Moxa EDR-810
Contents
1. Ethernet Protocol | Port Number
   IPSec NAT Traversal | UDP 4500
   IPSec NAT Traversal | TCP 4500
   FTP data | TCP 20
   FTP data | UDP 20
   FTP control | TCP 21
   FTP control | UDP 21
   SSH | TCP 22
   SSH | UDP 22
   HTTP | TCP 80
   HTTP | UDP 80
   L2TP | TCP 1701
   L2TP | UDP 1701
   PPTP | TCP 1723
   PPTP | UDP 1723
   RADIUS authentication | TCP 1812
   RADIUS authentication | UDP 1812
   RADIUS accounting | TCP 1813
   RADIUS accounting | UDP 1813

   Industrial Secure Router User's Manual: Firewall

   Policy Check

   Policy Setup
   [Figure: Policy Setup page]

   The Industrial Secure Router supports a PolicyCheck function for maintaining the firewall policy list. The PolicyCheck function detects firewall policies that may be configured incorrectly. PolicyCheck provides an auto-detection function for detecting common configuration errors in the Firewall policy: Mask, Include, and Cross Conflict. When adding a new firewall policy, the user just needs to click the PolicyCheck button to check each policy; warning messages will be generated that can be used for further analysis. If the user decides to ignore a warning message, the Industrial Secure Router firewall will run the configuration provided by the user.

   The three most common types of configuration errors are related to Mask, Include, and Cross Conflict.

   Mask: Policy X is masked by Policy Y.
2. Interface (Port Forward mode)
   Setting | Description | Factory Default
   WAN1 / WAN2 | Select the Interface for this NAT Policy | WAN1

   Protocol (Port Forward mode)
   Setting | Description | Factory Default
   TCP / UDP | Select the Protocol for this NAT Policy |

   WAN Port (Port Forward mode)
   Setting | Description | Factory Default
   1 to 65535 | Select a specific WAN port number | None

   LAN/DMZ IP (Port Forward mode)
   Setting | Description | Factory Default
   IP Address | The translated IP address in the internal network | None

   LAN/DMZ Port (Port Forward mode)
   Setting | Description | Factory Default
   1 to 65535 | The translated port number in the internal network | None

   Firewall

   The following topics are covered in this chapter:
   Policy Concept
   Policy Overview
   Policy Configuration
     > Layer 2 Policy Setup (Only in Bridge Mode for EDR-G902/G903)
     > Quick Automation Profile
   Policy Check
   Modbus TCP Policy
   Denial of Service (DoS) Defense

   Policy Concept

   A firewall device is commonly used to provide secure traffic control over an Ethernet network, as illustrated in the following figure. Firewall devices are deployed at critical points between an external network (the non-secure part) and an internal network (the secure part).

   [Figure: WAN (External or Unsecure area) / Internal or Secure area]
3. [Figure: Roaming User, Internet, EDR, Network with Fixed IP 100.100.3.0/24, VPN Secure Tunnel]

   VPN Plan

   All communication from the Roaming user (no fixed IP) to the Remote site Network (100.100.3.0/24) needs to pass through the VPN tunnel. Communication goes through the Internet.

   The configuration of the WAN/LAN interface for the Industrial Secure Router is shown in the following table.

   Configuration | Industrial Secure Router 1
   Interface Setting | WAN: 100.100.2.1
                     | LAN: 100.100.3.1

   Based on the requirement and VPN plan, the recommended configuration for L2TP over IPSec is shown in the following table.

   Configuration | Industrial Secure Router 1
   L2TP Server Setting | L2TP Server Mode: WAN1, Enable
                       | Local IP (L2TP Server IP): 100.100.4.1
                       | Offer IP Range: 100.100.4.1 to 100.100.4.100
                       | Login User / Password: User01 / 12345
   Tunnel Setting | Connection Type: Site to Site (Any)
                  | Tunnel: Enable
                  | Local Network: 100.100.3.1/29 (Same as LAN Interface)
                  | Startup mode: Wait for Connection
                  | Key Exchange: Pre-Shared Key 12345
                  | Data Exchange: Encryption Algorithm DES; Hash Algorithm (illegible)

   10. Diagnosis

   The Industrial Secure Router provides Ping tools and LLDP for administrators to diagnose network systems.

   The following topics are covered in this chapter:
   Ping
   LLDP

   Ping

   Use Ping Command to test Network Integrity
4. For example, if the remote user (IP 10.10.10.10) connects to the EtherDevice Router and changes the accessible IP address to 10.10.10.12, or deselects the Enable checkbox accidentally, then after the remote user clicks the Activate button the connection to the EtherDevice Router will be lost, because the IP address is not in the EtherDevice Router's Accessible IP list.

   [Figure: Accessible IP list page: "Enable the accessible IP list (Disable will allow all IPs' connection)"; Index / IP Address / Netmask]

   If the user enables the SettingCheck function with the Accessible IP list and the Confirmer Timer is set to 15 seconds, then when the user clicks the Activate button on the Accessible IP list page, the EtherDevice Router will execute the configuration change and the web browser will try to jump to the SettingCheck Confirmed page automatically. Because the new IP list does not include the remote user's IP address, the remote user cannot connect to the SettingCheck Confirmed page. After 15 seconds, the EtherDevice Router will revert to the original Accessible IP List setting, allowing the remote user to reconnect to the EtherDevice Router and check what is wrong with the previous setting.

   [Figure: browser error page "The page cannot be displayed"]
5. Link Aggregation

   Link aggregation involves grouping links into a link aggregation group. A MAC client can treat link aggregation groups as if they were a single link.

   The Moxa industrial secure router's port trunking feature allows devices to communicate by aggregating up to 4 trunk groups, with a maximum of 8 ports for each group. If one of the 8 ports fails, the other seven ports will automatically provide backup and share the traffic.

   Port trunking can be used to combine up to 8 ports between two Moxa switches or industrial secure routers. If all ports on both switches are configured as 100BaseTX and they are operating in full duplex, the potential bandwidth of the connection will be 1600 Mbps.

   The Port Trunking Concept

   Moxa has developed a port trunking protocol that provides the following benefits:
   Greater flexibility in setting up your network connections, since the bandwidth of a link can be doubled, tripled, or quadrupled.
   Redundancy: if one link is broken, the remaining trunked ports share the traffic within this trunk group.
   Load sharing: MAC client traffic can be distributed across multiple links.

   To avoid broadcast storms or loops in your network while configuring a trunk, first disable or disconnect all ports that you want to add to the trunk or remove from the trunk. After you finish configuring the trunk, enable or re-conne
6. [Figure: browser error page "The page cannot be displayed" (continued)]

   If the new configuration does not block the connection from the remote user to the EtherDevice Router, the user will see the SettingCheck Confirmed page shown in the following figure. Click Confirm to save the configuration updates.

   [Figure: SettingCheck Confirmed page: "Press Confirm button to save the change"]

   System File Update by Remote TFTP

   The EtherDevice Router supports saving your configuration file to a remote TFTP server or local host to allow other EtherDevice Router routers to use the same configuration at a later time, or saving the Log file for future reference. Loading pre-saved firmware or a configuration file from the TFTP server or local host is also supported to make it easier to upgrade or configure the EtherDevice Router.

   [Figure: Upgrade Software or Configuration: TFTP Server IP/Name; Configuration File Path and Name; Firmware File Path and Name; Log File Path and Name]

   TFTP Server
   Setting | Description | Factory Default
   IP Address of TFTP Server | The IP or name of the remote TFTP server. Must be configured before downloading or uploading files | None

   Configuration File Path and Name
7. Certificate Generation

   [Figure: Certificate Request form (Common name ...)]

   The user must fill in the following information to generate the Root certification:
   Country name (2-letter code)
   Certificate Days
   State or Province Name
   Locality Name
   Organization Name
   Organization Unit Name
   Common Name
   Email Address

   After keying in the information, press Activate to generate the Root Certification.

   NOTE: The default setting for Certificate Days is 0, which means that the certification will not be terminated unless modified by the user.

   Certificate Setting

   [Figure: Certificate Setting form]

   After the Root Certification is activated, the user can generate different certifications for different VPN Tunnels. The user needs to fill in the following information and press Add and Activate to add the new certificate to the Certificate List:
   Certificate Days
   Organization Unit Name
   Certificate Name
   Email Address
   Certificate Password

   Certificate List

   [Figure: Certificate List]

   The user can then choose certificates from the list an
8. The Trunking Status table shows the Trunk Group configuration status.

   [Figure: Trunking Status table]

   Port Mirror

   The Port Mirror function can be used to monitor data being transmitted through a specific port. This is done by setting up another port (the mirror port) to receive the same data being transmitted from, or both to and from, the port under observation. Using a mirror port allows the network administrator to sniff the observed port to keep tabs on network activity.

   [Figure: Port Mirroring page]

   Port Mirroring Settings
   Setting | Description
   Monitored Port | Select the number of the ports whose network activity will be monitored. Multiple port selection is acceptable.
   Watch Direction | Select one of the following two watch direction options:
                   | Input data stream: Select this option to monitor only those data packets coming into the Moxa industrial secure router's port.
                   | Output data stream: Select this option to monitor only those data packets being sent out through the Moxa industrial secure router's port.
                   | Bi-directional: Select this option to monitor data packets both coming into and being sent out through the Moxa industrial secure router's port.
   Mirror Port | Select the number of the port that will be used to monitor the activity of the monitored port.

   Using Virt
9. The Ping function uses the ping command to give users a simple but powerful tool for troubleshooting network problems. The function's most unique feature is that even though the ping command is entered from the user's PC keyboard, the actual ping command originates from the Industrial Secure Router itself. In this way, the user essentially controls the Industrial Secure Router and sends ping commands out through its ports.

   There are two basic steps required to set up the Ping command to test network integrity:
   1. Select which interface will be used to send the ping commands. You may choose from WAN and LAN.
   2. Type in the desired IP address and click Ping.

   LLDP

   LLDP Function Overview

   Defined by IEEE 802.1AB, Link Layer Discovery Protocol (LLDP) is an OSI Layer 2 protocol that standardizes the methodology of self-identity advertisement. It allows each networking device, such as a Moxa managed switch or router, to periodically inform its neighbors about itself and its configuration. In this way, all devices will be aware of each other.

   LLDP Settings (General settings, Port Events)

   The router's web interface can be used to enable or disable LLDP and to set the LLDP Message Transmit Interval. Users can view each switch's neighbor list, which is reported by its network neighbors.

   LLDP Setting

   Enable LLDP
   Setting | Description | Factory Default
   Enable or Disable | Enable or
10. Verify Password
    Setting | Description | Factory Default
    Max. 30 characters | The DNS server's password | None

    Domain name
    Setting | Description | Factory Default
    Max. 30 characters | The DNS server's domain name | None

    Security

    User Interface Management

    [Figure: User Interface Management: Enable Telnet (Telnet Port 23); Enable SSH (SSH Port 22); Enable HTTP (HTTP Port 80); Enable HTTPS; Enable MOXA Utility]

    Enable MOXA Utility
    Setting | Description | Factory Default
    Select / Deselect | Select the appropriate checkbox to enable MOXA Utility | Selected

    Enable Telnet
    Setting | Description | Factory Default
    Select / Deselect | Select the appropriate checkbox to enable Telnet | Selected, Port 23

    Enable SSH
    Setting | Description | Factory Default
    Select / Deselect | Select the appropriate checkbox to enable SSH | Selected, Port 22

    Enable HTTP
    Setting | Description | Factory Default
    Select / Deselect | Select the appropriate checkbox to enable HTTP | Port 80

    Enable HTTPS
    Setting | Description | Factory Default
    Select / Deselect | Select the appropriate checkbox to enable HTTPS | Selected, Port 443

    Authentication Certificate

    [Figure: Authentication Certificate: SSL Certificate (created Date, Re-Generate); SSH Key
11. 2 | WAN1 | LAN | | 20.20.20.10 to 20.20.20.30 | 192.168.127.20 | ACCEPT

    Suppose the user next adds a new policy with the following configuration:

    Index | Input | Output | Protocol | Source IP | Destination IP | Target
    3 | WAN1 | LAN | | 20.20.20.20 | 192.168.127.20 | ACCEPT

    After clicking the PolicyCheck button, the Industrial Secure Router will issue a message informing the user that policy 3 is included in policy 2, because the IP range of policy 3 is smaller than the IP range of policy 2 and the Target action is the same.

    Cross Conflict: Policy X cross conflicts with Policy Y.

    Two firewall policy configurations (such as Source IP, Destination IP, Source port, and Destination port) in policy X and policy Y are masked, and the action target (Accept/Drop) is different.

    For example, two firewall policies are shown in the following table:

    Index | Input | Output | Protocol | Source IP | Destination IP | Target
    1 | WAN1 | LAN | | 10.10.10.10 | 192.168.127.10 | ACCEPT
    2 | WAN1 | LAN | | 20.20.20.20 to 20.20.20.30 | 192.168.127.25 | ACCEPT

    Suppose the user next adds a new policy with the following configuration:

    Index | Input | Output | Protocol | Source IP | Destination IP | Target
    3 | WAN1 | LAN | | 20.20.20.25 | 192.168.127.20 to 192.168.127.30 | DROP

    The source IP range in policy 3 is smaller than policy 2, but the destination IP of policy 2 is smaller than policy 3, and the target actions (Accept/
12. Diagnostics: Get Comm Event Counter | 11
    Diagnostics: Get Comm Event Log | 12
    Report Slave ID | 17
    Read Device Identification |

    Denial of Service (DoS) Defense

    The Industrial Secure Router provides 9 different DoS functions for detecting or defining abnormal packet format traffic. The Industrial Secure Router will drop the packets when it detects an abnormal packet format. The Industrial Secure Router will also monitor some traffic parameters and activate the defense process when abnormal traffic conditions are detected.

    [Figure: DoS Defense settings page (SYN Flood, Limit, ...)]

    Null Scan
    Setting | Description | Factory Default
    Enable or Disable | Enable or disable the Null Scan | None

    Xmas Scan
    Setting | Description | Factory Default
    Enable or Disable | Enable or disable the Xmas Scan | None

    NMAP-Xmas Scan
    Setting | Description | Factory Default
    Enable or Disable | Enable or disable the NMAP-Xmas Scan | None

    SYN/FIN Scan
    Setting | Description | Factory Default
    Enable or Disable | Enable or disable the SYN/FIN Scan | None

    FIN Scan
    Setting | Description | Factory Default
    Enable or Disable | Enable or disable the FIN Scan | None

    NMAP-ID Scan
    Setting | Description | Factory Default
    Enable or Disable | Enable or disable the Sc
13. [Figure: SSL Certificate (created Date, Re-Generate); SSH Key (created Date, Re-Generate)]

    SSL Certificate Re-generate
    Setting | Description | Factory Default
    Enable | Enable the SSL Certificate Re-generate | Deselect

    SSH Key Re-generate
    Setting | Description | Factory Default
    Enable | Enable the SSH Key Re-generate | Deselect

    Trusted Access

    The Moxa industrial secure router uses an IP address-based filtering method to control access.

    [Figure: Trusted Access: "Enable the accessible IP list (Disable will allow all IPs' connection)"; "Accept all connection from LAN Port"; Index (1 to 10) / IP Address / Netmask]

    You may add or remove IP addresses to limit access to the Moxa industrial secure router. When the accessible IP list is enabled, only addresses on the list will be allowed access to the Moxa industrial secure router. Each IP address and netmask entry can be tailored for different situations:

    Grant access to one host with a specific IP address: For example, enter IP address 192.168.1.1 with netmask 255.255.255.255 to allow access to 192.168.1.1.

    Grant access to any host on a specific subnetwork: For example, enter IP address 192.168.1.0 with netmask 255.255.255.0 to allow access to all IPs on the subnet defined by this IP address/subnet mask combination.

    Grant access to all hosts: Make sure the accessible IP list is not enabled. Remove the c
14. Networks that support IP multicast send only one copy of the desired information across the network until the delivery path that reaches group members diverges. To make more efficient use of network bandwidth, it is only at these points that multicast packets are duplicated and forwarded. A multicast packet has a multicast group address in the destination address field of the packet's IP header.

    Benefits of Multicast

    The benefits of using IP multicast are:
    It uses the most efficient, sensible method to deliver the same information to many receivers with only one transmission.
    It reduces the load on the source (for example, a server), since it will not need to produce several copies of the same data.
    It makes efficient use of network bandwidth and scales well as the number of multicast group members increases.
    It works with other IP protocols and services, such as Quality of Service (QoS).

    Multicast transmission makes more sense and is more efficient than unicast transmission for some applications. For example, multicasts are often used for video conferencing, since high volumes of traffic must be sent to several end stations at the same time, but where broadcasting the traffic to all end stations would cause a substantial reduction in network performance. Furthermore, several industrial automation protocols, such as Allen-Bradley EtherNet/IP, Siemens Profibus, and Foundation F
15. the packet.
    Range Address | This Firewall Policy will check multiple Destination IP addresses in the packet.

    Destination Port
    Setting | Description | Factory Default
    Port number | This Firewall Policy will check Destination port numbers in the packet | All
    Single Port number | This Firewall Policy will check single Destination Port numbers in the packet |
    Range Port number | This Firewall Policy will check multiple Destination port numbers in the packet |

    NOTE: The Industrial Secure Router's firewall function checks whether incoming or outgoing packets match the firewall policy. It starts by checking the packet against the first policy (Index 1); if the packet matches this policy, it will accept or drop the packet immediately and then check the next packet. If the packet does not match this policy, it will check against the next policy.

    NOTE: The maximum number of Firewall policies for the Industrial Secure Router is 256.

    Layer 2 Policy Setup (Only in Bridge Mode for EDR-G902/G903)

    When the Industrial Secure Router is in Bridge Mode (refer to the section on Mode Configuration in Network Settings), it provides an advanced Layer 2 firewall policy for secure traffic control, which depends on the following parameters.

    [Figure: Layer 2 Policy page: Enable, Target ACCEPT, Interface From/To, Source MAC, Destination MAC, ...]

    Interface From/To
    Setting | Description | Fac
16. Power On | Moxa industrial secure router is powered up.
    DI OFF | Digital input state is 0.
    DI ON | Digital input state is 1.
    Configuration Change | Any configuration item has been changed.
    Authentication | An incorrect password was entered.

    There are four response actions available on the EDS-E series when events are triggered:

    Action | Description
    Trap | The industrial secure router will send a notification to the trap server when the event is triggered.
    Email | The industrial secure router will send a notification to the email server defined in the Email Setting.
    Syslog | The industrial secure router will record to the syslog server defined in the Syslog Server Setting.
    Relay | The industrial secure router supports digital inputs to integrate sensors. When an event is triggered, the device will automate alarms by relay output.

    Severity

    Severity | Description
    Emergency | System is unusable. Action must be taken immediately.
    Critical | Critical conditions.
    Error | Error conditions.
    Warning | Warning conditions.
    Notice | Normal but significant condition.
    Information | Informational messages.
    Debug | Debug-level messages.

    Port Event Settings

    Port Events are related to the activity of a specific port.

    [Figure: Port Event Settings page (EMERG ...)]

    Port Events: Warn
17. Denial of Service (DoS) Defense
    9. Virtual Private Network (VPN)
       Overview
       IPSec Configuration
         Global Settings
         Settings
         Status
       X.509 Certificate
       L2TP Server (Layer 2 Tunnel Protocol)
         L2TP Configuration
       Examples for Typical VPN Applications
    10. Diagnosis
       Ping
       LLDP
    A. MIB Groups

    1. Introduction

    Welcome to the Moxa Industrial Secure Router series, the EDR-G902, EDR-G903, and EDR-810. The all-in-one Firewall/NAT/VPN secure routers are designed for connecting Ethernet-enabled devices with network IP security.

    The following topics are covered in this chapter:
    Overview
    Package Checklist
    Features
      > Industrial Networking Capability
      > Designed for Industrial Applications
      > Useful Utility and Remote Configuration

    Overview

    As the world's network and information technology becomes more mature, the trend is to use Ethernet as the major communications interface in many industrial communications and automation applications. In fact, an entirely new industry has sprung up to provide Ethernet products that comply with the requirements of demanding industrial applications.

    Moxa's Industrial Secure Router series is a Gigabit-speed, all-in-one Firewall/VPN Router for Ethernet security applications in sensitive remote control and monitoring networks. The Industrial Secure Router supports one WAN, one LAN, and a user
18. Drop) of these two policies are different. If the user clicks the PolicyCheck button, the Industrial Secure Router will issue a message informing the user that policy 3 is in Cross Conflict with policy 2.

    [Figure: PolicyCheck message "... is cross conflict with rule ..."]

    Modbus TCP Policy

    Modbus TCP is a Modbus protocol used for communications over TCP/IP networks, connecting over port 502 by default. Some have experimented with using Modbus over UDP on IP networks, which removes the overheads required for TCP. The following table shows the Modbus TCP frame format.

    Modbus TCP Frame Format
    Name | Length | Function
    Transaction Identifier | 2 bytes | Synchronization between messages of server and client
    Protocol Identifier | 2 bytes | The value is 0 for Modbus TCP protocol
    Length Field | 2 bytes | Number of remaining (following) bytes in this frame
    Unit Identifier | 1 byte | Slave Address; 255 is used for device broadcast information
    Function code | 1 byte | Defines message type
    Data bytes | n bytes | Data block with additional information

    Modbus Policy Setup

    The Industrial Secure Router provides Modbus policy inspection of Modbus TCP packets, which allows users to control Modbus TCP traffic based on the following parameters.

    [Figure: Modbus Policy page]

    Add a Modbus TCP Filtering Rule: Check the checkbox and input the corresponding Modbus TCP paramete
19. SettingCheck

    [Figure: SettingCheck Configuration page]

    SettingCheck is a safety function for industrial users using a secure router. It provides a double confirmation mechanism for when a remote user changes the security policies, such as the Firewall filter, NAT, and Accessible IP list. When a remote user changes these security policies, the change can block the connection from the remote user to the Firewall/VPN device. The only way to correct a wrong setting is then to get help from the local operator or go to the local site and connect to the device through the console port, which could take quite a bit of time and money. Enabling the SettingCheck function will execute these new policy changes temporarily until doubly confirmed by the user. If the user does not click the Confirm button, the EtherDevice Router will revert to the previous setting.

    Firewall Policy | Enables or disables the SettingCheck function when the Firewall policies change.
    NAT Policy | Enables or disables the SettingCheck function when the NAT policies change.
    Accessible IP List | Enables or disables the SettingCheck function when the Accessible IP List changes.
    Layer 2 Filter | Enables or disables the SettingCheck function when the Layer 2 filter changes.

    Timer
    Setting | Description | Factory Default
    10 to 3600 sec | The timer waits this amount of time for a double confirmation when the user changes the policies |
20. Example

    Suppose a remote user (IP 10.10.10.10) wants to connect to the internal server (private IP 30.30.30.10) via the PPTP protocol. The IP address for the PPTP server is 20.20.20.1. The necessary configuration settings are shown in the following figure.

    [Figure: NAT Port Forward configuration for the PPTP example]

    Optional setting for Dynamic IP and PPPoE types

    DNS Server 1/2/3
    Setting | Description | Factory Default
    IP Address | The DNS IP address | None

    NOTE: The priority of a manually configured DNS will be higher than the DNS from the PPPoE or DHCP server.

    Detailed Explanation of Static IP Type

    [Figure: WAN1 Configuration: Connection; Address Information; PPTP Dialup; DNS (Optional for dynamic or PPPoE Type)]

    Address Information

    IP Address
    Setting | Description | Factory Default
    IP Address | The interface IP address | None

    Subnet Mask
    Setting | Description | Factory Default
    IP Address | The subnet mask | None

    Gateway
    Setting | Description | Factory Default
    IP Address | The Gateway IP address | None

    Detailed Explanation of PPPoE Type

    [Figure: WAN1 Configuration: Connection (Enable PPPoE); PPPoE Dialup; DNS (Optional for dynamic IP or PPPoE Type)]

    PPPoE Dialup

    User Name
    Setting | Descript
21. and RX Packets activity. The graph displays data transmission activity by showing Packets/s (packets per second, or pps) versus sec (seconds). The graph is updated every few seconds, allowing the user to analyze data transmission activity in real time.

    Monitor by System

    [Figure: Monitor: System: Total Packets (packets in previous 5 sec, ...)]

    Access the Monitor by selecting Monitor from the left selection bar. Monitor by System allows the user to view a graph that shows the combined data transmission activity of all of the Moxa industrial secure router's ports. Click one of the four options (Total Packets, TX Packets, RX Packets, or Error Packets) to view the transmission activity of specific types of packets. Recall that TX Packets are packets sent out from the Moxa industrial secure router, RX Packets are packets received from connected devices, and Error Packets are packets that did not pass TCP/IP's error checking algorithm. The Total Packets option displays a graph that combines TX, RX, and TX Error/RX Error Packets activity. The graph displays data transmission activity by showing Packets/s (i.e., packets per second, or pps) versus sec (seconds). In fact, three curves are displayed on the same graph: Unicast packets (in blue), Multicast packets (in red), and Broadcast packets (in amber). The g
22. [Figure: Firewall Policy: Incoming/Outgoing; Protocol TCP/UDP; Source IP/Port; Destination IP/Port; Accept]

    Policy Overview

    The Industrial Secure Router provides a Firewall Policy Overview that lists Firewall policies by interface direction.

    [Figure: Policy Overview: From LAN Filter List]

    Select the From interface and To interface, and then click the Show button. The Policy list table will show the policies that match the From/To interface.

    Interface From/To
    Setting | Description | Factory Default
    WAN1 / WAN2 / LAN | Select the From Interface and To Interface | From All to All

    Policy Configuration

    The Industrial Secure Router's Firewall policy provides secure traffic control, allowing users to control network traffic based on the following parameters.

    [Figure: Policy Configuration page: Enable; Target ACCEPT; ...]

    Enable
    Setting | Description | Factory Default
    Enable or Disable | Enable or disable the selected Firewall policy | Enabled

    Interface From/To
    Setting | Description | Factory Default
    WAN1 / WAN2 / LAN | Select the From Interface and To Interface | From All to All

    Quick Automation Profile
    Setting | Description | Factory Default
    Refer to the Quick Automation Profile | Select the Protocol parameters in this Firewall Po
23. different VIDs | None

    Quick Setting Panel

    Click the triangle to open the Quick Setting Panel. Use this panel for quick and easy configuration of VLAN settings.

    [Figure: Quick Setting Panel]

    Input multiple port numbers in the Port column and the Port Type, Tagged VLAN ID, and Untagged VLAN ID, and then click the Set to Table button to create the VLAN ID configuration table.

    VLAN Table

    Use the 802.1Q VLAN Table to review the VLAN groups that were created, Joined Access Ports, Trunk Ports, and Hybrid Ports, and also the Action for deleting VLANs which have no member ports in the list.

    Multicast

    Multicast filtering improves the performance of networks that carry multicast traffic. This section explains multicasts, multicast filtering, and how multicast filtering can be implemented on your Moxa industrial secure router.

    The Concept of Multicast Filtering

    What is an IP Multicast?

    A multicast is a packet sent by one host to multiple hosts. Only those hosts that belong to a specific multicast group will receive the multicast. If the network is set up correctly, a multicast can only be sent to an end-station or a subset of end-stations on a LAN or VLAN that belong to the multicast group.

    Multicast group members can be distributed across multiple subnets, so that multicast transmissions can occur within a campus LAN or over a WAN. In addition,
24. page.
    System Start Time | The system startup time related to this event.
    Event | Events that have occurred.

    The following events will be recorded in the EtherDevice Router Event Log Table:

    Event | Status
    System Configuration | Configuration change activated
    Filter Configuration | Configuration change activated
    QoS Downstream Configuration | Configuration change activated
    QoS Upstream Configuration | Configuration change activated
    DDNS Configuration | Configuration change activated; Enable; Disable
    WAN Basic Configuration | Configuration change activated
    WAN Link | Link on; Link off
    Login | Authentication Fail; Authentication Pass
    Power transition | On -> Off
    Power transition | Off -> On
    DI transition | Off -> On
    DI transition | On -> Off
    Cold start | Factory default
    Warm start | System restart
    Warm start | Firmware Upgrade
    Warm start | Configuration Upgrade

    NOTE: The maximum number of event entries is 1000.

    Syslog

    This function provides the event logs for the syslog server. The function supports 3 configu
25. parameters, and user privilege provides read access only. You will be able to view the configuration but will not be able to make modifications.

    Password

    [Figure: Password Change page]

    Account
    Setting | Description | Factory Default
    admin | admin privilege allows the user to modify all configurations | admin
    user | user privilege only allows viewing device configurations |

    Password
    Setting | Description | Factory Default
    Old password (max. 16 characters) | Type the current password when changing the password | None
    New password (max. 16 characters) | Type the new password when changing the password | None
    Retype password (max. 16 characters) | If you type a new password in the Password field, you will be required to retype the password in the Retype new password field before updating the new password | None

    Time

    The Time configuration page lets users set the time, date, and other settings. An explanation of each setting is given below.

    [Figure: System Time page: Current Time; Current Date; Daylight Saving Time; System Up Time; Timezone (GMT) Greenwich Mean Time: Dublin, Edinburgh, Lisbon, London; Enable NTP/SNTP Server]

    The EtherDevice Router has a time calibrati
26. remote VPN gateway to initiate the
NOTE: The maximum number of Start in Initial VPN tunnels is 100.
Local Network / Netmask / ID: Setting | Description | Factory Default
IP Address | IP address of the local VPN network. | IP address of the LAN interface
Subnet Mask | Subnet mask of the local VPN network. | Netmask of the LAN interface
ID | ID for identifying the VPN tunnel connection. The Local ID must be equal to the Remote ID of the VPN gateway; otherwise the VPN tunnel cannot be established successfully. | None
Remote Network / Netmask / ID: Setting | Description | Factory Default
IP Address | IP address of the remote VPN network. | 0.0.0.0
Subnet Mask | Subnet mask of the local VPN network. | 0.0.0.0
ID | ID for identifying the VPN tunnel connection. The Local ID must be equal to the Remote ID of the VPN gateway; otherwise the VPN tunnel cannot be established. |
Key Exchange (IPSec Phase 1)
[Key Exchange (IPSec Phase 1) page: IKE Mode, Authentication Mode, Encryption Algorithm, Hash Algorithm, DH Group, ...]
IKE Mode: Setting | Description | Factory Default
Main | Main IKE mode: both the remote and local VPN gateway will negotiate which encryption/hash algorithm and DH g
27. take a couple of minutes to complete, including the boot-up time.
Upload Configuration Data: To import a configuration to the Industrial Secure Router, click Browse to select a configuration file already saved on your computer. The upgrade procedure will proceed automatically after clicking Import.
Restart: This function is used to restart the Industrial Secure Router.
Reset to Factory Default: The Reset to Factory Default option gives users a quick way of restoring the Industrial Secure Router's configuration settings to the factory default values. This function is available in the console utility (serial or Telnet) and the web browser interface.
NOTE: After activating the Factory Default function, you will need to use the default network settings to re-establish a web browser or Telnet connection with your Industrial Secure Router.
Port
Port Settings: Port settings are included to give the user control over port access, port transmission speed, flow control, and port type (MDI or MDIX).
Port Setting: Enable: Setting | Description | Factory Default
Checked | Allows data transmission through the port. | Enabled
Unchecked | Immediatel
28. the Industrial Secure Router's IP address from the Windows Run window. You may also issue the Telnet command from the MS-DOS prompt.
2. Refer to instructions 6 and 7 in the RS-232 Console Configuration (115200, None, 8, 1, VT100) section on page 2-2.
Using a Web Browser to Configure the Industrial Secure Router: The Industrial Secure Router's web browser interface provides a convenient way to modify the router's configuration and access the built-in monitoring and network administration functions. The recommended web browser is Microsoft Internet Explorer 6.0 with JVM (Java Virtual Machine) installed.
NOTE: To use the Industrial Secure Router's management and monitoring functions from a PC host connected to the same LAN as the Industrial Secure Router, you must make sure that the PC host and the Industrial Secure Router are connected to the same logical subnet.
NOTE: Before accessing the Industrial Secure Router's web browser, first connect the Industrial Secure Router's RJ45 Ethernet LAN ports to your Ethernet LAN, or directly to your PC's Ethernet card (NIC). You can use either a straight-through or cross-over Ethernet cable.
NOTE: The Industrial Secure Router's default LAN IP address is 192.168.127.254.
Perform the following steps to access the Industrial Secure Router's web browser interface:
1. Start Internet Explorer and type the Industr
29. the Static Routing Table will not be added to the Industrial Secure Router's routing table until you click the Activate button.
RIP (Routing Information Protocol): RIP is a distance-vector routing protocol that employs the hop count as a routing metric. RIP prevents routing from looping by implementing a limit on the number of hops allowed in a path from the source to a destination. The RIP Setting page is used to set up the RIP parameters.
[RIP Setting page: RIP State, RIP Version, RIP Distribution, RIP Enable Interface]
RIP State: Setting | Description | Factory Default
Enable/Disable | Enable or disable the RIP protocol. | Disable
RIP Version: Setting | Description | Factory Default
| Select the RIP protocol version. |
RIP Distribution: Setting | Description | Factory Default
Static | Check the checkbox to enable the Redistributed Static Route function. The entries that are set in a static route will be redistributed if this option is enabled. | Unchecked
RIP Enable Interface: Setting | Description | Factory Default
WAN | Check the checkbox to enable RIP in the WAN interface. |
LAN | Check the checkbox to enable RIP in the LAN interface. |
RIP Interface Table (EDR-810 series only): Setting | Description | Factory Default
Enable/Disable | Check the checkbox to enable RIP for each i
30. the remote user clicks the Activate button, the connection to the Industrial Secure Router will be lost because the IP address is not in the Industrial Secure Router's Accessible IP list.
[Accessible IP List page: Enable the accessible IP list (Disable will allow all IPs to connect); Index, IP Address]
If the user enables the SettingCheck function with the Accessible IP list and the Confirmer Timer is set to 15 seconds, then when the user clicks the Activate button on the Accessible IP list page, the Industrial Secure Router will execute the configuration change and the web browser will try to jump to the SettingCheck Confirmed page automatically. Because the new IP list does not include the remote user's IP address, the remote user cannot connect to the SettingCheck Confirmed page. After 15 seconds the Industrial Secure Router will roll back to the original Accessible IP List setting, allowing the remote user to reconnect to the Industrial Secure Router and check what is wrong with the previous setting.
[Figure: browser "The page cannot be displayed" error page]
31. time alarm messages. Even when control engineers are out of the control room for an extended period of time, they can still be informed of the status of devices almost instantaneously when exceptions occur. The Moxa industrial secure router supports different approaches to warn engineers automatically, such as email, syslog, and relay output. It also supports one digital input to integrate sensors into your system to automate alarms by email and relay output.
System Event Settings: System Events are related to the overall function of the switch. Each event can be activated independently with different warning approaches. The administrator can also decide the severity of each system event.
[System Event Settings table: Cold Start, Warm Start, Power 1 Transition (Off->On), Power 2 Transition (Off->On), ..., Config Change; severity EMERG]
System Events | Description
Cold Start | Power is cut off and then reconnected.
Warm Start | The industrial secure router is rebooted, such as when parameters are changed (IP address, subnet mask, etc.).
Power Transition (On->Off) | The industrial secure router is powered down.
Power Transition
32. versus seconds. The graph is updated every few seconds, allowing you to analyze data transmission activity in real time.
[Monitor: System Total Packets graph]
Monitor by Port: Access the Monitor by Port function by selecting the WAN2 or LAN interface from the left drop-down list. You can view graphs that show All Packets, TX Packets, or RX Packets, but in this case only for an individual port. The graph displays data transmission activity by showing Packets/s (packets per second, or pps) versus sec (seconds). The graph is updated every few seconds, allowing you to analyze data transmission activity in real time.
[Monitor: LAN Total Packets graph]
System Log: The industrial secure router provides EventLog and Syslog functions to record important events.
EventLog
[EventLogTable screenshot: Index, Bootup, Date, Time, System Startup Time, Event]
Description: shows how many times the device has been rebooted. Date: based on the current date set in the Basic Settings page. Time: updated based on the current time set in the Basic Settings
33. If the new configuration does not block the connection from the remote user to the Industrial Secure Router, the user will see the SettingCheck Confirmed page shown in the following figure. Click Confirm to save the configuration updates.
System File Update by Remote TFTP: The Industrial Secure Router supports saving your configuration to a remote TFTP server or local host to allow other Industrial Secure Routers to use the same configuration at a later time, or saving the log file for future reference. Loading a pre-saved firmware or configuration file from the TFTP server or local host is also supported to make it easier to upgrade or configure the Industrial Secure Router.
[Upgrade Software or Configuration page: TFTP Server IP/Name, Configuration File Path and Name, Firmware File Path and Name, Log File Path and Name]
TFTP Server: Setting | Description | Factory Default
IP Address or Name of TFTP Server | The IP or name of the remote TFTP server. Must be configured before downloading or uploading files. | None
Configuration File Path and Name: Setting | Description | Factory Default
Max 40 characters | The path and filename of the Industrial Secure Router's configuration file in the TFTP server. | None
Firmware File Path an
34. [Rate limit table: per-port Ingress Policy, Ingress Rate, Egress Rate; values Not Limited, 100 Mbits/sec, 1000 Mbits/sec]
Ingress Policy: Setting | Description | Factory Default
Limit All; Limit Broadcast, Multicast, Flooded Unicast; Limit Broadcast, Multicast; Limit Broadcast | Select the ingress rate limit for different packet types. | Limit Broadcast
Ingress/Egress Rate: Setting | Description | Factory Default
Not Limited, 3%, 5%, 10%, 15%, 25%, 35%, 50%, 65% | Select the ingress/egress rate limit (of max throughput) for all packets from the listed options. |
MAC Address Table: The address table shows the list of MAC addresses that pass through the Moxa industrial secure router. The ageing time (15 to 3825 seconds) is the parameter that defines the length of time that a MAC address entry can remain in the Moxa router. When an entry reaches its ageing time, it ages out and is purged from the router, effectively cancelin
35. Click More at the top of the Recent 10 Event Log table to open the EventLogTable page.
[EventLogTable page]
Configuring Basic Settings: The Basic Settings group includes the most commonly used settings required by administrators to maintain and control the EDR-G903.
System Identification: The system identification section gives you an easy way to identify the different switches connected to your network.
[System Identification page]
Router Name: Setting | Description | Factory Default
Max 30 characters | This option is useful for specifying the role or application of different EDR-G903 units, e.g., Factory Router 1. | Firewall/VPN Router (serial no. of this switch)
Router Location: Setting | Description | Factory Default
Max 80 characters | Specify the location of different EDR-G903 units, e.g., production line 1. | Device Location
Router Description: Setting | Description | Factory Default
Max 30 characters | Use this field to enter a more detailed description of the EDR-G903 unit. | None
Maintainer Contact Info: Setting | Description | Factory Default
Max 30 characters | Enter the contact info
36. [Figure: VPN topology with networks 100.100.1.0/24, 100.100.2.0/24, and 100.100.3.0/24, two secure routers, and the VPN tunnel]
VPN Plan: Communication from the Central site network (100.100.1.0/24) to the Remote site network (100.100.3.0/24) needs to pass through the VPN tunnel. The Intranet network is 100.100.2.0/24.
The configuration of the WAN/LAN interface for the 2 Industrial Secure Routers is shown in the following table:
Configuration | Industrial Secure Router 1 | Industrial Secure Router 2 (EDR-G903)
Interface Setting: WAN IP | 100.100.2.1 | 100.100.2.2
Interface Setting: LAN IP | 100.100.1.1 | 100.100.3.1
Based on the requirement and the VPN plan, the recommended configuration for VPN IPSec is shown in the following table:
Configuration | Industrial Secure Router 1 | Industrial Secure Router 2
Tunnel Setting: Connection Type | Site to Site | Site to Site
Tunnel Setting: Remote VPN gateway | 100.100.2.2 | 100.100.2.1
Tunnel Setting: Startup mode | Wait for Connection | Start in Initial
Tunnel Setting: Local Network | 100.100.1.0 | 100.100.3.0
Tunnel Setting: Netmask | 255.255.255.0 | 255.255.255.0
Tunnel Setting: Remote Network | 100.100.3.0 | 100.100.1.0
Tunnel Setting: Netmask | 255.255.255.0 | 255.255.255.0
Key Exchange: Pre-Shared Key | 12345 | 12345
Data Exchange: Encryption/Hash | 3DES / SHA1 | 3DES / SHA1
L2TP for Remote User Maintenance: The following example shows how a roaming user uses L2TP over IPSec to connect to the remote site network.
[Figure: roaming user connecting over L2TP/IPSec to an EDR-G903]
37. Address Translation
Interface (N-1 mode): Setting | Description | Factory Default
Auto, WAN1, WAN2 | Select the interface for this NAT policy. | Auto
The Industrial Secure Router provides a Dual WAN backup function for network redundancy. If the interface is set to Auto, the NAT mode is set to N-1, and the WAN backup function is enabled, the primary WAN interface is WAN1. If the WAN1 connection fails, the WAN interface of this N-1 policy will switch to WAN2 for N-1 outgoing traffic until the WAN1 interface recovers.
IP Range: Setting | Description | Factory Default
IP address | Select the internal IP range for IP translation to the WAN IP. | None
WAN IP (N-1 mode): Setting | Description | Factory Default
IP address | The IP address of the user-selected interface (WAN1, WAN2, or Auto) in this N-to-1 policy. | None
Add a NAT Rule: Check the Enable checkbox, input the corresponding NAT parameters in the page, and then click New/Insert to add it to the NAT List Table. Finally, click Activate to activate the configuration.
Delete a NAT Rule: Select the item in the NAT List Table, then click Delete to delete the item.
Modify a NAT Rule: Select the item in the NAT List Table, modify the attributes, and click Modify to change the configuration.
Activate NAT List Table: After adding, deleting, or modifying any NAT rules, be sure to Activate it.
NOTE: The Industrial Secure Router wil
38. Industrial Secure Router User's Manual, Second Edition, August 2013. www.moxa.com/product. (c) 2013 Moxa Inc. All rights reserved. Reproduction without permission is prohibited.
Industrial Secure Router User's Manual: The software described in this manual is furnished under a license agreement and may be used only in accordance with the terms of that agreement.
Copyright Notice: Copyright (c) 2013 Moxa Inc. All rights reserved. Reproduction without permission is prohibited.
Trademarks: The MOXA logo is a registered trademark of Moxa Inc. All other trademarks or registered marks in this manual belong to their respective manufacturers.
Disclaimer: Information in this document is subject to change without notice and does not represent a commitment on the part of Moxa. Moxa provides this document as is, without warranty of any kind, either expressed or implied, including, but not limited to, its particular purpose. Moxa reserves the right to make improvements and/or changes to this manual, or to the products and/or the programs described in this manual, at any time. Information provided in this manual is intended to be accurate and reliable. However, Moxa assumes no responsibility for its use, or for any infringements on the rights of third parties that may result from its use. This product might include unintentional technical or typographical errors. Changes are periodically made to the information herein to correct such e
39. Max 20 characters | User-defined host name of this PPPoE server. | None
Password: Setting | Description | Factory Default
Max 30 characters | The login password for the PPPoE server. | None
LAN Configuration
Add a VLAN Interface: Input a name for the VLAN interface, select a VLAN ID, and assign an IP address and subnet mask for the interface. Check the Enable checkbox to enable this interface.
Delete a VLAN Interface: Select the item in the VLAN Interface List and then click Delete to delete the item.
Modify a VLAN Interface: Select the item in the VLAN Interface List, modify the attributes, and then click Modify to change the configuration.
Activate the VLAN Interface List: After adding, deleting, or modifying any VLAN interface, be sure to click Activate.
Network Service
DHCP Settings
[Global Settings page: DHCP Server Mode (Dynamic/Static IP Assignment, Port-based IP Assignment)]
DHCP Server Mode: Setting | Description | Factory Default
Disable; Dynamic/Static IP Assignment; Port-based IP Assignment | Select the DHCP Server Mode. | Disabled
DHCP Server: The Industrial Secure Router provides a DHCP (Dynamic Host Configuration Protocol) server function for LAN interfaces. When configured, the Industrial Secure Router will automatically assign an IP address to an Ethernet device from a defined IP ran
40. VPN Tunnel: Setting | Description | Factory Default
Enable or Disable | Enable or disable this VPN tunnel. | Disable
Name of VPN Tunnel: Setting | Description | Factory Default
Max of 16 characters | User-defined name of this VPN tunnel. | None
NOTE: The first character cannot be a number.
L2TP over IPSec Enable or Disable: Setting | Description | Factory Default
Enable or Disable | Enable or disable the IPSec tunnel over L2TP protocol function. | None
Connection Type: Setting | Description | Factory Default
Site to Site | VPN tunnel for which the local and remote subnets are fixed. | Site to Site
Site to Site Any | VPN tunnel for which the remote subnet area is dynamic and the local subnet is fixed. |
Remote VPN Gateway (Default Route): Setting | Description | Factory Default
IP Address | Remote VPN gateway's IP address. | None
Connection Interface: Setting | Description | Factory Default
WAN1, WAN2 | Interface of the VPN tunnel. If the user enables the WAN backup function, WAN1 would be the primary default route and WAN2 would be the backup. | WAN1
Startup Mode: Setting | Description | Factory Default
Start in Initial | This VPN tunnel will actively initiate the connection with the remote VPN gateway. | Start in Initial
Wait for Connecting | This VPN tunnel will wait
41. Series Features and Functions
Start Date: Setting | Description | Factory Default
User-specified date | Specifies the date that Daylight Saving Time begins. | None
End Date: Setting | Description | Factory Default
User-specified date | Specifies the date that Daylight Saving Time ends. | None
Offset: Setting | Description | Factory Default
User-specified hour | Specifies the number of hours that the time should be set forward during Daylight Saving Time. | None
NOTE: Changing the time zone will automatically correct the current time. Be sure to set the time zone before setting the time.
Time Server IP/Name: Setting | Description | Factory Default
IP address or name of the time server | The IP or domain address (e.g., 192.168.1.1 or time.stdtime.gov.tw). | None
IP address or name of the secondary time server | The Moxa switch will try to locate the secondary NTP server if the first NTP server fails to connect. |
Enable NTP/SNTP Server: Setting | Description | Factory Default
Enable/Disable | Enables SNTP/NTP server functionality for clients. | Disabled
Since industrial Ethernet devices are often located at the endpoints of a system, these devices will not always know what is happening elsewhere on the network. This means that an industrial secure router that connects to these devices must provide system maintainers with real
42. Setting | Description | Factory Default
Max 40 characters | The path and filename of the EtherDevice Router's configuration file in the TFTP server. | None
Firmware File Path and Name: Setting | Description | Factory Default
Max 40 characters | The path and filename of the EtherDevice Router's firmware file. | None
Log File Path and Name: Setting | Description | Factory Default
Max 40 characters | The path and filename of the EtherDevice Router's log file. | None
After setting up the desired path and filename, click Activate to save the setting. Next, click Download to download the file from the remote TFTP server, or click Upload to upload a file to the remote TFTP server.
System File Update by Local Import/Export
[Upgrade Software or Configuration page: Configuration File, Log File, Upgrade Firmware, Upload Configuration Data]
Configuration File: Click Export to export the configuration file of the EtherDevice Router to the local host.
Log File: Click Export to export the log file of the EtherDevice Router to the local host.
NOTE: Some operating systems will open the configuration file and log file directly in the web page. In such cases, right-click the Export button and then choose Save As.
Upgrade Firmware: To import a firmware file into the EtherDevice Router, click Browse to select a firmw
43. Terminal tab, select VT100 for Terminal Type, and then click OK to continue.
5. The Console login screen will appear. Use the keyboard to enter the login account (admin or user), and then press Enter to jump to the Password field. Enter the console Password (the same as the web browser password; leave the Password field blank if a console password has not been set), and then press Enter.
NOTE: The default password for the EDR series with firmware v3.0 and later is moxa. For previous firmware versions, the default password is blank. For greater security, please change the default password after the first login.
6. Enter a question mark (?) to display the command list in the console. The following table lists commands that can be used when the Industrial Secure Router is in console mode (serial or Telnet).
Login by Admin Account: Command | Description
exit | Exit Command Line Interface
reload | Perform Cold Restart
terminal | Configure Terminal Page Length
| Import or Export File
| Save Running Configuration to Flash
ping | Send Echo Messages
| Clear Information
| Show System Information
configure | Enter Configuration Mode
Using Telnet to Access the Industrial Secure Router's Console: You may use Telnet to access the Industrial Secure Router's console utility over a network. To access the EDR's functions over t
44. The Source/Destination IP range or Source/Destination port number of policy X is smaller than or equal to that of policy Y, but the action target (Accept/Drop) is different. For example, two firewall policies are shown below:
Index | Input | Output | Protocol | Source IP | Destination IP | Target
1 | WAN1 | LAN | All | 10.10.10.10 | 192.168.127.10 | ACCEPT
2 | WAN1 | LAN | All | 20.20.20.20 to 20.20.20.30 | 192.168.127.20 | ACCEPT
Suppose the user next adds a new policy with the following configuration:
Index | Input | Output | Protocol | Source IP | Destination IP | Target
3 | WAN1 | LAN | All | 20.20.20.20 | 192.168.127.20 | DROP
After clicking the PolicyCheck button, the Industrial Secure Router will issue a message warning the user that policy 3 is masked by policy 2, because the IP range of policy 3 is smaller than the IP range of policy 2 and the target action is different.
[Figure: PolicyCheck warning message]
Include: Policy X is included in Policy Y. The Source/Destination IP range or Source/Destination port number of policy X is less than or equal to that of policy Y and the action target (Accept/Drop) is the same. In this case policy X will increase the loading of the Industrial Secure Router and lower its performance. For example, two firewall policies are shown in the following table:
Index | Input | Output | Protocol | Source IP | Destination IP | Target
1 | WAN1 | LAN | All | 10.10.10.20 | 192.168.127.10 | ACCEPT
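The Mask and Include checks above reduce to one subset test: a new policy whose traffic selector (interfaces, protocol, source range, destination range) fits entirely inside an earlier policy's selector is either masked (different target, so it can never fire) or included (same target, so it is redundant). The following is an added example written for this page, not Moxa's PolicyCheck code; it assumes rules are evaluated top-down by index and that "All" as protocol covers every protocol, and it uses the three policies from the text as constructed sample input.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple

IpRange = Tuple[str, str]  # inclusive IPv4 range: (first address, last address)


@dataclass(frozen=True)
class Policy:
    """One row of the firewall policy list (field names chosen for this example)."""
    index: int
    input_if: str      # e.g. "WAN1"
    output_if: str     # e.g. "LAN"
    protocol: str      # "All", "TCP", "UDP", ...
    src: IpRange
    dst: IpRange
    target: str        # "ACCEPT" or "DROP"


def _bounds(r: IpRange) -> Tuple[IPv4Address, IPv4Address]:
    lo, hi = IPv4Address(r[0]), IPv4Address(r[1])
    if lo > hi:
        raise ValueError(f"inverted range {r}")
    return lo, hi


def range_within(inner: IpRange, outer: IpRange) -> bool:
    """True when every address of `inner` is also in `outer` (inner <= outer)."""
    ilo, ihi = _bounds(inner)
    olo, ohi = _bounds(outer)
    return olo <= ilo and ihi <= ohi


def protocol_within(inner: str, outer: str) -> bool:
    return outer == "All" or inner == outer


def check_policy(existing: List[Policy], new: Policy) -> List[Tuple[str, int]]:
    """Warnings for `new` against the policies evaluated before it.

    Returns (kind, other_index) pairs: "masked" means same traffic but a
    different target, so `new` can never take effect; "included" means same
    traffic and same target, so `new` only adds matching load.
    """
    warnings = []
    for y in existing:
        if y.index >= new.index:
            continue  # assumption: rules are evaluated top-down, lower index first
        if (y.input_if, y.output_if) != (new.input_if, new.output_if):
            continue
        if not protocol_within(new.protocol, y.protocol):
            continue
        if range_within(new.src, y.src) and range_within(new.dst, y.dst):
            kind = "masked" if new.target != y.target else "included"
            warnings.append((kind, y.index))
    return warnings


# Constructed sample: the two policies from the text, plus the policy the user adds next.
EXISTING = [
    Policy(1, "WAN1", "LAN", "All", ("10.10.10.10", "10.10.10.10"),
           ("192.168.127.10", "192.168.127.10"), "ACCEPT"),
    Policy(2, "WAN1", "LAN", "All", ("20.20.20.20", "20.20.20.30"),
           ("192.168.127.20", "192.168.127.20"), "ACCEPT"),
]
NEW_DROP = Policy(3, "WAN1", "LAN", "All", ("20.20.20.20", "20.20.20.20"),
                  ("192.168.127.20", "192.168.127.20"), "DROP")
NEW_ACCEPT = Policy(3, "WAN1", "LAN", "TCP", ("20.20.20.25", "20.20.20.25"),
                    ("192.168.127.20", "192.168.127.20"), "ACCEPT")

if __name__ == "__main__":
    for p in (NEW_DROP, NEW_ACCEPT):
        for kind, idx in check_policy(EXISTING, p):
            print(f"Policy {p.index} is {kind} by policy {idx}")
```

The DROP policy reproduces the warning in the text (masked by policy 2); the ACCEPT variant, with a narrower protocol and a single address inside policy 2's range, triggers the Include case instead. Port ranges, which the text also names, would be added as one more subset test on the same pattern.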
45. The UID is used with Modbus TCP devices that are composites of several Modbus devices. It may be used to communicate via devices such as bridges and gateways, which use a single IP address to support multiple independent end units.
The function code defines the message type and the type of action required by the slave. The parameter contains one byte of information. Valid function codes are in the range 1 to 255. Not all Modbus devices recognize the same set of function codes. The most common codes are supported for quick settings, and user-defined function codes are also supported. Most function codes address a single address or a range of addresses. The Industrial Secure Router provides deep data inspection of function codes. The following table shows the various reading, writing, and other operations:
Function Name | Function Code
Physical Discrete Inputs: Read Discrete Inputs | 2
Bit Access, Internal Bits or Physical Coils: Read Coils | 1
Bit Access, Internal Bits or Physical Coils: Write Single Coil | 5
Bit Access, Internal Bits or Physical Coils: Write Multiple Coils | 15
Physical Input Registers: Read Input Registers | 4
Internal Registers or Physical Output Registers: Read Holding Registers | 3
Internal Registers or Physical Output Registers: Write Single Register | 6
Internal Registers or Physical Output Registers: Write Multiple Registers | 16
Internal Registers or Physical Output Registers: Read/Write Multiple Registers | 23
Internal Registers or Physical Output Registers: Mask Write Register | 22
Internal Registers or Physical Output Registers: Read FIFO Queue | 24
File Record Access: Read File Record | 20
File Record Access: Write File Record | 21
Read Exception Status | 7
46. Factory Default
Max 30 characters | An 8-character data encryption key is the minimum requirement for data encryption. | None
Community Name: Setting | Description | Factory Default
Max 30 characters | Use a community string match for authentication. | Public
Access Control: Setting | Description | Factory Default
Read/Write; Read only | Access control type after matching the community string. |
Trap Server IP Address: Setting | Description | Factory Default
IP Address | Enter the IP address of the Trap Server used by your network. | 0.0.0.0
Dynamic DNS: Dynamic DNS (Domain Name Server) allows you to use a domain name to connect to the Industrial Secure Router. The Industrial Secure Router can connect to 4 free DNS servers and register the user-configurable domain name in these servers.
Dynamic DNS Service: Setting | Description | Factory Default
Disable; freedns.afraid.org; www.3322.org; members.dyndns.org; dynupdate.no-ip.com | Disable or select the DNS server. | Disable
User Name: Setting | Description | Factory Default
Max 30 characters | The DNS server's user name. | None
Password: Setting | Description | Factory Default
Max 30 characters | The DNS server's password. | None
47. afety function for industrial users using a secure router. It provides a double confirmation mechanism for when a remote user changes the security policies, such as the Firewall filter, NAT, and Accessible IP list. When a remote user changes these security policies, SettingCheck provides a means of blocking the connection from the remote user to the Firewall/VPN device. The only way to correct a wrong setting is to get help from the local operator, or go to the local site and connect to the device through the console port, which could take quite a bit of time and money. Enabling the SettingCheck function will execute these new policy changes temporarily until doubly confirmed by the user. If the user does not click the Confirm button, the Industrial Secure Router will revert to the previous setting.
Firewall Policy: Enables or disables the SettingCheck function when the firewall policies change.
NAT Policy: Enables or disables the SettingCheck function when the NAT policies change.
Accessible IP List: Enables or disables the SettingCheck function when the Accessible IP List changes.
Timer: Setting | Description | Factory Default
10 to 3600 sec | The timer waits this amount of time to double confirm when the user changes the policies. | 180 sec
For example, if the remote user (IP 10.10.10.10) connects to the Industrial Secure Router and changes the accessible IP address to 10.10.10.12, or deselects the Enable checkbox accidentally, after
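The SettingCheck behaviour described above (and the 15-second Accessible IP list lock-out walked through earlier on this page) is a confirm-or-rollback guard: the new policy is live immediately, but it only becomes permanent if the same remote session can still reach the device and confirm before the timer expires. The following is an added model of that guard written for this page, not Moxa firmware; the class and method names are the example's own, time is passed in explicitly so the behaviour is reproducible, and the Accessible IP list is reduced to a set of single addresses as constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class AccessibleIpList:
    """Accessible IP list: when enabled, only listed addresses may manage the device."""
    enabled: bool
    entries: List[str] = field(default_factory=list)

    def permits(self, ip: str) -> bool:
        return (not self.enabled) or ip in self.entries


class SettingCheck:
    """Confirm-or-rollback guard around an Accessible IP list change (illustrative model)."""

    def __init__(self, active: AccessibleIpList, timer_sec: int = 180):
        if not 10 <= timer_sec <= 3600:          # device range from the table above; default 180 s
            raise ValueError("timer must be 10..3600 seconds")
        self.active = active
        self.timer_sec = timer_sec
        self.previous: Optional[AccessibleIpList] = None
        self.deadline: Optional[float] = None

    def activate(self, new_list: AccessibleIpList, now: float) -> None:
        """Apply the change at once; it must be confirmed before the timer expires."""
        self.previous = self.active
        self.active = new_list
        self.deadline = now + self.timer_sec

    def confirm(self, client_ip: str, now: float) -> str:
        """The remote user's browser loads the SettingCheck Confirmed page and clicks Confirm."""
        if self.previous is None:
            return "nothing-pending"
        if not self.active.permits(client_ip):
            return "blocked"        # the new list locks the confirming client out; no confirm arrives
        if now > self.deadline:
            self._rollback()
            return "expired"
        self.previous, self.deadline = None, None
        return "committed"

    def tick(self, now: float) -> str:
        """Called periodically by the device; reverts an unconfirmed change once the timer expires."""
        if self.previous is not None and now > self.deadline:
            self._rollback()
            return "rolled-back"
        return "pending" if self.previous is not None else "idle"

    def _rollback(self) -> None:
        self.active, self.previous, self.deadline = self.previous, None, None


def lockout_scenario() -> tuple:
    """Replays the 15-second example from the text: the remote user at 10.10.10.10
    activates a list that omits their own address."""
    sc = SettingCheck(AccessibleIpList(enabled=True, entries=["10.10.10.10"]), timer_sec=15)
    sc.activate(AccessibleIpList(enabled=True, entries=["10.10.10.12"]), now=0)
    attempt = sc.confirm("10.10.10.10", now=1)    # cannot reach the Confirmed page
    result = sc.tick(now=16)                      # timer expired without confirmation
    return attempt, result, sc.active.permits("10.10.10.10")


def happy_path() -> tuple:
    """The new list still contains the remote user, so the confirmation goes through."""
    sc = SettingCheck(AccessibleIpList(enabled=True, entries=["10.10.10.10"]), timer_sec=15)
    sc.activate(AccessibleIpList(enabled=True, entries=["10.10.10.10", "10.10.10.12"]), now=0)
    return sc.confirm("10.10.10.10", now=5), sc.tick(now=100), sc.active.entries


if __name__ == "__main__":
    print("lock-out:", lockout_scenario())
    print("confirmed:", happy_path())
```

The point the model makes explicit is that the confirmation must travel over the very path the new policy governs: a list that excludes the administrator's own address can never be confirmed, so the device reverts to the last known-good list on its own once the timer runs out.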
48. al you set up the
Range Address Index | This Modbus policy will check multiple Data Address indexes in the packet.
Address: Setting | Description | Factory Default
All Address Index | This Modbus policy will check all Data Address indexes in the packet. | All
Single Address Index | This Modbus policy will check a single Data Address index in the packet. |
Single IP Address | This Modbus policy will check a single Source IP address in the packet. |
Range IP Address | This Modbus policy will check multiple Source IP addresses in the packet. |
Target: Setting | Description | Factory Default
Accept | The packet will penetrate the firewall when it matches this Modbus policy. | Accept
Drop | The packet will not penetrate the firewall when it matches this Modbus policy. |
Source IP: Setting | Description | Factory Default
All IP Address | This Modbus policy will check all Source IP addresses in the packet. | All
Destination IP: Setting | Description | Factory Default
All IP Address | This Modbus policy will check all Destination IP addresses in the packet. | All
Single IP Address | This Modbus policy will check a single Destination IP address in the packet. |
Range IP Address | This Modbus policy will check multiple Destination IP addresses in the packet. |
Unit identifier
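Item 45 describes the Modbus TCP fields the router inspects (unit identifier, function code, data address) and item 48 the policy dimensions built on them (source/destination IP, address index, Accept/Drop target). The block below is an added example for this page, not Moxa's inspection engine: it parses the MBAP header and the first address field of the PDU, rejects malformed frames before any policy is consulted, and evaluates a first-match policy list. Field names, the policy class, the sample frames and the 10.0.0.0 addresses are all constructed for the example; the function code numbers are the public Modbus codes from the table in item 45.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Set, Tuple

# Public function codes from the table above (values as defined by the Modbus specification).
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    7: "Read Exception Status", 15: "Write Multiple Coils", 16: "Write Multiple Registers",
    20: "Read File Record", 21: "Write File Record", 22: "Mask Write Register",
    23: "Read/Write Multiple Registers", 24: "Read FIFO Queue",
}
# Functions whose PDU begins with a 16-bit data address (the address index a policy can check).
ADDRESSED = {1, 2, 3, 4, 5, 6, 15, 16, 22, 23, 24}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: Optional[int]  # first data address in the PDU; None if the function carries none


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse the MBAP header and the start of the PDU; raise ValueError on malformed input."""
    if len(payload) < 8:
        raise ValueError("payload shorter than MBAP header plus function code")
    tid, proto, length, uid, fc = struct.unpack("!HHHBB", payload[:8])
    if proto != 0:
        raise ValueError(f"MBAP protocol id {proto} is not Modbus")
    if length != len(payload) - 6:      # length covers unit id + PDU
        raise ValueError("MBAP length does not match payload size")
    if fc == 0:                         # valid codes are 1..255
        raise ValueError("invalid function code 0")
    address = None
    if fc in ADDRESSED:
        if len(payload) < 10:
            raise ValueError("function code requires a data address")
        address = struct.unpack("!H", payload[8:10])[0]
    return ModbusRequest(tid, uid, fc, address)


@dataclass
class ModbusPolicy:
    """One Modbus TCP policy; None or an empty set stands for 'All' as in the tables above."""
    target: str                                   # "Accept" or "Drop"
    function_codes: Set[int]                      # empty = any function code
    unit_ids: Set[int]                            # empty = any unit identifier
    src: Optional[Tuple[str, str]] = None         # inclusive IPv4 range, None = all
    dst: Optional[Tuple[str, str]] = None
    address: Optional[Tuple[int, int]] = None     # inclusive data-address range, None = all


def _ip_in(ip: str, rng: Optional[Tuple[str, str]]) -> bool:
    return rng is None or IPv4Address(rng[0]) <= IPv4Address(ip) <= IPv4Address(rng[1])


def policy_matches(p: ModbusPolicy, src_ip: str, dst_ip: str, req: ModbusRequest) -> bool:
    if p.function_codes and req.function_code not in p.function_codes:
        return False
    if p.unit_ids and req.unit_id not in p.unit_ids:
        return False
    if not (_ip_in(src_ip, p.src) and _ip_in(dst_ip, p.dst)):
        return False
    if p.address is not None:
        # A function without a data address cannot satisfy an address-restricted policy.
        if req.address is None or not p.address[0] <= req.address <= p.address[1]:
            return False
    return True


def inspect(policies: List[ModbusPolicy], src_ip: str, dst_ip: str, payload: bytes,
            default: str = "Drop") -> Tuple[str, str]:
    """First-match evaluation; frames that fail parsing never reach a policy and are dropped."""
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as e:
        return "Drop", f"malformed: {e}"
    for p in policies:
        if policy_matches(p, src_ip, dst_ip, req):
            name = FUNCTION_NAMES.get(req.function_code, "user-defined")
            return p.target, f"fc {req.function_code} ({name}) unit {req.unit_id} matched"
    return default, "no policy matched"


# Constructed sample: read-only access from one HMI subnet to unit 1, addresses 0..99; all else dropped.
POLICIES = [ModbusPolicy("Accept", {1, 2, 3, 4}, {1}, src=("10.0.0.1", "10.0.0.50"), address=(0, 99))]
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")   # tid 1, unit 1, fc 3, addr 0, qty 10
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 0001")   # tid 2, unit 1, fc 6, addr 16, value 1

if __name__ == "__main__":
    for frame in (READ_HOLDING, WRITE_SINGLE, READ_HOLDING[:7]):
        print(inspect(POLICIES, "10.0.0.5", "192.168.127.10", frame))
```

Two design points carry over to a real deployment: the MBAP length field is checked against the actual payload before any field is trusted, and a policy that restricts the address index deliberately fails to match functions that carry no address, so such requests fall through to the default action rather than being silently accepted.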
49. an | None
SYN/RST Scan: Setting | Description | Factory Default
Enable or Disable | Enable or disable the SYN/RST Scan defense. | None
ICMP Death: Setting | Description | Factory Default
Enable or Disable | Enable or disable the ICMP Death defense. | None
Packet/Second | The limit value to activate the ICMP Death defense. | None
SYN Flood: Setting | Description | Factory Default
Enable or Disable | Enable or disable the Null Scan function. | None
Packet/Second | The limit value to activate the SYN Flood defense. | None
9. Virtual Private Network (VPN)
The following topics are covered in this chapter: Overview; IPSec Configuration (Global Settings, IPSec Settings, IPSec Status, X.509 Certificate); L2TP Server (Layer 2 Tunnel Protocol); Configuration Examples for Typical VPN Applications.
Overview: In this section we describe how to use the Industrial Secure Router to build a secure Remote Automation network with the VPN (Virtual Private Network) feature. A VPN provides a highly cost-effective solution for establishing secure tunnels so that data can be exchanged in a secure manner.
[Figure: Center site connected over a VPN Secure Tunnel]
There are two common applications for secure remote communication in an industrial automation networ
50. are file already saved on your computer. The upgrade procedure will proceed automatically after clicking Import. This upgrade procedure will take a couple of minutes to complete, including the boot-up time.
Upload Configuration Data: To import a configuration file to the EtherDevice Router, click Browse to select a configuration file already saved on your computer. The upgrade procedure will proceed automatically after clicking Import.
Restart: This function will restart the system. This function is used to restart the EtherDevice Router.
Reset to Factory Default: This function will reset settings to the factory default values. Be aware that previous settings will be lost. The Reset to Factory Default option gives users a quick way of restoring the EtherDevice Router's configuration settings to their factory default values. This function is available in the console utility (serial or Telnet) and the web browser interface.
NOTE: After activating the Factory Default function, you will need to use the default network settings to re-establish a web browser or Telnet connection with your EtherDevice Router.
Network Settings
Mode Configuration: Network Mode: The EtherDevice Router provides Router Mode and Bridge Mode operation for different applications.
Network Mode: Router Mode: Router F
51. ault DES Encryption Algorithm in data exchange DES, AES 192, AES 256. Hash Algorithm Setting Description Factory Default Hash Algorithm in data exchange SHA1; MD5, SHA1, SHA256. Dead Peer Detection: Dead Peer Detection is a mechanism to detect whether or not the connection between a local secure router and a remote IPSec tunnel has been lost. Action: Action when a dead peer is detected. Setting Description Factory Default Hold: Hold this VPN tunnel; Restart: Reconnect this VPN tunnel; Clear: Clear this; Disable: Disable Dead Peer Detection. Delay Setting Description Factory Default Delay time (seconds) The period of dead peer detection messages 30 sec. Timeout Setting Description Factory Default Timeout (seconds) Timeout to check if the connection is alive or not 120. IPSec Status: The user can check the VPN tunnel status in the IPSec Connection List. This list shows the Name of the IPSec tunnel, the IP address of the Local and Remote Subnet/Gateway, and the established status of the Key exchange phase and Data exchange phase. IPSec Connection List. X.509 Certificate: X.509 is a digital certificate method commonly used for IPSec Authenticat
52. cific subnet. The settings of the Static Route will be added to the routing table and stored in the Industrial Secure Router. RIP (Routing Information Protocol): RIP is a distance vector based routing protocol that can be used to automatically build up a routing table in the Industrial Secure Router. The Industrial Secure Router can efficiently update and maintain the routing table and optimize the routing by identifying the smallest metric and most matched mask prefix. Static Routing: The Static Routing page is used to configure the Industrial Secure Router static routing table. Enable: Click the checkbox to enable Static Routing. Name: The name of this Static Router list. Destination Address: You can specify the destination IP address. This option is used to specify the subnet mask for this IP address. Next Hop: This option is used to specify the next router along the path to the destination. Metric: Use this option to specify a cost for accessing the neighboring network. Clickable Buttons: Add: For adding an entry to the Static Routing Table. Delete: For removing selected entries from the Static Routing Table. Modify: For modifying the content of a selected entry in the Static Routing Table. NOTE The entries in
53. ckup WAN automatically to keep the connection alive. When configuring the EtherDevice Router, choose one of the two following conditions to activate the backup path: Link Check: WAN1 link down. Ping Check: Sends ping commands to a specific IP address (e.g. the IP address of the ISP's server) from WAN1 based on user configurable Time Interval, Retry and Timeout. When the WAN backup function is enabled and the Link Check or Ping Check for the WAN1 interface fails, the backup interface WAN2 will be enabled as the primary interface. WAN Backup Configuration: WAN2 Configuration: Select Backup for the WAN2/DMZ Connect Mode and then go to the Network Redundancy > WAN Backup setting page for the WAN Backup configuration. Link Check Setting Description Factory Default Enable or Disable Activate the Backup function by checking the link status of WAN Disabled. Ping Check Setting Description Factory Default Enable or Disable Activates the Backup function if unable to ping from the EtherDevice Router to a specified IP address. IP Setting Description Factory Default IP Address The EtherDevice Router will check the ping integrity of this IP address (factory default None) if the Ping Check function is Enabl
54. configurable WAN/DMZ interface (EDR-G903) that provides high flexibility for different applications such as WAN redundancy or Data/FTP server security protection. The Quick Automation Profile function of the Industrial Secure Router's firewall supports most common Fieldbus protocols, including EtherCAT, EtherNet/IP, FOUNDATION Fieldbus, Modbus TCP and PROFINET. Users can easily create a secure Ethernet Fieldbus network from a user friendly web UI with a single click. In addition, wide temperature models are available that operate reliably in hazardous -40 to 75°C environments. Package Checklist: The Industrial Secure Routers are shipped with the following items. If any of these items are missing or damaged, please contact your customer service representative for assistance. 1 Moxa Industrial Secure Router; RJ45 to DB9 console port cable; Protective caps for unused ports; DIN rail mounting kit (attached to the Industrial Secure Router's rear panel by default); Hardware installation guide (printed); CD-ROM with user's manual and Windows utility; Warranty card. Features: Industrial Networking Capability: Router/Firewall/VPN all in one; 1 WAN, 1 LAN and 1 user configurable WAN or DMZ interface; Network address translation (N-to-1, 1-to-1) and port forwarding. Designed for Industrial Applications: Dual WAN redundancy function; Firewall with Quick Automation Profile for Fieldbus protocols; Intelligent PolicyCheck and SettingC
55. ct the ports. If all ports on both switch units are configured as 100BaseTX and they are operating in full duplex mode, the potential bandwidth of the connection will be up to 1.6 Gbps. This means that users can double, triple or quadruple the bandwidth of the connection by port trunking between two Moxa switches. Each Moxa industrial secure router can set a maximum of 4 port trunking groups. When you activate port trunking, certain settings on each port will be reset to factory default values or disabled: Communication redundancy will be reset; 802.1Q VLAN will be reset; Multicast Filtering will be reset; Port Lock will be reset and disabled; Set Device IP will be reset; Mirror will be reset. After port trunking has been activated, you can configure these items again for each trunking port. Port Trunking: The Port Trunking Settings page is where ports are assigned to a trunk group. Step 1: Select the desired Trunk Group. Step 2: Select the desired Member Ports or Available Ports. Step 3: Use Up and Down to modify the Group Members. Trunk Group (maximum of 4 trunk groups) Setting Description Factory Default Specifies the current trunk group (depends on switching chip capability; some Moxa switches only support 3 trunk Trunking Status
56. ction based on information from an NTP server or user specified time and date. Functions such as automatic warning emails can therefore include a time and date stamp. NOTE The Moxa industrial secure router does not have a real time clock. The user must update the Current Time and Current Date to set the initial time for the Moxa switch after each reboot, especially when there is no NTP server on the LAN or Internet connection. Date and Time: System Up Time: Indicates how long the Moxa industrial secure router remained up since the last cold start. Current Time Setting Description Factory Default User specified time Indicates time in format None. Clock Source Setting Description Factory Default Local Configure clock source from local time; NTP Configure clock source from NTP; Configure clock source from. Time Zone Setting Description Factory Default Time zone Specifies the time zone, which is used to determine the local time offset from GMT (Greenwich Mean Time) GMT (Greenwich Mean Time). Daylight Saving Time: The Daylight Saving Time settings are used to automatically set the Moxa switch's time forward according to national standards.
57. ction on that particular VLAN; Enabled if IGMP Snooping is enabled. Querier Setting Description Factory Default Enable/Disable Enables or disables the Moxa Industrial Secure Router's querier Disabled. V1/V2 checkbox Enables the Moxa Industrial Secure Router to send IGMP snooping version 1 and 2 queries; V3 Enables the Moxa Industrial Secure Router to send IGMP snooping version 3 queries; V1/V2 and V3. Static Multicast Querier Port Setting Description Factory Default Select the ports that will connect to the multicast routers Disabled. These ports will receive all multicast packets from the source. This option is only active when IGMP Snooping is enabled. NOTE If a router or layer 3 switch is connected to the network, it will act as the Querier, and consequently this Querier option will be disabled on all Moxa layer 2 switches. If all switches on the network are Moxa layer 2 switches, then only one layer 2 switch will act as Querier. IGMP Table: The Moxa Industrial secure router displays the current active IGMP groups that were detected. View IGMP group setting per VLAN ID on this page. The information shown in the table includes: Auto Learned Multicast Router Port: This indicates that a multicast router connects to / sends packets from these port(s). Static Multicast Router Port: Displays t
58. d Name Setting Description Factory Default Max 40 Characters The path and filename of the Industrial Secure Router's firmware file None. Log File Path and Name Setting Description Factory Default Max 40 Characters The path and filename of the Industrial Secure Router's log file None. After setting up the desired path and filename, click Activate to save the setting. Next, click Download to download the file from the remote TFTP server, or click Upload to upload a file to the remote TFTP server. System File Update by Local Import/Export: Upgrade Software or Configuration. Configuration File: Click Export to export the configuration file of the Industrial Secure Router to the local host. Log File: Click Export to export the log file of the Industrial Secure Router to the local host. NOTE Some operating systems will open the configuration file and log file directly in the web page. In such cases, right click the Export button and then save as. Upgrade Firmware: To import a firmware file into the Industrial Secure Router, click Browse to select a firmware file already saved on your computer. The upgrade procedure will proceed automatically after clicking Import. This upgrade procedure wil
59. d press the PKCS#12 Export button to generate a .p12 file for a local certificate, and press Certificate Export to generate a .crt file for certificates on a Remote VPN gateway. Local Certificate Upload: Upload the .p12 local certificate on this page. The Password must be the same as the .p12 certificate file's. If the Password is not correct, the certificate import process will fail. Label: User defined name for this local certificate. Name/Subject: Show the Name and Subject when the certificate is imported successfully or the user selects the certificate on the list. PKCS#12 Upload: Use Browse to select the .p12 file and press the Import button. Import Password: The Password for the .p12 certificate. Remote Certificate Upload: Upload the .crt Remote certificate on this page. Label: User defined name for this local certificate. Name/Subject: Show the Name and Subject when the certificate is imported successfully or the user selects a certificate from the list. Certificate Upload: Use Browse to select a .p12 file and press the Import button. L2TP Server (Layer 2 Tunnel Protocol): L2TP is a popular choice for remote roaming users for VPN applications since an L2TP client is built in to the Microsoft Windows operating system. Since L2TP doe
60. ddress The LAN interface IP address 192.168.127.254. Subnet Mask Setting Description Factory Default. Communication Redundancy: The Moxa industrial secure router provides a communications redundancy function, WAN backup (EDR-G903 only). The industrial secure router has two WAN interfaces: WAN1 is the primary WAN interface and WAN2 is the backup interface. When the industrial secure router detects that connection WAN1 has failed (Link down or Ping fails), it will switch the communication path from WAN1 to WAN2 automatically. When WAN1 recovers, the major communication path will return to WAN1. WAN Backup (EDR-G903 only): How Dual WAN Backup Works: A power utility at a field site connects to a central office via two different ISPs (Internet Service Providers). ISP A uses Ethernet and ISP B uses satellite for data transmission, with Ethernet used as the major connection and the satellite as the backup connection. This makes sense since the cost of transmitting through the satellite is greater than the cost of transmitting over the Ethernet. Traditional solutions would use two routers to connect to the different ISPs. In this case, if the connection to the primary ISP fails, the connection must be switched to the backup ISP manually. The EtherDevice Router's WAN backup function checks the link status and the connection integrity between the EtherDevice Router and the ISP or central office. When the primary WAN interface fails, it will switch to the ba
61. disable LLDP function Enable. Message Transmit Interval Setting Description Factory Default 5 to 32768 sec Set the transmit interval of LLDP messages. Unit is in seconds 30 sec. LLDP Table: Port: The port number that connects to the neighbor device. Neighbor ID: A unique entity that identifies a neighbor device; this is typically the MAC address. Neighbor Port: The port number of the neighbor device. Neighbor Port Description: A textual description of the neighbor device's interface. Neighbor System: Hostname of the neighbor device. MIB Groups: The Industrial Secure Router comes with built in SNMP (Simple Network Management Protocol) agent software that supports cold start trap, line up/down trap and RFC 1213 MIB II. The standard MIB groups that the Industrial Secure Router series support are: MIB II.1 System Group: SysORTable; MIB II.2 Interfaces Group; MIB II.4 IP Group: ipAddrTable, IpNetToMediaTable, IpGroup, IpBasicStatsGroup, IpStatsGroup; MIB II.5 ICMP Group: IcmpGroup, IcmpInputStatus, IcmpOutputStats; MIB II.6 TCP Group: tcpConnTable, TcpGroup, TcpStats; MIB II.7 UDP Group: udpTable, UdpStats; MIB II.11 SNMP Group: SnmpBasicGroup, SnmpInputStats, SnmpOutputStats. Public Traps: Cold Start, Link Up, Link Down, Authentication Failure. Private Traps: Configuration Changed, Power On, Power Off, DI T
62. Filter List: The following table shows the Quick Automation Profile for Ethernet Fieldbus Protocol and the corresponding port number. Ethernet Fieldbus Protocol, Port Number: EtherCAT port TCP 34980; EtherCAT port UDP 34980; EtherNet/IP I/O UDP 2222; EtherNet/IP Messaging TCP 44818; EtherNet/IP Messaging UDP 44818; FF Annunciation TCP 1089; FF Annunciation UDP 1089; FF Fieldbus Message TCP 1090; FF Fieldbus Message UDP 1090; FF System Management TCP 1091; FF System Management UDP 1091; FF LAN Redundancy Port TCP 3622; FF LAN Redundancy Port UDP 3622; LonWorks TCP 2540; LonWorks UDP 2540; LonWorks2 TCP 2541; LonWorks2 UDP 2541; Modbus TCP 502; Modbus UDP 502; PROFINET RT Unicast TCP 34962; PROFINET RT Unicast UDP 34962; PROFINET RT Multicast TCP 34963; PROFINET RT Multicast UDP 34963; PROFINET Context Manager TCP 34964; PROFINET Context Manager UDP 34964; IEC 60870-5-104 TCP 2404; IEC 60870-5-104 UDP 2404; DNP TCP 20000; DNP UDP 20000. The Quick Automation Profile also includes the commonly used Ethernet protocols listed in the following table
63. e group between the Remote and VPN Gateways; DH5 modp 1536, DH14 modp 2048. Negotiation Time Setting Description Factory Default Negotiation time The number of allowed reconnect times when startup mode is O. If the number is 0, this tunnel will always try connecting to the remote gateway when the VPN tunnel is not created successfully. IKE Lifetime Setting Description Factory Default IKE lifetime (hours) Lifetime for IKE SA hr. Rekey Expire Time Setting Description Factory Default Rekey expire time (minutes) Start to rekey before IKE lifetime expires 9 min. Rekey Fuzz Percent Setting Description Factory Default 0 to 100 % The rekey expire time will change randomly to enhance security. Fuzz percent is the maximum random change margin of the Rekey expire time; 100 means the rekey expire time will not change randomly 100 %. Data Exchange (IPSec phase II): Perfect Forward Secrecy Setting Description Factory Default Enable or Disable Uses a different security key for different IPSec phases to enhance security Disable. SA Lifetime Setting Description Factory Default SA lifetime (minutes) Lifetime for SA in Phase 2 280. Encryption Algorithm Setting Description Factory Def
64. ed. NOTE The IP address for the Ping Check function should be on the network segment of WAN1. Interval Setting Description Factory Default 1 to 1000 User can set up a different Ping Interval for a different network 180 sec. Retry Setting Description Factory Default 1 to 100 User can configure the number of continuous retries. If the number of continuous retries exceeds this number, the EtherDevice Router will activate the backup path 3. Timeout Setting Description Factory Default 700 to 10000 ms The timeout criterion of Ping Check 3000 ms. Monitor: You can monitor statistics in real time from the EtherDevice Router's web console. Monitor by System: Access the Monitor by selecting System from the left selection bar. Monitor by System allows the user to view a graph that shows the combined data transmission activity of all the EtherDevice Router's 3 ports. Click one of the three options, Total Packets, TX Packets or RX Packets, to view the transmission activity of specific types of packets. Recall that TX Packets are packets sent out from the EtherDevice Router and RX Packets are packets received from connected devices. The Total Packets option displays a graph that combines TX and RX activity. The graph displays data transmission activity by showing Packets/s, i.e. packets per second or pps
65. er for inspecting Type of Service (ToS) bits in the IPv4 frame to determine the priority of each frame Enabled. Inspect CoS Setting Description Factory Default Enable/Disable Enables or disables the Moxa industrial secure router for inspecting 802.1p CoS tags in the MAC frame to determine the priority of each frame Enabled. The high priority queue option is applied to each port. Port Priority Setting Description Factory Default Port priority The port priority has 4 priority queues (Low, Normal, Medium, High) 3 (Normal). NOTE The priority of an ingress frame is determined in the following order: 1. Inspect ToS 2. Inspect CoS 3. Port Priority. NOTE The designer can enable these classifications individually or in combination. For instance, if a higher priority port is required for a network design, Inspect ToS and Inspect CoS can be disabled. This setting leaves only port default priority active, which results in all ingress frames being assigned the same priority on that port. CoS Mapping: CoS Value and Priority Queues Setting Description Factory Default Low/Normal/Medium/High Maps different CoS values to 4 different egress queues Low Normal Medi
66. Static IP, PPTP Dialup and PPPoE WAN configuration screens. Step 4 Enable services: Check Enable DHCP Server to enable the DHCP server for LAN devices. The default IP address range will be set automatically. To modify the IP range, go to the DHCP Server page. N-to-1 NAT will also be enabled by default. WAN Routing Quick Setting: Step 5 Activate the settings: Click the Activate button. NOTE An existing configuration will be overwritten by new settings when processing WAN Routing Quick Setting. System: The System section includes the most common settings required by administrators to maintain and control a Moxa switch. System Information: Defining System Information items makes the different switches that are connected to your network easier to identify. System Identification: Router Name Setting Description Factory Default 30 characters This option is useful for differentiating between the roles or Firewall VPN Route
67. Lease time of the connected device None. Default Gateway Setting Description Factory Default IP Address The default gateway for the connected device 0.0.0.0. DNS Server Setting Description Factory Default The DNS server for the connected device 0.0.0.0. NTP Server Setting Description Factory Default The NTP server for the connected device 0.0.0.0. Client List: Use the Client List to view the current DHCP clients. SNMP Settings: The Industrial Secure Router supports SNMP V1, V2c, V3. SNMP V1 and SNMP V2c use a community string match for authentication, which means that SNMP servers access all objects with read only permissions using the community string public (default value). SNMP V3, which requires that the user selects an authentication level of MD5 or SHA, is the most secure protocol. You can also enable data encryption to enhance data security. SNMP security modes and security levels supported by the Industrial Secure Router are shown in the following table. Select the security mode and level that will be used to communicate between the SNMP agent and manager. Protocol Version, UI Setting, Authentication Type, Data Encryption, Method: SNMP V1, V2c; V1, V2c Read Community; Community string; Uses a community string match for authentication. V3; MD5 or SHA; Authentication based; Provides authentication based on MD5 o
68. es for the WAN interface: Dynamic IP, Static IP and PPPoE. A detailed explanation of the configuration settings for each type is given below. Connection Mode Setting Description Factory Default Enable or Disable Enable or Disable the WAN interface Enable. Connection Type Setting Description Factory Default Static IP / Dynamic IP / PPPoE Set up the connection type Dynamic IP. Detailed Explanation of Dynamic IP Type WAN Configuration: PPTP Dialup: Point to Point Tunneling Protocol is used for Virtual Private Networks (VPN). Remote users can use PPTP to connect to private networks from public networks. PPTP Connection Setting Description Factory Default Enable or Disable Enable or Disable the PPTP connection None. IP Address Setting Description Factory Default IP Address The PPTP service IP address None. User Name Setting Description Factory Default Max 30 Characters The login username when dialing up to the PPTP service None. Password Setting Description Factory Default Max 30 characters The password for dialing the PPTP service None. MPPE Encryption Setting Description Factory Default None / Encrypt Enable or disable the MPPE encryption None. Example: Suppose a remote user (IP 10.10.10.10) wants to con
69. ettings The Industrial Secure Router provides 2 Global Settings for VPN applications. IPSec Global Setting: All IPSec Connection: Users can Enable or Disable all VPN services with this configuration. NOTE The factory default setting is Disable, so when the user wants to use the VPN function, make sure the setting is enabled. IPSec NAT-T: If there is an external NAT device between VPN tunnels, the user must enable the NAT-T (NAT Traversal) function. IPSec Settings: IPSec Quick Setting: The Industrial Secure Router's Quick Setting mode can be used to easily set up a site to site VPN tunnel for two Industrial Secure Router units. When choosing the Quick Setting mode, the user just needs to configure the following: Tunnel Setting; Security Setting > Encryption Strength: Simple (AES 128), Standard (AES 192), Strong (AES 256) > Password of Pre-Shared Key. NOTE The Encryption Strength and Pre-Shared Key should be configured identically for both Industrial Secure Routers. IPSec Advanced Setting: Tunnel Setting: Enable or Disable VP
70. from the web browser. An RS-232 or Telnet console connection only provides basic functions. In this chapter we use the web browser to introduce the Industrial Secure Router's configuration and monitoring functions. The following topics are covered in this chapter: Quick Setting Profile; Interface > WAN > LAN > Network Service > DHCP Settings > SNMP Settings > Dynamic DNS; System > System Information > User Account > Date and Time > Warning Notification > SettingCheck > System File Update by Remote TFTP > System File Update by Local Import/Export > Restart > Reset to Factory Default; Security > User Interface Management > Authentication Certificate > Trusted Access > RADIUS Server Settings; Port > Port Settings > Link Aggregation > The Port Trunking Concept > Port Mirror; Monitor > Interface Statistics > Port Statistics > Event Log; Using Virtual LAN > The VLAN Concept > Configuring Virtual LAN; Multicast > The Concept of Multicast Filtering > IGMP Snooping > IGMP Snooping Settings > IGMP Table > Stream Table > Static Multicast MAC; QoS and Rate Control > ToS/DSCP Mapping; MAC Address Table. Quick Setting Profile: The EDR-810 series supports WAN Routing Quick Setting, which creates a routing function between LAN ports and WAN ports def
71. g frame forwarding to that specific port. The MAC Address table can be configured to display the following Moxa industrial secure router MAC address groups, which are selected from the drop down list. Drop Down List: ALL: Select this item to show all of the Moxa industrial secure router's MAC addresses. ALL Learned: Select this item to show all of the Moxa industrial secure router's Learned MAC addresses. ALL Static: Select this item to show all of the Moxa industrial secure router's Static, Static Lock and Static Multicast MAC addresses. ALL Multicast: Select this item to show all of the Moxa industrial secure router's Static Multicast addresses. Port x: Select this item to show all of the MAC addresses of dedicated ports. The table displays the following information: MAC Address: This field shows the MAC address. Type: This field shows the type of this MAC address. Port: This field shows the port that this MAC address belongs to. Interface: WAN: WAN Configuration: VLAN ID: The Moxa Industrial Secure Router's WAN interface is configured by VLAN group. The ports with the same VLAN can be configured as one WAN interface. Connection: Note that there are three different connection typ
72. ge Dynamic IP Assignment: DHCP Server Enable/Disable Setting Description Factory Default Enable/Disable Enable or disable DHCP server function Disable. Pool First IP Address Setting Description Factory Default IP address The first IP address of the offered IP address range for DHCP clients 0.0.0.0. Pool Last IP Address Setting Description Factory Default IP Address The last IP address of the offered IP address range for DHCP clients 0.0.0.0. Setting Description Factory Default Netmask The netmask for DHCP clients 0.0.0.0. Lease Time Setting Description Factory Default The lease time of the DHCP server None. Default Gateway Setting Description Factory Default IP Address The default gateway for DHCP clients 0.0.0.0. DNS Server Setting Description Factory Default IP Address The DNS server for DHCP clients 0.0.0.0. NTP Server Setting Description Factory Default IP Address The NTP server for DHCP clients 0.0.0.0. NOTE 1. The DHCP Server is only available for LAN interfaces. 2. The Pool First/Last IP Address must be in the same Subnet on the LAN. Static DHCP: Use the Static DHCP list to ensure that devices connected to the Industrial Secure Router always use the same IP address. The static DHCP li
73. gher than the DNS from the PPPoE or DHCP server. Detailed Explanation of Static IP Type WAN2 Configuration (DNS optional for dynamic IP or PPPoE type): IP Address Setting Description Factory Default IP Address The interface IP address None. Subnet Mask Setting Description Factory Default IP Address The subnet mask None. Gateway Setting Description Factory Default IP Address The Gateway IP address None. Detailed Explanation of PPPoE Type WAN2 Configuration (PPPoE Dialup; DNS optional for dynamic IP and PPPoE type): User Name Setting Description Factory Default 30 characters The User Name for logging in to the PPPoE server None. Host Name Setting Description Factory Default 30 characters User defined host name for this PPPoE server None. Password Setting Description Factory Default 30 characters The login password for this PPPoE server None. Using DMZ Mode: A DMZ (demilitarized z
74. gure 802.1Q VLAN on the Moxa switch, use the 802.1Q VLAN Settings page to configure the ports. 802.1Q VLAN Settings: Management VLAN ID Setting Description Factory Default VLAN ID From 1 to 4094 Assigns the VLAN ID of this Moxa switch. Port Type Setting Description Factory Default Access Port type is used to connect; Trunk Select Trunk port type to connect another 802.1Q VLAN aware switch; Hybrid Select Hybrid port type to connect another 802.1Q VLAN aware switch or another LAN that combines tagged and/or untagged devices and/or other switches/hubs Access. Setting Description Factory Default VLAN ID From 1 to 4094 Sets the default VLAN ID for untagged devices that connect to the port. Tagged VLAN Setting Description Factory Default VLAN ID From 1 to 4094 This field will be active only when selecting the Trunk or Hybrid port type. Set the other VLAN ID for tagged devices that connect to the port. Use commas to separate different VIDs None. Untagged VLAN Setting Description Factory Default VLAN ID From 1 to 4094 This field will be active only when selecting the Trunk or Hybrid port type. Set the other VLAN ID for tagged devices that connect to the port and tags that need to be removed in egress packets. Use commas to separate
75. he DNS server for the selected device 0.0.0.0. NTP Server Setting Description Factory Default IP Address The NTP server for the selected device 0.0.0.0. Clickable Buttons: Add: Use the Add button to input a new DHCP list. The Name, Static IP and MAC address must be different from any existing list. Delete: Use the Delete button to delete a Static DHCP list. Click on a list to select it (the background color of the device will change to blue) and then click the Delete button. Modify: To modify the information for a particular list, click on the list to select it (the background color of the device will change to blue), modify the information as needed using the check boxes and text input boxes near the top of the browser window, and then click Modify. IP Port Binding (Port based IP Assignment): IP Port Binding Enable/Disable Setting Description Factory Default Enable/Disable Enable or disable IP Port Binding function Disable. Port Setting Description Factory Default IP Address Set the desired IP of the connected devices None. Static IP Setting Description Factory Default IP Address The IP address of the connected device None. Setting Description Factory Default The netmask for the connected device 0.0.0.0. Lease Time Setting Description Factory Default
76. ...he network by either Telnet or a web browser from a PC host that is connected to the same LAN as the Industrial Secure Router, you need to make sure that the PC host and the Industrial Secure Router are on the same logical subnet. To do this, check your PC host's IP address and subnet mask. By default, the LAN IP address is 192.168.127.254 and the subnet mask is 255.255.255.0 for a Class C subnet. If you do not change these values and your PC host's subnet mask is 255.255.0.0, then its IP address must have the form 192.168.xxx.xxx. On the other hand, if your PC host's subnet mask is 255.255.255.0, then its IP address must have the form 192.168.127.xxx.

NOTE: To use the Industrial Secure Router's management and monitoring functions from a PC host connected to the same LAN as the Industrial Secure Router, you must make sure that the PC host and the Industrial Secure Router are connected to the same logical subnet.

NOTE: Before accessing the console utility via Telnet, first connect the Industrial Secure Router's RJ45 Ethernet LAN ports to your Ethernet LAN, or directly to your PC's Ethernet card (NIC). You can use either a straight-through or cross-over Ethernet cable.

NOTE: The Industrial Secure Router's default LAN IP address is 192.168.127.254.

Perform the following steps to access the console utility via Telnet:
1. Click Start > Run, and then telnet to...
77. ...he static multicast querier ports.
  Querier Connected Port: Displays the port which is connected to the querier.
  Act as a Querier: Displays whether or not this VLAN is a querier (winner of a querier election).
  Group: Displays the multicast group addresses.
  Port: Displays the port which receives the multicast stream / the port the multicast stream is forwarded to.
  Version: Displays the IGMP Snooping version.
  Filter Mode: Indicates whether the multicast source address is included or excluded. Displays Include or Exclude when IGMP v3 is enabled.
  Sources: Displays the multicast source address when IGMP v3 is enabled.

Stream Table
This page displays the multicast stream forwarding status. It allows you to view the status per VLAN ID.

[Figure: IGMP Snooping Stream Table]

  Stream Group: Multicast group IP address.
  Stream Source: Multicast source IP address.
  Port: Which port receives the multicast stream.
  Member ports: Ports the multicast stream is forwarded to.

Static Multicast MAC
  State / Multicast MAC Address

NOTE: 01:00:5E:XX:XX:XX on this page is the IP multicast MAC address. Please activate IGMP Snooping for automatic classification.

MAC Address
  Setting: Integer. Description: Input the number of the VLAN that the host with this MAC address belongs to. Factory default: None.

Join Por...
78. ...heck tools
  -40 to 75°C operating temperature (T models)
  Long-haul transmission distance of 40 km or 80 km with optional mini-GBIC
  Redundant dual 12 to 48 VDC power inputs
  IP30 rugged high-strength metal case
  DIN-rail or panel mounting ability

Useful Utility and Remote Configuration
  Configurable using a Web browser and Telnet/Serial console
  Send ping commands to identify network segment integrity

2. Getting Started

This chapter explains how to access the Industrial Secure Router for the first time. There are three ways to access the router: (1) serial console, (2) Telnet console, and (3) web browser. The serial console connection method, which requires using a short serial cable to connect the Industrial Secure Router to a PC's COM port, can be used if you do not know the Industrial Secure Router's IP address. The Telnet console and web browser connection methods can be used to access the Industrial Secure Router over an Ethernet LAN or over the Internet. The web browser can be used to perform all monitoring and administration functions, but the serial console and Telnet console only provide basic functions.

The following topics are covered in this chapter:
  RS-232 Console Configuration (115200, None, 8, 1, VT100)
  Using Telnet to Access the Industrial Secure Router's Console
  Using a Web Browser to Configure the Industrial Secure Router
79. ...heckmark from Enable the accessible IP list. The following table shows additional configuration examples.

  Hosts That Need Access             | Input Format
  Any host                           | Disable
  192.168.1.120                      | 192.168.1.120 / 255.255.255.255
  192.168.1.1 to 192.168.1.254       | 192.168.1.0 / 255.255.255.0
  192.168.0.1 to 192.168.255.254     | 192.168.0.0 / 255.255.0.0
  192.168.1.1 to 192.168.1.126       | 192.168.1.0 / 255.255.255.128
  192.168.1.129 to 192.168.1.254     | 192.168.1.128 / 255.255.255.128

RADIUS Server Settings

RADIUS Setting
RADIUS Status
  Setting: Enable/Disable. Description: Enable to use the same setting as Auth Server. Factory default: Disable.

Server Setting
  RADIUS Server: Specifies the IP/name of the server. Factory default: None.
  RADIUS Port: Specifies the port of the server. Factory default: 1812.
  RADIUS Secret: Specifies the shared key of the server.

Monitor

Interface Statistics
Access the Monitor by selecting Monitor from the left selection bar. Monitor by System allows the user to view a graph that shows the combined data transmission activity of all of the Moxa industrial secure router's ports. Click one of the three options (Total Packets, TX Packets, or RX Packets) to view transmission activity of specific types of packets. Recall that TX Packets are packets sent out from the Moxa industrial secure router, and RX Packets are packets received from connected devices. The Total Packets option displays a graph that combines TX...
80. ...hould have the same ID. Moxa L3 switches/routers support one virtual router ID for each interface. IDs can range from 1 to 255.
  Priority: Determines priority in a VRRP group. The priority value range is 1 to 255, and 255 is the highest priority. If several L3 switches/routers have the same priority, the router with the higher IP address has the higher priority. The usable range is 1 to 255.
  Preemption Mode: Determines whether a backup L3 switch/router will take the authority of master or not.
  Track Interface: The Track Interface is used to track a specific interface within the router that can change the status of the virtual router for a VRRP group. For example, the WAN interface can be tracked, and if the link is down, the other backup router will become the new master of the VRRP group.

7. Network Address Translation

The following topics are covered in this chapter:
  Network Address Translation (NAT)
    NAT Concept
    1-to-1 NAT
    N-to-1 NAT
    Port Forward

Network Address Translation (NAT)

NAT Concept
NAT (Network Address Translation) is a common security function for changing the IP address during Ethernet packet transmission. When the user wants to hide the internal IP address (LAN) from the external network (WAN), the NAT function will translate the internal IP address to a specific IP address, or an...
81. ...ial Secure Router's LAN IP address in the Address field. Press Enter to establish the connection.

2. The web login page will open. Select the login account (Admin/User) and enter the Password (the same as the Console password), and then click Login to continue. Leave the Password field blank if a password has not been set.

[Figure: Moxa EtherDevice Secure Router EDR-G903 web login page: Username, Password]

NOTE: The default password for the EDR series with firmware v3.0 and later is moxa. For previous firmware versions, the default password is blank. For greater security, please change the default password after the first log in.

You may need to wait a few moments for the web page to be downloaded to your computer. Use the menu tree on the left side of the window to open the function pages to access each of the router's functions.

3. EDR-810 Series Features and Functions

In this chapter we explain how to access the Industrial Secure Router's configuration options, perform monitoring, and use administration functions. There are three ways to access these functions: (1) RS-232 console, (2) Telnet console, and (3) web browser. The web browser is the most user-friendly way to configure the Industrial Secure Router, since you can both monitor the Industrial Secure Router and use administration functions...
82. ...icast traffic automatically.

Snooping Mode
Snooping Mode allows your industrial secure router to forward multicast packets only to the appropriate ports. The router snoops on exchanges between hosts and an IGMP device to find those ports that want to join a multicast group, and then configures its filters accordingly.

Query Mode
Query mode allows the Moxa router to work as the Querier if it has the lowest IP address on the subnetwork to which it belongs. IGMP querying is enabled by default on the Moxa router to ensure a proceeding query election. Enable query mode to run multicast sessions on a network that does not contain IGMP routers (or queriers). Query mode allows users to enable IGMP snooping by VLAN ID. Moxa industrial secure routers support IGMP snooping version 1, version 2, and version 3. Version 2 is compatible with version 1. The default setting is IGMP V1/V2.

IGMP Multicast Filtering
IGMP is used by IP-supporting network devices to register hosts with multicast groups. It can be used on all LANs and VLANs that contain a multicast-capable IP router, and on other network devices that support multicast filtering. Moxa switches support IGMP version 1, 2, and 3. IGMP version 1 and 2 work as follows: The IP router (or querier) periodically sends query packets to all end stations on the LANs or VLANs that are connected to it. For netwo...
83. ...ieldbus HSE (High Speed Ethernet) use multicast. These industrial Ethernet protocols use publisher/subscriber communications models by multicasting packets that could flood a network with heavy traffic. IGMP Snooping is used to prune multicast traffic so that it travels only to those end destinations that require the traffic, reducing the amount of traffic on the Ethernet LAN.

Multicast Filtering
Multicast filtering ensures that only end stations that have joined certain groups receive multicast traffic. With multicast filtering, network devices only forward multicast traffic to the ports that are connected to registered end stations. The following two figures illustrate how a network behaves without multicast filtering, and with multicast filtering.

[Figure: Network without multicast filtering. Group 1 Multicast Stream and Group 2 Multicast Stream; all hosts (IGMP Group 2, IGMP Group 1, IGMP Group 2, IGMP Group 1) receive the multicast traffic, even if they don't need it.]

[Figure: Network with multicast filtering. Group 1 Multicast Stream and Group 2 Multicast Stream; hosts (IGMP Group 2, IGMP Group 1, IGMP Group 2, IGMP Group 1) only receive dedicated traffic from other hosts belonging to the same group.]

Multicast Filtering and Moxa's Industrial Secure Routers
The Moxa industrial secure router has two ways to achieve multicast filtering: IGMP (Internet Group Management Protocol) Snooping, and adding a static multicast MAC manually to filter mult...
84. ...ined by users. Follow the wizard instructions to configure the LAN and WAN ports.

Step 1: Define the WAN ports and LAN ports
Click on the ports in the figure to define the WAN ports and LAN ports.

[Figure: WAN Routing Quick Setting; click on the port to select WAN or LAN]

Step 2: Configure the LAN IP address of the EDR-810 and the subnet address of the LAN ports
Configure the LAN IP address of the EDR-810 to define the subnet of the LAN ports on the secure router. The default IP address of the EDR-810 on the LAN side is 192.168.127.254, and the default subnet address is 192.168.127.0/24.

[Figure: WAN Routing Quick Setting, LAN IP address]

Step 3: Configure the WAN port type
Configure the WAN port type to define how the secure router/switch connects to the WAN.

[Figure: WAN Routing Quick Setting, Connect Type / PPTP Dialup]

Connect Type
  Dynamic IP: Get the WAN IP address from a DHCP server via a PPTP connection.
  Static IP: Set a specific static WAN IP address, or create a connection to a PPTP server with a specific IP address.
  PPPoE: Get the WAN IP address through PPPoE Dialup.
  Factory default: Dynamic IP.

[Figure: WAN port Connect Type with PPTP Dialup fields: PPTP Connection Enable, IP, User Name, Password]
85. ...ing e-mail is sent when:
  Link ON: The port is connected to another device.
  Link OFF: The port is disconnected (e.g., the cable is pulled out, or the opposing device shuts down).

Email Settings

Email Setup / Email Configuration

Mail Server (IP/Name)
  Setting: IP address. Description: The IP address of your email server. Factory default: None.
Account Name
  Setting: Max of 45 characters. Description: Your email account. Factory default: None.
Password Setting
  Setting: Password. Description: The email account password. Factory default: None.
Email Address
  Setting: Max of 30 characters. Description: You can set up to 4 email addresses to receive alarm emails from the Moxa switch. Factory default: None.

Send Test Email
After you complete the email settings, you should first click Apply to activate those settings, and then press the Test button to verify that the settings are correct.

NOTE: Auto warning e-mail messages will be sent through an authentication-protected SMTP server that supports the CRAM-MD5, LOGIN, and PLAIN methods of the SASL (Simple Authentication and Security Layer) authentication mechanism. We strongly recommend not entering your Account Name and Account Password if auto warning e-mail messages can be delivered without using an authentication mechani...
86. ...internal IP address range to one external IP address.

The benefits of using NAT include:
  Uses the N-to-1 or Port forwarding NAT function to hide the internal IP address of a critical network or device, to increase the level of security of industrial network applications.
  Uses the same private IP address for different but identical groups of Ethernet devices. For example, 1-to-1 NAT makes it easy to duplicate or extend identical production lines.

NOTE: The NAT function will check if incoming or outgoing packets match the policy. It starts by checking the packet with the first policy (Index 1); if the packet matches this policy, the Industrial Secure Router will translate the address immediately and then start checking the next packet. If the packet does not match this policy, it will check with the next policy.

NOTE: The maximum number of NAT policies for the Industrial Secure Router is 128.

1-to-1 NAT
If the internal device and external device need to communicate with each other, choose 1-to-1 NAT, which offers bi-directional communication. N-to-1 and Port forwarding are both single-directional communication NAT functions.

[Figure: remote user on the WAN, network protection]

1-to-1 NAT is usually used when you have a group of internal servers with private IP addresses that must connect to the external network. You can use 1-to-1 NAT to map the internal servers to public IP addresses. The IP address of the internal de...
87. ...ion. The Industrial Secure Router can generate a trusted Root Certificate, and then export/import the certificate to the remote VPN gateway. The diagram below indicates the 5 steps you should follow to use X.509 for IPSec authentication with two VPN gateways, referred to as EDR-G903 A and EDR-G903 B in the diagram.

1. Root Certificate generation: Both EDR-G903 A and EDR-G903 B need to generate their own root certificates.
2. EDR-G903 A and EDR-G903 B can request new certificates based on their own Root Certificates.
3. Generate the PKCS#12 local certificate with password (.p12) and the Certificate file for the remote VPN tunnel (.crt):
   a. EDR-G903 A: Moxa_A.p12 and Moxa_A.crt
   b. EDR-G903 B: Moxa_B.p12 and Moxa_B.crt
4. Upload the PKCS#12 certificate to the Local Certificate:
   a. Moxa_A.p12 in EDR-G903 A
   b. Moxa_B.p12 in EDR-G903 B
5. Send the Certificate file (.crt) to the remote VPN gateway and upload it to the Remote certificate file:
   a. Upload Moxa_B.crt to EDR-G903 A
   b. Upload Moxa_A.crt to EDR-G903 B

[Figure: X.509 certificate generation and exchange between EDR-G903 A and EDR-G903 B, steps 1 to 5]
88. ...ion / Factory Default: Max 30 characters. The User Name for logging in to the PPPoE server. None.

Host Name
  Setting: Max 30 characters. Description: User-defined Host Name of this PPPoE server. Factory default: None.
Password
  Setting: Max 30 characters. Description: The login password for the PPPoE server. Factory default: None.

WAN2 Configuration (includes DMZ Enable)

[Figure: WAN2 Configuration: Connection Disable/Enable, Backup, DMZ Enable, Connection Type]

Note that there are three different connection types for the WAN2 interface: Dynamic IP, Static IP, and PPPoE. A detailed explanation of the configuration settings for each type is given below.

Connection Mode
  Setting: Enable or Disable. Description: Enable or Disable the WAN interface. Factory default: None.
  Backup: Enable WAN Backup mode.
  DMZ Enable: DMZ mode can only be enabled when the connection type is set to Static IP.

Connection Type
  Setting: Static IP / Dynamic IP / PPPoE. Description: Configure the connection type. Factory default: Dynamic IP.

Detailed Explanation of Dynamic IP Type

[Figure: WAN2 Configuration, Connection Enable, PPTP Dialup, DNS (optional for dynamic IP or PPPoE type)]

PPTP Dialup
Point-to-Poi...
89. ...irewall, VPN, NAT.

[Figure: Network Mode page, Router Mode / Bridge Mode; Address Information for Bridge Mode, Subnet Mask 255.255.255.0]

Router Mode
In this mode, the EtherDevice Router operates as a gateway between different networks. Each interface, WAN and LAN, has its own IP address and a different subnet. It provides Routing, Firewall, VPN, and NAT functions. This is the default setting of the EtherDevice Router.

Bridge Mode
In this mode, the EtherDevice Router operates as a Bridge mode firewall (also called a transparent firewall) in a single subnet. Users can simply insert the EtherDevice Router into the existing single subnet without the need to reconfigure the original subnet into different subnets, and without the need to reconfigure the IP addresses of existing devices. The EtherDevice Router only has one IP address, Network mask, and Gateway. VPN, NAT, WAN backup, VRRP, DHCP, and Dynamic DNS are not supported in this mode.

[Figure: Network Mode: Router Mode (Router, Firewall, VPN, NAT) or Bridge Mode (Firewall); Address Information for Bridge Mode: IP address, Subnet mask 255.255.255.0, Gateway]

Users can select the appropriate operation mode and press Activate to change the mode of the EtherDevice Router. Changing the operation mode takes around 30 to 60 seconds to reboot the system. If the webpage does not respond after 30 to 60 seconds, please refresh the webpage or press F5.
90. ...k.
  IPSec (Internet Protocol Security): VPN for LAN-to-LAN Security. Data communication only in a pre-defined IP range between two different LANs.
  L2TP (Layer 2 Tunnel Protocol): VPN for Remote roaming User. Secure data communication for remote roaming users with dynamic IP. L2TP is a popular choice for remote roaming users for VPN applications because the L2TP VPN protocol is already built in to the Microsoft Windows operating system.

IPSec uses the IKE (Internet Key Exchange) protocol for Authentication and Key exchange, and provides a way for the VPN gateway data to be protected by different encryption methods. There are 2 phases for IKE for negotiating the IPSec connections between 2 VPN gateways:
  Key Exchange (IPSec Phase 1): The 2 VPN gateways will negotiate how IKE should be protected. Phase 1 will also authenticate the two VPN gateways by the matched Pre-Shared Key or X.509 Certificate.
  Data Exchange (IPSec Phase 2): In Phase 2, the VPN gateways negotiate to determine additional IPSec connection details, which include the data encryption algorithm.

IPSec Configuration
IPSec configuration includes 5 parts:
  Global Setting: Enable/Disable all IPSec Tunnels and the NAT Traversal function.
  Tunnel Setting: Set up the VPN Connection type and VPN network plan.
  Key Exchange: Authentication for 2 VPN gateways.
  Data Exchange: Data encryption between VPN gateways.
  Dead Peer Detection: The mechanism for VPN Tunnel maintenance.

Global S...
91. ...l add an N-to-1 policy from the source IP 192.168.127.1 to 192.168.127.252 to the WAN1 interface after activating the Factory Default.

Port Forward
If the initial connection is from outside the LAN, but the user still wants to hide the internal IP address, one way to do this is to use the Port Forwarding NAT function. The user can specify the port number of an external IP address (WAN1 or WAN2) in the Port Forwarding policy. For example, if the IP address of a web server in the internal network is 192.168.127.10 with port 80, the user can set up a port forwarding policy to let remote users connect to the internal web server from external IP address 10.10.10.10 through port 8080. The Industrial Secure Router will transfer the packet to IP address 192.168.127.10 through port 80.

The Port Forwarding NAT function is a way of connecting from an external insecure area (WAN) to an internal secure area (LAN). The user can initiate the connection from the external network to the internal network, but will not be able to initiate a connection from the internal network to the external network.

[Figure: WAN network, port forwarding]

Enable/Disable NAT policy
  Setting: Enable or Disable. Description: Enable or disable the selected NAT policy. Factory default: Enabled.
NAT Mode
  Setting / Description: Select the NAT types. Port Forward...
92. ...le start, Warm start, Configuration change activated, Power 1/2 transition (OFF), Power 1/2 transition (On), Authentication fail, Topology changed, Master setting is mismatched, Port traffic overload, dot1x Auth Fail, Port link off/on.

4. EDR-G902/G903 Series Features and Functions

The following topics are covered in this chapter:
  Overview
  Configuring Basic Settings
    System Identification
    Accessible IP
    Password
    Time
    SettingCheck
    System File Update by Remote TFTP
    System File Update by Local Import/Export
    Restart
    Reset to Factory Default
  Network Settings
    Mode Configuration
    WAN1 Configuration
    WAN2 Configuration (Includes DMZ Enable)
    Using DMZ Mode
    LAN Interface
  Communication Redundancy
  Monitor
  System Log
    Event Log
    Syslog

Overview
The Overview page is divided into three major parts: Interface Status, Basic function status, and Recent 10 Event logs, and gives users a quick overview of the EtherDevice Router's current settings.

[Figure: Overview page with Interface Status, Detail Interface Status, and DNS Server List]
93. ...leted and disabled by default.

[Figure: User Account page with User name, Password, Confirm Password, and authority settings]

Create New Account
Input the user name and password, and assign the authority to the new account. Once you apply the new setting, the new account will be shown under the Account List table.

User Name
  Setting: Max of 30 characters. Description: User Name. Factory default: None.
Password
  Setting: Minimum requirement is 4 characters, maximum of 16 characters. Description: Password for the user account. Factory default: None.

Modify Existing Account
Select the existing account from the Account List table. Modify the details accordingly, then apply the setting to save the configuration.

[Figure: User Account dialog: Username, Password, Confirm Password; note that admin SNMPv3 requires a 6-character password]

Delete Existing Account
Select the existing account from the Account List table. Press the delete button to delete the account.

[Figure: User Account delete dialog]

Date and Time
The Moxa industrial secure router has a time calibration fun...
94. ...licy. Factory default: None.

Service
  IP Filter: This Firewall policy will filter by IP address. Factory default: IP Filter.
  MAC Filter: This Firewall policy will filter by MAC address.
Target
  Accept: The packet will penetrate the firewall when it matches this Firewall policy. Factory default: Accept.
  Drop: The packet will not penetrate the firewall when it matches this Firewall policy.
Source IP
  All IP Address: This Firewall Policy will check all Source IP addresses in the packet. Factory default: All.
  Single IP Address: This Firewall Policy will check a single Source IP address in the packet.
  Range IP Address: This Firewall Policy will check multiple Source IP addresses in the packet.
Source Port
  All Port number: This Firewall Policy will check all Source port numbers in the packet.
  Single Port number: This Firewall Policy will check a single Source Port number in the packet.
  Range Port number: This Firewall Policy will check multiple Source port numbers in the packet.
Destination IP
  All IP Address: This Firewall Policy will check all Destination IP addresses in the packet. Factory default: All.
  Single IP Address: This Firewall Policy will check a single Destination IP address in...
95. ...me Relay ARP
  AX.25 Ethernet Packet
  0x6000  DEC Assigned proto
  0x6001  DEC DNA Dump/Load
  0x6002  DEC DNA Remote Console
  0x6003  DEC DNA Routing
  0x6004  DEC LAT
  0x6005  DEC Diagnostics
  0x6006  DEC Customer use
  0x6007  DEC Systems Comms Arch
  0x6558  Trans Ether Bridging
  0x6559  Raw Frame Relay
  0x8100  802.1Q VLAN tagged frame
  0x8137  Novell IPX
  0x8191  NetBEUI
  0x86DD  Internet Protocol version 6
  0x884C  MultiProtocol over ATM
  0x8863  PPPoE discovery messages
  0x8864  PPPoE session messages
  0x8884  Frame-based ATM Transport over Ethernet
  0x9000  Loopback

Quick Automation Profile
Ethernet Fieldbus protocols are popular in industrial automation applications. In fact, many Fieldbus protocols (EtherNet/IP and Modbus TCP/IP) can operate on an industrial Ethernet network with the Ethernet port number defined by IANA (Internet Assigned Numbers Authority). The Industrial Secure Router provides an easy-to-use function called Quick Automation Profile that includes 45 different pre-defined profiles (Modbus TCP/IP, EtherNet/IP, etc.), allowing users to create an industrial Ethernet Fieldbus firewall policy with a single click. For example, if the user wants to create a Modbus TCP/IP firewall policy for an internal network, the user just needs to select the Modbus TCP/IP (TCP) or Modbus TCP/IP (UDP) protocol from the Protocol drop-down menu on the Firewall Policy Setting pag...
96. ...n configure:

Redundancy Protocol
  Turbo Ring: Select this item to change to the Turbo Ring configuration page. Factory default: None.
  RSTP (IEEE 802.1W/1D): Select this item to change to the RSTP configuration page. Factory default: None.
Bridge priority
  Setting: Numerical value selected by user. Description: Increase this device's bridge priority by selecting a lower number. A device with a higher bridge priority has a greater chance of being established as the root of the Spanning Tree topology. Factory default: 32768.
Forwarding Delay
  Setting: Numerical value input by user. Description: The amount of time this device waits before checking to see if it should change to a different state.
Hello time
  Setting: Numerical value input by user. Description: The root of the Spanning Tree topology periodically sends out a hello message to other devices on the network to check if the topology is healthy. The hello time is the amount of time the root waits between sending hello messages.
Max Age
  Setting: Numerical value input by user. Description: If this device is not the root, and has not received a hello message from the root in an amount of time equal to Max Age, then this device will reconfigure itself as a roo...
97. ...

Explanation of Settings Items

Redundancy Protocol
  Turbo Ring V2: Select this item to change to the Turbo Ring V2 configuration page. Factory default: None.
  RSTP (IEEE 802.1W/1D): Select this item to change to the RSTP configuration page.
  None: Ring redundancy is not active.
Enable Ring 1
  Enabled: Enable the Ring 1 settings. Disabled: Disable the Ring 1 settings. Factory default: Not checked.
Enable Ring 2
  Enabled: Enable the Ring 2 settings. Disabled: Disable the Ring 2 settings. Factory default: Not checked.
  Note: You should enable both Ring 1 and Ring 2 when using the Dual Ring architecture.
Set as Master
  Enabled: Select this device as Master. Disabled: Do not select this device as Master. Factory default: Not checked.
Redundant Ports
  1st Port: Select any port of the device to be one of the redundant ports. Factory default: See the following table.
  2nd Port: Select any port of the device to be one of the redundant ports. Factory default: See the following table.
Enable Ring Coupling
  Enable: Select this EDS as Coupler. Disable: Do not select this EDS as Coupler. Factory default: Not checked.
Coupling Mode
  Setting / Description / Fac...
98. ...nect to the internal server (private IP 30.30.30.10) via the PPTP protocol. The IP address for the PPTP server is 20.20.20.1. The necessary configuration settings are shown in the following figure.

WAN DNS
Domain Name Server (optional setting for Dynamic IP and PPPoE types)
Server 1/2/3
  Setting: IP Address. Description: The DNS IP address. Factory default: None.

NOTE: The priority of a manually configured DNS will be higher than the DNS from the PPPoE or DHCP server.

Detailed Explanation of Static IP Type

WAN Configuration
IP Address
  Setting: IP Address. Description: The interface address. Factory default: None.
Subnet Mask
  Setting: IP Address. Description: The subnet mask. Factory default: None.
Gateway
  Setting: IP Address. Description: The Gateway IP address. Factory default: None.

Detailed Explanation of PPPoE Type

WAN Configuration

[Figure: WAN Configuration, PPPoE Dialup, DNS (optional for dynamic IP or PPPoE)]

PPPoE Dialup
User Name
  Setting: Max 30 characters. Description: The User Name for logging in to the PPPoE server. Factory default: None.
Host Name
  Setting / Description / Factory Default ...
99. ...nt Tunneling Protocol) is used for Virtual Private Networks (VPN). Remote users can use PPTP to connect to private networks from public networks.

PPTP Connection
  Setting: Enable or Disable. Description: Enable or Disable the PPTP connection. Factory default: None.
IP Address
  Setting: IP Address. Description: The PPTP service IP address. Factory default: None.
User name
  Setting: Max 30 characters. Description: The Login username when dialing up to the PPTP service. Factory default: None.
Password
  Setting: Max 30 characters. Description: The password for dialing the PPTP service. Factory default: None.

Example: Suppose a remote user (IP 10.10.10.10) wants to connect to the internal server (private IP 30.30.30.10) via the PPTP protocol. The IP address for the PPTP server is 20.20.20.1. The necessary configuration settings are shown in the following figure.

[Figure: PPTP dialup example configuration]

Domain Name Server (optional setting for Dynamic IP and PPPoE types)
Server 1/2/3
  Setting: IP Address. Description: The DNS IP address. Factory default: None.

NOTE: The priority of a manually configured DNS will hi...
100. ...nterface: unchecked.

Routing Table
The Routing Table page shows all routing entries.

[Figure: All Routing Entry List]

  All: Show all routing entries.
  Connected: Show connected routing entries.
  Static: Show Static routing entries.
  RIP: Show RIP routing entries.
  Others: Show other routing entries.
  Factory default: N/A.

6. Network Redundancy

The following topics are covered in this chapter:
  Layer 2 Redundant Protocols (EDR-810 series only)
    Configuring STP/RSTP
    Configuring Turbo Ring V2
  Layer 3 Redundant Protocols
    VRRP Settings

Layer 2 Redundant Protocols (EDR-810 series only)

Configuring STP/RSTP
The following figures indicate which Spanning Tree Protocol parameters can be configured. A more detailed explanation of each parameter follows.

[Figure: Communication Redundancy page]

At the top of this page, the user can check the Current Status of this function. For RSTP, you will see:
  Now Active: Shows which communication protocol is being used: Turbo Ring, RSTP, or neither.
  Root/Not Root: This field only appears when RSTP mode is selected. The field indicates whether or not this switch is the Root of the Spanning Tree (the root is determined automatically).

At the bottom of this page, the user can configure the Settings of this function. For RSTP, you ca...
101. on function based on information from an NTP server or user-specified time and date information. Functions such as Auto Warning Email can add real-time information to the message.
NOTE: The EtherDevice Router has a real-time clock, so the user does not need to update the Current Time and Current Date to set the initial time for the EtherDevice Router after each reboot. This is especially useful when the network does not have an Internet connection for an NTP server, or there is no NTP server on the network.
- Current Time: user-adjustable time. The time parameter allows configuration of the local time in local 24-hour format (hh:mm:ss). Default: none.
- Current Date: user-adjustable date. The date parameter allows configuration of the local date in the local date format. Default: none.
Daylight Saving Time: Daylight Saving Time (also known as DST or summer time) involves advancing clocks 1 hour during the summer to provide an extra hour of daylight in the evening.
- Start Date: user-adjustable date. The Start Date parameter allows users to enter the date that daylight saving time begins. Default: none.
- End Date (Setting / Description / Factory Defaul
102. one is an isolated network for devices such as data, FTP and web servers connected to a LAN network that need to frequently connect with external networks. The deployment of an FTP server in the DMZ is illustrated in the manual's figure (figure not reproduced here).
DMZ mode is configured on the WAN2 configuration web page: set Connection to Enable, set Connect Type to Static IP, and check the DMZ Enable checkbox. You will also need to enter the IP Address and Subnet Mask. Click the Activate button to save the settings. (Screenshot: WAN2 Configuration with Connection Enable, DMZ Enable checked, and an IP Address with Subnet Mask 255.255.255.0.)
NOTE: WAN2 configuration and DMZ mode are only available on the EDR-G903.
LAN Interface: A basic application of an industrial Firewall/VPN device is to provide protection when the device is connected to a LAN. In this regard, the LAN port connects to a secure or trusted area of the network, whereas the WAN and WAN2/DMZ ports connect to an insecure or untrusted area. (Screenshot: LAN IP Configuration with IP Address and Subnet Mask fields.)
LAN IP Configuration. IP Address (Setting / Description / Factory Default): IP A
103. ping, ToS/DSCP Mapping, Rate Limiting, Address Table; Interface: LAN; Network Service: DHCP Settings, SNMP Settings, Dynamic DNS; Security: User Interface Management, Authentication Certificate, Trusted Access, RADIUS Server Settings; Monitor: Interface Statistics, Port Statistics, Event Log.
EDR-G902/G903 Series Features and Functions: Overview; Configuring Basic Settings: System Identification, Accessible IP, Password, Time, SettingCheck, System File Update by Remote TFTP, System File Update by Local Import/Export, Restart, Reset to Factory Default; Network Settings: Mode Configuration, WAN Configuration, WAN2 Configuration (includes DMZ Enable), Using DMZ Mode, LAN Interface, Communication Redundancy, WAN Backup (EDR-G903 only); Monitor: System, Syslog.
5. Routing: Unicast Routing, Static Routing, RIP (Routing Information Protocol), Routing Table.
6. Network Redundancy: Layer 2 Redundant Protocols (EDR-810 series only): Configuring STP/RSTP, Configuring Turbo Ring V2; Layer 3 Redundant Protocols: VRRP Settings.
7. Network Address Translation: Network Address Translation (NAT), NAT Concept, 1-to-1 NAT, N-to-1 NAT, Port Forward; Policy Concept, Policy Overview, Policy Configuration, Layer 2 Policy Setup (in Bridge Mode for EDR-G902/G903), Quick Automation Profile, Policy Check, Modbus TCP Policy
104. r applications of different units. Example: Factory Switch 1.
- Router Location: max. 80 characters. This option is useful for differentiating between the locations of different units. Example: production line 1.
- Router Description: max. 30 characters. This option is useful for recording a more detailed description of the unit. Default: none.
- Maintainer Contact Info: max. 30 characters. This option is useful for providing information about who is responsible for maintaining this unit and how to contact this person. Default: none.
- Web Configuration: http or https: enables HTTP and HTTPS. https only: enables HTTPS only. Default: http or https.
User Account: The Moxa industrial secure router supports the management of accounts, including establishing, activating, modifying, disabling and removing accounts. There are two levels of configuration access: admin and user. An account with admin privilege has read/write access to all configuration parameters, while an account with user authority has read-only access to view the configuration.
NOTE: 1. For a higher security level, we strongly suggest changing the default password after the first login. 2. The user with the admin account name can't be de
105. r Blocking to block transmission.
Configuring Turbo Ring V2 (Communication Redundancy). NOTE: When using the Dual Ring architecture, users must configure settings for both Ring 1 and Ring 2. In this case the status of both rings will appear under Current Status.
Explanation of Current Status items:
- Now Active: shows which communication protocol is in use (Turbo Ring V2, RSTP, or none).
- Ring 1/2 Status: shows Healthy if the ring is operating normally, and Break if the ring's backup link is active.
- Ring 1/2 Master/Slave: indicates whether or not this EDS is the Master of the Turbo Ring. This field appears only when Turbo Ring or Turbo Ring V2 mode is selected.
NOTE: The user does not need to set the master to use Turbo Ring. If the master is not set, the Turbo Ring protocol will assign master status to one of the EDS units in the ring. The master is only used to determine which segment serves as the backup path.
- Ring 1/2 1st Ring Port Status and Ring 1/2 2nd Ring Port Status: the port status indicators show Forwarding for normal transmission, Blocking if the port is connected to the backup path and the path is blocked, and Link down if there is no connection.
- Coupling Mode: indicates None, Dual Homing, or Ring Coupling.
- Coupling Port Status: indicates either Primary or Backup. I
106. r SHA-1 or HMAC-SHA algorithms; 8-character passwords are the minimum requirement for authentication. MD5 or SHA authentication-based data encryption: provides authentication based on the MD5 or HMAC-SHA algorithms plus a data encryption key; 8-character passwords and a data encryption key are the minimum requirements for authentication and encryption. These parameters are configured on the SNMP page. A more detailed explanation of each parameter is given below. (Screenshot: SNMP page with Community and Trap Targets sections.)
- SNMP Versions: Disable / V1, V2c, V3 / V1, V2c / V3 only. Select the SNMP protocol version used to manage the secure router. Default: Disable.
- Auth Type: MD5: provides authentication based on the MD5 algorithm; 8-character passwords are the minimum requirement for authentication. SHA: provides authentication based on the HMAC-SHA algorithms; 8-character passwords are the minimum requirement for authentication. No Auth: provides no authentication.
- Data Encryption Enable/Disable: Enable or Disable. Enables or disables the data encryption. Default: Disable.
- Data Encryption Key (Setting / Description / F
Security caveat: SNMP V1 and V2c send the community string in cleartext and have no message authentication; if SNMP must be enabled on the router, use V3 only, with authentication and data encryption both enabled and a community or password that is not the default.
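The password-based MD5/SHA authentication described above follows the SNMPv3 User-based Security Model (RFC 3414): the 8-character-minimum password is never sent on the wire; it is stretched and localized to the agent's engine ID into a key, and that key HMACs every message. The following Python is an added example, not code from Moxa or from the manual. It implements the RFC 3414 password-to-key algorithm, enforces the page's 8-character minimum, and checks itself against the RFC 3414 Appendix A.3 test vectors (password "maplesyrup", engine ID 00...02), which are from the RFC and not from this manual.

```python
import hashlib
import hmac

MIN_PASSWORD_LEN = 8          # minimum length the manual states for MD5/SHA authentication
STRETCH_BYTES = 1_048_576     # RFC 3414 A.2: hash exactly 1 MiB of the repeated password


def password_to_key(password: str, engine_id: bytes, hash_name: str = "md5") -> bytes:
    """RFC 3414 A.2.x password-to-key, followed by key localization with the engine ID."""
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError("SNMPv3 authentication passwords must be at least 8 characters")
    pw = password.encode()
    reps, rem = divmod(STRETCH_BYTES, len(pw))
    ku = hashlib.new(hash_name, pw * reps + pw[:rem]).digest()   # intermediate key Ku
    return hashlib.new(hash_name, ku + engine_id + ku).digest()   # localized key Kul


def auth_params(localized_key: bytes, message: bytes, hash_name: str = "md5") -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96 msgAuthenticationParameters: first 12 bytes of the HMAC."""
    return hmac.new(localized_key, message, hash_name).digest()[:12]


def verify(localized_key: bytes, message: bytes, received: bytes, hash_name: str = "md5") -> bool:
    """Constant-time comparison so a receiver does not leak the tag byte by byte."""
    return hmac.compare_digest(auth_params(localized_key, message, hash_name), received)


# Test vectors from RFC 3414 Appendix A.3 (not from the manual).
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
RFC_MD5_KEY = bytes.fromhex("526f5eed9fcce26f8964c2930787d82b")
RFC_SHA_KEY = bytes.fromhex("6695febc9288e36282235fc7151f128497b38f3f")

if __name__ == "__main__":
    assert password_to_key("maplesyrup", RFC_ENGINE_ID, "md5") == RFC_MD5_KEY
    assert password_to_key("maplesyrup", RFC_ENGINE_ID, "sha1") == RFC_SHA_KEY
    print("RFC 3414 password-to-key vectors OK")
```

Because the key is derived from the password by a fast, unsalted hash and localized with an engine ID that is sent in cleartext, anyone who captures one authenticated message can brute-force the password offline; the 8-character minimum is a floor, not a target.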
107. rable syslog servers and syslog server UDP port numbers. When an event occurs, the event will be sent as a syslog UDP packet to the specified syslog servers. (Screenshot: Syslog Setting with Syslog Server 1 enabled, IP 192.168.127.100, Port Destination 514, and the Syslog Server 2 and 3 fields.)
- Syslog Server 1/2/3: IP address. Enter the IP address of the Syslog Server used by your network. Default: none.
- Port Destination: 1 to 65535. Enter the UDP port of the Syslog Server. Default: 514.
5. Routing. The following topics are covered in this chapter: Unicast Routing: Static Routing, RIP (Routing Information Protocol), Routing Table.
Unicast Routing: The Industrial Secure Router supports two routing methods: static routing and dynamic routing. Dynamic routing makes use of RIP V1/V2. You can either choose one routing method or combine the two methods to establish your routing table. A routing entry includes the following items: the destination address, the next address (which is the next router along the path to the destination address), and a metric that represents the cost we have to pay to access a different network.
Static Route: You can define the routes yourself by specifying the next hop (or router) to which the Industrial Secure Router forwards data for a spe
108. rap.
MIB Groups: The Industrial Secure Router also provides a MIB file, Moxa-EDRG903-MIB.my, on the Industrial Secure Router Series utility CD-ROM, for SNMP trap message interpretation.
109. raph is updated every few seconds, allowing the user to analyze data transmission activity in real time.
Monitor: System, Total Packets.
Event Log: (Screenshot: Event Log Table, page 1 of 524, listing events such as Configuration Change, Port Setting Configuration Change, VLAN Configuration Change, Port Link off, Port Link on, IGMP Snooping Configuration Change, and Power 1 Power Transition > On.)
The Event Log Table displays the following information:
- Index: the event index assigned to identify the event sequence.
- Bootup: shows how many times the Moxa switch has been rebooted or cold started.
- Date: the date is updated based on how the current date is set in the Basic Settings page.
- Time: the time is updated based on how the current time is set in the Basic Settings page.
- System Startup Time: the system startup time related to this event.
- Event: the events that occurred.
NOTE: The following events will be recorded in the Moxa industrial secure router's Event Log Table: Co
110. rks with more than one IP router, the router with the lowest IP address is the querier. A switch with an IP address lower than the IP address of any other IGMP querier connected to the LAN or VLAN can become the IGMP querier. When an IP host receives a query packet, it sends a report packet back that identifies the multicast group the end station would like to join. When the report packet arrives at a port on a switch with IGMP Snooping enabled, the switch knows that the port should forward traffic for the multicast group, and then proceeds to forward the packet to the router. When the router receives the report packet, it registers that the LAN or VLAN requires traffic for the multicast group. When the router forwards traffic for the multicast group to the LAN or VLAN, the switches only forward the traffic to ports that received a report packet.
IGMP version 3 supports source filtering, which allows the system to define how to treat packets from specified source addresses. The system can either white-list or black-list specified sources.
IGMP version comparison (IGMP Version / Main Features / Reference):
- V1: periodic query. RFC 1112.
- V2: compatible with V1 and adds: group-specific query; leave group messages; resends specific queries to verify that the leave message was the last one in the group; querier election. RFC 2236.
- V3: compatible with V1 and V2 and adds: source filtering: accept multicast traffic f
111. rmation of the person responsible for maintaining this EDR-G903. Default: none.
- Web Configuration: http or https: users can connect to the EDR-G903 router via the HTTP or HTTPS protocol. https only: users can only connect to the EDR-G903 router via the HTTPS protocol. Default: http or https.
Accessible IP: The EtherDevice Router uses an IP address-based filtering method to control access to EtherDevice Router units. (Screenshot: "Enable the accessible IP list" checkbox; when the list is disabled, all connections are allowed.)
Accessible IP Settings allows you to add or remove legal remote host IP addresses to prevent unauthorized access. Access to the EtherDevice Router is controlled by IP address: if a host's IP address is in the accessible IP table, then the host will have access to the EtherDevice Router. You can allow one of the following cases by setting this parameter:
- Only one host with the specified IP address can access this device. E.g., enter 192.168.1.1 / 255.255.255.255 to allow access to just the IP address 192.168.1.1.
- Any host on a specific subnetwork can access this device. E.g., enter 192.168.1.0 / 255.255.255.0 to allow access to all IPs on the subnet defined by this IP address / subnet mask combination.
- Any host can access the EtherDevice Router. Disable this function by deselecting the "Enable the accessible IP list" option.
- Any LAN can access the EtherDevice Rou
112. rom a specified source, or accept multicast traffic from any source except the specified source. RFC 3376.
Static Multicast MAC: Some devices may only support multicast packets but do not support IGMP Snooping. The Moxa industrial secure router supports adding multicast groups manually to enable multicast filtering.
Enabling Multicast Filtering: Use the USB console or web interface to enable or disable IGMP Snooping and IGMP querying. If IGMP Snooping is not enabled, then IP multicast traffic is always forwarded, flooding the network.
IGMP Snooping: IGMP Snooping provides the ability to prune multicast traffic so that it travels only to those end destinations that require that traffic, thereby reducing the amount of traffic on the Ethernet LAN.
IGMP Snooping Settings:
- Enable IGMP Snooping (Global): Enable/Disable. Check the Enable IGMP Snooping checkbox near the top of the window to enable the IGMP Snooping function globally. Default: Disabled.
- Query Interval: numerical value input by the user. Sets the query interval of the Querier function globally. Valid settings are from 20 to 600 seconds. Default: 125 seconds.
- Enable IGMP Snooping: Enable/Disable. Enables or disables the IGMP Snooping fun
113. roups can be used in this VPN tunnel; both VPN gateways must use the same algorithm to communicate. Aggressive: the Remote and Local VPN gateways will negotiate the algorithm to use from the user's configuration.
- Authentication: Pre-Shared Key / X.509. The authentication mode of the IPsec VPN. Default: Pre-Shared Key. In Pre-Shared Key mode, the user needs to key in the same Pre-Shared Key in the IPsec setting on both the Local and the Remote secure router. (Screenshot: Authentication Mode drop-down with Pre-Shared Key and X.509 options and Local/Remote certificate selection.) See the X.509 Certification section in this chapter for details. In X.509 mode, the user needs to upload the Local and Remote certificates first, and then select the certificates from the drop-down list.
- Encryption Algorithm: DES / 3DES / AES. The encryption algorithm used in the key exchange.
- Hash Algorithm: Any / MD5 / SHA-1 / SHA-256. The hash algorithm used in the key exchange.
- DH Group: DH1 (modp 768), DH2 (modp 1024), ... The Diffie-Hellman group used in the Key Exchang
Security caveat: DES, MD5 and the 768-bit and 1024-bit DH groups are considered weak today; choose AES, SHA-256 and the largest DH group that both gateways support, and do not leave the hash set to "Any" if the peer can be pinned to a single strong algorithm.
114. rrors, and these changes are incorporated into new editions of the publication.
Technical Support Contact Information: www.moxa.com/support
- Moxa Americas: Toll-free 1-888-669-2872, Tel +1-714-528-6777, Fax +1-714-528-6778
- Moxa China (Shanghai office): Toll-free 800-820-5036, Tel +86-21-5258-9955, Fax +86-21-5258-5505
- Moxa Europe: Tel +49-89-3-70-03-99-0, Fax +49-89-3-70-03-99-99
- Moxa Asia-Pacific: Tel +886-2-8919-1230, Fax +886-2-8919-1231
Table of Contents. Introduction: Overview, Package Checklist, Features, Industrial Networking Capability, Designed for Industrial Applications, Useful and Remote Configuration. Getting Started: RS-232 Console Configuration (115200, None, 8, 1, VT100), Using Telnet to Access the Industrial Secure Router's Console, Using a Web Browser to Configure the Industrial Secure Router. EDR-810 Series Features and Functions: Quick Setting Profile; System: System Information, User Account, Date and Time, Warning Notification, SettingCheck, System File Update by Remote TFTP, System File Update by Local Import/Export, Restart, Reset to Factory Default; Port: Port Settings, Link Aggregation (The Port Trunking Concept), Port Mirror; Using Virtual LAN: The VLAN Concept, Configuring Virtual LAN; Multicast: The Concept of Multicast Filtering, IGMP Snooping, IGMP Snooping Settings, IGMP Table, Stream Table, Static Multicast; QoS and Rate Control: QoS Classification, Map
115. rs in the page and then click Add to add it to the Modbus Filtering Table. Finally, click Activate to activate the configuration.
Delete Modbus TCP Filtering Rule: select the item in the Modbus Filtering Table, then click Delete to delete the item.
Modify Modbus TCP Filtering Rule: select the item in the Modbus Filtering Table, modify the attributes, and click Modify to change the configuration.
Activate Modbus TCP Filtering Table: after adding, deleting or modifying any Modbus TCP Filtering Rules, make sure to click Activate to activate the configuration.
Modbus policy parameters (Setting / Description / Factory Default):
- Enable/Disable Modbus Policy: Enable or Disable. Enables or disables the selected Modbus policy. Default: Enabled.
- Interface (From/To in the packet): WAN / LAN / All. Select the From interface and the To interface. Default: From All to All.
- Protocol: All / TCP / UDP. The Modbus policy will check UDP packets, TCP packets, or both. Default: All.
- Unit Identifier: 0 to 255. 0 indicates that this Modbus policy checks all UIDs. Default: 0.
- Function Code: refer to the Common function codes section. Select the function code parameters for this Modbus policy. When the function code is set to Manu
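The Modbus policy fields above (From/To interface, protocol, unit identifier with 0 meaning all UIDs, function code) are what the router matches against each Modbus/TCP frame. The following Python is an added example, not Moxa's implementation: it parses the MBAP header, models a policy table with those fields, and evaluates constructed sample frames. The choices that a malformed header is dropped before any policy is consulted, that policies are evaluated first-match, and that the default action is Drop are assumptions made for the example; the function-code numbers are from the Modbus specification, not from this page.

```python
import struct
from dataclasses import dataclass
from typing import FrozenSet, Optional

ANY = "All"   # wildcard value used by the router's Interface and Protocol fields


def build_modbus_tcp(unit_id: int, function_code: int, data: bytes, transaction_id: int = 1) -> bytes:
    """Assemble MBAP header + PDU; used here only to construct sample frames."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_modbus_tcp(payload: bytes) -> Optional[tuple]:
    """Return (unit_id, function_code), or None when the MBAP header is malformed:
    protocol id must be 0 and the length field must cover unit id + PDU exactly."""
    if len(payload) < 8:
        return None
    _tid, proto, length, uid, fc = struct.unpack(">HHHBB", payload[:8])
    if proto != 0 or length != len(payload) - 6:
        return None
    return uid, fc


@dataclass(frozen=True)
class ModbusPolicy:
    enabled: bool
    src_if: str                                 # "WAN", "LAN" or ANY
    dst_if: str
    proto: str                                  # "TCP", "UDP" or ANY
    unit_id: int                                # 0 means every UID, as the manual states
    function_codes: Optional[FrozenSet[int]]    # None means any function code
    target: str                                 # "Accept" or "Drop"

    def matches(self, src_if: str, dst_if: str, proto: str, uid: int, fc: int) -> bool:
        return (self.enabled
                and self.src_if in (ANY, src_if)
                and self.dst_if in (ANY, dst_if)
                and self.proto in (ANY, proto)
                and self.unit_id in (0, uid)
                and (self.function_codes is None or fc in self.function_codes))


def evaluate(policies, src_if: str, dst_if: str, proto: str, payload: bytes, default: str = "Drop") -> str:
    """First matching enabled policy decides; malformed frames never reach a policy."""
    parsed = parse_modbus_tcp(payload)
    if parsed is None:
        return "Drop"
    uid, fc = parsed
    for policy in policies:
        if policy.matches(src_if, dst_if, proto, uid, fc):
            return policy.target
    return default


# Constructed policy table (assumption): read-only function codes are allowed from the
# WAN into the LAN, anything originated on the LAN may go out, and a disabled rule that
# would have allowed writes shows that disabled policies are skipped.
POLICIES = [
    ModbusPolicy(True, "WAN", "LAN", "TCP", 0, frozenset({1, 2, 3, 4}), "Accept"),
    ModbusPolicy(True, "LAN", "WAN", ANY, 0, None, "Accept"),
    ModbusPolicy(False, "WAN", "LAN", "TCP", 0, frozenset({6, 16}), "Accept"),
]

# Constructed sample frames, not captured traffic.
READ_HOLDING = build_modbus_tcp(1, 3, b"\x00\x00\x00\x0a")    # FC 3: read 10 registers from 0
WRITE_SINGLE = build_modbus_tcp(1, 6, b"\x00\x01\x00\x2a")    # FC 6: write 42 to register 1
BAD_PROTO_ID = b"\x00\x01\x00\x01\x00\x06\x01\x03\x00\x00\x00\x0a"   # protocol id 1, not Modbus

if __name__ == "__main__":
    for name, frame in (("read", READ_HOLDING), ("write", WRITE_SINGLE), ("bad", BAD_PROTO_ID)):
        print(name, evaluate(POLICIES, "WAN", "LAN", "TCP", frame))
```

The order of the rules matters: a later Accept for function code 6 would never be reached for frames already matched by an earlier rule, which is the same "masked policy" situation the PolicyCheck function warns about for the IP firewall.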
116. s Features and Functions. WAN1 Configuration. (Screenshot: WAN1 Configuration with Connection Disable/Enable and Connection Type Dynamic IP.) Note that there are three different connection types for the WAN1 interface: Dynamic IP, Static IP and PPPoE. A detailed explanation of the configuration settings for each type is given below.
- Connection Mode: Enable or Disable. Enables or disables the WAN interface. Default: Enable.
- Connection Type: Static IP / Dynamic IP / PPPoE. Sets up the connection type. Default: Dynamic IP.
Detailed Explanation of Dynamic IP Type: (Screenshot: WAN1 Configuration, Connection, and DNS (optional for the Dynamic IP or PPPoE type).)
Point-to-Point Tunneling Protocol (PPTP) is used for Virtual Private Networks (VPN). Remote users can use PPTP to connect to private networks from public networks. PPTP Connection settings: Connection (Enable or Disable; enables or disables the PPTP connection; default none), IP Address (the PPTP service IP address; default none), User Name (max. 30 characters; the login username when dialing up the PPTP service; default none), Password (max. 30 characters; the password for dialing the PPTP service; default none).
117. s not provide an encryption function, so it is usually combined with IPsec to provide data encryption.
L2TP Configuration: (Screenshot: L2TP Server Mode Disable, Local IP 0.0.0.0, Offered IP Range 0.0.0.0 to 0.0.0.0, Login User Name and Password.)
- L2TP Server Mode: Enable/Disable. Enables or disables the L2TP function on the WAN1 or WAN2 interface. Default: Disable.
- Local IP: IP address. The IP address of the local subnet. Default: 0.0.0.0.
- Offered IP Range: IP address. The IP range offered to L2TP clients. Default: 0.0.0.0.
- Login User Name: max. xx characters. The user name for the L2TP connection. Default: NULL.
- Login Password: max. xx characters. The password for the L2TP connection. Default: NULL.
Examples for Typical VPN Applications. Site-to-Site IPsec VPN tunnel with Pre-Shared Key: The following example shows how to create a secure LAN-to-LAN VPN tunnel between the Central site and the Remote site via an Intranet network. (Figure: EDR-G903 (1) at the Central site, the Intranet network, and the Remote site.)
118. sm.
Syslog Server Settings: The Syslog function provides the event logs for the syslog server. The function supports 3 configurable syslog servers and syslog server UDP port numbers. When an event occurs, the event will be sent as a syslog UDP packet to the specified syslog servers. Each syslog server can be activated separately by selecting its checkbox. (Screenshot: Syslog Setting with an Enable checkbox per server.)
- Syslog Server 1/2/3: IP address. Enter the IP address of Syslog Server 1/2/3 used by your network. Default: none.
- Port Destination: 1 to 65535. Enter the UDP port of Syslog Server 1/2/3. Default: 514.
NOTE: The following events will be recorded in the Moxa industrial secure router's Event Log table and will then be sent to the specified Syslog Server: Cold start; Warm start; Configuration change activated; Power 1/2 transition (On); Power 1/2 transition (Off); Authentication fail; Port link off/on; Relay Warning Status.
Relay Warning Status: When a relay warning is triggered by either a system or a port event, the administrator can decide to shut down the hardware warning buzzer by clicking the Apply button. The event will still be recorded in the event list. (Screenshot: Relay Warning Status page.)
SettingCheck: (Screenshot: SettingCheck configuration with a timer.) SettingCheck is a s
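The two syslog passages on this page (the Syslog Setting table and the list of forwarded events) describe plain UDP syslog with no authentication: the collector can only trust what arrives, so the useful work happens on the receiving side. The following Python is an added example and is not Moxa's code: it encodes events in the BSD syslog datagram format (RFC 3164) a collector would see on UDP/514, parses such datagrams, and counts "Authentication fail" events per router as a brute-force indicator. The facility number, the exact message text, and the sample datagrams are all constructed for the example; the manual does not state the facility the router uses or the precise wording on the wire.

```python
import re
import socket
from collections import Counter

FACILITY_LOCAL1 = 17      # assumption: the manual does not state the facility the router uses
SEV_WARNING = 4
SEV_NOTICE = 5


def build_syslog(hostname: str, event: str, severity: int = SEV_NOTICE,
                 facility: int = FACILITY_LOCAL1, timestamp: str = "Jan  1 00:00:00") -> bytes:
    """Encode one event as the RFC 3164 datagram a collector receives: <PRI>TIMESTAMP HOST MSG."""
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {hostname} {event}".encode()


def send_to_collector(datagram: bytes, server: str, port: int = 514) -> None:
    """Fire-and-forget UDP send, exactly as the router does; nothing confirms delivery."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(datagram, (server, port))


_SYSLOG_RE = re.compile(rb"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


def parse_syslog(datagram: bytes):
    """Split PRI into facility/severity and return the fields, or None if not RFC 3164 shaped."""
    m = _SYSLOG_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": m.group(2).decode(), "host": m.group(3).decode(),
            "event": m.group(4).decode().strip()}


def count_auth_failures(datagrams) -> dict:
    """Return {host: n} for every router that reported 'Authentication fail' events."""
    counts = Counter()
    for d in datagrams:
        p = parse_syslog(d)
        if p and p["event"].startswith("Authentication fail"):
            counts[p["host"]] += 1
    return dict(counts)


def alert_hosts(datagrams, threshold: int = 3) -> list:
    """Routers with at least `threshold` failed logins: a credential-guessing indicator."""
    return sorted(h for h, n in count_auth_failures(datagrams).items() if n >= threshold)


# Constructed sample traffic (not captured from a real device): one router is being
# guessed at, the other shows one failure and a configuration change.
SAMPLE = ([build_syslog("EDR-810", "Cold start")]
          + [build_syslog("EDR-810", "Authentication fail", SEV_WARNING) for _ in range(4)]
          + [build_syslog("EDR-G903", "Authentication fail", SEV_WARNING),
             build_syslog("EDR-G903", "Configuration change activated")])

if __name__ == "__main__":
    print(count_auth_failures(SAMPLE), alert_hosts(SAMPLE))
```

Because the transport is UDP, a dropped or spoofed datagram is invisible to the collector; pair the syslog feed with the on-device Event Log when investigating, and put the collector on the trusted LAN side rather than behind the WAN.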
119. ss in the WAN network area. Default: none.
NOTE: The Industrial Secure Router can obtain an IP address via DHCP or PPPoE. However, if this dynamic IP address is the same as the WAN IP used for 1-to-1 NAT, then the 1-to-1 NAT function will not work. For this reason, we recommend disabling the DHCP/PPPoE function when using the 1-to-1 NAT function.
N-to-1 NAT: If the user wants to hide the internal IP addresses from users outside the LAN, the easiest way is to use the N-to-1 NAT function. The N-to-1 NAT function replaces the source IP address with an external IP address and adds a logical port number to identify the connection of this internal/external IP address pair. This function is also called Network Address Port Translation (NAPT) or IP Masquerading. The N-to-1 NAT function is a one-way connection from an internal (secure) area to an external (non-secure) area: the user can initiate a connection from the internal to the external network, but cannot initiate a connection from the external to the internal network. (Screenshot: Network Address Translation policy list.)
- Enable/Disable NAT Policy: Enable or Disable. Enables or disables the selected NAT policy. Default: Enabled.
- NAT Mode: 1-to-1 / N-to-1 / Port Forward. Select the NAT type.
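The one-way property of N-to-1 NAT described above falls out of how the translation table is built: an entry is created only by an outbound packet, and an inbound packet is translated only if it matches an existing entry. The following Python is an added example, not Moxa's NAT implementation; it models a minimal NAPT table with the external IP, the allocated external port, and the remote endpoint as the lookup key (a symmetric mapping, which is an assumption; the manual does not say what mapping type the router uses), and shows that unsolicited inbound traffic is dropped. Addresses and flows are constructed for the example.

```python
import itertools


class NToOneNat:
    """Many internal hosts share one external IP. Outbound flows allocate a fresh external
    port; inbound packets are only translated back when a matching entry already exists."""

    def __init__(self, external_ip: str, first_port: int = 1024):
        self.external_ip = external_ip
        self._next_port = itertools.count(first_port)
        self.outbound_map = {}   # (proto, src, sport, dst, dport) -> external port
        self.inbound_map = {}    # (proto, ext_port, remote, rport) -> (src, sport)

    def translate_outbound(self, pkt: dict) -> dict:
        """Rewrite source IP/port; create the table entry on the first packet of a flow."""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.outbound_map:
            ext_port = next(self._next_port)
            self.outbound_map[key] = ext_port
            self.inbound_map[(pkt["proto"], ext_port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.external_ip, "sport": self.outbound_map[key]}

    def translate_inbound(self, pkt: dict):
        """Return the packet rewritten to the internal host, or None when no entry exists:
        that None is exactly why the outside cannot initiate connections inward."""
        if pkt["dst"] != self.external_ip:
            return None
        inside = self.inbound_map.get((pkt["proto"], pkt["dport"], pkt["src"], pkt["sport"]))
        if inside is None:
            return None
        return {**pkt, "dst": inside[0], "dport": inside[1]}


def packet(proto: str, src: str, sport: int, dst: str, dport: int) -> dict:
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


if __name__ == "__main__":
    nat = NToOneNat("203.0.113.10")   # constructed external address
    out = nat.translate_outbound(packet("UDP", "192.168.127.10", 5000, "198.51.100.1", 53))
    print("outbound became", out["src"], out["sport"])
    print("unsolicited inbound ->",
          nat.translate_inbound(packet("TCP", "192.0.2.7", 4444, "203.0.113.10", 80)))
```

N-to-1 NAT hides addresses, not hosts: an internal host that initiates an outbound connection to an attacker-controlled server opens a translated return path for as long as the entry lives, so the NAT does not substitute for outbound firewall policy.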
120. st matches IP addresses to MAC addresses.
Static IP Assignment: In the above example, a device named Device 01 was added to the Static DHCP list with a static IP address set to 192.168.127.101 and a MAC address set to 00:09:ad:00:a8:01. When a device with the MAC address 00:09:ad:00:a8:01 is connected to the Industrial Secure Router, the Industrial Secure Router will offer the IP address 192.168.127.101 to this device. Note that the binding keys on the client's MAC address, which any host can set, so it is an addressing convenience rather than an access control.
- Static DHCP Enable/Disable: Enable or Disable. Enables or disables the Static DHCP server function. Default: Disable.
- Name: max. 30 characters. The name of the selected device in the Static DHCP table. Default: none.
- MAC Address: MAC address. The MAC address of the selected device. Default: none.
- Static IP: IP address. The IP address of the selected device. Default: none.
- Netmask: netmask. The netmask for the selected device. Default: 0.0.0.0.
- Lease Time: the lease time of the selected device. Default: none.
- Default Gateway: the default gateway for the selected device. Default: 0.0.0.0.
- DNS Server: IP address. T
121. t.
- End Date: user-adjustable date. The End Date parameter allows users to enter the date that daylight saving time ends. Default: none.
- Offset: user-adjustable offset. The Offset parameter indicates how many hours forward the clock should be advanced. Default: none.
- System Up Time: indicates the EDR-G903's running time since the last cold start. The unit is seconds.
- Time Zone: user-selectable time zone. The time zone setting allows conversion from GMT (Greenwich Mean Time) to local time.
NOTE: Changing the time zone will automatically correct the current time. You should configure the time zone before setting the time.
- Enable NTP/SNTP Server: enable this function to configure the EtherDevice Router as an NTP/SNTP server on the network.
- Enable Server Synchronize: enable this function to configure the EtherDevice Router as an NTP/SNTP client. It will synchronize the time information with another NTP/SNTP server.
- Time Server IP/Name: 1st Time Server: IP or domain address, e.g. 192.168.1.1, time.stdtime.gov.tw or time.nist.gov. Default: none. 2nd Time Server: the EtherDevice Router will try to locate the 2nd NTP server if the 1st NTP server fails to connect.
122. t: Select/Deselect. Check the appropriate checkboxes to select the Join ports for this multicast group. Default: none.
QoS and Rate Control. QoS Classification: (Screenshot: QoS Classification page with the Scheduling Mechanism set to Weight Fair (8:4:2:1) and per-port priority settings.) The Moxa switch supports inspection of layer 3 ToS and/or layer 2 CoS tag information to determine how to classify traffic packets.
- Scheduling Mechanism: Weight Fair / Strict. The Moxa industrial secure router has 4 priority queues. In the Weight Fair scheme, an 8:4:2:1 weighting is applied to the four priorities. This approach prevents the lower-priority frames from being starved of the opportunity for transmission, with only a slight delay to the higher-priority frames. In the Strict Priority scheme, all top-priority frames egress a port until that priority's queue is empty, and then the next lower-priority queue's frames egress. This approach can cause the lower priorities to be starved of the opportunity to transmit any frames, but ensures that all high-priority frames will egress the switch as soon as possible. Default: Weight Fair.
- Inspect ToS: Enable/Disable. Enables or disables the Moxa industrial secure rout
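The starvation trade-off between the two scheduling mechanisms above is easy to see by simulating both against saturated queues. The following Python is an added example, not Moxa's scheduler: it models four priority queues, serves them either strictly by priority or in 8:4:2:1 weighted rounds, and reports how many frames from each queue egress in a fixed number of transmission slots. The round-based weighted model and the sample frame counts are simplifications constructed for the example.

```python
from collections import deque

WEIGHTS = {3: 8, 2: 4, 1: 2, 0: 1}   # 8:4:2:1 for the four queues; 3 is the highest priority


def make_queues(frames_per_queue: int) -> dict:
    """Four saturated queues; each frame is tagged with the priority of its queue."""
    return {prio: deque([prio] * frames_per_queue) for prio in WEIGHTS}


def strict_priority(queues: dict, slots: int) -> list:
    """Always take from the highest non-empty queue; lower queues wait indefinitely."""
    served = []
    while len(served) < slots:
        for prio in sorted(queues, reverse=True):
            if queues[prio]:
                served.append(queues[prio].popleft())
                break
        else:
            break   # every queue empty
    return served


def weighted_fair(queues: dict, slots: int) -> list:
    """Each round offers queue p up to WEIGHTS[p] slots, so queue 0 is never starved."""
    served = []
    while len(served) < slots and any(queues.values()):
        for prio in sorted(queues, reverse=True):
            for _ in range(WEIGHTS[prio]):
                if queues[prio] and len(served) < slots:
                    served.append(queues[prio].popleft())
    return served


def egress_counts(served: list) -> dict:
    return {prio: served.count(prio) for prio in sorted(WEIGHTS, reverse=True)}


if __name__ == "__main__":
    print("strict  :", egress_counts(strict_priority(make_queues(20), 30)))
    print("weighted:", egress_counts(weighted_fair(make_queues(20), 30)))
```

The strict scheduler is the right choice only when the high-priority class is itself rate-limited; otherwise a single talkative device placed in the top queue can silence every lower queue on that port, which is a denial-of-service path rather than a performance setting.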
123. t. Once two or more devices on the network are recognized as a root, the devices will renegotiate to set up a new Spanning Tree topology.
- Enable STP per Port: Enable/Disable. Select to enable the port as a node on the Spanning Tree topology. Default: Disabled.
NOTE: We suggest not enabling the Spanning Tree Protocol on a port that is connected to an end device (PLC, RTU, etc.), as opposed to network equipment. The reason is that it will cause unnecessary negotiation.
- Edge Port: Auto: 1. If the port does not receive a BPDU within 3 seconds, the port will be in the forwarding state. 2. Once the port receives a BPDU, it will start the RSTP negotiation process. Force Edge: the port is fixed as an edge port and will always be in the forwarding state. False: the port is set as a normal RSTP port.
- Port Priority: numerical value selected by the user. Increase this port's priority as a node on the Spanning Tree topology by entering a lower number. Default: 128.
- Port Cost: numerical value input by the user. Input a higher cost to indicate that this port is less suitable as a node for the Spanning Tree topology. Default: 200000.
- Port Status: indicates the current Spanning Tree status of this port: Forwarding for normal transmission, o
124. tarted. RS-232 Console Configuration (115200, None, 8, 1, VT100).
NOTE: Connection Caution! We strongly suggest that you do NOT use more than one connection method at the same time. Following this advice will allow you to maintain better control over the configuration of your Industrial Secure Router.
NOTE: We recommend using Moxa PComm Terminal Emulator, which can be downloaded free of charge from the Moxa website.
Before running PComm Terminal Emulator, use an RJ45-to-DB9(F) or RJ45-to-DB25(F) cable to connect the Industrial Secure Router's RS-232 console port to your PC's COM port (generally COM1 or COM2, depending on how your system is set up). After installing PComm Terminal Emulator, perform the following steps to access the RS-232 console utility:
1. From the Windows desktop, click Start > Programs > PCommLite1.3 > Terminal Emulator.
2. Select Open in the Port Manager menu to open a new connection.
3. The Communication Parameter page of the Property window will appear. Select the appropriate COM port from the Ports drop-down list, 115200 for Baud Rate, 8 for Data Bits, None for Parity, and 1 for Stop Bits.
4. Click the
125. ter. Disable this function by deselecting the LAN option to not allow any IP at the LAN site to access this device. E.g., if the LAN IP address is set to 192.168.127.254 / 255.255.255.0, then IP addresses 192.168.127.1/24 to 192.168.127.253/24 can access the EtherDevice Router.
The following table shows additional configuration examples (Allowable Hosts / Input Format):
- Any host: Disable
- 192.168.1.120: 192.168.1.120 / 255.255.255.255
- 192.168.1.1 to 192.168.1.254: 192.168.1.0 / 255.255.255.0
- 192.168.0.1 to 192.168.255.254: 192.168.0.0 / 255.255.0.0
- 192.168.1.1 to 192.168.1.126: 192.168.1.0 / 255.255.255.128
- 192.168.1.129 to 192.168.1.254: 192.168.1.128 / 255.255.255.128
The Accessible IP list controls which devices can connect to the EtherDevice Router to change the configuration of the device. In the example shown below, the Accessible IP list in the EtherDevice Router contains 10.10.10.10, which is the IP address of the remote user's PC. (Figure: the remote user's address 10.10.10.10 shown in the EtherDevice Router's Accessible IP list, with "Enable the accessible IP list" checked.)
Password: The EtherDevice Router provides two levels of access privilege: admin privilege gives read/write access to all EtherDevice Router configuration
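The Accessible IP description earlier on this page and the example table above both reduce to one rule: a management connection is allowed when its source address, ANDed with an entry's subnet mask, equals that entry's address ANDed with the same mask; if the list is disabled, every source is allowed. The following Python is an added example, not Moxa's implementation; it applies that rule to a constructed list, and renders an address/mask entry as the "Allowable Hosts" column so each row of the table above can be checked.

```python
import ipaddress

# Constructed Accessible IP list in the router's (address, subnet mask) form; two rows
# of the manual's table are used here, they are not a recommended configuration.
ACCESSIBLE_IP_LIST = [
    ("192.168.1.120", "255.255.255.255"),   # exactly one host
    ("192.168.1.128", "255.255.255.128"),   # 192.168.1.129 to 192.168.1.254
]


def entry_matches(host: str, address: str, mask: str) -> bool:
    """The router's rule: (host AND mask) == (address AND mask)."""
    h = int(ipaddress.IPv4Address(host))
    a = int(ipaddress.IPv4Address(address))
    m = int(ipaddress.IPv4Address(mask))
    return (h & m) == (a & m)


def is_management_allowed(host: str, entries, enabled: bool = True) -> bool:
    """Disabled list: any host may connect. Enabled: the host must match some entry."""
    if not enabled:
        return True
    return any(entry_matches(host, address, mask) for address, mask in entries)


def describe_entry(address: str, mask: str) -> str:
    """Render an entry as the 'Allowable Hosts' column: a single host or a first..last range."""
    net = ipaddress.IPv4Network((address, mask), strict=False)
    if net.prefixlen == 32:
        return str(net.network_address)
    hosts = list(net.hosts())   # excludes the network and broadcast addresses
    return f"{hosts[0]} to {hosts[-1]}"


if __name__ == "__main__":
    for address, mask in ACCESSIBLE_IP_LIST:
        print(f"{address} / {mask}: {describe_entry(address, mask)}")
    for probe in ("192.168.1.120", "192.168.1.200", "192.168.1.5", "10.10.10.10"):
        print(probe, "allowed" if is_management_allowed(probe, ACCESSIBLE_IP_LIST) else "denied")
```

The filter keys on the source IP address alone, which an attacker on the same segment can forge, so treat it as a way to shrink the management attack surface, and keep strong credentials and https-only web configuration in place behind it; a list entry with the mask 255.255.255.255 is the only form that pins a single host.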
126. tory Default. Interface: All / WAN / WAN2 / LAN. Select the From interface and the To interface. Default: none.
- Protocol: refer to the table below. Select the Layer 2 protocol for this Firewall Policy. Default: none. See the "EtherType for Layer 2 Protocol" table for more details.
- EtherType: 0x0600 to 0xFFFF. When Protocol is set to Manual, you can set up the EtherType manually. Default: none.
- Firewall Policy Target: Accept: the packet will pass the Firewall when it matches this Firewall Policy. Drop: the packet will not pass the Firewall when it matches this Firewall Policy. Default: none.
- Source MAC Address: MAC address. This Firewall Policy will check the source MAC address of the packet. Default: 00:00:00:00:00:00.
- Destination MAC Address: MAC address. This Firewall Policy will check the destination MAC address of the packet. Default: 00:00:00:00:00:00.
The following table shows the Layer 2 protocol types commonly used in Ethernet frames (EtherType / Layer 2 Protocol):
- 0x0800: Internet Protocol version 4
- 0x0805: X.25 Level 3
- 0x0806: ARP (Address Resolution Protocol)
- 0x0808: Fra
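A Layer 2 policy as described above is decided from three header fields: destination MAC, source MAC and EtherType (taken from after the 802.1Q tag when a frame is VLAN-tagged). The following Python is an added example and is not the router's bridge-mode firewall: it parses an Ethernet II header, models a policy with the page's fields (the default 00:00:00:00:00:00 MAC treated as "match any", and a Manual EtherType restricted to the page's 0x0600 to 0xFFFF range), and evaluates constructed frames first-match. The MAC addresses, the rule set and the choice of Drop as the default action are assumptions made for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

ANY_MAC = "00:00:00:00:00:00"   # the page's default value, treated here as "match any"
ETH_P_8021Q = 0x8100


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes = b"", vlan: Optional[int] = None) -> bytes:
    """Constructed Ethernet II frame, optionally 802.1Q tagged; sample input only."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        header += struct.pack(">HH", ETH_P_8021Q, vlan & 0x0FFF)
    return header + struct.pack(">H", ethertype) + payload


def parse_frame(frame: bytes) -> Optional[dict]:
    """Return dst/src/ethertype/vlan; None for runts or for 802.3 length fields (< 0x0600)."""
    if len(frame) < 14:
        return None
    dst, src = mac_str(frame[:6]), mac_str(frame[6:12])
    etype = struct.unpack(">H", frame[12:14])[0]
    vlan = None
    if etype == ETH_P_8021Q:
        if len(frame) < 18:
            return None
        tci, etype = struct.unpack(">HH", frame[14:18])
        vlan = tci & 0x0FFF
    if etype < 0x0600:
        return None
    return {"dst": dst, "src": src, "ethertype": etype, "vlan": vlan}


@dataclass(frozen=True)
class L2Policy:
    ethertype: Optional[int]    # None = any protocol; a Manual value must be 0x0600..0xFFFF
    src_mac: str
    dst_mac: str
    target: str                 # "Accept" or "Drop"

    def __post_init__(self):
        if self.ethertype is not None and not 0x0600 <= self.ethertype <= 0xFFFF:
            raise ValueError("EtherType must be within 0x0600 to 0xFFFF")

    def matches(self, f: dict) -> bool:
        return ((self.ethertype is None or f["ethertype"] == self.ethertype)
                and self.src_mac in (ANY_MAC, f["src"])
                and self.dst_mac in (ANY_MAC, f["dst"]))


def decide(policies, frame: bytes, default: str = "Drop") -> str:
    """First matching policy decides; unparsable frames are dropped before any policy."""
    f = parse_frame(frame)
    if f is None:
        return "Drop"
    for policy in policies:
        if policy.matches(f):
            return policy.target
    return default


# Constructed addresses and rules (not from the manual): ARP is allowed from anyone,
# IPv4 from one PLC is dropped, IPv4 from everyone else is allowed, all else is dropped.
PLC, HMI, BROADCAST = "00:09:ad:00:a8:01", "00:09:ad:00:a8:02", "ff:ff:ff:ff:ff:ff"
POLICIES = [
    L2Policy(0x0806, ANY_MAC, ANY_MAC, "Accept"),
    L2Policy(0x0800, PLC, ANY_MAC, "Drop"),
    L2Policy(0x0800, ANY_MAC, ANY_MAC, "Accept"),
]
ARP_FRAME = build_frame(BROADCAST, PLC, 0x0806)
IP_FROM_PLC = build_frame(HMI, PLC, 0x0800)
IP_FROM_HMI_TAGGED = build_frame(PLC, HMI, 0x0800, vlan=10)

if __name__ == "__main__":
    for name, frame in (("arp", ARP_FRAME), ("ip from plc", IP_FROM_PLC), ("tagged ip", IP_FROM_HMI_TAGGED)):
        print(name, decide(POLICIES, frame))
```

A source-MAC rule is a labelling control, not an authentication control: any host can set its MAC to the PLC's and take on its treatment, so Layer 2 policies are best used to confine protocols (for example, only ARP and IPv4 across the bridge) rather than to identify devices.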
127. ...tory Default. Dual Homing: Select this item to change to the Dual Homing configuration. See the following page. Ring Coupling (backup): Select this item to change to the Ring Coupling backup configuration. See the following page. Ring Coupling (primary): Select this item to change to the Ring Coupling primary configuration. See the following page.

Network Redundancy: Layer 3 Redundant Protocols, VRRP Settings

VRRP Setting: Virtual Router Redundancy Protocol (VRRP) can solve the problem with static configuration. VRRP enables a group of routers to form a single virtual router with a virtual IP address. The LAN clients can then be configured with the virtual router's virtual IP address as their default gateway. The virtual router is the combination of a group of routers and is also known as a VRRP group.

Enable: Setting: Enable. Description: Enables VRRP. Setting: Disable. Description: Disables VRRP.

Interface: Setting: Enter the same virtual IP address as the VRRP ID. This virtual IP address must belong to the same address range as the real IP address of the interface. Setting: Enable. Description: Enables the VRRP entry. Factory Default: Disabled. L3 switches/routers in the same VRRP group must be ... (factory default 0.0.0.0).

Virtual Router ID: Virtual Router ID is used to assign a VRRP group. The L3 switches/routers which operate as master/backup s...
128. ...ual LAN. Setting up Virtual LANs (VLANs) on your Moxa industrial secure router increases the efficiency of your network by dividing the LAN into logical segments, as opposed to physical segments. In general, VLANs are easier to manage.

The VLAN Concept. What is a VLAN? A VLAN is a group of devices that can be located anywhere on a network, but which communicate as if they are on the same physical segment. With VLANs, you can segment your network without being restricted by physical connections, a limitation of traditional network design. With VLANs you can segment your network into:
- Departmental groups: you could have one VLAN for the marketing department, another for the finance department, and another for the product development department.
- Hierarchical groups: you could have one VLAN for directors, another for managers, and another for general staff.
- Usage groups: you could have one VLAN for email users and another for multimedia users.

[Figure: a backbone connects multiple switches; Department 2 is on VLAN 2 and Department 3 is on VLAN 3.]

Benefits of VLANs. The main benefit of VLANs is that they provide a network segmentation system that is far more flexible than traditional networks. Using VLANs also provides you with three other benefits:
- VLANs ease the relocation of devices on networks. With traditional net...
129. ...um, High.

ToS/DSCP Mapping. [ToS/DSCP mapping table: a grid of ToS/DSCP values mapped to the Low, Normal, Medium and High queues; the individual cells are not recoverable from the scan.]

ToS/DSCP Value and Priority Queues: Setting: Low, Normal, Medium, High. Description: Maps different ToS values to 4 different egress queues. Factory Default: 1 to 16: Low; 17 to 32: Normal; 33 to 48: Medium; 49 to 64: High.

Rate Limiting. In general, one host should not be allowed to occupy unlimited bandwidth, particularly when the device malfunctions. For example, so-called broadcast storms could be caused by an incorrectly configured topology or a malfunctioning device. Moxa industrial secure routers not only prevent broadcast storms, but can also be configured to a different ingress rate for all packets, giving administrators full control of their limited bandwidth to prevent undesirable effects caused by unpredictable faults.

[Rate Limiting configuration page: Ingress policy per port (Port 1: Not Limited, Port 2: Not Limited, Port 3: ...) with a Broadcast column; the remaining rows are not recoverable.]
130. ...vice will not change. The figure below illustrates how a user could extend production lines and use the same private IP addresses for internal devices in each production line. The internal private IP addresses of these devices will map to different public IP addresses. Configuring a group of devices for 1-to-1 NAT is easy and straightforward.

Network Address Translation. [Figure: "NAT Setting for EDR-G903 in Production Line 1" and "NAT Setting for EDR-G903 in Production Line 2"; the addresses shown in the figure are not recoverable.]

Enable/Disable NAT policy: Setting: Enable or Disable. Description: Enable or disable the selected NAT policy. Factory Default: None.

NAT Mode: Description: Select the NAT type. Factory Default: None.

Interface (1-1 NAT type): Setting: WAN1, WAN2. Description: Select the interface for this NAT policy. Factory Default: WAN1.

LAN/DMZ IP (1-1 NAT type): Setting: IP address. Description: Select the internal IP address in the LAN/DMZ network area. Factory Default: None.

WAN IP (1-1 NAT type): Setting: IP address. Description: Select the external IP addre...
131. ...works, network administrators spend much of their time dealing with moves and changes. If users move to a different sub-network, the addresses of each host must be updated manually. With a VLAN setup, if a host originally on VLAN Marketing, for example, is moved to a port on another part of the network and retains its original subnet membership, you only need to specify that the new port is on VLAN Marketing. You do not need to do any re-cabling.
- VLANs provide extra security. Devices within each VLAN can only communicate with other devices on the same VLAN. If a device on VLAN Marketing needs to communicate with devices on VLAN Finance, the traffic must pass through a routing device or Layer 3 switch.
- VLANs help control traffic. With traditional networks, congestion can be caused by broadcast traffic that is directed to all network devices, regardless of whether or not they need it. VLANs increase the efficiency of your network because each VLAN can be set up to contain only those devices that need to communicate with each other.

Managing a VLAN. A new or initialized Moxa industrial secure router contains a single VLAN, the Default VLAN. This VLAN has the following definition: VLAN Name: Management VLAN; 802.1Q VLAN ID: 1 (if tagging is required). All of the ports are initially placed on this VLAN, and it is the only VLAN that allows you to access the management software of the Moxa switch over the network.

Configuring Virtual LAN. To confi...
132. ...y shuts off port access.

Media Type: Setting: Media type. Description: Displays the media type for each module's port. Factory Default: N/A.

Description: Setting: Max. 63 characters. Description: Specifies an alias for the port to help administrators differentiate between different ports. Example: PLC 1. Factory Default: None.

Speed: Setting: Auto. Description: Allows the port to use the IEEE 802.3u protocol to negotiate with connected devices. The port and connected devices will determine the best speed for that connection. Factory Default: Auto. Setting: 10M Full (FDX), and the other fixed speeds. Description: Choose one of these fixed speed options if the connected Ethernet device has trouble auto-negotiating for line speed.

FDX Flow Ctrl: This setting enables or disables flow control for the port when the port's Speed is set to Auto. The final result will be determined by the Auto process between the Moxa switch and connected devices. Setting: Enable. Description: Enables flow control for this port when the port's Speed is set to Auto. Factory Default: Disabled. Setting: Disable. Description: Disables flow control for this port when the port's Speed is set to Auto.

MDI/MDIX: Setting: Auto. Description: Allows the port to auto-detect the port type of the connected Ethernet device and change the port type accordingly. Factory Default: Auto. Setting: MDI or MDIX. Description: Choose MDI or MDIX if the connected Ethernet device has trouble auto-negotiating for port type.