IX20
User Guide
Firmware version 23.9

Summary of Contents for Digi IX20

  • Page 1 IX20 User Guide Firmware version 23.9...
  • Page 2 June 2022 5G enhancements: Added 5G slice support for configuring the slice type for the 5G modems. Added WAN Bonding as an add-on feature via Digi Remote Manager for bonding multiple outbound Internet connections together for increased maximum throughput or data redundancy. SureLink enhancements: Enabled SureLink reset_modem action by default on cellular interfaces and set fail count to three.
  • Page 3 New settings to control the NMEA message content that the device sends when there is no valid fix from any of the configured location sources. Release of Digi IX20 firmware version 22.8: September 2022 Cellular modem enhancements: Added modem ota download and system firmware ota download commands for downloading cellular modem and device firmware.
  • Page 4 Added the ability to turn off all LEDs on the device to reduce power consumption. Release of Digi IX20 firmware version 22.11: December 2022 Updated the Linux kernel to version 5.19. The intelliFlow feature now integrates with Digi Remote Manager to provide aggregated insights and analytics for all Digi devices in your environment.
  • Page 5 Documented the new Modem emulator mode, which allows serial ports to act as a dial-up modem emulator for handling incoming AT dial-ins. Advanced Watchdog options: Added System > Advanced Watchdog options to all devices. Digi Remote Manager support: IX20 User Guide...
  • Page 6 Release of Digi IX20 firmware version 23.9: October 2023 Register a device to DRM: Added a link to the Dashboard of the local web UI to register and add the device to Digi Remote Manager. Updated Dashboard: Updated the layout of the Dashboard page of the...
  • Page 7 Added information about adding a MACsec tunnel. Trademarks and copyright Digi, Digi International, and the Digi logo are trademarks or registered trademarks in the United States and other countries worldwide. All other trademarks mentioned in this document are the property of their respective owners.
  • Page 8 Include the document title and part number (IX20 User Guide, 90002381 N) in the subject line of your email. IX20 User Guide...
  • Page 9: Table Of Contents

    Digi IX20 Quick Start Step 1: Connect your device Apply Dielectric Grease over SIM Contacts Step 2: Connect DC power Step 3: Set up access to Digi Remote Manager Step 4: Register your device Step 5: Complete setup Step 6: Configure cellular APN...
  • Page 10 Using the local web interface Log out of the web interface Use the local REST API to configure the IX20 device Use the GET method to return device configuration information Use the POST method to modify device configuration parameters and list arrays...
  • Page 11 Configure Remote Access mode Configure Application mode Configure PPP dial-in mode Configure UDP serial mode Configure Modem emulator mode Configure Modbus mode Configure RealPort mode using the Digi Navigator Installation and configuration process Digi Navigator features Install the Digi Navigator IX20 User Guide...
  • Page 12 Configure RealPort on a Digi device from the Digi Navigator Digi Navigator application features Advanced RealPort configuration without using the Digi Navigator Windows Operating System Linux Operating System Download the RealPort driver Configure RealPort on your laptop Configure the serial port for RealPort mode...
  • Page 13 Configure a DMVPN spoke L2TP Configure a PPP-over-L2TP tunnel L2TP with IPsec Show L2TP tunnel status L2TPv3 Ethernet Configure an L2TPv3 tunnel Show L2TPV3 tunnel status MACsec Configure a MACsec tunnel NEMO Configure a NEMO tunnel Show NEMO status IX20 User Guide...
  • Page 14 Configure telnet access Configure DNS Show DNS server WAN bonding Use Digi Remote Manager to enable and configure WAN bonding on multiple devices Configure WAN bonding on your local device Show WAN bonding status and statistics Simple Network Management Protocol (SNMP)
  • Page 15 Example: Set the LTE connection indicator to flashing purple Set up the IX20 to automatically run your applications Configure scripts to run automatically Show script information Stop a script that is currently running Start an interactive Python session Run a Python application at the shell prompt...
  • Page 16 Configure web filtering with manual DNS servers Verify your web filtering configuration Show web filter service information Containers Use Digi Remote Manager to deploy and run containers Use an automation to start the container Upload a new LXC container Configure a container...
  • Page 17 Use intelliFlow to display top data usage information 1059 Use intelliFlow to display data usage by host over time 1061 Configure NetFlow Probe 1062 File system The IX20 local file system 1068 Display directory contents 1068 Create a directory 1069 Display file contents...
  • Page 18 Ping to check internet connection 1114 Stop ping commands 1114 Use the traceroute command to diagnose IP routing problems 1114 Digi IX20 regulatory and safety statements RF exposure statement 1116 Federal Communication (FCC) Part 15 Class B 1116 Radio Frequency Interference (RFI) (FCC 15.105)
  • Page 19 1166 modem pin status 1166 modem pin unlock 1166 modem puk status 1166 modem puk unlock 1167 modem reset 1167 modem scan 1167 modem sim-slot 1167 monitoring 1168 monitoring metrics upload 1168 more 1168 IX20 User Guide...
  • Page 20 1179 show web-filter 1179 show wifi ap 1180 show wifi client 1180 show wifi-scanner 1180 show wifi-scanner blocklist 1181 show wifi-scanner candidates 1181 show wifi-scanner log 1181 speedtest 1181 1182 system backup 1182 system disable-cryptography 1182 IX20 User Guide...
  • Page 21 1185 system serial save 1185 system serial show 1185 system support-report 1186 system time set 1186 system time sync 1186 system time test 1186 tail 1187 telnet 1187 traceroute 1187 calibrate analog input ports 1188 IX20 User Guide...
  • Page 22: What's New In Digi IX20 Version 23.9

    What's new in Digi IX20 version 23.9 Release of Digi IX20 firmware version 23.9: Register a device to DRM: Added a link to the Dashboard of the local web UI to register and add the device to Digi Remote Manager. Updated Dashboard: Updated the layout of the Dashboard page of the web UI to combine the network interface and cellular modem details into a single Network Activity panel.
  • Page 23: Digi IX20 Quick Start

    Insert the SIM cards into the CORE modem. d. On the IX20 back panel, remove the CORE modem cover by loosening the cover plate thumb screw and removing the cover plate. e. With the antennas SMA connectors pointing outward, slide the CORE modem into the IX20 device.
  • Page 24: Apply Dielectric Grease Over SIM Contacts

    Apply Dielectric Grease over SIM Contacts Note Digi recommends using either the Loctite® LB 8423 Dielectric Grease or Synco Lube® Silicone Dielectric Grease. a. Use a sheet of paper or cardboard over the area where you intend to work.
  • Page 25 Securely finger tighten each antenna to the threaded barrel using the nut at the base of the antenna. 3. Use an Ethernet cable to connect the IX20's WAN/ETH1 port to the internet, such as a home internet router or LAN Ethernet port in an office environment.
  • Page 26: Step 2: Connect DC Power

    Step 2: Connect DC power Step 3: Set up access to Digi Remote Manager If you already have a Digi Remote Manager account, skip to Register your device. If you prefer to configure the device locally rather than using Remote Manager, see...
  • Page 27: Step 6: Configure Cellular APN

    Digi IX20 Quick Start Step 6: Configure cellular APN If you installed a SIM in step 1, the device will attempt to set up the APN automatically. However, if your SIM was set up with a custom APN, you will need to configure it manually: 1.
  • Page 28: Digi IX20 Hardware Reference

    Two 10/100 BaseT Ethernet ports for high-speed connectivity. For a detailed list of IX20 hardware specifications, see https://www.digi.com/products/networking/cellular-routers/industrial/digi-ix20#specifications. IX20 accessories When accessories are purchased with the IX20 device, the following are provided: Cellular antennas. Wi-Fi antennas (for the IX20W device only). Power supply.
  • Page 29: IX20 LEDs

    IX20 power supply requirements. IX20 LEDs The IX20 LEDs are located on the top front panel. The number of LEDs varies by model. During bootup, the front-panel LEDs light up in sequence to indicate boot progress. IX20 User Guide...
  • Page 30: Power

    Digi IX20 hardware reference IX20 LEDs Power No power. Solid green Device has power The WAN/ETH1 Ethernet port not connected. Flashing green The WAN/ETH1 Ethernet port is connecting. Solid green The WAN/ETH1 Ethernet port is connected and has activity. Wi-Fi Service (IX20W model only) No Wi-Fi access points or Wi-Fi clients are enabled.
  • Page 31: SIM1

    Digi IX20 hardware reference IX20 LEDs SIM1 Indicates that SIM1 is in use. SIM1 not in use. Solid green SIM1 is in use. SIM2 Indicates that SIM2 is in use. SIM2 not in use. Solid green SIM2 is in use.
  • Page 32: Signal Quality Indicators

    Digi IX20 hardware reference IX20 LEDs Alternating Red/yellow (or orange) Upgrading firmware. WARNING! DO NOT POWER OFF DURING FIRMWARE UPGRADE. 1. Or an unknown type of cellular network. Signal quality indicators LEDs labeled 1 through 5 Indicate the cellular service quality level.
  • Page 33: Signal Quality Bars Explained

    Solid green: 10/100 Mbps link detected. Signal quality bars explained The signal status bars for the Digi IX20 measure more than simply signal strength. The value reported by the signal bars is calculated using an algorithm that takes into consideration the Reference Signals Received Power (RSRP), the Signal-to-noise ratio (SNR), and the Received Signal Strength Indication (RSSI) to provide an accurate indicator of the quality of the signal that the device is receiving.
  • Page 34: IX20 Power Supply Requirements

    IX20 power supply requirements IX20 is intended to be powered by a certified power supply with output rated at either 12 VDC/0.75 A or 24 VDC/0.375 A minimum. Use the included power supply (part number 24000154).
  • Page 35 Digi IX20 hardware reference Configuration for extreme thermal conditions 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 36: QR Code Definition

    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 37 Digi IX20 hardware reference QR code definition QR code items Semicolon separated list of: ProductName;DeviceID;Password;SerialNumber;SKUPartNumber-SKUPartRevision Example IX20;00000000-00000000-112233FF-FF445566;PW1234567890;50001001-00 IX20 User Guide...
  • Page 38: Hardware Setup

    Hardware setup This chapter contains the following topics: Install SIM cards in the Plug-in LTE modem Connect data cables Mount the IX20 device IX20 User Guide...
  • Page 39: Install SIM Cards In The Plug-In LTE Modem

    3. Insert the SIM cards into the CORE modem. 4. On the IX20 back panel, remove the CORE modem cover by loosening the cover plate thumb screw and removing the cover plate. 5. With the antennas SMA connectors pointing outward, slide the CORE modem into the IX20 device.
  • Page 40: Apply Dielectric Grease Over SIM Contacts

    8. Affix the cellular antennas to the two connectors protruding from the device. Apply Dielectric Grease over SIM Contacts Note Digi recommends using either the Loctite® LB 8423 Dielectric Grease or Synco Lube® Silicone Dielectric Grease. 1. Use a sheet of paper or cardboard over the area where you intend to work.
  • Page 41: Connect Data Cables

    Attach to DIN rail with bracket. Attach to a mounting surface by using the mounting tabs Attach to DIN rail with clip The DIN rail clip is an optional accessory included when the IX20 is purchased with accessories. IX20 User Guide...
  • Page 42: Attach To DIN Rail With Bracket

    1. Attach the DIN rail clip to the bottom of the device with the screws provided. 2. Set the IX20 device onto a DIN rail and gently press until the clip snaps into the rail. Attach to DIN rail with bracket 1.
  • Page 43 3. Set the bracket with the clip onto a DIN rail and gently press until the clip snaps into the rail. WARNING! If being installed above head height on a wall or ceiling, ensure the device is fitted securely to avoid the risk of personal injury. Digi recommends that this device be installed by an accredited contractor.
  • Page 44 Change the default SSID and pre-shared key for the preconfigured Wi-Fi access point Configuration methods Using Digi Remote Manager Using the local web interface Use the local REST API to configure the IX20 device Using the command line IX20 User Guide...
  • Page 45: Firmware Configuration

    Firmware configuration Review IX20 default settings Review IX20 default settings You can review the default settings for your IX20 device by using the local WebUI or Digi Remote Manager: Local WebUI 1. Log into the IX20 WebUI as a user with Admin access. See Using the local web interface for details.
  • Page 46: Other Default Configuration Settings

    (Wi-Fi Wi-Fi access interface model only) point: Digi Other default configuration settings Feature Configuration Digi Remote Manager enabled as the central management service. Central management Packet filtering allows all outbound traffic. Security policies SSH and web administration: IX20 User Guide...
  • Page 47: Primary Responder Mode

    Flow control: None Primary Responder mode You can use the Primary Responder mode configuration setting to manually enable the IX20 device to be in an AT&T FirstNet-compliant mode (Primary Responder mode). When a device is in Primary Responder mode, certain firmware features are disabled. See...
  • Page 48 To enable Primary Responder mode: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. On the Dashboard, verify the current firmware version installed on the device. In the Device section, look at the Firmware Version field and verify that the version is 23.9.x or above.
  • Page 49: Change The Default Password For The Admin User

    To change the default password for the admin user: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 50 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 51: Change The Default SSID And Pre-Shared Key For The Preconfigured Wi-Fi Access Point

    Differences between standard firmware operation and Primary Responder mode. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 52 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 53: Configuration Methods

    Shows how to perform a task by using the command line interface. Using Digi Remote Manager By default, your IX20 device is configured to use Digi Remote Manager as its central management server. Devices must be registered with Remote Manager using one of the following options:...
  • Page 54: Using The Local Web Interface

    Using the local web interface To connect to the IX20 local Web UI: 1. Use an Ethernet cable to connect the IX20's ETH2 port to a laptop or PC. 2. Open a browser and go to 192.168.2.1. 3. Log into the device using a configured user name and password.
  • Page 55: Log Out Of The Web Interface

    Use the local REST API to configure the IX20 device Your IX20 device includes a REST API that can be used to return information about the device's configuration and to make modifications to the configuration. You can view the REST API specification from your web browser by opening the URL: https://ip-address/cgi-bin/config.cgi...
  • Page 56 Firmware configuration Use the local REST API to configure the IX20 device (config)> ? auth Authentication cloud Central management firewall Firewall monitoring Monitoring network Network serial Serial service Services system System (config)> The allowed values for path are listed in the first (left) column.
  • Page 57: Use The Post Method To Modify Device Configuration Parameters And List Arrays

    Firmware configuration Use the local REST API to configure the IX20 device "acl.zone.2": "ipsec" "acl.zone.3": "setup" "enable": "true" "key": "" "mdns.enable": "true" "mdns.name": "" "mdns.type": "_ssh._tcp." "port": "22" "protocol.0": "tcp" You can also use the GET method to return the configuration parameters associated with an item: curl -k -u admin https://192.168.210.1/cgi-bin/config.cgi/keys/service/ssh -X...
  • Page 58: Use The Delete Method To Remove Items From A List Array

    Firmware configuration Use the local REST API to configure the IX20 device Use the POST method to add items to a list array To add items to a list array, use the POST method with the path and append parameters. For example, to add the external firewall zone to the ssh service: $ curl -k -u admin "https://192.168.210.1/cgi-...
  • Page 59 Firmware configuration Use the local REST API to configure the IX20 device "4": "external" 2. Use the DELETE method to remove the external zone (list item 4). $ curl -k -u admin https://192.168.210.1/cgi-bin/config.cgi/value?path=service.ssh.acl.zone.4 -X DELETE Enter host password for user 'admin': { "ok": true }...
  • Page 60: Using The Command Line

    Log in to the command line interface Command line 1. Connect to the IX20 device by using a serial connection, SSH or telnet, or the Terminal in the WebUI or the Console in the Digi Remote Manager. See Access the command line interface for more information.
  • Page 61: Exit The Command Line Interface

    Admin CLI s: Shell q: Quit Select access or quit [admin] : Type a or admin to access the IX20 command line. You will now be connected to the Admin CLI: Connecting now... Press Tab to autocomplete commands Press '?' for a list of commands and details...
  • Page 62: Central Management

    Log into Digi Remote Manager Use Digi Remote Manager to view and manage your device Add a device to Remote Manager Configure multiple IX20 devices by using Digi Remote Manager configurations View Digi Remote Manager connection status Learn more IX20 User Guide...
  • Page 63: Digi Remote Manager Support

    This URL is required to utilize the client-side certificate support. Prior to release 22.2.9.x, the default URL was my.devicecloud.com. If your Digi device is configured to use a non-default URL to connect to Remote Manager, updating the firmware will not change your configuration. However, if you erase the device's configuration, the Remote Manager URL will change to the default of edp12.devicecloud.com.
  • Page 64 HTTP proxy server support. To configure your device's Digi Remote Manager support: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 65 8. (Optional) For Speedtest server, type the name or IP address of the server to use to test the speed of the device's internet connection(s). 9. (Optional) For Retry interval, type the amount of time that the IX20 device should wait before reattempting to connect to remote cloud services after being disconnected. The default is 30 seconds.
  • Page 66 Within the US: 12029823370 International: 447537431797 d. (Optional) Type the Service identifier. 17. (Optional) Configure the IX20 device to communicate with remote cloud services via one of two methods: Pinhole or Proxy server. If using the Pinhole method, refer to the following If using the Proxy server method: a.
  • Page 67 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 68 (config)> cloud drm keep_alive 600s (config)> 7. (Optional) Set the amount of time that the IX20 device should wait between sending keep-alive messages to the Digi Remote Manager when using a cellular interface. Allowed values are from 30 seconds to two hours. The default is 290 seconds.
  • Page 69 If set to false, no login prompt will be presented and the user will be logged in as admin. The default is false. 14. (Optional) Configure the IX20 device to communicate with remote cloud services by using SMS: a. Enable SMS messaging: (config)>...
  • Page 70: Collect Device Health Data And Set The Sample Interval

    To disable the collection of device health data or enable it if it has been disabled, or to change the health sample interval: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 71 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 72 1, 5, 15, 30, or 60, and represents the number of minutes between uploads of health sample data. 5. By default, the device will only report health metrics values to Digi Remote Manager that have changed since health metrics were last uploaded. This is useful to reduce the bandwidth used to report health metrics.
  • Page 73: Enable Event Log Upload To Digi Remote Manager

    To enable the event log upload, or disable it if it has been disabled, and to change the upload interval: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights.
  • Page 74 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 75: Reach Digi Remote Manager On A Private Network

    The device is capable of connecting through an HTTP proxy, such as Squid, but it is up to the network administrator to decide which HTTP proxy type to use. To enable a proxy server and enter the server and port in Digi Remote Manager, see step 17 in Configure your device for Digi Remote Manager support.
  • Page 76: VPN Tunnel Method

    Central management Log into Digi Remote Manager To see instructions for setting up Squid and then configuring a device (not DAL) to reach Digi Remote Manager, see the Digi Quick Note, Connecting to Digi Remote Manager Through Web Proxy. Though this Quick Note references older technology and device types, it may provide a network administrator with concrete examples from which they can draw correlations to newer technology and devices.
  • Page 77: Use Digi Remote Manager To View And Manage Your Device

    Use Digi Remote Manager to view and manage your device To view and manage your device: 1. If you have not already done so, connect to your Digi Remote Manager account. 2. From the menu, click Devices to display a list of your devices.
  • Page 78: Add A Device To Remote Manager Using Your Remote Manager Login Credentials

    6. (Optional) Complete the other fields. 1. Click Add Device. Remote Manager adds the IX20 device to your account and it appears in the Device Management view. Add a device to Remote Manager using your Remote Manager login credentials If you want to add a device to Remote Manager, and you do not have its password, you can add it using your Remote Manager login credentials.
  • Page 79: Configure Multiple IX20 Devices By Using Digi Remote Manager Configurations

    Remote Manager configurations. Typically, if you want to provision multiple IX20 routers: 1. Using the IX20 local WebUI, configure one IX20 router to use as the model configuration for all subsequent IX20s you need to manage. 2. Register the configured IX20 device in your Remote Manager account.
  • Page 80: View Digi Remote Manager Connection Status

    Digi Remote Manager provides multiple methods for applying configurations to registered devices. You can also include site-specific settings with a profile to override settings on a device-by-device basis. View Digi Remote Manager connection status To view the current Digi Remote Manager connection status from the local device: IX20 User Guide...
  • Page 81: Learn More

    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 82: Interfaces

    Interfaces IX20 devices have several physical communications interfaces. These interfaces can be bridged in a Local Area Network (LAN) or assigned to a Wide Area Network (WAN). This chapter contains the following topics: Wide Area Networks (WANs) Local Area Networks (LANs)
  • Page 83: Wide Area Networks (WANs)

    Interfaces Wide Area Networks (WANs) Wide Area Networks (WANs) The IX20 device is preconfigured with one Wide Area Network (WAN), named ETH1, and one Wireless Wide Area Network (WWAN), named Modem. Default Interface type Preconfigured interfaces Devices configuration Wide Area...
  • Page 84: Wide Area Networks (WANs) And Wireless Wide Area Networks (WWANs)

    Configured WAN and WWAN interfaces. This example uses the preconfigured ETH1 and Modem interfaces. The metric for each WAN. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 85 For Metric, type 1. c. Click IPv6. d. For Metric, type 1. 4. Set the metrics for ETH1: a. Click Network > Interfaces > ETH1 > IPv4. b. For Metric, type 2. c. Click IPv6. d. For Metric, type 2. IX20 User Guide...
  • Page 86 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 87: WAN/WWAN Failover

    WAN, and its Ethernet WAN, ETH1, as its secondary WAN. WAN/WWAN failover If a connection to a WAN interface is lost for any reason, the IX20 device will immediately fail over to the next WAN or WWAN interface, based on WAN priority. See...
  • Page 88: Configure SureLink Active Recovery To Detect WAN/WWAN Failures

    Problems can occur beyond the immediate WAN/WWAN connection that prevent some IP traffic from reaching its destination. Normally this kind of problem does not cause the IX20 device to detect that the WAN has failed, because the connection continues to work while the core problem exists somewhere else in the network.
  • Page 89 Otherwise, the device will reboot and all recovery actions listed after the Reboot Device action will be ignored. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 90 When SureLink is configured for Wireless WANs, SureLink tests are only run if the cellular modem is connected and has an IP address. Use the SIM failover options to configure the IX20 device to automatically recover the modem in the event that it cannot obtain an IP address.
  • Page 91 Ping payload size: The number of bytes to send as part of the ping payload. DNS test: Performs a DNS query to the named DNS server. If DNS test is selected, complete the following: DNS server: The IP address of the DNS server. IX20 User Guide...
  • Page 92 IPv6: The IPv6 connection must be up. Expected status: The status required for the test to pass. Up: The test will pass only if the referenced interface is up and passing its own SureLink tests (if applicable). IX20 User Guide...
  • Page 93 Reset modem: This recovery action is available for WWAN interfaces only. If Reset modem is selected, complete the following: Attempts: The number of attempts for this recovery action to perform, before moving to the next recovery action. IX20 User Guide...
  • Page 94 For Delayed Start, type the amount of time to wait while the device is starting before SureLink testing begins. This setting is bypassed when the interface is determined to be Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. IX20 User Guide...
  • Page 95 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 96 If set, an initial traceroute is sent to the hostname or IP address configured in the SureLink advanced settings, and then the first hop in that route is used for the ping test. interface_address. interface_dns: The interface's DNS server. IX20 User Guide...
  • Page 97 Set the amount of time to wait for the interface to connect for the first time before the test is considered to have failed. (config network interface my_wan surelink tests 1)> interface_timeout value (config network interface my_wan surelink tests 1)> IX20 User Guide...
  • Page 98 Set the interface to test. i. Use the ? to determine available interfaces: (config network interface my_wan surelink tests 1)> other_interface ? Test interface: Test the status of this other interface. Format: /network/interface/defaultip /network/interface/defaultlinklocal /network/interface/eth1 /network/interface/eth2 /network/interface/loopback Current value: IX20 User Guide...
  • Page 99 (config)> add network interface my_wan surelink actions end (config network interface my_wan surelink actions 0)> c. New actions are enabled by default. To disable: (config network interface my_wan surelink actions 0)> enable false (config network interface my_wan surelink actions 0)> IX20 User Guide...
  • Page 100 Set the time to wait before the next test is run. If set to the default value of 0s, the test interval is used. (config network interface my_wan surelink actions 0)> override_interval int (config network interface my_wan surelink actions 0)> restart_interface. If restart_interface is selected, complete the following: IX20 User Guide...
  • Page 101 Set the time to wait before the next test is run. If set to the default value of 0s, the test interval is used. (config network interface my_wan surelink actions 0)> override_interval int (config network interface my_wan surelink actions 0)> IX20 User Guide...
  • Page 102 Set the number of attempts for this recovery action to perform, before moving to the next recovery action: (config network interface my_wan surelink actions 0)> max_attempts int (config network interface my_wan surelink actions 0)> The default is 3. Set the commands to run to attempt to recover connectivity. IX20 User Guide...
  • Page 103 (config)> network interface my_wan surelink pass_threshold int (config)> The default is 1. e. Set the amount of time that the device should wait for a response to a test attempt before considering it to have failed:
  • Page 104 The interface_gateway parameter is used by the Interface gateway Ping test as the endpoint for traceroute to use to determine the interface gateway. The default is 8.8.8.8, and should only be changed if this IP address is not accessible due to networking issues. To set to an alternate host:
  • Page 105: Configure The Device To Reboot When A Failure Is Detected

    Type quit to disconnect from the device. Configure the device to reboot when a failure is detected Using SureLink, you can configure the IX20 device to reboot when it has determined that an interface has failed. Required configuration items Enable SureLink.
  • Page 106 To configure the IX20 device to reboot when an interface has failed: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 107 When SureLink is configured for Wireless WANs, SureLink tests are only run if the cellular modem is connected and has an IP address. Use the SIM failover options to configure the IX20 device to automatically recover the modem in the event that it cannot obtain an IP address.
  • Page 108 Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Initial connection time to ten minutes, enter 10m or 600s. Custom test: Tests the interface with custom commands.
  • Page 109 For Recovery type, select the type of recovery action. If multiple recovery actions are configured, they are performed in the order that they are listed. Change default gateway: Increases the interface's metric to change the default gateway. If Change default gateway is selected, complete the following:
  • Page 110 Execute custom Recovery commands. If Recovery commands is selected, complete the following: Attempts: The number of attempts for this recovery action to perform, before moving to the next recovery action. The Commands to run to recover connectivity.
  • Page 111 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 112 When SureLink is configured for Wireless WANs, SureLink tests are only run if the cellular modem is connected and has an IP address. Use the SIM failover options to configure the IX20 device to automatically recover the modem in the event that it cannot obtain an IP address.
  • Page 113 DHCP, or statically configured for this interface. interface_up: Tests the current status of the interface. The test fails if the interface is down. Failing this test implies that all other tests fail. If interface_up is set, complete the following:
  • Page 114 If tcp_connection is selected, complete the following: Set the hostname or IP address of the host to create a TCP connection to: (config network interface my_wan surelink tests 1)> tcp_host hostname/IP_address (config network interface my_wan surelink tests 1)>
  • Page 115 The IPv6 connection must be up. The status required for the test to pass. (config network interface my_wan surelink tests 1)> other_status value (config network interface my_wan surelink tests 1)> where value is one of:
  • Page 116 Set the time to wait before the next test is run. If set to the default value of 0s, the test interval is used. (config network interface my_wan surelink actions 0)> override_interval int (config network interface my_wan surelink actions 0)> 7. Optional SureLink configuration parameters:
  • Page 117 (config)> network interface my_wan surelink timeout 600s (config)> The default is 15s. f. Set the amount of time to wait while the device is starting before SureLink testing begins. This setting is bypassed when the interface is determined to be up.
  • Page 118: Disable Surelink

    Type quit to disconnect from the device. Disable SureLink If your device uses a private APN with no Internet access or has a restricted WAN connection that doesn't allow DNS resolution, you can disable SureLink connectivity tests. You can also reconfigure
  • Page 119 SureLink to disable the DNS test and use one or more other tests. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 120 WAN connections that do not allow DNS resolution, and configure alternate test. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 121 4. Select the appropriate WAN or WWAN on which the default DNS test should be disabled. 5. After selecting the WAN or WWAN, click SureLink. 6. Click to expand Tests. 7. Click to expand the default DNS configured test. 8. Click to toggle off Enable.
  • Page 122 Down time: The amount of time that the interface is down before the test can be considered to have failed. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Down time to ten minutes, enter 10m or 600s.
  • Page 123 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 124 If set, an initial traceroute is sent to the hostname or IP address configured in the SureLink advanced settings, and then the first hop in that route is used for the ping test. interface_address. interface_dns: The interface's DNS server.
  • Page 125 Set the amount of time to wait for the interface to connect for the first time before the test is considered to have failed. (config network interface my_wan surelink tests 1)> interface_timeout value (config network interface my_wan surelink tests 1)>
  • Page 126 Set the interface to test. i. Use the ? to determine available interfaces: (config network interface my_wan surelink tests 1)> other_interface ? Test interface: Test the status of this other interface. Format: /network/interface/defaultip /network/interface/defaultlinklocal /network/interface/eth1 /network/interface/eth2 /network/interface/loopback Current value:
  • Page 127: Example: Use A Ping Test For Wan Failover From Ethernet To Cellular

    Type quit to disconnect from the device. Example: Use a ping test for WAN failover from Ethernet to cellular In this example configuration, the ETH1 interface serves as the primary WAN, while the cellular Modem interface serves as the backup WAN.
  • Page 128 Update Routing recovery action will increase the metric for the ETH1 interface by 100, which will cause the IX20 device to start using the Modem interface as the default route. It continues to regularly test the connection to ETH1, and when tests on ETH1 succeed, the device falls back to that interface.
  • Page 129 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 130: Using Ethernet Devices In A Wan

    Type quit to disconnect from the device. Using Ethernet devices in a WAN The IX20 device has Ethernet devices, named ETH1 and ETH2. You can use these Ethernet interfaces as a WAN when connecting to the Internet, through a device such as a cable modem:...
  • Page 131: Using Cellular Modems In A Wireless Wan (Wwan)

    Typically, you configure SIM1 of the cellular modem as the primary cellular interface, and SIM2 as the backup cellular interface. In this way, if the IX20 device cannot connect to the network using SIM1, it automatically fails over to SIM2. IX20 devices automatically use the correct cellular module firmware for each carrier when switching SIMs.
  • Page 132 Interfaces Wide Area Networks (WANs) 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 133 The default is All technologies. 5. For Antennas, select whether the modem should use the main antenna, the auxiliary antenna, or both the main and auxiliary antennas. 6. Click Apply to save the configuration and apply the change. Command line
  • Page 134 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 135 (config)> network modem modem max_intfs int (config)> 9. Carrier switching allows the modem to automatically match the carrier for the active SIM. Carrier switching is enabled by default. To disable: (config)> network modem modem carrier_switch false (config)>
  • Page 136 Type quit to disconnect from the device. Configure cellular modem APNs The IX20 device uses a preconfigured list of Access Point Names (APNs) when attempting to connect to a cellular carrier for the first time. After the device has successfully connected, it will remember the correct APN.
  • Page 137 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 138 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 139 (config)> network interface modem modem apn 0 username name (config)> network interface modem modem apn 0 password pwd (config)> The default is none. 8. Disable Lightweight M2M support if you are using an AT&T SIM that does not support AT&T lightweight M2M:
  • Page 140 Dual-APN connections with the Telit LE910-NAv2 module when using a Verizon SIM are not supported. Using an AT&T SIM with the Telit LE910-NAv2 module is supported. The Telit LE910-NAv2 module is used in the 1002-CM04 CORE modem.
  • Page 141 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 142 For Zone, select External. e. For Device, select Modem. f. (Optional): Configure the public APN. If the public APN is not configured, the IX20 will attempt to determine the APN. i. Click to expand APN list > APN.
  • Page 143 Configure the source address: i. Click to expand Source address. ii. For Type, select Interface. iii. For Interface, select LAN1. f. Configure the destination address: i. Click to expand Destination address. ii. For Type, select Interface.
  • Page 144 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 145 Set the modem device: (config network interface WWANPublic)> modem device modem (config network interface WWANPublic)> d. (Optional): Set the public APN. If the public APN is not configured, the IX20 will attempt to determine the APN. (config network interface WWANPublic)> modem apn public_apn (config network interface WWANPublic)>...
  • Page 146 Set the type to interface: (config network route policy 0)> dst type interface (config network route policy 0)> ii. Set the interface to WWANPublic: (config network route policy 0)> interface /network/interface/WWANPublic (config network route policy 0)>
  • Page 147 (config network route policy 1)> save Configuration saved. > 7. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
  • Page 148 Select Manual or Manual/Automatic carrier selection mode. The Network PLMN ID. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 149 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 150 Log into the IX20 WebUI as a user with full Admin access rights. 1. From the main menu, click Status > Modems. 2. Scroll to the Connection Status section and click SCAN.
  • Page 151 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 152 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 153 A SIM card can be locked if a user tries to set an invalid PIN for the SIM card too many times. In addition, some cellular carriers require a SIM PIN to be added before the SIM card can be used. If the SIM card is locked, the IX20 device cannot make a cellular connection...
  • Page 154 To unlock a SIM card: 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 155 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 156 +GCAP: +CGSM 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
  • Page 157: Configure A Wide Area Network (Wan)

    Additional IPv4 configuration: The type, which determines how the modem in the Digi device obtains an IP address from the cellular network. The metric for IPv4 routes associated with the WAN. The relative weight for IPv4 routes associated with the WAN.
  • Page 158 MAC address denylist and allowlist. To create a new WAN or edit an existing WAN: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 159 8. (Optional) Click to expand 802.1x to configure 802.1x port based network access control. The IX20 can function as an 802.1x authenticator; it does not function as an 802.1x supplicant. a. Click to expand Authentication. b. Click Enable server to enable the 802.1x authenticator on the IX20 device.
  • Page 160 Never: Never use DNS servers for this interface. k. Enable DHCP Hostname to instruct the IX20 device to include the device's system name with DHCP requests as the Client FQDN option. The DHCP server can then be configured to register the device's hostname and IP address with an associated DNS server.
  • Page 161 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 162 (config network interface my_wan)> ipv4 weight num (config network interface my_wan)> iii. Set the management priority. This determines which interface will have priority for central management activity. The interface with the highest number will be used.
  • Page 163 Never use DNS servers for this interface. vi. Enable DHCP Hostname to instruct the IX20 device to include the device's system name with DHCP requests as the Client FQDN option. The DHCP server can then be configured to register the device's hostname and IP address with an associated DNS server.
  • Page 164 8. (Optional) To configure 802.1x port based network access control: Note The IX20 can function as an 802.1x authenticator; it does not function as an 802.1x supplicant. a. Enable the 802.1x authenticator on the IX20 device: (config network interface my_wan)> 802_1x authentication enable true (config network interface my_wan)>...
  • Page 165: Configure A Wireless Wide Area Network (Wwan)

    The cellular modem that is used by the WWAN. Additional configuration items SIM selection for this WWAN. The SIM PIN. The SIM phone number for SMS connections. Enable or disable roaming. SIM failover configuration. APN configuration. The custom gateway/netmask.
  • Page 166 Configure SureLink active recovery to detect WAN/WWAN failures for further information. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 167 To edit an existing WWAN, click to expand the WWAN. 5. For Zone, select External. 6. For Device, select the cellular modem. 7. For Match SIM by, select a SIM matching criteria to determine when this WWAN should be used:
  • Page 168 None: The device will perform no alternative action if automatic SIM switching is unavailable. Reset modem: The device will reset the modem if automatic SIM switching is unavailable. Reboot device: The device will reboot if automatic SIM switching is unavailable.
  • Page 169 13. For APN list and APN list only, the IX20 device uses a preconfigured list of Access Point Names (APNs) when attempting to connect to a cellular carrier for the first time. After the device has successfully connected, it will remember the correct APN.
  • Page 170 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 171 (config network interface my_wwan)> modem carrier Match SIM carrier: The SIM carrier match criteria. This interface is applied when the SIM card is provisioned from the carrier. Format: AT&T Rogers Sprint T-Mobile Telstra Verizon Vodafone other Default value: AT&T Current value: AT&T
  • Page 172 Normally, this should be left blank. It is only necessary to complete this field if the SIM does not have a phone number or if the phone number is incorrect. 9. Roaming is enabled by default. To disable: (config network interface my_wwan)> modem roaming false (config network interface my_wwan)>
  • Page 173 (config network interface my_wwan)> modem sim_failover false (config network interface my_wwan)> If enabled: a. Set the number of times that the device should attempt to connect to the active SIM before failing over to the next available SIM:
  • Page 174 The device will reboot if automatic SIM switching is unavailable. 12. The IX20 device uses a preconfigured list of Access Point Names (APNs) when attempting to connect to a cellular carrier for the first time. After the device has successfully connected, it will remember the correct APN.
  • Page 175 (config network interface my_wwan)> b. Set the type, which determines how the modem in the device obtains an IP address from the cellular network. (config network interface my_wwan)> ipv4 modem_type value (config network interface my_wwan)> Where value is one of:
  • Page 176 static: Digi device obtains the static IP address from the cellular network. dhcp: Digi device obtains IP address via a DHCP server on the cellular network. c. Set the metric: (config network interface my_wwan)> ipv4 metric num (config network interface my_wwan)>...
  • Page 177: Show Wan And Wwan Status And Statistics

    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 178: Delete A Wan Or Wwan

    Type quit to disconnect from the device. Delete a WAN or WWAN Follow this procedure to delete any WANs and WWANs that have been added to the system. You cannot delete the preconfigured WAN, ETH1, or the preconfigured WWAN, Modem.
  • Page 179 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 180: Default Outbound Wan/Wwan Ports

    Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Default outbound WAN/WWAN ports The following table lists the default outbound network communications for IX20 WAN/WWAN interfaces: Port Description...
  • Page 181: Local Area Networks (Lans)

    Interfaces Local Area Networks (LANs) Local Area Networks (LANs) The IX20 device is preconfigured with the following Local Area Networks (LANs): Interface type Preconfigured interfaces Devices Default configuration Local Area ETH2 Ethernet: Firewall zone: Network ETH2 (non- Internal (LAN) IP address: Wi-Fi 192.168.2.1/24...
  • Page 182: About Local Area Networks (Lans)

    IP address and subnet of LAN1. Additional configuration items Additional IPv4 configuration: The type, which determines how the modem in the Digi device obtains an IP address from the cellular network. The metric for IPv4 routes associated with the LAN.
  • Page 183 MAC address denylist and allowlist. To create a new LAN or edit an existing LAN: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 184 8. (Optional) Click to expand 802.1x to configure 802.1x port based network access control. The IX20 can function as an 802.1x authenticator; it does not function as an 802.1x supplicant. a. Click to expand Authentication. b. Click Enable server to enable the 802.1x authenticator on the IX20 device.
  • Page 185 Click to expand MAC address denylist. b. For Add MAC address, click . c. Type the MAC address. 13. (Optional) Click to expand MAC address allowlist. If allowlist entries are specified, incoming packets will only be accepted from the listed MAC addresses.
  • Page 186 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 187 The interface with the highest number will be used. (config network interface my_lan)> ipv4 mgmt num (config network interface my_lan)> iv. Set the MTU: (config network interface my_lan)> ipv4 mtu num (config network interface my_lan)>
  • Page 188 DHCPv6 server (config network interface my_lan)> View default settings for the IPv6 DHCP server: (config network interface my_lan)> ipv6 dhcpv6_server ? DHCPv6 server: The DHCPv6 server settings for this network interface. Parameters Current Value --------------------------------------------------------------------- ----------
  • Page 189 8. (Optional) To configure 802.1x port based network access control: Note The IX20 can function as an 802.1x authenticator; it does not function as an 802.1x supplicant. a. Enable the 802.1x authenticator on the IX20 device: (config network interface my_lan)> 802_1x authentication enable true (config network interface my_lan)>...
  • Page 190: Configure The Wan/Eth1 Port As A Lan Or In A Bridge

    Create a bridge that includes the WAN/ETH1 port. To configure the WAN/ETH1 Ethernet port as a LAN: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 191 For Address, type the IPv4 address and netmask, using the format IPv4_address/netmask, for example, 192.168.3.1/24. d. Enable the DHCP server: i. Click to expand DHCP server. ii. Click to toggle on Enable. e. Disable SureLink: i. Click to expand SureLink. ii. Click to toggle off Enable.
  • Page 192 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 193 To add the WAN/ETH1 port to the LAN bridge: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 194 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 195 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 196 For Add Interface, type a name for the interface and click . c. For Zone, select Internal. d. For Device, select the new bridge. e. Click to expand IPv4. f. For Address, type the IPv4 address and netmask, using the format IPv4_address/netmask, for example, 192.168.3.1/24.
  • Page 197 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 198 Create the bridge: (config)> add network interface interface_name (config network interface interface_name)> where interface_name is the name of the new interface. For example, to create an interface named LAN_bridge_interface: (config)> add network interface LAN_bridge_interface (config network interface LAN_bridge_interface)>
  • Page 199: Change The Default Lan Subnet

    DHCP server range will also change to the range of the LAN subnet. To change the LAN subnet: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
  • Page 200 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 201: Show Lan Status And Statistics

    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 202: Delete A Lan

    Follow this procedure to delete any LANs that have been added to the system. You cannot delete the preconfigured LAN, LAN1. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights.
  • Page 203 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 204: Dhcp Servers

    Type quit to disconnect from the device. DHCP servers You can enable DHCP on your IX20 device to assign IP addresses to clients, using either: The DHCP server for the device's local network, which assigns IP addresses to clients on the device's local network.
  • Page 205 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 206 12. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 207 7. Sequential DHCP address allocation By default, DHCP addresses are assigned pseudo-randomly, using a hash of the client's MAC address to determine the IP address that gets assigned. You can configure the device to use sequential IP addresses instead:
  • Page 208 No gateway is broadcast by the DHCP server. Client destinations must be resolvable without a gateway. auto: Broadcasts the IX20 device's gateway. custom: Allows you to identify the IP address of a custom gateway to be broadcast: (config)> network interface my_lan ipv4 dhcp_server advanced gateway_custom ip_address (config)>...
  • Page 209 (config)> where value is one of: none: No server is broadcast. auto: Broadcasts the IX20 device's server. custom: Allows you to identify the IP address of the server. For example: (config)> network interface my_lan ipv4 dhcp_server advanced primary_dns_custom ip_address (config)>...
  • Page 210 A label for this instance of the static lease. To map static IP addresses: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 211 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 212 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 213 Delete static IP mapping entries To delete a static IP entry: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 214 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 215 Force the option to be sent to the DHCP clients. A label for the custom option. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 216 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 217 If the incorrect data type is selected, the device will send the value as a string. (config network interface my_lan ipv4 dhcp_server advanced custom_option 0)> datatype value (config network interface my_lan ipv4 dhcp_server advanced custom_option 0)> where value is one of: 1byte 2byte 4byte ipv4 The default is str. IX20 User Guide...
  • Page 218 DHCP requests. Additional configuration items IP address of additional DHCP relay servers. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 219 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 220 Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show DHCP server status and settings View DHCP status to monitor which devices have been given IP configuration by the IX20 device and to diagnose DHCP issues. ...
  • Page 221: Default Services Listening On Lan Ports

    Interfaces Local Area Networks (LANs) 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 222 Interfaces Local Area Networks (LANs) connected to a LAN interface. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 223 For Access concentrator name, type the name of the access concentrator to report to the client. If no name is provided, the host name is used. d. For Authentication method, select the authentication method used to connect to the remote peer. IX20 User Guide...
  • Page 224 14. (Optional) Click to expand 802.1x to configure 802.1x port based network access control. The IX20 can function as an 802.1x authenticator; it does not function as an 802.1x supplicant. a. Click to expand Authentication. b. Click Enable server to enable the 802.1x authenticator on the IX20 device.
  • Page 225 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 226 The interface with the highest number will be used. (config network interface ip_passthrough_interface)> ipv4 mgmt num (config network interface ip_passthrough_interface)> d. Set the MTU: (config network interface ip_passthrough_interface)> ipv4 mtu num (config network interface ip_passthrough_interface)> e. Configure how to use DNS: IX20 User Guide...
  • Page 227 Modify any of the remaining default settings as appropriate. 10. (Optional) To configure 802.1x port based network access control: Note The IX20 can function as an 802.1x authenticator; it does not function as an 802.1x supplicant. a. Enable the 802.1x authenticator on the IX20 device: (config network interface ip_passthrough_interface)>...
  • Page 228: Virtual Lans (Vlans)

    VLAN can only access other devices on the same VLAN and each device is unaware of any other VLAN, which isolates networks from one another, even though they run over the same physical network. Your IX20 device supports two VLAN modes: Trunking: Supports multiple VLANs per Ethernet port, which enables you to extend your VLAN across multiple switches through your entire network.
  • Page 229: Create A Trunked Vlan Route

    The VLAN ID. The TCP header uses the VLAN ID to identify the destination VLAN for the packet. To create a VLAN: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 230 Interfaces Virtual LANs (VLANs) 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 231: Create A Vlan Using Switchport Mode

    The VLAN ID. The TCP header uses the VLAN ID to identify the destination VLAN for the packet. To create a VLAN using switchport mode: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 232 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 233 (config network vlan vlan1)> save Configuration saved. > 7. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
  • Page 234: Bridging

    You can also use bridging to create a Virtual LAN switchport bridge. See Create a VLAN using switchport mode for more information about switchport bridging for VLANs. By default, the IX20 has the following preconfigured bridges: Interface Default type Preconfigured interfaces...
  • Page 235: Edit The Preconfigured Eth2 Bridge

    Enable Spanning Tree Protocol (STP). To edit the preconfigured LAN bridge: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 236 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 237 0 /network/device/eth2 1 /network/wireless/ap/digi_ap (config)> ii. Use the index number to delete the appropriate device. For example, to delete the Digi AP Wi-Fi access point from the bridge: (config)> del network bridge lan device 1 (config)> Note If you are deleting multiple devices from the bridge, the device index may be reordered after each deletion.
  • Page 238: Configure A Bridge

    Additional configuration items Enable Spanning Tree Protocol (STP). To create a bridge: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:
  • Page 239 Interfaces Bridging Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
  • Page 240 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 241: Show Surelink Status And Statistics

    To show the current state of SureLink for the IX20 device, use the show surelink state command: 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. IX20 User Guide...
  • Page 242: Show Surelink Status For All Interfaces

    1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 243: Show Surelink Status For A Specific Interface

    1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 244: Show Surelink Status For A Specific Ipsec Tunnel

    1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 245: Show Surelink Status For A Specific Openvpn Client

    A low number of retries will end a "stale" connection more quickly than a larger number. The default is 15 retries. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
  • Page 246 Interfaces Configure a TCP connection timeout a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
  • Page 247: Serial Port

    Serial port IX20 devices have a single serial port that provides access to different features, depending on the serial port mode selection. Default serial port configuration You can review the default serial port configuration for your device. Serial mode options You can choose a serial mode option for each serial port, depending on the feature that you want to use.
  • Page 248: Configure Login Mode

    To change the configuration to match the serial configuration of the device to which you want to connect: Log into the IX20 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed.
  • Page 249 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 250 9. Set the stop bits used by the device to which you want to connect: (config)>serial port1 stopbits bits (config)> 10. Set the type of flow control used by the device to which you want to connect: (config)>serial port1 flow value (config)> where value is one of: none rts/cts xon/xoff IX20 User Guide...
  • Page 251: Configure Remote Access Mode

    Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Configure Remote Access mode Remote Access mode allows for remote access to another device that is connected to the serial port. IX20 User Guide...
  • Page 252 To change the configuration to match the serial configuration of the device to which you want to connect: Log into the IX20 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed.
  • Page 253 Click to expand Access Control List. For example, to set the Access Control List for the SSH connection for serial port 1, click to expand Serial > Port 1 > SSH connection > Access Control List: IX20 User Guide...
  • Page 254 No limit to IPv6 addresses that can access the service-type. iv. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: i. Click Interfaces. ii. For Add Interface, click .
  • Page 255 For Idle timeout, type the amount of time to wait before disconnecting due to user inactivity. 10. Expand Monitor Settings. a. Enable CTS to monitor CTS (Clear to Send) changes on this port. b. Enable DCD to monitor DCD (Data Carrier Detect) changes on this port. IX20 User Guide...
  • Page 256 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 257 Limit access to the serial port to a single active session: (config)>serial port1 exclusive true (config) c. Set the number of bytes of output from the serial port that are written to buffer. These bytes are redisplayed when a user connects to the serial port. IX20 User Guide...
  • Page 258 Enable autoconnect: (config)>serial port1 autoconnect enable true (config)> b. Set the option that will trigger the connection: (config)>serial port1 autoconnect trigger value (config)> where value is one of: always data destination match If match is selected: IX20 User Guide...
  • Page 259 (config)>serial port1 autoconnect port int (config)> where int is any integer between 1 and 65535. f. To enable TCP keepalive: (config)>serial port1 autoconnect keepalive true (config)> g. To enable TCP nodelay: (config)>serial port1 autoconnect nodely true (config)> IX20 User Guide...
  • Page 260 (config)>serial port1 service ssh port int (config)> where int is any integer between 1 and 65535. The default is 3001. iii. Enable TCP keep-alive messages: (config)>serial port1 service ssh keepalive true (config)> iv. Enable TCP nodelay messages: IX20 User Guide...
  • Page 261 No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config)> add serial port1 service ssh acl interface end value (config)>...
  • Page 262 (config)>serial port1 service ssh mdns enable true (config)> b. Configure TCP settings: i. Enable TCP: (config)>serial port1 service tcp enable true (config)> ii. Set the port to be used for ssh communications: (config)>serial port1 service tcp port int (config)> IX20 User Guide...
  • Page 263 A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device:
  • Page 264 Type ... firewall zone ? at the config prompt: (config)> ... firewall zone ? Zones: A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists. Additional Configuration ------------------------------------------------- ------------------------------ dynamic_routes edge external hotspot internal IX20 User Guide...
  • Page 265 A network designation in CIDR notation, for example, 192.168.1.0/24. any: No limit to IPv4 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to specified IPv6 addresses and networks:
  • Page 266 No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config)> add serial port1 service telnet acl interface end value (config)>...
  • Page 267 (config)>serial port1 logging size value (config)> where value is the size of the log file in bytes. The default is 65536. d. Specify the data type: (config)>serial port1 logging type value (config)> where value is one of: received transmitted IX20 User Guide...
  • Page 268: Configure Application Mode

    To change the configuration to match the serial configuration of the device to which you want to connect: Log into the IX20 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed.
  • Page 269 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 270: Configure Ppp Dial-In Mode

    To change the configuration to match the serial configuration of the device to which you want to connect: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 271 16. (Optional) Configure the serial port to use a custom PPP configuration file: a. Click to expand Custom PPP configuration. b. Click Enable to enable the use of a custom PPP configuration file. IX20 User Guide...
  • Page 272 18. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 273 (config)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set idle_timeout to ten minutes, enter either 10m or 600s: (config)> serial port1 idle_timeout 600s (config)> IX20 User Guide...
  • Page 274 Use the ? to determine available zones: (config)> serial port1 ppp_dialin zone ? Zone: The firewall zone assigned to this interface. This can be used by packet filtering rules and access control lists to restrict network traffic on this IX20 User Guide...
  • Page 275 For example: (config)> serial port1 ppp_dialin custom config_file "debug lcp-echo- interval 10 lcp-echo-failure 2" (config)> 16. (Optional) Configure a script that will be run to prepare the link before PPP negotiations are started: IX20 User Guide...
  • Page 276 17. Save the configuration and apply the change (config)> save Configuration saved. > 18. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
  • Page 277: Configure Udp Serial Mode

    To change the configuration to match the serial configuration of the device to which you want to connect: Log into the IX20 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed.
  • Page 278 Click Strip End Pattern if you want to remove the end pattern from the packet before it is sent. 7. Expand UDP Serial Settings. a. For Local port, enter the UDP port. The default is 4001 for serial port 1, 4002 for serial port 2, etc.
  • Page 279 For Destinations, you can configure the remote sites to which you want to send data. If you do not specify any destinations, the IX20 sends new data from the last IP address and port from which data was received. To add a destination: i.
  • Page 280 To limit access to specified IPv6 addresses and networks: i. Click IPv6 Addresses. ii. For Add Address, click . iii. For Address, enter the IPv6 address or network that can access the device's service-type. Allowed values are: IX20 User Guide...
  • Page 281 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 282 9. Set the stop bits used by the device to which you want to connect: (config)>serial port1 label stopbits bits (config)> 10. Set the type of flow control used by the device to which you want to connect: (config)>serial port1 label flow type (config) IX20 User Guide...
  • Page 283 (config)> 14. Configure the remote sites to which you want to send data. If you do not specify any destinations, the IX20 sends new data to the last hostname and port from which data was received. To add a destination:...
  • Page 284 Where value can be: A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks.
  • Page 285 Serial port Configure UDP serial mode To limit access to hosts connected through a specified interface on the IX20 device: (config)> add serial port1 udp acl interface end value (config)> Where value is an interface defined on your device. Display a list of available interfaces: Use ...
  • Page 286 No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config)> add serial port1 udp acl interface end value (config)>...
  • Page 287 Enable serial port logging: (config)>serial port1 logging enable true (config)> b. Set the file name: (config)>serial port1 logging filename string (config)> c. Set the maximum allowed log size for the serial port log when starting the log: IX20 User Guide...
  • Page 288: Configure Modem Emulator Mode

    To change the configuration to match the serial configuration of the device to which you want to connect: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 289 12. For Escape character, type the character to use in the escape sequence. Enter this character three times, followed by the escape delay and then an AT command to switch from data mode to command mode. The default is the plus sign (+). IX20 User Guide...
  • Page 290 To limit access to specified IPv6 addresses and networks: i. Click IPv6 Addresses. ii. For Add Address, click . iii. For Address, enter the IPv6 address or network that can access the device's service-type. Allowed values are: IX20 User Guide...
  • Page 291: Configure Modbus Mode

    No limit to IPv6 addresses that can access the service-type. iv. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: i. Click Interfaces. ii. For Add Interface, click .
  • Page 292 Serial port Configure Modbus mode Log into the IX20 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed. Note You can also configure the serial port by using Device Configuration > Serial. Changes made by using either Device Configuration or Serial Configuration will be reflected in both.
  • Page 293 Serial port Configure Modbus mode 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 294: Configure Realport Mode Using The Digi Navigator

    Digi Navigator on your computer, the RealPort application is automatically installed as well. With Digi Navigator, you can set all serial ports on the device to RealPort mode, and then also enable the RealPort service. The COM ports on your laptop are also configured. These processes ensure that RealPort is configured on the device and on your computer.
  • Page 295: Install The Digi Navigator

    The Digi Navigator application can also be downloaded from your device's product support page. 2. Scroll down to the Product Resources tab, and in the Drivers & Patches section, click Digi Navigator. 3. From the list box, select the appropriate Microsoft Windows option from the list of driver options.
  • Page 296: Configure Realport On A Digi Device From The Digi Navigator

    Advanced RealPort configuration without using the Digi Navigator. Download and install the Digi Navigator. 2. Make sure the IX20 is powered and connected to your local network or computer with an Ethernet cable. 3. Launch the Digi Navigator. 4. Specify the IP address of the Digi device: To add a device, you will need the device's IP address, and the user name and password for the device.
  • Page 297 RealPort from within the Digi Navigator. 1. Launch the Digi Navigator if it is not currently open. A list of devices that have RealPort enabled and configured displays in the RealPort Devices section at the bottom of the application screen.
  • Page 298: Digi Navigator Application Features

    Item Description Filters Click Filters to display the types of filters that can be applied to Digi devices, services, and IP types. Device Filters: A list of the Digi device types displays. All types are disabled by default, and when all are disabled, all types are displayed.
  • Page 299 After you have enabled and configured RealPort on at least one Digi device, a list of configured devices displays at the bottom of the Digi Navigator. You can refresh the list and easily access the COM port configuration on your computer.
  • Page 300 Click Login. Filter devices for display in the Digi Navigator You can use the Digi Navigator filters to determine the types of Digi devices you want to display. Only the devices that are powered on and are discoverable are included.
  • Page 301: Advanced Realport Configuration Without Using The Digi Navigator

    Advanced RealPort configuration without using the Digi Navigator Access Digi Remote Manager from the Digi Navigator You can access Digi Remote Manager from the Digi Navigator. Within the Remote Manager, you can configure and monitor your Digi devices. For information about using Digi Remote Manager, refer to the Digi Remote Manager User Guide.
  • Page 302: Configure Realport On Your Laptop

    1. Navigate to the downloaded Realport .zip file. 2. Open the .zip file. 3. Click on setup.exe to launch the RealPort wizard. The Welcome to the Digi RealPort Setup Wizard screen displays. 4. If this is not the first time you have run the wizard, select the Add a New Device option. If this is the first time running the wizard, no options are available on the screen.
  • Page 303 Serial port Advanced RealPort configuration without using the Digi Navigator Step 2: Configure a RealPort connection on your laptop for your device 1. Follow the standard Windows process to access the Device Manager from your computer's operating system. 2. Select Multi-port Serial Adapters.
  • Page 304: Configure The Serial Port For Realport Mode

    To change the configuration to match the serial configuration of the device to which you want to connect: Log into the IX20 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed.
  • Page 305 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 306 Serial port Advanced RealPort configuration without using the Digi Navigator 5. Set the sharing mode: (config)> serial port1 sharing value (config)> where value is one of: none: Only the user that opened the port can change the port settings. All other users are rejected.
  • Page 307: Configure The Realport Service

    Configure the RealPort service After you have configured RealPort mode on the IX20, you must enable and configure the RealPort service. When this step is complete, all of the serial ports on the IX20 are configured to use the RealPort service.
  • Page 308: Show Serial Status And Statistics

    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 309 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 310 Serial port Review the serial port message log 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
  • Page 311 Configure a Wi-Fi access point with personal security Configure a Wi-Fi access point with enterprise security Isolate Wi-Fi clients Configure a Wi-Fi client and add client networks Show Wi-Fi access point status and statistics Show Wi-Fi client status and statistics IX20 User Guide...
  • Page 312: Wi-Fi

    The password for the default access point is the unique password as found on the device's label. See Change the default SSID and pre-shared key for the preconfigured Wi-Fi access point for information about changing the default SSID and password. Default Wi-Fi configuration The default Wi-Fi configuration of the IX20W device is:
  • Page 313 Digi AP Enabled or disabled Enabled SSID Digi-IX20W-serial_number SSID broadcast Enabled Encryption WPA2 Personal (PSK) Pre-shared key The unique password printed on the bottom label of the device. Group rekey interval 10 minutes Client mode connections: none.
  • Page 314: Configure The Wi-Fi Radio's Channel

    Not all Digi devices currently support 5 GHz. Before you try to use this feature, verify that your device supports 5 GHz. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 315 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 316: Configure The Wi-Fi Radio To Support Dfs Channels In Client Mode

    Not all Digi devices currently support 5 GHz. Before you try to use this feature, verify that your device supports 5 GHz. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 317 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 318: Configure The Wi-Fi Radio's Band And Protocol

    Not all Digi devices currently support 5 GHz. Before you try to use this feature, verify that your device supports 5 GHz. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 319 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 320: Configure The Wi-Fi Radio's Transmit Power

    100 percent. You can configure the Wi-Fi radio to transmit at a lower power. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 321 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 322: Configure An Open Wi-Fi Access Point

    The amount of time to wait before changing the group key. To configure a Wi-Fi access point with no security: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 323 7. (Optional) Enable Isolate clients to prevent clients that are connected to this access point from communicating with each other. See Isolate Wi-Fi clients for information about how to prevent clients connected to different access points from communicating with each other. ...
  • Page 324 Command line Configure a new access point 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 325 Wi-Fi radio is restarted. The default is 10 minutes. 1. Assign the Wi-Fi access point to a LAN interface or to a bridge. See Configure a Local Area Network (LAN) and Configure a bridge for more information. ...
  • Page 326 Type quit to disconnect from the device. Edit an existing Access point 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 327 2. Save the configuration and apply the change (config)> save Configuration saved. > 3. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. ...
  • Page 328: Configure A Wi-Fi Access Point With Personal Security

    The amount of time to wait before changing the group key. To configure a Wi-Fi access point to use personal security: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 329 7. (Optional) Enable Isolate clients to prevent clients that are connected to this access point from communicating with each other. See Isolate Wi-Fi clients for information about how to prevent clients connected to different access points from communicating with each other. ...
  • Page 330 If you need to configure a Wi-Fi passphrase with any non-printable ASCII characters, you can use the wpa_passphrase tool to generate the appropriate pre-shared key. The wpa_passphrase command is available in the shell console of a DAL OS Digi device. For details about the command, see the wpa_passphrase Linux command.
  • Page 331 Configure a Wi-Fi access point with personal security Configure a new access point 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 332 (config network wifi ap new_AP)> where value is any number of days, hours, minutes, or seconds, and takes the format number {d|h|m|s}. For example, to set group rekey interval to ten minutes, enter either 10m or 600s: ...
  • Page 333 Type quit to disconnect from the device. Edit an existing Access point 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 334 If you need to configure a Wi-Fi passphrase with any non-printable ASCII characters, you can use the wpa_passphrase tool to generate the appropriate pre-shared key. The wpa_passphrase command is available in the shell console of a DAL OS Digi device. For details about the command, see the wpa_passphrase Linux command.
  • Page 335: Configure A Wi-Fi Access Point With Enterprise Security

    Using enterprise security modes allows each client to have different usernames and passwords configured in the RADIUS server, rather than using a pre-shared key on the IX20 device. By default, the IX20W device comes with one preconfigured access point, Digi AP. You cannot delete default access points, but you can modify them or you can create your own access points.
  • Page 336 The amount of time to wait before changing the group key. To configure a Wi-Fi access point with WPA2 enterprise security: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 337 Click to expand RADIUS server list. b. Click to expand RADIUS server. c. For RADIUS IP/hostname, type the IP address or hostname of the RADIUS server. d. (Optional) Change the RADIUS port. The default port is 1812. ...
  • Page 338 Command line Configure a new access point 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 339 (Optional) Add and configure additional RADIUS servers: i. Add a server: (config network wifi ap new_AP)> add encryption radius_servers end (config network wifi ap new_AP encryption radius_servers 1)> ii. Configure the new server as described above. For example, set the server IP address: ...
  • Page 340 Type quit to disconnect from the device. Edit an existing Access point 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 341 11. (Optional) Set the amount of time to wait before changing the group key. The group key is shared by all clients of the access point, and after a client has disconnected, it will be able to use the group key to decrypt broadcast packets until the key is ...
  • Page 342: Isolate Wi-Fi Clients

    This section provides instructions for both mechanisms. Isolate clients connected to the same access point 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
  • Page 343 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 344: Isolate Clients Connected To Different Access Points

    3. Assign those LAN interfaces to separate firewall zones. 4. Create firewall filters to prevent traffic between the two firewall zones. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 345 3. Create a new access point. By default, the IX20W comes with one preconfigured access point, named Digi AP. In these instructions, we will use the existing Digi AP access point and create another new access point, named new_AP. a. Click Network > WiFi > Access points.
  • Page 346 5. Create a new LAN: By default, the IX20W device comes with one preconfigured LAN, which includes the default access point. We will use that LAN for the default access point, and create a new LAN for the second access point. ...
  • Page 347 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 348 Internal zone to the LAN2_isolation_zone, this filter must be added before the Allow all outgoing traffic filter, which allows the Internal zone to have access to any zone. In this example, we will add the new filter to the first position in the list (index position 0). ...
  • Page 349 (config network interface LAN2)> c. Set the device to the new Wi-Fi access point: (config network interface LAN2)> device /network/wifi/ap/new_AP (config network interface LAN2)> d. Set the zone to LAN2_isolation_zone: (config network interface LAN2)> zone LAN2_isolation_zone (config network interface LAN2)> ...
  • Page 350: Configure A Wi-Fi Client And Add Client Networks

    The private key in PEM format. (Optional) The private key passphrase. PEAP: Username/password authentication. If PEAP is selected, identify the username and password. SCEP certificates: Simple Certificate Enrollment Protocol (SCEP) certificate management. If SCEP certificates is selected: ...
  • Page 351 The IX20W device supports a maximum of ten enabled Wi-Fi clients, regardless of the number of enabled access points. To configure a Wi-Fi client: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 352 If you need to configure a Wi-Fi passphrase with any non-printable ASCII characters, you can use the wpa_passphrase tool to generate the appropriate pre-shared key. The wpa_passphrase command is available in the shell console of a DAL OS Digi device. For details about the command, see the wpa_passphrase Linux command.
  • Page 353 Scan threshold. d. For Short interval, type the number of seconds to wait between scans for access points, when the signal strength from the access point to which the client is currently connected is below the Scan threshold. ...
  • Page 354 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 355 If you need to configure a Wi-Fi passphrase with any non-printable ASCII characters, you can use the wpa_passphrase tool to generate the appropriate pre-shared key. The wpa_passphrase command is available in the shell console of a DAL OS Digi device. For details about the command, see the wpa_passphrase Linux command.
  • Page 356 Client certificate authentication. If tls is selected: i. Set the username: (config network wifi client new_client)> ssid 0 encryption id_wpa2 username (config network wifi client new_client)> ii. Set the CA certificate by using the ca_cert parameter and pasting the certificate in PEM format: ...
  • Page 357 If the signal strength from the access point to which the client is currently connected is stronger than the value of bgscan_strength, it will use bgscan_long_ interval to determine how often to scan for available access points. ...
  • Page 358 Use the appropriate index number to delete the channel. For example, to delete the 2412 frequency: (config network wifi client new_client)> del 0 (config network wifi client new_client)> g. To add a frequency: i. Use the ? with an existing index number to determine the allowed values for frequencies: ...
  • Page 359: Show Wi-Fi Access Point Status And Statistics

    You can show summary status for all Wi-Fi access points, and detailed status and statistics for individual Wi-Fi access points. Log into the IX20 WebUI as a user with full Admin access rights. 1. On the main menu, click Status. 2. Under Connections, click Wi-Fi > Access Points.
  • Page 360 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 361: Show Wi-Fi Client Status And Statistics

    1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 362 To show a detailed status and statistics of a Wi-Fi client, use the show wifi client name name command. 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 363: Hotspot

    IX20 device, as well as applying bandwidth limits, authenticating users, and other features. The IX20 device's implementation of hotspot uses a "captive portal" page— a web page that is displayed to users when they first connect to the hotspot and requires users to...
  • Page 364: Hotspot Authentication Modes

    Local shared password: Requires each user to enter a password. This password is validated locally on the IX20 device, and the password is the same for all users. The sample HTML page included with your IX20 device for local shared password authentication is password.html.
  • Page 365: Hotspot Dhcp Server

    When the hotspot is enabled on the IX20 device, it automatically enables a DHCP server. During hotspot configuration, you assign an IPv4 address to the hotspot, and the DHCP server then uses the subnet of the hotspot's IP address, along with the hotspot's subnet mask, to assign IPv4 addresses to clients that connect to the hotspot.
  • Page 366: Hotspot Configuration

    This section provides information about enabling and configuring the default hotspot that is provided with your IX20 installation, as well as creating a new hotspot and configuring the type of authentication mode you select for your hotspot. This section contains the following topics:...
  • Page 367 Enable hotspot using the default configuration. The default configuration of the IX20 device's hotspot is: Hotspot: Name: hotspot, Disabled; Authentication mode: Click-through; IP address: 10.1.0.1/24; DHCP server: Automatically enabled; DHCP server lease range: 100-250; Bandwidth limits: Maximum download speed: 10000 Kbps...
  • Page 368 See Edit sample hotspot HTML pages for information. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 369 Click Network > Hotspots > hotspot. b. Click Enable hotspot. 4. Enable the hotspot access points: a. Click Network > Wi-Fi > Access points > Digi Hotspot AP (Wi-Fi). b. Click Enable. 5. Enable the hotspot bridge: a. Click Network > Bridges > hotspot_bridge.
  • Page 370 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 371 Enable hotspot using the default configuration instructions. An SSID for the hotspot. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 372 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 373 Lease range start and end. To change the default hotspot IP address and subnet: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 374 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 375 IP address. (config)> network hotspot hotspot ipv4 address dhcp_server lease_end value (config)> where value is any integer between 1 and 254. The default is 250. 5. Save the configuration and apply the change (config)> save Configuration saved. > ...
  • Page 376 Maximum upload speed, in Kbps. To change the default hotspot IP address and subnet: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 377 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 378 Ethernet port to be added to the hotspot. To add an Ethernet port to the default hotspot: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 379 LAN bridge, which is used by the ETH2 interface. As a result, when you add an Ethernet port to the hotspot, you may need to reconfigure the Ethernet port configuration for other interfaces. For example, to remove the port from the LAN bridge: ...
  • Page 380 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 381 4. Save the configuration and apply the change (config)> save Configuration saved. > 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. ...
  • Page 382 Maximum download speed, in Kbps. Maximum upload speed, in Kbps. Enable verbose logging. To create a new hotspot: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. ...
  • Page 383 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a.
  • Page 384 5. Click Network > Hotspots. 6. For Add Hotspot, enter a name for the hotspot and click . The new hotspot configuration appears. 7. Hotspots are enabled by default when they are created. To disable, toggle off Enable hotspot. ...
  • Page 385 Click-through: Requires each user to accept the terms and conditions. Local shared password: Requires each user to enter a password. This password is validated locally on the IX20 device, and the password is the same for all users. Configure the hotspot to use local shared password authentication for information about configuring hotspot for local shared password authentication.
  • Page 386 For Domain, type the hostname of the allowed domain. d. Repeat to add additional domains. To add subnets that can be accessed by the client prior to authentication: a. Click to expand Allowed subnets. b. Click to add a subnet. ...
  • Page 387 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 388 (config network bridge new_hotspot_bridge)> b. Add devices to the bridge: i. Determine available devices: (config network bridge new_hotspot_bridge)> ..interface lan device ? Device: The network device used by this network interface. Format: /network/device/eth1 /network/device/eth2 /network/device/loopback /network/bridge/hotspot_bridge /network/bridge/lan /network/wireless/ap/digi_ap ...
  • Page 389 /network/wireless/ap/digi_hotspot_ap Default value: /network/bridge/lan Current value: /network/bridge/lan (config network bridge new_hotspot_bridge)> ii. Add the appropriate device. For example, to add the Digi AP Wi-Fi access point: (config network bridge new_hotspot_bridge)> add device end /network/wireless/ap/digi_ap (config)> c. Type ... to return to the config prompt: (config network bridge new_hotspot_bridge)>...
  • Page 390 /network/wireless/ap/digi_hotspot_ap Default value: /network/bridge/lan Current value: /network/bridge/lan (config network bridge new_hotspot_bridge)> b. Add the appropriate device. For example, to add the Digi AP Wi-Fi access point: (config network bridge new_hotspot_bridge)> add device end /network/wireless/ap/digi_ap (config)> 7. Set an access point, an Ethernet port, or a bridge for the hotspot's device: a.
  • Page 391 Requires each user to accept the terms and conditions. local_shared_password: Requires each user to enter a password. This password is validated locally on the IX20 device, and the password is the same for all users. Configure the hotspot to use local shared password authentication for information about configuring hotspot for local shared password authentication.
  • Page 392 (config network hotspot new_hotspot)> ipv4 address dhcp_server lease_time value (config network hotspot new_hotspot)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set lease_time to ten minutes, enter either 10m or 600s: ...
  • Page 393 Repeat to add additional IP addresses or subnets. 16. (Optional) Change the default maximum download speed: (config network hotspot new_hotspot)> bandwidth_max_down value (config network hotspot new_hotspot)> where value is an integer between 1 and 100000 and represents the maximum download speed in Kbps. ...
  • Page 394 Local shared password authentication requires each user to enter a password. This password is validated locally on the IX20 device, and the password is the same for all users. By default, the router redirects unauthenticated users to the HTML authentication page located on the router at etc/config/hotspot/password.html.
  • Page 395 Configure hotspot for local shared password authentication from the WebUI 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 396 A user on the RADIUS server with the username guest. RADIUS server secret. RADIUS NAS ID. Domain name or subnet of the RADIUS server included in the "white list" of servers that unauthenticated hotspot clients can access. ...
  • Page 397 Hotspot LAN configuration: Configure hotspot for RADIUS shared password authentication from the WebUI 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 398 Configure hotspot for RADIUS shared password authentication from the Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 399 (Optional) Enable Swap Octets to swap the meaning of the input octets/packets and output octets/packets RADIUS attributes. This can fix issues if the data limits and/or accounting reports appear to be reversed on the RADIUS server: (config)> network hotspot hotspot_name radius swap octets true (config)> The default is disabled. ...
  • Page 400 Required configuration items Create a new hotspot Enable hotspot using the default configuration. Select RADIUS users authentication. IP address or hostname of the primary RADIUS server. Users configured on the RADIUS server. RADIUS server secret. RADIUS NAS ID. ...
  • Page 401 Hotspot LAN configuration: Configure hotspot for RADIUS users authentication from the WebUI 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 402 Configure hotspot for RADIUS users authentication from the Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 403 (Optional) Enable Swap Octets to swap the meaning of the input octets/packets and output octets/packets RADIUS attributes. This can fix issues if the data limits and/or accounting reports appear to be reversed on the RADIUS server: (config)> network hotspot hotspot_name radius swap octets true (config)> The default is disabled. ...
  • Page 404 Type quit to disconnect from the device. Configure the hotspot to use HotspotSystem authentication You can configure IX20 hotspot to use HotspotSystem, a cloud hotspot service that supports various free and paid authentication methods, including social media accounts, SMS, voucher, and PayPal.
  • Page 405 Configure hotspot for HotspotSystem authentication from the WebUI 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 406 For Domain, type the hostname of the allowed domain. d. Repeat to add additional domains. To add subnets that can be accessed by the client prior to authentication: a. Click to expand Allowed subnets. b. Click to add a subnet. ...
  • Page 407 Configure hotspot for HotspotSystem authentication from the Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 408: Show Hotspot Status And Statistics

    Type quit to disconnect from the device. Show hotspot status and statistics Log into the IX20 WebUI as a user with full Admin access rights. 1. On the main menu, click Status. 2. Under Networking, click Hotspot. The Hotspot status page is displayed.
  • Page 409 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 410: Customize The Hotspot Login Page

    Type quit to disconnect from the device. Customize the hotspot login page The IX20 device provides three sample HTML webpages for use with the hotspot feature. When hotspot is enabled for the first time, the sample webpages are installed to the /etc/config/hotspot folder on the device's filesystem.
  • Page 411 HTML files using utilities. 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 412 Supported file extensions include: .html, .gif, .js, .jpg, .mp4, .ogv, .png, .swf, .json, and .dat. You can configure the IX20 device to use your custom HTML page using either the WebUI or the command line: ...
  • Page 413 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 414 The hotspot directory and files are loaded when the hotspot is enabled, and you can restore the default pages by doing the following: 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 415: Hotspot Radius Attributes

    Also, if the RADIUS server requests it, the hotspot will send accounting information back to the RADIUS server. For example, here are some of the RADIUS attributes that the hotspot sends: Acct-Input-Octets, Acct-Output-Octets, Acct-Session-Time, Acct-Input-Packets, Acct-Output-Packets, Acct-Input-Gigawords, Acct-Output-Gigawords ...
  • Page 416: Routing

    This chapter contains the following topics: IP routing; Show the routing table; Dynamic DNS; Virtual Router Redundancy Protocol (VRRP) ...
  • Page 417: IP Routing

    The IX20 device uses IP routes to decide where to send a packet it receives for a remote network. The process for deciding on a route to send the packet is as follows: 1. The device examines the destination IP address in the IP packet, and looks through the IP routing table to find a match for it.
  • Page 418: Configure A Static Route

    The Maximum Transmission Units (MTU) of network packets using this route. To configure a static route: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 419 7. For Interface, select the interface on the IX20 device that will be used with this static route. 8. (Optional) For Gateway, type the IPv4 address of the gateway used to reach the destination.
  • Page 420 The any keyword can also be used to route packets to any destination with this static route. 6. Set the interface on the IX20 device that will be used with this static route: a. Use the ? to determine available interfaces: (config network route static 0)>...
  • Page 421: Delete A Static Route

    Type quit to disconnect from the device. Delete a static route 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 422 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 423: Policy-Based Routing

    However, you can use policy-based routing to forward the packet based on other criteria, such as the source of the packet. For example, you can configure the IX20 device so that high-priority traffic is routed through the cellular connection, while all other traffic is routed through an Ethernet (WAN) connection.
  • Page 424: Configure A Routing Policy

    To configure a routing policy: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 425 5. (Optional) For Label, type a label that will be used to identify this route policy. 6. For Interface, select the interface on the IX20 device that will be used with this route policy. 7. (Optional) Enable Exclusive to configure the policy to drop packets that match the policy when the gateway interface is disconnected, rather than forwarded through other interfaces.
  • Page 426 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 427 (config network route policy 0)> label "New route policy" (config network route policy 0)> 5. Set the interface on the IX20 device that will be used with this route policy: a. Use the ? to determine available interfaces: (config network route policy 0)> interface ? Interface: The network interface used to reach the destination.
  • Page 428 (config network route policy 0)> where value is one of: zone: Matches the source IP address to the selected firewall zone. Set the zone: a. Use the ? to determine available zones: (config network route policy 0)> src zone ?
  • Page 429 Set the interface. For example: (config network route policy 0)> src interface /network/interface/eth1 (config network route policy 0)> address: Matches the source IPv4 address to the specified IP address or network. Set the address that will be matched:
  • Page 430 (config network route policy 0)> dst zone ? Zone: Match the IP address to the specified firewall zone. Format: dynamic_routes edge external hotspot internal ipsec loopback setup Default value: any Current value: any (config network route policy 0)> dst zone
  • Page 431 IPv6_address[/prefix_length], or any to match any IPv6 address. mac: Matches the destination MAC address to the specified MAC address. Set the MAC address to be matched: (config network route policy 0)> dst mac MAC_address (config network route policy 0)>
  • Page 432: Example: Dual Wan Policy-Based Routing

    This example routes traffic destined for a specific IP address through the cellular WWAN interface, while all other traffic uses the Ethernet WAN interface. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 433 For IPv4 address, type the IP address that will be the destination for outgoing traffic routed through the WWAN interface. In the above example, this is 241.236.162.59. 9. Click Apply to save the configuration and apply the change. Command line
  • Page 434 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 435: Example: Domain-Based Routing With Dual Wan

    This example routes traffic destined for a specific domain to the WAN Ethernet port, and never through the cellular modem. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 436 Click to expand Destination address. b. For Type, select Domain. c. Click to expand Domains. d. Click the add icon to add a new domain. e. For Domain, type youtube.com. You can add additional domains by repeating the last two steps.
  • Page 437 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 438: Example: Route Traffic To A Specific Wan Interface Based On The Client Mac Address

    This example routes all data from a certain client device through a cellular WAN based on the device's MAC address, while all other client devices are routed through the Ethernet WAN. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 439 For Add Zone, type EthernetWAN and click the add icon. ii. Enable Source NAT. 4. Configure the WAN interfaces to use the new zones: a. Configure the cellular WAN interface: i. Click Network > Interfaces > Modem. ii. For Zone, select CellularWAN.
  • Page 440 Click to expand Source address. ii. For Type, select MAC address. iii. For MAC address, type 26:88:0E:23:50:C2. f. Configure the destination zone: i. Click to expand Destination address. ii. For Type, select Zone. iii. For Zone, select CellularWAN.
  • Page 441 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 442 Set the label that will be used to identify this route policy: (config network route policy 0)> label "VoIP phone" (config network route policy 0)> c. Set the interface: (config network route policy 0)> interface /network/interface/modem (config network route policy 0)>
  • Page 443 (config firewall filter 2)> c. Set the action to drop: (config firewall filter 2)> action drop (config firewall filter 2)> d. Set the source zone to internal: (config firewall filter 2)> src_zone internal (config firewall filter 2)>
  • Page 444: Routing Services

    Enable routing services. Enable and configure the types of routing services that will be used. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights.
  • Page 445 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
  • Page 446 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 447: Show The Routing Table

    Type quit to disconnect from the device. Show the routing table To display the routing table: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 448 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 449: Dynamic Dns

    WAN or public IP address changes. Your IX20 device supports a number of Dynamic DNS providers as well as the ability to provide a custom provider that is not included on the list of providers.
  • Page 450 The amount of time to wait for an IP address update to succeed before retrying the update. The number of times to retry a failed IP address update. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 451 14. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 452 (config network ddns new_ddns_instance)> 5. Set the Dynamic DNS provider service: a. Use the ? to determine available services: (config network ddns new_ddns_instance)> service ? Service: The provider of the dynamic DNS service. Format: custom 3322.org changeip.com ddns.com.br
  • Page 453 (config network ddns new_ddns_instance)> check_interval 600s (config network ddns new_ddns_instance)> The default is 10m. 11. (Optional) Set the amount of time to wait to force an update of the interface's IP address: (config network ddns new_ddns_instance)> force_interval value (config network ddns new_ddns_instance)>
  • Page 454: Virtual Router Redundancy Protocol (Vrrp)

    Multiple IX20 devices can be configured as VRRP devices and assigned a priority. The router with the highest priority will be used as the master router. If the master router fails, then the IP address of the virtual router is mapped to the backup device with the next highest priority.
  • Page 455: Vrrp

    VRRP-enabled devices and dynamically change the VRRP priority of devices based on the status of their network connectivity. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 456 IP address of the VRRP pool, then the priority of this device should be set to 255. Allowed values are between 1 and 255, and it is set to 100 by default.
  • Page 457 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 458 (config network vrrp new_vrrp_instance)> save Configuration saved. > 11. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
  • Page 459: Configure Vrrp

    For backup VRRP devices, enable the ability to monitor the VRRP master, so that a backup device can increase its priority when the master device fails SureLink tests. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 460 This parameter allows a backup VRRP device to monitor the master device, and increase its priority when the master device is failing SureLink tests. This can allow a device functioning as a backup device to promote itself to master.
  • Page 461 VRRP virtual IP addresses: i. Click to expand DHCP Server > Advanced settings. ii. For Gateway, select Custom. iii. For Custom gateway, enter the IP address of one of the virtual IPs used by this VRRP...
  • Page 462 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 463 This allows a backup VRRP device to monitor the master device, and increase its priority when the master device is failing SureLink tests. This can allow a device functioning as a backup device to promote itself to master. (config)> network vrrp VRRP_test vrrp_plus monitor_master true (config)>
  • Page 464 Set the amount of time to wait between connectivity tests: (config)> network interface eth2 ipv4 surelink interval value (config)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set interval to ten minutes, enter 5s:
  • Page 465 The interface is considered to be down based on the interface's down time, and the amount of time an initial connection to the interface takes before this test is considered to have failed.
  • Page 466: Example: Vrrp/Vrrp+ Configuration

    10. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Example: VRRP/VRRP+ configuration This example configuration creates a VRRP pool containing two IX20 devices:
  • Page 467: Configure Device One (Master Device)

    Configure device one (master device) Task 1: Configure VRRP on device one 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 468 9. Click to expand Virtual IP addresses. 10. Click the add icon to add a virtual IP address. 11. For Virtual IP, type 192.168.3.3. Task 2: Configure VRRP+ on device one 1. Click to expand VRRP+. 2. Click Enable. 3. Click to expand Monitor interfaces.
  • Page 469 Command line Task 1: Configure VRRP on device one 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 470 (config network vrrp VRRP_test )> Task 3: Configure the IP address for the VRRP interface, ETH2, on device one 1. Type ... to return to the root of the config prompt: (config network vrrp VRRP_test )> ... (config)>
  • Page 471: Configure Device Two (Backup Device)

    Configure device two (backup device) Task 1: Configure VRRP on device two 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 472 The new VRRP instance configuration is displayed. 5. Click Enable. 6. For Interface, select Interface: ETH2. 7. For Router ID, leave at the default setting of 50. 8. For Priority, type 80. 9. Click to expand Virtual IP addresses.
  • Page 473 Task 4: Configure SureLink for ETH2 on device two 1. Click Network > Interfaces > ETH2 > IPv4 > SureLink. 2. Click Enable. 3. For Interval, type 15s. 4. Click to expand Test targets > Test target. 5. For Test Type, select Ping test.
  • Page 474 Command line Task 1: Configure VRRP on device two 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 475 (config network vrrp VRRP_test )> Task 3: Configure the IP address for the VRRP interface, ETH2, on device two 1. Type ... to return to the root of the config prompt: (config network vrrp VRRP_test )> ... (config)>
  • Page 476 (config network interface eth2 ipv4 surelink target 0)> test ping (config network interface eth2 ipv4 surelink target 0)> 4. Set https://remotemanager.digi.com as the hostname to ping: (config network interface eth2 ipv4 surelink target 0)> ping_host https://remotemanager.digi.com (config network interface eth2 ipv4 surelink target 0)>...
  • Page 477: Show Vrrp Status And Statistics

    This section describes how to display VRRP status and statistics for an IX20 device. VRRP status is available from the Web UI only. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 478 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 479 Virtual IP address(es) : 10.10.10.1, 100.100.100.1 Current State : Master Current Priority : 100 Last Transition : Tue Jan 1 00:00:39 2019 Became Master Released Master Adverts Sent : 71 Adverts Received Priority Zero Sent Priority zero Received : 0 >
  • Page 480 Virtual Private Networks (VPNs) are used to securely connect two private networks together so that devices can connect from one network to the other using secure channels. This chapter contains the following topics: IPsec OpenVPN Generic Routing Encapsulation (GRE) Dynamic Multipoint VPN (DMVPN) L2TP L2TPv3 Ethernet MACsec NEMO
  • Page 481: Ipsec

    Authentication of data to ensure an unauthorized device has not injected it into the IPsec tunnel. IPsec mode The IX20 supports the Tunnel mode. With the Tunnel mode, the entire IP packet is encrypted and/or authenticated and then encapsulated as the payload in a new IP packet. Transport mode is not currently supported.
  • Page 482: Authentication

    XAUTH client. RSA Signatures With RSA signatures authentication, the IX20 device uses a private RSA key to authenticate with a remote peer that is using a corresponding public key. Certificate-based Authentication X.509 certificate-based authentication makes use of private keys on both the server and client which...
  • Page 483 NAT is being used. If using IPsec failover, identify the primary tunnel during configuration of the backup tunnel. The Network Address Translation (NAT) keep alive time. The protocol, either Encapsulating Security Payload (ESP) or Authentication Header (AH).
  • Page 484 Configure a static route for information about configuring a static route. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 485 9. For Zone, select the firewall zone for the IPsec tunnel. Generally this should be left at the default of IPsec. Note Depending on your network configuration, you may need to add a packet filtering rule to allow incoming traffic. For example, for the IPsec zone:
  • Page 486 Type the Pre-shared key. Asymmetric pre-shared keys: Uses asymmetric pre-shared keys to authenticate with the remote peer. i. For Local key, type the local pre-shared key. This must be the same as the remote key on the remote host.
  • Page 487 SCEP certificates: Uses Simple Certificate Enrollment Protocol (SCEP) to download a private key, certificates, and an optional Certificate Revocation List (CRL) to the IX20 device from a SCEP server. You must create the SCEP client prior to configuring the IPsec tunnel. See...
  • Page 488 Round robin: Attempts to connect to hostnames sequentially based on the list order. Random: Randomly selects an IPsec peer to connect to from the hostname list. Priority ordered: Selects the first hostname in the list that is resolvable. c. Click to expand Hostname.
  • Page 489 Serial number: The device's serial number will be used as the ID and sent as an ID_KEY_ID IKE identity. 21. Click to expand Policies. Policies define the network traffic that will be encapsulated by this tunnel. a. Click the add icon to create a new policy. The new policy configuration is displayed.
  • Page 490 For Protocol, select one of the following: Any: Matches any protocol. TCP: Matches TCP protocol only. UDP: Matches UDP protocol only. ICMP: Matches ICMP requests only. Other protocol: Matches an unlisted protocol. If Other protocol is selected, type the number of the protocol.
  • Page 491 Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Phase 2 lifetime to ten minutes, enter 10m or 600s.
  • Page 492 27. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 493 Zone: The firewall zone assigned to this IPsec tunnel. This can be used by packet filtering rules and access control lists to restrict network traffic on this tunnel. Format: dynamic_routes edge external hotspot internal ipsec loopback setup Default value: ipsec Current value: ipsec (config vpn ipsec tunnel ipsec_example)>
  • Page 494 Only the payload of the IP packet is encrypted and/or authenticated. The IP header is unencrypted. The default is tunnel. 8. Set the protocol: (config vpn ipsec tunnel ipsec_example)> type protocol (config vpn ipsec tunnel ipsec_example)> where protocol is either:
  • Page 495 Set the private key passphrase that is used to decrypt the private key. Leave blank if the private key is not encrypted. (config vpn ipsec tunnel ipsec_example)> auth private_key_passphrase passphrase (config vpn ipsec tunnel ipsec_example)> c. For the peer_public_key parameter, paste the peer's public RSA key in PEM format:
  • Page 496 (config vpn ipsec tunnel ipsec_example)> 11. (Optional) Configure the device to connect to its remote peer as an XAUTH client: a. Enable XAUTH client functionality: (config vpn ipsec tunnel ipsec_example)> xauth_client enable true (config vpn ipsec tunnel ipsec_example)>
  • Page 497 Any ID will be accepted. ipv4: The ID will be interpreted as an IPv4 address and sent as an ID_IPV4_ADDR IKE identity. Set an IPv4 formatted ID. This can be a fully-qualified domain name or an IPv4 address.
  • Page 498 Repeat for additional hostnames. b. Set the hostname selection type: (config vpn ipsec tunnel ipsec_example)> remote hostname_selection value (config vpn ipsec tunnel ipsec_example)> where value is one of:
  • Page 499 Set the ID in internet email address format: (config vpn ipsec tunnel ipsec_example)> remote id type rfc822_id id (config vpn ipsec tunnel ipsec_example)> fqdn: The ID will be interpreted as FQDN (Fully Qualified Domain Name) and sent as an ID_FQDN IKE identity.
  • Page 500 Do not send oversized IKE messages in fragments, but announce support for fragmentation to the peer. The default is always. e. Padding of IKE packets is enabled by default and should normally not be disabled except for compatibility purposes. To disable:
  • Page 501 Configure the types of encryption, hash, and Diffie-Hellman group to use during phase 1: i. Add a phase 1 proposal: (config vpn ipsec tunnel ipsec_example)> add ike phase1_proposal (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)>
  • Page 502 Set the type of Diffie-Hellman group to use for key exchange during phase 1: i. Use the ? to determine available Diffie-Hellman group types: (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> dh_group ? curve25519 curve448 ecp192
  • Page 503 Set the type of encryption to use during phase 2: (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> cipher value (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> where value is one of: 3des aes128 aes128gcm128
  • Page 504 (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> ii. Set the Diffie-Hellman group type: (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> dh_group value (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> The default is modp2048. vi. (Optional) Add additional phase 2 proposals:
  • Page 505 (config vpn ipsec tunnel ipsec_example nat 0)> b. Set the IPv4 address and optional netmask of a destination network that requires source NAT. You can also use any, meaning that any destination network connected to the tunnel will use source NAT.
  • Page 506 Current value: (config vpn ipsec tunnel ipsec_example policy 0)> local address ii. Set the interface. For example: (config vpn ipsec tunnel ipsec_example policy 0)> local address eth1 (config vpn ipsec tunnel ipsec_example policy 0)>
  • Page 507 Set the protocol matching criteria for the local traffic selector: (config vpn ipsec tunnel ipsec_example policy 0)> local protocol value (config vpn ipsec tunnel ipsec_example policy 0)> where value is one of: any: Matches any protocol. tcp: Matches TCP protocol only.
  • Page 508 Allowed values are an integer between 1 and 255. 19. (Optional) You can also configure various IPsec related time out, keep alive, and related values: a. Change to the root of the configuration schema: (config vpn ipsec tunnel ipsec_example policy 0)> ... (config)>
  • Page 509 20. Save the configuration and apply the change: (config)> save Configuration saved. > 21. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
  • Page 510: Configure Ipsec Failover

    Configure IPsec failover There are two methods to configure the IX20 device to fail over from a primary IPsec tunnel to a backup tunnel: SureLink active recovery—You can use SureLink along with the IPsec tunnel's metric to configure two or more tunnels so that when the primary tunnel is determined to be inactive by SureLink, a secondary tunnel can begin serving traffic that the primary tunnel was serving.
  • Page 511 See Configure an IPsec tunnel for instructions. During configuration of the IPsec tunnel, set the metric to a value that is higher than the metric of the primary tunnel (for example, 20). Command line
  • Page 512 Use the ? to view a list of available tunnels: (config vpn ipsec tunnel backup_ipsec_tunnel)> ipsec_failover ? Preferred tunnel: This tunnel will not start until the preferred tunnel has failed. It will continue to operate until the preferred tunnel returns to full operation
  • Page 513: Configure Surelink Active Recovery For Ipsec

    To configure the IX20 device to regularly probe the IPsec connection: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
  • Page 514 a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
  • Page 515 The Interface gateway. If Interface gateway is selected, an initial traceroute is sent to the hostname or IP address configured in the SureLink advanced settings, and then the first hop in that route is used for the ping test.
  • Page 516 TCP connect host: The hostname or IP address of the host to create a TCP connection to. TCP connect port: The TCP port to create a TCP connection to. Test another interface's status: Tests the status of another interface. If Test another interface's status is selected, complete the following:
  • Page 517 Override wait interval before performing the next recovery action: The time to wait before the next test is run. If set to the default value of 0s, the Test interval is used. Restart interface. If Restart interface is selected, complete the following:
  • Page 518 Powercycle the modem. This recovery action is available for WWAN interfaces only. If Powercycle the modem is selected, complete the following: Attempts: The number of attempts for this recovery action to perform, before moving to the next recovery action.
  • Page 519 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 520 The hostname or IP address of an external server. Set ping_host to the hostname or IP address of the server: (config vpn ipsec tunnel ipsec_example surelink tests 1)> ping_host hostname/IP_address (config vpn ipsec tunnel ipsec_example surelink tests 1)>
  • Page 521 For example, to set interface_down_time to ten minutes, enter either 10m or 600s: (config vpn ipsec tunnel ipsec_example surelink tests 1)> interface_down_time 600s (config)>
  • Page 522 If other is selected, complete the following: Set the interface to test. i. Use the ? to determine available interfaces: (config vpn ipsec tunnel ipsec_example surelink tests 1)> other_interface ? Test interface: Test the status of this other interface. Format:
  • Page 523 Type ... to return to the root of the configuration: (config vpn ipsec tunnel ipsec_example surelink tests 1)> ... (config)> b. Add a recovery action: (config)> add vpn ipsec tunnel ipsec_example surelink actions end (config vpn ipsec tunnel ipsec_example surelink actions 0)>
  • Page 524 (config vpn ipsec tunnel ipsec_example surelink actions 0)> action value (config vpn ipsec tunnel ipsec_example surelink actions 0)> WWAN interfaces: (config vpn ipsec tunnel ipsec_example surelink actions 0)> modem_action value (config vpn ipsec tunnel ipsec_example surelink actions 0)>
  • Page 525 (config vpn ipsec tunnel ipsec_example surelink actions 0)> override_interval int (config vpn ipsec tunnel ipsec_example surelink actions 0)> reset_modem: This recovery action is available for WWAN interfaces only. If reset_modem is selected, complete the following:
  • Page 526 Set the time to wait before the next test is run. If set to the default value of 0s, the test interval is used. (config vpn ipsec tunnel ipsec_example surelink actions 0)> override_interval int (config vpn ipsec tunnel ipsec_example surelink actions 0)>
  • Page 527 (config vpn ipsec tunnel ipsec_example surelink actions 0)> g. Repeat for each additional recovery action. 7. Optional SureLink configuration parameters: a. Type ... to return to the root of the configuration: (config vpn ipsec tunnel ipsec_example surelink actions 0)> ... (config)>
  • Page 528 Set the amount of time to wait while the device is starting before SureLink testing begins. This setting is bypassed when the interface is determined to be up. (config)> vpn ipsec tunnel ipsec_example surelink advanced delayed_start value (config)>
  • Page 529: Show Ipsec Status And Statistics

    Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show IPsec status and statistics
  • Page 530: Debug An Ipsec Configuration

    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 531 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 532: Configure A Simple Certificate Enrollment Protocol Client

    Simple Certificate Enrollment Protocol (SCEP) is a mechanism that allows for large-scale X.509 certificate deployment. You can configure the IX20 device to function as a SCEP client that will connect to a SCEP server that is used to sign Certificate Signing Requests (CSRs), provide Certificate Revocation Lists (CRLs), and distribute valid certificates from a Certificate Authority (CA).
  • Page 533 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 534 9. For Renewable Time, type the number of days that the certificate enrollment can be renewed, prior to the request expiring. This value is configured on the SCEP server, and is used by the IX20 device to determine when to start attempting to auto-renew an existing certificate. The default is 7.
  • Page 535 Click Use New Private Key to enable the creation of a new private key for renewal requests. c. Use Client Certificate is enabled by default. Click to disable the use of a client certificate for renewal requests. 22. Click Apply to save the configuration and apply the change. Command line
  • Page 536 Virtual Private Networks (VPN) IPsec 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 537 The URL to the file name used to access the certificate revocation list from the crldp: The CRL distribution point. getCRL: A CRL query using the issuer name and serial number from the certificate whose revocation status is being queried. The default is url.
  • Page 538 (config network scep_client scep_client_name)> polling_interval 600s (config network scep_client scep_client_name)> The default is 5s. 14. Set the bit size of the private key: (config network scep_client scep_client_name)> key_length int (config network scep_client scep_client_name)> The default is 2048.
  • Page 539: Example: Scep Client Configuration With Fortinet Scep Server

    Type quit to disconnect from the device. Example: SCEP client configuration with Fortinet SCEP server In this example configuration, we will configure the IX20 device as a SCEP client that will connect to a Fortinet SCEP server. Fortinet configuration On the Fortinet server: 1.
  • Page 540 Click OK. IX20 configuration On the IX20 device:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 541 Fortinet server. 7. (Optional) Click Debug to enable verbose logging in /var/log/scep_client. 8. Click to expand SCEP server. 9. For FQDN, type the fully qualified domain name or IP address of the Fortinet server.
  • Page 542  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 543 8. Set the number of days that the certificate enrollment can be renewed, prior to the request expiring. This value must match the setting of the Allow renewal x days before the certified is expired option on the Fortinet server.
  • Page 544: Show Scep Client Status And Information

     Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 545 Last Update : May 23 13:27:21 2022 GMT > 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
  • Page 546: Openvpn

    OpenVPN clients. OpenVPN clients use Network Address Translation (NAT) to route traffic from devices connected on its LAN interfaces to the OpenVPN server. The manner in which the IP subnets are defined depends on the OpenVPN topology in use. The IX20 device supports two types of OpenVPN topology:...
  • Page 547: Configure An Openvpn Server

    Virtual Private Networks (VPN) OpenVPN OpenVPN managed—The IX20 device creates the interface and then uses its standard configuration to set up the connection (for example, its standard DHCP server configuration). Device only—IP addressing is controlled by the system, not by OpenVPN.
  • Page 548 Access control list configuration to restrict access to the OpenVPN server through the firewall. Additional OpenVPN parameters.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 549 If not enabled, certificates must be created externally and added to the server. 9. If Server managed certificates is not enabled: a. Select the Authentication type: Certificate only: Uses only certificates for client authentication. Each client requires a public and private key.
  • Page 550 No limit to IPv6 addresses that can access the service-type. d. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: a. Click Interfaces. b. For Add Interface, click .
  • Page 551  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 552 1 and 255. The number entered here will represent the first client IP address. For example, if address is set to 192.168.1.1/24 and server_first_ip is set to 80, the first client IP address will be 192.168.1.80. The default is 80.
  • Page 553 Authentication Group and User for instructions. ii. Paste the contents of the CA certificate (usually in a ca.crt file) into the value of the cacert parameter: (config vpn openvpn server name)> cacert value (config vpn openvpn server name)>
  • Page 554 No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config vpn openvpn server name)> add acl interface end value (config vpn openvpn server name)>...
  • Page 555 Additional Configuration -------------------------------------------------------- ----------------------- dynamic_routes edge external hotspot internal ipsec loopback setup (config vpn openvpn server name)> Repeat this step to include additional firewall zones. 9. (Optional) Set additional OpenVPN parameters.
  • Page 556: Configure An Openvpn Authentication Group And User

    IX20 user authentication for more information about creating authentication groups and users.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 557 For Add Group, type a name for the group (for example, OpenVPN_Group) and click . The new authentication group configuration is displayed. c. Click OpenVPN access to enable OpenVPN access rights for users of this group. d. Click to expand the OpenVPN node. e. Click  to add a tunnel. IX20 User Guide...
  • Page 558 Click to expand the Groups node. e. Click  to add a group to the user. f. Select a Group with OpenVPN access enabled. 5. Click Apply to save the configuration and apply the change. IX20 User Guide...
  • Page 559  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 560: Configure An Openvpn Client By Using An .Ovpn File

    Configure SureLink active recovery for OpenVPN for information about OpenVPN active recovery.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 561  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 562 (config vpn openvpn client name)> password value (config vpn openvpn client name)> 7. Paste the content of the client.ovpn file into the value of the config_file parameter: (config vpn openvpn client name)> config_file value (config vpn openvpn client name)>
  • Page 563: Configure An Openvpn Client Without Using An .Ovpn File

    Configure SureLink active recovery for OpenVPN for information about OpenVPN active recovery.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 564 3. Click VPN > OpenVPN > Clients. 4. For Add, type a name for the OpenVPN client and click . The new OpenVPN client configuration is displayed. 5. The OpenVPN client is enabled by default. To disable, toggle off Enable. IX20 User Guide...
  • Page 565  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 566 (config vpn openvpn client name)> username value (config vpn openvpn client name)> password value (config vpn openvpn client name)> 9. Set the IP address of the OpenVPN server: (config vpn openvpn client name)> server ip_address (config vpn openvpn client name)>
  • Page 567: Configure Surelink Active Recovery For Openvpn

    Type quit to disconnect from the device. Configure SureLink active recovery for OpenVPN You can configure the IX20 device to regularly probe OpenVPN client connections to determine if the connection has failed and take remedial action.
  • Page 568 To configure the IX20 device to regularly probe the OpenVPN connection:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 569 All test pass: All tests need to pass for SureLink to consider the interface to be up. 9. (Optional) For Pass threshold, type or select the number of times that the test must pass after failure, before the interface is determined to be working and is reinstated.
  • Page 570 If HTTP test is selected, complete the following: Web server: The URL of the web server. Test DNS servers configured for this interface: Tests communication with DNS servers that are either provided by DHCP, or statically configured for this interface.
  • Page 571 Down: The test will pass only if the referenced interface is down or failing its own SureLink tests (if applicable). e. Repeat for each additional test. 12. Add recovery actions: a. Click to expand Recovery actions. By default, there are two preconfigured recovery actions:
  • Page 572 If set to the default value of 0s, the Test interval is used. Switch to alternate SIM: Switches to an alternate SIM. This recovery action is available for WWAN interfaces only. If Switch to alternate SIM is selected, complete the following:
  • Page 573 For Backoff interval, type the time to add to the test interval when restarting the list of actions. This option is capped at 15 minutes. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}.
  • Page 574  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 575 1)> ping_size int (config vpn openvpn client openvpn_client1 surelink tests 1)> dns: Performs a DNS query to the named DNS server. If dns is set, set the IPv4 or IPv6 address of the DNS server:
  • Page 576 For example, to set interface_timeout to ten minutes, enter either 10m or 600s: (config vpn openvpn client openvpn_client1 surelink tests 1)> interface_timeout 600s (config)>
  • Page 577 /network/interface/eth2 /network/interface/loopback Current value: (config vpn openvpn client openvpn_client1 surelink tests 1)> other_interface ii. Set the interface. For example: (config vpn openvpn client openvpn_client1 surelink tests 1)> other_interface /network/interface/eth1 (config vpn openvpn client openvpn_client1 surelink tests 1)>
  • Page 578 (config vpn openvpn client openvpn_client1 surelink actions 0)> enable false (config vpn openvpn client openvpn_client1 surelink actions 0)> d. Create a label for the action: (config vpn openvpn client openvpn_client1 surelink actions 0)> label string (config vpn openvpn client openvpn_client1 surelink actions 0)>
  • Page 579 Increases the interface's metric to change the default gateway. If update_routing_table is selected, complete the following: Set the number of attempts for this recovery action to perform, before moving to the next recovery action: (config vpn openvpn client openvpn_client1 surelink actions 0)> max_attempts int
  • Page 580 This recovery action is available for WWAN interfaces only. If reset_modem is selected, complete the following: Set the number of attempts for this recovery action to perform, before moving to the next recovery action: (config vpn openvpn client openvpn_client1 surelink actions 0)> max_attempts int
  • Page 581 The default is 3. Set the time to wait before the next test is run. If set to the default value of 0s, the test interval is used. (config vpn openvpn client openvpn_client1 surelink actions 0)> override_interval int
  • Page 582 Set the time to wait before the next test is run. If set to the default value of 0s, the test interval is used. (config vpn openvpn client openvpn_client1 surelink actions 0)> override_interval int (config vpn openvpn client openvpn_client1 surelink actions 0)> g. Repeat for each additional recovery action. 7. Optional SureLink configuration parameters:
  • Page 583 (config)> vpn openvpn client openvpn_client1 surelink timeout 600s (config)> The default is 15s. f. Set the amount of time to wait while the device is starting before SureLink testing begins. This setting is bypassed when the interface is determined to be up.
  • Page 584 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show SureLink status and statistics for information about showing SureLink status for OpenVPN clients.
  • Page 585: Show Openvpn Server Status And Statistics

     Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 586: Show Openvpn Client Status And Statistics

     Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 587 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
  • Page 588: Generic Routing Encapsulation (Gre)

    Enable the device to respond to keepalive packets. Task One: Create a GRE loopback endpoint interface  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 589  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 590 Type quit to disconnect from the device. Task Two: Configure the GRE tunnel  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 591  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 592 (config vpn iptunnel gre_example)> save Configuration saved. > 11. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
  • Page 593: Show Gre Tunnels

    Show GRE tunnels To view information about currently configured GRE tunnels: Log into the IX20 WebUI as a user with full Admin access rights. 1. On the menu, click Status > IP tunnels. The IP Tunnels page appears. 2. To view configuration details about a GRE tunnel, click the (configuration) icon in the upper right of the tunnel's status pane.
  • Page 594: Example: Gre Tunnel Over An Ipsec Tunnel

    Example: GRE tunnel over an IPSec tunnel The IX20 device can be configured as an advertised set of routes through an IPSec tunnel. This allows you to leverage the dynamic route advertisement of GRE tunnels through a secured IPSec tunnel.
  • Page 595 Configuration procedures Configure the IX20-1 device Task one: Create an IPsec tunnel  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 596 5. Click to expand Authentication. 6. For Pre-shared key, type testkey. 7. Click to expand Remote endpoint. 8. For Hostname, type public IP address of the IX20-2 device. 9. Click to expand Policies. 10. For Add Policy, click  to add a new policy.
  • Page 597  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 598 7. Click Apply to save the configuration and apply the change. Command line 1. At the command line, type config to enter configuration mode: > config (config)> 2. Add an interface named ipsec_endpoint1: (config)> add network interface ipsec_endpoint1 (config network interface ipsec_endpoint1)>
  • Page 599 3. For Local endpoint, select the IPsec endpoint interface created in Task two (Interface: ipsec_endpoint1). 4. For Remote endpoint, type the IP address of the GRE tunnel on IX20-2, 172.30.0.2. 5. Click Apply to save the configuration and apply the change. Command line 1.
  • Page 600 (config vpn iptunnel gre_tunnel1)> local /network/interface/ipsec_endpoint1 (config vpn iptunnel gre_tunnel1)> 4. Set the remote endpoint to the IP address of the GRE tunnel on IX20-2, 172.30.0.2: (config vpn iptunnel gre_tunnel1)> remote 172.30.0.2 (config vpn iptunnel gre_tunnel1)> 5. Save the configuration and apply the change (config vpn iptunnel gre_tunnel1)>...
  • Page 601 (config network interface gre_interface1)> save Configuration saved. > 7. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
  • Page 602 Generic Routing Encapsulation (GRE) Configure the IX20-2 device Task one: Create an IPsec tunnel  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 603  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 604 (config vpn ipsec tunnel ipsec_gre2)> auth secret testkey (config vpn ipsec tunnel ipsec_gre2)> 5. Set the remote endpoint to the public IP address of the IX20-1 device: (config vpn ipsec tunnel ipsec_gre2)> remote hostname 192.168.100.1 (config vpn ipsec tunnel ipsec_gre2)>...
  • Page 605 4. Set the device to /network/device/loopback: (config network interface ipsec_endpoint2)> device /network/device/loopback (config network interface ipsec_endpoint2)> 5. Set the IPv4 address to the IP address of the local GRE tunnel, 172.30.0.2/32: (config network interface ipsec_endpoint2)> ipv4 address 172.30.0.2/32 (config network interface ipsec_endpoint2)>
  • Page 606 3. For Local endpoint, select the IPsec endpoint interface created in Task two (Interface: ipsec_endpoint2). 4. For Remote endpoint, type the IP address of the GRE tunnel on IX20-1, 172.30.0.1. 5. Click Apply to save the configuration and apply the change. Command line 1.
  • Page 607 4. Set the remote endpoint to the IP address of the GRE tunnel on IX20-1, 172.30.0.1: (config vpn iptunnel gre_tunnel2)> remote 172.30.0.1 (config vpn iptunnel gre_tunnel2)> 5. Save the configuration and apply the change (config vpn iptunnel gre_tunnel2)>...
  • Page 608: Dynamic Multipoint Vpn (Dmvpn)

    This is achieved by the creation of a dynamic GRE tunnel directly to the other spoke. The network address of the target spoke is resolved with the use of Next Hop Resolution Protocol (NHRP). This section contains the following topics: Configure a DMVPN spoke
  • Page 609: Configure A Dmvpn Spoke

    Dynamic Multipoint VPN (DMVPN) Configure a DMVPN spoke To configure a DMVPN spoke:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 610 For Zone, select Internal. d. For Device, select the IP tunnel created above. e. Click to expand IPv4. f. For Address, type the IP address and netmask of the tunnel. The netmask must be set to /32.
  • Page 611 For AS number, type the autonomous system number for this device. d. For Best path criteria, select Multipath. e. Click to expand Neighbours. f. Click  to add a neighbour. g. For IP address, type the IP address of the hub. IX20 User Guide...
  • Page 612  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 613 (config network interface dmvpn_tunnel_interface)> c. Set the zone to internal: (config network interface dmvpn_tunnel_interface)> zone internal (config network interface dmvpn_tunnel_interface)> d. Set the device to the IP tunnel created above: (config network interface dmvpn_tunnel_interface)> device /vpn/iptunnel/dmvpn_tunnel (config network interface dmvpn_tunnel_interface)>
  • Page 614 6. Set the hostname or IP address of the node that will be the next hop server: (config network route service nhrp network 0 nhs 0)> nbma hostname/IP_address (config network route service nhrp network 0 nhs 0)>
  • Page 615: L2Tp

    10. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. L2TP Your IX20 device supports PPP-over-L2TP (Layer 2 Tunneling Protocol).
  • Page 616: Configure A Ppp-Over-L2Tp Tunnel

    Whether to override the default configuration and only use the custom options. Optional configuration data in the format of a pppd options file.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 617 A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the service-type. d. Click again to list additional IP addresses or networks.
  • Page 618 Virtual Private Networks (VPN) L2TP To limit access to hosts connected through a specified interface on the IX20 device: a. Click Interfaces. b. For Add Interface, click . c. For Interface, select the appropriate interface from the dropdown. d. Click  again to allow access through additional interfaces.
  • Page 619  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 620 No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config)> add vpn l2tp acl interface end value (config)>...
  • Page 621 LAC. For example, to add an LAC named lac_tunnel: (config)> add vpn l2tp lac lac_tunnel (config vpn l2tp lac lac_tunnel)> LACs are enabled by default. To disable: (config vpn l2tp lac lac_tunnel)> enable false (config vpn l2tp lac lac_tunnel)>
  • Page 622 Zone: The firewall zone assigned to this tunnel. This can be used by packet filtering rules and access control lists to restrict network traffic on this tunnel. Format: dynamic_routes edge external hotspot internal ipsec loopback setup Current value: (config vpn l2tp lac lac_tunnel)>
  • Page 623 (config vpn l2tp lns lns_server)> This can also be: A range of IP addresses, using the format x.x.x.x-y.y.y.y, for example 192.168.188.1-192.168.188.254. The keyword any, which means that the server will accept connections from any IP address.
  • Page 624 Use the ? to determine available zones: (config vpn l2tp lns lns_server)> zone ? Zone: The firewall zone assigned to this tunnel. This can be used by packet filtering rules and access control lists to restrict network traffic on this tunnel. Format:
  • Page 625: L2Tp With Ipsec

    L2TP is commonly used in conjunction with IPsec in transport mode (to provide security). Your IX20 supports L2TP with IPsec by configuring a transport-mode IPsec tunnel between the two endpoints, and then an L2TP tunnel with its LNS and LAC configured the same as the IPsec tunnel’s endpoints.
  • Page 626: Show L2Tp Tunnel Status

    Show the status of L2TP access connectors from the Admin CLI 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 627: L2Tpv3 Ethernet

    Show the status of L2TP network servers from the Admin CLI 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 628: Configure An L2Tpv3 Tunnel

    The peer session cookie. The Layer2SpecificHeader type. The Sequence numbering control.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 629 Both: Add a sequence number to each outgoing packet, and reorder packets if they are received out of order. The default is None. h. Repeat for additional sessions. 11. Click Apply to save the configuration and apply the change.  Command line IX20 User Guide...
  • Page 630 Virtual Private Networks (VPN) L2TPv3 Ethernet 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 631 1 and 4294967295. 12. (Optional) Set the cookie value to be assigned to the session. (config vpn l2tpeth L2TPv3_example session_example)> cookie value (config vpn l2tpeth L2TPv3_example session_example)> Allowed value is 8 or 16 hex digits.
  • Page 632: Show L2Tpv3 Tunnel Status

     Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. IX20 User Guide...
  • Page 633: Macsec

    MACsec tunnel over a wired Ethernet LAN. MACsec uses keys to provide multiple authentications between hosts in a network. A MACsec tunnel must be tied to a physical interface. You cannot create a MACsec tunnel for a bridge. Security modes Two security modes are available for a MACsec tunnel.
  • Page 634: Configure A Macsec Tunnel

    The local network device to connect to the peer device. When using Manual mode, the connectivity association key and key name.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 635  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 636: Nemo

    Local Area Networks (LANs) on your device. NEMO creates a tunnel between the home agent on the mobile private network and the IX20 device, isolating the connection from internet traffic and advertising the IP subnets of the LANs for remote access and device management.
  • Page 637: Configure A Nemo Tunnel

    If the local network is set to Interface, identify the local interface to be used.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 638 10. For MTU discovery, leave enabled to determine the maximum transmission unit (MTU) size. If disabled, for MTU, type the MTU size. The default MTU size for LANs on the IX20 device is 1500. The MTU size of the NEMO tunnel will be smaller, to take into account the required headers.
  • Page 639  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 640 (config vpn nemo nemo_example)> mtu_discovery false (config vpn nemo nemo_example)> If disabled, set the MTU size. The default MTU size for LANs on the IX20 device is 1500. The MTU size of the NEMO tunnel will be smaller, to take into account the required headers.
  • Page 641 Use the ? to determine available interfaces: (config vpn nemo nemo_example)> tun_local interface ? Interface: The network interface to use to communicate with the peer. Set this field to blank if using the default route. Format: defaultip defaultlinklocal eth1 eth2 loopback
  • Page 642: Show Nemo Status

     Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 643 ---------- lan1 192.168.2.1/24 Advertized LAN2 192.168.3.1/24 Advertized > 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
  • Page 644 Simple Network Management Protocol (SNMP) Location information Modbus gateway System time Network Time Protocol Configure a multicast route Ethernet network bonding Enable service discovery (mDNS) Use the MQTT broker service Use the iPerf service Configure the ping responder service
  • Page 645: Allow Remote Access For Web Administration And Ssh

    To allow web administration or SSH for the External firewall zone: Add the External firewall zone to the web administration service 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 646 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 647 Services Allow remote access for web administration and SSH 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 648 Services Allow remote access for web administration and SSH 5. Select External. 6. Click Apply to save the configuration and apply the change. IX20 User Guide...
  • Page 649: Configure The Web Administration Service

    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 650 The web administration service is enabled by default. To disable the service, or enable it if it has been disabled: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 651 Type quit to disconnect from the device. Configure the service 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 652 No limit to IPv6 addresses that can access the web administration service. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: a. Click Interfaces.
  • Page 653 Legacy port redirection and deselect Enable. 10. For Minimum TLS version, select the minimum TLS version that can be used by a client to negotiate the HTTPS session. 11. Click Apply to save the configuration and apply the change. Command line IX20 User Guide...
  • Page 654 Services Configure the web administration service 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 655 Enclose the certificate and private key contents in quotes ("). (config)> service web_admin cert "ssl-cert-and-private-key" (config)> If SSL certificate is blank, the device will use an automatically-generated, self-signed certificate. The SSL certificate and private key must be in PEM format. IX20 User Guide...
  • Page 656 (config)> service web_admin cert "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- -----BEGIN PRIVATE KEY----- ... IX20 User Guide...
  • Page 657 (config)> service web_admin port 444 (config)> 7. (Optional) Set the minimum TLS version that can be used by a client to negotiate the HTTPS session: (config)> service web_admin legacy_encryption value (config)> where value is one of: TLS-1_1 TLS-1_2 TLS-1_3 IX20 User Guide...
  • Page 658 9. Save the configuration and apply the change (config)> save Configuration saved. > 10. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
  • Page 659: Configure Ssh Access

    The SSH service is enabled by default. To disable the service, or enable it if it has been disabled: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights.
  • Page 660 Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Configure the service 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. IX20 User Guide...
  • Page 661 Configure SSH access 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
  • Page 662 9. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. IX20 User Guide...
  • Page 663 No limit to IPv6 addresses that can access the SSH service. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config)> add service ssh acl interface end value (config)>...
  • Page 664 5. (Optional) Configure Multicast DNS (mDNS) mDNS is a protocol that resolves host names in small networks that do not have a DNS server. mDNS is enabled by default. To disable mDNS, or enable it if it has been disabled: IX20 User Guide...
  • Page 665 OpenSSH sshd_config file. For example, to enable the diffie-hellman-group14-sha1 key exchange algorithm: (config)> service ssh custom config_file "KexAlgorithms +diffie-hellman-group14-sha1" (config)> 8. Save the configuration and apply the change (config)> save Configuration saved. > IX20 User Guide...
  • Page 666 Services Configure SSH access 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
  • Page 667: Use Ssh With Key Authentication

    SSH service to allow SSH access for the External firewall zone. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 668 These instructions assume an existing user named temp_user. 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 669 4. Save the configuration and apply the change (config)> save Configuration saved. > 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
  • Page 670: Configure Telnet Access

    Enable the telnet service The telnet service is disabled by default. To enable the service: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 671 Type quit to disconnect from the device. Configure the service 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 672 A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the telnet service. d. Click again to list additional IP addresses or networks. IX20 User Guide...
  • Page 673 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 674 Services Configure telnet access Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config)> add service telnet acl interface end value (config)> Where value is an interface defined on your device.
  • Page 675: Configure Dns

    Type quit to disconnect from the device. Configure DNS The IX20 device includes a caching DNS server which forwards queries to the DNS servers that are associated with the network interfaces, and caches the results. This server is used within the device, and cannot be disabled.
  • Page 676 The device is configured by default with the hostname digi.device, which corresponds to the 192.168.210.1 IP address. To configure the DNS server: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 677 No limit to IPv6 addresses that can access the DNS service. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: a. Click Interfaces.
  • Page 678 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 679 Zones: A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists. Additional Configuration -------------------------------------------------------- ----------------------- dynamic_routes edge external hotspot internal ipsec loopback setup (config)> Repeat this step to include additional firewall zones. IX20 User Guide...
  • Page 680 (config service dns server 0)> c. To restrict the device's use of this DNS server based on the domain, use the domain command. If no domains are listed, then all queries may be sent to this server. IX20 User Guide...
  • Page 681: Show Dns Server

    Command line Show DNS information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 682: Wan Bonding

    WAN bonding also provides seamless failover by automatically using multiple pipes within the bonded tunnel. The WAN bonding service for your IX20 device must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. This section contains the following topics:...
  • Page 683: Use Digi Remote Manager To Enable And Configure Wan Bonding On Multiple Devices

    Use Digi Remote Manager to enable and configure WAN bonding on multiple devices Note WAN bonding support must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. You must also set up the WAN bonding server. This can be done using one of three mechanisms: Set up a WAN bonding server on physical hardware or a Virtual Private Server (VPS) in your local environment.
  • Page 684 Select Interfaces and select a WAN interface to be bonded. Note By default, IX20 devices prioritize their WAN Ethernet connection over any WWAN cellular connections. Consider this prioritization if using both wired Ethernet and cellular Internet connections. Make sure to add the highest priority in-use interface(s) to the WAN Bonding settings.
  • Page 685 4. Create a site-specific settings file for the Tunnel username and Tunnel password options: a. Click Home. b. Click and select Download to download a CSV file to your local filesystem, which you can use to set site-specific settings. IX20 User Guide...
  • Page 686: Configure Wan Bonding On Your Local Device

    Configure WAN bonding on your local device Note WAN bonding support must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. You must also set up the WAN bonding server. This can be done using one of three mechanisms: Set up a WAN bonding server on physical hardware or a Virtual Private Server (VPS) in your local environment.
  • Page 687 Additional configuration items The firewall zone for the new bonded interface, if other than External. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 688 4. Toggle on Enable. Note The WAN bonding service must be enabled for this device in Digi Remote Manager. Contact your Digi sales representative for information. 5. For Hostname, type the hostname or IPv4 address of the external server hosting the WAN bonding server.
  • Page 689 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 690 Set the zone: (config)> network sdwan wan_bonding zone zone (config)> 8. Configure the device's WAN interfaces that will be bonded: a. Add the first interface: (config)> add network sdwan wan_bonding interfaces end (config network sdwan wan_bonding interfaces 0)> IX20 User Guide...
  • Page 691 The WAN bonding web interface can be used to view detailed WAN bonding statistics and to fine-tune the WAN bonding process, and is accessed via a web browser at http://ip-address:8088, where ip-address is the IP address of the local IX20 device. (config)> network sdwan wan_bonding web_interface password password (config)>...
  • Page 692: Show Wan Bonding Status And Statistics

    Command line Show WAN bonding information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 693 RX 17 sent, 0 lost; TX 19 sent, 0 lost, 19 acked > 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
  • Page 694: Simple Network Management Protocol (Snmp)

    By default, the IX20 device automatically blocks SNMP packets from being received over WAN and LAN interfaces. As a result, if you want an IX20 device to receive SNMP packets, you must configure the SNMP access control list to allow the device to receive the packets. See...
  • Page 695 Services Simple Network Management Protocol (SNMP) 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 696 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 697 No limit to IPv6 addresses that can access the SNMP service. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config)> add service snmp acl interface end value (config)>...
  • Page 698 6. Set the password for the user that will be used to connect to the SNMP agent: (config)> service snmp password pwd (config)> 7. (Optional) Set the port number for the SNMP agent. The default is 161. IX20 User Guide...
  • Page 699: Download Mibs

    15. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Download MIBs This procedure is available from the WebUI only. IX20 User Guide...
  • Page 700 Enable SNMP. To download a .zip archive of the SNMP MIBs supported by this device: Log into the IX20 WebUI as a user with full Admin access rights. 1. Enable SNMP. Configure Simple Network Management Protocol (SNMP) for information about enabling and configuring SNMP support on the IX20 device.
  • Page 701: Location Information

    By default, the modem's internal GNSS module is enabled. You can also configure your IX20 device to forward location messages, either from the IX20 device or from external sources, to a remote host. Additionally, the device can be configured to use a geofence, to allow you to determine actions that will be taken based on the physical location of the device.
  • Page 702: Configure The Location Service

    The location service is enabled by default. You can disable it, or you can enable it if it has been disabled. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 703 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 704: Enable Or Disable Modem Gnss Support

    To disable support for the modem's GNSS receiver, or enable it if it has been disabled: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 705 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 706: Configure The Device To Use A User-Defined Static Location

    Configure the device to use a user-defined static location You can configure your IX20 device to use a user-defined static location. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 707 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 708: Configure The Device To Accept Location Messages From External Sources

    You can configure the IX20 device to accept NMEA and TAIP messages from external sources. For example, location-enabled devices connected to the IX20 device can forward their location information to the device, and then the IX20 device can serve as a central repository for this location information and forward it to a remote host. See Forward location information to a remote host for information about configuring the IX20 device to forward location messages.
  • Page 709 Access control list configuration to provide access to the port through the firewall. To configure the device to accept location messages from external sources: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 710 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 711 No limit to IPv6 addresses that can access the location server UDP port. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config)> add service location source 1 acl interface end value (config)>...
  • Page 712 Zones: A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists. Additional Configuration -------------------------------------------------------- ----------------------- dynamic_routes edge external hotspot internal ipsec loopback setup (config)> Repeat this step to include additional firewall zones. IX20 User Guide...
  • Page 713: Forward Location Information To A Remote Host

    A vehicle ID that is used in the TAIP ID message and can also be prepended to the forwarded message. Configure the IX20 device to forward location information: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 714 GGA: Reports time, position, and fix related data. GLL: Reports position data: position fix, time of position fix, and status. GSA: Reports GPS DOP and active satellites. GSV: Reports the number of SVs in view, PRN, elevation, azimuth, and SNR. IX20 User Guide...
  • Page 715 13. (Optional) For Prepend text, enter text to prepend to the forwarded message. Two variables can be included in the prepended text: %s: Includes the IX20 device's serial number in the prepended text. %v: Includes the vehicle ID in the prepended text.
  • Page 716 Services Location information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 717 9. (Optional) Set the text to prepend to the forwarded message. Two variables can be included in the prepended text: %s: Includes the IX20 device's serial number in the prepended text. %v: Includes the vehicle ID in the prepended text.
  • Page 718 (config service location forward 0 filter_nmea)> add gsa end (config service location forward 0 filter_nmea)> If the message protocol type is TAIP: Allowed values are: al: Reports altitude and vertical velocity. cp: Compact position: reports time, latitude, and longitude. IX20 User Guide...
  • Page 719: Configure Geofencing

    Type quit to disconnect from the device. Configure geofencing Geofencing is a mechanism to create a virtual perimeter that allows you to configure your IX20 device to perform actions when entering or exiting the perimeter. For example, you can configure a device to factory default if its location service indicates that it has been moved outside of the geofence.
  • Page 720 Update interval, which determines the amount of time that the geofence should wait between polling for updated location data. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 721 For Longitude, any integer between -180 and 180, with up to six decimal places. c. For Radius, type the radius of the circle. Allowed values are an integer followed by m or km, for example, 100m or 1km. IX20 User Guide...
  • Page 722 Click again to add an additional point, and continue adding points to create the desired polygon. For example, to configure a square polygon around the Digi headquarters, configure a polygon with four points: This defines a square-shaped polygon equivalent to the following: 7.
  • Page 723 If you disable Sandbox, the script may render the system unusable. vii. Repeat for any additional actions. To define actions that will be taken when the device exits the geofence, or is outside the geofence when it boots: IX20 User Guide...
  • Page 724 Sandbox is enabled by default. This prevents the script from adversely affecting the system. If you disable Sandbox, the script may render the system unusable. vii. Repeat for any additional actions. 8. Click Apply to save the configuration and apply the change. Command line IX20 User Guide...
  • Page 725 Services Location information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 726 Configure additional vertices: (config service location geofence test_geofence coordinates 0)> .. (config service location geofence test_geofence coordinates)> add end (config service location geofence test_geofence coordinates 1)> latitude int (config service location geofence test_geofence coordinates 1)> longitude int IX20 User Guide...
  • Page 727 For longitude, any integer between -180 and 180, with up to six decimal places. Repeat for each vertex of the polygon. For example, to configure a square polygon around the Digi headquarters, configure a polygon with four points: (config service location geofence test_geofence)> add...
  • Page 728 Add the action: (config)> add service location geofence test_geofence on_entry action end (config service location geofence test_geofence on_entry action 0)> d. Set the type of action: (config service location geofence test_geofence on_entry action 0)> type value IX20 User Guide...
  • Page 729 For example, to allocate one megabyte of memory to the script and its spawned processes: (config service location geofence test_geofence on_entry action 0)> max_memory 1MB (config service location geofence test_geofence on_entry action 0)> IX20 User Guide...
  • Page 730 (config)> add service location geofence test_geofence on_exit action end (config service location geofence test_geofence on_exit action 0)> d. Set the type of action: (config service location geofence test_geofence on_exit action 0)> type value (config service location geofence test_geofence on_exit action 0)> IX20 User Guide...
  • Page 731 (config service location geofence test_geofence on_exit action 0)> max_memory 1MB (config service location geofence test_geofence on_exit action 0)> v. A sandbox is enabled by default to prevent the script from adversely affecting the system. To disable the sandbox: IX20 User Guide...
  • Page 732: Show Location Information

    Command line Show location information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 733: Modbus Gateway

    Type quit to disconnect from the device. Show geofence information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 734: Configure The Modbus Gateway

    The maximum time between bytes in a packet. Whether to send broadcast messages. Response timeout If connection type is set to socket: The port to use. The inactivity timeout. If connection type is set to serial: Whether to use half duplex (two wire) mode. IX20 User Guide...
  • Page 735 Whether packets should be delivered to a fixed Modbus address. Whether packets should have their Modbus address adjusted downward before delivery. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 736 For Port, enter or select an appropriate port. The default is port 502. If Serial is selected for Connection type: a. For Serial port, select the appropriate serial port on the IX20 device. 5. For Packet mode, select RTU or RAW (if Connection type is set to Socket) or ASCII (if Connection type is set to Serial) for the type of packet that will be used by this connection.
  • Page 737 No limit to IPv6 addresses that can access the web administration service. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: a. Click Interfaces.
  • Page 738 Modbus server is running. If Serial is selected for Connection type: a. For Serial port, select the appropriate serial port on the IX20 device. 5. For Packet mode, select RTU or RAW (if Connection type is set to Socket) or ASCII (if Connection type is set to Serial) for the type of packet that will be used by this connection.
  • Page 739 No limit to IPv6 addresses that can access the web administration service. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: a. Click Interfaces.
  • Page 740 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 741 (config service modbus_gateway server test_modbus_server)> where value is either rtu or raw. The default is rtu. iv. Set the maximum allowable time between bytes in a packet: (config service modbus_gateway server test_modbus_server)> socket idle_gap value (config service modbus_gateway server test_modbus_server)> IX20 User Guide...
  • Page 742 (config service modbus_gateway server test_modbus_server)> ii. Set the packet mode: (config service modbus_gateway server test_modbus_server)> serial packet_mode value (config service modbus_gateway server test_modbus_server)> where value is either rtu or ascii. The default is rtu. IX20 User Guide...
  • Page 743 (config service modbus_gateway client test_modbus_client)> where type is either socket or serial. The default is socket. If connection_type is set to socket: i. Set the IP protocol: (config service modbus_gateway client test_modbus_client)> socket protocol value (config service modbus_gateway client test_modbus_client)> IX20 User Guide...
  • Page 744 600s (config service modbus_gateway client test_modbus_client)> vi. Set the hostname or IP address of the remote host on which the Modbus server is running: (config service modbus_gateway client test_modbus_client)> remote_host ip_address|hostname (config service modbus_gateway client test_modbus_client)> IX20 User Guide...
  • Page 745 For example, to set idle_gap to one second, enter 1000ms or 1s. iv. (Optional) Enable half-duplex (two wire) mode: (config service modbus_gateway client test_modbus_client)> serial half_duplex true (config service modbus_gateway client test_modbus_client)> d. (Optional) Enable the gateway to send broadcast messages to this client: IX20 User Guide...
  • Page 746 (config service modbus_gateway client test_modbus_client)> filter 1 50-100 (config service modbus_gateway client test_modbus_client)> g. If request messages handled by this client should always be forwarded to a specific device, , use fixed_server_address to set the device's Modbus address: IX20 User Guide...
  • Page 747: Show Modbus Gateway Status And Statistics

    Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show Modbus gateway status and statistics You can view status and statistics about location information from either the WebUI or the command line.
  • Page 748  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 749 Packet Errors RX Responses RX Timeouts TX Broadcasts TX Requests modbus_socket_21 ---------------- Address Translation Errors Connection Errors Packet Errors RX Responses RX Timeouts TX Broadcasts TX Requests modbus_serial_client -------------------- Address Translation Errors Connection Errors Packet Errors RX Responses
  • Page 750 Modbus gateway RX Timeouts TX Broadcasts TX Requests > 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
  • Page 751: System Time

    At least one upstream NTP server for synchronization. Additional Configuration Options Additional upstream NTP servers. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 752 6. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 753 2. At the command line, type config to enter configuration mode: > config (config)> 3. (Optional) Set the timezone for the location of your IX20 device. The default is UTC. (config)> system time timezone value (config)> Where value is the timezone using the format specified with the following command: (config)>...
  • Page 754  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 755: Manually Set The System Date And Time

    Services Network Time Protocol 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 756: Configure The Device As An Ntp Server

    The time zone setting, if the default setting of UTC is not appropriate. To configure the IX20 device's NTP service: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 757 3. Click Services > NTP. 4. Enable the IX20 device's NTP service by clicking Enable. 5. (Optional) Configure the access control list to limit downstream access to the IX20 device's NTP service. To limit access to specified IPv4 addresses and networks: a.
  • Page 758  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 759 5. Allow the device's local system clock to be used as backup time source: (config)> service ntp local true (config)> 6. (Optional) Configure the access control list to limit downstream access to the IX20 device's NTP service. To limit access to specified IPv4 addresses and networks: (config)>...
  • Page 760 No limit to IPv6 addresses that can access the NTP server agent. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config)> add service ntp acl interface end value (config)>...
  • Page 761: Show Status And Statistics Of The Ntp Server

    By default, the access control list for the NTP service is empty, which means that all downstream hosts connected to the IX20 device can use the NTP service. 7. (Optional) Set the timezone for the location of your IX20 device. The default is UTC. (config)> system time timezone value (config)>...
  • Page 762: Configure A Multicast Route

    To configure a multicast route:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
  • Page 763  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 764 Set the interface. For example: (config service multicast test)> src_interface /network/interface/eth1 (config service multicast test)> 7. Set a destination interface that the IX20 device will send multicast packets to: a. Use the ? to determine available interfaces: (config service multicast test)> src_interface ? Destination interface: Which interface to send the multicast packets.
  • Page 765: Ethernet Network Bonding

    Create a new network interface for the bonded Ethernet devices, and disable any interfaces associated with those Ethernet devices. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
  • Page 766 Services Ethernet network bonding a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
  • Page 767 Disable any other interfaces associated with the devices that were added to the Ethernet bond. For example, if ETH1 and ETH2 were added to the Ethernet bond, disable the ETH1 and ETH2 interfaces:
  • Page 768  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 769 For example, if ETH1 and ETH2 were added to the Ethernet bond, and they are included with the ETH1 and ETH2 interfaces: a. Type ... to return to the root of the configuration: (config network interface eth_bonding_interface)> ... (config)>
  • Page 770: Enable Service Discovery (Mdns)

    Multicast DNS (mDNS) is a protocol that resolves host names in small networks that do not have a DNS server. You can enable the IX20 device to use mDNS. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 771 No limit to IPv6 addresses that can access the mDNS service. d. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: a. Click Interfaces.
  • Page 772  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 773 Zones: A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists. Additional Configuration -------------------------------------------------------- ----------------------- dynamic_routes edge external hotspot internal ipsec loopback setup (config)> Repeat this step to include additional firewall zones.
  • Page 774: Use The Mqtt Broker Service

    Whether to allow clients that have no client ID to connect. Whether to replace the client's ID with its username. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 775 A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the iperf service. d. Click  again to list additional IP addresses or networks.
  • Page 776 Services Use the MQTT broker service To limit access to hosts connected through a specified interface on the IX20 device: a. Click Interfaces. b. For Add Interface, click . c. For Interface, select the appropriate interface from the dropdown. d. Click  again to allow access through additional interfaces.
  • Page 777 ID or username. If a variable is used, it can be the only text for that level of the hierarchy. d. For Access, select the level of access that the client will have: Read Write
  • Page 778  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 779 Services Use the MQTT broker service To limit access to hosts connected through a specified interface on the IX20 device: (config)> add service mqtt acl interface end value (config)> Where value is an interface defined on your device. Display a list of available interfaces: Use ...
  • Page 780 (config service mqtt client 0)> add topic_acl end (config service mqtt client 0 topic_acl 0)> ii. Set the topic: (config service mqtt client 0 topic_acl 0)> topic value (config service mqtt client 0 topic_acl 0)> where value is one of:
  • Page 781 (Optional) Set a string that identifies the listener and is sent to the clients: (config)> service mqtt encryption identifier string (config)> b. Enable the PSK identity sent by the client to be used as its username: (config)> service mqtt encryption use_identity_as_username true (config)>
  • Page 782 (config service mqtt topic_acl anonymous 0)> c. Set the topic: (config service mqtt topic_acl anonymous 0)> topic value (config service mqtt topic_acl anonymous 0)> where value is one of: The topic. The single-level wildcard, +. The multi-level wildcard, #.
  • Page 783 If a variable is used, it can be the only text for that level of the hierarchy. d. Set the access type to apply to the topic: (config service mqtt topic_acl pattern 0)> access value (config service mqtt topic_acl pattern 0)> where value is one of: deny read
  • Page 784: Show Mqtt Broker Information

    Command line Show MQTT broker information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 785: Use The Iperf Service

    Type quit to disconnect from the device. Use the iPerf service Your IX20 device includes an iPerf3 server that you can use to test the performance of your network. iPerf3 is a command-line tool that measures the maximum network throughput an interface can handle.
  • Page 786 To enable the iPerf3 server:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 787 No limit to IPv6 addresses that can access the iperf service. d. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: a. Click Interfaces.
  • Page 788  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 789 (config)> ... firewall zone ? Zones: A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists. Additional Configuration -------------------------------------------------------- ----------------------- dynamic_routes edge external hotspot internal ipsec loopback setup (config)>
  • Page 790: Example Performance Test Using Iperf3

    IP address, interfaces, and/or zones. To enable the iPerf3 server: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights.
  • Page 791 Configure the ping responder service 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
  • Page 792  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 793 No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config)> add service iperf acl interface end value (config)>...
  • Page 794: Example Performance Test Using Iperf3

    Example performance test using iPerf3 On a remote host with iPerf3 installed, enter the following command: $ iperf3 -c device_ip where device_ip is the IP address of the IX20 device. For example: $ iperf3 -c 192.168.2.1 Connecting to host 192.168.2.1, port 5201 4] local 192.168.3.100 port 54934 connected to 192.168.1.1 port 5201...
  • Page 795 - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bandwidth Retr 0.00-10.00 315 MBytes 264 Mbits/sec sender 0.00-10.00 313 MBytes 262 Mbits/sec receiver iperf Done.
  • Page 796 Applications The IX20 supports Python 3.6 and provides you with the ability to run Python applications on the device interactively or from a file. You can also specify Python applications and other scripts to be run each time the device system restarts, at specific intervals, or at a specified time.
  • Page 797: Develop Python Applications

    Digi IoT PyCharm Plugin to help you while writing, building, and testing your application. Create and test a Python application. In addition to the standard Python library, the IX20 includes a set of extensions to access its configuration and interfaces. See Python modules.
  • Page 798: Set Up The Ix20 For Python Development

    Set up the IX20 for Python development 1. Access the IX20 local web interface a. Use an Ethernet cable to connect the IX20 to your local laptop or PC. The factory default IP address is 192.168.2.1 b. Log into the IX20 WebUI as a user with full admin access rights.
  • Page 799 Develop Python applications Develop an application in PyCharm The Digi IoT PyCharm Plugin allows you to write, build and run Python applications for Digi devices in a quick and easy way. See the Digi XBee PyCharm IDE Plugin User Guide for details.
  • Page 800 """ def handle(self): # self.request is the TCP socket connected to the client self.data = self.request.recv(1024).strip() print("{} wrote:".format(self.client_address[0])) print(self.data) # just send back the same data, but upper-cased self.request.sendall(self.data.upper())
  • Page 801 Create a custom firewall rule  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 802: Python Modules

     Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 803 Digidevice module section. Digidevice module The Python digidevice module provides platform-specific extensions that allow you to interact with the device’s configuration and interfaces. The following submodules are included with the digidevice module: This section contains the following topics:
  • Page 804 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.
  • Page 805 Get help executing a CLI command from Python by accessing help for cli.execute: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.
  • Page 806 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.
  • Page 807 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.
  • Page 808 Read the device configuration 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.
  • Page 809 Use the set() and commit() methods to modify the device configuration: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.
  • Page 810 Get help for reading and modifying the device configuration by accessing help for digidevice.config: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.
  • Page 811 Applications Develop Python applications Use Remote Manager's SCI interface to create SCI requests that are sent to your IX20 device, and use the device_request module to send responses to those requests to Remote Manager. See the Digi Remote Manager Programmers Guide for more information on SCI.
  • Page 812 Remote Manager. 1. Create a Python application, called showsystem.py, that uses the digidevice.cli module to create a response containing information about the device and the device_request module to respond with this information to a request from Remote Manager:
  • Page 813 This can be done from either the WebUI or the command line:  i. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. ii. Access the device configuration: Remote Manager: i.
  • Page 814 Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 815 Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.
  • Page 816 7. For the device_request element, replace the value of target_name with showSystem. This matches the target parameter of the device_request.register function in the showsystem.py application. <device_request target_name="showSystem"> 8. Click Send. You should receive a response similar to the following: <sci_reply version="1.0"> <data_service> <device id="00000000-00000000-0000FFFF-A83CF6A3"/> <requests> <device_request target_name="showSystem" status="0">Model
  • Page 817 Applications Develop Python applications : Digi IX20 Serial Number : IX20-000068 Hostname : IX20 : 00:40:D0:13:35:36 Hardware Version : 50001959-01 A Firmware Version : 23.9.74.0 Bootloader Version Firmware Build Date : Fri, Sept 29, 2023 12:10:00 Schema Version : 461...
  • Page 818 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.
  • Page 819 Use the keys() and get() methods to read the device configuration: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.
  • Page 820 Use the set() method to modify the runtime database: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.
  • Page 821 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 822 Upload a custom name 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.
  • Page 823 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 824 You can update this snapshot: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.
  • Page 825 You can update this snapshot 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.
  • Page 826 Get help for the digidevice location module: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.
  • Page 827 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.
  • Page 828 Get help for the digidevice maintenance module: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.
  • Page 829 5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). The digidevice led submodule Use the led submodule to redefine the purpose of any front-panel LED on the IX20 device. With this submodule, you can: Gain control of the LED with the led.acquire() function.
  • Page 830: The Use(Led) Function

    To create a function that acquires control of the power LED, sets it to a state of fast flashing, and then releases control when the function has completed, use the following code in a Python application: with use(Led.POWER) as pwr: pwr(State.FLASH)
  • Page 831: Releasing The Leds To System Control

    Use Python to control the color of multi-colored LEDs One or more LEDs in the IX20 are RGB (red, green, and blue) LEDs, capable of producing a wide range of colors. You can use the digidevice.led Python module to control the color as well as the state of these LEDs.
  • Page 832 Cyan flashing Led.ETH FLASH Led.ONLINE FLASH The digidevice led submodule for a definition of the IX20's LEDs, including RGB LEDs, and the names of the attributes for each LED that will be used by the digidevice.led module.
  • Page 833: Example: Set The Lte Connection Indicator To Flashing Purple

    SMS scripting. Enable the ability to schedule SMS scripting  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
  • Page 834  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 835 __name__ == '__main__': if len(sys.argv) > 1: dest = sys.argv[1] else: dest = '+15005550006' my_callback = Callback(sms_test_callback, metadata=True) send_sms(dest, 'Hello World!') print("Please send an SMS message now.") print("Execution halted until a message is received or 60 seconds have
  • Page 836 = 'OK' send_sms(dest, 'CLI results: ' + response) print (response) COND.acquire() COND.notify() COND.release() def send_sms(destination, msg): print("sending SMS message", msg) if len(destination) == 10: destination = "+1" + destination send(destination, msg) if __name__ == '__main__':
  • Page 837 SMS messages") os._exit(0) Use Python to access serial ports You can use the Python serial module to access serial ports on your IX20 device that are configured to be in Application mode. See Configure Application mode for information about configuring a serial port in Application mode.
  • Page 838 6. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Use the Paho MQTT Python library Your IX20 device includes support for the Paho MQTT Python library. MQTT is a lightweight messaging protocol used to communicate with various applications including cloud-based applications such as Amazon Web Services and Microsoft Azure.
  • Page 839 MQTT server") client.subscribe(PREFIX_CMD + "/system") def on_message(client, userdata, msg): """ Supporting only a single topic for now, no need for filters Expects the following message format: "cid": "<client-id>", "cmd": "<command>", "params": { <optional_parameters>
  • Page 840 + "/leases", json.dumps(leases, separators=(',',':'))) except: print("Failed to open DHCP leases file") def publish_system(): avg1, avg5, avg15 = runt.get("system.load_avg").split(', ') ram_used = runt.get("system.ram.per") disk_opt = runt.get("system.disk./opt.per") disk_config = runt.get("system.disk./etc/config.per") msg = json.dumps({ "load_avg": { "1min": avg1, "5min": avg5, "15min": avg15
  • Page 841: Set Up The Ix20 To Automatically Run Your Applications

    Applications Set up the IX20 to automatically run your applications "disk_usage": { "/opt": disk_opt, "/etc/config:": disk_config, "ram": ram_used client.publish(PREFIX_EVENT + "/system", json.dumps(msg)) runt.start() serial = runt.get("system.serial") PREFIX = "router/" + serial PREFIX_EVENT = "event/" + PREFIX PREFIX_CMD = "cmd/" + PREFIX PREFIX_RSP = "rsp/"...
  • Page 842 Whether the script should run one time only. Task one: Upload the application  Log into the IX20 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Administration, click File System. The File System page appears.
  • Page 843  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 844 Applications Set up the IX20 to automatically run your applications 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 845 Applications Set up the IX20 to automatically run your applications Custom scripts are enabled by default. To disable, toggle off Enable. 5. (Optional) For Label, provide a label for the script. 6. For Run mode, select the mode that will be used to run the script. Available options are: On boot: The script will run once each time the device boots.
  • Page 846  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 847 Applications Set up the IX20 to automatically run your applications boot: The script will run once each time the device boots. If boot is selected, set the action that will be taken when the script completes: (config system schedule script 0)> exit_action action (config system schedule script 0)>...
  • Page 848 Applications Set up the IX20 to automatically run your applications (config system schedule script 0)> commands python "/etc/config/scripts/test.py" (config system schedule script 0)> If the script begins with #!, then the script will be invoked in the location specified by the path for the script command.
  • Page 849: Show Script Information

     Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 850  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 851: Start An Interactive Python Session

    1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.
  • Page 852 IX20 device. local-path is the location on the IX20 device where the copied file will be placed. IX20 User Guide...
  • Page 853: Configure Scripts To Run Manually

    You can also create scripts by using the vi command when logged in with shell access. 2. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.
  • Page 854  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 855: Task Two: Configure The Application To Run Automatically

    This feature does not provide syntax or error checking. Certain commands can render the device inoperable. Use with care.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 856 If neither option is selected, only the script's exit code is written to the system log. 9. For Maximum memory, enter the maximum amount of memory available to be used by the script and its subprocesses, using the format number{b|bytes|KB|k|MB|MB|M|GB|G|TB|T}. IX20 User Guide...
  • Page 857  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 858 10. Sandbox is enabled by default. This option protects the script from accidentally destroying the system it is running on. (config system schedule script 0)> sandbox true (config system schedule script 0)> 11. Save the configuration and apply the change (config)> save Configuration saved. > IX20 User Guide...
  • Page 859: Start A Manual Script

     Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 860 4. Save the configuration and apply the change (config)> save Configuration saved. > 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
  • Page 861 User authentication methods Authentication groups Local users Terminal Access Controller Access-Control System Plus (TACACS+) Remote Authentication Dial-In User Service (RADIUS) LDAP Configure serial authentication Disable shell access Set the idle timeout for IX20 users Example user configuration IX20 User Guide...
  • Page 862: Ix20 User Authentication

    User authentication IX20 user authentication IX20 user authentication User authentication on the IX20 has the following features and default configuration: Default Feature Description configuration Idle timeout 10 minutes Determines how long a user session can be idle before the system automatically disconnects.
  • Page 863 TACACS+: Users authenticated by using a remote TACACS+ server for authentication. Terminal Access Controller Access-Control System Plus (TACACS+) for information about configuring TACACS+ authentication. LDAP: Users authenticated by using a remote LDAP server for authentication. LDAP for information about configuring LDAP authentication. IX20 User Guide...
  • Page 864: Add A New Authentication Method

    The types of authentication method to be used: To add an authentication method:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 865 This procedure describes how to add methods to various places in the list. 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 866: Delete An Authentication Method

    Type quit to disconnect from the device. Delete an authentication method  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager:...
  • Page 867  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 868: Rearrange The Position Of Authentication Methods

    To reorder these so that RADIUS is first and Local users is second: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 869  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 870: Authentication Groups

    Differences between standard firmware operation and Primary Responder mode. Serial access: Users with Serial access have the ability to log into the IX20 device by using the serial console. Preconfigured authentication groups The IX20 device has two preconfigured authentication groups: The admin group is configured by default to have full Admin access.
  • Page 871 The preconfigured authentication groups cannot be deleted, but the access rights defined for the group are configurable. This section contains the following topics: Change the access rights for a predefined group Add an authentication group Delete an authentication group IX20 User Guide...
  • Page 872: Change The Access Rights For A Predefined Group

    By default, two authentication groups are predefined: admin and serial. To change the access rights of the predefined groups:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 873  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 874: Add An Authentication Group

    Access rights to captive portals, and the portals to which they have access. Access rights to query the device for Nagios monitoring. To add an authentication group:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. IX20 User Guide...
  • Page 875 User authentication Authentication groups 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
  • Page 876 Full access or Read-only access. where value is either: Full access full: provides users of this group with the ability to manage the IX20 device by using the WebUI or the Admin CLI. Read-only access read-only: provides users of this group with read-only access to the WebUI and Admin CLI.
  • Page 877  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 878 7. (Optional) Enable users that belong to this group to access the Wi-Fi scanning service: (config)> auth group group test acl wifi_scanner enable true (config)> 8. Save the configuration and apply the change (config)> save Configuration saved. > IX20 User Guide...
  • Page 879: Delete An Authentication Group

    To delete an authentication group that you have created:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 880  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 881: Local Users

    TACACS+ or RADIUS. Local user authentication is enabled by default, with one preconfigured default user. Default user At manufacturing time, each IX20 device comes with a default user configured as follows: Username: admin. Password: The default password is displayed on the label on the bottom of the device.
  • Page 882: Change A Local User's Password

    Local users Change a local user's password To change a user's password:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 883  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 884: Configure A Local User

    Whether to allow passcode reuse (time based verification only). The passcode refresh interval (time based verification only). The valid code window size. The login limit. The login limit period. One-time use eight-digit emergency scratch codes. To configure a local user:  IX20 User Guide...
  • Page 885 User authentication Local users 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 886 8. Add groups for the user. Groups define user access rights. See Authentication groups for information about configuring groups. a. Click to expand Groups. b. For Add Group, click . c. For Group, select an appropriate group. IX20 User Guide...
  • Page 887 Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Login limit period to ten minutes, enter 10m or 600s. j. Scratch codes are emergency codes that may be used once, at any time. To add a scratch code: IX20 User Guide...
  • Page 888  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 889 Where n is the index number of the authentication method to be deleted. For example, to delete the serial group as displayed by the example show command, above: (config auth user new_user)> del group 1 (config auth user new_user)> 8. (Optional) Add SSH keys for the user to use passwordless SSH login:
  • Page 890 For time-based verification only, configure the code refresh interval. This is the amount of time that a code will remain valid. (config auth user new_user 2fa)> refresh_interval value (config auth user new_user 2fa)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. IX20 User Guide...
  • Page 891 (config auth user new_user 2fa scratch_code)> add end code (config auth user new_user 2fa scratch_code)> Where code is an eight-digit number, with a minimum of 10000000. iii. To add additional scratch codes, use the add end code command again.
  • Page 892: Delete A Local User

    Delete a local user To delete a user from your IX20:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 893  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 894: Terminal Access Controller Access-Control System Plus (Tacacs+)

    With TACACS+ support, the IX20 device acts as a TACACS+ client, which sends user credentials and connection parameters to a TACACS+ server over TCP. The TACACS+ server then authenticates the TACACS+ client requests and sends back a response message to the device.
  • Page 895: Tacacs+ User Configuration

    The groupname attribute is optional. If used, the value must correspond to authentication groups configured on your IX20. Alternatively, if the user is also configured as a local user on the IX20 device and the LDAP server authenticates the user but does not return any groups, the local configuration determines the list of groups.
  • Page 896: Tacacs+ Server Failover And Fallback To Local Authentication

    $ sudo /etc/init.d/tacacs_plus restart TACACS+ server failover and fallback to local authentication In addition to the primary TACACS+ server, you can also configure your IX20 device to use backup TACACS+ servers. Backup TACACS+ servers are used for authentication requests when the primary TACACS+ server is unavailable.
  • Page 897 The TACACS+ server port. It is configured to 49 by default. Add additional TACACS+ servers in case the first TACACS+ server is unavailable.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 898 TACACS+ login fails. 6. (Optional) For Group attribute, type the name of the attribute used in the TACACS+ server's configuration to identify the IX20 authentication group or groups that the user is a member of. For example, in TACACS+ user configuration, the group attribute in the sample tac_plus.conf...
  • Page 899  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 900 10. Save the configuration and apply the change (config)> save Configuration saved. > 11. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
  • Page 901: Remote Authentication Dial-In User Service (Radius)

    To use RADIUS authentication, you must set up a RADIUS server that is accessible by the IX20 device prior to configuration. The process of setting up a RADIUS server varies by the server environment. An example of a RADIUS server is FreeRADIUS.
  • Page 902: Radius User Configuration

    (password verification) and authorization (assigning the access level of the user). Additional RADIUS servers can be configured as backup servers for user authentication. This section outlines how to configure a RADIUS server to be used for user authentication on your IX20 device.
  • Page 903: Configure Your Ix20 Device To Use A Radius Server

    Add additional RADIUS servers in case the first RADIUS server is unavailable. The server NAS ID. If left blank, the default value is used: If you are accessing the IX20 device by using the WebUI, the default value for NAS ID is httpd.
  • Page 904 6. (Optional) Click RADIUS debug to enable additional debug messages from the RADIUS client. 7. (Optional) For NAS ID, type the unique identifier for this network access server (NAS). You can use the fully-qualified domain name of the NAS or any arbitrary string. If not set, the default IX20 User Guide...
  • Page 905 Remote Authentication Dial-In User Service (RADIUS) value is used: If you are accessing the IX20 device by using the WebUI, the default value for NAS ID is httpd. If you are accessing the IX20 device by using ssh, the default value is sshd.
  • Page 906: Ldap

    LDAP default value is used: If you are accessing the IX20 device by using the WebUI, the default value for NAS ID is httpd. If you are accessing the IX20 device by using ssh, the default value is sshd.
  • Page 907 When you are using LDAP authentication, you can have both local users and LDAP users able to log in to the device. To use LDAP authentication, you must set up an LDAP server that is accessible by the IX20 device prior to configuration. The process of setting up an LDAP server varies by the server environment.
  • Page 908: Ldap User Configuration

    (password verification) and authorization (assigning the access level of the user). Additional LDAP servers can be configured as backup servers for user authentication. This section outlines how to configure an LDAP server to be used for user authentication on your IX20 device.
  • Page 909: Ldap Server Failover And Fallback To Local Configuration

    LDAP server failover and fallback to local configuration In addition to the primary LDAP server, you can also configure your IX20 device to use backup LDAP servers. Backup LDAP servers are used for authentication requests when the primary LDAP server is unavailable.
  • Page 910 User authentication LDAP 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 911 If this attribute is not set, the user will be denied access. 12. (Optional) For Group attribute, type the name of the user attribute that contains the list of IX20 authentication groups that the authenticated user has access to. See LDAP user configuration for further information about the group attribute.
  • Page 912  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 913 . If this attribute is not set, the user will be denied access. 10. (Optional) Set the name of the user attribute that contains the list of IX20 authentication groups that the authenticated user has access to. See...
  • Page 914: Configure Serial Authentication

    Configure serial authentication This section describes how to configure authentication for serial access.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 915  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 916: Disable Shell Access

    To prohibit access to the shell prompt for all authentication groups, disable the Allow shell parameter. This does not prevent access to the Admin CLI. Note: If shell access is disabled, re-enabling it will erase the device's configuration and perform a factory reset.
  • Page 917 User authentication Disable shell access 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 918: Set The Idle Timeout For Ix20 Users

    Idle timeout parameter. By default, the Idle timeout is set to 10 minutes.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 919  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 920 User authentication Set the idle timeout for IX20 users where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set idle_timeout to ten minutes, enter either 10m or 600s: (config)> auth idle_timeout 600s (config)>...
  • Page 921: Example User Configuration

    Goal: To create a user with administrator rights who is authenticated locally on the device.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 922  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 923 (config auth user adminuser)> password pwd (config auth user adminuser)> 7. Assign the user to the admin group: (config auth user adminuser)> add group end admin (config auth user adminuser)> 8. Save the configuration and apply the change IX20 User Guide...
  • Page 924: Example 2: Radius, Tacacs+, And Local Authentication For One User

    Goal: To create a user with administrator rights who is authenticated by using all three authentication methods. In this example, when the user attempts to log in to the IX20 device, user authentication will occur in the following order: 1. The user is authenticated by the RADIUS server. If the RADIUS server is unavailable, 2.
  • Page 925 The authentication group on the IX20 device, admin, is identified in the groupname parameter. c. Save and close the tac_plus.conf file. 3. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 4. Access the device configuration:...
  • Page 926 User authentication Example user configuration a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
  • Page 927 1. Configure a user on the RADIUS server: a. On the Ubuntu machine hosting the FreeRADIUS server, open the /etc/freeradius/3.0/users file: $ sudo gedit /etc/freeradius/3.0/users b. Add a RADIUS user to the users file: admin1 Cleartext-Password := "password1" Unix-FTP-Group-Names := "admin"
  • Page 928 Save and close the tac_plus.conf file. 3. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 929 Assign a password to the user: (config auth user adminuser)> password password1 (config auth user adminuser)> c. Assign the user to the admin group: (config auth user adminuser)> add group end admin (config auth user adminuser)> IX20 User Guide...
  • Page 930 (config auth user adminuser)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
  • Page 931 Firewall This chapter contains the following topics: Firewall configuration Port forwarding rules Packet filtering Configure custom firewall rules Configure captive portals Configure Quality of Service options Web filtering IX20 User Guide...
  • Page 932: Firewall Configuration

    To create a zone:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 933  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 934: Configure The Firewall Zone For A Network Interface

    This example procedure uses an existing network interface named ETH2 and changes the firewall zone from the default zone, Internal, to External.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 935  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 936: Delete A Custom Firewall Zone

    Delete a custom firewall zone You cannot delete preconfigured firewall zones. To delete a custom firewall zone:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 937: Port Forwarding Rules

    Firewall Port forwarding rules 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 938 A white list of devices, based on either IP address or firewall zone, that are authorized to leverage this forwarding rule. To configure a port forwarding rule:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 939  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 940 5. Set the IP version. Allowed values are ipv4 and ipv6. The default is ipv4. (config firewall dnat 0)> ip_version ipv6 (config firewall dnat 0)> 6. Set the public-facing port number that network connections must use for their traffic to be forwarded. IX20 User Guide...
  • Page 941 (config firewall dnat 0 acl)> add address6 end ip-address (config firewall dnat 0 acl)> Repeat for each appropriate IP address. To specify the firewall zone for white listing: (config firewall dnat 0 acl)> add zone end zone
  • Page 942: Delete A Port Forwarding Rule

    Delete a port forwarding rule To delete a port forwarding rule:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 943  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 944 5. Save the configuration and apply the change (config)> save Configuration saved. > 6. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
  • Page 945: Packet Filtering

    ICMP ICMP6 To configure a packet filtering rule:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 946 Accept: Allows matching network connections. Reject: Blocks matching network connections, and sends an ICMP error if appropriate. Drop: Blocks matching network connections, and does not send a reply. 6. Select the IP version. 7. Select the Protocol. IX20 User Guide...
  • Page 947  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 948 7. Set the IP version. (config firewall filter 1)> ip_version value (config firewall filter 1)> where value is one of: ipv4 ipv6 The default is any. 8. Set the protocol. (config firewall filter 1)> protocol value (config firewall filter 1)> IX20 User Guide...
  • Page 949: Enable Or Disable A Packet Filtering Rule

    Enable or disable a packet filtering rule To enable or disable a packet filtering rule:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 950  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 951: Delete A Packet Filtering Rule

    Delete a packet filtering rule To delete a packet filtering rule:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 952  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 953: Configure Custom Firewall Rules

    To configure custom firewall rules:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 954  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 955 6. Save the configuration and apply the change (config)> save Configuration saved. > 7. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
  • Page 956: Configure Captive Portals

    Captive portals are available on the IX20W Wi-Fi enabled model only. To configure captive portals: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 957 12. (Optional) For Redirect to URL, enter the URL to which the user will be directed when granted access to the portal. If left blank, the user will be directed to the domain of the URL in the original access request. IX20 User Guide...
  • Page 958  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 959 (config firewall portal portal1)> 10. (Optional) Set the terms and conditions that will appear on the portal page. Users will be required to agree to the terms and conditions before being granted access to the portal.
  • Page 960: Delete Captive Portals

    Type quit to disconnect from the device. Delete captive portals To delete captive portals:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 961: Configure Quality Of Service Options

     Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 962 These example bindings are disabled by default. Enable the preconfigured bindings  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 963 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 964 Type quit to disconnect from the device. Create a new binding  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 965 10, each policy will be allocated one third of the total interface bandwidth. e. For Latency, type the maximum delay before the transmission of packets. A lower latency means that the packets will be scheduled more quickly for transmission.
  • Page 966 MAC address: Only traffic from the MAC address typed in MAC address will be matched. ix. Click to expand Destination address and select the Type: Any: Traffic destined for anywhere will be matched. Interface: Only traffic destined for the selected Interface will be matched.
  • Page 967  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 968 1 and 65535. The default is 10. e. Set the maximum delay before the transmission of packets. A lower number means that the packets will be scheduled more quickly for transmission.
  • Page 969 Set the IP protocol matching criteria for this rule: (config firewall qos 2 policy 0 rule 0)> protocol value (config firewall qos 2 policy 0 rule 0)> where value is one of tcp, udp, or any.
  • Page 970 (config network qos 2 policy 0 rule 0)> src interface /network/interface/eth1 (config network qos 2 policy 0 rule 0)> address: Only traffic from the IP address typed in IPv4 address will be matched. Set the address that will be matched:
  • Page 971 (config network qos 2 policy 0 rule 0)> dst interface ? Interface: Match the IP address with the specified interface's network address. Format: /network/interface/defaultip /network/interface/defaultlinklocal /network/interface/eth1 /network/interface/eth2 /network/interface/loopback Current value: (config network qos 2 policy 0 rule 0)> dst interface ii. Set the interface. For example:
  • Page 972: Web Filtering

    Type quit to disconnect from the device. Web filtering Web filtering allows you to control access to services that can be accessed through the IX20 device by forwarding all Domain Name System (DNS) traffic to a web filtering service. This allows the network security administrator to configure a set of policies with the web filtering service that are applied to all routing devices with web filtering enabled.
  • Page 973: Configure Web Filtering With Cisco Umbrella

    5. Click Create. 6. Copy the token. Task two: Configure web filtering  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 974  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 975: Configure Web Filtering With Manual Dns Servers

    Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Clear the Cisco Umbrella device ID If the Cisco Umbrella device ID being used by your IX20 is invalid, you can clear the device ID.  Command line 1.
  • Page 976 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 977  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 978: Verify Your Web Filtering Configuration

    DNS servers and uses the Cisco open DNS servers, you can verify the web filtering implementation by using the Cisco test site www.internetbadguys.com. To verify the implementation: This procedure assumes you have already configured web filtering to use either Cisco Umbrella or the Cisco open DNS servers.
  • Page 979 Configure web filtering with manual DNS servers for information about configuring web filtering to use Cisco open DNS servers. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 980 Cisco open DNS servers. 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 981: Show Web Filter Service Information

     Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 982 Containers The IX20 device includes support for LXC Linux containers. LXC containers are a lightweight, operating system level method of virtualization that allows you to run one or more isolated Linux instances on the same host using the host's Linux kernel.
  • Page 983: Use Digi Remote Manager To Deploy And Run Containers

    Use Digi Remote Manager to deploy and run containers Note Container support must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. 1. In Remote Manager, create a Configuration template. See the Remote Manager User Guide instructions.
  • Page 984 i. Click Browse and select the container file. ii. Type the Name of the container. The Name entered here must be the same name as the container .tgz file. This is absolutely necessary, otherwise the container file will not be properly configured on the local devices.
  • Page 985 c. For the Automation step: i. Click to toggle on Enable Scanning. ii. Click to toggle on Remediate. Run a manual configuration scan to apply the container and configuration settings to all applicable devices.
  • Page 986: Use An Automation To Start The Container

    vi. Click the Stream ID to view container status. To verify by using the show containers command on the local device: a. From the Remote Manager main menu, click Management > Devices.
  • Page 987: Upload A New LXC Container

    Is one of the devices included on the Target page. Upload a new LXC container  Log into the IX20 WebUI as a user with full Admin access rights. 1. From the main menu, click Status. Under Services, click Containers. 2. Click Upload New Container.
  • Page 988: Configure A Container

    The network gateway. Serial ports on the device that the container will have access to.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 989 (Optional) Enter a static IP Address and netmask for the container. This must be a valid IP address for the bridge, or, if left blank, a DHCP server can assign the container an IP address. c. (Optional) For Gateway, type the IP address of the network gateway.
  • Page 990  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 991 (config system container name)> restart_timeout value (config system container name)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set restart_timeout to ten minutes, enter either 10m or 600s:
  • Page 992 Determine available serial ports: (config system container name)> ... serial Serial Additional Configuration --------------------------------------------------------------------- ---------- port1 Port 1 (config system container name)> b. Add the port: (config system container name)> add ports end port1 (config system container name)>
  • Page 993: Starting And Stopping The Container

    To start the container in non-persistent mode: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.
  • Page 994: Stopping The Container

    View the status of containers 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.
  • Page 995: Show Status Of All Containers

    1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 996: Schedule A Script To Run In The Container

    1. Start the container in non-persistent mode. 2. Execute a ping command every ten seconds from inside the container.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 997  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 998: Create A Custom Container

    In this example, we will use a simple container file named test_lxc.tgz. You can download test_lxc.tgz from the Digi website. At the command line of a Linux host, we will unpack the file, add a simple python script, and create a new container file that includes the python script.
  • Page 999: Create The Custom Container File

    Test the custom container file 1. Add the new container to your IX20 device: Log into the IX20 WebUI as a user with full Admin access rights. a. From the main menu, click Status. Under Services, click Containers. b. Click Upload New Container.
  • Page 1000 Click Apply. 2. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.

Table of Contents