueued in the appropriate queue. If the interface is not transmitting when the frame arrives to be enqueued, the frame is immediately transmitted. Prioritization will not add additional delay to a stream of packets of differing priority; it will simply reorder the sequence of transmission of packe
47. Labeling
Unlike the Ethernet ports, which are statically located, the location of T1/E1, T3, DDS and ADSL ports in your router depends upon the number of ports and how they were ordered. Refer to the labeled hardware image as presented in the Webmin home page. To make labeling easy to understand, all T1/E1, T3, DDS and ADSL ports are assigned a unique port number that relates to the LEDs on the status panel.

LED Designations
The RuggedRouter includes two sources of LED-indicated information about T3 lines: the T3 card itself and the LED Panel. One LED is associated with each line, next to the interface jack. This LED is red when the link is disconnected, flashes green when the link is connecting and remains solid green when the link is established. The RuggedRouter also indicates information about T3 ports on the LED Panel. A pair of LEDs will indicate traffic and link status of the port. Consult the section Using The LED Status Panel to determine which LEDs correspond to the port.

T3 Configuration
Figure 62: T3 Trunks And Interfaces (sub-menus: T3/E3 Trunks And Interfaces, Current Route & Interface Table)

This menu allows you to display and configure T3 Trunks as well as display the routes and status of the network interfaces.

T3 Network Interfaces
(T3/E3 WAN Interfaces: T3/E3 Trunks, Channels and Logical Interfaces; Refresh thi
48. Lines Display:
< 127.0.0.1 localhost.localdomain localhost rric
> 127.0.0.1 localhost.localdomain localhost ruggedrouter
Note: lines beginning with < belong to ArchiveOct-18-2006-1205; lines beginning with > belong to Current Configuration.
Figure 216: Show Difference for selected file between two targets (with a "Copy This File To Current Configuration" button)

The Copy This File To Current Configuration button will be present when the destination archive is the Current Configuration. It allows the user to copy the selected file from the old archive to the current configuration.

Note: It is possible to damage your router through use of this feature. Ensure that the configuration file copied makes sense in the current version of the router. Note that copying configurations may not make any actual operating changes until the systems that own them are restarted. If the source archive has a file that is not present in the Current Configuration, it is possible to view that file and then copy it into the Current Configuration.

SNMP Configuration
The SNMP menus provide the following configuration features:
• System information
• Agent network addresses
• Community access to the agent
• SNMP trap delivery

SNMP, the Simple Network Management Protocol, is used by network management systems and the devices they manage. SNMP is used to manage items on the device to be managed, as well as by the device itself to report
49. Netmask, Remote Address, Default Gateway and Description fields are as described in the previous section. T3 Statistics. When at least one logical interface is configured, T3 Link and logical interface statistics will be available. These statistics are available from links on the T3 WAN Interfaces menu. Link Statistics are provided through the View Link Statistics link at the bottom of each interface table. Frame Relay and PPP statistics are available through Statistics links under the interface name column of each interface table. Link, Frame Relay and PPP Interface Statistics are as described in the Configuring Frame Relay, PPP And T1/E1 chapter, with the exception that T3 provides only AIS, LOS, OOF and YEL alarms. Current Routes & Interface Table. The table provided by this command is as described in the Networking menu, Network Utilities sub-menu. It is also provided here as a convenience. Upgrading Software. For some customers, access to remote sites is accomplished solely by a T3 connection. Usually a software upgrade will stop the system being upgraded, perform the upgrade and then restart it. If the T3 port were upgraded in this way, the upgrade would fail, as the T3 link was taken down. Instead, T3 software upgrades modify only the software on the disk. You must schedule a reboot in order to run the new version of T3 software.
50. [Screenshot residue of a modem chat log: repeated "waiting for OK", "found" and "send" entries (send ATSO 0, send ATW2L3M0, send AT) timestamped 03/17 14:41:56 to 14:41:57.] Refresh. This page shows the latest log entries for incoming calls. This is mainly useful when trying to debug a problem with establishing incoming connections. Modem PPP Logs. PPP Logs. Refresh. [Screenshot residue of a PPP log: Mar 17 17:19:22 chat 3192 entries "OK", "got it", "send ATDT1", "expect CONNECT"; Mar 17 17:19:31 chat 3192 entries "ATDT1", "NO DIALTONE", "failed", "Failed NO DIALTONE"; Mar 17 17:19:31 pppd 785 "Connect script failed".] Refresh. Figure 87: PPP Logs. This page shows the PPP logs. This is mainly useful when trying to debug a PPP connection problem. Modem PPP Connection Logs. PPP Connection Logs. Refresh. Columns: Month, Day, Time, Event, User, Local IP, Remote IP, Speed, Duration. Mar 17 16:03:12 connect user1 1.2.3.4 5.6.7.8 33600; Mar 17 16:03:42 disconnect user
51. OSPF (Open Shortest Path First v2, IPv4); RIP (Routing Information Protocol, IPv4). Apply Settings. Figure 117: Enable Protocols Menu. This menu enables RIP and OSPF for dynamic routing. Core: Core Global Parameters; Core Interfaces; View Core Configuration. Figure 118: Core Menu. The Core routing daemon handles communications between the kernel of the router and the other dynamic routing protocols. Core handles link detection and monitoring, static routes, and routes for directly connected interfaces on the router. It also manages adding routes to the kernel routing table based on the routes discovered by other dynamic routing protocols. Core is always enabled whenever dynamic routing is enabled, as it is required by all other dynamic routing protocols. Core Global Parameters. Columns: Parameter, Value, Description, Possible values (default value). Enable Password: (masked); Enable password, for configuration access; string without spaces (previous password). Telnet Password: (masked); Telnet password, for port 2601 access; string without spaces (previous password). Hostname: router214; Identifier of router, often the DNS name of the router; string without spaces (no hostname). Router ID: 10.1.1.21; Identifier of router, often the main IP address of the router; A.B.C.D (highest IP of s
52. Priority; Advert Interval; Gratuitous ARP Delay: 5; Extra Interface to Monitor: wippp; Gateway address/mask: 1.1.1.253/24; Add another Gateway; Save; Delete. Figure 139: VRRP Instance. The Name field is purely for informational purposes. The Interface field configures the interface that VRRP packets are sent upon. The Virtual Router ID field determines the VRID number. Ensure that all routers supplying the same VRIP have the same VRID. The value of the VRID varies from 1 to 255. The Advert Interval field configures the time between VRRP advertisements. Ensure that all routers supplying the same VRID have the same interval. Note: VRRP will not work properly if the advertisement interval is different in the master and backup routers. The Gratuitous ARP Delay field controls the number of seconds after the router changes between master and backup state that a second set of gratuitous ARPs are sent. This mechanism offers a second chance to teach the switching fabric and hosts of the new provider of a gateway address. The Extra Interface To Monitor field causes VRRP to release control of the VRIP if this interface stops running. This prevents the situation where a host forwards information to a gateway router that itself has no way to forward the traffic. The Gateway address/mask and Add another Gateway fields configure the VRIP gateway addresses associated with this VRID. Both an IP address and appropriate subnet
53. Queues. Note that you must have at least a low, normal and high priority queue. The high queue must be of higher priority than the normal queue, which must be of higher priority than the low queue. If you delete a priority queue, any filters which use that queue will be adjusted to point at the next lowest queue. Columns: Queue Name, Move, Add. Rows: high; normal; low. Prioritization Filters. Packets are matched against filters from the following table in ascending order. When a match occurs, the packet is entered onto the respective target queue. If no matches occur, the packet's TOS bits are inspected and the packet is entered onto the low, normal or high queue. Columns: Source IP/Netmask, Source Port, Dest IP/Netmask, Dest Port, Protocol, Target Queue, Move, Add, Edit. Sample row: 172.168.12.1 22 514 high. Transmit Queue Length. Packets from the above prioritization queues are collected on to a transmit queue prior to transmission. Limiting the size of this queue increases performance by preventing the buffering of a number of lower priority frames. Length. Remove Prioritization. Use the following button to remove prioritization from wippp. Delete and Apply. Figure 142: Interface Prioritization Menu. This menu allows you to add, delete and configure queues and filters. Add a new queue or filter by clicking on the add above or add below arrows in the Add field. You may also edit a manually created queue
55. The Minimum Security, Authentication Protocol, Authentication Passphrase, Privacy Protocol and Privacy Passphrase fields are as described above. MIB Support. The RuggedRouter supports the following MIBs (MIB Name: MIB Description). IF-MIB: The MIB module to describe generic objects for network interface sub-layers. SNMPv2-MIB: The MIB module for SNMPv2 entities. TCP-MIB: The MIB module for managing TCP implementations. IP-MIB: The MIB module for managing IP and ICMP implementations. UDP-MIB: The MIB module for managing UDP implementations. SNMP-VIEW-BASED-ACM-MIB: View-based Access Control Model for SNMP. SNMP-FRAMEWORK-MIB: The SNMP Management Architecture MIB. SNMP-MPD-MIB: The MIB for Message Processing and Dispatching. SNMP-USER-BASED-SM-MIB: The management information definitions for the SNMP User-based Security Model. Chapter 26 Maintaining The Router. Radius Authentication. The Radius protocol, described in RFC 2865, provides a means for carrying authentication, authorization and configuration information between a client (the router, which desires to authenticate its links) and a shared Authentication Server. Transactions between the router and RADIUS server are authenticated through the use of a shared secret which is never sent over the network. In addition, any user passwords are sent encrypted between the router and RADIUS server to eliminate the
56. The Network to masquerade fields determine the interface or subnet on the private network that you wish to masquerade. The Except for networks field restricts traffic from the specified subnet. The SNAT address field is used to determine whether masquerading or SNAT is being performed. If checked, the entered IP address is used as a SNAT address. Firewall Rules. Module Index: Firewall Rules. This table lists exceptions to the default policies for certain types of traffic, sources or destinations. The chosen action will be applied to packets matching the chosen criteria instead of the default. Add a new firewall rule. Columns: Action, Source, Destination, Protocol, Source ports, Destination ports, Move, Add. ACCEPT: Any; Host 206.30.180.94 in zone DMZ; Any. DNAT: Host 66.11.180.161 in zone Internet; Host 11.0.0.30 in zone Local; TCP; Any; ssh. ACCEPT: Any; Zone DMZ; TCP; Any; ssh. Add a new firewall rule. Manually Edit File: Click this button to manually edit the Shorewall file /etc/shorewall/rules in which the entries above are stored. Figure 99: Firewall Rules. This menu allows you to add, delete and configure firewall rules. These rules are inspected and applied before the default policies are used. Add a new rule by selecting the Add a new firewall rule link or by clicking on the add above or add below images in the Add field. Reorder the policies by clicking on the arrows under the M
57. The Source Port and Dest Port fields specify the port numbers used to match an outgoing packet. You may specify either a raw number or a mnemonic as specified in the /etc/services file. This setting matches both UDP and TCP ports unless the Protocol field specifies udp or tcp. The Protocol field specifies a protocol to match against, currently either tcp, udp, icmp, ospf, vrrp or ipsec. The Target Queue field selects one of the available priority queues. Prioritization Transmit Queue Length. The WAN protocols supplied by the RuggedRouter rely upon transmit queues to ensure their efficiency. Even as a packet is starting to be transmitted, other packets can be lining up behind it. Normally there is only one queue, the transmit queue, and packets are transmitted from it in the order in which they arrived. The transmit queue is a means of enhancing performance. Prioritization favors some packets over others by transmitting them with preference. Chapter 16 Configuring Traffic Prioritization. Prioritization works by establishing queues at the required priority levels, filling the transmit queue with them in priority order. The aim of establishing low latency for certain traffic is foiled when transmit queue lengths are large, because multiple low priority packets may have queued before a high priority packet arrives at the router. RuggedCom recommends that the transmit queue length be left at its minimum default valu
58. The goal of Radius Authentication is usually to severely restrict the distribution of this password, limiting regular access to server-based authentication. Note: Users employing the WEBMIN service are the exception to this rule. Being entirely managed via radius, they cannot access web management if radius is down. The user has the option of designating specific servers to authenticate either Logins, PPP or Webmin sessions, or to have one server authenticate combinations of services or all services. The radius server providing the WEBMIN service must also be configured to supply a privilege level field, which will be used in upcoming releases to provide operator levels of privilege. See the appendix on Radius Server Configuration for more information. Helpful Hint: Some users set the rrsetup and root account passwords to difficult-to-guess strings that are unique to each router, then employ a common password for all routers in radius. The router-specific strings are restricted to a very few personnel. A larger set of expert users are granted the rights to SSH login using the radius root account passwords. Yet another set of users are granted access via Webmin user accounts. Radius authentication is logged to the authorization log file, auth.log. Details of each authentication, including time of occurrence, source and result, are included. Radius Authentication Configuration R
59. Treat NTP sync'd grandmasters as stratum: 2 (2-12). Treat Local clock sync'd grandmaster as stratum: 10 (2-12). Treat NTP sync'd grandmasters as stratum is the stratum number of the grandmaster when it does not have GPS locked but has locked with a remote NTP server. Treat Local clock sync'd grandmaster as stratum is the stratum number of the grandmaster when it has only locked with the local clock. Save. Figure 190: IEEE1588 Configuration Menu. This menu allows you to configure IEEE 1588 parameters. The 1588 Working Mode field configures whether the router will be forced to 1588 slave mode or determine its role by the BMC algorithm. The Preferred Master Clock field configures the router to be the preferred master clock. The Subdomain Name field allows you to choose which domain you want the router to participate in. There are four domains available, each mapped to a different multicast IP address. The Sync Interval field configures the rate at which SYNC messages are issued. The router NTP daemon uses GPS as a clock source when it is available, and IEEE 1588 when GPS is not available. The Treat NTP sync'd grandmaster as stratum field assigns the stratum number when the grandmaster clock is synchronized with a remote NTP server but not GPS. The Treat Local Clock sync'd grandmaster as stratum field assigns the stratum number when the grandmaster clock is synchronized with the local clock but not an NTP server or GPS. IRIGB Status Cha
60. User Dialin Properties (Microsoft): Specifies that the user's dial-in properties are ignored. MS-Quarantine-IPFilter (Microsoft): Specifies the IP traffic filter that is used by the Routing anc. MS-Quarantine-Session-Timeout (Microsoft): Specifies the time in seconds that the connection can rer. Tunnel-Tag (Microsoft): Description not yet defined. USR-ACCM-Type (U.S. Robotics, Inc.): Description not yet defined. USR-AT-Call-Input-Filter (U.S. Robotics, Inc.): Description not yet defined. USR-AT-Call-Output-Filter (U.S. Robotics, Inc.): Description not yet defined. USR-AT-Input-Filter (U.S. Robotics, Inc.): Description not yet defined. USR-AT-Output-Filter (U.S. Robotics, Inc.): Description not yet defined. USR-AT-RTMP-Input-Filter (U.S. Robotics, Inc.): Description not yet defined. Figure 243: IAS Window Add Attribute. 6. In the Multivalued Attribute Information window, click the Add button. Attribute name: Vendor-Specific. Attribute number: 26. Attribute format: OctetString. Attribute values: Move Up, Move Down; OK; Cancel. Figure 244: IAS Window Multivalued Attribute Information. 7. In the Vendor Specific Attribute Information window, select the radio button Enter Vendor Code and input 15004 into the editbox. Select the radio button Yes, It conforms and click the button Configure Attribute. Attribute name: Vendor-Specific. Specify network access server vendor: Select from list: RADIUS Standard; Enter Vendor
61. a port redirector that must make the connection; the host end is only occasionally activated and will make the connection when it becomes active; a host end firewall requires the connection to be made outbound. Connect from the remote to the host if the host end accepts multiple connections from remote ends, in order to implement broadcast polling. Connect from each side to the other if both sides support this functionality. Use Of Port Redirectors. Port redirectors are PC packages that emulate the existence of communications ports. The redirector software creates and makes available these virtual COM ports, providing access to the network via a TCP connection. When a software package uses one of the virtual COM ports, a TCP connection is placed to a remote IP address and TCP port that has been programmed into the redirector. Some redirectors also offer the ability to receive connections. Message Packetization. The server buffers received characters into packets in order to improve network efficiency and demarcate messages. The server uses three methods to decide when to packetize and forward the buffered characters to the network: packetize on a specific character; packetize on timeout; and packetize on full packet. If configured to packetize on a specific character, the server will examine each received character and will packetize and forward upon receiving the specific character. The character is usually a <CR>
62. alarm conditions and other events. The first version of SNMP, V1, provides the ability to send a notification of an event via traps. Traps are unacknowledged UDP messages and may be lost in transit. SNMP V2 adds the ability to notify via informs. Informs simply add acknowledgment to the trap process, resending the trap if it is not acknowledged in a timely fashion. SNMP V1 and V2 transmit information in clear text, which may or may not be an issue depending on the facilities the data is transmitted over, and are lacking in the ability to authenticate a user. SNMP V3 adds strong authentication and encryption. SNMP Configuration Main Menu. SNMP Configuration: System Configuration; Network Addressing Configuration; Access Control; Trap Configuration. Figure 217: SNMP Main Configuration page. In order to enable snmpd, the snmp daemon, at each and every boot, use the System folder, Bootup And Shutdown menu. Note: Prior to ROX 1.10.0, SNMP was manually configured using the com2sec, group, view and access directives. If so configured, the SNMP menu will prompt you to convert the configuration to one it can manage. System Configuration. System Variables: System name; System location: Maint shed 3; System contact: Dept; System description: hformer 15 27 mgmt. Save. Figure 218: System Configuration page. Th
63. by following its link under the Queue Name column, and edit a filter by following its Edit link. Reorder the queues and filters by clicking on the arrows in the Move field. Some restrictions apply with queues: you are not allowed to reorder queues in a way that violates the priority implicit in their name. The Transmit Queue Length selector allows you to make a tradeoff between latency and performance. Remove prioritization by selecting the Delete and Apply button. Prioritization Queues: wippp Queue Configuration. Queue Configuration wippp: Queue Name: extra high. Save and Apply; Delete and Apply. Figure 143: Prioritization Queue Configuration. This menu allows you to edit the name of a priority queue and to delete the queue. If you delete a queue referenced by filters, the filters will be adjusted to use the next lowest queue. Prioritization Filters: wippp Filter Configuration. Filter Configuration wippp: Source IP/Netmask: (blank); Source Port: (blank); Dest IP/Netmask: 172.123.44.86; Dest Port: ssh; Protocol: (blank); Target Queue: extra high. Save and Apply; Delete and Apply. Figure 144: Prioritization Filter Configuration. This menu allows you to edit and delete traffic filters. The Source IP/Netmask and Dest IP/Netmask fields specify the IP addresses and masks used to match an outgoing packet. Use 0.0.0.0/0 to generate an all-packets match
64. contains the configuration and status of OSPF on the router. The OSPF Global Parameters, OSPF Interfaces and Network Areas menus configure OSPF. The Status and View OSPF Configuration menus display the actual status and configuration file contents of OSPF. OSPF Global Parameters. Columns: Parameter, Value, Description, Possible values (default value). Enable Password: (masked); Enable password, for configuration access; string without spaces (previous password). Telnet Password: (masked); Telnet password, for port 2604 access; string without spaces (previous password). Originate Default Metric: Control distribution of default information; 1-16777214 (20). ABR Type: standard; Set OSPF ABR type; standard, cisco, ibm, shortcut (standard). Bandwidth (parameter name partly garbled): 100; Calculate OSPF interface cost according to bandwidth; 1-4294967 Mbps (100). Default Information: enable; Advertise default route (disabled). Distance: Define an administrative distance; unset, 1-255 (unset: not used). Distance OSPF External: Define an administrative distance, external; unset, 1-255 (unset: use Distance). Distance OSPF Inter-area: Define an administrative distance, inter-area; unset, 1-255 (unset: use Distance). Distance OSPF Intra-area: Define an administrative distance, intra-area; unset, 1-255 (unset: use Distance). Hostname (parameter name garbled): Identifier of router, often the DNS name of the router; string without spaces (no
65. every request field forces Webmin to perform a hostname lookup for every user access. The result of this will be that a dynamically assigned IP with a DNS entry at a Dynamic DNS registrar will be able to be checked against the IP Access Control list just like a fixed address. This method is useful for administrators who travel or simply don't have a fixed address at their normal location. Note: This is not efficient if you have more than a few domain names entered in the IP Access Control list, due to the high overhead of performing a name lookup for every hostname in the list on every request. Ports And Addresses. Module Index: Ports and Addresses. IP addresses and ports. Listen on IPs and ports: Bind to IP address: Any address; Listen on port: Specific port 10000 (Same as first). Save. Figure 17: Webmin Configuration Menu, Ports and Addresses. This command allows you to restrict access to Webmin from one particular network interface on your server. If your Webmin server has a non-routable local address and a routable Internet address, you should decide whether anyone will ever need to be able to access the Webmin server from outside of your local network. If not, simply configure Webmin to listen on the local interface. By default, Webmin listens on TCP port 10000 for clients. It is possible to change this default behaviour. Change Help Server. Help: Change Help Server URL
66. field sets the default metric to be used for RIP routes which don't have another metric specified. The Distance field sets the administrative distance to use for all routes unless overridden by other distance settings. The Redistribute Connected fields control distribution of connected routes. When enabled, RIP will advertise routes to directly connected interfaces to other RIP routers in the area. Normally only routes that fall within the scope of the network areas will be advertised. The Redistribute Kernel fields control distribution of kernel routes. When enabled, RIP will advertise routes from the kernel routing table, which includes static routes entered by the administrator, to other RIP routers in the area. Normally only routes that fall within the scope of the network areas will be advertised. The Redistribute RIP fields control distribution of routes learned by RIP. When enabled, RIP will advertise routes learned by RIP. The Passive Default option controls the default active/passive state of new interfaces. When enabled, all new interfaces will be passive by default. The passive state of individual interfaces is controlled from the RIP Interfaces configuration. The Update Timer field controls how often RIP sends out routing table updates. The Timeout Timer field controls how long information stays in the routing table after it is received without an update. The Garbage Collec
67. found in texts referenced in the About This Guide section of the user guide. What And How Gauntlet Protects. Gauntlet protects against unauthorized access to critical assets, including the router itself. Gauntlet allows connection from known management devices to assets behind the firewall operating on known TCP/UDP port numbers. Gauntlet does not encrypt communications which occur in the clear, such as the Telnet protocol. Protocols such as SSH and HTTPS offer their own encryption and are suitable for use with Gauntlet. Gauntlet And The Firewall. Gauntlet integrates tightly with the firewall, opening it for communications between vetted clients and critical assets on a demand basis. There are three steps in activating the Gauntlet security appliance: 1. The firewall must be configured with some default rules required by the appliance, described below, and then activated or restarted. 2. The rrsetup utility must be used to configure a Gauntlet passphrase and enable the Gauntlet daemon. 3. The Gauntlet daemon and Shorewall must both be enabled in the Webmin Bootup and Shutdown menu to start at boot. Shorewall requires you to assign the router interfaces to zones and then control traffic between these zones. Typically the zone for WAN interfaces is named net, while the zone for local interfaces is named loc. The following instructions assume those names. The gauntlet daemon requires rules for certain ports, shown below, to be inst
68. function as a gateway between areas. When multiple areas are used on a network, area 0 is the backbone area. All areas must have a router connecting them to area 0. Defines the ID of the router. By default this is the highest IP assigned to the router. It is often a good idea to configure this value manually, to avoid the router id changing if interfaces are added or deleted from the router. During elections for designated router, the router id is one of the values used to pick the winner. Keeping the router id fixed will avoid any unexpected changes in the election of the master router. Hello Interval and Dead Interval. The hello interval is the time between transmissions of OSPF Hello packets. The dead interval is the time to wait without seeing an OSPF Hello packet before declaring a neighboring router dead and discarding its routes. It is recommended that the dead interval be at least four times the hello interval for reliable operation. Lower values of these settings will help to speed up the change in network routes when the topology of the network changes. It will also increase the load on the router and the links, due to higher traffic caused by the increase in messages. Lower values will also put limits on the number of routes that can be distributed within an area, as will running over slower links. Note: OSPF will not work properly if the Hello Interval and Dead Interval are not identical on every router in an area. Active/Pass
69. here. Each interface on the router is listed. Clicking on settings displays a menu of configuration options for that interface. Clicking on status displays the current status of the interface, including link state, IP address and traffic counts. Clicking Remove inactive interfaces purges the list of any interfaces which are no longer configured on the router. The Bandwidth field sets the bandwidth value to assume for the interface when automatically calculating a cost for using the link on this interface. By default all interfaces are treated as 10Mbit (10000 Kbps). OSPF by default uses an automatic cost of 10 for all links, calculating it as the reference bandwidth (100Mbit) divided by the link bandwidth (10Mbit). If a manual cost is assigned to the interface in OSPF, this value is ignored. RIP does not use this parameter. The Link Detect field controls core's link detect feature on the interface. When link detect is enabled, routes through the interface will only be advertised to other routers when the link is up. This option is usually desirable. View Core Configuration. This menu shows the current configuration file for the Core interfaces. OSPF. OSPF: OSPF Global Parameters; OSPF Interfaces; Network Areas; Status; View OSPF Configuration. Figure 121: OSPF Menu. This menu
70. host's IP is dynamically assigned. The System identifier fields provide IPsec with a way to determine which section of the connection applies to which host. Left to Default, the parameter will use the public IP address from above. Set to None, the router will use an empty id. You can override these with an IP address or hostname. The Private subnet behind system fields determine if this system has an internal network connected to it that the other host should be granted access to. Enter a network address and prefix length into this field. If you enter a subnet of 0.0.0.0/0 in this field, this connection will serve as a default route for all traffic. The System's public key fields provide an RSA key if RSA keying is to be used. If you want to use secret keying, select None. When you first create a connection, this field is filled in for you with the local system's RSA key. If you are filling in this field for the remote system, the key can be obtained from the Show Public Key page on that system. Select Certificate File and provide a certificate if using X.509 certificates. The Next hop to other system fields determine the address to forward traffic to in order to reach the other system. Unless you have an unusual network setup, this field should be set to Default route. Note: If you set Next hop to other system to default, you must configure a default route. You can check for the existence of a default route with the Network Configurati
71. imported at the remote router. IPsec and Router Interfaces. The IPsec daemon requires router interfaces to exist before it starts. If none of the interfaces needed by IPsec exist, IPsec will check for them every minute until at least one does. Note that in the unlikely event that IPsec uses multiple network interfaces, a stop of any of those interfaces will cause all tunnels to stop. IPsec may have to be manually restarted after configuring network interfaces when multiple tunnels exist. VPN Main Menu Before Key Generation. IPsec VPN Configuration. Openswan version U2.2.0/K2.4.27-10-486-rr. No host key appears to be listed in the file /etc/ipsec.secrets. One must be generated for your system before you can define any VPN connections. Generate key for host ruggedrouter. Figure 104: IPsec VPN Configuration Menu Before Key Generation. Upon the first entry to this menu you will be prompted to generate a VPN host key. Key generation will require about 30 seconds to complete, after which the menu appearance will change. VPN Main Menu. The new menu appearance will resemble that of the following menu, with the exception that you will be warned that VPN networking is not enabled. Enable VPN networking via the System folder, Bootup And Shutdown menu. Figure 105: IPsec VPN Configuration Menu After Generation. Chapter 12 Configuring An IPsec VPN. IPsec VPN Configuration. Openswan version U2.2.0/K2.6.8-16
72. in seconds to capture over: 5.
16:13:36.428 TCPCONN: Opening connection to 10.0.10.2 50001 8964 for serial port 1
16:13:36.445 TCPCONN: Opened connection to 10.0.10.2 50001 8964 for serial port 1
16:13:36.445 RAWSOCKET: port 1 open, info 8058a3c map 80551f0 buf 0 Length 0
16:13:37.132 TCPCONN: Rx Data 240b from 10.0.10.2 50001 8964 for serial port 1
16:13:37.133 RAWSOCKET: Transmitting message on port 1, length 240
31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36  1234567890123456
37 38 39 30 31 32 33 34 35 36 37 38 39 30 31 32  7890123456789012
33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38  3456789012345678
39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34  9012345678901234
(176 bytes truncated)
16:13:37.144 TCPCONN: Rx Data 120b from 10.0.10.2 50001 8964 for serial port 1
Start Trace. Figure 163: Serial Protocols Trace Menu. This menu displays decoded serial port and network activity. The desired traffic sources, number of messages and length of time to capture are entered and the Start Trace button is pressed. The menu will display up to the provided number of messages, waiting up to the specified number of seconds. The Trace on ports selections feature a list of serial ports with unused entries greyed out. The default is All Ports, which selects all ports. The Message RX/TX field allows log entries to be printed for each received or transmitted message and the method of packetization. If the Hex Dump field is selected, th
interfaces. RuggedCom does not automatically perform the firmware upgrade. Instead, the scheduling of the upgrade is left to the user. The upgrade can be performed by signing on to the platform via the console or SSH and running the command /usr/sbin/update-wanfirmware. If the SSH connection has been made over an active T1/E1 interface, the connection will fail, but the upgrade will continue.

The upgrade can also be scheduled for a specific time by using the System menu, Scheduled Commands sub-menu. Set the Commands to execute field to "/usr/sbin/update-wanfirmware proceed", set the Run in directory field to /root and set the Run at time field to the desired upgrade time. After the upgrade completes, alarms recommending an upgrade will be cleared.

Chapter 7 Configuring Frame Relay, PPP And T3

Introduction

This chapter familiarizes the user with:
- Configuring Frame Relay and PPP Links
- Viewing status and statistics
- Upgrading Firmware

T3 Fundamentals

A T3 is a communications circuit upon which has been imposed a Digital Signal 3 (DS3) signaling scheme. The scheme allows 672 timeslots of 64 Kbps DS0 information to be multiplexed to a 44.736 Mbps circuit. Channel groups and fractional lines are not supported. The RuggedRouter provides you the ability to operate Frame Relay or PPP over your physical interfaces.

Location Of Interfaces And
mask must be provided for each gateway.

The Save button saves the virtual instance. The Delete button deletes the virtual instance. After you save or delete an instance you must restart the daemon to action your change.

Viewing VRRP Instances Status

Figure 140: VRRP Instances Status

Instance  Current State  Time Of Change To Current State  VRRP Interface State  Monitored Interface State
VRID_10   Master         Fri Dec 9 07:37:34 EST 2005      eth1 is Up            w1ppp is Up
VRID_11   Master         Fri Dec 9 07:37:33 EST 2005      eth is Up             none

Refresh Display

The VRRP Instances Status menu displays the current status of VRRP instances. This menu does not update status in real time; click on the Refresh Display button to update to the current status. The entries under the Instance column reflect the names of the VRRP instances existing as of the last restart of keepalived. The entries under the Current State column reflect the state of the VRRP instances. An instance can be in one of Master (master for the VRIP), Backup (backup for the VRIP) or Fault (the VRRP interface or the monitored interface is down). The entries under the Time Of Change To Current State column reflect when the current state was entered. The entries under the VRRP Interface State column reflect the link state of the interface that the instance runs upon. The entries under the Monitored
menu configures the end-to-end backup feature. This method assigns two interfaces as a primary/secondary backup pair and monitors the primary link to detect a failure. After a failure occurs, traffic is shunted to the secondary until the primary is restored. Note that in order for end-to-end backup to work, the primary interface must act as the default interface.

End-to-end backup is not currently enabled; it can be enabled through the System folder, Bootup And Shutdown menu.

Figure 40: End To End Backup. The End To End Routes form shows Primary Interface (w1ppp), Peer IP Address on Primary (192.168.16.2), Secondary Interface (eth1), Peer IP Address on Secondary (192.168.17.2), Fail Over Time in seconds (0 < Fail Over Time < 60) and Generate Alarms (Yes/No), with Save and Save and Apply buttons.

This menu allows you to display and configure end-to-end backup. In order to start end-to-end backup at each and every boot you must enable it via the System folder, Bootup And Shutdown menu. The menu will remind you if the feature is not enabled. The Primary Interface field determines the primary interface. The interface selected should be configured to supply the default gateway. The Peer IP Address on Primary field sets the IP address to probe for connectivity on the primary interface. The Secondary Interface field determines the secondary interface. The Peer IP Address on Secondary field sets the IP address to probe for connectivity on the seco
menu will be useful. Further concerns such as ensuring robustness, measuring and optimizing performance are dealt with by reading the guide fully.
offers the advantage of attributing actions in logs to the specific user as opposed to the root user.

Default Configuration

Your RuggedRouter is shipped from the factory with the following defaults:
- Ethernet ports are enabled and have an address of 192.168.X.1, where X is the port number.
- WAN and modem ports are disabled.
- IRIG-B output ports are disabled.
- Setup account: rrsetup, password: admin.
- Superuser account: root, password: admin.
- SSH and Web Management interfaces are enabled by default. All other services, including Serial Protocol Server, DHCP server, NTP server, End to End Backup Server, VPN Server, NFS, OSPF, RIP protocol and firewall, are disabled by default.

Accessing The RuggedRouter Command Prompt

From the Console Port

Attach a terminal or PC running terminal emulation software to the RS232 port on the rear of the chassis. The terminal should be configured for 8 bits, no parity operation at 38.4 Kbps. Hardware and software flow control must be disabled. Select a terminal type of VT100. Once the terminal is connected, pressing <CR> will prompt for the user to login as and that user's password. Sign in as either the rrsetup or root user. The router is shipped with default passwords of admin for either of these accounts.

From SSH

Use an SSH agent running the version 2 protocol. SSH to either the rrsetup or root
pair of LEDs will indicate traffic and link status of the port. Consult the section Using The LED Status Panel to determine which LEDs correspond to the port.

Included With T1/E1

T1/E1 includes wanpipemon, a utility that can capture traces from the T1/E1 line.

Figure 50: T1/E1 Trunks And Interfaces. The T1/E1 menu offers T1/E1 Trunks And Interfaces and Current Route & Interface Table.

This menu allows you to display and configure T1 or E1 Trunks, as well as display the routes and status of the network interfaces.

T1/E1 Network Interfaces

Figure 51: T1/E1 Network Interfaces, Initial Configuration. The T1/E1 WAN Interfaces page lists T1/E1 Trunks, Channels and Logical Interfaces with a "Refresh this page" link. For trunk T1 1 (Not Running) it shows a table of Channel, Assigned time slots and Channelized interface (channel 1, ALL), a table with the columns Channel Name, Description, Local Address, Netmask, Remote Address and Default Gateway, and the links "Assign a new Frame Relay logical interface", "Assign a new PPP logical interface" and "Edit T1 1 Parameters".

This menu allows you to display and configure T1/E1 Trunk parameters, Channels and the logical interfaces that run on them. A table is presented for each interface. Note that the interface number is the same regardless of whether it is a T1 or E1 interface. Interface numbers are as described by the WAN labels as shown in the home page chassis diagram. The status of the tru
possibility that someone snooping on an insecure network could determine a user's password.

Radius deals with categories of authentication known as services. The router supports user logins via the LOGIN service, PPP connections via the PPP service and non-root Web management via the WEBMIN service. The WEBMIN service allows operator actions to be logged under their login name as opposed to root.

The router uses Radius to authenticate:
- Serial port, embedded modem and SSH console logins to the root account
- SCP and SFTP (SSH file copies and file transfers) to the root account
- Logins to the rrsetup configuration (rrsetup) account
- PPP incoming connections on the embedded modem (specific user accounts)
- Web Management logins (root and radius user accounts)

Radius server redundancy is supported. Multiple Radius servers, usually operating from a common database, may be used to authenticate a new session. If the first configured Radius server does not respond, subsequent servers will be tried until a positive or negative acknowledgment is received or all servers have been tried. Each server is configured with an associated timeout which limits the duration of the request to it. An authentication request could thus require up to the sum of the timeouts of all configured servers. If no Radius servers are configured, or none is able to authenticate the request, logins are authenticated from the system accounts stored on the router.
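The server walk described above, modelled as an added example (illustrative code, not RuggedCom's implementation). The RadiusServer fields Down, ReplyAfter and Users are constructed stand-ins for the real network exchange, and the fallback rule is taken as: only silent servers, never an explicit rejection, lead to the router's local accounts.

```go
package main

import (
	"fmt"
	"time"
)

// RadiusServer models one configured server. Timeout is the per-server
// limit from the manual; Users, Down and ReplyAfter are constructed
// stand-ins for the network exchange so the example runs offline.
type RadiusServer struct {
	Addr       string
	Timeout    time.Duration
	ReplyAfter time.Duration     // how long the server takes to answer
	Down       bool              // never answers at all
	Users      map[string]string // the server's user database
}

// LocalAccounts stands in for the system accounts stored on the router
// (the factory defaults from the manual, which should be changed).
var LocalAccounts = map[string]string{"root": "admin", "rrsetup": "admin"}

// verdict is what one server returns: no answer within its timeout, or an
// explicit positive or negative acknowledgment.
type verdict int

const (
	noResponse verdict = iota
	accept
	reject
)

// ask sends one request to s and reports its verdict together with how
// long the request occupied the router.
func (s RadiusServer) ask(user, pass string) (verdict, time.Duration) {
	if s.Down || s.ReplyAfter > s.Timeout {
		return noResponse, s.Timeout // waited the full timeout for nothing
	}
	if stored, ok := s.Users[user]; ok && stored == pass {
		return accept, s.ReplyAfter
	}
	return reject, s.ReplyAfter
}

// Authenticate applies the rules from the text: servers are tried in
// configured order; the first positive or negative acknowledgment is final;
// only when no server is configured or none answers are the local accounts
// consulted. It reports the decision, who made it and the elapsed time.
func Authenticate(servers []RadiusServer, user, pass string) (ok bool, decidedBy string, elapsed time.Duration) {
	for _, s := range servers {
		v, took := s.ask(user, pass)
		elapsed += took
		switch v {
		case accept:
			return true, "radius:" + s.Addr, elapsed
		case reject:
			return false, "radius:" + s.Addr, elapsed
		}
		// noResponse: move on to the next configured server
	}
	stored, known := LocalAccounts[user]
	return known && stored == pass, "local", elapsed
}

// MaxAuthDelay is the worst case the text mentions: every server silent, so
// the login waits the sum of all configured timeouts before local fallback.
func MaxAuthDelay(servers []RadiusServer) time.Duration {
	var total time.Duration
	for _, s := range servers {
		total += s.Timeout
	}
	return total
}

// SampleServers is a constructed configuration: the first server is
// unreachable, the second answers after one second.
var SampleServers = []RadiusServer{
	{Addr: "10.0.0.1", Timeout: 3 * time.Second, Down: true},
	{Addr: "10.0.0.2", Timeout: 5 * time.Second, ReplyAfter: time.Second,
		Users: map[string]string{"operator": "s3cret"}},
}

// AllDown is the same configuration with both servers silent.
var AllDown = []RadiusServer{
	{Addr: "10.0.0.1", Timeout: 3 * time.Second, Down: true},
	{Addr: "10.0.0.2", Timeout: 5 * time.Second, Down: true},
}

func main() {
	for _, c := range []struct {
		servers    []RadiusServer
		user, pass string
	}{
		{SampleServers, "operator", "s3cret"},
		{SampleServers, "operator", "wrong"},
		{AllDown, "root", "admin"},
		{nil, "rrsetup", "admin"},
	} {
		ok, by, took := Authenticate(c.servers, c.user, c.pass)
		fmt.Printf("%-8s accepted=%-5v by=%-15s after %v (worst case %v)\n",
			c.user, ok, by, took, MaxAuthDelay(c.servers))
	}
}
```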
primary connection, you probably want this option enabled. The Use peer DNS checkbox enables automatically setting the DNS server entries that the PPPoE server recommends. Enable this option unless you provide your own name servers. The MTU field defines the MTU size to request when connecting to the PPPoE server. In some cases the PPPoE provider may provide a smaller MTU, in which case the smaller setting will be used, or it may refuse to alter the MTU and use whatever it considers to be the default.

Note: If the negotiated MTU is different from the requested MTU, a warning will be displayed on the Networking, ADSL menu.

Editing A Logical Interface (Bridged)

Figure 79: Edit Logical Interface (Bridged). The Edit Logical Interface form offers "Convert this interface to PPPoE" and the fields Description (ADSL Bridged Mode), VPI (0), Attempt ATM Autoconfiguration, VCI (35), Use DHCP, Local IP Address (169.254.0.1), Netmask (255.255.0.0), Remote IP Address (169.254.0.2), Use as Default Route (No) and Gateway, with Save and Delete buttons.

The Description field attaches a description to the logical interface, viewable from the network interfaces menu. The VPI field determines the VPI number the connection uses. The default of 0 is correct for most providers. The Attempt ATM Autoconfiguration option causes the router to attempt to automatically determine the VPI and
set.

Figure 7: RuggedRouter Date, Time, Timezone Menu

Once set, the router will account for Daylight Savings time.

Displaying Hardware Information

The Display Hardware Information command describes commissioned hardware.

Figure 8: RuggedRouter Hardware Information Menu

Restoring A Configuration

The Restore A Previous Configuration command provides a means to restore a previously taken snapshot of the configuration of the router.

Note: The router will reboot immediately after restoring configuration.

The user is first prompted to select either the factory default configuration or a previously made archive.

Note: Restoring the factory defaults will reset IP addresses and may make the router impossible to reach from the network.

Figure 9: Selecting a configuration to reload

Initially your RuggedRouter will have no previously saved configurations. The factory defaults will always be available.

Figure 10: Selecting a previously made configuration

Once a configuration is selected, the archive will be restored. After the configuration is restored, the router will reboot immediately.

The RuggedRouter Web Interface

The RuggedCom Web interface is provided by an enhanced version of the popular Webmin interface.

Using a Web Bro
stop the system being upgraded, perform the upgrade and then restart it. If the DDS port were upgraded in this way, the upgrade would fail, as the DDS link would be taken down. Instead, DDS software upgrades modify only the software on the disk. You must schedule a reboot in order to run the new version of DDS software.

Chapter 9 Configuring PPPoE, Bridged Mode On ADSL

Introduction

This chapter familiarizes the user with:
- Configuring PPPoE and Bridged Mode Links
- Viewing status

ADSL Fundamentals

An ADSL (Asymmetric Digital Subscriber Line) line is a communications link running over regular POTS telephone service. The link is asymmetric, supporting data transfer at up to 8 Mbps from the network and up to 1 Mbps to the network. The actual bandwidth depends upon the distance between the router and the telco central office, the maximum distance of which may be up to 5480 m. An ADSL card must connect to a central ADSL DSLAM for its connection.

ADSL shares ordinary telephone lines by using frequencies above the voice band. ADSL and voice frequencies will interfere with each other. If the line will be used for both data and voice, a splitter should be installed to divide the line for DSL and telephone.

ADSL is almost always used to make a connection to the Internet via an ISP. There are
suggest a DNS server, which you can configure via the Networking, Network Configuration, DNS Client menu.

Location Of Interfaces And Labeling

Unlike the Ethernet ports, which are statically located, the location of ADSL ports in your router depends upon the number of ports and how they were ordered. Refer to the labeled hardware image as presented in the Webmin home page. To make labeling easy to understand, all T1/E1, T3, DDS and ADSL ports are assigned a unique port number that relates to the LEDs on the status panel.

LED Designations

The RuggedRouter includes two sources of LED-indicated information about ADSL lines: the ADSL card itself and the LED Panel. Four LEDs are associated with the line, next to the interface jack:
- Power (Green) indicates when the card is active and powered.
- Link (Green) indicates when the DSL link is established.
- TX (Red) indicates when data is being transmitted over DSL.
- RX (Red) indicates when data is being received over DSL.
While connecting, the LEDs flash sequentially.

The RuggedRouter also indicates information about ADSL ports on the LED Panel. A pair of LEDs will indicate traffic and link status of the port. Consult the section Using The LED Status Panel to determine which LEDs correspond to the port.

ADSL Configuration

The ADSL menu offers ADSL Interfaces, PPP Logs and Current Route & Interface Ta
the Save button below the table to change the default gateway setting.

Configured Static Routes

This table configures static and host routes.

The Network/Host and Netmask fields describe the remote network the static route will reach. If the netmask field is not entered, or a netmask of 255.255.255.255 is entered, the routing will define a host route. Any other netmask will define a network route. If the network field is cleared, the route will be deleted upon the next save. The Gateway field describes an address that is used as the next hop to forward traffic to. If this field is not specified, then traffic is forwarded to the Interface. The Interface field describes the network interface this static route will use. The interface does not need to be active or even exist, but the route will not be installed until both are true. You do not need to provide an interface, but doing so will cause the menu to warn you if the gateway is not owned by the interface. The menu provides a list of currently configured interfaces for your convenience. The Metric field specifies an integer cost metric for the route, which is used when choosing among multiple routes in the routing table that most closely match the destination address of a packet being forwarded. The route with the lowest metric is chosen. The Comment field shows the status of the static route and provides a basic cause when the route is not ins
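The route selection the table description implies, as an added example (not the router's own code): the most specific matching netmask wins, the lowest metric breaks ties, and a blank netmask is treated as a host route. The route table and addresses are constructed.

```go
package main

import (
	"fmt"
	"net"
)

// StaticRoute carries the fields of the Configured Static Routes table.
type StaticRoute struct {
	Network, Netmask, Gateway, Interface string
	Metric                               int
}

// v4 parses a dotted IPv4 address, returning nil for anything else.
func v4(s string) net.IP {
	if ip := net.ParseIP(s); ip != nil {
		return ip.To4()
	}
	return nil
}

// parseMask turns a dotted netmask into an IPMask. A blank netmask means a
// host route, which the table treats the same as 255.255.255.255.
func parseMask(netmask string) (net.IPMask, error) {
	if netmask == "" {
		return net.CIDRMask(32, 32), nil
	}
	ip := v4(netmask)
	if ip == nil {
		return nil, fmt.Errorf("bad netmask %q", netmask)
	}
	m := net.IPMask(ip)
	if _, bits := m.Size(); bits == 0 {
		return nil, fmt.Errorf("non-contiguous netmask %q", netmask)
	}
	return m, nil
}

// IsHostRoute reports whether the route's netmask selects a single host.
func IsHostRoute(r StaticRoute) bool {
	m, err := parseMask(r.Netmask)
	if err != nil {
		return false
	}
	ones, _ := m.Size()
	return ones == 32
}

// Lookup picks the route for dst as the text describes: the most specific
// match (longest netmask) wins, and among equally specific routes the
// lowest metric wins. ok is false when no route covers dst.
func Lookup(table []StaticRoute, dst string) (best StaticRoute, ok bool) {
	d := v4(dst)
	if d == nil {
		return best, false
	}
	bestOnes := -1
	for _, r := range table {
		m, err := parseMask(r.Netmask)
		n := v4(r.Network)
		// A cleared network field means the route is deleted on the next save.
		if r.Network == "" || err != nil || n == nil || !n.Mask(m).Equal(d.Mask(m)) {
			continue
		}
		ones, _ := m.Size()
		if ones > bestOnes || (ones == bestOnes && r.Metric < best.Metric) {
			best, bestOnes, ok = r, ones, true
		}
	}
	return best, ok
}

// SampleRoutes is a constructed table: a default route, a /8, two competing
// /24 routes with different metrics, and a host route with a blank netmask.
var SampleRoutes = []StaticRoute{
	{"0.0.0.0", "0.0.0.0", "192.168.1.254", "eth1", 10},
	{"10.0.0.0", "255.0.0.0", "192.168.2.1", "eth2", 5},
	{"10.0.10.0", "255.255.255.0", "192.168.2.1", "eth2", 20},
	{"10.0.10.0", "255.255.255.0", "192.168.1.253", "eth1", 5},
	{"10.0.10.2", "", "", "eth3", 1},
}

func main() {
	for _, dst := range []string{"10.0.10.2", "10.0.10.7", "10.9.9.9", "8.8.8.8"} {
		r, ok := Lookup(SampleRoutes, dst)
		fmt.Printf("%-10s -> %+v (match=%v host=%v)\n", dst, r, ok, IsHostRoute(r))
	}
}
```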
the current OSPF status. The status of each interface is shown, along with the current database, the current OSPF neighbors and the current OSPF routing table.

View OSPF Configuration

This menu shows the current configuration file of OSPF.

RIP

Figure 125: RIP Menu. The RIP menu offers RIP Global Parameters, RIP Interfaces, Status and View RIP Configuration.

This menu contains the configuration and status of RIP on the router. The RIP Global Parameters and RIP Interfaces menus configure RIP. The Status and View RIP Configuration menus display the actual status and configuration file contents of RIP.

RIP Global Parameters

Each row of the RIP Global Parameters menu shows a parameter, its value, a description, and its possible values with the default in parentheses:
- Enable Password (value: ****): Enable password for configuration access. String without spaces (previous password).
- Telnet Password (value: ****): Telnet password for port 2604 access. String without spaces (previous password).
- Hostname: Identifier of router, often the DNS name of the router. String without spaces (no hostname).
- Advertise default route (value: enable) (disabled).
- Originate Default Metric (value: 1): Control distribution of default information. 1-16 (1).
- Distance: Define an administrative distance. 1-255 (unset, not used).
- Redistribute connected (value: enable): Redistribute routes for directly connected interfaces to RIP area routers. enable/disable, 0-16777214 (disabled, unset).
the public gateway.

Router IPsec Configuration

Transfer the cacert and the router's certificate to the router. If your authority prepares a Certificate Revocation List (CRL), you will want to transfer that as well. The cacert file should be renamed cacert.pem and installed in /etc/ipsec.d/cacerts. The CRL file should be renamed to crl.pem and installed in /etc/ipsec.d/crls. The router's certificate must be installed in /etc/ipsec.d/certs. Its public key file (e.g. router.key) must be installed in /etc/ipsec.d/private, and a line

: RSA router.key "Password"

where Password is the pass phrase that was used to generate the certificate, must be added to the end of the /etc/ipsec.secrets file.

Note: The Maintenance Menu, Upload/Download Files sub-menu provides a method to transfer the files directly to the indicated directories.

Enable IPsec from the Bootup and Shutdown menu. Visit the IPsec VPN menu and generate a public key. Visit the Server Configuration menu and associate the ipsec0 interface with the desired interface the connection will arrive on (here w1ppp). Create a connection for the clients. Set the parameters as follows:

Parameter             Value           Comments
At IPsec Startup      Add connection  We wish to add the connection when the client starts it
Authenticate by       rsasig          X.509 certificates provide RSA
Connection Type       Tunnel
Encryption Protocols  As desired
Compress Data         As des
the so-called roaming client.

X.509 Certificates

X.509 certificates may be used to authenticate the connection. Certificates are digital signatures that are produced by a trusted source, namely a Certificate Authority (CA). For each host, the CA creates a certificate that contains CA and host information and signs the certificate by creating a digest of all the fields in the certificate and encrypting the hash value with its private key. The encrypted digest is called a digital signature. The host's certificate and the CA public key are installed on all gateways that the host connects to. When the gateway receives a connection request, it uses the CA public key to decrypt the signature back into the digest. It then recomputes its own digest from the plain text in the certificate and compares the two. If both digests match, the integrity of the certificate is verified (it was not tampered with) and the public key in the certificate is assumed to be the valid public key of the connecting host.

NAT Traversal

Historically, IPsec has presented problems when connections must traverse a firewall providing Network Address Translation (NAT). The Internet Key Exchange (IKE) used in IPsec is not NAT-translatable. When IPsec connections must traverse a firewall, IKE messages and IPsec-protected packets must be encapsulated as User Datagram Protocol (UDP) messages. The encapsulation allows the original untranslated packet to be examined by IPsec.

Other Configuratio
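The digest-and-signature check described above, as an added example in Go's standard library (not RuggedCom's or Openswan's code): a CA signs a host certificate, the gateway verifies it, and both a tampered copy and a certificate issued by a CA the gateway does not trust fail. The CA and host names are constructed.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert builds one certificate. With isCA set it is self-signed (the CA
// itself); otherwise it is signed by parent's private key.
func newCert(cn string, isCA bool, parent *x509.Certificate, parentKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed
	}
	// CreateCertificate hashes the certificate fields and signs the digest
	// with the parent's private key: the digital signature from the text.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyHostCert is the gateway-side check: the CA public key is used to
// check the signature against a freshly computed digest of the certificate,
// and the chain must end at the trusted CA.
func VerifyHostCert(host, ca *x509.Certificate) error {
	if err := host.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("digest/signature mismatch: %w", err)
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := host.Verify(x509.VerifyOptions{Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Tamper alters the subject name inside the signed DER without changing its
// length, so the certificate still parses but its digest no longer matches.
func Tamper(cert *x509.Certificate, oldCN, newCN string) (*x509.Certificate, error) {
	if len(oldCN) != len(newCN) || !bytes.Contains(cert.Raw, []byte(oldCN)) {
		return nil, fmt.Errorf("cannot replace %q by %q in DER", oldCN, newCN)
	}
	return x509.ParseCertificate(bytes.Replace(cert.Raw, []byte(oldCN), []byte(newCN), 1))
}

// Outcome records the three checks run by Demo.
type Outcome struct{ GenuineOK, TamperedOK, ForeignCAOK bool }

// Demo issues a host certificate from a CA and runs the gateway check on the
// genuine certificate, a tampered copy and a certificate from a second CA
// the gateway does not trust. Only the first should pass.
func Demo() (Outcome, error) {
	var out Outcome
	ca, caKey, err := newCert("Example VPN CA", true, nil, nil)
	if err != nil { return out, err }
	host, _, err := newCert("ruggedrouter", false, ca, caKey)
	if err != nil { return out, err }
	out.GenuineOK = VerifyHostCert(host, ca) == nil
	forged, err := Tamper(host, "ruggedrouter", "RUGGEDROUTER")
	if err != nil { return out, err }
	out.TamperedOK = VerifyHostCert(forged, ca) == nil
	otherCA, otherKey, err := newCert("Untrusted CA", true, nil, nil)
	if err != nil { return out, err }
	foreign, _, err := newCert("ruggedrouter", false, otherCA, otherKey)
	if err != nil { return out, err }
	out.ForeignCAOK = VerifyHostCert(foreign, ca) == nil
	return out, nil
}

func main() {
	out, err := Demo()
	fmt.Printf("%+v err=%v\n", out, err)
}
```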
time and services offered by the router. The root account provides a full shell.

Attach a PC running terminal emulation software to the RS232 port and apply power to the chassis. Default baud rate, data bits, parity: 38400 8 n 1, no hardware/software flow control. Set the terminal type to VT100. Press ENTER to obtain a login prompt.

Initial Configuration Before Attaching To The Network

- Login as the rrsetup user with password admin.
- Change the root and rrsetup passwords from the shell. Record the passwords in a secure manner.
- If Radius authentication will be employed, configure at least one authentication server address.
- Configure the router's hostname, IP address, subnet mask and gateway addresses for the built-in Ethernet ports.
- For an RX1100 router, the Gauntlet Security application may be configured with the passphrase allocated to the network and the network address of the Command and Control Center (CCC). Note that you must also configure and activate the firewall before using the Gauntlet.
- Ensure that the date, time and timezone fields are correctly set.
- If Web or SSH services will not be used, these can be disabled from the setup shell.

All further configuration is accomplished through the web management interface.

- Attach the configuring host to one of the Ethernet ports configured above.
- Poin
to describe the group as desired. The Use name as client hostname field determines whether host entries should use the host entry's name as the client hostname to provide to the client. Within a group you can create hosts.

DHCP Host Configuration

The DHCP Host Configuration form (Host Details) contains the fields Host description, Host assigned to (Toplevel), Host name, Hardware Address (ethernet), Fixed IP address, Default lease time (Default or secs), Maximum lease time (Default or secs), Boot filename (None), Boot file server (This server), Server name (Default), Lease length for BOOTP clients (Default, Forever or secs), Lease end for BOOTP clients (Never), Dynamic DNS domain name (Default), Dynamic DNS enabled (Yes/No/Default), Dynamic DNS hostname (From client/Default), Client domain (Default) and Allow unknown clients (Allow/Deny/Ignore/Default).

The Host description field is used to describe the host as desired. The Host name field is the unique name to refer to the host within the DHCP configuration. The Hardware address field is the Ethernet MAC of the client associated with the host entry. The Fixed IP address field is the IP to assign to the matching client.

DHCP Pool Configuration

The Edit Address Pool form (Module Index) for subnet 192.168.2.0 255.255.255.0 contains the Address pool options, starting with Address ranges 192 1
two methods for establishing the connection: PPPoE and Bridged mode.

ADSL uses the ATM protocol to communicate with the central office DSLAM. ATM uses virtual channels to route traffic, and the DSL connection needs to know which virtual channels to use. Most providers use VPI 0 and VCI 35. There are exceptions to this. Some providers that use different settings are listed in the following table.

Provider          VPI  VCI
Typical Provider  0    35
Bell South        8    35
New Edge          0    38
Sprint            8    35
US West/Qwest     0    32

PPPoE/Bridged Mode Fundamentals

In PPPoE (Point to Point Protocol Over Ethernet), the PPP dial-up protocol is used with Ethernet over ADSL as the transport. PPPoE supports the protocol layers and authentication widely used in PPP and enables a point-to-point connection to be established in the normally multipoint architecture of Ethernet. As your PPPoE connection is established, a PPP interface will be created. The name will be pppX, where X is the same as the interface number. Use this interface name in firewall rules.

Authentication, Addresses and DNS Servers

PPP authentication utilizes PAP or CHAP. Your ISP will provide you with a user ID and password, which you will enter in the GUI. The authentication process will assign a local IP address and the addresses of the ISP's DNS servers to the router. You should use these DNS servers unless you wish to provide you
under the Rule Set field, resulting in a menu such as the following.

Figure 197: Snort Ruleset Edit. The Edit Ruleset page lists the Current Rules in x11.rules with the columns Rule, Signature, Status and Action (Disable, Edit and Delete for each rule) and an Add Rule button. Rule 1: alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; reference:arachnids,396; classtype:attempted-user; sid:1225;). Rule 2: alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established; content: a hex byte pattern, partly illegible in the figure; reference:arachnids,395; classtype:unknown; sid:1226;).

Each rule can be individually enabled, disabled or deleted. Most rules will include a reference link to more information about the vulnerability the rule detects. It is possible to add your own rule or one obtained from the open source community (e.g. www.bleedingsnort.com).

Rule Lookup by SID

The Look Up Rule button accepts a SID and displays its rule. You may elect to disable the rule or learn more information about it.

Network Settings

Figure 198: Snort Network Settings

Snort Network Settings
Network Variable  Setting     Description
HOME_NET          10.0.0.0/8  IP Addresses in the local subnet
EXTERNAL_NET      HOME_NET    IP A
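An added example, not part of the manual or of Snort itself, of parsing rules in the form shown in Figure 197 and enabling or disabling one by SID, as the Look Up Rule button does. It assumes a disabled rule is kept in the file commented out with '#'; the second sample rule and both rev values are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Option is one "key:value" (or bare flag) from a rule's option block.
type Option struct{ Key, Value string }

// Rule is a parsed Snort rule plus the enabled state the ruleset menu toggles.
type Rule struct {
	Enabled                                         bool
	Action, Proto, Src, SrcPort, Dir, Dst, DstPort string
	Options                                         []Option
}

// ParseRule parses one rule line; a leading '#' marks the rule disabled.
func ParseRule(line string) (Rule, error) {
	r := Rule{Enabled: true}
	s := strings.TrimSpace(line)
	if strings.HasPrefix(s, "#") {
		r.Enabled, s = false, strings.TrimSpace(s[1:])
	}
	open := strings.Index(s, "(")
	if open < 0 || !strings.HasSuffix(s, ")") {
		return r, fmt.Errorf("missing option block: %q", line)
	}
	h := strings.Fields(s[:open])
	if len(h) != 7 {
		return r, fmt.Errorf("bad rule header: %q", s[:open])
	}
	r.Action, r.Proto, r.Src, r.SrcPort, r.Dir, r.Dst, r.DstPort = h[0], h[1], h[2], h[3], h[4], h[5], h[6]
	opts, err := splitOptions(s[open+1 : len(s)-1])
	r.Options = opts
	return r, err
}

// splitOptions splits the option block on ';' while honouring double quotes
// and backslash escapes, so a ';' inside msg or content does not end an option.
func splitOptions(body string) ([]Option, error) {
	var opts []Option
	start, inQuote := 0, false
	for i := 0; i < len(body); i++ {
		switch c := body[i]; {
		case c == '\\' && inQuote:
			i++ // skip the escaped byte
		case c == '"':
			inQuote = !inQuote
		case c == ';' && !inQuote:
			if f := strings.TrimSpace(body[start:i]); f != "" {
				k, v, _ := strings.Cut(f, ":")
				opts = append(opts, Option{strings.TrimSpace(k), strings.TrimSpace(v)})
			}
			start = i + 1
		}
	}
	if inQuote {
		return nil, fmt.Errorf("unterminated quote in options: %q", body)
	}
	if strings.TrimSpace(body[start:]) != "" {
		return nil, fmt.Errorf("option without terminating ';': %q", body[start:])
	}
	return opts, nil
}

// Get returns an option's value with surrounding quotes removed, "" if absent.
func (r Rule) Get(key string) string {
	for _, o := range r.Options {
		if o.Key == key {
			return strings.Trim(o.Value, `"`)
		}
	}
	return ""
}

// SetEnabled is the lookup-by-SID action; it reports whether the SID exists.
func SetEnabled(rules []Rule, sid int, on bool) bool {
	for i := range rules {
		if rules[i].Get("sid") == fmt.Sprint(sid) {
			rules[i].Enabled = on
			return true
		}
	}
	return false
}

// SampleRules: the first x11.rules entry from Figure 197 (rev constructed) and
// a constructed, disabled second rule whose msg holds a ';' inside quotes.
var SampleRules = []string{
	`alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; reference:arachnids,396; classtype:attempted-user; sid:1225; rev:1;)`,
	`# alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen; constructed"; flow:established; content:"|0b 00 00 00|"; classtype:unknown; sid:1226; rev:1;)`,
}

func main() {
	var rules []Rule
	for _, l := range SampleRules {
		r, err := ParseRule(l)
		fmt.Printf("sid=%s enabled=%v msg=%q err=%v\n", r.Get("sid"), r.Enabled, r.Get("msg"), err)
		rules = append(rules, r)
	}
	fmt.Println(SetEnabled(rules, 1225, false), rules[0].Enabled) // disable by SID
}
```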
use: Plain text, MD5 (RFC compliant) or MD5 (old ripd mode compatible). The Use Split Horizon field offers No, Yes or Yes with poisoned reverse. Save.

Figure 127: RIP Interfaces

Parameters specific to one interface are configured here. Each interface on the router is listed. Clicking on settings displays a menu of configuration options for that interface. Clicking Remove inactive interfaces purges the list of any interfaces which are no longer configured on the router. The Passive Interface option controls if an interface is active or passive. Passive interfaces do not send RIP updates to other routers. The Receive Version field controls which versions of RIP messages will be accepted. Either version 1, version 2 or both versions can be accepted. By default both RIP versions are accepted. The Send Version field controls which versions of RIP messages to send to other routers. Either version 1, version 2 or both versions can be sent. By default only RIP version 2 messages are sent. The Authentication fields choose the authentication mode this port uses. A port can either use no authentication, use a specific authentication string (used the same way as the string in a key) or use a specific key chain's settings. By default no authentication is used. The Authentication mode field chooses the mode of authentication used. Options are plai
with a local router address of 172.16.17.18, a remote router address of 172.19.20.21 and a remote subnet of 192.168.2.0/24.

Note: If you are connecting to a CISCO router, the local router address corresponds to the CISCO IOS source address and the remote router address corresponds to the destination address.

You may also set a cost for the tunnel. If another method of routing between Router1 and Router2 becomes available, the tunneled packets will flow through the lowest cost route. You can optionally restrict the packets by specifying the local egress device (in the case of router1, w1ppp).

GRE Main Menu

Figure 147: GRE Main Menu

Generic Routing Encapsulation Tunnels
Tunnel Name  Remote Net       Local IP  Remote IP  Local Egress Port  Cost  Tunnel Status
gre1         192.168.22.0/24  1.1.1.1   2.2.2.2    w1ppp              0     Active
Add a new GRE tunnel

This menu displays configured GRE tunnels. The tunnel status will be active if the tunnel was successfully created.

GRE Configuration Menu

New Tunnel Configuration: this menu will prefix "gre" to the tunnel name upon saving; legal tunnel names are 12 characters or less in length and contain only a-z or 0-9. The form fields are Tunnel Name (1), Remote Net (172.28.16.2), Local IP (193.23.45.67), Remote IP (121.13.2.56), Cost and Local Egress Port (any), with a Save and Apply button.

Figure 1
97. 0 milliseconds inclusive (0 is off). The Call Dir field configures whether to accept an incoming connection, place an outgoing connection, or do both. The Max Conns field configures the maximum number of incoming connections to permit when the call direction is incoming. The Remote IP field configures the address used when placing an outgoing connection. The Remote Port field selects the TCP destination port used in outgoing connections. The Local Port field selects the local TCP port to use to accept incoming connections.
Chapter 19 Configuring Serial Protocols
Serial Protocols Statistics Menu
Figure 162 Serial Protocols Statistics Menu (Port Statistics table columns: Port, Protocol, Rx Chars, Tx Chars, Packet Errors, Parity Errors, Framing Errors, Overrun Errors; example row: rawsocket, 7446748, 9462400, 0, 0, 2, 0, with a reset link. Connection Statistics table columns: Remote IP, Remote Port, Local Port, Rx Packets, Tx Packets, Target Serial Port(s), Status; example row: 10.0.10.2, 50001, 29705, 42, 7, 1, Active. Refresh and Continuous Display buttons.)
This menu presents statistics of serial port activity and established connections. The menu also allows you to reset a port, forcing call hang-up and re-establishment. The Port Statistics table provides a record for each active serial port. The number of historical received and transmitted characters, as well as errors, will be displayed.
98. Figure 88 PPP Connection Logs
This page shows a list of PPP connections. It shows who connected, when they connected and disconnected, the connection speed and the session traffic.
Current Routes & Interface Table
The table provided by this command is as described in the Networking menu, Network Utilities sub-menu. It is also provided here as a convenience.
RuggedCom 101 RuggedRouter User Guide
Chapter 11 Configuring The Firewall
Introduction
This chapter familiarizes the user with:
- Enabling/Disabling The Firewall
- Elements of Firewall design
- How to configure the Firewall
- Checking Firewall configuration
Firewall Fundamentals
Firewalls are software systems designed to prevent unauthorized access to or from private networks. Firewalls are most often used to prevent unauthorized Internet users from accessing private networks (intranets) connected to the Internet. When the RuggedRouter firewall is used, the router serves as a gateway machine through which all messages entering or leaving the intranet pass. The router examines each message and blocks those that do not meet the specified security criteria. The router also acts as a proxy, preventing direct communication between co
99. Figure 224 Trap Destinations V1 and V2c (menu: "No 1 or 2c trap destinations are currently defined"; the Add form has Type, IP Address and Trap Community fields).
The SNMP V1 and V2c Trap Destinations part of the menu allows the creation and deletion of trap destinations. The Type field specifies the exchange used with this destination: either V1 trap, V2c trap or V2c inform. The IP Address and Trap Community fields specify the receiver's IP address and community name.
Figure 225 Trap Destinations V3 (menu: "No 3 trap destinations are currently defined"; the Add form has Type, IP Address, User Name, Engine ID, Authentication Protocol (MD5 shown) and Authentication Passphrase, Privacy Protocol (DES shown) and Privacy Passphrase fields).
The SNMP V3 Trap Destinations part of the menu allows the creation and deletion of V3 trap destinations. The Type field specifies the exchange used with this destination: either V3 trap or V3 inform. The IP Address and Trap Community fields specify the receiver's IP address and user name. The Engine ID parameter is necessary for inform type notification destinations only, and must be configured by the trap receiver in order to receive these notifications.
100. Figure 229 Chassis Parameters Menu
This menu displays the chassis temperature and, if hardware version 2, the voltage levels of the chassis power supplies and a record of the last power down time. The system will highlight in red any out of range value. The monitored values are described below.
Parameter: Description
temp: Motherboard temperature
VcoreA, VCoreB: Redundant 3.3V power supply voltages
3.3 PS1, 3.3 PS2: Redundant 3.3V power supply voltages
5V: 5V power supply voltage
12V: 12V power supply voltage
VBat: Battery voltage
The last power down time reflects the time power was removed from the chassis as a result of a power failure, a commanded reboot or a watchdog initiated reboot. System alarms will be generated for out of range parameters and watchdog initiated reboots.
Chapter 26 Maintaining The Router
System Logs
System Logs menu (Log destination: Active; Messages selected):
File /var/log/messages: Yes; info, notice, warn, auth, authpriv.none, cron, daemon.none, mail.none
File /var/log/syslog: Yes; auth, authpriv.none
File /var/log/auth.log: Yes; auth, authpriv
File /var/log/critical: Yes; crit
File /var/log/kern.log: Yes; kern
File /var/log/cron.log: No; cron
File /var/log/daemon.log: No; daemon
All users: Yes; emerg
Add a new system log; Apply Changes
101. 1536 Kbps channel, referred to as a clear channel. Not all channels need be used. It is quite common to purchase N channels of 64 Kbps bandwidth and leave the remainder unused; this is known as fractional T1. The telephone network terminates the T1 line and maps each of the channels through the T1 network to a chosen T1 line. Individual and bonded DS0s from more than one remote T1 can be aggregated into a full T1 line, often referred to as central site concentration. Whereas the T1 line itself is referred to as the physical interface, groups of DS0s form channels, and the protocols that run on the channels are known as logical interfaces. The RuggedRouter provides you the ability to operate Frame Relay or PPP over your logical interfaces. An E1 is a communications circuit conforming to European standards, possessing 32 64 Kbps channels, of which one is usually reserved for signaling information.
Frame Relay
Frame Relay is a packet switching protocol for use over the WAN. The RuggedRouter provides the ability to construct point to point IP network connections over Frame Relay. Each Frame Relay interface provides a link between a local and a peer station. One of the stations must be configured as a Data Communications Equipment (DCE) device, often known as the Switch, while the peer station must be configured as a Data Terminal Equipment (DTE) device, often known as Customer Premises Equipment (CPE). The DCE is responsible for man
103. Figure 168 GOOSE Statistics Menu (Round Trip Times table columns: Remote IP, Transmitted, Received, Minimum RTT, Average RTT, Maximum RTT, Std Deviation; Refresh and Continuous Display buttons).
This menu presents statistics of GOOSE activity at the Ethernet and Network Layers. The Ethernet Statistics table provides a record for each GOOSE tunnel. The number of historical received and transmitted characters, as well as errors, will be displayed. The Connection Statistics table reflects UDP connections. Network and Ethernet connections can be paired by examining the L2 MAC Address field. Note: all counts are from the router's perspective. The Rx Packets count reflects packets received from the network, the contents of which are transmitted at the protocol and reflected in the Tx Chars field. The Round Trip Times table reflects the measured RTT to each remote daemon. The minimum, average, maximum and standard deviation of times are presented. Entries with a large difference between the Transmitted and Received fields indicate potential problems. The Refresh button will cause the page to be reloaded. The Continuous Display button will cause the brow
104. 255.0.
3. Save it.
4. Add a new shared network.
5. Name the shared network (for example eth1) and select the subnet 192.168.1.0 to be included in the shared network.
6. Save it.
7. Edit the shared network again.
8. Add a new subnet and configure it for network address 192.168.2.0 with netmask 255.255.255.0.
9. Save the new subnet and then save the shared network settings.
10. Edit the subnet just created and click Edit Client Options.
11. Set default routers to 192.168.2.1 and save it.
12. Click add an address pool to the subnet.
13. Set the address range to 192.168.2.101 to 192.168.2.200.
14. Click Create.
15. Edit the pool by clicking on the link for the pool with address range 192.168.2.101-192.168.2.200.
16. Click add an option82 client.
17. Give the client a unique alphanumeric name, for example subnet0102.
18. Set the remote id to the switch MAC address (00:0A:DC:11:22:00 in this case).
19. Set the circuit id to the switch's circuit id identifier for the port (00 02 00 02 for VLAN 2, port 2 on a RuggedCom switch).
20. Click Create.
21. Click Save.
22. Repeat steps 8 through 20 for vlan3 through vlan4, changing the subnet, default routers, pool address range and circuit id for each VLAN.
23. Restart the DHCP server or apply changes.
Chapter 21 Configuring The DHCP server
DHCP Server Main Menu
DHCP Server (ISC DHCPd version 3.0.4): Subnets and Shared Networks Dis
105. 4 digits. For example, if the input is 2 it will be automatically changed to 0002.
Edit Boot Time Interfaces
Figure 46 Editing a Boot Time Interface (Edit Bootup Interface menu; the Boot Time Interface Parameters are Name, IP Address (None, From DHCP, From BOOTP or a manual address), Netmask, Broadcast, MTU, Activate at boot (Yes/No), Proxy ARP (Yes/No), Media Type, Virtual interfaces and Virtual LAN interfaces, with Save and Save and Apply buttons; the example shows eth1 at 10.128.10.248, netmask 255.0.0.0, broadcast 10.255.255.255, MTU Automatic, Media Type Auto Negotiation).
This menu allows you to make permanent changes to interfaces and to immediately apply those changes if desired. The Save button will save changes to the permanent configuration. The Netmask, Broadcast, MTU, Virtual Interfaces, Proxy ARP and Media Type controls are as described above. The IP Address fields allow you to manually specify an IP address for this interface, or to obtain the address from DHCP or from BOOTP. The Activate at boot fields allow you to permanently disable the interface without actually deleting it. The Save and Apply button applies any changes after they have been saved. The Delete and Apply button deletes both the boot time and the active interface. The Delete button deletes the boot time interface but leaves the active interface in existence.
PPPoE On Native Ethernet Interfaces
PPPoE Interfaces
PPPoE Interfac
106. 48 GRE Tunnel Configuration Menu
This menu allows you to add or edit a tunnel. The Tunnel Name field will be presented if the tunnel is being created. The tunnel name is purely for informational purposes. A network routing device with this name will be created; in order that the name not collide with those used by other interfaces, it will be prefixed with gre. The Remote Net field configures the target network whose traffic is forwarded through the tunnel. It may be an individual IP address or a subnetted IP address such as 192.168.0.0/24. The Remote Net must not be used by another tunnel. The Local IP field configures the IP address of the local end of the tunnel. The Remote IP field configures the IP address of the remote end of the tunnel. Note: each tunnel must have a unique combination of local and remote addresses or it will not be activated. The Cost field configures the routing cost associated with the network route that directs traffic through the tunnel. The cost will default to zero if left unset. The Local Egress Port configures a port to bind the tunnel to. If set, tunneled packets will only be routed via this port and will not be able to escape to another device when the route to the endpoint changes.
Chapter 18 Network Utilities
Introduction
This chapter familiari
107. Existing VPN connections: No IPsec VPN connections have been defined yet. Links: Add a new IPsec VPN connection; Add defaults for all connections; Import connection from file.
Global options and policies (icons): Server Configuration, Preshared Keys, Show Public Key, List Certificates, IPsec Status.
IPsec VPN Networking is currently stopped. You may start it via the System folder, Bootup And Shutdown menu.
After a VPN connection is created, this menu will display an icon for the connection, as shown in the next view of the VPN Configuration menu. The Add defaults for all connections link allows you to create a profile that will apply to all connections for items such as key type, encryption protocol and compression. These defaults can then be overridden on a per connection basis. The Add a new IPsec VPN connection link creates a new connection and its icon. The Import connection from file link creates new connections from imported data. Select the Server Configuration icon to configure server parameters. Select the Preshared Keys icon to create, delete and edit pre-shared keys. Select the Show Public Keys icon to display the server's public key. Select the IPsec Status icon to display information about the server's capabilities and any current connections. After a VPN connection is created, this menu will include a Start Connection button that can start or restart VPN connections. This button is
108. Figure 175 DHCP Pool Configuration (menu; fields include Address ranges (192.168.2.11 to 192.168.2.11 in the example) with Dynamic BOOTP, Failover Peer, Clients to allow, Clients to deny, Default lease time, Maximum lease time, Boot filename, Boot file server, Server name, Lease length and Lease end for BOOTP clients, Dynamic DNS enabled, Default domain name, Dynamic DNS reverse domain, Dynamic DNS hostname, Allow unknown clients (Allow/Deny/Ignore/Default) and an Option 82 clients table with Client Name, Remote ID and Circuit ID columns, for example slav2p5, 00:0A:DC:11:22:33, 00 02 00 05; Add an option82 client, Save and Delete buttons).
The settings specific to the Address Pool menu are the Failover peer and Clients to allow/deny. The Failover peer field is the IP address of a DHCP peer server, if a failover pool is created. The Clients to allow/deny field can be used to control which clients can get IP addresses from the pool; see the documentation for dhcpd3 for syntax and allowed values. It is very rarely needed, since the Allow unknown clients setting already handles the most common use of this option.
Chapter 22 Configuring NTP
Introduction
This chapter familiarizes the user with:
- Enabling/Disabling NTP
- Setting servers and pe
110. ABR Type field selects which method to use on area border routers to manage inter-area routes. Standard follows RFC 2178; Cisco and IBM follow RFC 3509; Shortcut is covered by the draft-ietf-ospf-shortcut-abr-00.txt document. Standard requires all ABRs to have a backbone connection; the other three methods allow for ABRs that do not have a backbone connection. The Auto Cost Reference Bandwidth field sets the reference bandwidth used to calculate auto costs for OSPF interfaces. The auto cost is the reference bandwidth divided by the interface bandwidth; by default this is 100Mbit / 10Mbit = auto cost of 10. The interface cost is set in the Core Interface configuration for each interface. The cost for each interface can also be set in the OSPF Interface configuration to override the auto cost calculation. The Default Metric field sets the default metric to be used for OSPF routes which don't have another metric specified. The Default Information Originate field, when enabled, causes the router to advertise its default route to the OSPF network. The Distance field sets the administrative distance to use for all routes unless overridden by other distance settings. The Distance External field sets the administrative distance to use for all external routes (backbone routes). The Distance Inter-area field sets the administrative distance to use for all routes between areas. The Distance Intra-area field sets the administrative distance to use for all routes
111. Figure 245 IAS Window Vendor Specific Attribute Information (dialog; Code 15004; "Specify whether the attribute conforms to the RADIUS RFC specification for vendor specific attributes": No, it does not conform; Configure Attribute button).
Appendix E Radius Server Configuration
8. In the Configure VSA (RFC compliant) window, in the Vendor-assigned attribute number edit box input 2; in the Attribute format list box select String; in the Attribute value edit box input the desired privilege level (in the above case it is operator; in your case currently you should input root).
Figure 246 IAS Window Configure VSA (RFC compliant) (dialog; Vendor-assigned attribute number 2, Attribute format String, Attribute value root; OK and Cancel buttons).
112. Edit T1 1 Parameters
Figure 53 T1/E1 Network Interfaces After Interface Creation
Naming Of Logical Interfaces
Webmin names the logical interfaces for you but allows you to provide a description. All interfaces start with a w, to identify them as WAN interfaces, followed by the physical interface number. Unchannelized hardware interfaces supply only one channel, which can be composed of a varying number of timeslots (logical interface). You may configure one PPP interface or up to 990 Frame Relay DLCI interfaces. The next part of the identifier is either ppp or frX, where X is the frame relay channel number. Channelized hardware allows more than one logical interface. The next part of the identifier indicates the channel the interface uses, with a c followed by the lowest channel used. The final part of the identifier is either ppp or fr and the frame relay channel number. Note: once a channel is created and an interface is constructed on it, the name of the interface will never change. This will remain true even if the number of timeslots on the channel is changed. This property is desirable, since interface names used by features such as OSPF, RIP and the firewall can rely on the interface name. Channel re-assignments can, however, lead to a non-intuitive relationship between channels and timeslots.
Editing A T1/E1 Interface
Figure 54 Edit T1 Interface
Chapter 6 Configuring Fra
113. E1 reflect the European variants. The Clocking field performs the same function as that described for T1.
Editing A Logical Interface (Frame Relay)
Figure 55 Edit Logical Interface (Frame Relay) (menu for w2fr16 on T1 2 Channel 1. Frame Relay Parameters: Station Type CPE (FR DTE Interface), Signalling type ANSI, Link Failure Leaves IP interface up, T391 10, T392 16, N391 16, N392 6, N393 4, EEK Type Request, EEK Timer 6. Logical Interfaces on T1 2 Channel 1 table columns: Name, DLCI, Local Address, Netmask, Remote Address, Default Gateway, Description; example rows: w2fr16, 16, 192.168.0.2, 255.255.255.255, 192.168.15.2, Main Control; w2fr17, 17, 192.168.3.3, 255.255.255.255, 192.168.37.2, Backup Control. Links and buttons: Add another DLCI to this channel, Save, Delete this logical interface.)
This menu allows you to configure Frame Relay link and logical interface fields.
Frame Relay Link Parameters
The first table presents the link parameters and applies to all logical interfaces. The Station Type field determines whether the router acts as customer premises equipment or as a frame relay switch. When a Frame Relay network provider is used, the CPE interface should be chosen. When the connection is end to end, it is typical to set the central site end to switch and the remote end to CPE. The Signaling type field reflects the Frame Relay link
114. Add a new static NAT entry
Manually Edit File: click this button to manually edit the Shorewall file /etc/shorewall/nat, in which the entries above are stored.
This menu allows you to add, delete and configure static NAT translations. Add a new translation by selecting the Add a new static NAT entry link or by clicking on the add above or add below images in the Add field. Reorder the translations by clicking on the arrows under the Move field. Clicking on a link under the External Address field will allow you to edit or delete the rule, as shown below. You may also make changes by manually editing the rule file.
Figure 102 Creating a Static NAT Entry (Static NAT entry details: External address, External interface (with an optional virtual interface), Internal address, Active for all hosts (Yes/No), Active for firewall system (Yes/No), Create button; the example maps external address 204.226.111.45 on w1ppp to internal address 192.168.0.1).
The External address and Internal address fields specify the addresses to translate; they describe the information to match against the incoming connection request in order to apply this rule. The External interface field specifies the interface to perform the translation upon. The Active for all hosts field is used to specify whether access to the external IP from all firewall interfaces should undergo NAT (Yes or yes), or if only access from the interface in the INTERFACE column should undergo NAT. The Active
115. IIS by clicking on Start menu, Control Panel, Administrative Tools, Internet Information Services. Right click on Internet Information Services, select Connect, and enter the host computer's IP address (e.g. 192.168.0.1). Verify the IIS web server by opening a web browser on another host on the network and entering the URL http:// followed by the IP address IIS was installed with, followed by /ruggedcom (e.g. http://192.168.0.1/ruggedrouter). Visit the router you wish to upgrade and visit the Maintenance menu, Upgrade System sub-menu. Click on the Change Server button and set the Repository Server field (e.g. http://192.168.0.1/ruggedcom). Set the Release Version field to rr1. Save the configuration and return to the Maintenance menu. Set the Only show which packages would be upgraded radio button to No and click on the Upgrade Now button to start the upgrade.
Appendix E Radius Server Configuration
This section describes how to configure popular RADIUS servers to supply a Vendor Specific field (privilege level) which is used by Webmin to assign specific capabilities to Webmin users on a per user basis. Currently the only privilege level is that of root, but RuggedCom will be introducing additional levels in upcoming releases.
FreeRadius
The following steps add Vendor Specific attributes to the freeradius RADIUS server.
1. Locate your dictionary file, usually in /usr/share/f
116. Figure 123 OSPF Interfaces (menu; includes a Keys table with columns Key ID, Message digest key and Action, and an Add button).
Parameters specific to one interface are configured here. Each interface on the router is listed. Clicking on settings displays a menu of configuration options for that interface. Clicking on status displays the current status of the interface, including link state and the current OSPF status on the interface. If an interface is not part of an area, it will show up as "OSPF not enabled on interface". Clicking Remove inactive interfaces purges the list of any interfaces which are no longer configured on the router. The Cost field controls the administrative cost of routing over this interface. By default the cost is auto-calculated as the OSPF reference bandwidth divided by the core interface bandwidth; by default this is 100Mbit / 10Mbit = cost 10. The Priority field controls the priority associated with this interface. By default the priority of interfaces is 1. The router with the highest priority wins elections for designated router for an area. The Hello Interval field controls how often hello packets are sent to other routers in the area. This value must match on all router interfaces in an area. The Dead Interval field controls how long to wait for hello packets before declaring another router dead. This should normally be set to 4 times the hello interval. The Retransmit Interval field controls the delay between retransmissions
118. Network name. The Shared network description field is used to describe the shared network as desired. The Network name field is a unique name to assign to the shared network; it could be the name of the interface the shared network is on, for example. Within a shared network you can create subnets, hosts and groups of hosts.
Chapter 21 Configuring The DHCP server
DHCP Subnet Configuration
Edit Subnet menu (figure): Subnet Details fields are Subnet description (Local Network in the example), Network address (192.168.2.0), Netmask (255.255.255.0), Address ranges (192.168.2.101 to 192.168.2.200) with Dynamic BOOTP, Shared network, Default lease time, Maximum lease time, Boot filename, Boot file server, Server name, Lease length and Lease end for BOOTP clients, Dynamic DNS enabled, Dynamic DNS domain name, Dynamic DNS hostname (From client), Allow unknown clients (Allow/Deny/Ignore/Default), Server is authoritative (Yes/Default/No) and Disable NAK of option82 clients for this subnet (Yes/Default/No), followed by lists of Hosts directly in this subnet and Groups directly in this subnet, with Save, Edit Client Options, List Leases, Delete, Add a new host and Add a new host group buttons.
119. Figure 95 Firewall Default Policies (table of policies with Source zone, Destination zone, Policy, Syslog level and Traffic limit columns; the final catch-all entry is Any to Any, REJECT; an Add a new default policy link; and a Manually Edit File button to manually edit the Shorewall file /etc/shorewall/policy, in which the entries above are stored).
This menu allows you to add, delete and configure default policies. Add a new policy by selecting the Add a new default policy link or by clicking on the add above or add below images in the Add field. Reorder the policies by clicking on the arrows under the Move field. Clicking on a link under the Source zone field will allow you to edit or delete the policy, as shown below. You may also make changes by manually editing the policy file.
Figure 96 Editing A Firewall Default Policy (Edit Default Policy menu; fields are Source zone, Destination zone, Policy, Syslog level, and the Traffic limit pair Limit and Burst, with Save and Delete buttons; the example shows Source zone Internet, Destination zone Any, Policy DROP, Syslog level Logging disabled, Traffic limit None).
The Syslog level field causes a log entry to be generated every time the rule is followed. The Traffic limit fields allow you to place an upper limit upon the rate at which the rule is applied. The Limit field is the steady state rate and is of the form X/sec or X/min, where X is the number of allowed rule followings. The Burst field denotes the largest permissible burst and defaults to five if not configured.
Masquerading Mod
120. ON option.
The norfc1918 option causes packets arriving on this interface that have a source or destination address reserved in RFC 1918 to be dropped after being optionally logged. The nobogons option causes packets arriving on this interface that have a source address reserved by the IANA or by RFCs other than 1918 to be dropped after being optionally logged. The routefilter option invokes the kernel's route filtering (anti-spoofing) facility on this interface: the kernel will reject any packets incoming on this interface that have a source address that would be routed outbound through another interface on the firewall. The proxyarp option causes Shorewall to set proxy ARP for the interface. Do not set this option if implementing Proxy ARP through entries in /etc/shorewall/proxyarp. The maclist option causes all connection requests received on this interface to be subject to MAC address verification; it may only be specified for Ethernet interfaces. The nosmurfs option causes incoming connection requests to be checked to ensure that they do not have a broadcast or multicast address as their source. Any such packets will be dropped after being optionally logged, according to the setting of SMURF_LOG_LEVEL in /etc/shorewall/shorewall.conf. The logmartians option causes the martian logging facility to be enabled on this interface. See also the LOG_MARTIANS option in /etc
121. P protocol IP multicast transmissions are said to be in the PTP subdomain. This is usually a set of PTP devices connected by a switched network or direct links. The best clock in the subdomain is known as the master clock. The master clock of a boundary clock is known as the grandmaster clock. The protocol negotiates among PTP ports to identify the device with the highest quality clock source. Ports issuing messages from the master clock are said to be masters, while those that will receive the messages are slaves. When a port will not participate in the protocol, its status is passive. When the network architect knows the relative quality of their clocks' time sources, they may configure a specific clock to be the preferred master. PTP Master Election: PTP clocks exchange SYNC messages containing information which is used by the PTP Best Master Clock (BMC) algorithm. Several factors will affect the choice of best master clock, including the preferred master clock setting, the clock identifier, grandmaster settings and clock stability. The clock identifier is the measure of PTP clock quality and is one of the following. PTP Identifier / Description: GPS: the PTP clock is a primary reference standard traceable to a recognized standard source of time such as GPS; the router uses this identifier when GPS is locked. NTP: the PTP clock is a secondary reference s
122. P server and it is assumed, but not required, that network address translation will be applied at the client end. Each of the clients should appear on the local network on a specific IP address. In this example the clients are laptop PCs. [Figure 114: End To End Backup Example: diagram of a router with eth1 at 192.168.17.3 and a local network 10.0.0.0/8 (router address 10.0.1.1), the Internet, and a laptop IPsec client] Select A Certificate Authority: begin by constructing the required certificates. You may construct the certificates using a RuggedRouter or a third-party tool. The device that is used to build the certificates is known as the certificate authority. There are advantages and disadvantages to using the router itself as the authority. It is convenient to use if it is the only router in the network and many clients will be connecting to it. On the other hand, if the router holds the certificate authority and is compromised, all certificates must be constructed again. Ensure that the Certificate Authority generates certificates with a reasonable life and generates keys of at least 1024 bits in length. Generate X.509 Certificates: use the authority to produce a certificate authority public certificate (cacert), a certificate for each of the clients and a certificate for the router. The certificate authority will require some information
124. Reliability. MMC: Minimize Monetary Cost. As any or all of these bits may be set in a packet at a time, there are 16 possible combinations. The router maps these combinations into the high, normal and low priority queues as shown in the following table.
MD MT MR MMC  Description             Priority Queue
0  0  0  0    Normal Service          Normal
0  0  0  1    Minimize Monetary Cost  Low
0  0  1  0    Maximize Reliability    Normal
0  0  1  1    MR MMC                  Normal
0  1  0  0    Maximize Throughput     Low
0  1  0  1    MT MMC                  Low
0  1  1  0    MT MR                   Low
0  1  1  1    MT MR MMC               Low
1  0  0  0    Minimize Delay          High
1  0  0  1    MD MMC                  High
1  0  1  0    MD MR                   High
1  0  1  1    MD MR MMC               High
1  1  0  0    MD MT                   Normal
1  1  0  1    MD MT MMC               Normal
1  1  1  0    MD MT MR                Normal
1  1  1  1    MD MT MR MMC            Normal
Included With Traffic Prioritization: Your RuggedRouter software includes the priostats command line utility, which can be used to show cumulative and one-second interval statistics in a format similar to those of the GUI. Prioritization Example: A remote site router connects to a private network via a T1 line. The router uses OSPF to manage an alternate routing, but its primary purpose is to allow access to a switched network of RuggedServers implementing TcpModbus gateways (TCP/UDP port 502). The router and switches are managed through their Web interfaces but can be managed through SSH as well. The RuggedServer
125. RuggedRouter RX1000/RX1100 User Guide. Rugged Operating System on Linux. RuggedCom Inc., 30 Whitmore Road, Woodbridge, Ontario, Canada L4L 7Z4. Web: www.ruggedcom.com. Tel: 905-856-5288. Fax: 905-856-1995. Toll Free: 888-264-0006. RuggedRouter User Guide for use with RX1000/RX1100 products, Version 1.12.6, May 14, 2008. RuggedCom, 30 Whitmore Road, Woodbridge, Ontario, Canada L4L 7Z4. Tel: 905-856-5288. Fax: 905-856-1995. Toll Free: 888-264-0006. support@ruggedcom.com, http://www.ruggedcom.com. Disclaimer: RuggedCom Inc. makes no warranty of any kind with regard to this material. RuggedCom shall not be liable for errors contained herein or for consequential damages in connection with the furnishing, performance or use of this material. Warranty: Five (5) years from date of purchase, return to factory. For warranty details visit www.ruggedcom.com or contact your customer service representative. COPYRIGHT Apr 2008 RuggedCom Inc. ALL RIGHTS RESERVED. This document contains proprietary information which is protected by copyright. All rights are reserved. The RuggedRouter includes components licensed under the GPL and BSD-style licenses; the full licences of such are included in an associated document. No part of this document may be photocopied, reproduced or translated to another language without the prior written consent of RuggedCom Inc. Linux is the registere
126. RuggedRouter User Guide. Chapter 8: Configuring Frame Relay, PPP And DDS. Introduction: This chapter familiarizes the user with: configuring Frame Relay and PPP links; viewing status and statistics; upgrading software. DDS Fundamentals: A Digital Data Services (DDS) line is a North American digital transmission method that operates at 56 Kbps synchronously over an unloaded 4-wire metallic pair circuit. The DDS line is typically a telephone-grade network connection, often called the local loop. A Data Terminal Equipment (DTE) device attaches to the line and transmits data to the telephone company (TELCO), which routes the data to a remote DDS line. A short-haul synchronous data line driver known as a CSU/DSU terminates the line and attaches to the DTE. The DSU part of the DSU/CSU manages the format of the data signal, while the CSU manages electrical levels and isolation and provides loopback to the TELCO. The RuggedCom DDS port provides an integrated DTE, DSU and CSU. Location Of Interfaces And Labeling: Unlike the Ethernet ports, which are statically located, the location of T1/E1, DDS and ADSL ports in your router depends upon the number of ports and how they were ordered. Refer to the labeled hardware image as presented in the Webmin home page. To make labeling easy to understand, all T1/E1, T3, DDS and ADSL ports are ass
127. S is the most CPU-intensive cipher. AES: The Advanced Encryption Standard protocol cipher uses a 128-bit block and 128-, 192- or 256-bit keys. This is the most secure protocol in use today and is much preferred to 3DES due to its efficiency. Public Key And Pre-shared Keys: In public key cryptography, keys are created in matched pairs called public and private keys. The public key is made public while the private key is kept secret. Messages can then be sent by anyone who knows the public key to the holder of the private key; only the owner of the private key can decrypt the message. When you want to use this form of encryption, each router configures its VPN connection to use the RSA algorithm and includes the public signature of its peer. The RuggedRouter's public signature is available from the output of the Show Public Keys menu. In secret key cryptography, a single key known to both parties is used for both encryption and decryption. When you want to use this form of encryption, each router configures its VPN connection to use a secret pre-shared key. The pre-shared key is configured through the Pre-shared Keys menu. Note: Use of pre-shared keys requires that the IP addresses of both ends of the VPN connection be statically known, so they can't be used with sites with dynamic IPs. X.509 Certificates: When one side of the VPN connection is placed from a dynamic IP
128. Secrecy fields will enable PFS, causing keys to be exchanged in a manner which provides attackers that have compromised a key with no advantage in decoding previously intercepted packets or subsequent packets. Not all clients support PFS. Left/Right System's Settings. [Left system's settings form: Public IP address: From default route / Automatic (%any) / Address or hostname (206.73.193.8); System identifier: Default / None / IP address / Hostname; Subnet behind system: None / within system / 10.0.0.0/8; Certificate: None / Entered below / Automatic (%any) / Certificate File, followed by a certificate text area (PEM blob omitted); Default / Automatic / Default route / IP address] Figure 112: Editing A VPN Connection, Part 2. The Public IP address fields determine the IP address of the side of the connection being edited. Check the Address or hostname field and provide a fixed IP address or hostname. If this side reflects a remote client whose IP address changes, select Automatic (%any). Use From default route if the
129. Serial Protocols Main Menu. [Serial Protocols form: per-port protocol (RAW / MODE) and electrical interface (RS485) settings; links: Assign Protocols, Port Settings, Raw Socket, Serial Protocols Line Trace, Statistics] Figure 158: Serial Protocols Server Main Menu. Note that the Serial Protocols server is disabled by default and may be enabled via the System folder, Bootup And Shutdown menu. The Assign Protocols menu assigns a serial protocol to one of your serial ports. The Port Settings menu configures the serial port and its electrical protocol. If any of your serial ports are configured as RawSocket protocol, this menu will configure them. The Serial Protocols Statistics menu will show you the status and statistics for any established sessions. The Line Trace menu will provide a line activity trace for the serial ports. Assign Protocols Menu: Assign Protocols. Assigning a protocol to a port will make it available for configuration via a menu in the main page. [Assign Protocols form: per-port selector (rawsocket / none); Save Changes] Figure 159: Assign Protocols Menu. This menu associates a protocol with a serial port. Unused ports should be left associated with none. Changing an association will immediately close the calls of the old protocol. Port Settings Menu: Port Settings. Note that all changes are made immediately. Port speed D
130. The release process involves the following steps:
1. The downgrade image file is downloaded from RuggedCom to a web server.
2. The router to downgrade is attached via one of its Ethernet ports to the web server, either directly or via a network, configured and tested.
3. The router can also load a specific configuration archive on to the target router; this file is also loaded on the web server.
4. The router is rebooted and is forced to enter its boot selection menu by pressing the down-arrow key of an attached terminal continuously.
5. The router will offer a menu that will provide the option Software Downgrade Utility. Select this option and press Enter.
6. The router will prompt for the required information.
7. The router will downgrade the software and reboot. This will require five to ten minutes to complete.
Note: The router must not lose power or be interrupted during the downgrade process. The process involves a complete rewrite of the operating image. Interruption will require that the router be returned to the factory to have the software restored. RuggedCom suggests minimization of problems by using a standalone PC as the web server and by powering both the PC and the router from an uninterruptible power source (UPS). The following information will be requested during the download: the Ethernet port to use; whether to use DHCP or assign a static IP address and a network mask; a gateway IP address, if one is needed; T
131. VCI used on the connection. This does not work with all providers and may cause the connection to fail even if the link light is on. If this option is used, it should only be used to find out what the correct values are if your provider isn't willing to help you, and when the correct values are found it should be disabled, with the correct values entered in the VPI and VCI fields instead. The VCI field determines the VCI number the connection uses; the default of 35 is correct for most providers. The Use DHCP field forces the router to fetch its IP address from the peer via DHCP. Note that if DHCP is selected, the local and remote IP addresses are immediately dummied out to 169.254.0.1 and 169.254.0.2, the netmask is set to 255.255.0.0 and the default gateway option is suppressed. The Local IP Address field defines the IP address for this interface. The Netmask field defines the network address mask; the value 255.255.255.255 specifies a point-to-point connection, which is almost always correct. The Remote IP Address field defines the IP address for the other side of this interface. As most WAN links are of point-to-point type, there is only one host connected to the other end of the link and its address is known in advance. This option is the address of the other end of the link and is usually assigned by the network administrator or Internet service provider. The Gateway IP Address field defines the IP address to use as the gateway for sending to other site
132. VPN Connection Details describes parameters relating to the connection itself. The next two sections, Left System's Settings and Right System's Settings, describe IP networking parameters and RSA signatures at each peer. These two sections are identical and are described once. IPsec VPN Connection Details. [Edit Connection form: Connection name: Remote_16; At IPsec startup; Authenticate by: Default / rsasig / secret / secret|rsasig; Connection type: Tunnel (host or network); Encryption Protocols: Default / allow only: aes256, aes192, aes128, 3des, des; Compress data: Yes / No / Default; Perfect Forwarding Secrecy: Yes / No / Default] Figure 111: Editing A VPN Connection, Part 1. The Connection name field associates a name with the connection. Do not embed whitespace in the name. The At IPsec startup field determines what happens to the connection after Openswan starts and includes the options Ignore, Add connection, Start Connection, Route and Default. A value of Ignore will cause the connection to be ignored. A value of Add connection will cause the connection to be established when explicitly started via the command line or the IPsec VPN Configuration menu's Start Connection button. If Start connection is chosen, then the connection will be authorized when Op
133. [truncated PGP signature block, ending with END PGP SIGNATURE] [Hardware inventory listing: RuggedRouter; LED Board; 88-300VDC and 85-264VAC power supply, Rev c2; 2 x 10/100TX RJ45, Rev b2; Serial card; Upgrade Inventory] Figure 233: Upgrade to RX1100. This menu allows you to upgrade your router. The display usefully provides a description of the current hardware in the router inventory. Change Repository Server. [Change Repository Server form: Repository server (value shown: ftp rcengO2 eng lan debian386); Release Version: rr1; "Use rrX.Y to upgrade to that specific release or rrX to upgrade to the latest release"; Save Changes] Figure 234: Change Repository Server. This menu defines the server used to upgrade software. The Repository server field accepts a URL containing the domain name or IP address of an http or ftp server, along with the directory on the server containing the upgrades. The Release Version field accepts a software release string such as rr1, rr1.7 or rr1.7.2. If you configure this field with only a major release number, such as rr1, the router will always pick the latest release at the server. As an example, if the router is running with release rr1.7 and release rr1.7.2 becomes available, the latter will be used. If you configure this field with a major.minor.patch release number, such as rr1.7.2, the router
134. [Snort Preprocessors form residue: ..._decode; http_inspect_server (server default, profile all, ports 80 8080 8180 [garbled] 32771); telnet_decode; sfportscan (proto all, memcap 10000000, sense_level ...); each preprocessor with an Enabled / Disabled status; Save Changes; Reset Changes] Figure 199: Snort Preprocessors. Preprocessors are plug-in modules that operate on the captured packets. Preprocessors perform a variety of transformations to make it easier for Snort to classify packets. The configuration of preprocessors is beyond the scope of this user guide. Alerts & Logging. Figure 200: Snort Alerts. [Alerts & Logging form: Logging Destination: Local syslogging to Facility LOG_AUTH (/var/log/auth.log); Remote syslogging to Address, Port 514, Facility LOG_USER; Local Alert file /var/log/snort/alert; User name to mail Snort Alert file summaries to; Save Changes; Reset Changes] Alerts generated by Snort are stored by one of three methods: as local syslog messages, as remotely syslogged messages, and in an alert file. When the Local syslogging method is chosen, the destination log file may be selected. When the Remote syslogging method is chosen, the IP address of the remote syslog host must be identi
136. a TCP/IP network based on the number of hops between any two routers. It uses the shortest route available to a given network as the route to use for sending packets to that network. The RuggedRouter RIP daemon, ripd, is an RFC 1058-compliant implementation of RIP supporting RIP versions 1 and 2. RIP version 1 is limited to obsolete class-based networks, while RIP version 2 supports subnet masks as well as simple authentication for controlling which routers to accept route exchanges with. RIP uses network and neighbor entries to control which routers it will exchange routes with. A network is either a subnet or a physical interface; it must be a broadcast-capable interface. Any router that is part of that subnet or connected to that interface may exchange routes. A neighbor is a specific router to exchange routes with, specified by its IP address. For point-to-point links (T1/E1 links, for example) one must use neighbor entries to add other routers to exchange routes with. The maximum number of hops between two points on a RIP network is 15, placing a limit on network size. Link failures will eventually be noticed, although it is not unusual for RIP to take many minutes for a dead route to disappear from the whole network. Large RIP networks could take over an hour to converge when link or route changes occur. For fast convergence and recovery, OSPF is a much better choice. RIP is a fairly old routing protocol and has mostly been superseded by OSPF.
137. a remote host computer. Remote logging enables central collation of logs and preserves logs in the event of security incidents. Remote logging does not require any file storage on the router and as such does not suffer from loss of information around unplanned power failures. On the other hand, remote logging cannot record events that occur before network connectivity to the logging host is established. Remote logging can replace disk logging or can augment it. If you wish to replace disk logging for some information type, select the appropriate link under the System Logs sub-menu Log Destination column. Enter the URL of the logging host under the Syslog server on field. [Edit System Log form: Log destination: Log to File (/var/log/auth.log), Sync after each message, Named pipe, Syslog server on (hostname), Local users, All logged in users; Logging active: Yes / No; Message types to log: Facilities (Many: auth, authpriv / None / All), Priorities (At or above / Many / None / All); Save; View logfile; Delete] Figure 231: Changing a Syslog entry to remote log. If you wish to remote log some log type in addition to disk logging it, you must duplicate the log entry and then configure the logging host. Duplicate the entry by using the "Add a new system log" link on the System Logs sub-menu. Finally, you may forward all information to the remote lo
138. ace RJ45 socket. This LED is off when the link is disconnected, remains solidly on when the link is established and flashes briefly from on to off when traffic occurs. The LED Panel also summarizes this information: LEDs 1-4 reflect traffic on Ethernet ports 1-4; LEDs 5-8 reflect the link status of the same ports. VLAN Interface Fundamentals. VLAN Tag: A virtual LAN (VLAN) is a group of devices on one or more LAN segments that communicate as if they were attached to the same physical LAN segment. VLANs are extremely flexible because they are based on logical instead of physical connections. When VLANs are introduced, all traffic in the network must belong to one or another VLAN. Traffic on one VLAN cannot pass to another except through an intranetwork router or layer 3 switch. The IEEE 802.1Q protocol specifies how traffic on a single physical network can be partitioned into VLANs by tagging each frame or packet with extra bytes to denote which virtual network the packet belongs to. A VLAN tag is the identification information that is present in frames in order to support VLAN operation. The 4-byte VLAN tag is inserted into the Ethernet frame between the Source MAC Address field and the Length/Type field. The first 2 bytes of the VLAN tag consist of the 802.1Q Tag Type and are always set to a value of 0x8100. The last 2 bytes of the VLAN tag contain the following information: the f
139. ader and Encapsulating Security Payload (ESP) protocols. The firewall must accept this traffic in order to allow IPsec. If the firewall serves as the VPN gateway, add the following rules:
Action  Source Zone  Destination Zone  Protocol  Dest Port
ACCEPT  all          fw                ah
ACCEPT  all          fw                esp
ACCEPT  all          fw                udp       500
IPsec traffic arriving at the firewall is directed to Openswan, the IPsec daemon. Openswan then decrypts the traffic and forwards it back to Shorewall on the assigned ipsecX interface. You will also need a rule to allow traffic to enter from this interface. For example, if Openswan creates interface ipsec0 when its connections are established and ipsec0 is in the zone vpn, you would need the following rule: ACCEPT vpn loc. Note that if your firewall itself is required to communicate with the VPN, you will need rules such as the following: ACCEPT vpn fw tcp ssh. Policy Based Virtual Private Networking: Begin configuration by creating local network and vpn zones. Identify the network interface that carries the encrypted IPsec traffic and make this interface part of zone ANY in the interfaces menu, as it will be carrying traffic for both zones. Visit the Zone Hosts menu and, for the network interface that carries the encrypted IPsec traffic, create a zone host with zone VPN, the correct subnet and the IPsec zone option checked. If you plan to have VPN tunnels to multip
140. adius Authentication. [Configure Radius Authentication table: Address / Port / Secret / Timeout / Services / Move / Add; rows: 205.133.87.42, default, 2, LOGIN; 186.42.4.130, default, 2, WEBMIN; 198.44.160.1, default, 2, PPP] Figure 226: Radius Authentication Main Menu. Radius Authentication is configured from within the Maintenance menu, Miscellaneous sub-menu. This menu allows you to add, delete and edit Radius servers. Add a server by clicking on the add-above or add-below arrows in the Add field. You may also edit a server by following its link under the Address field. Reorder the servers by clicking on the arrows under the Move field. Edit Radius Server Parameters. [Radius Server Parameters form: Hostname/IP: 205.133.87.42; Port Number: default; Shared Secret; Timeout: 2 (1-20 seconds); Service: LOGIN; Save; Test; Delete] Figure 227: Radius Authentication Server Parameters. This menu configures, tests and deletes Radius server entries. The Hostname/IP field configures the server IP address. The Port Number field selects the default port number of 1812 or selects another specific port. The Shared Secret field configures the unique password used by this server. The Timeout field selects the maximal time to wait before trying the next server. The Service field configures whether the server authenticates LOGIN, WEBMIN, PPP LOGIN or any combination of these type
141. adius Authentication. The Set Radius Authentication command configures the address of a Radius server, if available. Figure 5: Radius Server Configuration menu. The Hostname/IP and Port Number fields configure the server location. The Shared Secret field configures the unique password used by this server. The Timeout field selects the maximal time to wait before trying the next server. The entry created for both LOGIN and PPP Login can be changed from the web interface. Enabling And Disabling The SSH and Web Server: By default SSH and Web Management are enabled. The Disable SSH and Disable Web Management commands allow these services to be disabled. The servers will be immediately stopped. If access to the shell has been made through SSH, the session will continue but no new sessions will be allowed. Upon disabling the services, the titles in the main menu will change to Enable SSH and Enable Web Management to reflect the disabled state. Enabling a service automatically restarts it. Enabling And Disabling The Gauntlet Security Appliance: The Gauntlet Security Appliance requires a pass phrase unique to your network. This menu will configure it. Figure 6: Gauntlet Setup Menu. Configuring The Date, Time And Timezone: The Set The Date, Time And Timezone command allows these parameters to be
142. aging the link, advertising connections to the DTE and switching packets between connections. The DTE raises individual connections and sends data on them. When using a T1/E1 line to access a public Frame Relay provider, configure the router as a DTE. Unlike PPP, a Frame Relay link can provide multiple (up to 990) connections. Each connection is identified by a Data Link Connection Identifier (DLCI) and must match at the DCE and DTE. The use of multiple connections can support meshed network interconnections and disaster recovery. Location Of Interfaces And Labeling: Unlike the Ethernet ports, which are statically located, the location of T1/E1, DDS and ADSL ports in your router depends upon the number of ports and how they were ordered. Refer to the labeled hardware image as presented in the Webmin home page. To make labeling easy to understand, all T1/E1, T3, DDS and ADSL ports are assigned a unique port number that relates to the LEDs on the status panel. LED Designations: The RuggedRouter includes two sources of LED-indicated information about T1/E1 lines: the T1/E1 card itself and the LED Panel. One LED is associated with each line, next to the interface jack. This LED is red when the link is disconnected, flashes green when the link is connecting and remains solid green when the link is established. The RuggedRouter also indicates information about T1/E1 ports on the LED Panel. A
143. alert definition entries matching the selected category. The Create New Definition button allows you to create a user-defined alert definition entry. Clicking on one of the links under the Codepoint column allows you to change the configuration for that alert definition entry. Change Alert Definition. [Change Alert Definition form: Alert Definition Parameters: Codepoint: chassis 3; Category: chassis; Name: Power Supply 2 Failure; Subsystem: chassis; Severity: Critical; Alarmable; Enabled; Renotify Interval (seconds): Disabled / 1-86400 seconds; Type: Simple. Parameters for Shell: Sample Interval (30-86400 seconds); Command; Comparator: Greater than; Threshold; And Repeats (0-1000000 times); And Until (0-1000000 seconds); Not Cleared Repeats (0-1000000 times); Not Cleared Until (0-1000000 times). Parameters for RMON: Device Name; MIB Variable; Sample Interval (30-86400 seconds); Startup Event: Rising; Rising Threshold; Falling Threshold; Save] Figure 205: Change Alert Definition Menu. This menu allows you to change an existing alert definition entry. The Codepoint is the key part of the alert definition entry and cannot be changed. The Category configures which category the alert definition entry belongs to. The Name configures the name of the alert definition, which will be displayed by the Webmin login or email forwarder when an act
144. alled. Contact RuggedCom support for assistance if you wish to reassign these ports.
1. Visit the Shorewall Network Zones sub-menu and create the net and loc IPv4 zones.
2. Visit the Network Interfaces sub-menu and assign interfaces to the zones.
3. Visit the Default Policies sub-menu and assign the following policies:
Source zone  Destination zone  Policy
fw           any               ACCEPT
loc          net               ACCEPT
all          any               REJECT
4. Visit the Firewall Rules sub-menu and assign the following rules:
Action    Source zone  Destination zone  Protocol  Src Port  Dst Port
ACCEPT    net          fw                UDP       any       30000
ACCEPT    net          fw                UDP       any       30001
Gauntlet  net          loc
Gauntlet  net          fw                TCP       any       31000
Gauntlet  net          fw                TCP       any       31002
Gauntlet  net          fw                TCP       any       10000
The order of rules is significant. Rules inserted before this set will not be protected by Gauntlet. Any rule appearing after the Gauntlet chain rules will automatically be ignored. Consult with RuggedCom support for assistance. If you want to grant SSH access to the router, replace 10000 in the last rule with 22,10000. When adding these rules via Webmin, for those rules where you select Gauntlet from the Action pulldown list, be sure to leave the "log to syslog level" set to <Don't log>. If you manually edit the /etc/shorewall/rules file, then do not specify any loglevel in your Gauntlet rules.
5. Ensure that the firewall is enabled in the Bootup and Shutdown Menu an
145. allow you to edit that server. By default the router includes the links pool.ntp.org and 127.127.1.0. The pool.ntp.org address selects a random low-stratum server from a pool of NTP servers on the Internet. The 127.127.1.0 address is known as a pseudo-address and points to the local hardware clock of the router. This address allows the router to act as a high-stratum NTP server to locally connected devices while in a standalone mode. If you are operating in a private network, you will want to delete both of these addresses and substitute that of a locally known low-stratum server. The Version field indicates the version of the NTP protocol used to communicate with this host. Change this only if it is known that the host requires a version other than 4. The Key field provides an authentication key associated with this host. The Preferred field determines whether this host is preferred over other hosts in the list. The Check field link leads to a page that displays the result of an NTP query to this host. Use this feature to determine if the configured host is active. Peers Configuration: This menu allows you to enter and edit peers. Peers are NTP servers of the same stratum as the router and are useful when contact is lost with the hosts in the NTP Servers menu. The per-peer configuration information is as described in the previous menu. Viewing The NTP Status: NTP Status (Refresh) F
146. an be performed by simply accepting all traffic to and from the zone containing the IPSEC interfaces. It is possible to use a tunnel to provide the default route by making the subnet at the other end of the tunnel 0.0.0.0/0. With policy-based VPNs, Openswan will not generate IPSEC interfaces. The routing table is not involved in deciding which packets should go to the ipsec layer. Only traffic matching the tunnel's local and remote subnets is forwarded to it. Normal traffic is routed by one set of rules and VPN traffic is routed based on different rules. The firewall is configured with a vpn zone of zone type IPSEC. As IPsec packets are received, openswan decodes them, policy-flags them as IPSEC encoded and presents them as arriving on the same interface they originally arrived at. Firewall rules must be written to allow traffic to and from tunnels based upon the normal form of source/destination IP addresses and IP protocol and port numbers. These rules, by virtue of the zones they match, use the policy flagging inserted by netkey and route the packets to the proper interface. Route-based VPNs are the default. This type of VPN is recommended as it is simpler to configure. Supported Encryption Protocols: Openswan supports the following standard encryption protocols. 3DES (Triple DES): uses three DES encryptions on a single data block with at least two different keys to get higher security than is available from a single DES pass. 3DE
147. (table of contents, partially legible) ... 258; Radius Authentication Configuration 259; Edit Radius Server Parameters 259; ... 260; Chassis ... 261; ... 262; Syslog Factory ... 262; Remote ... 263; ... 265; RuggedRouter Software Fundamentals 265; When A Software Upgrade Requires A Reboot 266; Automatic ... 266; ... 267; Change Repository 267; Automatic Upgrade 268; ... 268; ... A New ... 269; Pre-upgrade/Post-upgrade ... 269; Uploading And Downloading Files 271; Chapter 27 Security Considerations 272; ... 272; ... 272; Appendix A Setting Up A Repository 274; Repository Server Requirements 274; Initial Repository Setup 274; Upgrading The Repository 275; Setting Up The ... 275; An Alternate ... 275; Upgrading Considerations 276; Appendix B Downgrading Router Software 277; Appendix C Installing Apache Web Server On Windows 278; Appendix D Installing IIS Web Server On Windows
148. and final thing to occur in establishing a VPN. The third group (lines 18 to 28) describes IKE capabilities and defines the various encrypted key exchange algorithms and their parameters. At least one set of values must match between the left- and right-hand side VPN devices. This is also frequently referred to as the Phase 1 parameters, because the key exchange process is the first thing to occur in establishing a VPN. The fourth group (lines 30 to 39) describes the VPN connections, here openswantest. The first line is particularly useful since it indicates the connection addresses and subnets and that the connection is active (erouted). If there are no entries then the VPN hasn't been established at all. If there are entries but no "STATE_QUICK_R2 (IPsec SA established)" lines, then the IPSec parameters are configured but the tunnel hasn't been established. This can be normal: tunnels become active once the Phase 1 and Phase 2 security associations are created, and this usually only occurs after traffic is flowing. The associations then get torn down after a timeout period. IPSec X.509 Roaming Client Example: This example details how to set up IPSec connections using X.509 certificates on the router. The router will provide an IPSec gateway to a number of remote clients that connect via an Internet connection. Each of the clients will fetch an IP address locally from a DHC
149. and misuse attacks from within the protected network. Snort examines packets received on selected interfaces, applies rules from its database and generates alerts to warn of vulnerabilities. Which Interfaces To Monitor: Typically the router will have an interface to an external network and interfaces comprising the local network. The firewall will cite these interfaces as belonging to the net and local zones. A key decision is whether to monitor traffic outside or inside of the firewall. Monitoring traffic outside the firewall (on the external network interface) has the advantage that attacks the firewall is blocking can be seen. This method, however, will generate a large number of alerts. Additionally, firewall rules installed to eliminate vulnerabilities will not prevent future alerts, since traffic is monitored before the firewall. Finally, this method will not detect misuse of the local ports. Monitoring traffic inside the firewall (on all local interfaces) has the advantage that the number of alerts decreases as vulnerabilities are eliminated at the firewall. It's also good to monitor as much of the internal traffic as possible. Snort Rules: The router supplies a variety of prepackaged rules. Each rule contains a unique Signature Identifier (SID). The SID is included in reported alerts as part of a Snort unique rule ID, a three-part number of the form generator:SID:revision. The generator field reflects the
150. and restore configurations; configure SNMP access; configure Radius Authentication; view system logs; upgrade the software of the router; upgrade the router type to RX1100; upload/download files to and from the router. Using The LED Status Panel (Figure 13: LED Status Panel). The LED Status Panel provides the console port, indicates the status of hardware and software, and can initiate a controlled reboot. The LEDs are organized into three primary groups: the port group, the GPS/PPP group and the Alarm/Power Supply group. The display possibilities are as follows (Figure 14: Meaning of LEDs):
LED 1-4: Ethernet port 1-4 is active when green.
LED 5-8: Ethernet port 1-4 has link when green and failed when red.
LED 9-12: WAN port 1-4 is active when green.
LED 13-16: WAN port 1-4 has link when green and failed when red.
LED 17-20: WAN port 5-8 is active when green.
LED 21-24: WAN port 5-8 has link when green and failed when red.
PPP DATA: PPP/Modem port is active when green.
PPP LINK: PPP/Modem port has link when green.
GPS LOCK: The PTP card GPS system has satellite lock.
ALARM: A Major Alarm exists when red.
Power supply 1: working properly when green and failed when red.
Power supply 2: working properly when green and failed when red.
The software will cause the ALARM LED to become active for various reasons. Any condition that causes the ALARM LED to become activ
151. at the MAC destination address should be in the range 01:0c:cd:01:00:00 to 01:0c:cd:01:01:ff. GOOSE packets received from the network are stripped of their network headers and forwarded to Ethernet ports configured for the same multicast address. The forwarded frames contain the MAC source address of the originating device and not that of the transmitting interface. The VLAN used will be that programmed locally for the interface and may differ from the original VLAN. The frame will be transmitted with the highest 802.1p priority level. Packets received from the network will also be forwarded to any other remote daemons included in the group. Note: Avoid network configurations where the daemons can form a traffic loop. The simplest such configuration is a triangle network where each daemon forwards to two other routers. Frames arriving at one router will start cycling in clockwise and counterclockwise directions. To avoid such GOOSE storms, frames forwarded to the network are tagged with an initial time-to-live count. The count is decremented at each relay to the network and prevents the frame from being relayed indefinitely. Layer 2 Tunnels Main Menu (General Configuration, GOOSE Tunnels, GOOSE Statistics, Activity Trace, Restart Layer 2 Tunnels daemon). Click this button to restart the Layer 2 Tunnels daemon with t
152. ataBits, Parity, StopBits, Flow Control, Type, Current Protocol (Figure 160: Port Settings Menu). This menu configures the serial settings and electrical protocol associated with a serial port. Changes are made immediately. RawSocket Menu: Note that changes are made immediately, causing call placement to start. Figure 161: Raw Socket Menu (fields: Port, Pack Char, Pack Timer, Turnaround, Call Dir, Max Conn, Rem IP, Rem Port, Loc Port; Save Changes). This menu configures the Raw Socket settings for each port. Changes are made immediately. The Pack Char field configures the numeric value of the ASCII character which will force forwarding of accumulated data to the network. The Pack Char must be between 0 and 255 inclusive, or the value "off". If configured off, accumulated data will be forwarded based upon the packetization timeout parameter. The Pack Timer field configures the delay from the last received character until when data is forwarded. The Pack Timer must be between 5 and 1000 milliseconds inclusive. The Turnaround timer field controls the amount of delay, if any, to insert between the transmissions of individual messages out the serial port. The Pack Timer must be between and 100
153. ate a damaged resource or unwind a change. Archives can be created manually (including user comments) or by the Automatic nightly backup, which captures all changes over the previous 24 hours. The nightly backup archives can be automatically transferred via scp or ftp to a designated server. The nightly backup archives are kept on the router for a configurable number of days and then deleted. The most recently made archive is never destroyed. Manually created archives are never destroyed. If you make a configuration change you later wish to reverse, you can restore a previously made archive completely. An archive difference tool is provided, showing the difference between one archive and either another archive or the current configuration. Changes in configuration can also be detected and unwound by applying the previous state of a router on a file-by-file basis. The archive filename is user-definable and can include any of date, time, host name and/or release version. Archives can be uploaded to the router and restored. The router prevents the restoration of archives having other than the current software version. A factory defaults file is included. Note the following caveats: chassis-specific items such as serial number, hardware inventory and MAC addresses are not saved; log and history files are not saved; information stored in the root and user accounts is not saved. Ge
154. ays displays messages issued at boot time and should rarely be added to after that. Your RuggedCom support representative may ask you to inspect this file. cron.log (initially disabled): This log file contains messages from the cron system, notifying of tasks started through cron. Your RuggedCom support representative may ask you to enable and inspect this log. daemon.log (initially disabled): This log file contains messages from daemons, programs that run continuously in the background. Your RuggedCom support representative may ask you to enable and inspect this log. Left unrestricted, the logging system would consume all available disk space, causing the router to fail. The router limits the memory used by the logging system by storing logs in a volatile (i.e. lost after a reboot) file system which is limited in size. Such a system will lose logging information when a power failure occurs, when too much logging is generated, or as the result of a user-commanded reboot. The router deals with this problem by storing compressed versions of three key files (messages, auth.log and critical) to the permanent disk. The log files are saved every 180 seconds and upon an orderly reboot. The log files are restored during the next boot. All other files but these are cleared. Remote Logging: Remote logging, often referred to as remote syslogging, is the process of forwarding log entries to
155. ble. Figure 76: ADSL Interfaces. This menu allows you to display and configure ADSL interfaces. The PPP Logs menu will display a log of PPP-related information. The Current Routes menu will display the routes and status of the network interfaces. Figure 77: ADSL WAN Interfaces (ADSL 3: Up; columns Name, Description, Local Address, Netmask, Remote Address; example row: ppp3 over w3adsl, Up, 216.58.41.159, 255.255.255.255, 192.168.200.1; View ADSL 3 Link Statistics). This menu allows you to display and configure ADSL interfaces and the protocols that run on them. A table is presented for each interface. Interface numbers are as described by the ADSL labels as shown in the home page chassis diagram. The status of the physical interface, its corresponding logical interface and link statistics are provided. This menu presents connection statuses but does not update them in real time. Click on the Refresh this page link to update to the current status. Editing A Logical Interface (PPPoE). Figure 78: Edit Logical Interface (PPPoE) (Interface Parameters: Convert this interface to bridged, Description (ADSL Link), VPI (0), Attempt ATM Autoconfiguration, VCI (35), PPPoE Username (mycompany@xyz.com), Password, Defaultroute, Use pe
156. button will apply changes by restarting the link backup daemon. Figure 132: Link Backup Configuration (Edit Link Backup Configuration, "Configure eth1 to eth2 link backup"; fields: Name (eth1 > eth2), Enable this configuration, Transfer default gateway, Backup gateway (192.168.2.254), Bring up backup link on demand, Main ping test target (10.128.10.222), Ping Interval, Ping timeout (2 seconds), Ping retry count, Startup delay (60 seconds), Main path down timeout (60 seconds), Main path up timeout (60 seconds); Save, Delete). Set the Name field to supply an identification of the pair. This field initially defaults to main_link_name > backup_link_name. The Enable this configuration field enables this backup. The Transfer default gateway field causes the gateway to be transferred to the backup link upon failure of the main link path. If the backup interface is point-to-point (such as PPP), the Backup gateway IP address can be automatically determined. Non point-to-point interfaces (such as Ethernet) must be configured with one. The Bring up backup link on demand option allows protocols such as DHCP to be used to fetch an address when required. The Startup Delay field configures the length of time to wait for the main link to come up at the start of day. Note: If Startup Delay is too low, backup will be falsely tr
157. button will delete the archive. Note that only manual backup archives can be deleted. Automatic nightly backup archives will automatically be aged out. The latestarchive and factorydefaults archives will never be deleted. The Archives to upload fields select archives to upload to the router. The Browse button will allow you to select an archive. Applying the Upload to Router button will upload the specified archive to the router. Archive Backup: Figure 210: Archive Backup (Archive Comment: comments entered into the following field will be stored in the archive; Backup archive file name: specify the archive name here, do not specify the file extension as it will be automatically generated, e.g. archiveOct 20 2006 0945 ruggedroute; Start Backup). This menu allows the user to manually create an archive. It accepts a comment which will be included in the archive file. The input box above the Start Backup button shows the candidate archive file name, which can be changed by the user. Starting the backup results in the following display (Figure 211: Archive Backup Complete): Archive Backup Created ArchiveOct 20 2006 0949 ruggedroutertgz; Upload A Copy Of This Archive. The created archive can be immediately uploaded if desired by following the Upload A Copy Of This Archive link. Note: If you use the Internet Explorer web browser you must
158. by adding subnet 1.1.2.0/24 to their area descriptions. Router 3 must also include 2.2.2.0/24 in its area description so that its existence is advertised. The point-to-point T1/E1 interfaces and Ethernet interfaces on Router 1 and 2 must be made active. The Ethernet interface on Router 3 can be left passive since it does not participate in OSPF advertisements. Router 1 and 2 must enable link detect to stop advertising 1.1.1.0/24 in the event of a link failure. VRRP Operation: Router 1 and 2 have VRRP set up on their Ethernet connection so that they can both function as the gateway for the clients on their network segment. Normally Router 1 is the VRRP master, and only in case of a link failure to the switch or the router failing will Router 2 take over the virtual IP. The virtual IP used as the gateway is 1.1.2.254. Each router also has its own IP on the network so that each can be reached individually. If Router 1 or its Ethernet link fail, VRRP will detect the link being down and remove the direct route to 1.1.2.0/24. VRRP on Router 2 will stop seeing messages from Router 1, elect itself master and take over the gateway for the network. OSPF on Router 1 will notice the link being down and the route to 1.1.2.0/24 disappearing, and will use information from Router 2 to install a route to 1.1.2.0/24 via Router 2. Router 3 will notice that Router 2 is now a more direct path to 1.1.2
159. c hosts can be populated with frequently used but unchanging addresses. DNS refers to any configured DNS servers. The DNS servers fields allow you to specify, in order, the servers to resolve from. The Search domains fields allow you to specify the domain name of the network the router is located within. This allows short names relative to the local domain to be used. If you do not specify a domain name, the router will try to extract this information from the host addresses. Host Addresses: Figure 38: Host Addresses (columns IP Address and Hostnames, e.g. 192.168.12.12 leftside_controller and 192.168.13.3 rtu9; Add a new host address). This menu allows you to display and configure host addresses. Host addresses are useful when a non-changing IP address is often used or when DNS is not configured. Follow the Add a new host address link to add an address. End To End Backup: End-to-end backup is a method of using two interfaces to ensure a reliable end-to-end connection between two routers using alternate routing, without the need to configure routing protocols. The two interfaces are assigned as a primary/secondary backup pair. The primary interface serves as the gateway. If connectivity to the target is lost from the primary interface, traffic is migrated to the secondary interface. When connectivity is restored on the primary path, traffic will be restored to it. Figure 39: End To End Backup Example. RuggedC
160. cal syslog and 500 entries/second to the alert file. Alerts at rates exceeding the above rates will not be recorded. Snort will require 5 Mbytes of system memory to start, with an additional 15 Mbytes of memory for each interface monitored. Snort IDS Main Menu: This menu configures the snort IDS and is composed of three sections. Note that snort is disabled by default and may be enabled via the System folder, Bootup And Shutdown menu. If snort is running, configuration changes must be made active by restarting it. The Restart Snort button will restart snort, listing the interfaces it is active upon. Figure 194: Snort Main Menu (part 1), Global Configuration section (Network Settings, PreProcessors, Alerts & Logging, Edit Config File). The Global Configuration menu section configures parameters that apply to all interfaces. Figure 195: Snort Main Menu (part 2), Interfaces section (columns Interface, Status, Action, with an Enable/Disable link per interface). The Interfaces section selects the interfaces snort will monitor. You must restart snort after changing interfaces. Rulesets
161. change it to the directory where your RuggedRouter releases are kept. Restart Apache by clicking Start > All Programs > Apache HTTP Server > Control Apache Web Server > Restart. Return to the web browser used earlier to verify Apache and refresh the screen. It should now reflect the contents of your RuggedRouter release directory. You should now be able to perform an upgrade from a router. Appendix D: Installing IIS Web Server On Windows. A number of customers have asked for advice and instructions on setting up an IIS web server on Windows. Begin by identifying a host computer that has IIS and its physical and logical location on the network. The Repository Server Requirements of the appendix Setting Up A Repository provide some guidance on host requirements. Start to install IIS by clicking on Start menu > Control Panel > Add or Remove Programs > Add/Remove Windows Components. In the resultant menu, check the Internet Information Services (IIS) box and select Next. Figure 240: Installing IIS. Download the desired release (e.g. rr1.9.0.zip) from the RuggedCom website. Create the directory ruggedcom under the IIS root directory C:\Inetpub\wwwroot. Unzip the rr1.9.0.zip file within C:\Inetpub\wwwroot\ruggedcom. Start to enable I
162. cheduled Cron Jobs. Figure 12: RuggedRouter Web Interface Main Menu Window (chassis diagram for an RX1000 with power supply, ETH1/ETH2 and SER 1 to SER 4 ports, showing any major alarms such as the failure of hardware components; menu tree: System (Hostname, System Time), Networking (Network Configuration, Ethernet, ITU E1, Modem, ADSL, DDS, Shorewall Firewall, IPsec VPN, Dynamic Routing, VRRP, GRE Tunnels, Traffic Prioritization, Network Utilities), Servers (IRIGB, Serial Protocols, DHCP Server, NTP Server, SSH Server), Maintenance (Backup And Restore, SNMP Configuration, Radius Authentication, System Logs, Upgrade System, Upload/Download Files), Logout; System summary: Version, Serial Number, User, Remote IP, Hostname, Time, Uptime, Disk Usage, Memory Usage, Temperature, Major Alarms). The index frame presents a number of entries with associated icons. The [logout] icon logs out of Webmin. The [home] icon forces the home page window to be redisplayed. The [folder] icon signifies that the next level contains a menu of menus. The [run] icon signifies that clicking the entry will run a s
163. cket examination. The netfilter system is an interface built into the Linux kernel that allows the IP network stack to provide access to packets. The netfilter system uses rulesets, collections of packet classification rules that determine the outcome of examination of a specific packet. The rules are defined by iptables, a generic table structure, syntax and utility program for the configuration and control of netfilter. In practice, an iptables rule file and a script are all that are needed to load the netfilter system with rules upon router start-up. The iptables rules, however, are somewhat difficult to configure and manage. The Shoreline Firewall, often known as shorewall, offers a more convenient approach. Shorewall is really just a front end to netfilter, maintaining the information used to generate the iptables rules in a less complicated form. Shorewall itself does not provide a graphical front end and instead assumes administrators will have a fair amount of familiarity with reading and editing Linux configuration files. The RuggedRouter comes with a GUI front end that simplifies some of the management aspects. Network Address Translation: Network Address Translation (NAT) enables a LAN to use one set of IP addresses for internal traffic and a second set for external traffic. The NAT function of netfilter makes all necessary IP address translations as traffic passes between the int
164. clock source and high jitter would report a stratum of 4. IRIGB Fundamentals: IRIGB outputs are provided by the Precision Time Protocol Card option. The Inter-Range Instrumentation Group (IRIG) IRIG-B standard details the format of an output signal containing information for the current day, hour, minute and second in UTC format, broadcast at the start of each second. The RuggedRouter complies with IRIG Standard 200-04, generating formats IRIGB002 and IRIGB003 (PWM) and IRIGB122 and IRIGB123 (AM). IRIGB Output Formats: The router provides three ports by which the signal is distributed, namely an Amplitude Modulated (AM) sinusoidal output port (PTP1), and two TTL voltage level output ports (PTP2 and PTP3) which may be configured as either pulse per second (PPS) or pulse width modulated (PWM). The signal can be used to synchronize intelligent devices to a high quality time source called the reference clock. The router uses a global positioning satellite (GPS) receiver, NTP or the router's local clock as the reference clock. Reference Clocks: The GPS provides the highest quality reference clock. It will always be used when it is available, but may require some time after boot before becoming acquired, or GPS locked. Typically GPS lock is acquired within five minutes of boot. When GPS is the reference clock, IRIG-B timestamps are accurate to within ns. If GPS has not yet locked and
165. ction / Description:
ACCEPT: Allow the connection request to proceed.
DROP: The connection request is simply ignored. No notification is made to the requesting client.
REJECT: The connection request is rejected, with an RST (TCP) or an ICMP destination unreachable packet being returned to the client.
DNAT: Forward the request to another system (and optionally another port).
REDIRECT: Redirect the request to a local tcp port number on the local firewall. This is most often used to remap port numbers for services on the firewall itself.
The remaining fields of a rule are as described below.
Action: The action as described in the previous table.
Source Zone: The zone the connection originated from.
Destination Zone: The zone the connection is destined for.
Protocol: The tcp or udp protocol type.
Destination Port: The tcp/udp port the connection is destined for.
Source Port: The tcp/udp port the connection originated from.
Original Destination IP: The destination IP address in the connection request as it was received by the firewall.
Rate Limit: A specification which allows the rate at which connections are made to be limited.
User/Group: A method of limiting outbound traffic from the firewall to a specific user, group of users and a specific application.
Some examples will illustrate the power of the rules file (columns: Rule, Action, Source Zone, Destination Zone, Protocol, Dest, Sourc
166. ctions by all users field should be left selected. The Log changes made to files by each action field causes verbose logging and should be left enabled. Authentication: When enabled, password timeouts protect your Webmin server from brute force password cracking attacks by adding a continuously expanding delay between each failed login attempt for the same user. When session authentication is enabled, each logged-in user's session will be tracked by Webmin, making it possible for idle users to be automatically logged out. Be aware that enabling or disabling session authentication may force all users to re-login. Figure 20: Webmin Configuration Menu, Authentication (Authentication and session options: Disable password timeouts / Enable password timeouts; Block hosts with more than 3 failed logins for 300 seconds; Log blocked hosts, logins and authentication failures to syslog; Disable session authentication / Enable session authentication; Auto-logout after a number of minutes of inactivity; Save). This menu allows you to configure what Webmin will do when a number of failed logins from the same IP address occur. If the Enable password timeouts field is selected, the host will be blocked for the specified period of time. If the Log blocked hosts, logins and authentication failures to syslog field is selected, warning
167. d apply the firewall configuration to effect the changes. Note: You must ensure that the firewall is configured and enabled when using the Gauntlet Security Appliance. Gauntlet Status Menu: Gauntlet integrates tightly with the firewall, opening it for communications between vetted clients and critical assets on a demand basis. Figure 206: Gauntlet Security Appliance Menu (Gauntlet Status: current time, Gauntlet is up, Up since, AccPac last changed; Gauntlet Opened Rules, chain Gauntlet, with columns proto, from, to and info, each entry listing the tcp destination port opened; Refresh). The status menu provides a list of validated open connections. Upgrading Gauntlet: During an upgrade the Gauntlet daemon may be required to restart. During the upgrade all existing Gauntlet-protected connections will be closed. Backup And Restore: Figure 207: System Backup And Restore (General Configuration, Archive History, Archive Backup, Archive Restore, Archive Differences). The Backup And Restore system provides the following features. All configuration settings are saved in a configuration archive. Archives can be used to clone routers, replic
168. d. Received frames discarded (link inactive). Receive Errors and Transmit Errors: number of receiver overrun errors; number of transmitter PCI errors; number of receiver CRC errors; number of transmitter PCI latency warnings; number of receiver Abort errors; number of transmitter DMA descriptor errors; number of receiver corruption errors; number of transmitter DMA descriptor length errors; number of receiver PCI errors; number of receiver DMA descriptor errors. Link Alarms: ALOS, LOS, RED, AIS, YEL, OOF (each shown as OFF); Refresh, Clear Statistics. Figure 57: T1/E1 Link Statistics. The Link Alarms indicate ongoing problems. ALOS/LOS (Loss of Signal): This alarm indicates a complete absence of synchronization pulses on the line. RED (Red Alarm): This is a local equipment alarm. It indicates that the incoming signal has been corrupted for a number of seconds. This equipment will then begin sending a yellow alarm as its outbound signal. AIS (Alarm Indication Signal, or BLUE alarm): This alarm indicates the total absence of incoming signal, as a series of continuous transitions (an all 1's pattern) is received. YEL (Yellow Alarm): This alarm is transmitted to the network and alerts it that a failure has been detected. OOF (Out of Frame): This alarm signifies the occurrence of a particular density of framing error events. Thi
169. d console root login password: Leave unchanged / Set to ***** / Re-enter. Save.
Figure 24: System Menu, Change Password Command

This command changes only the root account password, used to login to Webmin and to the root account via the serial console or SSH.

Scheduled Commands
New scheduled command: Run in directory; Commands to execute; Run on date 27 May 2005; Run at time 200; Current date 27 May 2005; Current time 10:10. Create.
Figure 25: Scheduled Commands

This menu allows you to schedule a command to run in the future. Begin by selecting the time and date you wish to run the command at, using the Run on date and Run at time fields. Use the Run in directory field to enter a directory to run the command in, or simply use . Finally, enter the command to execute in the Commands to execute field. Note that the command will remain scheduled after reboot. After the command is entered, the Scheduled Commands menu will display any commands and allow you to cancel them.

Scheduled Commands
Job ID  Run as user  Run at                    Created on                Commands to execute
al      root         Sat May 28 03:00:00 2005  Fri May 27 11:45:42 2005  reboot
Figure 26: Scheduled Commands, Displaying a Command

Chapter 3 Configuring The System
Scheduled Cron Jobs
A Cron job is a combination of a com
170. d entries greyed out. The default is All Protocols. The Message Decode field causes received/transmitted frame entries to include protocol-specific information. If the Hex Dump field is selected, the first 64 bytes of packet content is displayed. The Packets field causes received/transmitted packet entries to be displayed. The RTT Measurement field displays Beacon messages used for RTT measurement. Note: specifying large numbers of ports, entries and capture times can result in a great deal of output. Specifying a large capture time may require the web page to wait that interval if activity is infrequent.

Chapter 21 Configuring The DHCP Server
Introduction
This chapter familiarizes the user with:
- DHCP Server Configuration
- Use of Option 82

DHCP Fundamentals
Dynamic Host Configuration Protocol (DHCP) is a method for centrally and consistently managing IP addresses and settings for clients, offering a variety of assignment methods. IP addresses can be assigned based on the Ethernet MAC address of a client, sequentially, or by using port identification provided by a DHCP relay agent device.

DHCP Network Organizations
The information to assign addresses in DHCP is organized to deal with clients at the host, group, subnet, pool and shared network level. Hosts entries assig
171. d trademark of Linus Torvalds in the U.S. and other countries. Gauntlet is the registered trademark of Teltone Corporation.

About this User Guide
This guide is concerned with aiding the user in the configuration and operation of the RuggedRouter using the RuggedCom command line setup menu and web management interfaces. Specifically, this guide details aspects of: accessing the user interfaces; security; configuring the router; status determination; performance measurement; uploading and downloading files; dealing with alarms. This guide also details operation of the RX1100 Gauntlet security appliance. This guide is intended solely for the purpose of familiarizing the reader with the ways that the RuggedRouter can be used to support routing over Ethernet, T1/E1, T3, ADSL, DDS and Frame Relay, as well as act as a serial server and time synchronization device.

Applicable Firmware Revision
This guide is applicable to RuggedRouter ROX 1.12.6 software revision.

Who Should Use This User Guide
This guide is to be used by network technical support personnel who are familiar with the operation of networks. Others who might find the book useful are network and system planners, system programmers and line technicians.

How To Use This User Guide
Each chapter has been prepared with a feature description, an application section and a description of the default mode of operation. It is recommended that you
172. ddress 192.168.1.1. The switch has all ports in VLAN 1. The switch base MAC address is 00:0A:DC:11:22:00.

Chapter 21 Configuring The DHCP Server

Assign a client at switch port 2 address 192.168.1.102. Assign a client at switch port 3 address 192.168.1.103. Assign multiple clients at switch port 4 dynamic addresses 192.168.1.151 through 192.168.1.200. The router serves as the default gateway.

1. Enable eth in the Edit Network Interfaces menu.
2. Add a new subnet and configure it for network address 192.168.1.0 with netmask 255.255.255.0.
3. Enable the "Disable NAK of option82 clients for this subnet" option, to prevent confusing some DHCP clients due to the client being on the same network as the DHCP server and the DHCP relay agent (the switch).
4. Save it, then edit the subnet just created and click Edit Client Options.
5. Set default routers to 192.168.1.1 and save it.
6. Click "add an address pool to the subnet".
7. Set the address range to 192.168.1.102 to 192.168.1.102.
8. Click Create.
9. Edit the pool by clicking on the link for the pool with address range 192.168.1.102-192.168.1.102.
10. Click "add an option82 client".
11. Give the client a unique alphanumeric name, for example client0102.
12. Set the remote id to the switch MAC address (00:0A:DC:11:22:00 in this case).
13. Set the circuit id to the switch's circuit id identifier for the port: 00 01 00 02 for VLAN 1, port 2 on a RuggedC
173. ddresses in the external subnet
DNS_SERVERS      HOME_NET   Addresses of DNS servers in the local subnet
SMTP_SERVERS     HOME_NET   Addresses of SMTP servers in the local subnet
HTTP_SERVERS     HOME_NET   Addresses of HTTP servers in the local subnet
SQL_SERVERS      HOME_NET   Addresses of SQL servers in the local subnet
TELNET_SERVERS   HOME_NET   Addresses of TELNET servers in the local subnet
SNMP_SERVERS     HOME_NET   Addresses of SNMP servers in the local subnet
HTTP_PORTS       80         A single port number or range (e.g. 80:8080) of ports which serve http
SHELLCODE_PORTS  !80        Ports you want to look for SHELLCODE on
ORACLE_PORTS     1521       Ports you want to look for ORACLE attacks on
AIM_SERVERS      64.12.24.0/23, 64.12.28.0/23, 64.12.161.0/24, 64.   Known AIM servers
Save Changes / Reset Changes

This menu allows you to configure the IP addresses and ports of servers in the local and external network. The Home Net field defaults to ANY and designates the IP subnet of any local ports on the router. Configuring a specific subnet can reduce the number of alerts generated.

PreProcessors
Snort Preprocessor Settings, Preprocessor Options:
  stats_interval 0 hash 2
  frag2
  stream4: disable_evasion_alerts detect_scans
  stream4_reassemble
  http_inspect: global iis_unicode_map unicode.map 1252
  rpc
175. e Original
   Action  Source              Destination       Proto  Dest Port   Source Port  Original Destination IP
1  ACCEPT  net:204.18.45.0/24  fw
2  DNAT    net                 loc:192.168.1.3   tcp    ssh,http
3  DNAT    net:204.18.45.0/24  loc:192.168.1.3   tcp    http        -            130.252.100.69
4  ACCEPT  fw                  net               icmp
5  ACCEPT  net:204.18.45.0/24  fw                icmp   8

1. This rule accepts traffic to the firewall itself from the 204.18.45.0/24 subnet. If the default policy is to drop all requests from net to the firewall, this rule will allow only traffic from the authorized subnet.
2. This rule forwards all ssh and http connection requests from the Internet to local system 192.168.1.3.
3. This rule forwards http traffic from 204.18.45.0/24 which was originally directed to the firewall at 130.252.100.69 to the host at 192.168.1.3 in the local zone. If the firewall supports another public IP address (e.g. 130.252.100.70), a similar rule could map requests to another host.
4 and 5. These rules allow the firewall to issue icmp requests to the Internet and to respond to icmp echo requests from the authorized subnet.

Rules are defined in the file /etc/shorewall/rules and are modified from the Firewall Rules menu.

Configuring The Firewall And VPN
Route-Based Virtual Private Networking
Begin configuration by creating local network and vpn zones, all as zone type IPV4. The openswan daemon will have created ipsecX interfaces, which should be added to the vpn zone in the interfaces menu. The IPsec protocol operates on UDP port 500 and using protocols ah (Authentication He
176. e meaning of each option is the same in each case, while the type of target determines which clients it applies to.

In DHCP, settings at a more specific level override higher levels. For example, you can configure a DNS server for all clients, then create a group that overrides the setting. This allows defaults to be set at a high level to apply to most clients, while exceptions can be placed just where they are needed. Many settings are only supported by certain specific types of clients and are ignored by the majority of clients.

Basic options you should pay attention to include:
- Address ranges: the range of addresses to use for dynamic IP clients.
- Default lease time: the default length of leases assigned to clients if the client doesn't request a lease length.
- Maximum lease time: the maximum length of leases allowed to clients. If a client requests a higher value it will be refused.
- Client hostname: the hostname the client should use.
- Default routers: the default gateway the client should use.
- Domain name: the DNS domain name the client should use.
- DNS servers: the IPs of the DNS servers the client should use.
- NTP servers: the IPs of the NTP servers the client should use.
- Static routes: static routes the client should use.
- Time servers: the IPs of the time servers the client should use.

Lesser used client options include:
- Subnet mask: the subnet mask the client should use.

Rare
177. e Relay or PPP to the channels by following the Assign Protocol links. The resultant menus will allow you to select the desired channel. If you are assigning multiple DLCIs, assign the first DLCI used by that interface and configure the Frame Relay Link Parameters and that DLCI's network parameters.

After assigning the first DLCI, you may revisit the interface through the link under the Name field and add additional DLCIs. Once all channels have been assigned, the Assign links will no longer appear, as shown below. Note that any of the Frame Relay interfaces on a channel (in this case w1c4fr16 and w1c4fr17) may be used to edit the Frame Relay Link Parameters.

T1/E1 WAN Interfaces
T1/E1 Trunks, Channels and Logical Interfaces (Refresh this page)
T1 1: Up. Channel / Assigned time slots (channelized interface): 1: 1, 2: 2, 3: 3, 4: 4-24.

Channel  Name     Status  Description            Local Address   Netmask          Remote Address  Default Gateway
1        w1c1ppp  Up      Feeder Station 6       192.168.100.1   255.255.255.255  192.168.100.2   none
2        w1c2ppp  Up      Feeder Station 13      192.168.101.1   255.255.255.255  192.168.101.2   none
3        w1c3ppp  Up      Feeder Station 19      192.168.102.1   255.255.255.255  192.168.102.2   none
4        w1c4fr16 Up      Main Control Center    185.42.16.101   255.255.255.255  145.7.81.221    none
4        w1c4fr17 Up      Backup Control Center  181.22.44.16    255.255.255.255  171.141.13.12   none
178. e System name, System location, System contact and System description fields configure descriptive parameters for the router.

Network Addressing Configuration
For reference, the set of currently configured and active IP addresses is listed near the top of the page.
Client IP Address (Source IP)
Figure 219: Network Addressing Configuration page, Client Address

Chapter 26 Maintaining The Router

The Client address (Source IP) field specifies the address from which snmpd will send notifications. If the field is blank, the default behaviour will be to transmit the notification from the IP address of the interface from which the message leaves the router. Snmpd will return to this behaviour if the configured address is not available when it starts.

Addresses to listen on
Interface Name  IP Address     Listening
lo              127.0.0.1      enabled / disabled
eth1            10.128.10.233  enabled / disabled
eth2            192.168.32.1   enabled / disabled
dummy0          172.99.45.68   enabled / disabled
New
NOTE: snmpd is currently configured to listen on all active IPV4 interfaces.
Figure 220: Network Addressing Configuration page, Addresses to listen on

The table of Addresses to listen on includes the list of currently configured and active IP addresses and whether the address is currently listened on. The New field allows for the addition of other IP addresses. Snmpd will use these addresses providing
179. e first 64 bytes of packet content is displayed. The Incoming/Outgoing Connections field allows regular network-level entries, such as call connections and received/transmitted messages, to be displayed. Note that some unexpected but unusual network messages may be displayed if they occur. Note: specifying large numbers of ports, entries and capture times can result in a great deal of output. Specifying a large capture time may require the web page to wait that interval if activity is infrequent.

Chapter 19 Configuring Serial Protocols

Sertrace Utility
The command line sertrace utility offers the ability to trace the activity of serial ports in real time. A port range may be specified to limit the output to specific ports. The level of traffic to trace and the type of decoding may be specified. The tool may also be used to force the port to transmit an output test message. The following is an example of sertrace use:

RuggedRouter# sertrace -h
Trace Serial Protocol Server Activity
Usage: sertrace dtr ser ser ser ser ser n (the absence of parameters)
  -p portrange   (server)
  -d             protocol decode (server)
  -t             tcp level events (server)

RuggedRouter 0:56:18.4 0356 319 9 s
0:56:47.497 RAWSOCKET 74 68 65 20 7? 66 6f 78 20 6a 74 68 65 20 6c
0:56:47.545 RAWSOCKET 74 68 65 20 7? 66 6f 78 20 6a 74 68 65 20 6c
0:56:47.545 TCPCONN Tx Data from port 1 44b to 10.0.10.236:499
180. e of 1. Higher values, however, may strike a balance between latency and performance.

Prioritization Statistics
Prioritization Statistics for w1ppp (0-100%):
  extra high  20.93 KB
  high        2.48 MB
  Normal      1.39 MB
  Low         2.12 MB
Refresh / Clear Statistics And Refresh
Figure 145: Prioritization Statistics

This menu displays the percentage of interface traffic that has been transmitted from each priority queue. The Refresh button causes the statistics to be updated. The Clear Statistics And Refresh button causes the statistics to be cleared and then captured after a one second interval.

Chapter 17 Configuring Generic Routing Encapsulation
Introduction
This chapter familiarizes the user with:
- Enabling/Disabling GRE
- Viewing GRE Status

GRE Fundamentals
The RuggedRouter is able to encapsulate multicast traffic and IPv6 packets and transport them through an IPv4 network tunnel. The GRE tunnel can transport the traffic through any number of intermediate networks. The key parameters for GRE in each router are the tunnel name, local router address, remote router address and remote subnet.

Figure 146: VRRP Example (diagram: Router 1 with w2ppp 172.16.17.18, eth1 192.168.1.1, eth2 network 192.168.1.0; Router 2 with 172.19.20.21, eth1 192.168.2.1, eth2 network 192.168.2.0)

In the above example, Router 1 will use a GRE tunnel
181. e serial port does. The same login is used for both. The PPP server fields allow the modem to answer incoming calls and set up a PPP connection to the remote system to provide network access. The Radius Authentication fields will force incoming PPP connections to authenticate against the Radius servers configured in the Maintenance menu, Radius Authentication sub-menu. The Dial-in Console and PPP Server can be enabled at the same time. The router will automatically detect if an incoming call is PPP or console only. If the PPP client is enabled it will try to maintain the PPP link at all times and hence block incoming calls most of the time. Enabling the PPP Client at the same time as the Dial-in Console and/or PPP Server is not recommended.

Chapter 10 Configuring PPP and Modem

Rings before answer controls how many times to let the modem ring before answering the call if Dial-in console or PPP Server is enabled. Additional Modem AT Init Codes allows extra AT codes to be entered if required. Permitted codes are:
- Blind dial: X0 Ignore dialtone/busy signal; X4 Monitor and report dialtone/busy signal (default).
- Guard tone control: &G0 Disable guard tone (default); &G1 Enable guard tone at 550Hz; &G2 Enable guard tone at 1800Hz.
- Pulse dialing control: &P0 Make/break ratio of 39/61 at 10 pulses/second (default); &P1 Make/break ratio of 33/67 at 10 pulses/second.
182. e stored.
Figure 91: Firewall Network Zones

This menu allows you to add, delete and configure zones. Add a new zone by selecting the Add a new network zone link, or by clicking on the add above or add below images in the Add field. The Zone Type field controls the type of traffic carried in the zone. The Firewall system zone type is built in to the fw zone. A zone type of IPSEC is used with policy-based VPNs. A zone type of IPV4 is used with normal traffic and route-based VPNs. Reorder the zones by clicking on the arrows under the Move field. Note: if you define a vpn zone whose traffic is received via a network zone, it is essential that the vpn zone be declared before the network zone. Clicking on a link under the Zone ID field will allow you to edit or delete the zone. Note that if you delete a zone you should remove any rules that reference it. Note: there must be exactly one zone of type firewall. Do not delete this zone. You may also make changes by manually editing the zone file.

Network Interfaces
Each of the network interfaces on your system that you want Shorewall to manage should be listed on this page and associated with the zone that it is connected to. The loopback interface lo must never be listed.
Add a new network interface
Interface  Zone name  Broadcast address  Options  Move  Add
w1ppp      net        Automatic          None
eth1       loc        Automatic          None
eth2       dmz        Au
183. e to IP/ICMP overhead. The Time between pings field limits the rate at which pings are sent. The Pattern(s) to send (Hex) field specifies a pattern to fill the packet sent. This is useful for diagnosing data-dependent problems in a network. For example, specifying ff will cause the sent packet to be filled with all ones.

Traceroute Menu
Traceroute: Hostname; Verbose Output; How many Hops 30; Lookup Addresses; Packet Length 40; Use ICMP instead of UDP; Interface. Trace It.
Figure 151: Traceroute Menu

The Hostname field accepts the host name or IP address to trace the route to. The Verbose Output field causes ping to present the maximum of output. The Lookup Addresses field causes ping to resolve IP addresses to domain names. This can make ping behave very slowly if DNS is not properly configured. The Use ICMP instead of UDP field causes traceroute to probe with ICMP packets. The How many Hops field limits the maximum number of hops that traceroute will attempt to map.

Chapter 18 Network Utilities

The Packet Length field specifies the size of the data in the traceroute packet. The Interface field specifies the network interface to obtain the source IP address for outgoing probe packets. Otherwise the router will manually set the address based on the actual interface taken.

Host Menu
Host: Hostname; Type: Network address / Nameserver / Default
184. e user belongs to.

Appendix E Radius Server Configuration

Permission: Grant remote access permission.

3. Double click the policy name you created. In the popup window, click the Edit Profile button.
Figure 241: IAS Window, Edit Remote Access Policy (AEPTest_other Properties)

4. In the Edit Profile window, click the Add button.
Figure 242: IAS Window, Edit Profile (Edit Dial-in Profile)

5. In the Add Attribute window, select the Vendor-Specific line and click the Add button.
Add Attribute: To add an attribute to the Profile, select the attribute and then click Add. To add an attribute that is not listed, select the Vendor-Specific attribute.
Attribute Name              Vendor           Description
Tunnel Server Auth ID       RADIUS Standard  Specifies the name used by the tunnel terminator during th
Tunnel Server Endpt         RADIUS Standard  Specifies the IP address of the server end of the tunnel
Tunnel Type                 RADIUS Standard  Specifies the tunneling protocols used
Vendor-Specific             RADIUS Standard  Specifies the support of proprietary NAS features
Cisco AV Pair               Cisco            Specifies the Cisco AV Pair VSA
Allowed Certificate OID     Microsoft        Specifies the certificate purpose or usage object identifiers
Generate Class Attribute    Microsoft        Specifies whether IAS automatically generates the class a
Generate Session Timeout    Microsoft        Specifies whether IAS automatically generates the session
Ignore
185. e warned before starting an upgrade when a reboot is required. The only exception is the unattended automatic upgrade.

Automatic Upgrade
It can be programmed to check a server on your network at a specific time each day, upgrading to the newest release. RuggedCom understands that some administrators may wish to pre-test package upgrades on specific machines before performing a network-wide upgrade. It is also possible to manually control the upgrade process on a per-machine, per-package basis.

The upgrade system allows you to restrict the maximum amount of bandwidth consumed by an upgrade. Most upgrades will involve relatively modest amounts of data transfer, especially over an Ethernet-class network. But when the router is accessed over a low-speed WAN link, even a small upgrade can temporarily consume 100% of the link's bandwidth. This can disrupt mission-critical applications. The bandwidth limiting feature limits only the upgrading process, leaving regular traffic unregulated.

Chapter 26 Maintaining The Router

Upgrade to RX1100
Upgrade Inventory: This router has an RX1000 order code. In order to upgrade to an RX1100, contact your sales manager and provide them with the following inventory record. When your salesperson returns you an updated record, overwrite the current record and press the Upgrade Inventory button. A reboot will then be required.
Product information: OrderCode RX1000 F 1D8DBOFGF
186. e will activate the critical fail relay. The Web interface displays the alarms. Pressing the pushbutton for more than five seconds will reboot the router.

Obtaining Chassis Information
The chassis displays the hardware inventory at boot time. This information is captured in the /var/log/messages file after boot. The Web Management interface home page displays the chassis serial number.

Chapter 2 Webmin Configuration
Introduction
This chapter familiarizes the user with configuring the router through the Webmin menu and describes the following procedures:
- Configuring the IP Address and Subnet Mask
- Configuring the Gateway Address
- Viewing the Webmin Log

Webmin Configuration Menu
Webmin Configuration (Webmin version 1.150): IP Access Control, Ports and Addresses, Authentication.
Figure 15: Webmin Configuration Menu

IP Access Control
The Webmin server can be configured to deny or allow access only from certain IP addresses using this form. Hostnames like foo.bar.com and IP networks like 10.254.3.0 or 10.254.1.0/255.255.255.128 can also be entered. You should limit access to your server to trusted addresses, especially if it is accessible from the Internet. Otherwise anyone who guesses your password will have complete control of your system.
Access control options: 127.0.0.1
187. each forwarder.
- By configuring different forwarders, low-severity and high-severity control centers can be set up.

Each alert is mapped to an alert definition entry, which is predefined by the daemon that owns the alert or by a user. All alert definition entries are configurable by the user. An alert filter is a user-defined configuration to define the forwarder destination of active alerts. Any active alert with Renotify Interval set to a non-zero value that matches the filter level will be forwarded to the defined forwarder destination.

Alert Menu
Alerts: All Alerts. View by: All Alerts; Higher than: Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug; Category: chassis, performance, interface, daemon.
Alert Name            Specific              Severity  Date                      Action
Chassis 3.3           PS2 out of range      Error     Fri Oct 5 14:47:25 2007   Clear Alert
Power Supply 2 Failure  Failure             Critical  Fri Oct 5 08:33:45 2007   Clear Alert
Upgrade made changes  Upgrade made changes  Warning   Thu Oct 4 15:15:48 2007   Clear Alert
Alert Configuration / Alert Definition Configuration
Figure 201: Alert Main Menu

This menu displays active alerts and allows you to change alert system configuration and alert definitions. Follow the All Alerts link to show all alerts. Follow the severity links (Emergency ... Debug) or the category links (chassis ... daemon) to limit the alert view. Note
188. edRouter releases are obtained from the RuggedCom web site as ZIP files. Download the ZIP file to your regular and/or test release directories and unzip them. You may delete the original ZIP file if desired. The ZIP file name will be in the form rrX.Y.zip. The major release number X is changed when major new functionality, often hardware related, is offered. The minor release number Y is increased when minor functionality is added or bug repairs are made. The first RuggedRouter upgrade release is rr1.1.zip. The zip file will extract to a directory that has the same name as the major release, e.g. rr1. As subsequent releases are made they will also be extracted into this directory.

Up The Routers
The name of the release directory and the major and minor release names from the zip file tell you how to set up the routers. Suppose you have just unzipped rr1.2.zip into ruggedroutertest on a server available to the network at server.xyz.net. The major release is rr1 and the minor release is 2. You have chosen this directory because you want to test the release on a specific machine before propagating it to the network. Login to the test router and visit the Maintenance menu, Upgrade Software, Change Repository Server sub-menu. Change the Repository server field to http://server.xyz.net/ruggedroutertest and the Release Version field to rr1. You can proceed to upgrade the router manually or wait for the next nightly upgrade to
189. efault Route and Static Multicast Routing sub-menus. You can configure the NTP server through the Servers menu, NTP Server sub-menu. See the chapter Configuring NTP for more details. You can configure SSH through the Servers menu, SSH Server sub-menu. SSH can be set up to issue a login banner from this menu. See the chapter Configuring SSH for more details. Traffic prioritization can be configured on the network interfaces through the Networking menu, Traffic Prioritization sub-menu. See the chapter Traffic Prioritization for more details. SNMP is disabled by default. You can configure SNMP by following the instructions in the Appendix on SNMP. You may allow read and write access, set community names, enable traps and program the router to issue traps with a specific client address. If your router is an RX1100, you may configure and activate the Snort Intrusion Detection system and the Gauntlet Security Appliance. If you decide to forward daily email summaries, you must configure a mail forwarder in the Maintenance menu, Miscellaneous sub-menu, Outgoing Mail sub-menu.

When your router's configuration is stable it is recommended that the configuration be uploaded from the router and stored as a backup. The Maintenance menu, Backup And Restore sub-menu will be useful. Should you need to transfer files to or from the router, the Maintenance menu, Upload/Download Files sub
190. em
Introduction
This chapter familiarizes the user with:
- Configuring PPP Client
- Configuring PPP Server
- Configuring Dial-in console
- Viewing status

Modem Fundamentals
The modem allows connections to be made over standard telephone lines. PPP is used to run network traffic over a modem link.

PPP Mode Fundamentals
PPP (Point-to-Point Protocol) is a protocol for linking two systems over a serial line. As your PPP connection is established, a PPP interface will be created. The name will be ppp0. Use this interface name in firewall rules.

Authentication, Addresses and DNS Servers
PPP authentication utilizes PAP or CHAP. Your ISP will provide you with a user ID and password along with a phone number, which you will enter in the GUI. The authentication process will assign a local IP address and addresses of the ISP's DNS servers to the router. You should use these DNS servers unless you wish to provide your own. You will obtain either a dynamic or static IP from your ISP. Firewall configuration should be performed as is appropriate.

When the Modem Connects
The modem may be configured to connect at boot time.

LED Designations
The RuggedRouter provides a pair of LEDs to indicate information about the modem PPP connection. PPP Link will be green when the modem PPP link is established. It will flash while a connection is being established or a console dial-in session is active. PPP Data will flash g
191. enswan is started, but not activated until an incoming request arrives. A value of Route will cause a route, and only the route, for packets to be established, discarding packets sent there, which may be preferable to having them sent elsewhere based on a more general route (e.g. a default route).

The Authenticate by fields select the authentication method. If Default is selected, the value in the Defaults for all connections record is used. If rsasig or secret/rsasig is selected, then the System's public key of each of the Left System's Settings and Right System's Settings sections must include an RSA signature string, or an X.509 certificate must be in use. If secret is selected, then the Preshared key menu must contain a key indexed by the Public IPs of the Left and Right systems.

The Encryption Protocols fields select the encryption protocol used. If Default is selected, the value in the Defaults for all connections record is used. If "allow only" is selected, the protocols in aes256, aes192, aes128 and 3des are included in a list. At connection time the two peers will compare their capabilities and select the strongest common protocol (largest aes over smaller aes, and aes over 3des).

The Compress data fields select whether data should be compressed. If Default is selected, the value in the Defaults for all connections record is used.

The Perfect Forward
192. "openswantest": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2
36 "openswantest": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1536
37 "openswantest": ESP algorithms wanted: 3_000-1, 3_000-2; flags=strict
38 "openswantest": ESP algorithms loaded: 3_000-1, 3_000-2; flags=strict
39 "openswantest": ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=<Phase1>
40 #3126: "openswantest": STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 9s
41 #3093: "openswantest": STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1050s; newest ISAKMP
42 #2997: "openswantest": STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 19773s; newest IPSEC; eroute owner
43 #2997: "openswantest": esp.df9839e9@204.50.190.91 esp.8e2d7255@204.50.190.89 tun.0@204.50.190.91 tun.0@204.50.190
Figure 113: IPsec Status

The IPsec Status button produces a window of text similar to that of the above figure, except that line numbers have been inserted for purposes of illustration. The first group (lines 1-5) describes configured interfaces. The second group (lines 7-17) describes ESP capabilities. In this group we can see encryption capabilities (lines 7-13) and authentication capabilities (lines 14-17). At least one set of values must match between the left and right hand side VPN devices. This is also frequently referred to as the Phase 2 parameters, because the data encryption process is the second
193. ent protocol. IEC 61850 uses Layer 2 multicast frames to distribute its messages and hence is incapable of operating outside of a switched Ethernet network. The GOOSE tunnel feature provides a capability to bridge GOOSE frames over a WAN. GOOSE tunnels provide you with the following features:
• GOOSE traffic is bridged over the WAN via UDP packets.
• One GOOSE traffic source can be mapped to multiple remote router Ethernet interfaces in mesh fashion.
• To reduce bandwidth consumption, GOOSE daemons may be located at each of the legs and at the center of a star network. The centrally located daemon will accept GOOSE packets and redistribute them.
• Statistics report the availability of remote GOOSE daemons, packet counts and the Round Trip Time (RTT) for each remote daemon.
• When Virtual Router Redundancy Protocol (VRRP) is employed, GOOSE transport is improved by sending redundant GOOSE packets from each VRRP gateway.
Layer 2 Tunnel Daemon Details
The GOOSE protocol is supported by the Layer 2 Tunnel Daemon. The daemon listens to configured Ethernet interfaces and to the network itself upon a configurable UDP port. The Media Access Control (MAC) destination address of frames received from Ethernet is inspected in order to determine which GOOSE group they are in. The frames are then encapsulated in network headers and forwarded, with MAC source and destination addresses intact, to the network as GOOSE packets. IEC 61850 recommends th
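The classification-by-destination-MAC and UDP encapsulation steps just described, as an added example in Python; this is not the RuggedCom daemon's code. It assumes the IEC 61850-8-1 GOOSE multicast MAC range 01-0C-CD-01-00-00 to 01-0C-CD-01-01-FF and EtherType 0x88B8, and the tunnel header layout is invented for the example, not the daemon's wire format.

```python
import struct
from typing import Optional, Tuple

# IEC 61850-8-1 reserves 01-0C-CD-01-00-00 .. 01-0C-CD-01-01-FF for GOOSE (assumed here).
GOOSE_MAC_PREFIX = bytes.fromhex("010ccd01")
GOOSE_ETHERTYPE = 0x88B8
VLAN_ETHERTYPE = 0x8100
# Hypothetical tunnel header for this example only: marker, GOOSE group, frame length.
TUNNEL_MAGIC = b"L2T1"
TUNNEL_HDR = struct.Struct(">4sHH")


def ethertype_of(frame: bytes) -> int:
    """EtherType of a frame, looking past one 802.1Q VLAN tag if present."""
    etype = struct.unpack(">H", frame[12:14])[0]
    if etype == VLAN_ETHERTYPE and len(frame) >= 18:
        etype = struct.unpack(">H", frame[16:18])[0]
    return etype


def goose_group(frame: bytes) -> Optional[int]:
    """GOOSE group of a frame, taken from its multicast destination MAC, or None.

    This is the daemon's rule from the text: the destination MAC decides the
    group.  The EtherType check is an extra guard so that a frame that merely
    reuses the reserved MAC range is not tunnelled."""
    if len(frame) < 14:
        return None
    dst = frame[:6]
    if dst[:4] != GOOSE_MAC_PREFIX or dst[4] > 0x01:
        return None
    if ethertype_of(frame) != GOOSE_ETHERTYPE:
        return None
    return struct.unpack(">H", dst[4:6])[0]


def encapsulate(frame: bytes) -> Optional[bytes]:
    """Wrap a GOOSE frame, MAC addresses intact, as the payload of a UDP datagram."""
    group = goose_group(frame)
    if group is None:
        return None
    return TUNNEL_HDR.pack(TUNNEL_MAGIC, group, len(frame)) + frame


def decapsulate(payload: bytes) -> Optional[Tuple[int, bytes]]:
    """Recover (group, frame) from a tunnel payload, or None if it is malformed.

    The inner frame is re-validated: a remote daemon (or anything that can reach
    the UDP listen port) must not be able to place arbitrary Layer 2 frames onto
    the local substation LAN through the tunnel."""
    if len(payload) < TUNNEL_HDR.size:
        return None
    magic, group, length = TUNNEL_HDR.unpack_from(payload)
    frame = payload[TUNNEL_HDR.size:]
    if magic != TUNNEL_MAGIC or len(frame) != length:
        return None
    if goose_group(frame) != group:
        return None
    return group, frame


def build_frame(dst: bytes, src: bytes, etype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Assemble an Ethernet II frame, optionally with an 802.1Q tag (constructed data)."""
    tag = struct.pack(">HH", VLAN_ETHERTYPE, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack(">H", etype) + payload


# Constructed sample frames, not captured traffic.
SRC_MAC = bytes.fromhex("001122334455")
GOOSE_FRAME = build_frame(bytes.fromhex("010ccd010003"), SRC_MAC, GOOSE_ETHERTYPE, b"\x61" * 20)
TAGGED_GOOSE = build_frame(bytes.fromhex("010ccd010103"), SRC_MAC, GOOSE_ETHERTYPE,
                           b"\x61" * 20, vlan=(4 << 13) | 10)
ARP_FRAME = build_frame(bytes.fromhex("ffffffffffff"), SRC_MAC, 0x0806, b"\x00" * 28)

if __name__ == "__main__":
    wrapped = encapsulate(GOOSE_FRAME)
    print("group", goose_group(GOOSE_FRAME), "-> tunnel payload of", len(wrapped), "bytes")
    print("tagged frame group", goose_group(TAGGED_GOOSE))
    print("ARP frame tunnelled?", encapsulate(ARP_FRAME) is not None)
```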
194. requires that the Client IP address be set to an IP that would be valid on one of the Ethernet subnets that the router is connected to. If this setup is used, other machines on the Ethernet subnet will be able to communicate with the remote system as if it was connected directly to the Ethernet subnet. The Idle timeout field controls how many seconds to wait when there is no traffic on the PPP connection before hanging up the connection. Setting it to 0 or blank will disable the timeout. The User table contains a list of users and passwords which are allowed to connect to the router by PPP. Each user can also have an optional list of subnets to create static routes to whenever their connection is established. To edit the list of routes, click on the route list for the user. To remove a user, click Delete. To add a user, enter the username and password and click Add. To change a password, enter the username and new password and click Add; the password will be updated on the existing entry.
Modem Incoming Call Logs
Figure 86: Incoming Call Logs
RuggedCom 99 RuggedRouter User Guide
(The figure shows the Incoming Call Logs screen with a Refresh link and a Date/Time/Event table of mgetty log entries from 03/17 14:41:52 onwards: the mgetty interim release banner, checking for lockfiles, locking the line, lowering DTR to reset the modem, sending the AT&F initialisation string and waiting for
195. er DLCIs assigned to the channel will free the channel up.
Editing A Logical Interface (PPP)
Figure 56: Edit Logical Interface (PPP). The screen shows the PPP Parameters of w1c1ppp on T1 1, Channel 1: Name w1c1ppp, Local Address 2.2.2.2, Netmask 255.255.255.255, Remote Address 1.1.1.1, Default Gateway, Description "Feeder Station 6", with Save and Delete buttons.
The Local Address, Netmask, Remote Address, Default Gateway and Description fields are as described in the previous section.
T1/E1 Statistics
When at least one logical interface is configured, T1/E1 link and logical interface statistics will be available. These statistics are available from links on the T1/E1 WAN Interfaces menu. Link statistics are provided through the View Link Statistics link at the bottom of each interface table. Frame Relay and PPP statistics are available through the Statistics links under the interface name column of each interface table.
Link Statistics
Figure: T1 1 Link Layer Statistics. Receive statistics: number of frames received 25520, number of bytes received 14639786, receive throughput, received frames discarded (too short), received frames discarded (too long). Transmit statistics: number of frames transmitted 23193, number of bytes transmitted 6929719, transmit throughput, transmit frames discarded (length error) 0, transmit frames realigne
196. er DNS, MTU 1452, and Save and Delete buttons)
This menu allows you to display and configure logical interface fields for PPPoE and to convert the interface to Bridged Mode. By default, interfaces are created with PPPoE. If you want the interface to be in Bridged Mode, click on the Convert this interface to bridged link. The Description field attaches a description to the logical interface, viewable from the network interfaces menu. The VPI field determines the VPI number the connection uses; the default of 0 is correct for most providers. The VCI field determines the VCI number the connection uses; the default of 35 is correct for most providers. The Attempt ATM Autoconfiguration option causes the router to attempt to automatically determine the VPI and VCI used on the connection. This does not work with all providers and may cause the connection to fail even if the link light is on. If this option is used, it should only be used to find out what the correct values are when your provider isn't willing to help you; once the correct values are found, it should be disabled and the correct values entered in the VPI and VCI fields instead. The PPPoE Username field determines the username to use when connecting to the PPPoE server, as specified by your provider. The Password field determines the password provided to the PPPoE server. The Default Route checkbox enables automatically setting a default route using this interface whenever it connects. If this is your
197. erial ports
• Tracing serial port activity
Serial IP Port Features
RuggedCom Serial IP provides you with the following features:
• Raw Socket Protocol: a means to transport streams of characters from one serial port on the router to a specific remote IP address and TCP port.
• 4 independent serial ports per product.
• Baud rates of 1200, 2400, 4800, 9600, 19200, 38400, 57600, 115200 or 230400 bps.
• Supports RS232, RS422 and RS485 party line operation.
• XON/XOFF flow control.
• Supports a point-to-point connection mode and a broadcast connection mode in which up to 32 remote servers may connect to a central server.
• TCP/IP incoming, outgoing, or both incoming and outgoing connection modes, with configurable local and remote TCP port numbers.
• Packetizes and sends data on a full packet, on a specific character, or upon a timeout.
• Supports a turnaround time to enforce minimum times between messages sent out the serial port.
• Debugging facilities include connection tracing and statistics.
LED Designations
The Quad TriplePlay Serial card includes transmit and receive LEDs. The transmit LED is leftmost when the card is in the top slot and will light while characters are being transmitted. The receive LED is rightmost when the card is in the top slot and will light while characters are being received. Serial port numbers are as described by the SER labels shown in the home page chassis diagram.
Se
198. ers
• Setting generic NTP options
• NTP Tools
NTP Fundamentals
NTP (Network Time Protocol) is an Internet protocol used to synchronize the clocks of computers to some time reference. Variants of NTP such as SNTP (Simple NTP, a reduced functionality NTP) and XNTP (Experimental NTP) exist. NTP itself is available in versions 3 and 4; the RuggedRouter includes version 4. NTP is a fault tolerant protocol that allows an NTP daemon program to automatically select the best of several available time sources, or reference clocks, to synchronize to. Multiple candidates can be combined to minimize the accumulated error. Temporarily or permanently wrong time sources are detected and avoided. The NTP daemon achieves synchronization by making small and frequent changes to the router hardware clock. The NTP daemon operates in a client/server mode, both synchronizing from servers and providing synchronization to peers. If NTP has a number of servers to choose from, it will synchronize with the lowest stratum server. The stratum is a measure of the number of servers to the most highly accurate reference clock. A reference clock itself appears at stratum 0. A server synchronized to a stratum n server will be running at stratum n+1. You will generally configure lower stratum NTP hosts as servers and other NTP hosts at the same stratum as peers. If all your configured servers fail, a configured peer will help in providing the NTP time. It is generally a
199. es
Figure 47: List PPPoE Interfaces. The PPPoE Interfaces table (Ethernet, Interface Name, MTU, Use Peer DNS, Default Route, Status):
eth1   Add PPPoE interface
eth2   pppi2   1452   Enable   Enable   Inactive
eth3   Add PPPoE interface
eth4   Add PPPoE interface
This menu allows you to display and configure the PPPoE interfaces on all available Ethernet ports. The PPPoE Interfaces table allows you to add a PPPoE interface on an Ethernet port or change the PPPoE interface parameters of created interfaces. Only one PPPoE interface can be created on each Ethernet port. The Ethernet field shows all available Ethernet ports. The Interface Name field shows created PPPoE interfaces and provides a link to edit the existing configuration or create a new one. The MTU, Use Peer DNS and Default Route fields are the configured information for PPPoE interfaces. The Status field shows the current PPPoE link status.
62 RuggedCom Chapter 5 Configuring Ethernet Interfaces
Edit PPPoE Interface
Figure 48: Editing a PPPoE Interface (Edit PPPoE Interface on eth2; Interface Parameters: PPPoE Username, Password, Default Route, Use Peer DNS, MTU 1452; Save and Delete buttons)
This menu allows you to edit a PPPoE interface. The PPPoE Username field determines the username to use when connecting to the PPPoE server, as specified by your provider. The Password field determines the password provided to the PPPoE
201. ess. Address is an optional IP address that you wish to masquerade as.
Note: the presence of the Address field determines whether masquerading or SNAT is being used. Masquerading is used when only Interface and Subnet are present; SNAT is used when Interface, Subnet and Address are present.
Protocol optionally takes on the name of protocols (e.g. tcp, udp) that you wish to masquerade. Ports optionally takes on the ports to masquerade when Protocol is set to tcp or udp. These can be raw port numbers or names as found in the file /etc/services.
Some examples should illustrate the use of masquerading:
Rule   Interface   Subnet           Address         Protocol   Ports
1      eth1        eth2
2      ppp+        eth2             66.11.180.161
3      ppp+        192.168.0.0/24   66.11.180.161
4      w1ppp       eth1             100.1.101.16
5      w1ppp       eth1             100.1.101.16    tcp        smtp
1. In this masquerading rule, port eth2 is connected to the local network and eth1 is connected to a DSL modem. Traffic from the subnet handled by eth2 should be translated to whatever IP is assigned to the modem. Internet clients will not be able to determine the router's public address unless some form of dynamic DNS is employed.
2. In this SNAT rule, a static address of 66.11.180.161 is acquired from the ISP. Traffic from the subnet handled by eth2 should be translated to 66.11.180.161 as it is sent to the Internet over ppp. The + at the end of ppp causes Shorewall to match any ppp i
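The five rules of the table above rendered into the iptables nat rules they amount to, as an added example that is neither Shorewall's nor RuggedCom's code; it applies the rule from the text that a present Address means SNAT and an absent one means masquerading. The subnets behind eth1 and eth2 and the service-name table are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed for this example: the subnets behind each Ethernet port.  Shorewall
# itself resolves an interface name in the Subnet column from the live interfaces.
IFACE_SUBNETS: Dict[str, List[str]] = {"eth1": ["10.0.0.0/24"], "eth2": ["192.168.0.0/24"]}
# Constructed subset of the service names that /etc/services would resolve.
SERVICES = {"smtp": 25, "http": 80, "https": 443, "domain": 53}


@dataclass
class MasqRule:
    interface: str                   # outgoing interface; a trailing '+' is a wildcard
    subnet: str                      # CIDR, or the interface behind which the hosts sit
    address: Optional[str] = None    # present => SNAT to this address, absent => MASQUERADE
    protocol: Optional[str] = None
    ports: Optional[str] = None      # comma separated numbers or /etc/services names


def nat_target(rule: MasqRule) -> str:
    """The rule from the text: Address present means SNAT, otherwise masquerading."""
    return "SNAT" if rule.address else "MASQUERADE"


def resolve_subnets(subnet: str) -> List[str]:
    return IFACE_SUBNETS.get(subnet, [subnet])


def resolve_port(port: str) -> str:
    return str(SERVICES.get(port, port))      # raw numbers pass through unchanged


def render(rule: MasqRule) -> List[str]:
    """iptables nat rules equivalent to one masq table row, one per source subnet."""
    if rule.ports and rule.protocol not in ("tcp", "udp"):
        raise ValueError("Ports only apply when Protocol is tcp or udp")
    lines = []
    for src in resolve_subnets(rule.subnet):
        parts = ["iptables -t nat -A POSTROUTING -o", rule.interface, "-s", src]
        if rule.protocol:
            parts += ["-p", rule.protocol]
        if rule.ports:
            ports = [resolve_port(p) for p in rule.ports.split(",")]
            # A single port uses --dport; several need the multiport match.
            parts += (["--dport", ports[0]] if len(ports) == 1
                      else ["-m", "multiport", "--dports", ",".join(ports)])
        parts += ["-j", nat_target(rule)]
        if rule.address:
            parts += ["--to-source", rule.address]
        lines.append(" ".join(parts))
    return lines


# The five rows of the table above, interface names as shown there.
TABLE_RULES = [
    MasqRule("eth1", "eth2"),
    MasqRule("ppp+", "eth2", "66.11.180.161"),
    MasqRule("ppp+", "192.168.0.0/24", "66.11.180.161"),
    MasqRule("w1ppp", "eth1", "100.1.101.16"),
    MasqRule("w1ppp", "eth1", "100.1.101.16", "tcp", "smtp"),
]

if __name__ == "__main__":
    for n, rule in enumerate(TABLE_RULES, 1):
        for line in render(rule):
            print(f"rule {n} ({nat_target(rule)}): {line}")
```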
202. est packets
Figure 59: PPP Link Statistics. The remainder of the screen lists LCP communications errors (packets discarded with an unknown LCP code, received LCP packets too large, received packets with invalid or out of sequence Configure-Acks, received packets with invalid Configure-Naks or Configure-Rejects, Configure-Naks or Configure-Rejects with a bad Identifier) and general communications errors (discards for a bad header, for an unknown/unsupported protocol, and for an unknown/unsupported protocol too large for a Protocol-Reject), with Refresh and Clear Statistics buttons.
T1/E1 Loopback
When at least one logical interface is configured, T1/E1 loopback tests can be performed. This menu can be reached from a link on the T1/E1 WAN Interfaces menu.
Figure: T1 2 Loopback, Loopback Settings
Note: A Digital loopback command causes test frames to be transmitted through the digital sections of the T1/E1 interface. The frames are looped back immediately before the analog transceivers, received by the software and verified. A Remote loopback command causes test frames to be transmitted through the analog transceiver to the T1/E1 line and verifies the frames received from the line. You must arrange for the line to be remotely looped back (e.g. Line loopback) or employ a loopback stub for this test to succeed.
203. esults in the following display:
Figure 213: Start Restore ("Restoring: Are you sure you want to restore configuration with Archive ArchiveOct 16 2006 1729? Note: The chassis will restart immediately after the restore is complete." with a Start Restore button)
To begin the restoring process, click the Start Restore button.
Archive Difference Tool
Figure 214: Archive Differences Menu. Select Archives to Show Differences (Archive Name, Version, Archive Comment):
latestarchive             1.9.0
archiveOct 18 2006 1205   1.8.0   configuration for rr1.8.0
archiveoct 19 2006 1506   1.8.4   Automatic nightly backup at Oct 19 2006 1506
factorydefaults           1.9.0   Factory defaults
Current Configuration     1.9.0   Current Configuration on router
Note: select two and only two targets. Show Differences button.
The Archive Difference menu shows the difference between two targets. The first target must be an archive, while the second target can be either another archive or the current configuration. Choose two and only two targets and click the Show Differences button.
Archive Differences List: differences between archive ArchiveOct 14 2006 0000 rrjc3 rr1 and the Current Configuration (File Name, timestamp in the archive, timestamp in the current configuration):
network/interfaces   Oct 12 2006 17:14:59   Oct 16 2006 17:14:27
hostname             Oct 12 2006 17:16:41   Oct 16 2006 16:39:23
204. fied. Modifying the Facility field will determine how the alert is logged on the remote host. When the alert file method is chosen, a daily analysis of the file can be emailed to the user provided in the User Name field. Note that you must also visit the Maintenance menu, Miscellaneous sub-menu, Outgoing Mail sub-menu in order to configure a mail forwarder.
Edit Config File
Snort is extremely flexible and not all capabilities have been described in this user guide. This menu provides the user with the ability to make raw configuration changes to the snort configuration file from within Webmin.
Chapter 26 Maintaining The Router
Introduction
This chapter familiarizes the user with:
• Viewing Alerts
• Configuring and monitoring the Gauntlet Security Appliance
• Backing up and restoring configurations
• Configuring SNMP
• Configuring Radius Authentication
• Configuring Outgoing Mail
• Using System Logs
• Upgrading Software
• Using Pre-upgrade/Post-upgrade scripts
• Uploading and downloading files
Alert System
The alert system provides the following features:
• Generates alerts, displaying them locally and/or forwarding them via email messages.
• Alerts are set and cleared by the daemons that own them. Active alerts are locally displayed and can be cleared manually.
• Multiple forwarders can be configured; a configurable filter level controls alert forwarding to
205. for firewall system field is used to specify whether packets originating from the firewall itself and destined for the EXTERNAL address are redirected to the internal ADDRESS.
Actions When Stopped
Figure 103: Actions When Stopped. The Shorewall Module Index page "When Stopped" reads: "By default when the Shorewall firewall is stopped it will deny access from all hosts. This page allows you to define hosts or networks that will still be accessible." The table of stopped addresses (Interface, Accessible addresses) lists w1ppp 204.56.67.98, with an Add a new stopped address link and a Manually Edit File button: "Click this button to manually edit the Shorewall file /etc/shorewall/routestopped in which the entries above are stored."
This menu allows you to control which addresses the firewall will accept connections from after it has been stopped. Add a new stopped address by selecting the Add a new stopped address link or by clicking on the add above or add below images in the Add field. Reorder the entries by clicking on the arrows under the Move field. Clicking on a link under the Interface field will allow you to edit or delete the rule as shown below. You may also make changes by manually editing the rule file.
Chapter 12 Configuring An IPsec VPN
Introduc
206. from the kernel routing table, which includes static routes entered by the administrator, to other OSPF routers in the area. Normally only routes that fall within the scope of the network areas will be advertised. The Redistribute RIP fields control distribution of routes learned by RIP. When enabled, OSPF will advertise routes learned by RIP. The Router Id field sets the router id to use for the ospf daemon. This value is used as a unique identifier for the dynamic routing protocol to identify which router sent which route advertisement. By default it uses the highest IP assigned to an interface on the router. It is recommended that this value be set to a unique, fixed IP on each router.
OSPF Interfaces
Figure: OSPF Interface Configuration for eth1 (Parameter, Value (blank = default), Description, Possible values, Default value):
Cost                  (blank)        (description not recoverable from the source)   autocost
Priority              1              Priority of interface                    0-255                                  1
Hello Interval        10             Time between sending hello packets       1-65535 seconds                        10
Dead Interval         40             Time before considering a router dead    1-65535 seconds                        40
Retransmit Interval   5              Time between retransmits                 3-65535 seconds                        5
Transmit Delay        1              Transmission delay                       1-65535 seconds                        1
Passive Interface     not passive    Control interface passive setting        passive, not passive                   not passive
Authentication        default        Type of authentication to use            default, none, message digest, null    default
Save button.
Message Digest
207. g packages that could be installed. During a real upgrade the router will try to download the scripts from the same location as is configured by the Change Repository Server page. The router will attempt to download a file named pre-upgrade and execute it before the upgrade starts. After the upgrade completes (including webmin), the router will attempt to download a file named post-upgrade and execute it. The scripts must start with #!/bin/bash or #!/usr/bin/perl and be designed to produce consistent results in the event they are subsequently run a second time: it is possible for the upgrade to be interrupted after the pre-upgrade script runs and restarted at a later date. The result of running the pre-upgrade script is included in the upgrade output. If run through the automatic upgrade, the scripts' output can be viewed through the View Log File of Last Upgrade button on the Software Upgrade System page.
Example of a post-upgrade script
The following post-upgrade script will send an email notification when the upgrade completes, assuming ssmtp is configured properly:
#!/bin/bash
# Build the message (headers first, then a blank line, then the body) in a temporary file.
echo "Subject: Software upgrade for Release rr1.9.0 on `hostname` completed" > /tmp/mail
echo "To: controlcenter@ruggedcom.com" >> /tmp/mail
echo "" >> /tmp/mail
echo "Software upgrade for Release rr1.9.0 on `hostname` completed at `date`" >> /tmp/mail
# Hand the message to ssmtp and remove the temporary file.
cat /tmp/mail | ssmtp controlcenter@ruggedcom.com
rm -f /tmp/mail
208. g Timeout multiplied by the Ping retry count, plus the Main path down timeout. In the case of a dial backup configuration, also be sure to take into account the call setup and modem connection times. Add to this a time that will allow you to navigate the webmin menus to observe that the Link Backup status, link states and routing are all as expected before, during and after the Link Backup test.
Chapter 15 Configuring VRRP
Introduction
This chapter familiarizes the user with:
• Configuring VRRP
• Enabling and Starting VRRP
• Obtaining VRRP Status
VRRP Fundamentals
The Virtual Router Redundancy Protocol (VRRP) eliminates a single point of failure associated with statically routed networks by providing automatic failover using alternate routers. The RuggedRouter VRRP daemon, keepalived, is an RFC 2338 version 2 compliant implementation of VRRP.
The Problem With Static Routing
Many network designs employ a statically configured default route in the network hosts. A static default route is simple to configure, requires little if any overhead to run, and is supported by virtually every IP implementation. When dynamic host configuration protocol (DHCP) is employed, hosts may accept configuration for only a single default gateway. Unfortunately, this approach creates a single point of failure. Los
209. g down
Figure 133: Link Backup Log. The figure shows recent /var/log/syslog entries such as "Nov 13 17:03:35 llinkd[25541]: llinkd configured and started" and "Nov 13 17:03:35 llinkd[25545]: Start monitoring link backup set eth1 -> eth3", with a Refresh link.
The link backup log displays the log of recent backup events.
Link Backup Status
Figure 134: Link Backup Status. The table lists, per link backup set, the Main Interface device and link state, the Backup Interface device and link state, and whether the backup is reachable (e.g. eth1 -> eth2: eth1 Up, eth2 Down, No), with an Initiate backup path link and a Refresh link.
The link backup status menu displays the status of links managed by the feature.
Test Link Backup
Figure 135: Test Link Backup. The screen shows a Test duration of 5 minutes, a table of Name, Main Interface, Backup Interface, Enabled and Action (e.g. eth1 -> eth2, eth1, eth2, yes, Start Test), the current time 17:20:19, and a Refresh link.
The test link backup menu tests a link backup by discarding all data received on the main interface. This convinces the daemon that the main trunk is unusable and forces it to fail over to the backup trunk.
The Test Duration field controls the amount of time to run before restoring service to the main trunk. Please note that this duration must take into account the timing parameters of the backup configuration. The duration should comfortably exceed the Ping Interval plus the Pin
210. Frame Relay DLCIs
The second table provides a listing of all DLCIs available on the channel. Only the DLCI selected from the main menu can be edited, although another DLCI can be added by following the Add another DLCI to this channel link. The DLCI Number refers to the Data Link Connection Identifier. This number should be provided to you by your provider. The Local IP Address field defines the IP address for this interface. The Netmask field defines the network address mask. The value 255.255.255.255 specifies a point-to-point connection, which is almost always correct. The Remote IP Address field defines the IP address for the other side of this interface. As most WAN links are of point-to-point type, there is only one host connected to the other end of the link and its address is known in advance. This option is the address of the other end of the link and is usually assigned by the network administrator or Internet service provider. The Use as Default Route fields allow you to install a default route to be used while the interface is active. If specified, the gateway address should reside within the host portion of the subnetted remote IP address. The Description field attaches a description to the logical interface, viewable from the network interfaces menu. The Delete this logical interface button removes the currently selected interface. Repetitive use of this button on oth
211. gger by creating a new system log entry, specifying All Facilities and all priorities, and checking the Syslog server on field with an appropriate address.
Upgrade System
Figure 232: Software Upgrade System. The screen offers: Upgrade to RX1100 ("Gain access to the RX1100 feature set including Intrusion Detection Systems and Gauntlet Security", with an Upgrade To RX1100 button); Change Repository Server ("The router currently upgrades from http://rceng02.eng.lan/debian386/release/rr1devel and does not use bandwidth limiting. The router is currently operating release software rr1", with a Change Server button); Automatic Upgrade ("The router is not configured to automatically upgrade", with a Change Settings button); Install a New Package (select the location to install a new package from: from local file, from uploaded file, or from an ftp or http URL; Install button); Upgrade All Packages (Resynchronize package list: yes/no; Only show which packages would be upgraded: yes/no; Upgrade Now button).
The Software Upgrade system provides the following features:
• Upgrading from either HTTP or FTP servers
• Upgrade traffic bandwidth limiting to prevent disruption to mission critical applications
• Automatic daily upgrades from a central server at a scheduled time
• Manually initiated upgrades from a central server
• Manually initiated upgrades of
212. gital and remote loopback. This parameter is not used during line loopback. The Time to run test field limits the time the sender will transmit and the router running line loopback will wait. Running a loop test on an active interface will immediately cause it to go down. The loop test automatically initializes the trunk after completing the test.
Current Routes & Interface Table
The table provided by this command is as described in the Networking menu, Network Utilities sub-menu. It is also provided here as a convenience.
Upgrading Software
For some customers, access to remote sites is accomplished solely by a T1 or E1 connection. Usually a software upgrade will stop the system being upgraded, perform the upgrade and then restart it. If T1/E1 were upgraded in this way the upgrade would fail, as the T1/E1 link would be taken down. Instead, T1/E1 software upgrades modify only the software on the disk. You must schedule a reboot in order to run the new version of the T1/E1 software.
Upgrading Firmware
RuggedCom T1/E1 interfaces reside upon PCI interface cards. These cards contain FLASH memory which from time to time will be required to be upgraded. The upgrade process will take down the T1/E1 links, upgrade the firmware and then restart the interfaces.
Note: The upgrade process requires upwards of 15 minutes for each PCI interface card. Because of the lengthy duration required to upgrade the
213. good idea to configure at least one server and one peer. The NTP daemon will know about the NTP servers and peers to use in three ways:
• It can be configured manually with a list of servers to poll from.
• It can be configured manually with a list of peers to send to.
• It can look at advertisements issued by other servers on multicast or broadcast addresses.
Note that if multicasting or broadcasting is used, it is strongly recommended to enable authentication unless you trust all hosts on the network. NTP uses UDP/IP packets for data transfer because of the fast connection setup and response times UDP offers. The NTP protocol uses UDP port 123. Note that if your router employs a firewall and acts as a client, it must open UDP port 123. Additionally, if the router acts as a server, the firewall must allow connection requests on port 123 as well.
The NTP Sanity Limit
NTP changes the system time through stepping and drifting. Stepping is a sudden change of time, whereas drifting is a slow, gradual time change. NTP will step the system time when it starts. This is almost always at boot time. Stepping the time afterwards can cause protocols such as OSPF that rely upon accurate real time to fail. The router deals with this problem by restarting these protocols if they are running when NTP restarts. After booting, NTP uses drifting to achieve synchronization by making small a
216. he URL of the image file on the web server, and the URL of the configuration archive file on the web server, if one is used.
Appendix C Installing Apache Web Server On Windows
A number of customers have asked for advice and instructions on setting up a web server on Windows. RuggedCom recommends the Apache web server because it is secure, robust, easy to install and configure, and able to be installed on a wide variety of Windows platforms. Begin by identifying a host computer and its physical and logical location on the network. The Repository Server Requirements of the appendix Setting Up A Repository provide some guidance on host requirements. The Apache installation process will prompt you for an IP address and domain name with which to serve the web pages. Later in the install you will also need to provide the directory where the RuggedRouter releases will be kept. Ensure that a web server is not already installed. Obtain Apache by visiting the web page www.apache.org. Visit the HTTP Server portion of the web site and click on the Downloads page. Identify the latest version of Apache and find its Win32 version, usually under httpd/binaries/win32. You should be able to find a Microsoft System Installer version (e.g. apache_2.0.55-win32-x86-no_ssl.msi) as well as platform specific notes. Download and install this version
...the current configuration. This will restart all protocols.

Figure 164 Layer 2 Tunnels Main Menu

Note that the Layer 2 Tunnels daemon is disabled by default and may be enabled via the System folder, Bootup And Shutdown menu. The General Configuration menu changes parameters that apply to all protocols. The GOOSE Tunnels and GOOSE Statistics menus configure, and display statistics for, these tunnels. The Activity Trace menu provides a protocol trace. Once the daemon is enabled, configuration changes may be made to take effect by selecting the Restart Layer 2 Tunnels daemon button.

General Configuration Menu

Figure 165 General Configuration Menu (Layer 2 Daemon Parameters: Daemon UDP Listen Port, Beacon Interval 60 seconds, Save Changes)

This menu configures the daemon settings.

The Daemon UDP Listen Port field configures the port used by the daemon to communicate with other daemons. Note: all Layer 2 Tunnel daemons in the network must use the same port number. If the router employs a firewall, ensure that a hole is opened for each of the remote daemons on this port number; open it for the addresses of the known peers only, not for any source.

The Beacon Interval field configures how often a Round Trip Time (RTT) measurement message is sent to each remote peer. The interval takes the value Off, to disable RTT measurement, or a time of 10 to 3600 seconds.
...the router at a DNS server. Select the Host Addresses icon to locally configure IP address to hostname mappings. Select the End To End Backup icon to configure an end-to-end backup connection. Select the Current Routing & Interface Table icon to view the routing table. The Apply Configuration button serves to restore the permanently saved changes and restart Ethernet networking.

Core Settings

Figure 33 Core Networking Settings (IPV6 Support, Antispoofing, Ignore All ICMP ECHO requests, Ignore ICMP Broadcasts, Syncookie Protection, each Yes/No; Save and Apply)

This menu allows you to configure core networking settings.

The IPV6 Support field determines whether IPV6 interfaces are created and supported at boot time. Set this option to yes if you need these interfaces. Disabling these interfaces removes them from interface displays and from OSPF and RIP. A change will take effect at the next boot.

The Antispoofing field corresponds to the kernel rp_filter setting. Setting Antispoofing to yes will cause the kernel to reject incoming packets if their source address does not match the network interface they arrive on, which helps to prevent IP spoofing. Be aware that on a router with more than one path to the same network (link backup, VRRP pairs, asymmetric WAN routing) this strict check can also drop legitimate replies that return over a different interface than the one the route points at. If you modify this parameter, the setting will be applied to all active interfaces and will change the default setting for new interfaces and those created
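The four Core Settings fields map onto well-known Linux kernel sysctls. The following added example (not code from the manual or the router) audits a `sysctl -a` listing against them; the key names are the standard kernel keys inferred from the field descriptions, and the listing itself is constructed for the example.

```python
"""Audit of the RuggedRouter Core Settings against their Linux sysctl keys.

Added example, not code from the manual.  The keys below are the standard
Linux sysctls that the menu fields correspond to (rp_filter for
Antispoofing, icmp_echo_ignore_all, icmp_echo_ignore_broadcasts,
tcp_syncookies); that mapping is inferred from the manual's descriptions,
and the `sysctl -a` output is constructed for the example.
"""

# Menu field -> (sysctl key, value that corresponds to the field set to Yes)
CORE_SETTINGS = {
    "Antispoofing": ("net.ipv4.conf.all.rp_filter", "1"),
    "Ignore All ICMP ECHO requests": ("net.ipv4.icmp_echo_ignore_all", "1"),
    "Ignore ICMP Broadcasts": ("net.ipv4.icmp_echo_ignore_broadcasts", "1"),
    "Syncookie Protection": ("net.ipv4.tcp_syncookies", "1"),
}

# Fields an exposed router is expected to have set to Yes.  Ignoring all echo
# requests is a site decision (it also breaks the ping checks that link
# backup relies on), so it is reported but not required.
REQUIRED = {"Antispoofing", "Ignore ICMP Broadcasts", "Syncookie Protection"}

# Constructed sample of `sysctl -a` output; rp_filter is only on for eth0.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 1
"""


def parse_sysctl(text):
    """Parse `key = value` lines, as printed by `sysctl -a`, into a dict."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def audit_core_settings(values):
    """Map each menu field to yes/no/unknown and list the required fields
    that are not enabled."""
    state = {}
    findings = []
    for field, (key, enabled) in CORE_SETTINGS.items():
        actual = values.get(key)
        if actual is None:
            state[field] = "unknown"
        else:
            state[field] = "yes" if actual == enabled else "no"
        if field in REQUIRED and state[field] != "yes":
            findings.append("%s: %s is %r, expected %s" % (field, key, actual, enabled))
    return state, findings


if __name__ == "__main__":
    state, findings = audit_core_settings(parse_sysctl(SAMPLE_SYSCTL))
    for field, value in state.items():
        print("%-32s %s" % (field, value))
    for finding in findings:
        print("WEAK:", finding)
```

Feed it the output of `sysctl -a` captured from the router over SSH; the per-interface rp_filter keys are deliberately ignored, because only the `all` key reflects the menu's global setting.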
Index (continued)

Client Options ... 205
Core Networking Settings ... 52
    Ignore All ICMP ECHO ... 52
    Ignore ICMP Broadcasts ... 52
    Syncookie Protection ... 52
DDS Frame Relay ... 82, 87
Downgrading Router Software ... 277
End To End Backup ... 56, 58
Ethernet ... 62
Frame Relay ... 73
Generic Routing Encapsulation ... 177
Look Up By Host ... 56
Modem ... 101
PPP ... 95
Table Of Contents (continued)

    DHCP Group Configuration ... 215
    DHCP Host Configuration ... 215
    DHCP Pool Configuration ... 216
Chapter 22 Configuring NTP ... 217
    Introduction ... 217
    NTP And The Precision Time Protocol Card ... 218
    Included With NTP ... 218
    NTP Server Main Menu ... 219
    Generic Options ... 219
    Servers Configuration ... 220
    Peers Configuration ... 220
    Viewing The NTP Status ... 221
    Viewing The NTP Log ... 221
    Viewing The GPS Status ... 222
    Viewing The GPS Log ... 222
Chapter 23 Configuring SSH ... 223
    Introduction ... 223
    SSH Fundamentals ... 223
    Included With SSH ... 223
    SSH Main Menu ... 224
Chapter 24 Configuring IRIGB And IEEE1588 ... 227
    Introduction ... 227
    IEEE1588 Fundamentals ... 227
    PTP Network Roles ... 227
    Synchronizing NTP From IEEE1588 ... 228
    IRIGB Fundamentals ... 228
    IRIGB Output ... 228
    How The Router Selects A Reference Clock ... 229
    IRIGB IEEE1588 Main Menu ... 230
    General Configuration ... 230
    IRIGB Configuration ...
...triggered at start-up.

The Ping Interval field configures how often pings are sent. The Ping Timeout field configures how long to wait for a reply before immediately retrying a ping. The Ping Retry Count field configures the number of ping retries before construing a path failure.

Note: the maximum time to discover a path failure is the Ping Interval plus the product of the number of missed pings before fail-over and the Ping Timeout.

The Main Path Down Timeout field specifies the number of seconds the main trunk must be down before starting the backup trunk. The Main Path Up Timeout field specifies the number of seconds the main trunk must have returned to service before stopping the backup trunk.

You may delete a link backup configuration through the Delete button.

Note: if you delete a link backup configuration that has failed over, or is failing over, to its backup trunk, the link daemon will stop attempting the link backup and restore the main trunk, even if the main trunk is still down.

Link Backup Logs

Figure (Link Backup Logs, Refresh) showing /var/log/syslog.0 entries such as:

    Nov 13 16:12:04 linkd[8529]: linkd configured and started
    Nov 13 16:12:04 linkd[8532]: Start monitoring link backup set eth1 -> eth3
    Nov 13 16:19:50 linkd[8529]: linkd received a TERM signal
    Nov 13 16:19:50 linkd[8529]: shutting
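The detection bound stated in the note above is easy to misjudge when choosing timers. The following added example (not the router's link daemon) models the rule as the text describes it: pings every Ping Interval seconds, an unanswered ping retried as soon as Ping Timeout expires, a path failure declared after Ping Retry Count consecutive misses, and the backup trunk started Main Path Down Timeout seconds later. Link latency is ignored and the failure time is an input, so the numbers are illustrative.

```python
"""Failure-detection timing for the link backup ping checks.

Added example, not part of the manual.  It models the rule stated in the
text: pings every Ping Interval seconds, an unanswered ping retried as soon
as Ping Timeout expires, and a path failure declared after Ping Retry Count
consecutive misses; the backup trunk is started Main Path Down Timeout
seconds after that.  Link latency is ignored and the failure time is an
input to the simulation, so the numbers are illustrative.
"""


def max_detection_time(ping_interval, ping_timeout, retry_count):
    """Worst-case seconds between the path failing and the daemon noticing,
    as stated in the manual: interval + retries * timeout."""
    return ping_interval + retry_count * ping_timeout


def detect_failure(ping_interval, ping_timeout, retry_count, link_fails_at,
                   horizon=3600.0):
    """Walk the ping schedule and return the time at which the path is
    declared down, or None if the link never fails before the horizon."""
    t = 0.0
    misses = 0
    while t < horizon:
        if t >= link_fails_at:
            # Ping sent after the failure: no reply until the timeout expires.
            misses += 1
            if misses >= retry_count:
                return t + ping_timeout
            t += ping_timeout          # retry immediately after the timeout
        else:
            misses = 0                 # reply received, counter resets
            t += ping_interval
    return None


def failover_timeline(ping_interval, ping_timeout, retry_count,
                      main_path_down_timeout, link_fails_at):
    """Times at which the path is declared down and the backup is started."""
    down = detect_failure(ping_interval, ping_timeout, retry_count, link_fails_at)
    if down is None:
        return None
    return {
        "path_down": down,
        "backup_started": down + main_path_down_timeout,
        "detection_delay": down - link_fails_at,
        "worst_case_delay": max_detection_time(ping_interval, ping_timeout,
                                               retry_count),
    }


if __name__ == "__main__":
    # 10 s interval, 2 s timeout, 3 misses, 5 s hold-down; link dies at t=4.5 s
    print(failover_timeline(10, 2, 3, 5, 4.5))
```

The worst case occurs when the link dies just after a successful reply, so the daemon idles for a full interval before the first miss; that is why the bound is interval plus retries times timeout, not retries times timeout alone.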
...assigned a unique port number that relates to the LEDs on the status panel.

LED Designations

The RuggedRouter indicates information about DDS ports on the LED panel. A pair of LEDs indicates the traffic and link status of the port. Consult the section Using The LED Status Panel to determine which LEDs correspond to the port.

DDS Configuration

Figure 69 DDS Trunks And Interfaces (DDS Trunks And Logical Interfaces; Current Route & Interface Table)

This menu allows you to display and configure DDS trunks. The Current Routes menu displays the routes and the status of the network interfaces.

DDS Network Interfaces

Figure 70 DDS WAN Interfaces (DDS 1: Not Running; columns Name, Description, Local Address, Netmask, Remote Address, Default Gateway; links to assign a new Frame Relay or PPP logical interface; Refresh this page)

This menu allows you to display DDS trunks and configure the logical interfaces that run on them. A table is presented for each interface. Interface numbers are as described by the DDS labels shown in the home page chassis diagram. The status of both the physical interface and its corresponding logical interface is shown. If no interfaces have been configured, the menu provides links to the Frame Relay and PPP configuration menus. This men
Figure 179 NTP Status

The NTP Status menu displays possible sources and the currently used reference clocks.

Viewing The NTP Log

Figure 180 NTP Log (columns Day, Time, Process; entries logged by localhost in October)

The NTP Log menu displays the log of recent NTP events.

Viewing The GPS Status

Figure 181 GPS Status (Latitude, Longitude, GPS Lock, Number of Satellites, Tracked Satellite Status; Refresh)

If the router is equipped with a Precision Time Protocol card, this page shows the status of the GPS module. The Latitude and Longitude fields show the current position of the GPS antenna. The GPS Lock field shows the GPS lock status. The Number of Satellites field shows how many satellites are currently being tracked by the GPS module. The Tracked Satellite Status table shows the ID and signal strength of the tracked satellites.

Viewing The GPS Log

Figure (GPS Log, Refresh; columns beginning with Month)
...logging is enabled, you can also choose whether IP addresses or hostnames are recorded and how often the log file is cleared. When enabled, logs are written to the file /var/log/webmin/miniserv.log. When logging is enabled, Webmin will also write a more detailed log of user actions to the file /var/log/webmin/webmin.log. This log can be viewed and analysed with the Webmin Actions Log module to see exactly what each Webmin user has been doing.

Figure 19 Webmin Configuration Menu, Logging (Webserver logging options: Disable logging / Enable logging; Log resolved hostnames; Use combined log format including referrer and user agent; Clear logfiles every N hours; Log actions by all users / Only log actions by selected users; Log actions in all modules / Only log actions in selected modules, e.g. Bootup and Shutdown, Change Passwords, Command Shell, Custom Commands, Disk and Network Filesystems; Log changes made to files by each action; Save)

This menu allows you to log actions taken by Webmin administrators. It is also possible to log actions based on the module in which the actions are performed.

The Log resolved hostnames field causes Webmin to record a hostname rather than just an IP address for the client computer that performed an action. A resolved name depends on reverse DNS that the client's network operator controls, so for incident review keep the IP address as the record of who did what.

The Clear logfiles every hours field causes Webmin to rotate its own logs and keep them from filling the disk with old logs; set the period long enough to cover the window in which you would need to review an administrator's actions. Currently the Log a
...single menu. The menu system entries are composed of the Webmin, System, Servers, Networking and Maintenance menus.

The Webmin menu provides the ability to:
- configure the sign-on password
- specify session timeouts
- restrict the subnet of IP addresses that can log in
- configure and view Webmin event logs

The System menu provides the ability to:
- change the router password
- enable and disable applications from running
- reboot the router
- schedule one-time and periodic tasks to run
- change the router's name (hostname)
- change the time and date

The Servers menu provides the ability to:
- control and configure the Serial Protocol, DHCP, NTP, IRIGB and SSH servers

The Networking menu provides the ability to:
- configure the network interfaces
- configure static IP and multicast routings and configure a default gateway
- select a DNS server and edit local host addresses
- configure End To End Backup
- configure DDS, T1/E1, T3 and ADSL networking
- configure the embedded modem
- set up the firewall
- set up Virtual Private Networking
- configure routing protocols such as OSPF and RIP
- configure Virtual Router Redundancy Protocol (VRRP)
- configure Traffic Prioritization
- perform pings, traceroutes, host lookups and line tracing

The Maintenance menu provides the ability to:
- manage the Gauntlet Security Appliance
- backup
...Perfect Forward Secrecy: as desired (yes is recommended). NAT Traversal: No (required when the router acts as a client and is behind a NAT firewall).

Left System Settings (the router's side):
    Public IP Address: address or hostname (IP of the public gateway)
    System Identifier: Default
    Private subnet behind system: 10.0.0.0/8
    System's public key: Certificate File router.pem
    Next hop to other system: Default

Right System Settings (the laptop side):
    Public IP Address: Automatic
    System Identifier: Default
    Private subnet behind system: 10.0.1.0/24 (assign the client an IP from within this subnet)
    System's public key: entered below (cert); derive identity from incoming certificate
    Next hop to other system: Default

Apply the configuration to restart the server and create an ipsec0 interface.

Firewall IPsec Configuration

Create the firewall zones vpn and net. Ensure that the WAN interface (here w1ppp) and the ipsec0 interface are present in the Shorewall Network Interfaces. The WAN interface should be in zone net, while ipsec0 should be in zone vpn. Add the following firewall rules:

    Action  Source Zone  Destination Zone  Protocol  Dest Port
    ACCEPT  all          fw                ah
    ACCEPT  all          fw                esp
    ACCEPT  all          fw                udp       500
    ACCEPT  vpn          loc

Restart the firewall to install the rules. If NAT Traversal is set to Yes, IKE and ESP are also carried in UDP port 4500, so a matching ACCEPT rule for udp 4500 is needed as well.

Ethernet Port Configuration

Because the remote client will be assigned a local IP address but is reachable only through the IPsec connection, proxy ARP must be employed. Activate proxy ARP
...first 3 bits are a User Priority field that may be used to assign a priority level to the Ethernet frame. The next bit is the Canonical Format Indicator (CFI), used in Ethernet frames to indicate the presence of a Routing Information Field (RIF). The last 12 bits are the VLAN Identifier (VID), which uniquely identifies the VLAN to which the Ethernet frame belongs.

RuggedRouter Functions Supporting VLANs

    Function                        Supported  Comments
    Static Route and Default Route  Y
    Static Multicast Routing        Y
    End To End Backup               Y
    PPPoE                           N
    Shorewall Firewall              Y
    IPsec                           N          Netkey (policy based) VPNs support VLANs; KLIPS (route based) VPNs do not
    VRRP                            Y
    Traffic Prioritization          Y
    Dynamic Routing                            Both OSPF and RIP support VLANs
    GRE Tunnel                      Y
    DHCP Server                     Y

PPPoE On Native Ethernet Interfaces

Fundamentals

The RuggedRouter supports PPPoE (Point-to-Point Protocol over Ethernet) over both external modems, described here, and internal interfaces, described in the chapter PPPoE On ADSL. The PPPoE On ADSL chapter contains more useful information on PPPoE authentication, addresses, DNS servers and MTU issues.

Only one PPPoE interface can be created on each Ethernet interface. Each PPPoE interface name is assigned internally. The name is pppX, where X is 10 plus the number of the native Ethernet interface the PPPoE is created upon (e.g. a PPPoE on eth1 is ppp11).
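The tag layout described above is simple enough to decode by hand, and doing so is the quickest way to confirm what a capture from a trunk port actually carries. The following added example (not code from the manual or the router) builds and parses an 802.1Q-tagged frame using exactly that layout (3-bit priority, 1-bit CFI, 12-bit VID after the 0x8100 TPID) and applies the PPPoE naming rule from the text; the frame bytes are constructed here.

```python
"""Parsing and building 802.1Q-tagged Ethernet frames.

Added example, not part of the manual.  It implements the tag layout the
text describes (3-bit priority, 1-bit CFI, 12-bit VID after the 0x8100
TPID) and the PPPoE interface naming rule (pppX where X = 10 + the eth
index).  The sample frame bytes are constructed here.
"""
import struct

ETHERTYPE_VLAN = 0x8100


def mac(text):
    """'00:11:22:33:44:55' -> 6 bytes."""
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def build_tagged_frame(dst, src, priority, cfi, vid, ethertype, payload):
    """Assemble dst|src|0x8100|TCI|ethertype|payload, validating the fields."""
    if not 0 <= priority <= 7 or cfi not in (0, 1):
        raise ValueError("priority must be 0..7 and CFI 0 or 1")
    if not 1 <= vid <= 4094:
        # VID 0 means priority-tagged (no VLAN) and 4095 is reserved.
        raise ValueError("VID must be 1..4094 for a VLAN-tagged frame")
    tci = (priority << 13) | (cfi << 12) | vid
    return dst + src + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ethertype) + payload


def parse_ethernet(frame):
    """Return a dict describing the frame; 'vlan' is None when untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan = {"priority": tci >> 13, "cfi": (tci >> 12) & 1, "vid": tci & 0x0FFF}
        offset = 18
    return {"dst": dst, "src": src, "vlan": vlan,
            "ethertype": ethertype, "payload": frame[offset:]}


def pppoe_interface_name(eth_index):
    """PPPoE on ethN is named ppp(10+N), as the text states (eth1 -> ppp11)."""
    return "ppp%d" % (10 + eth_index)


if __name__ == "__main__":
    frame = build_tagged_frame(mac("ff:ff:ff:ff:ff:ff"), mac("00:11:22:33:44:01"),
                               priority=5, cfi=0, vid=100, ethertype=0x0800,
                               payload=b"\x45\x00")
    print(parse_ethernet(frame))
    print(pppoe_interface_name(1))
```

A frame whose tag decodes to VID 0 is priority-tagged rather than a member of any VLAN, and one with VID 4095 is malformed; both are worth flagging when a trunk is supposed to carry only a known set of VLANs.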
...waits five minutes before restarting. If you really want the router to remain powered but permanently inactive, you must issue the shutdown, connect a terminal to the serial port, wait for the router to enter the shutdown shell, and issue a CTRL-C. Once again, if you accidentally shut down the router, it will restart after five minutes.

The second part of the menu allows you to program specific actions at boot time. The script will be run after all regular boot actions have completed.

Run On Boot (commands entered below will be run at boot time):

    #!/bin/bash
    # Mail a reboot notice to the control centre; this runs as root
    # after the regular boot actions have completed.
    echo "Subject: Router $(hostname) rebooted" > /tmp/mail
    echo "To: controlcenter@ruggedcom.com" >> /tmp/mail
    echo "Reboot occurred on $(date)" >> /tmp/mail
    echo "" >> /tmp/mail
    ssmtp controlcenter@ruggedcom.com < /tmp/mail
    rm -f /tmp/mail

Figure 23 Bootup and Shutdown, Part 2

The actions may be a series of commands that can be executed at the command line. Each entered line is executed independently of the previous line, so change-directory commands will not be effective. Always specify the absolute path of files used in commands. Selecting Save And Run Now will run the script and show its output, allowing you to debug it.

Because this script runs as root at every boot, anyone who can edit it through Webmin can run arbitrary commands on the router; restrict Webmin access and log Webmin actions accordingly.

Password

Change Password

This module can be used to change the root password used to log in with Webmin, SSH and
Router 1: VRID 10, Priority 100; VRID 11, VRIP 1.1.1.252, Priority 50; Monitor w1ppp. Router 2: VRID 10, Priority 50; VRID 11, VRIP 1.1.1.252, Priority 100; Monitor w2ppp. Both routers connect through the switch to Host 1 and Host 2.

Figure 136 VRRP Example

In this example, traffic from host 1 will be sent through router 1 and traffic from host 2 through router 2. A failure of either router or its WAN link will be recovered by the other router. Note that both routers can always be reached by the hosts at their real IP addresses.

Other VRRP parameters are the Advertisement Interval and the Gratuitous ARP Delay. The advertisement interval is the time between advertisements. A backup router will assume mastership four advertisement intervals after the master fails, so with a one-second advertisement interval the minimum fail-over time is four seconds. If a monitored interface goes down, a master router will immediately signal an election and allow a backup router to assume mastership.

The router issues a set of gratuitous ARPs when moving between the master and backup states. These unsolicited ARPs teach the hosts and switches in the network the current MAC address and port associated with the VRIP. The router will issue a second set of ARPs after the time specified by the Gratuitous ARP Delay.

VRRP Main Menu

Figure (VRRP Configuration)
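The election and fail-over behaviour described above, as an added example (not the router's VRRP implementation). Priorities and monitored interfaces follow Figure 136; the tie-break rule (higher priority wins, then the lexically greater router name, standing in for the higher primary address that real VRRP compares) is an assumption made for the example.

```python
"""VRRP master election and fail-over timing for the two-router example.

Added example, not part of the manual.  Priorities and monitored interfaces
follow Figure 136; the tie-break rule (higher priority, then lexically
greater name, standing in for the higher primary address used by real VRRP)
is an assumption.
"""
from dataclasses import dataclass, field


@dataclass
class Router:
    name: str
    # VRID -> priority this router offers for that virtual router
    priorities: dict
    # VRID -> name of the WAN interface whose failure forces an election
    monitors: dict = field(default_factory=dict)
    alive: bool = True
    links_up: dict = field(default_factory=dict)   # interface -> bool

    def effective_priority(self, vrid):
        """0 means 'cannot be master': router down or monitored link down."""
        if not self.alive:
            return 0
        iface = self.monitors.get(vrid)
        if iface is not None and not self.links_up.get(iface, True):
            return 0
        return self.priorities.get(vrid, 0)


def elect_master(routers, vrid):
    """Return the name of the router that owns the VRIP for this VRID."""
    candidates = [(r.effective_priority(vrid), r.name) for r in routers]
    prio, name = max(candidates)
    return name if prio > 0 else None


def failover_time(advertisement_interval):
    """Seconds a backup waits after the last advertisement before taking over.
    The manual states four advertisement intervals; RFC 3768 specifies
    3 * interval + skew, so this is the manual's figure, not the RFC's."""
    return 4 * advertisement_interval


def example_topology():
    """Figure 136: router 1 masters VRID 10 (watching w1ppp), router 2
    masters VRID 11 (watching w2ppp)."""
    r1 = Router("router1", {10: 100, 11: 50}, {10: "w1ppp"},
                links_up={"w1ppp": True})
    r2 = Router("router2", {10: 50, 11: 100}, {11: "w2ppp"},
                links_up={"w2ppp": True})
    return [r1, r2]


if __name__ == "__main__":
    routers = example_topology()
    print({vrid: elect_master(routers, vrid) for vrid in (10, 11)})
    routers[0].links_up["w1ppp"] = False       # router 1 loses its WAN link
    print({vrid: elect_master(routers, vrid) for vrid in (10, 11)})
    print("fail-over after", failover_time(1), "s")
```

The monitored-interface check is what makes the WAN failure case work: without it, router 1 would keep mastership of VRID 10 while its only path to the rest of the network is down, and host 1's traffic would be black-holed.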
Passive Interface Default

OSPF regards router interfaces as either passive or active, sending OSPF messages on active interfaces and ignoring passive interfaces. By default, newly created interfaces are viewed as passive by OSPF until they are configured active. This is more efficient and secure for the router: no hello packets are sent, and no adjacency is formed, on interfaces where no neighbour is expected, such as customer-facing or Internet-facing links. The default type for new interfaces is controlled by the Passive Interface Default option in the OSPF Global Parameters.

Note: the default setting of Passive Interface Default means that you must explicitly configure interfaces active before OSPF will attempt to use them.

Redistributing Routes

Routes for subnets which are directly connected to the router but are not part of the OSPF area or RIP network can be advertised if redistribute connected is enabled in the OSPF or RIP Global Parameters. Static routes and other routes handled by the kernel can also be redistributed if redistribute kernel is enabled.

Link Detect

When link detect is enabled for an OSPF or RIP active interface, OSPF or RIP will be notified when the interface goes down and will stop advertising the subnets associated with that interface. OSPF and RIP will resume advertising the subnet when the link is restored. This allows OSPF and RIP to detect link failures more rapidly, as the router does not have to wait for a dead interval to time out. Link Detect will also cause redistributed routes to sta
...active alert exists.

The Subsystem field configures which subsystem the alert definition entry belongs to.

The Severity field configures the severity level of the alert. Severity levels are sorted from highest priority to lowest priority.

The Alarmable field configures whether a matched alert should trigger the critical relay and the alarm LED on the LED panel of the router.

The Enabled field configures whether the alert system should monitor and record matched active alerts. If Enabled is not checked, matching active alerts are ignored.

The Renotify Interval field configures how often a matched active alert is re-notified, according to the alert filter configuration. If it is disabled, no notification will be forwarded.

The Type field configures the type of the alert definition entry. There are three types available: Simple, Shell and RMON. Currently only the first two types are supported. If you choose the Shell type, complete the parameters in the Parameters for Shell table.

The Parameters for Shell table allows you to configure additional parameters when the alert definition entry type is Shell. The Sample Interval field configures how often the system runs the configured shell command to obtain a sample. The Command field configures the shell command to run; it runs with the alert system's privileges, so treat it with the same care as any other script on the router. The Comparator field configures how to compare the shell command's result with the threshold.

The Threshold field configures the threshold to compare with the shell command's resul
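The Shell-type definition is essentially a poller with hysteresis on notification. The following added example (not the router's alert system) models the fields the text describes: a Sample Interval, a Command whose numeric output is sampled, a Comparator and Threshold, the Enabled flag and the Renotify Interval. The comparator names, the convention that the command prints a single number, and the sample values are assumptions made for the example.

```python
"""Evaluating a Shell-type alert definition.

Added example, not code from the router's alert system.  It models the
fields the text describes: Sample Interval, Command, Comparator, Threshold,
Enabled and Renotify Interval.  The comparator names, the convention that
the command prints a single number, and the sample values are assumptions.
"""
import operator
import subprocess

COMPARATORS = {
    "gt": operator.gt, "ge": operator.ge, "lt": operator.lt,
    "le": operator.le, "eq": operator.eq, "ne": operator.ne,
}


def run_shell_sample(command, timeout=10):
    """Run the configured command and read the first number it prints.
    On the router such a command runs with system privileges, so the
    Command field deserves the same review as any privileged script."""
    done = subprocess.run(command, shell=True, capture_output=True,
                          text=True, timeout=timeout)
    return float(done.stdout.split()[0])


class ShellAlert:
    def __init__(self, name, command, comparator, threshold,
                 sample_interval, renotify_interval=None, enabled=True):
        if comparator not in COMPARATORS:
            raise ValueError("unknown comparator %r" % comparator)
        self.name = name
        self.command = command
        self.compare = COMPARATORS[comparator]
        self.threshold = threshold
        self.sample_interval = sample_interval
        self.renotify_interval = renotify_interval   # None: notification disabled
        self.enabled = enabled
        self.active = False            # alert currently matching
        self.last_notified = None

    def sample(self, now, value=None):
        """Take one sample at time `now` and return 'notify', 'clear' or None.
        `value` overrides the command output so the logic can be exercised
        without running anything."""
        if not self.enabled:
            return None                # ignored entirely, as the text says
        if value is None:
            value = run_shell_sample(self.command)
        matched = self.compare(value, self.threshold)
        if matched and self.renotify_interval is None:
            self.active = True         # recorded, never forwarded
            return None
        if matched:
            due = (self.last_notified is None
                   or now - self.last_notified >= self.renotify_interval)
            if not self.active or due:
                self.active = True
                self.last_notified = now
                return "notify"
            return None
        if self.active:
            self.active = False
            self.last_notified = None
            return "clear"
        return None


if __name__ == "__main__":
    # Constructed samples: root filesystem usage percentage every 30 s.
    alert = ShellAlert("rootfs-full", "df -P / | awk 'NR==2{print $5+0}'",
                       "gt", 90, sample_interval=30, renotify_interval=60)
    for t, pct in [(0, 10), (30, 95), (60, 96), (120, 97), (150, 50)]:
        print(t, pct, alert.sample(t, value=pct))
```

The first match notifies immediately, later matches only once the renotify interval has elapsed, and a return to normal produces a single clear; with the interval disabled the alert is still tracked as active but nothing is forwarded, which is the behaviour the text describes.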
...administrative distance, from 0 to 255, is a rating of the trustworthiness of a routing information source. For a given route, the protocol having the lowest administrative distance is chosen. By default the distance for a connected interface is 0 and for a static route is 1. By default OSPF sets an administrative distance of 110 and RIP sets a distance of 120.

OSPF And VRRP Example Network

This network consists of three routers connected in a ring with T1/E1 links. Routers 1 and 2 and the switched network represent a remote site in which the routers supply a redundant gateway to the hosts via VRRP, and the T1/E1 links supply a redundant network connection to the rest of the network.

Figure 115 OSPF And VRRP Example (Router 3 is connected to Routers 1 and 2 over the point-to-point links in 1.1.1.0/24, with Host 3 behind it using gateway 2.2.2.254; Routers 1 and 2 present VRIP 1.1.2.254 on the switched network with priorities 100 and 50; Host 1 at 1.1.2.101 and Host 2 at 1.1.2.102 use gateway 1.1.2.254; everything is in OSPF area 0)

Area And Subnets

As the OSPF design is simple, an area of 0 is used. The three point-to-point T1/E1 links are placed in the area by adding 1.1.1.0/24 to it. Routers 1 and 2 will include their Ethernet links
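Route selection by administrative distance, then metric, then longest prefix match, as an added example (not the router's routing code). The distances are those the text gives (connected 0, static 1, OSPF 110, RIP 120); the candidate routes are constructed for illustration and go beyond the text by showing the longest-prefix step that happens after the per-prefix choice.

```python
"""Route selection by administrative distance, metric and longest prefix.

Added example, not part of the manual.  The distances are those the text
gives (connected 0, static 1, OSPF 110, RIP 120); the candidate routes
below are constructed.
"""
import ipaddress
from collections import namedtuple

DEFAULT_DISTANCE = {"connected": 0, "static": 1, "ospf": 110, "rip": 120}

Route = namedtuple("Route", "prefix protocol metric via distance")


def route(prefix, protocol, metric=0, via=None, distance=None):
    """Build a Route, filling in the protocol's default distance."""
    if distance is None:
        distance = DEFAULT_DISTANCE[protocol]
    return Route(ipaddress.ip_network(prefix), protocol, metric, via, distance)


def install_best(candidates):
    """Per prefix, keep the route with the lowest distance, then lowest metric.
    Returns a dict keyed by the prefix in text form."""
    best = {}
    for r in candidates:
        key = str(r.prefix)
        cur = best.get(key)
        if cur is None or (r.distance, r.metric) < (cur.distance, cur.metric):
            best[key] = r
    return best


def lookup(rib, address):
    """Longest-prefix match over the installed routes, or None."""
    addr = ipaddress.ip_address(address)
    matches = [r for r in rib.values() if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


CANDIDATES = [  # constructed: the same prefix learned from several sources
    route("10.0.0.0/8", "static", via="1.1.1.3"),
    route("10.0.0.0/24", "static", via="1.1.1.3"),
    route("10.0.0.0/24", "ospf", metric=10, via="1.1.1.4"),
    route("10.0.1.0/24", "ospf", metric=50, via="1.1.1.4"),
    route("10.0.1.0/24", "rip", metric=2, via="1.1.1.5"),
    route("1.1.2.0/24", "connected"),
]

if __name__ == "__main__":
    rib = install_best(CANDIDATES)
    for r in rib.values():
        print(r.prefix, r.protocol, "AD", r.distance, "metric", r.metric, "via", r.via)
    print("10.0.1.7 ->", lookup(rib, "10.0.1.7"))
```

Note that the RIP route to 10.0.1.0/24 loses despite its much lower metric: metrics are only compared between routes from the same protocol, distance decides between protocols. A static route therefore silently overrides anything OSPF learns for the same prefix, which is worth remembering when a stale static entry is left behind.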
...multiple remote sites, ensure that a zone host entry exists for each, or collapse them into a single subnet. Create another zone host for the same interface with a network zone using a wider subnet mask, such as 0.0.0.0/0. It is important that the vpn zone be declared before the net zone, since the more specific vpn zone subnet must be inspected first.

    Host Zone  Interface  Subnet          IPsec Zone
    vpn        w1ppp      192.168.1.0/24  Yes
    net        w1ppp      0.0.0.0/0       No

IPsec key exchange operates on UDP port 500, and the tunnel traffic uses the AH (Authentication Header) and ESP (Encapsulating Security Payload) protocols. The firewall must accept this traffic in order to allow IPsec.

    Action  Source Zone  Destination Zone  Protocol  Dest Port
    ACCEPT  net          fw                ah
    ACCEPT  net          fw                esp
    ACCEPT  net          fw                udp       500

IPsec traffic arriving at the firewall is directed to Openswan, the IPsec daemon. Openswan then decrypts the traffic and forwards it back to Shorewall on the same interface that originally received it. You will also need a rule to allow traffic to enter from this interface:

    ACCEPT  vpn          loc

Since this rule admits every decrypted packet into the local zone, narrow it to the protocols and ports the remote sites actually need once the tunnel is working.

Virtual Private Networking To A DMZ

If the firewall is to pass the VPN traffic through to another device (e.g. a VPN device in a DMZ), then establish a DMZ zone and install the following rules:

    ACCEPT  net  dmz  ah
    ACCEPT  net  dmz  esp
    ACCEPT  net  dmz  udp  500
    ACCEPT  dmz  net  ah
    ACCEPT  dmz  net  esp
    ACCEPT  dmz  net  udp  500

Firewall Main Menu
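The zone-ordering requirement and the required rule set are easy to get subtly wrong when a configuration is edited by hand. The following added example (not part of the manual or of Shorewall) checks a zone hosts table and a rules table against the requirements stated in this section and in the road-warrior configuration earlier in the chapter: the vpn entry must precede the net entry on the same interface; the zone that terminates IPsec (fw, or dmz for pass-through) must accept ah, esp and udp/500 from net, with the dmz also allowed to send them back; and vpn to loc must be accepted. The udp/4500 check for NAT traversal (RFC 3948) is a caveat added here, and the sample tables are constructed from the text.

```python
"""Audit of the Shorewall zone hosts and rules that carry IPsec.

Added example, not part of the manual or of Shorewall.  It encodes the
requirements stated in the two firewall passages for IPsec: the vpn hosts
entry must precede the net entry for the same interface; the zone that
terminates IPsec (fw, or dmz for pass-through) must accept ah, esp and
udp/500 from net (a dmz must also be allowed to send them back); and
vpn->loc must be accepted.  The udp/4500 check for NAT traversal
(RFC 3948) is a caveat added here; the sample tables are constructed.
"""
from collections import namedtuple

Host = namedtuple("Host", "zone interface subnet ipsec")
# proto/port None means "all"
Rule = namedtuple("Rule", "action source dest proto port")

IKE_AND_ESP = [("ah", None), ("esp", None), ("udp", "500")]

# Zone hosts and rules as the text lists them (constructed sample).
MANUAL_HOSTS = [
    Host("vpn", "w1ppp", "192.168.1.0/24", True),
    Host("net", "w1ppp", "0.0.0.0/0", False),
]
MANUAL_RULES = [Rule("ACCEPT", "net", "fw", proto, port) for proto, port in IKE_AND_ESP]
MANUAL_RULES.append(Rule("ACCEPT", "vpn", "loc", None, None))


def _accepts(rules, src, dst, proto, port):
    """True if an ACCEPT rule covers src->dst for proto/port ('all' source matches)."""
    for r in rules:
        if (r.action.upper() == "ACCEPT" and r.source in (src, "all")
                and r.dest == dst and r.proto == proto and r.port == port):
            return True
    return False


def check_zone_order(hosts):
    """The wider net entry must not precede the vpn entry on the same interface."""
    findings = []
    net_seen = set()
    for h in hosts:
        if h.zone == "net":
            net_seen.add(h.interface)
        elif h.zone == "vpn" and h.interface in net_seen:
            findings.append("vpn hosts entry for %s comes after net; the wider "
                            "net subnet would match first" % h.interface)
    return findings


def check_ipsec_rules(rules, terminator="fw", nat_traversal=False):
    """Rules needed for IPsec to reach `terminator` ('fw', or 'dmz' for pass-through)."""
    findings = []
    needed = list(IKE_AND_ESP) + ([("udp", "4500")] if nat_traversal else [])
    for proto, port in needed:
        label = proto if port is None else "%s %s" % (proto, port)
        if not _accepts(rules, "net", terminator, proto, port):
            findings.append("missing ACCEPT net->%s %s" % (terminator, label))
        if terminator != "fw" and not _accepts(rules, terminator, "net", proto, port):
            findings.append("missing ACCEPT %s->net %s" % (terminator, label))
    if terminator == "fw" and not _accepts(rules, "vpn", "loc", None, None):
        findings.append("missing ACCEPT vpn->loc for decrypted traffic")
    return findings


def audit(hosts, rules, terminator="fw", nat_traversal=False):
    """All findings for a configuration; an empty list means it passes."""
    return check_zone_order(hosts) + check_ipsec_rules(rules, terminator, nat_traversal)


if __name__ == "__main__":
    print("manual rule set:", audit(MANUAL_HOSTS, MANUAL_RULES) or "ok")
    print("with NAT-T     :", audit(MANUAL_HOSTS, MANUAL_RULES, nat_traversal=True))
    print("zones swapped  :", audit(list(reversed(MANUAL_HOSTS)), MANUAL_RULES))
```

The road-warrior rules earlier in the chapter use a source of all rather than net; the check treats all as covering net, so that configuration also passes.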
Table Of Contents (continued)

    Current Routes & Interface Table ... 82
    Upgrading Software ... 83
Chapter 8 Configuring Frame Relay, PPP And DDS ... 85
    Introduction ... 85
    DDS Fundamentals ... 85
    Location Of Interfaces And Labeling ... 85
    DDS Configuration ... 86
    DDS Network Interfaces ... 86
    Naming Of Logical Interfaces ... 87
    Editing A Logical Interface (Frame Relay) ... 87
    Editing A Logical Interface (PPP) ... 88
    DDS Statistics ... 88
    Frame Relay And PPP Interface Statistics ... 89
    DDS Loopback ... 89
    Current Routes & Interface Table ... 89
Chapter 9 Configuring PPPoE (Bridged Mode) On ADSL ... 91
    Introduction ... 91
    ADSL Fundamentals ... 91
    PPPoE Bridged Mode Fundamentals ... 91
    Authentication, Addresses and DNS Servers ... 92
    PPPoE MTU Issues ... 92
    Bridged Mode ... 92
    Location Of Interfaces And Labeling ... 92
    ADSL Configuration ... 93
    ADSL Network Interfaces ... 93
    Editing A Logical Interface (PPPoE) ... 94
    Editing A Logical Interface (Bridged) ... 95
    ADSL Statistics ... 96
    Current Routes & Interface Table ... 96
    Upgrading Software ... 96
Chapter 10 Configuring PPP And Modem ... 97
    Introduction ... 97
    Modem Fundamentals ... 97
    PPP Mode Fundamentals ... 97
    Authentication, Addresses and DNS Servers
...link-based configuration which affects all DLCIs. The second table provides configuration parameters for individual DLCIs. After the first DLCI has been configured, revisiting that DLCI will display a menu that allows additional DLCIs to be configured.

Figure 67 Edit Logical Interface (Frame Relay), w1fr16 on T3 1

Frame Relay Parameters: Station Type CPE (FR DTE Interface); Signalling type ANSI; Link Failure: Leaves IP interface up; T391 10; T392 16; N391 6; N392 6; N393 4; EEK Type Off; EEK Timer 5.

Logical Interfaces on T3 1, Channel 1:

    Name    DLCI  Local Address  Netmask          Remote Address  Default Gateway  Description
    w1fr16  16    192.168.20.1   255.255.255.255  192.168.20.2                     DLCI 16
    w1fr17  17    192.168.21.1   255.255.255.255  192.168.21.2                     DLCI 17

(Add another DLCI to this channel; Save; Delete this logical interface)

The fields and buttons in this menu are the same as those described in the Editing A Logical Interface (Frame Relay) section of the Configuring Frame Relay, PPP And T1/E1 chapter.

Editing A Logical Interface (PPP)

Figure 68 Edit Logical Interface (PPP): Edit New Logical Interface on T3 1

PPP Parameters: Local Address 2.2.2.2; Netmask 255.255.255.255; Remote Address 1.1.1.1; Default Gateway (unset); Description South Office; Save.

The Local Address
...default route via 10.0.0.253
    Cannot determine ethernet address for proxy ARP
    Aug 18 09:24:05 pppd[2857]: local IP address 216.58.41.159
    Aug 18 09:24:05 pppd[2857]: remote IP address 192.168.200.1
    Aug 18 09:24:05 pppd[2857]: primary DNS address 216.58.97.21
    Aug 18 09:24:05 pppd[2857]: secondary DNS address 216.58.97.20

This menu displays the native Ethernet and internal ADSL interface PPPoE connection messages. This is mainly useful when trying to debug a PPP connection problem.

Current Routes & Interface Table

The table provided by this command is as described in the Networking menu, Network Utilities sub-menu. It is also provided here as a convenience.

Chapter 6 Configuring Frame Relay, PPP And T1/E1

Introduction

This chapter familiarizes the user with:
- Frame Relay and PPP terminology and issues
- configuring Frame Relay and PPP links
- viewing status and statistics
- upgrading firmware

T1/E1 Fundamentals

A T1 is a communications circuit upon which has been imposed a Digital Signal 1 (DS1) signaling scheme. The scheme allows 24 timeslots of 64 kbps (DS0) information, as well as 8 kbps of signaling information, to be multiplexed onto a 1544 kbps circuit. The 24 DS0s can be used individually as standalone channels, bonded into groups of channels, or bonded to form a single
...default routers to 192.168.1.1 and save.
6. Restart the DHCP server or apply changes.

Single Network With Static IP Assignment

In this example the eth1 interface is provided with IP address 192.168.1.1/24. Assign address 192.168.1.101 to a DHCP client with MAC 00:11:22:33:44:01, address 192.168.1.102 to a DHCP client with MAC 00:11:22:33:44:02, and address 192.168.1.103 to a DHCP client with MAC 00:11:22:33:44:03. The router serves as the default gateway.

1. Enable eth1 in the Edit Network Interfaces menu.
2. Click "add a subnet" and configure it for network address 192.168.1.0 with netmask 255.255.255.0.
3. Click Create, then edit the subnet just created and click Edit Client Options.
4. Set default routers to 192.168.1.1 and save it.
5. Click "add a new host".
6. Set the hardware address to Ethernet 00:11:22:33:44:01 and the fixed IP to 192.168.1.101. Assign the client a hostname as well.
7. Click Create.
8. Repeat steps 5 through 7 for the other hosts, with the appropriate address, MAC and hostname for each client.
9. Restart the DHCP server or apply changes.

Note that a MAC-based reservation only pins an address to whichever client presents that hardware address; it is not authentication, since a client can set its MAC address freely. Do not use the assigned address alone as evidence of which device is on the network.

Single Network With Option 82 Clients On One Switch

In this example the eth1 interface is provided with IP address 192.168.1.1/24. A switch connected to eth1 uses address 192.168.1.2/24. The switch's port 1 is connected to the router, while its ports 2 through 8 provide DHCP relay support. The switch has its DHCP relay server address set to the router's a
...needed.
- Broadcast address: the broadcast address the client should use. Rarely needed.
- Log servers: the IPs of the log servers the client should use.
- Swap server: the IP of the swap server the client should use. Normally only used for diskless, network-booted clients.
- Root disk path: the path the client should use for its root device. Normally only used for diskless, network-booted clients.
- NIS domain: the NIS domain the client should use.
- NIS servers: the IPs of the NIS servers the client should use.
- Font servers: the IPs of the font servers the client should use. Normally only used for X terminals.
- XDM servers: the IPs of the XDM servers the client should use. Normally only used for X terminals.
- NetBIOS name servers: the IPs of the NetBIOS name servers the client should use.
- NetBIOS node type: the NetBIOS name resolution method the client should use.
- NetBIOS scope: the NetBIOS scope the client should use.
- Time offset: the offset from a time server the client should be using.

Custom options allows you to add additional DHCP options required by a client.

BOOTP and Dynamic DNS related options include:
- Boot filename: the filename the client should request from a TFTP server to boot from. This only applies to network-booted clients.
- Boot file server: the IP address of the TFTP server to boot from. This only applies to network-booted clients.
- Server name: the ho
...management protocol used, which includes ANSI T1.617 Annex D, LMI and Q.933 signalling.

The Link Failure field determines whether the IP interface should reflect the state of the T1 (connected or disconnected). If you are using SNMP, enable this option, as SNMP uses the state of the interface to determine the state of the connection.

The T391 (Link Integrity Verification polling) timer is valid at the CPE and indicates the number of seconds between transmissions of in-channel signalling messages.

The T392 (verification of polling cycle) timer is valid at the switch and indicates the expected number of seconds between receptions of the in-channel signalling messages transmitted by the CPE.

The N391 counter is valid at the CPE and defines the frequency of transmission of Full Status enquiry messages.

The N392 counter is valid at both the CPE and the switch and defines the number of errors during N393 events which cause the channel to become inactive.

The N393 counter is valid at both the CPE and the switch and is an event counter for measuring N392.

The EEK Type field controls whether End-to-End Keepalive messages are sent while operating as a CPE device. If this option is set to Off, EEK is disabled. If this option is set to Request, EEK messages are sent every EEK Timer x T391 seconds. This timer may be configured from 1 to 100 periods in duration.

Your network provider will inform you of what is proper for these parameters.
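How the T391/N391 polling schedule and the N392/N393 error threshold interact, as an added example (not the router's implementation). It follows the text: the CPE sends a status enquiry every T391 seconds and a full status enquiry every N391 polls; each failed poll is an error event; the channel goes inactive when N392 errors occur within the last N393 events; and End-to-End Keepalives go out every EEK Timer x T391 seconds. The timer values are widely used defaults rather than figures taken from the manual, and the recovery rule is an assumption.

```python
"""LMI polling and error-threshold logic for a Frame Relay CPE.

Added example, not the router's implementation.  It follows the text: the
CPE sends a status enquiry every T391 seconds and a full status enquiry
every N391 polls; each failed poll is an error event; the channel goes
inactive when N392 errors occur within the last N393 events; End-to-End
Keepalives go out every EEK Timer x T391 seconds.  The default timer values
are widely used defaults, not figures from the manual, and the recovery
rule (N393 consecutive good events) is an assumption.
"""
from collections import deque


def eek_period(eek_timer, t391):
    """Seconds between End-to-End Keepalive requests (EEK Timer x T391)."""
    if not 1 <= eek_timer <= 100:
        raise ValueError("EEK Timer must be 1..100 periods")
    return eek_timer * t391


class LmiCpe:
    def __init__(self, t391=10, n391=6, n392=3, n393=4):
        if n392 > n393:
            raise ValueError("N392 cannot exceed N393")
        self.t391, self.n391, self.n392, self.n393 = t391, n391, n392, n393
        self.poll_count = 0
        self.events = deque(maxlen=n393)   # True = error on that event
        self.active = True

    def next_poll(self):
        """Return (time, kind) of the next status enquiry the CPE sends;
        every N391th poll is a Full Status enquiry."""
        self.poll_count += 1
        kind = "full" if self.poll_count % self.n391 == 0 else "status"
        return ((self.poll_count - 1) * self.t391, kind)

    def record(self, error):
        """Record one monitored event (a poll that failed or succeeded) and
        return the channel's active state after it."""
        self.events.append(bool(error))
        if sum(self.events) >= self.n392:
            self.active = False
        elif not any(self.events) and len(self.events) == self.n393:
            self.active = True          # assumption: N393 clean events recover
        return self.active


if __name__ == "__main__":
    cpe = LmiCpe()
    print([cpe.next_poll() for _ in range(6)])
    print([cpe.record(e) for e in (True, True, False, True, False, False, False, False)])
    print("EEK every", eek_period(5, 10), "s")
```

Because the window is N393 events wide, the channel can be declared down after N392 errors that are not consecutive; the Frame Relay Statistics page's count of times the N392 threshold was reached during N393 monitored events is exactly this condition firing.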
...the command to run and a definition of the times at which to run it. The Scheduled Cron Jobs menu allows you to create, delete and edit these jobs.

Figure 27 Webmin Scheduled Cron Jobs ("There are no cron jobs on this system"; link to create a new scheduled cron job)

Initially there will be no scheduled jobs. Follow the create link to create one.

Figure 28 Creating a Cron Job (Job Details: Execute cron job as; Active Yes/No; Command; Input to command. When to execute: Minutes, Hours, Days, Months and Weekdays, each either All or Selected. Note: Ctrl-click, or Command-click on the Mac, to select and de-select minutes, hours, days and months.)

Begin the construction of the job by selecting a user to execute as. For most purposes root will suffice, but a job that only needs to read logs or run a report should run as a less privileged user, reserving root for jobs that require it. Enter this user in the Execute cron job as field. Enter the command to execute, and any input to the command, in the Command field. Select the times the script is to run from the When to execute table; remember to check the Selected button above any column you edit. The Active radio button at the top of the menu tempo
me Relay, PPP And T1/E1 Module Index
Figure: Edit T1 Interface (Interface T1 2; parameters: Convert this interface to E1; Framing: ESF; Line Decoding: B8ZS; Clocking: Normal; Line Build Out: CSU 0dB; Save)
This menu allows you to display and configure T1 or E1 Trunk parameters. By default the interface is set for T1 operation. The Convert this interface to E1 link will set the interface for E1 operation and allow you to configure its settings. If logical interfaces use a channel above 24, an attempt to convert from E1 to T1 will prompt to delete the logical interface first.
T1 Settings
The Framing field determines the framing format used. Your line provider will indicate the correct format. Modern facilities usually employ Extended Super Frame (ESF), an enhanced T1 format that allows a line to be monitored during normal operation. The Line Decoding field reflects the line encoding/decoding scheme. Almost all T1s now use B8ZS. The Clocking field selects whether to accept or provide clocks. In normal use the central office provides clocks and your setting should be Normal. You may also connect to another router by using a cross-over cable and selecting a Master clocking option on one of the two routers. The Line Build Out field tunes the shape of the T1 pulses and adjusts their amplitude depending upon distances and the desired attenuation.
E1 Settings
The Framing and Line Decoding fields for
meout period; discarded In-channel Signalling frames due to a format error; In-channel frames received with an invalid Send Sequence Number; In-channel frames received with an invalid Receive Sequence Number; number of unsolicited responses from the Access Node; timeouts on the T391 timer; consecutive timeouts on the T391 timer; N392 error threshold reached during N393 monitored events. Buttons: Refresh, Clear Statistics.
Figure 58: Frame Relay Statistics
Note that the Frame Relay Trunk Statistics and Frame Relay Trunk Communications Errors tables are common to all Frame Relay DLCIs on the trunk.
RuggedCom 73 RuggedRouter User Guide
PPP Interface Statistics
Figure: w1ppp Statistics (Protocols table, Receive/Transmit columns: Number of LCP packets, PAP packets, CHAP packets, IP packets; LCP Statistic table, Receive/Transmit columns: Config Request, Config Ack, Config Nack, Config Reject, Terminate Request, Terminate Ack, Code Reject, Protocol Reject, Echo Request, Echo Reply, Discard Requ
messages will be added to the syslog. Enabling the Enable session authentication field and activating Auto logout after will cause an individual administrator's session to be logged out after the specified period.
Webmin Events Log
Figure 21: Webmin Events Log (search the Webmin log for actions: in any module or in a named module; at any time, for today only, or between two dates; which modified any file or a named file; Search)
This menu allows you to search the Webmin log for changes made by yourself or other administrators.
Chapter 3 Configuring The System
Introduction
This chapter familiarizes the user with:
- Enabling and disabling processes such as SSH and Web Management
- Changing the password
- Shutting down and rebooting the system
- Scheduling one-off and periodic commands
- Examining system logs
- Changing the hostname
- Changing the system time and timezone
Bootup And Shutdown
Figure: Bootup and Shutdown (columns: Action, Start at boot, Running now, Description; entries include dhcp3-server (No, No, DHCP Server), end2endb (Yes, Yes, End To End Backup Route Daemon), ipsec (No, No, Virtual Private Networking), ntp-server (Ye
mon error 8; Log to facility auth with priority debug.
Figure 107: Server Configuration
The Protocol Stack field configures whether route-based or policy-based VPNs are used. Following the link will take the user to a menu that requests a reconfirmation and then changes the style of VPN. The Network interfaces for IPsec table configures the association between ipsec interfaces and the real interfaces upon which they become available. If the Default field is selected, Openswan will use its current default (the Default route interface, at the time of writing) to associate the named ipsec interface with. If the Default route interface field is selected, Openswan will use the real interface owning the default route to associate the named ipsec interface with. If the Listed below field is selected, Openswan will establish the real-to-ipsec interface associations listed.
Note: When connections become active, Openswan assigns them to ipsec interfaces. You must plan on these interfaces being the source of incoming traffic in firewall rules.
The NAT Traversal fields enable and disable this feature. Enable NAT Traversal if this router originates the VPN connection and the VPN connection passes through a firewall
mp to match. The Source ports and Destination ports fields specify the request's TCP or UDP port numbers to match. The Original destination address field matches the request's destination IP address. Note: If you are using DNAT to port forward, enter the original destination address here and the forwarded address in the Destination zone or port fields (Only hosts in zone with address sub-field). The Rate limit expression field specifies a rate limit control of the form X/sec or X/min, where X is the number of allowed requests in the time period. A burst limit field Y, where Y is the maximum consecutive number of requests, defaults to five if not configured. The Rule applies to user/set fields allow advanced users to match the rule against specific users and groups. This matching only takes place when the source of the traffic is the firewall itself.
Static NAT
Figure 101: Static NAT
The static network address translation entries in this table can be used to set up a 1:1 correspondence between an external address on your firewall and an RFC1918 address of a machine behind your firewall. Static NAT is often used to allow connections to an internal server from outside your network.
Figure: Static NAT table (Add a new static NAT entry; columns: External address, External interface, Internal address, Move; example entries 204.62.138.24 on w1ppp to 10.0.0.1 and 204.62.138.25 on w1ppp to 10.0.0.2)
mputers on the Internet and intranet. Proxy servers can filter the kinds of communication that are allowed between two computers and perform address translation.
Stateless vs Stateful Firewalls
Firewalls fall into two broad categories: stateless and stateful (session-based). Stateless, or static, firewalls make decisions about traffic without regard to its history, simply opening a hole for the traffic's type based upon TCP or UDP port number. Stateless firewalling is a relatively simple affair, easily handling web and email traffic. Stateless firewalls suffer from disadvantages, however. All holes opened in the firewall are always open; there is no opening and closing of connections based on outside criteria. Static IP filters offer no form of authentication. Stateful firewalling adds considerable complexity to the firewalling process by tracking the state of each connection. A stateful firewall also looks at each packet and applies tests, but the tests applied (or rules) may be modified depending on packets that have already been processed. This is called connection tracking. Stateful firewalls can also recognize that traffic on connected sets of TCP/UDP ports is from a particular protocol and manage it as a whole.
Linux netfilter (iptables) And The Shoreline Firewall
The RuggedRouter employs a stateful firewall system known as netfilter, a set of loadable kernel modules that provides capabilities to allow session-based pa
much faster at dialing; DTMF is recommended whenever possible. The Phonenumber field specifies the number to dial to connect to the PPP server. The Default Route checkbox enables automatically setting a default route using this interface whenever it connects. If this is your primary connection you probably want this option enabled. The Use peer DNS checkbox enables automatically setting the DNS server entries that the PPPoE server recommends. Enable this option unless you provide your own name servers.
Modem PPP Server
Figure 85: Configure Modem PPP Server (fields: Server IP address, Client IP address, Client Nameserver, Proxy ARP, Idle timeout in seconds, Save; user table with columns Username, Password, Static Routes, Action, plus Delete and Add links)
The Server IP address field controls which IP the router will use for the PPP connection. The Client IP address field controls which IP to assign to the remote system to which it connects. The Client Nameserver field controls which nameserver, if any, the client should use for DNS lookups. The Proxy ARP option makes the router attempt to proxy ARP the remote IP onto a local Ethernet subnet. This r
n Supporting IPSec
If the router is to support a remote IPSec client and the client will be assigned an address in a subnet of a local interface, you must activate proxy ARP for that interface. This will cause the router to respond to ARP requests on behalf of the client and direct traffic to it over its connection.
IPSec relies upon the following protocols and ports:
- protocol 51, IPSEC-AH (Authentication Header), RFC 2402
- protocol 50, IPSEC-ESP (Encapsulating Security Payload), RFC 2406
- UDP port 500
You must configure the firewall to accept connections on these ports and protocols. See the Configuring The Firewall chapter, Configuring The Firewall And VPN section, for details.
The Openswan Configuration Process
Each VPN connection has two ends: the local router and the remote router. The Openswan developers designed the configuration in such a way that the configuration record describing a VPN connection can be used without change at either end. One side of the connection, typically the local side, is designated the left side and the other is designated the right side. A convenient method is to configure both ends simultaneously, having two browser windows up. The relevant information is cut and pasted from window to window. This module also includes tools to export and import the connection data. The configuration can thus be generated at one router, exported and
n be employed instead.
7. If your hosts must accept sessions from the Internet, configure the rules file to support Destination Network Address Translation (DNAT). Which hosts need to accept connections, from whom, and on which ports?
8. Configure the rules file to override the default policies. Have external connections been limited to approved IP address ranges? Have all but the required protocols been blocked?
9. If you are supporting a VPN, add additional rules.
10. Check the configuration using the Shorewall Firewall menu, Check Firewall button.
11. Activate the firewall. It is usually a good idea to port scan the firewall after activation and verify that logging is functioning.
Shorewall Terminology And Concepts
This section provides background on various Shorewall terms and concepts. References are made to the section where configuration applies.
Zones
A network zone is a collection of interfaces for which forwarding decisions are made, for example:
Name  Description
net   The Internet
loc   Your Local Network
dmz   Demilitarized Zone
fw    The firewall itself
vpn1  IPSec connections on w1ppp
vpn2  IPSec connections on w2ppp
You may create new zones if you wish. For example, if all of your Ethernet interfaces are part of the local network zone, disallowing traffic from the Internet zone to the local zone will disallow it to all Ethernet interfaces. If you wanted some i
n specific settings to a client based on its Ethernet MAC address. Groups allow identical settings to be created for a group of hosts, making it simpler to manage changes to the settings for all the hosts contained within the group. Groups contain hosts. Pools contain ranges of IP addresses to hand out to clients, with access rules to determine which clients should receive addresses from that pool. Subnets control settings for each subnet that DHCP serves. A subnet can include a range of IP addresses to hand out to clients. Only one subnet can contain dynamic IP address ranges without any access restrictions on any given physical port, since DHCP doesn't know which subnet a client should belong to when the request is received. Subnets contain groups, pools and hosts. Shared networks are used when multiple subnets should be served by a single physical port. This applies both when using a DHCP relay agent connected to the port, with additional subnets behind the relay agent, and when multiple virtual networks exist on one physical interface. Each subnet then gets its own subnet definition inside the shared network rather than at the top level. Shared networks contain subnets, groups and hosts.
DHCP Client Options
The following options apply to single hosts, subnets of hosts, pools (potentially discontinuous ranges of addresses), shared networks (a single physical network for which distinct subnets of hosts coexist and request addresses) and groups. Th
n text (the default), MD5 following the RIP authentication RFC, and MD5 using the method used by the old ripd implementation. The Use Split Horizon field controls use of the RIP split horizon feature (RIP v2 only). It can be disabled or enabled, and if enabled it can optionally enable the poisoned reverse feature. Split horizon controls whether routes learned through an interface should be allowed to be advertised back out that interface. By default RIP advertises all routes it knows about to everyone, which makes it take a very long time for dropped links to age out of the network. Split horizon prevents advertising those routes back out the same interface, which helps to control this problem. Some network topologies with rings of routers will still have some issues with aging out dead routes even with split horizon enabled, but they will still age out faster. If fast network recovery is desired, use OSPF.
RIP Networks
Figure 128: RIP Networks (Neighbors table with columns Neighbor and Action, example entry 10.128.10.244, and an Add link; Networks table with columns Subnet x.x.x.x/x or Interface and Action, and an Add link)
Neighbors are specific routers with which to exchange routes using the RIP protocol. This can be used when you want to explicitly control which routers are part of your RIP network. Networks are used when you want to add any router that is part of a specific subnet o
nd frequent changes to the router hardware clock. If the synchronizing server's clock differs from the hardware clock by more than 1000 seconds, the NTP daemon construes a major problem and terminates. Usually NTP will succeed in synchronizing the clock at boot time. If it fails to synchronize the clock, perhaps due to a downed WAN link, the NTP daemon may terminate. The router, however, will note the termination and will restart the NTP daemon.
NTP And The Precision Time Protocol Card
If the router is equipped with a Precision Time Protocol card, NTP will treat the Global Positioning System signals received from the card (when GPS locks) as a stratum 0 reference clock. The router will always preferentially use this reference above all others.
Included With NTP
Your RuggedRouter software includes the ntpq, ntpdc, ntptrace and ntp-keygen command line utilities. The ntpq utility program can be used to monitor the NTP daemon operations and determine how well it is running. The ntpdc utility program is used to query the NTP daemon about its current state and to request changes in that state. The ntptrace utility traces a chain of NTP servers back to the primary source. The ntp-keygen utility can be used to generate secure public keys for authentication.
NTP Server Main Menu
Figure: NTP Server menu (links: NTP Status, View NTP Log, View GPS Status, View GPS log
ndary interface. The Fail Over Timer field determines the amount of time the primary link must be failed before directing packets down the secondary link. The Generate Alarms field determines whether alarms are generated upon configuration problems and link failures. The Save button will save changes to the configuration file. The Save and Apply button will save changes and restart the end-to-end backup daemon.
Current Routing & Interface Table
This menu displays the current routing table and the state of the router's interfaces. Consult the Network Utilities chapter for details of this menu.
Chapter 5 Configuring Ethernet Interfaces
Introduction
This chapter familiarizes the user with:
- Reading the Ethernet LEDs
- Configuring Ethernet Network Interfaces
- Configuring VLANs
- Configuring PPPoE
Ethernet Interface Fundamentals
RuggedCom manufactures dual Ethernet Interface boards in a variety of formats. Some, most notably the optical interfaces, have the same outward appearance but different order numbers. A complete set of descriptions is displayed on the console during boot and can be found after boot in the file /var/cache/ruggedrouter/inventory.
LED Designations
The RuggedRouter includes two sources of LED-indicated information about Ethernet ports: the front panel LEDs and the LED Panel. A LED is associated with each port next to the Ethernet interf
neral Configuration
Figure 208: General Configuration Setup (General Configuration Options: Automatic Nightly Backup with a Schedule at hh:mm field; Archive Name Includes with Date/Time, Hostname and Router Version checkboxes; Archive Aging, Remove after N days. Configuration Server Options: Export Method, scp or FTP; FTP Option with Username, Password and Use Anonymous; SCP Option with Username, Bandwidth Limiting and Show Router SSH Key; Server Path Option with Hostname/IP and Directory; Save)
This menu configures the backup system. The Automatic Nightly Backup field specifies when the nightly backup is scheduled. The automatic export to a server will start, if enabled, immediately after the backup completes. The Archive Name Includes field selects the text fields (Date/Time, Hostname, Router Version) included in the archive name. The Archive Aging field specifies how long nightly backup archives are kept. Note that the most recently made nightly backup will never be deleted. Manually made archives are never aged and must be manually deleted. The Configuration Server Options table allows the user to define the configuration server. The Export Method field selects the method of exporting backup archives to a server. If the Export Method field is set to FTP, the FTP Options are used. If the Export Method field is set to SCP, the SCP Options are used. The
new versions for testing purposes
- Manually initiated installs of new packages for testing purposes
RuggedRouter Software Fundamentals
You may be required to upgrade the router in order to take advantage of new features, security improvements and bug repairs. Your RuggedRouter software is provided in releases of the form rrX.Y.Z. The platform release number X changes when new hardware platforms are released. The major release number Y is increased when important new features are added. This is called a Major release. The minor release number Z is increased when minor functionality is added or bug repairs are made. This is called a Minor release. The actual software of the RuggedRouter is composed of a number of packages. Each package contains all of the files necessary to implement a set of related commands or features, such as a firewall or SSH client. A router upgrade involves replacing some of these packages with newer versions and adding new packages. The upgrade system handles all this for you.
When A Software Upgrade Requires A Reboot
Software release upgrades that involve changing to a new Linux kernel require a reboot. Releases that force a reboot are always Major releases, but note that some major releases may not require a reboot. Minor releases will never require a reboot. The upgrade's release notes will state whether a reboot will occur. You ar
nfig
Figure 89: Starting Shorewall Firewall Menu (Shorewall version 2.2.3; icons: Network Zones (zones), Network Interfaces (interfaces), Zone Hosts (hosts), Firewall Policies (policy), Firewall Rules (rules), Masquerading, Static NAT (nat), When Stopped (routestopped); Start Firewall button: "Click this button to start Shorewall with the current configuration with the shorewall start command. This will start Shorewall, providing a report on the activation. After Shorewall starts cleanly, cause it to start at boot time by enabling it through the System folder, Bootup And Shutdown menu"; Check Firewall button: have Shorewall validate your firewall configuration with the shorewall check command)
The above figure shows the firewall menu prior to configuration. Configure the firewall through the provided menus. The Check Firewall button can be selected after each menu configuration to check the existing configuration and provide notice of items still to be configured. When the firewall is fully configured, the Start Firewall button may be selected. Starting the firewall in this way will provide more detail in the event of a problem. If the firewall starts cleanly, the menu appearance will change to that of the figure below. In order to start the firewall at each and every boot you must enable it via the System folder, Bootup And Shutdown menu.
nks, physical and logical interfaces are shown. This menu presents connection statuses but does not update them in real time. Click on the Refresh this page link to update to the current status.
Strategy For Creating Interfaces
Initially each interface will be configured as T1 and will have a single channel that includes all timeslots (1-24). Channelized cards can have their timeslots reassigned to make additional channels. Unchannelized cards may have timeslots removed from their single channel. If the interface is to be an E1, convert it using the Edit T1 1 Parameters link. If the interface is channelized and you need to have more than one channel, construct the channel groups with the desired bandwidths. This can be done by editing the single initially configured channel and removing timeslots. The unassigned timeslots will be displayed on the main menu in a link that creates channels, as shown below.
Figure 52: T1/E1 Network Interfaces After Channel Creation (Channelized interface 1 shows channel 1 with assigned timeslots 1-2 and the link "Timeslots 3-24 are unused, assign a new channel"; channel table columns: Channel, Name, Description, Local Address, Netmask, Remote Address, Default Gateway; links: Assign a new Frame Relay logical interface, Assign a new PPP logical interface, Edit T1 1 Parameters)
Once all timeslots have been assigned to channels, the Timeslots link will no longer appear. Note that you do not have to assign all timeslots. Assign Fram
nnels Menu
Figure 166: GOOSE Menu (columns: Ethernet Interface, Multicast Address, Remote Tunnel Addresses; example row: eth2.0002, 01:0c:cd:01:00:00, 172.16.0.1 and 76.44.3.1; link: Add a new GOOSE tunnel)
This menu displays GOOSE tunnels. Configure an existing tunnel by following the link under the Ethernet Interface field, or add a new tunnel.
Figure 167: GOOSE Menu (Edit GOOSE Tunnel; fields: Ethernet Interface eth2.0002, Multicast Address 01:0c:cd:01:00:00, Remote Daemon 172.16.0.1, Add a new Daemon; Save, Delete)
This menu configures a GOOSE tunnel. The Ethernet Interface field configures suitable (i.e. VLAN-eligible) interfaces to listen for GOOSE frames upon. You may set this field to none if the intent is simply to relay network packets. The Multicast Address field configures the address to listen for. The Remote Daemon and Add a new Daemon fields specify the IP addresses of remote daemons.
GOOSE Statistics Menu
Figure: GOOSE Statistics (Refresh, Continuous Display; Ethernet Statistics table columns: Interface, L2 MAC Address, Rx Frames, Tx Frames, Rx Chars, Tx Chars, Errors; Connection Statistics table columns: Interface, L2 MAC Address, Remote IP, Rx Packets, Tx Packets, Rx Chars, Tx Chars)
nterface.
3. This example is much the same as the previous one, only the subnet is explicitly described and could include traffic from any of the Ethernet ports.
4. In this SNAT rule, traffic from the subnet handled by only port eth should be translated to 100.1.101.16 as it is sent to the Internet on T1/E1 port w1ppp.
5. This example is much the same as the previous one, excepting that only SMTP from eth will be allowed.
Masquerading and SNAT rules are defined in the file /etc/shorewall/masq and are modified from the Masquerading menu.
Rules
The default policies can completely configure traffic based upon zones. But the default policies cannot take into account criteria such as the type of protocol, IP source/destination addresses, and the need to perform special actions such as port forwarding. The Shorewall rules can accomplish this. The Shorewall rules provide exceptions to the default policies. In actuality, when a connection request arrives, the rules file is inspected first. If no match is found, then the default policy is applied. Rules are of the form:
Action  Source Zone  Destination Zone  Protocol  Destination Port  Source Port  Original Destination IP  Rate Limit  User/Group
Actions are ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, REDIRECT-, CONTINUE, LOG and QUEUE. The DNAT-, REDIRECT-, CONTINUE, LOG and QUEUE actions are not widely used and are not described here. A
nterfaces but not others to access the Internet, you could create another zone. Zones are defined in the file /etc/shorewall/zones and are modified from the Network Zones menu.
Interfaces
Shorewall interfaces are simply the Ethernet and WAN interfaces available to the router. You must place each interface into a network zone. If an interface supports more than one subnet, place the interface in zone Any and use the zone hosts setup (see below) to define a zone for each subnet on the interface. An example follows:
Interface  Zone
eth1       loc
eth2       loc
eth3       Any
eth4       dmz
w1ppp      net
Note: In order to improve security, the router will create a zone unusd and add unused interfaces to this zone when Shorewall starts. A policy is also installed that blocks access from unusd to all other zones.
Interfaces are defined in the file /etc/shorewall/interfaces and are modified from the Network Interfaces menu.
Hosts
Shorewall hosts are used to assign zones to individual hosts or subnets on an interface which handles multiple subnets. This allows the firewall to manage traffic being forwarded back out the interface it arrived on but destined for another subnet. This is often useful for VPN setups, to handle the VPN traffic separately from the other traffic on the interface which carries the VPN traffic. An example follows:
Zone  Interface  IP Address or Network
l
o the router and your network is private (a VPN or firewalled), it should be safe to have your browser permanently accept the certificate. If you want to be really sure that the Webmin server you are connecting to is really your own, the only solution is to order a certificate from an authority like Verisign that is associated with your router's hostname and will be recognized by web browsers.
The Structure of the Web Interface
The Web interface presents a web page with two frames. The leftmost, or index, frame selects subsystems to configure and is always displayed. The rightmost, or configuration, frame presents the configuration for the currently selected subsystem or, in the case of signing on, the home page window. The home page window presents an annotated view of the front of the chassis as well as a number of important system parameters. These parameters include:
- The router uptime and load averages for the past 1, 5 and 15 minutes. Under normal operation the load average should be less than 2.0.
- The disk usage. A disk usage higher than 92% requires attention.
- The memory usage, indicating the amount of memory used by applications. Under normal operation memory usage should be less than 60%.
- The chassis temperature.
Figure: index frame (Webmin: Webmin Configuration, Webmin Events Log; System: Bootup and Shutdown, Change Password, Scheduled Commands, S
ocal   eth3   10.0.0.0/8
guests  eth3   192.168.0.0/24
Hosts are defined in the file /etc/shorewall/hosts and are modified from the Network Hosts menu.
Policy
Shorewall policies are the default actions for connection establishment between different firewall zones. Each policy is of the form:
Source zone  Destination zone  Default action
You can define a policy from each zone to each other. You may also use a wildcard zone of all to represent all zones. The default action describes how to handle the connection request. There are six types of actions: ACCEPT, DROP, REJECT, QUEUE, CONTINUE and NONE. The first three are the most widely used and are described here. When the ACCEPT policy is used, a connection is allowed. When the DROP policy is used, a request is simply ignored; no notification is made to the requesting client. When the REJECT policy is used, a request is rejected with a TCP RST or an ICMP destination unreachable packet being returned to the client. An example should illustrate the use of policies:
Source Zone  Destination Zone  Policy
loc          net               ACCEPT
net          all               DROP
all          all               REJECT
The above policies will:
- Allow connection requests only from your local network to the Internet. If you wanted to allow requests from a console on the RuggedRouter to the Internet, you would need to add a policy of ACCEPT from the fw zone to the net zone.
- Drop (ignore) all connection requests from the Internet to your firewall or local network, and
- Reject all
ocations, managing multiple main/backup link relationships. When the backup link is a modem, many profiles of dialed numbers can exist, each serving as a distinct backup link. The feature can back up a permanent high speed WAN link to a permanent low speed WAN link. This is used when OSPF cannot be employed, such as on public links. The feature can be used to migrate the default route from the main to the backup link. The time after a main link failure to backup link startup, and the time after a main link recovery to backup link stop, are configurable. The status of the system and a method of testing fail-over is provided.
Path Failure Discovery
In order to discover the failure of a primary path (here through Network A), the link backup daemon will both inspect the link status of the main link and send a regular ping to a designated host. In this way, failures of network links within the cloud are discovered. It is essential that the host always respond to the ping. Another option is to configure a dummy address within the router and ping that address.
Figure 129: Link Backup Main Menu
The daemon will construe the main link as having failed, even if its link status is up, if the remote host fails to respond to a configurable number of pings after waiting a configurable timeout for each ping.
Use Of Routing Protocols And The Default Route
265. om Chapter 4 Configuring Networking

Figure (end to end backup): Network A, Router 2, 192.168.16.2, 192.168.17.3

The backup is end-to-end because connectivity is determined by the availability of an interface on the target system and not a local link. In the above figure, interface w1ppp acts as the primary interface and eth1 acts as the secondary interface. The router tests the primary path by probing 192.168.16.2 on router 2. A failure of either w1ppp, network A, or the remote link on router 2 will render the primary path as failed. If the primary path fails, the routing table will be modified to direct packets out the secondary (eth1 in the above figure). Presumably the secondary is a higher cost and perhaps lower throughput path. In the initial deployment of this feature the secondary path was implemented with an Ethernet CDMA modem. The modem featured a low latency connection time, initiated by the reception of packets, but had a low bandwidth capability and high monetary cost.

Note that the feature must be implemented at both routers. If the feature is only implemented at router 1, the second router's gateway will still point towards Network A after a failure of the primary path. Packets from router 1 would reach router 2 through the secondary, but the responses would disappear in the black hole of the failed path.

Configuring End To End Backup

End To End Backup This
266. om switch.
14. Click Create.
15. Click Save.
16. Repeat steps 6 through 15 for clients 192.168.1.103, changing the pool address range and circuit id.
17. Repeat steps 6 through 15 for port 4, using the address range 192.168.1.151 to 192.168.1.200 and the circuit id for port 4.
18. Restart the DHCP server or apply changes.

Multiple Subnets On Separate VLANs Using Option82 On One Switch

In this example the eth1 interface is provided with IP address 192.168.1.1/24. A switch connected to eth1 is using address 192.168.1.2/24. The switch port 1 is connected to the router, while its ports 2 through 8 provide DHCP relay support. The switch has its DHCP relay server address set to the router's address, 192.168.1.1. The switch has all ports in VLAN 1. The switch base MAC address is 00:0A:DC:11:22:00.

The switch port 2 is on vlan2 using subnet 192.168.2.0/24 and should assign addresses 192.168.2.101 to 192.168.2.200 and default gateway 192.168.2.1. The switch port 3 is on vlan3 using subnet 192.168.3.0/24 and should assign addresses 192.168.3.101 to 192.168.3.200 and default gateway 192.168.3.1. The switch port 4 is on vlan4 using subnet 192.168.4.0/24 and should assign addresses 192.168.4.101 to 192.168.4.200 and default gateway 192.168.4.1.

1. Enable eth1 in the Edit Network Interfaces menu.
2. Add a new subnet and configure it for network address 192.168.1.0 with netmask 255.255
267. on menu, Current Routing & Interface Table icon. A default route will be indicated by a "default" in the Destination column.

Export Configuration

Selecting the Export Configuration button provides a means to capture the connection specification in such a way as to be importable at the remote router.

Showing IPsec Status

interface lo/lo 127.0.0.1
interface eth1/eth1 10.0.0.253
interface eth2/eth2 204.50.190.89
interface w1ppp/w1ppp 206.186.238.138
%myid = (none)
debug none
algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256
268. or Frame Relay. The menu is composed of two tables. The first table provides link based configuration which affects all DLCIs. The second table provides configuration parameters for individual DLCIs. After the first DLCI has been configured, revisiting that DLCI will display a menu that allows additional DLCIs to be configured.

Figure 73: Edit Logical Interface (Frame Relay, multiple DLCIs). Frame Relay Parameters: Station Type (CPE, FR DTE Interface), Signalling type (ANSI), Link Failure (Leaves IP interface up), T391 10, T392 16, N391 6, N392 6, N393 4. Per-channel DLCI table with columns Name, DLCI, Local Address, Netmask, Remote Address, Default Gateway and Description (example DLCIs 16 and 17 with addresses 1.1.1.1/255.255.255.255 to 2.2.2.2 and 3.3.3.3/255.255.255.255 to 4.4.4.4, descriptions "Link 123" and "Link 456"); buttons: Add another DLCI to this channel, Save, Delete this logical interface.

The fields and buttons in this menu are the same as those described in the Editing A Logical Interface (Frame Relay) section of the Configuring Frame Relay, PPP And T1/E1 chapter.

Editing A Logical Interface (PPP)

Figure: Edit Logical Interface w1ppp (56K 1), PPP Parameters: Name, Local Address, Netmask, Remote Address, Default Gateway, Description (example: w1ppp, 1.1.1.1, 255.255.255.255, 2.2.2.2, 2.2.2.2, "internet link"); Save, Delete
269. or an <LF> character, but may be any ASCII character.

If configured to packetize on a timeout, the server will wait for a configurable time after receiving a character before packetizing and forwarding. If another character arrives during the waiting interval, the timer is restarted. This method allows characters transmitted as part of an entire message to be forwarded to the network in a single packet, when the timer expires after receiving the very last character of the message. This is usually the only packetizer selected when supporting ModBus communications.

Finally, the server will always packetize and forward on a full packet, i.e. when the number of characters fills its communications buffer (1024 bytes).

Use of Turnaround Delays

Some RTU protocols, such as ModBus, use the concept of a turnaround delay. When the host sends a message, such as a broadcast, that does not invoke an RTU response, it waits a turnaround delay time. This delay ensures that the RTU has time to process the broadcast message before it has to receive the next poll. When polling is performed, network delays may cause the broadcast and next poll to arrive at the remote server at the same time. Configuring a turnaround delay will enforce a minimum separation time between each message sent out the port. Note that turnaround delays do not need to be configured at the host computer side and may be disabled there.
270. or more details. If your router is equipped with Serial Interfaces, the Servers menu, Serial Protocols sub-menu will allow you to configure them with an operating protocol. See the chapter Configuring Serial Protocols for more details. If your router is equipped with a Precision Time Protocol Card, the Servers menu, IRIGB sub-menu will allow you to enable and configure its output ports. See the chapter Configuring IRIGB for more details.

Additional Configuration

You may wish to configure a backup interface to use in the event of a failure of your default gateway interface. This can be done in the Networking menu, Network Configuration, End To End Backup sub-menu. If you are planning to connect your router to the Internet, configure the firewall and then activate it. This can be done in the Networking menu, Shorewall Firewall sub-menu. The router provides a default event logging configuration. You can modify this configuration through the Maintenance menu, System Logs sub-menu. Remote logging can be activated here.

The router's SSH and Web Management interfaces are enabled by default. The router's DHCP server, IPsec VPN server, NTP server, OSPF/RIP protocol, VRRP protocol and firewall are disabled by default. To change these services, visit the System menu, Bootup and Shutdown sub-menu. You can install static IP and Multicast routings for Ethernet and WAN interfaces via the Networking menu, Network Configuration, Routing and D
271. organization that generated the rule (official snort rules having values less than 1,000,000). The SID is a unique number to reflect an individual rule, while the revision reflects improvements to the rule. The main Snort IDS menu provides the capability to disable individual rules and groups of rules. It is also possible to add unique rules to the database and to replace the existing set of rules with more experimental rules from the community.

Alerting Methods

Alerts generated by snort are stored by one of three methods: as local syslog messages, as remotely syslogged messages, and in an alert file. When the local syslog method is chosen, the destination log file may be selected.

When the alert file method is chosen, a daily analysis of the file can be emailed. The SIDs referenced in alerts can be used to quickly locate the rule via the main Snort IDS menu. The rule itself often contains HTML links to Internet resources such as www.securityfocus.com and cve.mitre.org. These provide more in-depth descriptions of the vulnerability.

Performance And Resources

The performance impact of snort varies with the number of interfaces monitored, the number of rules enabled, the packet rate and the logging method. Snort has been empirically determined to use about 20% of the CPU clock cycles at its maximum processing rate. The router is capable of recording about 300 entries/second to the lo
272. oseconds. Save.

Figure 188: IRIGB/IEEE1588 General Configuration menu

This menu allows you to configure general parameters. The Reference Clock Selection field selects the order in which to prefer reference clocks. The Cable Compensation field specifies the value, in nanoseconds, that will be used to compensate for the cable type and length. The compensation is done using integer nanosecond values; fractional decimal values will be truncated.

IRIGB Configuration

Figure 189: IRIGB Configuration menu (IRIGB Options: AM Port 1 (PTP1) Output OFF; TTL Port 2 (PTP2) Output OFF; TTL Port 3 (PTP3) Output OFF; Save)

This menu allows you to configure IRIGB parameters. The Save button will save the configuration changes permanently. The AM Port 1 (PTP1) Output field enables or disables the amplitude modulated output of this port. The TTL Port 2 (PTP2) Output and TTL Port 3 (PTP3) Output fields set the output formats of these ports to PPS, PWM or OFF.

IEEE1588 Configuration

IEEE1588 Options: IEEE1588 Working Mode (Master or Slave); Preferred Master Clock; Subdomain Name (DefaultPTPdomain, 224.0.1.129); Sync Interval (seconds) 2.

The following options determine how IEEE1588 grandmaster clocks are represented to NTP, based upon the quality of their clock source.
273. other connection requests.

Note that a client on the Internet that is probing the RuggedRouter's TCP/UDP ports will receive no responses and will not be able to detect the presence of the router. A host in the local network, on the other hand, will fail to connect to the router but will receive a notification.

Note that the order of policies is important. If the last rule of this example were entered first, then no connections at all would be allowed.

Policies are defined in the file /etc/shorewall/policy and are modified from the Default Policy menu.

Masquerading And SNAT

Masquerading and Source NAT (SNAT) are forms of dynamic NAT. Masquerading substitutes a single IP address for an entire internal network. Use masquerading when your ISP assigns you an IP address dynamically at connection time. SNAT substitutes a single address or range of addresses that you have been assigned by your ISP. Use SNAT when your ISP assigns you one or more static IP addresses that you wish to assign to one or more internal hosts.

The masquerading/SNAT entries are defined in the file /etc/shorewall/masq and are modified from the Masquerading menu. Each entry is of the form: Interface, Subnet, Address, Protocol, Port(s). Interface is the outgoing WAN or Ethernet interface and is usually your Internet interface. Subnet is the subnet that you wish to hide. It can be an interface name, such as eth1, or a subnetted IP addr
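An added illustration, not part of the manual: a small Python model of the first-match policy lookup described above, with the "all" wildcard, what the requesting client observes for the three common actions, and the effect of entering the catch-all REJECT policy first. The parsing helper, the zone names and the sample policy text are constructed from the manual's example table.

```python
"""First-match policy lookup modelled on the Shorewall policy table described in the manual.
Added illustration; the parsing helper and zone names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ACTIONS = {"ACCEPT", "DROP", "REJECT", "QUEUE", "CONTINUE", "NONE"}


@dataclass(frozen=True)
class Policy:
    source: str  # zone name, or "all" as a wildcard
    dest: str    # zone name, or "all"
    action: str

    def __post_init__(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError(f"unknown policy action {self.action!r}")


def parse_policies(text: str) -> List[Policy]:
    """Read SOURCE DEST POLICY columns; '#' comments and trailing columns are ignored."""
    rows: List[Policy] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed policy line: {raw!r}")
        rows.append(Policy(fields[0], fields[1], fields[2].upper()))
    return rows


def lookup(policies: List[Policy], src_zone: str, dst_zone: str) -> Optional[str]:
    """Return the action of the first policy whose source and destination match (order matters)."""
    for p in policies:
        if p.source in (src_zone, "all") and p.dest in (dst_zone, "all"):
            return p.action
    return None


def client_sees(action: str, protocol: str) -> str:
    """What the requesting client observes for the three commonly used actions."""
    if action == "ACCEPT":
        return "connection allowed"
    if action == "DROP":
        return "no response"                 # the request is silently ignored
    if action == "REJECT":
        return "TCP RST" if protocol == "tcp" else "ICMP destination unreachable"
    return f"passed to {action}"


def policy_matrix(policies: List[Policy], zones: List[str]) -> Dict[Tuple[str, str], Optional[str]]:
    """Resolve every ordered zone pair, handy for reviewing what a policy file actually permits."""
    return {(s, d): lookup(policies, s, d) for s in zones for d in zones if s != d}


# Constructed policy text mirroring the manual's example table.
EXAMPLE_POLICY = """
# SOURCE  DEST  POLICY
loc       net   ACCEPT
net       all   DROP
all       all   REJECT
"""

if __name__ == "__main__":
    pols = parse_policies(EXAMPLE_POLICY)
    for (s, d), a in sorted(policy_matrix(pols, ["fw", "loc", "net"]).items()):
        print(f"{s:>3} -> {d:<3} {a}")
    # The same rows with the catch-all entered first: nothing is accepted any more.
    print("loc -> net, catch-all first:", lookup([pols[2], pols[0], pols[1]], "loc", "net"))
```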
274. ove field. Clicking on a link under the Action field will allow you to edit or delete the rule, as shown below. You may also make changes by manually editing the rule file.

Figure 100: Editing A Firewall Rule (Edit Firewall Rule, Firewall rule details: Action ACCEPT; "and log to syslog level" <Don't log>; Source zone <Any>, "Only hosts in zone with addresses"; Destination zone or port DMZ, "Only hosts in zone with addresses" 206.30.180.94, "For DNAT or REDIRECT, fill in the new destination address or port here"; Protocol <Any>; Source ports: Any / Ports or ranges; Destination ports: Any / Ports or ranges, "For DNAT or REDIRECT, fill in the original destination port here"; Original destination address for DNAT or REDIRECT; Rate limit expression: No limit; Rule applies to user set: All users; Save, Delete)

The following fields describe the information to match against the incoming connection request in order to apply this rule. The Action field specifies the final action of the rule. The "and log to syslog" field determines whether logging will take place and at which logging level. The Source zone field specifies the zone the request originates from. The Destination zone or port field specifies the request's destination zone. The Protocol field specifies the protocol: tcp, udp or ic
277. play nets and subnets by: Assignment / File structure / Name / IP address.

Figure: DHCP Server main menu (Subnets and Shared Networks table with columns Network, Netmask, Description and Parent, e.g. 192.168.2.0, 255.255.255.0, Local Network; links "Add a new subnet" and "Add a new shared network". Hosts and Host Groups: "No hosts or groups have been defined"; "Add a new host", "Add a new host group". Edit Client Options: edit DHCP client options that apply to all subnets, shared networks, hosts and groups. Edit Network Interface: set the network interfaces that the DHCP server listens on when started. List Active Leases: list leases currently issued by this DHCP server for dynamically assigned IP addresses. Apply Changes: click this button to apply the current configuration to the running DHCP server by stopping and restarting it.)

The DHCP Server main menu shows the subnets configured for DHCP as well as any groups and hosts. New subnets, groups and hosts can be added, and existing entries can be edited and optionally deleted. The Edit Client Options button allows you to set global client settings for the DHCP server. Settings made here apply to all clients unless overridden at a lower level in the configuration. The Edit Network Interface button allows you to select which interfaces DHCP should listen for DHCP requests on. Note that you must also have a subnet matching the IP address of the selected interface configured in DHCP in orde
278. plays the current media type. Copper interfaces may be configured to Auto-negotiable, 10BaseT Half Duplex, 10BaseT Full Duplex, 100BaseT Half Duplex and 100BaseT Full Duplex modes.

Virtual Interfaces

Use virtual interfaces when you have an Ethernet port that has multiple real IP addresses assigned to it, e.g. as with a port provided by an Internet Service Provider.

Figure 44: Creating a Virtual Interface (Create Active Interface, Active Virtual Interface Parameters: Name eth1; IP Address; Netmask Automatic; Broadcast Automatic; MTU Default; Status Up / Down; Create)

The only new parameter is the virtual interface descriptor, which must be a numeric value. As an example, a virtual interface numbered 0 on eth1 appears as eth1:0 in interface descriptions and routing tables.

Virtual Lan Interfaces

Click the link Add Virtual Lan Interface when you want to create a VLAN interface.

Figure 45: Creating a Virtual Lan Interface (Create Active Interface, Active Virtual Lan Interface Parameters: Name eth1 (4 digits maximum); IP Address; Netmask Automatic; Broadcast Automatic; MTU Default; Status Up / Down; Create)

The only new parameter is the vlan id, which must be a numeric value between 1 and 4094. The vlan id will be changed automatically to 4 digits, prefixed with 0, if the input is less than
279. pter 24 Configuring IRIGB And IEEE1588

IRIGB Status

Figure 191: IRIGB GPS Status (GPS Lock; Current Reference Clock LOCAL; refresh)

This page shows whether GPS is locked and the source of the current reference clock.

IEEE1588 Status

Figure 192: IEEE1588 Status (Local Clock Port IP/MAC 192.168.75.3, 00:0a:dc:0a:15:42; Time Quality standard deviation 7 ns; table columns: Local Time, Clock, IEEE1588 Time, UTC Time, Offset, Time Master IP/MAC, GrandMaster MAC, Source, Status; buttons: Show Continuously, Reset Time Quality Calculation)

This page shows the historical status of IEEE1588 on the router. The line above the table provides the local clock IP address, MAC address and the time quality information. The table will contain entries made when the clock source or status changes. The current local time on the router, the IEEE1588 status, IEEE1588 and UTC time, the offset from master in seconds, the ma
280. r connected to a specific network interface to be part of your RIP network. Both neighbors and networks can be used at the same time.

Note: For point to point links (T1/E1 links, for example) one must use neighbor entries to add other routers to exchange routes with. Also note that RIP v1 does not send subnet mask information in its updates. Any defined networks are restricted to the classic (in the sense of Class A, B and C) networks. RIP v2 does not have this failing.

RIP Status

This status menu shows various pieces of information about the current RIP status. The status of each interface is shown, the current database, the current RIP neighbors and the current RIP routing table.

View RIP Configuration

This menu shows the current configuration file of RIP.

Chapter 14 Configuring Link Backup

Introduction

This chapter familiarizes the user with:
• Configuring link backup
• Obtaining system status
• Testing link backup

Link Backup Fundamentals

Link backup provides an easily configured means of raising a backup link upon the failure of a designated main link. The main and backup links can be Ethernet, CDMA or Dial Modem, T1/E1, DDS, ADSL or T3. The only requirement is that the main link be a permanent link raised at boot time. The feature can back up to multiple remote l
281. r of such releases could easily be stored on a system of only modest capabilities. In practice, only one or two releases are usually all that need be kept.

The bandwidth requirements are determined by many factors, including the number of routers, the size of the upgrade, when the routers upgrade, bandwidth limiting at each router and network bandwidth capability. Most web servers can serve files to the limit of the network interface bandwidth, so even a modest (e.g. 486 class) machine would prove acceptable. The server should be able to accept at least as many http or ftp connections as there are upgradable routers in the network. In practice you will configure the routers to have staggered upgrade times in order to minimize the impact of upgrading on the network. A large upgrade or a low bandwidth limiting value at each router may cause all the routers to be upgrading at any one time.

Initial Repository Setup

You must create a directory on the web server to hold the releases for the router. The directory can have any name, such as ruggedrouter. Some administrators like to designate one router to test the impact of new software. This will require a directory such as ruggedroutertest to be created. These directory names will be used in examples in the remainder of this section. Ensure that the web server publishes these directories.

Upgrading The Repository

Setting Rugg
282. r own. You will obtain either a dynamic or static IP from your ISP. Firewall configuration should be performed as is appropriate.

PPPoE MTU Issues

The use of PPPoE introduces a limitation of the maximum length of packets. The maximum Ethernet frame is 1518 bytes long; 14 bytes are consumed by the header and 4 by the frame check sequence, leaving 1500 bytes for the payload. For this reason the Maximum Transmission Unit (MTU) of an Ethernet interface is usually 1500 bytes. This is the largest IP datagram which can be transmitted over the interface without fragmentation. PPPoE adds another six bytes of overhead and the PPP protocol field consumes two bytes, leaving 1492 bytes for the IP datagram. This reduces the MTU of PPPoE interfaces to 1492 bytes.

Packets received by hosts via Ethernet that are sized to the Ethernet MTU will be too large for the PPPoE connection's MTU and will be fragmented. Large packets from hosts on the Internet will be fragmented by the ISP. The router will re-assemble these packets, but at the cost of increased latency. Configuring smaller MTUs at your hosts may reduce latency.

Bridged Mode

In bridged mode the router simply employs the ADSL interface as a carrier of Ethernet frames. The interface will be created at boot time with a 1500 byte MTU. No authentication information is required for bridged mode. Your ISP will provide you with one or more IP addresses and an appropriate subnet mask. Your ISP will also
283. r: raw packet display. -p: ports to capture, e.g. 1,3,6,7. -s: ports to send a test message out on when <Enter> keys are pressed.

sertrace -p 1 -s 1
05 TCPCONN Listening on TCP Port 50002 from port 1
44 TCPCONN Connection opened from 10.0.10.236:4991 50002
Transmitting message on port 1, length 44 (all decoding on all ports is provided)
75 69 63 6b 20 62 72 6f 77 6e 20   the quick brown
75 6d 70 65 64 20 6f 76 65 72 20   fox jumped over
61 7a 79 20 64 6f 67               the lazy dog
Received message on port 1, length 44 (3 ms by timer)
75 69 63 6b 20 62 72 6f 77 6e 20   the quick brown
75 6d 70 65 64 20 6f 76 65 72 20   fox jumped over
61 7a 79 20 64 6f 67               the lazy dog
50002

Chapter 20 Configuring GOOSE Tunnels

Introduction

This chapter familiarizes the user with:
• Configuring GOOSE Tunnels
• Viewing GOOSE Tunnel status and statistics
• Tracing GOOSE activity

IEC61850 GOOSE Fundamentals

IEC61850 is an international standard for substation automation. It is a part of the International Electrotechnical Commission's (IEC) Technical Committee 57 (TC57) architecture for electric power systems. One feature of IEC61850 is the fast transfer of events. Transfers of Generic Substation Events (GSEs) are accomplished through the GOOSE (Generic Object Oriented Substation Ev
284. r to actually have DHCP listen for requests on a port. The List Active Leases button shows you which dynamic IP leases are currently assigned to clients. The Start Server button starts the server to check the configuration. To permanently enable DHCP you should enable it in the Bootup and Shutdown menu. The Apply Changes button applies new settings to the running DHCP server. Use this after making any changes to the configuration.

DHCP Shared Network Configuration

Figure: Shared Network Details form (Shared network description; Network name; Default lease time: Default / secs; Boot filename: None; Maximum lease time: Default / secs; Boot file server: This server; Server name: Default; Lease length for BOOTP clients: Forever / secs; Lease end for BOOTP clients: Never; Dynamic DNS enabled: Yes / No / Default; Dynamic DNS domain: Default; Dynamic DNS hostname: From client / domain; Allow unknown clients: Allow / Deny / Ignore / Default; Server is authoritative: Yes / Default No; Disable NAK of option82 clients for this shared network: Yes / Default No; Hosts directly in this shared network; Groups directly in this shared network; Subnets in this shared network: 192.168.20; Create)

The settings specific to the Shared network menu are the Shared network description and
285. ranet and Internet. NAT is often referred to in Linux as IP Masquerading. NAT itself provides a type of firewall by hiding internal IP addresses. More importantly, NAT enables a network to use more internal IP addresses. Since they're used internally only, there's no possibility of conflict with IP addresses used by other organizations. Typically, your internal network will be set up to use one or more of the reserved address blocks described in RFC1918, namely:

10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
192.168.0.0/16 (192.168.0.0 - 192.168.255.255)

As packets with these addresses reach the NAT gateway, their source address and source TCP/UDP port number is recorded, and the address/port number is translated to the public IP address and an unused port number on the public interface. When the Internet host replies to the internal machine's packets, they will be addressed to the NAT gateway's external IP at the translation port number. The NAT gateway will then search its tables and make the opposite changes it made to the outgoing packets, and forward the reply packets on to the internal machine. Translation of ICMP packets happens in a similar fashion, but without the source port modification.

NAT can be used in static and dynamic modes. Static NAT masks the private IP addresses by translating each internal address to a unique external address. Dynamic NAT translates all internal addresses to one or more exte
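An added example, not from the manual: a minimal Python model of the masquerading table just described, which records each outgoing TCP/UDP flow under an allocated public port, translates ICMP by address only (identifier unchanged) and reverse-translates replies, dropping anything unsolicited. The class names are assumptions and the public and Internet addresses are constructed documentation addresses.

```python
"""Toy model of the masquerading (dynamic NAT) table described in the manual.
Added illustration; the public side uses constructed documentation addresses."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# The three RFC 1918 blocks the manual lists for internal addressing.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True when addr falls inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int   # TCP/UDP source port; for ICMP the echo identifier
    dport: int   # TCP/UDP destination port; for ICMP the message type


class NatGateway:
    """Maps (proto, internal ip, internal port) to a public port and reverses it on replies."""

    def __init__(self, public_ip: str, port_range: Tuple[int, int] = (1024, 65535)):
        self.public_ip = public_ip
        self.next_port, self.last_port = port_range
        self.forward: Dict[Tuple[str, str, int], int] = {}       # internal flow -> public port/id
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (proto, public port/id) -> internal

    def _allocate_port(self) -> int:
        if self.next_port > self.last_port:
            raise RuntimeError("translation port pool exhausted")
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the internal network, creating a mapping on first sight."""
        if not is_private(pkt.src):
            return pkt  # nothing to hide: forwarded untranslated
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.forward:
            if pkt.proto == "icmp":
                # ICMP is translated by address only; the identifier is left unchanged,
                # so two internal hosts using the same identifier cannot coexist.
                ext = pkt.sport
                if (pkt.proto, ext) in self.table:
                    raise RuntimeError(f"ICMP identifier {ext} already in use")
            else:
                ext = self._allocate_port()
            self.forward[key] = ext
            self.table[(pkt.proto, ext)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, pkt.dst, self.forward[key], pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate a reply to the public address; None means no mapping (dropped)."""
        if pkt.dst != self.public_ip:
            return None
        ext = pkt.sport if pkt.proto == "icmp" else pkt.dport
        entry = self.table.get((pkt.proto, ext))
        if entry is None:
            return None  # unsolicited: no internal host to deliver to
        inner_ip, inner_port = entry
        if pkt.proto == "icmp":
            return Packet("icmp", pkt.src, inner_ip, inner_port, pkt.dport)
        return Packet(pkt.proto, pkt.src, inner_ip, pkt.sport, inner_port)


if __name__ == "__main__":
    gw = NatGateway("203.0.113.5")
    out = gw.outbound(Packet("tcp", "192.168.1.10", "198.51.100.7", 40000, 80))
    back = gw.inbound(Packet("tcp", "198.51.100.7", "203.0.113.5", 80, out.sport))
    print(out)
    print(back)
```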
286. rarily disables the job. After selecting the Create button, the Scheduled Cron Jobs menu will display the job.

Figure 29: Scheduled Cron Jobs menu displaying cron jobs (Create a new scheduled cron job; columns User, Active, Command, Move; e.g. root, Yes)

Follow the link of a specific job in order to delete the job, edit it, or test the command part of the job by running it immediately. If you have multiple jobs, the arrows in the Move column will alter the order in which they are presented.

System Hostname

Figure 30: System Hostname (Hostname: ruggedrouter; Save)

The Hostname field modifies the hostname as presented in the web server and shell sessions. Note that the new hostname will only appear in new sessions.

System Time

Figure 31: System Time (Day, Date, Month, Year, Hour and Minute fields, e.g. Friday 3 June 2005 10:07; Apply. Timezone list including Canada/East-Saskatchewan, Canada/Mountain, Canada/Newfoundland and Canada/Pacific; Current location; Change timezone)

This menu provides a method to set the time and timezone of the router.

Note: Changing the system time may confuse protocols such as OSPF and RIP, which depend upon an accurate system time. If you use OSPF or RIP, changing the time from this menu will resta
287. ration. VRRP Instances Status. Restart VRRP daemon: click this button to restart the VRRP daemon. This will apply configuration parameters.

Figure 137: VRRP Main Menu

Note that VRRP is disabled by default and may be enabled via the System folder, Bootup And Shutdown menu. VRRP can be configured through the VRRP Configuration link before the daemon is started. When enabled, any configuration changes may be made to take effect by selecting the Restart VRRP daemon button. The VRRP Instances Status link presents the status of the VRRP instances existing as of the last restart of keepalived.

VRRP Configuration

Figure 138: VRRP Configuration (Router Identification: Router Name; Save. VRRP virtual IP Instances table with columns Name, VRID, Interface, Monitored Interface, Gateway address/mask and Local Interface IP; e.g. VRID_10, 10, eth1, w1ppp, 1.1.1.253/24, 1.1.1.200 and VRID_11, 11, eth1, no monitored interface, 1.1.1.252/24, 1.1.1.200; Add a new instance)

Set the Router Name field to supply an identification of the router for VRRP logs. This field initially defaults to the current hostname. The VRRP instances under the Name column define virtual IP groups. Clicking on a link will allow you to edit that instance.

Editing A VRRP Instance

Edit VRRP Instance, Virtual IP Instance Parameters: Name VRID_10; Interface eth1; Virtual Router ID 10
288. re 36: Static Multicast Routing

This menu allows you to configure static multicast routing. The Configured Static Multicast Routes table shows configured multicast routes. New routings may be added by completing the bottom row of the table and selecting the Save button. Routings may be deleted by clearing the routing's Multicast IP Address field and selecting the Save button.

The Multicast IP Address field specifies the multicast IP address to be forwarded. The Input Interface field specifies the interface upon which the multicast packet arrives. The Source IP Address specifies the multicast packet's expected source IP address. The Output Interface specifies the interface to which the matched multicast packet will be forwarded. The Comment field shows the current status of the routing. The Note field below the table shows the current active interfaces.

In order to start Multicast routing at each and every boot, you must enable it via the System folder, Bootup And Shutdown menu.

DNS Client

Figure 37: DNS Client (DNS Client Options: Hostname ruggedrouter; Resolution order Hosts, DNS; DNS servers 10.0.0.214; Search domains None / Listed; Save)

This menu allows you to display and configure various DNS client fields. The Resolution Order selector determines the order of sources for resolving domain names into IP addresses. The Hosts file (/et
289. reen when there is traffic on the PPP link.

Modem Main Menu

[Modem Interface screen. Menu icons: Modem PPP Client, Modem PPP Incoming Call, Modem PPP Logs, Modem PPP Connection, Modem Configuration, Modem Server Logs, Modem Logs, Current Route & Interface Table. Modem Connection Status: No connection; Refresh.]

Figure 81: Modem Interface

This menu allows you to display and configure the modem interface.

Modem Configuration

[Edit Modem Configuration screen. Parameter, value and description: Dial-in Console (enable): Enable dial-in console access. PPP Server (enable): Enable incoming PPP connections. Radius Authentication (enable): Radius authenticate for incoming PPP connections. Rings before answer (1): Number of rings to wait before answering (1-10). Additional Modem AT Init Codes: Any extra AT codes to use when initializing the modem. Country code (United States): Set modem country code. Speaker Volume (0): Set modem speaker volume. Speaker Mode (off): Set modem speaker mode. Save. Note: Changing the country code will cause the modem to reset. Active connections will be lost.]

Figure 82: Edit Modem Configuration

This menu allows you to configure the modem settings and features. The Dial-in console fields allow the modem to answer incoming calls and present a login just like the consol
290. reeradius.

2. In your dictionary directory, open the file dictionary and add the line $INCLUDE dictionary.ruggedcom to the end of it.

3. Create a file dictionary.ruggedcom under the dictionary directory containing:

    # -*- text -*-
    #
    # The RuggedCom Vendor-Specific dictionary
    #
    # Version: $Id: dictionary.ruggedcom,v 1.3.4.1 2005/11/30 22:17:24 aland Exp $
    #
    # For a complete list of Private Enterprise Codes, see
    # http://www.isi.edu/in-notes/iana/assignments/enterprise-numbers
    #
    VENDOR          RuggedCom                       15004

    BEGIN-VENDOR    RuggedCom
    ATTRIBUTE       RuggedCom-Privilege-level       2       string
    END-VENDOR      RuggedCom

4. Users are assigned by adding lines to the file /etc/freeradius/users. Note that currently the only privilege level is that of root. For example, to assign a user john with a password of test, add the following lines:

    john    Auth-Type := Local, User-Password == "test"
            RuggedCom-Privilege-level = "root"

5. Restart your freeradius server.

Windows Internet Authentication Service

The following steps configure your IAS server:

1. Create groups used for the different privilege levels. For example, if the privilege level is root, you can create a group called Radius RuggedRouter_root. Add the users having this privilege level to this group.

2. Use the New Remote Access Policy Wizard to create a custom policy with the following settings. Conditions: NAS-Identifier matches "webmin"; Windows-Group matches the group th
291. rial Protocols Applications

Character Encapsulation

Character encapsulation is used any time a stream of characters must be reliably transported across a network. The character streams can be created by any serial device. The baud rates supported at either server need not be the same. If configured, the router will obey XON/XOFF flow control from the end devices.

One of the routers is configured to listen to TCP connection requests on a specific TCP port number. The other server is configured to connect to its peer on the listening port number. The RuggedRouter will attempt to connect periodically if the first attempt fails and after a connection is broken. The RuggedRouter can be used to connect to any device supporting TCP, e.g. a host computer's TCP stack or a serial application on a host using port redirection software.

RTU Polling

The following applies to a variety of RTU protocols besides ModBus RTU, including ModBus ASCII and DNP. The remote router communicates with host equipment through:

• native TCP connections,
• another RuggedRouter(s) via a serial port, or
• a port redirection package which supports TCP.

If a RuggedRouter is used at the host end, it will wait for a request from the host, encapsulate it in a TCP message and send it to the remote side. There the remote RuggedRouter will forward the original request to the RTU. When the RTU replies, the RuggedRouter will forward the encapsulated reply back to the host end.
292. rmine the network topology. Every 30 minutes by default, the entire topology of the network must be sent to all routers in an area. If the link speeds are too low, the links too busy, or there are too many routes, then some routes may fail to get re-announced and will be aged out. Splitting the network into smaller areas to reduce the number of routes within an area, or reducing the number of routes to be advertised, may help to avoid this problem.

In shared access networks (i.e. routers connected by switches or hubs) a designated router and a backup designated router are elected to receive route changes from subnets in the area. Once a designated router is picked, all routing state changes are sent to the designated router, which then sends the resulting changes to all the routers. The election is decided based on the priority assigned to the interface of each router. The highest priority wins. If the priority is tied, the highest router ID wins.

Key OSPF And RIP Parameters

Network Areas

Network areas determine the regions within which routes are distributed to other routers. The subnets at a particular router can be added to its OSPF Area. The router will advertise these subnets to all routers in its area.

Note: OSPF areas must be designed such that no single link failure will cause the network to be split into two disjoint networks.

Router ID

A router can be part of multiple areas and
293. rnal address(es).

Port Forwarding

Port forwarding, also known as redirection, allows traffic coming from the Internet to be sent to a host behind the NAT gateway. Previous examples have described the NAT process when connections are made from the intranet to the Internet. In those examples addresses and ports were unambiguous. When connections are attempted from the Internet to the intranet, the NAT gateway will have multiple hosts on the intranet that could accept the connection. It needs additional information to identify the specific host to accept the connection.

Suppose that two hosts, 192.168.1.10 and 192.168.1.20, are located behind a NAT gateway having a public interface of 213.18.101.62. When a connection request for http (port 80) arrives at 213.18.101.62, the NAT gateway could forward the request to either of the hosts, or could accept it itself. Port forwarding configuration could be used to redirect the requests to port 80 to the first host.

Port forwarding can also remap port numbers. The second host may also need to answer http requests. As connections to port 80 are directed to the first host, another port number, such as 8080, can be dedicated to the second host. As requests arrive at the gateway for port 8080, the gateway remaps the port number to 80 and forwards the request to the second host.

Finally, port forwarding can take the source address into account. Ano
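The forwarding decisions described above, as an added Python model rather than anything from the manual: the two hosts, the 213.18.101.62 public interface and the 80 and 8080 entries follow the text; the 2222-to-22 management entry and its 198.51.100.0/24 source network are constructed to illustrate source-aware forwarding, and the Shorewall rendering assumes the zone names net and loc that appear on the Default Policies page of this manual.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# Public interface of the NAT gateway in the text above.
GATEWAY_PUBLIC_IP = ip_address("213.18.101.62")


@dataclass(frozen=True)
class ForwardRule:
    """One port-forwarding (DNAT) entry.

    Connections arriving at GATEWAY_PUBLIC_IP:external_port are rewritten to
    internal_host:internal_port. When source_net is set, the entry applies only
    to connections whose source address lies in that network.
    """
    external_port: int
    internal_host: IPv4Address
    internal_port: int
    source_net: Optional[IPv4Network] = None


def translate(rules: List[ForwardRule], src_ip: str, dst_ip: str,
              dst_port: int) -> Optional[Tuple[str, int]]:
    """Return (new destination IP, new destination port) after forwarding.

    Entries are checked in order and the first match wins, as in a firewall's
    NAT table. None means no entry matched: the gateway itself receives the
    connection and may accept or drop it.
    """
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    if dst != GATEWAY_PUBLIC_IP:
        return None  # only connections to the public interface are forwarded
    for rule in rules:
        if rule.external_port != dst_port:
            continue
        if rule.source_net is not None and src not in rule.source_net:
            continue
        return str(rule.internal_host), rule.internal_port
    return None


def to_shorewall_rule(rule: ForwardRule) -> str:
    """Render an entry as a Shorewall DNAT rule (ACTION SOURCE DEST PROTO DPORT).

    Assumes the zone names 'net' (Internet) and 'loc' (intranet). The internal
    port is appended only when it differs from the external one, which is how
    Shorewall expresses a port remap.
    """
    source = "net" if rule.source_net is None else f"net:{rule.source_net}"
    dest = f"loc:{rule.internal_host}"
    if rule.internal_port != rule.external_port:
        dest += f":{rule.internal_port}"
    return f"DNAT {source} {dest} tcp {rule.external_port}"


# Constructed rule table for the scenario in the text: port 80 to the first
# host, 8080 remapped to port 80 on the second host. The third entry is a
# hypothetical management forward restricted to one source network.
RULES = [
    ForwardRule(80, ip_address("192.168.1.10"), 80),
    ForwardRule(8080, ip_address("192.168.1.20"), 80),
    ForwardRule(2222, ip_address("192.168.1.10"), 22,
                ip_network("198.51.100.0/24")),
]

if __name__ == "__main__":
    for r in RULES:
        print(to_shorewall_rule(r))
    print(translate(RULES, "203.0.113.5", "213.18.101.62", 8080))
```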
294. rt and stop being advertised based upon the status of their interface links.

Configuring OSPF Link Costs

Link cost is used, when multiple links can reach a given destination, to determine which route to use. OSPF will by default assign the same cost to all links unless provided with extra information about the links. Each interface is assumed to be 10 Mbit unless told otherwise in the Core Interface configuration. The reference bandwidth for link cost calculations is 100 Mbit by default in the OSPF Global Parameters. The reference bandwidth divided by the link bandwidth gives the default cost for a link, which by default is 10. If a specific bandwidth is assigned to each link, the costs will take this into account. It is also possible to manually assign a cost to using a link, in the OSPF Interface Configuration for each interface, for cases where the speed of the link is not desired as the method for choosing the best link.

OSPF Authentication

OSPF authentication is used when it is desirable to prevent unauthorized routers from joining the OSPF network. By enabling authentication and configuring a shared key on all the routers, only routers which have the same authentication key will be able to send and receive advertisements within the OSPF network. Authentication adds a small overhead due to the encryption of messages, so it is not to be preferred on completely private networks with controlled access.

RIP Authentication

RIP authentication is
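An added Python example, not part of the manual, carrying the cost rule above through a small SPF computation so the effect of a manual per-interface cost on route choice can be seen. The routers R1 to R3 and their link speeds are constructed; the floor of 1 on a cost is standard OSPF behaviour rather than something the text states.

```python
import heapq
from itertools import count
from typing import Dict, Iterable, Optional, Tuple

REFERENCE_BANDWIDTH_MBIT = 100    # OSPF Global Parameters default in the text
DEFAULT_LINK_BANDWIDTH_MBIT = 10  # assumed for an interface with no configured speed


def ospf_link_cost(bandwidth_mbit: Optional[int] = None,
                   manual_cost: Optional[int] = None) -> int:
    """Cost of one link as described above.

    A manual per-interface cost takes precedence; otherwise the cost is the
    reference bandwidth divided by the link bandwidth, using the 10 Mbit
    assumption when no bandwidth is configured. The floor of 1 is standard
    OSPF behaviour (costs are positive integers), not something the text states.
    """
    if manual_cost is not None:
        return manual_cost
    bandwidth = bandwidth_mbit if bandwidth_mbit is not None else DEFAULT_LINK_BANDWIDTH_MBIT
    return max(1, REFERENCE_BANDWIDTH_MBIT // bandwidth)


Link = Tuple[str, str, Optional[int], Optional[int]]  # (a, b, bandwidth Mbit, manual cost)


def build_topology(links: Iterable[Link]) -> Dict[str, Dict[str, int]]:
    """Adjacency map {router: {neighbour: cost}}; each link gets the same cost
    in both directions (this example assumes symmetric interface settings)."""
    topology: Dict[str, Dict[str, int]] = {}
    for a, b, bandwidth, manual in links:
        cost = ospf_link_cost(bandwidth, manual)
        topology.setdefault(a, {})[b] = cost
        topology.setdefault(b, {})[a] = cost
    return topology


def shortest_paths(topology: Dict[str, Dict[str, int]],
                   source: str) -> Dict[str, Tuple[int, Optional[str]]]:
    """Dijkstra SPF from source: {destination: (total cost, next hop)}."""
    best: Dict[str, Tuple[int, Optional[str]]] = {}
    tie = count()  # keeps heap entries comparable when costs are equal
    heap = [(0, next(tie), source, None)]
    while heap:
        cost, _, node, next_hop = heapq.heappop(heap)
        if node in best:
            continue
        best[node] = (cost, next_hop)
        for neighbour, link_cost in topology.get(node, {}).items():
            if neighbour not in best:
                # the next hop of any path is the source's own neighbour on it
                first = neighbour if node == source else next_hop
                heapq.heappush(heap, (cost + link_cost, next(tie), neighbour, first))
    return best


def route_to(links: Iterable[Link], source: str, dest: str) -> Tuple[int, Optional[str]]:
    return shortest_paths(build_topology(links), source)[dest]


# Constructed scenario (hypothetical routers): R1 reaches R3 over a direct link
# with no configured speed, or via R2 over two 100 Mbit links.
LINKS = [
    ("R1", "R3", None, None),  # assumed 10 Mbit -> cost 100/10 = 10
    ("R1", "R2", 100, None),   # cost 100/100 = 1
    ("R2", "R3", 100, None),   # cost 1
]
# Same network, but a manual cost of 50 is pinned on the R1-R2 interface so
# that the direct link is preferred regardless of speed.
LINKS_WITH_MANUAL_COST = [
    ("R1", "R3", None, None),
    ("R1", "R2", 100, 50),
    ("R2", "R3", 100, None),
]

if __name__ == "__main__":
    print("default costs:", route_to(LINKS, "R1", "R3"))
    print("manual cost:  ", route_to(LINKS_WITH_MANUAL_COST, "R1", "R3"))
```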
295. rt them.

Chapter 4 Configuring Networking

Introduction

This chapter familiarizes the user with:

• Configuring Routing and Gateways
• Configuring DNS
• Entering host addresses
• Configuring a pair of End To End Backup Interfaces
• Viewing Routing Tables

Network Configuration

[Network Configuration menu. Icons: Core Settings, Dummy Interface, Routing and Default Route, Static Multicast Routing, DNS Client, Host Addresses, End To End Backup, Current Route & Interface Table. Apply Configuration: click this button to activate the current boot time interface and routing settings as they normally would be after a reboot. Warning: this may make your system inaccessible via the network and cut off access to Webmin.]

Figure 32: Network Configuration Menu

This menu allows you to configure IP networking parameters. Select the Core Settings icon to configure kernel networking settings such as antispoofing and syncookies filtering. Select the Dummy Interface in order to assign an IP Address to the router that is independent of its interfaces. Select the Routing and Default Route icon to assign a gateway address. Select the Static Multicast Routing icon to configure static multicast routes. Select the DNS Client icon to point t
296. rts higher priority than this level will be displayed on the webmin home page. The Default Filter Level for Command Line configures the lowest alert level to show when a user logs in by console or ssh. The Save button saves all changes of general configuration. The Create New Filter button allows you to create a new forwarder filter for active alerts.

Alert Filter Configuration

[Change Filter Configuration screen. Filter Parameters: Forward Destination Type (EMail); Forward Destination (admin@example.com; use a comma to separate multiple email addresses); Filter Level Comparator (Greater Than); Filter Level (Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug); Save; Delete.]

Figure 203: Alert Filter Configuration Menu

This menu configures an alert filter, which defines the forwarder destination for active alerts matching the defined filter level. The Forward Destination Type configures the type of filter. Currently only type Email is supported. The Forward Destination configures the destination matching the Forwarder Destination Type. Note that multiple email addresses should be separated by comma. The Filter Level Comparator configures the way to match with the defined filter level. The Filter Level configures what filter level is to be compared. Note that Emergency has the greatest filter level and Debug has the lowest filter level. Aler
297. s

Outgoing Mail

[Outgoing Mail screen. SMTP Settings: Forward to Mail Hub 172.16.52.63; Belongs to Domain ruggedcom.com; Hostname router; Save.]

Figure 228: Radius Authentication Main Menu

Outgoing Mail is configured from within the Maintenance menu, Miscellaneous sub-menu. This menu controls where emails originated by the router are forwarded to. The Forward to Mail Hub field specifies an IP address or domain name of a host that accepts mail from the router. The Belongs to Domain field specifies the email domain the router is part of. This information is written into the email header upon transmission. The Hostname field specifies the hostname to be written into the email header upon transmission.

Helpful Hint: You can generate emails from scheduled commands and scripts with:

    (echo "To: ops@myco"; echo -e "Subject: Hello\n"; some_command) | sendmail -t

Chassis Parameters

[Chassis Parameters table: Parameter, Current value, Allowable Range]
    temp      34.0 C     -40 C to 85.0 C
    VCore A   2.54 V     2.37 V to 2.62 V
    VCore B   1.20 V     1.14 V to 1.26 V
    3.3 PS1   3.30 V     3.14 V to 3.47 V
    5V        5.05 V     4.76 V to 5.24 V
    +12V      12.46 V    10.82 V to 13.19 V
    -12V      -11.92 V   -13.20 V to -10.80 V
    VBat      3.01 V     2.40 V to 3.60 V
    Last Power Down Time: Power lost at Fri Sep 21
298. s. This is usually the same as the Remote IP Address.

ADSL Statistics

Figure 80: ADSL Link Statistics

ADSL Link Layer Statistics

[ADSL Statistics: Link status Connected; Modulation G.DMT; Down Rate 1184 kbps; Up Rate 544 kbps; Local SNR Ratio 22 dB; Remote SNR Ratio 3 dB; Refresh.]

When at least one logical interface is configured, ADSL Link statistics will be available. These statistics are available from links on the DDS WAN Interfaces menu. The Local SNR Ratio is an effective indicator of line quality. SNR values above 40 dB correspond to excellent line quality, while values below 10 dB result in marginal operation or failure.

Current Routes & Interface Table

The table provided by this command is as described in the Networking menu, Network Utilities sub-menu. It is also provided here as a convenience.

Upgrading Software

For some customers, access to remote sites is accomplished solely by an ADSL connection. Usually a software upgrade will stop the system being upgraded, perform the upgrade and then restart it. If ADSL were upgraded in this way the upgrade would fail, as the ADSL link would be taken down. Instead, ADSL software upgrades modify only the software on the disk. You must schedule a reboot in order to run the new version of ADSL software.

Chapter 10 Configuring PPP and Mod
299. s
    eth2        Auto Negotiation   No IP Address   No Netmask       Yes
    eth2.0001   Ethernet VLAN      192.168.0.2     255.255.255.0    Yes
    eth2.0002   Ethernet VLAN      172.16.0.2      255.255.0.0      Yes
    eth3        Auto Negotiation   192.168.13.1    255.255.255.0    No
    eth4        Auto Negotiation   192.168.14.1    255.255.255.0    No

Figure 42: Current and Boot Time Ethernet Configuration

This menu allows you to display and configure the Ethernet interfaces in the router. The Current Configuration table allows you to try out changes on the existing interfaces before making permanent changes. Any changes made take effect immediately but will not be present after the next boot. The entries in this table can also be used to temporarily disable or re-enable an interface. The Boot Time Configuration table allows you to make changes to the permanent configuration of any interface.

The Network Configuration menu Apply Configuration button applies permanent changes and restarts Ethernet networking. If only temporary changes have been made, the permanent configuration will be re-applied. In either table, edit the desired interface by clicking on its link under the Name column.

Editing Currently Active Interfaces

[Edit Active Interface screen. Active Interface Parameters: Name eth1; IP Address (None / 10.128.10.248); Netmask (Automatic / 255.0.0.0); Broadcast (Automatic / 10.255.255.255); MTU (Default / 1500); Status up
300. s [title illegible] 65
Figure 49  Display PPP Logs  66
Figure 50  T1/E1 Trunks And Interfaces  68
Figure 51  T1/E1 Network Interfaces Initial Configuration  69
Figure 52  T1/E1 Network Interfaces After Channel Creation  69
Figure 53  T1/E1 Network Interfaces After Interface Creation  70
Figure 54  [title illegible]  71
Figure 55  Edit Logical Interface Frame Relay  72
Figure 56  Edit Logical Interface PPP  73
Figure 57  [title illegible]  74
Figure 58  Frame Relay Statistics  75
Figure 59  PPP [title illegible]  76
Figure 60  T1/E1 Loopback Menu  77
Figure 61  T3 Trunks And Interfaces  80
Figure 62  T3 Network Interfaces Initial Configuration  80
Figure 63  T3 Network Interfaces Initial Configuration  80
Figure 64  [title illegible]  81
Figure 65  Edit [title illegible]  81
Figure 66  Edit Logical Interface Frame Relay  82
Figure 67  Edit Logical Interface PPP  82
Figure 68  DDS [title illegible]  86
Figure 69  DDS [title illegible]  86
Figure 70  DDS WAN Interfaces after logical interface assignment  86
Figure 71  Edit Logical Interface Frame Relay (single DLCI)  87
Figure 72  Edit Logical Interface Frame Relay (multiple DLCI)  87
Figure 73  Edit Logical Interface PPP  88
Figure 74  [title illegible]  88
Figure 75  ADSL Interface Scen
301. s          Yes          NTP Server
    portmap     No     Yes   RPC Services (needed by NFS, NIS, rsh, rlogin, rexec and rcp)
    quagga      Yes    Yes   Routing Protocols
    shorewall   No     n/a   Firewall
    ssh         Yes    Yes   SSH Server
    webmin      Yes    Yes   Web Management Interface
    Note: Stopping Webmin will immediately hang this Web session.
    Start Selected Now And At Boot / Stop Selected Now And At Boot
    Reboot System: click this button to reboot the system. All currently logged in users will be disconnected and all
    Shutdown System: click on this button to prepare the system for removing power. The system will reboot into a power down shell and wait for 300 seconds, during which time it will be safe to remove power. After this period the router will reboot into the normal operating mode.

Figure 22: Bootup and Shutdown, Part 1

This menu allows you to enable/disable services and to perform actions at boot. The first part of the menu manages services. Check the box for the desired service and click on Start Selected to start the service and have it start at the next boot. Click on Stop Selected to stop the service and not have it start at boot. The Reboot System button will cause the system to reboot. The Shutdown System button shuts down the system in order to remove power.

Note: The RuggedRouter never enters a permanent shutdown state. If the RuggedRouter is instructed to shut down, either from Webmin or from a shell command, it will reboot into a command line shell that wa
302. s alarm could signify that the wrong framing mode is configured.

Frame Relay Interface Statistics

[w4fr16 Statistics. DLCI Receive Statistics: Information frames received; Information bytes received; Received I-frames discarded due to inactive DLCI; I-frames received with Discard Eligibility (DE) indicator set; I-frames received with the FECN bit set; I-frames received with the BECN bit set. DLCI Transmit Statistics: Information frames transmitted; Information bytes transmitted. Frame Relay Trunk Statistics: Full Status Enquiry messages sent (51997); Link Integrity Verification Status Enquiry messages sent (0); Full Status messages received (0); Link Integrity Verification Status messages received (0); CPE initializations (0); Current Send Sequence Number (204); Current Receive Sequence Number; Current N392 count; Current N393 count. Frame Relay Trunk Communications Errors: I-frames not transmitted after a tx int due to excessive frame length; I-frames not transmitted after a tx int due to excessive throughput; Received frames discarded as they were either too short or too long; Discarded I-frames with unconfigured DLCI; Discarded I-frames due to a format error; App didn't respond to the triggered IRQ within the given ti
303. s are managed through Telnet. An SNMP network management polling application tracks the status of all devices.

It is generally wise to ensure that control and management capabilities are always provided. OSPF and SSH/Telnet should be assigned to the highest priority queue. OSPF packets are small and do not consume much bandwidth. SSH and Telnet are not often used but must be available when required. TcpModbus traffic is ensured a low latency by assigning it the next lowest queue. Web traffic will be used to manage the router and switches and should be assigned to a still lower queue. All other traffic can be assigned to a final queue. In all, four queues are required. The system provides three basic queues (high, normal and low) and a fourth, the extra high, can be manually added.

Traffic filters are inspected in the order in which they are entered. To reduce load and improve performance, the filters should be entered in an order which recognizes the most frequent traffic under normal conditions. The best filter order is probably:

• match source port 502 > queue high
• match protocol OSPF > queue extra high
• match source port snmp > queue extra high
• match source port www > queue normal
• match source port 10000 > queue normal
• match source port ssh > queue extra high
• match source port telnet > queue extra high
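The first-match behaviour of the filter list above, as an added Python example rather than router configuration: the filters are entered in the order the text suggests, and the classifier reports how many filters it had to inspect before deciding, which is the cost the ordering advice aims to keep low. Port numbers for snmp, www, ssh and telnet are the IANA well-known ports; the traffic sample is constructed, and the remark that 10000 is Webmin's port is this example's assumption.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# IANA well-known ports for the service names used in the filter list.
WELL_KNOWN_PORTS = {"snmp": 161, "www": 80, "ssh": 22, "telnet": 23}


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp" or "ospf"
    src_port: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Filter:
    description: str
    matches: Callable[[Packet], bool]
    queue: str


def src_port(port: int) -> Callable[[Packet], bool]:
    return lambda p: p.src_port == port


def protocol(name: str) -> Callable[[Packet], bool]:
    return lambda p: p.proto == name


# The order proposed in the text: the most frequent traffic (ModBus/TCP replies
# from port 502) is tested first. Port 10000 is listed as in the text; that it
# is Webmin's management port is an assumption of this example.
FILTERS = [
    Filter("match source port 502", src_port(502), "high"),
    Filter("match protocol OSPF", protocol("ospf"), "extra high"),
    Filter("match source port snmp", src_port(WELL_KNOWN_PORTS["snmp"]), "extra high"),
    Filter("match source port www", src_port(WELL_KNOWN_PORTS["www"]), "normal"),
    Filter("match source port 10000", src_port(10000), "normal"),
    Filter("match source port ssh", src_port(WELL_KNOWN_PORTS["ssh"]), "extra high"),
    Filter("match source port telnet", src_port(WELL_KNOWN_PORTS["telnet"]), "extra high"),
]


def classify(packet: Packet, filters: List[Filter] = FILTERS,
             default_queue: str = "low") -> Tuple[str, int]:
    """First-match classification.

    Returns the queue and the number of filters inspected before the decision.
    Unmatched traffic falls into the default (low) queue only after every
    filter has been tried, which is the most expensive outcome.
    """
    for inspected, flt in enumerate(filters, start=1):
        if flt.matches(packet):
            return flt.queue, inspected
    return default_queue, len(filters)


def average_inspections(traffic: List[Packet], filters: List[Filter] = FILTERS) -> float:
    """Mean number of filter comparisons per packet for a traffic mix; the
    ordering advice in the text aims to keep this low under normal conditions."""
    return sum(classify(p, filters)[1] for p in traffic) / len(traffic)


# Constructed sample: mostly ModBus replies, a little SSH and one unmatched DNS reply.
SAMPLE_TRAFFIC = ([Packet("tcp", 502)] * 7 + [Packet("tcp", 22)] * 2
                  + [Packet("udp", 53)])

if __name__ == "__main__":
    print("suggested order:", average_inspections(SAMPLE_TRAFFIC))
    print("reversed order: ", average_inspections(SAMPLE_TRAFFIC, FILTERS[::-1]))
```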
304. s from your host machine directly to the router. You need to specify at least one file to send and the directory to upload it to. Clicking on a browse button will open a file search dialog box. Select the file to upload to the router and close the dialog box. Click upon the Send to router button to start the transfer. You may also decide to create directories cited in the upload path at upload time, set the user/group ownership of the file, and extract tar or zip files.

The Upload a file from the router to your host part of the menu allows you to send files from the router to a specified location on your host machine. You need to specify the file to send. You may specify the file's path directly or click on the browse button to open a file search dialog box. Select the file to upload and close the dialog box. Then click the Upload to your host button.

Chapter 27 Security Considerations

Introduction

This chapter describes actions to take to secure the RuggedRouter.

Security Actions

1. Change the root and rrsetup passwords from the rrsetup shell before attaching the router to the network.
2. If Radius authentication is being employed, configure authentication servers.
3. Restrict the IP addresses which Web management will accept connections from. See the Webmin menu, IP Access Control sub-menu.
4. Restrict the Ethernet ports which Web management will accept connections from. See the Webmin men
305. s of the router supplying the default route, or of the router's WAN connection, results in isolating the hosts relying upon the default route. There are a number of ways that may be used to provide redundant connections to the host. Some hosts can configure alternate gateways, while others are intelligent enough to participate in dynamic routing protocols such as Routing Information Protocol (RIP) or Open Shortest Path First routing protocol (OSPF). Even when available, these approaches are not always practical due to administrative and operation overhead.

The VRRP Solution

VRRP solves the problem by allowing the establishment of a virtual router group, composed of a number of routers that provide a specific default route. VRRP uses an election protocol to dynamically assign responsibility for the virtual router to one of the routers in the group. This router is called the VRRP Master. If the Master (or optionally its WAN connection) fails, the alternate (i.e. backup) routers in the group elect a new Master. The new master provides the virtual IP address and issues a gratuitous ARP to inform the network of where the gateway can be reached. Because the host's default route does not change and the MAC address is updated, packet loss at the hosts is limited to the amount of time required to elect a new router.

VRRP Terminology

Each physical router running VRRP is known as a VRRP Router. Two or more VRRP Routers can be configured to form a Virt
306. s page

[T3 1: Not Running. Columns: Name, Description, Local Address, Netmask, Remote Address, Default Gateway. Links: Assign a new Frame Relay logical interface; Assign a new PPP logical interface; Edit T3 1 Parameters.]

Figure 63: T3 Network Interfaces Initial Configuration

This menu allows you to display and configure T3 Trunk parameters. A table is presented for each interface. Interface numbers are as described by the WAN labels shown in the home page chassis diagram. The status of the trunk's physical and logical interfaces is shown. This menu presents connection statuses but does not update them in real time. Click on the Refresh this page link to update to the current status. The menu will change after assignment of a logical interface, providing links to logical interface and link statistics.

[T3 2: Down. Row: w2ppp, Down, Statistics, No description, 192.168.20.1, 255.255.255.255, 192.168.16.2, none. Links: Edit T3 2 Parameters; View T3 2 Link Statistics.]

Figure 64: T3 Network Interfaces Initial Configuration

Naming Of Logical Interfaces

Webmin names the logical interfaces for you but allows you to provide a description. All interfaces start with a "w" to identify them as WAN interfaces, followed by the interface number. The next part of the identifier is either "ppp", or "fr" and the frame relay DLCI number.
307. s under the ToS field reflect the ToS value a packet must match to be routed by this route. The entries under the Weight field reflect the relative bandwidth or quality of this link within a multi-path route. Note that multi-path routes are shown with multiple lines for a single destination.

Interface Status

This menu also summarizes the interface status. The entries under the Device field reflect the name of the device. The entries under the Link up field reflect the current link state of the interface. The entries under the Address field reflect the local address of the interface. The entries under the Netmask field reflect the netmask applied to this interface. The entries under the Bcast/Peer field reflect the broadcast address for the interface, or the peer address if the interface is a point-to-point interface. The entries under the MTU field reflect the Maximum Transmission Unit size for the interface. The entries under the Txqueuelen field reflect the transmit queue length for the interface.

Chapter 19 Configuring Serial Protocols

Introduction

This chapter familiarizes the user with:

• RawSockets Applications
• Configuring Serial ports for RawSocket
• Viewing Serial Port and TCP Connection status and statistics
• Resetting S
308. ser to continuously reload the page, showing the differences in statistics from the last display. The difference is not a real time rate in bytes or packets per second.

Activity Trace Menu

Figure 169: Activity Trace Menu

Activity Trace

Specifying large numbers of protocols, entries and capture time can result in a great deal of output.

[Trace Layer 2 Tunnels: Trace on protocols (GOOSE / All Protocols); Message Decode (Hex dump / Packets / RTT Measurement Messages); Maximum number of entries to capture (2); Maximum time in seconds to capture over (10); Start Trace.]

    12:40:06.723 GOOSE: Received message from eth2.0002, length 56
      DST MAC 01:0c:cd:01:00:00  SRC MAC 00:19:5b:fd:39:fe  APP ID 94 (0x5e)
      01 0c cd 01 00 00 00 19 5b fd 39 fe 88 b8 00 5e 00 12 00 00 00 00 00 00
      00 00 00 00 00 00 aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa aa ... aa
    12:40:06.724 GOOSE: Transmitted packet to 172.16.0.1:1311, length 60

This menu displays decoded GOOSE activity. The desired traffic sources, number of messages and length of time to capture are entered and the Start Trace button is pressed. The menu will display up to the provided number of messages, waiting up to the specified number of seconds. The Trace on protocols selections feature an All to short list of protocols with unuse
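To make the decoded trace above easier to follow, here is an added Python parser (not part of the product) for the fields the trace prints: destination and source MAC, an optional 802.1Q tag, the 0x88b8 GOOSE ethertype, APPID and length. The sample frame is constructed to carry the same MACs and APPID 94 as the trace, with a placeholder APDU and aa padding; the tagged variant assumes VLAN ID 2 to match the eth2.0002 interface name.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_GOOSE = 0x88B8  # IEC 61850 GOOSE, the "88 b8" in the trace above
GOOSE_FIXED_HEADER = 8    # APPID, Length, Reserved1, Reserved2: two bytes each


@dataclass
class GooseHeader:
    dst_mac: str
    src_mac: str
    vlan_id: Optional[int]  # None when the frame carries no 802.1Q tag
    app_id: int
    length: int             # bytes from APPID to the end of the APDU
    apdu: bytes


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_goose_frame(frame: bytes) -> GooseHeader:
    """Parse the Ethernet header and GOOSE fixed header of one captured frame.

    Raises ValueError for anything that is not a well-formed GOOSE frame; a
    monitoring tool should refuse such frames rather than guess at fields.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan_id = 14, None
    if ethertype == ETHERTYPE_VLAN:  # 802.1Q tag: TCI, then the real ethertype
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    if ethertype != ETHERTYPE_GOOSE:
        raise ValueError(f"not a GOOSE frame: ethertype 0x{ethertype:04x}")
    if len(frame) < offset + GOOSE_FIXED_HEADER:
        raise ValueError("truncated GOOSE header")
    app_id, length, _res1, _res2 = struct.unpack("!HHHH", frame[offset:offset + 8])
    # Length covers the fixed header plus the APDU; bytes beyond it are padding
    # (the aa bytes in the trace). A length past the end of the frame is invalid.
    if length < GOOSE_FIXED_HEADER or offset + length > len(frame):
        raise ValueError(f"GOOSE length {length} inconsistent with {len(frame)}-byte frame")
    apdu = frame[offset + GOOSE_FIXED_HEADER:offset + length]
    return GooseHeader(_mac(dst), _mac(src), vlan_id, app_id, length, apdu)


def is_goose(frame: bytes) -> bool:
    """True when the frame parses as GOOSE, False on any structural error."""
    try:
        parse_goose_frame(frame)
        return True
    except ValueError:
        return False


# Constructed sample frame (not the capture on the page): same destination and
# source MACs and APPID 94 (0x005e) as the trace, a 10-byte placeholder APDU,
# and aa padding up to the 56-byte length the trace reports.
SAMPLE_FRAME = (
    bytes.fromhex("010ccd010000")        # multicast destination MAC
    + bytes.fromhex("00195bfd39fe")      # source MAC
    + struct.pack("!H", ETHERTYPE_GOOSE)
    + struct.pack("!HHHH", 0x005E, GOOSE_FIXED_HEADER + 10, 0, 0)
    + bytes(range(10))                   # placeholder APDU
)
SAMPLE_FRAME += b"\xaa" * (56 - len(SAMPLE_FRAME))

# The same frame as it would appear on a tagged VLAN (priority 4, VLAN ID 2).
TAGGED_FRAME = SAMPLE_FRAME[:12] + struct.pack("!HH", ETHERTYPE_VLAN, 0x8002) + SAMPLE_FRAME[12:]

if __name__ == "__main__":
    print(parse_goose_frame(SAMPLE_FRAME))
    print(parse_goose_frame(TAGGED_FRAME))
```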
309. sers will always need to enter their password even if their public key has been set up.

Networking

[SSH Server Networking screen. Networking options: Listen on addresses (All addresses / Entered below: Address, Port); Listen on port (Default / 22); Accept protocols (SSH v1, SSH v2); Disconnect if client has crashed (Yes / No); Time to wait for login (Forever / 600 seconds); Allow TCP forwarding (Yes / No); Allow connection to forwarded ports (Yes / No); Save.]

Figure 185: SSH Server Networking

The Listen on addresses fields determine the IP addresses and port upon which SSH will accept a connection. The Listen on port field determines the port number SSH will listen on, assuming Listen on addresses is set to All addresses. The Accept Protocols fields determine which versions of SSH will be allowed. The Disconnect if client has crashed field determines whether the SSH server should periodically check to see if the client is still alive. The Time to wait for login field determines the maximum time from a connection request until login completes, after which the client will be disconnected. The Allow TCP forwarding field specifies whether TCP forwarding is permitted. If this option is set, clients on a remote network can tunnel TCP connections to machines on the RuggedRouter's network. The Allow connection to forwarded ports field specifies whether remote ho
310. server. The Default Route checkbox enables automatically setting a default route using this interface whenever it connects. If this is your primary connection you probably want this option enabled. The Use peer DNS checkbox enables automatically setting the DNS server entries that the PPPoE server recommends. Enable this option unless you provide your own name servers. The MTU field defines the MTU size to request when connecting to the PPPoE server. In some cases the PPPoE provider may provide a smaller MTU, in which case the smaller setting will be used, or it may refuse to alter the MTU and use whatever it considers to be the default. The Save button will update all of the changes. The current PPPoE link will be connected. The Delete button will delete the PPPoE interface, closing the current PPPoE link.

PPP Logs

    Aug 18 09:23:59 pppd[2849]: Plugin rp-pppoe.so loaded.
    Aug 18 09:23:59 pppd[2857]: pppd 2.4.4 started by root, uid 0
    Aug 18 09:24:00 pppd[2857]: PPP session is 831
    Aug 18 09:24:00 pppd[2857]: Using interface ppp12
    Aug 18 09:24:00 pppd[2857]: Connect: ppp12 <--> eth2
    Aug 18 09:24:05 pppd[2857]: PAP authentication succeeded
    Aug 18 09:24:05 pppd[2857]: peer from calling number 00:90:1A:40:2A:B9 authorized
    Aug 18 09:24:05 pppd[2857]: not replacing existing defau
311. shorewall (shorewall.conf)

Network Zone Hosts

[Create Zone Host screen. Zone host details: Zone (local); Interface (eth1); IP address or network (192.168.22.0/24); Host options (IPsec zone); Create.]

Figure 94: Firewall Zone Hosts

This menu allows you to add, delete and configure interfaces hosting multiple zones. Add a new zone host by selecting the Add a new zone host link, or by clicking on the add above or add below images in the Add field. Reorder the hosts by clicking on the arrows under the Move field. The Zone field selects a zone that will correspond to a subnet on the interface in question. The Interface field describes that interface and the IP address or network field describes the subnet. Selecting the IPSEC zone Host Option field will identify that the traffic to hosts in this zone is encrypted. The Save and Delete buttons will allow you to edit or delete the zone host. You may also make changes by manually editing the policy.

Default Policies

This page allows you to configure the default actions for traffic between different firewall zones. They can be overridden for particular hosts or types of traffic on the Firewall Rules page.

[Default Policies table: Source zone, Destination zone, Policy, syslog level, Traffic limit, Move, Add. Rows: loc to net, ACCEPT, None, None; (source illegible) to Any, DROP, None. Link: Add a new default policy.]
312. shown in the next view of the VPN Configuration menu.

The Apply Configuration button restarts the server to activate any configuration changes that have been made, restarting VPN connections.

[IPsec VPN Configuration screen. Openswan version U2.2.0/K2.4.27-10-486-rr. Existing VPN connections: Defaults for all connections; Connection Remote_16; Connection Remote_20; Connection Service_2201. Links: Add a new IPsec VPN connection; Import connection from file. Global options and policies: Server Configuration, Preshared Keys, Show Public Key, IPsec Status. Start Connection: select a connection from the list next to this button and click it to attempt its immediate establishment. Apply Configuration: click this button to activate the current configuration by re-starting the running OpenSwan IPsec server process. Any established connections will be terminated.]

Figure 106: IPsec VPN Configuration After Connections Have Been Created

Server Configuration

[Server Configuration screen. Global VPN server settings: Protocol Stack: klips (Route Based IPsec), Switch to netkey (Policy Based IPsec). Network interfaces for IPsec: Default, None, Default route interface, Listed below (Real interface / IPsec interface ipsec0). NAT Traversal: Yes / No. Syslog logging level: Default
313. st and traffic shaping configurations. The Clear Firewall button removes the firewall rules completely and eliminates any protection they offer; in some cases you may wish to do this temporarily to determine whether the firewall is responsible for an application problem. The Stop Firewall button stops the firewall. Before stopping it, add an entry to the When Stopped (routestopped) table to allow access from your management station while the firewall is stopped; otherwise you lose web and SSH access and must use the console to restart the firewall. Stopping the firewall does not disable it: disable the firewall via the System folder, Bootup And Shutdown menu. The Show Status button presents a variety of information summarizing the status of the firewall and routing system. The Check Firewall button tests the current configuration to ensure it is valid.

RuggedCom 113 RuggedRouter User Guide

Network Zones

The zones listed on this page represent the different networks reachable from your system, each defined by a name and a zone type.

Figure: Network Zones table (columns Zone ID, Zone type, Move, Add): fw, Firewall system; vpn, IPsec; local, IPv4; wan (type unreadable in the scan). Below the table: the Add a new network zone link, and a Manually Edit File button to manually edit the Shorewall file /etc/shorewall/zones in which the entries above ar
314. ster IP/MAC address and grandmaster MAC address are provided.

RuggedCom 227 RuggedRouter User Guide

IRIGB Log

Figure 193: IRIGB Log (sample entries, with a Refresh link):
Mar 8 13:26:09 /usr/sbin/irigb[19332]: Receive SIGINT signal and exit
Mar 8 13:28:42 /usr/sbin/irigb[30328]: gps lock not locked
Mar 8 13:28:43 /usr/sbin/irigb[30328]: set GPS as the current reference clock for PTP Card
Mar 8 13:28:45 /usr/sbin/irigb[30328]: Set GPS as the current reference clock for PTP Card
Mar 8 13:29:16 /usr/sbin/irigb[30328]: set LOCAL Clock as the current reference clock for PTP Card
Mar 8 13:29:16 /usr/sbin/irigb[30328]: Sync time from LOCAL Clock to PTP Card

This page reflects reference clock changes in IRIG-B.

228 RuggedCom Chapter 24 Configuring IRIGB And IEEE1588 (this page intentionally blank)

RuggedCom 229 RuggedRouter User Guide

Chapter 25 Configuring The Snort IDS

Introduction

This chapter familiarizes the user with:
- Configuration of Snort as an Intrusion Detection System
- Generating a daily Snort analysis email

Snort Fundamentals

The Snort Intrusion Detection System (IDS) provides a form of security monitoring for the router. Snort gathers and analyzes traffic on the selected network interfaces to identify possible security breaches, which include both intrusions (attacks from outside the protected network
315. stname of the boot server. This only applies to network-booted clients.
- Lease length for BOOTP clients: how long the IP address assigned to a BOOTP client should be considered valid.
- Lease end for BOOTP clients: cut-off date for all BOOTP client leases.
- Dynamic DNS enabled: whether DNS information should be updated on the DNS server when a client receives an IP address.
- Dynamic DNS domain name: the domain name in which to update dynamic DNS information.
- Dynamic DNS hostname: use the specified hostname for clients, or use the hostname supplied by the client.
- Dynamic DNS reverse domain: the reverse DNS domain in which to update dynamic information for the reverse DNS entry.

Lesser-used DHCP server configurations include:
- Allow unknown clients: whether DHCP should accept requests from clients it has never seen before, or only from clients that have already received leases in the past.
- Server is authoritative: if the server is authoritative it will send deny (NAK) messages to any client that tries to renew a lease which the server knows the client should not have.
- Option 82 Support, and Option 82 Support with Disable NAK: if DHCP relay clients (option 82 clients) are used on the same subnet as the DHCP server, some clients will immediately try to renew a lease right after receiving it by requesting a renewal directly from the DHCP server. Since the
316. sts on the client network are allowed to connect to ports forwarded for the client.

Access Control

Figure 186: SSH Server Access Control (Network and login access control options): Only allow users; Only allow members of groups; Deny users (None); Deny members of groups (None); Save.

220 RuggedCom Chapter 23 Configuring SSH

The Only allow users field specifies the users allowed to connect by SSH. The specification is a list of user name patterns separated by spaces. Login is allowed only for user names that match one of the patterns; * and ? can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If a pattern takes the form USER@HOST, then USER and HOST are checked separately, restricting logins to particular users from particular hosts. The account selector button can be used to build up a list of allowed users.

The Only allow members of groups field specifies the groups (in the Unix sense) of users allowed to connect by SSH. The specification is a list of group name patterns separated by spaces. If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns; * and ? can be used as wildcards in the patterns. Only group names are valid; a numerical group
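The four fields on this page map onto sshd's AllowUsers, DenyUsers, AllowGroups and DenyGroups directives. The following Python, an added example rather than RuggedCom or OpenSSH code, reimplements the matching rules described above so a planned access list can be checked offline before it locks you out: space-separated patterns, * and ? wildcards, USER@HOST for user patterns, names only (a numeric UID or GID never matches), and sshd's evaluation order DenyUsers, AllowUsers, DenyGroups, AllowGroups. sshd matches the HOST part against the client's resolved hostname as well as its address; this example checks only the address it is given. The policy and the identities tried are constructed.

```python
"""Evaluate sshd AllowUsers/DenyUsers/AllowGroups/DenyGroups as the SSH Server
Access Control page's fields do. Added example, not RuggedCom or OpenSSH code.
"""
import re


def _glob(pattern):
    """Compile an sshd-style pattern: '*' matches any run, '?' one character."""
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$")


def user_matches(spec, user, host):
    """True if user (and host, for USER@HOST patterns) matches any pattern in spec."""
    for pat in spec.split():
        upat, _, hpat = pat.partition("@")
        if _glob(upat).match(user) and (not hpat or _glob(hpat).match(host)):
            return True
    return False


def group_matches(spec, groups):
    """True if any of the user's primary or supplementary groups matches a pattern."""
    return any(_glob(pat).match(g) for pat in spec.split() for g in groups)


def login_allowed(user, host, groups, allow_users="", deny_users="",
                  allow_groups="", deny_groups=""):
    """Apply the four directives in sshd's order; an empty directive means 'not set'."""
    if deny_users and user_matches(deny_users, user, host):
        return False
    if allow_users and not user_matches(allow_users, user, host):
        return False
    if deny_groups and group_matches(deny_groups, groups):
        return False
    if allow_groups and not group_matches(allow_groups, groups):
        return False
    return True


# Constructed policy: 'admin' only from the management subnet, the 'ops'
# account from anywhere, and nobody who is in the 'contractors' group.
POLICY = dict(allow_users="admin@192.168.1.* ops", deny_groups="contractors")

if __name__ == "__main__":
    for who in (("admin", "192.168.1.5", ["admin"]),
                ("admin", "10.0.0.9", ["admin"]),
                ("ops", "10.0.0.9", ["ops", "contractors"])):
        print(who, login_allowed(*who, **POLICY))
```

Note the two results for admin: the same account is accepted from 192.168.1.5 and refused from 10.0.0.9, which is the effect of the USER@HOST form. Keep one entry that matches your management station before saving, because an Only allow users list that matches nobody you can log in as is enforced immediately.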
317. t your web browser at the address for that port: use https and specify a port number of 10000, e.g. https://192.168.1.1:10000, or the port configured in step 4. Log in as the root user with the password configured above. If RADIUS authentication is configured and a server is available, you may also log in as a RADIUS user.

Basic Web Based Configuration

Change the router password from the System menu, Change Password sub-menu.

If you are using the web management interface you may wish to restrict access to a specific subnet. This can be done in the Webmin menu, Webmin Configuration, IP Access Control sub-menu.

If you are planning to SSH in to the router you may wish to restrict access to a specific subnet. This can be done in the Servers menu, SSH Server, Networking sub-menu.

The router's local hostname may be configured in the System menu, System Hostname sub-menu.

The router may be configured to log to a remote server through the Maintenance menu, System Logs sub-menu. See the chapter Maintaining The Router for more details.

The router's DNS settings may be configured in the DNS Clients sub-menu. You may also specify the IP addresses of frequently used hosts. See the chapter Configuring Networking for more details.

Physical Interface Related

Ethernet port parameters may be changed in the Networking menu, Ethernet sub-menu. The Ethernet Interfaces sub-menu will configure the IP address, subnet mask, gatewa
318. t Certificates

Figure 110: List Certificates. Columns: Certificate name in /etc/ipsec.d/certs; Key file in /etc/ipsec.d/private; Secret for certificate in /etc/ipsec.secrets. Rows: laptop.ruggedcom.com.pem, exists, not configured; rceng02Cert.pem, not present, not configured; root.pem, exists, configured.

This menu lists the available certificate files and their corresponding key files, and shows whether a secret entry for the certificate's private key is configured in /etc/ipsec.secrets.

VPN Connections

The IPsec main menu's Add a new IPsec VPN connection link leads to the Create Connection menu, which creates a new connection and its icon. Selecting the connection's icon from the IPsec main menu displays the same menu, allowing editing and deletion.

An IPsec connection is composed of three types of information: information about the local host, about the remote host, and about the overall connection between them. The configuration data is designed so that identical connection specifications can be used on both ends. Because of this, connection specifications are written in terms of left and right participants rather than local and remote. Which participant is considered left or right is arbitrary; IPsec works out which one it is being run on from internal information (which of the two addresses belongs to one of its own interfaces). The Create/Edit Connection menu reflects this organization by being split into three sections. The first section, IPsec
319. t Definition Configuration

Figure 204: Alert Definition Configuration Menu. View Alert Definition by Category: chassis (Refresh). Columns: Codepoint, Category, Name, Subsystem, Severity, Enabled, Alarmable, Renotify Interval (seconds), Type. Entries:
chassis 1, chassis, Inventory Problem, chassis, error, yes, yes, 0, simple
chassis 2, chassis, Power Supply 1 Failure, chassis, critical, yes, yes, 0, simple
chassis 3, chassis, Power Supply 2 Failure, chassis, critical, yes, yes, 0, simple
chassis 4, chassis, Ledboard Push Button, chassis, error, yes, yes, 0, simple
chassis 5, chassis, Ledboard, chassis, error, yes, yes, 0, simple
chassis 6, chassis, Modular slot 1, chassis, error, yes, yes, 0, simple
chassis 7, chassis, Modular slot 2, chassis, error, yes, yes, 0, simple
chassis 8, chassis, Ethernet interface module 1, chassis, error, yes, yes, 0, simple
chassis 9, chassis, Ethernet interface module 2, chassis, error, yes, yes, 0, simple
chassis 10, chassis, PCI slot 1, chassis, error, yes, yes, 0, simple
chassis 11, chassis, PCI slot 2, chassis, error, yes, yes, 0, simple
chassis 12, chassis, Chassis, chassis, error, yes, yes, 0, simple
Create New Definition

This menu displays the matching alert definition entries. It also allows the user to change an alert definition entry or create a new one. An alert definition entry defines an alert which will be monitored by the system. The View Alert Definition by Category control allows you to display
320. t Interfaces

Figure 41: Ethernet Menu. Icons: Ethernet Interfaces, PPPoE Interfaces, PPP Logs, Current Route & Interface Table. Apply Configuration: click this button to activate the current boot-time interface and routing settings as they normally would be after a reboot. Warning: this may make your system inaccessible via the network and cut off access to Webmin.

This menu allows you to configure Ethernet interface parameters as well as display the routes and status of all network interfaces. Select the Ethernet Interfaces icon to configure Ethernet interfaces. The Network Interfaces menu lets you edit the permanent configuration of Ethernet interfaces or simply try out changes. The Apply Configuration button restores the permanently saved configuration and restarts Ethernet networking.

Ethernet Interfaces

Figure: Ethernet Interfaces, Current Configuration (columns Name, Interface Type, IP Address, Netmask, Status):
eth1, Auto Negotiation, 10.128.10.231, 255.0.0.0, Up
eth2, Auto Negotiation, (no address), Up
eth2.0001, Ethernet VLAN, 192.168.0.2, 255.255.255.0, Up
eth2.0002, Ethernet VLAN, 172.16.0.2, 255.255.0.0, Up
eth3, Auto Negotiation, 192.168.13.1, 255.255.255.0, Down
eth4, Auto Negotiation, 192.168.14.1, 255.255.255.0, Down
Boot Time Configuration (columns Name, Interface Type, IP Address, Netmask, Activate at boot):
eth1, Auto Negotiation, 10.128.10.231, 255.0.0.0, Ye
321. t to see whether the condition is true or false. And Repeats configures how many times the condition must be true before the alert is generated. And Until configures how many seconds the condition must be true before an alert is generated. Not Cleared Repeats configures how many times the condition must be false before the alert is cleared. Not Cleared Until configures how many seconds the condition must be false before an alert is cleared.

The Parameters for RMON table allows the user to configure additional parameters if the alert definition entry is of RMON type. Device Name configures the name of the device to be monitored. MIB Variable configures the MIB variable being monitored. Sample Interval configures how often samples are taken. Rising Threshold configures the value that triggers an event when the variable rises past it. Falling Threshold configures the value that triggers an event when the variable falls past it. Startup configures which crossing (rising, falling or either) is allowed to cause the initial event.

RuggedCom 239 RuggedRouter User Guide

Gauntlet Security

RX1100 owners can use the Gauntlet security appliance to restrict access to critical assets. This section details how to activate Gauntlet and determine the currently negotiated sessions. Details and recommendations on applying the Gauntlet system to networking may be
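The rising and falling thresholds, the startup condition and the repeat counters above describe two mechanisms that are easy to misconfigure: threshold hysteresis, which stops a value hovering around one threshold from raising an alert on every sample, and debouncing, which waits for the condition to hold for And Repeats samples before alerting and for Not Cleared Repeats samples before clearing. The following Python is an added example, not RuggedCom code: RmonAlarm follows the RMON alarm semantics of RFC 2819 (a rising event re-arms only after a falling crossing, and vice versa; the startup setting decides which crossing may fire on the first sample), and DebouncedAlert applies the two repeat counts to a boolean condition. The threshold values and sample sequences are constructed.

```python
"""Threshold alarm with rising/falling hysteresis, plus repeat-count debouncing.
Added example, not RuggedCom code.
"""


class RmonAlarm:
    """RFC 2819 style alarm: one event per crossing, re-armed by the opposite crossing."""

    def __init__(self, rising, falling, startup="risingOrFalling"):
        if rising <= falling:
            raise ValueError("rising threshold must exceed falling threshold")
        self.rising, self.falling, self.startup = rising, falling, startup
        self.last = None      # side last crossed: "rising", "falling" or None (inside the band)
        self.first = True

    def sample(self, value):
        """Return "rising", "falling" or None for this sample."""
        if self.first:
            self.first = False
            if value >= self.rising:
                self.last = "rising"      # armed either way; event only if startup allows it
                return "rising" if self.startup in ("rising", "risingOrFalling") else None
            if value <= self.falling:
                self.last = "falling"
                return "falling" if self.startup in ("falling", "risingOrFalling") else None
            return None
        if value >= self.rising and self.last != "rising":
            self.last = "rising"
            return "rising"
        if value <= self.falling and self.last != "falling":
            self.last = "falling"
            return "falling"
        return None                       # inside the band, or same side as last event


class DebouncedAlert:
    """Raise after `repeats` consecutive true samples, clear after `clear_repeats` false ones."""

    def __init__(self, repeats, clear_repeats):
        self.repeats, self.clear_repeats = repeats, clear_repeats
        self.true_run = self.false_run = 0
        self.active = False

    def update(self, condition):
        """Return "raised", "cleared" or None for this sample."""
        if condition:
            self.true_run += 1
            self.false_run = 0
            if not self.active and self.true_run >= self.repeats:
                self.active = True
                return "raised"
        else:
            self.false_run += 1
            self.true_run = 0
            if self.active and self.false_run >= self.clear_repeats:
                self.active = False
                return "cleared"
        return None


if __name__ == "__main__":
    # Constructed: link utilisation samples against an 80/60 percent band.
    alarm = RmonAlarm(rising=80, falling=60, startup="rising")
    for v in (50, 85, 90, 70, 85, 55, 85):
        print(v, alarm.sample(v))
    # Constructed: a condition that must hold for two samples to raise, two to clear.
    debounce = DebouncedAlert(repeats=2, clear_repeats=2)
    for c in (True, True, True, False, False, False):
        print(c, debounce.update(c))
```

In the first sequence the value drops to 70 and climbs back to 85 without a second rising event, because it never fell to the falling threshold; set the two thresholds close together and that protection disappears.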
322. tallable. The Save button below the table saves the routes and immediately installs them. The following sanity checks are made for static routes:
- The netmask cannot be 0.0.0.0.
- If the interface is active the static route will be installed; if it cannot be installed it is treated as illegal.
- A route's gateway address must belong to the network of the route's interface.

Delete routes by removing their Network/Host addresses before saving.

Manually Entered Static Routes

This table is shown if there are active static routes that are not in the Configured Static Routes table. Following a route's Save to Configured Static Routes link will make the route permanent. Note: there are situations where manually entered routes should not be converted, e.g. routes dynamically added by IPsec and GRE tunnels. Making these routes permanent may cause the daemons that add them to fail.

52 RuggedCom Chapter 4 Configuring Networking

Static Multicast Routing

Figure: Configured Static Multicast Routes (columns Route, Multicast IP Address, Input Interface, Source IP Address, Output Interface, Comment):
1, 239.156.10.2, eth1, 192.168.31.51, (output interface unreadable in the scan), Installed
2, 239.144.11.3, eth2, 192.168.41.10, eth1, Installed
3, 239.121.78.3, eth1, 177.9.44.5, w1ppp, Not Yet Installed: output interface (rest of comment unreadable)
Save. Note: this router has the following network interfaces: eth1, eth2, eth3, eth4.
Figu
323. tandard reference clock. The router uses this identifier when it has synchronized with a remote NTP server.
- DFLT: after the router has power-cycled but before any GPS or NTP lock has occurred.

PTP favors preferred masters over normal masters, GPS over NTP over DFLT, and higher clock stability over lower clock stability.

Synchronizing NTP from IEEE1588

If GPS is unavailable and PTP becomes a slave, the NTP server treats the received IEEE1588 time like any other source of time. The quality (i.e. stratum) of the IEEE1588 information is determined by the type of clock source at the master, the number of Boundary Clock hops, and the measured network jitter. The number of Boundary Clock hops is the number of IEEE1588 devices the original time source is relayed through (not Ethernet hops) and is always 1 or higher. The measured network jitter factor is 0 if jitter is higher than 1 microsecond and 1 if it is less than 1 microsecond.

PTP Identifier: Stratum reported to NTP
GPS: 1 + Number of Hops - 1 (if low jitter)
NTP: user-configurable value (default 2) + Number of Hops - 1 (if low jitter)
DFLT: user-configurable value (default 10) + Number of Hops - 1 (if low jitter)

The stratum number reported is limited to the range 1 to 16 to comply with NTP. As an example, a directly connected PTP clock having a GPS clock source and low jitter would report a stratum of 1. With defaults, a 2-hop-away PTP clock having an NTP
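The stratum table above, carried through for the other cases, as an added example that is not RuggedCom code: ptp_stratum applies base value + hops - jitter factor and the 1 to 16 clamp, with the NTP and DFLT bases as parameters because the page says they are user-configurable; best_master ranks candidate masters in the documented preference order (preferred over normal, GPS over NTP over DFLT, higher stability over lower). The candidate names and their stability numbers are constructed placeholders for the comparison, since the page gives no unit for clock stability.

```python
"""Stratum NTP assigns to IEEE1588 time, and master preference. Added example,
not RuggedCom code. hops counts IEEE1588 devices (always >= 1); jitter_us is
the measured network jitter in microseconds.
"""

CLOCK_RANK = {"GPS": 0, "NTP": 1, "DFLT": 2}   # documented preference, best first


def ptp_stratum(identifier, hops, jitter_us, ntp_base=2, dflt_base=10):
    """Stratum reported to NTP for time learned from a PTP master."""
    if hops < 1:
        raise ValueError("hop count is the number of IEEE1588 devices and is always >= 1")
    base = {"GPS": 1, "NTP": ntp_base, "DFLT": dflt_base}[identifier]
    low_jitter = 1 if jitter_us < 1.0 else 0          # the documented jitter factor
    return max(1, min(16, base + hops - low_jitter))  # clamped to NTP's 1..16


def best_master(candidates):
    """candidates: (name, preferred, identifier, stability). Return the winning name.

    Ordering: preferred before normal, then GPS > NTP > DFLT, then higher stability.
    """
    return min(candidates, key=lambda c: (not c[1], CLOCK_RANK[c[2]], -c[3]))[0]


if __name__ == "__main__":
    for ident, hops, jitter in (("GPS", 1, 0.2), ("GPS", 1, 5.0), ("NTP", 2, 0.5),
                                ("DFLT", 3, 0.5), ("DFLT", 9, 5.0)):
        print(ident, hops, jitter, "->", ptp_stratum(ident, hops, jitter))
    # Constructed candidates: a normal GPS master loses to a preferred DFLT master.
    print(best_master([("gm-a", False, "GPS", 0.9), ("gm-b", True, "DFLT", 0.1)]))
```

The last case shows why the preferred flag deserves care: a master marked preferred wins even with a DFLT clock source, and a slave synchronising NTP from it will then report a stratum derived from the DFLT base rather than from GPS.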
324. tart a Webmin-only upgrade, Webmin starts another program to manage the upgrade and terminates itself. Webmin automatically restarts after the upgrade completes, after which you may log back in.

262 RuggedCom Chapter 26 Maintaining The Router

Installing A New Package

Figure 237: Installing A New Package. Select the location to install a new package from: From local file; From uploaded file (Browse); From ftp or http URL. Install.

The Install A New Package feature uploads and installs packages on the router. Select the From local file option if you have already moved the package to the router through http, ftp or scp; you may either enter the full path from the root directory to the package or use the file selector to identify it. Select the From uploaded file option if you have the file locally on your workstation; you may either enter the location of the file on your local file system or use the Browse selector to identify the package. Select the From ftp or http URL option if you know the network address of the package. Complete the installation by selecting the Install button.

Pre-upgrade / Post-upgrade scripts (#!/bin/bash)

The pre-upgrade and post-upgrade script feature allows you to execute a user-defined script before and after a software system upgrade. The scripts run only when there are packages to install; they will not run when showin
325. te

Figure 93: Editing a Firewall Network Interface.

The dhcp option should be selected if the interface is assigned an IP address via DHCP or is used by a DHCP server running on the firewall. The firewall will be configured to allow DHCP traffic to and from the interface even when the firewall is stopped. You may also wish to use this option if you have a static IP but are on a LAN segment with many laptops that use DHCP and you select the norfc1918 option (see below).

The arp_filter option causes this interface to answer ARP who-has requests only for hosts that are routed out of that interface. Setting this option facilitates testing of your firewall where multiple firewall interfaces are connected to the same hub or switch; all interfaces connected to the single hub or switch should have this option specified. Note that using such a configuration is strongly recommended against.

The routeback option causes Shorewall to set up handling for routing packets that arrive on this interface back out the same interface.

The tcpflags option causes Shorewall to make sanity checks on the header flags in TCP packets arriving on this interface. Checks include: null flags, SYN+FIN, SYN+RST, and FIN+URG+PSH; these flag combinations are typically used for silent port scans. Packets failing these checks are logged according to the TCP_FLAGS_LOG_LEVEL option in /etc/shorewall/shorewall.conf and are disposed of according to the TCP_FLAGS_DISPOSITI
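To see what the tcpflags checks actually catch, the following Python is an added example (not Shorewall or RuggedCom code) that applies the same four checks listed above to TCP flag combinations written in tcpdump's letter notation (S, F, R, P, U, with "." for ACK), which is how you will see them in a capture taken while investigating a TCP_FLAGS_LOG_LEVEL log entry. The sample source addresses and flag strings are constructed.

```python
"""Classify TCP flag combinations with the Shorewall tcpflags sanity checks
(null flags, SYN+FIN, SYN+RST, FIN+URG+PSH). Added example, not Shorewall or
RuggedCom code.
"""

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
LETTERS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, ".": ACK, "U": URG}


def parse_tcpdump_flags(text):
    """'S.' -> SYN|ACK, 'FPU' -> FIN|PSH|URG, 'none' or '' -> no flags."""
    if text.lower() in ("", "none"):
        return 0
    flags = 0
    for ch in text:
        if ch not in LETTERS:
            raise ValueError(f"unknown flag letter {ch!r}")
        flags |= LETTERS[ch]
    return flags


def tcpflags_check(flags):
    """Return the name of the failed check, or None when the combination is sane."""
    if (flags & 0x3F) == 0:
        return "null"                          # no flags at all: NULL scan
    if (flags & (SYN | FIN)) == (SYN | FIN):
        return "syn-fin"                       # cannot open and close in one segment
    if (flags & (SYN | RST)) == (SYN | RST):
        return "syn-rst"
    if (flags & (FIN | URG | PSH)) == (FIN | URG | PSH):
        return "fin-urg-psh"                   # XMAS-style scan
    return None


def triage(entries):
    """Map (source, flag-string) pairs to (source, flag-string, verdict)."""
    return [(src, txt, tcpflags_check(parse_tcpdump_flags(txt))) for src, txt in entries]


SAMPLE = [  # constructed: source address and tcpdump flag string
    ("10.0.0.7", "S"), ("10.0.0.7", "S."), ("198.51.100.9", "SF"),
    ("198.51.100.9", "none"), ("198.51.100.9", "FPU"), ("10.0.0.8", "F."),
]

if __name__ == "__main__":
    for src, txt, verdict in triage(SAMPLE):
        print(f"{src:15} [{txt:4}] {verdict or 'ok'}")
```

Legitimate handshakes (S, S.) and teardowns (F.) pass; the three entries from 198.51.100.9 are exactly the combinations a stealth scanner sends because many stacks answer them without ever logging a connection. The check tells you nothing about a plain SYN scan, which uses valid flags; that is what the firewall's logged DROP policies are for.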
326. ted at bootup.

The Ignore All ICMP ECHO field corresponds to the kernel icmp_echo_ignore_all setting. Setting it to yes causes the kernel to silently ignore incoming ICMP ECHO request packets. The Ignore ICMP Broadcasts field corresponds to the kernel icmp_echo_ignore_broadcasts setting. Setting it to yes causes the kernel to silently ignore incoming ICMP ECHO requests whose destination address is a broadcast address, which stops the router being used as an amplifier in a smurf attack. The Syncookie Protection field corresponds to the kernel tcp_syncookies setting. Setting it to yes causes the kernel to protect against SYN flood attacks by answering with SYN cookies once the listen queue is full.

Dummy Interface

Figure 34: Dummy Interface (Dummy Interface Parameters: Device name dummy0, IP Address 4.12.1.1, Save).

50 RuggedCom Chapter 4 Configuring Networking

This menu allows you to configure a dummy interface. Normally the router is reachable on any of its interface addresses whether the interface is active or not. When OSPF and link detection are used, inactive interfaces are not advertised to the network and are thus not reachable. A dummy interface is always advertised and thus always reachable.

Routing And Gateways

Figure: Routing and Default Route form: Default Route (None, from DHCP, or Gateway with an address; the address shown is unreadable in the scan); Current default gateway is 2.2.2.2 via w1ppp; Save. Configured Static Routes: Line
327. ter 11 Configuring The Firewall

Figure 90: Shorewall Firewall Menu (Shorewall version 2.2.3). Icons: Network Zones (zones), Network Interfaces (interfaces), Zone Hosts (hosts), Default Policies (policy), Firewall Rules (rules), Masquerading (masq), Static NAT (nat), When Stopped (routestopped). Buttons:
Apply Configuration: click this button to activate the current Shorewall configuration with the shorewall restart command.
Refresh Configuration: click this button to activate just the Blacklist and Traffic Shaping tables with the shorewall refresh command.
Clear Firewall: click this button to clear the Shorewall firewall with the shorewall clear command. This will allow access from all hosts without restriction.
Stop Firewall: click this button to shut down Shorewall with the shorewall stop command. This will block access from all hosts except those in the When Stopped table.
Show Status: click this button to view Shorewall's tables and rules from the shorewall status command.
Check Firewall: click this button to have Shorewall validate your firewall configuration with the shorewall check command.

The Apply Configuration button must be used after making configuration changes. It is recommended that the Check Firewall button be used first to verify that any changes made are valid. The Refresh Configuration button can be used to activate changes to the blacklisted ho
328. ter will keep running with its own high-precision timing hardware. When GPS returns, the time is stepped back to the GPS reference clock.

GPS Cable Compensation

GPS signals received by the antenna are delayed in time depending upon the type and length of the cable to the router. This delay introduces inaccuracy in the calculated time and position. The RuggedRouter provides a method to account for this delay. The table below gives some examples of the delay that can be expected for a given dielectric type. Please note that cable characteristics vary from one manufacturer to another.

Dielectric Type: Time Delay (ns/m) / (ns/ft)
Solid Polyethylene: 4.62 / 1.54
Foam Polyethylene (FE): 3.81 / 1.27
Foam Polystyrene (FS): 3.36 / 1.12
Air Space Polyethylene (ASP): 3.45 to 3.63 / 1.15 to 1.21
Solid Teflon (ST): 4.38 / 1.46
Air Space Teflon (AST): 3.39 to 3.60 / 1.13 to 1.20

224 RuggedCom Chapter 24 Configuring IRIGB And IEEE1588

IRIGB/IEEE1588 Main Menu

Figure 187: IRIGB/1588 Main Menu. Icons: General Configuration, IRIGB Configuration, IEEE1588 Configuration, IRIGB Status, IEEE1588 Status, IRIGB Log.

This menu allows you to configure IRIGB and IEEE1588, display their current status and review historical changes.

General Configuration

Figure: General Configuration form: Reference Clock Selection (GPS, IEEE1588, NTP, LOCAL); Cable Compensation 3 nan
329. that active alerts are volatile and will be regenerated after a reboot. If you clear an alert manually it will reappear if the condition occurs again. You may disable the alert permanently by disabling it from its entry in the definition menu. The Clear Alert link under the Action column allows you to clear the alert. Clicking on the Alert Name, Specific, Severity and Date column headers sorts the alerts by those columns. Select Alert Configuration to change the general configuration and the alert filter configuration. Select Alert Definition Configuration to change the alert definition entries.

Alert Configuration

Figure 202: Alert Configuration Menu. General Configuration: This Router's URL (used in email messages) https://10.128.10.247:10000; Default Filter Level for Webmin: Warning; Default Filter Level for Command Line: Error; Save. Alert Filters (columns Forward Destination, Forward Destination Type, Filter Level Comparator, Filter Level): admin@example.com, Email, Greater Than, (level unreadable in the scan); Create New Filter.

This menu configures the general information and forward filters for the alert system. This Router's URL configures the link used to access this router; it is included in forwarded email so that the recipient can click the link to reach the router. The Default Filter Level for Webmin configures the lowest alert level to show in Webmin. All active ale
330. that is shared by all certificates, e.g. a Country Name (C), a State Or Province Name (S), an Organization name (O), and some per-client information, e.g. a Common Name (CN) and an Email address (E). Together this information forms the Distinguished Name (DN) and is used by the router and client to validate each other.

VPN Networking Parameters

The first step is to identify the key parameters required. The router's public gateway (here vpn.xyz.com) and its gateway interface (w1ppp) must be known. The local network subnet (10.0.0.0/8) and each client's internal network address (here 10.0.1.1) must be known. All client addresses should be assigned from a subnet of the local network, e.g. 10.0.1.0/24. A number of encryption parameters should be decided upon depending upon the client capabilities. Avoid selecting 3DES if possible: it has high overhead, and it is also a deprecated cipher, so prefer AES wherever the client supports it.

Client Configuration

Depending upon the client, you may be required to produce the certificate in PKCS#12 (P12) format and may be required to include an export password as well. This password must be known by the personnel who configure the client in order to import the certificate. Install the client IPsec software and import the CA certificate (cacert) and the client's own certificate and key. Configure the client with the router's public gateway, the client's internal network address and the desired encryption parameters. At this point the client should be able to use its Internet connection to ping
331. the wanpipemon utility. The Interface to capture on field specifies the interface to show traffic on. The Maximum packets captured and Maximum capture time fields limit the amount of traffic captured.

Serial Trace

Figure 155: Serial Server Port Trace Menu. Trace on ports (port list, or all ports); Message RX/TX; Hex dump; Incoming/Outgoing Connections; Maximum packets captured 20 (maximum 1000); Maximum capture time 20 (maximum 240 sec); Serial Trace.

The Trace on ports fields specify the serial ports to show traffic on.

180 RuggedCom Chapter 18 Network Utilities

The Message RX/TX and Incoming/Outgoing Connections fields cause data packets and connection activity to be included in the trace. The Hex dump field causes the content of data packets to be displayed. The Maximum packets captured and Maximum capture time fields limit the amount of traffic captured.

Interface Statistics Menu

Figure: Interface Statistics (columns Interface, rxbytes, txbytes, rxpackets, txpackets, rxerrors, txerrors, rxpackets dropped, txpackets dropped):
eth1, 2929760066, 1963432594, 178990610, 190887111, 3424, 0, 7803, 0
eth2, 2434814540, 3980034925, 52321546, 45735310, 189, 0, 388, 0
w1ppp, 3840032131, 558453888, 210385859, 182328223, 0, 0, 0, 0
ipsec0, 1645008043, 3266025576, 7851971, 8937116, 0, 1035, 12092, 11026
ipsec1, 0, 0, 0, 0, 0, 0, 0, 0
ipsec2, 0, 0, 0, 0, 0, 0, 0, 0
ipsec3, 0, 0, 0, 0, 0, 0, 0, 0
332. ther way to solve the above problem could be to dedicate two hosts, 200.0.0.1 and 200.0.0.2, and have the NAT gateway forward requests on port 80 from 200.0.0.1 to 192.168.1.10 and from 200.0.0.2 to 192.168.1.20.

Shorewall Quick Setup

For users familiar with Shorewall, the following serves as a reminder of how to build the firewall. New users may wish to read the Shorewall Terminology And Concepts section before continuing.

1. Logically partition your network into zones. Will you establish a DMZ? Will all Ethernet interfaces need to forward traffic to the public network? Which interfaces are to be treated in a similar fashion?
2. Assign your interfaces to the zones. If using T1/E1, have you created your T1/E1 interfaces prior to building the firewall?
3. Set the default policies for traffic from zone to zone to be as restrictive as possible. Has the local zone been blocked from connecting to the DMZ or firewall? Does the DMZ or firewall need to accept connections? Which connections should be dropped and which reset? What logs are kept?
4. How is the network interface IP assigned, i.e. dynamically or statically? Do hosts at the central site need to know the local address?
5. If your network interface IP is dynamically assigned, configure masquerading.
6. If your network interface IP is statically assigned, configure Source Network Address Translation (SNAT). If a sufficient number of IP addresses are provided by the ISP, static NAT ca
333. they are active at the time it starts. By default, snmpd listens on all interfaces.

Access Control

Figure 221: Access Control page, SNMP v1 and v2c. Community Names table (with Delete), showing an existing community named public with read write access. Add an SNMP v1 or v2c Community Name: Community Name; Access (read only); Source IP; OID; Add.

The first part of the Access Control page allows the creation and deletion of SNMP v1 and v2c community names. The Community Name field selects the name of the community. The Access field determines whether the community is read only or read write. The Source IP field may be used to specify an IP address or range (e.g. 10.0.0.0/24) from which access to this community name may be made. The OID field further restricts access to the Object Identifier (OID) subtree at or below the specified OID. Because v1 and v2c community strings travel in the clear and are the only credential, replace the default public community, never leave a read write community reachable without a Source IP restriction, and prefer v3 users where the management tools support them.

RuggedCom 249 RuggedRouter User Guide

Figure 222: Access Control page, SNMP v3. No v3 users are currently defined. Add an SNMP v3 User: User Name; Access (read only); Minimum Security (No Authentication); OID; Authentication Protocol (MD5); Authentication Passphrase; Privacy Protocol (DES); Privacy Passphrase; Add.

The second part of the Access Control menu allows creation and deletion of v3 users. The User Name field selects the name of the new user. The Access field determines whether the user is read only or read write
334. ting Up And Administering The Router

Chapter 1 Setting Up And Administering The Router

Introduction

This chapter familiarizes the user with the RuggedCom serial console interface, the RuggedRouter setup script, and signing on to the web interface. This chapter describes the following procedures:
- Running the setup script
- Signing on to the web interface
- Signing on to the command prompt
- Restoring the default configuration

Access Methods

You can access the router through the console, the Ethernet ports, the WAN ports and the modem port.

Accounts And Password Management

The router provides an rrsetup account whose shell quickly configures such items as passwords, addresses, date and time, and the services offered by the router. It is very useful to sign in to this shell first, harden the router and configure network addresses so that the router is reachable from the network through web management. The rrsetup password should be changed, recorded securely and restricted to qualified personnel.

The root account provides superuser capability for SSH shell access and the web server. Its password should be changed, recorded securely and restricted to qualified personnel. The root and rrsetup accounts may also be managed through RADIUS authentication.

The web management agent can be accessed through the root account. It may also be accessed through a number of RADIUS accounts via RADIUS authentication. This
335. tion

This chapter familiarizes the user with:
- Configuring IPsec VPN global options
- Creating VPN connections
- Enabling and starting IPsec
- Obtaining VPN status

VPN Fundamentals

IPsec (Internet Protocol Security) uses strong cryptography to provide both authentication and encryption services. Authentication ensures that packets are from the right sender and have not been altered in transit. Encryption prevents unauthorized reading of packet contents. These services allow you to build secure tunnels through untrusted networks: everything passing through the untrusted network is encrypted by the IPsec gateway and decrypted by the gateway at the other end. The result is a Virtual Private Network (VPN), a network which is effectively private even though it includes machines at several different sites connected by the insecure Internet.

The IPsec protocols were developed by the Internet Engineering Task Force (IETF) and were originally specified as a mandatory part of IPv6. Openswan is the open source implementation of IPsec used by the RuggedRouter.

The protocols used by IPsec are the Encapsulating Security Payload (ESP) and Internet Key Exchange (IKE) protocols. ESP provides encryption and authentication, ensuring that a message originated from the expected sender and has not been altered en route. IKE negotiates connection parameters, including keys for ESP. IKE is based on the Diffie-Hellman key exchange protocol, which allows
336. tion Timer field controls how long expired entries are remembered before being purged.

RIP Key Chains

The Key Chains table configures authentication keys used on the interfaces. By defining the keys in a key chain, the same settings can be applied to multiple groups of interfaces; without key chains the same settings would have to be entered for each interface separately. Key chains also allow multiple keys to be entered in a single key chain, each with a start time for when that key becomes valid and the duration for which it is valid. This allows multiple keys to be set up with automatic transitions from one key to the next over time. A key consists of a key string, which is the value used for authentication. It also has an optional lifetime during which RIP messages carrying the key are accepted, and an optional lifetime during which RIP messages are sent with that key.

RIP Interfaces

Figure: RIP Interface Configuration, eth1 (columns Parameter, Value (blank = default), Description, Possible values, Default value):
Passive Interface: passive; controls the interface passive setting; passive or not passive; default not passive
Receive Version: 1 2; RIP version to accept from other routers; 1, 2, or 1 2 (both); default 1 2
Send Version: 2; RIP version to transmit to other routers; 1, 2, or 1 2 (both); default 2
Authentication: String ruggedcom; authentication to use; None, Specified string, or Specified key chain (main); default None
Authentication Mode: Text; mode of authentication to
337. …tomatic / None. Add a new network interface. Manually Edit File: Click this button to manually edit the Shorewall file /etc/shorewall/interfaces in which the entries above are stored. Figure 92: Firewall Network Interfaces. 114 RuggedCom. Chapter 11: Configuring The Firewall.

This menu allows you to add, delete and configure network interfaces. Add a new interface by selecting the Add a new network interface link or by clicking on the add above or add below images in the Add field. Reorder the interfaces by clicking on the arrows under the Move field. Clicking on a link under the Interface field will allow you to edit or delete the interface. Note that if you delete an interface, you should remove any rules that reference it. You may also make changes by manually editing the interfaces file.

Note: If you use a WAN interface in the firewall, the interface will be referred to by its name. Some WAN changes, such as changing the number of channels used by a T1/E1 logical interface, will change the name. Ensure that the entries in this menu reflect the correct interface names.

Module Index: Edit Network Interface. Network interface details: Interface: eth1; Zone name: Local; Broadcast: None / Automatic / address; Options: arp_filter, routeback, tcpflags, dhcp, norfc1918, nobogons, routefilter, proxyarp, maclist, nosmurfs, logmartians. Save / Dele…
338. …ts to send higher priority packets first. Note that it is possible to indefinitely stall the transmission of packets from a lower priority queue if traffic from a higher queue saturates the interface.

Note: The router mandates that you must have at least a low, normal and high priority queue. Additionally, the high queue must be of higher priority than the normal queue, which must be of higher priority than the low queue.

Filters. For each packet to be transmitted on a prioritized interface, the packet is compared against each of the filters on that interface until a match is found. The matching filter directs the packet onto a specific queue. If no matching filter is found, the packet's Type of Service (TOS) bits in its IP header are examined and used. It is possible to match on source and destination IP address/mask pairs, source and destination port numbers, and protocols. The 0.0.0.0/0 address/mask matches any IP address. Protocols that can be matched upon include tcp, udp, icmp, ospf, vrrp and ipsec. 168 RuggedCom. Chapter 16: Configuring Traffic Prioritization.

TOS Prioritization. The priority of an IP packet can be derived from its Type of Service field. The TOS field has the following format (bit 7 on the left, bit 0 on the right):

  7 6 5 4 3 2 1 0   TOS bits
  PRECEDENCE | MD MT MR MMC | 0

The four TOS bits of the TOS field are defined as:
- MD: Minimize Delay
- MT: Minimize Throughput
- MR: Maximize…
339. …two parties without any initial shared secret to create one in a manner immune to eavesdropping.

IPsec Modes. IPsec has two basic modes of operation. In transport mode, IPsec headers are added as the original IP datagram is created. The resultant packet is composed of an IP header, IPsec headers and IP payload (including a transport header). Transport mode is most commonly used between IPsec end stations, or between an end station and a gateway. In tunnel mode, the original IP datagram is created normally and then encapsulated into a new IP datagram. The resultant packet is composed of a new IP header, IPsec headers, old IP header and IP payload. Tunnel mode is most commonly used between gateways, the gateway acting as a proxy for the hosts behind it.

Policy Vs Route Based VPNs. The RuggedRouter supports two main modes of VPN: policy and route based VPN. RuggedCom 123 RuggedRouter User Guide. With route based VPNs, Openswan generates an IPSEC interface for each VPN tunnel. As the tunnel is brought up, a route for the subnet at the other end of the tunnel is created through that interface. Any traffic destined for the tunnel's remote subnet is forwarded to the IPSEC interface, encoded and transmitted. The firewall is configured with a vpn zone (zone type IP V4); the IPSEC interface is included in the zone. As IPsec packets are received, Openswan decodes them and directs the decoded packet to the IPSEC interface. Firewalling c…
340. …u Ports and Addresses sub menu.
4. Review the IP networking settings provided in the Network Configuration menu, Core Settings sub menu. You may wish to tighten some settings, especially Ignore All ICMP ECHO requests.
5. Restrict the users that the SSH server will allow to connect. See the SSH Server menu, Access Control sub menu.
6. If the router is an RX1100 and you wish to use the Snort Intrusion Detection System, activate and configure it.
7. If the router is an RX1100 and you wish to use the Gauntlet security appliance, activate and configure it.
8. If SNMP will be used, limit the IP addresses which can connect and change the community names. Configure SNMP to raise a trap upon authentication failures.
9. Only enable the services you need and expect to use.
10. The RuggedRouter comes with the following login banner. Replace the contents of the files /etc/issue and /etc/issue.net in order to change it:

WARNING: You are attempting to access a private computer system. Access to this system is restricted to authorized persons only. This system may not be used for any purpose that is unlawful or deemed inappropriate. Access and use of this system is electronically monitored and by entering this system you are giving your consent to be electronically monitored. We reserve the right to seek all remedies for unauthorized use, including prosecution.

11. If using a firewall, configure and start the firewall before attaching the router to the…
341. …u Before/After Generation … 129
IPsec VPN Configuration After Connections Have Been Created … 130

20 RuggedCom. Table Of Figures (continued):
Figure 107 … 130
Figure 108 Show Public Keys … 131
Figure 109 Preshared … 131
Figure 110 List Co… 132
Figure 111 Editing A VPN Connection Part 1 … 132
Figure 112 Editing A VPN Connection Part 2 … 134
Figure 113 IPSEC Status … 135
Figure 114 End To End Backup Example … 136
Figure 115 OSPF And … 146
Figure 116 Dynamic Routing … 147
Figure 117 Enable Protocol … 148
Figure 118 … 148
Figure 119 Core Global Parameters … 148
Figure 120 Core Interface Parameters … 149
Figure 121 OS… 150
Figure 122 OSPF Global Parameters … 150
Figure 123 OSPF … 152
Figure 124 Network … 153
Figure 125 … 154
Figure 126 … 154
Figure 127 RIP … 156
Figure 128 … 157
Figure 129 Link Backup Main M… 160
Figure 130 Link Backup Main Menu … 160
Figure 131 Link Backup Con… 160
Figure 132 Link Backup Con… 161
Figure 133 … 162
RuggedCom 21 RuggedRouter User Guide. Figure 134, Figure 135, Figure 136, Figure 137, Fi…
342. …u presents connection statuses but does not update them in real time. Click on the Refresh this page link to update to the current status. The menu will change after assignment of a logical interface, providing links to logical interface and link statistics.

DDS 1: Connecting. Columns: Name; Description; Local Address; Netmask; Remote Address; Default Gateway; Statistics. Row: w1ppp (Down); No description; 10.2.1.1; 255.255.255.255; 10.2.1.2; none; View 56K 1 Link Statistics. Figure 71: DDS WAN Interfaces after logical interface assignment. 84 RuggedCom. Chapter 8: Configuring Frame Relay, PPP And DDS.

Naming Of Logical Interfaces. Webmin names the logical interfaces for you but allows you to provide a description. All interfaces start with a "w" to identify them as wan interfaces, followed by the interface number. The next part of the identifier is either ppp, or fr and the frame relay DLCI number.

Editing A Logical Interface (Frame Relay). Edit New Logical Interface (56K 1). Frame Relay Parameters: Station Type: CPE (FR DTE); Interface Signalling type: ANSI; Link Failure: Leaves IP interface up; T391; T392; N391; N392; N393. Per-DLCI fields: Description; DLCI; Local Address; Netmask; Remote Address; Default Gateway. Figure 72: Edit Logical Interface, Frame Relay, single DLCI. This menu allows you to display and configure logical interface fields f…
343. …ual Router. Each VRRP Router may participate in one or more Virtual Routers. 162 RuggedCom. Chapter 15: Configuring VRRP.

Each Virtual Router has a user configured Virtual Router Identifier (VRID) and a Virtual IP address, or set of IP addresses, on the shared LAN. Hosts on the shared LAN are configured to use these addresses as the default gateway. One router in the Virtual Router Group will be elected as the Master; all other routers in the group will be Backups. Each router in the group will run at a specific Priority. The router with the highest priority is elected Master. The value of Priority varies from 1 to 255. VRRP can also monitor a specified interface and give up control of a VRIP if that interface goes down.

In the following network, host 1 uses a gateway of 1.1.1.253 and host 2 uses a gateway of 1.1.1.252. The 1.1.1.253 gateway is provided by VRID 10. In normal practice router 1 will provide this virtual IP, as its priority for VRID 10 is higher than that of router 2. If router 1 becomes inoperative, or if its w1ppp link fails, it will relinquish control of VRIP 1.1.1.253 to router 2. In a similar fashion, host 2 can use the VRID 11 gateway address of 1.1.1.252, which will normally be supplied by router 2.

Network diagram: Central Site Network; Remote Router 1 (w1ppp, 1.1.1.200, VRID 10 VRIP 1.1.1.253) and Remote Router 2 (w2ppp, 1.1.1.201, VRID 10 VRIP 1.1.1.253); VRID 10 Prior…
344. …ule Index. Masquerading: Entries on this page set up network address translation for traffic routed between some network and a particular interface. Columns: Outgoing interface; Network to masquerade; SNAT address. Row: w1ppp; Network on eth1; 206.176.248.148. Add a new masquerading rule. Manually Edit File: Click this button to manually edit the Shorewall file /etc/shorewall/masq in which the entries above are stored. Figure 97: Firewall Masquerading And SNAT.

This menu allows you to add, delete and configure masquerading and SNAT rules. Add a new rule by selecting the Add a new masquerading rule link or by clicking on the add above or add below images in the Add field. Reorder the policies by clicking on the arrows under the Move field. Clicking on a link under the Outgoing interface field will allow you to edit or delete the rule, as shown below. You may also make changes by manually editing the rule file.

Module Index: Edit Masquerading Rule. Masquerading rule details: Outgoing interface: w1ppp; Only for destination: 100.1.1.1; Network to masquerade: Subnet address / Subnet on interface eth1; Except for networks: (blank); SNAT address: None / 206.176.248.148. Save / Delete. Figure 98: Editing A Masquerading Rule. The Only for destination field restricts the masquerading to the specified IP address…
345. …use this guide along with the following applicable documents:
- RuggedRouter Installation Guide
- Rugged MediaConverter Installation Guide
- RuggedCom Fiber Guide
- Gauntlet Command and Control Center (CCC) User Manual
- Gauntlet Virtual Polling Controller (VPC) User Manual
- Gauntlet System Installation Manual
- Gauntlet System Best Practices

RuggedCom RuggedRouter User Guide. Document Conventions. This publication uses the following conventions.
Note: Means reader take note. Notes contain helpful suggestions or references to materials not contained in this guide.
Helpful Hint: This type of note often indicates useful shortcuts or methods employed by other RuggedCom customers.

Quick Start Recommendations. The following description is included to aid those users experienced with communications equipment that may wish to attempt to configure the router without fully reading the guide.
1. Locate/mount the chassis in its final resting place and apply power.
2. The router can be configured through its web management interface or, for advanced users, through ssh. The default Ethernet addresses for ports one through four are 192.168.1.1 through 192.168.4.1. Two shell accounts, rrsetup and root, are provided. Both accounts have a default password of admin. The web management interface uses the root account password. The rrsetup account provides a shell that configures such items as passwords, addresses, date…
346. …used when it is desirable to prevent unauthorized routers from joining the network. RIP authentication is supported by per interface configuration or the use of key chains. Separate key chains spanning different groups of interfaces and having separate lifespans are possible. By enabling authentication and configuring a shared key on all the routers, only routers which have the same authentication key will be able to send and receive advertisements within the RIP network.

OSPF And Antispoofing. Antispoofing is the process of discarding packets arriving on an interface because they match the subnet of another configured interface. This is not a normal occurrence in conventional routing. This situation can arise in OSPF when routers are multiply connected. If, for example, two routers are connected by lower speed wan and higher speed Ethernet links, packets on subnets native to the wan will still be forwarded via Ethernet because of cost. If antispoofing is enabled, the packet will be discarded at the peer OSPF router.

Note: Ensure that Antispoofing is disabled if you are constructing the above described type of OSPF network. Antispoofing can be disabled in the Network Configuration menu, Core Settings sub menu.

Administrative Distances. The router may work with different routing protocols at the same time, as well as employing local interface and statically assigned routes. An administrat…
347. …will only upgrade from that release. The Bandwidth Limiting selector allows you to select the bandwidth available for upgrading software.

Automatic Upgrading. Automatic Upgrade: Upgrades enabled: Yes / No; Upgrade Time; Save Changes. Figure 235: Automatic Upgrade. Check the Upgrades enabled field to activate daily upgrades. Use the Upgrade Time fields to select the time to upgrade. Selecting different times on each router can be used to even out traffic flows in the network.

Upgrading All Packages. Upgrade All Packages: Resynchronize package list: Yes / No; Only show which packages would be upgraded: Yes / No; Upgrade Now. Figure 236: Upgrading All Packages. The Upgrading All Packages feature works by obtaining a list of the latest packages and then either showing what needs to be upgraded or actually doing an upgrade. The Resynchronize package list field selects whether to obtain the list. You only need to obtain the list once, so checking No can save you some time if your first pass was Only show. This is especially true if the network link is a low speed WAN link. The Only show which packages would be upgraded field controls whether to show what needs to be upgraded or actually do an upgrade.

Note: Webmin manages the upgrade of other packages. When Webmin must upgrade itself, the process requires an extra step. You will be requested to s…
348. …within an area. The Hostname field sets the hostname for the ospf daemon. This value is only used as a reference for convenience. The telnet interface prompt will contain this hostname. The router's system wide hostname is used if this field is left blank. The Opaque LSA field controls the opaque LSA option. This feature is covered in RFC2370. This feature is sometimes used to distribute application specific information through a network using OSPF LSAs. The Passive Default option controls the default active/passive state of new interfaces. When enabled, all new interfaces will be passive by default. The passive state of individual interfaces is controlled from the OSPF Interfaces configuration. The Refresh Timer field controls how frequently OSPF LSA refreshes occur. The RFC 1583 Compatibility field controls support for RFC1583 compatibility. If this option is enabled, OSPF will be compatible with the obsolete RFC1583 version of OSPF. By default it is compatible with the RFC2178 version of OSPF only. The Redistribute Connected fields control distribution of connected routes. When enabled, OSPF will advertise routes to directly connected interfaces to other OSPF routers in the area. Normally only routes that fall within the scope of the network areas will be advertised. 148 RuggedCom. Chapter 13: Configuring Dynamic Routing. The Redistribute Kernel fields control distribution of kernel routes. When enabled, OSPF will advertise routes…
349. …work. When automatic daily upgrades are used, you may wish to stagger the upgrade time of the routers. If your network has a natural ebb/flow period of traffic activity, schedule the upgrades during this time. As an example, if you have 20 routers to upgrade and they must be upgraded over an eight hour period, configure each router to start its upgrade 20 minutes after the previous router. Be careful with limiting download bandwidth in the router. Typical upgrades will involve less than 5 MBytes of traffic. If bandwidth limiting is employed and set to 8 Kbps, the upgrade will require upwards of 1.5 hours to complete. Administrators should also be wary of routers which concentrate locally connected routers, as the upgrade bandwidth consumed on the network link could reach the sum of all bandwidth limiting settings. Routers using Frame Relay with CIR under subscription may also encounter lengthier downloads because of retransmission.

Appendix B: Downgrading Router Software. RuggedCom recognizes that customers may need to downgrade router software: Routers being added to the network have a more recent version than that standardized for the network. Network staff may wish to regain confidence in the software of an exposed router by downgrading it to its current version, essentially reloading its software. Network staff may wish to explore how features operated on a previous release…
350. …wser to Access the Web Interface. Start a web browser session and open a connection to the router by entering a URL that specifies its hostname or IP address, e.g. https://179.1.0.45:10000. Once the router is contacted, start the login process by clicking on the Login link. The resulting page should be similar to that presented below.

Login to RuggedCom Webmin: You must enter a username and password to login to the Webmin server on myrouter. Username; Password; Login; Clear. Figure 11: Signing On To The Router With A Web Browser. Enter the root user name and the appropriate password for that user, then click on the Login button. The router is shipped with a default administrator password of admin. Once successfully logged in, the user will be presented with the main menu.

SSL Certificate Warnings. Your browser may complain about the SSL certificate that Webmin issues. This happens because the default SSL certificate that comes with Webmin is not issued by a recognized certificate authority. From a security point of view, this makes the certificate less secure, because an attacker could theoretically redirect traffic from your server to another machine without you knowing, which is normally impossible if using a proper SSL certificate. Network traffic is still encrypted though, so you are safe against attackers who are just listening in on your network connection. If you are initiating the connection t…
351. …y address, proxy arping and media type of each interface. See the chapter Configuring Ethernet Interfaces for more details. If your router is equipped with T1/E1 WAN interfaces, the Networking menu, T1/E1 sub menu will allow you to configure them with Frame Relay or PPP connections. See the chapter Configuring Frame Relay, PPP And T1/E1 for more details. If your router is equipped with T3 WAN interfaces, the Networking menu, T3 sub menu will allow you to configure them with Frame Relay or PPP connections. See the chapter Configuring Frame Relay, PPP And T3 for more details. If your router is equipped with DDS interfaces, the Networking menu, DDS sub menu will allow you to configure them with Frame Relay or PPP connections. See the chapter Configuring Frame Relay, PPP And DDS for more details. If your router is equipped with ADSL interfaces, the Networking menu, ADSL sub menu will allow you to configure them. See the chapter Configuring PPPoE On ADSL for more details. If you wish to use PPPoE with an external ADSL modem, the Networking menu, Ethernet sub menu will configure it. RuggedCom RuggedRouter User Guide. If your router is equipped with an embedded modem, the Networking menu, Modem sub menu will allow you to configure it with PPP or incoming console connections. See the chapter Configuring PPP And Modem f…
352. …you decide to create your own user accounts, the ssh-keygen utility can be used to populate the account with SSH keys. 218 RuggedCom. Chapter 23: Configuring SSH.

SSH Main Menu. SSH Server (OpenSSH_3.8.1): Authentication; Networking; Access Control. Apply Changes: Click this button to apply the current configuration and restart the SSHd process. Figure 183: SSH Server. Note that the SSH server is enabled by default and may be disabled via the System folder, Bootup And Shutdown menu. When enabled, any configuration changes may be made to take effect by selecting the Apply Changes button.

Authentication. Login and authentication options: Allow authentication by password: Yes / No; Permit logins with empty passwords: Yes / No; Allow RSA authentication: Yes / No; Pre-login message file: None / (file). Save. Figure 184: SSH Server Authentication Menu. The Allow authentication by password field determines whether to allow clear text tunneled passwords. If set to Yes, the user will be allowed to enter a password for authentication if validation cannot be done using a public key. The Permit logins with empty passwords field, when password authentication is allowed, specifies whether the server allows login to accounts with empty passwords. The Allow RSA authentication field specifies whether pure RSA authentication is allowed. If this is set to No, u…
353. …ystem. Save. Figure 119: Core Global Parameters. The Enable Password field sets the password to be used for the enable command of core. This is used by the telnet interface of core to control access to the configuration. The Telnet Password field sets the password to be used for telnet access to core. This is used as the login password of core when locally telnetting to port 2601 of the router. The Hostname field sets the hostname for the core daemon. This value is only used as a reference for convenience. The telnet interface prompt will contain this hostname. The router's system wide hostname is used if this field is left blank. The Router Id field sets the router id to use for the core daemon. This value is used as a unique identifier for the dynamic routing protocol, to identify which router sent which route advertisement. By default it uses the highest IP assigned to an interface on the router. It is recommended that this value be set to a unique fixed IP on each router.

Core Interface Parameters. Figure 120: Core Interface Parameters. Core Interface Configuration (eth1). Columns: Parameter; Value (blank = default); Description; Possible values (default value).
- Bandwidth: 110000. Bandwidth to use in autocost calculation. Possible values: 1 to 10000000 kbps.
- Link Detect: enable. Control interface link detect setting. Possible values: enable, disable. Default: disabled.
Save. Parameters specific to one interface are configured…
354. …zes the user with:
- Pinging hosts
- Running a traceroute
- Performing a host lookup
- Tracing line activity
- Showing interface statistics

Network Utilities Main Menu. Network Utilities: Ping; Traceroute; Host Lookup; Interface Statistics; Current Route & Interface Table. Hostname: Ping It / Traceroute It / Look Up. Figure 149: Network Utilities Main Menu. The lower part of the menu provides quick pinging, tracerouting and lookup of hosts. The upper part leads to menus providing more configurable options for these commands. Additionally, Ethernet, WAN and Serial port tracing is provided. A summary of interface statistics and the current routing table is provided.

Ping Menu. Ping: Hostname; Verbose Output; Lookup Addresses; How many Packets: 5; Packet Size: 56; Time between pings: 1 (Seconds); Pattern(s) to send (Hex); Ping It. Figure 150: Ping Menu. The Hostname field accepts the host name or IP address to ping. The Verbose Output field causes ping to present the maximum of output. The Lookup Addresses field causes ping to resolve IP addresses to domain names. This can make ping behave very slowly if DNS is not properly configured. The Packet Size field specifies the size of the data in the ping packet. The true length of the packet is 28 bytes larger, du…