Industrial Secure Router User’s Manual Second Edition, August 2013 www.moxa.com/product © 2013 Moxa Inc. All rights reserved. Reproduction without permission is prohibited.
Industrial Secure Router User’s Manual The software described in this manual is furnished under a license agreement and may be used only in accordance with the terms of that agreement. Copyright Notice Copyright ©2013 Moxa Inc. All rights reserved. Reproduction without permission is prohibited. Trademarks The MOXA logo is a registered trademark of Moxa Inc. All other trademarks or registered marks in this manual belong to their respective manufacturers.
Table of Contents
1. Introduction 1-1
   Overview 1-2
   Package Checklist 1-2
   Features
   SettingCheck 4-8
   System File Update—by Remote TFTP 4-10
   System File Update—by Local Import/Export 4-10
   Restart
1. Introduction
Welcome to the Moxa Industrial Secure Router series, the EDR-G902, EDR-G903, and EDR-810. These all-in-one Firewall/NAT/VPN secure routers are designed for connecting Ethernet-enabled devices with network IP security.
Industrial Secure Router User's Manual Introduction
Overview
As the world’s network and information technology becomes more mature, the trend is to use Ethernet as the major communications interface in many industrial communications and automation applications. In fact, an entirely new industry has sprung up to provide Ethernet products that comply with the requirements of demanding industrial applications.
2. Getting Started
This chapter explains how to access the Industrial Secure Router for the first time. There are three ways to access the router: (1) serial console, (2) Telnet console, and (3) web browser. The serial console connection method, which requires using a short serial cable to connect the Industrial Secure Router to a PC’s COM port, can be used if you do not know the Industrial Secure Router’s IP address.
RS-232 Console Configuration (115200, None, 8, 1, VT100)
NOTE Connection Caution! We strongly suggest that you do NOT use more than one connection method at the same time. Following this advice will allow you to maintain better control over the configuration of your Industrial Secure Router.
NOTE We recommend using Moxa PComm Terminal Emulator, which can be downloaded free of charge from Moxa’s website.
4. Click the Terminal tab, select VT100 for Terminal Type, and then click OK to continue.
5. The Console login screen will appear. Use the keyboard to enter the login account (admin or user), and then press Enter to jump to the Password field. Enter the console Password (the same as the Web Browser password; leave the Password field blank if a console password has not been set), and then press Enter.
the form 192.168.xxx.xxx. On the other hand, if your PC host’s subnet mask is 255.255.255.0, then its IP address must have the form 192.168.127.xxx.
NOTE To use the Industrial Secure Router’s management and monitoring functions from a PC host connected to the same LAN as the Industrial Secure Router, you must make sure that the PC host and the Industrial Secure Router are connected to the same logical subnet.
2. The web login page will open. Select the login account (Admin or User) and enter the Password (the same as the Console password), and then click Login to continue. Leave the Password field blank if a password has not been set.
NOTE The default password for the EDR series with firmware v3.0 and later is “moxa”. For previous firmware versions, the default password is blank. In either case, set a new password immediately after the first login: the default is printed in this manual, so any host that can reach the management interface can log in until it is changed.
3. EDR-810 Series Features and Functions
In this chapter, we explain how to access the Industrial Secure Router’s configuration options, perform monitoring, and use administration functions. There are three ways to access these functions: (1) RS-232 console, (2) Telnet console, and (3) web browser. The web browser is the most user-friendly way to configure the Industrial Secure Router, since you can both monitor the Industrial Secure Router and use administration functions from the web browser.
Quick Setting Profile
The EDR-810 series supports WAN Routing Quick Setting, which creates a routing function between the LAN ports and WAN ports defined by the user. Follow the wizard’s instructions to configure the LAN and WAN ports.
Step 1: Define the WAN ports and LAN ports
Click on the ports in the figure to define the WAN ports and LAN ports.
Step 3: Configure the WAN port type
Configure the WAN port type to define how the secure router switch connects to the WAN.
Connect Type
Setting | Description | Factory Default
Dynamic IP | Get the WAN IP address from a DHCP server or via a PPTP connection. | Dynamic IP
Static IP | Set a specific static WAN IP address or create a connection to a PPTP server with a specific IP address. |
PPPoE |
Step 4: Enable services
Check Enable DHCP Server to enable the DHCP server for LAN devices. The default IP address range will be set automatically. To modify the IP range, go to the DHCP Server page. N-1 NAT will also be enabled by default.
Step 5: Activate the settings
Click the Activate button.
NOTE An existing configuration will be overwritten by the new settings when WAN Routing Quick Setting is processed.
System
The System section includes the most common settings required by administrators to maintain and control a Moxa switch.
System Information
Define the System Information items so that the different switches connected to your network are easier to identify.
User Account
The Moxa industrial secure router supports the management of accounts, including establishing, activating, modifying, disabling and removing accounts. There are two levels of configuration access, admin and user. An account with admin privilege has read/write access to all configuration parameters, while an account with user authority has read-only access to view the configuration.
NOTE 1.
Create New Account
Input the user name and password and assign the authority to the new account. Once the new setting is applied, the new account will be shown in the Account List table.
Setting | Description | Factory Default
User Name | User Name | None
Password | Password for the user account. | None (Max.
Date and Time
The Moxa industrial secure router has a time calibration function based on information from an NTP server or a user-specified time and date. Functions such as automatic warning emails can therefore include a time and date stamp.
NOTE The Moxa industrial secure router does not have a real time clock. The time must therefore come from an NTP server or be set by the user after each restart; until one of these has happened, event and log timestamps should not be relied on.
Start Date
Setting | Description | Factory Default
User-specified date | Specifies the date that Daylight Saving Time begins. | None
End Date
Setting | Description | Factory Default
User-specified date | Specifies the date that Daylight Saving Time ends. | None
Offset
Setting | Description | Factory Default
User-specified hour | Specifies the number of hours that the time should be set forward during Daylight Saving Time. | None
System Event Settings
System Events are related to the overall function of the switch. Each event can be activated independently with different warning approaches. The administrator can also decide the severity of each system event.
System Events | Description
Cold Start | Power is cut off and then reconnected.
Port Event Settings
Port Events are related to the activity of a specific port.
Port Events | Warning e-mail is sent when…
Link-ON | The port is connected to another device.
Link-OFF | The port is disconnected (e.g., the cable is pulled out, or the opposing device shuts down).
Email Settings
Mail Server IP/Name
Setting | Description | Factory Default
IP address | The IP Address of your email server. |
Max. of 30 characters | You can set up to 4 email addresses to receive alarm emails from the Moxa switch. | None
Send Test Email
After you complete the email settings, you should first click Apply to activate those settings, and then press the Test button to verify that the settings are correct.
When a relay warning is triggered by either a system or port event, the administrator can shut down the hardware warning buzzer by clicking the Apply button. The event is still recorded in the event list.
SettingCheck
SettingCheck is a safety function for industrial users using a secure router.
If the user enables the SettingCheck function with the Accessible IP list and the Confirm Timer is set to 15 seconds, then when the user clicks the Activate button on the Accessible IP list page, the Industrial Secure Router will execute the configuration change and the web browser will try to jump to the SettingCheck Confirmed page automatically.
TFTP Server IP/Name
Setting | Description | Factory Default
IP Address of TFTP Server | The IP or name of the remote TFTP server. Must be configured before downloading or uploading files. | None
Configuration File Path and Name
Setting | Description | Factory Default
Max. 40 Characters | The path and filename of the Industrial Secure Router’s configuration file on the TFTP server. | None
NOTE TFTP has no authentication and transfers the file in cleartext. Run the TFTP server on the management network only, and remove exported configuration files from it once they have been copied elsewhere.
Upgrade Firmware
To import a firmware file into the Industrial Secure Router, click Browse to select a firmware file already saved on your computer. The upgrade procedure will proceed automatically after clicking Import. This upgrade procedure will take a couple of minutes to complete, including the boot-up time.
Enable
Setting | Description | Factory Default
Checked | Allows data transmission through the port. | Enabled
Unchecked | Immediately shuts off port access. |
Media Type
Setting | Description | Factory Default
Media type | Displays the media type for each module’s port | N/A
Setting | Description | Factory Default
Max.
Link Aggregation
Link aggregation involves grouping links into a link aggregation group. A MAC client can treat link aggregation groups as if they were a single link. The Moxa industrial secure router’s port trunking feature allows devices to communicate by aggregating up to 4 trunk groups, with a maximum of 8 ports for each group.
Step 1: Select the desired Trunk Group
Step 2: Select the desired Member Ports or Available Ports
Step 3: Use Up and Down to modify the Group Members
Trunk Group (maximum of 4 trunk groups)
Setting | Description | Factory Default
Trk1, Trk2, Trk3, Trk4 | Specifies the current trunk group. |
Port Mirroring Settings
Setting | Description
Monitored Port | Select the number of the ports whose network activity will be monitored. Multiple port selection is acceptable.
Watch Direction | Select one of the following two watch direction options:
• Input data stream: Select this option to monitor only those data packets coming into the Moxa industrial secure router’s port.
Benefits of VLANs
The main benefit of VLANs is that they provide a network segmentation system that is far more flexible than traditional networks. Using VLANs also provides you with three other benefits:
• VLANs ease the relocation of devices on networks: With traditional networks, network administrators spend much of their time dealing with moves and changes.
802.1Q VLAN Settings
Management VLAN ID
Setting | Description | Factory Default
VLAN ID from 1-4094 | Assigns the VLAN ID of this Moxa switch. | 1
Port Type
Setting | Description | Factory Default
Access | Port type is used to connect single devices without tags. | Access
Trunk | Select Trunk port type to connect another 802.1Q VLAN aware switch. |
Hybrid | Select Hybrid port to connect another Access 802.
Input multiple port numbers in the “Port” column, set the Port Type, Tagged VLAN ID, and Untagged VLAN ID, and then click the Set to Table button to create the VLAN ID configuration table.
VLAN Table
Use the 802.1Q VLAN Table to review the VLAN groups that were created, their Joined Access Ports, Trunk Ports, and Hybrid Ports, and the Action column for deleting VLANs that have no member ports in the list.
• It makes efficient use of network bandwidth and scales well as the number of multicast group members increases.
• Works with other IP protocols and services, such as Quality of Service (QoS).
Multicast transmission makes more sense and is more efficient than unicast transmission for some applications.
Snooping Mode
Snooping Mode allows your industrial secure router to forward multicast packets only to the appropriate ports. The router snoops on exchanges between hosts and an IGMP device to find those ports that want to join a multicast group, and then configures its filters accordingly.
Query Mode
Query mode allows the Moxa router to work as the Querier if it has the lowest IP address on the subnetwork to which it belongs.
IGMP Snooping
IGMP Snooping provides the ability to prune multicast traffic so that it travels only to those end destinations that require that traffic, thereby reducing the amount of traffic on the Ethernet LAN.
The information shown in the table includes:
• Auto Learned Multicast Router Port: This indicates that a multicast router connects to/sends packets from these port(s).
Join Port
Setting | Description | Factory Default
Select/Deselect | Checkmark the appropriate check boxes to select the join ports for this multicast group. | None
QoS and Rate Control
QoS Classification
The Moxa switch supports inspection of layer 3 ToS and/or layer 2 CoS tag information to determine how to classify traffic packets.
inspecting 802.1p CoS tags in the MAC frame to determine the priority of each frame.
Port Priority
Setting | Description | Factory Default
Port priority | The port priority has 4 priority queues. The Low, Normal, Medium, or High priority queue option is applied to each port. | 3 (Normal)
NOTE The priority of an ingress frame is determined in the following order: 1. Inspect ToS 2. Inspect CoS 3.
ToS/DSCP Mapping
ToS (DSCP) Value and Priority Queues
Setting | Description | Factory Default
Low/Normal/Medium/High | Maps different ToS values to 4 different egress queues. | 1 to 16: Low; 17 to 32: Normal; 33 to 48: Medium; 49 to 64: High
Rate Limiting
In general, one host should not be allowed to occupy unlimited bandwidth, particularly when the device malfunctions.
Limit Broadcast, Multicast, Flooded Unicast
Limit Broadcast, Multicast
Limit Broadcast
Ingress/Egress Rate
Setting | Description | Factory Default
Ingress/Egress Rate | Select the ingress/egress rate limit (% of max.
Interface
WAN
VLAN ID
The Moxa Industrial Secure Router’s WAN interface is configured by VLAN group. The ports with the same VLAN can be configured as one WAN interface.
Connection
Note that there are three different connection types for the WAN interface: Dynamic IP, Static IP, and PPPoE. A detailed explanation of the configuration settings for each type is given below.
User Name
Setting | Description | Factory Default
Max. 30 Characters | The login username when dialing up to the PPTP service | None
Password
Setting | Description | Factory Default
Max. 30 characters | The password for dialing the PPTP service | None
MPPE Encryption
Setting | Description | Factory Default
None/Encrypt | Enable or disable MPPE encryption | None
Example
Suppose a remote user (IP: 10.10.10.
Detailed Explanation of Static IP Type
Address Information
IP Address
Setting | Description | Factory Default
IP Address | The interface IP address | None
Subnet Mask
Setting | Description | Factory Default
IP Address | The subnet mask | None
Gateway
Setting | Description | Factory Default
IP Address | The Gateway IP address | None
Detailed Explanation of PPPoE Type
PPPoE Dialup
User Name
Setting | Description | Factory Default
Max.
Host Name
Setting | Description | Factory Default
Max. 30 characters | User-defined Host Name of this PPPoE server | None
Password
Setting | Description | Factory Default
Max. 30 characters | The login password for the PPPoE server | None
LAN
Add a VLAN Interface
Input a name for the VLAN interface, select a VLAN ID, and assign an IP address / Subnet Mask for the interface. Checkmark the Enable checkbox to enable this interface.
DHCP Server
The Industrial Secure Router provides a DHCP (Dynamic Host Configuration Protocol) server function for LAN interfaces. When configured, the Industrial Secure Router will automatically assign an IP address to an Ethernet device from a defined IP range.
NOTE 1. The DHCP Server is only available for LAN interfaces. 2. The Pool First/Last IP Address must be in the same Subnet on the LAN.
Static DHCP
Use the Static DHCP list to ensure that devices connected to the Industrial Secure Router always use the same IP address. The static DHCP list matches IP addresses to MAC addresses. Because a MAC address can be set freely on most hosts, a static DHCP entry fixes which address a device receives but does not verify which device is asking; it is an addressing aid, not an access control.
DNS Server
Setting | Description | Factory Default
IP Address | The DNS server for the selected device | 0.0.0.0
NTP Server
Setting | Description | Factory Default
IP Address | The NTP server for the selected device | 0.0.0.0
Clickable Buttons
Add: Use the Add button to input a new Static DHCP list entry. The Name, Static IP, and MAC address must be different from any existing entry.
Delete: Use the Delete button to delete a Static DHCP list entry.
≥ 5 min. | The lease time of the connected device | None
Default Gateway
Setting | Description | Factory Default
IP Address | The default gateway for the connected device | 0.0.0.0
DNS Server
Setting | Description | Factory Default
IP Address | The DNS server for the connected device | 0.0.0.0
NTP Server
Setting | Description | Factory Default
IP Address | The NTP server for the connected device | 0.0.0.
SNMP Versions
Setting | Description | Factory Default
Disable; V1, V2c, V3; or V1, V2c, or V3 only | Select the SNMP protocol version used to manage the secure router. | Disable
NOTE SNMP V1 and V2c carry the community string in cleartext on every packet, so anyone able to sniff the management network can reuse it. Where SNMP is needed, prefer V3 only with authentication enabled.
Auth. Type
Setting | Description | Factory Default
MD5 | Provides authentication based on the HMAC-MD5 algorithm. 8-character passwords are the minimum requirement for authentication. | MD5
SHA | Provides authentication based on the HMAC-SHA algorithm. |
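The following script is an added example and is not Moxa code. It shows what the router's MD5 / SHA Auth. Type setting does with the password: the RFC 3414 password-to-key expansion, the localization of that key with the agent's engine ID, and the 12-byte HMAC-96 truncation carried in msgAuthenticationParameters. It uses the RFC's own test vector (password "maplesyrup", engine ID 00...02); the message bytes in demo() are a constructed placeholder, not a real SNMP PDU, and the 8-character minimum is the one stated in the table above.

```python
"""SNMPv3 USM password handling behind the "MD5" / "SHA" Auth. Type setting.

Added example, not Moxa code.  Implements RFC 3414 section 2.6 / appendix A.2
(password to key, key localization) and the HMAC-96 truncation, so the effect
of the 8-character minimum and of the engine ID can be seen.  demo() uses the
RFC's "maplesyrup" test vector; its message bytes are constructed.
"""
import hashlib
import hmac

ONE_MEGABYTE = 1048576
MIN_PASSWORD_LEN = 8          # the router's stated minimum


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku = H(password repeated/truncated to exactly 1,048,576 bytes).

    The 1 MB expansion is a fixed work factor; it does not rescue a short
    password, which is why the 8-character floor exists.
    """
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError("authentication password must be at least 8 characters")
    repeats = ONE_MEGABYTE // len(password) + 1
    expanded = (password * repeats)[:ONE_MEGABYTE]
    return hashlib.new(algo, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku).

    The localized key is what the agent stores and what HMACs are computed
    with, so the same password yields a different key on every engine ID and a
    key recovered from one device does not authenticate to another.
    """
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_parameters(kul: bytes, whole_msg: bytes, algo: str) -> bytes:
    """msgAuthenticationParameters: first 12 bytes of HMAC(Kul, wholeMsg)
    (HMAC-MD5-96 or HMAC-SHA-96).  The caller passes the message with the
    authentication field already zero-filled, as the RFC requires."""
    return hmac.new(kul, whole_msg, algo).digest()[:12]


def demo():
    password = b"maplesyrup"                                   # RFC 3414 A.3 vector
    engine_id = bytes.fromhex("000000000000000000000002")
    other_engine = bytes.fromhex("000000000000000000000003")  # constructed
    out = {}
    for algo in ("md5", "sha1"):
        ku = password_to_key(password, algo)
        kul = localize_key(ku, engine_id, algo)
        kul_other = localize_key(ku, other_engine, algo)
        # Constructed placeholder for a wholeMsg with a zeroed auth field.
        msg = b"\x30\x00" + b"\x00" * 12 + b"constructed-msg"
        out[algo] = {
            "ku": ku.hex(),
            "kul": kul.hex(),
            "differs_per_engine": kul != kul_other,
            "auth_param_len": len(auth_parameters(kul, msg, algo)),
        }
    return out


if __name__ == "__main__":
    for algo, values in demo().items():
        print(algo, values)
```

Authentication here only proves that the sender knows the localized key and that the packet was not altered; it does not hide the contents of the PDU. Because Kul depends on the engine ID, changing the password on one router does not change it anywhere else, and the same password on two routers still produces two different keys.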
Access Control
Setting | Description | Factory Default
Read/Write | Access control type after matching the community string | Read/Write
Setting | Description | Factory Default
IP Address | Enter the IP address of the Trap Server used by your network. | 0.0.0.0
Security
User Interface Management
Enable MOXA Utility
Setting | Description | Factory Default
Select/Deselect | Select the appropriate checkbox to enable MOXA Utility | Selected
Enable Telnet
Setting | Description | Factory Default
Select/Deselect | Select the appropriate checkbox to enable Telnet | Selected, Port: 23
NOTE Telnet is enabled by default and sends the login password and the whole session in cleartext. Once SSH access to the router has been verified, deselect Enable Telnet.
Enable SSH
Setting | Description | Factory Default
Select/Deselect | Select the appropriate checkbox to enable S
Authentication Certificate
SSL Certificate Re-generate
Setting | Description | Factory Default
Select/Deselect | Enable the SSL Certificate Re-generate | Deselect
SSH Key Re-generate
Setting | Description | Factory Default
Select/Deselect | Enable the SSH Key Re-generate | Deselect
NOTE Re-generating the certificate or SSH key changes the fingerprint that browsers and SSH clients have stored for this router. Expect a changed-key warning on the next connection, and update the client's known_hosts entry or trust store rather than teaching operators to click through such warnings.
Trusted Access
The Moxa industrial secure router uses an IP address-based filtering method to control access.
• Grant access to one host with a specific IP address
For example, enter IP address 192.168.1.1 with netmask 255.255.255.255 to allow access to 192.168.1.1 only.
• Grant access to any host on a specific subnetwork
For example, enter IP address 192.168.1.0 with netmask 255.255.255.0 to allow access to all IPs on the subnet defined by this IP address/subnet mask combination.
Port Statistics
Access the Monitor by selecting Monitor from the left selection bar. Monitor by System allows the user to view a graph that shows the combined data transmission activity of all of the Moxa industrial secure router’s ports. Click one of the four options—Total Packets, TX Packets, RX Packets, or Error Packets—to view transmission activity of specific types of packets.
Event Log
The Event Log Table displays the following information:
Index | Event index assigned to identify the event sequence.
Bootup | This field shows how many times the Moxa switch has been rebooted or cold started.
Date | The date is updated based on how the current date is set in the Basic Settings page.
Time | The time is updated based on how the current time is set in the Basic Settings page.
NOTE The following events will be recorded into the Moxa industrial secure router’s Event Log Table:
• Cold start
• Warm start
• Configuration change activated
• Power 1/2 transition (Off -> On), Power 1/2 transition (On -> Off)
• Authentication fail
• Topology changed
• Master setting is mismatched
• Port traffic overload
• dot1x Auth Fail
• Port link off/on
4. EDR-G902/G903 Series Features and Functions
Overview
The Overview page is divided into three major parts: Interface Status, Basic function status, and Recent 10 Event logs, and gives users a quick overview of the EtherDevice Router’s current settings. Click More… at the top of the Interface Status table to see detailed information about all interfaces.
Click More… at the top of the Recent 10 Event Log table to open the EventLogTable page.
Configuring Basic Settings
The Basic Settings group includes the most commonly used settings required by administrators to maintain and control the EDR-G903.
System Identification
The system identification section gives you an easy way to identify the different switches connected to your network.
Maintainer Contact Info
Setting | Description | Factory Default
Max. 30 Characters | Enter the contact information of the person responsible for maintaining this EDR-G903 | None
Web Configuration
Setting | Description | Factory Default
http or https | Users can connect to the EDR-G903 router via http or https protocol. | http or https
https only | Users can connect to the EDR-G903 router via https protocol only. |
NOTE With the default setting, a login over http sends the password and every later configuration change in cleartext. Switch to https only once you have confirmed that https access works from your management station.
Allowable Hosts | Input Format
Any host | Disable
192.168.1.120 | 192.168.1.120 / 255.255.255.255
192.168.1.1 to 192.168.1.254 | 192.168.1.0 / 255.255.255.0
192.168.0.1 to 192.168.255.254 | 192.168.0.0 / 255.255.0.0
192.168.1.1 to 192.168.1.126 | 192.168.1.0 / 255.255.255.128
192.168.1.129 to 192.168.1.254 | 192.168.1.128 / 255.255.255.
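The following Python script is an added example, not Moxa code. It reproduces the address/netmask semantics of the Trusted Access entries described in chapter 3 and of the Accessible IP table above, so an entry can be checked against the address of the station you are configuring from before you click Activate. The addresses in demo() are constructed for illustration.

```python
"""Accessible IP list / Trusted Access matching, as an added example.

Not Moxa code.  Each entry is an address plus a netmask; a source host is
allowed if it falls inside any entry.  An empty list means the filter is
disabled and any host may reach the management interfaces.
"""
import ipaddress


def parse_entry(address, netmask):
    """Turn an address/netmask pair into a network.

    strict=False makes 192.168.1.120 / 255.255.255.0 mean 192.168.1.0/24:
    host bits in the address are ignored, which is what a mask-based filter does.
    """
    return ipaddress.IPv4Network((address, netmask), strict=False)


def host_range(address, netmask):
    """First and last host address an entry grants, matching the table above."""
    net = parse_entry(address, netmask)
    if net.prefixlen == 32:
        one = str(net.network_address)
        return one, one
    first = net.network_address + 1      # skip the network address
    last = net.broadcast_address - 1     # skip the broadcast address
    return str(first), str(last)


class AccessibleIPList:
    """Ordered list of (address, netmask) entries."""

    def __init__(self, entries=()):
        self.networks = [parse_entry(a, m) for a, m in entries]

    @property
    def enabled(self):
        return bool(self.networks)

    def allows(self, source_ip):
        if not self.enabled:            # no entries: filter disabled
            return True
        ip = ipaddress.IPv4Address(source_ip)
        return any(ip in net for net in self.networks)

    def would_lock_out(self, admin_ip):
        """True if activating this list would block the station you are
        configuring the router from, the case SettingCheck guards against."""
        return self.enabled and not self.allows(admin_ip)


def demo():
    """Constructed scenario: the admin works from 192.168.1.50, the list
    allows one NMS host plus the upper half of 192.168.1.0/24."""
    acl = AccessibleIPList([
        ("192.168.1.120", "255.255.255.255"),   # exactly one host
        ("192.168.1.128", "255.255.255.128"),   # 192.168.1.129 to 192.168.1.254
    ])
    return {
        "nms_allowed": acl.allows("192.168.1.120"),
        "upper_half_allowed": acl.allows("192.168.1.200"),
        "admin_allowed": acl.allows("192.168.1.50"),
        "admin_locked_out": acl.would_lock_out("192.168.1.50"),
        "range_of_second_entry": host_range("192.168.1.128", "255.255.255.128"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run would_lock_out() with the address your browser session actually uses (after any NAT between you and the router); the demo shows the classic mistake of allowing the right subnet but the wrong half of it, which is exactly what SettingCheck's confirm timer exists to undo.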
Account
Setting | Description | Factory Default
Admin | “admin” privilege allows the user to modify all configurations. | Admin
User | “user” privilege only allows viewing device configurations. |
Current Time
Setting | Description | Factory Default
User adjustable time (hh:mm:ss) | The time parameter allows configuration of the local time in local 24-hour format. | None
Current Date
Setting | Description | Factory Default
User adjustable date.
SettingCheck
SettingCheck is a safety function for industrial users using a secure router. It provides a double confirmation mechanism for when a remote user changes the security policies, such as Firewall filter, NAT, and Accessible IP list. When a remote user changes these security policies, SettingCheck guards against the new policy blocking the connection from that remote user to the Firewall/VPN device.
If the new configuration does not block the connection from the remote user to the EtherDevice Router, the user will see the SettingCheck Confirmed page, shown in the following figure. Click Confirm to save the configuration updates.
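The following Python class is an added example of the commit-confirm logic that the SettingCheck description in this chapter and in chapter 3 implies; it is not Moxa firmware. A policy change is applied at once, and if the remote user does not reach the Confirmed page and click Confirm within the confirm timer, the previous configuration is restored. The clock is injectable so the timeout can be exercised without waiting, and the configurations in demo() are constructed.

```python
"""Commit-confirm logic of the kind SettingCheck describes, as an added example.

Not Moxa firmware.  activate() applies a change but remembers the previous
configuration and a deadline; confirm() keeps the change if it arrives in
time; expire() is the periodic timer that rolls back when nothing arrived,
which is what saves an admin who just blocked their own session.
"""
import time


class SettingCheck:
    def __init__(self, running_config, confirm_timer=15.0, clock=time.monotonic):
        self.running = dict(running_config)   # configuration in effect now
        self.confirm_timer = confirm_timer    # seconds the admin has to confirm
        self.clock = clock
        self.pending = None                   # (previous_config, deadline) or None

    def activate(self, new_config):
        """Apply new_config immediately but keep the old one until confirmed."""
        if self.pending is not None:
            raise RuntimeError("a previous change is still awaiting confirmation")
        self.pending = (self.running, self.clock() + self.confirm_timer)
        self.running = dict(new_config)
        return self.running

    def confirm(self):
        """The admin reached the Confirmed page and clicked Confirm.

        Returns True if the change is kept.  A confirmation after the deadline
        is too late: the old configuration is restored instead.
        """
        if self.pending is None:
            return False
        previous, deadline = self.pending
        if self.clock() > deadline:
            self._rollback(previous)
            return False
        self.pending = None
        return True

    def expire(self):
        """Periodic timer check; returns True if a rollback happened."""
        if self.pending is None:
            return False
        previous, deadline = self.pending
        if self.clock() > deadline:
            self._rollback(previous)
            return True
        return False

    def _rollback(self, previous):
        self.running = previous
        self.pending = None


def demo():
    """Two constructed runs with a fake clock: one confirmed in time, one not."""
    now = [0.0]
    clock = lambda: now[0]
    old = {"accessible_ip": []}                      # filter disabled
    new = {"accessible_ip": ["192.168.1.128/25"]}   # would cut off 192.168.1.50

    # Run 1: the admin is still reachable and confirms after 5 s.
    sc = SettingCheck(old, confirm_timer=15, clock=clock)
    sc.activate(new)
    now[0] = 5.0
    kept = sc.confirm()

    # Run 2: the change blocked the admin; nothing arrives, timer fires at 16 s.
    now[0] = 0.0
    sc2 = SettingCheck(old, confirm_timer=15, clock=clock)
    sc2.activate(new)
    now[0] = 16.0
    rolled_back = sc2.expire()

    return {
        "run1_kept": kept,
        "run1_running": sc.running,
        "run2_rolled_back": rolled_back,
        "run2_running": sc2.running,
        "late_confirm_accepted": sc2.confirm(),
    }


if __name__ == "__main__":
    print(demo())
```

The confirm timer has to be long enough for the browser to follow the redirect to the Confirmed page over the new policy, but no longer, since until it expires the router is running an unconfirmed policy that may be wrong in the other direction (too permissive) as well.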
System File Update—by Remote TFTP
The EtherDevice Router supports saving your configuration file to a remote TFTP server or local host to allow other EtherDevice Router routers to use the same configuration at a later time, or saving the Log file for future reference.
Log File
Click Export to export the Log file of the EtherDevice Router to the local host.
NOTE Some operating systems will open the configuration file and log file directly in the web page. In such cases, right click the Export button and then save as a file.
Upgrade Firmware
To import a firmware file into the EtherDevice Router, click Browse to select a firmware file already saved on your computer.
Network Settings
Mode Configuration
Network Mode
EtherDevice Router provides Router Mode and Bridge Mode operation for different applications:
Router Mode
In this mode, EtherDevice Router operates as a gateway between different networks.
WAN1 Configuration
Connection
Note that there are three different connection types for the WAN1 interface: Dynamic IP, Static IP, and PPPoE. A detailed explanation of the configuration settings for each type is given below.
Example: Suppose a remote user (IP: 10.10.10.10) wants to connect to the internal server (private IP: 30.30.30.10) via the PPTP protocol. The IP address for the PPTP server is 20.20.20.1. The necessary configuration settings are shown in the following figure.
Gateway
Setting | Description | Factory Default
IP Address | The Gateway IP address | None
Detailed Explanation of PPPoE Type
PPPoE Dialup
User Name
Setting | Description | Factory Default
Max. 30 characters | The User Name for logging in to the PPPoE server | None
Host Name
Setting | Description | Factory Default
Max. 30 characters | User-defined Host Name of this PPPoE server | None
Setting | Description | Factory Default
Max.
Connection Type
Setting | Description | Factory Default
Static IP, Dynamic IP, PPPoE | Configure the connection type | Dynamic IP
Detailed Explanation of Dynamic IP Type
PPTP Dialup
Point-to-Point Tunneling Protocol is used for Virtual Private Networks (VPN). Remote users can use PPTP to connect to private networks from public networks.
NOTE PPTP's MS-CHAPv2 authentication and MPPE encryption are widely regarded as cryptographically weak. Treat a PPTP link as giving no more protection than the network it crosses, and prefer an IPsec-based VPN where the remote peer supports one.
DNS (Domain Name Server; optional setting for Dynamic IP and PPPoE types)
Server 1/2/3
Setting | Description | Factory Default
IP Address | The DNS IP Address | None
NOTE A manually configured DNS server has higher priority than the DNS server supplied by the PPPoE or DHCP server.
Subnet Mask
Setting | Description | Factory Default
IP Address | The subnet mask | None
Gateway
Setting | Description | Factory Default
IP Address | The Gateway IP address | None
Detailed Explanation of PPPoE Type
PPPoE Dialup
User Name
Setting | Description | Factory Default
Max. 30 characters | The User Name for logging in to the PPPoE server | None
Setting | Description | Factory Default
Max.
Using DMZ Mode
A DMZ (demilitarized zone) is an isolated network for devices—such as data, FTP, web, and mail servers connected to a LAN network—that need to frequently connect with external networks. The deployment of an FTP server in a DMZ is illustrated in the following figure. DMZ mode is configured on the WAN2 configuration web page.
LAN IP Configuration
IP Address
Setting | Description | Factory Default
IP Address | The LAN interface IP address | 192.168.127.254
Subnet Mask
Setting | Description | Factory Default
Communication Redundancy
The Moxa industrial secure router provides a communications redundancy function: WAN backup (EDR-G903 only).
WAN Backup Configuration
Select Backup for the WAN2/DMZ Connect Mode, and then go to the Network Redundancy WAN Backup setting page for the WAN Backup configuration.
Monitor
You can monitor statistics in real time from the EtherDevice Router's web console.

Monitor by System
Access the Monitor by selecting "System" from the left selection bar. Monitor by System allows the user to view a graph that shows the combined data transmission activity of all the EtherDevice Router's 3 ports.
System Log
The industrial secure router provides EventLog and Syslog functions to record important events.

EventLog
  Field: Bootup
  Description: This field shows how many times the device has been rebooted or cold started.
  Field: Date
  Description: The date is updated based on how the current date is set in the "Basic Setting" page.
  Field: Time
  Description: The time is updated based on how the current time is set in the "Basic Setting" page.
Events recorded in the EventLog:
  DI transition (Off -> On)
  DI transition (On -> Off)
  Cold start
  Factory default: Warm start
  System restart: Warm start
  Firmware Upgrade: Warm start
  Configuration Upgrade: Warm start

NOTE: The maximum number of event entries is 1000. Because the on-device log is capped, forward events to a syslog server if they must be retained; syslog over UDP is neither authenticated nor encrypted, so the collector should sit on the management network.

Syslog
This function forwards the event log to a syslog server. The function supports 3 configurable syslog servers and syslog server UDP port numbers.
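The EventLog entries above are what a syslog collector receives from the router. The following is an added example (not code from the manual or from Moxa) of the detection logic a SOC would run over those forwarded lines: it parses an assumed RFC 3164-style line format, picks out the events that change the device itself (factory default, firmware upgrade, configuration upgrade, cold start) and escalates any such change that happens outside a maintenance window. The sample log lines, the hostname `edr-g903-a` and the exact message text are constructed for the example; the router's real message format is not documented on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input. The line format is an assumption (RFC 3164-style
# "<PRI>Mmm dd hh:mm:ss host message"); the event names are the ones listed
# in the EventLog table above.
SAMPLE_LOG = """\
<14>Aug 12 08:01:02 edr-g903-a System: Cold start
<14>Aug 12 08:01:03 edr-g903-a Event: DI transition (Off -> On)
<14>Aug 12 23:40:11 edr-g903-a System: Configuration Upgrade - Warm start
<14>Aug 13 02:15:44 edr-g903-a System: Firmware Upgrade - Warm start
<14>Aug 13 02:16:01 edr-g903-a System: Factory default - Warm start
garbage line without a syslog header
"""

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# Events that change the device itself, with the severity a SOC would assign.
# Assumption: these strings appear verbatim in the forwarded message text.
WATCH = {
    "Factory default": "critical",
    "Firmware Upgrade": "high",
    "Configuration Upgrade": "high",
    "Cold start": "medium",
}


@dataclass
class Event:
    host: str
    timestamp: str
    facility: int
    severity: int
    message: str
    alert: Optional[str]  # None when the event is not in WATCH


def parse_line(line: str) -> Optional[Event]:
    """Split one syslog line into its fields; return None for non-syslog input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    msg = m["msg"]
    alert = next((level for key, level in WATCH.items() if key in msg), None)
    return Event(m["host"], m["ts"], pri // 8, pri % 8, msg, alert)


def find_alerts(text: str, maintenance_hours=range(7, 19)) -> List[Event]:
    """Return watched events; a device change outside the maintenance window is
    escalated to critical, because nobody should be reflashing or reconfiguring
    the firewall at that time."""
    found = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.alert is None:
            continue
        hour = int(ev.timestamp[7:9])  # "Aug 12 08:01:02" -> "08"
        if hour not in maintenance_hours and ev.alert != "critical":
            ev.alert = "critical"
        found.append(ev)
    return found


if __name__ == "__main__":
    for ev in find_alerts(SAMPLE_LOG):
        print(f"{ev.alert:8} {ev.host} {ev.timestamp} {ev.message}")
```

The DI transition lines are parsed but not alerted on; they belong in the process historian, not the security queue. The maintenance window is a parameter because it differs per site.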
5. Routing

Unicast Routing
The Industrial Secure Router supports two routing methods: static routing and dynamic routing. Dynamic routing makes use of RIP V1/V1c/V2. You can either choose one routing method, or combine the two methods to establish your routing table. Dynamic routing installs routes learned from neighbors' advertisements, so enable RIP only on interfaces that face trusted routers.
Clickable Buttons
  Add: Adds an entry to the Static Routing Table.
  Delete: Removes the selected entries from the Static Routing Table.
  Modify: Modifies the content of the selected entry in the Static Routing Table.

NOTE: The entries in the Static Routing Table are not added to the Industrial Secure Router's routing table until you click the Activate button.
RIP Interface Table (EDR-810 series only)
  Setting: Enable/Disable
  Description: Check the checkbox to enable RIP for each interface.
  Factory Default: Unchecked

Routing Table
The Routing Table page shows all routing entries.
6. Network Redundancy

Layer 2 Redundant Protocols (EDR-810 series only)

Configuring STP/RSTP
The following figures indicate which Spanning Tree Protocol parameters can be configured. A more detailed explanation of each parameter follows. At the top of this page, the user can check the Current Status of this function. For RSTP, you will see:
  Now Active: Shows which communication protocol is being used: Turbo Ring, RSTP, or neither.
Hello time (sec.)
  Setting: Numerical value input by user
  Description: The root of the Spanning Tree topology periodically sends out a "hello" message to other devices on the network to check if the topology is healthy. The "hello time" is the amount of time the root waits between sending hello messages.
  Factory Default: 2

Max. Age (sec.
Configuring Turbo Ring V2

NOTE: When using the Dual-Ring architecture, users must configure settings for both Ring 1 and Ring 2. In this case, the status of both rings will appear under "Current Status."

Explanation of "Current Status" Items
  Now Active: Shows which communication protocol is in use: Turbo Ring V2, RSTP, or none.
Explanation of "Settings" Items

Redundancy Protocol
  Setting: Turbo Ring V2
  Description: Select this item to change to the Turbo Ring V2 configuration page.
  Setting: RSTP (IEEE 802.1W/802.1D-2004)
  Description: Select this item to change to the RSTP configuration page.
  Setting: None
  Factory Default: None
Layer 3 Redundant Protocols

VRRP Settings
With a statically configured default gateway, a LAN client loses connectivity when that one gateway router fails. Virtual Router Redundancy Protocol (VRRP) solves this: a group of routers forms a single virtual router with a virtual IP address, and the LAN clients are configured with that virtual IP address as their default gateway. The group of routers that makes up the virtual router is also known as a VRRP group. The master of the group is elected from priorities carried in advertisements exchanged on the LAN segment, so any host able to inject such advertisements there can claim the gateway role; keep VRRP interfaces on trusted segments.
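The election described above is driven entirely by what arrives on the wire, which is why a monitoring point on the LAN should be able to read VRRP advertisements and notice an impostor. The following is an added example (not code from the manual or from Moxa) that builds and parses VRRPv2 advertisements as laid out in RFC 3768, verifies the one's-complement checksum, and flags advertisements for a given VRID whose priority or virtual IP set does not match the group as configured. The VRID 10, the priorities and the address 192.168.127.1 are constructed for the example; the router's own VRRP implementation is not shown on this page, so nothing here should be read as its behaviour.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Iterable, List, Set


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 for a message whose
    checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Advertisement:
    vrid: int
    priority: int
    adver_int: int
    auth_type: int
    vips: List[str]


def build_advertisement(vrid: int, priority: int, vips: List[str], adver_int: int = 1) -> bytes:
    """Encode a VRRPv2 advertisement (RFC 3768): version 2, type 1, auth type 0
    and zeroed auth data (assumed, since VRRPv2 carries no real authentication)."""
    head = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(vips), 0, adver_int, 0)
    body = b"".join(socket.inet_aton(ip) for ip in vips) + bytes(8)
    msg = head + body
    return msg[:6] + struct.pack("!H", inet_checksum(msg)) + msg[8:]


def parse_advertisement(msg: bytes) -> Advertisement:
    """Decode and validate a VRRPv2 advertisement; raise ValueError on anything
    malformed instead of trusting the fields."""
    if len(msg) < 16:
        raise ValueError("short VRRP message")
    vt, vrid, prio, count, auth, adver, _csum = struct.unpack("!BBBBBBH", msg[:8])
    if vt >> 4 != 2 or vt & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    if len(msg) != 8 + 4 * count + 8:
        raise ValueError("length does not match the IP address count")
    if inet_checksum(msg) != 0:
        raise ValueError("bad checksum")
    vips = [socket.inet_ntoa(msg[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return Advertisement(vrid, prio, adver, auth, vips)


def is_valid(msg: bytes) -> bool:
    try:
        parse_advertisement(msg)
        return True
    except ValueError:
        return False


def detect_rogue(advs: Iterable[Advertisement], expected_vrid: int,
                 expected_vips: Set[str], known_priorities: Set[int]) -> List[str]:
    """Flag advertisements for our VRID that no legitimate member of the group
    would send: an unknown priority (a rogue claiming master with 254/255) or a
    different virtual IP set (gateway hijack). Other VRIDs are ignored."""
    reasons = []
    for adv in advs:
        if adv.vrid != expected_vrid:
            continue
        if set(adv.vips) != set(expected_vips):
            reasons.append(f"VIP set mismatch {adv.vips}")
        if adv.priority not in known_priorities:
            reasons.append(f"unexpected priority {adv.priority}")
    return reasons
```

The checksum catches corruption and lazy tampering only; an attacker who builds a correct packet passes it, which is exactly why `detect_rogue` compares against the configured group rather than against the packet's own claims.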
7. Network Address Translation

Network Address Translation (NAT)

NAT Concept
NAT (Network Address Translation) rewrites the IP addresses in packets as they are forwarded. When the user wants to hide the internal IP addresses (LAN) from the external network (WAN), the NAT function translates an internal IP address to a specific external IP address, or an internal IP address range to one external IP address. NAT hides the internal addressing but does not by itself decide which traffic is allowed; that is the job of the firewall policies in Chapter 8.
1-to-1 NAT Setting for EDR-G903 in Production Line 1

1-to-1 NAT Setting for EDR-G903 in Production Line 2

Enable/Disable NAT policy
  Setting: Enable or Disable
  Description: Enable or disable the selected NAT policy
  Factory Default: None

NAT Mode
  Setting: N-1, 1-1, Port Forward
  Description: Select the NAT type
  Factory Default: None

Interface (1-1 NAT type)
  Setting: WAN1
  Description: Select the Interface for this NAT
IP Address (1-1 NAT type)
  Setting: IP Address
  Description: Select the internal IP address in the LAN/DMZ network area
  Factory Default: None

WAN IP (1-1 NAT type)
  Setting: IP Address
  Description: Select the external IP address in the WAN network area
  Factory Default: None

NOTE: The Industrial Secure Router can obtain an IP address via DHCP or PPPoE. However, if this dynamic IP address is the same as the WAN IP for 1-to-1 NAT, then the 1-to-1 NAT function will not work.
Interface (N-1 mode)
  Setting: Auto, WAN1, WAN2
  Description: Select the Interface for this NAT Policy
  Factory Default: Auto

The Industrial Secure Router provides a Dual WAN backup function for network redundancy. If the interface is set to Auto, the NAT Mode is set to N-1, and the WAN backup function is enabled, the primary WAN interface is WAN1.
Enable/Disable NAT policy
  Setting: Enable or Disable
  Description: Enable or disable the selected NAT policy
  Factory Default: Enabled

NAT Mode
  Setting: N-1, 1-1, Port Forward
  Description: Select the NAT type
  Factory Default: N-1

Interface (Port Forward mode)
  Setting: WAN1, WAN2
  Description: Select the Interface for this NAT Policy
  Factory Default: WAN1

Protocol (Port Forward mode)
  Setting: TCP
  Description: Select t
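The three NAT modes in the tables above (1-1, N-1 and Port Forward) differ in which direction they open and how much of an internal host they expose. The following is an added example (not code from the manual or from Moxa) that models the translation decisions of a small NAT engine holding all three policy types, including the manual's caveat that a 1-1 WAN IP equal to the interface's own DHCP/PPPoE address cannot work. The addresses, port numbers and the 40000 starting port for N-1 translations are constructed; the precedence of 1-1 over N-1 and the endpoint-independent N-1 mapping are this example's assumptions, not documented router behaviour.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A flow is (src_ip, src_port, dst_ip, dst_port, proto). All addresses used
# below are constructed for the example.
Flow = Tuple[str, int, str, int, str]


@dataclass
class Policy:
    mode: str                          # "1-1", "N-1" or "Port Forward"
    interface: str = "WAN1"            # "WAN1", "WAN2" or "Auto"
    enabled: bool = True
    internal_ip: Optional[str] = None  # LAN/DMZ address (1-1 and Port Forward)
    wan_ip: Optional[str] = None       # external address (1-1 only)
    protocol: str = "TCP"              # Port Forward only
    wan_port: Optional[int] = None     # Port Forward only
    internal_port: Optional[int] = None


@dataclass
class NatEngine:
    interface_ip: Dict[str, str]       # address currently held by each WAN interface
    policies: List[Policy]
    primary: str = "WAN1"              # interface used when a policy says "Auto"
    next_port: int = 40000             # first port handed out for N-1 translations
    n1_table: Dict[Tuple[str, int, str], int] = field(default_factory=dict)

    def validate(self) -> List[str]:
        """Configuration checks, including the manual's 1-1 caveat: a 1-1 WAN IP
        equal to an interface's own (DHCP/PPPoE) address breaks that policy."""
        problems = []
        for p in self.policies:
            if p.mode == "1-1" and p.wan_ip in self.interface_ip.values():
                problems.append(f"1-1 WAN IP {p.wan_ip} collides with an interface address")
            if p.mode == "Port Forward" and (p.wan_port is None or p.internal_ip is None):
                problems.append("Port Forward policy is missing WAN port or internal IP")
        return problems

    def _iface(self, p: Policy) -> str:
        return self.primary if p.interface == "Auto" else p.interface

    def outbound(self, flow: Flow, iface: str = "WAN1") -> Optional[Flow]:
        """LAN -> WAN. A 1-1 mapping wins (assumed precedence); otherwise N-1
        hides the host behind the interface address with a translated source
        port. None means no translation applies."""
        src, sport, dst, dport, proto = flow
        for p in self.policies:
            if p.enabled and p.mode == "1-1" and self._iface(p) == iface and p.internal_ip == src:
                return (p.wan_ip, sport, dst, dport, proto)
        for p in self.policies:
            if p.enabled and p.mode == "N-1" and self._iface(p) == iface:
                key = (src, sport, proto)          # endpoint-independent mapping (assumed)
                if key not in self.n1_table:
                    self.n1_table[key] = self.next_port
                    self.next_port += 1
                return (self.interface_ip[iface], self.n1_table[key], dst, dport, proto)
        return None

    def inbound(self, flow: Flow, iface: str = "WAN1") -> Optional[Flow]:
        """WAN -> LAN. Only Port Forward rules, 1-1 mappings and replies to
        existing N-1 entries are translated; None means unsolicited inbound
        traffic, which is dropped. Note that 1-1 exposes every port of the
        internal host, so it still needs a firewall policy in front of it."""
        src, sport, dst, dport, proto = flow
        for p in self.policies:
            if not p.enabled or self._iface(p) != iface:
                continue
            if (p.mode == "Port Forward" and p.protocol == proto
                    and dst == self.interface_ip[iface] and dport == p.wan_port):
                return (src, sport, p.internal_ip, p.internal_port, proto)
            if p.mode == "1-1" and dst == p.wan_ip:
                return (src, sport, p.internal_ip, dport, proto)
        for (in_ip, in_port, in_proto), ext_port in self.n1_table.items():
            if in_proto == proto and dst == self.interface_ip[iface] and dport == ext_port:
                return (src, sport, in_ip, in_port, proto)
        return None
```

Running `validate()` before activating a policy set reproduces the check the manual's note asks the operator to make by hand.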
8. Firewall

Policy Concept
A firewall device is commonly used to provide secure traffic control over an Ethernet network, as illustrated in the following figure. Firewall devices are deployed at critical points between an external network (the non-secure part) and an internal network (the secure part).

Policy Overview
The Industrial Secure Router provides a Firewall Policy Overview that lists firewall policies by interface direction.
Enable
  Setting: Enable or Disable
  Description: Enable or disable the selected Firewall policy
  Factory Default: Enabled

Interface From/To
  Setting: All (WAN1/WAN2/LAN), WAN1, WAN2, LAN
  Description: Select the From interface and To interface
  Factory Default: From All to All

Quick Automation Profile
  Setting: Refer to the "Quick Automation Profile" section.
  Description: Select the protocol parameters in this Firewall Policy
  Factory Default: None
Destination IP
  Setting: All (IP Address)
  Description: This Firewall Policy will check all destination IP addresses in the packet
  Setting: Single (IP Address)
  Description: This Firewall Policy will check a single destination IP address in the packet
  Setting: Range (IP Address)
  Description: This Firewall Policy will check a range of destination IP addresses in the packet
  Factory Default: All

Destination Port
  Setting: All (Port number)
  Description: This Firewall Policy will check al
detailed description

EtherType
  Setting: 0x0600 to 0xFFFF
  Description: When Protocol is set to "Manual" you can set up the EtherType manually
  Factory Default: None

Target
  Setting: Accept
  Description: The packet will pass the Firewall when it matches this Firewall policy
  Setting: Drop
  Description: The packet will not pass the Firewall when it matches this Firewall policy
  Factory Default: None

Source MAC Address
  Setting: MAC Address
  Description: This Firewall Policy will c
Quick Automation Profile
Ethernet Fieldbus protocols are popular in industrial automation applications. In fact, many Fieldbus protocols (e.g., EtherNet/IP and Modbus TCP/IP) can operate on an industrial Ethernet network, with the port number defined by IANA (Internet Assigned Numbers Authority).
  Modbus TCP/IP (TCP): 502
  Modbus TCP/IP (UDP): 502
  PROFInet RT Unicast (TCP): 34962
  PROFInet RT Unicast (UDP): 34962
  PROFInet RT Multicast (TCP): 34963
  PROFInet RT Multicast (UDP): 34963
  PROFInet Context Manager (TCP): 34964
  PROFInet Context Manager (UDP): 34964
  IEC 60870-5-104 (TCP): 2404
  IEC 60870-5-104 (UDP): 2404
  DNP (TCP): 20000
  DNP (UDP): 20000

The Quick Automation Profile also includes the commonly used Ethernet protocols listed in the foll
Policy Check
The Industrial Secure Router supports a PolicyCheck function for maintaining the firewall policy list. PolicyCheck detects firewall policies that may be configured incorrectly: it automatically looks for common configuration errors in the Firewall policy list (e.g., Mask, Include, and Cross conflicts).
Include: Policy [X] is included in Policy [Y]
The Source/Destination IP range or Source/Destination port number of policy [X] is less than or equal to that of policy [Y], and the action target (Accept/Drop) is the same. In this case policy [X] is redundant: it only increases the loading of the Industrial Secure Router and lowers its performance.
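The PolicyCheck categories above are ordinary set relations between the IP and port ranges of two policies, and they are worth being able to compute offline before a policy list is pushed to a fleet of routers. The following is an added example (not code from the manual or from Moxa) that implements the check over an ordered policy list: Include follows the manual's definition exactly, while the definitions of Mask (a later policy entirely inside an earlier one with the opposite target, so it can never fire) and Cross (two policies with different targets that partially overlap, so the result depends on ordering) are this example's assumptions, since the page does not spell them out. The four sample policies P1 to P4 and their addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

Range = Tuple[int, int]                 # inclusive (low, high)
ANY_IP: Range = (0, 2 ** 32 - 1)
ANY_PORT: Range = (0, 65535)


def ip_range(spec: str) -> Range:
    """'All', one address, or 'a.b.c.d-w.x.y.z', like the All/Single/Range settings."""
    if spec == "All":
        return ANY_IP
    lo, _, hi = spec.partition("-")
    return int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi or lo))


def port_range(spec: str) -> Range:
    if spec == "All":
        return ANY_PORT
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


@dataclass
class Policy:
    name: str
    src: Range
    dst: Range
    dport: Range
    target: str            # "Accept" or "Drop"


def _subset(a: Range, b: Range) -> bool:
    return b[0] <= a[0] and a[1] <= b[1]


def _overlap(a: Range, b: Range) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def _dims(x: Policy, y: Policy):
    return ((x.src, y.src), (x.dst, y.dst), (x.dport, y.dport))


def included(x: Policy, y: Policy) -> bool:
    """Every matched field of x lies inside the corresponding field of y."""
    return all(_subset(a, b) for a, b in _dims(x, y))


def crosses(x: Policy, y: Policy) -> bool:
    """Some packet matches both x and y (overlap in every dimension)."""
    return all(_overlap(a, b) for a, b in _dims(x, y))


def policy_check(policies: List[Policy]) -> List[Tuple[str, str, str]]:
    """Return (kind, X, Y) findings over the ordered list (first match wins).
    Include: X inside Y, same target (manual's definition; X is redundant).
    Mask: X inside an earlier Y with the other target, so X never fires (assumed).
    Cross: partial overlap with different targets, order-dependent (assumed)."""
    findings = []
    for i, x in enumerate(policies):
        for j, y in enumerate(policies):
            if i == j:
                continue
            if included(x, y):
                if x.target == y.target:
                    if not (included(y, x) and i < j):   # identical ranges: report once
                        findings.append(("Include", x.name, y.name))
                elif j < i:
                    findings.append(("Mask", x.name, y.name))
            elif j > i and not included(y, x) and crosses(x, y) and x.target != y.target:
                findings.append(("Cross", x.name, y.name))
    return findings


# Constructed sample policy list, in the order the router would evaluate it.
SAMPLE_POLICIES = [
    Policy("P1", ip_range("All"), ip_range("192.168.127.10"), port_range("502"), "Accept"),
    Policy("P2", ip_range("All"), ip_range("192.168.127.1-192.168.127.100"), port_range("502"), "Accept"),
    Policy("P3", ip_range("10.0.0.5"), ip_range("192.168.127.10"), port_range("502"), "Drop"),
    Policy("P4", ip_range("All"), ip_range("192.168.127.50-192.168.127.150"), port_range("All"), "Drop"),
]
```

On the sample list the interesting finding is the Mask on P3: the operator intended to block one HMI from writing to the PLC, but P1 and P2 accept that traffic first, so the Drop never takes effect. That is the class of mistake PolicyCheck exists to catch.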
Modbus TCP Policy
Modbus TCP is the Modbus protocol carried over TCP/IP networks, connecting on port 502 by default. Some have experimented with using Modbus over UDP on IP networks, which removes the overhead required for TCP. Modbus itself carries no authentication, so any host that can reach port 502 can issue requests; filtering those requests at the network boundary, as the Modbus policy below does, is the available control.
Enable/Disable Modbus Policy
  Setting: Enable or Disable
  Description: Enable or disable the selected Modbus policy
  Factory Default: Enabled

Interface From/To
  Setting: All (WAN/LAN)
  Description: Select the From interface and To interface
  Factory Default: From All to All

Protocol
  Setting: All (TCP/UDP), TCP, UDP
  Description: This Modbus Policy will check the UDP packet, TCP packet or both.
  Factory Default: All
Destination IP
  Setting: All (IP Address)
  Description: This Modbus policy will check all destination IP addresses in the packet.
  Setting: Single (IP Address)
  Description: This Modbus policy will check a single destination IP address in the packet.
  Setting: Range (IP Address)
  Description: This Modbus policy will check a range of destination IP addresses in the packet.
  Factory Default: All

Unit identifier (UID) is used with Modbus/TCP devices that are composites of several Modbus devices, for example a gateway in front of several serial Modbus slaves; the UID field in the MBAP header selects which of them a request is addressed to.
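The Modbus policy matches on interfaces, IP addresses and the UID, which means the router has to look past the TCP header into the MBAP header of each frame. The following is an added example (not code from the manual or from Moxa) of that deep inspection: it decodes the MBAP header as defined by the Modbus/TCP specification, rejects frames whose length or protocol identifier is inconsistent, and then applies a policy of permitted UIDs plus a read-only default that drops write and diagnostic function codes. The sample request frames, the unit identifiers and the policy object are constructed; the function-code filtering goes beyond what the page documents for the router's own Modbus policy and is included to show the general technique.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Public Modbus function codes grouped by their effect on the slave.
READ_FUNCTIONS = {1, 2, 3, 4, 7, 17, 20}         # coils, inputs, registers, status, file read
WRITE_FUNCTIONS = {5, 6, 15, 16, 21, 22, 23}     # single/multiple writes, file write, mask write, r/w
DIAGNOSTIC_FUNCTIONS = {8, 11, 12, 43}           # diagnostics (8/0x01 restarts comms), event log, MEI


@dataclass
class Mbap:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function: int
    data: bytes


def parse_mbap(frame: bytes) -> Mbap:
    """Decode the 7-byte MBAP header plus function code and check the
    invariants an inspection engine must verify before trusting any field."""
    if len(frame) < 8:
        raise ValueError("truncated MBAP header")
    tid, pid, length, uid, fc = struct.unpack("!HHHBB", frame[:8])
    if pid != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:              # length covers unit id + PDU
        raise ValueError("length field does not match frame size")
    if length > 254:                          # 253-byte PDU maximum plus unit id
        raise ValueError("PDU exceeds the Modbus maximum")
    return Mbap(tid, pid, length, uid, fc, frame[8:])


@dataclass
class ModbusPolicy:
    allowed_uids: Optional[Set[int]] = None   # None = any unit identifier
    allow_writes: bool = False
    allow_diagnostics: bool = False


def evaluate(frame: bytes, policy: ModbusPolicy) -> Tuple[str, str]:
    """Return ("Accept" or "Drop", reason) for one client request frame."""
    try:
        m = parse_mbap(frame)
    except ValueError as e:
        return "Drop", f"malformed: {e}"
    if policy.allowed_uids is not None and m.unit_id not in policy.allowed_uids:
        return "Drop", f"unit id {m.unit_id} not permitted"
    if m.function in READ_FUNCTIONS:
        return "Accept", f"read function {m.function}"
    if m.function in WRITE_FUNCTIONS:
        if policy.allow_writes:
            return "Accept", f"write function {m.function}"
        return "Drop", f"write function {m.function} not permitted"
    if m.function in DIAGNOSTIC_FUNCTIONS and policy.allow_diagnostics:
        return "Accept", f"diagnostic function {m.function}"
    return "Drop", f"function {m.function} not allowlisted"   # includes vendor/private codes


# Constructed request frames: transaction id, protocol id 0, length, unit id, function, data.
FRAME_READ = struct.pack("!HHHBBHH", 1, 0, 6, 1, 3, 0x0000, 10)         # read 10 holding registers
FRAME_WRITE = struct.pack("!HHHBBHH", 2, 0, 6, 1, 6, 0x0010, 0x1234)    # write single register
FRAME_OTHER_UID = struct.pack("!HHHBBHH", 3, 0, 6, 7, 3, 0x0000, 1)     # read addressed to unit 7
FRAME_RESTART = struct.pack("!HHHBBHH", 4, 0, 6, 1, 8, 0x0001, 0xFF00)  # diagnostic: restart communications
FRAME_BAD_LEN = struct.pack("!HHHBBHH", 5, 0, 60, 1, 3, 0x0000, 1)      # length field disagrees with the frame
```

The length check matters as much as the allowlist: a frame whose MBAP length disagrees with the bytes on the wire is how a client desynchronises a naive inspector so that the next "frame" it parses is attacker-chosen.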
Denial of Service (DoS) Defense
The Industrial Secure Router provides 9 different DoS functions for detecting abnormal packet formats or traffic flows. The Industrial Secure Router drops packets when it detects an abnormal packet format. It also monitors some traffic flow parameters and activates the defense process when abnormal traffic conditions are detected.
9. Virtual Private Network (VPN)

The following topics are covered in this chapter:
  Overview
  IPSec Configuration
    Global Settings
    IPSec Settings
    IPSec Status
  X.
Overview
In this section we describe how to use the Industrial Secure Router to build a secure remote automation network with the VPN (Virtual Private Network) feature. A VPN is a cost-effective way of establishing secure tunnels, so that data can be exchanged in a secure manner.
All IPSec Connection
Users can enable or disable all VPN services with this setting.

NOTE: The factory default setting is Disable, so when the user wants to use the VPN function, make sure the setting is enabled.

IPSec NAT-T
If there is an external NAT device between the VPN endpoints, the user must enable the NAT-T (NAT-Traversal) function.
Name of VPN Tunnel
  Setting: Max. of 16 characters
  Description: User-defined name of this VPN tunnel.
  Factory Default: None

NOTE: The first character cannot be a number.
ID
  Description: ID for identifying the VPN tunnel connection.
  Factory Default: None

NOTE: The Local ID must be equal to the Remote ID configured on the peer VPN gateway. Otherwise, the VPN tunnel cannot be established.
  MD5
  SHA1
  SHA256

DH Group
  Setting: DH1 (modp 768), DH2 (modp 1024), DH5 (modp 1536), DH14 (modp 2048)
  Description: Diffie-Hellman group (the key exchange group between the remote and local VPN gateways)
  Factory Default: DH2 (modp 1024)

DH1 (768-bit) and the default DH2 (1024-bit) are below current recommendations for key exchange strength; DH14 (modp 2048) is the smallest group that should be selected for new tunnels.

Negotiation Time
  Setting: Negotiation time
  Description: The number of allowed reconnect attempts when the startup mode is Initiated.
  Factory Default: 0
  AES-128
  AES-192
  AES-256

Hash Algorithm
  Setting: Any, MD5, SHA1, SHA256
  Description: Hash algorithm in data exchange
  Factory Default: SHA1

Selecting "Any" lets the peer pick the algorithm, including MD5, which should no longer be used; configure SHA256 explicitly on both ends.

Dead Peer Detection
Dead Peer Detection is a mechanism for detecting whether the connection between the local secure router and the remote IPSec peer has been lost.

Action
Action taken when a dead peer is detected.
1. Root Certificate generation. Both EDR-G903(A) and EDR-G903(B) need to generate their own root certificates.
2. EDR-G903(A) and EDR-G903(B) can request new certificates based on their own Root Certificates.
3. Generate the PKCS#12 local certificate with password (.p12) and the certificate file for the remote VPN tunnel (.crt):
   a. EDR-G903(A): Moxa-A.p12 and Moxa-A.crt
   b. EDR-G903(B): Moxa-B.p12 and Moxa-B.crt
4.
NOTE: The default setting for Certificate Day is 0, which means that the certificate never expires unless modified by the user. A certificate with no expiry stays valid until it is explicitly removed from every peer, so set a finite lifetime where the operational process allows it.

Certificate Setting
After the Root Certificate is activated, the user can generate different certificates for different VPN tunnels. The user needs to fill in the following information and press Add and Activate to add the new certificate to the Certificate List.
Remote Certificate Upload
Upload the .crt remote certificate on this page.
  Label: User-defined name for this local certificate
  Name/Subject: Shows the name and subject when the certificate is imported successfully or when the user selects a certificate from the list
  Certificate Upload: Use the Browse button to select a .p12 file and press the Import button.
Login User Name
  Setting: Max. to xx characters.
  Description: User name for the L2TP connection
  Factory Default: NULL

  Setting: Max. to xx characters.
L2TP for Remote User Maintenance
The following example shows how a roaming user uses L2TP over IPSec to connect to the remote site network.

VPN Plan
• All communication from the roaming user (no fixed IP) to the remote site network (100.100.3.0/24) needs to pass through the VPN tunnel.
• Communication goes through the Internet.
10. Diagnosis

The Industrial Secure Router provides Ping tools and LLDP for administrators to diagnose network systems.
Ping
The Ping function uses the ping command to give users a simple but powerful tool for troubleshooting network problems. Its distinguishing feature is that even though the ping command is entered from the user's PC keyboard, the actual ping command originates from the Industrial Secure Router itself. In this way, the user can essentially control the Industrial Secure Router and send ping commands out through its ports.
LLDP Table
  Port: The port number that connects to the neighbor device.
  Neighbor ID: A unique entity that identifies a neighbor device; this is typically the MAC address.
  Neighbor Port: The port number of the neighbor device.
  Neighbor Port Description: A textual description of the neighbor device's interface.
  Neighbor System: Hostname of the neighbor device.
A. MIB Groups

The Industrial Secure Router comes with built-in SNMP (Simple Network Management Protocol) agent software that supports cold start trap, link up/down trap, and RFC 1213 MIB-II. The standard MIB groups that the Industrial Secure Router series supports are:
  MIB II.1 – System Group: sysORTable
  MIB II.2 – Interfaces Group: ifTable
  MIB II.4 – IP Group: ipAddrTable, ipNetToMediaTable, IpGroup, IpBasicStatsGroup, IpStatsGroup
  MIB II.5 – ICMP Group: IcmpGroup, IcmpInputStatus, IcmpOutputStats
  MIB II.
The Industrial Secure Router also provides a MIB file, located in the file "Moxa-EDRG903-MIB.