Manual V 7.2.0 - en | Aug 25th, 2022

Summary of Contents for MB Connect Line mbNET.rokey RKH 210

  • Page 1 Manual V 7.2.0 - en | Aug 25 , 2022...
  • Page 2 The latest information can be found on our website. We are always grateful for suggestions and proposed improvements. Copyright © MB connect line GmbH 1997 - 2022 Page 2 von 324 | V 7.2.0 - en | Aug 25 , 2022 |...
  • Page 3: Table Of Contents

    Table of contents: General (9); Release note (11); Brief description (13); Features (13); Information about cyber-security (15); Warning signs (16); Security information (16); Maintenance (19); Disposal of old devices (19); Legal notice (20); Technical Data (21); Scope of Supply (27); Display, controls and connectors (28); 13.1 Front view of the device (28); 13.2 View at the top of the device...
  • Page 4 20.3 Finish - Apply settings (46); Quick Start - Cloud Status Page (47); 21.1 Quick Start (47); 21.2 Diagnosis (49); 21.2.1 Output of device diagnostic information to a USB stick (50); 21.3 IoT (51); Classic router - configuring the mbNET via the web interface (52); 22.1 Description of the graphical user interface (configuration interface)...
  • Page 5 24.5.2 LAN DHCP static lease server settings (147); 24.6 Network > DNS-Server (148); 24.7 Network Hosts (152); 24.8 Network > DynDNS (154); 24.8.1 System DynDNS settings (MB Connect Line DynDNS service) (154); 24.8.2 Public DynDNS service (155); Serial (serial port COM) (158); 25.1 COM settings (159); 25.2 COM network settings...
  • Page 6 26.4 Security Settings > Forwarding (179); 26.4.1 Edit Forwarding Rule (182); 26.5 Security settings > NAT (184); 26.5.1 SimpleNAT (184); 26.5.1.1 Edit SimpleNAT Rule (185); 26.5.2 1:1 NAT (187); 26.5.2.1 Edit 1:1 NAT rule (188); VPN (190); 27.1 IPSec (190); 27.1.1 Configure IPSec connections (190); 27.1.2 IPSec settings (191); 27.2 PPTP...
  • Page 7 30.4 Key Management (279); 30.4.1 Create Backup-Key (280); 30.5 Firmware (281); 30.6 RoKEY (283); Status (information and analysis) (285); 31.1 Status > Interfaces (285); 31.2 Status > Network (288); 31.2.1 General (288); 31.2.2 Firewall (289); 31.2.3 Network participants (289); 31.3 Status > Modem (291); 31.3.1 GSM information (291); 31.3.2 Modem...
  • Page 8 Load factory settings (321); Device restart (Reset) (322); Annex (323); 37.1 Set computer address (IP address) in Windows 10 (323)
  • Page 9: General

    The document serves as a reference guide. Please read carefully and keep in a safe place. Validity: The document is valid for industrial routers mbNET.rokey RKH 210, RKH 216, RKH 235 and RKH 259 - from firmware version V 6.2.4 and from hardware version HW03* The SIMPLY.connect** function is only available for devices with the Simplify³-Logo*...
  • Page 10 Related documents Getting started with mbCONNECT24 This document describes the first steps and measures necessary to get a device (mbNET router) connected via the Remote Client (mbDIALUP) to the portal server mbCONNECT24. Current manuals and other information The latest manuals and more information about products related to secure remote maintenance can be found in the download portal at www.mbconnectline.com
  • Page 11: Release Note

    Release note (Version | Date | Comments): V 6.0.6 | Apr 11, 2019 | Start-Version. V 6.0.8 | Jun 19, 2019 | Add connection and termination examples for serial interfaces in RS 485 2- and 4-wire operation. See Chapter: "Pin assignment serial interfaces COM1/COM2 (front of device)" Note on "Last error message"...
  • Page 12 Version | Date | Comments: V 7.2.0 | Aug 25, 2022 | Devices with GSM modem: The following fields/information have been added under Status > Modem > GSM Information and in the Quickstart: Mobile number (Own number), MCC, MNC. All SMS received from this device (mbNET) are now listed under Status > Modem >...
  • Page 13: Brief Description

    Brief description The mbNET industrial router offers you optimum flexibility and security, making remote communication with your systems both easy and secure. Thanks to its compact design, the mbNET router will fit into any switch cabinet, and with its multiple interfaces and drivers, is the perfect solution for integrating different control systems.
  • Page 14 Requests must, where possible, be sent to the following address with the product's serial number: MB connect line GmbH Fernwartungssysteme · Winnettener Str. 6 · 91550 Dinkelsbühl GERMANY Tel. +49 (0) 98 51/58 25 29 0 · Fax +49 (0) 98 51/58 25 29 99 · info@mbconnectline.com...
  • Page 15: Information About Cyber-Security

    Information about cyber-security To prevent unauthorized access to facilities and systems, observe the following security recommendations: General • Periodically ensure that all relevant components meet these recommendations and any additional internal security policies. • Perform a security assessment of the entire system. Use a cell protection concept with suitable products....
  • Page 16: Warning Signs

    Warning signs The following information signs and signal words are used in this document: NOTICE Note - indicates a potentially dangerous situation that can lead to property damage if not avoided. TIP A tip indicates additional information and guidance, for example on cyber security, which facilitates secure use of the system....
  • Page 17 Technical limits The product is only intended for use within the technical limits specified in the data sheets. EN/F Safety instructions • Assembly, installation and commissioning of the router should be carried out only by qualified personnel. The respective national safety and accident prevention regulations must be observed. •...
  • Page 18 (F) Safety instructions: • The router is built according to the current state of the art and the recognized technical safety rules (see the declaration of conformity). • The router must be installed in a dry location. No liquid may enter the router, as this could cause electric shocks or short circuits....
  • Page 19: Maintenance

    The final holder is responsible for deleting personal data on the old devices to be disposed of. MB connect line offers the possibility of returning and disposing of old devices. Details can be found at www.mbconnectline.com/disposal.
  • Page 20: Legal Notice

    No claims may be derived from the information, figures and descriptions in this operating manual. MB connect line GmbH assumes no liability for damages due to: • Non-compliance with these instructions •...
  • Page 21: Technical Data

    Technical Data mbNET.rokey industrial router RKH 210, RKH 216, RKH 235, RKH 259 EU, RKH 259 AT&T - from Hardware version: HW 03 You can find the hardware version on the device rating plate. Housing dimensions and views Image 1: Devices and interfaces vary depending on the device type.
  • Page 22 Release note (Version | Date | Comment): V 6.2 | Febr 26, 2020 | Previous version: V 1.0 from Nov. 2, 2018. Correction of the current consumption: old = 1300 mA => new = 500 mA. Add the performance data for new LTE module, for devices with hardware version HW04....
  • Page 23 I/Os and standard interfaces General Data. Digital inputs: 4 pieces, 10-30 V DC (electrically isolated), (low 0 – 3.2 V DC, high 8 – 30 V DC). Digital outputs: 2 pieces, 10-30 V DC (electrically isolated), to a maximum of 1.5 A per output. WAN interfaces: 10/100MBit/s full and half duplex operation, automatic detection patch cable/cross-over cable (auto detection)
  • Page 24 Communication: Devices with LTE (4G) modem EU (RKH 259 EU) from hardware version: HW 05. Target region: EMEA. GSM/GPRS/EDGE: 900 (B8), 1800 (B3) MHz; max. 236 kbps. HSxPA: 900 (B8), 1800 (B3), 2100 (B1) MHz; Downlink max. 42 Mbps, Uplink max. 5.76 Mbps. 800 (B20), 900 (B8), 1800 (B3), 2100 (B1), 2600 (B7), 700 (B28A) MHz;...
  • Page 25 Devices with hardware version up to HW 04. Countries where used: North America. GSM/GPRS/EDGE: 850, 1900 MHz; max. 236 kbps. HSxPA: 1900 (B2), 850 (B5) MHz; Downlink max. 21 Mbps, Uplink max. 5.76 Mbps. 1900 (B2), AWS 1700 (B4), 850 (B5), 700 (B17) MHz; Downlink max. 100 Mbps, Uplink max....
  • Page 26 E482663 SIMPLIFIED EU DECLARATION OF CONFORMITY MB connect line GmbH hereby declares that the radio system type RKH 259 EU corresponds to the 2014/53/EU directive. A copy of the EU declaration of conformity is available at the following Internet address: www.mbconnectline.com...
  • Page 27: Scope Of Supply

    1 x Device information card (Fig. representative) Item No.: 8.002.704.00.00 If one of these parts is missing or damaged, contact the following address: MB connect line GmbH, Winnettener Str. 6, D-91550 Dinkelsbühl, Tel.: +49 (0)9851/58 25 29 0, Fax: +49 (0)9851/58 25 29 99...
  • Page 28: Display, Controls And Connectors

    Display, controls and connectors 13.1 Front view of the device Function / status LEDs WAN interface LAN interfaces 1 – 4 (4 port switch) USB Host 2.0 Dial Out button Reset button Serial interface COM Coding switch hexadecimal (Function in preparation) 8.a Function / status LEDs for coding switch Key switch...
  • Page 29 Description colour status orange GSM devices: no reception flashes GSM devices: Blink frequency 1 Hz == 20 % – 50 % reception quality • Together with Fc1 if a firmware has been detected via the USB interface. green GSM devices: Reception quality display depends on Fc4 GSM devices: Fc3 green + Fc4 green: 71 % –...
  • Page 30 Interfaces Designation Status Description – WAN port on the router (customer network, DSL modem,...) green flashes Network connection available WAN LED orange flashes Network traffic active LAN 1 - 4 – Local network connection (e.g. machine network) LAN-LED green flashes Network connection available 1 –...
  • Page 31: View At The Top Of The Device

    13.2 View at the top of the device Supply voltage connection 10 - 30 VDC – Connection 0 VDC / device housing Digital input E4 (10 - 30 VDC) galvanically isolated Digital input E3 (10 - 30 VDC) Digital input E2 (10 - 30 VDC) Digital input E1 (10 - 30 VDC) Secure Voltage 10 - 30 VDC Connection 0 VDC...
  • Page 32: View Of Underside Of Device

    13.3 View of underside of device Devices with LTE (4G) modem Type Equipment RKH 259 1 x SD card slot 2 x SIM card slot 2 x SMA socket for GSM antenna (MIMO) Standard devices Type Equipment RKH 210 1 x SD card slot RKH 216 RKH 235
  • Page 33: Interface Assignment

    Interface assignment 14.1 Pin assignment of terminal blocks X1 and X2 on the top of the device Supply voltage connection 10 - 30 VDC – Connection 0 VDC / device housing Digital input E4 (10 - 30 VDC) galvanically isolated Digital input E3 (10 - 30 VDC) Digital input E2 (10 - 30 VDC) Digital input E1 (10 - 30 VDC)
  • Page 34: Pin Assignment Lan/Wan Port On Front Of Device

    In RS 485 mode, terminations must be carried out using terminating resistors in accordance with the number of conductors. Below you can see example circuits for 4-wire and 2-wire operation. Image 2: Connection example for the 4-wire operation Image 3: Connection example for the 2-wire operation 14.4 Pin assignment LAN/WAN port on front of device Signal Not assigned...
  • Page 35: Pin Assignment Usb Port On Front Of Device

    14.5 Pin assignment USB port on front of device Signal VCC (+ 5 V) – Data +Data
  • Page 36: Router Installation

    Router Installation Installation position/minimum clearances The router is designed to be mounted on DIN top hat rails (in accordance with DIN EN 50 022) and for installation in a control cabinet. The installation and assembly must be carried out according to VDE 0100/IEC 364.
  • Page 37: Starting The Router

    Starting the router NOTICE Before you connect the router to a network or a PC, make sure that the router is properly connected to the power supply. Otherwise, other devices may be damaged. 1. Connect the equipotential bonding to the grounding screw on the top side of the router. Note that the grounding screw and the device housing with the 0 V potential of the power supply are electrically connected to terminal X1....
  • Page 38: Connect Router To Configuration Pc

    Connect router to configuration PC You can access the web interface of the mbNET directly via a PC. Requirement: • PC with network card • Internet browser (HTML5 compatible) • The IP address of the computer must be in the same network as the mbNET - 192.168 in this case.
  • Page 39: Calling Up The Mbnet Web Interface

    Calling up the mbNET web Interface Start the Web browser on your PC and type the required IP address of the router in the address bar. Factory setting is: 192.168.0.100 NOTICE Please note that access to the web interface is possible only via the HTTPS protocol (https://192.168.0.100). Log in to the router - Factory setting is: User name: admin...
  • Page 40: First Start

    To cancel this operation, simply unsubscribe from the web interface (admin > Logout). Information about the benefits of using mbCONNECT24 can be found on our website www.mbconnectline.com or contact your MB connect line distribution partner. • Classic Router Selecting "classic router" creates a separate router without connecting to the mbCONNECT24 portal.
  • Page 41: Portal Server - First Start

    To cancel this operation, simply logout from the web interface (admin > Logout). Information about the benefits of using mbCONNECT24 can be found on our website www.mbconnectline.com or contact your MB connect line distribution partner. Use the Cloudserver to configure the mbNET for a connection a. to the Internet and b.
  • Page 42: Internet - Configuring The Internet Connection

    20.1 Internet - Configuring the Internet connection Image 4: the selection may vary depending on the device type Here, you can select how to connect to the Internet. And click on "Next". Depending on the device type, the selection is •...
  • Page 43 Clicking on "Next" will take you to the Portal Server settings. Static If interface type Static is selected, enter your WAN settings for the Ethernet-Internet connection. Designation Description Interface type Selection field for the interface type: - DHCP - Static WAN IP address Enter the WAN IP address.
  • Page 44: Modem Connection Settings

    20.1.2 Modem Connection Settings (Designation / Description). Network (provider): Selection field for the service provider. APN (Access Point Name): Enter the APN of your provider here, if necessary. SIM Pin: Enter the SIM PIN of the SIM card used. User / Password: If necessary, enter your user name and password. Clicking on "Next"...
  • Page 45 (Designation / Description) List of portal servers (For more information see the "mbCONNECT24 Server List" table): List of available portal servers: • rsp.mbconnect24.net (EU) • rsp.mbconnect24.us (US/CAN) • rsp.mbCONNECT24.asia (ASIA) • rsp.au.mbCONNECT24.net (AU) • User defined. Host address or DNS: The matching host address of the portal server selection will be shown here....
  • Page 46: Finish - Apply Settings

    20.3 Finish - Apply settings. Save changes: Save the settings by clicking on "Save Changes". Complete: Click "Complete" to complete the process. You will be taken to the "Cloudstatus Page" (Quick start). Here you can find information (including connection errors and their cause) for each connection to the Internet, and the Portal Server. NOTICE Do not switch off the mbNET until the mbNET has picked up its configuration from the portal....
  • Page 47: Quick Start - Cloud Status Page

    Quick Start - Cloud Status Page 21.1 Quick Start This display appears a. each time you call up the mbNET web interface, if you have created the mbNET as a portal device b. from the configuration interface via the "admin" Menu Here, you can detect connection errors and determine the cause.
  • Page 48 In Step 1, you will receive an overview of interfaces and general system information. Step 2 provides information about the status of the connection to the Internet. In Step 3, you will see the result from the DNS and NTP check as well as the port check (port 80/443/1194) for the remote maintenance portal.
  • Page 49: Diagnosis

    21.2 Diagnosis Image 5: Diagnostic example with executed command: Route monitoring (Designation / Description). Ping: After entering an internet address or an IP address, you can use the ping command (Click on the "Ping" button) to determine whether the corresponding address is accessible....
  • Page 50: Output Of Device Diagnostic Information To A Usb Stick

    (Designation / Description) TCPDUMP: In order to closely monitor the network traffic, you can use the "TCPDUMP" command. Some examples of the use of this command are: • -i eth0 not port 80 Displays all TCP/IP connections to the (-i) LAN (eth0) interface, except (not) those using Port 80 (port 80) when incoming or outgoing....
  • Page 51: Iot

    21.3 IoT Here you can see an overview • of the serial number and the license type of the mbEDGE SD card used • of the status of the IoT service (Docker) • of the Docker Management Status • of the status of activation for Flows and Dashboard Click on the "Flows"...
  • Page 52: Classic Router - Configuring The Mbnet Via The Web Interface

    Classic router - configuring the mbNET via the web interface If you use the mbNET as a classic router, the complete configuration and setup is performed via the web interface of the device. 22.1 Description of the graphical user interface (configuration interface) Image 6: Basic structure of the graphical user interface Main Navigation First-level navigation for the operational user interface.
  • Page 53: Description Of Buttons, Icons And Fields

    22.2 Description of buttons, icons and fields Here, you will find an overview of the display elements, input/selection fields and buttons. Symbol Description Display element - grey LED, example: a link is inactive, a cable or USB device is not connected, Output1 is inactive etc....
  • Page 54: System - Settings And Basic Router Configuration

    System - settings and basic router configuration Here, you will find general system information and settings. Under the System menu the following submenus are listed (Submenu / Description). Info: General system information. CTM*: Configuring the CTM (Config Transfer Manager). Settings: General system configuration (e.g. time and mail settings). Website: HTTPS access configuration in the mbNET web interface....
  • Page 55: System > Info

    23.1 System > Info Image 7: Example display, content can vary depending on the type of device.
  • Page 56 System Here you will find information about • Device type • Serial number • Firmware version • Device name in the network Warnings or/and the most recent error are also displayed here. Network Here you will find information about • Interface LAN and WAN displays which network ports are linked/connected at the moment to the existing net- work via the corresponding sockets.
  • Page 57: System > Ctm (Configuration Transfer Manager)

    23.2 System > CTM (Configuration Transfer Manager) The CTM allows the mbNET to transfer the portal configuration via the active Internet connection, i.e. the mbNET picks up its configuration from the mbCONNECT24 portal, as soon as it comes online. In order to ensure the transfer, CTM must be activated on the mbNET.
  • Page 58 Designation Description Active "Yes / No" selection field to activate/deactivate this function. Host address or DNS Enter the host address or DNS name. Session-Key Enter the session key generated by the portal. Enable connection "Yes/No" selection field - select "Yes" if you want to use an HTTPS proxy server through a HTTP proxy as the outgoing connection.
  • Page 59 (Designation / Description) HTTP proxy username: User name input field. If required, the domain name (domain\username), as well as the authentication method, are also entered here (for "NTLM": Username#AUTH-NTLM or for "NTLMv2": Username#AUTH-NTLM2). HTTP proxy password: Server password input field. Clicking on "Save"...
  • Page 60: System > Settings

    23.3 System > Settings
  • Page 61 In the Settings submenu you can configure the following functions: Function Description/content System settings • Assign a device name in the network • Configure a device reboot Time Settings • Set the local time (date/time) • Select the time zone NTP Settings •...
  • Page 62: System > Settings > System Settings

    23.3.1 System > Settings > System Settings (Designation / Description). Hostname: Enter here a name that allows the router to be reached on the network. NOTICE The mbNET can only be reached under this Hostname, if the DNS server that is registered on your PC knows the device name and the IP address of the mbNET....
  • Page 63: System > Settings > Time Settings

    23.3.2 System > Settings > Time Settings Designation Description Date/Time (UTC) Displays the current system time in UTC (Coordinated Universal Time). Local Date Time Displays the current system time based on the selected time zone. Set local Date Time Adjustable system time, which is used, if no automatic time adjustment is to take place, or is not possible.
  • Page 64: System > Settings > Ntp Settings

    23.3.3 System > Settings > NTP Settings The Network Time Protocol (NTP) is a standard for synchronizing clocks in computer systems via packet-based communication networks. During time synchronization, the NTP client gets the current time from an NTP server. The mbNET can act both as an NTP client and as an NTP server....
  • Page 65 (Designation / Description) Time synchronization using NTP: Checkbox for enabling/disabling the NTP function. If this checkbox is activated, the mbNET acts as an NTP client. Server address: Enter the IP address or the name of the time server (default address: 0.de.pool.ntp.org)....
  • Page 66: System > Settings > Mail Settings

    In the case of certain events (e.g. from the alarm management) you can send automatically generated messages from the system via email. Here you set whether the mbNET should use the mail server of MB connect line, with fixed specifications, or whether you want to use your own SMTP server....
  • Page 67 NOTICE Temporarily stored settings/changes are saved until a reboot of the router. Only after you confirm via "Apply Changes", will the changes be applied (activated) and stored permanently.
  • Page 68: System > Settings > Device-Api

    23.3.5 System > Settings > Device-API The mbNET can be used as an MQTT broker. (Designation / Description) Enable MQTT access to status topics: Checkbox for enabling/disabling this function. MQTT Password: Mandatory field for entering a password. No default password is specified here. MQTT Username: The default username "web"...
  • Page 69 After activating the "MQTT access to status topics" function, you can query the values from the "MQTT Debug List" under Status > System.
  • Page 70: System > Settings > System Service

    23.3.6 System > Settings > System Service (Designation / Description). Disable network configuration (Conftool): Check box for enabling/disabling this function. NOTICE The "Disable Network Configuration (Conftool)" function is only relevant if you operate the router on the portal mbCONNECT24....
  • Page 71: System > Web

    23.4 System > WEB In the Web submenu you can configure the following functions: HTTPS device configuration access Function Description/content HTTPS Port Here you can • change the default port (443), through which the HTTPS server is accessed. ° Important! If you change the default ports, you must specify the new port in the browser's address bar (e.g.:192.168.0.100:84).
  • Page 72 System Services (Function / Description/content). Enable access to Quickstart WITHOUT credentials: This function is only relevant if you operate the router in the mbCONNECT24 portal (Cloudserver). You can find a description of this function in the mbCONNECT24 online help. Enable login via GET- Checkbox to activate / deactivate this function....
  • Page 73: System > Web > Https Access For Device Configuration

    23.4.1 System > Web > HTTPS access for device configuration (Designation / Description). HTTPS Port: Here you can change the default port (443), through which the HTTPS server is accessed. Important! If you change the default ports, you must specify the new port in the browser's address bar (e.g.:192.168.0.100:84)....
  • Page 74: System > Web > System Services

    23.4.2 System > Web > System Services (Function / Description/content). Enable access to Quickstart WITHOUT credentials: This function is only relevant if you operate the router in the mbCONNECT24 portal (Cloudserver). You can find a description of this function in the mbCONNECT24 online help. Enable login via GET- Checkbox to activate / deactivate this function....
  • Page 75: System > User

    23.5 System > User Here you can manage the users who have access to the configuration interface of the mbNET. • By default, the user "admin", is created with all rights. • The user "admin" is associated with the device password. •...
  • Page 76: Added/Edited User

    23.5.1 Added/Edited User (Designation / Description). User name: Mandatory field for entering a user name (for example, User1). Full Name: Mandatory field for entering a name (for example, Peter Schmidt). Administration: Check boxes to enable/disable the type of access by the user to the web interface of the mbNET....
  • Page 77 (Designation / Description) NOTICE The password should consist of at least 8 characters, including uppercase letters, numbers and special characters (example: aZ?34%s8). Clicking on "Save" temporarily saves the current entries/changes. But the changes are not yet enabled. Clicking on "Close"...
  • Page 78: System > Certificates

    23.6 System > Certificates The main component for VPN connections using IPSec or OpenVPN is the trust between two or more communication partners. An authenticity test is required for secure communications. This is done using PKI (public key infrastructure). Certificates will ensure that the "right"...
  • Page 79: Own Certificate

    23.6.1 Own certificate Own certificates are used by the certificate holder. These are issued and signed by a higher authority (CA Root Certificate). In order for the mbNET to be able to use its own certificate at a remote terminal so as to show it there, the appropriate PKCS12 file (certificate including private key) must be selected, in order to import this.
  • Page 80 In the overview, you can see certificates imported thus far.
  • Page 81: Ca Certificate (Root Certificate)

    23.6.2 CA certificate (root certificate) A root certificate verifies that the remote site certificate is signed. Such a root certificate must be imported, if under the VPN settings "by means of a certificate from the same CA" is selected as the authentication method. The entry from the root certificate will be used as a criterion to decide whether the certificate of the in-dialling device is valid....
  • Page 82 In the overview, you can see certificates imported thus far.
  • Page 83: Partner Certificate (Ipsec)

    23.6.3 Partner certificate (IPSec) Partner certificates are certificates of the remote terminal. They are only required if the VPN settings "Authentication via partner certificate" have been selected. In this case, the criterion for deciding the validity of a certificate is that a copy of this partner certificate exists locally....
  • Page 84 In the overview, you can see certificates imported thus far.
  • Page 85: Crl (Revocation List)

    23.6.4 CRL (revocation list) The recover/revocation list (Certificate Revocation List, CRL for short) checks whether the certificates of in-dialling computers are valid or not. The CRL contains the serial numbers of certificates that should be blocked. So if one wants to deprive people of permission to dial into the mbNET or the underlying PLC, it is only necessary to create a CRL....
  • Page 86 In the overview, you can see certificates imported thus far.
  • Page 87: System > Memory Devices

    23.7 System > Memory devices The mbNET has • a USB port (USB Host 2.0) on the front of the device and • an SD card slot on the bottom of the device 23.7.1 USB You can connect a USB device (USB stick or USB hard drive) to the USB port on the Industrial router. The USB storage medium can be accessed via SFTP.
  • Page 88: Usb Settings

    23.7.1.1 USB Settings Within USB Settings you can select USB Mode: • USB memory via SFTP • USB Transparent (USBOverIP) NOTICE USB mode "USB Transparent (USBOverIP)" is only relevant/functional in conjunction with the mbCONNECT24 Remote-Service-Portal and the Remote Client mbDIALUP. Related settings can only be made via mbCONNECT24 and mbDIALUP....
  • Page 89: Usb Access From The Network

    23.7.1.2 USB access from the network Designation Description Active Check box for enabling/disabling this function. If the checkbox is activated, a connected USB storage medium is integrated by the mbNET. SFTP User Input field for the SFTP user name SFTP password Input field for the SFTP password SFTP Password Input field for confirmation of the SFTP User Password.
  • Page 90: Usb Devices

    23.7.1.3 USB devices You can connect a USB device (USB stick or USB hard drive) to the USB port on the Industrial router. The USB storage medium can be accessed via SFTP. A LED icon will display if a USB storage medium is connected to the mbNET or has been detected. USB Device connected Green LED symbol = USB storage medium available Gray LED symbol = No USB storage device connected...
  • Page 91: Sd-Card

    23.7.2 SD-Card NOTICE The "SD access from network" configuration menu is only available when using an mbEDGE card and after activating the card via the menu "IoT > Control > Docker - activate mbEDGE". Other SD cards are not recognized by the mbNET. An LED symbol indicates whether an SD card is inserted in the mbNET....
  • Page 92: Sd Access From Network

    23.7.2.1 SD Access from network Designation Description Active Check box for enabling/disabling this function. If the checkbox is activated, a connected SD card is integrated by the mbNET. SFTP User Input field for the SFTP user name SFTP Password Input field for the SFTP password SFTP Password Input field for confirmation of the SFTP User Password.
  • Page 93 Click the Edit icon to edit the corresponding function.
  • Page 94: General Settings

    23.8.1 General Settings Designation Description Set debug output to syslog Check box for enabling/disabling this function. If this checkbox is enabled, debug information is output on the logging server. Log also to USB-Device Check box for enabling/disabling this function. If this checkbox is enabled, the logs are also stored on a USB device. Clicking on "Save”...
  • Page 95: External Logging (Server Settings)

    23.8.2 External logging (server settings) Designation Description Enable external logging server Check box for enabling/disabling this function. When this check box is selected, the system logging of the mbNET is outsourced to an external computer. Remote IP Address Enter the IP address of the external logging server here. Remote Port Specifies the port number of the external logging server.
  • Page 96: System > Configuration (Backup And Restore)

    23.9 System > Configuration (backup and restore) Here you can download a backup copy of the system configuration (Backup) and, if necessary, restore (Restore). Click the Edit icon to edit the corresponding function.
  • Page 97: System > Firmware (Firmware Update)

    23.10 System > Firmware (Firmware update) Here you can check whether the installed firmware version is current and, if necessary, upgrade to a higher version. Click the Edit icon to edit the corresponding function.
  • Page 98 Firmware update Designation Description Upgrade Method Selection field with the following options: • Auto Update Server => this requires an internet connection to be established. • USB stick => this requires that a USB stick with the new firmware - in the root directory - is connected to mbNET.
  • Page 99: Network - Connection Settings And Options

    Automatic firmware version check and update After activating this function, the installed firmware is checked every 24 hours to see whether it is current. If a newer version is available on the Autoupdate server, it will be automatically installed. NOTICE An automatic update will only take place if "Autoupdate server"...
  • Page 100 Image 8: Example display, content can vary depending on the type of device. Under the Network menu the following submenus are listed: Submenu Description Here you can set the LAN IP address and the subnet mask of the router (mbNET). This IP address accesses the router in the LAN.
  • Page 101: Network > Lan

    24.1 Network > LAN Here you can set the LAN IP address and the subnet mask of the router (mbNET). This IP address accesses the router in the LAN network. You can also specify / add network routes in CIDR format (x.x.x.0/24). 24.1.1 Interface Here you can set the LAN IP address and the subnet mask of the router (mbNET).
  • Page 102 Configuring the LAN Interface Here you can set the LAN IP address and the subnet mask of the router (mbNET). This IP address accesses the router in the LAN network. Designation Description LAN IP address Enter the IP address for accessing the router. Subnet mask Enter the subnet mask of the network that the router should be integrated into.
  • Page 103 Network participants Here you can monitor the Network participants. Designation Description Monitors network participants Selection box to • Disable • Passive Clicking on "Save" temporarily saves the current entries/changes. But the changes are not yet enabled. NOTICE Temporarily stored settings/changes are saved until a reboot of the router.
  • Page 104 Wake on LAN Here you can enter LAN participants that receive a WoL packet either manually or daily via cron job. Click the plus icon to add WoL participants. Designation Description MAC address Enter the MAC address of the WoL addressee here. Trigger Here you specify how and/or when the WoL addressee should be woken up.
  • Page 105 Here you can send a WoL wake-up call manually, edit an entry, delete an entry, or add a new entry.
  • Page 106: Routes

    24.1.2 Routes If the local network has additional subnetworks, you can add additional network routes in CIDR format (x.x.x.0 / 24) here. Click the Add button to add a route. Add LAN route Designation Description IP address Enter an IP address with CIDR suffix (x.x.x.0 / 24). Gateway The gateway to be entered is usually the IP address of the router (mbNET).
  • Page 107 Edit / Delete LAN route After you confirm your entry by clicking on the "Save" button, your entries appear in the overview of the LAN routes. Click the Edit icon to edit the corresponding entry. Click the Delete icon to delete the corresponding entry.
  • Page 108: Network > Wan

    24.2 Network > WAN Using the mbNET's WAN interface, you can connect a local network to another local network or a public network, such as the Internet. The WAN interface can be configured depending on the application. Optionally, you can define / add network routes here in CIDR format (x.x.x.0/24). 24.2.1 Interface - set WAN interface type Here you can specify the type of interface and configure the interface.
  • Page 109 Configuring the WAN Interface When selecting interface type Static, you must configure the interface. Designation Description WAN IP address Enter the WAN IP address of the router (mbNET). NOTICE The WAN IP address and the LAN IP address must be in different address ranges! Subnet mask Enter the subnet mask of the network that the router should be integrated into.
  • Page 110: Routes

    24.2.2 Routes If further sub-networks are connected to the locally connected network, you can define additional routes here. Here, you can specify network routes in CIDR format (x.x.x.0/24) or define routes to individual network users. Click the Add button to add a route. Click the Edit icon , to edit the corresponding route.
  • Page 111 Edit/Delete WAN route After you confirm your entry by clicking on the "Save" button, your entries appear in the overview of the WAN routes. Click the Edit icon to edit the corresponding entry. Click the Delete icon to delete the corresponding entry. Clicking on "Save"...
  • Page 112: Network > Modem

    24.3 Network > Modem The built-in mbNET modem (analogue or GSM) is provided for dial-up and/or Internet connections if no corresponding DSL or network connection is available. NOTICE If the modem is used for an outgoing internet connection, no incoming connection can be made. 24.3.1 Analogue modem configuration
  • Page 114: Modem Settings

    24.3.1.1 Modem Settings Click the Edit icon to edit the corresponding function. Designation Description Modem init Input field for the country code, the default is +GCI=FD (FD for Europe) NOTICE A list of country codes for devices with analogue modem can be found in the Appendix. Modem init The command X3 (do not wait for dial tone) is the default connection value.
  • Page 116: Outgoing (Configuration For Outgoing Connections)

    24.3.1.2 Outgoing (configuration for outgoing connections) Here, you configure the access data and the authentication for outgoing connections. Click the Edit icon to edit the corresponding function. Access data (selection of inputs)
  • Page 117 Designation Description Selection of inputs Selection field no/yes. Select Yes if you want to call several stations. Three more lines for entering the necessary access data will appear. Each of these additional lines is selected based on signals to digital inputs I2 to I4. Now enter the numbers and the user data for the PPP dial-up in the additional fields.
  • Page 118 Authentication Here you can select the authentication protocol for the dial-up connection and set the dial-up timeout. Designation Description Authentication using CHAP Authentication protocol with which your login data are transmitted in order to protect this data (Challenge Handshake Authentication Protocol). CHAP is normally the procedure which is performed when logging on to the internet at the Internet Service Provider (ISP) via a modem.
  • Page 119: Incoming

    24.3.1.3 Incoming Here you approve the access to the router (mbNET) by a client computer. Click the Edit icon to edit the corresponding function.
  • Page 120 Designation Description Dialin enable Check box for enabling/disabling this function. If the checkbox is enabled, access to the router (mbNET) is approved by a client computer. PPP Server IP-Address (here) Enter the address of the router (mbNET) here. You can use the same network domain as the local network. However, you should avoid using an existing address, as this can lead to an address conflict.
  • Page 122: Call Back

    24.3.1.4 Call Back When this capability is activated, the mbNET is ready to connect to the Internet when a call is made. Click the Edit icon to edit the corresponding function. Designation Description Call Back enable Check box for enabling/disabling this function. When this checkbox is activated, the mbNET is ready to connect to the Internet when a call is made.
  • Page 123: Gsm Modem Configuration

    24.3.2 GSM modem configuration
  • Page 124: Modem Settings

    24.3.2.1 Modem Settings Here, you can perform the basic modem settings. Click the Edit icon to edit the corresponding function. NOTICE For a GSM connection, neither of the two initializations is necessary to guarantee an error-free connection.
  • Page 125: Outgoing Sim 1/Sim 2 (Configuration For Outgoing Connections)

    24.3.2.2 Outgoing SIM 1/SIM 2 (configuration for outgoing connections) Here you can configure the SIM settings, the access data and the authentication for outgoing connections. Click the Edit icon to edit the corresponding function.
  • Page 126 SIM Settings Here you enter the SIM PIN of the respective SIM card and select your wireless service provider. Designation Description SIM PIN Enter your personal identification number (PIN) of the respective SIM card to provide access. You need a mobile phone to switch the PIN on or off. Provider Selection field with a list of the most common wireless service providers.
  • Page 127 Access data (selection of inputs) Designation Description Selection of inputs Selection field no/yes. Select Yes if you want to call several stations. Three more lines for entering the necessary access data will appear. Each of these additional lines is selected based on signals to digital inputs I2 to I4. Now enter the numbers and the user data for the PPP dial-up in the additional fields.
  • Page 128 Authentication Here you can select the authentication protocol for the dial-up connection and set the time limit for dial attempts. Designation Description Authentication via CHAP Authentication protocol with which your login data are transmitted in order to protect this data (Challenge Handshake Authentication Protocol). CHAP is normally the procedure which is performed when logging on to the internet at the Internet Service Provider (ISP) via a modem.
  • Page 129: General Sim Settings

    24.3.2.3 General SIM Settings Here you can specify which SIM card or which of the two SIM card slots is to be used primarily. Click the Edit icon to edit the corresponding function. Designation Description Select Primary SIM Card Selection field for the SIM card slot that should be addressed/used first. Switch to the secondary Check box for enabling/disabling this function.
  • Page 130 Clicking on "Save" temporarily saves the current entries/changes. But the changes are not yet enabled. Clicking on "Close" discards the current input/changes. NOTICE Temporarily stored settings/changes are saved until a reboot of the router. Only after you confirm via "Apply Changes" will the changes be applied (activated) and stored permanently.
  • Page 132: Sms (Remotely Control Services Via Sms Send Sms If

    24.3.2.4 SMS (Remotely control services via SMS, Send SMS if...) Click the Edit icon to edit the corresponding function. Remotely control services via SMS Designation Description Enable Service Control via SMS Check box for enabling/disabling this function. Check the Phone Number Check box for enabling/disabling this function.
  • Page 133 Clicking on "Save" temporarily saves the current entries/changes. But the changes are not yet enabled. Clicking on "Close" discards the current input/changes. NOTICE Temporarily stored settings/changes are saved until a reboot of the router. Only after you confirm via "Apply Changes" will the changes be applied (activated) and stored permanently. Command set for remote control of the mbNET via SMS Command Note...
  • Page 134 Send an SMS if... (the Internet connection was established) Designation Description Internet connection established Check box for enabling/disabling this function. When the function is enabled, the mbNET sends an SMS notification once the mbNET has established a connection to the Internet. Recipient phone number Phone number of the recipient to whom the notification should be sent.
  • Page 136: Network > Internet (Internet Connection And Internet Settings)

    24.4 Network > Internet (Internet connection and Internet settings) 24.4.1 Configure Internet connectivity Click the Edit icon to edit the corresponding function.
  • Page 137 Failover Designation Description Failover "Yes / No" selection field to activate/deactivate this function. The reliability function allows switching between different Internet connections. If this function is enabled, the Internet interfaces in the desired priority can be entered according to the device type.
  • Page 138 Internet connection - Failover = No - Click the Edit icon to edit the corresponding function. Image 9: The choice of available Internet interfaces depends on the device type and can vary. Designation Description Internet connection Here you select the Internet interface, with which the mbNET should connect to the Internet.
  • Page 139 Internet connection - Failover = Yes - (Failover of Internet interfaces) Click the Edit icon to edit the corresponding function. Image 10: The choice of available Internet interfaces depends on the device type and can vary. Designation Description The number of attempts Enter the number of connection attempts here.
  • Page 140 Designation Description Add Internet interface to priority list 1. Here you can select an Internet interface/action from the selection field. 2. Click the green plus sign to add the selected interface/action to the priority list. 3. Repeat this process as necessary until no interface/action is available. Internet Interface Priority The selected interfaces/actions are listed in order of priority here.
  • Page 141 Check the Internet connection (ping IP) Here you can also check the availability of the internet connection by pinging an IP address. You can enter up to three different IP addresses with different intervals. The entries are executed one after the other.
  • Page 142: Internet Settings (Connection Settings)

    NOTICE You can see the ping result on the quick start page under step 2. 24.4.2 Internet settings (Connection settings) Here you specify • when the mbNET should connect to the Internet. Click the Edit icon to edit the corresponding function. Connection settings •...
  • Page 143 Designation Description Connection Mode Selection field for the type of connection when the mbNET should connect to the Internet – Key switch(ONL) When the key switch is in the ONL position, an internet connection is estab- lished as soon as the device is ready for operation, after being switched on or after a device restart.
  • Page 145: Network > Dhcp

    24.5 Network > DHCP The mbNET can be configured as a DHCP server on the LAN or WAN network. If this service is active, the router will assign IP addresses to clients from the network independently. In addition, you can configure the service for the LAN and/or WAN interface. For example, you can supply several devices with it.
  • Page 146: Lan Dhcp Server Settings

    24.5.1 LAN DHCP server settings Designation Description DHCP Server active Check box for enabling/disabling this function. By enabling the function the mbNET can be set up as a DHCP server to the corresponding interface. Start Enter the start address of the address range managed by the DHCP server. End address of the range managed by the DHCP server.
  • Page 147: Lan Dhcp Static Lease Server Settings

    24.5.2 LAN DHCP static lease server settings Here you can create fixed mappings between IP addresses and MAC addresses, i.e. a device with a specific MAC address always receives the same IP address. Click on the green plus to create and add an assignment. Designation Description MAC address...
  • Page 148: Network > Dns-Server

    24.6 Network > DNS-Server Using DNS, IP addresses are converted into names. At the factory, the mbNET is configured in such a way that the DNS server is assigned by the Internet service provider (ISP). For permanent connection of the industrial router, a dedicated DNS server can be added here. This is then used before the server assigned by the internet service provider.
  • Page 149 Add server Designation Description DNS Server IP Address Enter the IP address of your DNS server. Confirm your entries by clicking on the Save button and repeat the process for further DNS server entries. NOTICE A total of up to five DNS servers can be entered.
  • Page 150 Settings Here, you specify the basic settings for the DNS server. Click the Edit icon to edit the corresponding function.
  • Page 151 Designation Description No Hosts Check box for enabling/disabling this function. If this checkbox is activated, the computer names entered under network hosts are not taken into account. Strict arrangement Check box for enabling/disabling this function. If this checkbox is activated, the sequence of the entries is exactly as described under "Server".
  • Page 152: Network Hosts

    24.7 Network Hosts This setting allows you to always assign a specific name to exactly one IP address. DNS queries can therefore be answered directly. Click on the green plus to add an assignment. Host Settings This setting allows you to always assign a specific name to exactly one IP address. DNS queries can therefore be answered directly.
  • Page 153 Clicking on "Save" temporarily saves the current entries/changes. But the changes are not yet enabled. Clicking on "Close" discards the current input/changes. NOTICE Temporarily stored settings/changes are saved until a reboot of the router. Only after you confirm via "Apply Changes" will the changes be applied (activated) and stored permanently. Image 13: Example entries in the Host Settings Click the Edit icon to edit the corresponding entry.
  • Page 154: Network > Dyndns

    The DynDNS service means that the mbNET is always available under the same name. It is used for converting addresses into names and vice versa. 24.8.1 System DynDNS settings (MB Connect Line DynDNS service) By enabling the function "Enable System Dynamic DNS", you use the automatic DynDNS service of MB connect line.
  • Page 155: Public Dyndns Service

    24.8.2 Public DynDNS service In order to be able to use a public DynDNS service, you must register/have registered for one of the services that are supported by the mbNET. Registration is normally free. Click the Edit icon to edit the corresponding function.
  • Page 156 Designation Description Active Enable this checkbox if you are registered with one of the DynDNS services in the drop-down list of the provider field and the mbNET should use this service. The next time it dials into the Internet, the mbNET reports the current IP address that it has received from the Internet service provider to the DynDNS service.
  • Page 158: Serial (Serial Port Com)

    Serial (serial port COM) General If the IP address of the mbNET is known, the serial interface of the device can be accessed via a dial-up connection or via the Internet. The COM serial port can be configured directly via the web interface to RS232, RS485 and RS422 and the corresponding control commands redirected, e.g.
  • Page 159: Com Settings

    25.1 COM settings Driver type: System driver Designation Description Interface type Use this selection field to set the interface type. The options are: RS232, RS485 2-wire, RS485 4-wire, RS422 Driver type When choosing a System Driver, a range of product- and company-specific device drivers are available to control your serial devices.
  • Page 160 Driver type: User settings Designation Description Interface Type Use this selection field to set the interface type. The options are: RS232, RS485 2-wire, RS485 4-wire, RS422 Driver Type Select the driver type User Preferences, if no matching driver is available in the drop-down list or if you want to make your own settings.
  • Page 161: Com Network Settings

    25.2 COM network settings Designation Description Protocol Select the appropriate driver for your connected devices. Port Enter the port for the network or Internet communications. The port can be chosen freely, but it must match the settings in the VCOMLAN2. Enable ports in The checkbox must be enabled so that you can communicate via the specified port.
  • Page 162: Com2 Settings

    • VCOM LAN2 (PC adapter in the SIMATIC Manager) • RFC1006 • mbNETS7 driver (installable directly in the SIMATIC Manager) 25.3.1 COM2 Settings Protocol: MPI/PROFIBUS Network Driver NOTICE The Protocol Choice MPI/PROFIBUS network driver requires the installation of a network driver on the client PC beforehand! Only in conjunction with the option RFC1006 can a separate driver installation be dispensed with and the "TCP/IP (Auto)"...
  • Page 163 Designation Description Station address of the Routing Gateway If routing function is enabled via RFC1006, you must enter the address of the routing gateway here. (Address 14 in the example below). NOTICE If a bus participant (slave) is to be accessed on a subordinate station that is not directly connected to the network, the station address of the PLC must be registered as a routing gateway in the router with the gateway (master).
  • Page 164: Com2 Network Settings

    25.3.2 COM2 Network settings Designation Description Protocol Select the appropriate driver for your connected devices. Port Enter the port via which the communication should take place here. Enable ports in the firewall If this checkbox is enabled, the port indicated above is enabled for direct access from the Internet in the firewall.
  • Page 165: Security Settings

    Security settings The mbNET has a built-in firewall to protect against unknown and/or unauthorized access or connection attempts. Incoming and outgoing data traffic is monitored, logged and enabled/disabled via this firewall. The following submenus are listed under the Security settings menu: Submenu Description Firewall General Here you can specify the basic firewall settings.
  • Page 166: Security Settings > Firewall General

    26.1 Security Settings > Firewall General The firewall can generally be configured in one of the following four variants: • Maximum security level: all incoming packets (data from the Internet) will be rejected; all outgoing packets from the LAN (data) will be rejected except: DNS, FTP, IMAP, POP3, SMTP, HTTP, HTTPS, Telnet, NTP. Enable signals for the data traffic must be configured accordingly.
  • Page 167 NOTICE The "Minimum security level" and "Firewall off" variants should only be selected for a short period of time and for test purposes or at initial start-up, if you want to ensure that a configured rule should not apply. ATTENTION! Any data traffic from inside to outside and external access are possible! The integrity of your mbNET and the connected devices is threatened when you select one of these two variants! Click the Edit icon...
  • Page 168: Security Settings > Wan Lan (Configuration Of The Firewall Rules)

    26.2 Security Settings > WAN LAN (configuration of the firewall rules) This setting controls the incoming traffic, i.e. the following settings only apply to incoming traffic from the outside. From the point of view of the mbNET firewall, "WAN" is always the currently active interface to the Internet. Depending on the setting under "Network >...
  • Page 169 Designation Description Active Checkbox for enabling/disabling this firewall rule. Action Selection field for the applicable action. The options are: • Drop When you select this action, no data packets can pass and the packets will be deleted immediately. The sender receives no information about the whereabouts of the data packets.
  • Page 170 Designation Description WAN Interfaces You can use this selection field to determine which WAN interface* should normally be used. The options are: • Internet • WAN Ethernet • OpenVPN • IPsecVPN • PPTPVPN • All * The selection field for the WAN interface can vary depending on the type of router. Source IP Enter the source IP addresses of incoming data packets for which the firewall rule applies.
  • Page 171 NOTICE The input of IP and port is not mandatory. If neither an IP nor a port is specified, a rule applies only to the selected interfaces. Clicking on "Save" temporarily saves the current entries/changes. But the changes are not yet enabled. Clicking on "Close"...
  • Page 172: Edit Firewall Rule

    26.2.1 Edit firewall rule Change the entered rule order Click on the Edit icon in the header of the overview to change the sequence of the entered rules. Here you can move up and down (drag and drop) to change the sequence of the firewall rules. Change/delete firewall rule
  • Page 173 Click on the Edit icon at the end of the line of the registered rule to edit it. Click the Delete icon to delete the corresponding entry.
  • Page 174: Security Settings > Lan-Wan (Configuration Of The Firewall Rules)

    26.3 Security Settings > LAN-WAN (configuration of the firewall rules) This setting controls the outgoing traffic, i.e. the following settings only apply to outgoing traffic. From the point of view of the mbNET firewall, "WAN" is always the currently active interface to the Internet. Click on the green plus to add a rule.
  • Page 175 Designation Description Active Checkbox for enabling/disabling this firewall rule. Action Selection field for the applicable action. The options are: • Drop When you select this action, no data packets can pass and the packets will be deleted immediately. The sender receives no information about the whereabouts of the data packets.
  • Page 176 Designation Description Destination Port Enter the ports to which the data packets are to be forwarded. Acceptable input: Integer or List of ports (between 0 and 65535) separated with commas or Port range [e.g. 32240-32245] or empty NOTICE Ranges must be separated by a hyphen (-) and enumerated by comma (,).
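The port field syntax described above (single integer, comma-separated list, hyphenated range, or empty) can be checked before a rule is typed into the web interface. This is an added example, not code from the manual or from MB connect line; the function names are hypothetical, and it assumes that a list may mix single ports and ranges and that an empty field means the rule is not restricted to a port.

```python
"""Validate and normalise a firewall port field (added example, not vendor code)."""

MAX_PORT = 65535  # the manual allows ports between 0 and 65535


class PortSpecError(ValueError):
    """Raised when a port field does not follow the accepted syntax."""


def _parse_port(token, item):
    """Convert one token to an int port number or raise PortSpecError."""
    token = token.strip()
    if not (token.isascii() and token.isdigit()):
        raise PortSpecError(f"{item!r}: {token!r} is not an integer")
    port = int(token)
    if port > MAX_PORT:
        raise PortSpecError(f"{item!r}: port {port} is above {MAX_PORT}")
    return port


def parse_port_spec(text):
    """Return merged, sorted (low, high) ranges; an empty field returns []."""
    text = text.strip()
    if not text:
        return []
    ranges = []
    for item in text.split(","):          # entries are enumerated by comma
        if not item.strip():
            raise PortSpecError("empty entry between commas")
        low_txt, sep, high_txt = item.partition("-")  # ranges use a hyphen
        low = _parse_port(low_txt, item)
        high = _parse_port(high_txt, item) if sep else low
        if low > high:
            raise PortSpecError(f"{item!r}: range start is above range end")
        ranges.append((low, high))
    ranges.sort()
    merged = [ranges[0]]
    for low, high in ranges[1:]:
        last_low, last_high = merged[-1]
        if low <= last_high + 1:          # overlapping or adjacent: merge
            merged[-1] = (last_low, max(last_high, high))
        else:
            merged.append((low, high))
    return merged


def port_count(text):
    """Number of distinct ports a field opens (0 for an empty field)."""
    return sum(high - low + 1 for low, high in parse_port_spec(text))


def rule_matches_port(text, port):
    """True if a rule with this port field applies to the given port.

    Assumption: an empty field places no port restriction on the rule,
    so it matches every port on the selected interfaces.
    """
    ranges = parse_port_spec(text)
    if not ranges:
        return True
    return any(low <= port <= high for low, high in ranges)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real device configuration.
    for sample in ["", "502", "80, 443,8080-8082,8081", "32240-32245", "100-50"]:
        try:
            print(repr(sample), "->", parse_port_spec(sample), port_count(sample))
        except PortSpecError as err:
            print(repr(sample), "-> rejected:", err)
```

Reviewing a rule list with `rule_matches_port` makes it visible that a rule with an empty port field is the broadest one, not the narrowest.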
  • Page 177: Edit Firewall Rule

    26.3.1 Edit firewall rule Change the entered rule order Click on the Edit icon in the header of the overview to change the sequence of the entered rules. Here you can move up and down (drag and drop) to change the sequence of the firewall rules.
  • Page 178 Change/delete firewall rule Click on the Edit icon at the end of the line of the registered rule to edit it. Click the Delete icon to delete the corresponding entry.
  • Page 179: Security Settings > Forwarding

    26.4 Security Settings > Forwarding Forwarding is used to forward requests from specific IP addresses and ports to IP addresses and ports defined in turn. Click on the green plus , to add a rule. Designation Description Active Check box for enabling/disabling this function. Origin IP Here you can enter the IP addresses from which data packets are received.
  • Page 180 Designation Description Protocol The following protocols are available: • All - the set rule applies to all protocols. • Tcp - the set rule applies only to the TCP protocol. • Udp - the set rule applies only to the UDP protocol. •...
  • Page 181 Clicking on "Save" temporarily saves the current entries/changes. But the changes are not yet enabled. Clicking on "Close" discards the current input/changes. NOTICE Temporarily stored settings/changes are saved until a reboot of the router. Only after you confirm via "Apply Changes" will the changes be applied (activated) and stored permanently. Image 17: Forwarding Entry Example
  • Page 182: Edit Forwarding Rule

    26.4.1 Edit Forwarding Rule Change the entered rule order Click on the Edit icon in the header of the overview to change the sequence of the entered rules. Here you can move up and down (drag and drop) to change the sequence of the firewall rules. Change/delete firewall rule
  • Page 183 Click on the Edit icon at the end of the line of the registered rule to edit it. Click the Delete icon to delete the corresponding entry.
  • Page 184: Security Settings > Nat

    26.5 Security settings > NAT 26.5.1 SimpleNAT "SimpleNAT” allows you to grant access to an IP address from the LAN Network 1:1 in the WAN Ethernet network. To do this, a free WAN Ethernet address from the WAN network is registered as WAN IP. This IP address is then added to the WAN interface and directly “natted”...
  • Page 185: Edit Simplenat Rule

    Image 18: Example entry 26.5.1.1 Edit SimpleNAT Rule Change the entered rule order Click on the Edit icon in the header of the overview to change the sequence of the entered rules. Here you can move up and down (drag and drop) to change the sequence of the entered rules.
  • Page 186 Change/delete SimpleNAT Rule Click on the Edit icon at the end of the line of the registered rule to edit it. Click the Delete icon , to delete the corresponding entry. Clicking on "Save” temporarily saves the current entries/changes. But the changes are not yet enabled. Clicking on "Close”...
  • Page 187: 1:1 Nat

    26.5.2 1:1 NAT Using "1:1 NAT" it is possible to connect two networks that are in the same address range with each other. For example, if a network with the address 192.168.0.0/24 is to be connected to a network with the same address, this is only possible if one of the two networks is assigned a different address.
  • Page 188: Edit 1:1 Nat Rule

    Image 19: Example entry 26.5.2.1 Edit 1:1 NAT rule Change the entered rule order Click on the Edit icon in the header of the overview to change the sequence of the entered rules.
  • Page 189 Here you can move up and down (drag and drop) to change the sequence of the entered rules. Change/delete 1:1 NAT rule Click on the Edit icon at the end of the line of the registered rule to edit it. Click the Delete icon , to delete the corresponding entry.
  • Page 190: Vpn

    Here you can configure the communication via a VPN tunnel. You can choose from the following protocols: IPSec | PPTP | OpenVPN 27.1 IPSec NOTICE As a rule, to enable communication via a VPN tunnel with IPSec, you need to enable the 500 UDP and 4500 UDP ports for your network.
  • Page 191: Ipsec Settings

    27.1.2 IPSec settings Click the Edit icon to edit the corresponding function.
  • Page 192 L2TP server configuration You can use the L2TP server for VPN-IPSec communication between the mbNET and a Windows client. Designation Description Local IP address Enter the name or IP address that the server should have while communicating with the Windows Client (example: 192.168.0.103). You can also use an address from the IP range of the LAN interface.
  • Page 193 IPsec Debug settings klipsdebug One of the following debug options can be selected using the klipsdebug selection field: • no debug • Tunnel - Messages of the tunnel code. • Tunnel-xmit - Messages of the packets sent in the tunnel. •...
  • Page 194 • lifecycle - temporary option, records the lifespan of the Security Associations (SA). • parsing - shows the structure of the incoming messages (useful for troubleshooting). • private - also logs the private keys in the log. • raw - shows all transmitted bytes (raw bytes).
  • Page 195: Pptp

    27.2 PPTP 27.2.1 PPTP configuration Click the Edit icon to edit the corresponding function.
  • Page 196 PPTP Server configuration Designation Description Active Check box for enabling/disabling this function. Automatic configuration "Yes / No" selection field to activate/deactivate this function. If this option is set to "YES", the PPTP server is configured automatically. (Suitable addresses for the remote PCs are used in a similar way to the LAN address of the router).
  • Page 197 Encryption configuration Designation Description Encryption Selection field for the type of encryption: • None • MPPEV2/40 • MPPEV2/128 • MPPEV2/all NOTICE IMPORTANT: You should always enable encryption of your VPN connections, otherwise unauthorized access to networks, machines, etc. is possible!
  • Page 198 Authentication configuration You can use the following checkboxes to select the authentication protocols (PAP, CHAP, MSCHAP, MSCHAP V2). Designation Description Authentication via Here the Client User Name/Password combination is sent to the host for the necessary time to accept or reject the client authentication. Authentication us- Here, the authentication is controlled by the host.
  • Page 199: Pptp Client Configuration

    27.2.2 PPTP client configuration Click on the green plus to add a client.
  • Page 200 Designation Description Active Check box for enabling/disabling this function. Enable this feature if you want to use the mbNET as a VPN client. Name Enter a name for the client here. Host name or IP Enter the name or IP address used by the client to access the server. Example 123456789@mbNET.mymbnet.biz or 80.187.33.55 Local IP Option input field...
  • Page 201: Openvpn

    Clicking on "Save" temporarily saves the current entries/changes. But the changes are not yet enabled. Clicking on "Close" discards the current input/changes. NOTICE Temporarily stored settings/changes are kept until a reboot of the router. Only after you confirm via "Apply Changes" will the changes be applied (activated) and stored permanently. 27.3 OpenVPN OpenVPN Basics •...
  • Page 202: Configure Openvpn Connections

    27.3.1 Configure OpenVPN connections Click on the green plus to add a connection. To establish a VPN connection, follow the Configuration Wizard. 27.3.1.1 Connection type: Client router connection Select the connection type if you want to connect one single PC to the router (mbNET). NOTICE Only one "client to network"...
  • Page 203 1 Connection settings Designation Description Active Check box for enabling/disabling this function. Connection Name In the text box, enter a name for the connection. Connection Type Selection field for the connection type • Router - Router connection select this connection type to connect two complete networks together. •...
  • Page 204 2 Network settings Designation Description Local IP Address of Enter the IP address of the local VPN tunnel endpoint. e.g. 10.1.0.5 the VPN tunnel Partner IP address of Enter the IP address of the partner VPN tunnel endpoint. e.g. 10.1.0.6 the VPN tunnel Replace the sender IP Check box for enabling/disabling this function.
  • Page 205 3 Authentication (Authentication process = no authentication) NOTICE Select this method only to test the connection, as all the data is transmitted in clear text! Always enable encryption of your VPN connections, otherwise unauthorized access to networks, machines, etc....
  • Page 206 (Authentication process = static key) NOTICE For symmetric encryption with a static key, you first need to generate a key (VPN OpenVPN static key) or import a previously created one. Note, however, that each participant needs to receive the key in a secure manner.
  • Page 207 (Authentication process = x.509) NOTICE For this authentication method, you must first create/import your certificates (see: System > Certificates) Designation Description Authentication process Selection field for the authentication process • no authentication • Static key • x.509 CA certificate Selection field with all certificates imported to date.
  • Page 208 Designation Description Use only CA and User/password for client verification Check box for enabling/disabling this function. In this case only the CA certificate and the user login are used for authentication. NOTICE Note that you still need to have your own certificate and it must be selected! Click the "Next"...
  • Page 209 Protocol Protocol Designation Description Coding algorithm Selection field for the method used by the mbNET to encrypt OpenVPN data: - DES with CBC (64 bit) - RC2 with CBC (128 bit) - DES-EDE with CBC (128 bit) - DES-EDE3 with CBC (192 bit) - DESX with CBC (192 bit) - Blowfish with CBC (128 bit) - RC2 with CBC (40 bit)
  • Page 210 Miscellaneous Miscellaneous Designation Description Bind the local IP- Check box for enabling/disabling this function. address and port This corresponds to the "bind" setting of OpenVPN. OpenVPN cannot dynamically change the ports during the connection. Allow the peer to Check box for enabling/disabling this function. change the IP-ad- This corresponds to the OpenVPN setting "float"...
  • Page 211 Miscellaneous Designation Description Fragment the All UDP packets that are larger than ... [bytes] are divided into several packages UDP packets in... (fragment). [bytes] This corresponds to the setting "fragment". The default setting is that the packages are not split (" "). Regenerate a new Renew the security key after ...
  • Page 212 Miscellaneous Miscellaneous Designation Description Enable connection Check box for enabling/disabling this function. through a HTTP If this function is activated, the outgoing connection attempts to pass through a proxy proxy server. The following fields must be completed for this purpose. HTTP proxy name Input field for the DNS names or the IP address of your proxy server.
  • Page 213 Click on "Save" after completing all settings. Clicking on "Save" temporarily saves the current entries/changes. But the changes are not yet enabled. Clicking on "Close" discards the current input/changes. NOTICE Temporarily stored settings/changes are kept until a reboot of the router. Only after you confirm via "Apply Changes" will the changes be applied (activated) and stored permanently.
  • Page 214: Connection Type: Router-Router Connection - Server Mode

    27.3.1.2 Connection type: Router-router connection - server mode Select this connection type to connect two complete networks together. Here you can create a "network to network" connection. Depending on the authentication method, the dialing party receives an IP from a defined area or each participant specifies his required address. Example: mbNET Client mbNET Server...
  • Page 215 1 Connection settings Designation Description Active Check box for enabling/disabling this function. Connection name In the text box, enter a name for the connection. Connection type Selection field for the connection type • Router - Router connection • Client router connection Link connection Selection field for when or under which conditions the connection should be started.
  • Page 216 2 Network settings Designation Description Local IP Address of Enter the IP address of the local VPN tunnel endpoint. e.g. 10.1.0.5 the VPN endpoint Peer IP Address of the Enter the IP address of the partner VPN tunnel endpoint. e.g. 10.1.0.6 VPN endpoint Local network Enter your own network address in CIDR notation (as standard for the router:...
  • Page 217 3 Authentication (Authentication process = no authentication) NOTICE Select this method only to test the connection, as all the data is transmitted in clear text! Always enable encryption of your VPN connections, otherwise unauthorized access to networks, machines, etc....
  • Page 218 (Authentication process = static key) NOTICE For symmetric encryption with a static key, you first need to generate a key (VPN OpenVPN static key) or import a previously created one. Note, however, that each participant needs to receive the key in a secure manner.
  • Page 219 (Authentication process = x.509) NOTICE For this authentication method, you must first create/import your certificates (see: System > Certificates) Designation Description Authentication process Selection field for the authentication process • no authentication • Static key • x.509 CA certificate Selection field with all certificates imported to date.
  • Page 220 Designation Description Use only CA and User/password for client verification Check box for enabling/disabling this function. In this case only the CA certificate and the user login are used for authentication. NOTICE Note that you still need to have your own certificate and it must be selected! Click the "Next"...
  • Page 221 Protocol Protocol Designation Description Coding algorithm Selection field for the method used by the mbNET to encrypt OpenVPN data: - DES with CBC (64 bit) - RC2 with CBC (128 bit) - DES-EDE with CBC (128 bit) - DES-EDE3 with CBC (192 bit) - DESX with CBC (192 bit) - Blowfish with CBC (128 bit) - RC2 with CBC (40 bit)
  • Page 222 Miscellaneous Miscellaneous Designation Description Bind the local IP- Check box for enabling/disabling this function. address and port This corresponds to the "bind" setting of OpenVPN. OpenVPN cannot dynamically change the ports during the connection. Allow the peer to Check box for enabling/disabling this function. change the IP-ad- This corresponds to the OpenVPN setting "float"...
  • Page 223 Miscellaneous Designation Description Fragment the All UDP packets that are larger than ... [bytes] are divided into several packages UDP packets in... (fragment). [bytes] This corresponds to the setting "fragment". The default setting is that the packages are not split (" "). Regenerate a new Renew the security key after ...
  • Page 224 Miscellaneous Miscellaneous Designation Description Enable connection Check box for enabling/disabling this function. through a HTTP If this function is activated, the outgoing connection attempts to pass through a proxy proxy server. The following fields must be completed for this purpose. HTTP proxy name Input field for the DNS names or the IP address of your proxy server.
  • Page 225 Click on "Save" after completing all settings. Clicking on "Save" temporarily saves the current entries/changes. But the changes are not yet enabled. Clicking on "Close" discards the current input/changes. NOTICE Temporarily stored settings/changes are kept until a reboot of the router. Only after you confirm via "Apply Changes" will the changes be applied (activated) and stored permanently.
  • Page 226: Connection Type: Router-Router Connection - Client Mode

    27.3.1.3 Connection type: Router-router connection - client mode With the "router-router connection" you create a "network to network" connection. Depending on the authentication method, the dialing party receives an IP from a defined area or each participant specifies his required address. Example: mbNET Client mbNET Server...
  • Page 227 Designation Description Active Check box for enabling/disabling this function. Connection name In the text box, enter a name for the connection. Connection type Selection field for the connection type • Router - Router connection • Client router connection Link connection Selection field for when or under which conditions the connection should be started.
  • Page 228 2-level security You use the control mechanism of the 2-level access control to control or regulate remote access to a device and the components connected to it. NOTICE Preventing remote access locally is a recommendation from cybersecurity authorities such as the German BSI, the French ANSSI or the European ENISA....
  • Page 229 2 Network settings Designation Description Local IP Address of Enter the IP address of the local VPN tunnel endpoint. e.g. 10.1.0.5. the VPN tunnel Peer IP Address of the Enter the IP address of the partner VPN tunnel endpoint. e.g. 10.1.0.6. VPN tunnel Local network Enter your own network address in CIDR notation (as standard for the router:...
  • Page 230 3 Authentication (Authentication method = no authentication) NOTICE This type should only be selected to test the connection, as all the data is transmitted in clear text! Always enable encryption of your VPN connections, otherwise unauthorized access to networks, machines, etc....
  • Page 231 (Authentication procedure = static key) NOTICE For symmetric encryption with a static key, you first need to generate a key (VPN OpenVPN static key) or import a previously created one. Note, however, that each participant needs to receive the key in a secure manner.
  • Page 232 (Authentication procedure = X.509 - client mode) If one of the following options was selected for "Link connection", this mbNET is in client mode and is referred to as "Client". - Connection immediately - Start with an active internet connection - Connect when input 1 has High-signal - Connect when input 2 has High-signal - Connect when input 3 has High-signal...
  • Page 234 Designation Description Authentication procedure Selection field for the authentication procedure • no authentication • Static key • X.509 If you do not have any certificates, then you first need to create your own certificates using the XCA program. ° CA certificate: This shows the selected root cell certificate.
  • Page 235 4 Protocol settings Network Interface Network adapter Interface Designation Description Interface Type Selection field for the virtual kernel driver: - TUN - TAP
  • Page 236 Protocol Protocol Designation Description Coding algorithm Selection field for the method used by the mbNET to encrypt OpenVPN data: - DES with CBC (64 bit) - RC2 with CBC (128 bit) - DES-EDE with CBC (128 bit) - DES-EDE3 with CBC (192 bit) - DESX with CBC (192 bit) - Blowfish with CBC (128 bit) - RC2 with CBC (40 bit)
  • Page 237 Miscellaneous Miscellaneous Designation Description Bind the local IP- Check box for enabling/disabling this function. address and port This corresponds to the "bind" setting of OpenVPN. OpenVPN cannot dynamically change the ports during the connection. Allow the peer to Check box for enabling/disabling this function. change the IP-ad- This corresponds to the OpenVPN setting "float"...
  • Page 238 Miscellaneous Designation Description Fragment the All UDP packets that are larger than ... [bytes] are divided into several packages UDP packets in... (fragment). [bytes] This corresponds to the setting "fragment". The default setting is that the packages are not split (" "). Regenerate a new Renew the security key after ...
  • Page 239 Miscellaneous Miscellaneous Designation Description Enable connection Check box for enabling/disabling this function. through a HTTP If this function is activated, the outgoing connection attempts to pass through a proxy proxy server. The following fields must be completed for this purpose. HTTP proxy name Input field for the DNS names or the IP address of your proxy server.
  • Page 240 Click on "Save" after completing all settings. Clicking on "Save" temporarily saves the current entries/changes. But the changes are not yet enabled. Clicking on "Close" discards the current input/changes. NOTICE Temporarily stored settings/changes are kept until a reboot of the router. Only after you confirm via "Apply Changes" will the changes be applied (activated) and stored permanently.
  • Page 241: Static Key (Key Management)

    27.4 Static key (key management) Here you can import or even generate static keys. All keys contained can be downloaded as a copy under "Download". Click on the green plus to add a key. Generate static key Name Enter a name for the key here Generate To generate the key, click the "Generate"...
  • Page 242 To download a key, click on the Download button. To delete a key, click on the Delete button.
  • Page 243: Io-Manager

    IO-Manager The I / O Manager integrated in the router fulfills the following tasks: • Display of PLC variables • Read PLC variables and, within a preset interval, save them on a USB stick (logging). • Store the logged archives (GZIP) on an external FTP server. The following variable types can currently be read from an S7 controller via RFC1006: •...
  • Page 244 NOTICE If communication is to take place via the MPI / PROFIBUS interface, the RFC1006 protocol must be activated in the settings for COM2 (Serial > COM2 > COM2 Settings).
  • Page 245: Configuring The Plc Connection

    28.1 Configuring the PLC connection Click the Add button to add a PLC connection. Designation Description Active Checkbox to enable / disable this connection. Driver Selected driver (only S7 ISOTCP is available here). Name Enter a unique name for this connection. This field cannot contain any spaces or special characters.
  • Page 246 Designation Description SPS slot address • For MPI/PROFIBUS communication, the PLC slot address is the same as the bus address. • For Ethernet communication, this is the slot space of the PLC on the rack (usually 2). 3. Click on Save to accept the input / changes. To add a PLC connection, click the add button To edit a PLC connection, click on the edit button To delete a PLC connection, click the delete button...
  • Page 247: Logging - Configuration

    28.2 Logging - configuration Click on the respective edit button to configure the logging settings and the settings for the FTP upload. NOTICE The logging settings apply to all PLC connections. For logging, it is necessary that a storage medium (USB stick) is connected to the USB socket of the mbNET. Settings Logging
  • Page 248 Designation Description Interval [s] Enter here the interval (in seconds) after which the tags are to be written to the storage medium. Maximum time until archiving the log file After this period of time (in hours), the log file is archived and a new log file is started. Settings FTP upload The logged tags can additionally be archived on an FTP server.
  • Page 249: Create Tags

    28.3 Create tags NOTICE Before you can create one or more tags, a PLC connection must be created. To create a tag, click on the add button.
  • Page 250 Designation Description Active Checkbox for activating / deactivating the created datapoint. Server Selection box with all previously created PLC connections. Address Enter the tag address for this PLC connection here. For the address syntax of the driver, see table below. Display format Selection box for the desired display format (BIN, DEZ, HEX, FLOAT).
  • Page 251: Status

    28.4 Status Here, the status of each tag is displayed for all created PLC connections. Designation Description Description Display of the description given under "Tags". Address The address of a tag Value Displays the tag value in the display format chosen when the tag was created (BIN, DEZ, HEX, FLOAT).
  • Page 252: Diagnosis

    28.5 Diagnosis Here you can view and analyze the logging.
  • Page 253: Alarm Management

    Alarm Management The mbNET Alarm Management provides the following functions: • Status query (1/0) of the four digital inputs (I1 - I4) with subsequent action: ° Send an Email ° Perform a device Restart ° Send an SMS ° Send an Internet-SMS •...
  • Page 254: Digital Inputs - Configuration

    29.1 Digital inputs - Configuration NOTICE The configuration of input 1 is representative for inputs 2, 3, 4. Input 1 settings displays the settings of the selected input. Current status displays the current status (1 or 0) of the individual inputs, as well as an LED symbol for the Dial-out button.
  • Page 255 Designation Description Active Check box for enabling/disabling this function. When this feature is enabled, the input is activated ("armed"). Query on Selection field "Low (0)/High (1)/No" to query the status of the relevant input. status Campaign Selection field for the action to be performed when the selected status of the relevant input occurs: •...
  • Page 256: Multiplex Inputs

    29.2 Multiplex Inputs An action specification (number) can be determined by the user via the inputs (2 - 4). I.e. one input is STROBE, one input is CYCLE_x1 and one is CYCLE_1x. The pulse at PULSE_x1 (one digit) and PULSE_1x (tens digit) can be counted with a rising edge at STROBE.
  • Page 257 To be able to use and configure Multiplex inputs, you must activate this function using the "Enable" checkbox. Input 2 is used for the STROBE signal, input 3 for the pulse of the unit position and input 4 for the decadic position.
  • Page 258 Multiplex Inputs Number Choose a Multiplex Input between 01 and 99 Action Select an action for the input • Send E-Mail • System Reboot • SMS • Internet SMS Text Enter the text for the alarm message here. NOTICE When sending an alarm text message, observe the maximum number of characters (160).
  • Page 259 Image 21: Example overview of 2 defined multiplex inputs Clicking on "Save" temporarily saves the current entries/changes. But the changes are not yet enabled. Clicking on "Close" discards the current input/changes. NOTICE Temporarily stored settings/changes are kept until a reboot of the router. Only after you confirm via "Apply Changes" will the changes be applied (activated) and stored permanently.
  • Page 260: Digital Outputs - Configuration

    29.3 Digital outputs - Configuration NOTICE The configuration of output 1 is representative for output 2. The settings of the selected output are under Output 1 settings. By clicking on the button "Switch output", the status of the selected output mode is switched (from 0 to 1 or from 1 to 0).
  • Page 261 Designation Description Function Selection field for the condition for switching the selected output: • Off Select these settings, if the selected output should not be switched. • On by malfunction Select this setting in the event of a device fault if the selected output should be set to signal level 1.
  • Page 262: Extras

    Extras Image 22: The display can vary depending on the device type. You will find the following submenus in the Extras menu: • Lua • IoT • RoKEY 30.1 LUA LUA (programming language) LUA scripts can be imported and run via Extras > LUA.
  • Page 263 LUA Controller Use the LUA Control • to enable LUA • import LUA scripts • see whether LUA is currently running (LUA running) grey LED symbol = LUA is not running green LED symbol LUA running Click the Edit icon to edit the corresponding function.
  • Page 264 Designation Description Active Check box for enabling/disabling this function. If this checkbox is activated, the LUA script runs after each router reboot. Import Choose a LUA script via the file browser (*.lua) and confirm the action by clicking on the "Import" button. NOTICE Only one LUA script can be uploaded and executed at a time.
  • Page 265 LUA output All readouts of the script are displayed here. For example, readouts with "print". LUA logging All error messages are shown here.
  • Page 266: Iot > Control (Mbedge)

    30.2 IoT > Control (mbEDGE) In the submenu IoT you configure and manage the mbEDGE functionality. NOTICE mbEDGE is a software kit that extends the router mbNET and mbNET.rokey to an edge gateway. The basis for this is the container platform Docker, in which several user applications are executed separately. With Node-RED there is a graphic development tool with whose function blocks the user can create individual IOT applications.
  • Page 267 1. Click the edit icon to enable the Docker service. 2. Enable the Docker settings. Click on "Save" to save the change. Confirm the activation by clicking on "Apply changes". NOTICE The mbEDGE service is now started. This may take a few minutes at the first activation. In the now expanded menu, you can activate additional services and make settings.
  • Page 269: Iot > Control - After Activating Mbedge

    30.2.2 IoT > Control - after activating mbEDGE After activating mbEDGE, you will see the full scope of the IoT menu with all submenus.
  • Page 270 Information • Serial number of the mbEDGE card • License Type Here you can see the license type of your mbEDGE card: mbEDGE.start or mbEDGE.advanced. Docker • Service Activate your mbEDGE license here. • Daemon LED symbol indicates whether the Docker daemon is active (green symbol). Docker Management •...
  • Page 271: Iot > Control - Activate Docker Management

    30.2.3 IoT > Control - activate Docker Management NOTICE You can only activate Docker Management if you have activated "Docker Management Admin" under System > Users. NOTICE Activate Docker Management only if you have purchased an mbEDGE.advanced license. 1.
  • Page 272: Link To User Interface

    30.2.3.1 Link to User Interface Click on the "Management" button to get to the container management. A new browser window, with a login, will open. The access data for this are: a. User name and password for the user you created in the user management for accessing Node-Red b.
  • Page 273: Flows And Dashboard

    30.2.4 Flows and Dashboard 30.2.4.1 Activate flows and dashboard 1. Click on the edit icon to activate the Flows and Dashboard Service. 2. Activate the flows and dashboard settings. Click on "Save" to save the change. Confirm the activation by clicking on "Apply changes". After activation, the links to "Flows(Node-Red)"...
  • Page 274: Link To Flows (Node-Red)

    30.2.4.1.1 Link to Flows (Node-RED) By clicking on the "Flows" button you will be redirected to Node-Red-Flows. A new browser window, with a login, will open. The access data for this are: a. User name and password for the user you created in the user management for accessing Node-Red b.
  • Page 275: Link To Dashboard (Node-Red)

    30.2.4.1.2 Link to Dashboard (Node-RED) By clicking on the "Dashboard" button you will be redirected to Node-Red-Flows. A new browser window, with a login, will open. The access data for this are: a. User name and password for the user you created in the user management for accessing Node-Red b.
  • Page 276: Backup And Delete Flows

    30.2.5 Backup and Delete flows Here you can save and / or delete the flows you have created. Saved flows can be read in again via Node-Red. 1. Click the edit icon. 2. Choose an option (Download or Delete)
  • Page 277: Network

    30.3 Network • Docker Interface Adjust the IP address of the Docker daemon (runtime for the IoT services and Node-RED) if an address conflict with other network settings exists / is to be expected. The default setting is 172.16.0.1/24
  • Page 278 • Firewall Settings for Node-Red Here, you add firewall rules to open ports for Node-RED. By default, a network socket node in Node-RED has access only from the inside out. Therefore, any "listener socket" created in Node-RED is not accessible via LAN / WAN. For example, an OPC UA server cannot be reached via LAN / WAN.
  • Page 279: Key Management

    30.4 Key Management Only the mbNET with which an mbEDGE card is paired can open the encrypted container. So that you can access your data at any time - even if the mbNET is no longer available - a Backup-Key is required. If the mbNET is no longer reachable before you have generated the Backup-Key (e.g. in the event of total failure due to damage), there is no way to access the card.
  • Page 280: Create Backup-Key

    30.4.1 Create Backup-Key 1. Click on the edit icon in Settings. 2. Fill in the input fields under Key Settings. ° The Backup-Key must consist of at least 8 characters. ° You can find the License Code on the back of the mbEDGE packaging. 3.
  • Page 281: Firmware

    After you have saved your entries, you can change or delete the backup key at any time. To do this, click on the edit icon. 30.5 Firmware Under "Current Firmware Version" you can see • the current firmware versions of °...
  • Page 282 Requirement: The mbNET must be connected to the Internet. 1. Click the "Upgrade" button to upgrade the firmware versions.
  • Page 283: Rokey

    30.6 RoKEY Key Switch position Here, the current position of the mbNET.rokey key switch is displayed. Switch position Function RST Loading the factory settings OFF It is not possible to establish a VPN connection. Modem devices can not connect to the Internet.
  • Page 285: Status (Information And Analysis)

    Status (information and analysis) When errors/faults occur, these can be analysed on the basis of specific status information. Thus, for example, when the LED Stat (Status) is flashing, this indicates that a system error has occurred on the mbNET. For this purpose, e.g.
  • Page 286 Designation Description MAC address IP address Display of the settings on the WAN connection (external connection) of the mbNET. Subnet mask As soon as the mbNET has a physical connection to the network, or the mbNET is assigned a static IP address, the IP address is displayed. DNS Server 1 Gateway Bytes Received...
  • Page 287 LAN interfaces Designation Description MAC address Display of the settings on the LAN connection (local connection) of the mbNET. The IP address is then displayed if the mbNET has a physical connection. IP address Subnet mask Bytes Received Display the volume of data in received and sent data packets. Sent Bytes
  • Page 288: Status > Network

    31.2 Status > Network 31.2.1 General Physical connections: Ethernet connections Displays the physical connections used to connect the router to other computers. Route table Displays all routes used. Router monitored ports Displays all monitored ports. Router connections: Connections to the router Displays all IP addresses of ports, such as of computers that are connected to the router.
  • Page 289: Firewall

    31.2.2 Firewall IN/OUT/FORWARD Displays incoming and outgoing data traffic as well as forwarding. Displays natted data traffic. 31.2.3 Network participants
  • Page 290 The LAN network participants that have been recognized via ARP reconnaissance are listed here.
  • Page 291: Status > Modem

    31.3 Status > Modem 31.3.1 GSM information Manual control of the GSM modem Reboot Here you can click on the "Execute" button to restart the GSM modem. Information
  • Page 292 Designation Description Signal Quality Signal strength display (in %) GSM Service Display of the transfer procedure, depending on the type of modem, signal strength etc. SIM card slot Display of the active SIM card slot SIM status Status of detected SIM Card Provider Displays the wireless service provider Mobile number...
  • Page 293: Modem

    Received Bytes time. Modem command NOTICE Use this function only as instructed by the MB connect line support staff! Modem Command (without AT) Enter here the modem command and click on the "Execute" button.
  • Page 294: WiFi

    31.4 WiFi Information Designation Description Connected Display of the connection status via an LED symbol SSID Display Wi-Fi Network Names Signal strength Signal strength display (in %) Operating frequency Operating frequency display IP address / Subnet mask Displays the settings on the Wi-Fi connection (local connection) of the router. The IP address is displayed if the router has a physical connection.
  • Page 295 Available WiFi networks Available networks are listed here. Click on the magnifying glass symbol to see the details of the respective WiFi network.
  • Page 296: Internet

    NOTICE Use this function only as instructed by the MB connect line support staff! Internet access This displays outgoing connections to the Internet. This can be both outgoing connections via the modem as well as connections over WAN.
  • Page 297: DHCP

    31.6 DHCP DHCP Server LAN Displays the IP addresses that the DHCP server assigns to connected clients. DHCP Server WAN Displays the IP addresses that the DHCP server assigns to connected clients. Logging Displays the IP addresses that the DHCP assigns and which IP addresses are not allowed. DHCP Client WAN Information about clients connected via the WAN connection.
  • Page 298: DNS Server

    31.7 DNS Server DNS_Server Designation Description Name Displays the name of the DNS server (if not assigned by the Internet Service Provider). IP address Displays the IP address of the DNS server (if not assigned by the Internet Service Provider). Logging Designation Description...
  • Page 299: DynDNS

    31.8 DynDNS DynDNS Designation Description Updated IP-address Displays the current IP address that is assigned to the mbNET via the Internet. Logging Designation Description System Logging Here all events and errors relating to the DynDNS service are displayed.
  • Page 300: NTP

    31.9 NTP Date and time Designation Description Date/Time (UTC) Displays the current system time in Universal Time Coordinates (UTC). Local date/time Time update Clicking on the "Execute" button synchronises the time with the NTP server stored and activated under System > Settings > Time Settings. Logging Designation Description...
  • Page 301: VPN-IPsec

    By clicking on the "Start" or "Stop" button, you can manually start or stop a connection. NOTICE Use this function only as instructed by the MB connect line support staff! System logging: Connection The connection protocol is displayed here.
  • Page 302: VPN-PPTP

    31.11 VPN-PPTP 31.11.1 VPN PPTP server Connections Inbound Outbound The incoming VPN connections of the mbNET are listed here. An active connection is indicated by a green LED icon. The connection time, users dialled-in, local and remote IP address are displayed. After disconnection, you can see the time during which the corresponding connection was active.
  • Page 303: VPN PPTP Clients

    By clicking on the "Start" or "Stop" button, you can manually start or stop a connection. NOTICE Use this function only as instructed by the MB connect line support staff! System PPTP Client user logs All notifications and error messages of the PPTP service are displayed here.
  • Page 304: VPN-OpenVPN

    By clicking on the "Start" or "Stop" button, you can manually start or stop a connection. NOTICE Use this function only as instructed by the MB connect line support staff! System OpenVPN user logs The connection protocol is displayed here.
  • Page 305: IoT

    31.13 IoT 31.13.1 IoT > Docker Here you can see: • the Status of your mbEDGE installation green LED icon = mbEDGE is active Click the "stop" button to deactivate / stop mbEDGE gray LED icon = mbEDGE is not active Click on the "start"...
  • Page 306: IoT > Docker Management

    31.13.2 IoT > Docker Management Here you can see the Status of the Docker Management green LED icon = Docker Management is activated Click the "stop" button to deactivate / stop the Docker Management gray LED icon = Docker Management is not active Click on the "start"...
  • Page 307: IoT > Flows And Dashboard

    31.13.3 IoT > Flows and Dashboard Here you can see: • the Status of accessing Flows and Dashboard. green LED icon = access to Flows and Dashboard is enabled. Click the "stop" button to deactivate / stop the access gray LED icon = access to Flows and Dashboard is disabled.
  • Page 308: Runtime

    31.14 Runtime NOTICE This function is only relevant if you operate the mbNET in the mbCONNECT24 portal. Here you can see: • the Runtime Status: green LED icon = Runtime is enabled. gray LED icon = Runtime is disabled. •...
  • Page 309: Diagnostics - Network Resources

    31.15 Diagnostics - Network Resources Designation Description Ping After entering an internet address or an IP address, you can use the ping command (click on the "Ping" button) to determine whether the corresponding address is accessible. Among other things, for example, you can easily determine whether an Internet connection exists.
  • Page 310: Log-Analyzer

    Designation Description TCPDUMP In order to closely monitor the network traffic, you can use the "TCPDUMP" command. Some examples of the use of this command are: • -i eth0 not port 80 Displays all TCP/IP connections to the (-i) LAN (eth0) interface, except (not) those using Port 80 (port 80) when incoming or outgoing.
  • Page 311 The live log of the system can be seen under Log Analyzer. The display can be filtered by "Priority" and/or "Application".
  • Page 312 Filters for "Priority" and/or "Application" can be set independently for a clear, detailed display.
  • Page 313: Storage Media

    31.17 Storage media Status display showing whether a storage medium (USB stick and/or SD card) is connected to the mbNET. green LED symbol = storage medium connected Grey LED symbol = storage medium is not connected
  • Page 314: Alarm Manager

    31.18 Alarm Manager Designation Description Inputs The statuses of the digital inputs are displayed here. The status query is performed and updated approximately every three seconds. Outputs The statuses of the digital outputs are displayed here. The status query is performed and updated approximately every three seconds.
  • Page 315: System

    31.19 System 31.19.1 System-Usage CPU Information Display of the current utilization of the CPU. RAM in use Displays the currently required/used RAM of the router. Flash in use Displays the capacity of the configuration memory and temporary memory.
  • Page 316: System Information

    31.19.2 System Information Device uptime The operating time of the device since the last device restart is displayed here. The same information can also be found on the Quickstart page. System Kernel Logging Possible reasons for errors in the router can be found in the system information. System error log For example, if the Stat-LED on the front of the device is flashing, it may be possible to use the logging to discover the cause of the error.
  • Page 317: MQTT Debug List

    31.19.3 MQTT Debug List The MQTT debug list outputs the system information in tabular form. The mbNET can be used as an MQTT broker. After activating the "MQTT access to status topics" function under "System > Settings > Device API", you can query the values from the "MQTT debug list".
  • Page 318: Firmware Update Via The Usb Interface

    Firmware update via the USB interface You can update the mbNET directly via the USB interface. The device then automatically recognizes the firmware saved to a connected USB stick. Pressing the Dial Out button starts the firmware update. Preparation: • Go to www.mbconnectline.com (downloads) and download the latest firmware version (e.g. "mbNET_FW_V624.zip").
  • Page 319: Programming The mbCONNECT24 Portal Configuration Via The USB Interface

    Programming the mbCONNECT24 portal configuration via the USB interface If you created the mbNET device configuration in the mbCONNECT24 service portal, you can scan this portal configuration directly via the USB interface into the mbNET. The device automatically detects the portal configuration stored on a connected USB stick ("mbconnect24.mbn/-.mbnx").
  • Page 320: Factory Settings When Delivered

    Factory settings when delivered 34.1 User name and password - for access to the mbNET Web Interface The mbNET is delivered with the following user data: User name admin Password The default password can be found on the back of the device NOTICE Make sure you change the default access data immediately! 34.2 IP address of the mbNET...
  • Page 321: Load Factory Settings

    Load factory settings NOTICE Before you configure the device to its factory settings, you should note the following: • Save your configuration first. After restoring the factory settings, all of your settings/changes will be deleted. • The IP address of the device is reset to the original IP address (192.168.0.100). You may also need to modify the network settings of the configuration PC accordingly.
  • Page 322: Device Restart (Reset)

    Device restart (Reset) Directly on the device (mbNET) using the reset button For example, use a paper clip and press the Reset button on the mbNET. The device will now restart. The restart is complete once both the "Rdy" and "Pwr" LEDs light up. Via the mbNET web interface 1.
  • Page 323: Annex

    Annex 37.1 Set computer address (IP address) in Windows 10 NOTICE If you want to access the web interface of the mbNET via a configuration PC, the following conditions must be met: • The mbNET must be connected to the PC via one of its LAN interfaces. •...
  • Page 324 • Click on properties in the next window (Status of LAN connection). • Here, under Properties of the LAN-connection, select the entry Internet Protocol Version 4 (TCP/IPv4), and click on Properties. • Here, ° the IP address of the computer must be in the same network range as the mbNET, °...
