Moxa Technologies EDR-G903 User Manual
EDR-G903 User's Manual
Second Edition, January 2011
www.moxa.com/product
© 2011 Moxa Inc. All rights reserved.
Reproduction without permission is prohibited.
Summary of Contents for Moxa Technologies EDR-G903

  • Page 2: Copyright Notice

    EDR-G903 User’s Manual The software described in this manual is furnished under a license agreement and may be used only in accordance with the terms of that agreement. Copyright Notice Copyright ©2011 Moxa Inc. All rights reserved. Reproduction without permission is prohibited.
  • Page 3: Table of Contents

    Getting Started (2-1); RS-232 Console Configuration (115200, None, 8, 1, VT100) (2-2); Using Telnet to Access the EDR-G903’s Console (2-4); Using a Web Browser to Configure the EDR-G903 (2-5); Features and Functions (3-1); Configuring Basic Settings (3-3); System Identification ...
  • Page 4: Introduction

    Introduction Welcome to the Moxa EDR-G903 Series of Gigabit Firewall/VPN secure routers designed for connecting Ethernet-enabled devices in industrial field applications. The following topics are covered in this chapter: Overview, Package Checklist, Features, Industrial Networking Capability ...
  • Page 5: Overview

    -40 to 75°C environments. Package Checklist The EDR-G903 is shipped with the following items. If any of these items are missing or damaged, please contact your customer service representative for assistance.
  • Page 6: Getting Started

    (1) serial console, (2) Telnet console, or (3) web browser. The serial console connection method, which requires using a short serial cable to connect the EDR-G903 to a PC’s COM port, can be used if you do not know the EDR-G903’s IP address. The Telnet console and web browser connection methods can be used to access the EDR-G903 over an Ethernet LAN, or over the Internet.
  • Page 7: RS-232 Console Configuration (115200, None, 8, 1, VT100)

    Before running PComm Terminal Emulator, use an RJ45 to DB9-F (or RJ45 to DB25-F) cable to connect the EDR-G903’s RS-232 console port to your PC’s COM port (generally COM1 or COM2, depending on how your system is set up).
  • Page 8 Enter. Enter a question mark (?) to display the command list in the console. The following table shows a list of commands that can be used when the EDR-G903 is in console (serial or Telnet) mode: Login by Admin account:...
  • Page 9: Using Telnet to Access the EDR-G903’s Console

    (by either Telnet or a web browser) from a PC host that is connected to the same LAN as the EDR-G903, you need to make sure that the PC host and the EDR-G903 are on the same logical subnet. To do this, check your PC host’s IP address and subnet mask.
  • Page 10: Using a Web Browser to Configure the EDR-G903

    NOTE To use the EDR-G903’s management and monitoring functions from a PC host connected to the same LAN as the EDR-G903, you must make sure that the PC host and the EDR-G903 are connected to the same logical subnet. NOTE Before accessing the EDR-G903’s web browser, first connect the EDR-G903’s RJ45 Ethernet LAN ports to your...
  • Page 11 Getting Started NOTE By default, the EDR-G903’s password is not set (i.e., is blank). You may need to wait a few moments for the web page to be downloaded to your computer. Use the menu tree on the left side of the window to open the function pages to access each of the router’s functions.
  • Page 12: Features and Functions

    There are three ways to access these functions: (1) RS-232 console, (2) Telnet console, and (3) web browser. The web browser is the most user-friendly way to configure the EDR-G903, since you can both monitor the EDR-G903 and use administration functions from the web browser. An RS-232 or Telnet console connection only provides basic functions.
  • Page 13 The Overview page is divided into three major parts: Interface Status, Basic function status, and Recent 10 Event logs, and gives users a quick overview of the EDR-G903’s current settings. Click More… at the top of the Interface Status table to see detailed information about all interfaces.
  • Page 14: Configuring Basic Settings

    Factory Default: [Serial No. of this switch] (e.g., Factory Router 1). Router Location: Setting: Max. 80 characters; Description: To specify the location of different EDR-G903 units; Factory Default: Device Location (e.g., production line 1). Router Description: Setting: Max. 30 characters ...
  • Page 15: Accessible IP

    Accessible IP Settings allows you to add or remove “Legal” remote host IP addresses to prevent unauthorized access. Access to the EDR-G903 is controlled by IP address. If a host’s IP address is in the accessible IP table, then the host will have access to the EDR-G903. You can allow one of the following cases by setting this parameter: •...
  • Page 16: Password

    192.168.1.129 to 192.168.1.254: 192.168.1.128 / 255.255.255.128. The Accessible IP list controls which devices can connect to the EDR-G903 to change the configuration of the device. In the example shown below, the Accessible IP list in the EDR-G903 contains 10.10.10.10, which is the IP address of the remote user’s PC.
  • Page 17: Time

    The Time configuration page lets users set the time, date, and other settings. An explanation of each setting is given below. The EDR-G903 has a time calibration function based on information from an NTP server or user specified Time and Date information. Functions such as Auto warning “Email” can add real-time information to the message.
  • Page 18 NOTE The EDR-G903 has a real time clock so the user does not need to update the Current Time and Current Date to set the initial time for the EDR-G903 after each reboot. This is especially useful when the network does not have an Internet connection for an NTP server, or there is no NTP server on the network.
  • Page 19: SettingCheck

    For example, if the remote user (IP: 10.10.10.10) connects to the EDR-G903 and changes the accessible IP address to 10.10.10.12, or deselects the Enable checkbox accidently after the remote user clicks the Activate button, connection to the EDR-G903 will be lost because the IP address is not in the EDR-G903’s Accessible IP list.
  • Page 20: System File Update by Remote TFTP

    Accessible IP List setting, allowing the remote user to reconnect to the EDR-G903 and check what’s wrong with the previous setting. If the new configuration does not block the connection from the remote user to the EDR-G903, the user will see the SettingCheck Confirmed page, shown in the following figure. Click Confirm to save the configuration updates.
  • Page 21: System File Update by Local Import/Export

    TFTP server, or click Upload to upload a file to the remote TFTP server. System File Update—by Local Import/Export Configuration File Click Export to export the configuration file of the EDR-G903 to the local host. Log File Click Export to export the Log file of the EDR-G903 to the local host.
  • Page 22: Restart

    Features and Functions Upgrade Firmware To import a firmware file into the EDR-G903, click Browse to select a firmware file already saved on your computer. The upgrade procedure will proceed automatically after clicking Import. This upgrade procedure will take a couple of minutes to complete, including the boot-up time.
  • Page 23: WAN1 Configuration

    • Default setting of EDR-G903: Bridge mode. In this mode, the EDR-G903 operates as a bridge-mode firewall (also called a transparent firewall). Users can simply insert the EDR-G903 into the existing network without reconfiguring the other devices. • The EDR-G903 only has one IP address, network mask, and gateway.
  • Page 24 EDR-G903 Features and Functions Detailed Explanation of Dynamic IP Type. PPTP Dialup: Point-to-Point Tunneling Protocol is used for Virtual Private Networks (VPN). Remote users can use PPTP to connect to private networks from public networks. PPTP Connection: Setting; Description; Factory Default ...
  • Page 25 EDR-G903 Features and Functions DNS (Domain Name Server; optional setting for Dynamic IP and PPPoE types). Server 1/2/3: Setting: IP Address; Description: The DNS IP address; Factory Default: None. NOTE: A manually configured DNS has higher priority than the DNS obtained from the PPPoE or DHCP server.
  • Page 26: WAN2 Configuration (Includes DMZ Enable)

    EDR-G903 Features and Functions PPPoE Dialup. User Name: Setting: Max. 30 characters; Description: The user name for logging in to the PPPoE server; Factory Default: None. Host Name: Setting: Max. 30 characters; Description: User-defined host name of this PPPoE server ...
  • Page 27 EDR-G903 Features and Functions PPTP Dialup: Point-to-Point Tunneling Protocol is used for Virtual Private Networks (VPN). Remote users can use PPTP to connect to private networks from public networks. PPTP Connection: Setting: Enable or Disable; Description: Enable or disable the PPTP connection ...
  • Page 28 EDR-G903 Features and Functions Detailed Explanation of Static IP Type. Address Information: IP Address: Setting: IP Address; Description: The interface IP address; Factory Default: None. Subnet Mask: Setting: IP Address; Description: The subnet mask; Factory Default: None. Gateway: Setting; Description ...
  • Page 29: Using DMZ Mode

    EDR-G903 Features and Functions Host Name: Setting: Max. 30 characters; Description: User-defined host name for this PPPoE server; Factory Default: None. Password: Setting: Max. 30 characters; Description: The login password for this PPPoE server; Factory Default: None. Using DMZ Mode: A DMZ (demilitarized zone) is an isolated network for devices—such as data, FTP, web, and mail servers...
  • Page 30: DHCP Server

    255.255.255.0. DHCP Server: The EDR-G903 provides a DHCP (Dynamic Host Configuration Protocol) server function for LAN interfaces. When configured, the EDR-G903 will automatically assign an IP address to an Ethernet device from a defined IP range. DHCP configuration: DHCP Server Enable/Disable...
  • Page 31: Static DHCP List

    Features and Functions Static DHCP List Use the Static DHCP list to ensure that devices connected to the EDR-G903 always use the same IP address. The static DHCP list matches IP addresses to MAC addresses. In the above example, a device named “Device-01” was added to the Static DHCP list, with static IP address set to 192.168.127.101 and MAC address set to 00:09:ad:00:aa:01.
  • Page 32: Communication Redundancy

    Use the EDR-G903’s WAN backup function for dual WAN redundancy applications. The EDR-G903 has two WAN interfaces: WAN1 is the primary WAN interface and WAN2 is the backup interface. When the EDR-G903 detects that connection WAN1 has failed (Link down or Ping fails), it will switch the communication path from WAN1 to WAN2 automatically.
  • Page 33: WAN Backup Configuration

    The EDR-G903’s WAN backup function checks the link status and the connection integrity between the EDR-G903 and the ISP or central office. When the primary WAN interface fails, it will switch to the backup WAN automatically to keep the connection alive.
  • Page 34: Static Routing and Dynamic Routing

    Static Route You can define the routes yourself by specifying the next hop (or router) to which the EDR-G903 forwards data for a specific subnet. The settings of the Static Route will be added to the routing table and stored in the EDR-G903.
  • Page 35: Static Routing

    For modifying the content of a selected entry in the Static Routing Table. NOTE The entries in the Static Routing Table will not be added to the EDR-G903’s routing table until you click the Activate button. RIP (Routing Information Protocol) RIP is a distance-vector routing protocol that employs the hop count as a routing metric.
  • Page 36: Routing Table

    EDR-G903 Features and Functions RIP State: Setting: Enable/Disable; Description: Enable or disable the RIP protocol; Factory Default: Disable. Enable WAN 1 RIP: Check the checkbox to enable RIP on the WAN 1 interface. Enable WAN 2 RIP: Check the checkbox to enable RIP on the WAN 2 interface.
  • Page 37: Network Address Translation (NAT)

    The NAT function will check if incoming or outgoing packets match the policy. It starts by checking the packet with the first policy (Index=1); if the packet matches this policy, the EDR-G903 will translate the address immediately and then start checking the next packet. If the packet does not match this policy, it will check with the next policy.
  • Page 38: Port Forwarding

    Features and Functions The EDR-G903 provides a Dual WAN backup function for communication redundancy. If the interface is set to Auto, the NAT Mode is set to N-1, and the WAN backup function is enabled, the primary WAN interface is WAN1.
  • Page 39: 1-to-1 NAT

    EDR-G903 Features and Functions Interface (Port Forward mode): Setting: WAN1 / WAN2; Description: Select the interface for this NAT policy; Factory Default: WAN1. Protocol (Port Forward mode): Description: Select the protocol for the NAT policy; Factory Default: TCP & UDP. WAN Port (Port Forward mode) ...
  • Page 40 NOTE The EDR-G903 can obtain an IP address via DHCP or PPPoE. However, if this dynamic IP address is the same as the WAN IP for 1-to-1 NAT, then the 1-to-1 NAT function will not work. For this reason, we recommend disabling the DHCP/PPPoE function when using the 1-to-1 NAT function.
  • Page 41: Firewall Settings

    (the secure part). Firewall Policy Overview The EDR-G903 provides a Firewall Policy Overview that lists firewall policies by interface direction. Select the From interface and To interface and then click the Show button. The Policy list table will show the policies that match the From-To interface.
  • Page 42: Firewall Policy Configuration

    EDR-G903 Features and Functions Firewall Policy Configuration: The EDR-G903’s firewall policy provides secure traffic control, allowing users to control network traffic based on the following parameters. Interface From/To: Setting: All (WAN1/WAN2/LAN); Description: Select the From interface and To interface ...
  • Page 43: Layer 2 Policy Setup

    NOTE The EDR-G903’s firewall function will check if incoming or outgoing packets match the firewall policy. It starts by checking the packet with the first policy (Index=1); if the packet matches this policy, it will accept or drop the packet immediately and then check the next packet.
  • Page 44 EDR-G903 Features and Functions EtherType: Setting: 0x0600 to 0xFFFF; Description: When Protocol is set to “Manual” you can set up the EtherType manually; Factory Default: None. Target: Setting: Accept; Description: The packet will pass the firewall when it matches this firewall ...
  • Page 45: Quick Automation Profile

    (e.g., EtherNet/IP and Modbus TCP/IP) can operate on an industrial Ethernet network, with the Ethernet port number defined by IANA (Internet Assigned Numbers Authority). The EDR-G903 provides an easy-to-use function called Quick Automation Profile that includes 45 different pre-defined profiles (Modbus TCP/IP, EtherNet/IP, etc.), allowing users to create an industrial Ethernet Fieldbus firewall policy with a single click.
  • Page 46: PolicyCheck

    PolicyCheck button to check each policy; warning messages will be generated that can be used for further analysis. If the user decides to ignore a warning message, the EDR-G903 firewall will run on the configuration provided by the user.
  • Page 47 DROP After clicking the PolicyCheck button, the EDR-G903 will issue a message informing the user that policy [3] is masked by policy [2] because the IP range of policy [3] is smaller than the IP range of policy [2], and the Target action is different.
  • Page 48: Denial of Service (DoS) Function

    The source IP range in policy 3 is smaller than policy 2, but the destination IP of policy 2 is smaller than policy 3, and the target actions (Accept/Drop) of these two policies are different. If the user clicks the PolicyCheck button, the EDR-G903 will issue a message informing the user that policy [3] is in Cross Conflict with policy [2].
  • Page 49: VPN (Virtual Private Network)

    VPN (Virtual Private Network) Overview This chapter describes how to use the EDR-G903 to build a secure Remote Automation network with the VPN (Virtual Private Network) feature. A VPN provides a highly cost-effective solution for establishing secure tunnels, so that data can be exchanged in a secure manner.
  • Page 50: IPSec Configuration

    If there is an external NAT device between VPN tunnels, the user must enable the NAT-T (NAT-Traversal) function. IPSec Quick Setting The EDR-G903’s Quick Setting mode can be used to easily set up a site-to-site VPN tunnel for two EDR-G903 units. When choosing the Quick setting mode, the user just needs to configure the following: •...
  • Page 51 EDR-G903 Features and Functions Tunnel Setting. Enable or Disable VPN Tunnel: Setting: Enable or Disable; Description: Enable or disable this VPN tunnel; Factory Default: Disable. Name of VPN Tunnel: Setting: Max. of 16 characters; Description: User-defined name of this VPN tunnel.
  • Page 52 EDR-G903 Features and Functions Local Network / Netmask / ID. IP Address: Setting: IP Address; Description: IP address of the local VPN network; Factory Default: IP address of the LAN interface. Subnet Mask: Description: Subnet mask of the local VPN network; Factory Default: Netmask of the LAN interface. ID: ID for identifying the VPN tunnel connection.
  • Page 53 EDR-G903 Features and Functions In X.509 Mode, the user needs to upload the Local and Remote certifications first, and then select the certifications from the drop-down list. See the X.509 Certification section in this chapter for details. Encryption Algorithm Setting...
  • Page 54: Dead Peer Detection

    EDR-G903 Features and Functions Data Exchange (IPSec phase II). Perfect Forward Secrecy: Setting: Enable or Disable; Description: Uses a different security key for different IPSec phases to enhance security; Factory Default: Disable. SA Lifetime: Setting: SA lifetime (minutes) ...
  • Page 55: X.509 Certification

    Key exchange phase and Data exchange phase. X.509 Certification X.509 is a digital certificate method commonly used for IPSec Authentication. The EDR-G903 can generate a trusted Root Certification and then export/import the certificate to the remote VPN gateway.
  • Page 56: Certificate Setting

    EDR-G903 Features and Functions Certificate Generation The user must fill in the following information to generate the Root certification: • Country name (2 Letter code) • Certificate Days • State or Province Name • Locality Name • Organization Name •...
  • Page 57: L2TP (Layer 2 Tunnel Protocol)

    EDR-G903 Features and Functions Local Certificate Upload Upload the .p12 local certificate on this page. The Password must be the same as the .p12 certificate file. If the password is not correct, the certificate import process will fail. Label: User defined name for this local certificate...
  • Page 58: Examples for Typical VPN Applications

    EDR-G903 Features and Functions L2TP Configuration. L2TP Server Mode: Setting: Enable / Disable; Description: Enable or disable the L2TP function on the WAN1 or WAN2 interface; Factory Default: Disable. Local IP: Setting: IP Address; Description: The IP address of the local subnet; Factory Default: 0.0.0.0 ...
  • Page 59 All communication from the Roaming user (no fixed IP) to the Remote site Network (100.100.3.0/24) needs to pass through the VPN tunnel. • Communication goes through the Internet. • The configuration of the WAN/LAN interface for the EDR-G903 is shown in the following table.
  • Page 60: Traffic Prioritization

    The maximum number of Firewall policies for the EDR-G903 is 256. How Traffic Prioritization Works The EDR-G903 provides four different priority levels (0-3, high to low) for incoming and outgoing traffic. The following figure illustrates incoming traffic, which refers to the traffic transmitted from the WAN1 to LAN or WAN2 to LAN interface.
  • Page 61: Traffic Prioritization Configuration

    EDR-G903 Features and Functions Traffic Prioritization Configuration. Enable or Disable: Setting: Enable or Disable; Description: Enable or disable the Traffic Prioritization function; Factory Default: Disabled. Max. Bandwidth: Setting: 1 to 1,000,000; Description: The maximum bandwidth for total incoming or outgoing traffic; Factory Default: 100 KBytes/s ...
  • Page 62 EDR-G903 Features and Functions Maximum Bandwidth of Priority 0/1/2/3: Setting: 1 to 1,000,000 KBytes/s; Description: The maximum bandwidth for Priority 0/1/2/3; Factory Default: Priority 0: 10 KBytes/s, Priority 1: 20 KBytes/s, Priority 2: 30 KBytes/s, Priority 3: 40 KBytes/s. Outgoing/Incoming Policy Setup ...
  • Page 63 100 KBytes/s - 10 KBytes/s - 20 KBytes/s = 70 KBytes/s of bandwidth that does not belong to any priority. The EDR-G903 therefore distributes this spare bandwidth from the highest priority (0) down to the lowest priority (3): it adds the 70 KBytes/s to priority 0 because the maximum bandwidth of priority 0 is 100 KBytes/s.
  • Page 64: Configuring SNMP

    MD5 or SHA, is the most secure protocol. You can also enable data encryption to enhance data security. SNMP security modes and security levels supported by the EDR-G903 are shown in the following table. Select the security mode and level that will be used to communicate between the SNMP agent and manager.
  • Page 65 Port Events are related to the activity of a specific port. System Events (SNMP Trap is sent when…): Cold Start: Power is cut off and then reconnected. Warm Start: The EDR-G903 is rebooted, such as when network parameters are changed (IP address, subnet mask, etc.).
  • Page 66: Using Auto Warning

    3. Activate your settings and if necessary, test the email After configuring and activating your EDR-G903’s Event Types and Email Setup, you can use the Test Email function to see if your e-mail addresses and mail server address have been properly configured.
  • Page 67 Warning email is sent when…: Cold Start: Power is cut off and then reconnected. Warm Start: The EDR-G903 is rebooted, such as when network parameters are changed (IP address, subnet mask, etc.). Power Transition (On-Off): The EDR-G903 is powered down.
  • Page 68: Configuring Relay Warning

    Relay Alarm Events setting subsection). 2. Activate your settings After completing the configuration procedure, you will need to activate your EDR-G903’s Relay Event Types. Event Types can be divided into two basic groups: System Events and Port Events. System Events are related to the overall function of the router, whereas Port Events are related to the activity of a specific port.
  • Page 69: Using Diagnosis

    The function’s most unique feature is that even though the ping command is entered from the user’s PC keyboard, the actual ping command originates from the EDR-G903 itself. In this way, the user can essentially control the EDR-G903 and send ping commands out through its ports. There are two basic steps required to set up the Ping command to test network integrity: Select which interface will be used to send the ping commands.
  • Page 70: Using Monitor

    Access the Monitor by selecting “System” from the left selection bar. Monitor by System allows the user to view a graph that shows the combined data transmission activity of all the EDR-G903’s 3 ports. Click one of the three options—Total Packets, TX Packets or RX Packets—to view transmission activity of specific types of packets.
  • Page 71: Using System Log

    EDR-G903 Features and Functions Using System Log: The EDR-G903 provides EventLog and Syslog functions to record important events. Using EventLog: Bootup: This field shows how many times the EDR-G903 has been rebooted or cold started. Date: The date is updated based on how the current date is set in the “Basic Setting” page.
  • Page 72: Using Syslog

    EDR-G903 Features and Functions QoS_UpStream: Configuration change activated. DHCP: Configuration change activated / Enable / Disable. Configuration change activated / Enable / Disable. SNMP: Configuration change activated / Enable / Disable. DDNS: Configuration change activated / Enable / Disable. WAN Backup: Configuration change activated...
  • Page 73: Using HTTPS/SSL

    Features and Functions Using HTTPS/SSL To secure your HTTP access, the EDR-G903 supports HTTPS/SSL to encrypt all HTTP traffic. Perform the following steps to access the EDR-G903’s web browser interface via HTTPS/SSL. Open Internet Explorer and type https://<EDR-G903’s IP address> in the address field. Press Enter to establish the connection.
  • Page 74: MIB Groups

    MIB Groups The EDR-G903 comes with built-in SNMP (Simple Network Management Protocol) agent software that supports cold start trap, line up/down trap, and RFC 1213 MIB-II. The standard MIB groups that the EDR-G903 series supports are: MIB II.1 – System Group sysORTable MIB II.2 –...
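The "masked" and "Cross Conflict" warnings that PolicyCheck raises in the Page 47 and Page 48 excerpts above, re-created as an added Python example that is not Moxa's code. The policy table is constructed, "IP range is smaller than" is modelled as "is a subnet of, or equal to", and the mirror-image cross conflict (narrower destination, wider source) is included as a generalisation of the one case the page shows.

```python
"""Re-creation of the EDR-G903 PolicyCheck rules quoted in the page 47/48 excerpts.

Constructed example, not Moxa code.  Assumptions: policies are evaluated
first-match from Index 1 (page 43 excerpt), and "IP range is smaller than"
is modelled as "is a subnet of, or equal to".
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    index: int
    src: IPv4Network   # source IP range
    dst: IPv4Network   # destination IP range
    target: str        # "Accept" or "Drop"


def policy(index, src, dst, target):
    return Policy(index, ip_network(src), ip_network(dst), target)


def first_match(policies, src_ip, dst_ip):
    """Return the policy the firewall would apply to a src->dst packet, or None."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for p in sorted(policies, key=lambda q: q.index):
        if s in p.src and d in p.dst:
            return p
    return None


def check_policies(policies):
    """Return (kind, later_index, earlier_index) findings as PolicyCheck reports them.

    masked:         the later policy's src and dst ranges both sit inside an
                    earlier policy with a different Target, so it can never fire.
    cross-conflict: one range of the later policy is narrower and the other wider
                    than the earlier policy's, with a different Target.  The page
                    shows the src-narrower/dst-wider case; the mirror case is
                    included here as a generalisation.
    """
    findings = []
    ordered = sorted(policies, key=lambda q: q.index)
    for i, earlier in enumerate(ordered):
        for later in ordered[i + 1:]:
            if later.target == earlier.target:
                continue  # same action either way: the overlap is harmless
            src_in = later.src.subnet_of(earlier.src)
            dst_in = later.dst.subnet_of(earlier.dst)
            if src_in and dst_in:
                findings.append(("masked", later.index, earlier.index))
            elif ((src_in and earlier.dst.subnet_of(later.dst))
                  or (dst_in and earlier.src.subnet_of(later.src))):
                findings.append(("cross-conflict", later.index, earlier.index))
    return findings


def describe(findings):
    """Format findings in the wording the page quotes from the PolicyCheck dialog."""
    return [f"policy [{later}] is masked by policy [{earlier}]" if kind == "masked"
            else f"policy [{later}] is in Cross Conflict with policy [{earlier}]"
            for kind, later, earlier in findings]


# Constructed policy table; the addresses are illustrative, not from the manual.
SAMPLE_POLICIES = [
    policy(1, "192.168.127.0/24", "10.10.10.0/24", "Accept"),
    policy(2, "192.168.0.0/16", "10.10.0.0/16", "Drop"),
    policy(3, "192.168.200.0/24", "10.10.20.0/24", "Accept"),  # inside 2 on both sides
    policy(4, "192.168.1.0/24", "10.0.0.0/8", "Accept"),  # narrower src, wider dst
]

if __name__ == "__main__":
    for line in describe(check_policies(SAMPLE_POLICIES)):
        print(line)
    # Policy 3 is masked: this packet is dropped by policy 2 before 3 is reached.
    print(first_match(SAMPLE_POLICIES, "192.168.200.7", "10.10.20.3").index)
```

Running the check before clicking Activate shows why a masked Accept rule silently leaves traffic dropped by the broader Drop rule above it.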