Contents
General 5
Target audience for this manual 5
Safety instructions 5
Note symbols and signal words 6
Intended use 7
Improper use 7
Installation 8
1.6.1 Access restriction 8
1.6.2 Electrical installation 8
1.6.3 Protection against electrostatic discharges ...
Page 4
SNAT 26
NAPT 27
6.10 Port forwarding 28
Application case Bridge 30
Activate Bridge mode 30
Adjustment of the IP addresses in the bridge operating mode 30
Packet filter “WAN to LAN” 31
ICMP Traffic “WAN to LAN” 33
Packet filter “LAN to WAN” ...
1 General
This operating manual applies only to devices, assemblies, software, and services of U. I. Lapp GmbH.
1.1 Target audience for this manual
This description is only intended for trained personnel qualified in control and automation engineering who are familiar with the applicable national standards.
1.3 Note symbols and signal words
If the hazard warning is ignored, there is an imminent danger to life and health of people from electrical voltage.
If the hazard warning is ignored, there is a probable danger to life and health of people from electrical voltage.
If the hazard warning is ignored, people can be injured or harmed.
Modifications to hardware or software configurations that extend beyond the documented options are not permitted and nullify the liability of U. I. Lapp GmbH. The device may not be used as the only means for preventing hazardous situations on machinery and systems.
1.6 Installation
1.6.1 Access restriction
The modules are open operating equipment and must only be installed in electrical equipment rooms, cabinets, or housings. Access to the electrical equipment rooms, cabinets, or housings must only be possible using a tool or key, and access should only be granted to trained or authorized personnel.
1.6.8 Disclaimer of liability
U. I. Lapp GmbH is not liable for damages caused by improper use or application of products, or by use not as intended. U. I. Lapp GmbH assumes no liability for any printing errors or other inaccuracies that may appear in the operating manual, unless there are serious errors of which U.
2 Security recommendations
ETHERLINE® ACCESS NF04T is a network infrastructure component, and thus an important element in the security considerations of a system or network. When using ETHERLINE® ACCESS NF04T, please therefore consider the following recommendations in order to prevent unauthorized access to plants and systems.
General:
•...
3 Overview
ETHERLINE® ACCESS NF04T, the Industrial NAT Gateway and Firewall, integrates machine networks into the higher-level production network using network segmentation, packet filtering and MAC address filtering. The NAT operating mode forwards data traffic between different IPv4 networks. It performs address translation via NAT and uses packet filters to limit access to the automation network located behind it.
3.2 Connection of the power supply
The ETHERLINE® ACCESS NF04T must be supplied with 24 V DC at the wide-range input 18-30 V DC via the provided connector. Connection FE is the functional ground; connect it correctly to the reference potential. The RJ45 “P1 WAN”...
4 Initial access to the web interface
The ETHERLINE® ACCESS NF04T is set at the factory on the LAN side to the IP address 192.168.0.100 and the subnet mask 255.255.255.0. Access to the web interface is only possible via the LAN connections P2 to P4. The IP address of your network adapter must first be set to match the IP subnet of the ACCESS NF04T: Start → ...
4.1 Initial registration
You will be prompted to set a password at the initial registration. The password must have at least 8 characters and may have a maximum of 128 characters. It may contain special characters and numbers. With the “Continue” button, the password is stored in the device and you will be ...
4.2 Main view
The “Overview” page of the ETHERLINE® ACCESS NF04T always opens after login. The “Overview” main view contains an overview of the most important settings and information of the ETHERLINE® ACCESS NF04T. The topmost line contains the menu with the functions for configuration. ...
4.2.2 Menu overview
4.2.3 Responsive design
The web interface is also suitable for use on tablets and smartphones (“Responsive design”). Please note that web access to the ETHERLINE® ACCESS NF04T is equipped with inactivity monitoring for security reasons. When the website is not used for several minutes, an automatic logout takes place. ...
5 Choosing the operating mode
Depending upon the application case for the ETHERLINE® ACCESS NF04T, the operating mode must first be defined. ETHERLINE® ACCESS NF04T supports two principal operating modes: NAT and Bridge.
5.1 The NAT operating mode
When an automation cell with preset IP addresses is to be incorporated into a production network with other IP addresses, the IP addresses of the machine would normally all have to be set again.
5.2 The Bridge operating mode
In the Bridge operating mode, ETHERLINE® ACCESS NF04T behaves like a layer 2 switch between the machine network (automation cell) and the production network. The IP addresses in the production network are in this case in the same IP address space (subnet) as the addresses in the machine network.
6 Application case NAT
To activate the NAT operating mode, select the “Operating Mode” menu point in the “Device” menu and set this to “NAT”.
6.1 Adjustment of the IP addresses in the NAT operating mode
Click on the “Network” menu and select the sub-menu “Interface”.
6.2 Activate DHCP client at the WAN interface
As an alternative to entering the IP address, a DHCP client can also be activated for the WAN interface. The use of the DHCP client presumes that a DHCP server is active in the WAN network. The IP settings acquired by the DHCP client are shown on the overview page by clicking on “INTERFACE”.
6.3 Setting up “Basic NAT” rules
In order that the entry of “Basic NAT” rules is possible, ETHERLINE® ACCESS NF04T must be in the operating mode “NAT”.
[Figure: company network 10.10.1.0/24 with the devices 10.10.1.10 and 10.10.1.20 on the WAN side; Basic NAT assignment table]
External IP   Internal IP
10.10.1.11    192.168.10.1
10.10.1.12    192.168.10.2
10.10.1.13    192.168.10.5
...
Status:
= Rule is active; a click on the lamp symbol changes the rule status to inactive
= Rule is inactive; a click on the lamp symbol changes the rule status to active
Possible actions: delete a rule, edit a rule, copy a rule
In the case of a “Basic NAT”...
6.4 Packet filter “WAN to LAN”
The packet filters enable the limitation of access between the production network (WAN) and the machine network (LAN). For example, it can be configured that only certain participants from the production network may exchange data with defined participants from the automation cell.
Source IP indicates the IP address of the active device in the production network (WAN). Destination IP indicates the addressed device in the machine network (LAN). The filter rules can be defined for one protocol type, “TCP” or “UDP”. Destination Ports indicates the ports to which the filter rules apply.
6.5 ICMP Traffic “WAN to LAN”
The Internet Control Message Protocol (ICMP) serves to exchange information and error messages over the Internet protocol IPv4. Typical ICMP uses include “ping” and “traceroute”. With the “ICMP Traffic” option, you can generally allow the forwarding of ICMP frames from the WAN to the LAN network (“Accept”) or, depending upon the packet filters, prohibit this (“Default Action”).
6.7 ICMP Traffic “LAN to WAN”
With the “ICMP Traffic” option, you can generally allow the forwarding of ICMP frames from the LAN to the WAN network (“Accept”) or, depending upon the packet filters, prohibit this (“Default Action”). If, for example, the packet filters’ “Default Action” is set to “Reject”...
6.9 NAPT
“NAPT for LAN to WAN traffic” replaces the sender addresses of queries from the LAN with the ETHERLINE® ACCESS NF04T WAN IP address.
[Figure: company network 10.10.1.0/24 (10.10.1.10, 10.10.1.20) on the external (WAN) side; the ETHERLINE® ACCESS NAT/FIREWALL with WAN IP 10.10.1.1; a LAN device 192.168.10.5 on the internal side whose queries appear on the WAN with Source IP 10.10.1.1:xxx]
6.10 Port forwarding
With the help of port forwarding (“Port forwarding for WAN to LAN traffic”), it can be configured that packets arriving at a certain TCP/UDP port of the ETHERLINE® ACCESS NF04T WAN address are forwarded to a participant in the LAN (e.g. 10.10.1.1:81 to 192.168.10.5:80).
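An added example (not part of the manual or of Lapp's own software) that models the WAN-to-LAN address translation described for Basic NAT (section 6.3) and port forwarding (section 6.10), using the manual's own address values; the packet fields and the rule that a packet matching neither table is not delivered are assumptions of this model:

```python
from dataclasses import dataclass

# Basic NAT table (section 6.3): external (WAN) IP -> internal (LAN) IP.
BASIC_NAT = {
    "10.10.1.11": "192.168.10.1",
    "10.10.1.12": "192.168.10.2",
    "10.10.1.13": "192.168.10.5",
}

# The gateway's own WAN IP and its port forwarding table (section 6.10):
# (protocol, WAN port) -> (LAN host, LAN port). Only this entry is in the manual.
DEVICE_WAN_IP = "10.10.1.1"
PORT_FORWARD = {
    ("tcp", 81): ("192.168.10.5", 80),
}


@dataclass(frozen=True)
class Packet:            # minimal IPv4 + TCP/UDP header model (assumption)
    proto: str           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def translate_wan_to_lan(pkt):
    """Return the packet as it appears on the LAN side, or None when neither
    table matches (assumption: such a packet is not delivered)."""
    # Basic NAT: destination rewritten 1:1, ports untouched, so every service
    # on the LAN host (e.g. S7 on TCP 102) stays reachable on its own port.
    if pkt.dst in BASIC_NAT:
        return Packet(pkt.proto, pkt.src, pkt.sport, BASIC_NAT[pkt.dst], pkt.dport)
    # Port forwarding: only traffic to the gateway's own WAN address on a
    # configured protocol/port is forwarded, and the port may change as well.
    key = (pkt.proto, pkt.dport)
    if pkt.dst == DEVICE_WAN_IP and key in PORT_FORWARD:
        lan_host, lan_port = PORT_FORWARD[key]
        return Packet(pkt.proto, pkt.src, pkt.sport, lan_host, lan_port)
    return None


if __name__ == "__main__":
    # constructed sample packets from the WAN host 10.10.1.10
    for p in (Packet("tcp", "10.10.1.10", 40000, "10.10.1.13", 102),
              Packet("tcp", "10.10.1.10", 40001, "10.10.1.1", 81),
              Packet("tcp", "10.10.1.10", 40002, "10.10.1.1", 102)):
        print(p, "->", translate_wan_to_lan(p))
```

The third sample packet, TCP port 102 to the gateway's WAN address with no forwarding rule for it, is not delivered; this is the limitation chapter 10 notes when several CPUs are to be reached via port forwarding on the fixed port 102.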
Status:
= Rule is active; a click on the lamp symbol changes the rule status to inactive
= Rule is inactive; a click on the lamp symbol changes the rule status to active
Possible actions: delete a rule, edit a rule, copy a rule
“Port forwarding”...
7 Application case Bridge
7.1 Activate Bridge mode
To activate the Bridge operating mode, select the “Operating Mode” menu point in the “Device” menu and set this to “Bridge”.
7.2 Adjustment of the IP addresses in the bridge operating mode
...
In Bridge mode, all ports are initially blocked for “WAN to LAN” data transfer for security reasons! To enable access, packet filter rules must be created or the default action for the packet filters must be set to “Accept”. See the following chapter. The “LAN to WAN”...
Example: A PC in the production network (WAN) has the IP address 10.10.1.11 (e.g. a visualization). This PC should be able to access the CPU with the IP address 10.10.1.30 within the LAN via port 102 using the TCP protocol.
[Figure: company network 10.10.1.0/24 with the devices 10.10.1.10 and 10.10.1.20 on the external (WAN) side of the ETHERLINE ACCESS]
Action defines whether this rule allows communication (“Accept”), rejects it with an error message (“Reject”), or rejects it without any message (“Drop”). The appropriate method should always be chosen together with the “Default Action”. If the Default Action is, for example, “Reject” or “Drop”, the filter rules should all be set to “Accept” (Whitelisting). If the Default Action is “Accept”, a block can be defined in the filter rules with “Reject”...
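An added example (not from the manual) that evaluates a “WAN to LAN” packet filter table against the example above (PC 10.10.1.11 to CPU 10.10.1.30, TCP port 102), once as a whitelist with Default Action “Reject” and once as a blacklist with Default Action “Accept”. That the first matching rule decides and that “*” stands for any address are assumptions of this model, not documented device behaviour:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src_ip: str             # Source IP: active device in the WAN ("*" = any; assumption)
    dst_ip: str             # Destination IP: addressed device in the LAN
    proto: str              # "tcp" or "udp"
    dst_ports: frozenset    # Destination Ports the rule applies to
    action: str             # "Accept", "Reject" (with error message) or "Drop"

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int

def evaluate(rules, default_action, pkt):
    """Action for pkt: the first matching rule wins (assumption); a packet
    that matches no rule gets the Default Action."""
    for r in rules:
        if (r.src_ip in ("*", pkt.src_ip) and r.dst_ip in ("*", pkt.dst_ip)
                and r.proto == pkt.proto and pkt.dst_port in r.dst_ports):
            return r.action
    return default_action

# Whitelisting as described above: Default Action "Reject" plus one Accept
# rule for the visualization PC 10.10.1.11 -> CPU 10.10.1.30, TCP port 102.
WHITELIST = [Rule("10.10.1.11", "10.10.1.30", "tcp", frozenset({102}), "Accept")]

# Blacklisting: Default Action "Accept" plus one Reject rule for that same flow.
BLACKLIST = [Rule("10.10.1.11", "10.10.1.30", "tcp", frozenset({102}), "Reject")]

def whitelist_check(pkt):
    return evaluate(WHITELIST, "Reject", pkt)

def blacklist_check(pkt):
    return evaluate(BLACKLIST, "Accept", pkt)

if __name__ == "__main__":
    # constructed packets: the permitted S7 flow, and a second WAN PC trying the same
    s7 = Packet("10.10.1.11", "10.10.1.30", "tcp", 102)
    other = Packet("10.10.1.12", "10.10.1.30", "tcp", 102)
    print("whitelist:", whitelist_check(s7), whitelist_check(other))
    print("blacklist:", blacklist_check(s7), blacklist_check(other))
```

With the whitelist only the one configured flow passes and everything else, including other ports on the same CPU, is rejected; with the blacklist every flow not explicitly listed passes, which is why the manual pairs “Reject”/“Drop” defaults with “Accept” rules.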
7.5 Packet filter “LAN to WAN”
In the basic state, data traffic is permitted for devices from the machine network (LAN) to the production network (WAN) without limitations (“Default Action”: “Accept”). In the “LAN to WAN” packet filter, the communication of devices in the LAN with devices in the production network (WAN) can be completely prohibited, or be blocked or allowed for particular devices.
8 MAC address filtering
With the function “MAC Filtering”, communication via the ETHERLINE® ACCESS NF04T can be limited to devices with certain MAC addresses (“Whitelisting”), or devices with certain MAC addresses can be denied access (“Blacklisting”). MAC Filtering can be used both in the NAT and in the Bridge operating mode. Filtering for each MAC address can be activated on the WAN side, on the LAN side, or on both sides.
9 Static routes
Static routes are used for communication with other automation cells. For this purpose, the destination network and the address of the router or ETHERLINE® ACCESS NF04T responsible for it (“Next Hop” or “Gateway”) must be configured.
[Figure: 10.10.0.0/24 production network with static routes ...]
10 Use with Simatic Step 7 / TIA portal
Problem: If Simatic CPUs in the LAN behind an ETHERLINE® ACCESS NF04T are to be addressed or configured from an engineering station in the WAN, the problem is that Step 7 or the TIA portal uses the IP address from the project to access the CPU.
10.1 Application with Step 7
Step 7 offers the possibility of accessing a CPU using an IP address other than the one set in the project. In order to be able to redirect the responses from the CPU back to the engineering station in the WAN via the ...
10.2 Use in the TIA portal
Here you use the function “Expanded loading in the device” in the menu under “Online” or, where necessary, “Connect expanded online”. Click on "Access Address" and enter the WAN IP address specified for the device (CPU) in the ETHERLINE® ACCESS NF04T Basic NAT table.
This solution can only be used in the Basic NAT operating mode. When using the ETHERLINE® ACCESS NF04T with NAPT and port forwarding, only one CPU can be reached, as the Simatic Manager/TIA portal always accesses the CPU via the non-adjustable port 102. ...
11 Other functions
11.1 DHCP server for LAN
A DHCP server can be activated for the LAN network of the ETHERLINE® ACCESS NF04T in order to enable dynamic IP address assignment in the LAN.
Primary/Secondary DNS: DNS server in the LAN for the resolution of the device name, after the ETHERLINE® ACCESS NF04T DHCP server has assigned the IP address to the device.
11.2 Host name (WAN)
The DNS host name of the ETHERLINE® ACCESS NF04T can be defined for the WAN interface. The entered device host name is transmitted to the DHCP / DNS server when the DHCP lease has been assigned and the DHCP server used supports “DHCP Option 12”.
11.3.2 Syslog remote
The Syslog messages can also be sent by the ETHERLINE® ACCESS NF04T over the network to a PC on which a Syslog recording program is running. The IP address of the host and the port can be specified here.
Access rights of the “it-user”:
• Access to the ETHERLINE® ACCESS NF04T exclusively via the WAN interface
• Change host name
• Update TLS certificate
• Setting of remote Syslog server
• Change DHCP client for WAN
• Restart device
•...
11.5 File certificate (HTTPS)
A customized company certificate can be installed for the website of the ETHERLINE® ACCESS NF04T. This ensures that calling up the ETHERLINE® ACCESS NF04T configuration website is, in addition to the HTTPS encryption, also trustworthy.
11.6 Allow web interface access over WAN network (Web Interface Access)
For security reasons, the web interface can only be reached via the LAN network by default.
11.7 Time settings (Time)
The time of day of the ETHERLINE® ACCESS NF04T can be set in the “Time” menu. The time of day is mainly required for the Syslog records. It can be set either manually or be derived automatically from an SNTP server (“Simple Network Time Protocol”).
11.8 Export/import of configuration
The configuration of the ETHERLINE® ACCESS NF04T can be exported into a readable configuration file and imported again. It is thus possible both to create a backup of an ETHERLINE® ACCESS NF04T configuration and to copy an existing configuration to a new ...
12 Firmware update
The firmware of the ETHERLINE® ACCESS NF04T can be updated very simply via the website. Link to the current firmware: www.lappkabel.com/activenetworkcomponents
The firmware file can be recognized by its “.HUF” extension and is also encoded to protect it from being changed.
13 Resetting to factory settings
The ETHERLINE® ACCESS NF04T can be reset to factory settings both via the website and, without web access to the device, with the “FCN” button. When resetting the ETHERLINE® ACCESS NF04T, the configuration is irretrievably deleted and the IP settings are set to the delivery status.
14 FAQ
Are broadcasts or multicasts allowed through the ETHERLINE® ACCESS NF04T?
ETHERLINE® ACCESS NF04T is a TCP/IP NAT or Bridge device. It works on layers 3 and 4. Broadcasts and multicasts are blocked at the ETHERLINE® ACCESS NF04T in both directions (LAN→WAN and WAN→LAN). The blocking of broadcasts thus also reduces the bus load in both networks and increases the real-time capability of the machine network.
15 Technical data
Order no.: 21700141
Name: ETHERLINE® ACCESS NF04T
Scope of delivery: ETHERLINE® ACCESS NF04T, Quick Start Guide
Dimensions (D x W x H): 32.5 x 58.5 x 76.5 mm
Weight: approx. 130 g
WAN interface: Number ..., Type 10 Base-T/100 Base-T, Connection ...