
mbNET Manual


Contents

1. VPN > PPTP > Server Configuration (mbNET manual, Version 3.0, page 68 of 229)
From the home page, click VPN in the navigation bar on the left and PPTP at the top. This displays the screen shown in Figure 93: Server Configuration (Enable; Autoconfig: YES), Encryption Configuration (Encryption: MPPE V2 / All), Authentication Configuration (Authentication via PAP, via CHAP, via MS-CHAP, via MS-CHAP V2), Save Changes.
If you now check the Enable box and save this setting, your server is live. It will then provide dial-in clients with addresses from its local network and use its LAN address as the PPTP server address.
If you wish to use other addresses, set the Autoconfig option to NO; you will then see the screen in Figure 94 with the additional fields Local IP Address (e.g. 192.168.0.100, or a range), Remote IP Address (e.g. 192.168.0.101-110, or a range), DNS address given to the client (e.g. 192.168.0.100) and WINS address given to the client, followed by the same encryption and authentication settings and Save Changes.
Enable: To enable the connection, check the box by clicking on it.
Security note: PAP sends the password in clear text (see item 18), and the MS-CHAP/MS-CHAPv2 plus MPPE combination that PPTP relies on is widely regarded as cryptographically weak. Where the client supports it, prefer the router's OpenVPN or IPsec connections; if PPTP must be used, untick PAP and CHAP and allow only MS-CHAP V2.
2. Connection scenarios (section 9): Configuring the mbNET industrial router's integrated modem for connection with a client PC via the Internet (see section 9.3). Configuring the mbNET router for connection with a client PC via DSL, i.e. Internet access using a DSL modem (see section 9.4). Configuring the mbNET industrial router for connection to the Internet using another router (see section 9.5). Configuring the mbNET industrial router for a VPN connection with a client, where the client is either a PC dialing in via an Internet Service Provider (ISP) or a router dialing in via an ISP (see section 9.6). Configuring an mbNET industrial router for a VPN connection to another mbNET router, router to router across the Internet via their ISPs (see section 9.7).
9.2 Configuring the industrial router for connection over the telephone network: The following diagram shows how to connect the industrial router to a client over the public telephone network. Using this type of connection, the industrial router can be accessed over the telephone network via its serial interfaces (see Serial Interfaces) and LAN interface. In th
3. Network > Serial > COM2 (I/O Manager): Interface Type: MPI/PROFIBUS; Protocol: MPI/PROFIBUS; Network Driver: Enable RFC1006; Own station address; Enable RFC1006 Routing; Station address of the routing gateway; Protocol: TCP; Port; Enable ports through firewall; Save Changes.
19.1.1 Creating the PLC connection: Enable the driver and enter a Name and Description. The Name field must not contain any control characters or spaces. Click the button after entering the data. Server Configuration > Edit Server (example: S7_ISOTCP, SPS1): Enable; Driver; Description; Name; PLC IP Address (e.g. 192.168.0.100). If using the MPI/PROFIBUS interface, the IP of the router's LAN interface must be entered in the PLC IP Address field; otherwise enter the IP address of the PLC. PLC Slot Address: with MPI/PROFIBUS communication this is the bus address; in the case of direct Ethernet communication it is the slot of the PLC on the rack (generally two).
19.1.2 Creating the tags: Tags can be added once at least one PLC connection has been created. Tag Configuration (I/O Manager > Tags) columns: Enable, Server, Address, Display, Value, Description, Interval (x 100 ms), Logging. Example rows: SPS1, Z1, DEZ, Counter1, interval 5; SPS1, T1, DEZ, Timer1; SPS
4. Certificate details (Figure 120): Show: <All>. Field / Value: Version: V3; Serial number; Signature algorithm: md5RSA; Issuer: root; Valid from: Thursday, May 10, 2012 6:26; Valid to: Friday, May 10, 2013 6:26:00; Subject: root; Public key: RSA (1024 Bits). Buttons: Edit Properties, Copy to File.
Note: the certificate shown uses an MD5 signature and a 1024-bit RSA key. Both are deprecated and are rejected by current browsers and TLS libraries; generate certificates with a SHA-256 signature and at least a 2048-bit RSA key.
12 System Settings: The most important system settings have already been outlined above in System Settings. A more detailed explanation of additional system settings is given below.
12.1 System > WEB: Using HTTPS (Hypertext Transfer Protocol Secure, recognizable by "https" in the browser address bar) encrypts the connection between web browser and web server. Encryption is usually 40 or 128 bit, depending on key size; 40-bit encryption offers no meaningful protection, so make sure the browser negotiates 128-bit or stronger. (Figure 121, System > WEB: HTTP or HTTPS; Access from Network; Enable HTTPS; HTTPS Port.)
HTTP Port: The standard port for HTTP requests is TCP 80. You can change this if you need this port for your OpenVPN connection or if it is already being used for another purpose. If you do this, however, note that you will need to enter the port in the browser along with the address (firmware versions 2.0.1 and higher).
Enable HTTPS: Clicking on the check box enables the secure Hypertext Transfer Protocol. To a
5. Modem operation settings by country (continued; the modem operation setting column is not legible in this extract). No. / Country / Code:
96 Hong Kong (HK)
98 Iceland (IS)
99 India (IN)
100 Indonesia (ID)
107 Japan (JP)
Kiribati (KI)
Korea, Democratic People's Republic of (KP)
Micronesia, Federated States of (FM)
Moldova, Republic of (MD)
Monaco (MC)
Maldives (MV)
Mali (ML)
Martinique (MQ)
Mauritius (MU)
Mayotte (YT)
Mexico (MX)
Mongolia (MN)
Montserrat (MS)
196 South Georgia and the South Sandwich Islands (GS)
Wallis and Futuna Islands (WF)
Yemen (YE)
Yugoslavia (YU)
Zaire (ZR)
Zambia (ZM)
Zimbabwe (ZW)
Venezuela (VE)
Virgin Islands, British (VG)
Western Sahara (EH)
Vatican City State (VA)
26 Index
A: Alarm management 197
B: Basic configuration 25; Brief description 8; Buttons 23
C: Connection scenarios 29; Connection status 39
D: Default password 21; Digital outputs 201; Displays, controls and connections 12
F: Factory settings on delivery 221; Features 8; Fields 23; Firewall 150; First-time operation 17; Forwarding 154
G: Grounding conductor 17
H: Home page 22; Ho
6. DHCP server settings (continued). End Address: end address of the range managed by the DHCP server. Netmask: subnet mask of the range managed by the DHCP server. Broadcast: broadcast address of the range managed by the DHCP server. Gateway (optional): the address of a router that connects network clients to the Internet or to another network; enter the router's LAN IP address here. DNS Server (optional): an existing network DNS server; enter the router's LAN IP address here. NetBIOS/WINS Server (optional): an existing network NetBIOS/WINS server. Lease Time (s): length of time for which a client is allocated a specific IP address by the DHCP server. MAC-IP table: enter fixed assignments between IP address and MAC address here; in other words, you can specify that a device with a certain MAC address always receives the same IP.
13.6 Network > DNS Server: DNS is used to resolve names to IP addresses. The factory settings on the industrial router are configured so that the DNS server is assigned by the ISP. If you have a permanent industrial router connection, you can add a private DNS server here; this, rather than the ISP-assigned server, will then be the preferred server. (Navigation: Network > DNS Server > DNS Configuration.) By default
7. Wizards (Figure 168): LAN Settings (wizard for LAN settings); Internet connection (wizard for setting up the Internet connection); VPN (setting up the VPN connection).
Connection Settings tab (Figure 169): Active: check this box to activate the OpenVPN connection. Connection name: enter a name for the connection in the input field. Connection type: select the connection type "Client <-> Router" via the drop-down field. Only one client-to-network connection can be created. Depending on the authentication method, the client receives an IP address from a defined range, or each subscriber specifies its requested address. Example topology: Client PC <-> VPN tunnel <-> mbNET <-> routing <-> LAN (192.168.0.100).
18.2.1.1 No authentication or static key (Network Settings tab, Figure 170): Local IP address: enter the IP address of the local VPN tunnel end point here, e.g. 10.1.0.5. Peer IP address: enter the IP address of the peer VPN tunnel end point here, e.g. 10.1.0.6. Client NAT behind the local network: the client will send the IP of the gateway for traffic through the local network; all packets coming int
8. The router settings for this must be as shown below (Network > Serial > COM2): Interface Type: MPI/PROFIBUS; Protocol: MPI/PROFIBUS; Network Driver: Enable RFC1006; Own station address; Enable RFC1006 Routing; Station address of the routing gateway; Protocol: TCP; Port: 7002; Enable ports through firewall. RFC1006 can be operated in parallel with this. Note that "Enable ports through firewall" opens the RFC1006 TCP port to the WAN side; leave it unticked unless the PLC must be reachable from outside, and prefer reaching it through a VPN.
15 Security settings
15.1 General (Security > Firewall > General: Firewall Security: maximum Security; Save Changes). The three security levels are:
maximum Security: All incoming packets (data from the Internet) are rejected. All outgoing packets (data from the LAN) are rejected, except DNS, FTP, IMAP, HTTP, HTTPS, POP3, SMTP, Telnet and NTP.
normal Security: All incoming packets (data from the Internet) are rejected. All outgoing packets (data from the LAN) are accepted.
minimum Security: All incoming packets (data from the Internet) are accepted. All outgoing packets (data from the LAN) are accepted. This level exposes every service on the router, and anything reachable via forwarding, to the Internet; use it only temporarily for diagnostics.
SNAT Activate: Replace the sender's IP address of all outgoing LAN packets with the LAN IP address of this router.
The industrial router has an
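The three security levels of section 15.1, modelled as an added example so the effect of each level on concrete traffic can be checked before changing it on a live router. This is illustration code written for this page, not the router's firmware or any MB Connect Line code; the service-to-port mapping assumes the router filters the listed services by their IANA well-known destination ports, and the sample packets (including an inbound probe of the RFC1006 port 7002 from the COM2 example above) are constructed here.

```python
"""Model of the mbNET firewall security levels (section 15.1).

Added example, not code from the mbNET manual. The port mapping and the
packet records are constructed for illustration.
"""
from dataclasses import dataclass

# Outgoing services that "maximum Security" still permits (section 15.1),
# keyed to their IANA well-known ports (assumption: filtering is by dst port).
ALLOWED_OUT_MAX = {
    "DNS": 53, "FTP": 21, "IMAP": 143, "HTTP": 80, "HTTPS": 443,
    "POP3": 110, "SMTP": 25, "Telnet": 23, "NTP": 123,
}
ALLOWED_PORTS_MAX = frozenset(ALLOWED_OUT_MAX.values())


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = Internet -> LAN, "out" = LAN -> Internet
    dst_port: int
    proto: str = "tcp"


def decide(level: str, pkt: Packet) -> str:
    """Return "accept" or "reject" for one packet under the given level.

    maximum: reject all incoming; outgoing only to the listed services.
    normal:  reject all incoming; accept all outgoing.
    minimum: accept everything in both directions.
    """
    if level not in ("maximum", "normal", "minimum"):
        raise ValueError(f"unknown security level: {level}")
    if pkt.direction == "in":
        return "accept" if level == "minimum" else "reject"
    if pkt.direction == "out":
        if level == "maximum":
            return "accept" if pkt.dst_port in ALLOWED_PORTS_MAX else "reject"
        return "accept"
    raise ValueError(f"unknown direction: {pkt.direction}")


def exposure_report(level: str, packets):
    """List (direction, port, verdict) for each sample packet at one level."""
    return [(p.direction, p.dst_port, decide(level, p)) for p in packets]


# Constructed sample traffic: inbound probes of the web UI and of the RFC1006
# port 7002, plus assorted outbound flows from a LAN client.
SAMPLE = [
    Packet("in", 80), Packet("in", 443), Packet("in", 7002),
    Packet("out", 53, "udp"), Packet("out", 443),
    Packet("out", 1194, "udp"), Packet("out", 22),
]

if __name__ == "__main__":
    for lvl in ("maximum", "normal", "minimum"):
        print(lvl, exposure_report(lvl, SAMPLE))
```

Running it shows the practical consequence of "maximum Security": a LAN client's own OpenVPN (1194/udp) or SSH (22/tcp) sessions to the outside are dropped along with everything else not in the list, while "minimum Security" lets the inbound probe of port 7002 straight through.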
9. We see here that our root certificate is already set as the one to use as signatory.
10.2.2.2 Client certificate subject: Once again, assign the client certificate details from Internal name through emailAddress (Figure 107, X Certificate and Key management > Create x509 Certificate > Subject tab: Internal name: client; organizationName: customerA; stateOrProvinceName: Bayern; commonName; localityName: Dinkelsbuehl; emailAddress: support@customera.de; buttons Add, Delete, "Used keys too", Generate a new key).
Then generate a key for the client certificate. It is recommended that the key should be the same size as the one for the root certificate (Figure 108, New key: Name: Client; Keytype: RSA; Keysize: 1024 bit). Note that 1024-bit RSA is below the minimum accepted by current TLS implementations; use 2048 bit or more for both the root and the client key.
10.2.2.3 Client certificate extensions (Create x509 Certificate > Extensions tab): Basic constraints: Type: End Entity; Path length; Critical. Authority Key Identifier. Validity: Time range 1 year(s); Apply; Not before
10. If the mbNET is to be used behind a telephone system, activate the box next to "Use the following dialout number" and then click Next. You can also choose whether the mbNET should send you an email with the current public address, use a dynamic DNS service, or be accessible over the Internet via MB Connect Line's DynDNS.
To configure manually, proceed as follows: From the home page click Network and Modem, and then on the Outgoing tab. The following screen (see next page) will be displayed; follow the instructions on the subsequent pages (Figure 55).
Figure 56 (Network > Modem > Modem Settings): Modem Type: ANALOG.
Configuring for connection over the Internet (continued). Figure 57 (Modem Configuration > Modem Settings, Modem Type: GSM; tabs Init Modem, Init Outgoing, SIM1, SIM2, Settings, SIM SMS, SIM PIN): Provider: T-Mobile; Input select; Phone Number; User; Password (dummy); Authentication via PAP; Authentication via CHAP; Timeout Dialout: 300; Save Changes. For a detailed description of the modem settings please see s
11. No Internet connection: Select this setting if the mbNET itself does not establish an Internet connection. This applies, for example, if your network has another router that is used for connecting to the Internet, or if there is only incoming dial-up via the public telephone network.
Internet via modem: Using this setting establishes a connection via modem. This requires access data to be entered in the settings under Modem.
Internet via WAN: If you want to connect to the Internet using e.g. a DSL modem, select this setting. However, you also need to enter your Internet access data in the settings under WAN. Then restart the mbNET for the changes to take effect.
Connection monitoring: In addition, you can PING an IP address to verify an Internet connection's availability. You can set this up at different intervals for up to three different IP addresses.
13.4.2 Network > Internet > Internet Settings, Connection Mode: Keep connection: Select this setting if the router should try to connect to the Internet immediately after restarting or after pressing the RESET button on the front of the router. Important: with this setting the connection will stay on. On demand: Select this setting if you want the router to connect to the Internet when one or more of the options listed below are selected: connect while pushing the dial-out button; connect when a signal is received at inputs I1, I2, I3 or I4; co
12. Authentication tab (Figure 190): certificate hierarchy "My CA" (Root CA) with Unit 1 and Unit 2 below it; fields CA Certificate: mb_ROOT_CA; Own Certificate: mb_HOST; Additional user/password verification; Peer must be TLS Server.
CA Certificate: This is the root certificate (root CA). All other certificates must be signed by this certificate. Own Certificate: You use this certificate to authenticate yourself to your VPN peer (X.509 authentication). Additional user and password verification: Additional user data may be required from a client dialing in. Please note that this user data must be entered in the VPN server under System > User; enter the user data of the VPN server from the System > User menu here. Use only CA and user/password for client verification: With this option you authenticate yourself using the CA certificate and the user data of the VPN server from the System > User menu only. Peer must be TLS Server: This is an additional security option; the server certificate must include the extension nsCertType=server (see section Creating certificates). Enable it on the client side whenever possible: without it, any certificate signed by the same CA (for example another client's) could be used to impersonate the server.
18.2.3.3.2 Authentication with CA certificate, own certificate and user/password: This setting varies depending on the mode.
18.2.3.3.3 Server (tabs Connection Settings, Network Settings, Authentication, Protocol options; Authentication process: x509): Unit 1 has one certificate with the p
13. (Figure 203: Start with prio level: 1; Modem loggings.)
Internet: Shows outgoing connections to the Internet. These can be both outgoing connections via the modem and connections via WAN. The IP addresses of the local and remote stations are displayed. An active connection is indicated by a green dot. You can manually connect or disconnect the Internet connection here also; however, it is not recommended to use these buttons unless requested to do so by a member of the support team.
Information from the last connection: Shows the connection time and the number of bytes sent and received during the most recent connection, as long as the router was not restarted or switched off in the interim.
DNS Servers: Shows the IP address of the DNS server.
System loggings: Shows the type of connection and the assigned IP and DNS addresses.
Modem loggings: Shows the commands sent to the modem to initialize it and the status of the connection process. The error messages that occur when establishing the connection are also displayed here.
21.6 Status > DHCP (Status tabs: Interfaces, Network, Modem, Internet, DHCP, DNS Server, DynDNS, NTP, VPN IPSec, VPN PPTP, VPN OpenVPN, Diagnostics, USB, Alarmmanagement, System). DHCP Server > DHCP leases: IP Address, Expires at, MAC Address, Name. DHCP Client > WAN Client Information: The WAN interface
14. (Figure 175: ping 10; ping-restart 60.) If you have decided on the method with the static key, you must make a private secret entry in addition to entering the IP address (see arrow). Note that you must always use two backslashes in the path name.
Authenticating a Windows client with certificates (Figure 176, Client_Router.ovpn opened in Notepad):
    dev tun
    port 8080
    lport 8080
    cipher (value not legible in this extract)
    reneg-sec 3600
    proto udp
    # enter the peer IP address or DNS name here
    remote <peer IP address or DNS name>
    # enter the certificates here
    ca   <path and name of the CA certificate>
    cert <path and name of the own certificate>
    key  <path and name of the secret key of the own certificate>
    pull
Change the indicated options as appropriate to your circumstances. Note that you must always use two backslashes in the path name, and that you need the key of your personal certificate for the directive "key".
18.2.1.3.3 Starting the OpenVPN connection: After completing the configuration you can right-click the .ovpn file, or start the connection via the graphical interface in the toolbar as shown (Figure 177: Connect Client_Router; Wizard; Proxy Settings; View Log; Edit Config; Change Password).
18.2.2 Router <-> router. Using the connection wizard: Click the Wizards link in t
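A generator for the Windows client configuration above, added as an example (it is not part of the manual and not MB Connect Line code). It encodes the two rules the manual states and that are easy to get wrong by hand: every backslash in a Windows path must be doubled, and the static-key variant of Figure 175 needs a "secret" entry (plus the tunnel end-point addresses from item 7, given here as ifconfig) instead of the certificate directives, which also means "pull" must not appear in a static-key file. It additionally emits "remote-cert-tls server" in certificate mode, the client-side counterpart of the router's "Peer must be TLS Server" option in item 12. The directive names are standard OpenVPN directives; the peer address, paths, port and the BF-CBC cipher in the usage are placeholders chosen here.

```python
"""Build an OpenVPN client .ovpn file in the shape of Figure 176.

Added example, not code from the mbNET manual. Peer address, paths, port and
cipher in the usage below are illustrative placeholders.
"""
from typing import Optional, Tuple


def ovpn_path(path: str) -> str:
    """Quote a Windows path for an OpenVPN config file.

    OpenVPN treats a single backslash as an escape character, which is why
    the manual insists on two backslashes in every path name.
    """
    return '"' + path.replace("\\", "\\\\") + '"'


def build_client_config(remote: str, cipher: str, *, port: int = 8080,
                        proto: str = "udp",
                        ca: Optional[str] = None, cert: Optional[str] = None,
                        key: Optional[str] = None,
                        secret: Optional[str] = None,
                        tunnel_ips: Optional[Tuple[str, str]] = None,
                        reneg_sec: int = 3600,
                        verify_server_cert: bool = True) -> str:
    """Return the .ovpn text for either certificate or static-key mode."""
    if proto not in ("udp", "tcp-client"):
        raise ValueError("proto must be 'udp' or 'tcp-client'")
    lines = ["dev tun", f"proto {proto}", f"port {port}", f"lport {port}",
             f"remote {remote}", f"cipher {cipher}"]
    if secret is not None:
        # Static key (Figure 175): point-to-point, no TLS, so no pull/reneg.
        if ca or cert or key:
            raise ValueError("static-key mode and certificate mode are exclusive")
        if tunnel_ips is None:
            raise ValueError("static-key mode needs (local, peer) tunnel IPs")
        local_ip, peer_ip = tunnel_ips
        lines += [f"secret {ovpn_path(secret)}",
                  f"ifconfig {local_ip} {peer_ip}"]
    else:
        # Certificates (Figure 176): CA, own cert and its private key.
        if not (ca and cert and key):
            raise ValueError("certificate mode needs ca, cert and key")
        lines += [f"ca {ovpn_path(ca)}", f"cert {ovpn_path(cert)}",
                  f"key {ovpn_path(key)}", f"reneg-sec {reneg_sec}"]
        if verify_server_cert:
            # Reject a peer presenting a client certificate as the server.
            lines.append("remote-cert-tls server")
        lines.append("pull")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Placeholder peer and paths; cipher BF-CBC is one of the options in
    # the router's cipher list (item 21) and is assumed here.
    print(build_client_config("vpn.example.invalid", "BF-CBC",
                              ca=r"C:\certs\ca.crt",
                              cert=r"C:\certs\client.crt",
                              key=r"C:\certs\client.key"))
```

"remote-cert-tls server" requires the router's server certificate to carry the server key-usage/EKU or nsCertType extensions, which is exactly what the certificate section of the manual asks for; if the router-side certificate lacks them, the client will refuse the connection rather than silently accept an impersonator.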
15. Select the second option, "Connect to the network at my workplace" (the remaining option, "Set up an advanced connection", connects directly to another computer using your serial, parallel or infrared port, or sets up this computer so that other computers can connect to it), and then click NEXT (Figure 44).
New Connection Wizard > Network Connection: "How do you want to connect to the network at your workplace? Create the following connection: Dial-up connection (connect using a modem and a regular phone line or an Integrated Services Digital Network (ISDN) phone line) / Virtual Private Network connection (connect to the network using a VPN connection over the Internet)." Choose "Dial-up connection" and the modem that you wish to use to set up a connection with the industrial router (Figure 45).
Configuring the router-client connection over the telephone network (continued). New Connection Wizard > Connection Name: "Specify a name for this connection to your workplace. Type a name for this connection in the following box: Company Name. For example, you could type the name of your workplace or the name of a server you will connect to." Now you need to give your connection a name, then click NEXT (Figure 46).
New Connection Wizard > Phone Number to Dial: "What is the phone number you will use to make this connection? Type the phone n
16. udp: The rule applies only to the UDP protocol. Destination IP: Enter the IP to which the data packets were originally to be sent here. Destination Port: Specify the port via which the data packets are sent to the destination IP here. Forward IP: Enter the IP to which the data packets are actually to be sent here. Forward Port: Specify the port via which the data packets are actually forwarded here. Forward on all interfaces: The FORWARDING setting is applied to all connections, i.e. even incoming VPN connections. If this option is not set, the setting only applies to incoming packets from the Internet, but not to a VPN connection via the Internet. Save: Accepts the new settings and temporarily stores them.
Security settings (continued)
15.5 NAT: This setting enables two networks in the same address range to be connected. If, for example, a network with the address 192.168.0.0/24 is to be connected to a network with the same address, this is only possible if one of the two networks is assigned another address. NAT technology is an easy way of achieving this, since only the real network address (LAN address) and the substitute address (NAT network address) are required. The NAT algorithm makes sure that the addresses in the data packets are only substituted in communications between these two networks. This means that you do not have to adapt your entire network addressing scheme. (Security tabs: Firewall General, WAN > LAN, LAN > WAN
17. ... via which the data traffic is processed. Depending on the authentication method, OpenVPN either works in point-to-point mode (with static key or no authentication) or in server/client mode (with X.509 certificates). OpenVPN can use three different authentication methods:
- None: No certificate or key is needed. Used primarily for testing the connection. The tunnel data is also NOT encrypted.
- Static key: A 1024-bit key, as required by each peer, is generated for the connection; similar to a password.
- Certificates (X.509): The following certificate variants are distinguished: (1) each subscriber needs the same root CA and a personal certificate signed by the root CA; (2) like 1, but with additional username/password verification; (3) like 2, but without a personal certificate, in other words subscribers only need the root CA and a username/password.
OpenVPN can use an HTTP proxy server for the outgoing connection. This is important for integration into existing corporate networks with an Internet connection. The transmission protocol (UDP or TCP) can be freely selected with OpenVPN; the same applies to the port numbers to be used for the transmission protocol.
The settings for various OpenVPN connection scenarios are described below. From the start page, click VPN in the navigation bar on the left and OpenVPN in the navigation bar at the top. Click the button on the right to create an
18. ... we recommend using the more secure CHAP variant alongside this, as PAP sends your credentials unencrypted. Dial-in Authentication, Authentication via CHAP: authentication protocol that does not send the password itself over the link (CHAP: Challenge Handshake Authentication Protocol). Now save your changes by clicking Save (Figure 39).
Now click on Network > Internet and enter the following settings (Figure 40, Internet Configuration > Internet Settings: Internet Connection: Internet via WAN; Connection; Connection monitoring; Save Changes). For a detailed description of the Internet settings please see section Network > Internet > Internet connection. Select either "Internet via modem" or "Internet via WAN".
Configuring the router-client connection over the telephone network (continued)
Save your changes by clicking Save Changes (Figure 41). Click on System > Users and add a user with dial-in rights. For further notes on adding users and assigning specific rights please see section Adding users. Finally, to save your changes permanently to the industrial router, click Apply Changes (Figure 42).
For devices to be able to communicate with the LAN interface, they must be configured using the M
19. (HW Config catalog: PROFIBUS; SIMATIC PC Station(1); Subnets; Ethernet(1): Industrial Ethernet, "components and modules for PC-based automation solutions with SIMATIC"; ISO Ind. Ethernet -> Broadcom NetXtreme 57xx; Insert.)
14.2.4 Configure PC station: This PC Station requires the integration of a CPU 412-2 PCI (6ES7 612-2QH00-0AB4, V3.4), found by selecting SIMATIC PC Station > Controller > CPU 412-2 PCI, and an IE_CP V6.2.1 (IE General), found by selecting SIMATIC PC Station > CP Industrial Ethernet > IE General > IE_CP SW V6.2 SP1. (HW Config > SIMATIC PC Station(1) > Configuration RFC1006: index 1: IE General, IE_CP, SW V6.2.1; index 2: CPU 412-2 PCI, 6ES7 612-2QH00-0AB4, V3.4. Catalog: SIMATIC PC Station > Controller (CPU 412-2 PCI, CPU 416-2 PCI, WinLC PN, WinLC RTX); CP Industrial Ethernet (CP 1413, CP 1604, CP 1612, CP 1613, CP 1616, IE General: SW V6.2, SW V6.2 SP1); CP PROFIBUS; HMI; User Application (Application, OPC Server). Substit
20. In the mbNET settings, enable RFC1006 routing and enter the station address of the master routing gateway (Network > Serial > COM2: Interface Type: MPI/PROFIBUS; Protocol: MPI/PROFIBUS; Network Driver: Enable RFC1006; Own station address; Enable RFC1006 Routing; Station address of the routing gateway; Protocol: TCP; Port; Enable ports through firewall; Save Changes).
14.3 Connecting to S7 using the mbNET S7 driver: Alternatively, the licensed mbNET S7 driver can be used. Once installed, this is directly available as an adapter in Simatic Manager (Set PG/PC Interface: Access Path, LLDP/DCP; Access Point of the Application: S7ONLINE (STEP 7) -> TCP/IP -> Broadcom NetXtreme 57xx (Standard for STEP 7); Interface Parameter Assignment Used: TCP/IP -> Broadcom NetXtreme 57xx; buttons Properties, Diagnostics, Copy, Delete; further entries TCP/IP -> Dell Wireless 1395 WLAN and TCP/IP -> mbDIALUP; "Assigning Parameters to Your NDIS CPs with TCP/IP Protocol (RFC 1006)").
Setting the router IP address then becomes an overall project setting in the driver properties, rather than something set project by project.
21. 18.3 Inactivity settings (Figure 193, Connection Settings: Connection name; Connection type: Router <-> Router Connection; Link connection: connect while pushing the dial-out button (one of the routers has to be set to wait mode); Peer address (IP/DNS); Inactivity: close connection after ... seconds). If the OpenVPN connection is to be started via a digital input or the dial-out button, the connection is automatically dropped after a defined time without any data traffic.
18.4 Protocol options (Figure 194): Protocol: udp; local port: 1194; peer port. Misc: bind the local IP address and port; allow the peer to change the IP address dynamically; LZO compress active; ping interval (seconds): 10; ping restart (seconds); MTU (bytes): 1500; fragment the packets at ... bytes; regenerate a new key after 3600 seconds; send more information to the system log. HTTP Proxy: enable connection through an HTTP proxy (IP, port, username, password).
Protocol options, cipher selection (Tab / Description): Blowfish with CBC (128 bit); DES with CBC (64 bit); RC2 with CBC (128 bit); DES-EDE with CBC (128 bit); DES-EDE3 with CBC (192 bit); DESX with CBC (192 bit); RC2 with CBC (40 bit); RC
Note: every cipher in this list uses a 64-bit block size and is considered legacy; single DES (56-bit key) and 40-bit RC2 can be broken with modest resources. Pick the strongest option offered (DES-EDE3 or Blowfish) and keep the periodic key regeneration enabled so that long-lived tunnels do not encrypt large volumes under one key.
22. ... DNS server, if not assigned by the Internet service provider. System loggings: Shows the individual operations executed by the DNS server.
21.8 Status > DynDNS (Figure 206: DynDNS: Updated IP Address: "not updated"; System loggings). Updated IP Address: Shows the current IP address assigned to the router via the Internet. System loggings: Shows all events and faults related to the DynDNS service.
21.9 Status > NTP (Figure 207: Date and Time: Date/Time UTC: Fri Mar 23 09:00:50 UTC 2012; Local Date/Time: Fri Mar 23 10:00:50 CET 2012; Start NTP update; System loggings). Date/Time UTC: Shows the current system time in Coordinated Universal Time (UTC). Local Date/Time: Shows the time using the time zone setting. System loggings: Shows all notifications and error messages related to the service.
21.10 Status > VPN IPSec (Status tabs: Interfaces, Network, Modem, Internet, DHCP, DNS Server, DynDNS, NTP, VPN IPSec, VPN PPTP, VPN OpenVPN, Diagnostics, USB, Alarmmanagement, System; Security > VPN IPSec). I/O
23. Client IP address pool: Enter the address range in CIDR notation, e.g. 10.1.0.0/24. Local network: Enter the address range of the local network in CIDR notation here, e.g. 10.1.0.2/24. Multi-peer mode, "no" selected: Only one peer (with a different network address) can establish a VPN connection; each client is assigned the peer network address range, which means that simultaneous client logins make no sense here. Peer network: Enter the network address of your peer in CIDR notation here, e.g. 192.168.99.0/24. No network setting is needed on the client, because it is sent to the client by the server. The local network and the peer network must be specified; OpenVPN then creates the necessary routing entries from these entries.
18.2.2.2.2 Multi-client: Multiple clients can dial in. (Figure 184, Network Settings: Client IP address pool: 10.1.0.0/24; Local network; Multi-peer mode: yes; Peer Name / Peer network: Client1 192.168.99.0/24, Client2 192.168.98.0/24, Client3 192.168.97.0/24.) With certificate authentication, multiple different clients can dial into the server simultaneously and are automatically assigned an IP address from the client IP address pool. Client IP address pool: Enter the address range in CIDR notation, e.g. 10.1.0.0/24. Local network: Enter the address range of the local network in CIDR notation here, e.g. 10.1.0.2/24. Multi-peer mode, "yes" selected: Ne
24. GSM: If using a GSM device, you can either keep the preset X3 command or use the GCI country code command. SIM PIN (GSM only): If required, you can enter the SIM card PIN here. The device will also work without SIM card PIN protection, but a SIM without a PIN can be removed and used in any other device, so setting a PIN is recommended. Provider (GSM only): You can select your mobile broadband provider here; if it does not appear, select Other. Access Point Name (GSM only): If your provider was not shown, you can also manually enter the APN here. You can obtain details of the APN from your mobile broadband provider or from our website at www.mbconnectline.de (GSM/GPRS mobile communications page).
Dial-in enable: Click on the check box to check it and enable a client computer to connect to the mbNET via a dial-up connection. PPP Server IP Address: Enter the IP address of the PPP server here, in this case 192.168.4.100. This sets this address as the mbNET address for client computers dialing in. PPP Client IP Address: Enter the IP address that you want the client to receive, in this case 192.168.4.101.
From the drop-down field, select "only following user" (as shown here in the example) or "every user with dial-in rights". This determines whether any user registered under System > User, or only one specific user, can dial in to the mbNET. Authentication via PAP: authentication protocol that transfers your login credentials (PAP: Password Authentication Protocol). However
25. Input (tabs Input 1, Input 2, Input 3, Input 4, Multiple Inputs): Enable; "Uses Input 2 for STROBE, Input 3 for IMPULS digit x1 and Input 4 for IMPULS digit 1x"; Save Changes. Action table (Number / Action / Text): 1, Email, "This is an email"; 2, SMS, "This is a SMS". Current state of Input 1 to Input 4: 0000. The action number is defined in the Number drop-down field. There are different actions available depending on the device model: the email function is available with all devices; the SMS option is available with devices with a mobile broadband modem.
20.3 Digital outputs: Click Alarmmanagement in the navigation bar followed by Output. The following screen for configuring the two available digital outputs is then displayed. The outputs can be separately configured using the two tabs. The input and drop-down fields are described on the following pages. (Figure 198, Output > Output 1 / Output 2: Function: On by Internet connection; State: Switch On; current State: Output 1, Output 2.)
Output 1 / Output 2: Each output can be separately configured. To configure an output, select the corresponding tab. Function: You can choose between the following settings using the drop-down field. The first setting leaves the output unused: select it if you do not want to evaluate the outputs for possible switching operations. On with Malfunction: Select this setting if the co
26. [Figure 157: Security > NAT Configuration screen (tabs LAN > WAN, Forwarding, NAT) with Rule Settings: NAT Enable, Netaddress LAN, Netaddress NAT, Netaddress Remote Station]
Label / Function:
Enable: Check the box by clicking it to enable the subsequent settings after they are saved.
Netaddress LAN: Enter the real address of the network here, e.g. 192.168.0.0/24. Please note that the IP address must be entered in CIDR notation.
Netaddress NAT: Enter the translated address of your network here, e.g. 192.168.1.0/24. Please note that the IP address must be entered in CIDR notation.
Netaddress Remote Station: Enter the address of the network to which the translated packets are to be routed here. If the remote station also uses address translation, the NAT address of the remote station must be entered here.
Save Changes: Accepts the new settings and temporarily stores them.
16 VPN IPSec
16.1 Configuring a VPN IPSec connection with two routers
The settings for a VPN connection via the IPSec protocol are described below.
From the start page, click VPN in the navigation bar on the left and IPSec in the navigation bar at the top.
Click the button on the right to create an IPSec connection (Figure 158).
The following screen appears: [Figure: VPN > IPSec Configuration > Edit Connection with tabs Connection Settings, Network Settings, Authentication, Protocol options] ...
27. [Figure 208: Status > VPN IPSec screen; Connections inbound/outbound with columns Status, Name, Active, Connectiondata local, Connectiondata peer, Status, Logging; buttons Stop Connection / Start Connection for the connection Client_Router; Systemloggings IPSec with Delete / Logscreen / Show all]
Connections inbound/outbound: Shows both the incoming and outgoing VPN connections of the router. An active connection is indicated by a green dot. The connection duration and active user are displayed. After the connection is disconnected, the active connection time is displayed. You can also manually connect or disconnect the connection here. However, it is not recommended to use these buttons unless requested to do so by a member of the support team.
21.11 Status VPN PPTP
[Figure 209: Status > VPN PPTP screen with tabs PPTP Server and Clients; Connections inbound with columns User, Active, IP local, IP remote, Connectstatus; Systemloggings PPTP Logging]
Server: The incoming VPN connections of the router are listed here. An active connection is indicated by a green dot. The connection duration, active user, local and remote IP address are displayed. After the connection is disconnected, you can read off the active connection time.
Clients: Shows the ou...
28. ... OpenVPN connection.
18.2 Connection scenarios
18.2.1 Client router
The connection wizard helps you to configure your connections quickly and easily. To access the wizard, click the Wizards link in the top right of the web interface. If you have disabled the autolaunch function for the wizard, click the Start button for the wizard for VPN connections. Please note that you must first select OpenVPN in the menu under the Start button for the VPN wizard. You must then click Save Changes and Apply Changes so that you can configure a connection with OpenVPN.
Select the option "Connection between Networkclient and mbNet".
Next, select the static key. If you have not yet created a static key, you can use the key created by mbNET. Click Next.
Clicking Next completes the configuration of the connection. Click Finish to apply your settings.
You must have OpenVPN installed on your computer to establish a connection. You can find out more about this in section 18.2.1.3, Configuring an OpenVPN Windows client.
[Figure 166: Wizards page listing "Wizard for LAN Settings", "Wizard for setting up the Internet Connection" and "Setting up the VPN Connection" (each with a Start button) and "Select VPN method"]
[Figure 167: mbNET wizard, "Choose Your Wizard: Which Wizard do you want to execute"]
29. (Table of contents fragment; entries whose titles were not legible are omitted)
... 81
10.2.2.2 Client certificate subject 83
10.2.2.3 Client certificate extensions 84
10.2.2.4 Client certificate key usage 85
10.2.2.5 Client certificate ... 85
Creating CRL files (revocation lists) 88
Importing certificates in Windows 90
12.3.2 Root certificate 100
12.3.3 Peer certificates 101
Network WAN 109
Network Modem 110
13.3.1 Network Modem Incoming 110
13.3.2 Network Modem Outgoing 113
13.3.4 Network Modem ...
30. [Figure 115: XCA window (menu File, Import, Token, Help; tabs Private Keys, Certificate signing requests, Certificates, Templates, Revocation lists); Database: C:\Dokumente und Einstellungen\MB Technik\Eigene Dateien\root_en.xdb]
In the Revocation lists tab you now see the revocation list that you just created. Highlight it and click Export. Select pem as the export format. Choose a suitable save location, then confirm with OK. You can now import the list using the System > Certificates menu on the mbNET web interface (cf. section CRL). Restarting the VPN connection or the mbNET will enable the CRL, and it will no longer be possible to establish a VPN tunnel using the revoked certificate.
11 Importing certificates in Windows XP
To import finished certificates you need to set up what is known as a Certificate Management Console. To do this, click Start > Run and type in MMC. Then click File > Add/Remove Snap-in and in the next screen select Add. You can then select Certificates from the list of available snap-ins.
[Figure: Add/Remove Snap-in > Add Standalone Snap-in dialog listing available standalone snap-ins with vendor Microsoft Corporation: ActiveX Control, Certificates, Component Services, Computer Management, Device Manager ...]
31. ... address.
Peer network: ...
Do NAT for all outgoing traffic: This option was introduced for compatibility with mdex. It replaces the sender IP address with the current Internet IP address.
Note: With authentication without certificates, only one IP channel can be specified per connection entry (local IP address and peer IP address). The settings Local IP address and Peer IP address from the server must be reversed accordingly on the client.
18.2.2.4 Client authentication with certificates
[Figure 186: OpenVPN client connection screen with tabs Connection Settings, Network Settings, Authentication, Protocol options; check box "Do NAT for all outgoing traffic"]
Label / Description:
Do NAT for all outgoing traffic: This option was introduced for compatibility with mdex. It replaces the sender IP address with the current Internet IP address.
Network Settings: No network setting is needed on the client because it is sent to the client by the server.
18.2.3 Authentication
OpenVPN offers three fundamentally different authentication methods:
- None: no certificate or key is needed. Used primarily for testing the connection. The tunnel data is also NOT encrypted.
- Static key: a key, as required by each peer, is generated for the connection. Similar to a password.
- Certificates (X.509): the following three certificate variants are distinguished: each subscriber needs the same root CA and a per...
32. ... as a PPP client here, and that there must be another industrial router or a computer acting as the PPP server to handle the request. Under Network > Internet, set the Internet connection to "On demand" and set the subsequent option to "Connect on Sign 1 at Input". To call the first number, switch on input 1. To call the second number, switch on input 2 and then input 1. To call the third number, switch on input 3 and then input 1. To call the fourth number, switch on inputs 2 & 3 and then input 1.
Telephone number: Here enter the telephone number of the relevant mobile broadband provider. For GSM modems this number always uses the format *99***1#.
User: Enter the user name required to dial in via the relevant provider. You can obtain further details on this direct from your provider. For GSM modems there is more information, for example, at http://www.mbconnectline.de/gsm-grps-mobilfunk.html
Password: Enter the password required to dial in via the relevant provider. You can obtain further details on this direct from your provider. For GSM modems there is more information, for example, at http://www.mbconnectline.de/gsm-grps-mobilfunk.html
Authentication via PAP: Use the default setting for the authentication protocol. In principle this is preset when a dial-up connection is set up.
Authentication via CHAP: Use the default setting for the authentication protocol. In principle this is preset ...
33. ... change the order of rules.
Basic configuration of the router using the web interface
8.3 System settings
Before configuring the mbNET industrial router for your particular application requirements, you need to implement some specific basic settings. Proceed as follows:
On the navigation bar at the top of the web interface home page, click System and Settings (tabs: Info, Settings, WEB, Users, Certificates, USB, Logging, BackupRestore, Firmware). This will display the system settings screen shown below. Now proceed as described on the pages that follow.
[Figure 23 and Figure 24: System Settings screen. Hostname: mbNET; Host Description; System Reboot after ... h. Time Settings: Date/Time (UTC) Fri Jan 13 02:26:54 UTC 2012; Locale Date Fri Jan 13 03:26:54 CET 2012; Set local Date (JJJJ-MM-TT HH:MM:SS); Timezone: Berlin, Germany (+1); NTP Server. Mail Settings: Activate automatic Mail (no); SMTP Server; SMTP Port; E-Mail Address; SMTP requires Authentication; User; Password]
34. ... directed by MB Connect Line support personnel.
Connection: Shows the type of connection and the assigned IP and DNS addresses.
Modem Init: Shows the commands sent to the modem to initialize it and the status of the connection process. The error messages that occur when establishing the connection are also displayed here.
Restart modem: You can use this button to restart the internal modem. This function should only be used as instructed by MB Connect Line support personnel.
Signal: Specifies the current network availability in percent and dBm. If you have an mbNET with mobile broadband and UMTS, the device will automatically change networks when UMTS becomes available again or UMTS is no longer available.
Transmission method: Shows the respective transmission method. The following are possible: GSM/GPRS, EDGE, UMTS.
Provider: Shows the current mobile broadband provider (T-Mobile Germany, as shown in Figure 211).
SIM: Shows the status of your SIM card in the mbNET.
Systemloggings: Shows all events and errors related to the GSM modem.
21.5 Status Internet
[Figure: Status > Internet screen. Manual Control of the Internet Service: Restart Internet Service, Stop Internet Service. Internet Connection: Active, IP local, IP remote, Internet Modem. Information from the last connection: Connected (sec), Bytes sended, Bytes received, Servers IP. Log: "<14> Mar 23 09:58:24 Internet ..."]
35. (List of supported public DynDNS providers, continued)
dyns: dyns.cx
heipv6tb: www.he.net
dyndns-static: www.dyndns.org
dyndns-custom: www.dyndns.org
dhs: www.dhs.org
Network DynDNS (continued)
[Figure 152: Network > DynDNS Configuration screen. Dynamic DNS: "Get access to the unit via 06128342533.mbNET.mymbnet.biz. The DNS name is made up of the serialnumber.hostname.mymbnet.biz. Change the hostname to get your own name. The serialnumber could not be changed." Enable System Dynamic DNS; Save Changes. Public DynDNS Service: Enable, provider, user, Password, Name; Save Changes]
MB Connect Line DynDNS Service: This option enables MB Connect Line's automatic DynDNS service. The name structure is fixed in this case and can only be freely defined on one host. Name: Serialnumber.Hostname.mymbnet.biz
Enable system dynamic DNS: The serial number is fixed and the host name can be anything you choose. Example: Device name mbNET600, Serial number 123456789, Name on Internet 123456789.mbNET.mymbnet.biz. The name will be globally available approx. 1-2 minutes after Internet dial-in.
Public DynDNS service: If you are registered with a DynDNS provider that you wish the industrial router to use, check this box by clicking on it. The ne...
36. ... fixed connection between two or more LANs and ensures secure data transfer over the non-secure Internet. Using a tunneling protocol sets up a secure connection called a VPN tunnel. In the connection scenarios described in 9.3 and 9.4, a client can only access the router's serial interfaces (for a description of serial interfaces see Serial Interfaces). This does not allow for access to the LAN interface via the Internet. Using a VPN connection, however, it is possible to reach or access subscribers connected to the LAN interface, such as panel PCs. The diagram below represents a VPN connection. The client can be e.g. a PC or another industrial router pre-configured for Internet access.
[Figure 81: VPN connection diagram: Client (e.g. dial-in via PC, or dial-in via router) via Internet Service Provider (ISP) and the Internet to the Server]
9.6 Configuring the router for VPN connection to a client
9.6.1 Connecting and configuring the router
9.6.1.1 Connecting the router
A VPN connection first requires that the router has an Internet connection in place. For instructions on how to configure the router for connection to the Internet, you can refer to the connection scenarios already described above, based on the connection mode required. As a basic principle, the router must be accessible via a public IP address.
9.6.1.2 Adding ...
37. ... html. This takes you automatically to the relevant page on MB Connect Line's website.
13.3.3 SMS menu settings
[Figure: Network > Modem Configuration screen with tabs Modem Settings, Modem GSM Type, Modem Init, Modem Init Outgoing, SIM1, Outgoing SIM2, Settings SIM. Settings SIM: Select primary SIM card: SIM card 1; Switch to secondary SIM card when roaming is detected; Switch to secondary SIM card when there is a failure with the primary SIM card]
First we need to specify a primary SIM card, which will always be verified or used first. The secondary SIM card is always the non-primary one. Switching is based on two selectable criteria:
- The SIM card fails to initialize or to register on the cellphone network.
- Roaming is detected on the SIM.
13.3.4 Network Modem Callback
[Figure 146: Network > Modem Configuration > Incoming > Call Back: Call Back enable; How to call back: "Activate Call Back via Phone"]
The settings below apply to the call-back function. This function triggers Internet dial-in remotely via a telephone or dial-up connection. It must be set up so that the Internet connection will be establis...
38. ... is disconnected.
[Figure 204: Status > DHCP screen with DHCP Server, Client Information and Systemloggings]
Label / Function:
DHCP Server: Lists the IP addresses assigned to connected clients by the DHCP server.
Systemloggings: Shows the IP addresses assigned by the DHCP and the IP addresses that are not permitted.
Client Information: Shows information about connected clients at the WAN connection.
Systemloggings: Shows all events and errors related to the DHCP server and client.
21.7 Status DNS Server
[Figure 205: Status > DNS Server screen with DNS Name, IP Address and Systemloggings. Log excerpt:
<4> Mar 23 09:57:40 dnsmasq[1952]: failed to access /var/dhcp/dhcpd.leases: No such file or directory
<4> Mar 23 09:57:40 dnsmasq[1952]: checking lease file /var/dhcp/dhcpd.leases
<4> Mar 23 09:57:40 dnsmasq[1952]: failed to access /var/run/resolv.conf: No such file or directory
<6> Mar 23 09:57:40 dnsmasq[1952]: read /etc/config/hosts - 1 addresses
<4> Mar 23 09:57:40 dnsmasq[1952]: failed to drop root privs
<6> Mar 23 09:57:40 dnsmasq[1952]: serving MX record for mailhost mbNET target 127.0.0.1
<6> Mar 23 09:57:40 dnsmasq[1952]: started, version 1.18 cachesize 20 ...]
DNS Name: Shows the name of the DNS server, if not assigned by the Internet service provider.
IP Address: Shows the IP address of the ...
39. ... is complete, restart the device. NEVER INTERRUPT THE MBNET DURING A FIRMWARE UPGRADE. If you do, the device will no longer be able to start.
13 Network
13.1 Network LAN
LAN configuration allows you to configure the router IP address (LAN address) and subnet mask. This is the IP address used for accessing the router from the LAN.
[Figure 142: Network > LAN Configuration screen with tabs Interface and Routes; IP Address 192.168.0.100; Netmask 255.255.255.0; Save Changes]
Label:
LAN: To set up the LAN interface, click on the LAN tab.
IP address: Enter the router IP address.
Routes: To set up specific routes, click on the Routes tab. You can enter both network routes in CIDR format (x.x.x.0/24) and host routes here.
Netmask: Enter the subnet mask of the network into which the router is to be integrated.
13.2 Network WAN
The industrial router's WAN interface can connect a local network with a remote network or with a public network like the Internet. Therefore the WAN interface is configured according to how it will be used.
[Figure: Network > WAN Configuration screen ...]
40. ... model, the Ready LED should be solid. The device is now ready for operation. For further support on the mbNET industrial router, visit our online support forum at www.mbconnectline.de (Figure 14).
First-time operation (continued)
7.1.1 Connecting the router to a configuration PC
Before configuring the router, connect it to the computer using the crossover cable supplied. To do this, connect one end of the cable to the router port labeled LAN and the other end to your computer's network card (Figure 15).
First-time operation (continued)
7.2 Configuration prerequisites
To configure the router you will need:
- a PC with a network card
- an Internet browser, e.g. Mozilla Firefox or Internet Explorer
The required settings on your PC are as follows:
- the computer's IP address must be set to 192.168.0.X, where X is variable
- the subnet mask must be 255.255.255.0
For instructions on how to create the required settings on a PC, please see the next page. If you already know how to set the IP address and subnet mask, set them as described above and then proceed with configuration as described in Initial Configuration.
[Figure: Windows "Internet Protocol (TCP/IP) Properties" dialog, General tab: "You can get IP setti..."]
41. ... new user to the server; to do this you need to change the user on the server web page under System > Users. The final option allows you to choose which events the client should connect for. The following options are available:
- Connect immediately
- Connect on traffic
- Connect on signal high at input 1-4
Save your changes by clicking Save Changes.
Finally, to save your changes permanently to the router, click Apply Changes.
[Figure 96: VPN > PPTP Configuration > Edit Client: Enable; Name PPTPclientConnection; Host Name or IP; Local IP; Remote IP; Authentication; Encryption; User; Password; Start Connection "Connect immediately"; Save Changes]
[Figure 97: Save Changes / Apply Changes buttons]
For more information on these settings please see section VPN PPTP.
Label:
Enable: To enable the connection, check the box by clicking on it.
Name: Assign a name to the client. In the example we used PPTPclientConnection.
Host name or IP: Here enter the name or IP address that the client uses to contact the server. In the example this is 123456789.mbNET.mymbnet.biz
Local IP: The server address can be entered here. Generally speaking, this field can be left blank.
Remote IP: Note the CIDR notation (/24) after the network address.
Authentication: Select an authentication method that is also enabled in the server set...
42. ... or years. The list below specifies how long individual certificates should be valid for:
- Personal certificates should be valid for 1 year.
- Server (SSL) certificates: 1 year.
- Router certificates should be valid for 1 year (external routers) or 10 years (internal routers).
- CA certificates should have an extended lifespan, e.g. > 10 years.
Click Apply to confirm the Time Range values.
Subject alternative name: The subject alternative name is a list of alternative names for the certificate holder. These can be RFC822 names (email), DNS names, X.400 addresses, EDI names, URIs or IP addresses. In principle any structured naming system is applicable. If using PKIX, this extension is essential when the certificate subject field is empty.
Issuer alternative name: For issuer alternative names the same applies as for subject alternative names.
CRL distribution point: To be able to use a public access point for certificate revocation lists, you need to enter the LDAP or HTTP address of the list. The address should always be prefixed with a URI (universal resource indicator), e.g. URI:http://de.wikipedia.de. For the field separator use a colon. If you hold local revocation lists, this option is not relevant.
Authority Info Access: This PKIX extension defines how to access additional information and services from the issuer of the certificate. It can then provide more information abo...
43. ... rejected. If the authentication is accepted, the user data is periodically checked during the connection.
Authentication via MS-CHAP: Proprietary authentication protocol developed by Microsoft.
Authentication via MS-CHAP V2: Proprietary authentication protocol developed by Microsoft.
17.2 Client settings
[Figure 165: VPN > PPTP Configuration > Clients > Client Configuration: Enable, Name, Host Name or IP, Local IP, Remote IP]
Description:
Enable: Check this box by clicking it if the industrial router is to be enabled as a VPN client.
Name: Enter a name for the client here.
Host Name or IP: Enter the name or IP address under which the client accesses the server here. Example: 123456789.mbNET.mymbnet.biz or 80.187.33.55
Local IP: This entry is optional. If the server is not configured to assign an IP address to the client, the client can request the IP address entered here. The settings are generally made on the VPN server. This setting is for compatibility with other routers.
Remote IP: Enter the network address of the server in CIDR notation here, e.g. 192.168.0.0/24, in order to have a route into the server network.
18 VPN OpenVPN
18.1 Basics about OpenVPN
OpenVPN basically works with two tunnel IP addresses, i.e. each connection has two IP addresses ...
44. ... save these temporarily by clicking Save Changes (Figure 30).
If you want to undo your changes and return to the original settings, click Clear Changes (Figure 31).
To save the settings permanently on the mbNET industrial router, click Apply Changes (Figure 32).
If any entries are missing or incorrect, the relevant error messages will appear at the top of the configuration page. Re-check your settings as appropriate.
Please note: to ensure that your settings are permanently saved, you must follow the instructions above. Otherwise you will lose your settings if the router is switched off or restarted.
9 Connection Scenarios
9.1 General
Now that you have completed basic configuration of the router (see previous pages), it needs to be connected via the appropriate connection type and configured using the web interface. A description of some basic connection scenarios follows. Choose the connection scenario that best applies to you and follow the instructions in the relevant section.
[Figure: connection scenario diagram (public telephone network, mbNET industrial router, RJ45 cable): Configuring the mbNET industrial router's integrated modem for connection with a client PC via the public telephone network (PPP dial-up / dial-up networking), see section 9.2 ...]
45. ... sender address. This means that none of the LAN subscribers need the router as a gateway. This is a considerable advantage when integrating remote maintenance into existing network structures, as it means that these structures do not need to be changed.
Security settings (continued)
15.2 WAN > LAN
This setting governs the incoming data traffic, i.e. the following settings only apply to data traffic arriving from outside the network.
[Figure 154: Security > Firewall screen with tabs General, WAN > LAN, LAN > WAN, Forwarding, NAT. WAN > LAN Configuration, Rule Settings: Enable, Action, WAN interface, Source IP, Source Port, Protocol, Destination IP, Destination Port; example rule: ACCEPT, Internet, tcp, 80]
WAN is always the currently active interface with the Internet as far as the mbNET firewall is concerned. The following rule is determined by the setting under Network > Internet > Internet Connection:
Internet via WAN (external router, fixed line): The WAN Ethernet connection is the interface with the Internet here. The firewall therefore checks the data traffic from the WAN Ethernet to the LAN Ethernet.
Internet via Modem: The modem is the interface with the Internet here. The firewall therefore checks the data traffic from the modem to the LAN Ethernet. All data traffic on the WAN Ethernet interface is denied with this setting.
Internet via WAN (DSL): The DSL data traffic via the WAN Ethernet is the interface with t...
46. Personal certificates (continued)
Description:
Issuer: For an explanation see Subject (certificate holder) on the previous page.
(Further fields): For an explanation see Subject (certificate holder) on the previous page.
Valid: Shows how long the certificate is valid for.
Download: There is a further step after clicking on this button to download: right-click on the link and select "Save target as".
Reset: Clicking on this button allows you to reset or delete the list of imported certificates.
12.3.2 Root certificate (CA)
A root certificate verifies whether the remote station certificate is also signed by the root certificate. If the authentication method in the VPN settings is set to "Authentication by certificate from CA", this root certificate must then be imported. The entry in the root certificate is used to confirm that the person dialing in has a valid certificate. In other words, the CA certificate holds information on the validity of the certificate. The CA certificate is available as a CRT file and needs to be imported to the router.
[Figure: System > Certificates screen with tabs Own Certificates, CA, Partner Certificates, CRL; "import new certific..."]
47. ... the DNS servers will be given by the ISP. If you are using a static connection, here you can add the nameservers. They will be used before the given servers from the ISP.
[Figure 150: Network > DNS Server screen with tabs Status, Servers, Settings. Settings: No Hosts, Strict Order, Filter WIN2K, Domain, Cache Size; Save Changes]
Label / Function:
Settings: The Settings tab allows you to activate or enter the DNS server settings listed below.
No Hosts: Computer names entered under the Network > Hosts menu are ignored.
Strict Order: The exact order set under Servers will be adhered to.
Filter WIN2K: Filters continuous and unnecessary requests from older Windows clients. This setting is useful when using an on-demand connection, as it avoids every request resulting in a connection to the Internet.
Domain: You can enter what is known as a domain suffix here.
Cache Size: Input the number of cached names here, in other words the number of names that are stored with IP addresses.
13.7 Network Hosts
This setting allows you to allocate one particular IP address to a specific name, enabling a direct response to DNS requests. You can input and store or delete IP addresses and their associated names in these fields. This means that the mbNET must answer the request directly rather than forwarding the request to another DNS server.
[Figure: Network > Hosts screen ...]
48. ... the Properties window for this. Here you need to add this interface by selecting Interfaces > New > Industrial Ethernet.
[Figure: "Properties - PG/PC" dialog with tabs General, Interfaces, Assignment; entry PROFIBUS; buttons Delete, Cancel, Help]
This opens a window where you need to make the Industrial Ethernet settings for the PC. Specify the PG/PC subnet mask and IP address here. The PG/PC IP address can be from anywhere in the network range, but may not overlap with other addresses on the network and must not be the real IP address of the PG/PC.
[Figure: "Properties - Ethernet interface" dialog: MAC address 08:00:06:01:00:00; "IP protocol is being used"; IP address 192.168.0.1; Subnet mask 255.255.255.0; Gateway: "Do not use router" / "Use router, Address 192.168.0.1"; Subnet: "not networked"; buttons New, Properties, Delete]
Next, in the Assignment tab, find the interface that you intend to use as the Ethernet Interface and link this to the LAN card in use (TCP/IP(Auto) -> xxx) by clicking on the Assign button.
[Figure: Assignment tab listing "ISO Ind. Ethernet -> Dell Wireless 1395", "ISO Ind. Ethernet -> mbDIALUP", "ISO Ind. Ethernet -> TAP-Win32 Adapter"; Assigned: Interface, Parameter assignment, Subnet, S7ONLINE Access; Active]
After assigning your chosen interface, the window should look l...
49. ... the router.
Memory Usage: Shows the amount of configuration memory and temporary memory currently being used.
Tracked Connections: Shows the usage of the packet filter.
System information: The system information can be used to establish the cause of errors on the router. If, for example, the ERROR LED on the front is flashing, it may be possible to determine the cause of the error using the log.
Error loggings: Firmware versions 2.1.0 and higher feature a direct error logging function in the web interface. This function logs all of the errors until the "clear all error messages" button is clicked. The most recent error is also displayed on the system information page and the wizards page. Simply click the last error message to go from one of these two pages directly to the error memory.
22 Factory settings on delivery
22.1 Username and password
The router is shipped with the following username and password:
Username: admin
Password: No password required
22.2 IP address of the router
The router is set to the following IP address in the factory:
IP address: 192.168.0.100
23 Loading the factory settings
Follow the steps outlined below to reset the industrial router to the factory settings.
IMPORTANT: You should first back up your configuration. Once you have carried out these steps, your previous settings will no longer be avail...
50. the router to send emails. SMTP port: the port over which emails will be sent should be entered here; usually this is port [number illegible]. E-mail address: enter the appropriate sender address for emails from the router here. SMTP requires authentication: the box should be checked or unchecked depending on the ISP; ask your ISP for the correct setting. User / Password: a user name and password are required for SMTP server authentication, i.e. if the router wants to send an email to the SMTP server it must first authenticate itself, if necessary.
[Page 26 of 229]
Basic configuration of the router using the web interface
8.4 Security Settings: to access the industrial router's web interface from outside the network, port 80 of the router's integrated firewall must be configured to receive incoming requests. To do this, select Security Settings > WAN > LAN. Click on the check box to check it. From the Action drop-down field select Accept. From the Protocol drop-down field select tcp. In Destination Port enter 80. Then save your settings by clicking on Save Changes. To save permanently, click Apply Changes. (Figures 25 to 29 show these steps.)
[Page 27 of 229]
Basic configuration of the router using the web interface
8.4.1 Save Settings: when you have completed the system settings described above
51. when a dial-up connection is set up. As a rule, CHAP is the process used by ISPs for Internet access log-in via a modem or ISDN adapter. Timeout dialout (s): after the length of time entered here, dialing attempts will stop and restart anew.
[Page 114 of 229]
For MDH8xx mobile broadband devices there are two Outgoing menus; these are simply SIM1 and SIM2. There is also a second menu, SMS settings.
Figure (screenshot): Network > Modem Configuration with the tabs Modem Settings, Outgoing SIM1, Outgoing SIM2, Settings SIM, SMS; fields SIM PIN, Provider (input/select), Phone Number, User, Password, Authentication via PAP, Authentication via CHAP, Timeout Dialout, Save Changes.
The SIM cards can be from different providers. SIM1 and SIM2 switch if there is a network fault or while roaming. Remote control using SMS.
SIM PIN: enter the SIM card's personal identification number (PIN) to ensure access. If you would like to switch PIN security on or off you will need a cellphone. Provider: select your mobile broadband network provider, e.g. T-Mobile. If you want to enter an access point name (APN), select Other. This opens a new window where you can enter the APN. For a list of APNs go to http://www.mbconnectline.de/qsm/grps/mobilfunk
52. the Windows client must be entered here; in the example this is 192.168.0.100. Remote IP Address Begin / Remote IP Address End: assignment of client IP addresses. The address range from which remote clients are assigned their IP address can be set here; in the example this is 192.168.0.130 to 192.168.0.140.
[Page 163 of 229]
17 VPN PPTP
17.1 Server settings
Figure 164 (screenshot): VPN > PPTP Configuration > Server: Enable; Autoconfig; Local IP Address 192.168.0.100 (or range); Remote Address 192.168.0.101-110 (or range); Give DNS Address to the Client 192.168.0.100; Give WINS Address to the Client; Encryption Configuration: Encryption MPPE V2 (All); Authentication Configuration: Authentication via PAP, via CHAP, via MS-CHAP, via MS-CHAP V2.
Enable: check this box by clicking it if the industrial router is to be enabled as a VPN server. Autoconfig: the local address of the mbNET will be used if you select yes here. Read on if you selected no.
[Page 164 of 229]
A local and a remote address (start and end point of the tunnel) are needed to set up a transmission channel. You can enter either an individual IP address or an entire range here. The remote range specification determines the maximum number of clients th
53. Figure (screenshot, continued): example tag rows for PLC SPS1, e.g. a FLOAT tag named Temperature at DB1.DBD4 with interval 10, and a BIN tag named Clock pulse 1.
The following address syntax must be used for this driver: DBx.DBXy.z = data block x, data bit y.z (BOOL); DBx.DBBy = data block x, data byte y (BYTE); DBx.DBWy = data block x, data word y (WORD); DBx.DBDy = data block x, data double word y (DWORD); Fy.z = flag bit y.z (BOOL); FBy = flag byte y (BYTE); FWy = flag word y (WORD); FDy = flag double word y (DWORD); Iy.z = input bit y.z (BOOL); IBy = input byte y (BYTE); IWy = input word y (WORD); IDy = input double word y (DWORD); Oy.z = output bit y.z (BOOL); OBy = output byte y (BYTE); OWy = output word y (WORD); ODy = output double word y (DWORD); PIy.z = peripheral input bit y.z (BOOL); PIBy = peripheral input byte y (BYTE); PIWy = peripheral input word y (WORD); PIDy = peripheral input double word y (DWORD); Ty = timer y (TIMER);
[Page 194 of 229]
Cy = counter y (COUNTER).
Display format: this format is used for the status display and in the logging data. Description: free label field. Interval (x 100 ms): this tag is read from the PLC during this interval. Logging: this tag is enabled for logging if this option is checked. The tag is only displayed on the Status display if this option is not checked.
19.2 Configuring the logging function: the logging function can be configured on the second tab under Server Configuration. The logging function applies to all PLC connections.
Figure (screenshot): Server Configuration, Server1
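As an added example that is not part of the mbNET manual, the following Python parser implements the S7 driver address syntax listed above: it returns the operand area, addressing and data type for each form, rejects malformed addresses and bit indices outside 0 to 7, and renders an address in the manual's own wording. All function names and the sample addresses are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example (not from the mbNET manual): parses the tag address syntax the
# manual lists for its S7 driver (DBx.DBXy.z, DBx.DBBy, Fy.z, FBy, Iy.z, IBy,
# Oy.z, OBy, PIy.z, PIBy, Ty, Cy ...) and reports the resulting data type.

# Operand area prefixes from the manual, mapped to a readable name.
AREAS = {
    "F": "flag",
    "I": "input",
    "O": "output",
    "PI": "peripheral input",
}

# Size letter (None for a single bit) -> data type named in the manual.
SIZE_TYPES = {
    None: "BOOL",
    "B": "BYTE",
    "W": "WORD",
    "D": "DWORD",
}

# Syntax forms, tried in order. Group names: db, area, size, byte, bit, num.
_PATTERNS = [
    # DBx.DBXy.z -> data block x, data bit y.z (BOOL)
    re.compile(r"^DB(?P<db>\d+)\.DBX(?P<byte>\d+)\.(?P<bit>\d+)$"),
    # DBx.DBBy / DBx.DBWy / DBx.DBDy -> byte, word, double word in data block x
    re.compile(r"^DB(?P<db>\d+)\.DB(?P<size>[BWD])(?P<byte>\d+)$"),
    # Fy.z / Iy.z / Oy.z / PIy.z -> single bit (BOOL); PI must precede I
    re.compile(r"^(?P<area>PI|F|I|O)(?P<byte>\d+)\.(?P<bit>\d+)$"),
    # FBy, FWy, FDy, IBy ..., OBy ..., PIBy ... -> byte, word, double word
    re.compile(r"^(?P<area>PI|F|I|O)(?P<size>[BWD])(?P<byte>\d+)$"),
    # Ty -> TIMER, Cy -> COUNTER
    re.compile(r"^(?P<area>[TC])(?P<num>\d+)$"),
]

_SIZE_WORDS = {"BOOL": "bit", "BYTE": "byte", "WORD": "word", "DWORD": "double word"}


@dataclass(frozen=True)
class S7Address:
    area: str                     # "data block", "flag", "input", "timer", ...
    data_type: str                # BOOL, BYTE, WORD, DWORD, TIMER, COUNTER
    db: Optional[int] = None      # data block number for DB addresses
    byte: Optional[int] = None    # byte offset (y in the manual's notation)
    bit: Optional[int] = None     # bit index 0-7 (z), only for BOOL addresses
    number: Optional[int] = None  # timer or counter number


def parse_s7_address(text: str) -> S7Address:
    """Parse one address in the mbNET S7 driver syntax; raise ValueError if invalid."""
    addr = text.strip().upper()  # the driver letters are case-insensitive here
    for pat in _PATTERNS:
        m = pat.match(addr)
        if not m:
            continue
        g = m.groupdict()
        if "num" in g:  # timer or counter form
            if g["area"] == "T":
                return S7Address(area="timer", data_type="TIMER", number=int(g["num"]))
            return S7Address(area="counter", data_type="COUNTER", number=int(g["num"]))
        bit = int(g["bit"]) if g.get("bit") is not None else None
        if bit is not None and bit > 7:  # a byte has bits 0..7 only
            raise ValueError(f"bit index {bit} out of range 0-7 in {text!r}")
        data_type = SIZE_TYPES[g.get("size")]
        if "db" in g:
            return S7Address(area="data block", data_type=data_type,
                             db=int(g["db"]), byte=int(g["byte"]), bit=bit)
        return S7Address(area=AREAS[g["area"]], data_type=data_type,
                         byte=int(g["byte"]), bit=bit)
    raise ValueError(f"not a valid S7 driver address: {text!r}")


def is_valid_s7_address(text: str) -> bool:
    """True if the address parses under the manual's syntax rules."""
    try:
        parse_s7_address(text)
        return True
    except ValueError:
        return False


def describe(addr: S7Address) -> str:
    """Render an address the way the manual's syntax table describes it."""
    if addr.number is not None:
        return f"{addr.area} {addr.number} ({addr.data_type})"
    unit = _SIZE_WORDS[addr.data_type]
    pos = f"{addr.byte}.{addr.bit}" if addr.bit is not None else str(addr.byte)
    if addr.db is not None:
        return f"data block {addr.db}, data {unit} {pos} ({addr.data_type})"
    return f"{addr.area} {unit} {pos} ({addr.data_type})"


if __name__ == "__main__":
    # Constructed sample addresses, including two that the syntax rejects.
    for sample in ("DB1.DBD4", "DB10.DBX0.3", "PIW2", "F3.7", "T5", "DB1.DBX0.8", "X5"):
        if is_valid_s7_address(sample):
            print(f"{sample:12} -> {describe(parse_s7_address(sample))}")
        else:
            print(f"{sample:12} -> rejected")
```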
54. 18.2.2.1 Server: no authentication or static key 176
18.2.2.2 Server: authentication with certificates 176
18.2.2.2.1 Single client (only one client can dial in) 177
18.2.2.2.2 Multi client (multiple clients can dial in) 177
18.2.2.3 Client: authentication: no or static key 179
18.2.2.4 Client: authentication with certificates 180
[heading illegible] 181
18.2.3.1 [heading illegible] 181
18.2.3.2 Authentication with static key 181
[Page 5 of 229]
18.2.3.2.1 Key management 182
18.2.3.3 Authentication with certificates 183
18.2.3.3.1 Authentication with CA certificate and own certificate 183
18.2.3.3.2 Authentication with CA certificate and own certificate and user/password 184
18.2.3.3.3 [heading illegible] 184
18.2.3.3.4 [heading illegible] 185
[heading illegible] 187
[heading illegible] 188
19 [heading illegible] 191
19.1 Configuring the connection 192
19.1.1 Creating the PLC [rest of heading illegible] 193
[heading illegible] 194
19.2 Configuring the logging function 195
20 Alarm management 197
20.1 G
55. Figure 22 (screenshot, continued): Modem Connection: Active, IP local, IP remote (192.168.2.101), User; Serial Interfaces: COM1, RS232, driver Allen Bradley 19200 V1.1, port 7001; COM2, MPI/PROFIBUS, port 7002; USB: no usb connected.
[Page 22 of 229]
System: system information such as device model, device name, current firmware version and serial number of the router. Interface LAN/WAN: displays which network connections are currently connected to the existing network via the respective ports. A green icon indicates an existing connection. Internet connection: a currently active Internet connection (or connections) is indicated by a green dot. If there is no currently active Internet connection the circle is solid gray. Modem connection: only incoming modem connections are shown here. A green dot means that a modem connection is established. The display also shows which user is connected to the modem. Serial interfaces: this shows the current configuration of interfaces COM1 and COM2. USB: information on connected USB storage devices. A connected storage device (USB flash drive or external hard drive) is indicated by a green dot.
Basic configuration of the router using the web interface
8.2 Icons, buttons and fields: in the rest of these operating instructions you will repeatedly encounter specific icons. These are listed and explained on the next page.
[Page 23 of 229]
types Gra
56. Figure 109 (screenshot, continued): Validity: 2012-05-10 13:00 GMT (not before), Not after 2013-05-10 12:54 GMT, Midnight, Local time, No well-defined expiration; Subject alternative name, Issuer alternative name, CRL distribution point and Authority Info Access (OCSP), each with an Edit button.
[Page 84 of 229]
Basic constraints: as your client certificate does not need to sign any other certificate, select End Entity as the Certificate Type (Type: End Entity). Key identifier: check the box labeled Subject Key Identifier. Validity: you can enter a specific start and end date in the relevant fields or use the adjacent Time Range field. Time Range: in the dialog boxes to the right enter the number of days, months or years. The list below specifies how long individual certificates should be valid for: personal certificates should be valid for 1 year; server (SSL) certificates 1 year; router certificates should be valid for 1 year (external routers) or 10 years (internal routers); CA certificates should have an extended lifespan, e.g. > 10 years. Click Apply to confirm the Time Range values. Subject alternative name: the subject alternative name is a list of alternative names for the certificate holder. These can be RFC822 names (email), DNS names, X.400 addresses, EDI names, URIs or IP addresses. In principle any structured naming system is applicable. If using PKIX this extension is essential when the certificate subject fi
57. Figure (screenshot, continued): Serial Interfaces > COM1 interface: Type; Driver; User settings: Baudrate, Data format (8 Databits, None Parity, 1 Stopbit), Handshake (no Handshake), Receive loops; Protocol TCP; Port; Enable Ports through firewall; Save Changes.
[Page 131 of 229]
Serial interfaces (continued)
Figure 153 (screenshot): Serial > COM1 with the Driver drop-down list opened; entries include Allen Bradley 19200 V1.1, Allen Bradley 9600 V1.1, AMK 19200 V1.1, Aep 19200 V1.1, Atlas Copco DMC V1.1, Baumuller Bmaxx4000 LCS PLC 38400 V1.0, Baumuller Bmaxx4000 LCT 19200 V1.0, Baumuller Driveline II 38400 V1.0, Baumuller V-Regler 9600 V7.1, Berger Lahr 115200 V1.0, Bosch Rho 19200_6N1 V1.0, Bosch Servomodul Typ DS V1.0, Bosch 19200 SET V1.0.
Label / Function: COM1: configuration options for the COM1 interface. The settings that follow it apply only to this interface. Interface Type: use this drop-down field to set the interface type for COM1. The options are as follows: RS232, RS485 2-wire, RS485 4-wire, RS422. Driver from list: select a product- or brand-specific driver to control your serial device. User settings: if no suitable driver is available or you need to enter your Drive
58. [number partly illegible] 9 0 7062 9178792; Technical support +49 (0) 9851 582529-0; E-Mail info@mbconnectline.de; Website www.mbconnectline.de
[Page 2 of 229]
Table of contents
[heading illegible] 8
1.1 [heading illegible] 8
1.2 [heading illegible] 8
Safety instructions 9
[heading illegible] 10
What is included in the package 11
5 Displays, controls and connections 12
5.1 Front panel view 12
5.2 Top, bottom and back panel views 14
6 Interfaces 15
6.1 [heading illegible] 15
6.1.1 Pinout of top panel terminal blocks X1 and [illegible] 15
6.1.2 Pinout of bottom panel RJ12 jack 15
6.1.3 Pinout of front panel serial interfaces COM1 and COM2 15
6.1.4 Pinout of front panel LAN/WAN ports 16
6.1.5 Pinout of front panel USB port 16
7 First-time operation 17
7.1 Connecting the router to the power supply a
59. Figure 195 (screenshot, continued): Encryption Method drop-down with entries such as [cut off] BC 64 bit, AES with CBC 128 bit, AES with CBC 192 bit, AES with CBC 256 bit.
Encryption Method: this setting must be the same on the peers. Protocol: UDP or TCP can be selected. The default setting is UDP. If the HTTP proxy is selected, TCP is automatically valid. Local / peer port: OpenVPN communication is conducted via the set local and peer ports. These ports generally have the same settings. The default port is 1194. Protocol options: Bind the local IP address and port: OpenVPN cannot change the ports dynamically while the connection is active. Allow the peer to change its IP address dynamically: this option allows the VPN peer to change its IP address while the connection is active. LZO compress active: compression method of OpenVPN. Ping interval (seconds): a ping is sent to the VPN peer if the OpenVPN tunnel has not been used for n seconds. Ping restart (seconds): the tunnel is restarted if the VPN peer does not respond to the ping within n seconds or no data packet is received. MTU (bytes): the default MTU size is 1500 bytes. Fragment the UDP packets (in bytes): packets bigger than n bytes will be fragmented. Regenerate a new key after (seconds): a new key will be generated after n seconds. This is set to 3600 seconds by default.
[Page 189 of 229]
Send more information to the System Protocol. Enable connection through a HTTP proxy: you must check
60. Figure (screenshot, continued): ISO Ind. Ethernet -> Broadcom NetXtreme 57x.
14.2.2 Create subnets: create a PROFIBUS and an Industrial Ethernet subnet.
Figure (screenshot): NetPro window RFC1006 Network (C:\Programme\Step7\s7proj\Rfc1006); menus Network, Edit, Insert, PLC, View, Options, Window, Help; Selection of the network: PROFIBUS DP, PROFIBUS PA, PROFINET IO, Stations, Subnets (PROFIBUS, Industrial Ethernet); the subnets PROFIBUS(1) and Ethernet(1) Industrial Ethernet; status line ISO Ind. Ethernet -> Broadcom NetXtreme 57x.
[Page 138 of 229]
14.2.3 Add PC station: following step 2.1 you need to add a PC station. You can skip steps 2.2 to 2.3 if you are using the NetPro Import function. A pre-configured mbNET station is available as an annex to these instructions. You can download this as a Zip file from our homepage http://www.mbconnectline.de under Support > Manuals.
Figure (screenshot): NetPro window RFC1006 Network (C:\Programme\Step7\s7proj\Rfc1006); Selection of the network: PROFIBUS DP, PROFIBUS PA, PROFINET IO, Stations (Other Station, PG/PC, SIMATIC 300, SIMATIC 400, SIMATIC PC Station, SIMATIC S5, SIMATIC S7-400 H), Subnets, PROFIBUS
61. 13.3.4 Callback 117
13.3.5 Network Modem [rest of heading illegible] 118
13.3.6 Remote service control commands using [illegible] 118
13.4 Network Internet 119
13.4.1 Network Internet: Internet Connections 119
[Page 4 of 229]
13.4.2 Network Internet: Internet Settings 120
13.4.3 Internet failover connection 121
13.5 Network DHCP 125
13.6 Network DNS Server 126
13.7 Network Hosts 127
13.8 Network DynDNS 128
13.8.1 [heading illegible] 128
13.8.2 How to set up DynDNS configuration 128
14 Serial interfaces 131
14.1 [heading illegible] 131
14.1.1 [heading illegible] 131
14.1.2 MPI/PROFIBUS interface 134
14.1.3 Settings for Simatic
62. CIDR format x.x.x.0/24, or routes to individual subscribers, here.
[Page 110 of 229]
The industrial router's integrated modem is for dial-in or Internet connection (analog, ISDN, GSM) where there is no available DSL or network connection. NOTE: if the modem is used for an outgoing Internet connection it cannot be used for an incoming connection.
Figure 144 (screenshot): Network > Modem Configuration > Incoming: Modem Settings (Modem Type GSM, Modem Init, Modem Init); tabs Outgoing SIM1, Outgoing SIM2, Settings SIM, Incoming, Call Back; Dialin enable; PPP Server IP Address 192.168.0.101; PPP Client IP Address 192.168.0.102; Dialin Authentication: only following user, Authentication via PAP, Authentication via CHAP, User, Password; close connection after inactivity of (s).
Description: ANALOG: if using an analog device, enter the command GCI <country code> (for country codes see Country codes for analog devices) here, and in the second row the command X3 (do not wait for dial tone). ISDN: if using an ISDN device you need to enter your MSN number with the AT Z n n command followed by the MSN number. If you enter n as [character illegible], every call will be accepted. GSM: if using a GSM device you must use the preset X3 command. The GCI country code may not be used. Label: you need to enabl
63. Internet connection should be allowed to fail before switching to the next interface.
Figure (screenshot): Failover of Internet interfaces: Retry interface [n] before switch to next interface.
[Page 122 of 229]
There are additional settings for monitoring, e.g. an Internet connection via WAN.
Figure (screenshot): Connection monitoring: PING IP yes; PING IP or host address 1: 82.165.78.247; PING interval 1 (s); PING IP or host address 2; PING interval 2 (s); PING IP or host address 3; PING interval 3 (s); PING retry before switch to next interface; Save Changes.
You can enter up to three different IP addresses, which will then be run through in the following order: if the first IP fails, the second will be used; if this one also fails, the third will be used; and once all three have been run through, a test will be carried out. If the set test retry limit is reached, the interface will switch. If the system gets to the last interface, it will start again with the first.
[Page 123 of 229]
In addition, routers with a GSM/UMTS module and double SIM slot can switch between SIM1 and SIM2.
Figure (screenshot): Modem Configuration > Settings SIM: Modem Type GSM, Modem Init, Modem Init; tabs Outgoing SIM1, Outgoing SIM2, Settings SIM; Select primary SIM card: SIM card 1; Switch to secondary SIM card when roaming is detected
64. Figure 70 (screenshot, continued): Internet via WAN; Connection monitoring.
For a detailed description of the [illegible] settings please see section Network Internet. Label / Description: Internet connections: here select to connect over Internet via WAN. Connection Mode: select Connect immediately. The connection will be established whenever you restart the router. Lock connection by: you can interrupt the Internet connection by means of a signal to one of the digital inputs. Send IP address via email: check the box by clicking on it to have the router's IP address sent to the email address that you will enter below. Email: when an Internet connection has been established an email message will be s
ent to the email address entered here.
[Page 50 of 229]
Configuring for connection over the Internet (continued): save your changes by clicking Save Changes. Finally, to save your changes permanently to the router, click Apply Changes. To finish, restart the router.
9.4.2 Establishing a connection between client PC and router: Router Internet dial-in: depending on the router settings (see Internet Configuration) you need to either restart the router or push the Reset button. For further Internet dial-in settings please see section Network Internet. Client PC Internet dial-in: dial the client PC into the Internet. Transmit IP address: for the client to be
65. [heading illegible] 137
Enabling RFC1006 on the mbNET 137
14.2.1 Settings for NetPro [rest of heading illegible] 138
14.2.2 Create subnets 138
14.2.3 Add PC station 139
14.2.4 [heading illegible] PC Station 140
14.2.5 [heading illegible] 141
14.2.6 Configure mbNET PC Station 144
Connecting to S7 using the mbNET S7 driver 147
15 Security settings 150
15.1 [heading illegible] 150
15.2 WAN > LAN 151
15.3 LAN > WAN 152
15.4 Forwarding 154
15.5 [heading illegible] 155
16 [heading illegible] 156
16.1 Configuring a VPN IPSec connection with two routers 156
16.1.1 [heading illegible] 157
16.1.2 [heading illegible] 158
16.1.3 [heading illegible] 158
16.1.4 [heading illegible] 162
16.1.5 L2TP Server Configuration 163
17 VPN PPTP 164
17.1 Server settings 164
17.2 Client settings 166
18 VPN OpenVPN 167
18.1 Basics about OpenVPN 167
18.2 Connection [rest of heading illegible] 168
18.2.1 [heading illegible] 168
18.2.1.1 No authentication or static key 170
18.2.1.2 Authentication with certificates 170
18.2.1.3 Configuring an OpenVPN Windows client 171
18.2.1.3.1 No [rest of heading illegible] 172
18.2.1.3.2 Authenticating a Windows client with static key 173
18.2.1.3.3 Starting the OpenVPN connection 174
[heading illegible] 174
18.2.2
66. Figure 143 (screenshot, continued): Network > WAN with the tabs Settings, Interface, Routes; Interface Type Static IP; WAN IP address; Netmask 255.255.255.0; Default Gateway.
Interface Type: you can select from the following interface types. DSL: select this option if your router is directly connected to a DSL modem that connects to the Internet. DHCP: select this setting if there is a DHCP server on the network, from which the industrial router is then automatically assigned an IP address. Please also contact your network administrator to confirm this. Static IP: select this setting if connection to the Internet is via an existing router which is not acting as a DHCP server, or if no server is set up to assign addresses. You should also select this setting if you have received a static address from your ISP, e.g. if you have a leased line. Note also that this type of connection requires you to enter a DNS server (see Network DNS Server). WAN IP address: IP address of the router connected to the WAN port. Netmask: enter the subnet mask. Default gateway: enter details of the gateway that connects you to the Internet, i.e. the IP address of the existing router.
[Page 109 of 229]
13.3 Network Modem
13.3.1 Network Modem Incoming
Network WAN (continued): when selecting the interface type, choosing DSL also requires you to select one of the following options. PPPoE: select t
67. mbNET LAN interface IP address as the device gateway. Communication is not via PPP addresses but via the mbNET LAN interface IP address and the IP addresses of connected devices.
[Page 36 of 229]
Configuring the router/client connection over the telephone network (continued)
9.2.2 Configuring a client PC to access the router: you can connect directly to the router and to a remote network using a telephone line. Router access must first be correctly configured as described above. Then you need to set up a suitable dial-up connection on the computer as follows. Click on START and then Control Panel. Click on NETWORK CONNECTIONS and then NEW CONNECTION WIZARD. This launches the connection wizard, which will make all the necessary settings. The welcome screen of the connection wizard will appear (Figure 43). Click NEXT.
Figure 43 (screenshot): New Connection Wizard, Welcome to the New Connection Wizard: this wizard helps you connect to the Internet, connect to a private network such as your workplace network, or set up a home or small office network; Next.
Figure (screenshot): New Connection Wizard, Network Connection Type: Connect to the Internet (so you can browse the Web and read email); Connect to the network at my workplace.
In Network Connection Type, choose [option illegible]
68. IP address of the local network. The client will send the IP of the mbNET as the gateway for traffic through the local network. Although this means that it is then no longer possible to distinguish between senders in the LAN, the LAN subscribers do NOT have to have the mbNET entered as a gateway. NOTE: this can become confusing with multiple clients. No network settings need to be made on the client side. The server automatically passes all the information to the client in this mode.
18.2.1.3 Configuring an OpenVPN Windows client: to be able to use the OpenVPN Windows client it must first be installed on the computer. The installation routine can be downloaded from http://openvpn.net/index.php/open-source/downloads.html. The corresponding client setting can be downloaded from the mbNET via the Download link (see arrow). Save this file in the config folder of OpenVPN.
Figure 172 (screenshot): VPN > OpenVPN, tabs Connections / Static Keys: Active; Connection name Client_Router; Config valid; Download Client configuration.
With manual configuration of the VPN client, the settings Local IP address and Peer IP address must be reversed accordingly on the client. The downloaded file corresponds to the settings for OpenVPN for Windows. Open the settings file using a text editor to make the additional settings.
[Page 171 of 229]
Figure (screenshot): ClientRouter - Notepad (File, Edit, Format, View, Help) showing the downloaded configuration file, beginning with Port 8080
69. Figure 104 (screenshot, continued): [cut off]P over LAN.
Now click on OK to complete root certificate creation. Your root certificate is now ready and you can now derive and sign your additional certificates.
10.2.2 Creating a client certificate: to create a certificate signed by this CA, in the Certificates tab highlight the root certificate that you just created and click again on New Certificate.
[Page 80 of 229]
Figure 105 (screenshot): X Certificate and Key management (menus File, Import, Token, Help; tabs Private Keys, Certificate signing requests, Certificates, Templates, Revocation lists) with the entry Root certificate / Rootcertificate; Database: C:\Dokumente und Einstellunge
The dialog box below will appear.
10.2.2.1 Client certificate source: first we need to select our root certificate as the one that will be used as signatory. We also need to set the signature algorithm to MD5 again. (Note: MD5 is a broken signature algorithm, and current OpenSSL and OpenVPN releases reject MD5-signed certificates; use a SHA-2 algorithm where the router firmware accepts it.)
[Page 81 of 229]
Figure 106 (screenshot): Create x509 Certificate, Source tab: Signing request (Sign this Certificate signing request, Copy extensions from the request, Show request, Modify subject of the request); Signing: Create a self signed certificate with the serial [n] / Use this Certificate for signing: Rootcertificate; Signature algorithm: MD5; Template for the new certificate: default CA; Apply extensions, Apply subject, Apply all.
70. Please note that XCA bundles the key and the certificate into a single file with the extension .p12. This is what is meant by a PKCS12 file.
Figure 133 (screenshot): System > Certificates (tabs Own Certificates, CA, Partner Certificates, CRL): Import new certificate: Choose PKCS12 File (Browse), Name for this certificate (optional), Password, Import PKCS12 File; List of imported certificates: Name mb_HOST, Subject CN=Client, Issuer CN=Root, Valid May 10 11:45:00 2012 GMT to May 10 11:44:00 2013 GMT, Download.
Description: Choose PKCS12 file: certificate file selection. Browse: provides the file path for the certificate file. Name for this certificate (optional): optional entry of a name for the certificate file. Password: certificate password entry. The certificate must have been assigned a password when it was created, otherwise it will not import. Import PKCS12 file: as long as the above data have been entered correctly, clicking on this button imports the certificate. List of imported certificates: this displays a list of the certificates already imported. More certificates can be included by using Import PKCS12 file. Name: name of the certificate, in this case mb_HOST. Subject: [start of description illegible] of certificate holders in
71. RI (Ring Indicator): Not Connected; [signal name illegible]: Send request (Figure 9).
[Page 15 of 229]
Interface assignment (continued)
6.1.4 Pinout of front panel LAN/WAN ports
Figure 10: pin numbering 1 to 8, with the unused pins marked Not Connected.
6.1.5 Pinout of front panel USB port
Figure 11.
[Page 16 of 229]
7 First-time operation
7.1 Connecting the router to the power supply and switching on: the router is designed for installation in switch cabinets. The device is designed for mounting on top-hat rails based on DIN EN 50022. Please note: before connecting the router to a network or PC, first ensure that it is properly connected to a power supply, otherwise it may cause damage to other equipment. You should therefore follow the instructions given below. IMPORTANT: connect equipotential bonding to the grounding lug on the router's top panel (Figure 12, Detail A). Insert the router into the DIN rail. To do this, position the upper guide on the rail and then press the router downwards against the rail until fully inserted. Connect the 10-30 V DC power supply to the X1 terminal of the router. Make sure the polarity is correct (Figure 13). Now switch on the power supply. The green Power LED should light up immediately. After approx. 90-110 seconds (depending on device
72. USB storage medium.
[Page 216 of 229]
21.15 Status Alarmmanagement
Figure 213 (screenshot): Status > Alarmmanagement: Input/Output: Input 1, Input 2, Input 3, Input 4; Output 1, Output 2; Messages; Systemloggings.
Input: shows the states at the four inputs. The states are queried and updated approx. every three seconds. Output: shows the states at the two outputs. The states are queried and updated approx. every three seconds. Systemloggings: all events and error messages related to alarm management are saved here, e.g. SMS, activity of inputs.
[Page 217 of 229]
21.16 Status System
Figure (screenshot): Status > System: Device Status: RAM Usage 125912 KB, Used 29584 KB (24%); Memory Usage: Configuration Flash Used 528 KB (26%), Set Memory Used 150 KB (2%); Tracked Connections: Maximum 6192, Used 112 (2%); System informations: Generate support file and download it; Systemloggings: Kernel, with log lines such as "<6> Mar 23 09:56:54 kernel: cdc_acm 2-1:1.0: ttyACM0: USB ACM device", "<6> Mar 23 09:56:54 kernel: usb 2-1: configuration #1 chosen from 1 choice" and "<6> Mar 23 09:56:53 kernel: usb 2-1: new full speed USB device using ixp4xx-ehci and ad
73. Switch to secondary SIM card when there is a failure with the primary SIM card. First we need to specify a primary SIM card, which will always be verified or used by default. The secondary SIM card is always the non-primary one. Switching is based on two selectable criteria: the SIM card fails to initialize or to register on the mobile broadband network; roaming is detected on the SIM.
[Page 124 of 229]
13.5 Network DHCP: you can configure the industrial router as a LAN or WAN DHCP server. DHCP enables you to integrate a new computer into an existing network without the need for any additional configuration. The only requirement is for the computer to be set up to acquire the IP address automatically.
Figure 149 (screenshot): Network > DHCP > DHCP Configuration: LAN / WAN; LAN Configuration: DHCP Server active; Begin; End; Netmask; Broadcast; Gateway; DNS Server; NetBIOS/WINS; one field pre-filled with 192.168.0.100; Lease Time (s) 86400; Save Changes.
Label / Description: LAN/WAN: selects whether to configure the LAN or WAN interface. DHCP Server active: checking the box for this function allows the router to be enabled as a DHCP server for the relevant interface. Begin: enter the start address for the address range managed by the DHCP server here. End
9.2.1.2 Configuring the router using the web interface

On the web interface home page click Network > Modem.

(Figure 37: Network > Modem > Modem Configuration > Modem Settings for an ANALOG modem: Type ANALOG, Modem Init "GCI...", Modem Init "...".)

(Figure 38, "Configuring the router/client connection over the telephone network": Modem Configuration for a GSM modem: Type GSM Modem, Init Modem, Init X3, tabs Outgoing SIM1 / Outgoing SIM2 / Settings SIM / Incoming / Call Back; Incoming: Dialin enable, PPP Server IP Address 192.168.0.101, PPP Client IP Address, Dialin Authentication, Authentication via PAP, Authentication via CHAP, User, Password.)

For more detailed information see section Network > Modem.

Label: Description
Modem Init (ANALOG): if using an analog device, enter the command GCI=<country code> in the first row (for country codes see "Country codes for analog devices") and the command X3 (do not wait for dial tone) in the second row.
Modem Init (ISDN): if using an ISDN device, enter your MSN (multiple subscriber number) with the command AT Z n=<MSN number> (the separator characters between AT, Z and n are not legible in this copy). If the wildcard value is entered for n, every call will be accepted.
9.6.1.2 Adding VPN dial-in users

For a client to dial into the industrial router via a VPN, a user must be added and given VPN dial-in rights under user management. For instructions on how to add a user with specific rights see section System > Users.

IPSec and PPTP: PPTP and IPSec are the protocols available for a VPN (tunneling) connection. The diagram below shows a VPN configuration using PPTP.

9.6.1.3 Configuring the router (VPN server)

On the home page click VPN in the navigation bar on the left and PPTP in the navigation bar at the top. The following example is intended to clarify the configuration; a description of the individual settings follows.

(Figure 82: PPTP example. Client, e.g. dial-in via PC, reached through its Internet Service Provider (ISP), with public IP address e.g. 123.456.789.21 (an illustrative placeholder, not a routable address) and a PC IP address in the range 192.168.x.x. Server, e.g. dial-in via router, reached through its ISP, with public IP address e.g. 77.180.121.116 and local IP address 192.168.0.104.)

The connection wizard helps you configure your connections quickly and easily. To launch the wizard click the Wizards link at the top right of your browser. If you have disabled the autolaunch fu
WWW.INFOPULSAS.LT, info@infopulsas.lt (distributor stamp)

MB CONNECT LINE remote maintenance solutions
mbNET HANDBOOK
(Cover illustration: mbNET device front with the COM2, Dial Out and Reset labels.)

MB Connect Line GmbH, Raiffeisenstraße 4, D-74360 Ilsfeld. Telephone +49 (0)7062 9178788, Fax +49 (0)7062 9178792, Hotline +49 (0)9851 582529-0

Copyright MB Connect Line GmbH 2008. No part of this document and its contents may be reproduced, used or distributed without the express permission of MB Connect Line GmbH. Damages will be claimed in the event of infringement. All rights reserved.

These operating instructions cover the functions and application of the mbNET router. We have aimed to provide the best possible description of the devices and functions; however, we cannot be held liable for the accuracy of the information. The most up-to-date information is available from our website. We welcome any comments or suggestions for improvement.

Trademarks: the use of any trademark not listed herein is not an indication that it is freely available for use.

MB Connect Line confirms that the mbNET device (MDH6xx, MDH8xx) complies with the basic requirements and overall provisions of European Directive 1999/5/EG. To see the Declaration of Conformity visit http://www.mbconnectline.de/support.htm

Issued by MB Connect Line Remote Maintenance Solutions GmbH, Raiffeisenstraße 4, 74360 Ilsfeld, Germany. Tel. +49 (0)7062 9178788, Fax +4
...tab and open the following dialog box by clicking New Certificate.

10.2.1.1 Root certificate: source

(Figure 100: XCA "Create x509 Certificate" dialog, Source tab. Signing request: "Sign this Certificate signing request", "Copy extensions from the request", "Show request", "Modify subject of the request". Signing: "Create a self signed certificate with the serial 1" or "Use this Certificate for signing". Signature algorithm: SHA-1. Template for the new certificate: default CA.)

First change the Signature algorithm to MD5 so that the certificate is compatible with the mbNET. Then go straight to the Subject tab and create the certificate.

Be aware of what this compatibility requirement costs: MD5 is broken as a signature hash (collision attacks producing forged MD5-signed certificates have been demonstrated publicly), and current browsers and TLS libraries reject MD5-signed certificates outright. Use MD5 only because the device requires it: keep this CA for mbNET VPN peers only, keep its private key on an offline machine, and do not reuse the CA for anything else.

10.2.1.2 Root certificate: subject

(Figure 101: Subject tab. Distinguished name: Internal name "Rootcertificate", countryName DE, stateOrProvinceName Bayern, further fields through emailAddress. Private key: "Used keys too", "Generate a new key".)

In the Subject tab fill in the fields from Internal Name through emailAddress. For VPNs using IPSec, the Subject settings can later be used as an ID (cf. section Authentication). Next create a private key by clicking Generate a new key. Please do not use acc
...cable. Switch on the device. Wait until the Err LED is on. Press and hold the dial-out button until the Fc4/TxD2 LED lights up. Press the dial-out button again: Fc3/RxD2 lights up. Press the dial-out button again: Fc2/TxD1 lights up. Finally press the dial-out button one last time. The custom configuration is then deleted; the industrial router is reset to the factory settings and can be reconfigured.

IMPORTANT: The IP address of the industrial router is reset to 192.168.0.100. The computer's network settings must be changed accordingly.

Because the reset needs nothing but the button, physical access to the device amounts to administrative access: mount the router in a locked cabinet, and treat an unexplained fallback to 192.168.0.100 with factory settings as an event to investigate rather than a glitch.

24 Initializing the modem

General information on the AT commands: the commands are entered in the two Modem Initialization fields of the modem settings page. The prefix always consists of the letters AT; it does not have to be entered in the field. A command is made up of a code and, where applicable, associated values, written as described below. Letters can be uppercase or lowercase. Multiple commands can be combined into one command line, for example L1M1\N5.

24.1 Analog modem commands

B: selects the communication standard. ATB0 CCITT modulation; ATB1 Bell modulation.
\B: treatment of the break signal. AT\Bn sends a break signal to the remote station, n = 0..9 in units of 100 ms; AT\B3 is the standard setting. Only possible with a non-error-corrected
...able to access the router, it must know the router's IP address. The option to transmit the IP address is selected during router configuration: the address is reported by sending it to the email address specified during configuration.

(Figure 71: Save Changes and Apply Changes buttons. Figure 72: shortcut to the connection. Figure 73: the reported IP address; value illegible in this copy.)

9.4.3 Displaying connection status

As the router's IP address changes each time it dials up to the Internet, a helpful alternative is to use our DynDNS service. For information on setting up and using the MB Connect Line DynDNS service see section Network > DynDNS.

Using a PC connected to the LAN interface, you can check for an active Internet connection by clicking the status link (label illegible in this copy). For further information on status messages see section Status > Messages.

(Figure 74: Network > Internet, "Manual Control of the Internet" panel.)

9.5 Configuring the industrial router for connection to the Internet via an existing router

The diagram below shows how to link the industrial router up to a network which already has a router that is set up for connection to the I
To restore a configuration, the stored file containing the router configuration must be transferred back onto the industrial router. First click Browse, go to the file location or directory and select the file, then click Restore. Saved config file: *.mbn, *.mbns.

Loading a configuration from a USB device: if the storage medium connected to the mbNET contains a configuration file, the file(s) are displayed as in the example above. Select one of the files and click Restore. You will be asked which areas of the configuration you would like to restore; enable the areas you want and confirm. Finally you will be asked to restart the device.

A configuration backup carries everything needed to impersonate the router, including its VPN settings and user accounts, so store .mbn/.mbns files with the same care as private keys and do not leave a USB stick holding a backup plugged into the device.

12.7 System > Firmware

There are two ways to update the industrial router's firmware, explained below.

(Figure 140: System > Firmware > Firmware Upgrade: Upgrade Method "Upgrade via Network", TFTP Server 192.168.0.65, Imagename.)

When you click on the drop-down field, two options are available for a firmware update:

Upgrade via USB: this requires a USB storage device to be connected to the industrial router so that the file can be transferred across. The firmware name: image.bin

Upgrade via Network fetches the image from a TFTP server, and TFTP has neither authentication nor integrity protection: run the TFTP server on the isolated LAN segment only for the duration of the upgrade, and compare the image against a checksum obtained from MB Connect Line through a trusted channel before placing it on the server.
...already be connected to a suitable power source, and the Power and Ready LEDs must both be solid green.

9.4.1.1 Connecting the router

Connect the router to the DSL modem as shown in the diagram on the right (Figure 65: splitter, TAE box, DSL modem, mbNET industrial router). To do this, plug one end of the straight-through Ethernet cable into the LAN connector (1) of the DSL modem and the other end (2) into the WAN connector on the router.

9.4.1.2 Configuring the router using the web interface

The connection wizard helps you configure your connections quickly and easily. To access the wizard, click the Wizards link at the top right of your browser. If you have disabled the autolaunch function for wizards, click the Start button for the Internet connection wizard.
- Select the option for External DSL modem.
- Enter your Internet login details. You can obtain these from your Internet Service Provider.
- You can also choose whether the mbNET should send you an email, use a dynamic DNS service, or be accessible over the Internet via MB Connect Line's DynDNS.
- Confirm and save your entries. Finally the mbNET must be restarted to fully implement the settings.

From the home page of the web interface click Network > WAN. (Figure: Network > WAN > WAN Configuration, WAN an
(Figure 159: VPN > IPSec connection settings: Active; Name; Connection type "Router <> Router Connection"; Link connection "Connect immediately" with the note "One of this routers has to be set to wait mode"; DNS.)

16.1.1 Connection settings

Label: Description
Active: check this box to activate the VPN connection.
Name: enter a name for the connection in the input field.
Connection type: select Router <> Router Connection or Client <> Router Connection from the drop-down field. Please note that to communicate with another router, this router must be configured for accessing the Internet and for requests from clients.
Connection settings (only with a router-router connection): one of the following options for establishing the connection must be selected.
- Connect immediately (link connection): the connection is established following a restart or boot.
- Connect on traffic: the connection with the remote router or network is established in response to requests from the local network.
- Wait for incoming connection: the router on standby is the so-called VPN server; it waits for incoming connections. One of the two routers has to be set to this wait mode.
Peer address (IP/DNS) (only with a router-router connection): the appropriate peer address must be specified on the router responsible for the outgoing connection. This can be an IP address or the DNS name under which the remote router can be reached.
...[number of clients th]at can dial in simultaneously.

Example: Local IP address 192.168.0.104, Remote IP address 192.168.0.160. The VPN server can be accessed under the IP address 192.168.0.104. Only the client assigned the IP address 192.168.0.160 by the server can log in to the server.

Example: Local IP address 192.168.0.104, Remote IP address 192.168.0.160-170. The connected clients that dial in simultaneously (max. 10 according to the text; note that the range itself holds 11 addresses) are assigned the IP addresses 192.168.0.160 to 192.168.0.170 by the server 192.168.0.104.

VPN > PPTP (continued)

Label: Description
Local IP Address (or Range): the address under which the PPTP server is reached (see the examples above).
Remote IP Address (or Range): the address or range the server assigns to dial-in clients (see the examples above).
Give DNS to the Client: DNS server address passed to the client router so that it can resolve computer names into IP addresses and vice versa.
Give WINS address to the Client: WINS server address assigned to a client dialed into the router.
Encryption: select the encryption method from the drop-down field. None: no encryption. MPPE V2 40: 40-bit encryption. MPPE V2 128: 128-bit encryption. MPPE V2 All: all encryption methods.
Authentication: select the authentication method(s) here.
- PAP: the client keeps sending the username/password combination to the host until the host accepts or rejects the authentication. The password travels in cleartext.
- CHAP: controlled by the host. When a client dials in, the host prompts it to authenticate; the client answers with an MD5 hash computed over the challenge and the password (the original text calls this "MD5 encryption", but nothing is encrypted). The authentication is accepted if the user data sent matches the data on the host; if not, it is

Choose these two settings together: MPPE keys are derived from the MS-CHAP exchange, so MPPE only works with MS-CHAP or MS-CHAP V2 (the client page says the same). None leaves the tunnel readable on the path, and PAP exposes the password. MPPE V2 128 with MS-CHAP V2 is the strongest combination this page offers, but PPTP with MS-CHAP V2 is itself considered weak today; where the peer supports it, prefer the IPSec or OpenVPN connections the router also provides.
(Figure 134: System > Certificates, CA tab. Import new certificate: Choose CRT File (Browse), Name for this certificate (optional), Import CRT File. List of imported certificates: Name mb_ROOT_CA, Subject CN=Root, Issuer CN=Root, Valid May 10 11:44:00 2012 GMT, Download.)

Label: Description
Choose CRT file: enter the file location or browse the relevant drive for the certificate file. File extension: .crt.
Name for this certificate (optional): optional entry of a name for the certificate file. If you do not enter a name, the common name will be used.
Import CRT file: as long as the above data have been entered correctly, clicking this button imports the certificate file.
List of imported certificates: displays the certificates already imported. More certificates can be added by clicking Import CRT File. For more information on Name, Subject, Issuer, Valid from/to and Download see section Personal Certificates.

12.3.3 Peer certificates (IPSec)

Import new certificates: peer certificates are remote station certificates. They are only needed if "Authentication by peer certificate" is selected in the VPN settings. In this situation the existence of a local copy of the certificate is confirmation of its validity, i.e. trust is established at import time, so verify the certificate's fingerprint with the remote station's operator through a separate channel before importing it. The remote station certificate is selected via the relevant .crt file and then imported. You can also import multiple .crt files.

(Figure: System > Certificates, with the tabs Info, Settings, WEB, Users, USB, Logging, Ba
Router Listening Ports (continued; values as legible in the screenshot):
tcp 0 0 192.168.0.100:102 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN
tcp 0 0 192.168.0.100:7001 0.0.0.0:* LISTEN
tcp 0 0 192.168.0.100:200 0.0.0.0:* LISTEN (address and port partly illegible)
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
tcp 0 0 :80 0.0.0.0:* LISTEN (bind address illegible)
udp 0 0 127.0.0.1:514 0.0.0.0:*
udp 0 0 0.0.0.0:58242 0.0.0.0:*

Router Connections (Connections to the Router; "Active Internet connections (w/o servers)"):
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 402 ::ffff:192.168.0.100:80 ::ffff:192.168.0.53:[port illegible] ESTABLISHED
(Figure 200)

Label: Description
Physical Connections: shows the physical connections via which the router is connected to other computers.
Routing Table: shows all routes used.
Router Listening Ports: shows all ports the router is listening on. A socket bound to 0.0.0.0 (here 139 and 445) accepts connections on every interface, so whether it is reachable from the WAN, a PPP dial-in or a VPN depends entirely on the firewall rules under Network > Security; a socket bound to 192.168.0.100 is reachable on the LAN address only, and 127.0.0.1 is local to the router.
Router Connections (Connections to the Router): shows all IP addresses with ports, e.g. of computers that are connected to the router.

21.4 Status > Modem

(Figure 201: Status > Modem. Modem Connection: Active, User, IP local, IP remote. Information from the last connection: Connected 0 sec, Bytes sent 0, Bytes received 0. Modem Commands: Modem Command, Send Command. Systemloggings. Modemloggings.)

GSM information (Figure 202, upper part): Manual Control of the GSM modem: GSM modem restart. Signal Quality: Possible -51 dBm, Total -105
(Figure 135: System > Certificates > Partner Certificates (tabs: Own Certificates, CA, Partner Certificates, CRL). Import new certificate: Choose CRT File (Browse), Name for this certificate (optional), Import CRT File. List of imported certificates: Name mb_Client, Subject CN=Machine_Cert, Issuer CN=Root, Valid May 10 11:52:00 2012 GMT to May 10 11:44:00 2013 GMT, Download.)

Label: Description
Import new certificate: Choose CRT file: enter the file location or browse the relevant drive for the certificate file (file extension .crt). Name for this certificate (optional): optional entry of a name for the certificate file. Import CRT file: as long as the above data have been entered correctly, the certificate file can be imported.
List of imported certificates: displays the certificates already imported. More certificate files can be added using Import CRT file. For more information on Name, Subject, Issuer, Valid from/to and Download see section Personal Certificates.

12.3.4 CRL

The Certificate Revocation List (CRL) is used to verify whether or not the computers dialing in hold valid certificates. The CRL contains the serial numbers of certificates that should be blocked. So if you wish to withdraw someone's dial-in access rights to the router or
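Two things on these certificate pages are worth checking on a .crt file before it is imported: the signature algorithm (the XCA chapter requires MD5 for compatibility with the mbNET, and a file signed with anything else will not be accepted) and the serial number, because the CRL blocks certificates by serial number and nothing else. The following added example, which is not code from the manual or from the device, reads both from the outer DER structure of an X.509 certificate using only the Python standard library. The certificate it parses is a constructed fixture with a dummy signature, built only to exercise the parser; the OID names are the standard PKCS#1 assignments.

```python
"""Inspect a .crt before importing it into the mbNET: signature algorithm OID
and serial number, from the outer DER structure only (standard library).

Added example; not the manual's or the device's own code. Nothing here checks
the signature itself. build_skeleton_cert() is a constructed test fixture
with a dummy BIT STRING signature, not a usable certificate.
"""
import base64

OID_NAMES = {                       # PKCS#1 signature algorithm identifiers
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode the payload of an OBJECT IDENTIFIER into dotted form."""
    first = value[0]
    parts = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def pem_to_der(data):
    """Accept PEM text ('-----BEGIN CERTIFICATE-----') or raw DER bytes."""
    if isinstance(data, bytes):
        return data
    body = [ln for ln in data.strip().splitlines() if not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def der_to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"


def parse_certificate(der):
    """Return the serial number and signature algorithm of a DER certificate,
    cross-checking tbsCertificate.signature against the outer signatureAlgorithm."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, pos = read_tlv(cert, 0)             # tbsCertificate
    _, sig_alg, _ = read_tlv(cert, pos)         # signatureAlgorithm
    tag, first, p = read_tlv(tbs, 0)
    if tag == 0xA0:                              # optional [0] EXPLICIT version
        tag, first, p = read_tlv(tbs, p)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    serial = int.from_bytes(first, "big", signed=True)
    _, tbs_alg, _ = read_tlv(tbs, p)            # signature field inside tbsCertificate
    inner = decode_oid(read_tlv(tbs_alg, 0)[1])
    outer = decode_oid(read_tlv(sig_alg, 0)[1])
    if inner != outer:
        raise ValueError("tbsCertificate.signature and signatureAlgorithm differ")
    return {"serial": serial, "signature_oid": outer,
            "signature_algorithm": OID_NAMES.get(outer, outer)}


def is_revoked(der, crl_serials):
    """The mbNET CRL blocks by serial number: membership is the whole check."""
    return parse_certificate(der)["serial"] in set(crl_serials)


# ---- constructed fixture: just enough DER to exercise the parser ----
def _tlv(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + payload


def _oid(dotted):
    a, b, *rest = (int(x) for x in dotted.split("."))
    out = bytearray([40 * a + b])
    for v in rest:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_skeleton_cert(serial, sig_oid):
    """Constructed test input: version, serial and algorithm fields plus a dummy
    signature. Real certificates carry issuer, validity, subject, key and more."""
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big", signed=True)
    alg = _tlv(0x30, _oid(sig_oid) + _tlv(0x05, b""))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, ser) + alg)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + bytes(8)))


if __name__ == "__main__":
    cert = build_skeleton_cert(1, "1.2.840.113549.1.1.4")
    print(parse_certificate(cert), "revoked:", is_revoked(cert, [1, 7]))
```

On a real file, `parse_certificate(pem_to_der(open("peer.crt").read()))` gives the serial to put on the CRL and tells you whether the signature algorithm is the MD5 the device expects; the parser stops at the outer structure on purpose, so it also works on certificates whose extensions it has never seen.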
connection.
C: data compression setting. AT C0 data compression inactive; AT C1 data compression active (the character between AT and C is not legible in this copy).
GCI: country-specific setting. This command configures the analog modem to the country-specific setting. Example: GCI=B5.

Initializing the modem (continued)

L: loudspeaker volume. ATL0 / ATL1 low volume; ATL2 medium volume; ATL3 high volume.
M: loudspeaker mode. ATM0 loudspeaker always on; ATM1 loudspeaker on until the data carrier signal is detected; ATM2 loudspeaker on when the modem is ready to dial; ATM3 loudspeaker off while the number is being dialed and then on after dialing until a data carrier signal is detected.
+MS: selects the modulation type. This command sets the modulation type and the bit rates negotiated between the local and remote modems. Syntax: +MS=<carrier>,<automode>,<min_tx_rate>,<max_tx_rate>,<min_rx_rate>,<max_rx_rate>. Example: AT+MS=V34,1,9600,33600,9600,33600.
  Carrier and bit rates (table partly illegible in this copy): V23C: 1200. V32 through V32B: 4800, 7200, 9600, 12000, 14400. V34: 2400, 4800, 7200, 9600, 12000, 14400, 16800, 19200, 21600, 24000, 26400, 28800, 31200, 33600.
  Automode: 0 disabled, 1 enabled (default).
  AT+MS? shows the current setting.
\N: selects the error correction settings. AT\N0 error correction switched off. AT\N1 transparent transmission of any data widths via the serial interface without data buffering and error cor
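The rules above (the AT prefix is left out of the init field, case does not matter, several commands are concatenated into one line) and the +MS syntax with its per-carrier rate table are easy to get wrong by hand. The following is an added example, not the manual's or the router's own code, that composes an init field the way section 24 describes and checks an AT+MS string against the rate table of section 24.1. The V23C row is partly illegible in this copy and is taken as 1200 only, which is an assumption; no other command codes are validated.

```python
"""Compose mbNET Modem Init fields and sanity-check an AT+MS string.

Added example; not code from the manual. CARRIER_RATES is transcribed from
the +MS description in section 24.1 (V23C taken as 1200 only: assumption).
"""
import re

CARRIER_RATES = {
    "V23C": (1200,),
    "V32": (4800, 7200, 9600, 12000, 14400),
    "V32B": (4800, 7200, 9600, 12000, 14400),
    "V34": (2400, 4800, 7200, 9600, 12000, 14400, 16800, 19200,
            21600, 24000, 26400, 28800, 31200, 33600),
}

MS_RE = re.compile(
    r"^(?:AT)?\+MS=(?P<carrier>[A-Z0-9]+),(?P<automode>[01]),"
    r"(?P<min_tx>\d+),(?P<max_tx>\d+),(?P<min_rx>\d+),(?P<max_rx>\d+)$"
)


def compose_init_field(commands):
    """Build one Modem Init field as the manual describes it: the AT prefix
    is dropped (the router adds it), letters are case-insensitive, and the
    commands are concatenated into a single line, e.g. L1M1\\N5."""
    parts = []
    for cmd in commands:
        cmd = cmd.strip().upper()
        if cmd.startswith("AT"):
            cmd = cmd[2:]                 # the field must not contain the prefix
        if not cmd:
            raise ValueError("empty modem command")
        parts.append(cmd)
    return "".join(parts)


def parse_ms(command):
    """Split '+MS=<carrier>,<automode>,<min_tx>,<max_tx>,<min_rx>,<max_rx>'
    (with or without the AT prefix) into typed fields."""
    m = MS_RE.match(command.strip().upper())
    if m is None:
        raise ValueError(f"not a valid +MS command: {command!r}")
    f = m.groupdict()
    return {
        "carrier": f["carrier"],
        "automode": f["automode"] == "1",
        "min_tx": int(f["min_tx"]), "max_tx": int(f["max_tx"]),
        "min_rx": int(f["min_rx"]), "max_rx": int(f["max_rx"]),
    }


def validate_ms(command):
    """Return a list of problems; an empty list means the carrier and all four
    rates agree with the manual's table and the min/max pairs are ordered."""
    p = parse_ms(command)
    problems = []
    rates = CARRIER_RATES.get(p["carrier"])
    if rates is None:
        problems.append(f"unknown carrier {p['carrier']}")
    else:
        for key in ("min_tx", "max_tx", "min_rx", "max_rx"):
            if p[key] not in rates:
                problems.append(f"{key}={p[key]} is not a {p['carrier']} rate")
    if p["min_tx"] > p["max_tx"]:
        problems.append("min_tx exceeds max_tx")
    if p["min_rx"] > p["max_rx"]:
        problems.append("min_rx exceeds max_rx")
    return problems


if __name__ == "__main__":
    print(compose_init_field(["ATL1", "m1", "\\N5"]))
    print(validate_ms("AT+MS=V34,1,9600,33600,9600,33600"))
    print(validate_ms("+MS=V32,0,4800,19200,4800,14400"))
```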
...and open the WAN Settings > Outgoing tab. This displays the screen shown below; follow the instructions below. (Figure 66: Network > WAN with the Interface and Routes tabs.)

Configuring for connection over the Internet (continued)

(Figure 67: Network > WAN > WAN Configuration > WAN Settings; page header "Welcome admin" with the links Site Map, Wizards, Help, Reboot.)

For a detailed description of the WAN settings see section Network > WAN.

Interface Type: select DSL here.
Connection Type: if you are in Germany select PPPoE (the most commonly used protocol in Germany); PPTP is most common in Austria.
PPP User: enter your Internet access user name. Use the name provided by your ISP.
PPP Password: enter your Internet access password.

Save your changes by clicking Save Changes (Figure 68).

From the web interface home page click Network > Internet. The following screen will be displayed (Figure 69). Proceed as follows.

(Figure: Network > Internet > Internet Configuration with the tabs Internet Settings and Internet Connections.)
dBm. Quality: -105 dBm (12, unit illegible in this copy).
GSM service: HSDPA and HSUPA available in the currently used cell.
Provider: Telekom Deutschland GmbH.
SIM card: SIM1 OK.
GSM Modemloggings:
<12> Mar 23 09:57:05 GSM Modem: The GSM Modem is not registered. It is searching for a network.
<14> Mar 23 09:57:05 GSM Modem: The GSM Modem does not require a SIM Pin.
<14> Mar 23 09:56:59 GSM Modem: Switch to SIM socket sim1.
<14> Mar 23 09:56:51 GSM Modem: The GSM Modem is switching on.
<14> Mar 23 09:56:50 GSM Modem: The GSM Modem is shutting down.
(Figure 202)

The log line "does not require a SIM Pin" means the SIM has no PIN set; such a SIM works in any device it is moved to, so set a PIN with the provider and enter it under Network > Modem.

Label: Description
Modem Connection: shows the user who dialed into the router via modem. The IP addresses of the PPP server and of the PPP client (remote station) are displayed when a dial-up connection is successfully established. The connections are always incoming connections. An active connection is indicated by a green dot.
Information from the last connection: shows the connection time and the number of bytes sent and received during the most recent connection, as long as the router was not restarted or switched off in the interim.
Modem Commands: this input field can be used to issue a command directly to the internal modem. This function should only be used as
Systemloggings, Modemloggings, Manual Control of the GSM modem, Signal Quality, GSM service, Provider, GSM Modemloggings: descriptions continue on the following page.
...address 00:50:C2:EA:82:CC, IP address 192.168.0.100, Received 2.0k pkts, Transmitted 2.4k pkts (Figure 199).

WAN: shows the settings at the router's WAN connection (external connection). The IP address is displayed as soon as the router has a physical connection to the network or is assigned a static IP address. The number of data packets received and transmitted is displayed.
LAN: shows the settings at the router's LAN connection (local connection). The IP address is displayed when the router has a physical connection. The number of data packets received and transmitted is displayed.

21.3 Status > Network

(Networkstatus page with the tabs General and Firewall.)

Physical Connections (Ethernet Connections): IP address, Type, Flags, HW address, Mask, Device; the screenshot shows network 192.168.0.0 on device eth0 (other values illegible in this copy).

Routing Table (Kernel IP routing table):
Destination / Gateway / Genmask / Flags / Iface
255.255.255.255 / 0.0.0.0 / 255.255.255.255 / UH / eth0
10.112.112.112 / 0.0.0.0 / 255.255.255.255 / UH / ppp0
192.168.1.0 / 0.0.0.0 / 255.255.255.0 / U / eth1
192.168.0.0 / 0.0.0.0 / 255.255.255.0 / U / eth0
0.0.0.0 / 0.0.0.0 / 0.0.0.0 / UG / ppp0
(Flags and Iface as far as legible; the default route points at the PPP link.)

Router Listening Ports (Active Internet connections (only servers)):
Proto / Recv-Q / Send-Q / Local Address / Foreign Address / St
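The "Router Listening Ports" block is the one status page that shows the router's own attack surface, and the thing to read off it is the bind address of each socket: 0.0.0.0 accepts on every interface, a LAN address on that interface only, 127.0.0.1 only from the router itself. The following added example (not code from the manual or the device) parses a listing in that netstat format and groups the sockets by exposure. The sample listing is constructed to mirror the entries legible in Figure 200; the service names are the IANA well-known assignments for those port numbers, not a statement about which program the router runs behind them.

```python
"""Group the sockets of an mbNET 'Router Listening Ports' listing by exposure.

Added example; not part of the manual. SAMPLE_LISTING is constructed to look
like the netstat-style block in Figure 200. Service names come from the IANA
well-known port table, which says nothing about the actual daemon.
"""
import re

SAMPLE_LISTING = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.0.100:102       0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.100:7001      0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.100:80        192.168.0.53:41283      ESTABLISHED
udp        0      0 127.0.0.1:514           0.0.0.0:*
udp        0      0 0.0.0.0:58242           0.0.0.0:*
"""

WELL_KNOWN = {80: "http", 102: "iso-tsap", 139: "netbios-ssn",
              445: "microsoft-ds", 514: "syslog"}

LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+(?:\s+(?P<state>[A-Z_]+))?\s*$"
)


def parse_listening(text):
    """Return (proto, bind address, port) for every socket that accepts
    input: TCP sockets in LISTEN state and all UDP sockets (UDP has no state).
    Established TCP connections and header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        if m["proto"].startswith("tcp") and m["state"] != "LISTEN":
            continue
        sockets.append((m["proto"], m["addr"], int(m["port"])))
    return sockets


def scope_of(addr):
    """Map a bind address to an exposure scope."""
    if addr in ("0.0.0.0", "::", ":::"):
        return "all-interfaces"        # LAN, WAN and every PPP/VPN link alike
    if addr.startswith("127.") or addr == "::1":
        return "loopback"              # reachable from the router itself only
    return addr                        # bound to one interface address


def exposure_report(text):
    """{scope: [(proto, port, well-known name), ...]} sorted by proto, port."""
    report = {}
    for proto, addr, port in parse_listening(text):
        entry = (proto, port, WELL_KNOWN.get(port, "unknown"))
        report.setdefault(scope_of(addr), []).append(entry)
    for entries in report.values():
        entries.sort(key=lambda e: (e[0], e[1]))
    return report


if __name__ == "__main__":
    for scope, entries in exposure_report(SAMPLE_LISTING).items():
        print(scope)
        for proto, port, name in entries:
            print(f"  {proto}/{port} ({name})")
```

Everything under "all-interfaces" is what the firewall rules under Network > Security must explicitly cover; the two entries bound to the LAN address are unreachable from the WAN regardless of those rules, which is the better default for services that only the local machines need.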
dress 2
<6> Mar 23 09:56:50 kernel: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
<6> Mar 23 09:56:50 kernel: eth0: link up
<6> Mar 23 09:56:48 kernel: ADDRCONF(NETDEV_UP): eth1: link is not ready
<6> Mar 23 09:56:48 kernel: eth1: link down
<6> Mar 23 09:56:48 kernel: NPE-C: firmware functionality 0x5, revision 0x2:1
<6> Mar 23 09:56:48 kernel: firmware: requesting NPE-C
<6> Mar 23 09:56:47 kernel: ADDRCONF(NETDEV_UP): eth0: link is not ready
<6> Mar 23 09:56:47 kernel: eth0: link down
<6> Mar 23 09:56:47 kernel: NPE-A: firmware functionality 0x82, revision 0x2:0
<6> Mar 23 09:56:47 kernel: firmware: requesting NPE-A
(further kernel lines illegible in this copy)

Error loggings:
Mar 23 10:23:01 -> none: ovpn_cons246754[23136]: Options error: --nobind doesn't make sense unless used with --remote
Mar 23 09:58:22 -> none: GSM Modem: There is no SIM Card inserted. Please insert a SIM Card.
Mar 23 09:58:06 -> none: GSM Modem: There is no SIM Card inserted. Please insert a SIM Card.
Mar 23 09:57:24 -> none: GSM Modem: There is no SIM Card inserted. Please insert a SIM Card.
Mar 23 09:57:17 -> none: GSM Modem: There is no SIM Card inserted. Please insert a SIM Card.
(Figure 214)

Label: Function
RAM Usage: shows the amount of RAM memory currently being used by
...A user name and password are being requested by https://192.168.0.1 (address as legible in the screenshot). The site says: "cgi-bin". User Name: admin. Password. (Figure 19)

The default account is admin; the PPTP chapter notes that the standard user ADMIN ships without a password, so set one at the first login, before the router is connected to the Internet or to a telephone line.

(Figure 20: System > Serial page.)

(Figure 21: mbNET wizard, "Choose Your Wizard": LAN Settings (wizard for LAN settings); Internetconnection (wizard for setting up the Internet connection); VPN (setting up the VPN connection).)

8 Basic configuration of the router using the web interface

8.1 Web interface home page

The home page is designed to provide you with an at-a-glance view of the most important information on mbNET router access and status. The side (1) and top (2) navigation bars provide the support you need when configuring the router: the navigation bar at the top (2) displays the submenu for each of the main menu items listed in the navigation bar at the side (1).

(Figure: home page. System Information: Unit type MDH830, Serial number 19128303058, Firmware version 3.0.1 (2012-01-13 03:20:27), Hostname mbNET, Last error "Jan 13 03:22:49 -> Email: Cannot open mymbnet.biz:25". Network: Interface / Cable / IP / MAC: LAN 192.168.0.100, 00:50:C2:EA:86:B7; WAN (address illegible), 00:50:C2:EA:86:B8. Internet Connection: Active / IP local / IP remote: Internet Modem 192.168.
...the current script security setting may allow this configuration to call user-defined scripts.
<5> Mar 23 11:43:41 ovpn_consWizard[17317]: OpenVPN 2.1.1 arm-linux [SSL] [LZO2] [EPOLL] built on Jan 9 2012
<5> Mar 23 11:43:34 ovpn_consWizard[2336]: SIGTERM[hard,] received, process exiting
<3> Mar 23 11:43:34 ovpn_consWizard[2336]: event_wait : Interrupted system call (code=4)
<5> Mar 23 09:57:50 ovpn_consWizard[2336]: UDPv4 link remote: [undef]
<5> Mar 23 09:57:50 ovpn_consWizard[2336]: UDPv4 link local (bound): [undef]:1194
<5> Mar 23 09:57:50 ovpn_consWizard[2334]: LZO compression initialized
<4> Mar 23 09:57:50 ovpn_consWizard[2334]: NOTE: --script-security method='system' is deprecated due to the fact that passed parameters will be subject to shell expansion
(Figure 210)

These lines are OpenVPN's own messages. The NOTE about --script-security method='system' means the wizard-generated configuration hands script parameters through a shell, which is why OpenVPN deprecated that method; it is informational here, but worth knowing if you add your own scripts to the configuration.

Label: Description
VPN connections: shows both the incoming and outgoing (inbound and outbound) VPN connections of the router. An active connection is indicated by a green dot. The name, local address and peer address are displayed here. You can also manually connect or disconnect the connection here; however, it is not recommended to use these buttons unless requested to do so by a member of the support team.

21.13 Status > Diagnostics

(Figure: Status > Diagnostics page, Diagnostics > Ne
In the following example the client is a PC with a modem connection.

(Figure 33: connection over the public telephone network. Analog: mbNET industrial router, RJ45-to-TAE cable, TAE box, public telephone network, TAE box, analog modem, client PC. ISDN: mbNET industrial router, ISDN S0 cable, NTBA, public telephone network, NTBA, S0 bus, ISDN modem, client PC. PPP server IP address 192.168.0.101 on the router, PPP client IP address 192.168.0.102 on the client.)

Configuring for connection over the telephone network (continued)

9.2.1 Connecting and configuring the router

Before you begin: the router should be connected to a suitable power source, and the Power and Ready LEDs should be solid green.

9.2.1.1 Connecting the router

Analog connection (applies to device models MDH xx0): connect the TAE adapter to the analog cable. Plug one end of the supplied cable into the RJ12 jack (1) on the bottom of the router and the other end into the TAE jack (2). (Figure 34)

ISDN connection (applies to device models MDH xx2): with an existing ISDN connection, plug one end of the ISDN cable into the jack (1) on the bottom of the router and the other end into the NTBA (2). (Figure 35)

GSM connection (applies to device models MDH xx3 and MDH xx4): with an existing GSM connection, plug the end of the GSM antenna cable into the jack on the bottom of the router. (Figure 36)
Incoming: enable this option for the router to handle incoming dial-in or ISDN connections.
Dial-in enable: you need to enable this function by checking the box so that a client computer can access the router.
PPP Server IP Address: enter the router's IP address here. You can use the same network area as the local network, but make sure you do not reuse assigned addresses, as this may lead to address conflicts.
PPP Client IP Address: enter the IP address that the router sends to the client (the remote station dialing in) as soon as a PPP connection is established. On connection, the router and the remote station establish a separate network.
Dialin Authentication: specify whether a user name and password (i.e. authentication) will be required to dial in to the router. The options are:
- only following user: only the user entered in the subsequent input fields of this dialog window has rights to dial in to the router.
- every user with dialin rights: any user who has been assigned modem rights under user management can dial in.
Authentication via PAP / via CHAP: use the default setting. PAP and CHAP are types of authentication; ensure that this setting matches that of the subscribers dialing in. If both are disabled, no password check takes place and any caller who reaches the number can bring up the PPP link. Note also that PAP and CHAP only authenticate; neither encrypts the data on the line, and PAP sends the password in cleartext, so prefer CHAP wherever the client supports it.
User name & password: enter the user name and associated password for PPP dial-in. These fields
(Figure 95: VPN > PPTP > PPTP Configuration, Clients tab. Client Configuration columns: Enable, Name, Host Name or IP, Local IP, Remote IP, with edit/delete icons and a green plus sign.)

Clicking on the green plus sign on the far right opens the following configuration screen.

Enter a name of your choosing for the connection. Next enter the public address or DynDNS name of the PPTP server.

For Local IP you can use the PPTP server address. Generally speaking this field should be left blank, as the PPTP server sends its address when it establishes the connection.

For Remote IP you can enter a single address or a whole network. We recommend using the settings shown in the screenshot on the right and entering a network address; this makes the network accessible to all subscribers. Please note that the network address must be in CIDR notation as shown in the screenshot, e.g. 192.168.0.0/24.

For Authentication choose one of the methods supported by the PPTP server. You can see what these are on the PPTP server's web page under VPN > PPTP. Use the same type of encryption as the server. Please note that when using MPPE encryption you must always enable MS-CHAP or MS-CHAP V2 authentication.

For the User and Password fields, the user must have been added on the PPTP server, e.g. the standard user name ADMIN, which has no password by default. Do not dial in with a passwordless account: give ADMIN a password or, better, add a dedicated user with only VPN dial-in rights for this connection. However, you can add a
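The server page and this client page carry several rules that have to hold together: the server's Local IP and its Remote IP range live in the LAN network and must not overlap, each remote address is one dial-in client, MPPE only works with MS-CHAP or MS-CHAP V2, and the client's Remote IP network must be written in CIDR notation. The following added example (not code from the manual or the router) encodes those checks. The last-octet range syntax "192.168.0.160-170" is read from the server page's example; a limit on simultaneous clients is not stated as a device fact, so max_clients is an optional parameter, which is an assumption of this example.

```python
"""Consistency checks for the mbNET VPN > PPTP server and client fields.

Added example; not the manual's code. Encodes the rules stated on the PPTP
pages: server Local IP and Remote IP (range) in the LAN network without
overlap, MPPE needs MS-CHAP / MS-CHAP V2, client Remote IP in CIDR notation.
max_clients is an assumption, not a documented device limit.
"""
import ipaddress


def expand_range(spec):
    """'192.168.0.160-170' -> the addresses .160 .. .170 (11 of them); a
    plain address gives a one-element list. The end is a last octet only."""
    spec = spec.strip()
    if "-" not in spec:
        return [ipaddress.IPv4Address(spec)]
    start_text, end_octet = spec.split("-", 1)
    start = ipaddress.IPv4Address(start_text)
    end = ipaddress.IPv4Address(f"{start_text.rsplit('.', 1)[0]}.{int(end_octet)}")
    if end < start:
        raise ValueError(f"range end precedes start: {spec}")
    return [ipaddress.IPv4Address(int(start) + i) for i in range(int(end) - int(start) + 1)]


def check_pptp_server(local_ip, remote_spec, encryption, auth_methods,
                      lan_network="192.168.0.0/24", max_clients=None):
    """Return a list of findings for the server page; empty means consistent."""
    findings = []
    local = ipaddress.IPv4Address(local_ip)
    lan = ipaddress.IPv4Network(lan_network)
    remotes = expand_range(remote_spec)
    if local not in lan:
        findings.append("local IP is outside the LAN network")
    outside = [str(r) for r in remotes if r not in lan]
    if outside:
        findings.append(f"remote addresses outside the LAN network: {outside}")
    if local in remotes:
        findings.append("local IP lies inside the remote range; a client would collide with the server")
    if max_clients is not None and len(remotes) > max_clients:
        findings.append(f"range holds {len(remotes)} addresses, more than max_clients={max_clients}")
    methods = {m.upper() for m in auth_methods}
    if encryption.upper().startswith("MPPE") and not methods & {"MS-CHAP", "MS-CHAP V2"}:
        findings.append("MPPE encryption requires MS-CHAP or MS-CHAP V2 authentication")
    if encryption.upper() == "NONE":
        findings.append("encryption None: tunnel traffic is readable on the path")
    if "PAP" in methods:
        findings.append("PAP sends the dial-in password in cleartext")
    return findings


def check_pptp_client_remote(remote_spec):
    """The client's Remote IP must be a single host or a network in CIDR
    notation; returns None when acceptable, else a message."""
    spec = remote_spec.strip()
    try:
        ipaddress.IPv4Network(spec, strict=True)   # rejects host bits inside a prefix
    except ValueError as exc:
        return f"invalid Remote IP {spec!r}: {exc}"
    if "/" not in spec and spec.endswith(".0"):
        return f"{spec!r} looks like a network address; write it in CIDR notation, e.g. {spec}/24"
    return None


if __name__ == "__main__":
    print(check_pptp_server("192.168.0.104", "192.168.0.160-170", "MPPE V2 128", ["MS-CHAP V2"]))
    print(check_pptp_server("192.168.0.104", "192.168.0.100-110", "MPPE V2 All", ["CHAP"]))
    print(check_pptp_client_remote("192.168.0.1/24"))
```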
...section Network > Modem.

Modem Init (ANALOG): if using an analog device, enter the command GCI=<country code> (for country codes see "Country codes for analog devices") in the first row and the command X3 (do not wait for dial tone) in the second row.
Modem Init (ISDN): if using an ISDN device, enter your MSN number with the command AT Z n=<MSN number> (separator characters not legible in this copy). If the wildcard value is entered for n, every call will be accepted.
Modem Init (GSM): if using a GSM device, you must use the preset X3 command. The GCI country code may not be used.
PIN: if required, enter the SIM card PIN here.
Provider (GSM only): select your provider here. If your provider is not shown, you can enter the APN (Access Point Name) yourself. You can obtain information on the APN from our website at http://www.mbconnectline.de (page "gsm grps mobilfunk", path separators illegible in this copy) or from your mobile broadband provider.
Provider name: if you do not see your provider listed, enter your APN manually. Ask your provider what details to enter for the APN, or visit our website at the address given above.
Phone number: enter the telephone number of the relevant provider, for example the dial-up number for an analog data call 019193384 (see the comment below the table). For GSM modems the dial-up number always uses the form 99...1 (the special characters of the dial string are not legible in this copy).
User name: enter the user name; refer to your mobile broadband provider's network details. In the example shown: any. For GSM modems you can obtain the necessary information at e.g.
98. (table of contents, continued) ... 40
9.3.1 Connecting and configuring the router ... 41
9.3.1.1 Connecting ... 41
9.3.1.2 Configuring the router using the web interface ... 42
9.3.2 Router Internet dial-in ... 46
9.3.3 Displaying the Internet connection ... 46
9.4 Configuring the industrial router for connection to the Internet using a DSL modem ... 47
9.4.1 Connecting and configuring the router ... 47
9.4.1.1 Connecting ... 47
9.4.1.2 Configuring the router using the web interface ... 48
9.4.2 Establishing a connection between client PC and router ... 51
9.4.3 Displaying connection status ... 52
9.5 Configuring the industrial router for connection to the Internet via an existing router ... 53
9.5.1 Connecting and configuring the router ... 54
9.5.1.1 Connecting ... 54
[Page 3 of 229, Version 3.0]
9.5.1.2 Configuring the router using the web interface ...
99. ... 55
9.6 Configuring the industrial router for VPN connection to a client ... 58
9.6.1 Connecting and configuring the router ... 59
9.6.1.1 Connecting ... 59
9.6.1.2 Adding VPN dial-in ... 59
9.6.1.3 Configuring the router VPN server ... 60
9.6.2 Configuring a client PC for a VPN connection to the router ... 64
9.6.3 Setting up a VPN connection between client PC and router ... 66
9.6.3.1 Router Internet ... 66
9.6.3.2 Setting up a VPN connection from client to router ... 66
9.7 Configuring a connection between two routers via VPN PPTP ... 67
9.7.1 Settings for connecting two industrial routers (PPTP server) ... 68
9.7.2 Settings for connecting two industrial routers (PPTP clients) ... 70
10 Creating certificates and revocation lists using XCA ... 73
10.2 Creating certificates ... 74
10.2.1 Creating a root certificate ... 74
10.2.1.1 Root certificate Source ... 75
10.2.1.2 Root certificate Subject ... 76
10.2.1.3 Root certificate extensions ... 77
10.2.1.4 Root certificate key usage ... 79
10.2.2 Creating a client certificate ... 80
10.2.2.1 Client certificate Source ...
100. (table of contents, continued) ... 197
21 Status messages ... 202
21.2 Status Interfaces ... 202
21.3 Status Network ... 203
21.4 Status Modem ... 204
21.10 Status VPN IPSec ... 212
21.11 Status VPN PPTP ... 213
21.12 Status VPN OpenVPN ... 214
22 Factory settings ... 220
22.1 Username and password ... 220
22.2 IP address of the router ... 220
24 Initializing the modem ... 221
General information on the AT commands ... 221
24.1 Analog modem commands ... 221
24.2 ISDN terminal adapter (TA) commands ... 223
25 Appendix ... 224
25.1 Country c
101. ...eld is empty.
Issuer alternative name: For issuer alternative names the same applies as for subject alternative names.
CRL distribution point: To be able to use a public access point for certificate revocation lists you need to enter the LDAP or HTTP address of the list. The address should always be prefixed with URI (universal resource indicator), e.g. URI:http://de.wikipedia.de. For the field separator use a colon. If you hold local revocation lists, this option is not relevant.
Authority Info Access: This PKIX extension defines how to access additional information and services from the issuer of the certificate. It can then provide more information about the CA, additional guidelines, root certificates or online verification services (e.g. OCSP). Primarily where certification applications like secure mail (S/MIME) do not return the entire certification path, using this extension in the end certificate is helpful for showing the verifying application where to retrieve the next higher-level CA certificate.
10.2.2.4 Client certificate Key usage
If you create a client certificate as an end entity, you do not need any of these optional settings. You can proceed straight to the next tab.
10.2.2.5 Client certificate Netscape
If you would like additional security, you can also select the SSL Server or SSL Client option for your VPN subscribers according to their role (client or server). The advantage of this is that OpenVPN ca
102. ...ent PC will display a flashing screen icon: the router is connected. You can display the connection properties by right-clicking on the icon. On a PC connected to the router, clicking the corresponding button on the sidebar and on the navigation bar at the top will show you information on the current status of the VPN connection, such as users currently dialed in or current connection status. Where an industrial router has been set up as a client, please see the next section for settings that will allow it to access another remote industrial router.
9.7 Configuring a connection between two routers via VPN PPTP
Instead of a client PC you can also configure another router as a client. As a client, a router must be configured such that the router on the other end of the connection is its VPN server. Both routers need an Internet connection. For details of configuring the industrial router as a VPN server, please see the previous section, Configuring the industrial router for a VPN connection with a client. The following example should clarify the configuration.
[Figure 92: two industrial routers, each connected through its Internet Service Provider (ISP); the server side is reached under Host Name xxx.mymbnet.biz]
[Page 67 of 229, Version 3.0]
9.7.1 Settings for connecting two industrial routers (PPTP server)
[Screenshot residue: web interface menu with System, Network, Serial, Security, VPN (IPSec, PPTP Configuration, OpenVPN), I/O Manager]
103. ...ents, e.g. Dinkelsbuehl instead of Dinkelsbühl in the locality field.
[Page 76 of 229, Version 3.0]
[Figure 102: X Certificate and Key management, New key dialog: "Please give a name to the new key and select the desired keysize"; Key properties, Keysize 1024 bit]
Select key type RSA. You can select any key size and of course any name. The longer the key, the more secure the encryption, but also the more processing power required.
10.2.1.3 Root certificate extensions
In the Extensions tab you will find the settings for certificate type and validity.
[Page 77 of 229, Version 3.0]
[Figure 103: Create x509 Certificate dialog, tabs Source, Subject, Extensions, Key usage, Netscape, Advanced. Basic constraints: Type Certification Authority, Path length, Critical. Key identifier: Subject Key Identifier, Authority Key Identifier. Validity: Not before 2012-05-10 12:54 GMT, Not after 2013-05-10 12:54 GMT, Time range 1 Years, Apply, Midnight, Local time, No well-defined expiration]
Basic constraints: Type Certificate Authority (CA). Check the box labeled Critical.
Key identifier: Check the box labeled Subject Key Identifier.
Validity: You can enter a specific start and end date in the relevant fields or use the adjacent Time Range field.
Time Range: In the dialog boxes to the right, enter the number of days, months
104. ...er-router connection.
[Page 157 of 229, Version 3.0]
16.1.2 Network Settings
[Figure 160: VPN > IPSec Configuration > Edit Connection, Network Settings tab (tabs: Connection Settings, Network Settings, Authentication, Protocol options); Local network 192.168.0.0/24, Peer network 192.168.10.0/24, NAT Traversal checked; Apply Changes, Clear Changes]
[Page 158 of 229, Version 3.0]
Network Settings (continued)
Local network: Enter the address range of the local network in CIDR notation here, e.g. 192.168.0.0/24.
Peer network (only with a router-router connection): Enter the address range of the local network in CIDR notation here, e.g. 192.168.10.0/24.
NAT Traversal (only with a router-router connection): This setting is necessary if the VPN connection is established via the Internet and NATted between the LAN and WAN (NAT: Network Address Translation). This setting is generally enabled.
Permitted network for the client (only with a client-router connection): Set the network accessed by the client here. It must be entered in CIDR notation.
Client has a fixed IP address or name (only with a client-router connection): If the client has a fixed (static) address, this address must be entered in this input field.
Win2000/XP Client (L2TP) (only with a client-router connection): Set w
16.1.3 Authentication
105. ...erial [screenshot residue: Network > Hosts, Host Configuration, IP Address and Names] Here you can insert relations between IPs and names to answer requests directly. [Figure 151: table with columns IP, Name]
[Page 127 of 229, Version 3.0]
13.8 Network DynDNS
13.8.1 General
As the industrial router is assigned a unique IP address whenever it dials in to the Internet, a client PC can locate it via this IP. However, as soon as it closes this connection and dials in again, it receives a new IP address. The DynDNS service makes the industrial router contactable using the same address every time. It resolves addresses to names and vice versa.
13.8.2 How to set up DynDNS configuration
A built-in DynDNS service is included with firmware versions 1.4.0 and higher. This DynDNS service is operated by MB Connect Line; no log-in or registration is required. To use a public version of the DynDNS service you first need to register. Registration is usually free and should not be particularly complicated. If you are registered for a DynDNS service that is supported by the industrial router, you can input or select the options in the screenshot below. Select the DynDNS menu entry; this will display the screen below.
[Page 128 of 229, Version 3.0]
Other services: ez-ip (www.EZ-IP.Net), dyndns (www.dyndns.org), ods (www.ods.org), tzo (www.tzo.com), easydns (www.easydns.com), www.justlinux.com, dyns (www
106. ...et through the port assigned above without being blocked by the firewall.
[Page 135 of 229, Version 3.0]
With firmware version 2.0 or higher, the RxD2 LED lights up when an MPI or PROFIBUS connection is established, and the TxD2 LED flashes when data is being transferred over either of these connections.
Redirecting serial interfaces to your PC (VCOM LAN2)
To make serial interfaces, including MPI/PROFIBUS, available on your PC you need the VCOM LAN2 software utility. VCOM LAN2 can be downloaded free of charge from www.mbconnectline.de. VCOM LAN2 installs two virtual COM interfaces on your client PC. Data is then exchanged over these virtual COMs via the Internet: COM 7 <-> COM 1, COM 8 <-> COM 2. Run the VCOM LAN2 set-up file and follow the installation instructions. When installing a system you should be aware that the ports TCP/UDP 25400 and 25401 (depending on settings) are enabled on both the client side and the router side. Note also that if you select the connection setting "connect when the virtual COM port was opened from an application program", a small amount of data may be lost while the virtual COM port is being opened, as some programs send data to the port immediately, before the virtual COM port has established a connection. More information is available under VCOM LAN2 program Help.
[Page 136 of 229, Version 3.0]
14.1.3 Settings for Simatic Manager
If you wish to set up a co
107. ...ext available addresses are suggested.
[Screenshot residue: mbNET System > LAN Configuration, LAN Settings (IP address 192.168.0.100, Subnet mask 255.255.255.0, Save Changes) beside the Step 7 Ethernet interface properties dialog (IP protocol is being used; Gateway: Use router; Subnet: not networked; Netmask 255.255.255.0; OK, Cancel, Help)]
The main NetPro window should now look like this:
[Screenshot residue: NetPro window for the RFC1006 network project (Step7 s7proj Rfc1006); network selection catalog with MPI, PROFIBUS DP, PROFIBUS PA, PROFINET IO, Stations (Other Station, PG/PC, SIMATIC 300, SIMATIC 400, SIMATIC PC Station, SIMATIC S5, SIMATIC S7-400H), Subnets (Ethernet, Industrial Ethernet); Programming Device or PC; status bar TCP/IP -> Broadcom NetXtreme 57xx]
[Page 144 of 229, Version 3.0]
If everything has worked as it should, then "TCP/IP (Auto) -> xxx network card" will appear in the bottom border of the screen as the PG/PC interface. It is recommended at this stage to assign a bus address (in this case MPI) to the PC station and link this with the sub
108. [Figure 192: X.509 authentication diagram. Unit 1 and Unit 2 each hold one certificate with the private key certified by "My CA" (own certificate) and the certificate of the "My CA" root CA (CA certificate). Settings: CA Certificate mb_ROOT_CA; Own Certificate mb_HOST; Additional user and password verification: yes; Do not use my own certificate for verification, use only CA and user/password verification; Peer must be TLS Server]
[Page 185 of 229, Version 3.0]
CA Certificate: This is the root certificate (root CA). All other certificates must come from this certificate.
Own Certificate: You use this certificate to authenticate yourself to your VPN peer.
Additional user and password verification: Additional user data may be required from a client dialing in. Please note that this user data must be entered in the VPN server under System > User.
User/password verification (X.509 authentication, client): Enter the user data of the VPN server from the System > User menu here.
Do not use my own certificate for verification; use only CA and user/password for verification: With this option you authenticate yourself using the CA certificate and the user data of the VPN server from the System > User menu only.
Peer must be TLS Server: This is an additional security option. The server certificate must include the extension nsCertType server (see section Creating certificates).
109. Rdy (Ready): LED flashing for approx. 35 seconds when the device is switched on. After this, flashing indicates the boot sequence. This may take up to 90 seconds depending on the type of device.
Fc1 (Function 1), Fc2 (Function 2): [description not legible in scan]
Fc3 (Function 3): LED on: Serial interface COM2 receiving data; on if MPI bus communication OK.
Fc4 (Function 4): LED off: Serial interface COM2 not sending data. LED on: Serial interface COM2 sending data. LED flashing: MPI bus transferring data.
Internet/VPN: LED off: No connection to Internet or VPN. LED on: Connection to Internet or a VPN connection active. LED flashing: Internet or VPN connection is being established.
Error: LED off: Router working without errors. LED on: Router error; diagnostics under System > Status (see Status System).
[Page 12 of 229, Version 3.0]
Label / Status / Description:
WAN: Router WAN port (customer network, DSL modem). WAN LED green: Network connection available. WAN LED flashing orange: Network data transfer active.
LAN1-4: Local network ports (e.g. machine network). LAN LED 1-4 (dual LED) on: Network connection available. LED flashing orange: Network data transfer active.
USB: Portable USB drive port.
Dialout: This button establishes an Internet or VPN connection.
Reset: Pushing this button restarts the router (so-called cold start).
COM1: COM1 port for connecting to devices with RS232/RS485/RS422 interface.
COM2: COM2 port for c
110. [Figure 60: Network > Internet > Internet Settings screen; Internet connections, Failover: no, Internet via WAN, Connection mode, Connection monitoring] For a detailed description see Network > Internet.
Item / Label / Description:
1. Internet connections: From the drop-down field, select the setting "Internet via modem".
2. Connection mode: Select "Keep connection".
3. Lock connection by: Using the drop-down field you can decide whether the Internet connection should be closed when one of the inputs receives a signal (internally generated, between 10 and 30 V).
4. Send IP address via email: Enable this setting. Select whether the IP address should be sent to the email address listed.
5. Email: Enter the email address to which the IP address is to be sent here.
Save your changes by clicking Save Changes. Finally, to save your changes permanently to the [text cut off in scan] (Figure 61).
[Page 45 of 229, Version 3.0]
Configuring for connection over the Internet (continued)
9.3.2 Router Internet dial-in
In the screen shown above, the router is configured to establish an Internet connection as soon as it is restarted. For other methods of Internet dial-in, please see section Network > Internet.
Transmit IP address: For the client to be able to access the router, it must know the router's IP address. Under the configuration settings made previously, the IP address is sent to the email address that was provided. This allows
111. [Figure 162: Protocol options tab; Rekey margin (seconds), Rekey fuzz, DPD (Dead Peer Detection) Delay (seconds), Timeout (seconds), action when peer is no longer detected: Hold]
Protocol options: You select the encryption algorithms, hash algorithms etc. used during the various phases on this tab.
PFS: This setting is only supported for the router-router connection. PFS must be disabled if you want to set up a client-router connection.
[Page 162 of 229, Version 3.0]
16.1.5 L2TP Server Configuration
The L2TP server can be used for VPN IPSec communication between the industrial router and a Windows client. The only setting required here is a freely selectable local IP address. The addresses for the clients should be from the same network; the start and end of the range are set under the IP address field. The L2TP server then works in a similar way to a DHCP server and can automatically assign the addresses from the set range to the clients dialing in.
[Figure 163: VPN > IPSec Configuration > Settings; L2TP Server Configuration: Local IP Address 192.168.0.100, Remote IP Address Begin 192.168.0.130, Remote IP Address End 192.168.0.140, Save Changes; IPSEC Debug settings: klipsdebug, plutodebug, Save Changes]
Local IP: The name or IP address to be assigned to the server during communication
112. ...he Internet here. The firewall therefore checks the data traffic from the DSL modem to the LAN Ethernet. All other data traffic on the WAN Ethernet interface is denied with this setting. In the case of devices with a WAN Ethernet interface, this can be explicitly specified as the firewall interface under the WAN interface drop-down field.
[Page 151 of 229, Version 3.0]
Label / Description:
Enable: Check the box by clicking it to enable the subsequent settings after they are saved.
Action: The following options are available for selection. Drop: If this option is selected, no data packets can pass and the packets are also deleted immediately; the sender is not notified about the whereabouts of the data packets. Reject: If this option is selected, the data packets are rejected; the sender is notified that the data packets have been rejected. Accept: If this option is selected, the data packets can pass.
WAN interface: This setting defines the WAN interface to which the rule is to be applied. Internet or WAN Ethernet can be selected.
Source IP: Here enter the IP for whose incoming data packets one of the set actions is to be executed. If you leave the field blank, the set action applies to all IP addresses.
Source Port: Enter the port via which the data packets arrive here.
Protocol: The following options are available for selection. All: The set rule applies to all protocols. tcp: The set rule only applies to the TCP protocol. udp: The set ru
113. ...he top right of the web interface. Then click the Start button for the wizard for VPN connections, followed by Next.
- Select "Connection between 2 Networks" (Figure 158). [mbNET wizard screenshot: "... want to setup"]
- Select the VPN server in the following window and click Next.
- You must then specify the local network address and subnet mask of the VPN client (Figure 159). [Figure 178]
- Enter the key of your choice in the following window or use the key generated by mbNET. [mbNET wizard, page 4 of 6]
- Click Finish to complete the configuration and accept your settings. Repeat this configuration with the VPN client. This time, however, you must select the VPN client instead of the VPN server. [Figure 179: wizard screen "Please insert the IP address and the subnetmask of the Client's Local LAN"; fields LAN IP VPN Client, Subnetmask]
[Page 174 of 229, Version 3.0]
[Figure 180: OpenVPN connection settings, tabs Network Settings, Authentication; Active; Connection name: Wizard; Connection type: INTERNET; Link connection; Wait for incoming Connection ("One of this routers has to be set to wait mode")]
Tab / Label / Description:
Connection Settings, Active: Check this box to activate the OpenVPN connection.
Connection Settings, Connection name: Enter a name for the connection in the input field.
Connection Settings, Connection type: Select the connection type via the drop-down field. A networ
114. ...he web interface.
Hostname: Assign a name to the router.
Host Description: To identify the device within a network, provide a meaningful description here.
UTC: Displays the current system time in Universal Time Coordinates (UTC).
Local Date/Time: Displays the time based on the local time zone.
Set Local Date/Time: Enter the time here in case there is no NTP server installed or in case it is unavailable. Example: 2007-10-30 13:33:00. Format/Meaning: DD = Day, e.g. 30 [rest of format table not legible in scan].
Timezone: Click on the drop-down field and select the time zone where you are. The preset time zone is Berlin, Germany.
NTP server (checkbox): Checking this box gives control of the router's time zone to another computer, which must be entered in the next input field, and displays the current system time. The time is updated by NTP every two hours. Registered time server: 134.176.25 [incomplete in scan]. The mbNET has an RTC buffered clock. The set time will buffer for up to 7 days without a power supply.
NTP server: Specifies a time server for updating the system time. A time server IP address may be entered instead of a name. If a name is entered, there must be a DNS server entered in the network settings or an existing Internet connection. The NTP server simply needs to be available.
Mail settings: Selecting yes in "Activate automatic mail" means that the router will use MB Connect Line's mail server and fixed parameters.
SMTP server: The SMTP server is needed for
115. ...hed via WAN or modem. Note that call-back does NOT work with UMTS-enabled devices.
Call back enable: Checking this option enables the call-back function.
How to call back:
- Activate Call Back via Phone: With this setting the mbNET will connect to the Internet if called from a phone. To establish a connection, the mbNET must be alerted by four rings. After this happens, the mbNET hangs up and then starts Internet dial-in. This can take 30-40 seconds.
- Log in and press a button: With this setting the mbNET will connect to the Internet if you have set up a dial-up connection with the mbNET and you click on the Call Back button in the [menu name not legible in scan] menu of the user interface. After 30 seconds the mbNET will establish an Internet connection, unless you close the dial-up connection.
[Page 117 of 229, Version 3.0]
13.3.5 Network Modem SMS
[Figure 147: Network > Modem > Modem Configuration, tabs Modem Settings (Modem GSM Type, Modem Init, Modem Init Outgoing SIM1, Outgoing SIM2, SIM Settings, Incoming, Call Back, SMS); Remote Service Control via SMS: Enable Service Control via SMS; Check the Phone Number of the Sender; Sender's Phone Number 491701234567; Send a SMS when Internet connection established; Receiver's Phone Number 491701234567]
Label / Description:
Enable Service Control via SMS: This function enab
116. ...hether the client is a PC running the Windows 2000 or XP operating system here.
[Figure 161: VPN > IPSec Configuration > Edit Connection, Authentication tab (tabs: Connection Settings, Network Settings, Authentication, Protocol options). Authentication process: X.509. Certificate process: Authentication by peer certificate. Diagram: Unit 1 has one certificate with the private key certified by CA1 (own certificate) and one copy of the certificate from Unit 2 without the private key (remote certificate); Unit 2 has one certificate with the private key certified by CA2 (own certificate) and one copy of the certificate from Unit 1 without the private key (remote certificate). Own Certificate: no valid certificates imported. Peer Certificate: no valid certificates imported. Apply Changes, Clear Changes]
Authentication (continued)
[Page 159 of 229, Version 3.0]
Authentication process: Select the authentication process via the drop-down field.
PSK: Both keys must be known before data can be exchanged between the client and router. The longer the keys, the more secure the connection. Only one key can be specified. Even if there are several PSK connections entered, the key for the FIRST connection is universally valid.
Local ID: Assign a name for your rou
117. ...his option if your ISP requires a PPPoE (Point-to-Point Protocol over Ethernet) connection. A lot of modems are set to this option. The external IP address that a remote station uses to access the router is specified by the ISP. Please refer to your ISP documentation for the necessary details.
PPP User Login: Enter your Internet access user name as provided by your ISP.
PPP User Pass: Enter your Internet access password as provided by your ISP.
PPTP Connection mode: Select this option if your ISP requires a PPTP (Point-to-Point Tunneling Protocol) connection. For example, in Austria PPTP is used with DSL connections.
PPP User Login: See the access user name provided by your ISP.
PPP User Pass: See the access password provided by your ISP.
WAN IP address: Here enter the IP address of the mbNET router connected to the WAN port. This is the address that devices use to access the router if they are connected to the WAN. If your ISP's IP address is not automatically assigned here, you should manually enter the IP that the PPTP server uses to access the router. Please refer to your ISP documentation for the necessary details.
Subnet mask: Enter the subnet mask of the network connected to the LAN port.
PPTP Server IP address: Enter your ISP server IP address.
Routes: This enables you to specify routes to other networks. If the local network has additional subnetworks, you can specify routes for these here. You can enter network routes in CI
118. ...ike this. S7ONLINE access must be set to Active.
[Screenshot residue: Properties - PG/PC Interface, Parameter Assignments in the PG/PC: ISO Ind. Ethernet -> Broadcom NetXtreme; ISO Ind. Ethernet -> Dell Wireless 1395; ISO Ind. Ethernet -> mbDIALUP; ISO Ind. Ethernet -> TAP-Win32 Adapter; Assign S7ONLINE Access; Load]
The subnet Industrial Ethernet is now linked with the PG/PC.
[Screenshot residue: NetPro window for the RFC1006 network project (Step7 s7proj Rfc1006); catalog PROFIBUS DP, PROFIBUS PA, PROFINET IO, SIMATIC S5, SIMATIC S7-400H, Stations, Subnets, Programming Device/PC; status bar TCP/IP -> Broadcom NetXtreme 57xx]
[Page 143 of 229, Version 3.0]
14.2.6 Configure mbNET PC station
To configure this PC station (in this case mbNET), double-click on IE General.
[Screenshot residue: Properties - IE General, tabs General, Options, PROFINET, Diagnostics; Short Description: IE General; Order No./firmware: IE_CP V6.2.1; Name: IE General; Interface: Type Ethernet, Address 192.168.0.1, Networked: No; Properties button]
Click on Properties to set the interface parameters. Enter the IP address and subnet mask here. The IP address and subnet mask must be the same as those entered in the mbNET LAN settings.
[Screenshot residue: Ethernet interface properties (Parameters: Set MAC address / use ISO protocol; IP address and subnet mask; "if a subnet is selected, the n...") beside the mbNET Network menu (LAN, WAN, Modem, Internet, DHCP, DNS Server, Hosts, DynDNS)]
119. ...indows.
[Screenshot residue: Windows Control Panel, Network Connections (Local Area Connection); Local Area Connection Properties, General tab: "Connect using: VMware Accelerated AMD PCNet Adapter"; "This connection uses the following items: Client for Microsoft Networks, File and Printer Sharing for Microsoft Networks, QoS Packet Scheduler, Internet Protocol (TCP/IP)"; Install, Properties; Description: "Transmission Control Protocol/Internet Protocol. The default wide area network protocol that provides communication across diverse interconnected networks"; "Show icon in notification area when connected"; "Notify me when this connection has limited or no connectivity"; then Internet Protocol (TCP/IP) Properties, tabs General, Alternate Configuration: "You can get IP settings a..."]
120. ...integrated firewall to protect against third-party and unauthorized access and connection attempts. Incoming and outgoing data traffic is checked, logged and allowed or denied via this firewall. The firewall can generally be configured with one of the following three settings:
- maximum Security: With this setting, rules for allowing data traffic must be configured accordingly. Both incoming and outgoing data traffic is denied. For accessing the web interface from outside the network, the TCP protocol and the destination port 80 must be entered and enabled in the rules. If, however, you start a VPN connection, access is accordingly allowed for the data packets from the VPN tunnel.
- normal Security: With this setting, incoming data traffic (data from the Internet) is denied while outgoing data traffic is allowed.
- minimum Security: With this setting, all incoming and outgoing data traffic is allowed. The minimum Security option should only be set temporarily for test purposes, since it allows all data traffic from inside to outside the network as well as access from outside the network. This setting threatens the integrity of your mbNET and the connected devices.
[Page 150 of 229, Version 3.0]
SNAT: This function transparently passes on the incoming data traffic from Internet or VPN connections to the LAN. In other words, all data packets going to the LAN are assigned the IP address of the router as the
121. [Figure 116: Add Standalone Snap-in dialog listing Disk Defragmenter, Disk Management, Event Viewer, Folder, Group Policy Object Editor and others (Microsoft Corporation); "Use this page to add or remove a standalone Snap-in from the console"; Description: "The Certificates snap-in allows you to browse the contents of the certificate stores for yourself, a service, or a computer"; Close, Remove, About]
In the next window select Computer account.
[Figure 117: Certificates snap-in: "This snap-in will always manage certificates for: My user account / Service account / Computer account"]
In the next screen ensure that you select "This snap-in will always manage: Local computer (the computer this console is running on)". Once you have created the certificate console as described, you can import a certificate.
[Page 91 of 229, Version 3.0]
First open the folder and right-click on Personal > Certificates as shown in the screenshot below, and import the certificate that will be used to identify the client. Be sure to select the .p12 file for this. Enter the password for the .p12 file and then click Next. In the next screen select "Automatically select the certificate store based on the type of certificate". When you click Finish, the relevant certificates will import. No furthe
Autoconfig: Selecting yes means that the mbNET's local network range and IP address will be used. By selecting no, you can enter this information manually.
Local IP address or Range: This is the PPTP server address.
Remote IP address or Range: Enter the address or address range of the dial-up clients here.
Give DNS address to the client: Enter the address of the server currently providing name resolution here. Usually you can enter the PPTP server address.
Give WINS address to the client: The WINS server IP address can also be entered here, for compatibility with older Microsoft operating systems.
Encryption: This option selects the type of data encryption: MPPE V2 All, MPPE V2 128, MPPE V2 40, or None. You should only select None for test purposes; the data will not be transferred securely.
Authentication via PAP, CHAP, MS-CHAP, MS-CHAP V2: You can select which authentication methods your PPTP server will support here. Place a check next to your chosen methods and click Save Changes. Make sure that the client is also using one of the supported authentication methods, otherwise it will not be able to connect. Note that when using MPPE encryption you must ALWAYS use MS-CHAP or MS-CHAP v2 as the authentication method. For more detail, please see section VPN > PPTP.

Caveat: PAP transmits the password in clear text, and the MS-CHAP v2 handshake can be recovered offline by brute-forcing a single DES key, which also yields the MPPE session keys. Treat PPTP as a compatibility option for legacy clients only, and prefer the IPSec or OpenVPN connection types described in their own sections for anything that needs real confidentiality.

9.7.2 Settings for connecting two industrial routers
PPTP Clients IPS
is listed here. To upgrade the firmware, click Start. Then restart the device.

Upgrade via Network: In this case you need to enter the IP address of a TFTP server and the name of the firmware file, in this case image.bin. Before the upgrade can start, the tftpd32 tool must be launched. You can download it free of charge at http://tftpd32.jounin.net. Once you launch the tool, enter the following settings on the DHCP server tab:
- IP pool starting address: the IP address of the router that you are upgrading
- Size of pool: 70
- Mask: the network subnet mask

(Figure 141: Tftpd32 by Ph. Jounin, DHCP server tab. Current Directory and Server interface (192.168.0.4) at the top; IP pool starting address 192.168.0.100, Mask 255.255.255.0; Boot File, WINS/DNS Server, Default router, Domain Name and Additional Option fields; Save button.)

Clicking Save stores the settings. In the drop-down field under Current Directory, select the folder where the firmware upgrade file is saved. Do not close the tool until the upgrade is complete. Now, in the TFTP Server field of the web interface, enter the IP address of the computer that is currently running Tftpd32 and click Start.

TFTP and DHCP have neither authentication nor integrity protection, and the tftpd32 DHCP server will answer any host on the segment. Run the upgrade on an isolated network (router and upgrade PC alone on a switch or a direct cable), compare the image's checksum with the value published by MB Connect Line before you start, and stop the tool as soon as the upgrade is complete. Once the process
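What actually happens on the wire during "Upgrade via Network" is a TFTP read request from the router followed by 512-byte DATA blocks and ACKs (RFC 1350). The Python below is an added example written for this edit, not code from the mbNET firmware, from tftpd32 or from MB Connect Line. It builds and parses the packets, runs the whole exchange in memory over a constructed stand-in image (not a real mbNET image), and finishes with the one check TFTP itself cannot provide: comparing the received image against a SHA-256 value obtained out of band.

```python
import hashlib
import struct

# RFC 1350 opcodes; TFTP has no authentication and no integrity check of its own
RRQ, DATA, ACK, ERROR = 1, 3, 4, 5
BLOCK_SIZE = 512  # fixed data block size; a block shorter than this ends the transfer


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Read request as the router sends it for the firmware file (e.g. image.bin)."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_rrq(packet: bytes):
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode != RRQ:
        raise ValueError("expected RRQ, got opcode %d" % opcode)
    filename, mode, _rest = packet[2:].split(b"\0", 2)
    return filename.decode(), mode.decode().lower()


def build_data(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", DATA, block & 0xFFFF) + payload


def parse_data(packet: bytes):
    opcode, block = struct.unpack("!HH", packet[:4])
    if opcode != DATA:
        raise ValueError("expected DATA, got opcode %d" % opcode)
    return block, packet[4:]


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", ACK, block & 0xFFFF)


def serve_file(image: bytes):
    """Server side: yield DATA blocks 1..n; a final short (possibly empty) block ends the transfer."""
    block, offset = 1, 0
    while True:
        chunk = image[offset:offset + BLOCK_SIZE]
        yield build_data(block, chunk)
        if len(chunk) < BLOCK_SIZE:
            return
        block, offset = block + 1, offset + BLOCK_SIZE


def download(image_on_server: bytes, filename: str = "image.bin") -> bytes:
    """Client side, run in memory: RRQ, then ACK every DATA block in order until the short block."""
    _name, mode = parse_rrq(build_rrq(filename))
    if mode != "octet":
        raise ValueError("firmware must be transferred in octet (binary) mode")
    received = bytearray()
    expected = 1
    for pkt in serve_file(image_on_server):
        block, payload = parse_data(pkt)
        if block != expected & 0xFFFF:
            raise RuntimeError("block %d out of order (expected %d)" % (block, expected))
        received += payload
        build_ack(block)  # would be sent back to the server's transfer port
        expected += 1
    return bytes(received)


def image_matches(image: bytes, expected_sha256_hex: str) -> bool:
    """The check TFTP cannot do itself: compare against a hash obtained out of band."""
    return hashlib.sha256(image).hexdigest() == expected_sha256_hex


# Constructed stand-in for a firmware file (not a real mbNET image): 2400 bytes = 4 full blocks + 1 short block
SAMPLE_IMAGE = b"FIRMWARE" * 300
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_IMAGE).hexdigest()

if __name__ == "__main__":
    got = download(SAMPLE_IMAGE)
    print(len(got), "bytes,", "hash ok" if image_matches(got, SAMPLE_SHA256) else "HASH MISMATCH")
```

The block numbers are 16-bit and wrap, which is why both sides mask with 0xFFFF; an image whose length is an exact multiple of 512 is terminated by an empty DATA block, which serve_file emits as well.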
ist Servers

(Logging Configuration: Interval (s), Max archive period time (h); FTP Upload Configuration: Interval (min), Server address, Server Username, Server password; Save Changes.)

A storage medium must be inserted into the USB socket for the logging function. This can be e.g. a USB stick.
Interval (s): The tags are written to the storage medium at the specified interval.
Max archive period time (h): The log file is archived and a new log file is started at the latest after the time (in hours) set here.

FTP Upload Configuration
The logged tags can also be archived on an FTP server. The following settings are required for this. The Maximum firewall security setting does not permit the negotiation of a dynamic data port, as required during FTP communication between client and server. The router firewall must therefore be set to Normal in this case.
Interval (min): The log file is compressed and uploaded to the FTP server at the specified interval. A (compressed) copy of the log file also remains on the storage medium.
Server address: Enter the address of the FTP server here.
Server Username: Enter the username for authentication on the FTP server here.
Server password: Enter the password for authentication on the FTP server here.

Note that FTP sends the username, password and log data in clear text. Use it only within the LAN or through a VPN tunnel, and give the upload account write access to its upload directory only.

Log files are in CSV format. The current file is always called logfile.log and i
ity. The certificate can be issued by a higher authority, called a Certificate Authority (CA for short), or by the actual certificate holder. The certificate holder is called the Subject and whoever issues the certificate is called the Issuer. Below is a screenshot of the relevant certificate tabs and the option to import a new certificate.

(Figure 132: System > Certificates page with the tabs Own Certificates, CA, Partner Certificates and CRL. "Import new certificate": file chooser, optional name for this certificate, "Import PKCS12 File". List of imported certificates with the columns Name, Subject, Issuer, Valid, Download; example row: mb_HOST, CN=Client, CN=Root, valid from May 10 11:45:00 2012 GMT to May 10 11:44:00 2013 GMT.)

12.3.1 Personal Certificates
Personal certificates are used by the holder but issued and signed by a higher-level authority (CA root certificate). For the router to be able to present and use its personal certificate to a remote station, the relevant PKCS12 file (certificate plus private key) first has to be selected and imported to the router. Single or multiple PKCS files may be imported. Personal certificates always come with a key, which is why a PKCS12 file must be imported. It is made up of a .crt file and a .pem key file
k-to-network connection can be created here. Depending on the authentication method, the client receives an IP address from a defined range, or each subscriber specifies its requested address.

Example:
LAN 192.168.99.x <-> mbNET Client 10.1.0.2 <-> (tunnel) <-> mbNET Server 10.1.0.1 <-> LAN 192.168.0.x

Link connection (Figure 181). The selectable options include:
- Wait for incoming connection
- Connect immediately
- Start with an active internet connection
- Connect when input 1 has high signal (likewise for inputs 2, 3 and 4)
- Connect when input 1 has high signal, disconnect at low signal (likewise for inputs 2, 3 and 4)
- Connect while pushing dial-out button

If "Wait for incoming connection" was selected for the link connection, this is called mbNET in server mode, and "Server" in the rest of the documentation. If "Connect immediately" or "Start with an active internet connection" was selected for the link connection, this is called mbNET in client mode, and "Client" in the rest of the documentation.

18.2.2.1 Server: no authentication or static key
(Figure 182: Authentication and Protocol options: Local IP address 10.1.0.1, Peer IP address 10.1.0.2, Local network 192.168.0.0/24, Peer network 192.168.99.0/24.)

Enter the IP address of the local VPN tu
l
icmp: The set rule only applies to the ICMP protocol (ping).
WAN interface: This setting defines the WAN interface to which the rule is applied. Internet or WAN Ethernet can be selected.
Destination IP: Enter the destination address of the data packets on the Internet here.
Destination Port: Enter the port via which the data packets are sent to the destination IP here.
Edit icon: Edits the settings in the current line.

Security settings (continued)

15.4 Forwarding
This setting forwards requests from specific IP addresses and ports to defined IP addresses and ports.

(Figure 156: Firewall > Forwarding tab with the rule columns Enable, Source IP, Source Port, Protocol, Destination IP, Destination Port, Forward IP, Forward Port, Forward on all interfaces.)

Enable: Check the box by clicking it to enable the subsequent settings after they are saved.
Source IP: You can enter the IP from which data packets are received here. If an entry is made here, only packets from this one address are forwarded. A forwarding rule with a blank Source IP exposes the internal host to every address that can reach the router, so fill this field in whenever the remote side has a fixed address.
Source Port: You can specify the port via which the data packets arrive here. If an entry is made here, only packets specifically sent via this port are forwarded.
Protocol: The following protocols are available for selection. All: the set rule applies to all protocols. tcp: the set rule only applies to the TCP protocol.
le only applies to the UDP protocol. icmp: The set rule only applies to the ICMP protocol.

15.3 LAN > WAN
This setting governs the outgoing data traffic, i.e. the following settings only apply to outgoing data traffic.

(Figure 155: Firewall > LAN>WAN tab with the rule columns Enable, Action, Source IP, Source Port, Protocol, WAN interface, Destination IP, Destination Port; the example row reads ACCEPT, All, WAN Ethernet, 514.)

Label / Description
Enable: Check the box by clicking it to enable the subsequent settings after they are saved.
Action: The following options are available for selection. Drop: no data packets can pass, and the sender is not notified about the fate of the data packets. Reject: the data packets are rejected, and the sender is notified that they have been rejected. Accept: the data packets can pass.
Source IP: Enter the IP of a computer from which data packets are sent to the Internet here. If you leave the field blank, the set action applies to all IP addresses.
Source Port: Enter the port via which the data packets go to the Internet here.
Protocol: The following options are available for selection. All: the set rule applies to all protocols. tcp: the set rule only applies to the TCP protocol. udp: the set rule only applies to the UDP protoco
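The three security levels (Maximum, Normal, Minimum) and the WAN>LAN, LAN>WAN and Forwarding rule tables described in these firewall sections can be modelled as a small packet-policy evaluator, which makes the default-deny behaviour and the Drop/Reject difference easy to test before touching a live router. The following Python is an added example written for this edit, not firmware code and not code from MB Connect Line. It assumes exact-address matching, first-match-wins rule order, and that packets arriving through an established VPN tunnel are accepted before the WAN>LAN table is consulted; that last point is this example's reading of the sentence about VPN connections, not something the manual states.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    direction: str            # "in" = WAN -> LAN, "out" = LAN -> WAN
    proto: str                # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    via_vpn: bool = False     # arrived through an established VPN tunnel


@dataclass
class Rule:
    """One row of the WAN>LAN or LAN>WAN table; a blank field (None) matches anything."""
    action: str               # "accept", "drop" (silent) or "reject" (sender is notified)
    proto: str = "all"
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    enabled: bool = True

    def matches(self, p: Packet) -> bool:
        if not self.enabled:
            return False
        if self.proto != "all" and self.proto != p.proto:
            return False
        if self.src is not None and self.src != p.src:
            return False
        if self.dst is not None and self.dst != p.dst:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True


@dataclass
class ForwardRule:
    """One row of the Forwarding table: rewrite the destination to an internal host and port."""
    dst_port: int
    forward_ip: str
    forward_port: int
    proto: str = "all"
    src: Optional[str] = None  # blank = forward from any source (exposes the host to everyone)
    enabled: bool = True

    def apply(self, p: Packet) -> Optional[Packet]:
        if not self.enabled or p.direction != "in" or p.dport != self.dst_port:
            return None
        if self.proto != "all" and self.proto != p.proto:
            return None
        if self.src is not None and self.src != p.src:
            return None
        return Packet(p.direction, p.proto, p.src, self.forward_ip, self.forward_port, p.via_vpn)


# Default policy per security level, as described for the General tab
DEFAULT_POLICY = {
    "maximum": {"in": "drop", "out": "drop"},
    "normal":  {"in": "drop", "out": "accept"},
    "minimum": {"in": "accept", "out": "accept"},
}


def decide(level: str, rules_in: List[Rule], rules_out: List[Rule], p: Packet) -> str:
    """First matching rule wins; otherwise the level's default applies.
    Assumption (not stated in the manual): tunnel traffic bypasses the WAN>LAN table."""
    if p.direction == "in" and p.via_vpn:
        return "accept"
    rules = rules_in if p.direction == "in" else rules_out
    for r in rules:
        if r.matches(p):
            return r.action
    return DEFAULT_POLICY[level][p.direction]


def sender_is_notified(action: str) -> bool:
    """Drop and reject differ only in whether the sender learns what happened."""
    return action == "reject"
```

Under Maximum Security an inbound TCP/80 packet is dropped until an explicit accept rule for it exists, a VPN packet is accepted without one, and the Normal level still drops it while letting outbound traffic through. The example deliberately carries no state for replies; a real firewall tracks connections, so an accepted outbound request does not need a matching inbound rule.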
les the use of service control via SMS.
Check the Phone Number of the Sender: This ensures that the mbNET only accepts SMS commands from a specific number. Then enter the sender's cell number in the next field, Sender's Phone Number. Commands sent from any other number will be rejected.
Send an SMS when Internet Connection Established: The mbNET can send you an SMS as soon as it has connected to the Internet. In the next field you also need to enter the telephone number to which this SMS should be sent.
Please note that cell numbers cannot begin with 0. You must use the international format, e.g. 49 for Germany.

The sender check only compares the caller number presented by the mobile network, which is not authenticated and can be spoofed; it keeps stray messages from acting on the router but is not a strong access control, so do not expose more through SMS commands than you would expose to anyone who knows the router's number.

13.3.6 Remote service control commands using SMS
INET START or INET STOP: This controls the industrial router's Internet connection. Note that you can only control an Internet connection that is active and has been established by the industrial router.
IPSEC START <connection name> or IPSEC STOP <connection name>
PPTP START <connection name> or PPTP STOP <connection name>
OPENVPN START <connection name> or OPENVPN STOP <connection name>
Whichever type of VPN you select, the command must always be followed by the name of the connection, e.g. OPENVPN START Wizard. In addition, be aware that the connection name is case-sensitive.
REBOOT: This will restart your industrial router. Please note that it cannot receive any commands while restarting.
OUT ON or OUT OFF: Using OUT ON <output number> or OUT OFF <o
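A command receiver for the SMS interface described above has to do three things before acting: normalise and compare the sender number (international format, no leading 0), parse the command grammar, and look the connection name up case-sensitively. The Python below is an added example written for this edit, not the router's own SMS handler or code from MB Connect Line. The connection names, the output count and the rule that command keywords must be in upper case are constructed assumptions; the manual only says that connection names are case-sensitive.

```python
import re
from typing import Optional, Tuple

# Constructed configuration (not from the manual): connection names defined on this router
CONNECTIONS = {"ipsec": {"Plant_A"}, "pptp": {"Office"}, "openvpn": {"Wizard"}}
OUTPUTS = {1, 2, 3, 4}                  # digital outputs addressable with OUT ON/OFF <n>


def normalise_number(number: str) -> str:
    """International format without '+' or leading 0: '+49 170 1234567' -> '491701234567'."""
    digits = re.sub(r"[\s\-/()]", "", number)
    if digits.startswith("+"):
        digits = digits[1:]
    if not digits.isdigit() or digits.startswith("0"):
        raise ValueError("number must be in international format without a leading 0: %r" % number)
    return digits


def dispatch(sender: str, text: str, allowed_sender: Optional[str] = None) -> Tuple[str, object]:
    """Return ('ok', action tuple) or ('rejected', reason) for one received SMS.
    Keywords are matched in upper case only (assumption); connection names are case-sensitive."""
    if allowed_sender is not None:
        try:
            if normalise_number(sender) != normalise_number(allowed_sender):
                return ("rejected", "sender not allowed")
        except ValueError as err:
            return ("rejected", str(err))
    words = text.strip().split()
    if not words:
        return ("rejected", "empty command")
    cmd = words[0]
    if cmd == "REBOOT" and len(words) == 1:
        return ("ok", ("reboot",))
    if cmd == "INET" and len(words) == 2 and words[1] in ("START", "STOP"):
        return ("ok", ("inet", words[1].lower()))
    if cmd in ("IPSEC", "PPTP", "OPENVPN") and len(words) == 3 and words[1] in ("START", "STOP"):
        name = words[2]
        if name not in CONNECTIONS[cmd.lower()]:
            return ("rejected", "unknown %s connection %r (names are case-sensitive)" % (cmd, name))
        return ("ok", (cmd.lower(), words[1].lower(), name))
    if cmd == "OUT" and len(words) == 3 and words[1] in ("ON", "OFF") and words[2].isdigit():
        n = int(words[2])
        if n not in OUTPUTS:
            return ("rejected", "no output %d" % n)
        return ("ok", ("out", words[1].lower(), n))
    return ("rejected", "unknown command %r" % text)
```

Note that "OPENVPN START wizard" is rejected while "OPENVPN START Wizard" is accepted, which is exactly the pitfall the manual warns about.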
llow remote station access, you need to enter the router IP address and the HTTPS port, in this case port 443.

12.2 System Users
12.2.1 General
With user management you can
- give users access rights to web interface administration and to modem or VPN dial-in
- edit or delete existing users, or add new users

Give each user only the right it needs: a user who only dials in over the modem or VPN does not need web interface administration, and the fewer accounts that can administer the router, the fewer passwords an attacker can guess.

12.2.2 Editing users
To edit a user, proceed as follows:
- Select System and then Users.
- To select a user whose rights you want to change, click on the edit button. The user will be displayed in the first row along with their access settings (Figure 122).
- Amend the relevant field entries and apply the changes.
- Save your changes by clicking Save (disk icon, Figure 123).
- You can undo your changes by clicking Clear Changes (Figure 124).
- Clicking Apply Changes applies the changes (Figure 125).

12.2.3 Adding users
To add a user, proceed as follows:
- In the navigation bar on the left select System and then, at the top, Users (Figure 126: System > Users, Usermanagement).
- In the first row of input fields, enter the username, password and full name of the user. Please note: all three fields must be completed, otherwise you will receive an error message when you save.
- In the three check boxes that follow, specify which rights you want the new
lport 8080
cipher BF-CBC
reneg-sec 3600
proto udp
# ---- Enter the partner's IP address or DNS name here ----
remote
ifconfig 10.1.0.6 10.1.0.5
route 192.168.0.0 255.255.255.0
ping 10
ping-restart 60
(Figure 173)

18.2.1.3.1 No authentication
ClientRouter configuration file opened in Notepad (Figure 174):
...
reneg-sec 3600
proto udp
# ---- Enter the partner's IP address or DNS name here ----
remote 80.23.45.123
ifconfig 10.1.0.6 10.1.0.5
route 192.168.0.0 255.255.255.0
ping 10
ping-restart 60

To establish an OpenVPN connection with your mbNET without encryption, you just need to remove the comment character (#) in front of the remote line. Next, enter the public IP address of the mbNET (the address accessible via the Internet), or use MB Connect Line's DynDNS service; in that case enter the name specified under Network > DynDNS, e.g. remote 0123456789.mbNET.mymbnet.biz.

Without authentication, any host that can reach the configured UDP port can bring up the tunnel and route into the LAN behind the router. Use this mode for connectivity tests only, and switch to a static key or certificates before leaving the router reachable from the Internet. Also note that Blowfish (BF-CBC) has a 64-bit block size and is no longer considered adequate; choose an AES cipher on both sides if the firmware offers one.

18.2.1.3.2 Authenticating a Windows client with static key
ClientRouter configuration file (Notepad):
dev tun
rport 8080
lport 8080
comp-lzo
cipher BF-CBC
tun-mtu 1500
reneg-sec 3600
proto udp
secret C:\Programme\openvpn\config\clientkey.txt
# ---- Enter the partner's IP address or DNS name here ----
remote 80.23.45.123
ifconfig 10.1.0.6 10.1.0.5
route 192.168.0.0 255.255.255.0
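The two ends of a point-to-point OpenVPN tunnel, whether the router-to-router setup of section 18.2.2 (tunnel 10.1.0.1/10.1.0.2 with a LAN on each side) or the Windows client configured above (ifconfig 10.1.0.6 10.1.0.5, route to the router LAN, optional secret), must agree on a handful of lines, and the mistakes that keep a tunnel from coming up or leave it open are easy to check mechanically. The Python below is an added example written for this edit, not the router's own configuration generator or code from MB Connect Line; it renders one side of a config in the style of the ClientRouter file and validates a pair. The tunnel and LAN addresses follow the manual's example, while the public address 80.23.45.123, the key file paths and the AES default cipher are this example's placeholders (check which ciphers the firmware actually offers).

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed example values: tunnel addresses as in the manual's Windows-client example, router
# LAN 192.168.0.0/24; the public address is a placeholder, not a real router.
ROUTER_LAN = "192.168.0.0/24"
ROUTER_SIDE = {"tunnel_local": "10.1.0.5", "tunnel_peer": "10.1.0.6", "remote": None}
CLIENT_SIDE = {"tunnel_local": "10.1.0.6", "tunnel_peer": "10.1.0.5", "remote": "80.23.45.123"}


def render(side: Dict[str, Optional[str]], peer_lan: Optional[str] = None,
           secret: Optional[str] = None, cipher: str = "AES-256-CBC", port: int = 8080) -> str:
    """One side of a point-to-point config in the style of the manual's ClientRouter file.
    The AES default is this example's choice; the manual's screenshots show BF-CBC."""
    lines = ["dev tun", "proto udp", "lport %d" % port, "rport %d" % port, "tun-mtu 1500",
             "cipher %s" % cipher, "reneg-sec 3600", "ping 10", "ping-restart 60",
             "ifconfig %s %s" % (side["tunnel_local"], side["tunnel_peer"])]
    if side.get("remote"):
        lines.append("remote %s" % side["remote"])       # only the initiating side needs this
    if peer_lan:
        net = ipaddress.ip_network(peer_lan)
        lines.append("route %s %s" % (net.network_address, net.netmask))
    if secret:
        lines.append("secret %s" % secret)               # static key: the same file on both sides
    return "\n".join(lines) + "\n"


def parse(text: str) -> Dict[str, List[List[str]]]:
    """Minimal OpenVPN config reader: option name -> list of argument lists; '#' starts a comment."""
    opts: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            name, *args = line.split()
            opts.setdefault(name, []).append(args)
    return opts


def check_pair(a_text: str, b_text: str) -> List[str]:
    """Mistakes that keep a point-to-point tunnel from coming up, or leave it open or weak."""
    a, b = parse(a_text), parse(b_text)
    problems: List[str] = []
    try:
        la, pa = a["ifconfig"][0]
        lb, pb = b["ifconfig"][0]
        if (la, pa) != (pb, lb):
            problems.append("ifconfig addresses are not mirrored: '%s %s' vs '%s %s'" % (la, pa, lb, pb))
    except (KeyError, ValueError):
        problems.append("ifconfig missing or malformed on one side")
    if ("secret" in a) != ("secret" in b):
        problems.append("only one side uses a static key; the other will not authenticate")
    elif "secret" not in a:
        problems.append("no authentication: any host reaching the port can bring up the tunnel")
    for label, opts in (("a", a), ("b", b)):
        for args in opts.get("cipher", []):
            if args and args[0].upper().startswith("BF-"):
                problems.append("side %s uses Blowfish (64-bit block, SWEET32); use AES" % label)
    if "remote" not in a and "remote" not in b:
        problems.append("neither side has a remote line; one side must initiate")
    return problems


if __name__ == "__main__":
    router = render(ROUTER_SIDE, secret="/etc/openvpn/clientkey.txt")            # placeholder path
    client = render(CLIENT_SIDE, ROUTER_LAN, secret=r"C:\Programme\openvpn\config\clientkey.txt")
    print(client)
    print("problems:", check_pair(router, client) or "none")
```

For the router-to-router case, render both sides with the other side's LAN as peer_lan so that each end gets the route line; for a single Windows client, only the client needs a route, because the router reaches the client's single tunnel address directly.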
missions for industrial environments; EN 61000-6-2:2001, interference immunity for industrial environments.

4 What is included in the package
First check that the following parts are in the product package:
- mbNET router (Figure 1)
- Straight-through Ethernet cable (Figure 2)
- For router variants with analog modem: RJ10-RJ10 cable and RJ10-to-TAE adapter (Figure 3, analog connection cable)
- For router variants with ISDN modem: RJ10-RJ45 cable (Figure 4, ISDN connection cable)
- For router variants with GSM modem: GSM antenna (Figure 5)
- Quick Start Guide (Figure 7; the cover reads "Wir sorgen für Verbindung", i.e. "We provide the connection", and "Schnelleinstieg zur Inbetriebnahme mbNET", i.e. "Quick start for commissioning the mbNET")

If any of these parts are missing or damaged, please contact:
MB CONNECT LINE GMBH, Winnettener Straße 5, D-91550 Dinkelsbühl
Tel. +49 (0) 9851 582529-0, Fax +49 (0) 9851 582529-99
E-mail: info@mbconnectline.de, Website: www.mbconnectline.de

Keep the box and the original packaging in case you have to send the device for repair at a later date.

5 Displays, controls and connections
5.1 Front panel view
(Figure 6: front panel)

Label / Status / Description
Pwr, off: Router power source is switched off, or the router is not connected to the power source (power pack).
Pwr, on: The Ready LED does this
n: What is the name or address of the VPN server?
- Here enter either the DynDNS service forwarding name or the current IP address of the router. The example in Figure 86 uses an IP address assigned by the ISP. For information on setting up and using the MB Connect Line DynDNS service, please see section Network > DynDNS. When entering the router's IP address, make sure that you always enter the current IP address: the IP address changes every time the router connects to the Internet.
- You can now choose whether the connection will be available to all users or only to the current user.
- Now add a desktop shortcut to the connection.
The VPN connection is now set up.

(Figure 88: New Connection Wizard, VPN Server Selection: "Type the host name or Internet Protocol (IP) address of the computer to which you are connecting. Host name or IP address (for example, microsoft.com or 157.54.0.1):" 77.180.121.116.)
(Figure 89: New Connection Wizard, Completing the New Connection Wizard: "You have successfully completed the steps needed to create the following connection: Testserver. Share with all users of this computer. The connection will be saved in the Network Connections folder. Add a shortcut to this connection to my desktop. To create the connection and close this wizard, click Finish.")

Setting up the router for a VPN connection (continued)
9.6.3 Se
n query whether a VPN server is also equipped with SSL. This option can also be enabled on the mbNET. The section on OpenVPN goes into more detail on this and on the settings options. If you set up your certificate with both elements, it can be used with a VPN client or a VPN server.

(Figure 110: XCA, Create x509 Certificate, Netscape tab: Object Signing CA, Base URL, Revocation URL, Certificate renewal URL.)

In the Netscape tab no IPSec settings are required. If using OpenVPN with "Peer must be TLS server" enabled, select only the SSL Server option; see also the screenshot above. Now the certificates need to be published: highlight the relevant ones in the Certificates tab and then click Export.

(Figure 111: XCA, Certificates tab. The database root_en.xdb contains Rootcertificate (CA: Yes, serial 01, expires 2013-05-10) and Client1 (CA: No, serial 02, expires 2013-05-10).)

In the menu below you can specify the save location for the certificate on your computer and also the file format.

(Figure 112: XCA, Certificate export: Filename C:\Client1.p12. The format help reads: DER is a bi
nary format of the certificate; PEM is a base64-encoded certificate; PKCS#7 is an official certificate exchange format; PKCS#12 is an encrypted official key/certificate exchange format.)

As your client is to be authenticated by the client certificate, it also needs the private key for this certificate. As shown in Figure 112, export the client certificate using the export format "PKCS#12 with Certificate chain". When you click OK, the client certificate is saved to the location that you specified above. The client certificate then has the file extension .p12. Choose a strong password for the .p12 file and hand the file and its password to the client over separate, trusted channels; the file contains the private key that identifies that client.

You must use the PEM format (file extension .crt) when exporting the root certificate. These certificates can then be imported to the mbNET router via the web interface (cf. section System > Certificates). For an explanation of how to set up these certificates for a Windows client, see "Importing certificates in Windows XP".

10.3 Creating CRL files (revocation lists)
If you wish to withdraw a team member's rights to use the VPN tunnel, please read this section and create a certificate revocation list. Remember that a revocation only takes effect once the updated CRL has been imported on the router's CRL tab; until then the revoked certificate still works. To do this, re-open XCA and open the database containing your team member's certificate. To confirm a certificate as invalid, right-click on it and the dialog box below will appear.

(XCA Certificate and Key management window: tabs Private Keys, Certificate signing requests, Certificate
nction for wizards, click on the Start button for the VPN connection wizard. Otherwise check "VPN: set up a VPN tunnel" and ensure that everything else is unchecked.

Important: if you configured your Internet connection manually, the VPN wizard will display a warning. If you have not yet set up an Internet connection for the mbNET, please cancel the VPN wizard and set up an Internet connection first. Otherwise check the box and click Next.

Please note that with firmware versions 2.0 and higher, to enable IPSec configuration on the wizards page you first need to click on IPSec below the Start button for the VPN wizard, then on Save Changes and Apply Changes.

- Here select "Connection between Networkclient and mbNET" and click Next.
- Type in your key (PSK) and click Next. Note that you should not use any special characters, and that your client must receive the key via a secure path. Within that restriction, make the key long and random (letters and digits, 20 characters or more); a short or guessable PSK is the weakest point of the whole tunnel.
- Now you can download a ready-configured Windows VPN connection for your computer from the mbNET.
- To configure manually, proceed as follows: on the home page click on Network in the navigation bar on the left, then on VPN in the navigation bar at the top, then on PPTP and the tab marked Server (Figure 83). This will display the screen below.

Configuri
and switching on ... 17
7.1.1 Connecting the router to a configuration PC ... 18
Configuration prerequisites ... 19
7.2.1 How to set computer address (IP address and subnet mask) in XP ... 20
(entry illegible) ... 21
Basic configuration of the router using the web interface ... 22
Web interface home page ... 22
Icons, buttons and (illegible) ... 23
(entry illegible) ... 25
(entry illegible) ... 27
(entry illegible) ... 28
(entry illegible) ... 29
(entry illegible) ... 29
Configuring the industrial router for connection over the telephone network ... 31
9.2.1 Connecting and configuring the router ... 32
9.2.1.1 (entry illegible) ... 32
9.2.1.2 Configuring the router using the web interface ... 33
9.2.2 Configuring a client PC to access the router ... 37
9.2.3 Establishing a connection between the client PC and the industrial router ... 39
9.2.4 Displaying and verifying connection status ... 39
Configuring the industrial router for connection via the Internet ...
ndustrial router's user management system.

The bottom area of the screenshot shows whether a USB device is connected. A connected USB device is indicated by a green dot. Please note that the drive must have a FAT/FAT32 file system; other file systems, e.g. NTFS, can cause problems.

12.5 System Logging
System logging for the mbNET can be outsourced to another computer by using a log server.

(Figure 138: System > Logging, Logging Settings: "Set debug output to syslog", "Log also to USB Device"; Remote logging: Enable Remote logging, Remote IP Address 192.168.0.65, Remote Port 514; Save Changes.)

Enable Remote logging: To enable a log server, place a check in the box by clicking on it. System logging for the mbNET industrial router can now be outsourced to another computer.
Remote IP Address: IP address of the log server, in this case 192.168.0.65.
Remote Port: Remote port for the log server, in this case port 514. We recommend that you do not change this port, as certain applications may not work properly on a completely different port.

Syslog on port 514 is traditionally plain UDP: the messages are neither encrypted nor authenticated, anyone on the path can inject lines that look like the router's, and messages are silently lost if the log server is down. Keep the log server on the LAN or inside a VPN tunnel rather than across the Internet, restrict which hosts the server accepts from, and keep "Log also to USB Device" enabled so that a local copy survives if the network path is cut.

12.6 System Configuration
Using this menu you can both back up and restore a sys
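On the log server side, the datagrams the router forwards to port 514 have to be parsed (priority, timestamp, host, tag, message) and filtered by origin and severity before anything alerts on them. The Python below is an added example written for this edit, not the router's syslog sender or code from MB Connect Line. It builds and parses BSD-style (RFC 3164) messages and filters them by source host and minimum severity; the sample datagrams are constructed for the example and are not real mbNET output, and the host filter shows why an unauthenticated transport needs at least a sender check.

```python
import re
from typing import Dict, Iterable, List, Optional

FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
                  "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]  # 0 = worst

# <PRI>Mmm dd hh:mm:ss host tag[pid]: message
_BSD = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$")


def build(facility: str, severity: str, timestamp: str, host: str, tag: str, msg: str) -> bytes:
    """Encode one message the way a sender puts it on the wire; PRI = facility * 8 + severity."""
    pri = FACILITY_NAMES.index(facility) * 8 + SEVERITY_NAMES.index(severity)
    return ("<%d>%s %s %s: %s" % (pri, timestamp, host, tag, msg)).encode()


def parse(datagram: bytes) -> Optional[Dict]:
    """Decode one datagram, or return None for anything that is not well-formed syslog."""
    m = _BSD.match(datagram.decode("utf-8", "replace"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                       # 23 facilities * 8 + 7 is the largest legal value
        return None
    return {"facility": FACILITY_NAMES[pri // 8], "severity": SEVERITY_NAMES[pri % 8],
            "timestamp": m.group("ts"), "host": m.group("host"), "tag": m.group("tag"),
            "pid": int(m.group("pid")) if m.group("pid") else None, "msg": m.group("msg")}


def events_from(datagrams: Iterable[bytes], expected_host: str, min_severity: str = "warning") -> List[Dict]:
    """Keep well-formed messages that claim to come from the router and are at least min_severity.
    The host name is self-reported, so pair this with a firewall rule that only admits the router's IP."""
    threshold = SEVERITY_NAMES.index(min_severity)
    kept = []
    for datagram in datagrams:
        ev = parse(datagram)
        if ev is None or ev["host"] != expected_host:
            continue
        if SEVERITY_NAMES.index(ev["severity"]) <= threshold:
            kept.append(ev)
    return kept


# Constructed datagrams such as a router might forward to 192.168.0.65:514 (not real mbNET output)
SAMPLE = [
    b"<38>Mar 10 11:45:00 mbnet pppd[412]: PPTP: authentication of user admin succeeded",
    b"<35>Mar 10 11:45:07 mbnet pppd[412]: PPTP: authentication failed for user admin",
    b"<14>Mar 10 11:46:00 mbnet firewall: level set to minimum",
    b"<35>Mar 10 11:46:01 other-host sshd[9]: line injected by some other sender",
    b"not syslog at all",
]

if __name__ == "__main__":
    for ev in events_from(SAMPLE, "mbnet"):
        print(ev["severity"], ev["tag"], ev["msg"])
```

With the default threshold only the failed-authentication line from the router survives; lowering min_severity to "info" also surfaces the firewall level change, which is the kind of configuration event worth alerting on even though the router rates it as informational.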
nection using a signal to the selected digital input.
Close connection after (s) inactivity: Here enter the length of time before the connection should be closed if the router has sent no further data packets in the interim. Leaving this blank switches off the function.

13.4.3 Internet failover connection
Firmware versions 3.x.x and higher have an optional failover function for the Internet connection.

(Internet Connections > Internet Settings: Failover: yes. Failover of Internet interfaces: "Retry interface before switch to next interface"; table with the columns Priority, Enable, Internet Interface (Internet via WAN, Internet via Modem). Connection monitoring (PING): PING IP or host address 1 (62.165.6.24), PING interval 1 (s); PING IP or host address 2, PING interval 2 (s); PING IP or host address 3, PING interval 3 (s); "PING retry before switch to next interface"; Save Changes.)

First you need to switch on this function (Internet Connections > Internet Settings > Failover: yes). In the table below, you can select a priority order for the Internet interfaces. The order and number of interfaces are freely definable (Priority, Enable, Internet Interface: Internet via WAN, Internet via Modem).

Choose PING targets you control or that are highly available, and more than one; if the only target is a host that happens to be down, the router will switch to the backup interface (for example the metered modem link) although the primary link is fine.

The "Retry interface before switch to next interface" parameter specifies how many times an
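The failover logic described here (interfaces in priority order, a connection monitor, and a retry count before switching) is worth simulating before relying on it, because the retry count determines both how long an outage goes unnoticed and how easily a flapping PING target causes a switch to the backup link. The Python below is an added example written for this edit, not the router's failover implementation or code from MB Connect Line. It assumes that a switch happens after the first failure plus the configured number of retries, and that after the last interface the order wraps back to the first; the manual states neither detail.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Interface:
    name: str
    priority: int        # 1 is tried first
    enabled: bool = True


class Failover:
    """Model of 'Retry interface before switch to next interface': the active interface is kept
    until the connection monitor has failed once and then `retries` more times in a row.
    Assumption (the manual does not say): after the last interface the order wraps to the first."""

    def __init__(self, interfaces: List[Interface], retries: int):
        self.order = sorted((i for i in interfaces if i.enabled), key=lambda i: i.priority)
        if not self.order:
            raise ValueError("no enabled Internet interface")
        self.retries = retries
        self.idx = 0
        self.failures = 0
        self.switches: List[str] = []   # names of the interfaces switched to, for the log

    @property
    def active(self) -> str:
        return self.order[self.idx].name

    def check(self, reachable: bool) -> str:
        """Feed one monitor result (was a PING target reachable via the active interface?)
        and return the interface that is active afterwards."""
        if reachable:
            self.failures = 0
            return self.active
        self.failures += 1
        if self.failures > self.retries:
            self.idx = (self.idx + 1) % len(self.order)
            self.failures = 0
            self.switches.append(self.active)
        return self.active

    def run(self, results: List[bool]) -> List[str]:
        """Convenience: the active interface after each monitor result in turn."""
        return [self.check(r) for r in results]


if __name__ == "__main__":
    # Constructed setup: WAN first, modem as backup, a third interface left disabled
    fo = Failover([Interface("Internet via Modem", 2), Interface("Internet via WAN", 1),
                   Interface("unused", 3, enabled=False)], retries=2)
    print(fo.run([True, False, False, False, True, False, False, False]))
    print("switches:", fo.switches)
```

With retries=2 and a 1-second PING interval, three consecutive misses (about three seconds) move traffic to the modem; a single lost ping does nothing, which is the point of the retry parameter.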
net. Finally, a CPU of your choice can be added to the relevant subnet. The example here uses a CPU 313C-2DP.

(NetPro, project RFC1006-Network (C:\Programme\Step7\s7proj\Rfc1006): network selection tree with MPI, PROFIBUS-DP, PROFIBUS-PA, PROFINET IO, PROFIBUS and Industrial Ethernet; stations SIMATIC 300(1) and PG/PC(1); subnet Ethernet(1) Industrial Ethernet; status line "TCP/IP -> Broadcom NetXtreme 57x".)

Routing
For the station to be able to contact a subscriber from another slave network (see picture), you need to make the following settings.

(NetPro, same project: network selection with MPI, PROFIBUS-DP, PROFIBUS-PA, PROFINET IO, PROFIBUS, SIMATIC 300, SIMATIC 400, SIMATIC PC Station, SIMATIC S5 and SIMATIC S7-400H; station PG/PC(1); subnet Ethernet(1) Industrial Ethernet; SIMATIC S7-300, M7-300 and C7 modules (central rack).)
new connection (New Connection Wizard).
- The wizard also offers "Set up a home or small office network" (connect to an existing home or small office network or set up a new one) and "Set up an advanced connection" (connect directly to another computer using your serial, parallel or infrared port, or set up this computer so that other computers can connect to it).
- In the wizard that appears, select "Connect to the network at my workplace" (Figure 86).

(Figure 87: New Connection Wizard, Network Connection: "How do you want to connect to the network at your workplace? Create the following connection: Dial-up connection (connect using a modem and a regular phone line or an Integrated Services Digital Network (ISDN) phone line); Virtual Private Network connection (connect to the network using a virtual private network (VPN) connection over the Internet).")
- On the next screen select "Virtual Private Network connection" (Figure 87).

(Figure 89: New Connection Wizard, Connection Name: "Specify a name for this connection to your workplace. Type a name for this connection in the following box. Company Name: Testserver. For example, you could type the name of your workplace or the name of a server you will connect to.")
- Now enter a name for the VPN connection (Figure 89).

Setting up the router for a VPN connection (continued)
Configuring a client PC for a VPN connection to the router (continued)

(New Connection Wizard, VPN Server Selectio
ng the router for VPN connection to a client

(Figure 84: Network > VPN > PPTP Configuration, Server tab. Server Configuration: Enable, Autoconfig, Local IP Address (192.168.0.100), Remote IP Address (192.168.0.101-110), Give DNS Address to the client. Encryption Configuration: Encryption MPPE V2 All. Authentication Configuration: Authentication via PAP, via CHAP, via MS-CHAP, via MS-CHAP V2. Save Changes.)

For a detailed description of the settings, please see section VPN > PPTP.

Label / Description
Enable: To enable the connection, check the box by clicking on it.
Autoconfig: If you select yes here, the PPTP server will be configured using the mbNET's LAN address. This setting should be tried first. You should only enter your PPTP server settings manually if there is an address conflict.
Local IP address or Range: Enter any local address in this input field. In the example it is 192.168.10.100. Note: you can also use the router's LAN IP address. You should only re-host your PPTP server in a different address space if there is an address conflict.
Remote IP address or Range: Enter the remote addresses here, in the example 192.168.10.160-170. This assigns the IP addresses of the co
ngs assigned automatically if your network supports this capability. Otherwise, you need to ask your network administrator for the appropriate IP settings.

(Figure 16: Internet Protocol (TCP/IP) Properties: "Obtain an IP address automatically" / "Use the following IP address": IP address 192.168.0.X, Subnet mask 255.255.255.0, Default gateway; "Use the following DNS server addresses": Preferred DNS server, Alternate DNS server.)

First-time operation (continued)
7.2.1 How to set computer address (IP address and subnet mask) in XP
To set the IP address, proceed as follows:
- First select Control Panel from the Windows Start menu (1) and then double-click on Network Connections (2).
- Right-click on Local Area Connection (3) and select Properties.
- In the next window, double-click on Internet Protocol (TCP/IP) (4).
- In the next window, enter the appropriate IP address. An appropriate IP address would be e.g. 192.168.0.2. Please note: the IP address must be 192.168.0.X and must not already be in use by another network subscriber.
- In Subnet mask enter 255.255.255.0, and in Default gateway enter the router IP address as shown in the section on Router IP Address.
- Where a DNS server is in use, there is an option to select "Obtain DNS server address automatically".
- To save and close the settings, click OK in each of the open w
nication with S7 via
- VCOM LAN2 PC adapter in SIMATIC Manager
- RFC1006
- mbNET S7 driver, direct installation in SIMATIC Manager

(Serial > COM2 settings: Interface Type MPI/PROFIBUS; Protocol MPI/PROFIBUS Network Driver; Enable RFC1006; Own station address; Enable RFC1006 Routing Station (use the routing gateway); Protocol TCP, Port 7002; Enable Ports through firewall; VCOM LAN2 PC adapter; MPI/PROFIBUS Baud rate.)

VCOM LAN2 PC adapter: If you select VCOM LAN2 PC adapter, the PG/PC interface must be installed on a PC adapter (MPI/PROFIBUS).
MPI/PROFIBUS Baud rate: For bus speeds higher than 1.5 Mbit/s this must be assigned manually.
Protocol MPI/PROFIBUS network driver: Enabling this option launches the installation of network drivers on the client. Dispensing with separate driver installation and using the TCP/IP (Auto) option with a PG/PC interface is only possible if the RFC1006 option is enabled. Instructions on this are available on our website support pages under the heading RFC1006. RFC1006 uses TCP port 102.
Enable RFC1006: You can select to enable the RFC1006 protocol here.
Enable Ports through firewall: This opens the ports used here (TCP 102 for RFC1006 and the configured TCP port for the network driver) in the router firewall. Neither protocol authenticates the remote station, so a PLC reachable this way from the WAN can be read and written by anyone who reaches the port; leave this unchecked and let programming access come in through a VPN tunnel, where the tunnel authenticates the engineer.
Own station address: If RFC1006 is enabled, assign a unique MPI/DP station address for the router. Note: the connected router will use this station address to log into the MPI/DP network. This is necessary if y
nnect on traffic
Don't lock: Select this option if you want to prevent the Internet connection from being closed by a signal to a digital input.
Close connection if Input1, Input2, Input3, Input4: Select this option if you want to be able to interrupt the Internet connection using a signal to one of the selected digital inputs.
Send IP address via email: Here you can set whether to have an email containing the current public IP address sent to a pre-specified email address. If you select "send IP address via email", you need to enter your email address here; you can also enter it manually in this field.

This tab is only displayed if Internet connection via WAN or modem has been selected along with On demand for the connection mode. The following settings options will be displayed:
Connect on traffic: To connect to the Internet when a data packet is sent, check this box. In other words, an Internet connection will be established if the LAN is trying to contact a subscriber outside of the LAN.
Connect while pushing Dialout button: If you wish an Internet connection to be triggered by pressing the Dial-out button on the front of the router, check this box.
Connect on Signal at Input, Don't lock: Select this option if you want to prevent the Internet connection from being triggered by a signal to one of the digital inputs.
Input1, Input2, Input3, Input4: Select this option if you want to establish a con
146. nnected clients within the range of (Range) 192.168.10.160 to 192.168.10.170. Important: It is essential that the address or address range entered here is in the same address space as the local IP address chosen above. Give DNS Address to the client: Enter the DNS server address, in this case 192.168.0.100 (router IP address). Encryption: Use the default setting, MPPE V2 All. Authentication: Use the default setting, via CHAP and MS-CHAP V2. Save your changes by clicking Save Changes. Finally, to save your changes permanently to the router, click Apply Changes. (Figure 85.) Setting up the router for a VPN connection (continued). 9.6.2 Configuring a client PC for a VPN connection to the router. To proceed with set-up, the client PC must have an existing Internet connection. For information on setting up a client PC, please see section "Configuring a client PC for router access". In Windows Control Panel, click on Network Connections and then on Create a (Screenshot: New Connection Wizard, Network Connection Type, "What do you want to do?": Connect to the Internet (Connect to the Internet so you can browse the Web and read email); Connect to the network at my workplace (Connect to a business network using dial-up or VPN so you can work from home, a field office or another location).)
147. nnection to a Siemens control system, you first need to verify the settings in Simatic Manager by selecting Extras > Setup PG/PC interface > PC adapter (PROFIBUS) or PC adapter (MPI) and then clicking on Properties. This will open a menu screen with a Local Connection tab. The transmission rate here MUST be set to 38400. (Screenshot: Properties, PC Adapter (PROFIBUS), PROFIBUS / Local Connection tabs, Connection to.) 14.2 Enabling RFC1006 on the mbNET. Enable the RFC1006 option under the Serial Interfaces > COM2 menu. Specify the own station address for the mbNET. (Screenshot: Serial > COM2: Interface Type MPI/PROFIBUS, Protocol MPI/PROFIBUS Network Driver, Enable RFC1006, Own station address, Enable RFC1006 Routing, Station address of the routing gateway, Protocol TCP, Port, Enable Ports through firewall, Save Changes.) 14.2.1 Settings for NETPro (Step 7). Launch the NETPro application in Simatic Manager. (Screenshot: NetPro, RFC1006 network, C:\Programme\Step7\s7proj\Rfc1006; selection of the network: PROFIBUS DP, PROFIBUS PA, PROFINET IO, Stations, Subnets; PROFIBUS DP slaves for SIMATIC S7, M7 and C7 (distributed rack); ISO Ind. Ethernet.)
148. nnel (Local IP address) end point here, e.g. 10.1.0.1. Peer IP address: Enter the IP address of the peer VPN tunnel end point here, e.g. 10.1.0.1. Local network: Enter your network address in CIDR notation here, 192.168.0.0/24. Peer network: Enter the network address of your peer in CIDR notation here, 192.168.99.0/24. Network Settings: With authentication without certificates, only one IP channel (local IP address and peer IP address) can be specified per connection entry. With manual configuration of the VPN client, the settings Local IP address and Peer IP address must be reversed accordingly on the client. 18.2.2.2 Server authentication with certificates. With authentication with certificates, multiple clients can dial into the server simultaneously and are automatically assigned an IP address from the Client IP address pool. There are two different operating modes in server mode with certificates. 18.2.2.2.1 Single client: Only one client can dial in. (Figure 183: Connection Settings / Network Settings / Authentication / Protocol options tab: Client IP address pool 10.1.0.0/24, Local network 192.168.0.0/24, Multi-peer mode, Peer network 192.168.99.0/24.) Client IP address pool: With authentication with certificates, multiple different clients can dial into the server (not simultaneously) and are automatically assigned an IP address from the Client IP address pool.
149. nt to establish the connection. This ID is selected when the certificate is created (see the section "Creating certificates and revocation lists using XCA") under the tab Subject. It is the certificate subject and must be entered as follows: C=country, ST=state, L=city, O=organization, OU=department, CN=certificate_name, E=email_address. If some fields on the Subject tab were left blank when the certificate was created, the corresponding entries must be omitted (cf. the section "Creating certificates and revocation lists using XCA"). Peer Certificate: Only if "Authentication by peer certificate" was selected. Select the corresponding certificate via the drop-down field. (Screenshot: Unit 1, Unit 2.) 16.1.4 Protocol options. (Screenshot: VPN > IPSec Configuration > Edit Connection, Protocol options tab. Phase 1 (IKE/ISAKMP): Coding algorithm 3DES-192, Hash total algorithm SHA1, Lifetime of ISAKMP SA, Aggressive Mode. Phase 2 (ESP/IPSec SA): Coding algorithm 3DES-192, Hash total algorithm SHA1, PFS (Perfect Forward Secrecy) active, Lifetime of IPSec SA (seconds), Do initiate renegotiation of keys before end (rekey) active, Number of tries for connection startup (0 = no limit), Rekeymar
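Added example, not from the mbNET manual: the ID field above must hold the certificate subject in the fixed attribute order C, ST, L, O, OU, CN, E with blank XCA fields left out, and a peer whose ID is written in a different order or with an unknown attribute will not be matched. The helpers below build the string from the subject fields and check a typed ID against that rule; the "ATTR=value" syntax and the ", " separator are assumptions, since the extracted manual shows only the attribute order.

```python
"""Build and check the certificate-subject ID string in mbNET attribute order."""
from collections import OrderedDict

# Attribute order required by the mbNET ID field (order taken from the manual;
# the "=" and ", " syntax is an assumption made for this example).
SUBJECT_ORDER = ("C", "ST", "L", "O", "OU", "CN", "E")


def build_subject_id(fields):
    """Return the ID string for the given XCA Subject-tab fields.

    `fields` maps attribute names (C, ST, L, O, OU, CN, E) to the values entered
    in XCA. Blank or missing fields are omitted, as the manual requires. Unknown
    attribute names are rejected so a typo does not silently produce an ID that
    the peer's certificate subject will never match.
    """
    unknown = set(fields) - set(SUBJECT_ORDER)
    if unknown:
        raise ValueError(f"unknown subject attributes: {sorted(unknown)}")
    parts = []
    for attr in SUBJECT_ORDER:
        value = (fields.get(attr) or "").strip()
        if not value:
            continue  # field left blank in XCA: omit it from the ID
        if "," in value or "=" in value:
            raise ValueError(f"{attr} must not contain ',' or '='")
        parts.append(f"{attr}={value}")
    if not parts:
        raise ValueError("subject has no fields")
    return ", ".join(parts)


def parse_subject_id(text):
    """Parse an ID string into an ordered dict of attribute -> value.

    Raises ValueError for the mistakes that make the router's ID differ from
    the peer's certificate subject: an attribute the mbNET does not know, a
    repeated attribute, or attributes listed out of the required order.
    """
    result = OrderedDict()
    last_index = -1
    for chunk in text.split(","):
        chunk = chunk.strip()
        if not chunk:
            raise ValueError("empty component in subject ID")
        attr, sep, value = chunk.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not value:
            raise ValueError(f"component {chunk!r} is not ATTR=value")
        if attr not in SUBJECT_ORDER:
            raise ValueError(f"unknown subject attribute {attr!r}")
        index = SUBJECT_ORDER.index(attr)
        if index <= last_index:
            raise ValueError(f"attribute {attr} is repeated or out of order")
        last_index = index
        result[attr] = value
    return result


def ids_match(local_id, peer_id):
    """True when both ID strings describe the same subject, field for field."""
    return parse_subject_id(local_id) == parse_subject_id(peer_id)


if __name__ == "__main__":
    # Constructed sample subject; ST and L were left blank in XCA.
    sample = {"C": "DE", "ST": "", "O": "Example GmbH", "CN": "router1"}
    print(build_subject_id(sample))  # C=DE, O=Example GmbH, CN=router1
```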
150. nternet. The existing router must first be assigned the right settings. This operating mode is particularly useful if you need to set up a connection between the mbNET industrial router and a VPN gateway. (Figure 75: mbNET industrial router, WAN IP address 192.168.1.100; router, standard gateway IP 192.168.1.1; Internet.) Configuring the router for connection to the Internet via an existing router. 9.5.1 Connecting and configuring the router. 9.5.1.1 Connecting the router. Connect the router to the existing router as shown in the diagram on the right. To do this, plug one end of the crossover cable (1) into the WAN connector on the mbNET router and the other end into the LAN connector (2) of the existing network router. (Figure 76: mbNET industrial router, Internet.) 9.5.1.2 Configuring the router using the web interface. The connection wizard helps you to configure your connections quickly and easily. To access the wizard, click on the Wizards link at the top right of your browser. If you have disabled the autolaunch function for wizards, click the Start button for the Internet connection wizard. Now select the option "External router/Firewall". At this point you have a choice between automatic recognition of your network and interface details or entering them manuall
151. o the LAN receive the sender IP address of the mbNET. Although this means that it is then no longer possible to distinguish between senders in the LAN, the LAN subscribers do NOT have to have the mbNET entered as a gateway. (Network Settings option: "Client NAT behind the local network. The client will send the IP of the gateway for traffic on the local net".) With authentication without certificates, only one IP channel (local IP address and peer IP address) can be specified per connection entry. With manual configuration of the VPN client, the settings Local IP address and Peer IP address must be reversed accordingly on the client. 18.2.1.2 Authentication with certificates. (Figure 171: Authentication / Protocol options tab: Client IP address pool; Client NAT behind the local network: The client will send the IP of the gateway for traffic through the local network.) Client IP address pool: With authentication with certificates, multiple clients can dial into the server simultaneously and are automatically assigned an IP address from the Client IP address pool. Enter the address range in CIDR notation, e.g. 10.1.0.0/24 corresponds to the subnet mask 255.255.255.0. Network Settings: The option "Client NAT behind the local network. The client will send the IP of the gateway for traffic through the local network" assigns all packets coming into the LAN the sender I
152. odes for analog ... 224; 26 ... 229 (table of contents). 1 Introduction. 1.1 Brief description: The mbNET industrial router offers you optimum flexibility and security, making remote communication with your systems both easy and secure. Thanks to its compact design, the mbNET router will fit into any switch cabinet and, with its multiple interfaces and drivers, is the perfect solution for integrating different control systems. The mbNET router is configurable using a web interface. 1.2 Features: Fully configurable using the web interface, via a locally connected computer or remotely. Deployable worldwide using different modem connections (ISDN, analog, mobile broadband) plus access via LAN and Internet. Secure connection using an integrated firewall with IP filter, NAT and port forwarding; VPN with AES, DES, 3DES, DESX, Blowfish or RC2 encryption and authentication via pre-shared key (PSK), static key or certificate (X.509). Alarm management: fully configurable digital inputs and outputs and the ability to send via email, SMS or Internet dial-up; remote output switching in the event of a fault or with an active Internet connection. Integrated server secures all settings, keys and certificates and allows data sharing within the network via a connected USB flash or hard drive. Variable RS232/RS485/RS422 interface or optional MPI/PROFIBUS fo
153. onfiguring the router. Before you begin: The router should be connected to a suitable power source and the Power and Ready LEDs should be solid green. 9.3.1.1 Connecting the router. Analog connection (only applies to device models MDHxx0): Connect the TAE adapter to the analog cable. Plug one end of the supplied cable into the RJ12 jack (1) on the bottom of the router and the other end into the TAE jack (2). (Figure 52.) ISDN connection (only applies to device models MDHxx2): Plug one end of the supplied cable into the jack (1) and the other end into the NTBA (2). GSM connection (only applies to device models MDHxx3 and xx4): Plug one end of the supplied antenna cable into the jack. (Figure 54.) Configuring for connection over the Internet (continued). 9.3.1.2 Configuring the router using the web interface. You can configure your connections quickly and easily using the connection wizard. To do this, click on the Wizards link at the top right of your browser. If you have disabled the autolaunch function for wizards, click on the Start button for the Internet connection wizard. Here choose the Modem option and click Next. If your ISP is already stored on the mbNET, click on "use a Provider from list". Alternatively, you can enter your own by choosing "enter APN manually" and entering your ISP details.
154. onnecting to devices with MPI interface. 5.2 Top, bottom and back panel views. Top (Detail A): Digital input I4 (10-30 V), Digital input I3 (10-30 V), 0 V DC connection, Digital output A2, Digital output A1. Bottom: GSM/UMTS variant (SIM card slot, antenna connection); Analog/ISDN modem variant. 6 Interfaces. 6.1 Pin assignment. 6.1.1 Pinout of top panel terminal blocks X1 and X2: 10-30 V DC, 0 V DC connection (Detail A, Figure 7). 6.1.2 Pinout of bottom panel RJ12 jack (Figure 8; columns Pin / ISDN / Analog): pin 1: Not Connected / Not Connected; pin 2: TX / Not Connected; pins 3 to 5: not recoverable; pin 6: Not Connected / Not Connected. 6.1.3 Pinout of front panel serial interfaces COM1 and COM2 (RS232 and RS-485 signals): DCD (Data Carrier Detect), RxD (Receive Data), TxD (Transmit Data), DTR (Data Terminal Ready), GND (Ground signal), RTS (Request to Send), CTS (Clear to Send); Data circuit B, Data circuit A, GND, 5 V output (5 V, 200 mA; 5 volts only in 4-wire operation), 24 V supply input, Not Connected.
155. ort a key or generate it yourself. All imported keys can be downloaded as a copy under Download. (Figure 189: Connections > Static Keys: generate new static key (Name for this static key); import new static key (Choose static key file, Import static key file); list of imported static keys (Name / Download): Wizard_Static_Key, Static_key_Client1, Static_key_Router.) Label / Description: Name for this static key: Enter the name of the key to be generated here. Choose static key file: A key previously generated on another system can be imported here. 18.2.3.3 Authentication with certificates. There are three different types of authentication with certificates: 1. Each subscriber needs the same root CA and a personal certificate signed by the root CA. 2. Like 1, but with additional username/password verification. 3. Like 2, but without a personal certificate. In other words, the stations only need a root CA and username/password. 18.2.3.3.1 Authentication with CA certificate and own certificate. (Screenshot: Connection Settings / Network Settings / Authentication / Protocol options, Authentication process. Unit 1 has one certificate with the private key, certified by My CA (own certificate), and the certificate of the My CA (CA certificate). Unit 2 has one certificate with the private key, certified by My CA (own certificate).)
156. ou are using RFC1006 communication exclusively. In a mixed operation of connections using network drivers and RFC1006, the router always logs in using the address assigned to the first connection used. Enable RFC1006 routing: This option enables routing via RFC1006. Station address of the routing gateway: If RFC1006 routing is enabled, you must enter the address of the routing gateway (14, see example below). Note: to access a slave subscriber station in a subnetwork that is not directly connected, the master gateway must be assigned as the PLC routing gateway station address on the router. Example: The PLC master is connected to the router (e.g. address 13) via MPI bus (e.g. address 14), and a subscriber station (e.g. address 5) is connected to the master via PROFIBUS (e.g. address 4). To now be able to access the subscriber with address 5 on the PROFIBUS via the router (13) using MPI, routing needs to be enabled. More information on installation is available via our Support Portal at www.connectline.com. MPI/PROFIBUS baud rate: Select from the following options (PG/PC Interface): 3 Mbit/s, 6 Mbit/s and 12 Mbit/s. Protocol: Select the protocol for communicating with the connected device. The following options are available: TCP and UDP. Port: Enter the port that will be used for communication. Enable ports through firewall: Checking this box means that you can access the Intern
157. r certificate imports are required. The CA certificate is automatically imported. Nor is it necessary to save the console. (Figure 118: Console, Console Root > Certificates (Local Computer) > Personal; context menu All Tasks > Request New Certificate, New Window from Here, New Taskpad View, Refresh, Export List, Help.) Double-clicking on the relevant certificate displays its properties. In the General tab you can check, amongst other things, which CA issued the certificate, how long it is valid for and whether you have a private key for it. This is very important when using certificates for web server publishing. (Figure 119: Certificate, General tab, Certificate Information: This certificate is intended for the following purpose(s): All issuance policies, All application policies. Issued to: root. Issued by: root. You have a private key that corresponds to this certificate. Issuer Statement.) There is more information about the issued certificate in the Details tab. (Screenshot: Certificate, General / Details / Certification Path tabs.)
158. r connecting control systems. 2 Safety instructions. The router is built to the latest technological standards and recognized safety standards (see Declaration of Conformity). The router must be installed in a dry location. No liquid must be allowed to get inside the router, as this could result in electric shocks or short circuits. The router is for indoor use only. Never open the router chassis. Unauthorized opening and improper repair can pose a danger to the user. Unauthorized modifications are not covered by the manufacturer's warranty. Opening up the device voids the warranty. The router must be disposed of in line with European regulations and German legislation on electronic and electrical devices and not as general household waste. 3 Technical data. Voltage (V DC): 10-30 V. Power consumption: max. 300 mA at 24 V. Digital inputs: 4 digital inputs, 10-30 V, fuse-protected. Digital outputs: 2 digital outputs, 200 mA max. output. IP protection class: (not recoverable). Area of application: (not recoverable). Operating temperature: 0 to 50 °C. Storage temperature: 20 to 60 °C. Weight: approx. 650 g. Humidity: 0 to 95%, non-condensing. Dimensions (max.): 124 mm x 48 mm x 124 mm (H x W x D). Interfaces: RS232/485, RS422, MPI/PROFIBUS, LAN 10/100 Mbit/s (dependent on device). General license: EN 61000-6-4:2001 (interference e
159. r has no certificate or an invalid certificate, no VPN tunnel can be established between the two devices if the authentication setting on the mbNET is X.509. To understand how to create certificates, please see the next section. 10.2 Creating certificates. Christian Hohnstadt's XCA freeware program is useful for creating certificates. Using this program makes it easy to create X.509 certificates as well as the necessary private keys. You can download the program from http://sourceforge.net/projects/xca free of charge and install it in Windows in the usual way (run the .exe file). When you launch XCA for the first time, a new database has to be created to manage the certificates. To do this, click File and then New DataBase. (Figure 99: X Certificate and Key management; File menu: New DataBase, Open DataBase, Generate DH parameter, Set as default DataBase, Close DataBase (Ctrl+F4), Dump Database, Change DataBase password, Import old db_dump, Undelete items; tabs: Private Keys, Certificate signing requests, Certificates, Templates, Revocation lists; Database: C:\Dokumente und Einstellungen\MB Technik\Eigene Dateien\root_en.xdb.) After choosing a name, file save location and password for the database, you can open it and start creating a root CA certificate. 10.2.1 Creating a root certificate. To create a root certificate, click on the Certificates t
160. rection. AT\N2: V.42/LAP-M or MNP4 error correction. The modem hangs up if a failsafe connection cannot be established. AT\N3: V.42/LAP-M or MNP4 error correction. A non-failsafe connection will be attempted if a failsafe connection cannot be established. AT\N4: V.42/LAP-M error correction; the modem hangs up if this is not possible. AT\N5: MNP error correction; the modem hangs up if this is not possible. Initializing the modem (continued). Message output / dial tone detection: This command controls how the modem reacts to the dial tone and busy signal and how it displays the CONNECT messages. ATX0: No busy and dial tone detection, i.e. NO CARRIER is displayed in response to a failed dialing attempt. Messages OK, CONNECT, RING, NO CARRIER, ERROR and NO ANSWER are displayed. ATX1: Like ATX0, but CONNECT xxx messages with speed specification. ATX2: Busy tone detection disabled, dial tone detection enabled. Messages OK, CONNECT, RING, NO CARRIER, ERROR, NO ANSWER and NO DIAL TONE are displayed. ATX3: Busy tone detection enabled, dial tone detection disabled. Messages OK, CONNECT xxx, RING, NO CARRIER, ERROR, NO ANSWER. ATX4: Busy tone and dial tone detection enabled. Messages OK, CONNECT xxx, RING, NO CARRIER, ERROR, NO ANSWER and NO DIAL TONE. 24.2 ISDN terminal adapter (TA) commands. B channel protocol: Defines the transmission protocol in the B channel. ATB0: V.110 asynchronous. ATB3: PPP asynchronous to synchrono
161. rivate key, certified by My CA (own certificate), and the certificate of the My CA (CA certificate). Unit 2 has one certificate with the private key, certified by My CA (own certificate), and the certificate of the My CA (CA certificate). (Figure 191: Unit 1, Unit 2, My CA (Root CA); settings: CA Certificate mb ROOT CA, Own Certificate mb_HOST, Additional user and password verification, Use only CA and User password for client verification.) Description: CA Certificate: This is the root certificate (root CA). All other certificates must come from this certificate. Own Certificate: You use this certificate to authenticate yourself to your VPN peer. Additional user and password verification: Additional user data may be required from a client dialing in. Please note that this user data must be entered in the VPN server under System > User (X.509 authentication server). Use only CA and User password for client verification: With this option you authenticate yourself using the CA certificate and the user data of the VPN server (from the System > User menu) only. 18.2.3.3.4 Client. (Screenshot: Connection Settings / Network Settings / Authentication / Protocol options, Authentication process X.509. Unit 1 has one certificate with the private key, certified by My CA (own certificate); Unit 1, Unit 2.) The Certificate o
162. rresponding output of the industrial router is to be set to signal level 1 in the event of a malfunction. On by Internet connection: Select this setting if the corresponding output of the industrial router is to be set to 1 in the event of an active Internet connection. For example, an active Internet connection can then be indicated by an LED connected at output O1 or O2. On/Off: This button can be used to switch the currently selected output on and off. The text Off or On above the button shows the current output state in the same way as the LED icons under current State. Green LED icon: Signal level 1 at output. Gray LED icon: Signal level 0 at output. 21 Status messages. 21.1 General: The industrial router must be analyzed using certain status information when errors occur. For example, a flashing ERROR LED indicates that a system error has occurred on the router. The cause of the error can be determined, e.g. using the list. The various status displays are described below. 21.2 Status > Interfaces. (Screenshot: Status > Interfaces, with tabs ETH, Network, Modem, Internet, DHCP, DNS Server, DynDNS, NTP, VPN IPSec, VPN PPTP, VPN OpenVPN, Diagnostics, USB. WAN (eth1): MAC Address 00:50:C2:EA:82:CD, IP Address 192.168.1.100, Received 0 pkts, Transmitted 0 pkts. LAN (eth0): MAC A
163. rs own configuration parameters. These can be entered manually. Baud rate: Enter the baud rate for communication here. Data format: Select one of the settings for data bits, parity or stop bits. Handshake: Select a handshake (flow control) option. Receive loops: This is a start counter for serial signals, i.e. how many cycles the system goes through until it sends the data packet. Driver: Select the driver that you want to load. Device drivers can be selected for the following brands: AllanBradley, AMK, ASB, AtlasCopco, Baumüller, Berger, Bosch, B&R, DanfossVLT, Elau, F Tron, GE_Fanuc, Hitachi, Indramat, Q2000, KEB Driver, Kuhnke, KEB, Lauer, Lenze, Locon, Micro_Innovation, Mitsubishi, Moller, Motoman, Npos, Omron, Parker Hauser CompaxC3, Phoenix, Pilz, PLC Direct, Primo, Proface, Promicon, Quin, SCS Automata, Seidel Kollmorgen, SEW, Siemens, Stoeber, Stromag, Sutron, Tsx37, Tsx47, Tsx57, Vectron, Vega Sensor, Voelkel Grenzlastregler, Winloc. Protocol: Select the protocol for communicating with the connected device. Options are TCP and UDP. Port: Enter the port that will be used for communication. Enable ports through firewall: Checking this box means that you can access the serial devices via the public address through the port assigned above without being blocked by the firewall. 14.1.2 MPI/PROFIBUS interface. Commu
164. s Templates / Revocation lists. (Figure 113: Certificates tab showing Rootcertificate / rootcertificate, CA: Yes, serial 01, dates 2013-05-10; context menu: Export, Import, Import PKCS#12, Import from PKCS#7, Rename, Delete, Show Details, Delete from Security token, Trust, Plain View, Renewal, Unrevoke, Paste PEM data, Columns; Database: C:\Dokumente und Einstellungen\MB Technik\Eigene Dateien\root_en.xdb.) Clicking on Revoke flags the relevant certificate with a red X and it is no longer valid. To remove the flag and make the certificate entry valid again, click on Unrevoke as shown in the screenshot. Next, right-click on the associated root certificate. The following dialog box will appear. (Figure 114: Private Keys / Certificate signing requests / Certificates / Templates / Revocation lists; entries with serials 02 and 03 dated 2013-05-10; context menu: Properties, Generate CRL; Database: C:\Dokumente und Einstellungen\MB Technik\Eigene Dateien\root_en.xdb.) You can create a revocation list here using CA > Generate CRL, as shown in the screenshot above. Please ensure that under hash algorithm you also select MD5. There are no check boxes to enable for extensions. The CRL must now be exported and then imported to the mbNET. To export, proceed as follows:
165. s stored in the subdirectory logfiles on the USB stick. Archived files use the following naming convention: log file (log), Date (yyyymmdd) _ Time (hhmmssmss), gzip. 20 Alarm management. 20.1 General: The alarm management function can be used to query the states at the four digital inputs and, depending on the result, send an appropriate text to an email address you have specified; and to switch two digital outputs independently of each other in the event of a fault, when there is an active Internet connection, or manually. 20.2 Digital inputs: Click Alarmmanagement in the navigation bar, followed by Input. (Figure 196: navigation bar System / Network / Serial / Security / VPN / I/O Manager / Alarmmanagement; tabs Input / Output.) The following screen for configuring the four available digital inputs is then displayed. The inputs can be individually configured using the four different tabs. Alarmmanagement (continued). (Figure 197: Alarmmanagement > Input; tabs Input 1, Input 2, Input 3, Input 4, Multiplex Input; fields Enable, Query on, Action (EMail, Reboot); current State: Input 1, Input 2, Input 3, Input 4.) Label / Function: Each input can be separately configured. Select the input to be configured by clicking its tab. Enable: The input is enabled by checking the box. This is how you determine whether the input in question is to be enabled (activated). Query on: Set the input level for
166. sion 3.0, mbNET. www.mbconnectline.de (gsm grps mobilfunk page). In most cases any user name can be used. Password: Enter the password from the provider details (in the example shown: any). For GSM modems you can obtain the necessary information at e.g. www.mbconnectline.de (gsm grps mobilfunk page). In most cases any password can be used. Authentication via PAP: Use the default setting for the authentication protocol. This is set by default when a dial-up connection is set up. Authentication via CHAP: Use the default setting for the authentication protocol. This is set e.g. when a dial-up connection is set up. Timeout dialout in s: Enter a time (300 = 5 minutes in the example shown here) after which dialing attempts will stop. Save your changes by clicking Save Changes. (Figure 58.) Please note: Dial-up providers change their tariffs frequently. MB Connect Line cannot be held responsible for possible price changes. Configuring for connection over the Internet (continued). From the web interface home page, click Network and then Internet. The following screen will be displayed. Follow the instructions below. (Figure 59: navigation bar System / Network / Serial / Security / VPN / I/O Manager; tabs LAN, WAN, Modem, Internet, DHCP, DNS Server, Hosts, DynDNS; Internet Configuration: Internet Settings.)
167. sonal certificate signed by the root CA. Like 1, but with additional username/password verification. Like 2, but without a personal certificate. In other words, subscribers only need a root CA and username/password. 18.2.3.1 No authentication. (Figure 187: Connection Settings / Network Settings / Authentication / Protocol options: Authentication process: no authentication.) This setting should primarily be used for test purposes. It provides a quick and easy way of testing the connection with a peer, e.g. whether the correct ports are enabled. The data is sent UNENCRYPTED in this mode. 18.2.3.2 Authentication with static key. (Figure 188: Authentication tab: Authentication process: static key; Static key: Wizard_Static_Key.) With symmetric encryption, authentication and encryption/decryption of the data is performed using one and the same key (static key). The advantage of symmetric encryption is its speed: encryption and decryption take much less time than with asymmetric encryption, since the symmetric key is secure from a size of 90 bits. The asymmetric key, on the other hand, must be at least 1024 bits. The disadvantage of symmetric encryption is that stations need to exchange keys. Each subscriber must obtain the key in a secure manner. A previously imported or generated key can be selected in the screen shown above. 18.2.3.2.1 Key management. You can imp
168. splays the date of the most recent update. Next update: Displays the date of the next scheduled blacklist update. 12.4 System > USB. You can connect a USB device (flash or external drive) to the industrial router's USB port and make this available to network users as an additional drive. To set up the USB port, select System on the navigation bar on the left and USB on the navigation bar at the top. This will display the screen shown below. (Figure 137: System > USB (tabs Info, Settings, WEB, Users, Certificates, USB, Logging, Backup/Restore, Firmware); USB Access from Network: Enable, Status, Workgroupname mbNET, Servername, Share data to; USB devices: usb not connected; Save Changes.) Enable: Select whether to enable connection of a USB device with the industrial router. Workgroupname: Enter the name of the workgroup through which users can access the drive. Servername: Enter a name under which the USB drive will appear in the above-mentioned workgroup. Access to USB device: Select whether users will have read-only access to the USB drive or can also save data to it. Share data to: Specify whether to give access rights to network users who are not registered under the i
169. ssigned automatically if your network supports this capability. Otherwise, you need to ask your network administrator for the appropriate IP settings. (Figure 17: Obtain an IP address automatically / Use the following IP address; Obtain DNS server address automatically / Use the following DNS server addresses.) First time operation (continued). 7.3 Initial configuration. Proceed as follows: Open your browser and enter the router's IP address in the address bar. The factory setting is 192.168.0.100. Log into the router using the following settings: User name: admin. Password: no password required. Firmware versions lower than 1.2.0: On successful log-in you will be taken to the configuration interface home page (see screenshot right). With firmware versions 1.2.0 and higher, a connection wizard will launch, simplifying network, Internet and VPN connection set-up. The wizard is easy to use and takes you through the configuration process step by step. You can also launch the wizard manually. To do this, click on Wizards at the top right of your browser window. (Figure 18: mbNET Administration, Microsoft Internet Explorer, Address http://192.168.0.100; Authentication Required dialog, user nam
sting router. In this case 192.168.1.1.
Netmask: Enter the subnet mask. In this case 255.255.255.0.

Configuring the router for connection to the Internet via an existing router

On the web interface home page, click on Network > Internet. The following screen will be displayed (Figure 79: Network > Internet > Internet Settings with the fields Internet connection "Internet via WAN (external router, fixed line)" and Connection monitoring). Follow the instructions on the subsequent pages.

For a detailed description of the Internet settings please see section Network > Internet.

Internet connection: From the drop-down field, select "connect to Internet via WAN (external router, fixed line)" so that the Internet connection will be made by the existing router. This option means the mbNET itself does not establish an Internet connection, because the mbNET is not connecting to the Internet.
Save your changes by clicking Save Changes.
Finally, save your changes permanently to the router (Figure 80). After applying the changes, please restart the router.

9.6 Configuring the industrial router for VPN connection to a client

Setting up a virtual network reduces the cost of a
tem configuration. The configuration can be saved (e.g. to a connected USB drive) before making major changes and, if necessary, restored onto the industrial router.

(Figure 139: System > Backup and Restore screen. Backup Configuration: Name this configuration, include certificates and keys, Save on USB device, Overwrite existing file, encrypt the configuration, passphrase, repeat passphrase. Restore Configuration: saved config file (.mbn / .mbns), passphrase.)

Name this configuration: Assign a meaningful name to the configuration. In this case mbNET.
Backup: Backs up the configuration. After clicking on this button you will be prompted to enter a location, e.g. the USB drive letter.
Include certificates and keys: This configures the system to copy the certificates and keys into the backup as well. Please note that this configuration file should then only be used for one device.
Save on USB device: If a USB storage medium is connected, the configuration can also be stored there.
Overwrite existing file: If this option is not enabled and a configuration file already exists at the same location, the new configuration will not be stored. Either change the name of one of the files or choose a different save location for the new configuration. P
ter here. This name must be communicated to the peer.
Peer ID: Enter the name of the peer here.

X.509 Authentication: You can choose between two authentication processes via the drop-down field.

Authentication by certificate from CA: The root certificate (of the certificate authority, CA for short) and a personal certificate including key (.p12 file) must be imported into the router for this. See the section System > Certificates. The remote station must have the same root certificate and a certificate signed by the CA, including key. (Diagram: Unit 1 and Unit 2 each hold the Root CA certificate and their own certificate signed by "My CA".)

Authentication by peer certificate: The certificates can be signed by different CAs. A personal certificate + key (.p12 file) must be imported into each router. Each router must also have a copy of the respective peer certificate, naturally WITHOUT the key (.crt file). (Diagram: Unit 1 and Unit 2 each hold their own certificate and a copy of the other unit's certificate.)

Own Certificate: Select the router's personal certificate via the drop-down field.
Local ID: This ID is normally assigned by the certificate. This field can be left blank.
Peer Certificate: Select the peer certificate here.
Peer ID: This ID can only be assigned by the certificate if "Authentication by peer certificate" was selected. The field can be left blank in this case. If however "Authentication by certificate from CA" was selected, you must specify the peer ID in case you wa
tgoing VPN connections of the router. An active connection is indicated by a green dot. The connection duration, active user, and local and remote IP address are displayed. The connections are logged. After the connection is disconnected, you can read off the active connection time.
Systemloggings: Shows all notifications and error messages related to the PPTP service.

21.12 Status > VPN OpenVPN

(Figure: Status > VPN > OpenVPN screen. OpenVPN connections (inbound/outbound) with the columns Name, Active, Common Name and Connection data, the buttons Start Connection and Stop Connection, and a Systemloggings pane. The logged lines are from the process ovpn_consWizard (PIDs 17317 and 17319, Mar 23 11:43:41) and include messages such as "UDPv4 link remote: [undef]", "UDPv4 link local (bound): [undef]:1194", "LZO compression initialized" and "NOTE: --script-security method='system' is deprecated due to the fact that passed parameters will be subject to shell ..." NOTE th
the PLC behind it, you just need to create a CRL. XCA makes this easy.

(Figure 136: System > Certificates > CRL screen. "Import new certificate revocation list (crl)": Choose CRL File, Update URL, Import CRL File. "List of imported certificate revocation lists" with the columns Issuer, Update URL, last updated, next update; the example entry is issued by CN=joe_ChefCA, last updated Aug 15 07:44:19 2008 GMT, next update Sep 14 07:44:19 2008 GMT.)

Importing new certificates:
Choose CRL File: Enter the file location or browse the relevant drive for the blacklist file. File extension: .pem.
Update download address (URL): The PEM file can be regularly updated by entering the download address.
Import CRL file: As long as the above data have been entered correctly, the blacklist file can be imported.
List of imported certificate revocation lists: This displays a list of the certificates already imported. More certificate files can be collected by using Import CRL file. For more information on Name, Subject, Issuer, valid from/to and Download, please see section Personal Certificates.
Update URL: Displays the update address for the blacklist file.
Last updated: Di
the industrial router in this drop-down field. The available signal levels are 1 and 0. There are three possible actions: EMail, SMS and System Reboot.
Text: Enter the text to be sent to the specified email address in this input field. The following special characters are permitted in the text: Ä, Ü, Ö, &, < and >.
EMail / Mobile Phone: Enter the email address or phone number to which the industrial router should send the text when the input is activated and the relevant signal level has resulted in the action being initiated.
You can read off the current state at the inputs via the LED icons at the bottom of the screen. Gray indicates state 0, green indicates state 1.

20.2.1 Multiplex inputs

Brief description: There are four digital inputs on the mbNET. An action assignment number can be communicated serially via three of these inputs (2 to 4), i.e. one input is STROBE, one is IMPULS_x1 and one is IMPULS_1x. The pulses at IMPULS_x1 (ones digit) and IMPULS_1x (tens digit) are counted with a rising edge at STROBE. The action is executed, in accordance with the entered action, with a falling edge at STROBE.

(Graph: Input 2 = STROBE, Input 3 = IMPULS_x1, Input 4 = IMPULS_1x; timing t1 > 50 ms, t2 > 100 ms.) The action 52 is initiated in the sample graph.

Action table
this box if you want to establish your connection with the Internet via an HTTP proxy server. This corresponds to the "verb 3" setting of OpenVPN. The default is off.
HTTP proxy name: Enter the IP address or DNS name of the proxy server.
HTTP proxy port: Enter the port via which your proxy server accepts requests here, e.g. 8080 or 3128.
HTTP proxy username / password: If your proxy server requests authentication, enter a valid username and the associated password.

19 I/O Manager

The I/O Manager integrated in the router performs the following functions:
• Displays PLC variables
• Reads variables from the PLC and saves them to the USB stick at a set interval (logging)
• Places the logged archives (GZIP) on an external FTP server at a fixed interval

Variables of the types flags, timers, counters, inputs, outputs, data blocks and peripherals can currently be read from an S7 controller via RFC1006. The PLC can communicate directly with the router via its Ethernet interface or via the MPI/PROFIBUS interface of the router.

Limits:
• Max. 4 connections to the controllers
• Max. 256 tags (variables) per connection
• The maximum size of a tag is one DWORD (32 bits)

19.1 Configuring the connection

If using the MPI/PROFIBUS interface of the router, the RFC1006 protocol must first be activated for this interface.
tings.
Encryption: We recommend selecting MPPE V2 encryption. Note that if you select "none", your data will NOT be sent securely.
User name / Password: Enter the user name and password of a user who has been added to the PPTP server as a system user, e.g. ADMIN without password.
Start connection on: Select "Keep connection". A connection will be established on restart or boot-up. It is also possible to start the connection only for specified events.
Remote IP: Enter the address of the remote station or the address for a whole network. We recommend entering a network address. In the example 192.168.0.0/24.

10 Creating certificates and revocation lists using XCA

10.1 Certificates overview

(Figure 98: overview diagram. The CA issues a server certificate and a client certificate, both signed by the CA. The CA certificate is imported to the server and the client; the server certificate is imported to the server.)

Any subscriber communicating over a VPN connection needs 2 certificates. One certificate must be signed by a CA (Certificate Authority). Each subscriber must have the CA certificate plus a server or client certificate. In our case the server may be the mbNET or a separate server. The client is either a computer or another mbNET. The certificates are required to set up a secure VPN tunnel and are used to authenticate the VPN subscriber. If the subscribe
tings for "Authentication via CHAP" and "Authentication via PAP" must be the same as those on the router, otherwise no connection can be established.

(Figure 49: Windows "Connect" dialog with user name, password and the option "Save this user name and password for the following users".)

Click Connect. You have established a connection to the router.

9.2.4 Displaying and verifying connection status

On a computer connected to the router's LAN interface, clicking on Status > Modem shows whether a user has dialed in to the router and, where there is an established connection, who has dialed in. (Figure 50: Status > Modem screen with Modem Connection, Active and User.)

9.3 Configuring the industrial router for connection via the Internet

The following diagram shows how to connect the industrial router to a client computer via the Internet. The client is a computer with a modem connection.

(Figure 51: mbNET industrial router with IP address 77.180.121.116 connected through its Internet Service Provider (ISP) to the Internet; client PC with modem and IP address 123.456.789.21 connected through its own ISP.)

Configuring for connection over the Internet (continued)

9.3.1 Connecting and c
tting up a VPN connection between client PC and router

9.6.3.1 Router Internet dial-in

Depending on the connection mode, the router must be configured for Internet access, connected to the Internet and accessible via the IP address.

9.6.3.2 Setting up a VPN connection from client to router

Double-click on the VPN connection icon and, in the next screen, enter the user name and password to which you assigned VPN dial-up rights in the router's user management settings. (Figure 90: "Connect Testserver" dialog with User name, Password and "Save this user name and password for the following users".)

9.6.3.3 Additional settings

Double-click on the VPN connection icon and then click Properties. In the Networking menu tab you can set the VPN type to L2TP or PPTP. Select PPTP VPN.

(Figure 91: "Testserver Properties", Networking tab. Type of VPN: PPTP VPN (choices: Automatic, PPTP VPN, L2TP IPSec VPN). This connection uses the following items: Internet Protocol (TCP/IP), QoS Packet Scheduler, File and Printer Sharing for Microsoft Networks, Client for Microsoft Networks. Description: Transmission Control Protocol/Internet Protocol. The default wide area network protocol that provides communication across diverse interconnected networks.)

Setting up the router for a VPN connection (continued)

The cli
twork. Multiple peers with different network addresses can establish a VPN connection. With certificate-based authentication and this operating mode, multiple clients can dial into the server simultaneously and are automatically assigned an IP address from the Client IP address pool. The local network (top) and the peer network must be specified. Each client is assigned a network in the list below these. Depending on the authentication setting (with certificate name or username), the CN (common name) in the certificate or the username will be used as the Peer Name. OpenVPN creates an appropriate routing entry for the client currently dialing in. No network setting is needed on the client because it is sent to the client by the server.

18.2.2.3 Client authentication: No or static key

(Figure 185: Network Settings tab (next to Connection Settings, Authentication and Protocol options): Local IP address 10.1.0.2, Peer IP address 10.1.0.1, Local network 192.168.0.0/24, Peer network 192.168.99.0/24, "Do NAT for all outgoing traffic".)

Local IP address: Enter the IP address of the local VPN tunnel end point here, e.g. 10.1.0.2.
Peer IP address: Enter the IP address of the peer VPN tunnel end point here, e.g. 10.1.0.1.
Local network: Enter your network address in CIDR notation here, e.g. 192.168.0.0/24.
Peer network: Enter the network address of your peer in CIDR notation here, e.g. 192.168.99.0/24.
Peer IP
twork Utilities: Ping, TraceRoute, NS Lookup, TCPDUMP (Figure 211: Status > Diagnostics screen with these utilities and an Options field for TCPDUMP).

Ping: After an Internet address or IP address is entered, the ping command can determine whether the address in question can be reached. This is, for example, an easy way of determining whether there is an active Internet connection.
TraceRoute: This command provides more information about the network connection between the router and a remote or other computer. It traces and displays the route.
NS Lookup: This function can be used to check whether name resolution (e.g. http://www.mbconnectline.de to 88.12.12.34) takes place. If this function ends in an error message, check whether there is a DNS server address under Network > DNS in your mbNET, or whether your network's DNS server is available.

21.14 Status > USB

(Figure 212: Status > USB screen with the sections "USB Devices: All connected devices (excluding system hubs)" with the columns Vendor, Model, Type, Version, and "Mounted USB SCSI devices".)

USB Devices: Shows all connected devices (excluding system hubs). The manufacturer, model, type and version are displayed for connected USB storage media.
Mounted USB SCSI devices: Shows how the USB storage medium is integrated in the router's file system and the file system created on the U
umber below.
Phone number: Enter the telephone number of your remote station, i.e. the number that accesses the industrial router.

(Figure 47: New Connection Wizard, "Phone Number to Dial" page. The wizard notes that you might need to include a 1 or the area code, or both, and suggests dialing the number on your telephone if you are not sure.)

(Figure 48: New Connection Wizard, "Completing the New Connection Wizard": "You have successfully completed the steps needed to create the following connection: Dial-up connection, Share with all users of this computer. The connection will be saved in the Network Connections folder. Add a shortcut to this connection to my desktop. To create the connection and close this wizard, click Finish.")

Click Finish.

Configuring the router-client connection over the telephone network (continued)

9.2.3 Establishing a connection between the client PC and the industrial router

Double-click on the connection that you created using the instructions in the previous section.
In this window (Figure: "Connect Testserver" dialog with User name, Password, Connect, Cancel and Properties), enter the user name and password that you created previously when configuring the modem. If you selected the option "every user with dial-in rights", you can enter the user name and password of any user who has dial-in rights.
The default set
us conversion / PPP asynchronous single link
ATB4: HDLC transparent
ATB5: Byte transparent (B channel data)
ATB10: X.75 transparent
ATB13: V.120
ATB20: X.31 B channel (X.25 B channel)
ATB21: X.31 D channel

Defines the transmission rate in V.110 mode:
ATN0: Automatic connection speed
ATN1: Connection speed 1,200 bps
ATN2: Connection speed 2,400 bps
ATN3: Connection speed 4,800 bps
ATN4: Connection speed 9,600 bps
ATN5: Connection speed 19,200 bps

Defines the MSN (multiple subscriber number). All calls are accepted if the number is set to asterisk (default setting). An MSN generally has to be entered, as this is required by most PBX systems. The MSN must also be enabled for the data service.
AT Z n: Sets MSN to n.

25 Appendix

25.1 Country codes for analog devices

(Table with the columns No., Country, Code and Modem operation setting. Only parts of the table survived extraction; recoverable entries include Angola AO, Antarctica AQ, Antigua and Barbuda AG, Brunei BN, Bhutan BT, Bolivia BO, Christmas Island CX, Cocos (Keeling) Islands CC, El Salvador SV, Finland FI, French Guiana GF and Guatemala GT. The modem operation settings are not recoverable.)
user to have. Choose whether the user
• can make settings in the configuration interface (Administration),
• can connect to the industrial router's modem (Modem dial-in),
• can connect to the industrial router via VPN (VPN dial-in).

(Figure 127: check boxes Administration, Modem Dialin, VPN Dialin.)

Click the applicable option box to place a check in it (Figure 128).
Temporary save (Figure 129). To apply the changes to the router, click Apply Changes.

12.2.4 Deleting Users

To delete a user, proceed as follows:
In the navigation bar on the left select System, and then Users.
Select the row that contains the user name, password and so on, and click the Delete icon (Figure 130). To apply the settings to the router permanently, click Apply Changes (Figure 131).
You will now no longer be able to log in or authenticate this user via the web interface, modem or VPN.

12.3 System > Certificates

A key component of VPN connections with IPSec or OpenVPN is the trust relationship between two or more communication peers. Authentication settings are made during configuration, as explained in the section Authentication. For secure communication, authenticity needs to be verified. Certificates also help to ensure that the right peers are communicating with each other. A certificate is proof of the holder's ident
ut the CA: additional guidelines, root certificates or online verification services (e.g. OCSP). Primarily where certificate-using applications like secure mail (S/MIME) do not return the entire certification path, using this extension in the end certificate is helpful for showing the verifying application where to retrieve the next higher-level CA certificate.

10.2.1.4 Root certificate key usage

In the Key usage tab you will find the key usage and extended key usage options. Neither of them should be critical, i.e. you should leave the boxes marked "Critical" unchecked. To create a root certificate, please select the following values in the left-hand column:
• Certificate Sign
• CRL Sign

Selecting these options means that your root certificate can sign the client certificates and revocation lists.

(Figure: XCA "X Certificate and Key management", "Create x509 Certificate" dialog, Key usage tab. Left column (key usage) begins with Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement. Right column (extended key usage): TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection, Time Stamping, Microsoft Individual Code Signing, Microsoft Commercial Code Signing, Microsoft Trust List Signing, Microsoft Server Gated Crypto, Microsoft Encrypted File System, Netscape Server Gated Crypto, Microsoft EFS File Recovery, IPSec End System, IPSec Tunnel, IPSec User, IP security end entity, Microsoft Smartcardlogin, OCSP Signing, EAP over PPP, EA
ute for any Industrial Ethernet module (PROFINET IO Controller, ISO/TCP/IP, S7 connections). The finished station must now be saved; it then appears in NetPro. The MPI/DP address must match the settings entered in "own station address" on the mbNET.

14.2.5 Add PC/PG station

(Figure: NetPro window for the project RFC1006 (C:\Programme\Step7\s7proj\Rfc1006). The network object catalogue lists PROFIBUS DP, PROFIBUS PA, PROFINET IO, Stations (Other Station, PG/PC, SIMATIC 300, SIMATIC 400, SIMATIC PC Station, SIMATIC S5, SIMATIC S7-400H), Subnets (Ethernet(1) Industrial Ethernet, PROFIBUS(1)); the station's Industrial Ethernet interface is a Broadcom NetXtreme 57x adapter.)

Now you need to add a PC/PG station.

(Figure: the same NetPro window with the PROFIBUS(1) subnet and the stations listed above.)

Double-clicking on PG/PC Station opens
utput number you can also switch your router's outputs on or off, e.g. OUT ON 1 switches on output 1 and OUT OFF 1 switches off output 1.
IN STATUS: The IN STATUS command returns the input status.
GSM CMD: Using the GSM CMD command you can send any AT command to the modem. The modem response will be returned to the sender's number by SMS, e.g. GSM CMD AT+COPS returns network and provider details. Please note that only the first 160 characters of the modem response will be transmitted.

13.4 Network > Internet

Router Internet dial-in is dependent on the connection type and on the appropriate configuration of specific settings.

13.4.1 Network > Internet > Internet Connections

(Figure 148: Network > Internet screen, Internet Settings: Failover, Connection "Internet via WAN (external router, fixed line)", Connection monitoring, Save Changes.)

Failover enable: The failover function makes it possible to switch between different Internet connections. When this is enabled you can set up a priority order for the Internet interfaces, depending on the device model.
Internet connection: The following options are available from the drop-down field:
• Internet via WAN (external router, fixed line)
w to set computer address (IP address and subnet mask) 20
Icons 23
Initial configuration 21
Initializing the modem 222
Interfaces 15
L
LAN > WAN 152
N
NAT 155
Network DHCP 125
Network DNS server 126
Network DynDNS 128
Network Hosts 127
Network Internet 119
Network LAN 108
Network Modem 110
Network WAN 109
P
Password 221
Pin assignment 15
S
Safety instructions 9
Save Settings 28
Security settings 150, 151, 155
Security Settings 27
Serial interfaces 131
Status Alarmmanagement 218
Status DHCP 209
Status Diagnostics 215, 216
Status DNS Server 210
Status DynDNS 211
Status Interfaces 202
Status Internet 207
Status Modem 205
Status Network 204
Status NTP 212
Status System 219
Status USB 217
Status VPN IPSEC 213
Status VPN PPTP 214
Status messages (extract) 202
System Certificates 98, 99, 100, 101, 102
System Configuration 105
System Firmware 106
System Logging 104
System USB 103
System WEB 93
System settings 25
T
Technical data 10
U
Username and password 221
Username 221
V
VPN connection 58
W
WAN > LAN 151
Web interface 22
What is included in the package 11
will only be available if you selected "only following user".
Authentication via PAP / CHAP
Close connection after ... s inactivity: Here you need to enter the length of time before the existing connection is to be dropped if no data has been transferred in the interim. If you leave this blank or enter 0, the connection will not be dropped.

13.3.2 Network > Modem > Outgoing

(Figure 145: Network > Modem screen, Modem Configuration with the tabs Settings, Modem Init, Outgoing (SIM1 / SIM2 on GSM models) and SMS. Outgoing fields: Input select, Phone Number, User, Password, Authentication via PAP, Authentication via CHAP, Timeout Dialout, Save Changes.)

The following settings apply to outgoing modem connections.

Input select: If you would like to call multiple terminals, set this option to yes. You will then see three more fields where you can enter numbers that will be dialed on receipt of a signal at digital inputs 2 to 4. Enter the numbers and user credentials for PPP dial-in in these additional fields. Switch on the first and one or two of the other three inputs to start dialing. Note that you need to switch on the one or two other inputs before switching on the first. Also note that the industrial router is acting only
xt time the industrial router dials into the Internet and receives a current IP address from the ISP, it will announce this address to the DynDNS service.
Provider: Using the drop-down field, select the name of the provider with whom you are registered, e.g. DynDNS.
User: Enter the user name that you used to register for the DynDNS service.
Password: Enter the password that you used to register for the DynDNS service.
Host Name: Enter the name that you assigned to the industrial router for the DynDNS service.
Interval (s): This field is for whenever the industrial router's address changes, e.g. after a new Internet dial-in. Enter the time interval after which the industrial router will inform the DynDNS provider of the new IP address.

14 Serial interfaces

14.1 General

Both serial interfaces can be accessed via a dial-up or Internet connection using a known IP address. Serial interface COM1 can be directly configured to RS232, RS485 and RS422 using the web interface, and any associated control commands can be forwarded to the connected controller or device. Depending on the device model, COM2 is an MPI/PROFIBUS interface on one model and on other models it is the same as COM1. The MPI/PROFIBUS interface allows remote access to control systems, e.g. S7-300/400, and supports baud rates of up to 12 Mbit/s.

Clicking on the Serial button will display the following screen.

14.1.1 RS232 48
y. Read through the information and, after clicking Next, you can complete the wizard by clicking Finish. A restart is required to complete the process.
From the home page of the configuration interface, click Network > WAN. This will display the screen shown below (Figure 77: Network > WAN > WAN Configuration with the tabs Interface and ROUTES).

Configuring the router for connection to the Internet via an existing router

(Figure 78: Network > WAN > WAN Settings, Interface tab: Interface Status, Type "Static IP", WAN IP Address 192.168.1.100, Netmask 255.255.255.0, Default Gateway 192.168.1.1, Save Changes.)

For a detailed description of the WAN settings please see section Network > WAN.

Interface type: As in the example shown, select Static IP. This setting also requires a DNS server (see Network > DNS server).
WAN IP Address: Here enter the IP address of the mbNET connected to the WAN port. In the example 192.168.1.100.
Default Gateway: Enter details of the gateway that connects you to the Internet, i.e. the IP address of the exi
y LED: connection inactive (cable or USB device disconnected). Green LED: connection active (cable or USB device connected).

This button appears wherever there are settings that can be changed. It saves the current configuration temporarily, i.e. if the router is restarted, any changes to settings will be lost. To save settings permanently, click button no. 5.

If you saved your settings temporarily (see no. 2), you can undo the changes by clicking on this button.

Button no. 5: This permanently stores and applies all saved changes.

This is a check box. Clicking on a box enables or disables the option associated with it.

If input is required in a field that looks like this, it must be entered manually.

Clicking on a checked box will present the available options as a drop-down field.

Clicking on this field allows you to change or edit settings in the associated row.

To reverse changes made to the associated row, click on this button.

Use this to do a temporary save of the settings that you are currently working on. To save changes to the router permanently, click button no. 5.

This inserts additional input rows. The currently displayed row must contain values or data before you click on this button. If not, an error message will appear at the top of the open configuration page.

This deletes the input of the row that you are currently working on.

This enables you to
you to access the router via the IP address. As the router's IP address changes each time it dials in to the Internet, there is an alternative, which is to use our DynDNS service. For information on setting up and using the MB Connect Line DynDNS service, please see section Network > DynDNS.

9.3.3 Displaying the Internet connection

Provided that you can access the router, you can see information on the status of the Internet connection by clicking Status > Internet. For information on status messages, please see section Status Messages.

(Figure 62: Status screen showing the IP address 77.180.121.116.)
(Figure 63: Status > Internet screen with "Manual Control of the Internet" connection.)

9.4 Configuring the industrial router for connection to the Internet using a DSL modem

The diagram below shows how to connect the mbNET industrial router to a client PC over the Internet using a DSL modem. The client needs to use an existing Internet connection or to set one up.

(Figure 64: mbNET industrial router with IP address 77.180.121.116 connected via a DSL modem and its Internet Service Provider (ISP) to the Internet; client PC connected via its own ISP.)

Configuring for connection over the Internet (continued)

9.4.1 Connecting and configuring the router

Before you begin: The router must