Contemporary Controls EIGR Series, EIGR-VX, EIGR-V, EIGR-E, EIGR-EX Application Manual

Application Guide – EIGR Series
EIGR – Skorpion Gigabit Wired IP Routers
The EIGR series of high-speed routers link two 10/100/1000 Mbps Internet Protocol (IPv4) networks together — passing appropriate traffic while blocking all other traffic. One network is the local-area-network (LAN) and the other is the wide-area-network (WAN). The built-in stateful firewall passes communication initiated on the LAN-side while blocking WAN-side initiated communication. The EIGR incorporates an Ethernet switch for multiple LAN-side connections. An external Ethernet cable or DSL modem attached to the WAN-side can be used to connect to the Internet.
EIGR Skorpion Gigabit IP Router Features
Web page configuration
10/100/1000 Mbps WAN port
4-port 10/100/1000 Mbps Ethernet LAN switch
PAT, NAT and Port Forwarding and Port Range Forwarding
Remote Router Access and Whitelist
Stateful firewall (can be disabled)
DHCP client (WAN) and DHCP server (LAN)
DIN-rail mounting
Diagnostic LEDs
CE Mark, RoHS, UL 508, C22.2 No. 142-M1987
24 VAC/VDC powered
Operates over 0 to 60°C (EIGR Series)
Operates over -40 to +75°C (EIGR-X Series)
AG-EIGR0000-AA0
EIGR – Skorpion Gigabit IP Router
With a DIN-rail mounting clip, rugged metal enclosure and the ability to be powered from a low-voltage power source, the EIGR is ideal for automation systems.
Although the EIGR has many of the same features found in high-end routers, it is simple to install and commission. A resident DHCP server on the LAN-side will provide IP addresses to LAN-side clients while a DHCP client on the WAN-side will accept IP address assignments from the attached network. Static addressing is accommodated as well. Configuration is via a web browser using authentication.
The lower portion of the router connects the local-area-network or the LAN side. The upper portion of the router connects the wide-area-network or the WAN side. A firewall - which can be disabled by the user - separates the two portions. A stateful firewall makes decisions based upon the structure of the message and who is initiating and who is responding.
Quick Disconnect 4-pin Power Connector: provides connections to a DC or AC source and a connection for a backup source
35 mm DIN-rail Clip: for convenient control panel installation
Power LED: Power OK indicator
Reset Switch: returns the EIGR to its default IP address settings
Writeable Label: for a helpful record of connected IP devices
Built-in Ethernet Switch: connect up to four 10/100/1000 Mbps Ethernet devices with auto-negotiation and Auto-MDIX
Metal Enclosure: rugged packaging for tough environments
Diagnostic LEDs: indicate the status of Link and Activity
Web Page Configuration
Setup Menu: displays the screen shown on this page
Menu Bar: provides quick access to all main screens
Resident Help Screens: provide immediate assistance on any feature on any screen
For More Information: each screen has a convenient link to our website
Secure Login – From Any IP-connected Computer
Administration Menu: displays this screen
Save or Retrieve Configuration
Default Username is “admin”. Entering a new value is recommended. Default restored if reset switch is used.
Default Password is “admin”. Entering a new value is recommended. Default restored if reset switch is used.
Remote Router Access: Disabled by default. Enable if configuration is desired from a web browser on either LAN side or WAN side.
Administration Port: Default setting of 8080 can be changed after Remote Router Access is enabled, but well-known ports are not recommended.
Stateful Firewall – Promotes Secure Communication
The lower part of the router connects the LAN side (the local-area-network). The upper part connects the WAN side (wide-area-network). A firewall (which can be disabled by the user) separates the two parts.
A firewall controls the passing of messages from one side of a router to the other. A stateful firewall acts on the structure of the message and who is initiating and who is responding.
Originating requests from the LAN side and corresponding responses from the WAN side pass through the firewall. But traffic originating from the WAN side is blocked from the LAN side unless the firewall is adjusted to allow it. This protects the LAN side from unauthorized WAN access.
[Figure: stateful firewall. LAN side: inbound or outbound requests or replies. WAN side: inbound or outbound traffic. WAN requests are blocked unless the firewall is changed to allow them.]
Status and Configuration Report – Just a Click Away
Status Menu: displays the screen shown on this page
If the EIGR is enabled as a DHCP Server, clicking the View LAN DHCP Clients button brings up another window to view the status of the LAN devices being served.
Advanced Features – for Demanding Situations
Advanced Menu: displays these menu options
Firewall Enabled by Default: This can be disabled to allow customised routing situations.
Network Address Translation: Specify up to 30 NAT entries.
Port Forwarding (Port Mapping): Devices on the WAN port can initiate messages to LAN devices using up to 100 specified IP ports when the firewall is enabled.
Whitelist: Up to 10 public devices can initiate messages to LAN devices when the firewall and port forwarding are enabled.
Port Range Forwarding: Devices on the WAN port can initiate messages to LAN devices using an IP port in one of the 20 ranges when the firewall is enabled.
NAT Loopback: Allows a LAN-side device to target the router’s WAN-side IP address and use its Port Forwarding table to access other LAN-side devices.
Application #1 – A Cable Modem Connection to the Internet
In the WAN Setup, the default Connection Type is DHCP – where a DHCP server on the WAN side will automatically assign an IP address, subnet mask, default gateway address and one or more DNS addresses to the WAN side of the IP router. Some cable modems have DHCP server functionality.
[Figure: cable modem connection. Addresses shown: 192.168.92.1, 192.168.92.101, 192.168.92.102.]
If a DHCP server is unavailable on the WAN network, you must make static IP entries for the WAN side of the router. Enter the IP address, subnet mask, default gateway address and one or more DNS addresses when using the Static IP option.
Application #2 – A DSL Modem Connection to the Internet
With DSL modems, the PPPoE protocol must be selected — and a username and password provided. Once a connection is established, the ISP furnishes all the needed WAN IP address assignments.
[Figure: DSL modem connection. Addresses shown: 192.168.92.1, 192.168.92.101, 192.168.92.102.]
Application #3 – Cascaded Routers for Additional Isolation
For increased security and isolation, IP routers can be cascaded. Make sure that each LAN-side subnet address is unique when cascading IP routers. The left-most IP router can have its WAN-side IP address assigned using DHCP client or by using static IP address assignment.
The illustration shows a pair of EIGR routers, but the right-most router could also be some other type of router — perhaps one already existing in the business system — because the EIGR supports standard Internet protocols.
[Figure: two cascaded routers. Addresses shown: 192.168.92.1, 192.168.92.101, 192.168.92.102, 192.168.93.1, 192.168.93.101, 192.168.93.102.]
Application #4 – Limiting BACnet Traffic
When attaching BACnet devices to IP networks it is possible that the IP network has been sub-netted through the use of IP routers. Most IP routers will not pass broadcast messages which are crucial to BACnet’s operation. The solution is to incorporate BACnet/IP Broadcast Management Device (BBMD) functionality within the BACnet internetwork.
The BBMD concept requires that a broadcast message originating on one subnet be encapsulated into a directed message and sent to all remote subnets since these directed messages will pass through IP routers. Once the encapsulated messages are received on the remote subnets, a BBMD device will decode the message and resend it on its local subnet as a broadcast message.
[Figure labels: Field Controllers; BASRT-B, route between BACnet/IP and BACnet MS/TP.]
Therefore, it would appear that a BBMD device must be present on each subnet in order to provide this encoding and decoding function.
However, this is not the case if all the BACnet/IP devices support Foreign Device Registration (FDR). At a minimum, one BBMD device is required to be located on one of the subnets with FDR devices registering to this one BBMD. This is what is shown in the example with a BAS Router providing BBMD functionality while allowing for foreign device registration. Notice that connecting to a BACnet MS/TP network is an option.
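
The encapsulation step described above, as an added example that is not Contemporary Controls code: a BBMD re-wraps an Original-Broadcast-NPDU as directed Forwarded-NPDU messages using BACnet/IP BVLC framing, and the remote side unwraps it. The function names, the peer addresses and the constructed Who-Is frame are assumptions for illustration.

```python
# Added illustration (not vendor code): BBMD re-wrapping with BACnet/IP BVLC framing.
import socket
import struct

BVLC_TYPE = 0x81                  # BACnet/IP
FORWARDED_NPDU = 0x04
ORIGINAL_BROADCAST_NPDU = 0x0B

def parse_bvlc(frame):
    """Split a BVLC frame into (function, payload), checking type and length."""
    if len(frame) < 4:
        raise ValueError("short BVLC header")
    btype, func, length = struct.unpack("!BBH", frame[:4])
    if btype != BVLC_TYPE or length != len(frame):
        raise ValueError("malformed BACnet/IP frame")
    return func, frame[4:]

def bbmd_forward(frame, origin, peers):
    """Turn a local broadcast into directed messages, one per remote peer.
    origin is the sender's (ip, port); peers are hypothetical BBMD or
    registered foreign-device addresses. Returns [(destination, frame)]."""
    func, npdu = parse_bvlc(frame)
    if func != ORIGINAL_BROADCAST_NPDU:
        return []                 # only broadcasts need this treatment
    addr = socket.inet_aton(origin[0]) + struct.pack("!H", origin[1])
    header = struct.pack("!BBH", BVLC_TYPE, FORWARDED_NPDU,
                         4 + len(addr) + len(npdu))
    return [(peer, header + addr + npdu) for peer in peers if peer != origin]

def unwrap_forwarded(frame):
    """Remote side: recover the original sender and the NPDU to rebroadcast."""
    func, body = parse_bvlc(frame)
    if func != FORWARDED_NPDU or len(body) < 6:
        raise ValueError("not a Forwarded-NPDU")
    ip = socket.inet_ntoa(body[:4])
    (port,) = struct.unpack("!H", body[4:6])
    return (ip, port), body[6:]

# Constructed sample: a Who-Is sent as an Original-Broadcast-NPDU.
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")
```
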
[Figure labels: Internet; Gateway (firewall); EIGR, route between IP subnets; BASRT-B; Automation Controllers; Field Controllers.]
Application #5 – Disable the Firewall for Unrestricted Routing
There are times when you may want to disable the firewall. The firewall controls the passing of messages from the public (WAN) side of the router to the private (LAN) side — and normally this protects the private side from unauthorized public access.
Under the Advanced Tab, you may choose to disable the firewall. Typically, the firewall is disabled when the LANs on both sides of the router are within one organization. That is, there is no public side — both sides are essentially private, so no firewall is needed.
LAN IP Address     WAN IP Address
192.168.92.1/24    192.168.80.10/24
192.168.92.2/24    192.168.80.20/24
192.168.92.3/24    192.168.80.30/24
[Figure: EIGR with the firewall disabled, showing the LAN and WAN addresses listed in the table above.]
Application #6 – Port Forwarding to Access a Private Web Server
The firewall will normally block all WAN-side requests. Port forwarding allows computers on the WAN side to access devices on the LAN side by opening up selected WAN IP ports. The only WAN-side requests that will be forwarded through the IP router are those that specify both the router’s WAN address and a destination IP port number that exists in the router’s IP port forwarding table. When this match is made, the message is forwarded to the indicated IP address on the LAN side.
This is very useful when only one public IP address is available, but there is a need to access multiple LAN-side devices. In this example, we want to access a private web server at 192.168.92.101 which is normally invisible from the Internet. Using port forwarding, we allow a WAN-side request made to the router’s public (WAN) address. For additional security, the port numbers have been translated.
Internal IP Address   LAN IP Port   WAN IP Port   External IP Address
192.168.92.101/24     80            8080          1.2.3.4
You can also select Port Range Forwarding to allow an entire range of addresses through the firewall. Note that any WAN-side device can use port forwarding — but you can greatly enhance security by creating a whitelist of allowed WAN-side devices. This is illustrated at the bottom of the page.
Enhance Security with a Whitelist: Specify which WAN-side devices can use port forwarding.
[Figure: a WAN request to 1.2.3.4:8080 is forwarded to 192.168.92.101:80. Other addresses shown: 192.168.92.1, 192.168.92.102.]
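
The admission rule for WAN-initiated requests described above (router WAN address, forwarding-table port, optional whitelist), modelled as an added example that is not EIGR firmware, with an audit helper that flags forwards left open to every WAN-side device. Class, field and function names are hypothetical; the forwarding entry comes from the table above and the whitelist address 4.3.2.1 used in testing is the one in the page's Application #7 example.

```python
# Added illustration, not EIGR firmware: class and field names are hypothetical.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Forward:
    wan_port: int   # port the WAN-side client connects to
    lan_ip: str     # LAN-side device that receives the request
    lan_port: int   # port on that device (may differ: "translated")

@dataclass
class Router:
    wan_ip: str
    forwards: list = field(default_factory=list)
    whitelist: set = field(default_factory=set)  # empty: any WAN-side device

    def admit(self, src_ip, dst_ip, dst_port):
        """Return (lan_ip, lan_port) for a WAN-initiated request, or None if blocked."""
        if dst_ip != self.wan_ip:
            return None                  # must target the router's WAN address
        if self.whitelist and src_ip not in self.whitelist:
            return None                  # whitelist in use and source not listed
        for f in self.forwards:
            if f.wan_port == dst_port:   # port must exist in the forwarding table
                return (f.lan_ip, f.lan_port)
        return None

def audit(router):
    """List forwards that any WAN-side device can reach (no whitelist set)."""
    if router.whitelist:
        return []
    return [f"WAN port {f.wan_port} -> {f.lan_ip}:{f.lan_port} "
            "is open to any WAN-side device" for f in router.forwards]

def page_example():
    # Values from the page's table: 1.2.3.4:8080 -> 192.168.92.101:80
    return Router("1.2.3.4", [Forward(8080, "192.168.92.101", 80)])
```
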
Application #7 – Router Access from a WAN-side Device
In some situations, you may want a WAN-side device to access and possibly configure the router. This is enabled via the Remote Router Access control (shown below) found under the Administration tab.
Caution: Enabling this control grants access to any device on the public or WAN-side. To restrict access to just certain WAN devices, you must construct a whitelist such as the example below which specifies an outside (public or WAN-side) device that has the IP address of 4.3.2.1.
Enhance Security with a Whitelist: Specify which WAN-side devices can configure the router.
Application #8 – Port Address Translation (PAT)
PAT (also known as a firewall) allows a many-to-one mapping of private IP addresses to one public address. Not only does this provide enhanced security for the devices on the LAN side, it also allows multiple LAN-side devices to communicate to devices on the WAN side using only one WAN IP address. When the WAN network is connected to the Internet, this allows the LAN devices to communicate on the Internet via one public IP address.
Most ISPs will limit the number of public IP addresses provided to their customers. PAT is done by the use of port assignments — thus, granting private IP addresses access to the Internet. In this example, the ISP provided the router the public address of 1.2.3.4. Both LAN-side PCs have automatically been assigned local IP ports and granted access to the Internet — and no configuration was needed.
Internal IP Address   LAN IP Port   External IP Address
192.168.92.101/24     5001          1.2.3.4
192.168.92.102/24     5002          1.2.3.4
[Figure: LAN-side devices 192.168.92.101 and 192.168.92.102 sharing the public address 1.2.3.4. Other address shown: 192.168.92.1.]
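
How the many-to-one mapping above combines with the stateful firewall behaviour described earlier in this guide, as an added example that is not EIGR firmware: LAN-initiated flows create a port mapping, and WAN packets pass only when they answer one. The class and method names and the sequential port allocation are assumptions; 5001 and 5002 are treated as the router-assigned ports from the table, and the remote addresses are constructed.

```python
# Added illustration, not EIGR firmware: a minimal PAT table with stateful
# return-path checking. Names and the allocation strategy are assumptions.
class PatRouter:
    def __init__(self, wan_ip, first_port=5001):
        self.wan_ip = wan_ip
        self.next_port = first_port
        self.out = {}    # (lan_ip, lan_port, remote_ip, remote_port) -> wan_port
        self.back = {}   # wan_port -> the same 4-tuple

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """LAN-initiated packet: create or reuse a mapping.
        Returns the rewritten source (wan_ip, wan_port) seen by the remote host."""
        key = (lan_ip, lan_port, remote_ip, remote_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return (self.wan_ip, self.out[key])

    def inbound(self, remote_ip, remote_port, wan_port):
        """WAN packet: pass only if it answers a LAN-initiated flow.
        Returns the LAN destination (lan_ip, lan_port), or None if blocked."""
        state = self.back.get(wan_port)
        if state is None:
            return None                  # unsolicited: no mapping exists
        lan_ip, lan_port, rip, rport = state
        if (rip, rport) != (remote_ip, remote_port):
            return None                  # mapped port, but not the peer contacted
        return (lan_ip, lan_port)
```
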
Application #9 – Network Address Translation (NAT)
NAT allows for a one-to-one mapping of internal IP addresses to external IP addresses. This could be helpful when accessing duplicate systems that are configured the same. The actual LAN-side addresses are hidden. Notice that the LAN and WAN subnets are different.
Internal IP Address   External IP Address
192.168.92.101/24     192.168.80.10/24
192.168.92.102/24     192.168.80.20/24
192.168.92.103/24     192.168.80.30/24
[Figure: NAT example showing the internal and external addresses listed in the table above. Other address shown: 192.168.80.102/24.]
Application #10 – EIGR-V VPN
VPNs provide a secure way to encrypt and transmit data between two or more devices. This makes the VPN technology suitable for remote access to devices at a remote location. Although it is possible to open ports in firewalls using port forwarding or NAT, IT professionals are often reluctant to compromise the security of their network and usually decline this type of request. The VPN model of the EIGR router, EIGR-V, has built-in OpenVPN software that can be configured to set up a VPN. In the client mode, an OpenVPN config file can be loaded to the router via the VPN Client webpage and the router can form a secure tunnel between itself and the RemoteVPN server hosted by Contemporary Controls. Since OpenVPN is an open technology, it is possible to connect to other OpenVPN servers. By installing the EIGR-V at a remote location, a secure way to connect to the LAN side IP devices from the comfort of your home or office is possible.
United States
Contemporary Control Systems, Inc.
2431 Curtiss Street Downers Grove, IL 60515 USA
Tel: +1 630 963 7070 Fax:+1 630 963 0109
info@ccontrols.com
China
Contemporary Controls (Suzhou) Co. Ltd
11 Huoju Road Science & Technology Industrial Park New District, Suzhou PR China 215009
Tel: +86 512 68095866 Fax: +86 512 68093760
info@ccontrols.com.cn
United Kingdom
Contemporary Controls Ltd
14 Bow Court Fletchworth Gate Coventry CV5 6SP United Kingdom
Tel: +44 (0)24 7641 3786 Fax:+44 (0)24 7641 3923
info@ccontrols.co.uk
Germany
Contemporary Controls GmbH
Fuggerstraße 1 B 04158 Leipzig Germany
Tel: +49 341 520359 0 Fax: +49 341 520359 16
info@ccontrols.de
Specifications
Power Requirements        10–36 VDC ±10% 7 W or 24 VAC ±10% 11 VA 47–63 Hz
Operating Temperature     0°C to 60°C (Standard)
                          -40 to +75°C (Extended Versions)
Storage Temperature       –40°C to 85°C
Relative Humidity         10–95%, non-condensing
Protection                IP30
Mounting                  TS-35 DIN-rail
Ethernet Communications   IEEE 802.3 10/100/1000 Mbps data rate
                          10BASE-T, 100BASE-TX and 1000BASE-T
                          100 m (max) CAT5 cable length
LEDs                      Power    Green = Power OK
                          Status   Green = Boot-up complete
                          H        Green = 1000 Mbps communication established; Yellow = 100 Mbps communication established; Flash = Activity
                          L        Yellow = 10 Mbps communication established; Flash = Activity
Regulatory Compliance     CE Mark; CFR 47, Part 15 Class A; RoHS; UL 508; C22.2 No. 142-M1987
Ordering Information
Model     RoHS   Description
EIGR-E           Skorpion GigE IP Router 0 to 60°C
EIGR-EX          Skorpion GigE IP Router -40 to +75°C
EIGR-V           Skorpion GigE IP Router with VPN 0 to 60°C
EIGR-VX          Skorpion GigE IP Router with VPN -40 to 45°C
www.ccontrols.com
AG-EIGR0000-AA0
April, 2019