Weidmuller IE-SR-2GT-LAN, IE-SR-2GT-UMTS/3G User Manual

Industrial Security Router / Firewall
IE-SR-2GT-LAN
IE-SR-2GT-UMTS/3G
Manual
Version 1.2.4
September 2013
This document will be continuously updated and completed step by step.
This version refers to Router firmware version 2.3.1 and above.
You may download a new version from the Weidmüller web site using the following path:
1. Open http://www.weidmueller.com/IE
2. Select section "Industrial Ethernet" → "Documents"
3. Select category "Manuals"
4. Download "Manual_IE-SR-2GT-LAN-3G-UMTS_EN_Vx_yy.pdf"
The software described in this manual is furnished under a license agreement and may be used only in accordance with the terms of that agreement.
Copyright Notice
Copyright 2013 Weidmüller Interface GmbH & Co. KG
All rights reserved.
Reproduction without permission is prohibited.
Disclaimer
Information in this document is subject to change without notice and does not represent a commitment on the part of Weidmüller.
Weidmüller provides this document "as is," without warranty of any kind, either expressed or implied, including, but not limited to, its particular purpose. Weidmüller reserves the right to make improvements and/or changes to this manual, or to the products and/or the programs described in this manual, at any time.
Information provided in this manual is intended to be accurate and reliable. However, Weidmüller assumes no responsibility for its use, or for any infringements on the rights of third parties that may result from its use.
This product might include unintentional technical or typographical errors. Changes are periodically made to the information herein to correct such errors, and these changes are incorporated into new editions of the publication.
Contact Information
Weidmüller Interface GmbH & Co. KG
PO box 3030
32760 Detmold
Klingenbergstrasse 16
32758 Detmold
Germany
Phone +49 (0) 5231 14-0
Fax +49 (0) 5231 14-2083
E-Mail info@weidmueller.com
Internet www.weidmueller.com
Copyright © 2013 Weidmüller Interface GmbH & Co. KG 2 / 103
All rights reserved. Reproduction without permission is prohibited.
Table of Contents
Industrial Security Router / Firewall
1. Introduction
   Proper and intended usage
2. Package Checklist
3. Safety instructions
4. Mounting the device
5. Technical data
6. Hardware related functional descriptions
   Pin assignment of power supply connector
   Pin assignment of RJ45 Ethernet ports (LAN and WAN)
   Pin assignment of 4-pin connector for "VPN initiate" and "VPN active"
   Pin assignment of 4-pin connector for "Cut WAN port" and "Signalize Alarm"
   Pin assignment of USB 2.0 connector
   Pin assignment of Smartcard Reader (ISO 7816 Standard)
7. Initial start-up / Getting Started
   Configuration of the Router by using an Internet browser
   Starting the Web interface
8. Reset to factory default settings by external push button
   Default factory settings of the Router
9. Using the Weidmüller Router-Search-Utility
10. Basic description of the configuration interface (menu items)
   Section Diagnostics
   Section Configuration
   Section System
   Section Informations
11. Explanation of the menu items of web interface in chronological order
A. Application scenarios (Use cases) for Routing, NAT and Firewalling
   A1 - Configuring the Router to connect 2 networks with different IP address ranges
   A2 - Connecting 2 Ethernet networks with activated NAT masquerading and using IP address forwarding
   A3 - Configuring the Router to connect 2 networks with different IP address ranges and additional firewall rules
   A4 - Connecting 2 Ethernet networks with the same IP address range to another network using 1:1 NAT address translation
   A5 - Using dynamic IP routing as an alternative for manually configuring static routes
B. Application scenarios (Use cases) for VPN (Virtual private networks)
   B1 - OpenVPN based remote access application via "Meeting Point"
      Description of a remote access application to allow a communication between protected, not directly accessible machine networks and remote Service-PC's by using a public OpenVPN-Server as "Meeting-Point"
   B2 - Configuring an OpenVPN remote access scenario using a Weidmüller Router as OpenVPN-Server
   B3 - Configuring an IPsec scenario between 2 Routers (Client and Server)
C. Additional application notes
   C1 - How to start and stop a pre-defined OpenVPN connection by external 24 VDC input
   C2 - Description how to disable the Ethernet connection at WAN port
   C3 - Description how to use the feature "Remote Capture" with Wireshark to analyze the LAN/WAN traffic of the Router
   C4 - Description how to configure the Internet access of a PC via a 3G Router
1. Introduction
Proper and intended usage
The Router is intended for use in industrial (IP20) environments. It is equipped with Ethernet interface ports and is used solely for connecting components within a network.
By connecting network components, the Router enables network nodes to exchange data. The Router also allows an industrial IP network to access the Internet via an external DSL modem (via PPPoE). The Router is responsible for routing IP packets between an industrial network and an external network (such as the Internet). Internet access is automatically activated when needed. The Router can be configured on-site using an IP network on both Ethernet ports (LAN or WAN).
The Router implements extensive security standards to enable different networks to work together smoothly.
Additionally, VPN (virtual private network) connections can be used to connect the Router as a VPN client or a VPN server with other VPN devices.
2. Package Checklist
Models IE-SR-2GT-LAN and IE-SR-2GT-UMTS/3G
- 1 x Industrial Security Router (IE-SR-2GT-LAN or IE-SR-2GT-UMTS/3G)
- 1 x 3-pin connector for power supply
- 2 x 4-pin connectors for special digital inputs and output signals (Alarm, CUT, VPN)
- 1 x Ethernet cable (length 1 m, color red)
- 1 x Hardware Installation Guide
Additional for model IE-SR-2GT-UMTS/3G (with an additional 3G modem)
- 1 x antenna for mobile connection
If any of these items are missing or damaged, please contact your customer service representative for assistance.
3. Safety instructions
Warning
- Using the selected device for purposes other than those specified or failure to observe the operating instructions and warning notes can lead to serious malfunctions that may result in personal injury or damage to property.
- If this product malfunctions, it is no longer possible to predict the behaviour of neighbouring networked facilities and their connected devices. Personal injury and property damage can occur as a result of malfunctions. Only carry out changes to the settings when you are certain of the consequences such changes will have on all connected networks, facilities and devices.
- Personal injury and property damage can occur as a result if this product is used improperly. Adjustments and setting changes to this product should only be carried out by sufficiently qualified personnel.
Caution
- This device is designed only for an operating voltage range from 7 to 36 V DC. Do not use a higher voltage; this could destroy the Router and other devices.
- The Security Router does not have an on/off switch. The operating voltage must be switched on by the facility in which the device is integrated.
Caution
You should activate and synchronise the time server or set the system time manually if you are using certificates in virtual private networks (VPNs) or simple network management protocol (SNMP). An inaccuracy in the system time can cause the virtual private network (VPN) to malfunction.
You should synchronise the system time with a time server after each Router reboot and after you load the default settings. Or you can set the system time manually.
Caution
- The default system access information for the Security Router is included in this document. Unauthorized individuals can use this access data to gain access to the Router's web interface and cause damage. Be sure to change these system default access settings.
- Some services may be blocked by a firewall. You may need to deactivate the firewall. By deactivating the firewall, the PC is no longer protected against viruses or other attacks. Only deactivate the firewall when your PC is sufficiently protected by other measures.
- A single port can only properly execute one service. If multiple services are assigned to a port, the port can no longer execute any service. Be sure to assign only one service to any port.
Caution
- This device is designed only for an operating voltage range from +7 to 36 VDC. Do not use a higher voltage; this could destroy the Router and other devices.
- Connecting plugs should never be connected or disconnected from electrical devices if they are carrying a live load. Be sure to first disconnect all poles of the plug. Remember to disconnect all plugs from the Router before it is installed or removed.
- Electrical devices should not be installed or removed during operations. Never install or remove the Router while it is running.
Caution
- It is important to provide sufficient clearance between devices which cause strong electromagnetic interference (such as frequency converters, transformers or motor regulators). The clearance gap between such devices and the Router should be as wide as possible. The Router can be further shielded by using a mu-metal partition.
- The Router is designed to be mounted on a top-hat rail that is compliant with the EN 50022 standard. This Router will not have a secure mount if any other type of rail is used. Use a top-hat rail that complies with the EN 50022 standard. Be sure to observe the mounting information provided by the manufacturer.
Note
- A minimum gap of 2 inches (5 cm) should be kept between the Router and neighbouring devices at the top and bottom. This will ensure that the Router is sufficiently ventilated and prevent induction from developing.
- The top-hat rail should be located in a horizontal position along the vertical rear wall of the electrical cabinet. This ensures that the Router can be adequately ventilated from below to above.
Note
- The IP protocol reserves certain IP address ranges for special purposes (such as multicasting). Do not assign IP addresses in the range from 127.0.0.0 – 127.255.255.255 or 224.0.0.0 – 255.255.255.255.
- This device is intended for use in applications as described in the operating instructions only. Using this device in non-approved applications will lead immediately to the expiration of all guarantee and warranty claims on the part of the operator against the manufacturer.
4. Mounting the device
DIN-rail mounting:
Insert the top of the DIN-rail clip behind the upper edge of the DIN-rail (1). Then open the latch at the bottom of the device by using a flat-bladed screwdriver and fix the device on the DIN-rail by gently pressing on the bottom (2).
To remove the Router from the DIN-rail, simply reverse the steps described above.
5. Technical data
Operation mode
- IP-Router: Static or dynamic routing according to RIPv2 or OSPF protocol
- Transparent Bridge: 2-Port-Switch with additional Layer-2 filter
Network Services
- DHCP Server / DHCP Relay
- DNS-Relay
- NTP-Client
- DynDNS (DHCP-Client according to RFC 2136)
Firewall
- IPv4 Stateful inspection Firewall
- NAT-Masquerading, 1:1 NAT, Portforwarding
- Layer-2/3-Filter (VLAN ID, VLAN QoS Tag, MAC address based, Ethertype Frame)
- "Auto-Learning" function to create new packet filter rules (analysis of the network traffic)
- Layer 2/3 packet prioritization (Ethernet Frame, IP Header, VLAN Tag)
VPN
OpenVPN
- Configurable as OpenVPN server or client (Layer 2 and Layer 3)
- Authentication with X.509 certificates
- Tunnel support via HTTP-Proxy
- A maximum of 10 different server configurations
- Unlimited number of client connections in server mode
IPsec
- Can be configured as an IPsec server or client
- Authentication with PSK (user ID, password) or X.509 certificates
- Hardware encryption for faster data flow rate
- A maximum of 64 simultaneous connections (subnet with subnet or as IPsec server)
- Encryption algorithms DES-56, 3DES-168, AES 128, AES 192, AES-256
Management
- Configuration with web interface (HTTP/HTTPS)
- Web interface selectable in English or German language
- Configuration support through detailed help information (tooltip)
- Configurable multi-user access with definable rights
- Support for SNMP v1/v3/v3
- Event log / syslog
Other features
Modbus/TCP
The Modbus/TCP interface enables the control of the Router by a PLC. The following functions are mapped to the registers:
- Cut & Alarm, status request & acknowledgment
- IPsec, on/off switchable generally
- OpenVPN, separate status request and activation / deactivation of the 10 possible OpenVPN connections
Diagnosis
- "Remote Capture" feature for network diagnostics via a connected PC (Wireshark)
Monitoring
- Client monitoring via ICMP protocol (ping request) with alarm function in case of error
Interfaces
- RJ45-Ports: 2 * 10/100/1000BaseT(X)
- USB-Port: option for future expansion
- SCM card Reader: Save and restore the configuration using a smart card (SIM card without mobile provider data, only the storage capacity of the chip will be used)
- LED display: Signaling the status for power, device status, Cut, Alarm, active VPN connection and an active 3G connection
- Digital Outputs:
  "Alarm" -> Indicates a configurable network status or error (24 V out)
  "VPN-active" -> Indicates an active VPN connection (24 V out)
- Digital Inputs:
  "Cut" -> Physically disconnects (link down) the WAN port (24 V in)
  "VPN-initiate" -> Enables a pre-configured VPN connection (24 V in)
- Reset-Button: Restore to the factory settings
Power
- Input Voltage: 1 * 24 VDC (7 to 36 Volt)
- Current consumption: max. 600 mA @ 24 VDC
Technical data (housing)
- Housing: Metal, protection IP20
- Dimensions (width, height, depth): 35 * 159 * 134 mm (without antenna), 35 * 255 * 134 mm (with 3G antenna)
- Mounting: TS35 (DIN rail)
Environmental conditions
- Operating Temperature: -20°C to +70°C
- Storage Temperature: -20°C to +85°C
- Ambient Humidity: 6 to 90% noncondensing
DSL and 3G/HSDPA
DSL
- DSL Internet access by connecting an external DSL modem via LAN or WAN port
- Free configuration of the PPPoE login
DynDNS
- Support for automatic registration
UMTS/3G (only model IE-SR-2GT-UMTS/3G)
- Built-in quad-band 3G / HSPA modem
- 21.1 Mbps peak downlink
- 5.8 Mbps peak uplink
- GSM, GPRS, EDGE: 850 MHz, 900 MHz, 1800 MHz, 1900 MHz
- UMTS, WCDMA, HSDPA, HSUPA: 850 MHz, 900 MHz, 1900 MHz, 2100 MHz
- FCC, CE, FCC, IC, NCC, PTCRB, Bell, AT&T
Approvals
- Security: cULus (UL508)
- EMC: FCC Part 15 Class A, EN 55022 Class A, EN61000-4-2 (ESD), EN61000-4-3 (RS), EN61000-4-4 (EFT), EN61000-4-5 (Surge), EN61000-4-6 (CS)
- Shock: DIN EN 60068-2-29
- Vibration: DIN EN 60068-2-6
Warranty
- Period of time: 3 years
Order data
Model name / Order number
- LAN/WAN Router: IE-SR-2GT-LAN / 1345270000
- LAN/WAN Router with integrated modem UMTS/3G: IE-SR-2GT-UMTS/3G / 1345250000
6. Hardware related functional descriptions
Description of LED status indicators
LED | Signal | Meaning
PWR | off | The device is not powered
PWR | flashing green | Device is turned on, the boot process is running
PWR | green | Device is turned on and ready to run
Status | off | The device is not powered
Status | red | Error after boot process or recovering an image
Cut | off | CUT input is not powered
Cut | red | A Cut event is triggered. LED lights up and the WAN port is disabled
Alarm | off | No Alarm
Alarm | red | An Alarm event is triggered
VPN active | off | No activated VPN tunnel
VPN active | green | Active VPN tunnel (triggered by external VPN key)
3G (UMTS), only model IE-SR-2GT-UMTS/3G | off | No active GSM / 3G / UMTS connection
3G (UMTS), only model IE-SR-2GT-UMTS/3G | flashing yellow | Searching wireless network
3G (UMTS), only model IE-SR-2GT-UMTS/3G | yellow | Connected to a network provider but no active data connection (Offline)
3G (UMTS), only model IE-SR-2GT-UMTS/3G | flashing green | Connected to a network provider. Router activates the connection on data flow (Standby)
Description of device interfaces at top and front side
- Only model IE-SR-2GT-UMTS/3G: Connector for UMTS/3G antenna at top side. Connector type: SMA female
- USB 2.0 connector
- 4-pin connector ("Cut WAN port" and "Signalize Alarm")
  ► 24 VDC input for Cut signal (disabling WAN interface) and
  ► 24 VDC output for signaling an alarm event
  Note: Corresponding socket connector is included
- 4-pin connector ("VPN initiate" and "VPN active")
  ► 24 VDC input for initiating a VPN tunnel (predefined OpenVPN tunnel)
  ► 24 VDC output for signaling an active VPN tunnel
  Note: Corresponding socket connector is included
- RJ45-Connector WAN (10/100/1000BaseTX)
- RJ45-Connector LAN (10/100/1000BaseTX)
- 3-pin connector for 24V DC power supply
  Note: Corresponding socket connector is included
Description of device interfaces at rear side
- SCM slot / socket: SIM memory card reader for external backup and restore of the Router configuration
- 3G slot / socket: Slot for mobile SIM card (only 3G/UMTS model)
UMTS/3G
Connector for UMTS / 3G antenna of type SMA female
Any external antenna can be used which is compliant with the following parameters:
- Diversity Support: 900/1900/2100 MHz
- Antenna Connector: 50 Ohm compatible
Pin assignment of power supply connector
Pin number | Signal name
1 | 24V DC
2 | GND
3 | PE
Note: Allowed input voltage range from 7 to 36 VDC (24 VDC typical)
Pin assignment of RJ45 Ethernet ports (LAN and WAN)
Pin number | Signal name (MDI), 10/100Base T(x) | Signal name (MDI), 1000Base T
1 | TX+ | BI_DA+
2 | TX- | BI_DA-
3 | RX+ | BI_DB+
4 | NC | BI_DC+
5 | NC | BI_DC-
6 | RX- | BI_DB-
7 | NC | BI_DD+
8 | NC | BI_DD-
Pin assignment of 4-pin connector for "VPN initiate" and "VPN active"
Pin number | Signal name
1 | 24V DC (VCC)
2 | Initiate VPN (24 V In)
3 | VPN active (24 V Out)
4 | GND
Pin assignment of 4-pin connector for "Cut WAN port" and "Signalize Alarm"
Pin number | Signal name
1 | 24V DC (VCC)
2 | Cut (Disabling WAN-Port, 24 V In)
3 | Signalize Alarm (24 V Out)
4 | GND
Pin assignment of USB 2.0 connector
The USB interface is intended for connecting peripheral devices (USB 2.0). The connector has no function in the current firmware version, but is kept as an option for planned future applications.
Pin number | Signal name
1 | VDC
2 | D-
3 | D+
4 | GND
Pin assignment of Smartcard Reader (ISO 7816 Standard)
The integrated SIM card reader is intended for saving and restoring the configuration data.
Pin number | Signal name
1 | VCC 5 Volt
2 | RESET
3 | CLOCK
4 | n/c
5 | GND
6 | n/c
7 | I/O
8 | n/c
7. Initial start-up / Getting Started
Configuration of the Router by using an Internet browser
Connect the unit to a 24V DC (3-pin plug) power source. The corresponding plug is included.
During the initial boot phase, the PWR LED flashes. The Router is ready when the PWR LED is lit constantly (after about 30 seconds).
Connect the Router to the Ethernet interface of a configuration PC using an RJ45 network cable. It is possible to use a standard Ethernet patch cable or a crossed network cable. By default both Ethernet ports are configured with autonegotiation.
Note
The configuration of the device can be done via either the LAN or the WAN RJ45 port.
Important note
The Router's Web server partly uses JavaScript for parameter settings (e.g. if you want to apply or delete a configured OpenVPN session).
Please ensure that the Web browser you are using is allowed to run JavaScript. For Router configuration you do NOT need to install Java runtime software (for executable Java applets) because only JavaScript is used. Standard Web browsers are able to run JavaScript code by default.
If some "Apply" buttons are not working (seem to be without function) and you are using Internet Explorer 10, please verify that you are using Browser Mode IE10 to ensure that JavaScript runs properly. To check the browser mode, press key F12 and activate, if not set, mode Internet Explorer 10 as shown in the screenshot below.
The configuration and control of the Router is done via the integrated Web server. Any Internet browser (Microsoft Internet Explorer or Mozilla Firefox) can be used.
When delivered, the Web interface of the Router can be reached from both the LAN and the WAN port.
To access the Web interface of the Router, the IP address of the connected PC has to be in the same logical network (IP address range) as the Router.
The default IP addresses and net masks of the Router are:
LAN port: 192.168.1.110 / 255.255.255.0
WAN port: 192.168.2.110 / 255.255.255.0
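A pre-commissioning check of an address plan against two rules from this manual (the reserved ranges named in the safety notes, and the requirement that the configuration PC be in the same logical network as the Router port), as an added example that is not part of the manual or of Weidmüller's software. The function names are hypothetical; the subnet-overlap and network/broadcast-address checks are general IP practice added here, not statements from the manual.

```python
import ipaddress

# Ranges the manual's safety notes say must not be assigned:
# 127.0.0.0 - 127.255.255.255 and 224.0.0.0 - 255.255.255.255.
RESERVED = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("224.0.0.0/3"),
)

# Factory default port addresses as listed in the manual.
FACTORY_PORTS = {
    "LAN": ("192.168.1.110", "255.255.255.0"),
    "WAN": ("192.168.2.110", "255.255.255.0"),
}


def parse(address, netmask):
    """Parse a dotted address and netmask; raises ValueError if malformed."""
    return ipaddress.IPv4Interface(f"{address}/{netmask}")


def check_interface(label, address, netmask):
    """Return (interface or None, list of problems) for one planned address."""
    try:
        iface = parse(address, netmask)
    except ValueError as exc:
        return None, [f"{label}: invalid address or netmask ({exc})"]
    problems = [
        f"{label}: {iface.ip} is inside reserved range {block}"
        for block in RESERVED
        if iface.ip in block
    ]
    net = iface.network
    # General IP practice (not from the manual): the first and last address
    # of a subnet are its network and broadcast addresses, not host addresses.
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{label}: {iface.ip} is the network or broadcast address of {net}")
    return iface, problems


def reachable_port(pc_address, pc_netmask, ports):
    """Name of the Router port in the same logical network as the PC, or None."""
    pc = parse(pc_address, pc_netmask)
    for name, (address, netmask) in ports.items():
        port = parse(address, netmask)
        # Each side must see the other as on-link, and the addresses must differ.
        if pc.ip != port.ip and pc.ip in port.network and port.ip in pc.network:
            return name
    return None


def plan_problems(ports, pc=None):
    """Check all planned port addresses and, optionally, the configuration PC."""
    problems, valid = [], {}
    for name, (address, netmask) in ports.items():
        iface, found = check_interface(name, address, netmask)
        problems += found
        if iface is not None:
            valid[name] = (address, netmask)
    # General routing practice (not from the manual): in IP Router mode the
    # two ports need distinct subnets, otherwise routing is ambiguous.
    names = sorted(valid)
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            a = parse(*valid[first]).network
            b = parse(*valid[second]).network
            if a.overlaps(b):
                problems.append(f"{first}/{second}: subnets {a} and {b} overlap")
    if pc is not None:
        pc_iface, found = check_interface("PC", *pc)
        problems += found
        if pc_iface is not None and reachable_port(pc[0], pc[1], valid) is None:
            problems.append(f"PC: {pc[0]} is not in the same logical network as any Router port")
    return problems


if __name__ == "__main__":
    # Constructed plan: multicast address on LAN, PC in an unrelated subnet.
    plan = {"LAN": ("224.0.0.5", "255.255.255.0"), "WAN": FACTORY_PORTS["WAN"]}
    for line in plan_problems(plan, pc=("192.168.0.20", "255.255.255.0")):
        print(line)
```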
Starting the Web interface
Start your Web browser and enter the IP address of the connected Router port into the browser’s address line.
Now the login prompt of the Router should appear for input of "User name" and "Password".
[Screenshot of the Login page]
Note
If the login prompt does not appear, please check the network LEDs to verify that the devices are connected to the network correctly. If problems still persist, please check the proxy and firewall settings of the local PC.
Default values (factory settings) for Login:
User name: admin
Password: Detmold
Confirm your input by pressing the OK button.
Now the Router homepage is displayed. This page corresponds to the menu item "Diagnostics → System Status". On this page the most important configuration and status information is summarized.
Note: Some fields are linked with a hyperlink to jump directly into the corresponding menu item.
8. Reset to factory default settings by external push button
By pressing the push button "Factory Default", the security Router can be reset to the default settings (factory settings) at any time, regardless of its configuration.
How to set the factory settings:
1. Power off the Router
2. Press the button "Factory Default" and keep it held down
3. Power on the Router and keep the button "Factory Default" pressed while the Router is booting
4. Release the button "Factory Default" when the Power LED starts flashing fast (around 10 seconds after power on)
5. Wait until the Power LED is glowing constantly green
Now the Router is ready to run with factory default settings.
Default factory settings of the Router:
- Language: English user interface
- Operation mode: IP Router
- IP address LAN port: 192.168.1.110 (static value)
- Subnet mask: 255.255.255.0
- NAT (Masquerading) on LAN port: Not activated
- IP address WAN port: 192.168.2.110 (static value)
- Subnet mask: 255.255.255.0
- NAT (Masquerading) on WAN port: Not activated
- Default gateway: No entry
- DNS: DNS relay not activated
- Firewall (Packet filter): By default, data traffic in both directions between LAN and WAN is allowed on both Layer 2 and Layer 3. For this purpose the packet filter contains two default rules, called "Allow_L2" and "Allow_L3" (allow traffic at Layer 2 and 3), which as "white lists" allow all network traffic.
- IP routing: No static routes, dynamic routing (OSPF, RIP) disabled
- SNMP / DHCP / DNS: Disabled
- VPN: Disabled
- Data prioritization: Disabled
Only model IE-SR-2GT-UMTS/3G
- 3G Modem: Disabled
9. Using the Weidmüller Router-Search-Utility
The software tool Weidmüller Router-Search-Utility can be used to find Weidmüller Routers and detect their IP addresses within a switched network. This software is very helpful if you don't know the current IP address of a Router. This can happen, for example, if you have forgotten the current IP configuration or have lost access to the Router after configuring an unintended IP address. The main features of the software are:
- Detecting a Router and displaying parameters like device name, MAC address and IP address with subnet mask
- Changing the IP address of a detected Router
- Opening the web interface of a detected Router
You may download the Weidmüller Router-Search-Utility from the Weidmüller web site using the following path:
1. Open www.weidmueller.com/IE
2. Select section "Industrial Ethernet" → "Software"
3. Select category "Additional Software (Configuration utilities, Drivers and MIB-files)"
4. Select category "Industrial Security Router (IE-SR-2GT-LAN, …3G/UMTS)"
5. Download "Weidmueller_Router_Search_Utility.zip"
Alternatively you can download this software from this web page:
1. Open www.weidmueller.com
2. Select Downloads
3. Select Software
4. Select Industrial Ethernet
5. Download from section Industrial Security Router (Firmware and Software for IE-SR-2GT-LAN/3G/UMTS)
10. Basic description of the configuration interface (menu items)
The menu structure of the web Interface is divided into 4 main sections:
Section Diagnostics
- Displays system status data
- Displays logging information
- Displays current interface parameters (LAN/WAN/3G)
- Feature for testing the data communication between the Router and other Ethernet devices (Ping test)
Section Configuration
- Setting of operation mode (e.g. IP Router) and basic network parameters (IP addresses, default gateway)
- Setting of firewall rules (packet filter and an additional auto-learning feature called "SecureNow" to assist the creation of packet filtering rules)
- Configuration of general system data (name, location, contact person, date / time, language interface, etc.)
- Certificate management for VPN connections
- User administration (assignment of rights)
- IP routing (static, dynamic) and IP address management (Masquerading, 1:1 NAT, Portforwarding)
- Configuration of VPN connections (OpenVPN, IPsec)
- Configuration of general network services (e.g. DHCP, DNS, SNMP)
- Prioritization of network traffic (Layer-2 and Layer-3 level)
Section System
- Backup and restore of device configuration, firmware update, reboot
Section Informations
- Display of technical data and hardware information (e.g. serial number and MAC address)
11. Explanation of the menu items of web interface in chronological order
Figure 1: Diagnostics → Systemstatus
Startup screen of the web interface after login. Displays current configuration and status data.
Figure 2: Diagnostics → Eventlog → Tab State
Displays events and error messages that have occurred.
Figure 3: Diagnostics → Eventlog → Tab Configuration
Event and error messages can be sent to a syslog server (PC on the network) and also sent as emails.
Figure 4: Diagnostics → WAN
Display of the current status of the WAN port.
Figure 5: Diagnostics → LAN
Display of the current status of the LAN port.
Screenshot of a 3G-Router with inserted SIM Card.
The Router is connected to the Internet by provider Vodafone.
Figure 6: Diagnostics 3G
Displays the current status of the 3G mobile connection.
Figure 7: Diagnostics Ping-Test
Allows sending of ICMP packets (ping) to test network connections between the Router and other Ethernet devices.
Figure 8: Diagnostics Remote-Capture
With the "remote capture" function, data packets on both the LAN and the WAN port of the Router can be recorded for diagnostic purposes. The receiver of the diagnostic data is a PC on which the tool "Wireshark" must be installed. For usage, please refer to the application note in Appendix C3.
Figure 9: Configuration IP Configuration
This is the basic configuration window of the Router for assigning IP addresses on the LAN and WAN port. Each of the two interfaces can be configured with a static or dynamic (DHCP) IP address. For models of type IE-SR-2GT-UMTS/3G (as shown above), an additional section „3G“ is displayed for configuring the 3G connection.
Figure 10: Configuration SecureNow
This is an auxiliary function for "independent learning" of firewall rules based on a temporary recording of data traffic. When the "Start Analysis" button is pressed, the Router begins to analyze the network traffic (ports LAN, WAN and possibly UMTS/3G). As a result, the Router provides a table showing the recorded TCP packets and protocols as well as a proposal for the setting of firewall filtering rules.
Figure 11: Configuration SecureNow running analysis
Window after starting the network analysis, displaying the current network traffic.
Figure 12: Configuration SecureNow „Analysis stopped“
Window after exiting the network analysis, showing the proposed firewall filtering rules. If you click the button "apply rules", the firewall is updated with the proposed rules and they are activated immediately. The changes are not saved automatically, so that e.g. "wrong" filter rules can be removed by a Router restart. The previous filter rules are then valid again.
Figure 13: Configuration Packet filter Tab „Layer 3“
This is the window for the manual configuration of firewall filter rules based on Layer 3 (IP layer). The screenshot shows the firewall settings as delivered, with the default rule "Allow_L3*". This rule allows any IP protocol (*) and any traffic regardless of direction (source and destination = *). As a result, the firewall is "open" on Layer 3 on delivery. For more detailed information about using the packet filter please refer to Appendix A3.
Figure 14: Configuration Packet filter Tab „Layer 2“
This is the window for the manual configuration of firewall filter rules based on Layer 2 (MAC layer). The screenshot shows the firewall settings as delivered, with the 2 default rules "Allow_L2*" and "ARP*" (Address Resolution Protocol). The rule Allow_L2* allows transmitting any Ethernet frame type (*) and any traffic regardless of direction (source and destination MAC address = *). As a result, the firewall is "open" on Layer 2 on delivery.
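The effect of the delivered "Allow_L3*" and "Allow_L2*" rules described for Figures 13 and 14 can be checked against a small model of a rule table. This is an added example, not Weidmüller code: the dict layout, field names, the site rule, the sample packets, first-match evaluation and the "drop" fallback are all assumptions; only the rule names and the "*" wildcard come from the manual.

```python
import ipaddress

# Constructed rule tables. The rule names and "*" wildcards follow the manual;
# the field names and dict layout are assumptions made for this example.
FACTORY_L3 = [{"name": "Allow_L3*", "action": "allow",
               "match": {"proto": "*", "src": "*", "dst": "*"}}]
FACTORY_L2 = [{"name": "Allow_L2*", "action": "allow",
               "match": {"ethertype": "*", "src_mac": "*", "dst_mac": "*"}},
              {"name": "ARP*", "action": "allow",
               "match": {"ethertype": "arp", "src_mac": "*", "dst_mac": "*"}}]
# Hypothetical site rule: only the engineering subnet may reach one PLC on TCP 502.
SITE_L3 = [{"name": "Modbus_to_PLC", "action": "allow",
            "match": {"proto": "tcp", "src": "192.168.10.0/24",
                      "dst": "10.0.0.5/32", "dport": 502}}]

def field_matches(pattern, value):
    """'*' matches anything, 'a.b.c.d/n' matches by subnet, anything else exactly."""
    if pattern == "*":
        return True
    if value is None:
        return False
    if isinstance(pattern, str) and "/" in pattern:
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern)
    return pattern == value

def verdict(rules, packet, default="drop"):
    """Return (action, rule name) of the first matching rule.
    First-match order and the 'drop' fallback are assumptions of this model."""
    for rule in rules:
        if all(field_matches(p, packet.get(f)) for f, p in rule["match"].items()):
            return rule["action"], rule["name"]
    return default, None

def open_rules(rules):
    """Names of allow rules in which every match field is the '*' wildcard."""
    return [r["name"] for r in rules
            if r["action"] == "allow" and set(r["match"].values()) == {"*"}]

# Constructed packets: Telnet from an outside host, Modbus from the engineering subnet.
TELNET = {"proto": "tcp", "src": "203.0.113.9", "dst": "10.0.0.5", "dport": 23}
MODBUS = {"proto": "tcp", "src": "192.168.10.20", "dst": "10.0.0.5", "dport": 502}

if __name__ == "__main__":
    for label, table in (("factory", FACTORY_L3),
                         ("site + factory", SITE_L3 + FACTORY_L3), ("site only", SITE_L3)):
        print(label, open_rules(table), verdict(table, TELNET), verdict(table, MODBUS))
```

In this model, adding a specific rule while the delivered wildcard rule is still in the table changes nothing for unwanted traffic: the Telnet packet is only dropped once "Allow_L3*" has been removed.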
Figure 15: Configuration Packet filter Tab „Status“
Overview of transmit and receive activities of the Ethernet interfaces. In addition, firewall-related information is displayed under the heading "Filter Log".
Figure 16: Configuration Cut & Alarm Tab „Configuration“
In this menu you can configure how the events "Cut" and "Alarm" are reset after they have occurred (either manually by clicking on a button on the tab "State" or automatically after an elapsed time). For more information please refer to Appendix C2 (Method 2).
Figure 17: Configuration Cut & Alarm Tab „State“
Displays the current status of the events:
"Internal Cut": triggered e.g. by a special firewall rule
"External Cut": input of 24 VDC at the 4-pin connector (at the front side of the Router)
"Alarm": triggered e.g. by a special firewall rule or by the function „Client monitoring“
By clicking on the buttons „Reset Cut signal“ and „Reset alarm signal“ you can manually reset the events „Internal Cut“ and „Alarm“. The "External Cut" is reset automatically when the 24 VDC at the 4-pin connector is removed.
Note: The Router's system clock is buffered by a capacitor, not by a battery. If the Router is powered off for more than 30 minutes, the date and time values are reset to factory default settings (Date = date of production e.g. 01/01/2012, Time 00:00).
Figure 18: Configuration General settings System data Tab „Configuration“
Configuring application-related data of the Router (free text).
Figure 19: Configuration General settings Date & time Tab „Configuration“
Setting of date, time and time zone. Alternatively, the date/time setting can be configured by using the "Network Time Protocol" and accessing an external NTP server.
Figure 20: Configuration General settings User interface Tab „Configuration“
Language: Sets the language (German or English) of the web interface.
Save and apply: Sets the behaviour of the button "Activate" or „Save“ in the configuration windows. If you choose the entry „Apply immediately and do not save“, configuration changes are activated immediately but not saved. If you choose the entry „Save only and do not apply“, the button named „Apply“ in the configuration windows changes to a button named „Saved“. In this case all changes are only saved and not activated. Saved changes come into effect after a restart.
Figure 21: Configuration General settings Certificates Tab „Configuration“
Adding or deleting certificates for VPN applications (used for both IPsec and OpenVPN).
For how to use certificates (CA Root, Server, Client), please refer to Appendix B1 (Link to document TechNote_Router_RemoteAccess_via_MeetingPoint_V1_??.pdf).
Figure 22: Configuration General settings SCEP Tab „Configuration“
Configuration of the Router for online access to certificates which are stored on a centralized online certificate server (SCEP, Simple Certificate Enrollment Protocol). When setting up certificate-based VPN connections, the necessary certificates can be obtained directly from a SCEP server.
Figure 23: Configuration Access control User accounts Tab „Configuration“
Create and delete other user accounts.