Contemporary Controls CTRLink EIAR-10T User Manual

Page 1
CTRLink-
Router
EIAR-10T
Internet Access Router
Fuggerstraße 1 B
04158 Leipzig
Tel.:
341-520359-0
Fax:
341-520359-16
Version 2.4.1, Oktober 2005
Page 2
Copyright
Contemporary Controls GmbH. All rights reserved. All rights are reserved, including those of translation, reprinting, and
reproduction of this manual, or parts thereof. No part of this manual may be reproduced, processed, copied, or transmitted in any way whatsoever (photocopy, microfilm, or other method) without the express written permission of Contemporary Controls GmbH, not even for use as training material, or using electronic systems. All rights reserved in the case of a patent grant or registration of a utility model or design.
Copyright © 2004 by Contemporary Controls GmbH
Fuggerstraße 1 B 04158 Leipzig
NOTE
We have checked the content of this manual for conformity with the hardware and software described. Nevertheless, because deviations cannot be ruled out, we cannot accept any liability for complete conformity. The data in this manual have been checked regularly and any necessary corrections will be included in subsequent editions.
We always welcome suggestions for improvement.
Trademarks
Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation.
All products mentioned herein may be trademarks or registered trademarks of their respective owners.
CTRLink
TM®
are trademarks registrated by Contemporary Controls
GmbH and Contemporary Control Systems Inc. HEYFRA® registrated trademark by HEYFRA ELECTRONIC GmbH
Handbuch: Manual CTRLink Router EIAR-10T Datei: manualrouter en 11-1-05.doc 26.10.2005 Revision c11-1/05
Page 3
Contents
1 Safety Notes 1-5
1.1 Graduated safety notes 1-5
1.2 Definitions 1-5
1.3 Hazards resulting from use other than as described 1-5
1.4 Hazards resulting from modifications and upgrades 1-5
1.5 Admitted personnel 1-6
1.5.1 Operator 1-6
1.5.2 Start-up engineer 1-6
1.5.3 Service engineer 1-6
1.6 Electrical connections 1-7
1.7 Safety regulations 1-7
1.8 Service and maintenance 1-8
1.9 Waste disposal 1-8
1.10 Liability 1-9
2 Use as Prescribed 2-10
2.1 Range of application 2-10
3 Description of Functions 3-11
3.1 General Description of Functions 3-11
3.2 Functioning of "Dial on Demand" 3-11
3.3 Functioning of "Dial–In Server" 3-12
3.4 Call-back functionality 3-13
3.5 Start-up 3-13
3.6 Connecting 3-13
3.7 The boot process 3-15
4 Configuration 4-16
4.1 Configuring options 4-16
4.1.1 Configuring via the Ethernet interface 4-16
4.1.1.1 Setting the IP address in accordance with the local network 4-16
4.1.2 Configuring via a null-modem cable 4-18
4.1.3 Configuring via the telephone network 4-18
1
Page 4
Contents
4.1.4 Configuring via the RS 232 interface 4-19
4.1.4.1 Available configuration services for different connections 4-19
4.2 Configuring via the Ethernet 4-19
4.2.1 Adaptation of the IP address 4-19
4.2.1.1 Windows 2000 4-20
4.2.1.2 Setting up the network card under Linux 4-22
4.2.2 Configuring via a null-modem cable 4-23
4.2.3 Configuring via the telephone network 4-27
4.2.4 Configuring via the RS 232 interface 4-30
4.3 Configuration services 4-31
4.3.1 Web browser 4-31
4.3.1.1 Menu option "General" 4-32
4.3.1.2 Menu option "Date & time" 4-34
4.3.1.3 General modem settings 4-35
4.3.1.4 Menu option "DNS" 4-37
4.3.1.5 Menu option "SSH" 4-38
4.3.1.6 Menu option "HTTP" 4-39
4.3.1.7 Menu option "Logging" 4-40
4.3.1.8 Menu option "Firewall" 4-42
4.3.1.9 Menu option "Firewall - Masquerading" 4-43
4.3.1.10 Menu option "Firewall - Routing" 4-43
4.3.1.11 Menu option "Firewall - Trusted Nets" 4-44
4.3.1.12 Menu option "Firewall – Destination NAT" 4-45
4.3.1.13 Menu option "Dial-out - modem" 4-46
4.3.1.14 Menu option "Dial-out - DynDNS" 4-47
4.3.1.15 Menu option "Dial-in" 4-48
4.3.1.16 Menu option "VPN server" 4-49
4.3.1.17 Menu option "VPN client 4-49
4.3.1.18 Menu option "Save settings" 4-50
4.3.1.19 Menu option "Restarting the router" 4-50
4.3.1.20 Menu option "Close PPP connections" 4-50
4.3.1.21 Menu option "Active network interfaces" 4-50
4.3.1.22 Menu option "Active VPN tunnel" 4-50
4.3.2 Configuration via the serial console 4-51
4.3.2.1 Changing the network address 4-51
4.3.2.2 Basic configuration 4-52
4.3.2.3 Configuring date and time 4-52
4.3.2.4 DNS configuration 4-53
2
Page 5
Contents
4.3.2.5 SSH configuration 4-53
4.3.2.6 HTTP configuration 4-54
4.3.2.7 Firewall configuration 4-54
4.3.2.8 Modem configuration 4-55
4.3.2.9 DynDNS configuration 4-57
4.3.2.10 VPN configuration 4-58
4.3.2.11 Logging configuration 4-59
4.3.3 Configuring using the SSH server 4-60
4.4 Configuring the client computers 4-62
4.4.1 Configuring the computers in the Routers Ethernet 4-62
4.4.2 Configuring a remote computer 4-63
5 Hardware 5-64
5.1 Dimensions 5-64
5.1.1 Internet Access Router 5-64
5.1.2 Top-hat rail 5-65
5.1.3 Swirl mounting 5-66
5.2 Installation notes 5-67
5.2.1 Mounting the router on the top-hat rail 5-67
5.2.2 Functional earthing of the Internet Access Router 5-67
5.3 Installation guidelines 5-67
5.4 Storage and storage temperatures 5-68
5.5 Operating temperature, humidity 5-68
5.6 Status display 5-69
5.6.1 Display "Modem connection active" 5-70
5.6.2 Display "Ethernet Interface active" 5-70
5.6.3 Display "Error" 5-70
5.6.4 Display "POWER on/off" 5-70
5.7 Connections / Interfaces 5-71
5.7.1 Power supply 5-71
5.7.2 Modem interface 5-72
5.7.3 Ethernet interface 5-72
5.7.4 RS-232 interface for the "Console" mode 5-72
5.7.5 RS-232 interface for the "External" mode 5-72
6 Technical Data 6-73
3
Page 6
Contents
7 Standards and Certifications 7-74
7.1 Harmonised standards 7-74
7.2 Certification to DIN EN ISO 9001 7-74
7.3 Approbations 7-74
7.4 CE marking 7-74
8 Symbols Used 8-75
4
Page 7
CAUTION
Safety Notes
1 Safety Notes
1.1 Graduated safety notes
In this Instruction Manual, safety notes are marked with a symbol and the keyword CAUTION or NOTE at the page margin. Safety notes are printed in bold letters and are marked with an outside border.
1.2 Definitions
The keyword CAUTION is used to warn you of a possibly hazardous situation.
NOTE
CAUTION
The keyword NOTE is used to draw your attention to an important recommendation to be observed.
1.3 Hazards resulting from use other than as
described
Use other than as prescribed may result in personal injuries to the user or third persons, as well as in material damage to the control system or the product, or in environmental damage. The Internet Access Router must only be used according to its intended purpose!
1.4 Hazards resulting from modifications and
upgrades
The Internet Access Router is an in-house development designed exclusively by our company.
1-5
Page 8
CAUTION
CAUTION
Safety Notes
Unauthorised modifications and amendments are not permissible. Such unauthorised modifications or amendments may impair the
proper operation of the remote diagnosis unit, resulting in personal injuries, material damage or environmental impairments and will render all liability on our part null and void.
1.5 Admitted personnel
Only sufficiently qualified and instructed personnel are allowed to operate the Internet Access Router!
It must only be started up by an electrical expert. Service and maintenance, as well as troubleshooting, must only be
carried out by qualified expert personnel.
1.5.1 Operator
The operator:
is an instructed person
who is authorised to turn on / turn off the equipment
1.5.2 Start-up engineer
The start-up engineer:
is an electrical expert
who carries out the start-up, observing strict precautions and
carries out the required test
1.5.3 Service engineer
The service engineer:
is a qualified expert
who services the electrical and mechanical components of the
control system
carries out maintenance work
carries out troubleshooting
1-6
Page 9
CAUTION
Safety Notes
1.6 Electrical connections
The Internet Access Router must be connected to an electrical supply system.
Power supply connection The Internet Access Router must only be connected to the
electrical supply system by an electrical expert. The power supply of the Internet Access Router must be provided
exclusively by a power pack which complies with DIN EN 60 742 (VDE 0551).
Make sure that an appropriate fuse is installed in the incoming supply feeder.
For operation of the Internet Access Router, please refer to the information provided in Chapter 6. "Technical Data".
CAUTION
1.7 Safety regulations
The Internet Access Router possesses a housing cover.
Electrical hazards The operation of the Internet Access Router is only allowed with
the housing closed.
The housing cover prevents:
persons from coming into contact with live parts;
the penetration of humidity and foreign substances, and
the impairment of system functions by electromagnetic interference
The housing cover must only be opened by electrical experts.
1-7
Page 10
CAUTION
Safety Notes
1.8 Service and maintenance
Service and maintenance work Improper service and maintenance may result in loss of life,
personal injuries, material damage or environmental impairments. Service and maintenance work, as well as troubleshooting, must
only be carried out by qualified expert personnel. Before performing service or maintenance work, always switch off
the power supply of the Internet Access Router first! Reinstall all panelling, protective covering and safety devices
immediately after completion of service and maintenance work and check their functioning.
CAUTION
CAUTION
Spare parts The use of inappropriate spare parts may result in loss of life,
personal injuries, material damage or environmental impairments. The spare parts must comply with the technical requirements of
the manufacturer. Use only original spare parts from Contemporary Controls.
1.9 Waste disposal
Electrical scrap (components, CRT units, etc.) may harm the environment.
Dispose of all electrical devices and materials according to the relevant environmental regulations or entrust an expert company with this job.
1-8
Page 11
NOTE
1.10 Liability
The contents of the present Instruction Manual are subject to technical modifications, which may result, in particular, from the continuous further development of the products made by Contemporary Controls. Contemporary Controls will not assume any liability for printing errors or any other inaccuracies contained in the present Instruction Manual, unless these are serious errors which are evidently known to Contemporary Controls. In addition, the "General Terms and Conditions for the Supply of Products and Services in the Electrical Industry" shall apply. Irrespective thereof, the relevant national and international standards and regulations will apply in addition to the notices and instructions contained in this Instruction Manual.
Use other than prescribed - exclusion of liability Contemporary Controls will not be liable for damage resulting
from use or application of the products not according to the intended purpose or other than as prescribed.
Safety Notes
NOTE
Use as prescribed or according to the intended purpose also includes the exact knowledge of this Instruction Manual. In particular, the notes and safety notes contained therein must be observed.
If you run the products together with other components, such as safety modules, control systems or sensors, always observe the relevant user information of such devices.
The Internet access routers dialling to an Internet provider via the public telephone network, results in telephone and dial-in changes. Contemporary Controls does not assume any liability for any charges, including changes in case of an inadvertent dial-in.
1-9
Page 12
Use as Prescribed
2 Use as Prescribed
2.1 Range of application
The Internet Access Router grants an industrial IP network access to the Internet via its integrated analog or ISDN modem.
It provides the transport of IP packets between IP-based industrial network and another network (e.g. Internet). The Internet access is activated automatically as necessary. The Internet Access Router is configured at its site of installation via the IP network, an RS 232 interface or externally via the telephone network.
In addition, access from a remote computer to the industrial IP network is also possible. Thus, clients installed in the network can be controlled via IP-based services (Telnet, SSH).
CAUTION
CAUTION
Any errors in configuring, in the execution of any work or operations, as well as inadvertent false operation may impair the proper functioning of the Internet Access Router, resulting in personal injury, or material or environmental damage. Therefore, only sufficiently qualified personnel are allowed to operate the router.
Always observe the safety notes!
The Internet Access Router is intended exclusively for use in machines complying with the scope of application of DIN EN 60204-1:1998-11 (Electrical Equipment of Machines).
Do not use the Internet Access Router in potentially explosive areas!
When connecting the device, observe, in particular, the information provided in the following sections:
1.6 Electrical connections
3.6 Connecting
6 Technical Data
2-10
Page 13
Description of Functions
3 Description of Functions
3.1 General Description of Functions
The Internet Access Router provides a local Ethernet based on TCP/IP the transition to another IP network via a PPP connection (long-distance data transmission).
This transition is normally provided via the internal modem integrated into the router (56k Analog Modem or ISDN Modem, see Chapter 6). This grants all clients integrated into the network access to a remote PPP server (Internet provider, in-house monitoring computer) via a single interface.
In this case, the connection is only established when necessary (IP packets addressed externally) and is cleared if not used for a longer period.
Additionally, an authorised computer may establish a direct PPP connection to the router via its integrated modem. By using this connection, the router can be monitored and configured.
Since the router shows a transparent behaviour with such a direct PPP connection, the clients working in the Ethernet can be addressed directly, and TCP/IP-based services, such as Telnet or FTP, can be used.
In addition, it is possible to establish a VPN connection via the Internet. A configurable firewall software is preinstalled, protecting the Ethernet
from unauthorised access from outside.
3.2 Functioning of "Dial on Demand"
As already mentioned, the Internet Access Router only establishes a connection to the Internet if required ("on demand"). This situation arises if the router receives an IP packet from your Ethernet, which possesses a target address outside the Ethernet. At this time, the router checks whether there is already a modem connection. If this is not the case, the router will dial a number specified by you using the internal or external modem. Then, a PPP program becomes active to establish an IP connection using the PPP protocol (Point-to-Point).
3-11
Page 14
NOTE
Description of Functions
Depending on the modem type you are using (analog or ISDN) and depending on the quality of the telephone line, this process may take up to 60 seconds. During this time, some applications trigger a timeout and will treat your query to the Internet as failed. It may therefore be necessary to adapt the timeout times of your programs.
The MODEM status LED is lit in green once the connection is established. After the PPP connection has been established, your query will be processed. The modem connection will remain active for a certain period which can be specified. Each computer in the Ethernet may use this connection. The period you are connected extends automatically with each query put to the Internet. If during this period no data traffic takes place, the connection is cleared automatically.
The status LED "MODEM" is lit in red once the connection is established or cancelled or interrupted.
The status LED "MODEM" is off if there is no PPP connection via the internal modem.
CAUTION
Check whether there are services in your network which put queries to the Internet automatically at cyclic intervals (e.g. Netscape Mail)
Such queries may result in an undesired connection or prevent a connection being cleared by creating external data traffic.
If necessary adapt your firewall settings accordingly (disabling of the port number of the service in "PORTS NOT FORWARDED"; Section 4.3.1.12)!
3.3 Functioning of "Dial–In Server"
The Internet Access Router is configured as a dial-in server by default. This means that the modem of the router may accept calls via the telephone network. Thus, a direct PPP (long-distance data transmission) connection may be established to the router.
When the router is called, the modem is requested to pick up. After picking up, a PPP server becomes active on the router and checks the authentication of the caller. Then the IP data set according to Section
4.3.1.15 is transmitted to the remote computer automatically.
If the connection is active, the MODEM status LED is lit in green. Now you may communicate transparently with the router services (Web
server, SSH) or the services provided by the clients integrated into the Ethernets.
3-12
Page 15
NOTE
Description of Functions
The connection is only cleared if this is specified manually by the remote computer.
Please note that dialling during an existing modem connection is not possible, since the telephone line is already busy.
3.4 Call-back functionality
The router can be configured such that it will not work as a dial-in server (see Section 4.3.1.15). Instead, in the case of an incoming call, it will hang up immediately and then automatically establish a connection to the Internet provider configured. The router can now be addressed in the Internet.
To address the router using its domain name, it is recommended to configure also an appropriate dynamic DNS provider when selecting this function (see Section 4.3.1.14).
To provide a secure connection via the Internet, it is additionally recommended to set up a Virtual Private Network (VPN).
3.5 Start-up
The start-up of the Internet Access Router is carried out in 3 steps:
Connecting
Executing the boot process
Configuring the router
3.6 Connecting
First connect the router to the hub (switch) at the 10-Base-T socket using a patch cable. If you want to connect only a single host to the router and not a complete network, use a cross-over cable.
Now connect the RJ-11 interface labelled with MODEM to a TAE socket using a telephone cable
3-13
Page 16
NOTE
Description of Functions
With this device, it is also possible to use an external modem (analog, ISDN, GSM), alternatively to the internal modem integrated into the router.
To do so, connect the modem to the RS232 interface of the router labelled EXTERNAL using an RS232 connection cable.
For configuration, the router may also be connected to a computer via the RS232 interface labelled "CONSOLE". This possibility, however, is not recommended, since errors could easily result in the configuration file when using this method. Therefore, you should use the console only in an extreme emergency.
Now connect the 24 V power supply to the POWER connection on the front side of the device.
Directly after connecting the power, the status display of the LEDs may vary; only the "Power" LED must be lit in green. The LED will only indicate the status correctly when starting the boot process, see 3.7.
NOTE
The ON condition could look as follows: ACTIVE MODEM: off
ACTIVE ETHERNET: red ERROR: orange POWER: green
The "orange" display is no error condition!
After switching on
1)
the power supply, the router will start booting.
When connecting the Internet Access Router, observe the notes provided in the Sections 1.6 Electrical connections1.6, 5.7 Connections / Interfaces and in Chapter 6 Technical Data.
1) The router does not have its own ON / OFF switch; connecting the operating
voltage is a function of the system/installation into which the remote diagnosis unit will be integrated.
3-14
Page 17
Description of Functions
3.7 The boot process
During the boot process, all services and programs required are started automatically.
This process will take approx. 2 minutes. Starting the boot process:
States of the LEDs:
ACTIVE MODEM: off ACTIVE ETHERNET: off ERROR: off POWER: green
The settings are loaded.
States of the LEDs:
ACTIVE MODEM: off ACTIVE ETHERNET: off ERROR: red POWER: green
A check is carried out to see whether the ETHERNET connection can be addressed.
States of the LEDs:
ACTIVE MODEM: off ACTIVE ETHERNET: red ERROR: red POWER: green
All relevant services, such as firewall and routing, are initialised. The configuration of the ETHERNET connection is finished.
States of the LEDs:
ACTIVE MODEM: off ACTIVE ETHERNET: green ERROR: red POWER: green
The boot phase is now completed; the router is ready for operation.
States of the LEDs:
ACTIVE MODEM: off ACTIVE ETHERNET: green ERROR: green POWER: green
3-15
Page 18
Configuration
4 Configuration
Before the router can be started up, it must be configured. The individual steps for starting up will be explained in the present chapter.
4.1 Configuring options
4.1.1 Configuring via the Ethernet interface
With this configuring option, a computer integrated into your Ethernet may be used for configuring. Either an SSH client or a standard web browser (recommended) must be installed on this PC.
When working with a web browser, the IP (Ethernet) address
192.168.1.100 is used by default to address the router. When
connecting via telephone, the address of the modem interface is
192.168.6.1. If your network uses an address other than 192.168.1.0,
please proceed as described in Section 4.1.1.1 and 4.2.1.
4.1.1.1 Setting the IP address in accordance with the local network
It is not always possible to set the local network to 192.168.1.x, or else the address 192.168.1.100 may already exist. The router can be set to any address via a serial connection using a terminal program to allow access via a browser. Any further configurations can subsequently be made in the browser.
You will need a PC on which a terminal program is installed, a free RS232 interface and an RS232 interconnecting cable.
The connection between computer and router is established using the RS232 interconnecting cable. To this end, connect a serial interface of the PC to the "Console" interface of your router. You can use the Windows program "HyperTerminal".
Windows already includes the terminal program HyperTerminal. Other terminal programs (such as "minicom" under Linux, etc.) are also supported.
The description provided below refers to HyperTerminal. First, establish a connection using "File - New Connection". Enter a
name for the new connection and select a symbol. Do not enter a dialling number under "Connect To"! Only the serial interface to be used is important.
The following settings are required for the serial interface:
4-16
Page 19
Configuration
Then click on the icon in the toolbar to start the connection. The connection is established.
A log-in window will appear on the router. If not, press ENTER. Enter the password (default: ctr) To set the IP address, type the command "setip" followed by the
address and the subnet mask of the local network using the following format. Please note the spaces!
Example: setip 192.168.1.150 255.255.255.0 The change is written to the configuration file of your router and stored
permanently using the command "save"; see the following illustration. For subnetting (a smaller network), it is additionally necessary to specify
the number of the significant bits.
Example: setip 192.168.1.150 255.255.255.80 25
CAUTION
The default value for a Class C network is 24.
The change in the IP address is only stored permanently in the flash of your router with the command "save". Without "save", all your changes are lost when the router is restarted.
4-17
Page 20
Configuration
The current IP address of the router can be interrogated in the terminal using the command "ifconfig". If you use the parameter "ifconfig eth0", only the IP address is displayed.
NOTE
The commands "setip", "save" and "ifconfig" are additional scripts and are therefore not shown in the list of "build-in commands".
4.1.2 Configuring via a null-modem cable
With this configuring option, the connection between computer and router is established using a null-modem cable. The relevant procedure is described in Section 4.2.2. Either a standard web browser (recommended) or an SSH client (not recommended) can be used for configuring the router.
4.1.3 Configuring via the telephone network
The user dials into the router via the telephone network. In this case, either the internal modem is used or else an external modem connected to the RS 232 interface "External". This connection constitutes a direct PPP (long-distance data transmission) connection. The router acts as a PPP server (see section 4.2.3). Either a standard web browser (recommended) or an SSH client (not recommended) can be used for configuring the router.
4-18
Page 21
Configuration
4.1.4 Configuring via the RS 232 interface
The router is connected to a PC via the RS 232 interface "Console" using a null-modem cable. The RS232 protocol is used directly so that no IP communication is possible. The difference to configuration using a zero-modem cable connected to the external modem connection is that no full PPP connection is created; the router cannot be addressed from the SSH or using a web browser.
The use of the RS 232 interface provides expanded diagnosis options through direct output of all screen contents to the serial CONSOLE output of the router, which is especially advantageous for the configuring and maintenance of the router itself. Access to the underlying network, however, is not possible.
It is also possible, however, to reload the original default settings if the router is configured not correctly if you press the ENTER key when prompted to do so during booting.
NOTE
4.1.4.1 Available configuration services for different connections
Ethernet Telephone
network RS 232
It is strongly recommended to use a web browser for configuring.
Web Browser RS232 SSH
possible not possible possible possible not possible possible
not possible possible not possible
4.2 Configuring via the Ethernet
4.2.1 Adaptation of the IP address
The initial configuration of the router must include an adaptation of the IP data of your router to the IP data of your Ethernet.
The following addresses are set by default:
IP Address 192.168.1.100 Network Address 192.168.1.0 Subnet Mask 255.255.255.0
4-19
Page 22
Configuration
If your Ethernet network address is also 192.168.1.0, you may skip the following instructions. In this case, you can proceed with Section 4.1 Configuring options.
In the operating systems Windows NT-SP6, Windows 2000, Windows XP or Linux/Unix, you may assign the network card of the appropriate computer more than one IP address (see Section 4.2.1.1 and Section 4.2.1.2). In addition, it is still possible to use the configuring options "via the telephone network" or "via the serial interface" (not recommended).
4.2.1.1 Windows 2000
To assign a network card one or several IP addresses under Windows2000, administrator rights are required.
Log in as administrator and open the Control Panel Dial-Up Networking. Display the properties of your LAN connection:
On this tab, select Internet Protocol (TCP/IP) and click on "Properties". You will see the current configuration of your network card (IP address, Gateway, DNS etc.) in the window which then appears. These settings remain unchanged. If you click on "Advanced" the window shown below appears.
4-20
Page 23
Configuration
The basic network settings are already entered here. To add a second IP address to your network card, click on "Add" in the upper field "IP addresses" and type 192.168.1.120 for the IP address and
255.255.255.0 for the subnet mask. Then click on OK; the result should
look as follows:
The computer you have just configured can now be seen both in the network 192.168.101.0 and in the network 192.168.1.0. It is therefore not necessary to restart Windows 2000.
Now call a browser and type the following address: 192.168.1.100 Thereafter, you will be prompted to enter your user name and your
password (default: user: admin, pass: ctr).
4-21
Page 24
Configuration
The welcoming text of the embedded web server will appear. To configure the router, proceed as described in Section 4.3.1.
4.2.1.2 Setting up the network card under Linux
To assign a network card two IP addresses under Linux, you must possess root rights. In addition, the use of a kernel 2.4.x or higher is recommended.
Open a console and assign your self temporary root rights:
¾ su
Password:
Type "ifconfig" to check the status of your network condition:
¾ ifconfig
eth0 ...
lo ...
Select the card you want to assign a second IP address (here: "eth0") and enter the following:
¾ ifconfig eth0:1 192.168.1.120 netmask 255.255.255.0
If you type "ifconfig" anew, the following should be output:
¾ ifconfig
eth0 ...
eth0:1 ...
lo ...
Thus, the interface "eth0" only possesses two IP addresses, and you can proceed configuring the router via the web interface. To do so, call a browser and type the following address: 192.168.1.100.
4-22
Page 25
Configuration
Thereafter, you will be prompted to enter your user name and your password (default: user: admin, pass: ctr).
NOTE
The welcoming text of the embedded web server will appear. Now you can proceed with Section 4.3.1.
4.2.2 Configuring via a null-modem cable
Prerequisites: A PC with web browser and a free 9-pin serial interface, as well as a
zero-modem cable are required. Connect the zero-modem cable to the free serial connection on the PC side, and to the RS 232 jack labelled "External" on the router side.
It is not relevant whether MS Windows or Linux is installed on your PC, because both operating systems include the required tools.
The method described here pertains to Windows 2000.
Now go to Control PanelÆNetwork Connections and start the "New Connection Wizard".
Choose "Connect directly to another computer" for the type of connection:
4-23
Page 26
Configuration
Set the role you want to choose for this computer in the next tab to "Host":
Now select the connection to which your zero-modem cable is connected:
Answer the next question with "Use connection exclusively":
4-24
Page 27
Enter a name for your connection (e.g.: "Zero modem"):
Configuration
Click on "Finish". If your PC attempts to establish a new connection immediately, this should first be cancelled.
To process the connection just established, choose "Properties" from the context menu:
On the "General" tab, click on the "Configure" button. In the dialog box that now appears, set the maximum transfer rate to 115,200 bits/s:
4-25
Page 28
Configuration
Now you can establish a connection. If you double-click on the zero­modem connection, the following screen should appear:
4-26
Page 29
Configuration
Enter ’extern’ as the user name for yourself, too, and ’ctr’ for the password (default values). Call a browser and type the address
192.168.7.1
Thereafter, you will be prompted to enter your user name and your password (default: user: admin pass: ctr).
NOTE
The welcoming text of the embedded web server will appear. Now you can proceed with Section 4.3.1 .
4.2.3 Configuring via the telephone network
Prerequisites: You will need a PC on which a Web browser is installed and a modem.
The PC must be connected to a different telephone connection with a separate number to that of the router. A long-distance data transmission will be established.
It is not relevant whether MS Windows or Linux is installed on your PC, because both operating systems include the required tools.
The method described here pertains to Windows 2000 only.
Now go to Control PanelÆNetwork Connections and start the "New Connection Wizard".
4-27
Page 30
Choose "Connect directly to another computer" for the type of connection:
Configuration
Enter the number of the telephone connection to which the router is connected:
If you are prompted to specify the availability of the connection, choose the option "Use connection exclusively":
4-28
Page 31
Configuration
Enter a name for your connection (e.g.: "Zero modem"):
If you are connected to a private telecommunications switching system, please note that no dialling tone is to be heart in the telephone. In this case, you must configure the modem such that it does not wait for the dialling tone. To this end, the initialisation command "ATX3" must additionally be entered in the tab "Advanced settings" in the modem configuration in the device manager of Windows 2000.
Use "Select" to establish a new connection:
Enter ’extern’ as the user name for yourself, too, and ’ctr’ for the password (default values). Now call a browser and type the following address: 192.168.6.1
4-29
Page 32
Configuration
Thereafter, you will be prompted to enter your user name and your password (default: user: admin, pass: ctr).
CAUTION
The welcoming text of the embedded web server will appear. Now you can proceed with Section 4.3.1 .
4.2.4 Configuring via the RS 232 interface
It is not recommended to use this type of configuration. It should only be used if you are absolutely conversant with the handling and programming of program commands in the terminal mode. Incorrect inputs or typing errors may result in the router no longer functioning.
If the router is configured incorrectly and no longer boots correctly, it is possible to restore the original default settings. To do so, press ENTER after you have been prompted to do so (on the console) while the router is booting. In this case, however, all settings you have made will be lost!
If you wish to configure the router using a browser, it is imperative that the router is installed in the same network with a network address not yet used. The default setting of the IP address is 192.168.1.100 with subnet mask 255.255.255.0. If you do not wish to set the IP address according to the local network, you can also set the IP address and the subnet mask via the serial interface to allow access via the network using a browser (see Section 4.1.1.1).
4-30
Page 33
Configuration
4.3 Configuration services
4.3.1 Web browser
You may use any browser which is able to handle frames as the configuration tool. The configuration has been tested successfully using Internet Explorer 5.x, Mozilla 1.x, Opera 7.x and Konquerer 3.x.
If the factory default settings have not been changed, the integrated web server of the router is started if you enter the IP address
192.168.6.1 (for modem) or 192.168.7.1 (for direct serial line) or
192.168.1.100 (for Ethernet) as the URL. The dialog box for you to
enter your user name and the password is displayed:
HINWEIS
The default user name is "admin", and the default password is "ctr". The exact appearance of the interrogation dialog box depends on the browser you are using.
The browser will create a dynamic web site from the configuration data of the router:
The exact appearance of the browser window depends on the browser you are using and its settings. The colour, font type and font size, line length and line feeds may deviate from the illustrations shown here.
4-31
Page 34
Configuration
The screen is divided into four areas. The "Navigation" area can be found on the left-hand side. Here you can
choose the functionalities. The meaning of the individual elements is explained in the following sections. The home page is called by clicking
on the house
in the top right window (see illustration above).
The central area is the actual working area. The settings are made here and status information is also displayed. The dialog language for the menus and help texts can be selected by clicking on the appropriate flag on the home page. Currently, German and English are supported, default language is English.
If necessary, help texts are displayed for the individual configuration options.
4.3.1.1 Menu option "General"
Click on the "Base" menu option to call the basic configuration menu of the router. Three general configuration settings can be made there:
the TCP/IP configuration
the configuration of the administrator access
the configuration of the serial console
These three configuration options will be explained in the following.
4-32
Page 35
Configuration
TCP/IP configuration
Enter the host and the domain name, as well as the IP address and the subnet mask of your router here. To activate the online help for the individual items, simply click on the appropriate menu option.
Brief info IP addresses:
An IP address consists of the number of the IP network and of the number of a host in this network.
192.168.1.100
Number of network Number of computer in network 192.168.1
The size of the network portion may be varied via this IP address. It is determined by the network class. The example uses network class C, three numbers for the network, and one for the client.
CAUTION
For IP addresses, any numbers between 1 and 254 are permissible. If a higher address is set, the router will not be found in the network by the browser. In this case, either restore the factory default settings or set a valid network address using the serial console (see Section 4.2.4).
Make sure that the address you are setting is not already assigned within the Ethernet. The default setting 192.168.1.100 corresponds to client no. 100 in a C class network with no. 192.168.1. Make sure that the IP address is the same as that of the network address.
Configuring the administrator access
Enter the password for administrator access in these fields. This can be max. 8 characters long and should consist of letters, digits and special characters. If nothing is entered here, the old password is kept.
4-33
Page 36
Configuration
It is strongly recommended to replace the default password ’ctr’ by your own password with 8 characters. Keeping the default password constitutes a significant breach in security.
CAUTION
Configuring the serial console
Here you can set the velocity of the serial console. If you connect the serial console to an IBM/PC (i386 or higher), you may keep the default value 115,200.
4.3.1.2 Menu option "Date & time"
This configuration menu is divided into two parts:
Set local date and local time
Configure the time zone / rules for daylight saving time
Configuring date & time
Here you must enter the local date and the local time. Setting of the time is necessary, for example, if you want to use the recording capabilities of your router (see Section 4.3.1.7).
Configuring time zone and daylight saving time
You can first enter here your time zone relative to the zero meridian (Greenwich). The sign will become negative (minus) if your time zone lies east of the zero meridian, and positive (plus) if it lies west. For Central Europe, for example, the value "-1" must be entered.
4-34
Page 37
Configuration
If switching between daylight saving time and standard time is required in the country where the router is used, select the relevant field. You may configure the rules applying in this country. In the European Union, daylight saving time always starts on the last Sunday in March, which can be set as the 5th Sunday in March. The return to standard time is on the last Sunday in October, which can be set as the 5th Sunday in October. If a month has only 4 Sundays, the time is nevertheless switched on the 4th (last) Sunday even if "5" has been chosen. In the USA, however, daylight saving time always starts on the 1st Sunday in April and must be configured accordingly.
4.3.1.3 General modem settings
The menu shown below can be used to make general settings for configuring your modem.
Configuring the internal modem analogue
The menu shown above can be used to configure the speed and the country code of your internal modem.
The country is selected via name of the country in the list box
country code
The country code is set by placing a tick in the checkbox. If the correct country is already set, the checkbox need not be ticked, since setting of the country code takes some time.
The internal modem supports the following country codes:
Australia Great Britain Korea South Africa Austria Greece Malaysia Spain Belgium Hong Kong Mexico Sweden Brazil Hungary New Zealand Switzerland China India Norway Taiwan Denmark Ireland Philippines The Czech Republic Finland Israel Poland The Netherlands France Italy Portugal Turkey Germany Japan Singapore USA/Canada
.
Modem
4-35
Page 38
CAUTION
Configuration
Always ensure that the modem has been assigned the correct country code; otherwise, you will not be allowed to dial in.
Please save your configuration immediately after changing the country code. Otherwise, all your settings are lost after a cold restart of your router.
To activate a changed country code, the router must be disconnected from the mains temporarily; a warm restart will not be sufficient.
Konfiguration des internen Modems ISDN
Use this menu to configure the baud rate and the MSN (Multiple Subscriber Number) of the internal modem. The MSN is the dialling number of the modem connected to a multiple device port.
Configuring the external modem
The configuration depends on the external modem you are using:
The menu shown above can be used to configure the speed and the country code of your external modem. For the country codes of the external modem, please refer to the manual of your external modem. The country code is set with placing the tick in the checkbox. If the correct country is already set, the checkbox need not be ticked, since setting of the country code takes some time. Furthermore, setting of the country code is not possible with certain modems.
4-36
Page 39
Configuration
If a GSM modem is connected to the external interface of your router, specify the AT command with which your PIN is transmitted to your modem, and the PIN itself. This PIN is transmitted to the GSM modem automatically upon completion of configuring and with each start. If an error occurs during these processes, check first the status of your GSM modem. If it is already logged in to your provider, the PIN will be denied with an error message.
Use this menu to configure the baud rate and the MSN (Multiple Subscriber Number) of the external modem. The MSN is the dialling number of the modem connected to a multiple device port.
4.3.1.4 Menu option "DNS"
4-37
Page 40
Configuration
The domain name service serves to resolve the names in a network. Resolving names means that each IP address is assigned a name which is easy to remember. This service is offered by the server.
In order not to be compelled to enter all hosts of the entire company or even of the entire Internet here, the DNS forwarder concept has been created. Any addresses which cannot be resolved by the local name server are forwarded to the host entered here. Therefore, specify either the IP address of the name server of your company or that of your Internet provider here.
In the bottom field, you can enter each host in your network to be dissolved by the router itself and assign the name the appropriate IP address.
4.3.1.5 Menu option "SSH"
Here you can configure the SSH daemon.
CAUTION
If you want to use the SSH daemon, the appropriate field must be activated. You can define at which port the SSH daemon is to be addressed. This is port 22 by default.
For security reasons, you may also enter a different port. Please observe that the relevant port must also be communicated explicitly to the SSH client you are using, see chapter 4.3.3.
For details on how to do this, please refer to the appropriate documentation of your SSH client (a suitable and tested client for Windows is "putty", for example;
http://www.chiark.greenend.org.uk/~sgtatham/putty/)
Please observe the port entered here must not be occupied by another service (DNS, HTTP, VPN etc.).
4-38
Page 41
Configuration
You may create a user for access to the SSH. If not, no additional user will be created, and only access to the administrator is granted via SSH.
NOTE
It is recommended to create an additional user here to provide an additional less privileged access to the system.
If you wish to create a user, it is imperative to enter a password; otherwise, you will not be permitted to create a user. The password follows the same rules as the password for access to the administrator (max. 8 characters, letter, digits, special characters, etc.).
4.3.1.6 Menu option "HTTP"
Since the HTTP server is required for configuring the router, it cannot be turned off. You may define the port and the user.
NOTE
Any changes you make here will only come into effect after restarting the router. In other words: You may first finish configuring the router without undue problems before you restart the router.
It is recommended to change both the user name and the password of the default user. Please note that the web server possesses its own user management so that neither the administrator (root), nor the SSH user have access to the web interface. Otherwise, the HTTP user specified here is not granted access to the router, neither via the serial console, nor via the SSH.
The default port for an HTTP server is 80; all browsers poll this port by default. If you want to use a different port here, you must add it in the address line of your browser. For example http://192.168.1.100:8080, sends an HTTP request to the host to port 8080 instead of port 80, specifying address 192.168.1.100.
4-39
Page 42
CAUTION
Please observe the port entered here must not be occupied by another service (DNS, SSH, VPN, etc.).
4.3.1.7 Menu option "Logging"
Configuration
If the logging service is activated, the router issues status messages regarding its current activities. All these status messages are generally output to the serial console. Additionally, you can configure here which status messages are to be forwarded to a so-called log-host (see below). The router can also forward status messages from computers in one network to a log-host in a different network.
To define which status messages are to be forwarded, appropriate rules can be defined. Each rule specifies the type of service to be logged (source), the type of the activities and the IP address of the log-host. The following services can be configured as the source:
auth All authentication services are monitored.
authpriv All services assigning access rights are monitored.
daemon All active server processes are monitored (SSH, HTTP,
DNS etc.).
kern The operating system kernel is monitored.
mark "Time marks" (signs-of-life) are sent off at regular
intervals.
syslog The logging service itself is monitored.
user All user processes are monitored.
4-40
Page 43
Configuration
The type of status messages ranges from very simple information up to critical errors. It is also possible to define that no more messages are received explicitly from certain services:
debug Creates status messages which may signal software
errors in the respective service.
Info Creates status messages that only serve for information of
the user.
notice Creates status messages with reference to things that are
to be handled in a special manner (no errors!).
warning Creates status messages that incorporate warnings.
err Creates status messages indicating errors.
crit Creates status messages indicating critical things (e.g.
hardware errors).
alert Creates status messages with reference to things that
should be corrected immediately (for example, errors in configuration files)
emerg Creates status messages indicating that the appropriate
service could either not be started or had to be cancelled.
4-41
Page 44
Configuration
4.3.1.8 Menu option "Firewall"
The firewall of the router offers two data filtering options:
a packet filter
a port filter
The packet filter always considers the IP addresses. It only passes IP packets with permitted IP addresses, and blocks packets of illegal addresses. As a rule, complete network(s) (areas) are enabled or disabled in order to prohibit or permit individual hosts selectively as required.
The router offers three preconfigured packet filters:
Masqueraded networks
These subnets are masked externally, i.e. these networks appear externally as a host.
Routed networks
Packets sent into these subnets are forwarded, but not masked.
CAUTION
Trusted networks
Packets exchanged between these subnets are forwarded unobstructed and are not masked. This makes sense, in particular, with reference to the port filter and to the black/white lists (see below).
In addition, the router keeps a black or white list of hosts for which the access to the routed / masked networks is to be permitted / prohibited explicitly.
A port filter assesses packets not by their source or target address, but by their target port. For example, all packets aimed at a certain port are discarded, or all packets of a certain port are transferred to another computer.
CAUTION !!! Any settings in the "Firewall" area pertain directly to the security
of your network. Any modifications should therefore only be made if you have the
appropriate knowledge.
4-42
Page 45
4.3.1.9 Menu option "Firewall - Masquerading"
Configuration
Specify the networks to be masked externally here. If you are using unofficial IP addresses, such as 192.168.x.x, and if the router is nevertheless to be used for access to the Internet, it is imperative to specify them here.
Please observe that any network addresses always contain "xxx.xxx.xxx.0" (i.e. always end with zero).
For each network specified, either the appropriate subnet address must also be specified, or else the number of bits set in the subnet mask (significant bits).
4.3.1.10 Menu option "Firewall - Routing"
Routing
Packets belonging to connections established by hosts in these subnets are forwarded by the router. Furthermore, packets sent into these networks are not masked.
The same syntactic rules apply as for the masked networks.
4-43
Page 46
Configuration
Host filter
Certain computers may be granted access specifically to other networks (white list) or else, conversely, it is possible to prohibit some computers access to other networks (black list). In this case, the packet filter will merely pass packets of the specified computers or else it will block precisely these.
If no computer is to be prohibited communication via the router, define an empty black list. This is also the default configuration.
4.3.1.11 Menu option "Firewall - Trusted Nets"
By using this configuration menu, the disabling of routing for certain ports (see below) and the black/white list can be disabled for certain networks. Here you can specify subnets which are trusted.
A typical example is the routing of NetBios ports (Windows enables) between two LANs which are assigned data via two network cards of the Linux fli4l router. In this case, all trusted networks must be specified.
In this conjunction, contrary to the masked or routed networks, all networks must be specified between which packets are to be forwarded. Therefore, at least two networks must be specified to ensure that correct firewall rules can be generated.
4-44
Page 47
Configuration
4.3.1.12 Menu option "Firewall – Destination NAT"
Destination NAT
For various Internet protocols it is imperative to divert a connection established for a computer from the outside to the internal network. If the network is masked externally ("IP masquerading", see 4.3.1.19), i.e. only one official IP address exists for the entire LAN, certain ports or protocols to which access is to be granted from the outside can be diverted to a certain internal computer. This is called port forwarding or "Destination Network Address Translation", briefly "DNAT".
Port access
The routing via certain IP ports can be prevented. For example, it makes sense to prohibit the routing for the NETBIOS ports 137 to 139. Thus, not only the routing of IP packets with specified ports "to the outside" is prevented, but also the routing of these ports between two LANs.
If you run several network cards for several subnets and you want that some clients from a directory of a client, which is shared under Windows, may access from another subnet, the forwarding of the NETBIOS ports should not be prevented here. In this case, trusted networks (see 4.3.1.11) can be specified between which the routing of these ports is nevertheless explicitly permitted.
4-45
Page 48
4.3.1.13 Menu option "Dial-out - modem"
Configuration
Dial-out (for example, into the Internet) is possible via the internal or the external modem. This dial-out into the Internet is done once the router receives a request for an IP address which does not belong to "its" network and which it can not assign otherwise to any of its known networks.
Instead of the internal modem, an external modem connected via the serial interface "Ext. modem" can also be used. The default dialling string can be changed in the field "Dial-out modem commands". For automatic hang-up, a wait time in seconds can be set in the field "Dial­out Timeout".
More than one destination can be defined. If more than one destination is defined the function "Dial on Demand" is deactivated. To dialout the button "Dial" must be activated manually. The manual activation also works if only one destination is defined and function "Dial on Demand" is activated accordingly.
With firmware version 2.2 or above the Dial-Out can be deactivated completely. Be aware then a Callback is not longer possible.
Either only the internal or only the external modem can be configured for dial-out at the same time. This, however, has no influence on the configuration for dial-in (see Section 4.3.1.15).
4-46
Page 49
Configuration
4.3.1.14 Menu option "Dial-out - DynDNS"
With version 2.0 and higher, the router offers the facility to register with a DynDNS provider in the Internet so that it can be addressed using a fixed host name. This possibility can be configured here.
To be able to use this capability, you must first register with a DynDNS provider. The router in its current version supports the following providers:
FreeDNS (http://freedns.afraid.org)
CJB.NET (http://cjb.net/)
Companity (http://www.staticip.de/)
DHS International (http://www.dhs.org/)
DNS2Go (http://dns2go.deerfield.com/)
The Art of DNS (http://dnsart.com/)
DtDNS (http://www.dtdns.com/)
DynAccess (http://dynaccess.de/)
DynDNS (http://dyndns.org/)
DynDNS DK (http://dyndns.dk/)
dyn.ee (http://dyn.ee/)
eisfair.net (http://eisfair.net/)
Fidosoft (http://fidosoft.de)
hn.org (http://hn.org/)
KONTENT (http://www.kontent.de/)
Nerdcamp (http://nerdcamp.net/)
No-IP (http://www.no-ip.com/)
Regfish (http://www.regfish.com)
SelfHost (http://selfhost.de/)
ZoneEdit (http://zoneedit.com/)
4-47
Page 50
Configuration
Please note that the relevant DynDNS provider must be entered as the first name server on the client side to be able to resolve the host name of the router correctly.
4.3.1.15 Menu option "Dial-in"
Dial-in can be performed either via the external or via the internal modem. It is irrespective of the dial-out.). In other words: The modem configured for dial-out can also additionally be configured here for dial­in. It is also possible, however, that both modems wait for incoming calls simultaneously.
The difference between dial-in and call-back is that in dial-in the dialling computer establishes a direct telephone connection to the computer. With call-back, the router recognises that it was dialled, hangs up immediately and either calls back or calls the Internet provider, depending on how it was configured in the dial-out (see Section
4.3.1.13).
With the external connection, it can be configured here that not a modem, but a zero-modem cable has been connected so that a connection is possible via zero-modem cable.
4-48
Page 51
4.3.1.16 Menu option "VPN server"
Configuration
The VPN server can be used to establish secure (encrypted; 128bit blowfish encryption) connections to the router. To this end, a VPN server must be started on the router which will then assign the router a virtual IP.
To be able to communicate with this server, a VPN client must be started on the opposite side. This can be either also a router (see Section 4.3.1.17) or a Linux PC on which the relevant software is installed (BSD, Solaris) (http://vtun.sourceforge.net/).
4.3.1.17 Menu option "VPN client
The VPN client can establish a connection to a VPN server and thus establish an encrypted connection across the Internet. To this end, either a second router can be used as server (see Section 4.3.1.16) or an appropriately configured Linux computer (BSD, Solaris) (http://vtun.sourceforge.net/
).
4-49
Page 52
Configuration
4.3.1.18 Menu option "Save settings"
This menu option serves to save all changes made in the configuration permanently. Any changes are only held in the user memory until saving; they are lost when restarting the PC. The error LED of the router is lit in red during the saving process.
4.3.1.19 Menu option "Restarting the router"
This menu option can be used to restart the router. This process may take several minutes. The router is ready again for operation if the following LEDs are lit in green: "Power", "Error" and "Ethernet".
To activate a changed country code for the internal modem, the router must be disconnected from the mains temporarily; warm restart via the menu is not sufficient.
CAUTION
4.3.1.20 Menu option "Close PPP connections"
Use this menu option to close all modem connections currently active.
4.3.1.21 Menu option "Active network interfaces"
Use this menu option to display all network interfaces currently active and to display various status information.
4.3.1.22 Menu option "Active VPN tunnel"
Use this menu option to display all VPN servers and VPN clients currently active, as well as all active connections.
4-50
Page 53
CAUTION
Configuration
4.3.2 Configuration via the serial console
This configuration method is not recommended. It should only be used if you are absolutely sure with the handling and programming of program commands in the terminal mode. Incorrect inputs or type errors may have the effect that the router does not function any more.
Log in to the system of the router as described in Section 4.2.4. After you have entered the command "e3em /etc/rc.cfg", an integrated editor opens. At the same time, the central configuration is displayed as plain text. Use the arrow keys for navigation.
Keyboard assignment of the integrated editor: Ctrl + X, then F - Load file
HINWEIS
Ctrl + X, then S - Save current file Ctrl + X, then C - Quit editor
Only the command "spiwr" will save all settings in the flash of your router. If you then reboot the system, your changes come into effect.
A large part of the configuration file consists of internal settings which should not be changed.
All entries which can be changed will be specified here. We will here forego an explanation of the principle of action; it corresponds to the appropriate menu options of the web interface. Each item specified here can also be addressed via the web interface which is therefore recommended for configuring.
4.3.2.1 Changing the network address
If you only wish to change the network address to grant a browser access to the router, change the following lines:
IP_ETH_1_IPADDR='192.168.1.100'
IP_ETH_1_NETMASK='255.255.255.0'
MASQ_NETWORK='192.168.1.0/24 ...
TRUSTED_NETS='192.168.1.0 ...
4-51
Page 54
4.3.2.2 Basic configuration
HOSTNAME=’heyfra’
.... the host name of the router
DOMAIN_NAME='lan.fli4l'
.... the domain name of the router
PASSWORD='ctr'
.... the password of the administrator access of the router
IP_ETH_1_IPADDR='192.168.1.100'
.... the IP address of the router
IP_ETH_1_NETMASK='255.255.255.0'
Configuration
.... the netmask of the router
SER_CONSOLE_RATE='115200'
.... the baud rate of the serial console
The country code of the modem cannot be controlled via the file </etc/rc.cfg>. To this end, the script <setCountry> is included in the scope of supply. The command "setCountry -h" in the command line indicates all country codes possible.
"setCountry device <code>" will set the modem specified in <device> to <code>. <device> must be either:
/dev/ttyS1 for the external modem, or
/dev/ttyS2 for the internal modem
If no <code> is specified, the script will simply output the country code currently set for the appropriate modem.
4.3.2.3 Configuring date and time
TIME_INFO='UCT-1UCST,M3.5.0,M10.5.0'
Configuring time zone and daylight saving time; meaning:
UCT-1: Subtract an hour from the Greenwich Time.
UCST: This time zone possesses a daylight saving time.
M3.5.0: The daylight saving time starts on the last (5) Sunday (0) of
the third (3) month.
4-52
Page 55
Configuration
M10.5.0: The daylight saving time ends on the last (5) Sunday (0)
of the third (10) month.
In this file, date and time cannot be set. To this end, the commands
"date" and "hwclock" which must be used on the console.
4.3.2.4 DNS configuration
START_DNS='yes'
.... corresponds to "Start DNS server?"
DNS_FORWARDERS='145.253.2.11'
.... corresponds to "External DNS server of provider / company"
HOST_1_NAME='kai'
.... first host name of the "LIST OF HOSTS FOR DNS"
HOST_1_IP='192.168.101.44'
.... the IP which is to be assigned to the appropriate host name (in this
case, the first one)
HOSTS_N='2'
.... number of entries in HOST_X
4.3.2.5 SSH configuration
OPT_SSHD='yes'
.... corresponds to "Start DNS server?"
SSHD_PORT='22'
.... port to be used by the SSH server
SSHD_USERS_1_NAME='sshuser'
.... name of the SSH user
SSHD_USERS_1_PASSWD='ssh'
.... password of the SSH user
4-53
Page 56
4.3.2.6 HTTP configuration
HTTPD_PORT='80'
.... web server to be used by the SSH server
HTTPD_USER_1='admin'
.... user name for the web server
HTTPD_PASS_1='ctr'
.... password for the web server
4.3.2.7 Firewall configuration
MASQ_NETWORK='192.168.1.0/24'
.... networks to be masked (separate by spaces)
Configuration
ROUTE_NETWORK='192.168.6.0/24 192.168.7.0/24'
.... networks to be routed (separate by spaces)
TRUSTED_NETS=' '
.... trusted networks (separate by spaces; either at least 2 or none)
FORWARD_HOST_WHITE='no'
.... host list is white list or black list
OPT_PORTFW='yes'
.... Activate port forwarding?
PORTFW_N='0'
.... number of ports to be forwarded
PORTFW_1_SOURCE='1024'
.... first port to be forwarded
PORTFW_1_PROTOCOL='tcp'
.... protocol on the first port whose data are to be forwarded
PORTFW_1_TARGET='192.168.1.45'
.... target host for the data of the first port
4-54
Page 57
Configuration
FORWARD_DENY_PORT_N='1'
.... number of ports at which the acceptance of data is to be denied
FORWARD_DENY_PORT_1='445 reject'
.... port whose data are to be denied ("reject" is a keyword and is
repeated in each entry).
4.3.2.8 Modem configuration
OPT_MODEM='yes'
.... Configure modem for dial-out?
MODEM_DEV='ttyS2'
.... If instead of the internal modem the external modem is to be used
for dial-out, enter here "ttyS1", otherwise "ttyS2".
MODEM_SPEED='115200'
.... speed of the modem
MODEM_DIALOUT='0,0192658'
.... number of the Internet provider
MODEM_TIMEOUT='200'
.... time of inactivity after which the modem is to hang up
MODEM_USER='msn'
.... user name with the Internet provider
MODEM_PASSWD='msn'
.... password with the Internet provider
INT_DIALIN='yes'
.... Configure internal modem for dial-in?
INT_CALLBACK='no'
.... Configuring the internal modem for call-back (CAUTION: If both
dial-in and call-back are activated, the modem will be configured to "Dial-in".)
4-55
Page 58
INT_IPADDR='192.168.6.1'
.... local IP address to be assigned for dial-in
INT_PEER='192.168.6.2'
.... remote IP address to be assigned for dial-in
INT_USER='intern'
.... log-in name for dial-in / call-back
INT_PASS='ctr'
.... password for dial-in / call-back
EXT_DIALIN='yes'
.... Configure external modem for dial-in?
Configuration
EXT_CALLBACK='no'
.... Configuring the external modem for call-back (CAUTION: If both
dial-in and call-back are activated, the modem will be configured to "Dial-in".)
EXT_NULLMODEM='yes'
.... Instead of a modem, a zero-modem cable is connected to the
external modem interface.
EXT_SPEED='38400'
.... speed of the external modem
EXT_IPADDR='192.168.7.1'
.... local IP address with dial-in
EXT_PEER='192.168.7.2'
.... remote IP address with dial-in
EXT_USER='extern'
.... user name for dial-in / call-back
EXT_PASS='ctr'
.... password for dial-in / call-back
4-56
Page 59
4.3.2.9 DynDNS configuration
OPT_DYNDNS='yes'
.... Start dynamic DNS?
DYNDNS_N='1'
.... number of DynDNS providers you are using
DYNDNS_1_PROVIDER='FIDOSOFT'
.... name of the DynDNS provider; possible entries are:
AFRAID for afraid.org
CJB for cjb.net
COMPANITY for Companity
DHS for DHS International
Configuration
DNS2GO for DNS2Go
DNSART for The Art of DNS
DTDNS for DtDNS.net
DYNACCESS for dynaccess.de
DYNDNSDK for DynDNS.dk
DYNDNS for DynDNS.org
DYNEE for dyn.ee
DYNEISFAIR for eisfair.net
FIDOSOFT for fidosoft.de
HAMMERNODE for hn.org
KONTENT for Kontent.de
NERDCAMP for nerdcamp.net
NOIP for No-IP.com
REGFISH for Regfish.com
SELFHOST for SelfHost.de
ZONEEDIT for zoneedit.com
DYNDNS_1_USER='heyfra'
.... log-in name with the DynDNS provider
DYNDNS_1_PASSWORD='router'
.... log-in password with the DynDNS provider
4-57
Page 60
Configuration
DYNDNS_1_HOSTNAME='heyfra.fidosoft.de'
.... host name to be to be registered with the DynDNS provider
4.3.2.10 VPN configuration
VTUND_SERVER_1_NAME='tunnel01'
.... name of the VPN server session
VTUND_SERVER_1_PASS='ctr'
.... password for the VPN server session
VTUND_SERVER_1_PORT='4326'
.... port of the VPN server
VTUND_SERVER_1_COMPRESS='z2'
.... compression rate of the VPN connection (min.: z0; max. z9)
VTUND_SERVER_1_SERVERIP='192.168.1.254'
.... virtual local IP address of the VPN server
VTUND_SERVER_1_CLIENTIP='192.168.2.254'
.... virtual remote IP address of the VPN client
VTUND_SERVER_1_CLIENTNETMASK='255.255.255.0'
.... virtual netmask of the VPN connection
VTUND_CLIENT_1_NAME='tunnel01'
.... name of the VPN server session
VTUND_CLIENT_1_PASS='ctr'
.... password for the VPN server session
VTUND_CLIENT_1_HOST='heyfra.fidosoft.de'
.... real host name of the computer on which the VPN server runs
VTUND_CLIENT_1_PORT='4326'
.... port to be used by the VPN client
VTUND_CLIENT_1_SERVERIP='192.168.1.254'
.... virtual local IP address of the VPN client
4-58
Page 61
Configuration
VTUND_CLIENT_1_SERVERNETMASK='255.255.255.0'
.... virtual netmask of the VPN connection
4.3.2.11 Logging configuration
OPT_SYSLOGD='yes'
.... Activate logging of status messages
SYSLOGD_REMOTE='yes'
.... Forward status messages of remote hosts
SYSLOGD_MARK_INTERVALL='60'
.... time interval for the logging time marks in minutes
SYSLOGD_DEST_N='1'
NOTE
.... number of logging rules
SYSLOGD_DEST_2='*.* @192.168.1.123'
.... First logging rule: Structure: <source.type@targethost>. Which
sources are possible and which types of status messages can be logged can be found in the Description in Section 4.3.1.7.
Use the "spiwr" command to save all your settings in the flash of the router. If you then reboot the system, your changes come into effect.
4-59
Page 62
Configuration
4.3.3 Configuring using the SSH server
For configuration using the SSH server, you will need an SSH client on your configuration computer. Appropriate tools can be downloaded from the Internet both for Windows and for Linux. A Windows client is also included on the supplied CD ("Putty").
The following settings are nessesary in the PuTTY in menu "Session": Host Name or IP address: IP-Address of the router, see
chapter Fehler! Verweisquelle konnte nicht gefunden werden.
Port: adjusted Port-Nummer in the router, see chapter Fehler! Verweisquelle konnte nicht gefunden werden.
Protocol: SSH
If the connection was established successfully, the router will request the user to log in. Enter "root" to log in and "ctr" as the password (factory-default settings).
4-60
Page 63
Configuration
All further configuration steps are identical to those for configuring via the "Serial console" (see Section 4.3.2):
After configuration, clear the SSH connection using the EXIT command. SSH is a telnet-like access to a remote computer. The only difference is
that SSH will encrypt the entire communication.
4-61
Page 64
Configuration
4.4 Configuring the client computers
To run the client computers with the router, no special software needs to be installed, but some configuring notes must be observed.
4.4.1 Configuring the computers in the Routers Ethernet
All IP packets sent from the Ethernet to the outside must always be routed via the router. This must be known to all clients.
Therefore, the Ethernet IP address of the router (default:
192.168.1.100) must be specified as the standard gateway off all clients
in the Ethernet. If the internal DNS server of the router is activated, you may address
the hosts in the Ethernet using names instead of IP addresses (see Section 4.3.1.4). Here again, the IP address of the DNS server (Ethernet IP address of the router) must be specified for all clients.
4-62
Page 65
Configuration
4.4.2 Configuring a remote computer
The remote computer has to be connected to an analog modem or ISDN modem, depending from the type of router. Only the same kind of modems can communicate each other.
The steps described below refer to a windows system. When a remote computer dials into the router with a direct PPP
connection, the modem interface of the computer gets assigned a dynamic IP address. So no configuring is necessary. The standard gateway of this computer is also adapted automatically.
To access the clients in the routers network with their host name, the IP address of the DNS server (factory default 192.168.1.100) has to be set.
The remote computer can be connected to another ethernet network (i.e. the office network). It should be considered that the network address of this interface is different from the routers network addresses (see figure).
If both networks have the same address range, the packets for the routers network will be misdirected into the local network of the remote computer!
To be on the safe side, all three networks should have different network addresses (see figure).
4-63
Page 66
Hardware
5 Hardware
5.1 Dimensions
This Chapter provides all relevant information on the dimensions of:
Internet Access Router
Top-hat rail
5.1.1 Internet Access Router
The sketch below shows the dimensions of the Internet Access Router:
Dimensions [mm] Height 155 Width 45 Depth 137
5-64
Page 67
Hardware
5.1.2 Top-hat rail
To fasten the router, a top-hat rail which complies with the standard EN 50022 is required.
1
35
7,5
Fasten this top-hat rail on the control cubicle rear wall such that a conductive connection is provided.
Observe the instructions of the manufacturer with reference to fastening.
NOTE
NOTE
Mounting
To the montage hangs the appliance on the top-hat rail at the desired position and locks through pressure to the back.
Releasing The top-hat rail adapter is offered in two variants, resulting in the
different direction of movement when unhooking from the top-hat rail. Therefore, before unhooking, check whether the router is to be moved upwards or downwards against the retaining spring.
To remove the device, unhook it by pushing it firmly upwards or downwards, and then remove it forwards from the top-hat rail.
5-65
Page 68
Hardware
5.1.3 Swirl mounting
There ary two mounting plates intended for mounting of the device on the swirls. The mounting plates ary fastened with screws on the rear side of the housing and must B mounted ace shown in the illustration. The top-hat rail adapters must B removed if you mount the device on the swirls.
NOTE
Mounting using at top-hat rail Mounting on the swirls
When mounting at top-hat rail adapters on the rear of the housing, it is imperatives to observe the correct position of the retaining jumps:
Plastic variant: Retaining jumps at the bottom Aluminums variant: Retaining jumps at the top CAUTION: Incorrect mounting will reduce the retaining force of the
top-hat rail adapters. Only use the original screws of the top-hat rail; longer screws will
damage the electronics of your router! The screws to be used are M3 x 8 round head for adapters with plastic insert and M3 x 4 countersunk head for aluminium adapters.
5-66
Page 69
Hardware
5.2 Installation notes
Make sure that at least 30 mm of clearance is left above the module. A space of 35 mm must be provided beneath the module to route the
cables for the interfaces and for the power supply.
5.2.1 Mounting the router on the top-hat rail
The device is intended for mounting on a top-hat rail to DIN EN 50022. Pull the top-hat rail downwards, at the same time pushing the device back onto the top-hat rail. To remove the device, unhook it upwards, and while pushing it up, lift it from the top-hat rail.
5.2.2 Functional earthing of the Internet Access Router
For functional earthing, make a connection between the "Functional earth" terminal on the housing of the router and the equipotential bonding of the control cubicle.
The connection "Functional earth" serves purely operational functions (modem function).
Make sure that the cross-section of the interconnecting line does not exceed 4 mm
2
.
5.3 Installation guidelines
The specified maximum operating temperature pertains to the air
temperature beneath the router (air inlet).
Observe a sufficient clearance to devices emitting strong
electromagnetic radiation (such as frequency converters, transformers, motor controllers, etc.). The clearance between these devices and the Internet Access Router should be as large as possible. If necessary install partition walls as shielding (MU metal).
Do not plug or remove the devices during operation!
Before removing a router, also remove the relevant plugs and
connectors.
5-67
Page 70
Hardware
Do not connect or remove the connectors if the supply lines are still
live (all-pole disconnection).
5.4 Storage and storage temperatures
The following values apply for storage:
Storage temperature: -20 to +60 °C
Humidity: 30 to 95 % (non-condensing)
5.5 Operating temperature, humidity
The following values apply for operation: Operating temperature for
vertical mounting position: 0 to +60 °C
Humidity: 30 to 95 % (non-condensing)
5-68
Page 71
5.6 Status display
A total of four LEDs are to be found on the front side of the Internet Access Router to display the current operating condition.
Hardware
5-69
Page 72
5.6.1 Display "Modem connection active"
LED Description OFF Modem not in use. Green steady light The router has activated a modem connection. Red steady light The modem connection was interrupted.
5.6.2 Display "Ethernet Interface active"
LED Description OFF Not connected Green steady light Ethernet interface active
Hardware
Red steady light Connected, but no Ethernet interface found.
5.6.3 Display "Error"
LED Description OFF -
Green steady light Red steady light The device is in the phase of initialisation.
The phase of initialisation is completed. The device is ready for operation.
5.6.4 Display "POWER on/off"
LED Description OFF The supply voltage is turned off. Green steady light The supply voltage is turned on.
5-70
Page 73
Hardware
5.7 Connections / Interfaces
The connection for the power supply and four interfaces are to be found on the front side of the Internet Access Router:
5.7.1 Powe r supply
The router can be powered either with +10 … 36 V DC or 8 … 24 V AC. The power consumption is approx. 10 W.
DC Power Supply AC Power Supply
5-71
Page 74
Hardware
AC power supply Redundant DC power supply from safety battery
CAUTION
Power supply connection The Internet Access Router must only be connected to the
electrical supply system by an electrical expert. The power supply of the Internet Access Router must be provided
exclusively by a power pack which complies with DIN EN 60 742 (VDE 0551).
Make sure that an appropriate fuse is installed in the incoming supply feeder.
5.7.2 Modem interface
The router module possesses an analog modem or an ISDN modem. It is connected to the local telephone network via an RJ11 connector.
5.7.3 Ethernet interface
The device possesses a 10 Mbit Ethernet controller. It is connected to the industrial Ethernet via an RJ45 connector.
5.7.4 RS-232 interface for the "Console" mode
The RS232 interface "Console" is intended for connecting a PC or a laptop with which the start-up and parameterisation may be carried out locally (see Section 3.6).
5.7.5 RS-232 interface for the "External" mode
The device is prepared for operation of an additional RS232 interface. Communication channels using this interface will be set up upon request.
5-72
Page 75
Technical Data
6 Technical Data
Type designation
EIAR-10T/A with integrated Analog Modem EIAR-10T/I with integrated ISDN Modem
Design
Material of the housing Aluminium Colour RAL 5002 ultramarine, fine structure, dull Degree of protection - housing IP40 Degree of protection - terminals IP20
Protection against hazardous shock currents
Mechanical Data
Dimensions H x W x D 155 x 45 x 137 mm fastening on the top-hat rails to DIN 50 022
Connection technique
- Connections of the power supply
- Modem
- Ethernet Conductor cross-sections of the power supply connections
Safety extra-low voltage + protective separation
Plug connectors with self-disengaging screw terminals Connector, type RJ11 Connector, type RJ45 min. 0.5 mm² max. 2.5 mm²
Ambient Conditions Ambient temperature -
operation Ambient temperature - storage -20 ... +60 °C
Relative humidity - operation min. 30 % / max. 90 % (non-condensing) Relative humidity - storage min. 30 % / max. 90 % (non-condensing)
0 ... +60 °C
Electrical Data
The power supply of the Internet Access Router
Power supply
Rated operating voltage 10 … 36 V DC / 8 … 24 V AC Rated operating capacity 10 W Fuse, external T1A Rated frequency 50 Hz ... 60 Hz
must be provided exclusively by a power pack which complies with DIN EN 60742 or VDE 0551.
6-73
Page 76
Standards and Certifications
7 Standards and Certifications
7.1 Harmonised standards
EN 50081-1 Noise emission for residential, commercial and light­industrial environment
EN 61000-6-2 Noise immunity for the industrial environment
7.2 Certification to DIN EN ISO 9001
Contemporary Controls GmbH is certified to ISO 9001.
7.3 Approbations
7.4 CE marking
EU Low-Voltage Directive EC Certificate of Conformity on request
7-74
Page 77
8 Symbols Used
Connection for the functional earthing
Mains transformer
+
d.c. power supply source
+
Symbols Used
Battery (emergency power)
8-75
Page 78
Notes
8-76
Loading...