Westermo reserves the right to revise this document or withdraw it at any time without prior notice. Under no circumstances shall Westermo be responsible for any loss of data or income or any special, incidental, and consequential or indirect damages howsoever caused.
Westermo design and manufacture a wide range of both wireline and wireless network routing products. For a complete, up-to-date list of current products, please visit the Westermo web site at www.Westermo.com.
2 Using the Web interface To access the built-in web pages using a web browser (e.g. Internet Explorer), there are two options. 2.1 Access Via a LAN Port To access the unit through a LAN port you should assign your PC an IP address on the 192.168.0.0/24 network (for example use an IP address of 192.168.0.1 and a mask of 255.255.255.0).
You must now enter a name for the connection. It is helpful to choose a name that you will easily remember such as “My Local Westermo” or “DR-200 - Bristol Office”. Click Next >. The following dialog allows you to fill in the phone number for the connection.
The new DUN connection that you have just created may now be used to connect to the unit but before you do this, you will need to check some of the configuration properties. Click on the Start button and select Connect To > My Westermo Router (substituting the connection name you chose).
Application Commands Application commands are specific to Westermo products and are used to control most features of the unit when not using the Web interface. X.3 Commands These are standard X.3 commands which are used only in X.25 PAD mode...
3.1.2 The Escape Sequence If you enter a command such as “ATD”, which results in the unit successfully establishing a connection to a remote system, it will issue a “CONNECT” result code and switch from command mode to on-line mode. This means that it will no longer accept commands from the terminal. Instead, data will be passed transparently through the unit to the remote system.
3.2 Westermo Application Commands The unit also supports numerous text-based “application” commands that are specific to Westermo products and do not require the “AT” prefix. Some of these are generic i.e. they are related to the general operation of the unit; others are application or protocol specific.
♦ An outgoing V.120 call may be made using the “ATD” command ♦ You can initiate a DUN session to establish a dial-up PPP connection. ♦ An outgoing X.25 call may be made using the “ATD” command followed by the X.28 CALL command.
4 Configuring your unit This section describes the various configuration parameters for the unit and how to set or change them using the built-in web pages or the text commands. Configuration using the Web pages is achieved by entering the required values into text boxes or tables on the page, or by turning features on or off using checkboxes.
4.2 Configuring and Testing GPRS Models Refer to the Configure > GPRS Module section of this guide to configure your router for the correct APN and PIN code (if any). You can now power up your unit and test connection to the GPRS network. If you have correctly confi...
4.4 Configure > ADAPT The unit incorporates two “Adapt” (rate adaptation protocol) instances. Each instance allows you to select and configure the protocol to be used for providing rate adaptation over an ISDN B channel. The supported protocols are V.110, V.120 and X.75. Depending on which protocol is selected, there may be an associated LAPB instance (distinct from the two general purpose LAPB instances), as for example, when V.120 is used in error corrected (Multi-frame) mode.
V110 user rate: This parameter allows you to specify the data rate to be used on ISDN when operating in V.110 mode. V110 fixed rate: This parameter can be set to Yes to prevent the V.110 protocol from changing the data rate. Direct sync mode: This parameter allows you to replace the standard V120 frame header with the 0xff character.
The parameters and values are: Parameter Values Equivalent Web Parameter number dial_retries number dsync off, on Direct sync mode fixed_rate off, on V110 fixed rate ip_addr number IP address ip_port number IP port leased_line off, on lip_port number Listening IP port number msnv110...
4.5 Configure > Analyser Your unit can be configured to maintain a trace of activity taking place at the various ports and of the layer 2 and 3 protocols. Trace information is stored in a circular buffer in memory. When the buffer is full, the storage of new trace data starts at the beginning of the buffer again (overwriting the oldest data).
SNAIP: This checkbox is used to enable or disable the inclusion of SNAIP packets in the analyser trace. ISDN sources: The group of check boxes shown under this heading are used to select the ISDN channels (D, B1 and B2) that will be included in the trace. To include or exclude a specific LAPB or LAPD instance from the trace ensure that the appropriate checkbox is checked or cleared respectively.
Using Text Commands From the command line, the command can be used to configure the protocol analyser. To display the current settings for the analyser enter the command: ana <instance> ? where <instance> is 0 (there is only one instance of the Analyser).
To include or exclude trace information from the various possible sources, use the appropriate command from the above table in conjunction with the required value from the following tables: ASY sources: Value ASY 3 ASY 2 ASY 1 ASY 0 Ethernet, IP or PPP sources: These are a special case and cannot be confi...
LAPD sources: Value LAPB 2 LAPB 1 LAPB 0 Raw Sync sources: Physical Physical Value ISDN B2 ISDN B1 ISDN D Port 1 Port 0 6620-3201...
4.6 Configure > ASY Ports Each ASY (serial) port can be independently configured for interface speed, parity, command echo, etc. These parameters can be set via the appropriate Configure > ASY Port web page or from the command line using AT commands and S registers.
parameter is the decimal ASCII code for the character, normally 43 (“+” symbol). Changing this parameter has the same effect as changing the “S2” register. Escape delay (x20 ms): This parameter defines the required minimum length of the pause (in multiples of 20ms), in the escape sequence between entering three escape characters and then entering “AT”.
Using Text Commands ASY ports are configured from the command line using “AT” commands and “S” registers: Cmd/S-reg Description Echo Verbose mode Load profile &C DCD control &D DTR response &K Flow control &W Store profile &Y Power-up profi...
4.7 Configure > TRANSIP ASY Ports TransIP is a method of using virtual ASY ports for serial connections, in effect multiplying the number of concurrent serial connections to a unit. Using the Web Page(s) TransIP #: The TransIP port number. Each TransIP is assigned a separate virtual ASY port. ASY port: The virtual ASY port number assigned to the TransIP instance.
4.8 Configure > Backup IP Addresses This page contains a table that is used to specify alternative addresses to use when the unit fails in an attempt to open a socket. These addresses are used only for socket connections that originate from the unit and are typically used to provide back-up for XOT connections, TANS (TPAD answering) connections or any application in which the unit is making outgoing socket connections.
The unit can establish an IPSec tunnel to another unit using certificates. For more information on using certificates with your unit, please refer to the Application Note “How to configure an IPSEC VPN tunnel between two Westermo Routers using Certificates and SCEP”, which is available from the Westermo web site.
Using Text Commands From the command line, the creq command can be used to enter the certificate request information. To display the current settings for certificate request enter the command: creq <instance> ? where <instance> is 0. To change the value of a parameter use the same command in the format: creq <instance>...
4.10 Configure > Certificates > SCEP This page contains information needed to both request CA certificates from the CA server, and to enrol the certificate requests using Simple Certificate Enrolment Protocol (SCEP). Using the Web Page(s) Host: The IP address of the CA server.
Using Text Commands From the command line, the command can be used to retrieve CA certificates and enrol scep certificate requests. To display the current settings for SCEP enter the command: scep <instance> ? where <instance> is 0. To change the value of a parameter use the same command in the format: scep <instance>...
4.11 Configure > Certificates > Utilities This page contains information used to generate the private key needed before a certificate can be requested from the CA. Using the Web Page(s) New Key Size: The size of the private key in bits. If this parameter is set to Off, the private key will not be generated. The key size can be anything between 384 bits and 2048 bits.
From the command line, the creqnew command can be used to generate a certificate request. If the private key does not already exist, and the appropriate parameters are entered, the key will be generated at the same time. To generate a certificate request, enter the command: creq new <parameter>...
4.12 Configure > Calling Numbers Note: This feature is for use by experienced personnel for network testing and fault diagnosis. It should not be required in normal use. To use this feature, your ISDN circuit must support Calling Line Identifi...
filter table is only checked if there was not a match in the command mapping table. For more information on Command Filtering, please refer to the Application Note “Command Line Response Manipulation”, which is available on the Westermo web site. Using the Web Page(s) page contains a table that allows you to enter a series of Confi...
4.14 Configure > Command Mappings It is possible to specify a small number of command “aliases” on your unit. This allows you to specify substitute strings for text commands entered at the command line. Using the Web Page(s) page contains a table that allows you to specify up to four Confi...
> Ethernet Port n Westermo routers incorporate one or more Dynamic Host Configuration Protocol (DHCP) servers, one for each Ethernet port. DHCP is a standard Internet protocol that allows a DHCP server to dynamically distribute IP addressing and configuration information to network clients.
Using Text Commands From the command line, use the dhcp command to configure or display the DHCP server settings. To display current settings for the DHCP server enter the following command: dhcp <instance> ? When configured for Port Isolate operation, models with a built-in hub support multiple DHCP instances.
4.16 Configure > DHCP Server > MAC –>IP Addresses This page allows you to configure a number of MAC to IP address mappings and should be used when it is necessary to supply a specific IP address to a particular Ethernet MAC address. This is particularly useful for mobile applications, e.g.
4.17 Configure > DNS Server Update “Dynamic DNS” is supported in accordance with RFC2136 and RFC2485. This allows units to update specified DNS servers with their IP addresses when they first connect to the Internet and at regular intervals thereafter.
Required time accuracy (s) This parameter specifies the permitted variance between the unit’s time and that of the DNS server. If the variance exceeds this time then the DNS update will fail. Time to live (s): This parameter specifies how long a unit that resolved the address is allowed to cache that address for.
None - Receive Gain Offset rxg_oset number None - Target Noise Margin Offset tnm_oset number None - Transmission Gain Offset txg_oset Note: txg_oset, rxg_oset, tnm_oset and max_bpt should not be changed without explicit instructions from Westermo Technical Support.
4.19 Configure > > ATM PVCs > PVC n Products incorporating a DSL broadband interface will include a configuration page entitled PVCs. This in turn will contain one ATM PVC sub-page for each ATM PVC Configure > >...
Using Text Commands To configure ATM PVC parameters via the command line use the apvc command. To display the current settings for an APVC instance enter the command: apvc <instance> ? where <instance> is 0 to 3. To change the value of a parameter, use the command in the format: apvc <instance>...
4.20 Configure > Dynamic DNS The Dynamic DNS client (DYNDNS), is used to update DNS hostnames with the current IP address of a particular interface. It operates in accordance with the specification supplied by dyndns.org (go to http://www.dyndns.org/developers/specs/). When the interface specified by the Interface and Interface # parameters connects, the client checks the current IP address of that interface and if it differs from that obtained by the previous connection, www.dyndns.org...
Using Text Commands From the command line, use the dyndns command to configure or display DNS Update settings. To display current settings enter the command: dyndns <instance> ? where <instance> is 0. To change the value of a parameter use the command in the format: dyndns <instance>...
4.21 Configure > Ethernet > ETH n The Configure > Ethernet folder opens to list configuration pages for each of the available Ethernet instances on the unit. Each page allows you to configure parameters such as the IP address, mask, gateway, etc.
Max Rx rate (kbps): On models with multiple LAN ports, this parameter may be used to specify a maximum data rate in kbps that the unit will receive on this port. This may be useful in applications where separate LAN ports are allocated to separate LAN’s and it is necessary to prioritise traffi...
private host, it changes the destination IP address of the packet from its public IP address to the IP address of the private host. NAPT NAPT behaves like NAT but in addition to changing the source IP of the packet from the private host it can also change the source port number.
“genuine” traffic. This effect can be prevented by using the appropriate commands and options within the firewall script. However, on Westermo 1000 series units, or where you are not using a firewall, the same result can be achieved by selecting this option, i.e. when this option is selected the normal behaviour of the unit in responding to SYN packets with RST packets is disabled.
RIP authentication method: This parameter selects the authentication method for RIP packets. When set to “Off”, the interface will send and receive packets without any authentication. When set to “Access List”, the interface will send RIP packets without any authentication. When receiving packets, the interface will check the sender’s IP address against the list entered on the Confi...
VRRP group ID: The VRRP parameters are used to configure the router to participate in a VRRP group. VRRP (Virtual Router Redundancy Protocol), allows multiple physical routers to appear as a single gateway for IP communications in order to provide back-up WAN communications in the event that the primary router in the group fails in some way.
Parameter Values Equivalent Web Parameter igmp off, on IGMP ipaddr IP address IP address ipanon off, on Analyser: IP sources IPSec: 0=Off 1=On ipsec ipsecadd number IPSec source IP from interface # ipsecent blank, PPP, ETH IPSec source IP from interface linkdeact number Physical link down deact delay...
4.22 Configure > Ethernet > ETH n > In addition to the QOS parameter on the ETH N standard parameters pages (which are used to enable quality of service management for that ETH instance), each ETH instance has an associated QOS instance (ETH 0 maps to QOS 5, ETH 1 maps to QOS 6, etc.).
The parameters and values are: Parameter Values Equivalent Web Parameter linkkbps number Link speed (Kbps) q0prof 0-11 Queue 0 Profile q0prio Queue 0 Priority q1prof 0-11 Queue 1 Profile q1prio Queue 1 Priority q2prof 0-11 Queue 2 Profile q2prio Queue 2 Priority q3prof...
VRRP priority according to the status of that interface. For example, the user may wish to configure probing in such a way that the Westermo router WAN interface is tested, and adjust the VRRP priority down if the WAN is not operational. Another example would be to probe the WAN interface of another VRRP router, and adjust the local VRRP priority up if that WAN interface isn’t operational.
Probe priority adjustment direction: This parameter specifies the direction in which the Group priority will be adjusted in the event that the Probe failure limit is reached. Probe failure priority adjustment: This parameter is used to set the amount of priority adjustment applied to the Group priority in the event that the Probe failure limit is reached.
MAC address or matching part thereof exists in the MAC filter table. It is possible to allow a range of addresses by specifying only the significant portion of the MAC address in the table, e.g. macfilt 0 mac “00042d” to allow packets from Westermo units. Using the Web Page(s) The MAC fi...
4.25 Configure > Ethernet > VLANs VLANs (Virtual LAN’s) enable you to split a single physical LAN into separate Virtual LAN’s. This is useful for security reasons, and will also help cut down on broadcast traffic on your LAN. The VLAN feature is currently a chargeable extra.
Using Text Commands From the command line, use the vlan command to configure or display the VLAN instance. To display the current settings for the VLAN instance enter the following command: vlan <instance> ? where <instance> is the VLAN instance (0 - 9). To change the value of a parameter use the following command: vlan <instance>...
4.26 Configure > Event Handler The unit maintains a log of certain types of event in the “EVENTLOG.TXT” pseudo file. When an event of a specified level (or higher) occurs, it can be configured to automatically generate and send an email alert message, or on GPRS models an SMS alert message, to a pre-defi...
Email To: This parameter is used to specify the email address for the recipient of email alert messages generated by the event logger. Email From: This parameter is used to specify the email address for the unit. You will need to set up an email account with your Internet Service Provider.
SMS template: This field contains the name of the template file that will be used to form the basis of any SMS alarm messages generated by the event logger. The default template is a text file called “EVENT.SMS” that is stored within the compressed .web fi...
4.27 Configure > Event Logcodes This page allows you to edit the logcodes used to describe events entered in the “EVENTLOG.TXT” pseudo file. Using the Web Page(s) The web page shows the following information: Event Code The code used to describe the event in the “EVENTLOG.TXT” pseudo file. Filter Priority The priority of the event, used to determine whether the event will trigger emails, SMS messages or SNMP traps.
PPP Mask: A bitmask (entered in decimal format) that determines which PPP instances the priority for the event will apply. For example, if you wish that only events on PPP0 and PPP3 have the priority set in the parameter, enter 5 (1010 in decimal). Priority Log Level: The priority of the event, used to determine whether the event will be logged.
4.27.2 Configuring Reasons By clicking on a reason, a new page is displayed showing the following parameters: Inherit priority from Event: By selecting “On”, the priority of the reason will be the same as the Event that was triggered. If “Off” is selected, the reason takes the priority entered in the Priority parameter.
A more detailed description of how firewalls operate on Westermo routers is given in the “Firewall Scripts” section. If you intend to implement a firewall you should refer to that section first.
Using Text Commands If your firewall script is particularly complex, you may wish to create it on your PC using the text editor of your choice and then load it onto the unit when it is complete. To do this simply create the file and save it as “FW.TXT”.
4.29 Configure > Firewall Options This page contains the timer parameters and other options that are used by the Firewall stateful inspection module. This module establishes temporary firewall rules that last for the duration of a single connection only. Typically, the first packet of a TCP connection (a SYN packet), is used to create a stateful inspection rule that only allows subsequent packets for that TCP connection through the fi...
Using Text Commands From the command line, use the fwall command to configure or display firewall options. To display current settings enter the command: fwall <instance> ? where <instance> is 0. At present there is only one firewall instance, i.e. 0, but the instance parameter has been included to allow for future expansion.
4.30 Configure > FTP Client This page contains only one parameter. Using the Web Page(s) TX buffer size: The size of the TX buffer in bytes. Using Text Commands From the command line, use the ftpcli command to configure FTP client options. To display current settings enter the command: ftpcli <instance>...
4.31 Configure > FTP Relay Agents > RELAY n The FTP Relay agents allow any files transferred onto the unit by a specified user (using File Transfer Protocol), to be temporarily stored in memory and then relayed to a specified FTP host. This is useful when the unit is being used to collect data fi...
Rename local file: When this parameter is set to “Yes”, the unit will store uploaded files internally with a filename in the form “relnnnn” where nnnn is a sequential number. For each new file received the number is incremented.
Using Text Commands From the command line, use the frelay command to configure or display FTP Relay Agent settings. To display current settings enter the command: frelay <instance> ? where <instance> is the instance number of the agent. To change the value of a parameter use the command in the format: frelay 0 <parameter>...
4.32 Configure > General This is used to set up a variety of features that relate to the basic operation of the unit. Using the Web Page(s) Power-up config: This specifies which of the two config files “CONFIG.DA0” or “CONFIG.DA1”, is loaded when the unit is powered up or rebooted.
X25 remote command address: This parameter is used to allow remote access to the unit via an X.25 channel. If the address specified, (up to 15 digits), matches the trailing digits of an incoming X.25 call, the calling user will be prompted to enter their username and password.
GPRS port Telnet mode: On models fitted with GPRS, this parameter is used to select the Telnet mode when a remote entity is connected to the GPRS port via TCP/IP. The three available options are the same as those for described above.
Alternative route delay (s): This parameter is normally set to 0 and should not be changed without reference to Westermo Technical Support. Always-on route return-to-service delay (s): An “always-on”...
Pre login banner: This parameter specifies a file that will be used as a banner placed before login information is requested when connecting to a command line session. Post login banner: This parameter specifies a file that will be used as a banner placed after login information is entered when connecting to a command line session.
Using Text Commands From the command line, the general settings are configured using the command. To display current general settings enter the command: cmd <instance> ? where <instance> is 0, 1, 2 or 3. Note: The instance number should be 0 in all cases EXCEPT when using the ASY name or Telnet mode parameters, in which cases the instance number should match the required port number.
Parameter Values Equivalent Web Parameter bufsafe_secs number None - The time period for buffer level checking. cmdnua number X.25 remote command address SNMP community string comm_str text SNMP enterprise name ent_name text ent_nb number SNMP enterprise number from Auto-configure Email: From text ftpnatport number...
Local Port Access Levels It is possible to set the access level for all ASY ports to a certain level using the local command. Any user connecting to the local port will be assigned this access level. To override this, the login command can be used to log in with a username and password, and the port will then be assigned the access level for that user.
4.33 Configure > GP TCP Sockets This page is used to set parameters relating to general purpose TCP sockets. Using the Web Page(s) ASY port sockets MSS to advertise: This parameter sets the maximum segment size used/advertised by an ASY port connected to TCP sockets.
Using Text Commands From the command line, the sockopt command can be used to configure the TCP Sockets. To display the current settings for the TCP sockets enter the command: sockopt <instance> ? where <instance> is 0. To change the value of a parameter use the same command in the format: sockopt 0 <parameter>...
4.34 Configure > GPRS Module GPRS functionality is only available on models that are fitted with a GPRS module. This module replaces one of the ASY ports (normally ASY1) and is controlled by the router using “AT” commands (in the same way as a modem).
Backup IP address: This parameter may be used to specify an IP address associated with the Backup APN for use when the unit cannot connect using the primary Static IP address. If the parameter is enabled, this parameter is used to Retry APN time (mins): Use backup APN defi...
Link retries: The router will normally make multiple attempts to connect to the GPRS network in the event that the signal is lost. In some cases, this can result in a “lock-up” situation where the GSM network is unable to attach the GPRS device due to the multiple attempts. The parameter specifi...
Using Text Commands From the command line, the modemcc command can be used to configure the GPRS module. To display the current settings for the GPRS module enter the command: modemcc <instance> ? where <instance> is 0. To change the value of a parameter use the same command in the format: modemcc 0 <parameter>...
4.34.1 Additional Configuration for GPRS If you are intending to use your GPRS router to connect a local PC or laptop to remote services via GPRS, you will need to ensure that both the PC and the router share a common TCP/IP subnet. To ensure that this is the case, use the unit’s DHCP server to give your PC an IP address in the correct range.
4.35 Configure > GPRS Module > Cell Monitor The Cell Monitor retrieves information about the GSM network and displays the following: ♦ The parameters of the GSM cell currently being used to provide the communications link (typically GPRS), known as the serving cell ♦...
IP connection settings The Cell Monitor may be configured to transmit the data it retrieves to a specified TCP/IP address/ port. The parameters are as follows: IP address: This parameter specifies an IP address to which the unit will attempt to establish a TCP/IP connection. must be specifi...
4.36 Configure > GPS Receiver The unit can contain an optional internal GPS receiver, or can be connected to an external GPS receiver. Both will be connected to an internal ASY port. Using the Web Page(s) The web page is split into several sections. If Local Monitoring is “On”, messages from the GPS receiver may be viewed Local Monitoring on the...
IP Connections The IP connections section contains the parameters for setting the destination for the GPS data. Up to two destinations can be configured. IP address 1: The IP address the GPS data is sent to. IP port 1: The TCP or UDP port number the GPS data is sent to.
Using Text Commands From the command line, use the command to configure or display GPS receiver parameters. To display the current parameters and their values, enter: gps <instance> ? where <instance> is 0. To change the value of a parameter enter: gps 0 <parameter>...
Additional GPS Text Commands Two additional text commands are available for controlling the way in which messages from the GPS receiver are treated. These are as follows: cmd <instance> gpson {on|off} When set to on, this indicates that an instance of the command line interpreter is connected to the GPS receiver.
4.37 Configure > IP Routes > > RIP update options Using the Web Page(s) RIP update timeout: This is the length of time in seconds an updated metric will apply for when a RIP update is received. If no updates are received within this time the usual metric will take over. RIP update linger timeout: When a RIP update timeout occurs and the route metric is 16, the unit will continue to advertise this route in RIP updates for this period of time (in seconds).
4.38 Configure > IP Routes > > RIP access list The unit has the ability to modify route metrics based upon received RIP responses. Static routes and default routes will have their metric modified if the route fits within one of the routes found within the RIP packet.
4.39 Configure > IP Routes > RIP > Authentication keys > Key n The RIP authentication keys are used with the “Plain password” and “MD5” RIP authentication methods used by the RIP authentication method parameter on the Configure >...
Link with interface: This parameter, in conjunction with the Link with interface # parameter, defines which interface or interfaces this key is associated with. “Any” means this key can be used by any interface, “PPP” means the key can only be used by the PPP interface instance number defined in Link with #, and “Ethernet”...
4.40 Configure > IP Routes > Route n The Configure > IP Routes > Route n pages allow you to set up static IP routes for particular IP subnets, networks or addresses. There is a separate page for each available static route which, when populated with the appropriate information, defi...
Enqueue only one packet during interface connection period: This parameter defines how many packets will be enqueued by the route during the time when waiting for an interface to connect. When turned “ON”, only one packet will be enqueued, when “Off”, two packets will be enqueued.
Using Text Commands From the command line, use the route command to configure a static IP route. To display the current settings for a particular IP route, enter the following command: route <instance> ? where <instance> is the number of the IP route. To set up parameters for a static IP route, enter the command in the format: route <instance>...
For further information refer to “IPSec and VPN’s” in this manual. Also check the Downloads page on www.Westermo.com for the latest IPSec application notes. The first stage in establishing a secure link between two endpoints on an IP network is for those two points to securely exchange a little information about each other.
4.43 Configure > IPSec > When an IPSec tunnel is not receiving packets, the unit will send an IKE DPD request at regular intervals. If no response is received to the DPD request, more requests are sent at a shorter interval until either the maximum outstanding requests allowed is reached or a response is received.
4.44 Configure > IPSec > > IKE n Using the Web Page(s) Encryption algorithm: This parameter selects the encryption algorithm to be used for IKE exchanges over the IP connection. You can select “DES”, “3DES” or leave the option blank (in which case key exchanges will not be encrypted).
Minimum IPSec MODP group: This parameter allows the user to set the minimum width of the numeric field used in the calculations for phase 2 of the security exchange. With “No PFS” (Perfect Forwarding Security) selected, the data transferred during phase 1 can be reused to generate the keys for the phase 2 SA’s (hence speeding up connections).
Using Text Commands From the command line, use the ike command to configure or display IKE initiator settings. To display current settings for an IKE instance enter the command: ike <instance> ? where <instance> is 0 or 1. To change the value of a parameter use the command in the format: ike <instance>...
4.45 Configure > IPSec > > Responder Using the Web Page(s) The Configure > IPSec > IKE Responder page lists the various parameters for IKE 0 when used in responder mode: Act as initiator only: Setting this parameter to “Yes” prevents the unit from responding to any remote IKE requests. When set to “No”...
RSA private key file: This parameter specifies the name of a file for the X.509 certificate holding the unit’s private part of the public/private key pair used in certificate exchanges. See X.509 certificates for further explanation. Use debug port: When this parameter is set to “No”, any debug information is sent to the normal analyser trace where it may be fi...
4.46 Configure > IPSec > IKEv2 > IKEv2 n When IKE Version 2 is supported, it is possible to specify whether the IKEv1 or IKEv2 protocol should be used to negotiate IKE SA’s. By default, IKEv1 is used and units which have been upgraded from IKEv1 to IKEv2 will not require any changes to their confi...
NAT traversal keep-alive interval (s): This parameter may be used to set a timer (in seconds), such that the unit will send regular packets to a NAT device in order to prevent the NAT table from expiring. RSA private key fi le: This parameter specifi...
4.47 Configure > IPSec > IKEv2 > Responder Using the Web Page(s) The Configure > IPSec > IKEv2 > Responder page lists the various Responder parameters for IKEv2.0: Act as initiator only: Setting this parameter to “Yes” prevents the unit from responding to any remote IKEv2 requests. When set to “No”...
NAT traversal keep-alive interval (s): This parameter may be used to set a timer (in seconds), such that the unit will send regular packets to a NAT device in order to prevent the NAT table from expiring. RSA private key file: This parameter specifi...
4.48 Configure > IPSec > IPSec Eroutes > Eroute n Once the IKE parameters have been set up, the next stage is to define the characteristics of the encrypted routes, or tunnels (“eroutes”). This includes items such as what source/destination addresses will be connected by the tunnel and what type of encryption/authentication procedures will be applied to the packets traversing it.
Local subnet IP address to negotiate (if different from above): / Local subnet mask to negotiate (if different from above): If eroutes are allowed to negotiate local traffic selectors which differ from the normal ones, these two parameters will be the values used when negotiating the tunnels. The firewall can then be used to translate the source addresses of packets to a value that lies within the negotiated range.
ESP encryption algorithm: This parameter specifies the cryptographic algorithm to be used when securing the packet payload. You may select none (blank), “DES”, “3-DES” or “RIJN” (AES). ESP encrypt key length (bits): This parameter is only used when ESP encryption algorithm is set to “AES”.
Create SA’s automatically: When this parameter is set to “Yes”, the Eroute will automatically attempt to create an IPSec SA (VPN Tunnel) regardless of whether the unit needs to route any packets to the remote subnet or not. This effectively creates an “always on” Eroute. Authentication method: This parameter specifi...
This eroute is tunnelled within another eroute: It is now possible to tunnel packets within a second (or more) tunnel. When this parameter is set to “On”, the unit will take outgoing packets going through this tunnel and once tunnelled, will recheck to see if the resultant packet also goes through a tunnel.
Using Text Commands From the command line, use the eroute command to configure or display Eroute settings. To display current settings for a specific Eroute, enter the command: eroute <eroute> ? where <eroute> is the number of the eroute. To change the value of a parameter use the command in the format: eroute <eroute>...
Parameter | Values | Equivalent Web Parameter
oosdelsa | off, on | Delete SAs when eroute goes out of service
ourid | text | Our ID
peerid | text | Peer ID
peerip | IP address | Peer IP/hostname
privkey | filename | RSA private key file
proto | off, tcp, udp | IP protocol
refi...
ID’s. For example, setting the Peer ID parameter to “Westermo*” would match all remote units having an Our ID parameter starting with “Westermo”, e.g. Westermo01, Westermo02, etc. Example: To set up multiple users in this way, first set up the...
4.49 Configure > IPSec > Default Eroute Like a normal IP routing set-up, IPSec “Eroutes” have a default configuration that is applied if no specific route can be found. This is useful when, for instance, you wish to have a number of remote users connect via a secure channel (perhaps to access company fi...
4.50 Configure > ISDN LAPB > LAPB n LAPB (Link Access Procedure Balanced) is a standard subset of the High-Level Data Link Control (HDLC) protocol. It is a bit-oriented, synchronous, link-layer protocol that provides data framing, flow control and error detection and correction. LAPB is the link layer used by X.25 applications. Using the Web Page(s): folder expands to list separate pages for the LAPB 0 and LAPB 1 Confi...
Inactivity timer (s): This parameter may be used to specify the length of time (in seconds) before the link is disconnected if there has been no activity. If this parameter is zero or not specified, then the inactivity timer is disabled.
Using Text Commands From the command line, use the lapb command to configure or display LAPB settings. To display current settings for a LAPB instance enter the command: lapb <instance> ? where <instance> is 0 or 1. To change the value of a parameter use the command in the format: lapb <instance>...
4.51 Configure > ISDN LAPD > LAPD n Link Access Protocol D (LAPD) is the protocol used for ISDN D-channel signalling and call set up. Using the Web Page(s) folder expands to list separate pages for the LAPD 0, LAPD 1 and Confi...
TEI: Each ISDN terminal device connected to your ISDN basic rate outlet must be assigned a unique Terminal Endpoint Identifier (TEI). In most cases, this is negotiated automatically. In some cases however, it may be necessary to assign a fixed TEI. When TEI is set to 255, the TEI is negotiated with the ISDN network.
Using Text Commands From the command line, use the lapd command to configure or display LAPD settings. To display current settings for a LAPD instance enter the command: lapd <instance> ? where <instance> is 0, 1 or 2. To change the value of a parameter use the command in the format: lapd <instance>...
PPP traffic is carried. Typically, both the physical layer connection and the logical PPP connection would be terminated on the same device, e.g. a Westermo router. This is illustrated below: With L2TP answering the call however, the router terminates the layer 2 connection only and the PPP frames are passed in an L2TP “tunnel”...
is “Off” this parameter is not used. Answering Window: This parameter specifies the L2TP window size, which can be set from 1 to 8. Layer 1 interface: This parameter determines which physical interface is to be used to terminate an L2TP connection. This can be set to either “ISDN”...
Using Text Commands From the command line, use the l2tp command to configure or display the L2TP settings. To display current settings for the L2TP instance enter the following command: l2tp <instance> ? where <instance> is the number of the l2tp instance.
4.53 Configure > PPP is a standard tunnelling protocol for transporting data from point to multipoint networks (such as IP) across point-to-point links (such as a serial or ISDN connection). This is essential for dial-up Internet access. As data is transferred across IP networks in synchronous format, your unit supports asynchronous to synchronous PPP conversion.
4.54 Configure > > MLPPP Using the Web Page(s) Desired local ACCM: For advanced users only - default value is 0x00000000. Desired remote ACCM: For advanced users only - default value is 0xffffffff. Request remote CHAP authentication: Set this parameter to “Yes” if it is required that the unit authenticate itself with the remote system using CHAP.
D->1B up rate (bytes/s): When Always on mode is “On”, this is the value (in bytes/s) above which the data transfer rate must remain for D->1B up delay (s) before the unit will activate a B-channel. D->1B up delay (s): When Always on mode is “On”, this is the time (in seconds) for which the data transfer rate must remain above the specifi...
4.55 Configure > > External Modems > External Modem n Using the Web Page(s) In circumstances where it is necessary to communicate with the router remotely via a normal analogue modem (perhaps because no ISDN line is available), this page may be used to set up the various parameters associated with controlling the modem.
Using Text Commands From the command line, use the modemcc command to configure or display the external modem settings. To display current settings enter the following command: modemcc <instance> ? where <instance> is 0. At present there can only be one modemcc instance, i.e. 0, but the instance parameter has been included to allow for future expansion.
4.56 Configure > > Sub-Configs > Sub-Config n These pages must be used in conjunction with the Configure > IP Routes pages. Sub-configs can be used as an alternative to using an entire PPP instance if only a few parameter changes from an existing PPP instance are required.
4.57 Configure > > PPP n > Standard The following parameters are those that you are most likely to need to customise PPP for your application. More advanced settings are covered in the next section. Using the Web Page(s) Name: This parameter allows you to enter a name for this PPP instance, to make it easier to identify it.
“genuine” traffic. This effect can be prevented by using the appropriate commands and options within the firewall script. However, on Westermo 1000 series units, or where you are not using a firewall, the same result can be achieved by selecting this option, i.e. when this option is selected the normal behaviour of the unit in responding to SYN packets with RST packets is disabled.
Confirm password: If altering the password, the new password must also be entered here. The unit will check that both fields are identical before changing the parameter value. AODI NUA: This parameter is used to specify the NUA (Network User Address) required to connect to your AODI (Always On Dynamic ISDN) access service provider and is only available if you have purchased the AODI software option.
Maximum negotiation time (s): This parameter specifies the maximum time (in seconds) allowed for a PPP negotiation to complete. If negotiations have not completed within this time after initial connection, the PPP is disconnected. Firewall: The Firewall parameter is used to turn Firewall script processing “On” or “Off” for this interface. IGMP: This IGMP parameter is used to enable or disable the transmission and reception of IGMP packets on this interface.
DEFLATE compression: When this parameter is set to “Off”, DEFLATE compression is disabled on this PPP instance. When set to “On”, DEFLATE compression is enabled and data compression is applied to the data being carried. The effectiveness of data compression will vary with the type of data but a typical ratio achieved for a mix of data, for instance Web pages, spread sheets, databases, text fi...
Remote IP address pool range: This specifies the range of IP addresses that the PPP instance can provide to the remote unit. This will only be required if the Remote IP address pool minimum IP address is already in use. For example, if the Remote IP pool minimum parameter is set to 10.10.10.1 and the Remote IP address Pool range is set to 9, this PPP instance would be authorised to assign IP addresses in the range of 10.10.10.1 to 10.10.10.10.
Using Text Commands From the command line, use the ppp command to set or display PPP parameter settings. To display current settings for a PPP instance enter the following command: ppp <instance> ? where <instance> is the number of the PPP instance. To set the value for a parameter enter the command in the format: ppp <instance>...
Parameter Values Equivalent Web Parameter DNSserver IP address DNS server NAT mode: 0=Off 1=NAT 2=NAPT do_nat 0,1,2 None - this is the password in encrypted format. This parameter epassword text is not configurable. firewall off, on Firewall off, on igmp off, on IGMP...
Parameter | Values | Equivalent Web Parameter
ripauth | 0,1,2,3 | RIP authentication method: 0=Off 1=Access list 2=Plain password 3=MD5
ripip | IP address | RIP destination IP
rxtimeout | number | Rx packet Inactivity timeout (s)
tband | number | Time band
timeout | number | Inactivity timeout (s)
timeout2 | number | Inactivity timeout 2 (s)
uplogmins number...
4.58 Configure > > PPP n > Advanced Using the Web Page(s) The parameters listed in the following table are unlikely to require alteration. They are initial values used during negotiation of the PPP link and will be acceptable for most applications. You should not alter these values unless you are familiar with the operation of the PPP protocol.
Request local PFC: Setting this parameter to “Yes” causes the unit to request Protocol Field Compression, which compresses PPP protocol fields from 2 to 1 bytes. Request remote ACFC: Setting this parameter to “Yes” causes the unit to get the remote to request Address Control Field Compression.
PING response timeout (s): If this parameter is set to a non-zero value the unit will wait for the interval specified for a response from a PING request before applying the No PING response request interval. If this parameter is set to 0 (default), the time specifi...
Auto activation attempts allowed: On GPRS units this parameter may be used to specify the maximum number of times a PPP instance that is configured to auto-activate (when the PPP Standard Always On mode is On), is allowed to do so before other PPP instances that were inhibited by this PPP instance will be allowed to connect.
Data limit reset day of month: If you wish to automatically unlock a locked interface at the start of a new billing period, this parameter should be set to the appropriate day of the month (from 1 to 28). When this date is reached the unit will unlock the interface and data transfer may resume.
Using Text Commands From the command line the advanced PPP parameters are set using the same command as for the standard parameters. The parameters and values are:
Parameter | Values | Equivalent Web Parameter
acttries | number | Auto-activation attempts allowed
dnsport | number | DNS server port
echo | number | LCP echo request interval (s)
Parameter | Values | Equivalent Web Parameter
r_addr | off, on | Request IPCP remote address option
rbcast | off, on | Route broadcasts if this PPP issues an IP address for an Ethernet network
r_callb | off, on | Allow remote to request call-back
r_chap | off, on | Request remote CHAP authentication
off, on Request remote compression...
> PPP/IP Over X25 Westermo routers can optionally support transmission of TCP/IP packets encapsulated in X.25. This feature allows the ISDN D-channel to be used as an “always on” connection providing a permanent, low speed Internet Protocol pipe between two Local Area Networks.
Backup X25 Interface These parameters are used to specify details of a backup interface to be used if the link layer interface used by PPP is lost. The parameters are as follows: Calling NUA: This specifies the calling X.25 address to be used when making outgoing X.25 calls on the backup interface.
4.60 Configure > > PPP n > In addition to the QOS parameter on the PPP N standard parameters pages (which are used to enable quality of service management for that PPP instance), each PPP instance has an associated QOS instance (PPP 0 maps to QOS 0, PPP 1 maps to QOS 1, etc.).
Parameter | Values | Equivalent Web Parameter
q6prio | | Queue 6 Priority
q7prof | 0-11 | Queue 7 Profile
q7prio | | Queue 7 Priority
q8prof | 0-11 | Queue 8 Profile
q8prio | | Queue 8 Priority
q9prof | 0-11 | Queue 9 Profile
q9prio | | Queue 9 Priority
The queue priority values are mapped as follows: Value Priority Very High...
> Protocol Bindings Westermo products are soft configurable to allow different protocols to be used on different ports. The process of selecting which protocol will be used on which port is referred to as “binding”. Using the Web Page(s) page allows you to defi...
4.62 Configure > PSTN Modem This page only appears on models which are fitted with an internal PSTN modem, e.g. MW3520 fitted with PSTN option. The Configure > PSTN Modem page provides access to the parameters that are used to confi...
Field). 4.63.2 Basic Operation In Westermo routers the classification of incoming IP packets for the purposes of QOS takes place within the firewall. The firewall allows the system administrator to assign a DSCP code to a packet with any combination of source/destination IP address/port and protocol.
4.64 Configure > Quality of Service > DSCP Mappings Each DSCP value must be mapped to a queue. These mappings are set up using the DSCP Mappings configuration page. Using the Web Page(s) The Default parameter at the top of the page is used to set up a default queue, which may be set to a value from Q0 to Q9.
4.65 Configure > Quality Of Service > Q Profiles You may define up to 12 distinct “queue profiles” that may then be assigned to the QOS queues as required. The queue profile determines how QOS queues with that profile assigned to them will behave.
Small weighting factor values result in a weighted queue length that moves quickly, and more closely matches the actual queue length. Larger weighting factor values result in a queue length that adjusts more slowly. If a weighted queue length moves too quickly (small weighting factor), it may result in dropped packets if the transmit rate rises quickly, but will also recover quickly after the transmit rate dies off.
4.66 Configure > RADIUS client The RADIUS client may be used for authentication purposes at the start of remote command sessions, SSH sessions, FTP and WEB sessions. Depending on how the RADIUS client is configured, the unit may authenticate with one of two RADIUS servers, or may locally authenticate a user using the existing user tables confi...
Secondary authorisation server IP address: This is the IP address of the Secondary authorisation NAS server. Secondary authorisation server password: This password is supplied by the Secondary authorisation NAS administrator and is used in conjunction with the Secondary authorisation NAS ID to authenticate RADIUS packets. Confi...
Using Text Commands From the command line, use the radcli command to configure or display RADIUS client settings. To display current settings for the RADIUS client enter the following command: radcli <instance> ? where <instance> is 0. At present there can only be one instance of RADIUS, i.e. 0, but the instance parameter has been included to allow for future expansion.
4.67 Configure > SMS Edit Models with GPRS capability are capable of sending SMS alert messages. The SMS related parameters on the Configure > Event Handler and Configure > GPRS module pages are used to configure the unit to send such alarms, but the page allows you to edit and Confi...
4.68 Configure > SMTP The Simple Mail Transfer Protocol (SMTP) is widely used for the transmission of electronic mail. The unit incorporates a software module known as an SMTP Client which sends emails by establishing a connection to a remote computer that is running an SMTP server and then transmits emails using the SMTP protocol.
SMTP AUTH Parameters The following parameters are used to authenticate the unit against the SMTP server. Username: This is the password used to authenticate with the SMTP server, and is usually provided by your SMTP service provider. Password: This is the password used to authenticate with the SMTP server, and is usually provided by your SMTP service provider.
4.69 Configure > SNAIP > SNAIPn The unit is capable of sending Systems Network Architecture (SNA) traffic over TCP/IP, using the DLSw protocol. The unit is also capable of sending HDLC traffic over TCP/IP. SNA uses Synchronous Data Link Control (SDLC) which is an unbalanced mode in which there is one master station and 1 or more secondary stations.
incoming calls only to ISDN numbers where the trailing digits match the MSN value. For example, setting the MSN parameter to 123 will prevent the unit from answering any calls to numbers that do not end in 123. is “Off”, or is set to “Port”, this parameter is not used.
LAPB Parameters DTE/DCE mode: When this parameter is set to “DTE”, the unit will behave as Data Terminal Equipment with respect to the ISDN network. This is the default value and should not be changed for normal operation across the ISDN network. If your application involves using two units back-to-back, one of the units should have the DTE/DCE mode value set to “DCE”...
DLSw Role: When this parameter is set to “Active”, and the unit is in SNA mode, then this DLSw switch will actively connect to the remote DLSw switch. Use 1 socket: When this parameter is set to “On” then only one socket is used for both read and write data. This is useful if the unit is behind a NAT box and incoming connections are.
Parameter | Value | Equivalent web parameter
passive | off, on | DLSw Role: Off=Active On=Passive
peervmac | MAC address | Peer VMAC
pollresp | number | Polling Response(msec)
protocol | LAPB, SNA, RAW, RAW_NOHDR | Protocol
r_ipport | number | Read port
saps | numbers | SAPs
send_xid_null | off, on | Send Null XID
sock_inact | number | TCP socket inactivity timer (s)
4.70 Configure > SNTP The unit supports the Simple Network Time Protocol (SNTP). This protocol is used to synchronise the unit’s internal clock with the time and date information provided by a remote computer. The remote computer must be running an NTP server in order to obtain this information. Using the Web Page(s) page allows you to set up the parameters for the SNTP client.
Using Text Commands From the command line, use the sntp command to configure or display SNTP settings. To display current settings for an SNTP instance enter the following command: sntp <instance> ? where <instance> is 0. At present there can only be one instance of SNTP, i.e. 0, but the instance parameter has been included to allow for future expansion.
4.71 Configure > SSH server The SSH (Secure Shell) server allows remote peers to access the unit over a secure TCP connection using a suitable SSH client. The SSH server provides a Telnet-like interface and secure file transfer capability.
Host key #2 filename: This is the filename of either an SSH V1 host key or an SSH V2 host key. It is highly recommended that the filename be prefixed with “priv” to ensure that the key is not compromised. This key is generated on the page.
Using Text Commands From the command line, use the ssh command to configure or display SSH server settings. To display current settings for the SSH server enter the following command: ssh <instance> ? where <instance> is 0. At present there can only be one SSH server instance, i.e. 0, but the instance parameter has been included to allow for future expansion.
4.72 Configure > SSL client Some sites, when connecting to them using SSL, require client side authentication. The unit’s SSL client handles the authentication for SSL connections using certificates signed by a certificate authority (CA). For more information regarding certificates and certificate requests, refer to Confi...
4.73 Configure > Static Multicast Routes The unit supports Multicast routes, allowing your unit to route packets to multicast group addresses. You can configure up to 20 different static multicast routes. Using the Web Page(s) page displays a table that allows you to set the following Confi...
4.74 Configure > Static NAT Mappings The unit supports Network Address Translation (NAT) and Network Address and Port Translation (NAPT). NAT or NAPT may be enabled on a particular interface such as a PPP instance. When operating with NAT enabled, this interface has a single externally visible IP address. When sending IP packets, the local IP addresses (for example, on a local area network) are replaced by the single IP address of the interface.
Using Text Commands From the command line use the nat command to configure settings for the static NAT mappings. To display current settings for a particular mapping enter the command: nat <entry> ? where <entry> is 0 - 49, corresponding to the table entry number. This lists the port number and the mapped IP address.
4.75 Configure > SYNC Ports The DTE ports on your unit will usually be configured for asynchronous operation. This is the most common mode of serial communication. However, some applications will require synchronous serial communications using a protocol such as HDLC. This section describes the various parameters that may require setting up correctly for such an application.
Using Text Commands: From the command line, use the sy command to configure or display SYNC port settings. To display current settings for a SYNC port enter the following command: sy <port> ? where <port> is 0. At present there is only one SYNC port, i.e. 0, but the port parameter has been included to allow for future expansion.
4.75.1 Configuring the X.21 Daughter Card In order to be able to use X.21 mode, your unit must have an X.21 daughter card fitted. There are two versions of the X.21 daughter card. One version is compatible with IR2140 and IR2420 routers, and one version is compatible with MW3520, MW3410 and VC5100 routers.
4.76 Configure > Syslog The unit may be configured to deliver Syslog messages when events of a suitable priority occur. Refer to the Configure > Event Handler page for more details. Using the Web Page(s) Remote syslog server: This is the IP address of the unit that the Syslog messages will be sent to.
4.78 Configure > Time The unit incorporates a battery-backed real-time clock/calendar. This is used for time/date stamping internal files and statistics. Normally, once the time and date has been set, the unit will keep the time accurate to +/- 5 seconds/day while power is applied. However you may also configure it to automatically obtain the correct time at regular intervals using the SNTP option.
> Time Band n Westermo routers support “time bands” which are used to determine periods of time during which routing is allowed or prevented. For example, an office router could be configured so routing is only allowed on weekdays. At present, time bands may only be applied to PPP instances.
Using Text Commands To set up time bands from the command line use the tband command. To display current time band settings, enter the command in the format: tband <instance> ? where <instance> is 0 - 3. To set up a transition you will need to enter three commands (one each to specify the days of the week, the time and the transition state): tband <instance>...
TPAD is a simplified version of the X.25 PAD specification that is commonly used for carrying out credit-card clearance transactions. Westermo units support the use of TPAD over the ISDN B and D channels and also over an IP interface such as GPRS via XOT or TCP. Automatic back-up between any two of these “layer 2 interfaces”...
NUA: This parameter specifies the X.25 Network User Address to be used for outgoing X.25 calls if no NUA is specified in the call string. NUI: This specifies the X.25 Network User Identifier to be used for outgoing X.25 calls if no NUI is specified in the call string.
Merchant #: This parameter can be used to insert a merchant number into the APACS 30 string when the locally connected equipment does not transmit a merchant number. Calling NUA: This is the NUA that the unit will report to the X.25 network as its own NUA. Often the X.25 network will override this NUA.
LCN: The unit supports up to eight logical X.25/TPAD channels. In practice, the operational limit is determined by the particular service to which you subscribe (usually 4). Each logical channel must be assigned a valid Logical Channel Number (LCN). The LCN parameter is the value of the fi...
Include LRC: The LRC (Longitudinal Redundancy Check) is a form of error checking that may be required by some TPAD terminals. When the Include LRC option is set to “Yes” the unit will check the LRC. Include LRC line: This parameter is normally set to “Off” so that any LRC’s received from a TPAD terminal will be removed before the transaction data is transmitted to the remote host.
Boot to direct mode: Direct mode is a mode of operation whereby the unit automatically routes APACS 30 packets to their destination without the terminal having to perform any call control. If this parameter is set to “Yes”, then the next time the unit is rebooted it will operate in direct mode. For direct mode to work you must set up the appropriate addressing information (B channel, NUA or NUI).
Backup Parameters Layer 2 deactivation timer (s): This parameter is functionally equivalent to the Layer 2 deactivation timer parameter in the general parameters section above but only applies to the backup service. Layer 2 interface: The Layer 2 Interface parameter specifies whether the backup service uses “LAPB”, “LAPD” “TCP”, “SSL”...
The parameters and values are:
Parameter | Values | Equivalent web parameter
uaarc | number | Unable to authorise acquirer response
ackdat | off, on | ACK data
bdir | off, on | Boot to direct mode
bnumber | | B-channel #
cingnua | text | Calling NUA
clear_dirtime | number | Clearing time (direct mode) (ms)
clear_time | number | Clear Delay (s)
Parameter | Values | Equivalent web parameter
samecall | 0,1,2 | In same call: 0=Off 1=Transaction 2=Clear
strip_tspaces | off, on | Strip Trailing Spaces
stx_2_soh | off, on | STX to SOJ
suffix | number | Suffix #
tenqdel | number | ENQ char delay (ms)
teretran | off, on | DTE retransmit
termed Terminal ID...
4.82 Configure > UDP Echo Client/Server > UDP Echo n When enabled, UDP Echo generates UDP packets that contain the unit serial number and ID, and transmits them to the specified IP address and port at the configured interval. When the unit receives a UDP packet at a local port confi...
Using Text Commands From the command line, use the udpecho command to configure or display a UDP Echo instance. To display the current settings for a UDP Echo instance, enter the command: udpecho <instance> ? where <instance> is 0 to 3. To change the value of a parameter use the same command in the format: udpecho 0 <parameter>...
4.83 Configure > Users The unit allows you to define a number of authorised users. The number of users available depends upon the software build that your unit is running. Each user has a password and an access level that determines what facilities the user has access to.
Using Text Commands From the command line use the user command to configure settings for the authorised users. To display current settings for a particular user enter the command: user <number> ? where <number> is 0 - 9. This lists the username, password, the encrypted form of the password and the user access level.
Datawire’s VXN protocol acts as a replacement to X.25 and the Layer 2 protocol that X.25 is carried over. The Westermo unit still uses the X.25 entity to handle VXN sessions for the sake of convenience. Using the Web Page(s) Service name: The name of the Datawire VXN server to use.
Key Synchronisation timeout (s): Key synchronisation is normally only required once between the unit and the Datawire host. However, there may be times when the host loses synchronisation, which would result in an error response when the next transaction is received. This parameter defines the time that must elapse between transactions before the unit will perform another key synchronisation.
4.85 Configure > Using the Web Page(s) Use addresses from call in accept for LAPD: When this parameter is set to “On” then when X.25 is answering a call on the LAPD interface the called and calling addresses from the CALL packet are used in the X25 CALL CNF (call confirm packet) that the unit sends to answer the call.
The parameters and values are:
Parameter          Values    Equivalent Web Parameter
en_incl_iphdr      off, on   Include length of header in IP length header
lapb_cnf_addr      off, on   Use addresses from call in accept for LAPB
lapd_cnf_addr      off, on   Use addresses from call in accept for LAPD
reset_xotpvc_ini   off, on   Reset XOT PVC if Initiator...
4.87 Configure > > Macros This page allows you to define up to 64 X.25 CALL “macros” that can be used to initiate ISDN and/or X.25 layer 3 calls. These simple English-like names are mapped to full command strings. For example, the call string: 0800123456=789012Dtest data could be given the name “X25test”...
4.88 Configure > > IP–>X25 Calls Using the Web Page(s) Each Configure > > IP->X25 Calls > Entries page contains a table that allows you to enter a series of IP Port numbers and X.25 Call strings. It is used to configure the unit so that IP data can be switched over X.25.
Using Text Commands From the command line, use the ipx25 command to configure IP to X.25 calls. To display the current mappings enter the following command: ipx25 <n> ? where <n> is the table entry number, i.e. 0 - 255. To change the value of a parameter use the following command: ipx25 <n>...
4.89 Configure > > NUA/NUI–>Interface Using the Web Page(s) The Configure > > NUA/NUI–>Interface pages contain tables that allow you to enter a series of X.25 NUA or NUI values along with IP addresses/Ports to which they should be mapped if you need to override the default settings in the page.
Interfaces are coded as follows: Parameter Value Interface Type
Default
LAPD
LAPB 0
LAPB 1
LAPD X (actual instance determined by NUA)
LAPB 0 PVC
LAPB 1 PVC
XOT PVC
TCP stream
UDP stream
For example, to set up table row 2 from the example you would enter the following series of commands:
nuaip 2 nua 222
nuaip 2 ipaddr 1.2.3.4...
4.90 Configure > > PADs > PAD n There are two main elements to the configuration procedure for accessing X.25 networks: ♦ General and service related parameters ♦ PAD parameters (X.3) Each X.25 PAD configuration page also includes a sub-page detailing the X.3 PAD parameters. Collectively this set of values is known as a PAD profi...
IP Length header: When in IP Stream mode the length of a data sequence is inserted before the data. For the receive direction it is assumed the length of the data is in the data stream. Strip Trailing Spaces: When this parameter is turned on any spaces received at the end of a sequence of data from the network will be removed before being relayed to the PAD port.
Inactivity timeout (s): This parameter specifies the length of time in seconds after which the PAD will terminate an X.25 call if there has been no data transmission. No Call L2 Timeout (s): This parameter specifies the length of time in seconds after which the unit will disconnect a layer 2 link if there are no layer 3 calls in progress.
Using Text Commands To configure PAD parameters from the command line use the pad command. To display the settings for the specified PAD instance use the command in the form: pad <instance> ? where <instance> is 0 - 4. To change the value of a parameter use the command in the form: pad <instance>...
4.91 Configure > > PADs > PAD n > PAD Parameters Each PAD configuration page has an attached sub-page that allows you to edit the X.3 PAD parameters. These pages allow you to load one of the standard profiles or edit the individual parameters to suit your application requirements and save the resulting customised “user”...
4.91.4 4 Idle Timer Delay This parameter defines a time-out period after which data received from the DTE is assembled into a packet and forwarded to the network. If the forwarding time-out is disabled, one or more characters should be selected as “data forwarding characters” using parameter 3. Option Description No data forwarding time-out...
4.91.8 8 Discard Output This parameter determines whether data received during a call is passed to the DTE or discarded. It can only be directly set by the remote system and may be used in a variety of circumstances when the remote DTE is not able to handle a continuous fl...
4.91.13 13 LF Insertion (after CR) Controls the automatic generation of a Line Feed by the PAD. Option Description No line feed insertion Line Feeds inserted in data passed TO the DTE Line Feeds inserted in data received FROM the DTE Line Feeds inserted after CR’s echoed to DTE The line feed values can be added together to select Line Feed insertion to any desired combination.
4.91.20 20 Echo Mask This parameter defines characters that are NOT echoed when echo mode has been enabled using parameter 2. Option Description No echo mask (all characters are echoed) VT, HT or FF BEL, BS ESC,ENQ ACK,NAK,STX,SOH,EOT,ETB,ETX No echo of characters set by parameters 16, 17 & 18 No echo of characters 0-32 decimal Combinations of the above sets of characters are possible by adding the respective values together.
X.25 data on a specified LCN. For each X.25 service connection you may set up multiple PVC’s each of which uses a different LCN (or a mixture of PVC’s and SVC’s). Westermo routers support up to four PVC’s numbered 0-3.
Upper layer interface #: This parameter specifies the number of the upper layer interface connected to this PVC. Where the Upper layer interface is set to “XSW” this can only be “0”. Packet size: This parameter defines the packet size to be used for the PVC. Select the appropriate value from the drop down list.
4.93 Configure > > X25 Switch The X.25 Switch software available on some models provides X.25 call switching between the various interfaces that may be available including: Interface Description LAPD Data will be switched from / backed-up from LAPD using the X.25 service. LAPD X As above but the actual LAPD instance used will be determined by the NUA.
The unit will first look up the Called NUA/NUI in the Configure > > NUA/NUI–>IP address mapping table to determine the IP address to use in the event that the call ends up being switched to a TCP or XOT interface. If a match is found on the Called NUA/NUI the unit assigns the matching IP address from the table to the call.
Switch from LAPB 2 to: This parameter controls the switching of incoming X.25 calls received via LAPB 2. Select the interface to which data should be switched from the drop down list, or select “Off” and the X25 switch will not respond to any incoming LAPB 2 calls.
Call prefix: This parameter specifies the call prefix to be inserted in front of the NUA in calls being switched to LAPD. For example, if the called NUA in the call being received by the LAPB 0 interface is 56565 and the call prefi...
LAPB2 default packet size: This is the default packet size for calls being switched onto LAPB 2. The default packet size is 128, other possible values are 256, 512 or 1024 bytes. LAPB2 default window size: This is the default window size for calls being switched onto LAPB 2. The default window size is 2, the valid range is 1 to 7.
Notes on PAD Answering Because the other interfaces can operate as normal, even when the switch is operating, special care needs to be taken with regard to answering NUA’s programmed on active PADs. For example when a call is being received on a LAPD or LAPB interface, a PAD instance (or remote configuration session) is capable of answering and terminating the call in preference to the call being switched.
Using Text Commands To configure the X.25 switch parameters via the command line use the x25sw command. To display current settings for the X.25 switch enter the following command: x25sw 0 ? where <instance> is 0. To change the value of a parameter use the command in the format: x25sw <instance>...
4.94 Configure > > X25 Switch > CUD Mappings X.25 switch CUD mappings allow you to map an incoming call’s CUD (call user data) from one value to another. The PID (protocol identifier) portion of the CUD (if present) is maintained from input to output and is not involved in the comparison.
Using Text Commands To configure the X.25 switch NUA mappings via the command line use the x25map command. To display a current X.25 switch NUA mapping enter the command: x25map <instance> ? where <instance> is 0 - 19. Four separate commands are needed to set up a mapping.
5 Statistics pages Your Westermo product maintains a wide range of statistics relating to each of the different protocol instances that may be used. These statistics are collected and maintained in non-volatile memory and may be displayed via the web pages.
6 Status pages The next sub-heading on the directory tree is Status. Clicking on the “+” symbol at the left of the Status folder expands the sub-tree to list a number of pages which contain various status information about the unit: Under the Status folder there are hyperlinks for pages that display the analyser trace, event log, fi...
6.3 Status > Event log The Status > Event Log page allows you to display the contents of the “EVENTLOG.TXT” pseudofile with the most recent events listed at the top of the log. Each event log entry consists of the time and date of the event followed by a brief description.
Network Registration Status: This field indicates the status of the GPRS module with respect to the GSM network. It may be one of the following: ♦ Not registered, not searching ♦ Registered, home network ♦ Not registered, searching ♦ Registration denied ♦...
6.8 Status > IGMP Groups Status > IGMP Groups lists statistics relating to the Internet Group Management Protocol (IGMP). This protocol is used for the management of IP multicast group membership. The statistics are described in the following table: Abbreviation Description Free Groups Number of available multicast group entries...
6.12 Status > X.25 Sessions The Status > X.25 Sessions page lists the available pool of X.25 sessions (8 in total). For each session it lists the current state (FREE or ENGAGED) and for each busy session it also shows the User, Link, Mode and NUA.
File containing compressed Web pages for your model
logcodes.txt   Text file containing Event Log config. info.
sbios          Westermo BIOS and bootloader
sregs.dat      Data file containing AT command & S register settings
x3prof         X.25 PAD profile parameters
7.2 Filing System Commands...
7.2.3 DIR List File Directory The DIR command is used to display the file directory. For example:
direct 3360 ro 07:25:07, 03 Jan 2000
sbios 65536 ro 07:25:07, 03 Jan 2000
image 257508 rw 09:53:46, 20 Jan 2000
sregs.dat 400 rw 09:56:05, 20 Jan 2000
confi...
For example:
type config.da0
bind PAD 0 ASY 0
pad 0 l2iface LAPB
cmd 0 username Westermo
cmd 0 epassword Oz57X0kd
cmd 0 hostname ss.2000r
7.2.8 XMODEM File Transfer The xmodem command is used to initiate an XMODEM file upload from the port at which the command is entered.
8 Using V.120 V.120 is a protocol designed to provide high-speed point-to-point communication over ISDN. It provides rate adaptation and can optionally provide error control. Both the calling and called units must be configured to use V.120 before data can be transferred. Similarly, if one unit is configured to use the error control facility, the other must be confi...
8.3 Answering V.120 Calls V.120 answering can be enabled from the command interface by setting register S0 for the appropriate ASY port to a non-zero value. For example: ats0=1 You should ensure that you have set S0 for the correct ASY port by either entering it directly on that port or by using the AT\PORT command to select the correct port fi...
9 Answering ISDN calls SarianWestermo routers are capable of answering incoming B-channel ISDN calls with 3 main protocols. Usually several instances of these protocols exist. This section explains how answering priorities work for the different protocols. 9.1 Protocol Entities The following protocol instances are capable of answering an incoming ISDN call: Adapt Adapt instances provide rate adaptation protocols such as V.120 or V.110.
9.2 Multiple Subscriber Numbers An MSN (multiple subscriber number), is an alternative number provided by the telephone service provider which when dialled, will also route through to your ISDN line. It is possible to purchase several MSN’s for an ISDN line. This means that in effect one ISDN line can have several ISDN numbers.
A further standard, X.31 defines the procedures used to access X.25 networks via the ISDN B and D channels. Westermo ISDN products include support for allowing connected terminals to access X.25 over ISDN B channels, the ISDN D-channel or over TCP. They can also be configured so that if there is a network failure it will automatically switch to using an alternative service.
10.4 X.28 Commands Once an X.25 session layer has been established the unit switches to “PAD” mode. In this mode operation of the PAD is controlled using the standard X.28 PAD commands listed in the following table: Command Description CALL Make an X.25 call Clear an X.25 call ICLR...
Fast select (ISDN B-channel only) When the standard Fast select facility is requested using the “F” facility code, the call packet generated by the CALL command is extended to allow the inclusion of up to 124 bytes of user data. For example: CALL F-1234567890DThis DATA sent with call packet would cause an X.25 CALL packet to be sent using the Fast select facility including the message...
Calling user data The calling user data field for a normal call may contain up to 12 bytes of user data. If the first character is an exclamation mark (!), the PAD omits the four byte protocol identifier and allows the full 16 bytes as user data.
Code Verbose message Service or option not available, unspecified Bearer capability not implemented Channel type not implemented Requested facility not implemented Only restricted digital information bearer Service or option not implemented, unspecified Invalid call reference value Identified channel does not exist A suspended call exists, but this call identity does not Call identity in use No call suspended...
10.4.3 CLR Clear an X.25 Call The CLR command is used to clear the current call and release the associated virtual channel for further calls. On completion of call clear the PAD> prompt is re-displayed. A call may also be cleared as a result of a number of other situations.
Profile 50 is automatically loaded when a PAD is first activated. To load one of the other pre-defined profiles use the PROF command followed by the required profile number. For example: PROF 90 To create a User PAD profile you must use the SET command to configure the various PAD parameters to suit your application and then use the PROF command in the format: PROF &nn where “nn”...
10.4.11 RSET Set Remote X.3 Parameters RSET is used to set one or more X.3 parameters for the remote system. It is entered in the format: RSET par #:value[,par #:value[,par #:value ...]] 10.4.12 SET Set Local X.3 Parameters SET is used to set one or more of the local X.3 parameters for the duration of the current session. The format of the command is: SET par #:value[,par #:value[,par #:value ...]] 10.4.13 STAT Display Channel Status...
11 PPP over Ethernet PPP over Ethernet (PPPoE) is a means of establishing a PPP connection over the top of an Ethernet connection. The implementation provided is compliant with RFC 2516, “A Method for Transmitting PPP Over Ethernet”. A typical application would be to allow non-PPPoE enabled devices to access Internet services where the connection to the Internet is provided by an ADSL bridge device.
12 IPSec and VPN’s 12.1 What is IPSec? One inherent problem with the TCP protocol used to carry data over the vast majority of LAN’s and the Internet is that it provides virtually no security features. This lack of security, and recent publicity about “hackers”...
12.2.2 3-DES (192-bit key) Again, this is a well-established and accepted protocol but as it involves encrypting the data three times using DES with a different key each time, it has a very high processor overhead. This also renders it almost impossible for casual hackers to attack and very difficult to break in any meaningful time frame, even for well-equipped and knowledgeable parties.
Before this gets any more complicated we’ll assume that Westermo are a competent authority to issue certificates and given that they exist and are valid, see how they are used.
Our ID Should be set to “info@Westermo.com”. This is the same as the subject “Altname” in certificate CERT01.PEM which makes it possible for the router to locate the correct certificate to send to the host.
A firewall must be individually configured to match the needs of authorised users and their applications. On Westermo routers the rules governing firewall behaviour are defined in a script file called FW.TXT. Each line in this file consists of a label definition, a comment or a filter rule.
block: The block action prevents a packet from being allowed through the firewall. When block is specified an optional field can be included that will cause an ICMP packet to be returned to the interface from which that packet was received. This technique is sometimes used to confuse hackers by having different responses to different packets or for fooling an attacker into thinking a service is not present on a network.
pass-ifup: The pass-ifup action allows outbound packets that match the rule to pass through the firewall but only if the link is already active. debug: The debug action causes the unit to tag any packets matching the rule for debug. This means that for every matching rule that is encountered from this point in the script onwards, an entry will be placed in the pseudo-fi...
break: When the break option is specified it must be followed by a user-defined label name or the pre-defined keyword “end”. When followed by a label, the rule processor will “jump” to that label to continue processing. When followed by the “end” keyword rule processing will be terminated and the packet will be treated according to the last matching rule.
#dns gglist www.Westermo.co.*,www.*.co.nz
Then the following firewall rule will block all dns lookups to DNS names matching the above list.
block out break end on ppp 1 proto udp dnslist gglist from any to any port=dns
[ip-range] fi...
13.3 Specifying IP Addresses and Ranges The ip-range field of a firewall script rule identifies the IP address or range of addresses to which the rule applies. The syntax for specifying an IP address range is: ip-range = “all” | “from” ip-object “to” ip-object [ flags ] [ icmp ] where: ip-object = addr [port-comp | port-range]...
13.4 Address/Port Translation One further option that may be used when specifying addresses is to use address translation. The syntax for this is: srcdst = “all | fromto [-> [ip-object] “to” object] I.e. directly after the IP addresses and port are specified an optional “->” can follow indicating that the addresses/ports should be translated.
Note: The above service keywords are pre-defined based on “standard” port numbers. It is possible that these may have been defined differently on your system in which case you should use the port numbers explicitly (not the defined names). 13.6 Filtering on TCP Flags An ip-object can be followed by an optional [flags] fi...
13.7 Filtering on ICMP Codes An ip-object can be followed by an optional [icmp] field. This allows the script to filter packets based on ICMP codes. ICMP packets are normally used to debug and diagnose a network and can be extremely useful.
13.8 Stateful Inspection The Westermo routing code stack contains a sophisticated scripted “Stateful Firewall” and “Route Inspection” engine. Stateful inspection is a powerful tool that allows the unit to keep track of a TCP/UDP or ICMP session and match packets based on the state of the connection on which they are being carried.
The first rule matches only the first outgoing packet because it checks the status of the (SYN) flag and will only pass the packet if the SYN flag is set. At first glance however, it appears that the second rule blocks all inbound packets on PPP 0.
13.8.2 Using [inspect-state] with ICMP The [inspect-state] option can be also used with ICMP codes. To allow the use of echo request and to allow echo replies you would have just the one rule: pass out break end on ppp 0 proto icmp icmp-type echo inspect-state The advantage of using inspect-state, other than just needing one rule, is that it leads to a more secure fi...
13.8.3 Using [inspect-state] with the Out Of Service Option The inspect-state field can be used with an optional parameter. This parameter allows the stateful inspect engine to mark as “out of service” any routes that are associated with the specified interface and also to control how and the interfaces are returned to service.
a packet to route and the AODI mode parameter is set to “On”. TCP Example
pass out log break end on ppp 3 proto tcp from any to 192.168.0.1 flags S!A inspect-state oos 30 t=10 c=2 d=2
pass in
pass out
This rule will specifically trace attempts to open a TCP connection on PPP 3 to the 192.168.0.1 IP address and if it fails within 10 seconds twice in a row, will cause the PPP 3 interface to be fl...
13.9 The FWLOG.TXT File When the log option is specified within a firewall script rule, an entry is created in the FWLOG.TXT pseudo-file each time an IP packet matches the rule. Each log entry will in turn contain the following information: Parameter Description...
Congestion: Normal
May Fragment
Last Fragment
80 TTL: 128
01 Proto: ICMP
0C E1 Checksum: 3297
64 64 64 19 Src IP: 100.100.100.25
64 64 64 32 Dst IP: 100.100.100.50
ICMP:
08 Type: ECHO REQ
00 Code: 0
04 5C Checksum: 1116
Example: Text included in the EVENTLOG.TXT pseudo-fi...
13.10 Further [inspect-state] Examples Here is a basic inspect-state rule with no OOS options:
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state
This rule will allow TCP packets from 10.1.1.1 to 10.1.2.1 port 23 with the SYN flag set to pass out on PPP 2.
pass out break end on PPP 2 proto TCP from 10.1.1.1 to 10.1.2.1 port=telnet flags S!A inspect-state oos 60 t=10 c=5 d=10 r=tcp,120,10
Now, 10 seconds is allowed for each recovery attempt. If the socket connects within that time, the recovery is successful, else the recovery is unsuccessful.
13.11 Debugging a Firewall During the creation and management of firewall scripts, firewall scripts may need debugging to ensure that packets are being processed correctly. To assist in this, a rule with the debug action may be used. If a rule with the debug action is encountered, an entry is made in the FWLOG.TXT pseudo-fi...
14 Remote management Westermo products equipped with ISDN BRI’s can be accessed and controlled remotely via the ISDN network by using: ♦ a V.120 connection to access the text command interface ♦ PPP to access the Web Interface ♦ PPP to access the text command interface using Telnet ♦...
14.3.1 FTP under Windows Once the connection has been established, enter the Web address for the unit. By default this will be: 1.2.3.4 or ss.2000r If you are using a browser, as opposed to a specific FTP program, you will need to precede the address with “ftp://”.
15 The event log 15.1 What is the Event Log? Many Westermo products automatically maintain a log of certain types of event in a pseudo file called EVENTLOG.TXT. The contents of the log can be viewed via the web page or Status >...
Event Description              Originating module   Comment
X.25 connection made           X.25
X.25 CALL cleared              X.25
X.25 CLEAR request Rx’d        X.25
X.25 incoming call Rx’d        X.25                 Calling address
LAPB call request sent         ISDN call control    Called party number
LAPD call request sent         ISDN call control    Called party number
LAPB call clear request Rx’d   ISDN call control...
15.2.1 Event Blocks Each event block starts with a line containing the text [EVENTS]. This is followed by a line for each event code in the following format: <event code>,<priority code>,<description> where: <event code> values are pre-defined and should not be changed. <priority code>...
16 AT commands 16.1 D Dial The ATD command causes the unit to initiate an ISDN call. The format of the command depends on the mode of operation. When using the unit to make data calls on one of the ISDN B-channels, enter the ATD command followed by the telephone number.
16.5 &F Load Factory Settings The AT&F command is used to load a pre-defined default set of S-register and AT command settings (the default profile). These are: E1, V1, &C1, &K1, &D2, S0=0, S2=43 All other values are set to 0. 16.6 &V View Profi...
16.8 &Y Set Default Profile The AT&Y command is used to select the power-up profile (0 or 1). For example, to ensure that the unit boots up using stored profile 1, enter the command: at&y1 16.9 &Z Store Phone Number The AT&Z command is used to store “default”...
at\port? PORT 2 ASY0 Here, ASY2 is the active port and ASY0 is the port at which the command was entered. If the default port and the port to which you are connected are the same, only one entry will be listed. To reset the default port to the one to which you are connected use the AT\PORT command without a parameter.
17 S registers In addition to the AT commands there are a number of Special (“S”) registers. These registers contain numeric values that may represent time intervals, ASCII characters or operational flags. To display the contents of a particular “S” register, the ATS command is used in the form ATSn? where n is the number of the register whose contents are to be shown.
17.3 S2 Escape Character Units: ASCII Default: 43 Range: 0-255 The value stored in S2 defines which ASCII character is used as the Escape character, which by default is the “+” symbol. Entering this character three times followed by a delay of 1-2 seconds and then an AT command will cause the unit to switch from on-line mode to command mode.
17.6 S31 ASY Interface Speed Units: N/A Default: 0 Range: 0-11 Register S31 is used to set the speed and data format for the ASY port to which you are currently connected. The default value for ASY 0 is 0, i.e. the port speed/data format is not set to a specific value, it is determined automatically from the AT commands that you enter.
The output will appear similar to the following example:
bind PAD 0 ASY 0
pad 0 l2iface LAPB
cmd 0 username Westermo
cmd 0 epassword Oz57X0kd
cmd 0 hostname IR2140
The config files only contain details of those settings that are different from the unit’s default settings.
19 TCPPerm and TCPDial This section describes the operation of the tcpperm and tcpdial commands which are available only as application commands and have no equivalent web pages. 19.1 TCPPERM The tcpperm command is used to establish a permanent “serial to IP” connection between one of the ASY ports and a remote IP host.
The command can also be made to execute automatically on power-up by using the “cmd n autocmd ‘cmd’” macro command, i.e. cmd 0 autocmd ‘tcpperm asy 0 192.168.0.1 -f3 -s3000 -k10 -e1’ Considerations for use with VPN or GRE Tunnels When the socket used by TCPPERM is opened the default behaviour is to use the address of the interface over which the socket is carried (ETHn or PPPn) as the source address of the socket.
External Transmitter Clock A range of suitable adapters and cables are available from Westermo. 20.2 X.21 Serial Port Connectors On models fitted with the X.21 synchronous serial option, the following pin-outs are used at the 25-way D connector:...
20.2.1 Configuring the X.21 Daughter Card The X.21 daughter card compatible with the IR2140 and IR2420 routers has three internal jumpers that determine the clock mode. By default, these are set so that the unit acts as a clock sink. For correct X.21 operation the jumper settings must match the setting of the parameter confi...
RS232 (V.24) Straight Through Cable (25 - 25 pin) This is normally the cable to use to connect a V.24 synchronous terminal to a Westermo router. (For an asynchronous terminal, e.g. a PC, the ETC and RxC pins do not need to be connected.)
Signal RJ45 Pin # 9-way Pin# Signal X.21 Straight Through Cable (25 - 15 pin) This cable would normally be used to connect an X.21 terminal to a Westermo router. Signal 25 Pin # (Westermo 15 Pin# (DTE) Signal DCE)
X.21 Crossover Cable (25 - 15 pin) This cable would normally be used to connect a Westermo to an X.21 leased line. Signal 25 Pin # (Westermo 15 Pin # (DCE) Signal DCE) Frame Ground (Case) Frame Ground (Case) RxDA...
21 LOGCODES.TXT The following is a listing of a typical “LOGCODES.TXT” file. You can edit this file with a text editor to change the events that generate automatic e-mails. Once you have finished editing, save the changes and copy the fi...
[EVENTS]
08,3,Login failure by %c: %e
[REASONS]
1,,x25
3,,Telnet
4,,v120
5,,IKE
[EVENTS]
09,6,Time set/changed %c
14,2,%e %a Start %c
15,1,PPP %a async-sync
17,1,SMTP req by %e email %c
18,0,SMTP success
21,0,Telnet session closed
22,0,New logcodes.txt file
23,0,Config req by %e
24,0,Anonymous FTP by %c
25,0,FTP session closed
26,0,%e %a X25 Call req #: %c...
[EVENTS]
35,0,%e B%a ISDN Call Cleared
36,0,%e %a ISDN Call Cleared
[REASONS]
03,,No route to dest
16,,Normal clearing
17,,User busy
18,,No user
19,,No answer
21,,Call rejected
34,,No cct
38,,Net oor
44,,Req cct not av
50,,Fac not sup
57,,Bearer not auth
58,,Bearer not avail
63,,Service not avail
88,,Incomp dest...
[EVENTS]
90,,ISDN Line State Change F%a -> F%s
[EVENTS]
82,,FTP Client Transfer [%c] Completed
[REASONS]
00,,Success
01,,File Not Transferred
02,,Error During Transfer
03,,Couldn’t Open File
[EVENTS]
91,,IKE Negotiation Failed
[REASONS]
1,,Retries Exceeded
2,,Inactivity
3,,Bad Packet
4,,No SA Found
5,,No Transform Selected
6,,No Password Available %c
7,,Rx Key Exchange Failed
8,,Rx Nonce Failed...
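The listing above uses the event block format from section 15.2.1 (<event code>,<priority code>,<description>). The following Python sketch is an added example, not Westermo code: it parses a LOGCODES.TXT-style file and reports the priority code carried by security-relevant events, so an entry such as a login or IKE failure with an empty priority field can be reviewed before relying on e-mail alerts. The sample text is constructed from entries in the listing; the watch-list keywords, and attaching each [REASONS] block to every event of the preceding [EVENTS] block, are assumptions.

```python
"""Parse a LOGCODES.TXT-style file and review priorities of security events."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: entries taken from the listing above, one per line.
SAMPLE_LOGCODES = """\
[EVENTS]
08,3,Login failure by %c: %e
[REASONS]
1,,x25
3,,Telnet
4,,v120
5,,IKE
[EVENTS]
09,6,Time set/changed %c
21,0,Telnet session closed
24,0,Anonymous FTP by %c
[EVENTS]
91,,IKE Negotiation Failed
[REASONS]
1,,Retries Exceeded
3,,Bad Packet
"""

# Assumption: description fragments an operator wants to be alerted on.
WATCHLIST = ("login failure", "anonymous ftp", "ike negotiation failed")

# <code>,<priority>,<description>; the priority field may be empty.
_ENTRY = re.compile(r"^(\d+)\s*,\s*(\d*)\s*,(.*)$")


@dataclass
class Event:
    code: int
    priority: Optional[int]  # None when the priority field is empty
    description: str
    reasons: Dict[int, str] = field(default_factory=dict)


def parse_logcodes(text: str) -> Dict[int, Event]:
    """Return {event code: Event}; raise ValueError on malformed input."""
    events: Dict[int, Event] = {}
    block: List[Event] = []  # events of the [EVENTS] block being read
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.upper() == "[EVENTS]":
            section, block = "events", []
            continue
        if line.upper() == "[REASONS]":
            if section is None:
                raise ValueError(f"line {lineno}: [REASONS] before [EVENTS]")
            section = "reasons"
            continue
        match = _ENTRY.match(line)
        if match is None or section is None:
            raise ValueError(f"line {lineno}: unexpected text {line!r}")
        code = int(match.group(1))
        prio = match.group(2)
        desc = match.group(3).strip()
        if section == "events":
            event = Event(code, int(prio) if prio else None, desc)
            events[code] = event
            block.append(event)
        else:
            # Assumption: reasons qualify every event in the current block.
            for event in block:
                event.reasons[code] = desc
    return events


def unprioritised(events: Dict[int, Event]) -> List[int]:
    """Event codes whose priority field was left empty."""
    return sorted(c for c, e in events.items() if e.priority is None)


def review(events: Dict[int, Event],
           watchlist: Tuple[str, ...] = WATCHLIST
           ) -> List[Tuple[int, Optional[int], str]]:
    """(code, priority, description) for events matching the watch list."""
    hits = []
    for code in sorted(events):
        event = events[code]
        if any(key in event.description.lower() for key in watchlist):
            hits.append((code, event.priority, event.description))
    return hits


if __name__ == "__main__":
    parsed = parse_logcodes(SAMPLE_LOGCODES)
    for code, prio, desc in review(parsed):
        shown = "(empty)" if prio is None else prio
        print(f"event {code:02d} priority {shown}: {desc}")
    print("no priority code:", unprioritised(parsed))
```

Compare the reported priority codes with the e-mail alert threshold configured on the unit to confirm the events you care about will actually generate a message.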
22 Email templates One of the principal features provided by the event log function is the ability to configure the unit to automatically generate and send an email alert message each time an event of a specified priority, or higher, occurs.
22.1.3 Body Section The body section may include any text. This text is parsed for any function calls that may be present. Function calls must be enclosed between “<%” and “%>”. These sequences are substituted by text resulting from the function call. The following functions may be used: Function Description TimeSmtp();...
23 Glossary 0 – 9 3DES Triple Data Encryption Standard ACFC Address Control Field Compression ADSL Asymmetric Digital Subscriber Line Advanced Encryption Standard Authentication Header AODI Always On Dynamic ISDN APACS The UK payments association Access Point Name Asynchronous Transfer Mode or Automatic Teller Machine BACP Bandwidth Allocation and Control Protocol Certifi...
GPRS General Packet Radio System Global Positioning System Generic Routing Encapsulation Global System for Mobile Communications HDLC High-Level Data Link Control HMAC Hash Message Authentication Code HSDPA High-Speed Downlink Packet Access ICMP Internet Control Message Protocol IGMP Internet Group Management Protocol Internet Key Exchange Internet Protocol IPSec...
Out Of Service OPNS Online PUK Negotiation Service PANS Polling Answering Service Packet Assembler/Disassembler Password Authentication Protocol Protocol Field Compression Protocol Identifier Personal Identity Number Point to Point Protocol PPPoE Point to Point Protocol over Ethernet PSDN Packet Switched Data Network PSTN Public Switched Telephone Network Power Up Key...
Transmission Control Protocol Terminal Endpoint Identifier Type Of Service TPAD Transaction Packet Assembler/Disassembler User Datagram Protocol UMTS Universal Mobile Telecommunications System VLAN Virtual Local Area Network Virtual Private Network VRRP Virtual Router Redundancy Protocol Wide Area Network WRED Weighted Random Early Dropping X.25 Over TCP 6620-3201...
E-mail : infos@westermo.fr E-mail: contact@ontimenet.com Westermo Data Communications Ltd Talisman Business Centre • Duncan Road Park Gate, Southampton • SO31 7GA Phone: +44(0)1489 580-585 • Fax.:+44(0)1489 580586 E-Mail: sales@westermo.co.uk Westermo Teleindustri AB have distributors in several countries, contact us for further information.