ETIC IPL-G12 User manual

Add to My manuals
120 Pages

advertisement

ETIC IPL-G12 User manual | Manualzz

Distribué par :

IPL-AD2

ADSL router & RAS server & Firewall

_________________

Contact : [email protected]

Tél : 0326824929

Fax : 0326851908

Siège social :

2 rue René Laennec

51500 Taissy

France www.hvssystem.com

User manual

Document reference : 9015509-04

_________________

The IPL-AD2 router is manufactured by

ETIC TELECOM

13 Chemin du vieux chêne

38240 MEYLAN

FRANCE

:

TEL : + 33 4-76-04-20-00

FAX : + 33 4-76-04-20-01

E-mail : [email protected] web : www.etictelecom.com

Page 2

User manual ref. 9015509-04 ADSL router IPL-AD2

CONTENT

OVERVIEW

1 PRODUCTS IDENTIFICATION.................................................................................... 9

2 PRODUCT PRESENTATION.................................................................................... 10

2.1

Overview ....................................................................................................... 10

2.2

Application.................................................................................................... 11

2.3

Main functionalities...................................................................................... 12

3 TECHNICAL DATA.................................................................................................... 15

INSTALLATION

1 PRODUCT DESCRIPTION ....................................................................................... 17

1.1

Overview ....................................................................................................... 17

1.2

Connectors ................................................................................................... 21

1.3

DIP-switches & push-button ....................................................................... 23

2 VENTILATION............................................................................................................ 23

3 SUPPLY VOLTAGE................................................................................................... 23

4 ETHERNET PORTS................................................................................................... 24

5 RS232 INTERFACE ................................................................................................... 24

6 RS485 INTERFACE ................................................................................................... 24

7 CONNECTING A 3G MODEM TO THE USB INTERFACE (IPL-AD2-1201B).......... 25

7.1

TELIT modem ............................................................................................... 25

7.2

Installation .................................................................................................... 27

8 INPUT & OUTPUT CONNECTION ............................................................................ 28

9 LINE CONNECTION .................................................................................................. 29

10 INTERNET SUBSCRIPTION ..................................................................................... 29

../..

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 3

CONTENT

SETUP

1 SETUP STEPS........................................................................................................... 31

2 CONFIGURING THE ROUTER.................................................................................. 32

2.1

Overview ....................................................................................................... 32

2.2

First configuration ....................................................................................... 33

2.3

Modifying the configuration parameters through the LAN...................... 34

2.4

Modifying the configuration from the Internet .......................................... 34

3 REBOOTING THE ROUTER AFTER PARAMETERS CHANGES ........................... 35

4 RECOVERING THE FACTORY LAN IP ADDRESS ................................................. 35

5 RECOVERING THE FACTORY CONFIGURATION ................................................ 35

6 RESTRICTING ACCESS TO THE ADMINISTRATION SERVER ............................. 36

7 RECOVERING A FREE ACCESS TO THE ADMINISTRATION SERVER ............... 36

8 FACTORY CONFIGURATION................................................................................... 37

9 ASSIGNING AN IP ADDRESS TO THE LAN INTERFACE..................................... 38

9.1

IP addresses ................................................................................................. 38

9.2

DHCP server configuration ......................................................................... 39

10 INTERNET CONNECTION ........................................................................................ 40

10.1

ADSL parameters ......................................................................................... 40

10.2

Internet connection parameters ................................................................. 41

10.3

Internet connection control......................................................................... 42

11 RELEASING THE DYNAMIC IP @ WITH THE DYNDNS SERVICE ....................... 43

../..

Page 4

User manual ref. 9015509-04 ADSL router IPL-AD2

CONTENT

SETUP

12 CREATING VPN CONNECTIONS BETWEEN ROUTERS ...................................... 44

12.1

Principles ...................................................................................................... 44

12.2

IPSec VPN connections............................................................................... 46

12.3

Setting TLS VPN connections..................................................................... 52

13 ROUTING FUNCTIONS ............................................................................................. 56

13.1

Basic routing function................................................................................. 56

13.2

Static routes ................................................................................................. 57

13.3

RIP protocol.................................................................................................. 58

14 ADDRESS AND PORT TRANSLATION ................................................................... 59

14.1

Address translation (NAT)........................................................................... 59

14.2

Port forwarding ............................................................................................ 59

14.3

Advanced network address and port translation...................................... 61

15 VRRP REDUNDANCY ............................................................................................... 66

15.1

Principle ........................................................................................................ 66

15.2

Configuring VRRP on the LAN interface.................................................... 67

16 GSM-3G WIRELESS BACKUP ................................................................................ 68

16.1

Principles ...................................................................................................... 68

16.2

Configuration................................................................................................ 69

17 REMOTE USERS CONNECTIONS SERVICE .......................................................... 71

18 REMOTE USERS CONNECTION.............................................................................. 72

18.1

Principles ...................................................................................................... 72

18.2

Configuring a TLS connection.................................................................... 73

18.3

Configuring a PPTP VPN connection......................................................... 75

../..

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 5

CONTENT

… SETUP

19 M2ME_CONNECT SERVICE..................................................................................... 76

19.1

Overview ....................................................................................................... 76

19.2

Configuring a M2Me_Connect connection ................................................ 77

20 USERS LIST............................................................................................................... 79

21 CONFIGURING THE FIREWALL .............................................................................. 82

21.1

Overview ....................................................................................................... 82

21.2

Main filter ...................................................................................................... 84

21.3

Remote users filters..................................................................................... 88

22 SERIAL TO IP GATEWAY......................................................................................... 93

22.1

Modbus menu............................................................................................... 94

22.2

RAW TCP gateway ....................................................................................... 97

22.3

RAW UDP gateway....................................................................................... 99

23 USB TO IP GATEWAY ............................................................................................ 101

23.1

Principles .................................................................................................... 101

23.2

Configuration.............................................................................................. 102

24 ADVANCED FUNCTIONS ....................................................................................... 103

24.1

Adding a certificate.................................................................................... 103

24.2

Alarms ......................................................................................................... 103

24.3

Configuring the web portal ....................................................................... 105

24.4

Configuring the DNS server...................................................................... 106

../..

Page 6

User manual ref. 9015509-04 ADSL router IPL-AD2

CONTENT

DIAGNOSTIC AND MAINTENANCE

1 DIAGNOSTIC ........................................................................................................... 107

2 SAVING THE PARAMETERS FILE......................................................................... 108

3 UPDATING THE FIRMWARE.................................................................................. 109

APPENDIX 1 : HTML configuration server

APPENDIX 2 : VPN mechanism overview

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 7

OVERVIEW

1 Products identification

ADSL 2+ and RE-ADSL IP router

Firewall SPI

Remote access server - 25 users

25 VPN IPSEC & SSL

IPL-AD2 1400 1220 1230

Serial gateway (Raw TCP and UDP, Telnet,

Modbus, Unitelway)

RJ45 10 / 100 BT

RS232

RS485

IP router

NAT

Port forwarding

SNMP

DNS

DHCP client or server on the LAN interface

Digital input for alarm emails

HTML setup

IO Viewer : optional dynamic data html server

-

4

-

1 2

- 1 -

1

2 2

1

1

IPL-AD2- 1400B 1220B 1230B 1201B

Same functions plus :

3G backup with an external

USB modem

VRRP redundancy

• • •

IP addresses substitution

• • • •

M2Me_Connect

• means the function is provided

- means the function is not provided

• • • •

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 9

OVERVIEW

2 Product presentation

2.1 Overview

The IPL-AD2 ADSL router is a security product.

It is designed to interconnect safely automated devices over the Internet.

The IPL-AD2 is at the same time

an IP router to route IP packets and set VPNs with other routers through the Internet.

a remote access server (RAS) to provide a secure access to the

LAN for remote users;

a stateful inspection firewall to filter the IP traffic.

The IPL-AD2 comes with two interfaces :

WAN interface

1 X RJ45 10/100 BT

The ADSL interface :

That ADSL 2+ and Reach Extended ADSL interface can be connected to a public or private ADSL line.

VPNs can be set on that interface.

Further in the text, this ADSL interface is called the WAN interface.

The LAN interface :

It is made to connect industrial devices.

Depending on the model, it includes

4 ethernet ports, or 2 Ethernet and 2 serial ports, or 2 Ethernet and 1 USB port.

LAN interface

4 X RJ45 10/100 BT or

2 X RJ45 & 2 serial ports or

2 RJ45 10/100 BT + 1 USB

1

3

ADSL

10 / 100 BT

2

4

Page 10

User manual ref. 9015509-04 ADSL router IPL-AD2

OVERVIEW

2.2 Application

That features in the same product make the IPL-AD2 a top level solution for remote control systems and remote maintenance through the Internet.

Supervision

Remote

Connection

Machine

Router -Firewall

VPN server

RAS

VPN

Machine

Internet

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 11

OVERVIEW

2.3 Main functionalities

The IPL-AD2 router provides the functions hereafter :

IP router

The IPL-AD2 router provides powerful, flexible and comprehensive solutions to route IP packets from one network to other networks.

The solutions include remote nodes description, static routes, RIP protocol and destination network address translation (DNAT).

Safe VPN links

The IPL-AD2 router is able to establish safe VPN tunnels.

Once a VPN is established between two IPL-AD2 routers , each IP device connected to the first LAN can exchange IP packets with any device connected to the other LAN as if they were linked with a private line.

The IPL-AD2 router is able to establish up to 25 IPSec or TLS – SSL

VPNs.

Authentication can be carried out with a pre-shared key or with certificates.

SPI Firewall

The IPL-AD2 incorporates a firewall. It is able to check source and destination IP addresses and ports number from the Internet and from the

LAN.

The firewall also controls the status of the sessions (TCP, UDP, ICMP) to avoid sophisticated spoofing attacks.

Remote access server function

The IPL-AD2 provides to authorized users a remote access service to the devices connected either to the LAN or to a serial RS232-RS485 interface, as if his PC was directly connected to the LAN or to the RS232.

VRRP redundancy

Thanks to VRRP, a group of two or more routers can service the hosts of one subnet instead of only one usually; only one router of that group actually routes packets; if it fails another one of the group takes its place.

Page 12

User manual ref. 9015509-04 ADSL router IPL-AD2

OVERVIEW

GSM-3G backup

The IPLAD2-1201B router provides a GSM-3G backup function when the

ADSL connection fails.

A 3G USB modem must be connected to the USB interface of the IPL-

AD2 router.

When the ADSL connection to the Internet provider fails, the IPL-AD2 router routes the data through the 3G network.

Serial gateway

The product includes an up-to-date RS to IP gateway, enabling to connect asynchronous devices directly and safely to the Internet.

Emails – sms

An email (or SMS) can be sent each time the digital input is opened or closed.

DNS server

DNS makes it possible to assign Internet names to devices or organizations independently of their public IP address.

The IPL-AD2 router behaves like a DNS server for the devices connected to the LAN.

DynDNS client (WAN interface)

The IPL-AD2 router is compatible with the Dyn DNS service

DHCP server (LAN interface)

DHCP is a standard Internet protocol that enables a DHCP server to dynamically distribute IP addresses and configuration information to the network DHCP clients.

Over the LAN interface, the IPL-AD2 can be a DHCP server.

SNMP

The IPL-AD2 router is an SNMP agent.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 13

OVERVIEW

Html and DIP switches configuration

The IPL-AD2 is configured with a web server .

Two DIP switches allow to set the method the products receives its IP address over the LAN interface : From a DHCP client or server, factory IP address or stored IP address.

EticFinder software

The ETICFinder software is delivered with the product.

It detects the ETIC products connected to an Ethernet interface and displays the MAC address and the iP address of each product.

M2Me

VPN client software

M2Me is a TLS client software (to order separately) edited by ETIC

Telecommunications.

It is able to register up to 100 VPN connections the user can set on a click.

Page 14

User manual ref. 9015509-04 ADSL router IPL-AD2

OVERVIEW

3 Technical data

General characteristics

Dimensions 137 x 48 x 116 mm (h, l, p)

Electrical safety EN 60950- UL 1950

CEM

ESD : EN61000-4-2 : Discharge 6 KV

RF field : EN61000-4-3 : 10V/m < 2 GHz

Fast transient : EN61000-4-4

Surge voltage : EN61000-4-5 : 4KV line / earth

Supply voltage

IPL-AD2-1400 & IPL-AD2-1400B : 10 to 60 VDC - 250mA / 24VDC

IPL-AD2-1220 & IPL-AD2-1220B : 10 to 30 VDC - 250 mA / 24 VDC

IPL-AD2-1230 & IPL-AD2-1230B : 10 to 60 VDC - 250 mA / 24 VDC

IPL-AD2-1201 : 10 to 60 VDC - 250 mA / 24 VDC

IPL-AD2-1201B : 10 to 30 VDC - 400 mA / 24 VDC (including the 3G modem)

Operating T°

ADSL

-20°C / + 60°C

Humidity 5 to 95 %

ADSL2 + transmission

Cable 1 telephone grade twisted pair

ITU G992.5 (ADSL 2 plus and Reach Extended ADSL)

Provider connection

PPPoEthernet or PPPoATM

EoA : Ethernet over ATM RFC2684 Bridged

Data rate

IPoA : Routed IP over ATM, RFC2684 Routed

Download 24 Mbit/s (From Internet)

Upload 1 Mbit/s (To Internet)

Ethernet / IP router

Ethernet 10/100 BT – 2 or 4 switched ports

IP router

Ip address translation

DNS

Remote connections- static routes - RIP V2

Source IP @ translation (NAT)

Destination IP @ translation (DNAT)

Port translation (Port forwarding)

Domain name

IP address assignment Fixed IP @ or DHCP client or DHCP server

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 15

OVERVIEW

Security

VPN

Client or server IPSEC or TLS/SSL

Encryption 3DES

Certificate X509 or preshared key

Stateful packet inspection (50 rules) Firewall

Logs

Connection

Date and time stamped logs

Remote access server (RAS)

User list 25 users

VPN PPTP / L2TP-IPSec / TLS Open VPN

Login & password

Certificate X509

M2Me

Alarms

Serial interface

RS232

VPN Compliant with the M2Me_Secure VPN client

Compliant with the M2Me_Connect mediation service

3 inputs : emails

Serial to IP gateways

1200 - 115200 kb/s parity N / E / O

Modbus master and slave

Raw TCP client and server

Telnet

RAW UDP “multicast” unitelway

Page 16

User manual ref. 9015509-04 ADSL router IPL-AD2

INSTALLATION

1 Product description

1.1 Overview

IPL-AD2-1400 and IPL-AD2-1400B

VPN

ADSL

OPERATION

Not used

Ethernet port 1& 2

Ethernet port 3 & 4

1

10 / 100 BT

2

4

3

1

RS485

Interface Led

LEDS

IPL-AD2-1400 and IPL-AD2-1400B

Function

ADSL

ADSL

VPN One VPN at least has been established

Blinking : ADSL connection in progress

LINE

Lit : ADSL connection set

Ethernet Ethernet to

Ethernet 4

Blinking quickly : Data activity

Lit : Interface connected, no activity

Green : Operation

Red : Alarm

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 17

INSTALLATION

IPL-AD2-1220 and IPL-AD2-1220B

VPN

ADSL

OPERATION

Not used

RS485

Ethernet port 1 & port 2

RX led

(To IPL)

1

RS485

Rx

10 / 100 BT

2

TX led

(From IPL)

RS485

Tx

RS232

Interface Led

ADSL

ADSL

VPN

LINE

Ethernet

RS232

RS485

Rx

Tx

Rx

Tx

LEDS

IPL-AD2-1220 and IPL-AD2-1220B

Function

Ethernet 1 & 2

One VPN at least has been established

Blinking : ADSL connection in progress

Lit : ADSL connection set

Blinking quickly : Data activity

Lit : Interface connected, no activity

Bytes received from the RS232 (to the IPL)

Bytes transmitted to the RS232 (from the IPL)

Bytes received from the RS485 (to the IPL)

Bytes transmitted to the RS485 (from the IPL)

Green : Operation

Red : Alarm

Page 18

User manual ref. 9015509-04 ADSL router IPL-AD2

INSTALLATION

IPL-AD2-1230 and IPL-AD2-1230B

VPN

ADSL

OPERATION

Not used

RS485

Ethernet port 1 & port 2

RX led

(To IPL)

1

10 / 100 BT

2

TX led

(From IPL)

RS232

Interface Led

ADSL

ADSL

Ethernet

RS232

VPN

LINE

Rx

Tx

LEDS

IPL-AD2-1230 and IPL-AD2-1230B

Ethernet 1 & 2

Function

One VPN at least has been established

Blinking : ADSL connection in progress

Lit : ADSL connection set

Blinking quickly : Data activity

Lit : Interface connected, no activity

Bytes received from the RS232 (to the IPL)

Bytes transmitted to the RS232 (from the IPL)

Green : Operation

Red : Alarm

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 19

INSTALLATION

IPL-AD2-1201

ADSL line

VPN

ADSL

Operation

Backup

Ethernet port 1 & port 2 Ethernet port 1 & port 2

10 / 100 BT

3G supply V

1

2

3G modem connected 1

10 / 100 BT

2

USB modem

Rx

LINE

USB

LINE

1 digital output

1 digital input

9 to 30 VDC

(double input)

USB

Interface Led

ADSL

ADSL

VPN

LINE

Ethernet Ethernet 1 & 2

USB

LINE

IPL-AD2-1201 LEDS

Function

One VPN at least has been established

Blinking : ADSL connection in progress

Lit : ADSL connection set

Blinking quickly : Data activity

Lit : Interface connected, no activity

Lit : The 3G backup link is in operation

Off : The 3G backup link is not in operation

Green : Operation

Red : Alarm

Interface Led

ADSL

ADSL

Ethernet

USB

VPN

LINE

Ethernet 1 & 2

LINE

Backup

IPL-AD2-1201B LEDS

Function

One VPN at least has been established

Blinking : ADSL connection in progress

Lit : ADSL connection set

Blinking quickly : Data activity

Lit : Interface connected, no activity

Lit : The 3G backup link is in operation

Off : The 3G backup link is not in operation

Green : Operation

Red : Alarm

The data are switched to the backup connection

Page 20

User manual ref. 9015509-04 ADSL router IPL-AD2

INSTALLATION

1.2 Connectors

Pin Nr Signal

1

2

3

4

5

8 pins screw block

Supply voltage and input / output

Function

Power 1 + Supply voltage input 1

Power 1 - 0 V

Power 2 + Supply voltage input 2

Power 2 - 0 V

3V3 + 3.3 VDC voltage provided by the product

7

8

F +

F -

Output + (max 50Vdc - 0,6A)

Output -

Pin Nr Signal

ADSL RJ45 connector

Function

Pin Nr Signal

1

2

Tx +

Tx -

3 Rx +

Ethernet RJ45 connector

Function

TX polarity +

TX polarity -

Reception polarity +

6 Rx - Reception polarity -

Pin Nr Signal

1

2

A

B

RS485 2 pins screw block

Function

RS485 polarity A

RS485 polarity B

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 21

INSTALLATION

Pin Nr Circuit

RS232 RJ45 connector

(To connect to a DCE to the RS232 port)

Function

1

2

3

4

5

DTR - 108

TD - 103

RD - 104

DSR - 107

SG - 102

OUT

OUT

IN

IN

-

Data terminal ready

Data Emission

Data Reception

Data set ready

Ground

7

8

CTS - 106

RTS - 105

IN

OUT

Clear to send

Request to send

1

2

3

4

5

6

7

8

CD - 109

RD - 104

TD - 103

DTR - 108

SG - 102

DSR - 107

RTS - 105

CTS - 106

RS232 : RJ45 connector

(To connect a DTE to the RS232 port)

Function

OUT

OUT

IN

Carrier detect

Data Reception

Data Emission

Data terminal ready IN

-

OUT

IN

OUT

Ground

Data set ready

Request to send

Clear to send

4 pins screw block “AUX”

3G modem power supply control

(IPL-AD2-1201B)

Pin Signal

1

Function

V+OUT * 3G modem power supply output

3

4

TO-IN Active high signal used to switch on the modem

TO_IN H > 5 VDC

TO_IN L< 0,5 VDC

Power ON t > 1 s

HR_IN Active high signal used to switch off the modem

HR_IN H > 5 VDC

HR_IN L< 0,5 VDC

Power OFF 1 s< t < 2s

Page 22

User manual ref. 9015509-04 ADSL router IPL-AD2

INSTALLATION

1.3 DIP-switches & push-button

DIP switches

SW 1 SW 2

Management

OFF OFF

The current IP@ of the product is the stored IP @

ON OFF

The active IP@ of the product is the factory IP@ : 192.168.0.128

No login and password are required to access to the html server

OFF ON The active IP@ is provided by the BOOTP or DHCP server.

ON ON

Reserved

Push-button : It enables to restore the factory profile.

To restore the factory profile, switch the power on while pressing the push-button until the RUN light turns green.

Attention : Once the factory profile has been restored, the stored configuration is lost.

2 Ventilation

To avoid overheating when the ambient temperature is high, leave a 1 cm

(0.5 inch) space on each side of the product.

3 Supply voltage

Product Min Supply voltage Max supply voltage Consumption at 24 VDC

IPL-AD2-1400 10

IPL-AD2-1400B 10

IPL-AD2-1220 10

60

60

30

250

250

250

IPL-AD2-1220B 10

IPL-AD2-1230 10

IPL-AD2-1230B 10

IPL-AD2-1201 10

IPL-AD2-1201B 10

30

30

30

60

30

250

250

250

250

250 / 400 *

* the consumption of the IPL-AD2-1201B at 24 VDC is 250 mA, or 400 mA when a 3G modem is connected to the router.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 23

INSTALLATION

4 Ethernet ports

The IPL-AD2 features two or four auto-sensing 10/100 Mbps MDI/MDI-X

LAN ports.

5 RS232 interface

The RS232 data rate can be tuned from 1200 to 115200 b/s with parity

(even / odd) or no parity.

The data terminal must be less than 10 meters far from the modem.

Cables can be provided to connect the product to DTE and DCE as follows :

RS232 cables (L=1m)

Code

CAB592

User connector

SubD 9 male

Cable function

To connect a DCE to the IPL-AD2

CAB593

CAB609

SubD 9 female wires

To connect a DTE to the IPL-AD2

To connect a device providing a specific connector

6 RS485 interface

The RS485 serial interface is provided on the front panel 2 pins screw-block.

Polarisation resistors

1 Kohm bus polarisation resistors are included inside the product.

+

1K

B(+)

SW1

RS485

1K

A(-)

-

RS485 line adaptation

For a several meters long connection over the RS485 local interface, it is not necessary to adapt the RS485 line. For a longer distance, connect a

120 Ohm resistor at each end of the line.

Page 24

User manual ref. 9015509-04 ADSL router IPL-AD2

INSTALLATION

7 Connecting a 3G modem to the USB interface (IPL-AD2-1201B)

7.1 TELIT modem

A TELIT UT864 3G modem can be connected to the USB interface of the router as a backup connection in case of failure of the adsl connection.

The overall dimensions of the modem are: 77 x 67 x 26 mm.

A magnetic or a roof mounted antenna must be ordered separately (ANT200 or

ANT207).

The KIT15 kit provides the accessories which are necessary to connect the modem to the router.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 25

INSTALLATION

The KIT15 kit includes :

The USB cable

It must be connected on one hand to the router IPL-AD2-1201B and on the other hand to the TELIT 3G modem.

The power cable

It must be connected on one hand to the router “AUX” Power screw block and on the other hand to the RJ11 power connector of the TELIT modem.

Power cable

RJ11

VCC (5 à 32 VDC) White

4 pins screw terminal

1 1

Power control

Power control

The DIN rail adaper

Green

Red

3

4

4

3

Page 26

User manual ref. 9015509-04 ADSL router IPL-AD2

INSTALLATION

7.2 Installation

The 3G modem must be supplied with 30 VDC maximum.

Check the supply voltage of the IPL-AD2-1201B router does not exceed 30 VDC.

Step 1 : Installing the SIM card

Cancel the PIN code of the SIM card using a usual mobile phone.

Check the modem is powered off (the power cable is disconnected).

Insert he SIM card in the SIM card holder after having previously cancelled the PIN code.

Step 2 : Connecting the antenna

Connect the antenna to the 3G modem.

Step 3 : Connecting the modem to the router

The modem must be installed on a Din rail close to the router.

Connect the USB cable.

Conect the antenna.

Connect the power cable.

Power up the router (Supply V. < 32 VDC).

Check the power led of the 3G modem blinks fast (period 1 s) while searching the network during one minut, and then slowly (period = 3 s / led ON = 0,3 s), and then is permanently ON when the modem is connected.

4 pins screw block

Power

1

1

USB

ADSL router IPL-AD2

Power cable

RJ11

SIM card

USB cable

USB

TELIT UT864

3G modem

User manual ref. 9015509-04

Page 27

INSTALLATION

8

Input & output connection

Alarm output

1 relay output is provided to indicate an alarm.

The alarm condition can be selected using the html server.

IPL-AD2

3V3

5

Digital input

In

6

Digital output

F+

7

+

-

V

F-

8

I max = 0,5 A V < 48 VDC

I < 0,5 A

The electrical characteristics of the output are :

Opto-isolated output

Maximum voltage : 50 VDC

Maximum current : 500 mA

Inputs

The product features two digital inputs ; they are not isolated. if one input is opened, an SNMP trap will be sent to the SNMP server is that function has been enabled.

Page 28

User manual ref. 9015509-04 ADSL router IPL-AD2

INSTALLATION

9 Line connection

The IPL-AD2 is designed to be connected to an analog line.

If an analog telephone set has to be connected to the line ; a filter has to be added to separate the ADSL signal from the voice signal.

10 Internet subscription

Router

Filter

Telephone line

IP address :

The IP address is generally assigned by the provider ; it can also be entered.

If it is assigned by the provider and if it is a temporary IP address, the product has to be a VPN client over the Internet ; it will connect to a VPN server device to which a fixed IP address will have to be assigned.

If a fixed IP address cannot be assigned to the VPN server device, one can use the DYNDNS service which enables to use a domain name instead of an IP address (see Configuration chapter).

Other technical parameters :

See

Configuration chapter. paragraph 5.4.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 29

SETUP

1 Setup steps

To configure the router, we advise to proceed as follows :

Connecting a PC to the router

Setting up the LAN interface

Setting up the Internet connection

Setting up VPNs

Setting up routing and IP address translation functions

Setting up remote connections and the M2Me_Connect service

Setting up the remote users list

Setting up the 3G backup connection

Setting up the serial or USB gateway

Setting up the firewall

The IPL-AD2 router is configured with a PC and an HTML browser.

2 DIP switches enable you to set the IP address : Factory address, stored address, BootP or DHCP client or server.

For the first configuration, we advise to connect the PC directly to the router Ethernet interface.

Modifications can be carried out through the LAN or remotely.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 31

SETUP

2 Configuring the router

Administration server address :

The administration html server is located at the LAN IP address of the router (The default address is192.168.0.128).

First setup :

For the first configuration, we advise to connect the PC directly to the LAN interface of the

IPL-AD2 router.

Setup modifications :

Modifications can be carried out from the LAN interface, or from the Internet if a firewall rule authorises to reach the administration server (not advised), or from the Internet or using a remote user connection or a VPN.

Restoring the factory IP address :

The factory IP address of the router on the LAN interface can be restored by setting the

DIP switches SW01 ON and SW02 OFF.

In that position o the DIP switches, the stored configuration is not deleted.

Setting the DIP switches in that position gives also a free access to the administration server from the LAN interface.

During operations, the DIP switches must not be left in that position.

Network IP address :

Later in the text, we often speak of “network address”.

We mean the lowest value of the addresses of the network.

For instance, if the netmask of a network is 255.255.255.0, the network address of that network is X.Y.Z.0.

Copy and paste :

Parameters must be entered with the keyboard; they cannot be pasted.

However, it can be useful to paste a string when it is long to avoid errors.

In that case, paste the string, delete the last character of the pasted string, and enter it again with the keyboard.

Saving and restoring the parameters file (see the maintenance chapter)

A parameters file can only be downloaded to a product having the same firmware version.

It is why, we advise to assign a name to a parameter file including the product name and the software version like for instance “myrouterfile_iplad21220_V241.bin”.

Page 32

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

2.2 First configuration

Step 1 : Check the DIP switches

Coming from factory, the DIP switches SW1 and SW2 are set OFF to select the stored IP address.

Coming from factory, the stored IP address is the factory IP address

192.168.0.128.

Step 2 : Create or modify the PC IP connection.

Assign to the PC an IP @ in accordance with the IPL-AD2 IP address.

For the first configuration, assign or instance 192.168.0.127 to the PC.

Step 3 : Connect the PC directly to the LAN interface of the IPL-AD2 router using any Ethernet cable (straight or cross wired).

Step 4 : Launch the navigator

Enter the LAN IP @ of the router 192.168.0.128.

The Home page of the administration server is displayed

Remark :

If the home page cannot be displayed, refer

below.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 33

SETUP

2.3 Modifying the configuration parameters through the LAN

If the IP @ of the IPL-AD2 on the LAN interface is assigned by a

DHCP server

Step 1 : Ensure the DIP switch SW1 is OFF and SW2 ON to select DHCP client operation.

Step 2 : Launch ETIC FINDER to detect the IPL-AD2 address over the

LAN interface.

Click the product once detected.

The Home page of the administration server is displayed.

Remark :

If the home page cannot be displayed, refer

below.

If the IP @ of the IPL-AD2 on the LAN interface is fixed

Step 1 : Ensure the DIP switch SW1 and SW2 are OFF to select the stored IP @.

Step 2 : Launch the html browser and enter the IP address assigned to the router.

Or, launch the ETICFINDER utility to detect the IPL-AD2 address.

Remark :

If the home page cannot be displayed, refer

below.

2.4 Modifying the configuration from the Internet

Coming from factory, the firewall rejects all the packets coming from the

Internet to the LAN.

To carry out modifications from the internet, it is possible to set a remote user PPTP or TLS connection.

The modifications can be also carried out from a remote LAN through a

VPN.

Page 34

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

3 Rebooting the router after parameters changes

• After the parameters any page have been completed, click the

« Save » button at the bottom of the page.

• After some parameters changes, the IPL-AD2 must restart.

When the configuration has been completely carried out, click the

« Reboot » red button in the green bar, when displayed.

• Once the product has restarted, check the «

Reboot » button has disappeared from the green bar.

To save the configuration file to a hard disk :

• Select the “maintenance” menu and then the “Save / restore” menu.

• Click the “Save current configuration to disk” button.

4 Recovering the factory LAN IP address

When launching the html browser, the homepage of the html server may not be displayed; the cause may be the IP address you entered was wrong.

if the IP address you enter is wrong, you can recover the factory IP address by setting SW01 ON and SW2 OFF.

The factory IP address 192.168.0.128 will be restored as long as the

SW01 and SW02 micro switch will be left in that position.

Remark :

The SW01 and SW02 must not be left in that position during operations.

5 Recovering the factory configuration

If firewall rules have been created finally preventing from reaching any IP address on the LAN interface including the router itself, it may be necessary to restore the factory configuration of the router.

To restore the IPL-AD2 factory configuration,

• Switch OFF the power supply of IPL-AD2 router.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 35

SETUP

• Press the push button on the top part of the IPL-AD2 router and switch ON the power supply.

• Keep the push button pressed until the operation led turns red.

Remark : The stored configuration will be lost; the factory IP address

192.168.0.128 will be restored.

6 Restricting access to the administration server

The access to the administration server can be protected by a login and password.

To protect access to the administration server,

• Select the “Setup” menu, the “Security” menu and then the

“Administration menu”.

Remark : For more simplicity, we advise to chose the login and the password of one of the remote users stored in the user list.

7 Recovering a free access to the administration server

If the Login & or password entered to reach the administration server have been rejected, it is possible to recover a free access to the administration server from the LAN only, by setting SW01 ON and SW2

OFF.

Remark :

The factory IP address 192.168.0.128 will also automatically be restored as long as SW01 will remain ON and SW2 OFF.

During normal operations SW01 and SW02 must not be left in that position.

Page 36

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

8 Factory configuration

Coming from factory, the router configuration is as follows :

LAN IP @

WAN IP @

192.168.0.128

None

Default user : Login = admin ; Password = admin

Admin. server restriction : None

Firewall :

Remote user filter

Main filter

Authorises any remote user belonging to the user list to reach a LAN IP address using a PPTP or TLS or L2TP /

IPSec connection

IP packets coming from the Internet to the LAN are dropped.

IP packets transported inside a VPN are forwarded

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 37

SETUP

9 Assigning an IP address to the LAN interface

9.1 IP addresses

To set up the LAN interface IP parameters,

• Click the « Configuration» menu and then « LAN interface» and then “IP protocol”.

LAN parameters :

IP address :

Enter the IP address assigned to the router over the Ethernet local network.

Netmask :

Enter the IP netmask assigned to the local network.

Remote access parameters :

Start of users IP address pool and end of users IP addresses pool :

That parameters define the pool of addresses which will be assigned automatically to remote user’s PC when they will connect to the router.

Enter the start address and the end address.

Remark :

After the LAN IP address of the router has been modified, it is necessary to reboot the unit.

Moreover, If VPNs have been created, they must be launched again.

To launch the VPNs again after the LAN IP address has been modified,

• Select the « network» menu and then the « VPN » menu,

• Click the « Properties » button in front of the « type of VPN » field, and then on the “OK” button of the window entitled« VPN properties».

• Click the « Modify » button in front of the « VPN connection » field, and then on the “OK” button.

If the DHCP server is used, it must be also launched again.

To launch again the DHCP server after the LAN IP address has been modified,

• Select the « LAN interface» menu and the «DHCP server» menu,

• Unselect the « Enable the DHCP serve» checkbox, and then select it again.

Page 38

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

9.2 DHCP server configuration

Over the LAN interface, the IPL-AD2 router can behave like a DHCP server.

If you select that option, we advise to assign a fixed IP address to the IPL-

AD2 router itself over the LAN interface.

To configure the DHCP server function,

• select the « Setup» menu and then « LAN interface» and then « DHCP server ».

“IP address pool start” & “IP addresses pool end” parameters :

That parameters define the range of IP addresses which can be assigned by the

IPL-AD2 to the DHCP client devices.

“Primary DNS IP address” & “secondary DNS IP address” parameters :

Enter the IP addresses of the domain name servers.; the DHCP server will communicate that information to the DHCP client devices.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 39

SETUP

10 Internet connection

10.1 ADSL parameters

Select the “Configuration “ menu, the “WAN interface” menu and then the « Modem » menu.

That menu allows to select the way the ADSL modem connects to the provider modem (DSLAM).

”Modulation” parameter :

The default value is multi; the modem will adapt to the modulation of the

FAI modem.

Otherwise, ask your provider the modulation which as to be used.

“VPI” parameter :

This parameter is used to set the « Virtual Path Identifier » for the APVC.

Range is 0 - 255.

Page 40

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

“Virtual Path Identifier” & “Virtual Channel Identifier” parameters :

This parameter is used to set the Virtual Channel Identifier for the APVC.

Range is 0 - 65535.

“Multiplexing” parameter :

LLC : Select LLC or VC

“Encapsulation” parameter :

Option Description

PPPoA VC-Mux

PPPoA LLC

PPPoE VC-Mux

PPPoE LLC

Bridged Ethernet VC-Mux

Bridged Ethernet LLC

RFC 2364 VC-multiplexed PPP over AAL5

RFC 2364 LLC encapsulated PPP over AAL5

RFC 2516 VC-multiplexed PPP over Ethernet

RFC 2516 LLC encapsulated PPP over Ethernet

RFC 2684 VC-multiplexed bridged Ethernet

FC 2684 LLC encapsulated bridged Ethernet

10.2 Internet connection parameters

Select the « Internet » menu and then click« Connection ».

The information entered in this page have to be provided by the Internet provider.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 41

SETUP

“Internet account” parameters : Refer to your Internet contract

“Internet account password” parameters : Refer to your Internet contract

“Service name” parameter : Refer to your Internet contract

“Obtain an IP address automatically” parameter :

Set that option if the provider is supposed to assign an IP address to the router through the line each time it connects to the Internet.

“ IP address” & “netmask” parameter :

Enter the fixed IP address and netmask assigned to the router if it not assigned through the line.

“Obtain DNS IP addresses automatically” parameter : Select that option if the Domain name servers IP addresses are supposed to be provided automatically through the Internet.

“Primary DNS IP address” & “secondary DNS IP address” parameters :

Enter the IP addresses of the domain name servers.

” SMTP server” parameter :

It the address of the SMTP server for outgoing mails (ex : smtp.nerim.net)

“Source account e-mail address” parameter :

Enter the email address attached to the account.

10.3 Internet connection control

• Select the « Internet » menu and then click« remote control ».

Connect to Internet at product power-on :

If that option is selected, the router will connect to the Internet as soon it will be powered on.

Connect to Internet on a rising edge of the digital input 1 :

If that option is selected, the router will connect to the Internet each time the digital input 1 will be set closed.

Connect to Internet now” parameters :

The router will connect to the Internet when the button “Connect” will be clicked.

Page 42

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

11 Releasing the dynamic IP @ with the DYNDNS service

Dynamic DNS (DDNS) allows you to create a hostname that points to a dynamic IP or static IP address or URL.

If the IP address assigned to the router over the Internet is not fixed, the router will contact the DYNDNS service each time it will change and update the hostname table with the new address.

Each time a device wishes to connect to the IPL-AD2, it will use its host name and get its temporary

IP address from the DYNDNS server or from another DNS server.

It will then connect to the IPL-AD2 as if its address had been fixed.

To configure that function,

go to www.dyndns.org

and create an account.

Select the « Wan interface » menu and then « DynDNS »

Enable the DYNDNS function.

Enter the account login and password provided by DYNDNS

Enter the hostname which has been registered (Ex :

iplad2grenoble2.dyndns.org).

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 43

SETUP

12 Creating VPN connections between routers

12.1 Principles

A VPN is a safe link set between two end-points over an IP network : Both routers authenticate, data are encrypted and each device of a LAN can exchange data with each device f the other one. (see appendix 1).

25 VPNs can be set on the WAN interface of the IPL-AD2 router.

Two types of VPN can be set : TLS VPN and IPSec VPN.

IPSec has the advantage to be a standard solution.

TLS is easier to employ because the transport layer is TCP or UDP; it is why, it can be easily used when the VPN must pass through several or even numerous company routers.

Once a type of VPN (TLS or IPSec) has been selected, all the VPN set between the IPL-AD2 router and another one must be the same.

Two steps are necessary to configure the IPL-AD2 to create VPN connections between routers :

1 st

step : Select the type of VPN and setting the parameters

2 types of VPNs can be used to connect IPL-AD2 routers together or with other type of routers: IPSec or TLS/ SSL

Once a type of VPN has be selected, it applies to all the connections with remote routers.

2 nd

step : Create VPN connections

Page 44

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

A connection can be an incoming connection or an outgoing connection.

If a connection is an incoming connection, the local router is named

“VPN server” and the remote router is a “VPN client”.

VPN connection client

Outgoing

VPN

IP network

Ingoing connection

To create VPN connections between routers, select the « Setup» menu and then « Network» and then “V¨PN

connections”.

VPN server

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 45

SETUP

12.2 IPSec VPN connections

12.2.1 Configuring the IPSec protocol

• Select the “Setup” menu, the “network” menu and then ‘VPN

connections”.

• Select the “Ipsec” type of VPN,

• Click “Properties” .

“Encryption Protocol” parameter :

Select ESP to encrypt the data flow; select AH, if no encryption is required or if NAT traversal is required.

“Authentication & encryption key” parameter :

Authentication an encryption can be carried-out with a pre-shared key or a certificate.

“Pre-shared key” value :

The pre-shared key value applies to all the connections.

The maximum length of the key is 40 characters.

Page 46

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

The same preshared key value will be used for remote users L2TP /

IPSec connections.

Certificate” value

The IPL-AD2 router is delivered with a certificate stored into the product in our factory.

To add a certificate, refer to the “Security” menu.

“Encryption and hash algorithm phase 1” & “Encryption and hash algorithm phase 2” parameters :

That parameters allow to define the encryption and hash algorithms in use during the phase 1 of the exchanges between the end-points (VPN setup) and during the phase 2 (data exchange).

The default value is Auto; in that case both end-points will negotiate a common algorithm.

“DPD request period” parameters :

A DPD request (also called Keepalive message) is a message sent periodically by each end-point to the other one to make sure that the VPN must be left active.

This parameters sets the amount of time (in seconds) between two of these requests.

“Connection death time-outparameters :

This parameter defines the maximum amount of time (in seconds) a VPN connection will stay established if no traffic or no DPD request message are received from the remote point.

ATTENTION : Once the parameters of the IPSEC connection have been selected, click the OK button and then the Save button.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 47

SETUP

12.2.2 Configuring an outgoing IPSec connection

LAN

IP addr.

Outgoing connection

Remote LAN

IP addr.

VPN

Réseau IP

WAN

IP addr.

Remote WAN

IP addr.

Router Remote router

To set an outgoing VPN connection,

• Come back to the “VPN connections” screen,

• Click the “add a connection” button..

Give a name to the connection and select the “Outgoing” option.

Page 48

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

‘Remote WAN IP address’ parameter :

Enter the IP network address and netmask assigned to the remote router o ver the internet.

“Remote LAN address & Remote LAN netmask” parameters :

Enter the IP network address and netmask assigned to the remote LAN.

Preshared key

If the preshared key used by the connection is the general PS K entered in th e “VPN” menu, no additional parameter has to be entered.

If a particular PSK must be u sed, complete the configuration of the c onnection as explained below.

“Unique PSK for this node” parameters :

Select that option if a particular PSK key has to be used for this c onnection.

“PSK value” parameter :

E nter the value of the PSK.

”My WAN address” parameter :

Enter the Internet IP address of the router

Certificate

“My subjectAlt name” & “Remote subjectAlt name” parameters :

Paste the field "SubjectAltName" of the active certificate of the router you a re configuring and the one the remote router.

Attention : For ETIC certificates, this field is the Email field

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 49

SETUP

12.2.3 Configuring an ingoing IPSec connection

LAN

IP addr.

Ingoing connection

Remote LAN

IP addr.

VPN

IP network

WAN

IP addr.

Remote WAN

IP addr.

Router Remote router

To set an ingoing VPN connection,

• Come back to the “VPN connections” screen,

• Click the “add a connection” button.

Page 50

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

Give a name to the connection and select the “ingoing” connection

direction option.

“Remote WAN IP address” parameter :

Enter the IP network address and netmask assigned to the remote router over the Internet (public IP address over Internet).

“Remote LAN address & Remote LAN netmask” parameter :

Enter the IP network address and netmask assigned to the remote LAN.

Preshared key

If the key used by the connection is the general PSK entered in the VPN menu, no additional parameter has to be entered.

If a particular PSK must be used, carry out the configuration of the connection as explained below.

“Use a specific key for this connection” parameter :

If that option is not selected, the preshared key entered in the VPN configuration screen will be used by the router.

If that option is selected, enter the specific key.

“My WAN address” & “Remote WAN address” parameters :

Enter the WAN IP address of the router (public IP address over Internet) and the WAN IP address of the remote router (public IP address over

Internet).

Attention : For ETIC certificates, this field is the Email field

Certificate

“My subjectAlt name” & “Remote subjectAlt name” parameters :

Paste the field "SubjectAltName" of the active certificate of the router you are configuring and the one the remote router.

Attention : For ETIC certificates, this field is the Email field.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 51

SETUP

12.3 Setting TLS VPN connections

12.3.1 Configuring the TLS-SSL protocol

• Select the “Setup” menu, the “network” menu and then the ‘VPN connections” menu.

• Select the “TLS” VPN type and click “Properties” .

“Port number” & “level 3 protocol” parameters :

Select the port Nr and the type of level 3 protocol used to transport the

TLS VPN; UDP will be preferred.

Attention :

The port number value must be different from one used by remote users;

“VPN network address” & “VPN network netmask” parameters :

The TLS VPN server router assigns automatically an IP address to the

VPN client router.

That VPN IP address must not be confused with the public IP address assigned to the routers over Internet nor with the private network IP addresses.

Attention :

The VPN IP network address field must be different from the private network IP address field.

The number of VPN addresses cannot be greater than 255; the netmask cannot exceed 255.255.255.0.

VPN IP addr.

(Default 172.16.1.0)

LAN

IP addr.

Remote LAN

IP addr.

Router

WAN

IP addr.

VPN

IP network

Remote WAN

IP addr.

Remote router

Page 52

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

“Connection death time-out” :

This parameter defines the maximum amount of time (in seconds) a VPN connection will stay established before being cleared if no response to the

VPN control message has been received from the remote router.

“Repetition time-out” : use.

A control message (also called Keepalive message) is sent periodically by the VPN server router to make sure that the VPN must be left active.

This parameters sets the amount of time (in seconds) the server will wait for the response before repeating it.

“Encryption algorithm” & “Message digest algorithm” parameters :

That parameters allow to define the encryption and hash algorithms in

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 53

SETUP

12.3.2 Configuring an outgoing TLS connection

LAN

IP addr.

Outgoing connection

Remote LAN

IP addr.

VPN

IP network

WAN

IP addr.

Remote WAN

IP addr.

Router Remote router

• Select the “Setup” menu, the “network” menu and then the ‘VPN

connections” menu.

• Click the “add a connection” button.

Give a name to the connection and select the “Outgoing” connection

direction option.

Page 54

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

“Login & Password” parameter:

Enter the login and password, the router will have to use to authenticate.

“Remote WAN IP address / URL” parameter :

Enter the IP address of the remote router or its DNS name.

“Remote WAN IP address” parameters :

Enter the IP network address and netmask assigned to the remote router over the Internet (public IP address over Internet).

12.3.3 Configuring an ingoing TLS connection

LAN

IP addr.

Ingoing connection

Remote LAN

IP addr.

VPN

IP network

WAN

IP addr.

Remote WAN

IP addr.

Router Remote router

• Select the “Setup” menu, the “network” menu and then the ‘VPN

connections” menu.

• Click the “add a connection” button.

Give a name to the connection and select the “ingoing” connection

direction option.

“Remote router Login” & “Remote router password” parameters :

Enter the login and password of the remote router

The remote router ha to use that login and password to authenticate.

“Remote LAN address” & “Remote LAN netmask” parameters :

Enter the IP network address and netmask assigned to the remote LAN.

“Common name” :

Enter the remote router certificate common name.

Attention : For ETIC certificates, this field is the Email field

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 55

SETUP

13 Routing functions

13.1 Basic routing function

Once an iP address has been assigned to the R2 router on the LAN interface and another one on the WAN / Internet interface (see drawing hereafter), the IPL-AD2 R2 router is ready to route packets …

… between devices connected to the remote LAN network like RL1, and devices connected to the LAN network like L1 through a VPN;

… between devices connected to the Internet like W1, and devices connected to the LAN network like L1.

192.168.5.128

Internet

IP addr.

Internet

IP addr. 192.168.2.128

Remote LAN

192.168.5.0/24

VPN

Internet

LAN

192.168.2.0/24

R3 router R2 router

RL1

W1 L1

Remark 1 : Firewall rules must be set to authorize WAN to LAN transfer.

Remark 2 : A default gateway address must be entered in each device of the LAN network and the remote .

Page 56

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

13.2 Static routes

However, the router R2 is not able to route packets between a device like

L1 belonging to the LAN network and a device connected to “network 6”

(see the drawing hereafter).

Network 6

192.168.6.0

network 1

192.168.1.0

192.168.6.24

192.168.1.24

R4 router Internet

IP addr.

Internet

IP addr.

192.168.2.128

R1 router

192.168.5.1

192.168.2.1

Remote LAN

192.168.5.0/24

VPN LAN

192.168.2.0/24

Internet

R2 router

RL1 R3 router

192.168.5.128

W1 L1

In that case, it is necessary to enter the route to that hidden “network 6”; that route is called a static route.

A static route consists in a table which describes a destination network (IP address and netmask) and the IP address of the neighbour router through which an IP packet to that destination must pass.

Router 2 static routes :

Active

Yes

Yes

Route name Destination Netmask Gateway

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 57

SETUP

To set a static route,

• Select the “Configuration” menu, the “network” menu the “Routing” menu and then “Static routes”. click the “Add a route” button.

“Destination IP address” & “netmask” parameters :

Enter the destination network IP address and netmask.

“Gateway IP address” parameters :

Enter the Ip address of the gateway through which the IP packets intended for that network must pass.

To set a static route,

• Select the “Configuration” menu, the “network” menu the “Routing” menu and then “Static routes”.

• click the “Add a route” button.

13.3 RIP protocol

RIP (Routing Information Protocol) is a routing protocol which enables each router belonging to a network to acquire the routes to any subnet.

The principle is as follows :

Routing table

Each router holds a routing table.

Each entry of the table consists in the destination subnet address and the adjacent router address leading to that subnet.

Routing table broadcasting :

Each router broadcasts its table.

Routing table update :

Each router updates its own table using the tables received from the other ones.

Page 58

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

To enable RIP,

• select the « Setup» menu, the “Routing” menu and then the “RIP” menu».

• Select the ‘

Enable RIP on LAN interface” and the “Enable RIP on WAN interface” options.

14 Address and port translation

The IPL-AD2 provides the capability to replace the original source IP address and the destination port and IP address in particular situations.

14.1 Address translation (NAT)

That function called NAT applies when a device connected to the LAN wishes to initiate a connection to the WAN or the Internet.

It consists in replacing the IP source address of packets coming from a device connected to the LAN by the WAN IP address of the router.

At the same time, the router will also replace the source port number by a particular port number making possible to route back the responses coming from the Internet to the appropriate device.

To enable the NAT function,

• Select the « Configuration » menu, the “WAN interface” menu, and the « IP protocol menu».

• Tick the checkbox « Activate the address translation (NAT) ».

14.2 Port forwarding

The port forwarding function consists in transferring to a particular device connected to the LAN interface a particular data flow addressed to the IPL-AD2 router on its WAN interface.

That function applies only to the packets addressed to the WAN IP address of the router.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 59

SETUP

The transfer criteria is the port number; the port number is used as an additional address field :

When a packet is addressed to the IPL-AD2 router with a particular configured port, it is transferred to a particular device connected to the

LAN interface.

Example :

Let us suppose the PC named “W1” of the WAN network has to send packets to the device PLC1 of the LAN network

Suppose moreover that the addresses of the LAN network cannot be used on the WAN network for any reason.

The solution can be to use the Port forwarding function :

When W1 needs to transmit packets to PLC1, it addresses the packets to the IPL-AD2 router on a chosen and agreed port.

The router checks the packet, replaces the destination address by the Ip address of the device on the LAN interface, and eventually changes the port number.

WAN IP addr. :

62.10.10.7

PLC1 192.168.0.15

TCP : 102

W1

WAN network

62.10.10.7

TCP : 102

PLC2 192.168.0.16

TCP : 502

PC 192.168.0.17

TCP : 80

The port forwarding rule will be

Internet / WAN LAN translation

To set the Port forwarding function,

• select the “network” menu and then the “Port forwarding” menu.

Page 60

User manual ref. 9015509-04 ADSL router IPL-AD2

• Click “Add a DNAT” rule.

14.3 Advanced network address and port translation

SETUP

14.3.1 Principle

This function is available in IPL-AD2-1400B, IPL-AD2-1220B, IPL-AD2-

1230B routers only.

That function consists in replacing the source port and IP address and the destination port and IP address of particular packets received by the router on its interfaces according to configured rules.

It applies to all the packets received by the router on any of its two interfaces except to the IP packets contained in a remote user PPTP or

TLS connection.

It applies as well to packets the destination address of which is the IPL-

AD2 router itself or to packets the destination IP address is a device belonging to the LAN subnet, or to the WAN subnet or to another network.

One brings out the DNAT function which consists in replacing the destination port number and IP address. the SNAT function which consists in replacing the source IP address.

Because the DNAT and SNAT functions modify the IP addresses of the IP packets processed by the IPL-AD2 router, and because the firewall filters that packets, it is very important to understand in which order that different functions are carried out :

Direction

WAN to LAN

WAN DNAT Router FIREWALL SNAT LAN

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 61

SETUP

LAN to WAN

WAN SNAT FIREWALL Router DNAT LAN

Page 62

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

14.3.2 Configuration

To set the advanced address translation functions

• select the “Setup” menu, “Network” , and then the “Advanced NAT” menu.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 63

SETUP

To create a new DNAT rule

• Click “Add a DNAT” rule.

• Select “Yes” to enable the rule.

• Enter the replacement criterion :

Source IP address & Destination IP address.

Protocol (TCP, UDP, …)

Source port & Destination port

• Enter the new destination port number and IP address.

Page 64

User manual ref. 9015509-04 ADSL router IPL-AD2

To replace the source IP address & destination port

• Click “Add a SNAT” rule.

Select “Yes” to enable the rule.

Enter the replacement criterions :

Source & Destination IP address.

Protocol (TCP, UDP, …)

Source & Destination port

Enter the new source IP address.

SETUP

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 65

SETUP

15 VRRP redundancy

That function is available only in IPL-AD2-1400B, IPL- AD2-1220B, IPL-

AD2-1230B routers

15.1 Principle

VRRP is a protocol designed to increase the availability of the default gateway of a subnet.

Thanks to VRRP, a group of two or more routers can service the hosts of one subnet instead of only one usually; only one router of that group actually routes packets; if it fails another one of the group takes its place.

The routers belonging to a VRRP group must be connected to the same

Ethernet segment.

VRRP works as follows :

An usual IP address is assigned to each router of the group.

An additional and common IP address, called the virtual IP address is assigned to all the routers of the group. This virtual address is the address which must be stored as the default gateway address in all the host devices belonging to the subnet.

A priority index is assigned to each router of the group. Using that index, the routers of the group can elect a master router; the master router is the one which has the greatest priority code. The other routers are the backup routers.

The master router is the only one to answer to the ARP requests and route actually packets. It uses the virtual IP address and the virtual MAC address If that option has been selected.

In case of failure of the master router, another master router is elected. It replaces the router in failure. It will use the same virtual IP address and the virtual MAC address as the previous master router.

The IPL-AD2 router manages that protocol as well on the LAN and on the

WAN interface.

Page 66

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

15.2 Configuring VRRP on the LAN interface

To enable and configure VRRP,

• select the “Setup” menu, the “network” menu and then the “VRRP”

menu.

« Enable VRRP on the LAN interface » parameters :

Tick that checkbox to enable VRRP on the LAN interface.

« VRRP Id (1-255) » parameter:

Assign an identity code to the routers group between 1 and 255.

The same identity code must be assigned to all the routers of the group.

« Virtual IP address» parameter :

Enter the IP address the elected master router will use to answer to ARP requests.

«Priority (1-255) » parameter :

Assign a priority index to the router

The router which has the greatest index will become the master router.

«Use a virtual MAC address » parameter :

A virtual MAC address can be associated to the virtual IP address.

If that option is selected, the elected master router will answer to ARP requests by using that virtual MAC address.

That MAC address is 00-00-5E-00-01-XX, where XX is the VRRP Id of the group coded in hexadecimal.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 67

SETUP

16 GSM-3G wireless backup

IPL-AD2-1201B only.

16.1 Principles

The IPLAD2-1201B router provides a 3G backup function when the

ADSL connection fails.

A 3G USB modem must be connected to the USB interface of the IPL-

AD2 router.

Redundant

VPN Server

GSM-3G

Modem

Internet

Backup Main

We recommand to use the TELIT UC864 modem which has been qualified with the IPL-AD2 router.

When the ADSL connection to the Internet provider fails, the IPL-AD2 router routes the data through the 3G network.

The line led associated with the RJ45 ADSL connector is switched off, while the Line led associated to the USB connector switches on to indicate the 3G connection is established.

Page 68

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

If a VPN was established through the ADSL line, the IPL-AD2 establishes it again through the 3G network.

Whilst the 3G connection is set, The router tries periodically to set the

ADSL line.

A soon as the ADSL line is established, the IPL-AD2 stops transmitting over the 3G wireless network.

Remark :

The backup function works if the ADSL connection uses PPPo Ethernet or

PPPo ATM or IPoA (Routed IP over ATM, RFC2684 routed).

But, it does not work if the ADSL connection uses the EoA protocol

(Ethernet over ATM RFC2684 Bridged).

16.2 Configuration

To set up the backup function,

• Select the « Setup» menu , and then « Backup interface », and then the « Modem » menu.

• Select the “Enable” checkbox.

• Select the « Telit UC864 » type of modem.

• Select the « GPRS/3G » mode.

• Enter the APN code.

• Select the « Setup» menu , and then « Backup interface », and then the « Connection» menu.

That page allows to setup the PPP connection between the IPL-AD2 router (acting as the PPP client) and the 3G central system (acting as the

PPP server) through the air.

« Login» and « Password » parameters :

Enter the login and password associated to the 3G SIM card.

« Authentication» parameter :

Leave the default value (PAP/CHAP)

« Obtain an IP address automatically » checkbox :

Select that checkbox if an IP address is automatically assigned to the router over the 3G network.

This is the usual case.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 69

SETUP

« Local IP address» and “Remote IP address» parameters :

In particular cases, the IP address of the router on the 3G network and the IP address of the 3G central system are fixed IP addresses and must be entered.

«Obtain DNS servers address automatically» checkbox :

Select that checkbox if the DNS servers addresses are assigned automatically to the router.

This is the usual case.

«Primary DNS server address» and «Secondary DNS server

address» parameters:

In particular cases, the DNS servers IP addresses must be entered.

• Select the « Setup» menu , and then « Backup interface » menu, and then the «Control» menu.

«Connect at power-on» parameter :

Select that checkbox.

The IPL-AD2 and the USB 3G modem remain connected to the 3G network.

That checkbox must be selected to enable the backup function.

Page 70

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

17 Remote users connections service

The IPL-AD2 provides a full remote user connection function called ”RAS” :

• The remote user authenticates using the login, password and eventually a certificate; the router accepts the connection only if the remote user belongs to the user list.

• Individual access rights are automatically allocated to the remote user.

• An IP address belonging to the LAN network is automatically assigned to the remote PC.

• Data are encrypted (TLS and L2TP / IPSec only).

• The connection is logged.

• The IPL-AD2 is compatible with the M2Me_Connect service.

To setup the remote user connection service, the following steps must be carried out :

• Step 1 :

Configure a PPTP or TLS or L2TP / IPSec connection

or select the M2Me_Connect

service

• Step 2 :

Complete the user list

• Step 3 ::

Define the

firewall rules

to limit the rights of the remote users

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 71

SETUP

18 Remote users connection

18.1 Principles

A remote user connection is a tunnel set between a remote PC and a router providing the RAS function (Remote Access Service), like the IPL-

AD2.

A remote user connection provides security and simplicity advantages :

• The remote user is identified with a login in and password or eventually a certificate.

• The data is encrypted (TLS or L2TP).

• An IP address belonging to the local network is automatically assigned to the remote user’s PC.

The IPL-AD2 manages PPTP and TLS or L2TP remote connections.

Only one type can be selected. It will apply to all the remote users connections.

A PPTP is the simplest type of remote user connection; data is not encrypted.

The remote user can be identified only with a login and password.

A TLS connection provides encryption; moreover; the remote user can be identified with a log in and password and with a certificate if necessary.

Page 72

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

18.2 Configuring a TLS connection

The M2Me_Secure software provided by ETIC TELECOM is a Windows

TLS client software.

Installed on a PC running Windows XP or Seven, M2Me_Secure makes

TLS connections from a remote PC to the IPL-AD2 easy; moreover it includes a connection book in such a way one just need a click to connect to a remote site.

We describe hereafter how to configure the router and the M2Me_Secure software to set a TLS VPN between both.

Step 1 : Router configuration

To configure a remote user TLS connection,

• select the “Setup” menu, the “Remote users” menu and then the

User list” menu.

• Select the VPN type “ TLS”.

• Click the “Properties” button and set the parameters.

“Port number” & “level 3 protocol” parameters :

Select the port Nr and the type of level 3 protocol used to transport the

TLS VPN; UDP will be preferred.

Attention :

The selected port number assigned to the remote users connections must be different from the one used for VPN connections between routers if such VPN connections have been configured.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 73

SETUP

“Remote User authentication” parameters :

Authentication an encryption can be carried-out with a pre-shared key or a certificate.

If the “Login/password” is selected, the remote user is authenticated with a login and a password.

If the “Login/password and Certificate” value is selected, the remote PC is authenticated with the certificate and the user with a login and password. In that case, the PC certificate must be stored in the user list.

«Encryption algorithm» & «Message digest algorithm» parameters:

Leave the default values

Step 2 : Configure the M2Me_Secure software

For detailed information, refer to the M2Me_Secure manual.

Click « Menu » and then « New site ». The Site configuration window is displayed.

Select the « General » tab and enter a site name.

Select the « Connection » tab; select the option “That site can be reached through the Internet.

In the field « Host name or IP address », select the router IP address or DynDNS name or DNS name.

Select the « Advanced tab » ; select the level 3 protocol (UDP or

TCP), the port number and the encryption algorithm.

These parameters must have the same values must in the PC and in the router.

Page 74

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

18.3 Configuring a PPTP VPN connection

We describe hereafter how to configure the router and the PC to set a

PPTP remote user connection between them.

Step 1 : Router configuration

• select the “Setup” menu, the “Remote users” menu and then the

User list” menu.

• Select the VPN type “ PPTP”.

Remark : The “properties” button allows to modify the authentication protocol; leave the default configuration if the PPTP client is a PC running

Windows.

Step 2 : Set a PPTP connection on the PC side.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 75

SETUP

19 M2Me_Connect service

IPL-AD2-1400B, IPL-AD2-1220B, IPL-AD2-1230B routers only.

19.1 Overview

The M2Me_Connect service simplifies the connection of a remote PC to a machine through the Internet.

It provides a solution when a direct PPTP or TLS connection described before shows itself impossible.

Let us take the example of a machine made of several devices forming a

“machine network” and connected to a company network through an IPL-

AD2 router.

Suppose an expert wishes to connect to one or several of these devices to help repairing them or to upgrade a firmware.

The simplest solution should be to set a remote connection between the remote PC and the IPL-AD2 through the company network, the existing

Internet access in the company, and the Internet.

Several reasons make that connection difficult or impossible, but the main one is a security reason : It is generally not allowed to set an ingoing connection from a PC connected to the Internet towards a device like an

IPL-AD2 connected inside a company network.

The M2Me_Connect service solves that difficulty :

The PC does not connect directly to the IPL-AD2; both the PC and the router connect to the “M2Me_Connect” service.

Once both parties have been authenticated by the M2Me_Connect service with their own certificate, a TLS VPN is set from end to end from the PC to the IPL-AD2 router.

The remote user identity is checked by the router to verify he or she belongs to the user list stored in the IPL-AD2 router.

Finally, individual access rights are assigned to the remote user depending on his or her identity.

Page 76

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

19.2 Configuring a M2Me_Connect connection

Step 1 : Router configuration

Select the « Setup» menu, the « Remote users » menu, the

M2Me_Connect” menu, and then the “Connection” menu.

« Activate » parameter:

Tick the checkbox

“TCP ports” and “UDP ports” parameters :

Select the ports the router must check to set a connection to the

M2Me_Connect service.

“Proxy” parameters :

If a proxy server is in charge of filtering IP packets transmitted towards the

Internet, select the “Use a Proxy server” option; choose either “HTTP” or “SOCK S5”;

Enter the Proxy server address, port number, Login and password.

• Test the connection

Click the “Control” menu, and press the “connect now” button.

Go to the ”Diagnostic” menu, “Network status” menu and then “M2Me”.

When the connection between the router and the M2Me_Connect service is established, the port number and protocol are displayed.

• Deselect the ports number needlessly selected

If too many ports have been selected, the connection delay may be long; it is why we advise to unselect all the ports except the one which has finally been successful.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 77

SETUP

Step 2 : Configuring the M2Me_Secure software

Click « Menu » and then « New site ». The Site configuration window is displayed.

Select the « General » tab and enter a site name.

Select the « Connection » tab; select the option “That site can be reached through the Internet and the “M2Me_Connect” option.

Enter the product key of the router; it can be pasted from the “About” menu of the router.

Page 78

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

20 Users list

The user list registers 25 authorised remote users forms.

Each user form stores the identity of the user (Login and password), his email address to send alarm emails and the filter assigned to him.

To display the user list,

• select the “Setup” menu, the “Remote users” menu and then the

User list” menu.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 79

SETUP

Attention :

Coming from factory, a default user is registered; his login is admin and the password is also admin. After the test phase, we advise to modify these login and password.

To add a user form

• Click the “add a user ” button

“ Active (value Yes or NO)” parameters :

Select “No” if you want to prevent the user to access the network.

Select “yes” to authorize the user to access the network.

“Full name” parameters :

It is the name displayed in the user list.

“Login” & “ password” parameters :

The login and the password will have to be entered by each user at the beginning of the remote connection.

Page 80

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

“E-mail” parameters :

The IPL-AD2 will send an email to that address in two situations :

Alarm email : the IPL-AD2 sends an alarm email to the defined user If the input 1 is closed or opened (if that option has been set).

Internet connection email : Once connected to the Internet, the IPL-AD2 will send to the demanding user an email containing the dynamic IP @ assigned to the IPL-AD2 by the provider. (See OPERATION chapter).

“Firewall filter” parameters :

Select a filter in the list.

A filter defines a domain of the local network.

Thus, once assigned to a user, a filter limits his or her access rights.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 81

SETUP

21 Configuring the firewall

21.1 Overview

The firewall filters IP packets between the WAN and the LAN interface of the IPL-AD2 router. It is divided in 3 particular filters :

The remote users filters

The function of the remote users filters is to limit the IP domain an authenticated remote user can reach when he connects to the IPL-AD2 router through the Internet.

The remote users filters filter the destination IP address and port number of the IP packets included inside à PPTP or TLS or L2TP remote user connection.

Thus the IP addresses checked by the remote users filters are LAN IP addresses.

25 remote users filters can be created and assigned individually to each of the users declared in the user list.

The source IP address of the packets is not checked by the remote users filters because the filters apply to the remote users connections according the login and password of the remote user checked when the remote user connection is set.

The main filter

It filters IP packets whether carried inside one of the VPNs or outside a

VPN.

The main filter checks source and destination IP addresses and the source and destination ports.

The main filter does not check the IP packets included in a remote user connection. That packets are checked by the remote users filter.

The main filter does not check the IP packets defined in the “Port forwarding” table. That packed are directly forwarded to the defined device (see

Port forwarding

).

The deny of service filter is made to usual attacks coming from the

Internet. That filter cannot be configured.

Page 82

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

The firewall of the IPL-AD2 firewall can thus be represented by the drawing hereafter :

Remote user connection

Users filters

VPN between routers

Main filter

WAN LAN

DoS filter

Port forwarding

FIRE-WALL

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 83

SETUP

21.2 Main filter

The main filter applies to all the IP packets except to the ones included in remote users connections.

To recognize a TLS remote user connection, the router detects the port number.

21.2.1 Main filter Overview

Main filter structure

For a better organisation, the main filter is divided in two tables; both having the same structure.

The “VPN” filter : It filter the packets transmitted inside the VPNs.

The “WAN” filter : It filters the packets transmitted outside the VPNs

Each of that two filters is made of a filter policy and a filter table each line of which is a filter rule

Main filter default policy

The default policy is the decision which will be applied if a packet does not match any of the rules of the filter.

The WAN to LAN and the LAN to WAN traffic are regarded separately because the decision can be opposite for a packet coming from the WAN or coming from the LAN :

WAN to LAN : The default policy can be “Accept” or “drop”.

LAN to WAN : The default policy can also be “Accept” or “drop”.

For instance, if the default policy assigned the WAN to LAN traffic is

“drop”, it means that an IP packet which does not match any of the rules of the main filter will be rejected.

Page 84

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

Main filter table

The main filter is a table, each line being a rule.

Each rule of the filter is composed a several fields which defines a particular data flow and another field which is called the action field.

The fields which define the data flow are :

Direction (« WAN to LAN » or « LAN to WAN »),

Protocol (TCP, UDP…),

IP@ & port number, source & destination.

The Action field can take two values

Accept : To authorize the data flow to be forwarded to the router interface.

Drop : To drop the packet which matches the rule.

How does the main filters works

When the firewall receives a packet, it checks if it matches the first rule..

If it does, the decision is applied to the packet according to the “Action” field.

If it does not, the firewall checks if it matches the second rule; and so on.

If the packet does not match any of the rules of the table, the default policy is applied to the packet (drop or reject).

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 85

SETUP

21.2.2 Configuring the main filter

Select the “Security” menu and then “Firewall” and “Main filter”.

The “Main filter” page is divided in two parts :

WAN traffic rules :

The first part, entitled “WAN” traffic rules, is made to define how the IP packets not carried in a VPN, have to be filtered.

VPN traffic rules :

The second part, entitled “VPN traffic rules” allows to define how the IP packets carried inside the VPNs have to be filtered.

Page 86

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

Configure successively the WAN traffic rules using the same method.

Step 1 : Select the default policy

“LAN to WAN” parameter :

That parameter sets what the filter will decide if an IP packet coming from the LAN does not match any f the rules of the filter :

If the value “Accept” is selected, the IP packet will be transmitted to the

VPN.

If the value “Drop” is selected, the IP packet will be rejected.

“WAN to LAN” parameter :

That parameter sets what the filter will decide if an IP packet coming from the WAN does not match any f the rules of the filter :

If the value “Accept” is selected, the IP packet will be transmitted to the

LAN.

If the value “Drop” is selected, the IP packet will be rejected.

The cautious default policy is to choose the value “Drop”; at the opposite, if the value “Accept” is selected, a packet which does not match any of the rules of the filter is transmitted.

Step 2 : Add a rule to the filter

Click the “add a rule” button.

“Direction” parameter :

Select the direction of the data flow to which the rule applies.

“Action” parameter :

Select the value “Accept” if the IP packet has to be transmitted in the selected direction.

Select the value “Drop” if the IP packet has to be rejected.

“Protocol” parameter :

Select the level 3 protocol concerned.

“Source IP address” & “Source port” parameters :

Enter the value of the source IP address and the source port number.

It is possible to enter a range of source IP addresses and not a single IP address by selecting a netmask value from 1 to 32; It is the number of binary 1 of the netmask; for instance, the value 24 means 255.255.255.0; the value 16 means 255.255.0.0.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 87

SETUP

”Destination IP address” & “destination port” parameters :

Enter the value of the destination IP address and the destination port number. Select the netmask value.

21.3 Remote users filters

A remote user filter applies to the IP packets received inside a remote user connection.

25 remote user filters can be configured and assigned individually to each of the users declared in the user list.

A remote user filter is a table of destination port numbers and IP addresses belonging to the LAN network.

Once a remote user is connected to the IPL-AD2 router, the router applies the filter assigned to him (see the remote user form).

According to his identity (Login and password, he will thus only access to the IP domain defined by the filter.

Example :

Filter name : Access to the device PLC1 (html and modbus)

Filter policy : All is forbidden except what we specify

Rules list

Action Device Service

Allow PLC1 80

Allow PLC1 192.168.0.12 Modbus 502

A filter must be assigned at least to one user to become enabled.

Step 1 : Complete, if necessary, the list of services

Remark : The main services (html, ftp, modbus) are available from

factory; for that reason, most of the time, that step can be skipped.

• Select the menu “system” and then “service list” The list of TCP ports is displayed.

• Click « add a service ».

• Enter the label of that the new service, assign a protocol (udp, tcp, icmp) and a port number.

• Save. The list is updated.

Page 88

User manual ref. 9015509-04 ADSL router IPL-AD2

Step 2 : Enter the list of devices of the LAN network

• Select the «System» menu, then «Devices list».

The list of the devices of the LAN network is displayed.

SETUP

• Click « add a device ».

• Assign a label and an IP address to the device and click OK.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 89

SETUP

Step 3 : Build a remote user filter

• Select the « security» menu, then « firewall» and then «Filter list»

The users filters list is displayed.

Page 90

User manual ref. 9015509-04 ADSL router IPL-AD2

• Click « add a new filter ».

SETUP

• Assign a name to the new filter.

• Choose the policy ; « All is forbidden except what we specify » is the advised policy.

• Click « add a new rule to the list ».

• Select a device among the ones which have been stored and a service (also called port).

• Add other rules if necessary.

• Click OK when the filter is complete ; the updated filter list is displayed.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 91

SETUP

Step 4 : Assign a filter to each user

• Select the « Remote user» and then « User list ».

• Select a user to which you want to assign a filter ; and click modify ; the user window is displayed.

Assign a filter to the user ; click OK and save.

Page 92

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

22 Serial to IP gateway

The IPL-AD2 features two serial ports.

A serial gateway can be assigned to each port .

If the same type of gateway is assigned to both serial ports, the UDP or

TCP port numbers must be different.

The gateways listed below are provided :

Modbus client or server (i.e. master or slave)

To connect several serial modbus slaves to several IP modbus clients.

Or to connect a serial modbus master to an IP modbus server.

RAW TCP server or client :

To connect 2 serial devices through an IP network.

Telnet :

To connect a Telnet terminal to the RAS.

RAW UDP :

To exchange serial data between several serial and IP devices, through an IP network, using a table of IP addresses..

Unitelway slave :

To connect a serial unitelway master to an IP network.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 93

SETUP

22.1 Modbus menu

22.1.1 Modbus server gateway

This gateway allows to connect serial modbus slaves to the serial interface of the

IPL-G12.

• Select the modbus menu and then modbus server and enable the modbus server gateway and set the parameters as follows :

“Port selection” parameter :

Select the serial port COM 1 or COM2.

If the modbus server gateway is assigned to one serial COM port, it cannot be assigned to the other one.

« ASCII / RTU protocol » parameter:

Select the right option

“Proxi” parameter:

Enable the proxi option if you wish to avoid to frequent requests on the

RS232-RS485 interface.

“Cache refreshment period” parameter:

Select the period at which the gateway will send request to the slaves PLC.

“Timeout waiting for the answer” parameter:

Set up the timeout the gateway has to wait for the answer of the modbus slave answer.

Page 94

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

“Local retry” parameter :

Set up the number of times the gateway will repeat a request before declaring a failure.

“Inter-character gap” parameter :

Set up the maximum delay the gateway will have to wait between a received character of a modbus answer packet and the following character of the same packet.

“Modbus slave address” parameter:

Choose “specified by the modbus TCP client” , if the address of the slave

PLC must be decoded by the gateway from the modbus TCP packet coming from the client.

Otherwise, specify the modbus address of the slave PLC; in that case only one slave can be connected to the RS232 serial interface.

“TCP inactivity Timeout” parameter :

Set the time the gateway will wait before disconnecting the TCP link if no characters are detected.

“TCP port number” parameter :

Set the port number the gateway has to use.

If the Raw TCP client gateway is assigned to both serial COM ports, the

TCP port numbers must be different on each port.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 95

SETUP

22.1.2 Modbus client gateway

This gateway allows to connect a serial modbus master to the serial interface of the IPL-AD2.

• Select the modbus menu and then “modbus client” menu; enable the

“modbus client” gateway and set up the parameters as follows :

“Port selection” parameter :

Select the serial port COM 1 or COM2.

If the modbus server gateway is assigned to one serial COM port, it cannot be assigned to the other one.

« ASCII / RTU protocol » parameter :

Select the right option

“Inter-character gap” parameter :

Set up the maximum delay the gateway will have to wait between a received character of a modbus answer packet and the following character of the same packet.

“TCP inactivity Timeout” parameter :

Set the time the gateway will wait before disconnecting the TCP link if no characters are detected.

Page 96

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

“TCP port number” parameter :

Set the TCP port number the gateway has to use.

“IP address” parameter :

The modbus client gateway allows to transmit modbus requests from the serial modbus master device to any modbus slave device, more precisely called “ modbus server”, located on the IP network.

To assign an IP address to each modbus slave device with which the serial master device needs to communicate, click the “add a link” button;

Assign an IP address in front of each modbus slave address with which the serial master device will have to communicate.

22.2 RAW TCP gateway

22.2.1 Raw client gateway

The RAW client gateway can be used if a serial “master” device has to send requests to one slave device (also called server) located on the IP network.

The server can be either an ETIC gateway or a PC including a software

TCP server.

• Select the “transparent” and then the “raw client COM1” or the “raw client COM2” menu .

• Enable the raw client gateway; and set up the parameters as follows :

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 97

SETUP

“RS232/485 input buffer size” parameter :

Set up the maximum length of an asynchronous string the gateway will store before transmitting it to the IP network.

“Timeout of RS232/485 end of packet” parameter :

Set up the delay the gateway will wait before declaring complete a string received from the asynchronous device.

Once declared complete, the gateway will transmit the string to the IP network.

“TCP inactivity Timeout” parameter :

Set the time the gateway will wait before disconnecting the TCP link if no characters are detected.

“TCP port number” parameter :

Set the port number the gateway has to use.

If the Raw TCP client gateway is assigned to both serial COM ports, the

TCP port numbers must be different on each port.

“Raw server IP address” parameter :

The raw client gateway is able to communicate with a raw server gateway.

Assign an IP address to define the destination gateway.

22.2.2 Raw server gateway

That gateway can be used if a serial slave device has to answer requests coming from devices located on the IP network and acting like a master

(also called TCP client).

Page 98

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

• Select the “transparent” and then the “raw server COM1” or the “raw server COM2” menu.

• Enable the raw server gateway and set up the parameters as follows :

“RS232/485 input buffer size” parameter :

Set up the maximum length of an asynchronous string the gateway will store before transmitting it to the IP network.

“Timeout of RS232/485 end of frame” parameter :

Set up the delay the gateway will wait before declaring complete a string received from the asynchronous device.

Once declared complete, the gateway will transmit the string to the IP network.

“TCP inactivity Timeout” parameter :

Set up the time the gateway will wait before disconnecting the TCP link if no characters are detected.

“TCP port number” parameters :

Set up the port number the gateway has to use.

If the Raw TCP server gateway is assigned to both serial COM ports, the

TCP port numbers must be different on each port.

22.3 RAW UDP gateway

22.3.1 Overview

The RAW UDP gateway enables you to connect together a group of serial or IP devices through an IP network.

The group can include IP devices if they have the software pieces able to receive or transmit serial data inside UDP.

Serial data transmitted by each device is transmitted to all other serial devices through the IP network.

A table of IP destination gateways is stored in each IPL-AD2 belonging to the group.

The serial data is encapsulated in the UDP protocol.

The UDP datagram is sent to each destination IP address stored in the table.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 99

SETUP

22.3.2 Configuration

• Select the “gateway” menu and then the “Transparent” menu and then click “RAW UDP”.

• Select the “Activate” option.

« Serial input buffer size” parameter (value 1 to 1024) :

Sets the maximum size of an UDP datagram.

“End of frame time-out” parameter (value 10 ms to 5 sec ) :

Sets the delay the gateway will wait before sending the UDP datagram towards the IP network when no characters are received from the serial interface.

«UDP port number» parameter :

Sets the UDP port number.

If the Raw UDP gateway is assigned to both serial COM ports, the UDP port numbers must be different on each port.

“IP addresses of the destination devices » table :

This table stores the IP addresses of the gateways to which the serial data, encapsulated inside UDP, have to be sent.

A different UDP port number can be entered for each destination IP address.

Page 100

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

23 USB to IP gateway

23.1 Principles

The IPL-AD2-1201B provides a USB to IP gateway.

The USB port can be used either to connect a 3G modem or to connect a

USB device.

It is able to forward IP traffic from devices connected to the Ethernet network to a USB device.

On the USB interface, the IPL-AD2-1201 behaves like a USB host and a

PPP client.

The USB device connected to the IPL-AD2-1201 USB interface must behave like a PPP server.

Destination IP address; main case

When a device, connected to the Ethernet network, needs to transmit data to the USB device, the destination address of the IP frames which need to be transmitted to the USB device must be a specific IP address assigned to the USB gateway of the IPL-E (see the configuration below).

Destination IP address; Modbus case

If no specific IP address is assigned to the USB gateway (see below), the

IPL-E forwards only modbus TCP traffic to the USB interface.

The destination IP address of the IP frames must be the LAN IP address of the IPL-E router.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 101

SETUP

23.2 Configuration

Select the “Setup” menu and then the “USB” menu.

“Activate” checkbox :

Select the “Activate” checkbox.

“Use a specific IP address” checkbox :

If modbus TCP traffic only has to be forwarded, that checkbox must not be selected.

If other kinds of traffic have to be forwarded, that checkbox has to be selected.

“Specific IP address” parameter :

If modbus TCP traffic only has to be forwarded to the USB interface, no IP address has to be entered.

If other kinds of traffic have to be forwarded to the USB interface, enter a specific IP address.

That address is the specific IP address of the USB gateway. It will be used as the destination IP address of the IP frames which must be forwarded to the USB interface.

“Accept WAN traffic” checkbox:

It is necessary to select that checkbox it the PC is connected to the network connected to the WAN interface.

It is not necessary to select that checkbox if the remote PC is connected to the RAS through a VPN.

Page 102

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

24 Advanced functions

24.1 Adding a certificate

Coming from the factory, the IPL-AD2 router includes a certificate delivered by ETIC TELECOM acting as a certification authority.

That certificate can be used to set a VPN between two routers.

Two IPL-AD2 routers can set a VPN with one another using certificates only if the certificates have been provided by the same authority.

Additional X509 certificates, provided by ETIC Telecommunications or not, can be downloaded into the router.

To import a new certificate, the file extension can be PKCS#12 with a password or PEM.

Even if more than one certificate have been downloaded into the IPL-AD2 router, one certificate can be used for all the connections.

24.2 Alarms

24.2.1 SNMP

The IPL-AD2 router is able to send snmp traps when alarms occur.

” Activation” parameter :

If that option is selected, the router will send an SNMP trap if an alarm is detected.

“SNMP network management IP address” parameters :

Enter the IP address of the management platform

“SysName” & “SysLocation” parameters :

That fields allow to identify the source device.

Example :

Sysname : etic

Syslocation : France

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 103

SETUP

“Product start-up” parameter :

If that option is selected, the router will send an SNMP trap each time it will connect to the Internet

24.2.2 Digital output alarm

If an alarm occurs, the router will open the digital output..

The causes which make the output to open cane be either the

ADSL disconnection, power input 1 failure, power input 2 failure.

24.2.3 E-mail alarm

When the digital input is closed or opened, an email can be transmitted to one of the users of the users list.

To set that function select the “Alarm” menu and click “email”.

“Enable the alarm email” parameter :

Select this option if you want an email to be sent to a user when the digital input 1 is set

ON or OFF.

“Alarm launched on event” parameter :

If the option OPEN is selected, the alarm will be sent each time the digital input will be opened.

If the option CLOSED is selected, the alarm will be sent each time the digital input will be opened.

If the option BOTH is selected, the alarm will be sent each time the digital input will be opened or closed.

” Hold time” parameter :

Select the time the input has to stay in its alarm state to be taken into account.

“Alarm destination” parameter :

Select the user to whom the email must be sent.

“Text to send” parameter :

Enter the email text.

Page 104

User manual ref. 9015509-04 ADSL router IPL-AD2

SETUP

24.3 Configuring the web portal

The web portal in an html page; it displays a list of devices connected to the LAN. Each line of the list is made of the device name, its IP address and three links :

The html link : To go directly to the web server of the associated machine.

The « explore » link : To explore the HD of the associated machine, if it is a Windows machine.

The « ftp » link : To explore the files of the associated device.

If the we portal option has been selected (see below), the web portal page is displayed when the remote user launches the navigator and enters the

Ip address assigned to the IPL-AD2 router. In that case, the administration server, usually can be displayed at the same address but at the port number 8080 instead of 80 when the web portal page option is not selected.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 105

SETUP

24.4 Configuring the DNS server

For domain names resolution, the IPL-AD2 can behave like a domain name server or a domain name relay.

DNS server :

A domain name server is a networking device which is able to associate a label (etictelecom.com for instance) with an IP address.

That function allows a client device to send a request to a network equipment referring to a domain name as if it was the actual IP address of the destination device.

The IPL-AD2 router is able to resolve any domain name composed with the name of one of the devices entered in the devices list followed the site name which is entered at the top of the devices list.

DNS relay :

The IPL-AD2 router behaves also like a DNS relay; any DNS request it receives from the LAN, which cannot be resolved because the device is not registered in the devices list, will be transferred to the internet to be resolved.

That function can be carried out only if the IPL-AD2 IP address is pointed out as the main DNS server of the devices of the LAN.

.

That function is efficient in particular when a device connected to the LAN has to send emails through the Internet.

Page 106

User manual ref. 9015509-04 ADSL router IPL-AD2

MAINTENANCE

1 Diagnostic

The html server provides extended diagnostic functions.

Select the Diagnostic menu and then the appropriate sub-menu.

Log sub-menu:

The log displays the last 300 dated events :

ADSL, VPN and users connections and disconnections, power on,

Serial gateway events.

Network status sub-menu and then status sub-menu :

That screen displays the current status of the LAN interfaces and of the

Internet connection :

LAN interfaces :

That part of the page shows the data of the LAN interface :

MAC address,

Ethernet mode (10 /100, half or full),

IP address.

Internet connection :

That part of the page shows the data of the Internet interface :

ADSL data rates,

Internet IP address,

DNS IP address.

The “View statistics” button gives access to the ADSL statistics windows; that windows shows the reception signal attenuation, the Signal to noise margin (SNR margin),

G821 error rates indicators.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 107

MAINTENANCE

VPN sub-menu

That menu displays the table of the VPN (remote user connections and remote routers connections) which are established.

Serial gateway :

That page displays the current status of the serial gateways :

Type of the gateway(Modbus, RAW, Telnet …), serial port set-up (data rate etc…), number of characters received or sent,

Number of TCP frames or UDP datagrams received or sent,

Number of TCP connections enabled.

The View link displays a window which shows the hexadecimal received and transmitted traffic< over each serial COM port.

Ping :

That screen enables to send a ping to an IP address.

IO control

That screen displays the status of the digital input and output and allows to set ON or OFF the alarm digital output.

2 Saving the parameters file

Once a product has been configured, the parameters file can be stored and restored when necessary.

To save the parameters file,

Select the “System” menu and then “Save restore”,

Click the ”Save” button

Select the location to store the file and give a name to the file.

The file suffix is “.bin”.

To restore a parameters file

Select the “System” menu and then “Save restore”,

Click the “browse” button and select the parameters file,

Click the “Load” button and confirm to restart the product.

Page 108

User manual ref. 9015509-04 ADSL router IPL-AD2

MAINTENANCE

Attention :

A parameters file can only be downloaded to a product having the same firmware version.

It is why, we advise to assign a name to a parameter file including the product name and the software version.

Example :

Name of a parameters file for an IPL-AD2-1220 router with the firmware version V2.41

Example : Myrouterfile_iplad21220_V241.bin

3 Updating the firmware

Step 1 : Before starting, you need,

A PC with a Web browser.

An Ethernet cable or a switch

The FTP server software which can be downloaded from the « firmware page » of the ETIC « download area » web server.

Step 2 : Download the release of the firmware from our download area to your PC

Step 3 : Prepare the PC

Check the Ip address of the PC is compatible with the one of the router.

Connect the router to the PC.

Launch the TFTP server (tftp32.exe) software and select the new release

(L026xxx/img) by using the "Browser" button.

Click on "Show dir" to check the files of the directory : rfsmini.tgz, rootfs.bin, u-boot.bin and uImage.

Step 4 : Update the firmware

Launch the web browser

Enter the IP address of the ETIC product ; the home page of the ETIC configuration server is displayed.

Select the "System" menu and then " firmware Update". In the field "IP address of the TFTP server", enter the IP address of your PC.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 109

MAINTENANCE

Note : The IP address of the PC is written in the field "Server Interface" in the TFTP server windows.

Click "Save" and then "Update".

The first file should begin to be downloaded from the PC to the router.

During the operation, the led blinks

When the download is finished, the product automatically reboots.

To be sure the new release has been installed, go to "About" in the administration web page of the IP product.

Page 110

User manual ref. 9015509-04 ADSL router IPL-AD2

MAINTENANCE

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 111

APPENDIX 1 : HTML administration server

1/ Setup menu

Remote users To assign an ID and PWD to each authorized user and set rights

To set the M2Me service

LAN interface To enter the IP @ of the router on the LAN interface.

To enter the IP @ assigned to the remote users

To set up the Ethernet interfaces

To set up the DHCP server on the LAN interface

WAN interface To enter the IP @ of the router over the WAN interface.

Network To configures the VPNs

To enter static routes and enable the RIP protocol

To set up the VRRP redundancy protocol

To set up port forwarding

To set up advanced Ip addr. translation functions

Security

Alarm

To set the firewall rules (User filter and main filter)

To add a certificate

To restrict access to the administration server

To set up alarm SNMP traps

To set up alarm emails

Serial gateway To set up the modbus gateway (client / server)

To set up the Unitelway gateway

To set up the RAW TCP / RAW UDP / TELNET gateways

System To set up SNMP parameters

To enter the devices list

To update the service list

To update time and date

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 113

APPENDIX 1 : HTML administration server

2/ Diagnostic menu

Log

To display the events ( VPN connections, user connections..)

Network status Interfaces status : @ MAC, @IP, ADSL, VPN status tables status

Serial gateways

To display the status of each gateway (COM1 and COM2)

Tools To send Pings from the router

Hardware To display the input status

To control the output

To display the DIP switches status

Environment To display the internal T° and the supply voltage

Advanced To store the internal report to a disk for diagnostic purposes

3/ Maintenance menu

Firmware update To update the firmware

Save / restore To save or restore a configuration file

.To restore the factory configuration

Reboot

To restart he router

4/ About menu

To display the certificate “product key”

To display the firmware version

Page 114

User manual ref. 9015509-04 ADSL router IPL-AD2

APPENDIX 2 : VPN mechanism overview

1 Overview

VPN is the acronym for « virtual private network » ; it is a mechanism which allows to connect safely 2 end-points, two routers for instance or one router and one PC, through a network not intrinsically safe.

Once a VPN has been set between two routers , any device of the first network can communicate with any device of the second one as if the two routers were directly connected with an Ethernet cable.

VPN

Internet

VPN end-point

VPN end-point

A VPN allows also to connect a remote user to the devices of a network.

VPN

Internet

2 Functions

A VPN provides the functions described hereafter :

Authentication

The VPN ensures that the party with which the communication is set is actually the one it claims to be.

Data integrity

The VPN mechanism ensures that information being transmitted over the public Internet is not altered in any way during transit.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 115

APPENDIX 2 : VPN mechanism overview

Confidentiality

A VPN protects the privacy of information being exchanged between communicating parties.

Page 116

User manual ref. 9015509-04 ADSL router IPL-AD2

APPENDIX 2 : VPN mechanism overview

3 Operation

Authentication phase

The first operation the end-points carry out is authentication.

2 levels of authentication can be performed using a VPN :

Device level authentication

A code is stored in each end-point (i.e. router or PC); it can be a Key or a certificate delivered by a certification authority.

During the initial phase, the two end-point exchange their codes; each party checks that the other party code is valid.

User level authentication

The IPL-AD2 router holds a user list; once a VPN has been set with the remote user PC, the remote user identification code and password is checked.

Encrypted tunnel transmission phase

Once the end-points have exchanged and checked each other identity code, they set the VPN tunnel.

It is an Ip packets exchange; the source and destination IP addresses are the end-points.

That tunnel encapsulates the encrypted IP data flow transmitted between any of the devices connected to each end-point.

VPN clearing

Periodically, each router (or at least the VPN server router) sends to the other one a control message to check the VPN must remain established.

If no response is received from the other party, the VPN is cleared.

ADSL router IPL-AD2 User manual ref. 9015509-04

Page 117

Distribué par :

Contact : [email protected]

Tél : 0326824929

Fax : 0326851908

Siège social :

2 rue René Laennec

51500 Taissy

France www.hvssystem.com

13, Chemin du Vieux Chêne

38240 Meylan France

Tel : 33 4 76 04 20 00

Fax : 33 4 76 04 20 01

E-mail : [email protected]

Web : www.etictelecom.com

advertisement

Related manuals

Download PDF

advertisement

Table of contents