MB Connect Line mbNET MDH810 Manual
MDH810, MDH811, MDH814, MDH815, MDH816, MDH819, MDH830, MDH831, MDH834,
MDH835, MDH841, MDH849, MDH850, MDH855, MDH858, MDH859
MANUAL V3.3.6
EN
MDH800 – MDH859
23.03.2017


Summary of Contents for MB Connect Line mbNET MDH810

  • Page 2 No part of this document and its contents may be reproduced, used or distributed without the express permission of MB Connect Line GmbH. Damages will be claimed in the event of infringement. All rights reserved. By purchasing the mbNET router, you have chosen a product made in Germany.
  • Page 3: Table Of Contents

    Introduction, p. 8
    Brief description, p. 8
    Features, p. 8
    Prerequisites/components, p. 8
    Safety Instructions (English and French), p. 9
    Using Open Source Software, p. 11
    General Information, p. 11
    Special Liability Regulations, p. 11
    Used Open-Source Software, p. 11
    Technical Data ...
  • Page 4
    12.1 General, p. 43
    12.2 Configuring the industrial router for connection over the telephone network, p. 45
    12.2.1 Connecting and configuring the router, p. 46
    12.2.1.1 Connecting the router, p. 46
    12.2.1.2 Configuring the router using the web interface, p. 47
    12.2.2 Configuring a client (PC) to access the router ...
  • Page 5
    15.1 System – WEB, p. 95
    15.2 System – Users, p. 96
    15.2.1 General, p. 96
    15.2.2 Editing users, p. 96
    15.2.3 Adding users, p. 97
    15.2.4 Deleting users, p. 98
    15.3 System – Certificates, p. 99
    15.3.1 Personal certificates, p. 99
    15.3.2 Root certificate (CA) ...
  • Page 6
    17.4.5 Add PC/PG station, p. 144
    17.4.6 Configure mbNET PC station, p. 147
    17.4.7 Routing, p. 149
    17.5 Connecting to S7 using the mbNET S7 driver, p. 150
    Security settings, p. 152
    18.1 General, p. 152
    18.2 WAN>LAN, p. 153
    18.3 LAN>WAN ...
  • Page 7
    21.3 Digital outputs, p. 197
    Status messages, p. 198
    22.1 General, p. 198
    22.2 Status – Interfaces, p. 198
    22.3 Status – Network, p. 199
    22.3.1 Firewall, p. 200
    22.3.1.1 IN / OUT / FORWARD, p. 200
    22.3.1.2 NAT, p. 201
    22.4 Status – ...
  • Page 8: Introduction

    Introduction Brief description The mbNET industrial router offers you optimum flexibility and security, making remote communication with your systems both easy and secure. Thanks to its compact design, the mbNET router will fit into any switch cabinet, and with its multiple interfaces and drivers, is the perfect solution for integrating different control systems. The mbNET router is configurable using a web interface.
  • Page 9: Safety Instructions (English and French)

    Safety Instructions (English and French)
    - Only qualified specialist personnel may install, start up, and operate the router. The national safety and accident prevention regulations must be observed.
    - The router is built to the latest technological standards and recognized safety standards (see Declaration of Conformity).
  • Page 10 Safety instructions (French section, translated)
    - The router is built to the current state of the art and the recognized technical safety rules (see the Declaration of Conformity).
    - The router must be mounted in a dry location. No liquid may enter the router, as this could cause electric shocks or short circuits.
  • Page 11: Using Open Source Software

    € 10,00. Our offer to send the source code upon request ceases automatically 3 years after delivery of our product to the customer. Requests must be directed to the following address, if possible quoting the device serial number: MB connect line GmbH Fernwartungssysteme Winnettener Str. 6 91550 Dinkelsbühl...
  • Page 12: Technical Data

    Technical Data Page 12 of 226 Version: 3.3.5 – DR05 – 23.03.2017...
  • Page 13 General data
    Voltage V (DC): 10 – 30 V DC (external power supply or other SELV power supply source), rated 10 – 30 V DC, max. 40 A
    Power consumption: max. 1300 mA @ 24 V
    IP protection class: IP 20
    Area of application: dry environments, 0 – ...
  • Page 14 Optional interfaces
    WAN interface: 10/100 Mbit/s, full and half duplex operation, autodetection of patch / crossover cable
    Interface 1 (COM1): RS-232/485 (software switchable)
    Interface 2 (COM2): RS-232/485 (software switchable) or MPI/PROFIBUS, 12 Mbit/s, depending on the device
    SIM card slots: 2 pcs.
  • Page 15 Communication
    2100 (B1), 1900 (B2), AWS (B4), 850 (B5), 900 (B8) MHz HSxPA
    CDMA EVDO/1x: BC0, BC1, BC10; downlink max. 42 Mbps, uplink max. 5.76 Mbps
    1900 (B2), AWS (B4), 850 (B5), 700 (B13), 700 (B17), 1900 (B25) MHz; downlink max. ...
  • Page 16: What Is Included In The Package

    What is included in the package
    First, check that the following parts are in the product package:
    All devices: mbNET router, Quick Start Guide, straight-through Ethernet cable
    Router variants with analog modem: RJ11 plug, RJ10 to TAE adapter
    Router variants with GSM modem (3G, 4G): GSM antenna (SMA male)
    Router variants with WLAN modem: ...
  • Page 17: Displays, Controls And Connections

    Displays, controls and connections
    Front panel view (label / status / description):
    COM1 (function 1): LED off, serial interface COM1 not receiving data; LED on, serial interface COM1 receiving data.
    COM1 (function 2): LED off, serial interface COM1 not sending data; LED flashing, serial interface COM1 sending data.
    COM2: LED off, serial interface COM2 not receiving data. ...
  • Page 18: Top, Bottom And Back Panel Views

    Top, bottom and back panel views
    Top view: power supply connection 10-30 V DC; 0 V DC connection; digital inputs I4, I3, I2, I1 (10-30 V); fuse protection 10-30 V DC; 0 V DC connection; digital output A2; digital output A1
    Bottom view: MDH814, MDH819, MDH834, MDH849, ...
  • Page 19: Interfaces

    Interfaces
    Pinout of top panel terminal blocks X1 and X2: power supply connection 10 – 30 V DC; 0 V DC connection; digital inputs I1, I2, I3, I4 (10 – 30 V); fuse protection 10 – ...
  • Page 20: Pinout Of Front Panel Lan / Wan Ports

    Pinout of front panel LAN / WAN ports: signals on pins 1 to 8, two of them not connected. Pinout of front panel USB port: VCC (+5 V), -Data, +Data.
  • Page 21: First Time Operation

    First time operation. Connecting the router to the power supply and switching on. The router is designed for installation in switch cabinets and for mounting on top-hat rails (based on DIN EN 50022). Insert the router into the DIN rail: position the upper guide on the rail and then press the router downwards against the rail until it is fully inserted.
  • Page 22: Connecting The Router To A Configuration Pc

    Connecting the router to a configuration PC. Before configuring the router, connect it to the computer using the crossover cable supplied (1): connect one end of the cable to the router port labeled LAN and the other end to your computer's network card.
  • Page 23: How To Set Computer Address (Ip Address) And Subnet Mask In Windows 7

    How to set computer address (IP address) and subnet mask in Windows 7. To set the IP address, proceed as follows: first, select "Start" (1), then Control Panel from the Windows Start menu (2), and then click on Network Connections (3).
  • Page 24: How To Set Computer Address (Ip Address) And Subnet Mask In Xp

    How to set computer address (IP address) and subnet mask in XP. To set the IP address, proceed as follows: first, select Control Panel from the Windows Start menu (1) and then double-click on Network Connections (2). Right-click on Local Area Connection (3) and select Properties.
  • Page 25: Access The Web Interface Of The Router

    Access the web interface of the router. Proceed as follows: open your browser and enter the router's IP address in the address bar. The factory setting is 192.168.0.100. Log into the router using the following login data: □ Username: admin □... Change the factory-default credentials before the router is connected to a WAN or to any network other than the configuration PC.
  • Page 26: Cloudserver

    10.1 Cloudserver. If you selected "Cloudserver", the device fetches its configuration via CTM (Configuration Transfer Manager, see section 11.4). The following page will appear.
  • Page 27: External Router

    10.1.1 External Router. If you selected External Router, you will be redirected to the WAN settings. Label / Description. WAN type, DHCP: the router obtains connection information such as IP address and subnet mask via DHCP (Dynamic Host Configuration Protocol).
  • Page 28: External Dsl Modem

    10.1.2 External DSL Modem. If you selected DSL-Modem, you will be redirected to the PPP settings. Label / Description. PPP type, PPPoE: activates Point-to-Point Protocol over Ethernet, the protocol used for connections over ADSL. PPTP: activates Point-to-Point Tunneling Protocol, a tunneling-based transmission method. User / Password: enter the username and password for your point-to-point connection.
  • Page 29: Wlan

    10.1.3 WLAN. If you have selected "WLAN", you will see this screen. Label / Description. WLAN type, DHCP: the router obtains connection information such as IP address and subnet mask via DHCP (Dynamic Host Configuration Protocol).
  • Page 30: Cloudserver

    10.1.4 Cloudserver. Label / Description. Cloudserver list: Europe, Europe PRO, USA/Canada, USA/Canada PRO, or "User Defined". Cloudserver address/name: select the portal server to use here. Session key: if you set a session key when uploading the configuration file, enter that session key here.
  • Page 31: Start Screen Of The Mbnet

    10.1.5 Start screen of the mbNET. If you open your mbNET in your web browser, you get this screen. Here you can see the connection or network problems of the mbNET. To see more detailed information, click on the "I". Click on "Setup"...
  • Page 32: Classic Router

    10.2 Classic router. If you selected "Classic router", you will be directed to the following page, where a connection wizard launches to simplify network, Internet and VPN connection set-up of your mbNET router.
  • Page 33: Configuration Screen Of The Mbnet

    10.3 Configuration screen of the mbNET. On successful login you will be taken to the configuration interface home page. If you use the mbNET with WLAN (firmware 4.1), the screen differs slightly, as shown below.
  • Page 34: Basic Configuration Of The Router Using The Web Interface

    Basic configuration of the router using the web interface. 11.1 Web interface home page. The home page is designed to provide you with an at-a-glance view of the most important information on mbNET router access or status. The side (1) and top (2) navigation bars will provide the support you need when configuring the router.
  • Page 35: Icons, Buttons And Fields

    11.2 Icons, buttons and fields. In the rest of these operating instructions you will repeatedly encounter specific icons. These are listed and explained on the next page. Icon and field types / Description: Gray LED: connection inactive / cable or USB device disconnected. Green LED: connection active / cable or USB device connected.
  • Page 36: System Settings

    11.3 System settings Before configuring the mbNET industrial router for your particular application requirements, you need to implement some specific basic settings. Proceed as follows: On the navigation bar at the top bar on the web interface home page, click System Settings.
  • Page 37 Label / Description. Hostname: assign a name to the router. Host Description: to identify the device within a network, provide a meaningful description here. Date / Time (UTC): displays the current system time in Coordinated Universal Time (UTC). Local Date / Time: displays the time in the local time zone.
  • Page 38: Ctm (Configuration Transfer Manager)

    11.4 CTM (Configuration Transfer Manager). The CTM transmits the configuration over the Internet connection: the device receives its configuration as soon as it comes online. CTM has to be activated on the device for the configuration to be transmitted.
  • Page 39: Web

    11.5 Web. Label / Description. HTTP Port: specify the port on which the router's HTTP server is reachable. Important: if you change the port, the router can only be reached by appending the new port to the IP address in the browser's address line, e.g. 192.168.0.100:84. Enable HTTPS: checking this box activates the encrypted variant of HTTP (HTTPS -> ... Enable it before the interface is reachable from anything but the local configuration link; a non-standard HTTP port hides nothing from a port scan and is no substitute for HTTPS and strong credentials.
  • Page 40: Wlan Configuration

    11.6 WLAN Configuration. Network -> WLAN. Label / Description. Interface type, DHCP: settings are received via DHCP. Static IP: you set the settings manually.
  • Page 41 Label / Description. SSID: define your SSID. Authentication, OPEN mode: with this method every mobile station whose SSID matches can connect to the access point; the link is neither authenticated nor encrypted, so open mode is only acceptable for commissioning in an isolated environment. Some wireless clients offer the option ALL or ANY, which connects to any access point regardless of SSID.
  • Page 42 Operating band: select the operating band defined in the IEEE 802.11 standard. Legacy 11 B only: this is the oldest standard for radio networks. If your WLAN adapter supports newer standards such as 802.11g, use them instead. ...
  • Page 43: Description Of Different Connection Scenarios

    Description of different connection scenarios. 12.1 General. Now that you have completed basic configuration of the router (see previous pages), it needs to be connected via the appropriate connection type and configured using the web interface. A description of some basic connection scenarios follows. Choose the connection scenario that best applies to you and follow the instructions in the relevant section.
  • Page 44 Configuring the mbNET router for connection with a client PC via DSL Internet access, using a DSL modem (see section 9.4). Configuring the mbNET industrial router for connection to the Internet using another router (see section 9.5). Configuring the mbNET industrial router for VPN connection with a client (client – router) (see section 9.6).
  • Page 45: Configuring The Industrial Router For Connection Over The Telephone Network

    Configuring an mbNET industrial router for VPN connection to another mbNET router (router – router) (see section 9.7) 12.2 Configuring the industrial router for connection over the telephone network The following diagram shows how to connect the industrial router to a client over the public telephone network.
  • Page 46: Connecting And Configuring The Router

    12.2.1 Connecting and configuring the router. Before you begin: the router should be connected to a suitable power source, and the Power and Ready LEDs should be solid green. 12.2.1.1 Connecting the router. Analog connection (applies to device models MDH xx0) ...
  • Page 47: Configuring The Router Using The Web Interface

    12.2.1.2 Configuring the router using the web interface. On the web interface home page, click on Network – Modem. Note: not possible on the mbNET variant with WLAN (FW 4.1). Configuring the router – client connection over the telephone network. For more detailed information on the Network – Modem settings, please see the corresponding section. Label / Description ...
  • Page 48 SIM PIN (GSM only): if required, you can enter the SIM card PIN here. However, the device will also work without SIM card PIN protection. Provider (GSM only): you can select your mobile broadband provider here. If it does not appear, select "Other"...
  • Page 49 Label / Description. Internet connection: select either Internet via modem or Internet via WAN. Save your changes by clicking Save Changes. Click on System – User and add a user with dial-in rights. For further notes on adding users and assigning specific rights, please see section Adding users...
  • Page 50: Configuring A Client (Pc) To Access The Router

    Configuring the router – client connection over the telephone network (continued). 12.2.2 Configuring a client (PC) to access the router. You can connect directly to the router, and to a remote network, using a telephone line. Router access must first be correctly configured as described above.
  • Page 51 Configuring the router – client connection over the telephone network (continued). Now give your connection a name, then click NEXT. Enter the telephone number of your remote station (the number that reaches the industrial router) ...
  • Page 52: Establishing A Connection Between The Client Pc And The Industrial Router

    Configuring the router – client connection over the telephone network (continued). 12.2.3 Establishing a connection between the client PC and the industrial router. Double-click on the connection that you created following the instructions in the previous section. In this window, enter the user name and password that you created previously when configuring the modem.
  • Page 53: Configuring The Industrial Router For Connection Via The Internet

    12.3 Configuring the industrial router for connection via the Internet. The following diagram shows how to connect the industrial router to a client computer via the Internet. The client is a computer with a modem connection. (Diagram placeholder addresses: 77.180.121.116, 123.456.789.21.) 12.3.1 Connection and configuration of the router. Before you start, make sure that the router is connected to a suitable power source and the Power and Ready LEDs are solid green.
  • Page 54: Configuring The Router - Client Connection Over The Telephone Network

    Configuring the router – client connection over the telephone network. 12.3.1.2 On the web interface home page, click on Network – Modem. For a detailed description of the Network – Modem settings, please see section "Network – Modem". Label / Description. ANALOG: if using an analog device, enter the command +GCI=country code (for country codes, see...
  • Page 55 Please note: the Internet-by-Call providers change their prices often. MB Connect Line cannot be held responsible for any price changes. Now click on Network – Internet and enter the following settings. Label / Description. Internet Connection: from the drop-down field, select the setting Internet via WAN. Connection Mode...
  • Page 56: Router Internet Dial-In

    As the router IP address changes each time it dials in to the Internet, there is an alternative, which is to use our DynDNS service. For information on setting up and using the MB Connect Line DynDNS service, please see section 12.3.3 Network – DynDNS...
  • Page 57: Configuring The Industrial Router For Connection To The Internet Using A Dsl Modem

    12.4 Configuring the industrial router for connection to the Internet using a DSL modem. The picture below shows how to connect the mbNET industrial router to a client PC over the Internet, using a DSL modem. The client needs to use an existing Internet connection, or to set one up. (Diagram placeholder addresses: 123.456.789.21, 77.180.121.116.) 12.4.1...
  • Page 58: Configuring The Router Using The Web Interface

    You can also choose whether the mbNET should send you an email, use a dynamic DNS service, or be accessible over the Internet via MB Connect Line's DynDNS. Confirm and save your entries. Finally, the mbNET must be restarted to fully implement the settings.
  • Page 59 Configuring for connection over the Internet (continued). From the web interface home page, click Network – Internet. The following site should be displayed. For a detailed description of the Network – Internet settings, please see section "Network – Internet". Label / Description...
  • Page 60: Establishing A Connection Between Client Pc And Router

    As the router IP address changes each time it dials up to the Internet, a helpful alternative is to use our DynDNS service. For information on setting up and using the MB Connect Line DynDNS service, please see section 12.4.3 Network – DynDNS...
  • Page 61: Configuring The Industrial Router For Connection To The Internet Via An Existing Router

    12.5 Configuring the industrial router for connection to the Internet via an existing router The diagram below shows how to link the industrial router up to a network which already has a router that is set up for connection to the Internet. The existing router must first be assigned the right settings. This mbNET operating mode is particularly useful if you need to set up a connection between the industrial...
  • Page 62 Configuring the router for connection to the Internet via an existing router. For a detailed description of the Network – WAN settings, please see section "Network – WAN". Label / Description. Interface Type: as in the example shown, select Static IP. This setting also requires a DNS server (see Network – DNS server).
  • Page 63 Configuring the router for connection to the Internet via an existing router. On the web interface home page, click on Network – Internet. The following screen will be displayed. Follow the instructions on the subsequent pages. For a detailed description of the Network – Internet settings, please see section...
  • Page 64: Configuring The Industrial Router For Vpn Connection To A Client

    12.6 Configuring the industrial router for VPN connection to a client. Setting up a virtual private network avoids the cost of a fixed line between two or more LANs and protects data transfer over the untrusted Internet. A tunneling protocol sets up a protected connection called a VPN tunnel. Note that the PPTP tunnels configured in this chapter rely on MS-CHAPv2 and MPPE, which are widely regarded as cryptographically weak; where the device and the peer support it, prefer the IPsec or OpenVPN modes referred to in the certificate chapter.
  • Page 65: Connecting And Configuring The Router

    Configuring the router for VPN connection to a client. 12.6.1 Connecting and configuring the router. 12.6.1.1 Connecting the router. A VPN connection first requires that the router has an Internet connection in place. For instructions on how to configure the router for connection to the Internet, refer to the connection scenarios already described above, based on the connection mode required.
  • Page 66 Connection-Wizard 12.6.1.3.1 The connection wizard helps you to configure your connections quickly and easily. To launch the wizard, click on the Wizards link at the top right of your browser. If you have disabled the autolaunch function for wizards, click on the Start button for the VPN connection wizard.
  • Page 67 Label Description Enable To enable the connection, check the box by clicking on it. If you select “yes” here, the PPTP server will be configured using the mbNET’s LAN ad- Auto config dress. This setting needs to be tried out first. You should only enter your PPTP server set- tings manually if there is an address conflict.
  • Page 68: Configuring A Client Pc For A Vpn Connection To The Router

    Setting up the router for a VPN connection (continued). 12.6.2 Configuring a client PC for a VPN connection to the router. To proceed with set-up, the client PC must have an existing Internet connection. For information on setting up a client PC, please see section Configuring a client (PC) for router access ...
  • Page 69 Note: the example in Figure 86 uses an IP address assigned by the ISP. For information on setting up and using the MB Connect Line DynDNS service, please see section Network – DynDNS. When entering the router's IP address, make sure that you always enter the current IP address (the IP address changes every time the router connects to the Internet).
  • Page 70: Setting Up A Vpn Connection Between Client Pc And Router

    Setting up the router for a VPN connection (continued). 12.6.3 Setting up a VPN connection between client PC and router. 12.6.3.1 Router Internet dial-in. Depending on the connection mode, the router must be configured for Internet access, connected to the Internet, and accessible via its IP address.
  • Page 71: Configuring A Connection Between Two Routers Via Vpn Pptp

    Setting up the router for a VPN connection (continued). The client PC will display a flashing screen icon once the router is connected. You can display the connection properties by right-clicking on the icon. On a PC connected to the router, clicking Status on the sidebar and VPN-PPTP...
  • Page 72: Settings For Connecting Two Industrial Routers - Pptp - Server

    Settings for connecting two industrial routers – PPTP – server. 12.7.1 Note: not possible with the mbNET variant with WLAN (FW 4.1). □ From the home page navigation bar on the left, click the relevant entry, and on the navigation bar at the top click PPTP. □...
  • Page 73 Label Description Enable To enable the connection, check the box by clicking on it. Selecting “yes” means that the mbNET’s local network range and IP address will be used. Autoconfig By selecting „no“, you can enter this information manually. Local IP address or This is the PPTP server address Range Remote IP address or...
  • Page 74: Settings For Connecting Two Industrial Routers - Pptp-Client

    12.7.2 Settings for connecting two industrial routers – PPTP client. Clicking on the green plus sign on the far right will open the following configuration screen. □ Name: enter a name of your choice for the connection. □ Host Name or IP: enter the public address or DynDNS name for the PPTP server.
  • Page 75 Label / Description. Enable: to enable the connection, check the box by clicking on it. Name: assign a name to the client; in the example we used PPTPclientConnection. Host name or IP: enter the name or IP address that the client uses to contact the server; in the example, this is 123456789@mbNET.mymbnet.biz...
  • Page 76: Creating Certificates And Revocation Lists Using Xca

    Creating certificates and revocation lists using XCA. 13.1 Certificates overview. Any subscriber communicating over a VPN connection needs 2 certificates. One certificate must be signed by a CA (Certificate Authority). Each subscriber must have the CA certificate plus a "server" or "client" certificate. In our case: ...
  • Page 77: Creating Certificates

    13.2 Creating certificates. Christian Hohnstädt's free, open-source XCA program is useful for creating certificates. Using this program makes it easy to create X.509 certificates as well as the necessary private keys. You can download the program from http://sourceforge.net/projects/xca free of charge, and install it in Windows in the usual way (run the .exe file).
  • Page 78: Creating A Root Certificate

    13.2.1 Creating a root certificate. To create a root certificate, click on the "Certificates" tab and open the following dialog box by clicking "New Certificate". 13.2.1.1 Root certificate source. The manual first changes the signature algorithm to MD5 so that the certificate is compatible with the mbNET. Be aware that MD5 signatures are cryptographically broken (collision attacks are practical) and are refused by current TLS stacks at their default security level; use SHA-256 unless the installed firmware genuinely rejects it, and treat such a rejection as a reason to update the firmware rather than to weaken the PKI. Then you can go straight to the "Subject" ...
  • Page 79: Root Certificate Subject

    13.2.1.2 Root certificate subject. In the "Subject" tab, fill in the fields from "Internal Name" through "email address". For VPNs using IPsec, Subject settings can later be used as an ID (cf. section Authentication). Next, create a private key by clicking on "Generate a new key". Please do not use accents (e.g. ...
  • Page 80 Select key type RSA. You can select any key size and any name. The longer the key, the more secure the encryption, but also the more processing power required; 2048 bits is the accepted minimum for RSA today, and shorter keys should not be used even if the device accepts them.
  • Page 81: Root Certificate Extensions

    13.2.1.3 Root certificate extensions In the “Extensions” tab you will find the settings for certificate type and validity. Basic constraints Type = Certificate Authority (CA) Check the box labeled Critical and Key identifier Check the box labeled Subject Key Identifier Validity You can enter a specific start and end date in the relevant fields or use the adjacent Time Range field.
  • Page 82 Subject alternative name The subject alternative name is a list of alternative names for the certificate holder. These can be RFC822 names (email), DNS names, X.400 addresses, EDI names, URIs or IP addresses. In principle, any structured naming system is applicable. If using PKIX, this extension is essential when the certificate subject field is empty. Issuer alternative name For issuer alternative names, the same applies as for subject alternative names.
  • Page 83: Root Certificate Key Usage

    13.2.1.4 Root certificate key usage. In the "Key usage" tab you will find the key usage and extended key usage options. Neither extension should be marked critical, i.e. leave the boxes labeled Critical unchecked. To create a root certificate, select the following values in the left-hand column: ...
  • Page 84: Creating A Client Certificate

    13.2.2 Creating a client certificate. To create a certificate signed by this CA, in the "Certificates" tab, highlight the root certificate that you just created, and click again on "New Certificate". The following dialog appears.
  • Page 85: Client Certificate Source

    13.2.2.1 Client certificate source. First select the root certificate as the one to be used as signatory; it is already preselected here because it was highlighted before clicking "New Certificate". The manual again sets the signature algorithm to MD5; the same caveat as for the root certificate applies, so prefer SHA-256 wherever the firmware accepts it.
  • Page 86: Client Certificate Subject

    13.2.2.2 Client certificate subject Once again, assign the client certificate details, from internal name through email address. Then generate a key for the client certificate. It is recommended that the key should be the same size as the one for the root certificate.
  • Page 87: Client Certificate - Extensions

    13.2.2.3 Client certificate – Extensions. As your client certificate does not need to sign any other certificate, select End Entity as the certificate type. Basic constraints: Type = End Entity. Key identifier: check the box labeled Subject Key Identifier. Validity: you can enter a specific start and end date in the relevant fields or use the adjacent Time Range field.
  • Page 88: Client Certificate - Key Usage

    Subject alternative name The subject alternative name is a list of alternative names for the certificate holder. These can be RFC822 names (email), DNS names, X.400 addresses, EDI names, URIs or IP addresses. In principle, any structured naming system is applicable. If using PKIX, this extension is essential when the certificate subject field is empty. Issuer alternative name For issuer alternative names, the same applies as for subject alternative names.
  • Page 89: Client Certificate - Netscape

    13.2.2.5 Client certificate – Netscape. For additional security you can also select the SSL Server or SSL Client option for your VPN subscribers according to their role (client or server). OpenVPN can then check that the certificate presented by the peer was issued for that role (the ns-cert-type / remote-cert-tls check), so that a stolen client certificate cannot be used to impersonate the server. This option can also be enabled on the mbNET.
  • Page 90 Now the certificates need to be published by highlighting the relevant ones in the “Certificates” tab and then clicking “Export”. In the menu below, you can specify the save location for the certificate on your computer, and also the file format.
  • Page 91: Generating Crl-Files (Certificate Revocation Lists)

    As your client is to be authenticated by the client certificate, it also needs the private key for this certificate. As shown in Figure 112, export the client certificate using export format PKCS #12 with Certificate chain. When you click OK, the client certificate will save to the location that you specified above.
  • Page 92 To export, proceed as follows: In the “Revocation lists” tab you now see the revocation list that you just created. Highlight it, and click “Export”. Select .pem as the export format. Choose a suitable save location, then confirm with OK. You can now import the list System ...
  • Page 93: Importing Certificates In Windows Xp

    Importing certificates in Windows XP To import finished certificates, you need to set up what is known as a Certificate Management Console. To do this, click “Start” -> “Run” and type in “MMC”. Then click on “File – Add/Remove Snap-in” and in the next screen, select “Add”.
  • Page 94 p12 file and then click Next. In the next screen, select “Automatically select the certificate store based on the type of certificate”. When you click “Finish” the relevant certificates will import. No further certificate imports are required. The CA certificate is automatically imported. Nor is it necessary to save the console.
  • Page 95: System Settings

    System settings The most important system settings have already been outlined above in System Settings. A more detailed explanation of additional system settings is given below. 15.1 System – WEB Using HTTPS (Hypertext Transfer Protocol Secure; recognizable by https://... in the browser address bar) encrypts the connection between web browser and web server.
  • Page 96: System - Users

    15.2 System – Users 15.2.1 General With user management you can: give users access rights to web interface administration and to modem or VPN dial-in; edit or delete existing users, or add new users. 15.2.2 Editing users To edit a user, proceed as follows: Select System and then Users.
  • Page 97: Adding Users

    15.2.3 Adding users To add a user, proceed as follows: In the navigation bar on the left, select System and then Users. In the first row of input fields, enter the username, password and full name of the user. Please note: All three fields must be completed, otherwise you will receive an error message when you save.
  • Page 98: Deleting Users

    15.2.4 Deleting Users To delete a user, proceed as follows: In the navigation bar on the left, select System and then Users. Select the row that contains the user name, password and so on, and click the Delete icon. To apply the settings to the router permanently, click Apply Changes. You will now no longer be able to log in or authenticate this user via the web interface, modem or...
  • Page 99: System - Certificates

    15.3 System – Certificates A key component of VPN connections with IPSec or OpenVPN is the trust relationships between two or more communications peers. Authentication settings are made during configuration, as explained in the section Authentication. For secure communication, authenticity needs to be verified. Certificates help to ensure also that the right peers are communicating with each other.
  • Page 100 Import new certificates: Choose PKCS12 file: certificate file selection (PKCS12 file). Browse: provides file path for certificate file. Name for this certificate (optional): optional entry of a name for the certificate file. Password: certificate password entry. The certificate must have been assigned a password when it was created, otherwise it will not import.
  • Page 101: Root Certificate (Ca)

    15.3.2 Root certificate (CA) A root certificate verifies whether the remote station certificate is also signed by the root certificate. If the authentication method in the VPN settings is set to “Authentication by certificate from CA”, this root certificate must then be imported. The entry in the root certificate is used to confirm that the person dialing in has a valid certificate.
  • Page 102: Peer Certificates (Ipsec)

    15.3.3 Peer certificates (IPSec) Peer certificates are remote station certificates. They are only needed if “Authentication by peer certificate” is selected in the VPN settings. In this situation the existence of a local copy of the certificate is confirmation of its validity.
  • Page 103: Crl

    15.3.4 CRL The Certificate Revocation List (CRL) is used to verify whether or not the computers dialing in hold valid certificates. The CRL contains the serial numbers of certificates that should be blocked. So if you wish to withdraw someone’s dial-in access rights to the router or the PLC behind it, you just need to create a CRL. XCA makes this easy.
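The decision the router has to make with a root CA and a CRL, as an added Python example that is not the mbNET firmware's code: the certificate and CRL records are constructed sample data, and cryptographic signature verification of certificate and CRL is assumed to have been done already by the VPN stack, so the code only applies the trust, validity and revocation logic described in 15.3.2 and 15.3.4, including the stale-CRL case.

```python
"""Trust, validity and revocation checks for a peer dialing in with a certificate.

Added example, not the mbNET firmware: it models the decision described for
the root certificate (15.3.2) and the CRL (15.3.4). All records below are
constructed sample data; signature verification of certificate and CRL is
assumed to have been done already by the VPN stack and is not repeated here.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Certificate:
    serial: int           # unique per issuing CA; this is what a CRL entry refers to
    subject: str
    issuer: str           # subject of the CA that signed this certificate
    not_before: datetime
    not_after: datetime
    is_ca: bool = False   # basicConstraints: an End Entity certificate has CA=False


@dataclass(frozen=True)
class RevocationList:
    issuer: str
    this_update: datetime
    next_update: datetime              # after this point the list is stale
    revoked_serials: FrozenSet[int]


def check_peer(peer: Certificate, root_ca: Certificate,
               crl: Optional[RevocationList], now: datetime) -> Tuple[bool, str]:
    """Return (accepted, reason) for a peer presenting `peer`.

    Order matters: a certificate from a foreign CA is rejected before its serial
    is looked up, because serial numbers are only unique per issuer.
    """
    if not root_ca.is_ca:
        return False, "configured root certificate is not a CA"
    if peer.issuer != root_ca.subject:
        return False, "certificate was not signed by the configured root CA"
    if peer.is_ca:
        return False, "a CA certificate may not be used as an end-entity certificate"
    if not (peer.not_before <= now <= peer.not_after):
        return False, "certificate is outside its validity period"
    if crl is not None:
        if crl.issuer != root_ca.subject:
            return False, "CRL was not issued by the configured root CA"
        if now > crl.next_update:
            # A stale CRL says nothing about recent revocations; a router that
            # guards a PLC should fail closed rather than guess.
            return False, "CRL is past its next_update; refusing to decide on stale data"
        if peer.serial in crl.revoked_serials:
            return False, f"serial {peer.serial} is listed on the CRL"
    return True, "accepted"


def revoke(crl: RevocationList, serial: int, now: datetime,
           lifetime: timedelta = timedelta(days=30)) -> RevocationList:
    """Publish a new CRL that additionally lists `serial` (the step XCA performs
    when you create a CRL after revoking a certificate)."""
    return RevocationList(crl.issuer, now, now + lifetime,
                          crl.revoked_serials | {serial})


# --- constructed sample data ---------------------------------------------------
T0 = datetime(2017, 3, 23, tzinfo=timezone.utc)   # the manual's date, used as "now"
STALE_TIME = T0 + timedelta(days=60)               # later than EMPTY_CRL.next_update
CA_NAME = "CN=mbNET Root CA"
ROOT = Certificate(1, CA_NAME, CA_NAME, T0 - timedelta(days=365),
                   T0 + timedelta(days=3650), is_ca=True)
TECH = Certificate(42, "CN=service-laptop", CA_NAME,
                   T0 - timedelta(days=30), T0 + timedelta(days=335))
EXPIRED = Certificate(7, "CN=old-laptop", CA_NAME,
                      T0 - timedelta(days=800), T0 - timedelta(days=70))
FOREIGN = Certificate(42, "CN=service-laptop", "CN=Some Other CA",
                      T0 - timedelta(days=30), T0 + timedelta(days=335))
EMPTY_CRL = RevocationList(CA_NAME, T0 - timedelta(days=1), T0 + timedelta(days=29),
                           frozenset())

if __name__ == "__main__":
    print(check_peer(TECH, ROOT, EMPTY_CRL, T0))                 # accepted
    print(check_peer(TECH, ROOT, revoke(EMPTY_CRL, 42, T0), T0))  # on the CRL
    print(check_peer(TECH, ROOT, EMPTY_CRL, STALE_TIME))          # stale CRL
```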
  • Page 104: System - Usb

    15.4 System - USB You can connect a USB device (flash or external drive) to the industrial router’s USB port and make this available to network users as an additional drive. To set up the USB port, select System on the navigation bar on the left and USB on the navigation bar at the top.
  • Page 105: Firmware Version 4.X

    15.4.1 Firmware Version 4.x Because Samba is no longer included as of firmware V 4.x, you can only access the USB device via SFTP. Active: Check this box if you want the mbNET to mount the USB device. SFTP-User: Please enter a valid SFTP user. SFTP-Password: Please enter the password for the SFTP user.
  • Page 106: System - Logging

    15.5 System - Logging System logging for the mbNET can be outsourced to another computer by using a log server. Set debug output to syslog: Output debug info to the syslog. Log also to USB-Device: The logs are also saved to a USB device. To enable a log server, place a check in the box by clicking on it.
  • Page 107: System - Configuration

    15.6 System - Configuration Using this menu, you can both backup and restore a system configuration. The configuration can be saved e.g. to a connected USB drive before making major changes, and if necessary, restored onto the industrial router. Label Description Backup Configuration...
  • Page 108 Encrypt passphrase: Define a passphrase for the config file. Repeat encrypt passphrase: Retype the passphrase which you just entered. Restore Configuration: To restore a configuration, the stored file containing the router configuration must be restored, i.e. transferred back on to the industrial router. Saved config file (*.mbn, *.mbns): To perform a restore, first click Browse, then browse to the file location or...
  • Page 109: System - Firmware

    15.7 System – Firmware There are two ways to update the industrial router’s firmware; both are described on the following page. 15.7.1 Upgrade via USB This requires a USB storage device to be connected to the industrial router so that the file can be transferred across.
  • Page 110: Upgrade Via Network

    15.7.2 Upgrade via Network In this case you need to enter the IP address of a TFTP server, and the firmware name, in this case image.bin. Before the upgrade can start, the “tftpd32” tool must be launched. You can download this free of charge at http://tftpd32.jounin.net/ Once you launch the tool, enter the following settings in the “DHCP server”...
  • Page 111: Network

    Network 16.1 Network – LAN LAN configuration allows you to configure the router IP address (LAN address) and subnet mask. This is the IP address used for accessing the router from the LAN. Interface: To set up the LAN interface, click on the tab. LAN IP address: Enter the router IP address.
  • Page 112: Network - Wan

    Network – WAN 16.2 The industrial router’s WAN interface can connect a local network with a remote network, or with a public network like the Internet. Therefore the WAN interface is configured according to how it will be used. Label Description You can select from the following interface types: DSL:...
  • Page 113 Network – WAN (continued) When selecting interface type, choosing DSL also requires you to select one of the following options: PPPoE: Select this option if your ISP requires a PPPoE (Point to Point Protocol over Ethernet) connection. A lot of modems are set to this option. The external IP address that a remote station uses to access the router is specified by the ISP.
  • Page 114: Network - Modem

    16.3 Network – Modem Notice: Not valid for mbNET variants with WiFi (FW 4.1) 16.3.1 Network – Modem – Incoming The industrial router’s integrated modem is for dial-in or Internet connection (analog, ISDN, GSM) where there is no available DSL or network connection. NOTE: If the modem is used for an outgoing Internet connection, it cannot be used for an incoming connection.
  • Page 115 Incoming: You need to enable this option for the router to handle incoming dial-in or ISDN connections. Dial-in enable: You need to enable this function by checking the box so that a client computer can access the router. You need to enter the router IP address here.
  • Page 116: Network - Modem - Outgoing

    16.3.2 Network – Modem – Outgoing The following settings relate to the outgoing connections of the modem. If you would like to call multiple terminals, set this option to “yes”. You will then see three more fields where you can enter numbers that will be dialed on receipt of a signal at digital inputs 2 to 4.
  • Page 117 Authentication via: Use the default setting for the authentication protocol. In principle this is preset when a dial-up connection is set up. The same applies to the second “Authentication via” field.
  • Page 118: Menu Settings Sms

    16.3.3 Menu settings SMS First, we need to specify a primary SIM card, which will always be verified or used first. The secondary SIM card is always the non-primary one. Switching is based on two (selectable) criteria: the SIM card fails to initialize, or to register on the cellphone network; ...
  • Page 119 Select primary SIM card: Choose the primary SIM card (SIM 1 or SIM 2). Switch to secondary SIM card if roaming is detected: On / Off. Switch to secondary SIM card when there is a failure with the primary SIM card: On / Off. Remotely control services via SMS: Enable Service Control via SMS...
  • Page 120: Network - Modem - Callback

    Network – Modem – Callback 16.3.4 The settings below apply to the call back function. This function triggers Internet dial-in remotely via a telephone or dial-up connection. It must be set up so that the Internet connection will be established via WAN or modem. Note that call back does NOT work with UMTS-enabled devices.
  • Page 121: Network - Modem - Sms

    16.3.5 Network – Modem – SMS Enable Service Control via SMS: This function enables the use of service control via SMS. Check the Phone: This ensures that the mbNET only accepts SMS commands from a specific number. Then enter the sender’s cell number in “Senders Phone Number”...
  • Page 122: Remote Service Control Commands Using Sms

    16.3.6 Remote service control commands using SMS INET START or INET STOP: This controls the industrial router’s Internet connection. Note that you can only control an Internet connection that is active and has been established by the industrial router. ...
  • Page 123: Network - Internet

    16.4 Network – Internet Router Internet dial-in is dependent on connection type and on the appropriate configuration of specific settings. 16.4.1 Network – Internet – Internet Connections The following options are available in the drop-down menu: internet via WAN (external Router, fixed line): Select this setting if the mbNET does not create the internet connection automatically.
  • Page 124: Network - Internet - Internet Settings

    16.4.2 Network – Internet – Internet Settings Keep connection: Select this setting if the router should try to connect to the Internet immediately after restarting or after pressing the RESET button on the front of the router. Important: with this setting, the connection will stay on ...
  • Page 125 Internet settings – Settings The Settings tab is only displayed if Internet connection via WAN or modem has been selected along with On demand for the connection mode. The following settings options will be displayed: Connect on traffic: To connect to the Internet when a data packet is sent, check this box. In other words, an Internet connection will be established if the LAN is trying to contact a subscriber outside of the LAN.
  • Page 126: Internet Failover Connection

    16.4.3 Internet failover connection Firmware versions 3.x.x and higher have an optional failover function for the Internet connection.
  • Page 127 First you need to switch on this function. In the table below, you can select a priority order for the Internet interfaces. The order and number of interfaces are freely definable. The “Retry interface before switch to next interface” parameter specifies how many times an Internet connection should be allowed to fail before switching to the next interface.
  • Page 128 You can enter up to three different IP addresses which will then be run through in the following order. If the first IP fails, the second will be used. If this one also fails, the third will be used and once all three have been run through, a test will be carried out.
  • Page 129 In addition, routers with a GSM/UMTS module and double SIM slot can switch between SIM1 and SIM2. First, we need to specify a primary SIM card, which will always be verified or used by default. The secondary SIM card is always the non-primary one. Switching is based on two (selectable) criteria: ...
  • Page 130: Network - Dhcp

    16.5 Network – DHCP You can configure the industrial router as a LAN or WAN DHCP server. DHCP enables you to integrate a new computer into an existing network without the need for any additional configuration. The only requirement is for the computer to be set up to acquire the IP address automatically.
  • Page 131: Network - Dns Server

    Network – DNS server 16.6 DNS is used to resolve IP addresses to names. The factory settings on the industrial router are configured so that the DNS server is assigned by the ISP. If you have a permanent industrial router connection, you can add a private DNS server here.
  • Page 132: Network - Hosts

    A built-in DynDNS service is included with firmware versions 1.4.0 and higher. This DynDNS service is operated by MB Connect Line. No log in or registration is required. To use a public version of the DynDNS service you first need to register. Registration is usually free, and should not be particularly complicated.
  • Page 133 MB Connect Line DynDNS Service: This option enables MB Connect Line’s automatic DynDNS service. The name structure is fixed in this case, and can only be freely defined on one host: Name: Serialnumber.Hostname.mymbnet.biz The serial number is fixed and the host name can be anything you choose.
  • Page 134: Serial Interfaces

    Host Name: Enter the name that you assigned to the industrial router for the DynDNS service. This field is for whenever the industrial router name changes, e.g. after a new Internet dial-in. Interval[s]: Enter the time interval after which the industrial router will inform the DynDNS provider of the new IP address.
  • Page 135: Rs232/485 Serial Interfaces

    17.2 RS232/485 serial interfaces
  • Page 136: Mpi/Profibus Interface

    Serial interfaces (continued) COM 1: Configuration options for the COM1 interface. The settings that follow apply only to this interface. Interface Type: Use this drop-down field to set the interface type for COM1. The options are as follows: RS232, RS485 2-wire, RS485 4-wire, RS422. Driver from list: Select a product/brand-specific driver to control your serial device.
  • Page 137 Communication with S7 via VCOM-LAN2 (PC adapter in SIMATIC Manager), RFC1006, or the mbNET S7 driver (direct installation in SIMATIC Manager). VCOM-LAN2/PC adapter: If you select “VCOM-LAN2/PC adapter”, the PG/PC interface must be installed on a PC adapter (MPI/PROFIBUS). MPI/PROFIBUS Baud rate: For bus speeds higher than 1.5 Mbit/s this must be manually assigned.
  • Page 138: Redirecting Serial Interfaces To Your Pc (Vcom Lan2)

    PC. Dispensing with separate driver installation and using the “TCP/IP (Auto)” option with a PG/PC interface is only possible if the RFC1006 option is enabled. Instructions on this are available on our website support pages under the heading “RFC1006”. RFC1006 uses TCP port 102. Enable RFC1006: You can select to enable the RFC1006 protocol here.
  • Page 139 With firmware version 2.0 and higher, the RxD2 LED lights up when an MPI or PROFIBUS connection is established, and the TxD2 LED flashes when data is being transferred over either of these connections. COM 7 <> COM 1 COM 8 <>...
  • Page 140: Settings For Simatic Manager

    17.3.1 Settings for Simatic Manager If you wish to set up a connection to a Siemens control system, you first need to verify the settings in Simatic Manager by selecting Extras -> Set up PG/PC interface, choosing PC adapter (PROFIBUS) or PC adapter (MPI), and then clicking on Properties.
  • Page 141: Settings For Netpro Step 7

    17.4.1 Settings for NETPro Step 7 Launch the NETPro application in Simatic Manager. 17.4.2 Create subnets Create a “PROFIBUS” and an “Industrial Ethernet” subnet.
  • Page 142: Add Pc Station

    17.4.3 Add PC station Following step 2.1 you need to add a PC station. You can skip steps 2.2 to 2.3 if you are using the “NETPro” Import function. A pre-configured mbNET station is available as an annex to these instructions.
  • Page 143: Configure Pc Station

    17.4.4 Configure PC station This “PC Station” requires the integration of a “CPU 412-2 PCI (6ES7 612-2QH00-0AB4 V3.4)”, found by selecting “Simatic PC Station -> Controller -> CPU412-2 PCI”, and an “IE_CP V6.2.1 (IE General)”, found by selecting “Simatic PC Station -> CP-Industrial Ethernet -> IE General -> IE_CP SW V6.2 SP1”.
  • Page 144: Add Pc

    17.4.5 Add PC/PG station Now you need to add a PC/PG station.
  • Page 145 Double clicking on “PG/PC Station” opens the Properties window for this. Here, you need to add this interface by selecting “Interfaces -> New …-> Industrial Ethernet“. This opens a window where you need to make the “Industrial Ethernet” settings for the PC. Specify the PG/PC subnet mask and IP address here.
  • Page 146 After assigning your chosen interface, the window should look like this. S7ONLINE access must be set to “Active”. The subnet “Industrial Ethernet” is now linked with the PG/PC.
  • Page 147: Configure Mbnet Pc Station

    17.4.6 Configure mbNET PC station To configure this “PC Station” (in this case: mbNET), double-click on “IE General”. Click on “Properties” to set the interface parameters. Enter the IP address and subnet mask here. The IP address and subnet mask must be the same as those entered in the mbNET LAN settings.
  • Page 148 If everything has worked as it should, then “TCP/IP (Auto) -> xxx” (network card) will appear in the bottom border of the screen as “PG/PC interface”. It is recommended at this stage to assign a bus address (in this case, MPI) to the PC station and link this with the subnet. Finally, a CPU of your choice can be added to the relevant subnet.
  • Page 149: Routing

    17.4.7 Routing For the station to be able to contact a subscriber from another (slave) network (see picture), you need to make the following settings. In the mbNET settings, enable RFC1006 routing and enter the station address of the (master) routing gateway.
  • Page 150: Connecting To S7 Using The Mbnet S7 Driver

    17.5 Connecting to S7 using the mbNET S7 driver Alternatively, the licensed mbNET S7 driver can be used. Once installed, this is directly available as an adapter in Simatic Manager.
  • Page 151 The router settings for this must be as shown below. RFC1006 can be operated in parallel with this.
  • Page 152: Security Settings

    Security settings 18.1 General The industrial router has an integrated firewall to protect against third-party and unauthorized access and connection attempts. Incoming and outgoing data traffic is checked, logged and allowed or denied via this firewall. The firewall can generally be configured with one of the following three settings: ...
  • Page 153: Wan>Lan

    Security settings (continued) 18.2 WAN>LAN This setting governs the incoming data traffic, i.e. the following settings only apply to data traffic arriving from outside the network. “WAN” is always the currently active interface with the Internet as far as the mbNET firewall is concerned. The following rule is determined by the setting under “Network –...
  • Page 154 Edits the settings in the current line. Deletes entries in the current line. Accepts a new rule. Temporarily saves the created rule. Changes the order of the created rules.
  • Page 155: Lan>Wan

    18.3 LAN>WAN This setting governs the outgoing data traffic, i.e. the following settings only apply to outgoing data traffic. Enable: Check the box by clicking it to enable the subsequent settings after they are saved. The following options are available for selection: Drop: If this option is selected, it means that no data packets can pass.
  • Page 156: Forwarding

    18.4 Forwarding This setting forwards requests from specific IP addresses and ports to defined IP addresses and ports. Enable: Check the box by clicking it to enable the subsequent settings after they are saved. Source IP: You can enter the IP from which data packets are received here. If an entry is made here, only packets from this one address are forwarded.
  • Page 157: Nat

    18.5 NAT This setting enables two networks in the same address range to be connected. If, for example, a network with the address 192.168.0.0/24 is to be connected to a network with the same address, this is only possible if one of the two networks is assigned another address. NAT technology is an easy way of achieving this since only the real network address (LAN address) and the substitute address (NAT network address) are required.
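The translation described above, as an added Python example that is not the mbNET firmware's code: both sites keep the page's 192.168.0.0/24, the substitute NAT network addresses 10.10.1.0/24 and 10.10.2.0/24 are constructed values, and the code maps between real and substitute addresses by keeping the host part, after checking that the substitute ranges do not collide with anything real.

```python
"""1:1 NAT between two LANs that use the same address range (manual section 18.5).

Added example, not the mbNET firmware. Each site's router knows its real LAN
address and a substitute "NAT network address"; it rewrites source addresses
on the way out and destination addresses on the way in, keeping the host part.
The NAT networks 10.10.1.0/24 and 10.10.2.0/24 are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Tuple


@dataclass(frozen=True)
class Site:
    name: str
    real_net: IPv4Network   # address range actually configured on the PLCs
    nat_net: IPv4Network    # substitute range under which this LAN is reachable

    def __post_init__(self) -> None:
        if self.real_net.prefixlen != self.nat_net.prefixlen:
            raise ValueError("real and NAT network must have the same prefix length")

    def to_nat(self, addr: IPv4Address) -> IPv4Address:
        """Real LAN address -> substitute address (source NAT on the way out)."""
        return _remap(addr, self.real_net, self.nat_net)

    def to_real(self, addr: IPv4Address) -> IPv4Address:
        """Substitute address -> real LAN address (destination NAT on the way in)."""
        return _remap(addr, self.nat_net, self.real_net)


def _remap(addr: IPv4Address, src_net: IPv4Network, dst_net: IPv4Network) -> IPv4Address:
    if addr not in src_net:
        raise ValueError(f"{addr} is not in {src_net}")
    host_part = int(addr) - int(src_net.network_address)
    return IPv4Address(int(dst_net.network_address) + host_part)


def nat_required(a: Site, b: Site) -> bool:
    """True when the two real ranges overlap, so plain routing cannot work.

    Also rejects substitute ranges that would create a new overlap: a NAT
    network colliding with a real LAN or with the other NAT network would
    reproduce the very ambiguity NAT is meant to remove.
    """
    if not a.real_net.overlaps(b.real_net):
        return False
    for net in (a.nat_net, b.nat_net):
        if net.overlaps(a.real_net) or net.overlaps(b.real_net):
            raise ValueError(f"NAT network {net} collides with a real LAN range")
    if a.nat_net.overlaps(b.nat_net):
        raise ValueError("the two NAT networks overlap each other")
    return True


def forward(src_real: str, dst_nat: str, from_site: Site, to_site: Site) -> Tuple[str, str]:
    """A host in `from_site` sends to a host in `to_site`, addressing it by its
    substitute address. Returns (src, dst) as the receiving LAN sees the packet:
    the sender now carries its substitute address, the destination its real one."""
    src_out = from_site.to_nat(IPv4Address(src_real))   # from_site router: SNAT
    dst_in = to_site.to_real(IPv4Address(dst_nat))      # to_site router: DNAT
    return str(src_out), str(dst_in)


# Constructed sample sites: both LANs really use 192.168.0.0/24.
SITE_A = Site("A", IPv4Network("192.168.0.0/24"), IPv4Network("10.10.1.0/24"))
SITE_B = Site("B", IPv4Network("192.168.0.0/24"), IPv4Network("10.10.2.0/24"))
SITE_C = Site("C", IPv4Network("192.168.5.0/24"), IPv4Network("10.10.3.0/24"))

if __name__ == "__main__":
    print(nat_required(SITE_A, SITE_B))                            # True
    print(forward("192.168.0.20", "10.10.2.5", SITE_A, SITE_B))    # PC in A -> PLC in B
    print(forward("192.168.0.5", "10.10.1.20", SITE_B, SITE_A))    # the PLC's reply
```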
  • Page 158: Vpn

    19.1 VPN-IPSec 19.1.1 Configuring a VPN-IPSec connection with two routers The settings for a VPN connection via the IPSec protocol are described below. From the start page, click VPN in the navigation bar on the left and IPSec in the navigation bar at the top.
  • Page 159: Connection Settings

    19.1.1.1 Connection settings Active: Check this box to activate the VPN connection. Connection name: Enter a name for the connection in the input field. Connection type: Select the connection type Router <> Router Connection or Client <> Router Connection via the drop-down field. Please note that to communicate with another router, this router must be configured for accessing the Internet and for requests from clients.
  • Page 160: Authentication

    19.1.1.3 Authentication Local network: Enter the address range of the local network in CIDR notation here, e.g. 192.168.0.0/24. Peer network (only with a router-router connection): Enter the address range of the local network in CIDR notation here, e.g. 192.168.10.0/24. NAT-Traversal: This setting is necessary if the VPN connection is established via the Internet and natted between the LAN...
  • Page 161 Authentication: Select the Authentication process via the drop-down field. Authentication by peer certificate: The certificates can be signed by different CAs. A personal certificate+key (.p12 file) must be imported into each router. Each router must also have a copy of the respective peer certificate, naturally WITHOUT the key (.crt file). Certificate: Select the router’s personal certificate via the drop-down field.
  • Page 162: Protocol Settings

    19.1.1.4 Protocol settings Protocol options: You select the encryption algorithms, hash algorithms, etc. used during the various phases on this tab. PFS: This setting is only supported for the router-router connection. PFS must be disabled if you want to set up a client-router connection.
  • Page 163: L2Tp Server Configuration

    19.1.1.5 L2TP Server Configuration The L2TP server can be used for VPN-IPSec communication between the industrial router and a Windows client. The only setting required here is a freely selectable local IP address. The addresses for the clients should be from the same network (the start and end of the range are set under the IP address field).
  • Page 164: Vpn - Pptp

    19.2 VPN - PPTP 19.2.1 Server settings Server Configuration – Enable: Check this box by clicking it if the industrial router is to be enabled as a VPN server. Autoconfig: The local address of the mbNET will be used if you select “yes” here. Encryption Configuration: Select the encryption method here via the...
  • Page 165 Enable: Check this box by clicking it if the industrial router is to be enabled as a VPN client. Name: Enter a name for the client here. Host Name or IP address: Enter the name or IP address under which the client accesses the server here, e.g. 123456789@mbNET.mymbnet.biz or 80.187.33.55. This entry is optional.
  • Page 166: Vpn - Openvpn

    19.3 VPN – OpenVPN 19.3.1 Basics about OpenVPN OpenVPN basically works with two tunnel IP addresses, i.e. each connection has two IP addresses via which the data traffic is processed. Depending on the authentication method, OpenVPN either works in point-to-point mode (with static key or no authentication) or in server/client mode (with X.509 certificates).
  • Page 167: Connection Scenarios

    19.3.2 Connection scenarios 19.3.2.1 Client – router The connection wizard helps you to configure your connections quickly and easily. To access the wizard, click the “Wizards” link in the top right of the web interface. If you have disabled the auto launch function for the wizard, click the Start button for the wizard for VPN connections.
  • Page 168 Connection Settings – Active: Check this box to activate the OpenVPN connection. Connection name: Enter a name for the connection in the input field. Connection type: Select the connection type Client <> Router Connection via the drop-down field. Only one “client to network”...
  • Page 169 19.3.2.1.1 No authentication or static key Local IP address: Enter the IP address of the local VPN tunnel end point here, e.g. 10.1.0.5. Peer IP address: Enter the IP address of the peer VPN tunnel end point here, e.g. 10.1.0.6. Network – Client NAT behind the ...: All packets coming into the LAN receive the sender IP address...
  • Page 170: Configuring An Openvpn Windows Client

    19.3.2.1.2 Authentication with certificates Client IP address pool: With authentication with certificates, multiple clients can dial into the server simultaneously and are automatically assigned an IP address from the “Client IP address pool”. Enter the address range in CIDR notation, e.g. 10.1.0.0/24 (corresponds to the subnet mask 255.255.255.0).
  • Page 171: Authenticating A Windows Client With Static Key

    VPN connection with your mbNET without encryption, you just need to delete the ???? after “remote”. Next enter the public IP address of the mbNET (the address accessible via the Internet) or use MB Connect Line’s DynDNS service. You must then enter the name specified under Network DynDNS.
  • Page 172 If you have decided on the method with the static key, you must make a private (secret) entry in addition to entering the IP address (see arrow). Note that you must always use two backslashes in the path name. Authenticating a Windows client with certificates Change the indicated options as appropriate to your circumstances.
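The Windows client file described in these two pages, as an added Python example that is neither the manual's nor OpenVPN's code: it writes the `remote` line with the router's public address or DynDNS name, a `secret` entry for the static-key method or certificate entries for the certificate method, doubles every backslash in Windows paths as the manual requires, and lints the result. The directives are standard OpenVPN ones; `remote-cert-tls server` (the current form of the "SSL Server" check from 13.2.2.5), the host name mbnet.example.net, port 1194 and the file names are my assumptions.

```python
"""Generate and lint an OpenVPN client configuration (.ovpn) for a Windows PC.

Added example, not from the mbNET manual or from OpenVPN. The manual requires
a `remote` line with the router's public address or DynDNS name, a `secret`
entry for the static-key method, certificate files for the certificate method,
and two backslashes for every one in a Windows path. Directive names are
standard OpenVPN; host name, port and file names are constructed sample values.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Union

DEFAULT_PORT = 1194  # assumption: the router listens on OpenVPN's default port

# A backslash that is neither preceded nor followed by another backslash, i.e.
# one OpenVPN would read as an escape character instead of a path separator.
_LONE_BACKSLASH = re.compile(r"(?<!\\)\\(?!\\)")


def win_path(path: str) -> str:
    """Write a Windows path the way an .ovpn file expects it: every backslash
    doubled. Idempotent, so an already escaped path is not escaped again."""
    return path.replace("\\\\", "\\").replace("\\", "\\\\")


@dataclass(frozen=True)
class StaticKeyAuth:
    key_file: str    # shared secret from VPN - OpenVPN - Key management
    local_ip: str    # the client's tunnel end point, e.g. 10.1.0.6
    peer_ip: str     # the router's tunnel end point, e.g. 10.1.0.5


@dataclass(frozen=True)
class CertificateAuth:
    ca_file: str                    # root CA that signed both peers' certificates
    cert_file: str                  # the client's own certificate
    key_file: str                   # its private key
    user_password: bool = False     # manual 19.3.7 type 2: add username/password
    crl_file: Optional[str] = None  # CRL exported from XCA as .pem, if used


def build_client_config(remote: str, auth: Union[StaticKeyAuth, CertificateAuth],
                        port: int = DEFAULT_PORT, proto: str = "udp") -> List[str]:
    """Return the .ovpn lines for a client of the given authentication method."""
    lines = ["dev tun", f"proto {proto}", f"remote {remote} {port}",
             "nobind", "persist-key", "persist-tun"]
    if isinstance(auth, StaticKeyAuth):
        # Point-to-point mode: both tunnel addresses are fixed, no TLS handshake.
        lines += [f"ifconfig {auth.local_ip} {auth.peer_ip}",
                  f"secret {win_path(auth.key_file)}"]
    elif isinstance(auth, CertificateAuth):
        lines += ["client",
                  f"ca {win_path(auth.ca_file)}",
                  f"cert {win_path(auth.cert_file)}",
                  f"key {win_path(auth.key_file)}",
                  # Only accept a peer whose certificate was issued for the server
                  # role; this is the current form of the Netscape "SSL Server" check.
                  "remote-cert-tls server"]
        if auth.crl_file:
            lines.append(f"crl-verify {win_path(auth.crl_file)}")
        if auth.user_password:
            lines.append("auth-user-pass")
    else:
        raise TypeError(f"unsupported authentication type {type(auth).__name__}")
    return lines


def lint(lines: List[str]) -> List[str]:
    """Problems worth catching before the file is handed to a service technician."""
    problems = []
    for ln in lines:
        if _LONE_BACKSLASH.search(ln):
            problems.append(f"single backslash in path (write it twice): {ln}")
    if not any(ln.startswith("remote ") for ln in lines):
        problems.append("no remote line: the client does not know the router address")
    has_secret = any(ln.startswith("secret ") for ln in lines)
    has_certs = any(ln.startswith("ca ") for ln in lines)
    if not has_secret and not has_certs:
        # Manual 19.3.3: with "None" the tunnel data is NOT encrypted.
        problems.append("no secret and no certificates: tunnel would be unauthenticated and unencrypted")
    return problems


if __name__ == "__main__":
    auth = StaticKeyAuth(r"C:\openvpn\config\mbnet.key", "10.1.0.6", "10.1.0.5")
    cfg = build_client_config("mbnet.example.net", auth)
    print("\n".join(cfg))
    print(lint(cfg))  # []
```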
  • Page 173: Router-Router

    19.3.2.3.1 Starting the OpenVPN connection After completing the configuration, you can right-click the .ovpn file or start the connection via the graphical interface in the toolbar as shown below. 19.3.2.4 Router-Router connection Using the wizard: Click the “Wizards” link in the top right of the web interface. Then click the Start button for the wizard for VPN connections, followed by “Next”.
  • Page 174 Connection Settings – Active: Check this box to activate the OpenVPN connection. Connection name: Enter a name for the connection in the input field. Connection type: Select the connection type via the drop-down field. A “network to network” connection can be created here. Depending on the authentication method, the client receives an IP address from a defined range or each subscriber specifies its requested address.
  • Page 175: Server - No Authentication Or Static Key

    19.3.2.1 Server – no authentication or static key Local IP address: Enter the IP address of the local VPN tunnel end point here, e.g. 10.1.0.1. Peer IP address: Enter the IP address of the peer VPN tunnel end point here, e.g.
  • Page 176: Multi-Client: Multiple Clients Can Dial In

    Server – authentication with certificates With authentication with certificates, multiple clients can dial into the server simultaneously and are automatically assigned an IP address from the “Client IP address pool”. There are two different operating modes in server mode with certificates. Single client: Only one client can dial in Label Description...
  • Page 177 Client IP address pool: With authentication with certificates, multiple different clients can dial into the server simultaneously and are automatically assigned an IP address from the “Client IP address pool”. Enter the address range in CIDR notation, e.g. 10.1.0.0/24. Local network: Enter the address range of the local network in CIDR notation here.
  • Page 178 Local IP address: Enter the IP address of the local VPN tunnel end point here, e.g. 10.1.0.2. Peer IP address: Enter the IP address of the peer VPN tunnel end point here, e.g. 10.1.0.1. Network Settings – Local network: Enter your network address in CIDR notation here (192.168.0.0/24).
  • Page 179 Client authentication: With certificates Network Settings – Do NAT for all outgoing traffic: This option was introduced for compatibility with mdex. It replaces the sender IP address with the current Internet IP address. No network setting is needed on the client because it is sent to the client by the server.
  • Page 180: Authentication

    19.3.3 Authentication OpenVPN offers three fundamentally different authentication methods. None: no certificate or key is needed. Used primarily for testing the connection. The tunnel data is also NOT encrypted. Static key: a key as required by each peer is generated for the connection. Similar to a password. ...
  • Page 181: Key Management

    19.3.6 Key management You can import a key or generate it yourself. All imported keys can be downloaded as a copy under “Download”. Name for this static key: Enter the name of the key to be generated here. Static Keys: A key previously generated on another system can be im-...
  • Page 182: Authentication With Certificates

    19.3.7 Authentication with certificates: There are three different types of authentication with certificates: 1. Each subscriber needs the same root CA and a personal certificate signed by the root CA. 2. Like 1, but with additional username/password verification. 3. Like 2, but without a personal certificate. In other words, the stations only need a root CA and username/password.
  • Page 183: Authentication With Ca Certificate And Own Certificate And User/Password

    19.3.7.2 Authentication with CA certificate and own certificate and user/password: This setting varies depending on the mode. Server – CA Certificate: This is the root certificate (root CA). All other certificates must come from this certificate. Own Certificate: You use this certificate to authenticate yourself to your VPN peer.
  • Page 184 Client – CA Certificate: This is the root certificate (root CA). All other certificates must come from this certificate. Own Certificate: You use this certificate to authenticate yourself to your VPN peer. Additional user and password: Additional user data may be required from a client dialing in.
  • Page 185: Inactivity Settings

    19.3.8 Inactivity settings: If the OpenVPN connection is to be started via a digital input or the dial-out button, the connection is automatically dropped after a defined time without any data traffic.
  • Page 186: Protocol Options

    19.3.9 Protocol options: If the OpenVPN connection is to be started via a digital input or the dial-out button, the connection is automatically dropped after a defined time without any data traffic. OpenVPN offers a range of additional settings. An overview is given on the next page.
  • Page 187 Encryption Method: This setting must be the same on the peers. Protocol: UDP or TCP can be selected. The default setting is UDP. If the http proxy is selected, TCP is automatically valid. Local/peer port: OpenVPN communication is conducted via the set ports. These ports generally have the same settings.
  • Page 188: I/O Manager

    I/O Manager: The I/O Manager integrated in the router performs the following functions: displays PLC variables; reads variables from the PLC and saves them to the USB stick at a set interval (logging); places the logged archives (GZIP) on an external FTP server at a fixed interval. Variables of the type flags, timers, counters, inputs, outputs, data blocks and peripherals can currently be read from an S7 controller via RFC1006.
  • Page 189: Configuring The Connection

    20.1 Configuring the connection: If using the MPI/PROFIBUS interface of the router, the RFC1006 protocol must first be activated for this interface.
  • Page 190: Creating The Plc Connection

    20.1.1 Creating the PLC connection: The “Name” field must not contain any control characters or spaces. Click the “+” button after entering the data. If using the MPI/PROFIBUS interface, the IP of the router’s LAN interface must be entered in the PLC IP address field.
  • Page 191: Tags

    20.1.2 Tags – 20.1.2.1 Creating the tags: Tags can be added if there is at least one PLC connection created. The following address syntax must be used for this driver: DBx.DBXy.z = data block x, data bit y.z, BOOL; DBx.DBBy = data block x, data byte y, BYTE; DBx.DBWy = data block x, data word y, WORD...
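As an added example (not from the manual and not MB Connect Line's code), a Python parser for the three tag address forms listed above, the connection-name rule from 20.1.1, and a decoder that pulls a tag's value out of a raw data-block image (S7 data is stored big-endian). The function names and the sample data-block bytes are constructed for this example; only the three documented address forms are handled, since the manual's list is truncated here.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Address forms documented for this driver: DBx.DBXy.z (BOOL), DBx.DBBy (BYTE),
# DBx.DBWy (WORD). Only these three are handled (assumption: the list is truncated).
_TAG_RE = re.compile(r"^DB(\d+)\.DB([XBW])(\d+)(?:\.(\d+))?$")
_TYPES = {"X": ("BOOL", 1), "B": ("BYTE", 1), "W": ("WORD", 2)}  # area -> (type, bytes)


@dataclass(frozen=True)
class TagAddress:
    db: int             # data block number x
    byte: int           # byte offset y inside the data block
    bit: Optional[int]  # bit z (0..7) for BOOL tags, else None
    data_type: str      # BOOL / BYTE / WORD
    size: int           # bytes the tag covers in the data block


def parse_tag_address(addr: str) -> TagAddress:
    """Parse a tag address in the driver's syntax; raise ValueError on bad input."""
    m = _TAG_RE.match(addr.strip())
    if not m:
        raise ValueError(f"unsupported tag address: {addr!r}")
    db, area, byte, bit = m.groups()
    data_type, size = _TYPES[area]
    if area == "X":
        if bit is None or not 0 <= int(bit) <= 7:
            raise ValueError(f"DBX address needs a bit index 0..7: {addr!r}")
    elif bit is not None:
        raise ValueError(f"byte/word address takes no bit index: {addr!r}")
    return TagAddress(int(db), int(byte), int(bit) if bit is not None else None,
                      data_type, size)


def read_value(tag: TagAddress, db_image: bytes):
    """Decode the tag's value from a raw data-block image (S7 data is big-endian)."""
    end = tag.byte + tag.size
    if end > len(db_image):  # refuse to read past the block instead of truncating
        raise IndexError(f"tag {tag} lies outside the {len(db_image)}-byte image")
    if tag.data_type == "BOOL":
        return bool((db_image[tag.byte] >> tag.bit) & 1)
    if tag.data_type == "BYTE":
        return db_image[tag.byte]
    return int.from_bytes(db_image[tag.byte:end], "big")


def valid_connection_name(name: str) -> bool:
    """20.1.1: the connection name must contain no control characters or spaces."""
    return bool(name) and all(c.isprintable() and not c.isspace() for c in name)


# Constructed sample: a 6-byte image of DB10; word at byte 2 = 0x1234, byte 4 = 0x08.
SAMPLE_DB10 = bytes([0x00, 0x00, 0x12, 0x34, 0x08, 0xFF])
```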
  • Page 192: Configuring The Logging Function

    20.2 Configuring the logging function: The logging function can be configured on the second tab under Server Configuration. The logging function applies to all PLC connections. A storage medium must be inserted into the USB socket for the logging function. This can be e.g. a USB stick. Interval [s]: The tags are written to the storage medium at the specified interval.
  • Page 193: Tag Status

    20.3 Tag status: Shows the status of the monitored tags. Number: Number of the tag. Description: Description of the tag. Address: Address of the tag. Value: Value of the tag, in the data format that was set for the tag. Timestamp: Shows the exact time when the tag was read.
  • Page 194: Alarm Management

    Alarm management – 21.1 General: The alarm management function can be used to query the states at the four digital inputs and, depending on the result, send an appropriate text to an email address you have specified, and to switch two digital outputs independently of each other in the event of a fault, when there is an active Internet connection, or manually.
  • Page 195: Multiplex Inputs

    Input 1..4 tabs: Each input can be separately configured. Select the input to be configured by clicking the corresponding tab. Enable: The input is enabled by checking the box. This is how you determine whether the input in question is to be enabled (“activated”).
  • Page 196 Action table: The action number is defined in the Number drop-down field. There are different actions available depending on the device model. The “E-Mail” function is available with all devices; the “SMS” option is available with devices with a mobile broadband modem.
  • Page 197: Digital Outputs

    21.3 Digital outputs: Click Alarmmanagement in the navigation bar, followed by Output. The following screen for configuring the two available digital outputs is then displayed. The outputs can be separately configured using the two tabs. The input and drop-down fields are described on the following pages.
  • Page 198: Status Messages

    Status messages – 22.1 General: The industrial router must be analyzed using certain status information when errors occur. For example, a flashing ERROR LED indicates that a system error has occurred on the router. The cause of the error can be determined e.g. –...
  • Page 199: Status - Network

    22.3 Status - Network: Physical Connections: Shows the physical connections via which the router is connected to other computers. Routing Table: Shows all routes used. Router Listening Ports: Shows all monitored ports. Router Connections: Shows all IP addresses with ports, e.g. ...
  • Page 200: Firewall

    22.3.1 Firewall: With firmware versions greater than 4 there is an additional “Firewall” tab under Status -> Network. 22.3.1.1 IN / OUT / FORWARD
  • Page 201: Nat

    22.3.1.2 NAT
  • Page 202: Status - Modem

    22.4 Status – Modem: Note: Not available on mbNET variants with WLAN.
  • Page 203 ...mands: This input field can be used to issue a command directly to the internal modem. This function should only be used as directed by MB Connect Line support personnel. Systemloggings: Shows the type of connection and the assigned IP and DNS addresses.
  • Page 204: Status - Internet

    22.5 Status – Internet: Shows outgoing connections to the Internet. These can be both outgoing connections via the Internet modem and connections via WAN. The IP addresses of the local and remote stations are displayed. An active connection is indicated by a green dot. You can also manually connect or disconnect the Internet connection here.
  • Page 205: Status - Dhcp

    22.6 Status – DHCP: Shows outgoing connections to the Internet. These can be both outgoing connections via the Internet modem and connections via WAN. The IP addresses of the local and remote stations are displayed. An active connection is indicated by a green dot. You can also manually connect or disconnect the Internet connection here. However, it is not recommended to ...
  • Page 206: Status - Dns Server

    22.7 Status – DNS Server: Name: Shows the name of the DNS server if not assigned by the Internet service provider. IP address: Shows the IP address of the DNS server if not assigned by the Internet service provider. Systemloggings: Shows the individual operations executed by the DNS server.
  • Page 207: Status - Ntp

    22.9 Status – NTP: Date Time (UTC): Shows the current system time in Coordinated Universal Time (UTC). Local Date Time: Shows the time using the time zone setting. Systemloggings: Shows all notifications and error messages related to the service.
  • Page 208: Status - Vpn-Ipsec

    22.10 Status – VPN-IPSEC: Note: Not available on mbNET variants with WLAN. Connections inbound / outbound: Shows both the incoming and outgoing VPN connections of the router. An active connection is indicated by a green dot. The connection duration and active user are displayed. After the connection is disconnected, the active connection time is displayed.
  • Page 209: Status - Vpn-Pptp

    22.11 Status – VPN-PPTP: Note: Not available on mbNET variants with WLAN. Server: The incoming VPN connections of the router are listed here. An active connection is indicated by a green dot. The connection duration, active user, local and remote IP address are displayed. After the connection is disconnected, you can read off the active connection time.
  • Page 210: Status - Vpn Openvpn

    22.12 Status – VPN OpenVPN: Connections inbound/outbound: Shows both the incoming and outgoing VPN connections of the router. An active connection is indicated by a green dot. The name, local address and peer address are displayed here. You can also manually connect or disconnect the connection here. However, it is not recommended to use ...
  • Page 211: Status - Diagnostics

    22.13 Status – Diagnostics: Ping: After an Internet address or IP address is entered, the ping command can determine whether the address in question can be reached. This is e.g. an easy way of determining whether there is an active Internet connection. TraceRoute: This command provides more information about the network connection between the router and a remote or other computer.
  • Page 212: Status - Usb

    22.14 Status – USB: All connected devices (excluding system hubs): The manufacturer, model, type and version are displayed for connected USB storage media. Mounted USB / SCSI devices: Shows how the USB storage medium is integrated in the router’s file system and the file system created on the USB storage medium.
  • Page 213: Status - System

    22.16 Status – System: RAM Usage: Shows the amount of RAM currently being used by the router. Memory Usage: Shows the amount of configuration memory and temporary memory currently being used. Tracked Connections: Shows the usage of the packet filter. The system information can be used to establish the cause of errors on the router.
  • Page 214: Extras

    Extras – 23.1: You can activate LUA to write and execute LUA scripts.
  • Page 215: Toolbox

    23.2 Toolbox: Toolbox active: If this checkbox is active, the toolbox is executed after every router restart. Status Symbol: The status symbol shows whether the toolbox is running or not. Using the start/stop button you can control the toolbox manually. Toolbox load from...
  • Page 216: Factory Settings On Delivery

    Factory settings on delivery – 24.1 Username and password: The router is shipped with the following username and password: Username: admin. Password: no password required. 24.2 IP address of the router: The router is set to the following IP address in the factory: IP address: 192.168.0.100. Loading the factory settings: Follow the steps outlined below to reset the industrial router to the factory settings:...
  • Page 217: Initializing The Modem

    Initializing the modem – General information on the AT commands: The commands can be entered in the input interface (modem settings) in the two “Modem Initialization” fields. The prefix always consists of the letters “AT”. This does not have to be entered in the field. The command consists of individual characters that are written as described below.
  • Page 218 Initializing the modem (continued): Loudspeaker volume: ATL0,1 low volume; ATL2 medium volume; ATL3 high volume. Loudspeaker mode: ATM0 loudspeaker always on; ATM1 loudspeaker on until a data carrier signal is detected; ATM2 loudspeaker on when the modem is ready to dial; ATM3 loudspeaker off while the number is being dialed and then, after dialing, until a data carrier signal is detected. Selects the modulation type...
  • Page 219: Isdn Terminal Adapter (Ta) Commands

    Initializing the modem (continued) – Message output, dial tone detection: This command controls how the modem reacts to the dial tone and busy signal and how it displays the CONNECT messages. ATX0: No busy and dial tone detection, i.e. NO CARRIER is displayed in response to a failed dialing attempt. The messages OK, CONNECT, RING, NO CARRIER, ERROR and NO ANSWER are displayed. ATX1: Like ATX0, but CONNECTxxx messages with speed specification. ATX2: Busy tone detection disabled, dial tone detection enabled...
  • Page 220: Basic Instructions

    Basic instructions – 27.1 Restart router. 27.1.1 Via web interface: Click “Restart” at the top right of the page. Then click the “Yes, really reboot now” button. The restart process takes about 2 minutes. 27.1.2 Via reset button: Press the “Reset” button on the mbNET device. This initiates the booting process.
  • Page 221: Restore Factory Settings

    27.2 Restore factory settings: Follow the steps outlined below to reset the industrial router to the factory settings. IMPORTANT: You should first back up your configuration. Once you have carried out these steps, your previous settings will no longer be available. 1.
  • Page 222: Appendix

    Appendix – 28.1 Country codes for analog devices (Nr., Country, Modem operation setting): 1 Afghanistan, 2 Albania (AL), 3 Algeria (DZ), 4 American Samoa (AS), 5 Andorra (AD), 6 Angola (AO), 7 Anguilla (AI), 8 Antarctica (AQ), 9 Antigua and Barbuda (AG), 10 Argentina (AR), 11 Armenia (AM), 12 Aruba (AW), 13 Australia (AU), 14 Austria (AT), 15 Azerbaijan (AZ), 16 Bahamas (BS)
  • Page 223 Country / Modem operation setting (continued): 46 Cocos (Keeling) Islands (CC), 47 Colombia (CO), 48 Comoros (KM), 49 Congo (CG), 50 Cook Islands (CK), 51 Costa Rica (CR), 52 Cote D’Ivoire (CI), 53 Croatia (HR), 54 Cuba (CU), 55 Cyprus (CY), 56 Czech Republic (CZ), 57 Denmark (DK), 58 Djibouti (DJ), 59 Dominica (DM), 60 Dominican Republic (DO), 61 East Timor (TP), 62 Ecuador (EC), 63 Egypt (EG)
  • Page 224 Country / Modem operation setting (continued): 95 Honduras (HN), 96 Hong Kong (HK), 97 Hungary (HU), 98 Iceland (IS), 99 India (IN), 100 Indonesia (ID), 101 Iran (Islamic Republic of) (IR), 102 Iraq (IQ), 103 Ireland (IE), 104 Israel (IL), 105 Italy (IT), 106 Jamaica (JM), 107 Japan (JP), 108 Jordan (JO), 109 Kazakhstan (KZ), 110 Kenya (KE), 111 Kiribati (KI), 112 Korea-Democratic People’s Republic (KP), 113 Korea-Republic of (KR), 114 Kuwait (KW)
  • Page 225 Country / Modem operation setting (continued): 144 Morocco (MA), 145 Mozambique (MZ), 146 Myanmar (MM), 147 Namibia (NA), 148 Nauru (NR), 149 Nepal (NP), 150 Netherlands (NL), 151 Netherlands Antilles (AN), 152 New Caledonia (NC), 153 New Zealand (NZ), 154 Nicaragua (NI), 155 Niger (NE), 156 Nigeria (NG), 157 Niue (NU), 158 Norfolk Island (NF), 159 Northern Mariana Islands (MP), 160 Norway (NO), 161 Oman (OM), 162 Pakistan (PK)
  • Page 226 Country / Modem operation setting (continued): 193 Solomon Islands (SB), 194 Somalia (SO), 195 South Africa (ZA), 196 South Georgia, South Sandwich Islands (GS), 197 Spain (ES), 198 Sri Lanka (LK), 199 Sudan (SD), 200 Suriname (SR), 201 Svalbard and Jan Mayen Islands (SJ), 202 Swaziland (SZ), 203 Sweden (SE), 204 Switzerland (CH), 205 Syrian Arab Republic (SY), 206 Taiwan-Province of China (TW), 207 Tajikistan (TJ), 208 Tanzania-United Republic of (TZ)