INSYS MLR 3G 2.0 User Manual

Manual
MLR 3G 2.0
Copyright © March 11 INSYS MICROELECTRONICS GmbH
Any duplication of this manual is prohibited. All rights on this documentation and the devices are with INSYS MICROELECTRONICS GmbH Regensburg.
Trademarks
The use of a trademark not shown below is not an indication that it is freely available for use.
MNP is a registered trademark of Microcom Inc.
IBM PC, AT, XT are registered trademarks of International Business Machine Corporation.
INSYS®, e-Mobility LSG® and e-Mobility PLC® are registered trademarks of INSYS MICROELECTRONICS GmbH.
Windows™ is a registered trademark of Microsoft Corporation.
Linux is a registered trademark of Linus Torvalds.
Publisher: INSYS MICROELECTRONICS GmbH
Waffnergasse 8
D-93047 Regensburg, Germany
Phone: +49 (0)941/56 00 61
Fax: +49 (0)941/56 34 71
E-mail: insys@insys-tec.de
Internet: http://www.insys-tec.de
Date: Mar-11
Item: 31-22-03.173
Version: 1.0
Language: EN
Contents
1 Safety .................................................................................................................. 7
1.1 Usage According to the Regulations ..................................................................................7
1.2 Permissible Technical Limits...............................................................................................8
1.3 Defects Liability Terms .......................................................................................................8
1.4 Marking of Warnings and Notes........................................................................................9
1.4.1 Symbols and Key Words...................................................................................................9
1.5 Responsibilities of the Operator.......................................................................................10
1.6 Qualification of the Personnel .........................................................................................10
1.7 Instructions for Transport and Storage............................................................................10
1.8 Safety Instructions for Electrical Installation...................................................................10
1.9 General Safety Instructions..............................................................................................11
2 Scope of Delivery .............................................................................................. 13
3 Technical Data................................................................................................... 14
3.1 Physical Features ..............................................................................................................14
3.2 Technological Features .....................................................................................................15
4 Display and Control Elements........................................................................... 16
4.1 Meaning of the Displays...................................................................................................18
4.2 Function of the Control Elements ....................................................................................19
5 Connections....................................................................................................... 20
5.1 Front Panel Connections...................................................................................................20
5.2 Rear Panel Connections ....................................................................................................21
5.3 Pin Assignment of the Serial Interface.............................................................................21
6 Function Overview............................................................................................ 22
7 Meaning of the Symbols and the Formatting in this Manual.......................... 26
8 Commissioning ................................................................................................. 27
9 Operating Principle........................................................................................... 31
9.1 Operating the Web Interface ...........................................................................................31
9.2 Access via the HTTPS Protocol ..........................................................................................33
10 Functions ........................................................................................................... 34
10.1 Basic Settings....................................................................................................................34
10.1.1 Web Interface (User Name, Password, Remote Configuration) ......................... 34
10.1.2 Setting IP Addresses ....................................................................................................... 35
10.1.3 Enter Static Route ...........................................................................................................35
10.2 UMTS .................................................................................................................................36
10.2.1 Enter SIM card PIN ..........................................................................................................36
10.2.2 Configure Network Selection....................................................................................... 37
10.2.3 Configure Daily Login and Logout ..............................................................................38
10.2.4 Terminal............................................................................................................................. 38
4 Mar-11
Contents
10.3 Dial-In................................................................................................................................39
10.3.1 Configuring Dial-In .........................................................................................................39
10.3.2 Automatic Callback (Callback).....................................................................................40
10.3.3 Routing............................................................................................................................... 40
10.3.4 Creating or Deleting a Firewall Rule .......................................................................... 41
10.4 Dial-Out.............................................................................................................................42
10.4.1 Configure Dial-Out.......................................................................................................... 42
10.4.2 Configure Leased Line Operation................................................................................ 43
10.4.3 Configuring a Periodical Dial-Out Connection Setup............................................ 44
10.4.4 Routing............................................................................................................................... 44
10.4.5 Configuring a Talking Filter..........................................................................................45
10.4.6 Creating or Deleting a Firewall Rule .......................................................................... 46
10.4.7 Creating a Port Forwarding Rule................................................................................. 46
10.4.8 Defining the Exposed Host...........................................................................................47
10.5 VPN....................................................................................................................................48
10.5.1 VPN General...................................................................................................................... 48
10.5.2 OpenVPN General ........................................................................................................... 48
10.5.3 OpenVPN Server Basic Settings................................................................................... 49
10.5.4 OpenVPN Client Basic Settings.................................................................................... 52
10.5.5 PPTP General..................................................................................................................... 55
10.5.6 PPTP Server Basic Settings ............................................................................................ 55
10.5.7 PPTP Client Basic Settings.............................................................................................56
10.5.8 IPsec .................................................................................................................................... 57
10.6 Redundant Communication Device .................................................................................60
10.6.1 Configure Redundant Communication Device ....................................................... 60
10.7 Configurable Switch .........................................................................................................61
10.7.1 Querying Configuration and Status of the Switch Ports...................................... 61
10.7.2 Configuring Switch Ports .............................................................................................. 61
10.7.3 Configuring the LED Display of the Switch Ports....................................................62
10.7.4 Configuring VLAN............................................................................................................ 62
10.7.5 Configuring Port Mirroring........................................................................................... 63
10.8 Serial Ethernet gateway ...................................................................................................64
10.8.1 Setting up the Serial Ethernet Gateway ................................................................... 64
10.8.2 Configuring the Serial Ethernet Gateway ................................................................66
10.8.3 Modem Emulator ............................................................................................................ 67
10.9 Messages...........................................................................................................................69
10.9.1 Configuring the Message Dispatch............................................................................69
10.9.2 Enable SMS Receipt......................................................................................................... 70
10.9.3 Configuring E-Mail Dispatch........................................................................................ 72
10.9.4 Configure SMS Dispatch................................................................................................ 73
10.9.5 Configuring SNMP Trap Triggering............................................................................ 74
10.10 Server Services ..................................................................................................................75
10.10.1 Setting up DNS Forwarding.......................................................................................... 75
10.10.2 Setting up the Dynamic DNS Update ........................................................................75
10.10.3 Setting up the DHCP Server.......................................................................................... 76
10.10.4 Configuring the Proxy Server....................................................................................... 77
10.10.5 Configuring an URL Filter..............................................................................................78
10.10.6 Configuring IPT ................................................................................................................79
10.10.7 Configuring the SNMP Agent....................................................................................... 80
10.11 System Configuration.......................................................................................................81
10.11.1 Displaying the System Log............................................................................................ 81
10.11.2 Displaying the Last System Messages....................................................................... 81
10.11.3 Configuring Time and Time Zone ............................................................................... 82
10.11.4 Resetting the Device....................................................................................................... 83
10.11.5 Update................................................................................................................................ 84
10.11.6 Updating the Firmware................................................................................................. 85
10.11.7 Uploading the Configuration File ...............................................................................87
10.11.8 Download.......................................................................................................................... 88
10.11.9 Sandbox............................................................................................................................. 89
10.11.10 Debugging.........................................................................................................................90
11 Waste Disposal.................................................................................................. 91
11.1 Repurchasing of Legacy Systems......................................................................................91
12 Declaration of Conformity................................................................................ 92
13 Export Regulation ............................................................................................. 93
14 Licenses ............................................................................................................. 94
14.1 GNU GENERAL PUBLIC LICENSE.........................................................................................94
14.2 GNU LIBRARY GENERAL PUBLIC LICENSE ..........................................................................97
14.3 Other Licenses.................................................................................................................102
15 International Safety Instructions ................................................................... 104
15.1 Safety Precautions..........................................................................................................104
16 Glossary........................................................................................................... 106
17 Tables and Diagrams.......................................................................................109
17.1 List of Tables ...................................................................................................................109
17.2 List of Diagrams ..............................................................................................................109
18 Index................................................................................................................ 110
1 Safety
The Safety section provides an overview about the safety instructions, which must be observed for the operation of the product.
The product is constructed according to the currently valid state-of-the-art technology and is reliable in operation. It has been checked and left the factory in flawless condition concerning safety. In order to maintain this condition during the service life, the instructions of the valid publications and certificates must be observed and followed.
The general safety instructions must be adhered to when operating the product. In addition to the general safety instructions, the descriptions of processes and operating procedures are provided with precise safety instructions in the respective sections.
An optimum protection of the personnel and the environment from hazards as well as a safe and fault-free operation of the product is only possible if all safety instructions are observed.
1.1 Usage According to the Regulations
The product may only be used for the purposes specified in the function overview. In addition, it may be used for the following purposes:
- Data transmission functions in machines according to the machine directive 2006/42/EC.
- Usage as data transmission device for a PLC or a usual PC.
The product may not be used for the following purposes and used or operated under the following conditions:
- Controlling or switching of machines and systems, which do not comply with the directive 2006/42/EC.
- Usage, controlling, switching and data transmission of machines and systems, which are operated in explosive atmospheres.
- Controlling, switching and data transmission of machines, which may involve risks to life and limb due to their functions or when a breakdown occurs.
1.2 Permissible Technical Limits
The product is only intended for the use within the permissible technical limits specified in the data sheets.
The following permissible limits must be observed:
- The ambient temperature limits must not be fallen below or exceeded.
- The supply voltage range must not be fallen below or exceeded.
- The maximum humidity must not be exceeded and condensate formation must be prevented.
- The maximum switching voltage and the maximum switching current load must not be exceeded.
- The maximum input voltage and the maximum input current must not be exceeded.
1.3 Defects Liability Terms
A usage not according to the intended purpose, an ignorance of this documentation, the use of insufficiently qualified personnel as well as unauthorised modifications exclude the liability of the manufacturer for damages resulting from this. The liability of the manufacturer ceases to exist.
1.4 Marking of Warnings and Notes
1.4.1 Symbols and Key Words
Danger!
Risk of severe or fatal injury
One of these symbols in conjunction with the key word Danger indicates an imminent danger. It will cause death or severe injuries if not avoided.
Warning!
Personal injury
This symbol in conjunction with the key word Warning indicates a possibly hazardous situation. It might cause death or severe injuries if not avoided.
Caution!
Slight injury and / or material damage
This symbol in conjunction with the key word Caution indicates a possibly hazardous or harmful situation. It might cause slight or minor injuries or a damage of the product or something in its vicinity if not avoided.
Note
Improvement of the application
This symbol in conjunction with the key word Note indicates hints for the user or very useful information. This information helps with installation, set-up and operation of the product to ensure a fault-free operation.
1.5 Responsibilities of the Operator
As a matter of principle, the operator must observe the legal regulations, which are valid in his country, concerning operation, functional test, repair and maintenance of electrical devices.
1.6 Qualification of the Personnel
The installation, commissioning and maintenance of the product must only be performed by trained expert personnel who have been authorised by the plant operator. The expert personnel must have read and understood this documentation and observe the instructions.
1.7 Instructions for Transport and Storage
The following instructions must be observed:
- Do not expose the product to moisture and other potentially hazardous environmental conditions (radiation, gases, etc.) during transport and storage. Pack the product accordingly.
- Pack the product sufficiently to protect it against shocks during transport and storage, e.g. using air-cushioned packing material.
Check the product for possible damage, which might have been caused by improper transport, before installation. Transport damage must be noted on the shipping documents. All claims for damages must be filed immediately and before installation against the carrier or the party responsible for the storage.
1.8 Safety Instructions for Electrical Installation
The electrical connection must only be made by authorised expert personnel according to the wiring diagrams.
The notes on the electrical connection in the manual must be observed. Otherwise, the protection category might be affected.
The safe disconnection of circuits, which are hazardous when touched, is only ensured if the connected devices meet the requirements of VDE T.101 (Basic requirements for safe disconnection).
The supply lines are to be routed apart from circuits, which are hazardous when touched, or isolated additionally for a safe disconnection.
1.9 General Safety Instructions
Caution!
Moisture and liquids from the environment may seep into the interior of the product!
Fire hazard and damage of the product.
The product must not be used in wet or damp environments, or in the direct vicinity of water. Install the product at a dry location, protected from water spray. Disconnect the power supply before you perform any work on a device which may have been in contact with moisture.
Caution!
Short circuits and damage due to improper repairs and opening of maintenance areas.
Fire hazard and damage of the product.
Only persons who have the training or skills of an "Electronic technician for industrial engineering" are authorised to open and repair the product.
Caution!
Overcurrent of the device supply!
Fire hazard and damage of the product due to overcurrent.
The product must be secured with a suitable fuse against currents exceeding 1.6 A.
Caution!
Overvoltage and voltage peaks from the mains supply!
Fire hazard and damage of the product due to overvoltage.
Install suitable overvoltage protection.
Caution!
Damage due to chemicals!
Ketones and chlorinated hydrocarbons dissolve the plastic housing and damage the surface of the device.
Never let the device come into contact with ketones (e.g. acetone) or chlorinated hydrocarbons, such as dichloromethane.
Caution!
Distance from antennas to persons!
Too small a distance between GSM antennas and persons can affect health.
Keep a minimum distance of 20 cm between the GSM antenna and persons during operation.
Note
Export restriction for FCC!
Possible offence against approval regulations.
If the final product is not approved in the U.S. territories, the application manufacturer shall take care that the 850 MHz and 190 MHz frequency bands be deactivated and that band settings be inaccessible to end users. If these demands are not met (e.g. if the AT interface is accessible to end users), it is the responsibility of the application manufacturer to always ensure that the application be not exported to countries within the area of validity of the FCC.
2 Scope of Delivery
The scope of delivery for the MLR 3G 2.0 includes all accessories listed below. Please check if all accessories are included in the box. If a part is missing or damaged, please contact your distributor.
1 MLR 3G 2.0
1 Quick Installation Guide
1 Support CD with operator manual in PDF format
1 Power supply connector
GSM/UMTS antenna
The following related documents for the MLR 3G 2.0 can be found on the delivered Support CD or in the download area and on the product page of the MLR 3G 2.0 under www.insys-tec.de:
Add-On Manual ASCII Configuration File
Add-On Manual Automatic Update
3 Technical Data
3.1 Physical Features
All specified data was measured with nominal input voltage, at full load, and an ambient temperature of 25 °C. The limit value tolerances are subject to the usual variations.
Physical Feature                        Value
Operating voltage                       12 V – 24 V DC (+20%/-15%)
Power consumption (idle)                approx. 3 W
Power consumption (connection)          approx. 6.5 W
Transmitted output:
  UMTS 850: Class 3                     0.25 W
  UMTS 1900: Class 3                    0.25 W
  UMTS 2100: Class 3                    0.25 W
  EGSM 850 and 900: Class 4             2 W
  EGSM 1800 and 1900: Class 1           1 W
  EGSM 850 and 900: Class E2            0.5 W
  GSM 1800 and 1900: Class E2           0.5 W
Weight                                  300 g
Dimensions (Width x Depth x Height)     115 mm x 120 mm x 37 mm
Temperature range                       -20 °C – 55 °C
Maximum permissible humidity            95% non-condensing
IP rating                               Housing IP40
Table 1: Physical Features
3.2 Technological Features
Technological Feature     Description
GSM frequencies (2G)      850, 900, 1800, 1900 MHz
UMTS frequencies (3G)     850, 1900, 2100 MHz
SIM card reader           Support for 1.8 V and 3.3 V SIM cards
SMS                       SMS dispatch; incoming SMS can be received, but cannot be accessed via the web interface.
CSD                       Up to 14.4 kBit/s
GPRS                      GPRS Multislot Class 12, Coding scheme 1 to 4, PBCCH, Mobile Station Class B
EDGE (EGPRS)              EDGE Multislot Class 10, Modulation and Coding Scheme MCS 1-9
UMTS                      Uplink up to 384 kBit/s / downlink up to 384 kBit/s
HSUPA (uplink)            up to 5.7 MBit/s
HSDPA (downlink)          up to 14.4 MBit/s
Table 2: Technological Features
4 Display and Control Elements
Figure 1: LEDs and control elements on the front of the device
Position  Description
1         Power LED
2         COM LED
3         Data/Signal LED
4         Status/VPN LED
6         SIM card 2 - eject button
7         SIM card 2 - card holder
8         SIM card 1 - card holder
9         SIM card 1 - eject button
Table 3: Description of the LEDs and control elements on the front of the device
Figure 2: LEDs on the rear of the device
Position  Description
1         Link LED for Switch LAN 1
2         Link LED for Switch LAN 2
3         Link LED for Switch LAN 3
4         Link LED for Switch LAN 4
5         Activity LED for Switch LAN 4
6         Activity LED for Switch LAN 3
7         Activity LED for Switch LAN 2
8         Activity LED for Switch LAN 1
Table 4: Description of the LEDs on the rear of the device
4.1 Meaning of the Displays
LED states: off, flashing, blinking, on. Colour and function per LED, followed by the meaning of each state:

Switch LAN 1-4 (yellow: Link 10 Mbit/s; green: Link 100 Mbit/s)
  flashing: Data traffic
  on: connected

Power (green: Supply)
  off: missing
  on: present

COM (green: Connect; orange: PPP link)
  off: offline
  on: established

Data / Signal (green: SIM card 1; orange: SIM card 2)
  off: no signal or logged out
  flashing: PPP data traffic
  blinking: Field strength (see Table 6)

Status / VPN (green: VPN; red: Status)
  green on: Client or server established
  red: Initialization, FW update, fault

Table 5: Meaning of the LED displays

Blinking interval          LED signal quality    Signal quality
900 ms on, 100 ms off      20 .. 32              very good
200 ms on, 200 ms off      13 .. 19              good
100 ms on, 900 ms off      0 .. 12               poor
off                        99 (not detectable)   insufficient
Table 6: Blinking code of the data/signal LED
4.2 Function of the Control Elements
Description            Operation                                             Meaning
Reset key              Press once for a short time.                          Resets the MLR 3G 2.0 via software and restarts it. (Soft reset)
                       Press at least 3 seconds.                             Resets the hardware and restarts the MLR 3G 2.0. (Hard reset)
                       Press three times for a short time within 2 seconds.  Deletes all settings of the MLR 3G 2.0 and resets the device to the factory defaults.
SIM card eject button  Press with a pointed object.                          Ejects the SIM card holder.
Table 7: Description of the functions and meaning of the control elements
5 Connections
5.1 Front Panel Connections
Figure 3: Connections on the front panel of the device
Position Description
1 Serial interface (RS232 socket V.24/V.28)
Table 8: Description of the connections on the front panel of the device
5.2 Rear Panel Connections
Figure 4: Connections on the rear panel of the device
Position  Description
1         GSM antenna connection (SMA socket)
2         Power supply connection
3         Ethernet port 1 (RJ45, 10/100 BT)
4         Ethernet port 2 (RJ45, 10/100 BT)
5         Ethernet port 3 (RJ45, 10/100 BT)
6         Ethernet port 4 (RJ45, 10/100 BT)
Table 9: Description of the connections on the rear panel of the device
5.3 Pin Assignment of the Serial Interface
Figure 5: 9-pin D-Sub socket at the device
Pin  Signal  Description
1    DCD     Data Carrier Detect
2    RXD     Receive Data
3    TXD     Transmit Data
4    DTR     Data Terminal Ready
5    GND     Ground
6    DSR     Data Set Ready
7    RTS     Request To Send
8    CTS     Clear To Send
9    RI      Ring Indication
Table 10: Description of the pin allocation of the D-Sub socket
6 Function Overview
The MLR 3G 2.0 provides you with the following functions:
Configuration via web interface
All functions of the MLR 3G 2.0 can be configured and set via a web interface. Access to the web interface is protected by a user name and password query. The TCP port used to access the web interface can be set freely.

Serial Ethernet gateway
The MLR 3G 2.0 can output data arriving at a certain network port on the serial interface. Likewise, data arriving at the serial interface is sent to an IP remote terminal. Together with the INSYS VCom driver, the serial Ethernet gateway enables the transmission of a serial connection via a network.

DHCP server
Ethernet devices connected to the switch can retrieve their IP address automatically from the MLR 3G 2.0.

NAT and port forwarding
The MLR 3G 2.0 is a router, which can also send data packets via NAT and port forwarding. According to defined rules, the MLR 3G 2.0 forwards incoming IP packets that arrive at definable ports and port ranges to IP addresses and ports in the LAN.

Dial-in PPP server
The MLR 3G 2.0 can be used as a PPP dial-in server. Similar to an Internet provider, a caller can establish a PPP connection to the MLR 3G 2.0 to access the network behind it.

Establishing a PPP connection via an incoming call (callback)
The MLR 3G 2.0 identifies calls and will automatically establish a PPP connection to a previously determined remote terminal (e.g. an Internet provider). The caller who triggers the connection setup can identify himself via a PPP authentication method.

Automatic dialling of a PPP terminal (dial-out)
The MLR 3G 2.0 will establish a connection to a PPP terminal (e.g. Internet provider) as soon as it registers outgoing network traffic.

Dialling filter for initiating a connection establishment
You can use rules to define which network traffic or network participant may trigger a connection setup.
PPP Leased line operation The MLR 3G 2.0 can establish and maintain a permanent connection via a
"dial-up line". This makes it possible to communicate with a network via a dial-up connection such as a "leased line".
Periodic PPP connection setup The MLR 3G 2.0 can establish and terminate a PPP connection time-
controlled. Fixed times can be set for the connection setup and termina­tion.
OpenVPN: The MLR 3G 2.0 can be used as OpenVPN server or client. This enables machines to establish a secure connection from the outside via an untrusted network to the LAN behind the MLR 3G 2.0. Prerequisite for this is that the device can be accessed via a packet-switched connection (public IP address) or that a CSD connection is maintained permanently. The MLR 3G 2.0 can also connect an entire LAN, protected against interception and tampering, via an untrusted Internet connection through a VPN tunnel to another network (e.g. the company network). The MLR 3G 2.0 connects to an OpenVPN server as client for this. When connecting to an OpenVPN server, authentication via a static key, a certificate with user name and password, or a certificate alone is supported. The MLR 3G 2.0 can also establish an OpenVPN connection without authentication; in that case neither side can verify whom it is talking to, so this option gives no protection against an impersonated peer.
PPTP: The MLR 3G 2.0 can be used as PPTP server or client. This enables machines to establish a connection from the outside via an untrusted network to the LAN behind the MLR 3G 2.0. Prerequisite for this is that the device can be accessed via a packet-switched connection (public IP address) or that a CSD connection is maintained permanently. The MLR 3G 2.0 can also connect an entire LAN via an untrusted Internet connection through a VPN tunnel to another network (e.g. the company network). The MLR 3G 2.0 connects to a PPTP server as client for this. Note that the PPTP protocol itself (MS-CHAPv2 authentication with MPPE encryption) is considered cryptographically weak; where the remote side offers a choice, prefer OpenVPN or IPsec.
IPsec protocol: The MLR 3G 2.0 can connect two subnets via an insecure Internet connection, protected against interception and tampering, via an IPsec tunnel. When connecting to an IPsec terminal device, authentication via certificates or a passphrase (PSK) is supported. Up to 10 tunnels can be established at the same time.
IPT protocol: The MLR 3G 2.0 supports communication via IPT (Internet Protocol Telemetry). The MLR 3G 2.0 can connect to an IPT master as IPT slave and tunnel payload of the serial Ethernet gateway to another IPT slave.
Dynamic DNS update: The assigned IP address can be deposited at a dynamic DNS service (e.g. DynDNS) after the set-up of a PPP connection to an Internet service provider. The MLR 3G 2.0 can then be contacted from the Internet.
Firewall (stateful firewall): The MLR 3G 2.0 firewall enables the limitation of incoming and outgoing IP connections. Flexible rules may be created per connection and per stored dial-in user. If one of these firewall rules applies to a connection through the MLR 3G 2.0, this connection will be allowed; otherwise the connection is blocked. This increases security by not permitting unauthorized access to the network behind the MLR 3G 2.0. "Stateful firewall" means that the MLR 3G 2.0 automatically adjusts the firewall for the data traffic that belongs to a connection initiated by authorised data packets. This also allows connections for protocols with special requirements, e.g. FTP.
Configurable Ethernet switch: For each port at the switch of the MLR 3G 2.0, the transmission rate, the transmission mode and the LED display for certain network events may be set individually. The MLR 3G 2.0 detects the settings automatically when configured with factory settings. The switch can be divided into up to four VLANs.
Port mirroring at the Ethernet switch for analysis purposes: A port at the switch of the MLR 3G 2.0 can reproduce a copy of the data at another network port of the switch. At these mirror ports, the transmitted data can be read for analysis purposes (e.g. for intrusion detection systems, problem analysis of end terminals), without affecting the network traffic.
E-mail and SMS dispatch as well as SNMP trap triggering on different events: The MLR 3G 2.0 can send an e-mail or SMS to any recipient on different events or trigger an SNMP trap. A series of predefined events are available for this, like set-up of connections for example.
SMS receipt: The MLR 3G 2.0 can be configured for receiving SMS. Different commands can be transmitted to the MLR 3G 2.0 with this, optionally also password-protected. SMS that cannot be evaluated can be forwarded to the sandbox and evaluated there.
SNMP agent for processing SNMP requests: The MLR 3G 2.0 can respond to incoming SNMP requests (SNMP Get requests) if the SNMP agent is enabled. All configuration parameters can be read out with this, so the agent should only be reachable from networks whose hosts are allowed to see the complete configuration.
Time synchronization via NTP: The MLR 3G 2.0 can synchronize its system time via the Network Time Protocol with an NTP server in the Internet. The system time will thus always be current and the internal clock does not have to be set manually. In addition, the time and the date can be set manually if no NTP server is available.
HTTP and HTTPS proxy with URL filter: The proxy is used to limit the access to web addresses for applications in the local network of the MLR 3G 2.0, and to avoid connection timeouts. The MLR 3G 2.0 supports the HTTP and HTTPS protocols. The proxy of the MLR 3G 2.0 maintains connections during the connection setup of the communication device to prevent a premature timeout. The proxy does not work as a cache for frequently accessed websites.
Log files: The system messages of the MLR 3G 2.0 can be downloaded as text files via the web interface.
Downloadable configuration files: The configuration of the MLR 3G 2.0 can be downloaded as binary or ASCII file. The file can be used as backup copy to configure the MLR 3G 2.0 after a factory reset, or for convenient loading of the same configuration into a different MLR 3G 2.0. The ASCII configuration file can be edited and offers a comfortable option for an alternative configuration. Since the file reproduces the complete configuration, treat it as sensitive and store it accordingly.
Firmware update via web interface: The firmware of the MLR 3G 2.0 can be updated via the web interface. An update can be performed locally or remotely.
Automatic daily update: The MLR 3G 2.0 allows a daily automatic update of firmware files, configuration files (binary and ASCII) or sandbox image files that are provided accordingly on a server.
Optional, redundant communication device: You can connect a second INSYS communication device via the serial interface at the MLR 3G 2.0, to secure the dial-out and dial-in communication through redundancy and to increase the availability.
Freely programmable sandbox: The MLR 3G 2.0 provides a freely programmable sandbox. The sandbox is a kind of virtual machine which runs on the MLR 3G 2.0 and allows to start programs, collect data and offer services in the sandbox which do not exist in the actual system.
Debugging tools for analysing network connections: The MLR 3G 2.0 offers several tools for analysing problems with network connections. Ping packets can be sent, routes of IP packets can be traced, DNS information can be queried and network packets can be recorded with this.
7 Meaning of the Symbols and the Formatting in this Manual
This section describes the definition, formatting and symbols used in this manual. The various symbols are meant to help you read and find the information relevant to you. The following text is structured like a typical operating instruction of this manual.
Bold print: This will tell you what the following steps will result in.
After that, there will be a detailed explanation why you could perform the following steps to be able to reach the objective indicated first. You can decide whether the section is relevant for you or not.
An arrow will indicate prerequisites which must be fulfilled to be able to process the subsequent steps in a meaningful way. You will also learn which software or which equipment you will need.
1. One individual action step: This tells you what you need to do at this point. The steps are numbered for better orientation.
A result which you will receive after performing a step will be marked with a check mark. At this point, you can check if the previous steps were successful.
Additional information which you should consider is marked with a circled "i". At this point, we will indicate possible error sources and tell you how to avoid them.
Alternative results and steps are marked with an arrow. This will tell you how to reach the same results performing different steps, or what you could do if you didn't reach the expected results at this point.
8 Commissioning
This chapter describes how to activate the MLR 3G 2.0, i.e. how to connect the MLR 3G 2.0 to a PC, and how to prepare it for the configuration.
Insert SIM card into the MLR 3G 2.0
How to insert the SIM card into the MLR 3G 2.0.
The power supply of the MLR 3G 2.0 is disconnected. You will need a functioning SIM card of your mobile provider. You will also need the according PIN. You will need a pointed object to operate the SIM card eject button, e.g. a screwdriver with a blade of max. 1.5 mm.
1. Press the SIM card eject button of SIM card 1 with the pointed object.
If only one SIM card is used, this must always be inserted into the card holder of SIM card 1!
The SIM card holder will be ejected a little bit out of the housing.
2. Remove the SIM card holder.
3. Insert your SIM card into the card holder.
The SIM card will only fit into the SIM card holder in one position. Make sure that the SIM card does not extend over the card holder.
4. Insert the SIM card holder together with the SIM card into the MLR 3G 2.0. The contacts of the SIM card must face down (for SIM card 1).
5. Using one finger, carefully push the SIM card holder with the inserted SIM card into the housing, until the card holder snaps into place.
The following figure shows how to insert the SIM card into the SIM card holder for SIM card 1:
6. Enable the power supply of the MLR 3G 2.0 again.
You can use a second SIM card in the MLR 3G 2.0 alternatively. The MLR 3G 2.0 provides a second SIM card holder for SIM card 2 for this.
The following figure shows how to insert the SIM card into the SIM card holder for SIM card 2:
Connecting the MLR 3G 2.0 to a GSM antenna and a PC
How to connect the MLR 3G 2.0 to a GSM antenna and, via a network cable, to a PC.
The power supply of the MLR 3G 2.0 is disconnected. You will need a Cat. 5 network patch cable. You will need a network card in the PC. You will need a suitable GSM antenna (available from INSYS MICROELECTRONICS).
1. Locate the RJ-45 socket of the network card at the PC.
Make sure not to use the ISDN socket, but the socket of the network card which you want to use to configure the MLR 3G 2.0.
2. Plug one end of the network cable into the RJ45 socket of the PC network card.
3. Plug the other end of the network cable into a network socket of the MLR 3G 2.0.
4. Connect the GSM antenna to the antenna connection of the MLR 3G 2.0.
The regulation of the Federal Communications Commission (FCC) is valid for the USA, according to which the antenna must be installed and operated at a distance of at least 20 cm from persons, not at the same place as other antennas or transmitters, and must not have an antenna gain of more than 8.4 dBi (GSM 1900) or 2.9 dBi (GSM 850).
Configuring the MLR 3G 2.0
The MLR 3G 2.0 is connected to the PC. The power supply of the MLR 3G 2.0 is present. You have the required access rights to change the IP address of the network card to which the MLR 3G 2.0 is connected.
1. Change the IP address of the network card to which the MLR 3G 2.0 is connected to an address which starts with 192.168.1.
As an alternative, you may also configure your network card to "Automatic address allocation". The integrated DHCP server of the MLR 3G 2.0 will then allocate an address from the according address range to your network card.
Do not use the address 192.168.1.1. This is the factory default IP address of the MLR 3G 2.0. For example, use 192.168.1.2 as IP address for the network card in your PC.
2. Open an Internet browser and enter the URL "http://192.168.1.1" into the address bar.
The browser loads the start page of the MLR 3G 2.0.
If you see the message in your browser window that the page with this address cannot be found, follow these steps: Check whether your MLR 3G 2.0 is supplied with power. If yes, most probably a wrong IP address is configured in the MLR 3G 2.0. Press the reset key at the MLR 3G 2.0 three times within two seconds and repeat this instruction from step 2.
A dialogue will prompt you to enter a user name and password for authentication.
3. Enter the user name "insys" and the password "mlr".
You should now see the start page of the web interface. The MLR 3G 2.0 is installed successfully and ready for configuration.
User name and password are set as factory defaults. If the registration at the web interface does not work with the data entered, just reset your MLR 3G 2.0 to the factory defaults. Press the reset key at the MLR 3G 2.0 three times within two seconds and repeat this instruction from step 2.
The factory default user name and password are printed in this manual and must be assumed to be generally known. Change them in the menu "Basic Settings" on the page "Web interface" (see section 10.1.1) before the MLR 3G 2.0 is logged into the mobile network or remote configuration is enabled. Note also that the reset key restores these defaults without any authentication, so anyone with physical access to the device can return it to this state.
9 Operating Principle
This chapter describes how to operate and configure the MLR 3G 2.0.
The MLR 3G 2.0 is configured and operated using a web-based interface. The interface itself is displayed and operated using a web browser such as Mozilla Firefox or Microsoft Internet Explorer.
9.1 Operating the Web Interface
The web interface allows easy configuration of the MLR 3G 2.0 using a web browser. All functions of the MLR 3G 2.0 can be configured via the interface. The operation is mostly self-explanatory. The interface also provides an online help feature, which describes the meaning of possible settings of the MLR 3G 2.0. Start the online help by selecting the option "Display help text" in the title bar below the language selection.
We urgently recommend to enable online help for the first configurations to allow a quick and flawless configuration.
Configuring the MLR 3G 2.0 with the web interface
How to configure the MLR 3G 2.0 with the web interface.
The MLR 3G 2.0 is connected to a network and switched on. A PC is physically connected to the same network as the MLR 3G 2.0. The PC is configured in a way that it is also logically connected to the MLR 3G 2.0 in the same network. The first three octets of the IP address of the PC and the MLR 3G 2.0 must be identical. For example, the MLR 3G 2.0 has the IP address 192.168.1.1 and the PC has the IP address 192.168.1.2.
A new generation web browser such as Mozilla Firefox or Microsoft Internet Explorer is installed on the PC.
1. Start the web browser.
2. Enter the IP address of the MLR 3G 2.0 in the address line.
The factory default IP address of the MLR 3G 2.0 is 192.168.1.1.
A dialogue will prompt you to enter the user name and the password for authentication.
3. Enter the user name and the password and click OK.
The default factory setting of the web interface for the user name is "insys", the password is "mlr".
The start page of the web interface is displayed.
4. Use the menu on the left side to select the menu item in which you want to change settings.
5. Enter the required settings.
6. Click on the button OK on the according configuration page to save the settings.
After you completed the configuration changes, always click the button OK. Otherwise the settings will be lost as soon as you change to another page or close the browser.
9.2 Access via the HTTPS Protocol
The web interface allows a secure configuration of the MLR 3G 2.0 using the HTTPS protocol. The HTTPS protocol allows the authentication of the server (i.e. the MLR 3G 2.0) as well as encrypting the data transmission.
If the MLR 3G 2.0 is accessed via the HTTPS protocol for the first time, the browser indicates that the MLR 3G 2.0 uses an invalid security certificate. The certificate is not trusted, because the certificate of the Certification Authority (CA certificate) is unknown.
You can ignore this warning and add an exception for this server or establish the connection to this server nevertheless (depending on browser and operating system). If you do so, the browser cannot tell the MLR 3G 2.0 apart from any other device answering under this address, so the server authentication that HTTPS is meant to provide is lost; only the encryption remains.
We recommend downloading the CA certificate CA_MoRoS.crt from the certificate page (http://www.insys-tec.de/en/certificate/) and importing it into your browser, to trust INSYS MICROELECTRONICS as Certification Authority. Proceed for this as described in the documentation of your browser.
If INSYS MICROELECTRONICS is registered as Certification Authority with your browser and you access the MLR 3G 2.0 again via the HTTPS protocol, the browser indicates again that the MLR 3G 2.0 uses an invalid security certificate. The certificate is not trusted, because the Common Name of the certificate differs from your input in the address bar of your browser. The browser indicates that a different device is detected under this URL. The Common Name of the certificate consists of the MAC address of the MLR 3G 2.0, with the colons replaced by underscores.
You can ignore this warning and add an exception for this server or establish the connection to this server nevertheless (depending on browser and operating system).
In order to eliminate this browser warning as well, you have to enter the Common Name of the MLR 3G 2.0 to be accessed into the address bar of your browser. In order to route the URL to the correct device, the Common Name must be assigned to the IP address of the MLR 3G 2.0. You can find out the Common Name by downloading the certificate from the MLR 3G 2.0 and viewing it. This process depends on your browser. The process for configuring the assignment depends on your operating system:
- Editing /etc/hosts (Linux/Unix)
- Editing C:\WINDOWS\system32\drivers\etc\hosts (Windows XP)
- Configuring your own DNS server
Refer to the documentation of your operating system for more information about this.
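The two checks the browser performs, chain to the INSYS CA and Common Name equal to the MAC address with underscores, can also be done from a script, which is useful when many routers are commissioned and nobody should click through warnings. The following is an added example and not INSYS code. It assumes the CA file is saved as CA_MoRoS.crt in the working directory, that the device IP and MAC address given at the call site are placeholders you replace, and that the device's TLS settings are accepted by the Python default context (if a device offers only legacy TLS versions, relaxing minimum_version is a deliberate decision, not something to do silently). verify_device() needs a reachable device and is therefore not exercised by the tests; the helpers around it are.

```python
"""Added example (not INSYS code): verify an MLR 3G 2.0 HTTPS certificate against the
INSYS CA and the MAC-derived Common Name described in section 9.2."""
import socket
import ssl

HEX = set("0123456789abcdefABCDEF")


def expected_common_name(mac: str) -> str:
    """Common Name as the manual describes it: the MAC address with ':' replaced by '_'.
    Assumption: the hex digits keep the case the device prints (matching is
    case-insensitive anyway)."""
    parts = mac.strip().split(":")
    if len(parts) != 6 or any(len(p) != 2 or set(p) - HEX for p in parts):
        raise ValueError(f"not a colon-separated MAC address: {mac!r}")
    return "_".join(parts)


def hosts_line(ip: str, mac: str) -> str:
    """Entry for /etc/hosts or drivers\\etc\\hosts so the browser can use the CN as URL."""
    return f"{ip}\t{expected_common_name(mac)}"


def cn_matches(subject_cn: str, mac: str) -> bool:
    """Compare a CN read out of a downloaded certificate with the expected name."""
    return subject_cn.lower() == expected_common_name(mac).lower()


def verify_device(ip: str, mac: str, cafile: str = "CA_MoRoS.crt", port: int = 443) -> dict:
    """Connect to the device by IP address but let TLS verify the certificate against the
    MAC-derived CN, so no hosts entry or DNS record is needed for the check.
    Only the given CA file is trusted (create_default_context loads no system CAs when a
    cafile is passed). Raises ssl.SSLCertVerificationError on an untrusted chain or a
    name mismatch. Needs a reachable device; not run offline."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((ip, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=expected_common_name(mac)) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Placeholder values; replace with the address and MAC of the router being commissioned.
    print(hosts_line("192.168.1.1", "00:11:22:33:44:55"))
    print(verify_device("192.168.1.1", "00:11:22:33:44:55")["subject"])
```

Pinning the trust store to the single INSYS CA is what makes the CN check meaningful: a certificate from any other CA, even a publicly trusted one, is rejected, and a certificate from the INSYS CA for a different router (different MAC) fails the name check.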
10 Functions
10.1 Basic Settings
10.1.1 Web Interface (User Name, Password, Remote Configuration)
The web interface is used to configure the MLR 3G 2.0. It is protected against unauthorized access by a user name and password query. The web interface can be configured for a configuration from a computer in the internal network or for remote configuration. Then, you can also access the web interface from the external network. A remote configuration can also be performed via the HTTPS protocol. A location can be entered for a better differentiation. You can define the port at which the interface can be accessed from the respective network of the MLR 3G 2.0.
Configuration with the web interface
User name and password are entered in the menu "Basic Settings" on the page "Web interface". Replace the factory defaults ("insys"/"mlr") here before the device is reachable from outside the local network.
The permissible configuration is activated using the respective checkbox. Only enable remote configuration if it is needed, and then use HTTPS for it; over HTTP the user name and password are transmitted in clear text across the external network.
The web interface port is defined in the entry field "Port for HTTP web interface" or "Port for HTTPS web interface". Port 80 (HTTP) or port 443 (HTTPS) is configured for the web interface of the MLR 3G 2.0 by default.
A description or location of the router may be entered in the entry field "Location". This description then appears in the browser window title as well as on the start page of the web interface and facilitates a differentiation if more web interface windows are open.
Save your settings by clicking "OK".
10.1.2 Setting IP Addresses
It must be possible to access the MLR 3G 2.0 in the LAN under a certain IP address. You must assign a static IP address for this.
A virtual network address can be assigned to the local network. Devices in the local network can then be addressed with the virtual address via WAN. The MLR 3G 2.0 replaces the network portion of the virtual IP address with the network portion of the local network and forwards the packet to the destination.
Configuration with the web interface
In order to configure a static IP address, change in the "Basic Settings" menu to the "IP address (LAN)" page.
Enter the IP address of the MLR 3G 2.0 in the LAN into the entry field "IP address" and the subnet mask into the field "Netmask address".
When changing the local IP address, the address range of the DHCP server will be adjusted to the new network automatically if the netmask has not changed. The DHCP server will be disabled with a changed netmask and must be configured manually. This is indicated in a notification.
The MAC address of the MLR 3G 2.0 can be found below the entry fields for the IP address and the network mask under "MAC address" on this page.
In order to assign a virtual network address to the local network, check the checkbox "Activate netmapping" and enter the address into the "Virtual network address" field (e.g. 192.168.2.0). This virtual address is only visible from the WAN side.
If, for example, the local address is 192.168.1.1/255.255.255.0, an entered virtual address 192.168.2.1 will be changed to 192.168.2.0 and stored.
Save your settings by clicking "OK".
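The netmapping described above is a 1:1 network translation: only the network portion of the address changes, the host portion is kept. The following added example (not INSYS firmware code) models it with the Python ipaddress module so that the effect of the "Virtual network address" field can be checked before it is configured on a device, including the normalisation of 192.168.2.1 to 192.168.2.0 from the note above. The address values are the illustrative ones from this section.

```python
"""Added example (not INSYS code): the netmapping of section 10.1.2 as a pure function."""
import ipaddress


def normalise_virtual_network(virtual: str, netmask: str) -> str:
    """What the web interface does with the 'Virtual network address' field: host bits are
    cleared, e.g. 192.168.2.1 with 255.255.255.0 is stored as 192.168.2.0."""
    return str(ipaddress.ip_network(f"{virtual}/{netmask}", strict=False).network_address)


def _nets(local_ip: str, netmask: str, virtual: str):
    local_net = ipaddress.ip_network(f"{local_ip}/{netmask}", strict=False)
    virtual_net = ipaddress.ip_network(f"{virtual}/{netmask}", strict=False)
    return local_net, virtual_net


def map_virtual_to_local(dst: str, local_ip: str, netmask: str, virtual: str) -> str:
    """Destination as seen on the WAN (virtual network) -> real LAN host.
    The network portion is replaced, the host portion is kept unchanged."""
    local_net, virtual_net = _nets(local_ip, netmask, virtual)
    addr = ipaddress.ip_address(dst)
    if addr not in virtual_net:
        raise ValueError(f"{dst} is not inside the virtual network {virtual_net}")
    host_bits = int(addr) & int(virtual_net.hostmask)
    return str(ipaddress.ip_address(int(local_net.network_address) | host_bits))


def map_local_to_virtual(src: str, local_ip: str, netmask: str, virtual: str) -> str:
    """Reverse direction: a LAN host's address as it appears to the WAN side."""
    local_net, virtual_net = _nets(local_ip, netmask, virtual)
    addr = ipaddress.ip_address(src)
    if addr not in local_net:
        raise ValueError(f"{src} is not inside the local network {local_net}")
    host_bits = int(addr) & int(local_net.hostmask)
    return str(ipaddress.ip_address(int(virtual_net.network_address) | host_bits))


if __name__ == "__main__":
    # Values from the manual's own example: LAN 192.168.1.1/255.255.255.0, virtual 192.168.2.0.
    print(normalise_virtual_network("192.168.2.1", "255.255.255.0"))          # 192.168.2.0
    print(map_virtual_to_local("192.168.2.37", "192.168.1.1", "255.255.255.0", "192.168.2.0"))
```

Because the translation is purely on the network portion, a WAN-side party that may reach the virtual network can reach every host of the LAN, not a selected few; restrict that reach with the firewall rules of the respective interface rather than relying on the mapping.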
10.1.3 Enter Static Route
You can define static routes for forwarding data packets in the MLR 3G 2.0, which are loaded during system start.
Configuration with the web interface
In order to enter a static route, change in the menu "Basic Settings" to the page "Routing".
Enter in the section "Add new route" the Net address, the Netmask address as well as the Gateway into the respective fields.
In order to delete an existing route, check under "Existing routes" the checkbox of the route(s) to be deleted.
Save your settings by clicking "OK".
Neither a default gateway can be entered nor can NAT be enabled or disabled here. This is configured for the respective interface in the menus "Dial-In" or "Dial-Out" on the respective page "Routing".
10.2 UMTS
10.2.1 Enter SIM card PIN
The MLR 3G 2.0 enables the use of two SIM cards. If only one SIM card is used, this must be inserted into the card holder for SIM card 1. Additionally, a second SIM card can be inserted into the card holder for SIM card 2. An operation with one SIM card in SIM 2 without a SIM card in SIM 1 is not intended.
The MLR 3G 2.0 will need the PIN of the inserted SIM card (if the SIM card is protected by a PIN) to log into the mobile network and establish CSD or IP connections.
Note!
Possible locking of the SIM card!
If a wrong PIN is entered, the SIM card may be locked, resulting in the MLR 3G 2.0 not being able to log into the mobile network.
When entering or changing the PIN, make sure that you enter the correct PIN for the SIM card. The SIM card may be unlocked using the according PUK. To unlock the SIM card with the PUK, you will need a mobile phone in which you can insert the locked SIM card and enter the PUK. Alternatively, you can unlock the SIM card using a terminal with the command AT+CPIN=PUK,NEW_PIN (PUK and NEW_PIN stand for the actual values).
Configuration with the web interface
Enter the PIN of the inserted SIM card in the menu "UMTS" into the entry field "PIN" for the respective SIM card (1 or 2).
Save your settings by clicking "OK".
An entered PIN is also stored if the activation of a SIM card has not been successful. This is possible to allow a configuration without an inserted SIM card. Therefore, a wrong PIN is also stored!
10.2.2 Configure Network Selection
You can determine into which mobile network the MLR 3G 2.0 should log in. Your SIM card must support roaming for this. The MLR 3G 2.0 can then connect to the strongest available network at the location, to a certain preferred network (which may not necessarily be the strongest available network), or exclusively to the network of a certain provider. If you determine a "Preferred provider", the MLR 3G 2.0 will always attempt to connect to a network of this provider. If the connection attempt to the network of the preferred provider fails, the MLR 3G 2.0 will connect to the best available network of any provider. The settings are made for each SIM card separately.
Configuration with the web interface
In order to select the type of network, use the radio buttons in the menu "UMTS" to choose if the MLR 3G 2.0 should log into the strongest network, into the network of a preferred provider, or exclusively into the network of a provider determined by you.
To ensure that the MLR 3G 2.0 gives preference to the network of a certain provider when logging in, select in the menu "UMTS" the radio button for the option "Preferred provider". Enter the number of the provider into the entry field right of the option. You can obtain the number of the provider using the link under the question mark next to "Read provider list from modem" (the question mark only appears if a SIM card is inserted and unlocked with the correct PIN). To read the data, a SIM card must be inserted and the MLR 3G 2.0 must be logged into a GSM/UMTS network.
To ensure that the MLR 3G 2.0 exclusively selects the network of a certain provider when logging in, select in the menu "UMTS" the radio button for the option "Only log into this provider". Enter the number of the provider into the entry field right of the option. You can obtain the number of the provider using the link under the question mark next to "Read provider list from modem" (the question mark only appears if a SIM card is inserted and unlocked with the correct PIN).
Save your settings by clicking "OK".
10.2.3 Configure Daily Login and Logout
The MLR 3G 2.0 can log out of the mobile network and in again daily at a specified time. This enables you to limit the connection to certain times. Using periodic logout and login, you will increase the availability of the MLR 3G 2.0, which may otherwise be impaired by several circumstances which require a re-login into the network, e.g. maintenance work at the mobile network. We recommend to use this function.
We urgently recommend to log the MLR 3G 2.0 into the mobile network again daily to get a high availability.
Configuration with the web interface
Enter the desired time for the daily logout in the menu "UMTS" into the entry field "Daily log-out at" in the format "hh:mm".
Enter the desired time for the daily login in the menu "UMTS" into the entry field "Daily log-in at" in the format "hh:mm".
Check the checkbox "Activate daily log-out and log-in" to enable the function.
Save your settings by clicking "OK".
10.2.4 Terminal
This function allows the direct transmission of AT commands to the communication device of the MLR 3G 2.0. The response is displayed directly below the entry field.
Configuration with the web interface
Enter the desired AT command in the menu "UMTS" in the section "Terminal" into the entry field "AT command".
Transmit the command by clicking "OK".
10.3 Dial-In
10.3.1 Configuring Dial-In
You can use the MLR 3G 2.0 as dial-in server or incoming PPP server. The dial-in function allows computers to connect remotely via modem through the MLR 3G 2.0 to the network behind the MLR 3G 2.0. Similar to the dial-in with an Internet provider, users authenticate themselves via user name and password at the MLR 3G 2.0. To authenticate the PPP users, the methods PAP or CHAP are available. Successfully authenticated users can establish a PPP connection to access the network of the MLR 3G 2.0.
Configuration with the web interface
In order to enable the dial-in server, select in the menu "Dial-In" on the page "Dial-In" the radio button "Yes" for "Activate Dial-In".
You can define an idle time, after which the dial-in connection is closed as soon as no data transfer occurs any more. Enter the required time in seconds into the field "Idle time". If the connection should remain established although there is an idle operation, enter the value "0".
Define the number of ring tones after which the MLR 3G 2.0 will answer a call. Enter the number of ring tones until going off-hook into the entry field "Number of rings before answer".
To use PPP authentication based on user names and passwords, check the checkbox "Authentication for Dial-In". If you leave this checkbox unchecked, any caller may establish a PPP connection into the network behind the MLR 3G 2.0 without identifying itself; leave it checked unless the dial-in firewall (section 10.3.4) is relied upon deliberately. Enter up to 10 different combinations of user name and password into the fields "User name" and "Password" and use the respective radio button to specify whether an authentication via "PAP" or "CHAP" is required for this user. With PAP the password is sent in clear text over the PPP link, with CHAP only a challenge response is sent; prefer CHAP where the caller supports it. The user name must not correspond with the one of the dial-out connection.
If a callback after successful authentication should be possible for the respective user, check the checkbox "Callback active". If the authentication is required for a callback, but this checkbox is not checked, no callback will be performed. A usual dial-in is possible for the caller in this case.
As an option, you can define the IP addresses of the end points of the PPP connection, if these addresses have not already been allocated to one of the networks of the MLR 3G 2.0 or to a remote network. As default, the IP address of the MLR 3G 2.0 is 192.168.254.1. The standard address of the remote terminal is 192.168.254.2.
Save your settings by clicking "OK".
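The choice between "PAP" and "CHAP" above (and in the "Authentication" selection of the dial-out targets in section 10.4.1) decides what a listener on the link can learn. The following added example, not INSYS code, models both exchanges: PAP as in RFC 1334, where the Authenticate-Request carries the password, and CHAP as in RFC 1994, where the peer only returns MD5(identifier || secret || challenge) for a fresh random challenge. The user table, the secret and the fixed challenge used in the tests are constructed for the example. Note that CHAP with MD5 still lets a listener who captured a challenge/response pair try password guesses offline, so it does not make a weak password safe; it only keeps the password off the wire and defeats replay.

```python
"""Added example (not INSYS code): what PAP and CHAP put on the PPP link for the
dial-in users of section 10.3.1 and the dial-out targets of section 10.4.1."""
import hashlib
import hmac
import os
from typing import Dict

# Constructed dial-in user table as the router stores it (user name -> password/secret).
USERS: Dict[str, str] = {"field-tech": "s3cret-pw"}


# --- PAP (RFC 1334): the peer sends its name and the password itself -------------------
def pap_request(user: str, password: str) -> bytes:
    """Payload of a PAP Authenticate-Request: peer-id length, peer-id, password length,
    password. The secret travels in clear text."""
    u, p = user.encode(), password.encode()
    return bytes([len(u)]) + u + bytes([len(p)]) + p


def pap_server_check(request: bytes) -> bool:
    """Authenticator side: compare the received password with the stored one."""
    ulen = request[0]
    user = request[1:1 + ulen].decode()
    plen = request[1 + ulen]
    password = request[2 + ulen:2 + ulen + plen]
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), password)


# --- CHAP (RFC 1994): challenge/response, the secret never crosses the link ------------
def chap_new_challenge() -> bytes:
    """The authenticator (here the MLR 3G 2.0) picks a fresh random challenge per attempt."""
    return os.urandom(16)


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """Response value = MD5(Identifier || secret || Challenge), RFC 1994 section 2.1."""
    if not 0 <= identifier <= 255:
        raise ValueError("the CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_server_check(identifier: int, challenge: bytes, name: str, response: bytes) -> bool:
    """Authenticator side: recompute from the stored secret and the challenge it issued.
    A captured response is useless later because the challenge (and identifier) differ."""
    secret = USERS.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def secret_on_the_wire(pdu: bytes, secret: str) -> bool:
    """True if a passive listener sees the secret verbatim in the captured PDU."""
    return secret.encode() in pdu


if __name__ == "__main__":
    req = pap_request("field-tech", "s3cret-pw")
    print("PAP ok:", pap_server_check(req), "password visible:", secret_on_the_wire(req, "s3cret-pw"))
    ch = chap_new_challenge()
    resp = chap_response(1, "s3cret-pw", ch)
    print("CHAP ok:", chap_server_check(1, ch, "field-tech", resp),
          "password visible:", secret_on_the_wire(resp, "s3cret-pw"))
```

Both checks use hmac.compare_digest rather than == so that the comparison time does not depend on how many leading bytes of a guess are right; on a device that answers calls from the public network that detail matters more than on a LAN.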
10.3.2 Automatic Callback (Callback)
You can trigger an automatic callback of the MLR 3G 2.0 to a predefined destination phone number with a data call or a phone call. You can configure authorized callers for these numbers. The callers can identify themselves via the PPP authentication methods PAP or CHAP, or via their CLIP phone number. The connection, which will then be established by the MLR 3G 2.0, must be configured beforehand in the menu "Dial-Out". Only connections to the preconfigured dial-out destination are possible.
Configuration with the web interface
In order to trigger a dial-out connection by a caller, check in the menu "Dial-In" on the page "Dial-In" the checkbox "Activate callback". The dial-out connection, which is triggered by a caller, must first be configured in the menu "Dial-Out". To enable callers to trigger a connection, they must either identify themselves via PPP authentication or via their phone numbers. Select either the radio button for "After successful PPP authentication" or "After a call from these caller IDs". If you select the latter option, enter up to 5 phone numbers into the fields on the right, which can trigger a callback by calling.
Save your settings by clicking "OK".
10.3.3 Routing
You can define routes for forwarding data packets in the MLR 3G 2.0. Moreover, you can enable NAT for incoming and outgoing packets separately.
Configuration with the web interface
In order to set a default route, check in the menu "Dial-In" on the page "Routing" the checkbox "Set default route".
In order to enable NAT for incoming packets, check in the menu "Dial-In" on the page "Routing" the checkbox "Activate NAT for incoming packets".
In order to enable NAT for outgoing packets, check in the menu "Dial-In" on the page "Routing" the checkbox "Activate NAT for outgoing packets".
In order to add a new route, enter in the menu "Dial-In" on the page "Routing" the "Net address" and the "Netmask" into the respective fields.
In order to delete an existing route, check in the menu "Dial-In" on the page "Routing" under "Existing routes" the checkbox of the route(s) to be deleted.
Save your settings by clicking "OK".
10.3.4 Creating or Deleting a Firewall Rule
The MLR 3G 2.0 provides a firewall for dial-in connections. A firewall is used to prevent unauthorized data traffic. The logic of the firewall states that any data traffic is forbidden which is not explicitly permitted through a rule.
Define here which connections are permitted by the MLR 3G 2.0. If you enable the firewall for the connection type "Dial-In", only connections are possible which are allowed by the firewall rules. All other connections will be blocked.
Configuration with the web interface
In order to enable the firewall for dial-in connections, check in the menu "Dial-In" on the page "Firewall" the checkbox "Activate firewall for Dial-In connections".
In order to create a rule for an allowed IP connection, proceed as follows.
Select in the menu "Dial-In" on the page "Firewall" in the drop-down menu "Data direction" a data direction for the rule.
Define the protocol of the permitted connection in the drop-down menu "Protocol".
You can also make sure that the rule is exclusively applied to a particular dial-in user. Select the according dial-in user name in the drop-down menu "Dial-In user name".
Enter the further specifications of the connections permitted by the MLR 3G 2.0 into the entry fields "Source IP address", "Destination IP address" and "Destination port". Only rules can be created which are not valid for individual machines (hosts), but for whole networks. The net mask must therefore be entered following the "/".
Save your settings by clicking "OK".
In order to disable firewall rules temporarily, uncheck in the menu "Dial-In" on the page "Firewall" the checkbox in the column "Active" in the firewall rule overview. Click on "OK" to confirm the settings.
In order to delete one or more rules, check the checkbox in the column "Delete" in the firewall rule overview. Click on "OK" to confirm the settings.
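The rule logic described in this section (default deny, a rule carries direction, protocol, optional dial-in user, source and destination network with "/mask", destination port, and an "Active" flag) is small enough to model exactly, which is useful for reviewing a rule set before it is typed into the web interface. The following is an added example, not INSYS firmware code; it is a model of the documented behaviour, not a reproduction of the device's implementation. The rule set at the end is constructed: it lets only the dial-in user "field-tech" reach TCP port 502 on the LAN and lets any dial-in peer send ICMP; the dial-in peer addresses come from the 192.168.254.0/24 defaults of section 10.3.1.

```python
"""Added example (not INSYS code): evaluate packets against dial-in firewall rules
with the default-deny semantics described in section 10.3.4."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def parse_network(text: str) -> ipaddress.IPv4Network:
    """The web interface accepts networks only: the mask must follow a '/'.
    Both '192.168.1.0/24' and '192.168.1.0/255.255.255.0' are accepted."""
    if "/" not in text:
        raise ValueError(f"{text!r}: a network with '/mask' is required, not a single host")
    return ipaddress.ip_network(text, strict=False)


@dataclass(frozen=True)
class Rule:
    direction: str                   # "in": from the dial-in peer towards the LAN; "out": reverse
    protocol: str                    # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None   # None: any port (ports do not apply to icmp)
    user: Optional[str] = None       # None: rule is valid for every dial-in user
    active: bool = True              # the "Active" checkbox in the rule overview


def make_rule(direction, protocol, src, dst, dst_port=None, user=None, active=True) -> Rule:
    """Build a rule from the strings as they would be typed into the web interface."""
    return Rule(direction, protocol, parse_network(src), parse_network(dst), dst_port, user, active)


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int]
    user: str                        # the authenticated dial-in user the packet belongs to


def allowed(rules: List[Rule], pkt: Packet) -> bool:
    """Default deny: the packet passes only if some active rule matches it on every field."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for r in rules:
        if not r.active or r.direction != pkt.direction:
            continue
        if r.protocol != "any" and r.protocol != pkt.protocol:
            continue
        if r.user is not None and r.user != pkt.user:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if pkt.protocol != "icmp" and r.dst_port is not None and r.dst_port != pkt.dst_port:
            continue
        return True
    return False


# Constructed rule set for the example (see the lead-in).
RULES = [
    make_rule("in", "tcp", "192.168.254.0/24", "192.168.1.0/24", dst_port=502, user="field-tech"),
    make_rule("in", "icmp", "192.168.254.0/24", "192.168.1.0/24"),
]

if __name__ == "__main__":
    p = Packet("in", "tcp", "192.168.254.2", "192.168.1.10", 502, "field-tech")
    print("modbus from field-tech:", allowed(RULES, p))
    print("ssh from field-tech:", allowed(RULES, Packet("in", "tcp", "192.168.254.2", "192.168.1.10", 22, "field-tech")))
```

When reviewing a real rule set, the questions this model makes explicit are the ones worth asking: is every rule bound to a user where it could be, is the destination network as narrow as the service needs, and is any broad "any" rule still marked active.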
10.4 Dial-Out
10.4.1 Configure Dial-Out
You can use the MLR 3G 2.0 for dial-out. The MLR 3G 2.0 automatically establishes a PPP connection to a remote terminal when network traffic occurs in the direction of the terminal's network. The network traffic that may trigger a connection setup can be limited by rules. This optional "Dialling filter" ensures that only packets from/to certain IP addresses or from/to certain ports trigger the dial-out connection. This dial-out connection can be compared with a PC dialling into the Internet. Only after this dial-in is it possible to transfer IP data (e.g. web contents) or, for example, to remotely access devices in the local network of the MLR 3G 2.0.
Configuration with the web interface
In order to enable dial-out, select in the menu "Dial-Out" on the page "Dial-Out" the option "Yes" for "Activate Dial-Out".
For a GSM-CSD connection, enter the phone number of the PPP terminal (e.g. the Internet provider) into the entry field "Phone number" for Target A. You may enter a further phone number (or "*99***1#" for a packet-based connection, see below) for Target B.
For a packet-based connection (GPRS/EDGE/UMTS/HSDPA), enter "*99***1#" into the entry field "Telephone number" for Target A. For Target A, enter the APN of your mobile provider, which is used to establish a packet-based connection, into the field "Access Point Name". You can enter another APN for Target B. As an alternative, you may also define a GSM-CSD connection with a usual phone number for Target B.
Enter a user name and password for the PPP dial-up Targets A and B. The specification of Target B is optional. The user name must not be the same as the user name of a dial-in user.
Select the PPP authentication method (PAP, CHAP, and PAP or CHAP) to be used for Targets A and B in the selection "Authentication".
If you use a second SIM card, you may select the SIM card to be used for Target B under "SIM card for target B". SIM card 1 is always used for Target A.
Enter a value for "Idle time" to define how long the connection remains established if no data transfer takes place. Enter the required time in seconds into the field "Idle time". To maintain the connection for an unlimited time, enter the value "0".
Enter the maximum connect time to limit the duration of a connection. If you enter a maximum connection time, the connection is closed after this time period has expired. To keep the connection open without any time restrictions (until the connection is terminated for other reasons), enter the value "0" in the field "Maximum connect-time".
Configure the priority of the targets under "Priority". For this, the options "Try the last successful target at first" and "Always try target A first" are available. The MLR 3G 2.0 tries the respective target first. If the connection to the configured target cannot be established, the MLR 3G 2.0 always tries to reach the other target.
If the router does not receive a DNS server IP address to be used with a dial-out, the checkbox "Request DNS server address" must be disabled. Otherwise, it might happen that a connection cannot be established.
Save your settings by clicking "OK".
10.4.2 Configure Leased Line Operation
You can configure the MLR 3G 2.0 to permanently maintain a PPP connection. This operating mode is interesting for private networks with no minute charges, or for billing models for which only the transmitted data volume is charged (e.g. packet-based networks). In this operating mode, the MLR 3G 2.0 establishes the connection immediately after system start. The MLR 3G 2.0 checks the connection for its function periodically. The connection check can be performed either via a DNS query of a host name or via PING at a host.
Configuration with the web interface
In order to configure a leased line, check in the menu "Dial-Out" on the page "Dial-Out" the checkbox "Connect immediately and hold connection".
If necessary, enter another time in minutes for the connection check into the entry field "Interval for checking connection". The default setting is 60 minutes. If a closed connection is determined after this time, the MLR 3G 2.0 attempts to re-establish the connection after one minute. If the attempt fails, there is another attempt after 5 minutes. The next attempt takes place after 30 minutes; if this attempt fails as well, the MLR 3G 2.0 attempts to re-establish the connection every 60 minutes.
Select the method for the connection check using the radio buttons behind "Type to check the connection" and enter a host name or an "IP address". The two methods have a different effect. A failed DNS request terminates a possibly existing connection and re-establishes the connection. A failed ping makes sure that the connection is re-initiated if it was closed after the last data packet or ping. The existing connection is not terminated if the ping is not responded to.
Save your settings by clicking "OK".
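The retry schedule (1, 5, 30, then every 60 minutes) and the different effect of a failed DNS query versus a failed ping, modelled as an added Python example. This is illustration code, not part of the manual or of the router's firmware; the delays and the check semantics are taken from the text above, while the class and function names (LeasedLine, reconnect_schedule) are assumptions for the example.

```python
"""Model of the leased-line connection check (added example, not router code)."""
from dataclasses import dataclass, field
from typing import List

# Reconnection delays in minutes after a closed connection is detected:
# 1, then 5, then 30, then every 60 minutes until a dial-out succeeds.
RETRY_DELAYS_MIN = (1, 5, 30)
STEADY_RETRY_MIN = 60


def retry_delay(failed_attempts: int) -> int:
    """Minutes to wait before the next attempt, given how many attempts failed so far."""
    if failed_attempts < len(RETRY_DELAYS_MIN):
        return RETRY_DELAYS_MIN[failed_attempts]
    return STEADY_RETRY_MIN


def reconnect_schedule(detected_at_min: int, attempts: int) -> List[int]:
    """Minute offsets of the first `attempts` reconnection attempts if every one fails."""
    times, t = [], detected_at_min
    for n in range(attempts):
        t += retry_delay(n)
        times.append(t)
    return times


@dataclass
class LeasedLine:
    check_type: str            # "dns" or "ping" ("Type to check the connection")
    connected: bool = True
    failed_attempts: int = 0
    log: List[str] = field(default_factory=list)

    def check(self, check_ok: bool) -> str:
        """Apply one periodic connection check and return the resulting action."""
        if self.check_type == "dns":
            # A failed DNS query tears an existing connection down and dials again.
            if not check_ok:
                self.connected = False
                return self._dial_later()
            return "keep"
        if self.check_type == "ping":
            # A failed ping only re-initiates a connection that is already closed;
            # an open connection that does not answer pings is left untouched.
            if not check_ok and not self.connected:
                return self._dial_later()
            return "keep"
        raise ValueError(f"unknown check type {self.check_type!r}")

    def _dial_later(self) -> str:
        action = f"redial in {retry_delay(self.failed_attempts)} min"
        self.log.append(action)
        return action

    def dial(self, success: bool) -> None:
        """Record the outcome of a reconnection attempt."""
        self.connected = success
        self.failed_attempts = 0 if success else self.failed_attempts + 1
```

With a DNS check, a single unanswered query costs you the link even if it was only the name server that failed; with a ping check, a link that is up but silent is never torn down, so pick the check type according to which failure you would rather detect.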
10.4.3 Configuring a Periodical Dial-Out Connection Setup
The MLR 3G 2.0 can establish and terminate the previously configured dial-out connection time-controlled. The dial-out connection is established and terminated daily at a certain time.
This function triggers individual events; no blocking time or similar is defined. Example: If a logout is defined for 2 pm and an automatic login at 4 pm, other events within this period could also trigger a connection setup (dial-out), e.g. a simple packet according to the dialling filter. The connection is also automatically terminated after an automatic login if the configured "Idle time" has expired, for example.
Configuration with the web interface
In order to establish a daily connection at a certain time, check in the menu "Dial-Out" on the page "Dial-Out" the checkbox "Connect automatically once a day at" and enter a time for the connection setup into the entry fields for hours and minutes.
In order to terminate a connection daily at a certain time, check in the menu "Dial-Out" on the page "Dial-Out" the checkbox "Disconnect automatically once a day at" and enter a time for the connection termination into the entry fields for hours and minutes.
Save your settings by clicking "OK".
10.4.4 Routing
You can define routes on the MLR 3G 2.0 for forwarding data packets. You can also configure NAT for incoming and outgoing packets separately.
Configuration with the web interface
In order to configure a default route, check in the menu "Dial-Out" on the page "Port Routing" the checkbox "Set default route".
In order to enable NAT for incoming packets, check in the menu "Dial-Out" on the page "Routing" the checkbox "Activate NAT for incoming packets".
In order to enable NAT for outgoing packets, check in the menu "Dial-Out" on the page "Routing" the checkbox "Activate NAT for outgoing packets".
In order to add a new route, enter in the menu "Dial-Out" on the page "Routing" the "Net address" and the "Netmask address" into the respective fields.
In order to delete an existing route, check in the menu "Dial-Out" on the page "Routing" under "Existing routes" the checkbox of the route(s) to be deleted.
Save your settings by clicking "OK".
10.4.5 Configuring a Dialling Filter
To avoid unnecessary costs due to undesired dial-out processes, a dialling filter may be activated optionally. This dialling filter can restrict the network traffic which could trigger a dial-out process. After a dial-out connection is established, however, all participants in the network may access the dial-out connection and transmit IP data.
Define here which packets are allowed to initiate the dial-out connection via the MLR 3G 2.0. If you enable the dialling filter, only the dial-out connections permitted by the dialling filter rules are possible. All other connections are blocked.
Configuration with the web interface
In order to enable the dialling filter, check in the menu "Dial-Out" on the page "Dial filters" the checkbox "Activate Dial-Out filters for Dial-Out interface".
In order to create a rule for a dialling filter, proceed as follows.
Select in the menu "Dial-In" on the page "Firewall" the protocol of the permitted connection in the drop-down menu "Protocol".
Enter the further specifications of the connections permitted by the MLR 3G 2.0 into the entry fields "Source IP address", "Destination IP address" and "Destination port". Rules can only be created for whole networks, not for individual machines (hosts); the net mask must therefore be entered after the "/".
In order to explicitly allow DNS requests to the router which would initiate a connection setup (DNS relay), check the checkbox "Allow DNS requests from source IP address to initiate a connection".
Save your settings by clicking "OK".
In order to disable individual dial-out rules temporarily, uncheck in the menu "Dial-Out" on the page "Dial filters" the checkbox in the column "active" in the section "These data packets are allowed to initiate a Dial-Out". Click on "OK" to confirm the settings.
In order to delete one or more rules, check the checkbox in the column "delete" in the section "These data packets are allowed to initiate a Dial-Out". Click on "OK" to confirm the settings.
10.4.6 Creating or Deleting a Firewall Rule
The MLR 3G 2.0 provides a firewall for dial-out connections. A firewall is used to prevent unauthorized data traffic. The logic of the firewall is that any data traffic is forbidden which is not explicitly permitted through a rule.
Define which connections are permitted by the MLR 3G 2.0. If you enable the firewall for the connection type "Dial-Out", only connections authorised by the firewall rules are possible. All other connections are blocked.
Configuration with the web interface
In order to enable the firewall for dial-out connections, check in the menu "Dial-Out" on the page "Firewall" the checkbox "Activate firewall for Dial-Out connections".
In order to create a rule for a permitted IP connection, proceed as follows.
Select in the menu "Dial-Out" on the page "Firewall" the data direction in the drop-down menu "Data direction".
Define the protocol of the permitted connection in the drop-down menu "Protocol".
Enter the further specifications of the connections permitted by the MLR 3G 2.0 into the entry fields "Source IP address", "Destination IP address" and "Destination port". Rules can only be created for whole networks, not for individual machines (hosts); the net mask must therefore be entered after the "/".
Save your settings by clicking "OK".
In order to disable individual firewall rules temporarily, uncheck in the menu "Dial-Out" on the page "Firewall" the checkbox in the column "active" in the firewall rule overview. Click on "OK" to confirm the settings.
In order to delete one or more rules, check the checkbox in the column "delete" in the firewall rule overview. Click on "OK" to confirm the settings.
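The dial-in firewall, the dialling filter and the dial-out firewall all use the same rule shape (data direction, protocol, source and destination network written as address/mask, destination port, optional dial-in user, "active" flag) and the same default-deny logic: nothing passes unless an active rule permits it. The following added Python example evaluates such a rule set against sample packets; it is illustration code, not the router's firmware, and the rule and packet field names, the "any" protocol keyword and the sample addresses are assumptions constructed for the example.

```python
"""Default-deny rule evaluator modelled on the MLR firewall pages (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    direction: str                   # "in" or "out", the "Data direction" drop-down
    protocol: str                    # "tcp", "udp", "icmp" or "any" (keyword assumed here)
    src_net: str                     # "Source IP address", written as network/mask
    dst_net: str                     # "Destination IP address", written as network/mask
    dst_port: Optional[int] = None   # "Destination port"; None means any port
    user: Optional[str] = None       # "Dial-In user name" the rule is limited to (dial-in only)
    active: bool = True              # the "Active" checkbox in the rule overview


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    src: str
    dst: str
    dst_port: Optional[int] = None
    user: Optional[str] = None       # dial-in user whose PPP link carries the packet


def parse_net(text: str):
    """The router accepts networks only, so insist on the '/mask' suffix."""
    if "/" not in text:
        raise ValueError(f"{text!r}: enter the net mask after the '/'")
    return ipaddress.ip_network(text, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every field of the rule must agree with the packet for the rule to apply."""
    return (
        rule.active
        and rule.direction == pkt.direction
        and rule.protocol in ("any", pkt.protocol)
        and (rule.dst_port is None or rule.dst_port == pkt.dst_port)
        and (rule.user is None or rule.user == pkt.user)
        and ipaddress.ip_address(pkt.src) in parse_net(rule.src_net)
        and ipaddress.ip_address(pkt.dst) in parse_net(rule.dst_net)
    )


def verdict(rules: List[Rule], pkt: Packet, firewall_enabled: bool = True) -> str:
    """Anything not explicitly permitted by an active rule is dropped."""
    if not firewall_enabled:
        return "accept"              # with the firewall disabled every packet passes
    return "accept" if any(rule_matches(r, pkt) for r in rules) else "drop"


# Constructed sample rule set: SSH from the 10.0.0.0/8 side into the LAN
# 192.168.1.0/24 only over the PPP link of the dial-in user "service",
# and DNS queries from the LAN towards 10.0.0.0/8.
SAMPLE_RULES = [
    Rule("in", "tcp", "10.0.0.0/8", "192.168.1.0/24", dst_port=22, user="service"),
    Rule("out", "udp", "192.168.1.0/24", "10.0.0.0/8", dst_port=53),
]
```

Note that disabling the firewall ("Activate firewall" unchecked) and disabling every rule are not the same thing: with the firewall off everything is accepted, whereas an enabled firewall with no active rule drops everything.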
10.4.7 Creating a Port Forwarding Rule
When including the Internet as communication network, private and public IPs are distinguished. To be able to access the private IP addresses from the Internet, which are mostly used in local networks, the technologies NAT and port forwarding are used. Only the public IP address of the MLR 3G 2.0 can be reached in the Internet. This IP address can still be used to access the local end terminals in the network of the MLR 3G 2.0 from the Internet, if NAT and port forwarding are used.
The MLR 3G 2.0 provides port forwarding. The MLR 3G 2.0 routes incoming packets from outside of the network to certain computers within the network. Outgoing packets of these connections from the network are being routed back to their destinations outside of the network. At certain ports, the MLR 3G 2.0 routes incoming data packets to one port of a certain destination address. You can use rules to define which packets from outside are routed to which addresses and ports in the network. This means that you can make certain services available to computers in the network, using the phone network.
Configuration with the web interface
In order to enable port forwarding, check in the menu "Dial-Out" on the page "Port forwarding" the checkbox "Activate port forwarding for Dial-Out connections".
In order to create a forwarding rule, select the protocol (TCP or UDP) and the port range, for the incoming packets at the MLR 3G 2.0. Enter an IP address for the routing destination in the entry field "to IP address" and a port in the entry field "to port"; this is the address and the port where the packets are routed to. Click on "OK" to store the rule.
In order to disable an existing rule, disable the checkbox "active" and then click on "OK".
In order to delete an existing rule, check the checkbox "delete" and then click on "OK".
The rules in the list are processed from top to bottom. If two rules contradict each other (for example, the same port is used twice), only the rule further up in the list takes effect.
10.4.8 Defining the Exposed Host
As an option, the MLR 3G 2.0 can forward all packets which do not comply with any port forwarding rule to a predefined computer in the LAN, also called "Exposed Host" (for example, for diagnostic purposes). The setting for the exposed host is in principle a port forwarding rule without criteria, which therefore applies to all packets. The exposed host receives all packets which have not been requested by the local network of the MLR 3G 2.0 or which have not been forwarded to a participant in the local network by a port forwarding rule. If no exposed host is configured, these incoming packets are discarded.
Configuration with the web interface
In order to define an exposed host, enter in the menu "Dial-Out" on the page "Port forwarding" in the entry field "Exposed host" the IP address of a computer in the LAN which shall be accessible from outside via all ports.
Save your settings by clicking "OK".
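The first-match processing of the forwarding list and the exposed-host fallback described in the two sections above, as an added Python example (illustration code, not the router's own implementation). It also carries the check a practitioner wants before saving such a table: which rules are shadowed by an earlier rule for the same ports, and whether an exposed host is set at all. The rule fields and the sample table are constructed for the example.

```python
"""Port forwarding table with first-match semantics and exposed-host fallback (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Forward:
    proto: str          # "tcp" or "udp"
    port_from: int      # incoming port range at the MLR 3G 2.0
    port_to: int
    to_ip: str          # "to IP address"
    to_port: int        # "to port"
    active: bool = True # the "active" checkbox


def forward_target(rules: List[Forward], proto: str, port: int,
                   exposed_host: Optional[str] = None) -> Optional[Tuple[str, int]]:
    """Rules are processed top to bottom; the first active match wins.
    Packets matching no rule go to the exposed host on the same port,
    or are discarded (None) when no exposed host is configured."""
    for rule in rules:
        if rule.active and rule.proto == proto and rule.port_from <= port <= rule.port_to:
            return (rule.to_ip, rule.to_port)
    if exposed_host:
        return (exposed_host, port)
    return None


def overlap_findings(rules: List[Forward]) -> List[str]:
    """Report rules that cannot (fully) take effect because an earlier active
    rule for the same protocol already claims their port range."""
    findings = []
    for j, later in enumerate(rules):
        if not later.active:
            continue
        for i in range(j):
            earlier = rules[i]
            if not earlier.active or earlier.proto != later.proto:
                continue
            if earlier.port_from <= later.port_from and later.port_to <= earlier.port_to:
                findings.append(f"rule {j} is shadowed completely by rule {i}")
                break
            if earlier.port_from <= later.port_to and later.port_from <= earlier.port_to:
                findings.append(f"rule {j} overlaps rule {i}; only rule {i} applies to the shared ports")
    return findings


def audit(rules: List[Forward], exposed_host: Optional[str]) -> List[str]:
    """Combine the overlap check with a reminder of what an exposed host means."""
    findings = overlap_findings(rules)
    if exposed_host:
        findings.append(f"exposed host {exposed_host} is reachable from outside on every port "
                        "that no forwarding rule claims")
    return findings


# Constructed sample table (rules numbered 0..3 from top to bottom).
SAMPLE_RULES = [
    Forward("tcp", 80, 80, "192.168.1.10", 8080),
    Forward("tcp", 443, 443, "192.168.1.10", 8443),
    Forward("tcp", 80, 80, "192.168.1.20", 80),     # same port as rule 0: never reached
    Forward("udp", 5000, 5010, "192.168.1.30", 5000),
]
```

Because the exposed host is "a port forwarding rule without criteria", every service on that computer becomes reachable from the dial-out side; leave the field empty unless the diagnostic use really needs it, and re-run the overlap check whenever a rule is inserted above existing ones.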
10.5 VPN
10.5.1 VPN General
A VPN (virtual private network) is used to securely connect IP end devices or entire networks with each other. The data is transmitted tamper-proof to a destination and cannot be read by third parties.
You can configure the MLR 3G 2.0 for an OpenVPN, PPTP or IPsec connection.
The exact procedure for creating a certificate structure and configuring a VPN participant is described in a series of configuration guides. These are available from our website (http://www.insys-tec.de/en/home) or our support team (support@insys-tec.de).
10.5.2 OpenVPN General
You can use the MLR 3G 2.0 as OpenVPN server or OpenVPN client. This is independent from the type of connection setup (dial-in or dial-out).
Figure 6 shows a sample VPN configuration. One MLR 3G 2.0 is configured as OpenVPN server and a second MLR 3G 2.0 as OpenVPN client here. Client as well as server can be replaced by any OpenVPN-capable devices. In the example, a PPP connection between the two devices exists. Via this PPP connection, an OpenVPN connection is established.
As soon as a PPP connection has been established via the functions dial-in or dial-out, IP connections between the two networks can be established. OpenVPN uses an existing PPP connection to establish a VPN tunnel within this PPP connection. This tunnel consists of one single IP connection. OpenVPN makes a virtual network card available for sending data traffic.
Figure 6: OpenVPN network and IP addresses in the sample configuration
In the sample configuration, the end points of the OpenVPN connection have the IP addresses 10.1.0.1 and 10.1.0.2. The VPN tunnel is established within an already existing PPP connection. The OpenVPN clients and servers must also know which network is located behind the respective VPN tunnel end. The networks behind the ends are the target networks to which data is supposed to be sent. In the sample configuration, this is the network 192.168.200.0/24 on one side. On the other side, this is the network 192.168.1.0/24. As soon as the tunnel is established, data for these target networks is sent through the OpenVPN tunnel. If the entire data traffic from a network behind the MLR 3G 2.0 is supposed to be sent via the VPN tunnel, we recommend activating the firewall as soon as the configuration is completed successfully. This limits the communication to the port at which the OpenVPN tunnel is established (standard setting: port 1194).
The MLR 3G 2.0 supports several authentication methods when establishing the VPN tunnel:
Authentication type: None
Usage: For testing purposes and to connect networks without encryption.
Characteristics: No encrypted connection. It is not possible to log in several clients at the server at the same time.

Authentication type: Static key
Usage: For encrypted connections of one client and one server each in small applications.
Characteristics: Encrypted connection. It is not possible to log in several clients at the server at the same time.

Authentication type: User name/password and common CA certificate (can only be configured at the OpenVPN client)
Usage: For encrypted connections from one or more clients to an OpenVPN server.
Characteristics: Flexible application for several clients.

Authentication type: Certificate-based; each participant has an individual certificate and key.
Usage: For encrypted connections from one or more clients to an OpenVPN server.
Characteristics: Solution for maximum security, but the configuration is more complicated.

Table 11: Authentication methods for OpenVPN
For detailed information and troubleshooting, we also recommend the OpenVPN web site: http://openvpn.net/howto.html
10.5.3 OpenVPN Server Basic Settings
You can use the MLR 3G 2.0 as VPN server if you want to send confidential data via an unsecured network, for example. This section describes the basic settings for the VPN server. The basic settings of the MLR 3G 2.0 are reasonable factory defaults, which you may change in certain circumstances. The VPN basic settings are used to define which port of the MLR 3G 2.0 is used to create the VPN tunnel and whether the VPN transmission is performed with the UDP or the TCP protocol. Moreover, you can specify here whether the clients are informed about the server network, whether the remote terminal may change its IP address, whether LZO compression is used, whether packets are masked before tunnelling, which encryption algorithm is used during transmission, how big the tunnel packets are to be, and in which time intervals the VPN server sends VPN pings. In addition, you have the option to display the OpenVPN status and the current configuration file, to create a configuration for an OpenVPN remote terminal, and to display a log of the last connection. For example, the created configuration can be used to set up an OpenVPN package on a client PC. The OpenVPN package for Windows clients can be downloaded from the INSYS MICROELECTRONICS web site:
www.insys-tec.de/en/en/driver/
This program is used as remote terminal if you want to establish an OpenVPN connection to a Windows PC.
Configuration with the web interface
In order to use the OpenVPN server for a connection, check in the menu "Dial-In" or "Dial-Out" on the page "OpenVPN server" the checkbox "Activate OpenVPN server".
In order to define the local port at the MLR 3G 2.0 as well as the port at the remote terminal, enter a value for the required port into the entry fields "Tunnelling over port (local / remote)" (default setting 1194).
The VPN transmission protocol is selected with the radio buttons "UDP" or "TCP". We recommend using UDP to minimise latency.
In order to inform the clients about the route to the network behind the server, check the checkbox "Inform clients about server network". If this setting is disabled, communication can only be initiated from the network of the server.
In order to allow the remote VPN terminal to change its IP address during a connection ("floating"), check the checkbox "Remote terminal is allowed to change its IP address (float)". This setting is activated by default.
In order to enable or disable LZO compression, check or uncheck the checkbox "Activate LZO compression". If already strongly compressed data (e.g. jpg) is transmitted, the compression has hardly any effect; however, if compressible data (e.g. text) is transmitted, the compression may significantly reduce the transmitted volume of data. Switch the compression off if the remote terminal does not support LZO compression.
In order to mask the packets with the virtual tunnel IP address, check the checkbox "Masquerade packets before tunnelling". The recipient of the packets then sees the IP address of the tunnel end as sender, not the address of the original sender.
In order to use a different encryption method than the preset method "Blowfish 128 Bit" for the VPN connection, select one of the following encryption types in the drop-down menu "Cipher algorithm": (Blowfish 128 Bit), DES 64 Bit, DES EDE 128 Bit, DES EDE3 192 Bit, DESX 192 Bit, CAST5 128 Bit, IDEA 128 Bit, RC2 128 Bit, RC2 40 Bit, RC2 64 Bit, AES 128 Bit, AES 192 Bit, AES 256 Bit
In order to configure the detail level of the messages in the connection log, enter the detail level into the field "Log level", where "0" disables the log record completely and "9" records the most detailed information.
In order to define a certain fragment size for the VPN tunnel packets in bytes, use the entry field "Fragment packets". Enter the required maximum packet size in bytes here. If you don't enter a value, the VPN packets have a maximum size of 1500 bytes. The amount of user data actually transmitted is lower, because the VPN creates "protocol overhead": the protocol information that is transmitted as well is part of the packet size.
In order to adjust the interval up to the key renegotiation, use the entry field "Interval for renegotiation of data channel key". This interval configures the time in seconds which must expire before new keys are created.
In order to adjust the VPN ping interval, use the entry field "Ping interval". Enter the interval in seconds in which the VPN server of the MLR 3G 2.0 sends ping packets to the remote VPN terminal. The frequent ping is used to keep the connection open via several routers and gateways which may participate in the connection and would close the channel if there was no communication. We recommend entering a value of a few minutes, depending on the network and infrastructure used.
In order to adjust the ping restart interval, use the entry field "Ping restart interval". The ping restart interval configures the time in seconds after which the tunnel is to be established again if no ping from the remote terminal arrived during the complete time. The value "0" prevents the tunnel from being terminated, even if no ping is received any more.
In order to configure the authentication with certificates, select the radio button "Authentication based on certificate". It is indicated under the option whether the individual certificates and keys are present (green checkmark) or not (red cross). Present certificates can also be downloaded (blue arrow) or deleted again (red cross on white box). The private key can only be deleted. Check the checkbox "Allow communication between clients" to enable communication between the clients as well. Define the IP address pool for the clients in the fields "IP address pool for clients" and "Netmask of IP address pool". In order to create a new route to a client network, enter in the section "Create new route to a client network" the Common Name of the client into the field "Name in certificate" as well as its network address and netmask into the fields "Net address" and "Netmask address". Optionally, enter the VPN IP address for the tunnel end of a client into the field "VPN IP address". Click on "OK" to take over the new route. You can delete existing routes by checking the checkbox in the column "delete" of the respective route and clicking on "OK".
A link of a network address with "DEFAULT" as "Common Name" may be created as "Standard route". It is always used as route when a client registers with a certificate for whose "Common Name" no other link has been entered.
In order to configure the authentication with static key, select the radio button "No authentication or authentication with preshared key". It is indicated under the option whether the static key is present (green checkmark) or not (red cross). A present key can also be downloaded (blue arrow) or deleted again (red cross on white box). If no key exists, the remote terminal is neither authenticated nor is the data traffic through the tunnel encrypted. You can also generate a new static key using the "Generate a new static key" link. This static key must then be downloaded and also uploaded to the remote terminal. Enter the IP address or the domain name of the remote terminal into the "IP address or domain name of remote site" field. You can enter the IP address or the domain name of an alternative remote terminal into the "Alternative remote site" field. Enter the IP address of the local tunnel end into the "IP address of VPN tunnel local" field and the IP address of the remote tunnel end into the "IP address of VPN tunnel remote" field. Enter the address as well as the associated netmask of the network behind the VPN tunnel into the "Netaddress of network behind the VPN tunnel" and "Netmask of network behind the VPN tunnel" fields.
In order to confirm all settings made above, click on "OK".
In order to upload a certificate or key, click in the section "Upload key or certificates" on the "Browse..." button. Then, select in the "Upload file" window the desired file on the respective data carrier and click on the "Open" button. If the file is encrypted, you must also enter the password into the "Password (only with encrypted file)" field. Click on "OK" then to upload the file.
10.5.4 OpenVPN Client Basic Settings
You can use the MLR 3G 2.0 as VPN client if you want to connect to a VPN server via an unsecured network. This section describes the basic settings for the VPN client. The basic settings of the MLR 3G 2.0 are reasonable factory defaults, which you need to adjust to the VPN to which the MLR 3G 2.0 will connect. The VPN basic settings are used to define with which IP address or domain and via which ports the VPN tunnel is established, and whether the VPN transmission is performed with the UDP or the TCP protocol. Moreover, you can specify here whether a default route is set, whether the local address and the port are fixed, whether the remote terminal may change its IP address, whether LZO compression is used, whether packets are masked before tunnelling, which encryption algorithm is used during transmission, how big the tunnel packets are to be, and in which time intervals the OpenVPN client of the MLR 3G 2.0 sends VPN pings to the server. In addition, you have the option to display the OpenVPN status, the current configuration file, a configuration for an OpenVPN remote terminal (the OpenVPN server) and a log of the last connection.
Configuration with the web interface
In order to use the OpenVPN client for a connection, check in the menu "Dial-In" or "Dial-Out" on the page "OpenVPN client" the checkbox "Activate OpenVPN client".
In order to define the IP address or the domain name of the remote terminal with which the MLR 3G 2.0 establishes the VPN connection, enter an IP address or a domain name in the field "IP address or domain name of remote site".
Optionally, an alternative remote terminal can be defined which the MLR 3G 2.0 uses to establish the VPN connection if the remote terminal configured above is not available. Enter an IP address or domain name into the "Alternative remote site" field for this.
In order to define the local port at the MLR 3G 2.0 as well as the port at the remote terminal, enter a value for the required port into the entry fields "Tunnelling over port (local / remote)".
The VPN transmission protocol is selected with the radio buttons "UDP" or "TCP". We recommend using UDP to minimise latency.
In order to set a default route, check the checkbox "Set default route (redirect-gateway)". The complete data traffic is then routed through the tunnel.
It is not obligatory to provide the local port and the IP address of the OpenVPN connection. If you want to leave the use of ports and the IP address free, uncheck the checkbox "Bind to local address and port".
In order to allow the remote VPN terminal to change its IP address during a connection ("floating"), check the checkbox "Remote terminal is allowed to change its IP address (float)". This setting is activated by default.
In order to enable or disable LZO compression, check or uncheck the checkbox "Activate LZO compression". If already strongly compressed data (e.g. jpg) is transmitted, the compression has hardly any effect; however, if compressible data (e.g. text) is transmitted, the compression may significantly reduce the transmitted volume of data. Switch the compression off if the remote terminal does not support LZO compression.
In order to mask the packets with the virtual tunnel IP address, check the checkbox "Masquerade packets before tunnelling". The recipient of the packets then sees the IP address of the tunnel end as sender, not the address of the original sender.
In order to use a different encryption method than the preset method "Blowfish 128 Bit" for the VPN connection, select one of the following encryption types in the drop-down menu "Cipher algorithm": (Blowfish 128 Bit), DES 64 Bit, DES EDE 128 Bit, DES EDE3 192 Bit, DESX 192 Bit, CAST5 128 Bit, IDEA 128 Bit, RC2 128 Bit, RC2 40 Bit, RC2 64 Bit, AES 128 Bit, AES 192 Bit, AES 256 Bit
In order to configure the detail level of the messages in the connection log, enter the detail level into the field "Log level", where "0" disables the log record completely and "9" records the most detailed information.
In order to define a certain fragment size for the VPN tunnel packets in bytes, use the entry field "Fragment packets". Enter the required maximum packet size in bytes here. If you don't enter a value, the VPN packets have a maximum size of 1500 bytes. The amount of user data actually transmitted is lower, because the VPN creates "protocol overhead": the protocol information that is transmitted as well is part of the packet size.
In order to adjust the interval up to the key renegotiation, use the entry field "Interval for renegotiation of data channel key". This interval configures the time in seconds which must expire before new keys are created.
In order to adjust the VPN ping interval, use the entry field "Ping interval". Enter the interval in seconds at which the VPN client of the MLR 3G 2.0 sends ping packets to the remote VPN terminal. The regular ping keeps the connection open across the routers and gateways that may participate in the connection and would otherwise close the channel when there is no communication.
In order to adjust the ping restart interval, use the entry field "Ping restart interval". The ping restart interval configures the time in seconds after which the tunnel is re-established if no ping from the remote terminal has arrived during this entire time. The value "0" prevents the tunnel from being terminated, even if no ping is received any more.
In order to additionally send a ping via the ICMP protocol to a domain or an IP address, enter it into the entry field "Additional ICMP Ping to". It is recommended to enter a domain name or IP address here that is only reachable via the tunnel. If the ping is not successful, a possibly existing tunnel will be terminated and a new tunnel will be established. The ping interval is 15 minutes.
In order to configure the authentication with certificates, select the radio button "Authentication based on certificate". It is indicated under the option whether the individual certificates and keys are present (green checkmark) or not (red cross). Present certificates can also be downloaded (blue arrow) or deleted again (red cross on white box). The private key can only be deleted. Alternatively, or in addition to the usage of a client certificate and a private key, a user name/password combination can be used for the authentication with the OpenVPN server (however, the CA certificate is required in any case and must be possessed by every participant of this VPN). Enter a user name into the field "User name" and the associated password into the field "Password" for this. In order to check the certificate type of the remote terminal, check the checkbox "Check remote certificate type".
In order to configure the authentication with a static key, select the radio button "No authentication or authentication with preshared key". It is indicated under the option whether the static key is present (green checkmark) or not (red cross). A present key can also be downloaded (blue arrow) or deleted again (red cross on white box). If no key exists, the remote terminal will neither be authenticated nor will the data traffic through the tunnel be encrypted. You can also generate a new static key using the "Generate a new static key" link. This static key must then be downloaded and also uploaded to the remote terminal. Enter the IP address of the local tunnel end into the "IP address of VPN tunnel local" field and the IP address of the remote tunnel end into the "IP address of VPN tunnel remote" field. Enter the address and the associated netmask of the network behind the VPN tunnel into the "Netaddress of network behind the VPN tunnel" and "Netmask of network behind the VPN tunnel" fields.
In order to confirm all settings made above, click on "OK".
In order to upload a certificate or key, click on the "Browse..." button in the section "Upload key or certificates". Then, select the desired file on the respective data carrier in the "Upload file" window and click on the "Open" button. If the file is encrypted, you must also enter the password into the "Password (only with encrypted file)" field. Then click on "OK" to upload the file.
MLR 3G 2.0 Functions
10.5.5 PPTP General
PPTP (Point-to-Point Tunnelling Protocol) is a VPN (virtual private network) protocol that is not recommended for new installations. A more recent alternative is OpenVPN.
PPTP establishes a PPP connection via a tunnel set up with the GRE protocol. To establish the tunnel, it is essential that the GRE protocol is routed without restrictions between the two PPTP participants and that a TCP connection on port 1723 is possible. The TCP port 1723 is fixed and cannot be modified. The GRE protocol is not always routed directly in the Internet. If NAT is performed on the path, it can prevent the tunnel from being established.
We strongly recommend using passwords that are as long as possible and contain special characters, together with the encryption method MPPE 128 bit.
10.5.6 PPTP Server Basic Settings
The basic settings for the MLR 3G 2.0 as PPTP server are configured here. A maximum of 5 PPTP clients can log on to this server at the same time. More users can be created, but only 5 tunnels can be active at the same time.
Configuration with the web interface
In order to use the MLR 3G 2.0 as PPTP server, check in the menu "Dial-In" or "Dial-Out" on the page "PPTP server" the checkbox "Activate PPTP server".
In order to display the messages of the last connection, select the link "Display log of last connection".
In order to select the authentication method for the PPTP client at the server, select it from the drop-down list "Authentication". If the data traffic via the PPTP connection is to be encrypted using MPPE, the authentication type MS-CHAP-v2 is mandatory.
In order to select the encryption for the PPTP connection, select this from the drop-down list "Encryption". The same encryption must also be configured for the client.
In order to adjust the MTU (maximum permissible number of bytes in a packet to be received), change the entry in the entry field "MTU (Maximum Transmission Unit)".
In order to adjust the MRU (maximum permissible number of bytes in a packet to be sent), change the entry in the entry field "MRU (Maximum Receive Unit)".
The default settings of MTU and MRU are suitable for most applications and usually do not need to be modified.
Enter the IP address of the local tunnel end into the field "IP address of VPN tunnel local". If no explicit address is specified, the PPTP server will use the IP address 192.168.0.1. If this address is already reserved, another address can be specified here.
Define the available IP address pool for the tunnel ends of the PPTP clients in the fields "IP address pool". This pool must be in the network of the LAN. The PPTP clients address their destination directly with IP addresses in the LAN of the MLR 3G 2.0.
In order to add a new user that is permitted to connect as a PPTP client, enter a user name and a password into the respective fields. Click on "OK" to accept the user. You can delete existing users by checking the checkbox in the column "delete" of the respective user and clicking on "OK".
In order to confirm all settings for the loaded tunnel made above, click on "OK".
10.5.7 PPTP Client Basic Settings
The basic settings for the MLR 3G 2.0 as PPTP client are configured here. All packets through the PPTP tunnel are masked by the MLR 3G 2.0 with its tunnel address.
Configuration with the web interface
In order to use the MLR 3G 2.0 as PPTP client, check in the menu "Dial-In" or "Dial-Out" on the page "PPTP client" the checkbox "Activate PPTP client".
In order to display the messages of the last connection, select the link "Display log of last connection".
In order to define the IP address or the domain name of the remote terminal to which the MLR 3G 2.0 is to establish the VPN connection, enter an IP address or a domain name in the field "IP address or domain name of remote site".
Enter the user name and the password of the PPTP client for login to the server into the respective fields.
In order to select the encryption for the PPTP connection, select this from the drop-down list "Encryption". The encryption that is also used by the PPTP server must be selected.
In order to set the default route to this PPTP tunnel, check the checkbox "Set default route". The complete data traffic will then be routed through the tunnel. However, this is only possible if no preferred default route has been set before.
If no default route to the tunnel is set, the local subnet behind the tunnel must be defined. Enter this network with its netmask into the field "Remote subnet". Only then will packets for the network behind the PPTP tunnel be routed through the tunnel.
In order to adjust the MTU (maximum permissible number of bytes in a packet to be received), change the entry in the entry field "MTU (Maximum Transmission Unit)".
In order to adjust the MRU (maximum permissible number of bytes in a packet to be sent), change the entry in the entry field "MRU (Maximum Receive Unit)".
The default settings of MTU and MRU are suitable for most applications and usually do not need to be modified.
In order to additionally send a ping via the ICMP protocol to a domain or an IP address, enter it into the entry field "Additional ICMP Ping to". It is recommended to enter a domain name or IP address here that is only reachable via the tunnel. If the ping is not successful, a possibly existing tunnel will be terminated and a new tunnel will be established. The ping interval is 15 minutes.
If a tunnel aborts, it will not be re-established automatically; it is only re-established after a new WAN connection has been established. Therefore, the condition of the tunnel should be checked using an ICMP ping in any case.
In order to confirm all settings for the loaded tunnel made above, click on "OK".
10.5.8 IPsec
IPsec (Internet Protocol Security) is a security protocol for secure communication via IP networks and can be used to set up virtual private networks (VPN). Two subnets can be connected together via a secure tunnel using two suitable routers (e.g. MoRoS 2.1). It is possible to configure up to 10 different tunnels.
Configuration with the web interface
In order to use IPsec for a connection, check in the menu "Dial-In" or "Dial-Out" on the page "IPsec" the checkbox "Activate IPsec".
In order to display the current state of the IPsec tunnels, select the link "IPsec current state".
In order to display the messages of the last connection, select the link "Display log of last connection".
In order to configure NAT traversal, use the drop-down list "NAT-Traversal" to select the desired option. If you select "activate" (default setting), all ESP packets are additionally encapsulated in UDP packets and sent using UDP port 4500 if a NAT router is detected. If you select "force", this behaviour will be enforced without checking for a NAT router (the remote terminal must also have NAT traversal enabled in this case). If you select "deactivate", UDP encapsulation is prevented, which might lead to problems in operation with a NAT router. This setting applies to all tunnels.
In order to configure the interval of the keep alive packets that are sent if NAT traversal is used, enter the time in seconds into the field "Keep alive interval". This can prevent, for example, a stateful firewall from blocking the connection after an extended period of inactivity.
In order to select the tunnel whose settings are to be edited, select the desired tunnel from the drop-down list "Tunnel name" and then click on the button "load to edit". If settings have been made to the currently loaded tunnel, these must be saved using the "OK" button before a new tunnel is loaded, to prevent these settings from getting lost. Loading a tunnel does not save settings that have been made!
In order to activate the loaded tunnel, check the checkbox "Activate tunnel".
In order to assign a descriptive name to the loaded tunnel, enter it into the field "Tunnel name". This makes the assignment of messages in the log or status view easier.
In order to specify the remote terminal to which the tunnel is to be established, enter the IP address or the domain name of the remote terminal into the field "IP address or domain name of remote site". If no remote terminal is specified, incoming connection requests from all remote terminals are accepted, but no connection can be initiated.
In order to define a network behind the switch of the MLR 3G 2.0 to be tunnelled, enter this network with its netmask into the field "Local subnet". This does not have to be the actual local subnet, but can also be behind further gateways. In such a case, it must be ensured that the required routing rules are entered correctly. If this field is not completed, the local subnet is used automatically.
In order to define the local subnet behind the remote terminal, enter this network with its netmask into the field "Remote subnet". Only data that is addressed to this network is packed into ESP packets.
In order to specify the ID of the remote terminal, enter it into the field "Remote ID". The respective IP address is used as ID by default. If the actual IP address differs from the received ID (e.g. due to NAT routers in between) or is unknown, the ID of the remote terminal can be specified explicitly (a self-defined string, which must contain an "@"). When using certificates, the DN (Distinguished Name) is used as ID by default. The domain name of the remote terminal can also be used as ID, because it is resolved by a DNS lookup.
In order to adjust the own ID, enter it into the field "Local ID". This is only necessary if the default ID cannot or shall not be used.
In order to specify the authentication mode, select it in the drop-down list "Authentication mode". The main mode is more secure, because all authentication data is transmitted encrypted. The aggressive mode is quicker, because it does not use encryption and the authentication is performed via a passphrase.
In order to define encryption and hash algorithms as well as the Diffie-Hellman group for the IKE key exchange, select these from the drop-down lists "IKE algorithms".
In order to define encryption and hash algorithms for the IPsec connection, select these from the drop-down lists "IPsec algorithms".
In order to enter the maximum number of connection attempts after which a remote terminal is considered as not available, enter this into the field "Maximum retries". A value of "0" means an infinite number of attempts here.
In order to mask the received packets with the local IP address of the MLR 3G 2.0, check the checkbox "Mask packets through tunnel". The recipient of the packets will then see the local IP address of the MLR 3G 2.0 as sender, not the address of the original sender from the local net of the remote terminal.
In order to configure the dead peer detection, enter the interval in seconds at which requests are sent to the remote terminal into the field "Dead peer detection interval" and the maximum time in seconds within which these requests must be answered into the field "Dead peer detection timeout". Select the behaviour for a connection that is considered as interrupted in the drop-down list "Action on dead peer". If you select "restart" (default setting) here, the connection will be restarted; for "clear", it will be terminated; and for "hold", it will be held.
In order to enable perfect forward secrecy, check the checkbox "Activate perfect forward secrecy". This can prevent the next key from being discovered more quickly from a compromised encryption key. Both remote terminals must have matching settings to be able to establish the connection.
In order to configure the interval for the key renegotiation, enter the value in seconds into the field "Interval for renegotiation of data channel key". The minimum value is 3600 seconds (1 hour). The regular renewal of the used keys can ensure the security of the IPsec connection for a longer period.
In order to send an additional ping via the ICMP protocol to an IP address, enter this address, which must be located in the local subnet of the remote terminal, into the field "Additional ICMP ping to". If the ping is not successful, a possibly existing tunnel will be terminated and a new tunnel will be established. The ping interval is 15 minutes.
In order to configure the authentication for an IPsec connection, select either the radio button "Authentication based on certificates" or the radio button "Authentication with pre shared key (PSK)". The authentication with certificates can be used for the main mode. It is indicated under the option whether the individual certificates and keys are present (green checkmark) or not (red cross). Present certificates can also be downloaded (blue arrow) or deleted again (red cross on white box). The private key can only be deleted. The authentication with passphrase can be used for main mode and aggressive mode. The passphrase, which must be used by all IPsec participants, must be entered into the field below the option for this.
In order to confirm all settings for the loaded tunnel made above, click on "OK".
In order to upload a certificate or key, click on the "Browse..." button in the section "Upload key or certificates". Then, select the desired file on the respective data carrier in the "Upload file" window and click on the "Open" button. If the file is encrypted, you must also enter the password into the "Password (only with encrypted file)" field. Then click on "OK" to upload the file.
10.6 Redundant Communication Device
10.6.1 Configure Redundant Communication Device
To increase the operational safety and availability of the MLR 3G 2.0, you can connect a second communication device to provide a redundant transmission path. This means that you can still use a second transmission path (e.g. modem) in case one transmission path (e.g. mobile radio) fails. Several combinations of modem, ISDN and GSM/GPRS/EDGE/UMTS devices are possible. Just connect another INSYS communication device to the serial interface of the MLR 3G 2.0. The MLR 3G 2.0 will automatically recognize during the next system start that a redundant transmission device is available and will change the web interface accordingly for configuration.
Please contact your sales partner or INSYS Microelectronics to find out which other INSYS device is suitable for the connection as a redundant communication device.
If the serial Ethernet gateway is enabled, a redundant communication device cannot be used. The options for the redundant communication device are not displayed. If the sandbox is enabled and the serial interface is reserved for the sandbox in addition, the sandbox has priority, i.e. redundant communication device and serial Ethernet gateway are disabled.
Configuration with the web interface
If the MLR 3G 2.0 finds a redundant communication device at its serial interface during the system start, the menus Dial-In and Dial-Out provide further options.
In order to configure Dial-In for redundant operation, select in the menu "Dial-In" on the page "Dial-In" which communication device is to be used for Dial-In. You will have the option to activate Dial-In via one of the two communication devices, via both communication devices, or not at all.
In order to configure Dial-Out for redundant operation, select in the menu "Dial-Out" on the page "Dial-Out" which communication device is to be used for Dial-Out. You will again have the option to activate Dial-Out via one of the two communication devices, via both communication devices, or not at all. You can also define which communication device should be used preferably. The second communication device is only used when the dialling attempt using the first device is not successful. In the menu "Dial-Out", you must also enter the destination phone number and the PPP dial-up parameters for each of the two communication devices individually.
Save your settings by clicking "OK".
10.7 Configurable Switch
10.7.1 Querying Configuration and Status of the Switch Ports
The switch of the MLR 3G 2.0 is configurable. This means that you can determine for each switch port individually which transmission rate should be used and whether it is to be operated in half-duplex or full-duplex mode. You can also check via the web interface to which switch port a cable is connected and whether a physical connection exists.
Configuration with the web interface
You can see the current configuration of the individual switch ports in the menu "Switch" on the page "Port configuration" next to the port list.
The coloured fields indicate whether a cable is connected to the switch. These fields represent the four switch ports. A box is green if a network cable is connected, and red if no cable is connected or no physical connection to the network exists.
10.7.2 Configuring Switch Ports
You can determine which switch port is operated with which transmission rate and whether it is operated in half-duplex or full-duplex mode. You can also determine whether auto negotiation (the recognition of the network cabling) is available at each port. These settings may be required if end devices have problems with the automatic recognition of the connection parameters. You can determine how the events at the network and the states of the switch ports are displayed at the switch port status LEDs.
Configuration with the web interface
In order to enable or disable the respective switch port, use in the menu "Switch" on the page "Port configuration" the checkbox "active" of the respective switch port.
In order to enable or disable auto negotiation, use in the menu "Switch" on the page "Port configuration" the checkbox "Auto negotiation" of the respective switch port.
In order to define the transmission rate of a switch port, use the radio buttons "10 Mbit/s" and "100 Mbit/s".
To operate a switch port in full-duplex or half-duplex mode, use the radio buttons "Half-duplex" and "Full-duplex".
Save your settings by clicking "OK".
10.7.3 Configuring the LED Display of the Switch Ports
You can determine how the events at the network and the states of the switch ports are displayed at the switch port status LEDs. We recommend not to change the basic settings and to change the displays only temporarily for diagnosis purposes.
Configuration with the web interface
Select the colour of the switch port status LED for the respective network event or port state in the menu "Switch" on the page "LED configuration" via the radio buttons.
Save your settings by clicking "OK".
10.7.4 Configuring VLAN
The switch of the MLR 3G 2.0 can be divided into up to four VLANs. The VLANs are designated VLAN A, VLAN B, VLAN C, and VLAN D. The ports 1 to 4 are the switch ports accessible from outside. The MLR 3G 2.0 itself is connected to the 4-port switch via an internal port. The membership of a port in a VLAN can be defined. The MLR 3G 2.0 can also belong to a VLAN. Each Ethernet packet that belongs to a VLAN is marked by an identifier (tag). The VLAN tag contains the VLAN ID amongst others. Each port that belongs to a VLAN will automatically insert the VLAN tag into received packets if it is not already contained in the packet.
Configuration with the web interface
In order to enable the VLAN configuration, check in the "Switch" menu on the "VLAN configuration" page the checkbox "Activate VLAN configuration".
In order to assign a port or the router to a VLAN, check the respective checkbox in the configuration matrix.
In order to specify a VLAN ID for a VLAN, enter it into the field "VLAN ID".
In order to specify for a port that belongs to a VLAN whether it shall insert a VLAN tag into every received packet or remove a possibly already existing one, use the radio buttons "Insert VLAN tag" or "Remove VLAN tag" for the respective port. If a port shall belong to several VLANs, the VLAN tag must not be removed. The device connected to this port must be able to interpret these VLAN tags. The VLAN tags will always be removed for packets to the router.
Save your settings by clicking "OK".
Note
Loss of availability!
The configuration will be transferred to the switch immediately after clicking on "OK". This may result in the MLR 3G 2.0 no longer being accessible.
Therefore, configure the set VLAN on your locally connected device accordingly.
10.7.5 Configuring Port Mirroring
With port mirroring, you can copy the data traffic of a switch port to another, definable switch port, called the sniffer port. This enables you to read the network traffic for analysis purposes. The transmitted and received packets (TX/RX) of certain ports can be mirrored separately to a sniffer port, where the network traffic can be read.
Configuration with the web interface
To use a port as sniffer port, select the according port in the menu "Switch" on the page "Port mirroring" in the drop-down menu "Sniffer port".
Select in the drop-down menu "TX mirroring to sniffer port" the port whose TX line data you want to copy to the sniffer port.
Select in the drop-down menu "RX mirroring to sniffer port" the port whose RX line data you want to copy to the sniffer port.
Save your settings by clicking "OK".
10.8 Serial Ethernet Gateway
10.8.1 Setting up the Serial Ethernet Gateway
The serial Ethernet gateway enables serial end devices that are connected to the serial interface of the MLR 3G 2.0 to be addressed from the local network of the MLR 3G 2.0 or from a remote network. The data that is sent to a configurable network port of the MLR 3G 2.0 is output at the serial interface of the MLR 3G 2.0. The serial Ethernet gateway connection can either be maintained permanently (leased line mode) or set up when required (connection on request).
If the serial Ethernet gateway is enabled, a redundant communication device cannot be used at the serial interface. If the sandbox is enabled and the serial interface is reserved for the sandbox in addition, the sandbox has priority, i.e. redundant communication device and serial Ethernet gateway are disabled.
Configuration with the web interface
In order to enable the serial Ethernet gateway, check in the menu "Serial Ethernet" on the page "Serial Ethernet" the checkbox "Activate serial Ethernet gateway".
In order to display the current state of the serial Ethernet gateway, click on the link "Serial Ethernet gateway current state".
In order to display the log of the serial Ethernet gateway, click on the link "Serial Ethernet gateway log".
In order to configure the display of the serial Ethernet gateway log, enter on the page "Serial Ethernet gateway log" the update interval of the log in seconds into the field "Refresh after" and the number of lines to be displayed into the field "show last … lines", and select "OK".
In order to configure the operation mode of the serial Ethernet gateway, select either the radio button "Leased line mode" or "Connection on request".
In order to use an IPT connection, check the checkbox "Use IPT". In this case, the IPT slave must also be configured and enabled in the menu "Server services" on the page "IPT".
In order to increase the time between connection attempts in leased line mode, check the checkbox "increase reconnection interval". In this case, the interval between the connection attempts will increase (1, 5, 15, 30, 60 minutes). Otherwise, the MLR 3G 2.0 will try to establish a connection every minute if it is interrupted.
In order to enable incoming connections in "Connection on request" mode as well, check the checkbox "Accept incoming connection" and enter the port on which the serial Ethernet gateway reacts to incoming connections into the entry field "TCP port" (it is possible to allow incoming and outgoing connections at the same time). If an incoming or outgoing connection is active in this case, the other is not available until the active connection is closed.
In order to specify that the connection is only accepted if a UDP authentication of an INSYS VCom has taken place, check the checkbox "incoming" in the "VCom authentication" section. An existing connection will be terminated
by a VCom authentication that takes place during the existing connection. This setting is ignored if IPT is used.
In order to specify that an ATD dialling command triggers an outgoing connection, select the radio button "triggered by dialling command ATD" in the "Outgoing connection" section. Then, the serial interface will be operated in AT command mode and a connection must be initiated by an ATD command. The serial Ethernet gateway expects the dialling command ATD via the serial interface with the destination as IP address or domain name, followed by the TCP port (e.g. ATD192.168.1.1:1234 or ATD"name.company.com":1234). When using IPT, only the IPT number is specified here (e.g. ATD12345).
In order to specify that a character on the serial interface triggers an outgoing connection, select the radio button "triggered by serial character" in the "Outgoing connection" section. Then, a connection will be established as soon as a WAN connection is established. A destination must be specified in this operation mode. Enter the IP address or the domain name of the target into the "IP address or domain name" field and the port into the "Port" field. Alternatively, for an IPT connection, enter the IPT number into the "IPT dial number" field. A secondary target can be entered optionally, to which a connection will be established if the primary target is not available. If the connection set-up fails, a new connection set-up cannot be performed before 5 minutes have expired.
In order to specify that an active WAN connection triggers the set-up of an outgoing connection, select the radio button "triggered by active WAN connection" in the "Outgoing connection" section. Then, a connection will be established as soon as a WAN connection is established. A destination must be specified in this operation mode. Enter the IP address or the domain name of the target into the "IP address or domain name" field and the port into the "Port" field. Alternatively, for an IPT connection, enter the IPT number into the "IPT dial number" field. A secondary target can be entered optionally, to which a connection will be established if the primary target is not available.
In order to establish a connection in leased line mode, it is also necessary to enter the IP address or the domain name of the target as well as the port or the IPT dial number. A secondary destination can be entered optionally.
In order to use authentication via TCP or UDP at an INSYS VCom for outgoing connections, select either the radio button "UDP" or "TCP" for "outgoing" in the "VCom authentication" section. This authentication will also be used in leased line mode. This setting is ignored if IPT is used.
Save your settings by clicking "OK". The serial Ethernet gateway will be restarted with this. Existing serial Ethernet gateway connections will be terminated.
10.8.2 Configuring the Serial Ethernet Gateway
The serial Ethernet gateway of the MLR 3G 2.0 allows a comprehensive configuration of the serial interface and of the packing of the data arriving there into TCP packets. It is also possible to use the Telnet protocol. RFC 2217 is also supported with this, which allows the serial interface parameters to be modified during operation via a Telnet connection.
Configuration with the web interface
In order to configure the serial interface speed, select in the menu "Serial Ethernet" on the page "Configuration" the speed in the drop-down list "Speed (in Bit/s)".
Configure the data format of the serial interface in the drop-down lists "Data bits / Parity bits / Stop bits".
Select the data flow control (hardware, i.e. RTS/CTS, or software, i.e. XON/XOFF) in the drop-down list "Flow control". If the connected serial device does not support the respective data flow control, you must not use it.
In order to use the control lines DCD and DTR, check the checkbox "Use modem control lines".
In order to reset the control lines after the connection is terminated, check the checkbox "Reset modem control lines after connection termination".
In order to specify the maximum block size at which the serially received data are packed into a TCP packet and sent, enter the value into the field "Maximum block size".
In order to specify the maximum time until a TCP packet is packed, enter the time in milliseconds into the field "Aggregation timeout". If this time has expired, the serially received data will be packed into a TCP packet and sent, even if the maximum block size has not yet been reached. This timer is only restarted if the RS232 input buffer is empty and the first character is received. The subsequent characters do not reset the timer.
In order to close the serial Internet connection automatically if no data is transmitted any more, enter a timeout value in seconds into the field "Idle time". If no data transfer takes place for as long as specified here, the connection will be closed. To ensure that the connection is never closed, set the value to "0". The value "0" is the default setting.
In order to enable sending keep alive packets, enter the sending interval of the packets in seconds into the field "Keep alive interval". This function is disabled by entering "0". If the serial Ethernet gateway receives no reply to a keep alive packet three consecutive times, the connection will be considered as interrupted and the serial Ethernet gateway terminates the connection.
In order to use the Telnet protocol, check the checkbox "Use Telnet protocol". In this case, the serial Ethernet gateway filters all Telnet commands from the incoming TCP data and replies to them. Additionally, the serial and the TCP data stream are adjusted so that Telnet control characters are transmitted error free.
Save your settings by clicking "OK".
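The interplay of "Maximum block size" and "Aggregation timeout" described above, modelled as an added example (not INSYS code): the timer is armed only by the first byte that enters an empty buffer, and the restart_timer_on_every_byte switch contrasts this with a packetizer that restarts the timer on every character. The event trace is constructed.

```python
"""Model of the serial Ethernet gateway packetizing rule: serial bytes are sent
as one TCP packet when "Maximum block size" is reached or when "Aggregation
timeout" has elapsed since the FIRST byte entered an empty buffer.
Added example for this manual, not INSYS code; the trace below is constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packetizer:
    max_block_size: int                          # "Maximum block size" in bytes
    aggregation_timeout_ms: int                  # "Aggregation timeout" in milliseconds
    restart_timer_on_every_byte: bool = False    # False = behaviour the manual describes
    packets: List[bytes] = field(default_factory=list)
    _buf: bytearray = field(default_factory=bytearray)
    _deadline_ms: Optional[int] = None           # armed by the first byte into an empty buffer

    def feed(self, byte: int, now_ms: int) -> None:
        """One byte received from the RS232 interface at time now_ms."""
        self.tick(now_ms)   # a timeout that elapsed before this byte flushes first
        if not self._buf or self.restart_timer_on_every_byte:
            self._deadline_ms = now_ms + self.aggregation_timeout_ms
        self._buf.append(byte)
        if len(self._buf) >= self.max_block_size:
            self._flush()

    def tick(self, now_ms: int) -> None:
        """Apply the aggregation timeout; call periodically or before each byte."""
        if self._buf and self._deadline_ms is not None and now_ms >= self._deadline_ms:
            self._flush()

    def _flush(self) -> None:
        self.packets.append(bytes(self._buf))
        self._buf.clear()
        self._deadline_ms = None


def run_trace(trace: List[Tuple[int, int]], max_block_size: int,
              aggregation_timeout_ms: int, end_ms: int,
              restart_timer_on_every_byte: bool = False) -> List[bytes]:
    """Replay (time_ms, byte) events and return the TCP payloads in send order."""
    p = Packetizer(max_block_size, aggregation_timeout_ms, restart_timer_on_every_byte)
    for t, b in trace:
        p.feed(b, t)
    p.tick(end_ms)      # let the final timeout expire
    return p.packets


# Constructed trace: a 4-byte burst "ABCD", then "E", "F", "G" 40 and 20 ms apart
SAMPLE_TRACE = [(0, 0x41), (10, 0x42), (20, 0x43), (30, 0x44),
                (100, 0x45), (140, 0x46), (160, 0x47)]

if __name__ == "__main__":
    # block size 4 bytes, aggregation timeout 50 ms, trace ends at 400 ms
    print(run_trace(SAMPLE_TRACE, 4, 50, 400))        # [b'ABCD', b'EF', b'G']
    print(run_trace(SAMPLE_TRACE, 4, 50, 400, True))  # [b'ABCD', b'EFG']
```

With the manual's rule, "G" arriving 60 ms after "E" lands in a new packet because the timer armed by "E" had already expired; a timer restarted per character would have merged all three bytes.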
10.8.3 Modem Emulator
The serial Ethernet gateway can emulate a modem. It provides a series of AT commands for this. A modem will be emulated for each connection type with this function. If an outgoing connection has been triggered by the ATD command, the modem emulator will always be used, even if it is disabled. The following AT commands are supported:
AT command              Description
ATD<IP>:<port>          Connection set-up to <IP>:<port> or <domain>:<port>. Following this, the serial Ethernet gateway is in data mode.
ATD"<domain>":<port>
ATDL                    Redialling of the last dialled connection (only possible as long as the serial Ethernet gateway has not been restarted).
ATH                     The serial Ethernet gateway closes the serial Internet connection.
ATE<n>                  Configuring the echo behaviour: ATE0 echo disabled; ATE1 echo enabled (default).
+++                     Puts the serial Ethernet gateway into command mode (a pause of at least one second is necessary before and after the string).
ATO                     Change from command mode into data mode.
ATQ<n>                  Configuring the quiet behaviour: ATQ0 messages are sent (default); ATQ1 no messages are sent.
ATV<n>                  Configuring the message format: ATV0 messages in short format, i.e. only the error number; ATV1 messages in long format, i.e. the error text (default).
ATS0=<n>                Automatic call acceptance after <n> ring tones (<n> = 0 for disabling the automatic call acceptance).
Table 12: List of the AT commands supported by the serial Ethernet gateway
Moreover, a reply to the ATI command is defined in the default AT answer file.
Configuration with the web interface
In order to enable the modem emulator, check in the menu "Serial Ethernet" on the page "Modem emulator" the checkbox "Activate modem emulator".
In order to enable the echo function using the ATE command in the modem emulator, check the checkbox "Enable echo (ATE)".
In order to disable the answers using the ATQ command in the modem emulator, check the checkbox "Disable answers (ATQ)".
In order to enable the verbose answers using the ATV command in the modem emulator, check the checkbox "Enable verbose answers (ATV)".
In order to configure the number of ring tones until call acceptance, enter the number of ring tones into the field "Number of rings until connection is answered (ATS0)".
In order to configure the default answer for unknown commands, enter this into the field "Default answer for unknown commands". If nothing is entered here, the message "ERROR" is returned in case of an unknown or invalid AT command.
In order to upload an AT answer file, click on the "Browse…" button and locate the respective file. The file will be uploaded after clicking on "OK". This file must be a text file, which defines an associated answer for each desired AT command. Each line in this text file defines a "command-answer pair" in the form <i="Serial Ethernet Gateway Version 1.0">. The part preceding the "=" indicates the command (here "i" for ati; the "at" must be removed) and the part following in quotation marks indicates the associated answer (here "Serial Ethernet Gateway Version 1.0"). In this case, the message "Serial Ethernet Gateway Version 1.0" would be replied to the ati command. A multi-line answer within the quotation marks is possible. Capitalization is ignored. Moreover, the order of the entries must be observed. If an answer is defined for the atxy command and for the atx command, for example, the entry for the atxy command must be entered before the entry for the atx command, because otherwise the entry for the atx command would be found first and processed after entering the atxy command, before looking for an aty command, which does not exist.
In order to download the current AT answer file, click on the link "Download current AT answer file".
Save your settings by clicking "OK".
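The following Python code is an added example, not INSYS code, showing how such an AT answer file can be parsed and why the order of the entries matters. The file contents are constructed, and the iterative prefix matching in respond() is this example's reading of the explanation given above for the atxy/atx case.

```python
"""Parser and lookup for the modem emulator's AT answer file.

Added example, not INSYS code. The format follows the manual: each entry is
<command="answer">, the command is written without the leading "at", answers
may span several lines, capitalization is ignored and entries are searched in
file order. Iterative prefix matching is this example's reading of the manual's
explanation of why "xy" must be listed before "x". File contents are constructed.
"""
import re
from typing import List, Tuple

# DOTALL lets an answer span several lines inside the quotation marks
ENTRY_RE = re.compile(r'<([^=<>"]+)="(.*?)">', re.DOTALL)


def parse_answer_file(text: str) -> List[Tuple[str, str]]:
    """Return (command, answer) pairs in file order; commands are lower-cased."""
    return [(cmd.strip().lower(), answer) for cmd, answer in ENTRY_RE.findall(text)]


def respond(line: str, entries: List[Tuple[str, str]], default: str = "ERROR") -> List[str]:
    """Answer one AT command line from the answer file.

    The text after "at" is compared against the entries in file order; the first
    entry whose command is a prefix of the remaining text is taken, its answer is
    emitted and matching continues with the rest. If nothing matches, the default
    answer (the manual's "ERROR") is emitted for the remainder.
    """
    rest = line.strip().lower()
    if not rest.startswith("at"):
        return [default]
    rest = rest[2:]
    answers: List[str] = []
    while rest:
        for cmd, answer in entries:
            if cmd and rest.startswith(cmd):
                answers.append(answer)
                rest = rest[len(cmd):]
                break
        else:                               # no entry matched the remaining text
            answers.append(default)
            break
    return answers or [default]


# Constructed answer files: "xy" before "x" (correct order) and the reverse.
GOOD_FILE = '''<i="Serial Ethernet Gateway Version 1.0">
<xy="XY answer">
<x="X answer">
<z="first line
second line">
'''
BAD_FILE = '''<x="X answer">
<xy="XY answer">
'''

if __name__ == "__main__":
    good, bad = parse_answer_file(GOOD_FILE), parse_answer_file(BAD_FILE)
    for cmd in ("ATI", "atxy", "atz", "atq"):
        print(cmd, "->", respond(cmd, good))
    print("atxy with wrong order ->", respond("atxy", bad))
```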
10.9 Messages
10.9.1 Configuring the Message Dispatch
The MLR 3G 2.0 can send an e-mail or SMS to any recipient on different events or trigger an SNMP trap. A series of pre-defined events are available for this, like set-up of connections or VPN tunnels for example.
Configuration with the web interface
In order to enable sending e-mails, you must enter the necessary data for the e-mail account in the menu "Messages" on the page "Configuration" in the section "E-mail". Enter the e-mail address into the field "E-mail address" for this. Enter the first and last name of the person holding the e-mail account (or any text) into the field "Real name". Enter the domain name or the IP address of the SMTP server into the field "SMTP server" as well as the port, at which the SMTP server receives e-mails, into the field "SMTP port" (usually port 25). Enter the user name for the e-mail account into the field "User name" as well as the associated password into the field "Password".
In order to enable the SMS dispatch, you have to enter the number of the SMS Service Center of your mobile phone provider in the menu "Messages" on the page "Configuration" in the section "SMS" into the field "SCN (Service Center Number) SIM card 1". If you use a second SIM card, enter the SCN for this SIM card into the entry field "SCN (Service Center Number) SIM card 2".
In order to enable triggering of SNMP traps, you must specify the SNMP version in the menu "Messages" on the page "Configuration" in the section "SNMP traps". In order to use SNMP v2c, select the radio button "SNMP v2c". Moreover, the community string must be entered into the field "Community". In order to use SNMP v3, select the radio button "SNMP v3". Moreover, the community string must be entered into the field "Community". In order to use an optional SNMP v3 authentication, select the authentication method in the drop-down list field "Authentication" and enter the password for the authentication (at least 8 characters) into the respective field. In order to use an optional SNMP v3 encryption, select the encryption method in the drop-down list field "Encryption" and enter the password for the encryption (at least 8 characters) into the respective field. Authentication is a precondition for encryption.
Save your settings by clicking "OK".
10.9.2 Enable SMS Receipt
The MLR 3G 2.0 can receive SMS and evaluate the content. Different commands can be transmitted to the MLR 3G 2.0 with this, also password-protected. Received SMS can optionally be acknowledged. A new SMS with the received text will be sent back to the sender in this case.
The commands must be sent in the format [<password>, ]<command>.
We strongly recommend using password protection.
If a password is configured, the SMS must contain first the password and then, separated by a comma, the command; otherwise, the SMS will not be processed. Conversely, the SMS must not contain a password if none is configured. The password is case-sensitive. Blanks outside the password will be ignored. Several commands in one SMS are not supported; only the first command would be executed. The commands are not case-sensitive. The following commands are processed:
Command     Effect
dial        A dial-out connection will be started or an existing dial-out connection would be restarted.
openvpn     The OpenVPN connection will be restarted. An existing tunnel will be terminated with this.
ipsec       The IPsec connection will be restarted. All existing tunnels will be terminated with this.
pptp        The PPTP connection will be restarted. All existing tunnels will be terminated with this.
reset       The device will be restarted.
sandbox     The sandbox will be restarted.
serial      The Serial Ethernet Gateway initiates an outgoing connection.
update      An automatic update will be performed.
Table 13: List of SMS commands
SMS messages that do not comply with this syntax can optionally be forwarded to the sandbox. The subdirectory "/var/spool/sms_in" must exist in the sandbox image for this. The SMS will be filed in it with a random file name. The first line of the file contains the phone number of the sender; the further lines contain the SMS text. If a password is configured, incoming SMS are forwarded to the sandbox in the following way: If an SMS text contains a valid password, the password and the following comma will be removed from the forwarded text. A text with invalid or missing password will be forwarded as it is.
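The SMS evaluation rules above (password prefix, first command only, forwarding to the sandbox) worked through in Python, as an added example that is not INSYS code. The command set is taken from Table 13; the phone number and texts are constructed, and keeping the remainder of the text verbatim after removing the password is this example's choice.

```python
"""Evaluation of received SMS commands as described in the manual.

Added example, not INSYS code. Rules applied: format [<password>, ]<command>;
the password is case-sensitive and blanks outside it are ignored; commands are
not case-sensitive; only the first command counts; an SMS that does not match
is forwarded to the sandbox, with a valid password and the following comma
removed. Keeping the rest of the text verbatim after the comma is this example's
choice; the phone number and texts are constructed.
"""
import re
from typing import Optional, Tuple

SMS_COMMANDS = {"dial", "openvpn", "ipsec", "pptp", "reset", "sandbox", "serial", "update"}
FIRST_WORD = re.compile(r"\s*(\w+)")


def evaluate_sms(text: str, password: Optional[str]) -> Tuple[str, str]:
    """Return ("execute", <command>) or ("forward", <text handed to the sandbox>)."""
    if password:
        head, sep, tail = text.partition(",")
        if not sep or head.strip() != password:   # password missing or wrong (case-sensitive)
            return "forward", text                 # forwarded as it is
        forwarded = tail                           # password and comma removed
    else:
        forwarded = text                           # no password configured: none may be sent
    match = FIRST_WORD.match(forwarded)
    if match and match.group(1).lower() in SMS_COMMANDS:
        return "execute", match.group(1).lower()   # only the first command is executed
    return "forward", forwarded


def spool_record(sender: str, forwarded_text: str) -> str:
    """Content of the file placed in /var/spool/sms_in: sender number, then the text."""
    return f"{sender}\n{forwarded_text}\n"


if __name__ == "__main__":
    for sms in ("s3cret, Reset", "S3CRET, reset", "reset", "s3cret, hello world"):
        action, payload = evaluate_sms(sms, "s3cret")
        print(f"{sms!r:28} -> {action}: {payload!r}")
    print(spool_record("+491701234567", "hello world"), end="")
```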
Configuration with the web interface
In order to enable SMS receipt, check in the menu "Messages" on the page "Configuration" the checkbox "Activate reception of SMS".
In order to configure the MLR 3G 2.0 for acknowledgement of an SMS receipt, check the checkbox "Acknowledge incoming SMS". Then, EVERY received SMS will be acknowledged with a reply SMS, not only SMS for executing commands.
Only the receipt of the SMS will be acknowledged, not the action associated with it. If the action is to be acknowledged, this must be configured as a message.
In order to configure a password for SMS receipt, enter this into the field "Password". The password may consist of letters (upper and lower case without umlauts), numbers, punctuation marks (without comma), parentheses, underscore, blank and the characters %, & and * and have a length of 20 characters.
In order to forward SMS that cannot be evaluated to the sandbox, check the checkbox "Forward not processable SMS to sandbox". Then, all SMS that cannot be evaluated by the MLR 3G 2.0 will be forwarded to the sandbox to process them there.
Save your settings by clicking "OK".
10.9.3 Configuring E-Mail Dispatch
The MLR 3G 2.0 can send an e-mail to any recipient on different, pre-defined events. An attachment, which can be selected from different log files, can be attached to every e-mail. Moreover, it is possible to attach the status page of the web interface to the message text. The MLR 3G 2.0 allows creating and managing a series of different combinations of recipient, event, attachment, and text.
Sending an e-mail is only possible if the access data for the e-mail account are entered correctly in the menu "Messages" on the page "Configuration".
Configuration with the web interface
In order to enable e-mail dispatch, check in the menu "Messages" on the page "E-mail" the checkbox "Activate e-mail messages".
In order to create an e-mail message, you have to define this in the section "Create new e-mail". Enter the e-mail address of the recipient into the field "Recipient" for this. Select from the drop-down list "Event" the respective event for triggering the e-mail dispatch. Select from the drop-down list "Attachment" the respective log file to be attached to the e-mail. If this file is not present on the MLR 3G 2.0, the e-mail will be sent without attachment. Check the checkbox "Attach current status to message text", if the status page of the web interface is to be attached to the message text. Enter the message text into the field "Text".
Save your settings by clicking "OK".
In order to temporarily switch off e-mail messages, uncheck in the section "Existing e-mails" the check box in the column "active" in the e-mail message overview. Click on "OK" to confirm the settings.
In order to delete one or more e-mail messages, check in the section "Existing e-mails" the check box in the column "delete" in the e-mail message overview. Click on "OK" to confirm the settings.
10.9.4 Configure SMS Dispatch
The MLR 3G 2.0 can send an SMS to any recipient on different, pre-defined events. The text of an SMS message can consist of up to 140 characters; not all characters are permissible, and those that are not are removed from the entered text automatically by the MLR 3G 2.0 when the settings are taken over. The MLR 3G 2.0 allows creating and managing a series of different combinations of recipient, event, and text.
Sending an SMS is only possible if the SCN is entered correctly in the menu "Messages" on the page "Configuration".
Configuration with the web interface
In order to enable SMS dispatch, check in the menu "Messages" on the page "SMS" the checkbox "Activate SMS".
In order to create an SMS message, you have to define this in the section "Create new SMS". Enter the phone number of the recipient into the field "Telephone number" for this. Select from the drop-down list "Event" the respective event for triggering the SMS dispatch. Enter the message text into the field "Text".
Save your settings by clicking "OK".
In order to temporarily switch off SMS messages, uncheck in the section "Existing SMS" the check box in the column "active" in the SMS message overview. Click on "OK" to confirm the settings.
In order to delete one or more SMS messages, check in the section "Existing SMS" the check box in the column "delete" in the SMS message overview. Click on "OK" to confirm the settings.
10.9.5 Configuring SNMP Trap Triggering
The MLR 3G 2.0 can trigger an SNMP trap that sends a message to any recipient on different predefined events. The MLR 3G 2.0 allows creating and managing a series of different combinations of recipient and event. The SNMP traps are described in the MIB (Management Information Base).
Triggering an SNMP trap is only possible if the settings for the SNMP traps are configured correctly in the menu "Messages" on the page "Configuration".
Configuration with the web interface
In order to enable triggering of SNMP traps, check in the menu "Messages" on the page "SNMP traps" the checkbox "Activate SNMP traps".
In order to download the private MIB, click on the link "Download private MIB".
In order to create an SNMP trap, you have to define this in the section "Create new SNMP trap". Enter the IP address or the domain name and the associated port of the recipient into the fields "IP address or domain name : Port" for this. Select from the drop-down list "Event" the respective event for triggering the SNMP trap.
Save your settings by clicking "OK".
In order to temporarily switch off SNMP traps, uncheck in the section "Existing SNMP traps" the check box in the column "active" in the SNMP trap overview. Click on "OK" to confirm the settings.
In order to delete one or more SNMP traps, check in the section "Existing SNMP traps" the check box in the column "delete" in the SNMP trap overview. Click on "OK" to confirm the settings.
10.10 Server Services
10.10.1 Setting up DNS Forwarding
You may use the MLR 3G 2.0 as DNS relay server. When the MLR 3G 2.0 is configured as DNS server at the locally connected network devices, the MLR 3G 2.0 will either forward the DNS queries to the previously configured DNS servers in the Internet, or will use the IP addresses sent during the PPP connection setup as DNS server.
Configuration with the web interface
DNS servers can be transferred to the MLR 3G 2.0 during PPP connection establishment. For the MLR 3G 2.0 to be able to forward the DNS queries to defined name servers, enter the addresses of the according name servers in the entry fields "First DNS server address" and "Second DNS server address".
Save your settings by clicking "OK".
10.10.2 Setting up the Dynamic DNS Update
The MLR 3G 2.0 can forward the IP address, which was allocated to it during the dial-in into the Internet, to a DynDNS provider, so it can be reached from the Internet with a domain name. This means that the network behind the MLR 3G 2.0 can always be reached with the same domain name from the Internet, also for dynamically allocated IP addresses (if incoming connections to the allocated IP address are not blocked). The MLR 3G 2.0 will update the IP address linked to the domain name at the DynDNS provider during each dial-up. For this function, you will need an account with a DynDNS provider.
A public IP address must also be provided by the provider for packet-based wireless connections (GPRS/EDGE/UMTS/HSDPA). Otherwise, the device cannot be accessed despite this service.
Configuration with the web interface
In order to configure the dynamic DNS update, check in the menu "Server services" on the page "Dyn. DNS update" the checkbox "Activate dynamic DNS update".
Select a DynDNS provider from the drop-down menu "DynDNS provider".
In order to define your own DynDNS server, select in the drop-down menu "DynDNS provider" the entry "Userdefined DynDNS" and enter a DynDNS server in the entry field "Userdefined DynDNS server".
Enter the domain name to be updated into the entry field "Domain name".
Enter the user name and password of your DynDNS account into the entry fields "User name" and "Password".
Save your settings by clicking "OK".
10.10.3 Setting up the DHCP Server
On request, the DHCP server of the MLR 3G 2.0 can automatically allocate an address to other devices in the LAN. These automatically allocated, dynamic IP addresses are only valid for a certain time. The validity of the IP addresses allocated by the DHCP server is controlled via the "Lease time". If there is already a DHCP server in the network in which the MLR 3G 2.0 is used, this function must absolutely be disabled in the MLR 3G 2.0.
IP addresses which are in the IP pool and for which a connection to a MAC address exists are exclusively reserved for this DHCP client. The IP address is thus not in the IP pool anymore. No IP addresses should be selected from the IP pool for these MAC/IP address connections. The pool should only be available for the DHCP clients for which no MAC address is known or is to be considered.
Configuration with the web interface
In order to setup the DHCP server, check in the menu "Server services" on the page "DHCP" the checkbox "Activate DHCP server".
Enter into the entry fields "First and last IP address" the first IP address and the last IP address of the address range, from which the DHCP server of the MLR 3G 2.0 allocates addresses in the LAN. The IP address range of the DHCP server must be located in the same network as the IP address of the MLR 3G 2.0.
Enter into the entry field "Lease Time" a validity period in seconds for the IP addresses to be allocated by the DHCP server. The default value is 3600 seconds.
In order to inform the DHCP clients about a special DNS server, enter its address into the entry field "Alternative DNS server address". If the field is empty, the local IP address of the router and the IP addresses of the firmly configured DNS servers are communicated to the clients.
Save your settings by clicking "OK".
In order to view the IP addresses allocated by the DHCP server and their "Lease Time" (validity period), use the link "Display DHCP lease times".
You can define fixed allocations in the section "Add new allocation of MAC address and IP address" in order to always allocate the same IP address to DHCP clients. For this, enter the MAC address of the respective DHCP client into the entry field "MAC address" and the IP address, to which the DHCP client is to be connected, into the field "IP address". Save the allocation by clicking "OK".
In order to delete one or more allocations, check in the section "Fixed allocation of IP addresses to MAC addresses" the checkbox in the column "delete" and then click "OK" to accept the setting.
10.10.4 Configuring the Proxy Server
The MLR 3G 2.0 provides a proxy server. This does not serve as a cache for frequently accessed websites. It is used to delay the connection timeouts for dial-up connections that load slowly (e.g. via modem) and to filter undesired URLs (e.g. www.xyz.xx).
The proxy supports the HTTP and HTTPS protocols.
Configuration with the web interface
In order to enable the proxy server of the MLR 3G 2.0, check in the menu "Server services" on the page "Proxy" the checkbox "Activate proxy server".
Enter in the entry field "Port of proxy server" the port, which you want to use to access the proxy server from the internal network at the IP address of the MLR 3G 2.0.
In order to terminate connections which seem to be inactive after a certain time, you can configure the time in seconds in the entry field "Timeout for inactive connections".
In order to avoid overloading the MLR 3G 2.0, you can restrict the number of clients which can connect to the MLR 3G 2.0 at the same time. Enter the maximum number of simultaneously authorized clients in the entry field "Maximum amount of allowed clients".
In order to increase the availability of the proxy, you can define a minimum number of proxy server processes. Enter the desired number of proxy server processes that are always running on the MLR 3G 2.0 into the entry field "Minimum amount of free proxy servers".
In order to avoid overloading the MLR 3G 2.0 with proxy requests, you can define a maximum number of proxy server processes. An individual proxy server process is started on the MLR 3G 2.0 for each client request. Enter the desired maximum number of simultaneous proxy server processes in the entry field "Maximum amount of free proxy servers" for this. If more requests are received than proxy servers are available, the additional requests are rejected.
Save your settings by clicking "OK".
10.10.5 Configuring a URL Filter
With the help of the URL filter, the proxy of the MLR 3G 2.0 can restrict possible URLs, which can be accessed by computers from the internal network of the MLR 3G 2.0. This will allow only access to URLs which are entered in the filter list. All other URLs are blocked. To allow access to the Internet only via the proxy, the firewall must be activated. Without the firewall, the access to any URLs would be possible just by bypassing the proxy.
The IP address of the proxy must be defined at the clients (e.g. a web browser on a PC), which establish connections via the proxy.
Configuration with the web interface
In order to enable the URL filter, check in the menu "Server services" on the page "Proxy" the checkbox "Activate filter".
In order to enter an allowed URL, which is accessible from the internal network, enter the desired URL in the entry field "Allowed URLs".
In order to delete a URL from the list, delete the text of the URL from the list.
Save your settings by clicking "OK".
10.10.6 Configuring IPT
The MLR 3G 2.0 also allows data transfer via an IPT channel. The MLR 3G 2.0 can act as IPT slave here.
Configuration with the web interface
In order to enable IPT, check in the menu "Server services" on the page "IPT" the checkbox "Activate IPT slave".
In order to display the current state of the IPT slave, click on the link "IPT current state".
In order to display the messages of the IPT slave, click on the link "IPT log". This helps to draw conclusions on the failure cause in case of an unsuccessful connection attempt.
In order to configure the connection to the IPT master, enter its IP address or domain name into the entry field "IP address or domain name". Enter the port on which the IPT master accepts the connection into the entry field "Port". Enter the access data for registering at the IPT master into the entry fields "User name" and "Password". These data must be entered for the primary IPT master. A secondary IPT master can be entered optionally that will be used following an unsuccessful connection attempt to the primary IPT master.
In order to specify the IPT device identifier, enter it into the entry field "IPT device identifier". By default, a combination of the string "INS" and the MAC address of the MLR 3G 2.0 is entered.
In order to increase the time between connection attempts, check the checkbox "Increase reconnection interval". In this case, the interval between the connection attempts will increase (1, 5, 15, 30, 60 minutes). Otherwise, the MLR 3G 2.0 will try to establish a connection every minute if it is interrupted.
In order to specify the maximum time between IPT request and IPT response, after which the connection to the IPT master will be disconnected and re-established, enter this time in seconds into the field "Timeout between request and response".
In order to specify the maximum time between two characters of an IPT command, after which the connection to the IPT master will be disconnected and re-established, enter this time in seconds into the field "Timeout between characters".
In order to enable scrambling of the IPT connection, check the checkbox "Use scrambling". If scrambling is used, a challenge and a fix scramble key must be specified. The fix scramble key encrypts the registration with the IPT master and the challenge scramble key is used for encryption following the successful registration. While the challenge scramble key is transferred from the slave to the master, the fix scramble key must be configured identically at the master and at the slave. Both keys have a fixed length of 32 bytes, which must be specified hexadecimally with 64 digits for the configuration.
Save your settings by clicking "OK". The IPT slave will be restarted with this. Existing IPT connections to the master or existing IPT data tunnels will be closed.
10.10.7 Configuring the SNMP Agent
The MLR 3G 2.0 provides an SNMP agent that responds to incoming SNMP Get requests. All parameters that exist in the ASCII configuration file can be read via SNMP Get requests (except user name and password of the web interface authentication). These parameters are described in the MIB (Management Information Base).
Configuration with the web interface
In order to enable the SNMP agent, check in the menu "Server services" on the page "SNMP agent" the checkbox "Activate SNMP agent".
In order to download the private MIB, click on the link "Download private MIB".
In order to permit SNMP Get requests only from the local network and send responses only to the local network, check the checkbox "Exclusively allow SNMP local".
In order to specify the port, on which the SNMP agent receives UDP messages, enter the port into the field "Port".
In order to specify contact information for the SNMP agent, you can enter this into the field "Contact information".
In order to specify a description for the SNMP agent, you can enter this into the field "description".
In order to use the SNMP agent, you must specify and configure the SNMP versions to be used. In order to use SNMP v1 or SNMP v2c, check the checkbox "Use SNMP v1/v2c" and enter the community string into the field "Community". In order to use SNMP v3, check the checkbox "Use SNMP v3" and enter the SNMP user name into the field "User name". In order to use an SNMP v3 authentication, select the authentication method in the drop-down list field "Authentication" and enter the password for the authentication (at least 8 characters) into the respective field. In order to use an SNMP v3 encryption, select the encryption method in the drop-down list field "Encryption" and enter the password for the encryption (at least 8 characters) into the respective field. Authentication is a precondition for encryption.
Save your settings by clicking "OK".
10.11 System Configuration
The MLR 3G 2.0 displays system data such as firmware version, serial number, hardware revision or firmware checksum, together with short system messages about events and errors in the menu "System" on the page "System data". This information is helpful and should be known together with the configured IP address if you contact the support. Furthermore, several links enable displaying system states and connection logs. The displayed links depend on the configuration of the MLR 3G 2.0.
10.11.1 Displaying the System Log
The MLR 3G 2.0 allows displaying the detailed system log in the menu "System" on the page "System data". The number of displayed lines and the update interval can be configured.
Configuration with the web interface
In order to view the detailed system messages via the web interface, click on the link "Show the extensive system log".
In order to configure the display of the system log, enter on the page "System log" into the field "Refresh after" the update interval of the log in seconds as well as into the field "show last … lines" the number of lines to be displayed and select "OK".
10.11.2 Displaying the Last System Messages
The MLR 3G 2.0 displays short system messages about events and errors in the menu "System" on the page "System data". For analysis purposes, you can display the last messages of the MLR 3G 2.0 on the web interface.
Configuration with the web interface
In order to display the last system messages of the MLR 3G 2.0, click on the link "Show the last system messages".
10.11.3 Configuring Time and Time Zone
The MLR 3G 2.0 has an internal clock to control time-controlled events. This clock must be set to ensure that time-controlled events are processed precisely at the desired time, and that system messages are dated correctly. The clock of the MLR 3G 2.0 can be updated automatically via an NTP server from the Internet. During each connection setup, the MLR 3G 2.0 will attempt to synchronize the time from the specified NTP server. In contrast to the time, the time zone must be manually adjusted to the location of the MLR 3G 2.0.
Configuration with the web interface
In order to configure time and date, enter in the menu "System" on the page "Time" the values for day, month, year, hour and minutes in the entry fields "DD MM YYYY hh mm".
Configure the time zone of the location of the MLR 3G 2.0 by selecting this from the drop-down menu "Timezone".
In order to synchronise time and date via NTP server, check the checkbox "Clock synchronisation with" and enter the name of an NTP server or its IP address into the entry field.
In order to synchronise time and date daily at a certain time via NTP server, check the checkbox "Additionally every day at" and enter the time for the daily synchronisation into the entry field.
In order to synchronise time and date immediately via NTP server, check the checkbox "Update time now". Then, the MLR 3G 2.0 will try to connect to the NTP server to synchronize the time once when the settings are saved. This enables checking the NTP server settings immediately.
Save your settings by clicking "OK".
10.11.4 Resetting the Device
You can reset the MLR 3G 2.0 via the web interface or by pressing the reset key on the front of the device. You can simply restart your device or reset all settings to the factory defaults. You can initiate a software reset by shortly pressing the reset key once. A hardware reset of the MLR 3G 2.0 can be initiated by pressing it for at least three seconds. A restart will be performed in both cases. Pressing the reset key three times for a short time within two seconds loads the factory defaults of the MLR 3G 2.0.
Configuration with the web interface
In order to restart the MLR 3G 2.0, select in the menu "System" on the page "Reset" the radio button "Reset". Click on "OK" to perform the restart.
In order to restart the MLR 3G 2.0 and load the factory defaults, select in the menu "System" on the page "Reset" the radio button "Load default configuration and reset". Click on "OK" to perform the restart and reset the MLR 3G 2.0 to factory defaults.
In order to configure a daily restart at a certain time, check the checkbox "Daily reset at" and enter the time for the daily reset into the entry field.
Save your settings by clicking "OK".
10.11.5 Update
You can update the MLR 3G 2.0 with a new firmware or a new configuration using the web interface. A detailed description about these processes can be found in the following sections "Updating the Firmware" and "Uploading the Configuration File" of this manual.
Moreover, the MLR 3G 2.0 allows a daily automatic update of firmware files, configuration files (binary and ASCII) or sandbox image files. These must be provided on a server accordingly for this.
Configuration with the web interface
In order to enable the automatic update, check in the "System" menu on the "Update" page the checkbox "Activate automatic daily update".
In order to select the file transmission protocol, select the radio button "HTTP" or "FTP".
In order to specify the storage location of the update files, enter the IP address or the domain name of the server into the "Server" field and the respective port into the "Port" field. It is also possible to specify sub-directories of the server that are to be searched for the files.
In order to define a fixed, MAC-dependent time for the daily update, select under "Update time" the radio button "depending on MAC".
In order to define a user-defined time for the daily update, select under "Update time" the radio button "fix" and enter the time for the update.
If the file access is to be protected by an authentication, enter the respective access data into the fields "User name" and "Password".
In order to initiate the automatic update immediately, check the checkbox "Search for updates now".
Save your settings by clicking "OK".
In order to upload a firmware or configuration file (binary or ASCII), click in the section "Manual update" on the "Browse..." button. Then, select in the "Upload file" window the desired image file on the respective data carrier and click on the "Open" button. Click on "OK" then to upload the file.
10.11.6 Updating the Firmware
You can update the firmware of the MLR 3G 2.0. The firmware is a combination of operating system and programs, in which the functions of the MLR 3G 2.0 are implemented. To update the firmware, you will need a file with a new firmware, which you can obtain from your sales partner or from INSYS MICROELECTRONICS. For extensive updates, you may receive two files.
Note
Function loss due to faulty update!
A connection failure during the update and a following restart may cause a loss of function of the MLR 3G 2.0.
As long as the red LED at the MLR 3G 2.0 is illuminated, you are not permitted to perform any actions at the web interface, you must not pull the power plug and you must not perform a reset.
After a failed update, do not restart the MLR 3G 2.0; contact the support of INSYS MICROELECTRONICS.
Note
Loss of availability!
Through a firmware update, your MLR 3G 2.0 may lose its previous configuration. Your MLR 3G 2.0 can then only be accessed from the local network via its standard IP address 192.168.1.1.
Perform critical updates only on site and contact the support of INSYS MICROELECTRONICS.
Complete update of the firmware of the MLR 3G 2.0
The following steps must be performed to update the firmware of an MLR 3G 2.0.
You have access to the web interface. If you access the web interface of the MLR 3G 2.0 via a dial-up connection, the connection must be maintained long enough to perform the uploads. The option "Maximum connect-time" should be set to "0" for the update, as should the "Idle time".
You have ensured that the power supply of the MLR 3G 2.0 cannot be switched off during the update procedure.
You have the firmware file with the name "system_<rev>" and, if required, the file "data_<rev>". The file(s) can be located on the PC from which you want to perform the update.
1. In the menu "System", switch to the page "Update".
2. Click on Browse... in the "Manual update" section and select the file "system_<rev>".
3. Click on OK to start the update.
A page with a security query is displayed. Compare the displayed MD5 checksum with the MD5 checksum of the file (e.g. using the md5sum.exe tool). If they match, the file has been transferred correctly and you can proceed with the update. The time until the file is completely transmitted to the MLR 3G 2.0 varies, depending on the firmware size.
4. Confirm the query with Yes.
The update process starts. The browser waits. During the update, the Status/VPN LED at the MLR 3G 2.0 lights up red. After the completed update, a page is displayed which confirms the successful update procedure. Do not perform any action at the web interface until this page is displayed.
5. If you have also received the file "data_<rev>", proceed with the second file "data_<rev>" as with the first file, without performing a restart. Repeat the steps from step 1. An automatic restart takes place following the upload.
6. If you have only received the file "system_<rev>", change in the "System" menu to the "Reset" page, select "Reset" and click on OK.
The new firmware is now active.
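The checksum comparison in step 3 can be scripted so that the value shown on the device's query page is checked against the local file before the query is confirmed. The following is an added example, not part of this manual or of INSYS's software; the file name "system_demo" and the checksum strings in it are constructed. Note that this MD5 comparison only confirms that the file reached the MLR 3G 2.0 intact; it says nothing about where the file came from, so obtain firmware only from your sales partner or INSYS MICROELECTRONICS as described above.

```python
"""Check a firmware file against the MD5 checksum shown on the update query page.

Added example (not INSYS software). The demo file and checksums are constructed.
"""
import hashlib
import hmac
import os
import tempfile

HEX_DIGITS = set("0123456789abcdef")


def md5_of_file(path, chunk_size=1 << 20):
    """Hex MD5 of a file, read in chunks so a large image is not loaded at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_md5_hex(text):
    """True if text (after trimming whitespace and quotes) is a 32-character hex string."""
    cleaned = text.strip().strip('"').lower()
    return len(cleaned) == 32 and set(cleaned) <= HEX_DIGITS


def normalize_md5(text):
    """Lower-case and trim a checksum copied from the browser; reject anything else,
    so a pasted fragment can never 'match' by accident."""
    if not is_md5_hex(text):
        raise ValueError(f"not an MD5 hex digest: {text!r}")
    return text.strip().strip('"').lower()


def checksums_match(local_path, displayed):
    """Compare the local file's MD5 with the value displayed by the MLR 3G 2.0."""
    return hmac.compare_digest(md5_of_file(local_path), normalize_md5(displayed))


def verify_update_files(files):
    """files maps local path -> checksum shown by the device; returns path -> bool.
    Lets system_<rev> and data_<rev> be checked together before either is confirmed."""
    return {path: checksums_match(path, shown) for path, shown in files.items()}


def demo():
    """Constructed demonstration: a fake 'system_demo' file containing the bytes b'abc',
    whose MD5 is 900150983cd24fb0d6963f7d28e17f72, checked against a right and a wrong value."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "system_demo")
        with open(path, "wb") as fh:
            fh.write(b"abc")
        result = verify_update_files({path: " 900150983CD24FB0D6963F7D28E17F72 "})
        good = result[path]
        bad = checksums_match(path, "0" * 32)
    return good, bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Run it with the real file paths in place of the demo file; only confirm the query with Yes when every entry of the returned dictionary is True.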
Note
Disabling the sandbox!
If a firmware update is performed, any running sandbox is disabled beforehand.
Take into account for your application that a running sandbox will be disabled when a firmware update is performed.
10.11.7 Uploading the Configuration File
You may upload a previously downloaded or edited configuration file to the MLR 3G 2.0, to replace the current configuration of the MLR 3G 2.0 by the settings in the file.
Uploading the Configuration File of the MLR 3G 2.0
You have a configuration file for your version of the MLR 3G 2.0.
1. Change in the web interface of the MLR 3G 2.0 in the menu "System" to the page "Update".
2. Click on Browse... in the "Manual update" section and select the configuration file (e.g. configuration.bin).
3. Click on OK to start the upload.
A page with a security query is displayed.
4. Confirm the query with Yes.
The upload process of the configuration starts. After the completed upload, a page is displayed which confirms the successful update procedure.
5. In the menu "System", switch to the page "Reset", select "Reset" and click on OK.
The new configuration is now active.
10.11.8 Download
You can download the configuration file of the MLR 3G 2.0 via the web interface. With this file, you can configure other, identical devices, or safely store a working configuration.
Moreover, it is possible to download an ASCII text file of the configuration or an "empty" configuration file (ASCII template). A description of the ASCII configuration file can be found in the respective add-on manual.
The MLR 3G 2.0 also allows the different log files to be downloaded. Different log files are available on the MLR 3G 2.0 depending on the version. The current log file is always available for download. If this log file exceeds a size of 1 MByte, it will be provided with a timestamp and saved as a bzip2-compressed archive file. Up to four of the last archive files are available for download.
Configuration with the web interface
In order to download the binary configuration file of the MLR 3G 2.0, click in the "System" menu on the "Download" page on the link "Binary". The name of the last uploaded configuration file is also displayed in the link. The browser will prompt you to save the file.
In order to download the ASCII configuration file of the MLR 3G 2.0, click on the link "ASCII". The browser will prompt you to save the file.
In order to download an empty ASCII configuration file of the MLR 3G 2.0, click on the link "ASCII template". The browser will prompt you to save the file.
In order to download the log files of the MLR 3G 2.0, right-click on the respective link and select in the context menu "Save target as…". Then, specify the desired storage location and select the "Save" button.
10.11.9 Sandbox
The MLR 3G 2.0 provides a freely programmable sandbox. The sandbox is a kind of virtual machine, which runs on the MLR 3G 2.0. It is possible to start programs, collect data and offer services in the sandbox, which do not exist in the system of the actual MLR 3G 2.0.
If the sandbox is enabled and the serial interface is additionally reserved for the sandbox, the sandbox has priority, i.e. the redundant communication device and the serial Ethernet gateway are disabled.
Configuration with the web interface
In order to enable the sandbox, check in the menu "System" on the page "Sandbox" the checkbox "Activate sandbox".
In order to configure the password for the user "user", enter the desired password into the field "New password" (the default password is "user"). The user name itself cannot be changed. Only the characters 0 to 9, a to z, A to Z and the special characters ! " # $ % : ' ( ) * + , - . / ; < = > ? @ [ ] \ ^ _ { } | ~ are permissible. The ampersand "&" is not permissible.
The file name of the currently stored sandbox image is indicated behind "Stored sandbox image:" together with its MD5 checksum.
The file name of the currently installed sandbox image is indicated behind "Installed sandbox image:" together with its MD5 checksum.
In order to install a stored sandbox image, the checkbox "Install stored sandbox image" must be checked. The image will then be installed after storing the settings with "OK".
If an installed sandbox image cannot be started any more (for example because important files have been deleted unintentionally), a re-installation of the default image can recover the original state of the sandbox.
In order to reserve the RS232 interface for the sandbox, the checkbox "Reserve RS232 interface for sandbox" must be checked. In this case, the functions of the MLR 3G 2.0, which would also use the serial interface (e.g. serial Ethernet Gateway), will be disabled automatically, because the serial interface can only be assigned to one task exclusively.
In order to upload a new sandbox image, click in the section "Upload new sandbox image" on the "Browse..." button. Then, select in the "Upload file" window the desired image file on the respective data carrier and click on the "Open" button. Click on "OK" then to upload the file.
Save your settings by clicking "OK".
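Because the sandbox password's character set is restricted exactly as listed above and the factory default "user" is documented, it is worth checking a candidate password (or generating one) against that set before entering it. The following is an added example, not from the manual or the INSYS firmware; the permitted characters are taken from the section above, while the minimum length of 12 characters and the three-character-class rule are policy assumptions of this example, not requirements of the device.

```python
"""Check and generate passwords for the MLR 3G 2.0 sandbox user "user".

Added example: the permitted character set is taken from the manual; the length
and character-class rules below are this example's own policy assumptions.
"""
import secrets
import string

# Special characters listed as permissible by the manual. Compared with
# string.punctuation, the ampersand (explicitly forbidden) and the backtick
# (not in the manual's list) are missing.
SPECIALS = '!"#$%:\'()*+,-./;<=>?@[]\\^_{}|~'
ALLOWED = frozenset(string.ascii_letters + string.digits + SPECIALS)
FACTORY_DEFAULT = "user"   # documented default password, must be changed


def validate_sandbox_password(pw, min_len=12):
    """Return a list of problems with the candidate password; an empty list means OK.

    min_len and the three-class rule are assumptions of this example, not
    requirements stated by the device.
    """
    problems = []
    disallowed = sorted({c for c in pw if c not in ALLOWED})
    if disallowed:
        problems.append("disallowed characters: " + "".join(disallowed))
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if pw == FACTORY_DEFAULT:
        problems.append("factory default password must be changed")
    classes = (
        any(c.isdigit() for c in pw),
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c in SPECIALS for c in pw),
    )
    if sum(classes) < 3:
        problems.append("use at least three of: digits, lower case, upper case, specials")
    return problems


def generate_sandbox_password(length=20):
    """Draw a password from the permitted set with the OS CSPRNG and return it
    once it satisfies validate_sandbox_password (almost always on the first try)."""
    alphabet = "".join(sorted(ALLOWED))
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not validate_sandbox_password(pw):
            return pw


if __name__ == "__main__":
    print(validate_sandbox_password("user"))
    print(generate_sandbox_password())
```

A generated password contains only characters the "New password" field accepts, so it can be pasted into the web interface as is.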
10.11.10 Debugging
The MLR 3G 2.0 offers several tools for analysing problems with network connections.
The "PING" tool sends ICMP pings (ping packets). This allows you to easily test whether a specific machine is reachable in the network. The "TRACEROUTE" tool shows the route of an IP packet to its destination. The "DNS LOOKUP" tool queries DNS information for an IP address or a domain name. The "TCPDUMP" tool records network packets.
Configuration with the web interface
In order to send a ping packet, select in the menu "System" on the page "Debugging" the tool "PING" in the drop-down list field, enter the IP address or the domain name to which you want to send the ping packet into the field "Parameter" and click on "OK". Optionally, you may enter additional parameters before it, for example -s 300 (sends 300 bytes as payload in the ICMP ping) or -c 3 (sends 3 consecutive pings). The reply will be displayed at the bottom of the page.
In order to trace the route of an IP packet, select in the menu "System" on the page "Debugging" the tool "TRACEROUTE" in the drop-down list field, enter the IP address or the domain name to which you want to send the IP packet into the field "Parameter" and click on "OK". Optionally, you may increase the standard number of 3 hops, for example to 5 hops, by entering the parameter "-m 5" before it. The reply will be displayed at the bottom of the page.
In order to query DNS information, select in the menu "System" on the page "Debugging" the tool "DNS LOOKUP" in the drop-down list field, enter the IP address or domain name to be queried into the field "Parameter" and click on "OK". If no DNS server has been configured or assigned by an external provider or router, this query may take up to 40 seconds.
In order to start recording network packets, select in the menu "System" on the page "Debugging" the tool "TCPDUMP" in the drop-down list field, specify at least the network device using the parameter "-i" in the field "Parameter" (e.g. "-i br0" for the LAN interface) and click on "OK". The available network devices can be identified by selecting the link "Show current system state" in the menu "System" on the page "System data". After starting, the recording will continue until it is stopped manually or has reached a size of 1 MB. The recording will be displayed immediately after stopping and can be downloaded as a file using the link "TCPDUMP recording" that will then be displayed. It can be viewed on an external machine using "tcpdump" or "wireshark".
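The manual only says the recording can be viewed with tcpdump or wireshark; this added example (not INSYS's code) assumes the downloaded file is the classic pcap format that tcpdump writes, and parses it with the Python standard library alone to count IPv4 flows per protocol and endpoint pair, a first triage step when a capture from the device has to be read where no sniffer is installed. Truncated records raise an error instead of being dropped silently, which matters for a capture stopped at the 1 MB limit. The inline sample capture is constructed; its MAC and IP addresses are made up.

```python
"""Read a tcpdump/pcap recording downloaded from the Debugging page and count IPv4 flows.

Added example, not part of the manual or the device software. Assumes the download is
the classic pcap format that tcpdump writes with -w; the sample capture is constructed.
"""
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IP_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_pcap(data):
    """Return (linktype, [(timestamp, original_length, frame), ...]).
    Both byte orders are accepted; truncated records raise ValueError."""
    if len(data) < 24:
        raise ValueError("too short for a pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:           # same magic, file written big-endian
        endian = ">"
    else:
        raise ValueError("not a pcap file (magic 0x%08x)" % magic)
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    packets, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) != incl_len:
            raise ValueError("truncated packet data at offset %d" % off)
        off += incl_len
        packets.append((ts_sec + ts_usec / 1_000_000, orig_len, frame))
    return linktype, packets


def ipv4_flow(frame):
    """(proto, src, dst) for an Ethernet II + IPv4 frame, None for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    proto = IP_PROTO_NAMES.get(ip[9], str(ip[9]))
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return proto, src, dst


def summarize(data):
    """Count packets per (proto, src, dst) flow in a pcap blob (Ethernet captures only)."""
    linktype, packets = parse_pcap(data)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only the Ethernet link type is handled, got %d" % linktype)
    counts = Counter()
    for _, _, frame in packets:
        flow = ipv4_flow(frame)
        if flow is not None:
            counts[flow] += 1
    return counts


# --- constructed sample capture (made-up MAC and private IP addresses) ---
def _eth_ipv4(src, dst, proto, payload_len=8):
    """Minimal Ethernet + IPv4 frame; the IP checksum is left at zero on purpose."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                     bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    return eth + ip + b"\x00" * payload_len


def build_pcap(frames):
    """Serialize frames as a little-endian pcap file (used here only to build test data)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1300000000 + i, 0, len(frame), len(frame)) + frame
    return bytes(out)


SAMPLE_PCAP = build_pcap([
    _eth_ipv4("192.168.1.100", "192.168.1.1", 1),   # ICMP echo to the router
    _eth_ipv4("192.168.1.1", "192.168.1.100", 1),   # ICMP reply
    _eth_ipv4("192.168.1.100", "192.168.1.1", 6),   # two TCP segments
    _eth_ipv4("192.168.1.100", "192.168.1.1", 6),
])

if __name__ == "__main__":
    for flow, n in summarize(SAMPLE_PCAP).most_common():
        print(n, *flow)
```

To use it on a real download, read the file in binary mode and pass its bytes to summarize(); frames that are not Ethernet/IPv4 (ARP, IPv6, VLAN-tagged traffic) are simply not counted by ipv4_flow().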
11 Waste Disposal
11.1 Repurchasing of Legacy Systems
According to the new WEEE guidelines, the repurchasing and recycling of legacy systems for our clients is regulated as follows:
Please send those legacy systems to the following address, carriage prepaid:
Frankenberg-Metalle Gaertnersleite 8 D-96450 Coburg
Germany
This regulation applies to all devices which were delivered after August 13, 2005.
12 Declaration of Conformity
This device complies with the requirements set out in the Council Directive on the Approximation of the Laws of the Member States relating to Electromagnetic Compatibility 2004/108/EC and the Council Directive relating to Low Voltage 2006/95/EC as well as the Council Directive R&TTE 1999/5/EC.
We will gladly send you a copy of the declaration of conformity on request.
13 Export Regulation
US American export regulations apply to the chip sets used by INSYS Microelectronics GmbH for analogue modems and cellular radio adapters according to ECCN classification 5A991.
At the time of publication of this document, it is thus not allowed to export these communication devices to any of the following countries: Cuba, Libya, North Korea, Iran, and Syria.
The latest list of countries can be found in the section “Country Group E” of the document http://origin.www.gpo.gov/bis/ear/pdf/740spir.pdf. Address the US federal authorities for an exception from this export regulation.
We explicitly point out that the US export regulations take effect in Germany as well. US authorities may, among other things, prohibit American companies from trading with foreign offenders of the ECCN rules.
Note
Export restriction!
Possible offense against export regulations.
This device is subject to the War Weapons Control Act because of its encryption technology and dual use character. Thus, it requires the permission of the Federal Office of Economics and Export Control when being exported out of the EU boundaries.
14 Licenses
The software technologies and programs of the firmware used in the MLR 3G 2.0 are partly bound to the following licenses. The source code of the firmware components of the MLR 3G 2.0 which are bound to these licenses may be obtained from INSYS MICROELECTRONICS on request.
14.1 GNU GENERAL PUBLIC LICENSE
Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too.
When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and modification follow.
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.
c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.
In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.
7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.
It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.
Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.
10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
14.2 GNU LIBRARY GENERAL PUBLIC LICENSE
Version 2, June 1991 Copyright (C) 1991 Free Software Foundation, Inc. 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
[This is the first released version of the library GPL. It is numbered 2 because it goes with version 2 of the ordinary GPL.]
Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users.
This license, the Library General Public License, applies to some specially designated Free Software Foundation software, and to any other libraries whose authors decide to use it. You can use it for your libraries, too.
When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library, or if you modify it.
For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipi­ents all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link a program with the library, you must provide complete object files to the recipients so that they can relink them with the library, after making changes to the library and recompiling it. And you must show them these terms so they know their rights.
Our method of protecting your rights has two steps: (1) copyright the library, and (2) offer you this licen se which gives you legal permission to copy, distribute and/or modify the library.
Also, for each distributor's protection, we want to make certain that everyone understands that there is no warranty for this free library. If the library is modified by someone else and passed on, we want its recipi­ents to know that what they have is not the original version, so that any problems introduced by others will not reflect on the original authors' reputations.
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that companies distributing free software will individually obtain patent licenses, thus in effect transforming
97
Licenses MLR 3G 2.0
the program into proprietary software. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.
Most GNU software, including some libraries, is covered by the ordinary GNU General Public License, which was designed for utility programs. This license, the GNU Library General Public License, applies to certain designated libraries. This license is quite different from the ordinary one; be sure to read it in full, and don't assume that anything in it is the same as in the ordinary license.
The reason we have a separate public license for some libraries is that they blur the distinction we usually make between modifying or adding to a program and simply using it. Linking a program with a library, without changing the library, is in some sense simply using the library, and is analogous to running a utility program or application program. However, in a textual and legal sense, the linked executable is a combined work, a derivative of the original library, and the ordinary General Public License treats it as such.
Because of this blurred distinction, using the ordinary General Public License for libraries did not effectively promote software sharing, because most developers did not use the libraries. We concluded that weaker conditions might promote sharing better.
However, unrestricted linking of non-free programs would deprive the users of those programs of all benefit from the free status of the libraries themselves. This Library General Public License is intended to permit developers of non-free programs to use free libraries, while preserving your freedom as a user of such programs to change the free libraries that are incorporated in them. (We have not seen how to achieve this as regards changes in header files, but we have achieved it as regards changes in the actual functions of the Library.) The hope is that this will lead to faster development of free libraries.
The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, while the latter only works together with the library.
Note that it is possible for a library to be covered by the ordinary General Public License rather than by this special one.
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License Agreement applies to any software library which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Library General Public License (also called "this License"). Each licensee is addressed as "you".
A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables.
The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)
"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library.
Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does.
1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library.
You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
a) The modified work must itself be a software library.
b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.
c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.
d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful. (For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.)
These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library.
In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices.
Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.
This option is useful when you wish to copy part of the code of the Library into a program that is not a library.
4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.
If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.
5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.
However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.
When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.)
Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.
6. As an exception to the Sections above, you may also compile or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.
You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:
a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)
b) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.
c) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.
d) Verify that the user has already received a copy of these materials or that you have already sent this user a copy.
For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.
It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.
7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:
a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.
b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.
8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any