Digi TX40 User Manual

page of 1150

/ 1150
Contents
Table of Contents
Bookmarks

Table of Contents

Quick Links

Download this manual

TX40

User Guide

Firmware version 23.9

Table of Contents

Need help?

Do you have a question about the TX40 and is the answer not in the manual?

Questions and answers

Summary of Contents for Digi TX40

Page 1 TX40 User Guide Firmware version 23.9...
Page 2 Added information about adding a MACsec tunnel. Trademarks and copyright Digi, Digi International, and the Digi logo are trademarks or registered trademarks in the United States and other countries worldwide. All other trademarks mentioned in this document are the property of their respective owners.
Page 3 Contact us at +1 952.912.3444 or visit us at www.digi.com/support. Feedback To provide feedback on this document, email your comments to techcomm@digi.com Include the document title and part number (TX40 User Guide, 90002528 n) in the subject line of your email. TX40 User Guide...
Page 4: Table Of Contents
What's new in Digi TX40 version 23.9 Digi TX40 Quick Start Step 1: Connect your device Step 2: Connect DCpower Step 3: Set up access to Digi Remote Manager Step 4: Register your device Step 5: Complete setup Step 6: Configure cellular APN...
Page 5 Using the local web interface Log out of the web interface Use the local REST API to configure the TX40 device Use the GET method to return device configuration information Use the POST method to modify device configuration parameters and list arrays...
Page 6 Configure Remote Access mode Configure Application mode Configure PPP dial-in mode Configure UDP serial mode Configure Modem emulator mode Configure Modbus mode Add a USB serial port Show serial status and statistics Review the serial port message log TX40 User Guide...
Page 7 Configure a static route Delete a static route Policy-based routing Configure a routing policy Example: Dual WAN policy-based routing Example: Domain-based routing with dual WAN Example: Route traffic to a specific WAN interface based on the client MAC address TX40 User Guide...
Page 8 Dynamic Multipoint VPN (DMVPN) Configure a DMVPN spoke L2TP Configure a PPP-over-L2TP tunnel L2TP with IPsec Show L2TP tunnel status L2TPv3 Ethernet Configure an L2TPv3 tunnel Show L2TPV3 tunnel status MACsec Configure a MACsec tunnel NEMO Configure a NEMO tunnel TX40 User Guide...
Page 9 Configure telnet access Configure DNS Show DNS server WAN bonding Use Digi Remote Manager to enable and configure WAN bonding on multiple devices Configure WAN bonding on your local device Show WAN bonding status and statistics Simple Network Management Protocol (SNMP)
Page 10 Set up the TX40 for Python development Create and test a Python application Python modules Set up the TX40 to automatically run your applications Configure scripts to run automatically Show script information Stop a script that is currently running Start an interactive Python session...
Page 11 Configure web filtering with manual DNS servers Verify your web filtering configuration Show web filter service information Containers Use Digi Remote Manager to deploy and run containers Use an automation to start the container Upload a new LXCcontainer Configure a container...
Page 12 Use intelliFlow to display top data usage information 1022 Use intelliFlow to display data usage by host over time 1024 Configure NetFlow Probe 1025 File system The TX40 local file system 1031 Display directory contents 1031 Create a directory 1032 Display file contents...
Page 13 Ping to check internet connection 1076 Stop ping commands 1076 Use the traceroute command to diagnose IP routing problems 1076 Digi TX40 regulatory and safety statements RF exposure statement 1078 Federal Communication (FCC) Part 15 Class B 1078 Radio Frequency Interference (RFI) (FCC15.105)
Page 14 1127 modem pin disable 1127 modem pin enable 1128 modem pin status 1128 modem pin unlock 1128 modem puk status 1128 modem puk unlock 1129 modem reset 1129 modem scan 1129 modem sim-slot 1129 TX40 User Guide...
Page 15 1141 show vrrp 1141 show wan-bonding 1141 show web-filter 1141 show wifi ap 1142 show wifi client 1142 show wifi-scanner 1142 show wifi-scanner blocklist 1143 show wifi-scanner candidates 1143 show wifi-scanner log 1143 speedtest 1143 TX40 User Guide...
Page 16 1147 system serial save 1147 system serial show 1147 system support-report 1148 system time set 1148 system time sync 1148 system time test 1148 tail 1149 telnet 1149 traceroute 1149 calibrate analog input ports 1150 TX40 User Guide...
Page 17: What's New In Digi Tx40 Version 23.9
What's new in Digi TX40 version 23.9 Release of Digi TX40 firmware version 23.9: Register a device to DRM: Added a link to the Dashboard of the local web UI to register and add the device to Digi Remote Manager. Updated Dashboard: Updated the layout of the Dashboard page of the web UI to combine the network interface and cellular modem details into a single Network Activity panel.
Page 18: Digi Tx40 Quick Start
TX40 features to operate correctly. 3. (Optional) Using an Ethernet cable, connect the TX40's WAN/ETH1 port to the internet, such as an office network or LAN Ethernet port in an office environment.
Page 19: Step 3: Set Up Access To Digi Remote Manager
Step 3: Set up access to Digi Remote Manager Connection Ignition sense The Ignition sense line needs to be high in order for the TX40 to boot up. It can be connected to the +VE terminal if using a power supply. Positive (+VE)
Page 20: Step 6: Configure Cellular Apn
Digi TX40 Quick Start Step 6: Configure cellular APN 3. Click Done when the firmware update is complete. Step 6: Configure cellular APN If you installed a SIM in step 1, the device will attempt to setup the APN automatically. However, if your SIM was set up with a custom APN, you will need to configure it manually: 1.
Page 21: Digi Tx40 Hardware Reference
TX40 key features The Digi TX40 is a 5Grouter. Key features include: Some models of the Digi TX40 supports 5G, the fifth generation cellular networking technology, with 4Gfallback. In order to take advantage of the 5Gcapabilities of the device, you must use a SIM that has been provisioned for 5Gsupport.
Page 22: Tx40 Leds
TX40 LEDs. TX40 LEDs The TX40 LEDs are located on the top front panel. The number of LEDs varies by model. During bootup, the front-panel LEDs light up in sequence to indicate boot progress. WWAN Indicates strength of cellular signal.
Page 23: Gnss Service
Right LED (on top of port connector) Off: No Ethernet link detected. Solid green: 10/100 Mbps link detected. Solid amber: 1000 Mbps link detected. TX40 back view The following figures shows the back view of the TX40. 5Gmodels: TX40 User Guide...
Page 24: Tx40 5Gantennas
Digi TX40 hardware reference TX40 5Gantennas 4GLTE models: Item Description Antenna Connect antennas. connectors Note For information about the 5Gantenna configurations and supported bandwidths, see TX40 5Gantennas. Power Connect power. TX40 5G antennas Each antenna connector has different characteristics that support specific functionality. Make sure to attach the correct antenna to its corresponding connector.
Page 25 Digi TX40 hardware reference TX40 5Gantennas Antenna Port Technology WWAN3 WCDMA B1, B2, B4, B5, B6, B8, B19 B1, B2, B3, B4, B5, B7, B8, B12, B13, B14, B17, B18, B19, B20, B25, B26, B28, B29 (SDL), B30, B32(SDL), B34, B38, B39, B40,...
Page 26: Digi Tx40 Serial Connector Pinout
Digi TX40 hardware reference Digi TX40 serial connector pinout Digi TX40 serial connector pinout The TX40 is a DTE device. The pinout for the DB9 serial connector is as follows: Direction RS232 Signal name signal DB9 pin number Transmit Data...
Page 27 Digi TX40 hardware reference QRcode definition ProductName;DeviceID;Password;SerialNumber;SKUPartNumber-SKUPartRevision Example TX40;00000000-00000000-00409DFF-FF112233;1234567890;50002129-01-A TX40 User Guide...
Page 28: Hardware Setup
Hardware setup This chapter contains the following topics: Install SIM cards Connect data cables Connect antennas Mount the TX40 to a mounting surface Connect power TX40 User Guide...
Page 29: Install Sim Cards
Install SIM cards To install SIM cards: 1. On the TX40 front panel, use a screwdriver to remove the SIM slot cover. 2. For high-vibration environments, SIM card contact fretting may cause unexpected SIM card failures. To help avoid this, apply a thin layer of dielectric grease to the SIM contacts. See...
Page 30: Connect Antennas
Connect the TX40 power cable to a power source. Vehicle installation The TX40 shall be powered from a 5 A fused circuit or shall be installed with an in-line Slow Blow fuse rated at 5 A. Maximum ambient operating temperature is limited to 74°C.
Page 31: Mount And Ground Chassis
Hardware setup Connect power Mount and ground chassis If you intend to install the TX40 in a vehicle, follow these directions for mounting and grounding the device. Note Always follow the vehicle manufacturer recommendations for electrical accessories connections. Mount the device following these general guidelines: Device position allows easy access to all ports located on the back of the device.
Page 32: Tx40 Power Connector
The TX40 has a power connector located on the back of the device: Connection Ignition sense The Ignition sense line needs to be high in order for the TX40 to boot up. It can be connected to the +VE terminal if using a power supply. Positive (+VE)
Page 33 Change the default SSIDs and pre-shared keys for the preconfigured Wi-Fi access points Configuration methods Using Digi Remote Manager Using the local web interface Use the local REST API to configure the TX40 device Using the command line TX40 User Guide...
Page 34: Firmware Configuration
Firmware configuration Review TX40 default settings Review TX40 default settings You can review the default settings for your TX40 device by using the local WebUI or Digi Remote Manager: Local WebUI 1. Log into the TX40 WebUI as a user with Admin access. See Using the local web interface details.
Page 35 Firmware configuration Review TX40 default settings Interface type Preconfigured interfaces Devices Default configuration Local Area Bridge: LAN Firewall zone: Networks (LANs) Internal IP address: 192.168.2.1/24 DHCP server enabled LAN priority: Metric=5 LAN hotspot Bridge: Firewall zone: hotspot_ Internal DHCP server:...
Page 36: Other Default Configuration Settings
(on all hotspots) DHCP server lease range: 100-250 Other default configuration settings Feature Configuration Digi Remote Manager enabled as the central management service. Central management Packet filtering allows all outbound traffic. Security policies SSH and web administration: TX40 User Guide...
Page 37: Primary Responder Mode
Flow control: None Primary Responder mode You can use the Primary Responder mode configuration setting to manually enable the TX40 device to be in an AT&T FirstNet-compliant mode (Primary Responder mode). When a device is in Primary Responder mode, certain firmware features are disabled. See...
Page 38 To enable Primary Responder mode:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. On the Dashboard, verify the current firmware version installed on the device. In the Device section, look at the Firmware Version field and verify that the version is 23.9.x or above.
Page 39: Change The Default Password For The Admin User
To change the default password for the admin user:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 40  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 41: Change The Default Ssids And Pre-Shared Keys For The Preconfigured Wi-Fi Access Points
Differences between standard firmware operation and Primary Responder mode.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 42  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 43: Configuration Methods
Shows how to perform a task by using the command line interface. Using Digi Remote Manager By default, your TX40 device is configured to use Digi Remote Manager as its central management server. Devices must be registered with Remote Manager using one of the following options:...
Page 44: Using The Local Web Interface
Using the local web interface To connect to the TX40 local Web UI: 1. Use an Ethernet cable to connect the TX40's ETH2 port to a laptop or PC. 2. Open a browser and go to 192.168.2.1. 3. Log into the device using a configured user name and password.
Page 45: Use The Local Rest Api To Configure The Tx40 Device
Use the local REST API to configure the TX40 device Your TX40 device includes a REST API that can be used to return information about the device's configuration and to make modifications to the configuration. You can view the REST API specification from your web browser by opening the URL: https://ip-address/cgi-bin/config.cgi...
Page 46 Firmware configuration Use the local REST API to configure the TX40 device (config> service ? Services Additional Configuration ------------------------------------------------------------------- ------------ iperf IPerf location Location mdns Service Discovery (mDNS) modbus_gateway Modbus Gateway multicast Multicast ping Ping responder snmp SNMP telnet Telnet...
Page 47: Use The Post Method To Modify Device Configuration Parameters And List Arrays
Firmware configuration Use the local REST API to configure the TX40 device You can also use the GET method to return the configuration parameters associated with an item: curl -k -u admin https://192.168.210.1/cgi-bin/config.cgi/keys/service/ssh -X Enter host password for user 'admin': { "ok": true, "result": [ "acl", "custom", "enable", "key", "mdns", "port",...
Page 48: Use The Delete Method To Remove Items From A List Array
Firmware configuration Use the local REST API to configure the TX40 device $ curl -g -k -u admin "https://192.168.210.1/cgi- bin/config.cgi/value?path=network.route.static&append=true&collapsed [dst]=1.2.4.0/24&collapsed[interface]=/network/interface/wan" -X POST Enter host password for user 'admin': { "ok": true, "result": "network.route.static.1" } Use the DELETE method to remove items from a list array To remove items from a list array, use the DELETE method.
Page 49: Using The Command Line
Log in to the command line interface  Command line 1. Connect to the TX40 device by using a serial connection, SSH or telnet, or the Terminal in the WebUI or the Console in the Digi Remote Manager. See Access the command line interface more information.
Page 50: Exit The Command Line Interface
Admin CLI s: Shell q: Quit Select access or quit [admin] : Type a or admin to access the TX40 command line. You will now be connected to the Admin CLI: Connecting now... Press Tab to autocomplete commands Press '?' for a list of commands and details...
Page 51: Central Management
Log into Digi Remote Manager Use Digi Remote Manager to view and manage your device Add a device to Remote Manager Configure multiple TX40 devices by using Digi Remote Manager configurations View Digi Remote Manager connection status Learn more TX40 User Guide...
Page 52: Digi Remote Manager Support
This URL is required to utilize the client-side certificate support. Prior to release 22.2.9.x, the default URL was my.devicecloud.com. If your Digi device is configured to use a non-default URL to connect to Remote Manager, updating the firmware will not change your configuration. However, if you erase the device's configuration, the Remote Manager URL will change to the default of edp12.devicecloud.com.
Page 53 HTTP proxy server support. To configure your device's Digi Remote Manager support:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 54 8. (Optional) For Speedtest server, type the name or IP address of the server to use to test the speed of the device's internet connection(s). 9. (Optional) For Retry interval, type the amount of time that the TX40 device should wait before reattempting to connect to remote cloud services after being disconnected. The default is 30 seconds.
Page 55 Within the US: 12029823370 International: 447537431797 d. (Optional) Type the Service identifier. 17. (Optional) Configure the TX40 device to communicate with remote cloud services via one of two methods: Pinhole or Proxy server. If using the Pinhole method, refer to the following If using the Proxy server method: a.
Page 56  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 57 (config)> cloud drm keep_alive 600s (config)> 7. (Optional) Set the amount of time that the TX40 device should wait between sending keep- alive messages to the Digi Remote Manager when using a cellular interface. Allowed values are from 30 seconds to two hours. The default is 290 seconds.
Page 58 Within the US: 12029823370 International: 447537431797 c. (Optional) Set the service identifier: (config)> cloud drm sms sercice_id id (config)> 15. (Optional) Configure the TX40 device to communicate with remote cloud services by using an HTTP proxy server: TX40 User Guide...
Page 59: Collect Device Health Data And Set The Sample Interval
To disable the collection of device health data or enable it if it has been disabled, or to change the health sample interval:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 60  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 61 1, 5, 15, 30, or 60, and represents the number of minutes between uploads of health sample data. 5. By default, the device will only report health metrics values to Digi Remote Manager that have changed health metrics were last uploaded. This is useful to reduce the bandwidth used to report health metrics.
Page 62: Enable Event Log Upload To Digi Remote Manager
To enable the event log upload, or disable it if it has been disabled, and to change the upload interval:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights.
Page 63  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 64: Reach Digi Remote Manager On A Private Network
The device is capable of connecting through an HTTP proxy, such as Squid, but it is up to the network administrator to decide which HTTP proxy type to use. To enable a proxy server and enter the server and port in Digi Remote Manager, see step 17 in Configure your device for Digi Remote Manager support.
Page 65: Log Into Digi Remote Manager
Central management Log into Digi Remote Manager Step 2. Contact Digi Support. Digi Support configures the Digi cloud service to allow your VPN to communicate with Digi Remote Manager. Contact Digi Support at https://www.digi.com/contactus. Log into Digi Remote Manager To start Digi Remote Manager 1.
Page 66: Use Digi Remote Manager To View And Manage Your Device
Use Digi Remote Manager to view and manage your device To view and manage your device: 1. If you have not already done so, connect to your Digi Remote Manager account. 2. From the menu, click Devices to display a list of your devices.
Page 67: Add A Device To Remote Manager Using Your Remote Manager Login Credentials
6. (Optional) Complete the other fields. 1. Click Add Device. Remote Manager adds the TX40 device to your account and it appears in the Device Management view. Add a device to Remote Manager using your Remote Manager login credentials If you want to add a device to Remote Manager, and you do not have its password, you can add it using your Remote Manager login credentials.
Page 68: Configure Multiple Tx40 Devices By Using Digi Remote Manager Configurations
Remote Manager configurations. Typically, if you want to provision multiple TX40 routers: 1. Using the TX40 local WebUI, configure one TX40 router to use as the model configuration for all subsequent TX40s you need to manage. 2. Register the configured TX40 device in your Remote Manager account.
Page 69: View Digi Remote Manager Connection Status
View Digi Remote Manager connection status To view the current Digi Remote Manager connection status from the local device:  1. Log into the TX40 WebUI as a user with full Admin access rights. The dashboard includes a Digi Remote Manager status pane: ...
Page 70: Learn More
Central management Learn more 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 71: Interfaces
Interfaces TX40 devices have several physical communications interfaces. These interfaces can be bridged in a Local Area Network (LAN) or assigned to a Wide Area Network (WAN). This chapter contains the following topics: Wide Area Networks (WANs) Local Area Networks (LANs)
Page 72: Wide Area Networks (Wans)
Wide Area Networks (WANs) Wide Area Networks (WANs) The TX40 device is preconfigured with one Wide Area Network (WAN), named WAN, and one Wireless Wide Area Network (WWAN), named WWAN1. You can modify configuration settings for the existing WAN and WWANs, and you can create new WANs and WWANs.
Page 73: Wide Area Networks (Wans) And Wireless Wide Area Networks (Wwans)
Configured WAN and WWAN interfaces. This example uses the preconfigured WAN and WWAN1 interfaces. The metric for each WAN.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 74 For Metric, type 1. c. Click IPv6. d. For Metric, type 1. 4. Set the metrics for WAN: a. Click Network > Interfaces > WAN > IPv4. b. For Metric, type 2. c. Click IPv6. d. For Metric, type 2. TX40 User Guide...
Page 75  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 76: Wan/Wwan Failover
WAN, and its Ethernet WAN, WAN, as its secondary WAN. WAN/WWAN failover If a connection to a WAN interface is lost for any reason, the TX40 device will immediately fail over to the next WAN or WWAN interface, based on WAN priority. See...
Page 77: Configure Surelink Active Recovery To Detect Wan/Wwan Failures
Problems can occur beyond the immediate WAN/WWAN connection that prevent some IP traffic from reaching its destination. Normally this kind of problem does not cause the TX40 device to detect that the WAN has failed, because the connection continues to work while the core problem exists somewhere else in the network.
Page 78 Otherwise, the device will reboot and all recovery actions listed after the Reboot Device action will be ignored.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 79 When SureLink is configured for Wireless WANs, SureLink tests are only run if the cellular modem is connected and has an IP address. Use the SIM failover options to configure the TX40 device to automatically recover the modem in the event that it cannot obtain an IP address. See Configure a Wireless Wide Area Network (WWAN) for details about SIM failover.
Page 80 Test the interface status: Tests the current status of the interface. The test fails if the interface is down. Failing this test infers that all other tests fail. If Test the interface status is selected, complete the following: TX40 User Guide...
Page 81 11. Add recovery actions: a. Click to expand Recovery actions. By default, there are two preconfigured recovery actions: Update routing: Uses the Change default gateway action, which increases the interface's metric by 100 to change the default gateway. Restart interface. TX40 User Guide...
Page 82 Override wait interval before performing the next recovery action: The time to wait before the next test is run. If set to the default value of 0s, the Test interval is used. TX40 User Guide...
Page 83 Test interface gateway by pinging is used by the Interface gateway Ping test as the endpoint for traceroute to use to determine the interface gateway. The default is 8.8.8.8, and should only be changed if this IP address is not accessible due to networking issues. TX40 User Guide...
Page 84  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 85 Performs a DNS query to the named DNS server. If dns is set, set the IPv4 or IPv6 address of the DNS server: (config network interface my_wan surelink tests 1)> dns_server IP_address (config network interface my_wan surelink tests 1)> TX40 User Guide...
Page 86 For example, to set interface_timeout to ten minutes, enter either 10m or 600s: (config network interface my_wan surelink tests 1)> interface_timeout 600s (config)> custom_test: Tests the interface with custom commands. If custom_test is set, set the commands to run to perform the test: TX40 User Guide...
Page 87 The IPv6 connection must be up. The status required for the test to past. (config network interface my_wan surelink tests 1)> other_ status value (config network interface my_wan surelink tests 1)> where value is one of: TX40 User Guide...
Page 88 Increases the interface's metric to change the default gateway. If update_routing_table is selected, complete the following: Set the number of attempts for this recovery action to perform, before moving to the next recovery action: TX40 User Guide...
Page 89 Set the number of attempts for this recovery action to perform, before moving to the next recovery action: (config network interface my_wan surelink actions 0)> max_ attempts int (config network interface my_wan surelink actions 0)> The default is 3. TX40 User Guide...
Page 90 (config network interface my_wan surelink actions 0)> override_interval int (config network interface my_wan surelink actions 0)> reboot_device. If reboot_device is selected, complete the following: Set the number of attempts for this recovery action to perform, before moving to the next recovery action: TX40 User Guide...
Page 91 (config)> network interface my_wan surelink interval value (config)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set interval to ten minutes, enter either 10m or 600s: TX40 User Guide...
Page 92 For example, to set delayed_start to ten minutes, enter either 10m or 600s: (config)> network interface my_wan surelink advanced delayed_start 600s (config)> The default is 300s. TX40 User Guide...
Page 93: Configure The Device To Reboot When A Failure Is Detected
Type quit to disconnect from the device. Configure the device to reboot when a failure is detected Using SureLink, you can configure the TX40 device to reboot when it has determined that an interface has failed. Required configuration items Enable SureLink.
Page 94 To configure the TX40 device to reboot when an interface has failed:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 95 When SureLink is configured for Wireless WANs, SureLink tests are only run if the cellular modem is connected and has an IP address. Use the SIM failover options to configure the TX40 device to automatically recover the modem in the event that it cannot obtain an IP address. See Configure a Wireless Wide Area Network (WWAN) for details about SIM failover.
Page 96 For example, to set Down time to ten minutes, enter 10m or 600s. Initial connection time: The amount of time to wait for the interface to connect for the first time before the test is considered to have failed. TX40 User Guide...
Page 97 100 to change the default gateway. Restart interface. b. Click . New recovery actions are enabled by default. To disable, click to toggle off Enable. c. Type a Label for the recovery action. d. For Recovery type, select Reboot device. TX40 User Guide...
Page 98 Override wait interval before performing the next recovery action: The time to wait before the next test is run. If set to the default value of 0s, the Test interval is used. TX40 User Guide...
Page 99  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 100 When SureLink is configured for Wireless WANs, SureLink tests are only run if the cellular modem is connected and has an IP address. Use the SIM failover options to configure the TX40 device to automatically recover the modem in the event that it cannot obtain an IP address. See Configure a Wireless Wide Area Network (WWAN) for details about SIM failover.
Page 101 If http is set, set the URL of the web server. (config network interface my_wan surelink tests 1)> http url (config network interface my_wan surelink tests 1)> dns_configured: Tests communication with DNS servers that are either provided by DHCP, or statically configured for this interface. TX40 User Guide...
Page 102 (config network interface my_wan surelink tests 1)> custom_ test_commands "string" (config network interface my_wan surelink tests 1)> tcp_connection: Tests that the interface can reach a destination port on the configured host. If tcp_connection is selected, complete the following: TX40 User Guide...
Page 103 The test will pass only if the referenced interface is up and passing its own SureLink tests (if applicable). down: The test will pass only if the referenced interface is down or failing its own SureLink tests (if applicable). f. Repeat for each additional test. TX40 User Guide...
Page 104 7. Optional SureLink configuration parameters: a. Type ... to return to the root of the configuration: (config network interface my_wan surelink actions 0)> ... (config)> b. Set the test interval between connectivity tests: (config)> network interface my_wan surelink interval value (config)> TX40 User Guide...
Page 105 (config)> network interface my_wan surelink advanced delayed_start value (config)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set delayed_start to ten minutes, enter either 10m or 600s: TX40 User Guide...
Page 106: Disable Surelink
DNS resolution, you can disable SureLink connectivity tests. You can also reconfigure SureLink to disable the DNS test and use one or more other tests.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. TX40 User Guide...
Page 107  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 108 WAN connections that do not allow DNS resolution, and configure alternate test.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 109 Ping payload size: The number of bytes to send as part of the ping payload. DNS test: Performs a DNS query to the named DNS server. If DNS test is selected, complete the following: DNS server: The IP address of the DNS server. TX40 User Guide...
Page 110 IPv6: The IPv6 connection must be up. Expected status: The status required for the test to past. Up: The test will pass only if the referenced interface is up and passing its own SureLink tests (if applicable). TX40 User Guide...
Page 111  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 112 Failing this test infers that all other tests fail. If interface_up is set, complete the following: Set the amount of time that the interface is down before the test can be considered to have failed. TX40 User Guide...
Page 113 If tcp_connection is selected, complete the following: Set the hostname or IP address of the host to create a TCP connection to: (config network interface my_wan surelink tests 1)> tcp_host hostname/IP_address (config network interface my_wan surelink tests 1)> TX40 User Guide...
Page 114 (config network interface my_wan ipv4 surelink)> save Configuration saved. > 7. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 115: Example: Use A Ping Test For Wan Failover From Ethernet To Cellular
Update Routing recovery action will increase the metric for the WAN interface by 100, which will cause the TX40 device to start using the WWAN1 interface as the default route. It continues to regularly test the connection to WAN, and when tests on WAN succeed, the device falls back to that interface.
Page 116  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 117: Using Ethernet Devices In A Wan
Type quit to disconnect from the device. Using Ethernet devices in a WAN The TX40 device has two Ethernet devices, named ETH1 and ETH2. You can use these Ethernet interfaces as a WAN when connecting to the Internet, through a device such as a cable modem:...
Page 118: Using Cellular Modems In A Wireless Wan (Wwan)
Typically, you configure SIM1 of the cellular modem as the primary cellular interface, and SIM2 as the backup cellular interface. In this way, if the TX40 device cannot connect to the network using SIM1, it automatically fails over to SIM2. TX40 devices automatically use the correct cellular module firmware for each carrier when switching SIMs.
Page 119 Interfaces Wide Area Networks (WANs) To configure the modem:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 120  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 121 For example, to set query_interval to ten minutes, enter either 10m or 600s: (config)> network modem wan query_interval 600s (config)> The default is 30s. 7. Set the maximum number of interfaces. This is used when using dual-APN SIMs. The default is TX40 User Guide...
Page 122 The default is all, which uses the best available technology. 10. Set whether the modem should use the main antenna, the auxiliary antenna, or both the main and auxiliary antennas: (config)> network modem wwan1 antenna value (config)> where value is one of the following: main both TX40 User Guide...
Page 123 APN. To configure the APN:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 124 8. To add additional APNs, for Add APN, click  and repeat the preceding instructions. 9. (Optional) To configure the device to bypass its preconfigured APN list and only use the configured APNs, enable APN list only. TX40 User Guide...
Page 125  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 126 APNs that can be used simultaneously. For example, Verizon offers this service as its Split Data Routing feature. This feature provides two separate networking paths through a single cellular modem and SIM card, and allows for configurations such as: TX40 User Guide...
Page 127 APNs, and then use routing roles to forward traffic to the appropriate WWAN interface.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 128 For Zone, select External. e. For Device, select WWAN1 cellular modem . f. (Optional): Configure the public APN. If the public APN is not configured, the TX40 will attempt to determine the APN. i. Click to expand APN list > APN.
Page 129 Click the  to add a new route policy. c. For Label, enter Route through public APN. d. For Interface, select Interface: WWAN_Public. e. Configure the source address: i. Click to expand Source address. ii. For Type, select Interface. iii. For Interface, select LAN1. TX40 User Guide...
Page 130 For Interface, select LAN2. k. Configure the destination address: i. Click to expand Destination address. ii. For Type, select Interface. iii. For Interface, select Interface: WWAN_Private. 6. Click Apply to save the configuration and apply the change.  Command line TX40 User Guide...
Page 131 Interfaces Wide Area Networks (WANs) 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 132 (config network route policy 0)> src interface LAN1 (config network route policy 0)> e. Configure the destination address: i. Set the type to interface: (config network route policy 0)> dst type interface (config network route policy 0)> ii. Set the interface to WWANPublic : TX40 User Guide...
Page 133 (config network route policy 1)> ii. Set the interface to WWANPrivate : (config network route policy 1)> interface /network/interface/WWANPrivate (config network route policy 1)> 6. Save the configuration and apply the change (config network route policy 1)> save Configuration saved. > TX40 User Guide...
Page 134 Select Manual or Manual/Automatic carrier selection mode. The Network PLMN ID.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 135  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 136 Admin CLI.  Log into the TX40 WebUI as a user with full Admin access rights. 1. From the main menu, click Status > Modems. 2. For the appropriate modem, scroll to the Connection Status section and click SCAN.
Page 137  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 138  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 139 : Excellent (-51.0 dBm) : Good (9.0 dB) SINR : Good (9.6 dB) RRC State : Connected Bars : 2/5 Band : n71 RSRQ : Poor (-14 dB) RSRP : Good (-78 dBm) SINR : Poor (4.5 dB) > TX40 User Guide...
Page 140 Command line To unlock a SIM card: 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 141  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 142 IMEI: 359072060451693 IMEI SV: 9 FSN: LQ650551070110 +GCAP: +CGSM 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 143: Configure A Wide Area Network (Wan)
Additional IPv4 configuration: The type being the way to control how the modem in the Digi device obtains an IP address from the cellular network. The metric for IPv4 routes associated with the WAN. The relative weight for IPv4 routes associated with the WAN.
Page 144 MACaddress denylist and allowlist. To create a new WAN or edit an existing WAN:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 145 8. (Optional) Click to expand 802.1x to configure 802.1x port based network access control. The TX40 can function as an 802.1x authenticator; it does not function as an 802.1x supplicant. a. Click to expand Authentication. b. Click Enable server to enable the 802.1x authenticator on the TX40 device.
Page 146 Never: Never use DNS servers for this interface. k. Enable DHCP Hostname to instruct the TX40 device to include the device's system name with DHCP requests as the Client FQDN option. The DHCP server can then be configured to register the device's hostname and IP address with an associated DNS server.
Page 147  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 148 DNS server, the interface with the lowest metric will be used for DNS requests. primary: Only use the DNS servers provided for this interface when the interface is the primary route. never: Never use DNS servers for this interface. TX40 User Guide...
Page 149 Interfaces Wide Area Networks (WANs) vi. Enable DHCP Hostname to instruct the TX40 device to include the device's system name with DHCP requests as the Client FQDN option. The DHCP server can then be configured to register the device's hostname and IP address with an associated DNS server.
Page 150 8. (Optional) To configure 802.1x port based network access control: Note The TX40 can function as an 802.1x authenticator; it does not function as an 802.1x supplicant. a. Enable the 802.1x authenticator on the TX40 device: (config network interface my_wan)> 802_1x authentication enable true (config network interface my_wan)>...
Page 151: Configure A Wireless Wide Area Network (Wwan)
APN configuration. The custom gateway/netmask. IPv4 configuration: The type being the way to control how the modem in the Digi device obtains an IP address from the cellular network. The metric for IPv4 routes associated with the WAN. The relative weight for IPv4 routes associated with the WAN.
Page 152 Configure SureLink active recovery to detect WAN/WWAN failures for further information.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 153 Manual: The cellular carrier must be manually configured. If the configured network is not available, no cellular connection will be established. Manual/Automatic: The carrier is manually configured. If the configured network is not available, automatic carrier selection is used. If Manual or Manual/Automatic is selected: TX40 User Guide...
Page 154 Reboot device: The device will reboot if automatic SIM switching is unavailable. 13. For APN list and APN list only, the TX40 device uses a preconfigured list of Access Point Names (APNs) when attempting to connect to a cellular carrier for the first time. After the device has successfully connected, it will remember the correct APN.
Page 155 IPv6 support is Enabled by default. Click to disable. c. Set the Type. Static IP address - Digi device obtains the static IP address from the cellular network. DHCP address - Digi device obtains IP address through a DHCP server on the cellular network.
Page 156 Interfaces Wide Area Networks (WANs) 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 157 (config network interface my_wwan)> modem imsi IMSI (config network interface my_wwan)> plmn_id Set the PLMN id that must be in active for this WWAN to be used: (config network interface my_wwan)> modem plmn_id PLMN_ID (config network interface my_wwan)> TX40 User Guide...
Page 158 Set the cellular network technology: (config network interface my_wwan)> modem operator_technology value (config network interface my_wwan)> where value is one of: all: The best available technology will be used. 2G: Only 2Gtechnology will be used. 3G: Only 3Gtechnology will be used. TX40 User Guide...
Page 159 The device will reboot if automatic SIM switching is unavailable. 12. The TX40 device uses a preconfigured list of Access Point Names (APNs) when attempting to connect to a cellular carrier for the first time. After the device has successfully connected, it will remember the correct APN.
Page 160 Where value is one of: static: Digi device obtains the static IP address from the cellular network. dhcp: Digi device obtains IP address via a DHCP server on the cellular network. c. Set the metric: (config network interface my_wwan)> ipv4 metric num (config network interface my_wwan)>...
Page 161 Where value is one of: static: Digi device obtains the static IP address from the cellular network. dhcp: Digi device obtains IP address via a DHCP server on the cellular network. c. Set the metric: (config network interface my_wwan)> ipv4 metric num (config network interface my_wwan)>...
Page 162: Show Wan And Wwan Status And Statistics
 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 163 4. Enter show network interface name at the Admin CLI prompt to display additional information about a specific WAN. For example, to display information about WAN, enter show network interface wan1: > show network interface wan1 wan1 Interface Status --------------------- Device : wan1 Zone : external TX40 User Guide...
Page 164: Delete A Wan Or Wwan
Follow this procedure to delete any WANs and WWANs that have been added to the system. You cannot delete the preconfigured WAN, WAN, or the preconfigured WWAN, WWAN1.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 165: Default Outbound Wan/Wwan Ports
 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 166: Local Area Networks (Lans)
Interfaces Local Area Networks (LANs) Local Area Networks (LANs) The TX40 device is preconfigured with the following Local Area Networks (LANs): You can modify configuration settings for LAN, and you can create new LANs. This section contains the following topics:...
Page 167: About Local Area Networks (Lans)
IP address and subnet of LAN1. Additional configuration items Additional IPv4 configuration: The type being the way to control how the modem in the Digi device obtains an IP address from the cellular network. The metric for IPv4 routes associated with the LAN.
Page 168 MACaddress denylist and allowlist. To create a new LAN or edit an existing LAN:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 169 8. (Optional) Click to expand 802.1x to configure 802.1x port based network access control. The TX40 can function as an 802.1x authenticator; it does not function as an 802.1x supplicant. a. Click to expand Authentication. b. Click Enable server to enable the 802.1x authenticator on the TX40 device.
Page 170  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 171 LAN to be a DHCP client, rather than using a static IP addres: (config network interface my_lan)> ipv4 type dhcp (config network interface my_lan)> These instructions assume that the LAN will use a static IP address for its IPv4 configuration. TX40 User Guide...
Page 172 (config network interface my_lan)> ipv6 type dhcpv6 (config network interface my_lan)> c. Generally, the default settings for IPv6 support are sufficient. You can view the default IPv6 settings by using the question mark (?): (config network interface my_lan)> ipv6 ? IPv6 TX40 User Guide...
Page 173 Configure WAN/WWAN priority and default route metrics for further information about metrics. 8. (Optional) To configure 802.1x port based network access control: Note The TX40 can function as an 802.1x authenticator; it does not function as an 802.1x supplicant. TX40 User Guide...
Page 174: Configure The Wan/Eth1 Port As A Lan Or In A Bridge
Type quit to disconnect from the device. Configure the WAN/ETH1 port as a LAN or in a bridge By default, the WAN/ETH1 Ethernet port on your TX40 is configured to function as a WAN port, which means that it: Uses the External firewall zone.
Page 175 Create a bridge that includes the WAN/ETH1 port. To configure the WAN/ETH1 Ethernet port as a LAN:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 176  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 177 Ethernet ports on the device to function as a hub. To add the WAN/ETH1 port to the LAN bridge:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 178  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 179 To create a new bridge, and bridge the TX40 device's WAN/ETH1 Ethernet port with the ETH2 port or Wi-Fi access points:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 180 For Add Interface, type a name for the interface and click . c. For Zone, select Internal. d. For Device, select the new bridge. e. Click to expand IPv4. f. For Address, type the IPv4 address and netmask, using the format IPv4_address/netmask, for example, 192.168.3.1/24. TX40 User Guide...
Page 181  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 182 Create the bridge: (config)> add network interface interface_name (config network interface interface_name)> where interface_name is the name of the new interface. For example, to create a interface named LAN_bridge_interface: (config)> add network interface LAN_bridge_interface (config network interface LAN_bridge_interface)> TX40 User Guide...
Page 183: Change The Default Lan Subnet
DHCP server range will also change to the range of the LAN subnet. To change the LAN subnet:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
Page 184: Example: Configure Two Lans
 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 185 LAN2 will be configured to use the ETH2 device. Task one: Create a new access point (TX40W models only)  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 186  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 187 Type quit to disconnect from the device. Task two: Create a new bridge (TX40W )  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 188  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 189 Type quit to disconnect from the device. Task three: Create the LANs  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 190 For Zone, select Internal. d. For Device: If you are configuring a Wi-Fi enabled TX40W, select Bridge: Example_bridge. If you are configuring a non-Wi-Fi TX40, select Ethernet: ETH1. e. Click to expand IPv4. f. For Address, type 192.168.3.1/24. g. Click to expand DHCP server.
Page 191  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 192 Set the device for the LAN2 interface: (config network interface LAN2)> device /network/device/eth1 (config network interface LAN2)> c. Configure the firewall zone for the LAN2 interface to internal: (config network interface LAN2)> zone internal (config network interface LAN2)> TX40 User Guide...
Page 193: Show Lan Status And Statistics
 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 194 4. Enter show network interface name at the Admin CLI prompt to display additional information about a specific LAN. For example, to display information about LAN, enter show network interface lan1: > show network interface lan1 lan1 Interface Status --------------------- Device : lan1 Zone : internal TX40 User Guide...
Page 195: Delete A Lan
Follow this procedure to delete any LANs that have been added to the system. You cannot delete the preconfigured LAN, LAN1.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 196: Dhcp Servers
 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 197 Map static IP addresses to hosts for information about static leases.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 198 For Gateway, select either: None: No gateway is broadcast by the DHCP server. Client destinations must be resolvable without a gateway. Automatic: Broadcasts the TX40 device's gateway. Custom: Allows you to identify the IP address of a Custom gateway to be broadcast.
Page 199  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 200 No gateway is broadcast by the DHCP server. Client destinations must be resolvable without a gateway. auto: Broadcasts the TX40 device's gateway. custom: Allows you to identify the IP address of a custom gateway to be broadcast: (config)> network interface my_lan ipv4 dhcp_server advanced gateway_custom ip_address (config)>...
Page 201 (config)> where value is one of: none: No server is broadcast. auto: Broadcasts the TX40 device's server. custom: Allows you to identify the IP address of the server. For example: (config)> network interface my_lan ipv4 dhcp_server advanced primary_dns_custom ip_address (config)>...
Page 202 A label for this instance of the static lease. To map static IP addresses:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 203  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 204  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 205 Delete static IP mapping entries To delete a static IP entry:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 206  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 207 Force the option to be sent to the DHCP clients. A label for the custom option.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 208  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 209 Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Configure DHCP relay DHCP relay allows a router to forward DHCP requests from one LAN to a separate DHCP server, typically connected to a different LAN. TX40 User Guide...
Page 210 DHCP requests. Additional configuration items IP address of additional DHCP relay servers.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 211  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 212  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 213: Default Services Listening On Lan Ports
IP address assigned to it on a WAN or cellular modem interface, to a client connected to a LAN interface.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 214 For Ancillary address/netmask, type the IPv4 address and netmask to provide to the connected device when the source address is not available. b. For Ancillary gateway, type the IPv4 address of the network gateway to be used when the connected device when the source address is not available. TX40 User Guide...
Page 215 14. (Optional) Click to expand 802.1x to configure 802.1x port based network access control. The TX40 can function as an 802.1x authenticator; it does not function as an 802.1x supplicant. a. Click to expand Authentication. b. Click Enable server to enable the 802.1x authenticator on the TX40 device.
Page 216  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 217 (config network interface ip_passthrough_interface)> c. Set the management priority. This determines which interface will have priority for central management activity. The interface with the highest number will be used. (config network interface ip_passthrough_interface)> ipv4 mgmt num (config network interface ip_passthrough_interface)> TX40 User Guide...
Page 218 Enable metric Metric mgmt Management priority 1500 use_dns always Use DNS weight Weight (config network interface ip_passthrough_interface)> c. Modify any of the remaining default settings as appropriate. 10. (Optional) To configure 802.1x port based network access control: TX40 User Guide...
Page 219: Virtual Lans (Vlans)
Interfaces Virtual LANs (VLANs) Note The TX40 can function as an 802.1x authenticator; it does not function as an 802.1x supplicant. a. Enable the 802.1x authenticator on the TX40 device: (config network interface ip_passthrough_interface)> 802_1x authentication enable true (config network interface ip_passthrough_interface)>...
Page 220: Create A Trunked Vlan Route
The VLAN ID. The TCP header uses the VLAN ID to identify the destination VLAN for the packet. To create a VLAN:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 221: Create A Vlan Using Switchport Mode
Create a VLAN using switchport mode Required configuration items Device to be assigned to the VLAN. The VLAN ID. The TCP header uses the VLAN ID to identify the destination VLAN for the packet. To create a VLAN using switchport mode:  TX40 User Guide...
Page 222 Interfaces Virtual LANs (VLANs) 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 223 Interfaces Virtual LANs (VLANs) 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 224: Bridging
Create a VLAN using switchport mode for more information about switchport bridging for VLANs. By default, the TX40 has the following preconfigured bridges: You can modify configuration settings for the existing bridge, and you can create new bridges. This section contains the following topics:...
Page 225: Edit The Preconfigured Lan Bridge
Enable Spanning Tree Protocol (STP). To edit the preconfigured LAN bridge:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 226  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 227 (config network bridge my_bridge)> ..interface lan1 device ? Default value: /network/bridge/lan1 Current value: /network/bridge/lan1 (config network bridge my_bridge)> ii. Add the appropriate device. For example, to add the Digi AP (Wi-Fi1) Wi-Fi access point: (config network bridge my_bridge)> add device end /network/wireless/ap/digi_ap1 (config)>...
Page 228: Configure A Bridge
Additional configuration items Enable Spanning Tree Protocol (STP). To create a bridge:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 229  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 230 (config network bridge my_bridge)> ..interface lan1 device ? Default value: /network/bridge/lan1 Current value: /network/bridge/lan1 (config network bridge my_bridge)> b. Add the appropriate device. For example, to add the Digi AP (Wi-Fi1) Wi-Fi access point: (config network bridge my_bridge)> add device end /network/wireless/ap/digi_ap1 (config)>...
Page 231: Show Surelink Status And Statistics
1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 232: Show Surelink Status For A Specific Interface
1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 233: Show Surelink Status For A Specific Ipsec Tunnel
Interfaces Show SureLink status and statistics 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 234: Show Surelink Status For A Specific Openvpn Client
Interfaces Configure a TCP connection timeout 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 235 A low number of retries will end a "stale" connection more quickly that a larger number. The default is 15 retries.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 236: Serial Port
Modbus: Allows the device to function as a Modbus protocol gateway. Add a USB serial port Your TX40 can be configured to support USB-to-serial adapters for serial access to the device, remote serial out-of-band (OOB) access to other devices, or for use in python applications. See...
Page 237: Configure Login Mode
To change the configuration to match the serial configuration of the device to which you want to connect:  Log into the TX40 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed.
Page 238  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 239 9. Set the stop bits used by the device to which you want to connect: (config)>serial port1 stopbits bits (config)> 10. Set the type of flow control used by the device to which you want to connect: (config)>serial port1 flow value (config)> where value is one of: none rts/cts xon/xoff TX40 User Guide...
Page 240: Configure Remote Access Mode
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Configure Remote Access mode Remote Access mode allows for remote access to another device that is connected to the serial port. TX40 User Guide...
Page 241 To change the configuration to match the serial configuration of the device to which you want to connect:  Log into the TX40 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed.
Page 242 Click to expand Access Control List. For example, to set the Access Control List for the SSH connection for serial port 1, click to expand Serial > Port 1 > SSH connection > Access Control List: TX40 User Guide...
Page 243 No limit to IPv6 addresses that can access the service-type. iv. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: i. Click Interfaces. ii. For Add Interface, click .
Page 244 For Idle timeout, type the amount of time to wait before disconnecting due to user inactivity. 10. Expand Monitor Settings. a. Enable CTS to monitor CTS (Clear to Send) changes on this port. b. Enable DCD to monitor DCD (Data Carrier Detect) changes on this port. TX40 User Guide...
Page 245  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 246 Limit access to the serial port to a single active session: (config)>serial port1 exclusive true (config) c. Set the number of bytes of output from the serial port that are written to buffer. These bytes are redisplayed when a user connects to the serial port. TX40 User Guide...
Page 247 Enable autoconnect: (config)>serial port1 autoconnect enable true (config)> b. Set the option that will trigger the connection: (config)>serial port1 autoconnect trigger value (config)> where value is one of: always data destination match If match is selected: TX40 User Guide...
Page 248 (config)>serial port1 autoconnect port int (config)> where int is any integer between 1 and 65535. f. To enable TCP keepalive: (config)>serial port1 autoconnect keepalive true (config)> g. To enable TCP nodelay: (config)>serial port1 autoconnect nodely true (config)> TX40 User Guide...
Page 249 (config)>serial port1 service ssh port int (config)> where int is any integer between 1 and 65535. The default is 3001. iii. Enable TCP keep-alive messages: (config)>serial port1 service ssh keepalive true (config)> iv. Enable TCP nodelay messages: TX40 User Guide...
Page 250 No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: (config)> add serial port1 service ssh acl interface end value (config)>...
Page 251 1 and 65535. The default is 4001. iii. Enable TCP keep-alive messages: (config)>serial port1 service tcp keepalive true (config)> iv. Set the option that initiates the connection: (config)>serial port1 service tcp conn_type value (config)> TX40 User Guide...
Page 252 No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: (config)> add serial port1 service tcp acl interface end value (config)>...
Page 253 (config)>serial port1 service telnet enable true (config)> ii. Set the port to be used for ssh communications: (config)>serial port1 service telnet port int (config)> where int is any integer between 1 and 65535. The default is 3001. iii. Enable TCP keep-alive messages: TX40 User Guide...
Page 254 No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: (config)> add serial port1 service telnet acl interface end value (config)>...
Page 255 Set the maximum allowed log size for the serial port log when starting the log: (config)>serial port1 logging size value (config)> where value is the size of the log file in bytes. The default is 65536. d. Specify the data type: TX40 User Guide...
Page 256: Configure Application Mode
To change the configuration to match the serial configuration of the device to which you want to connect:  Log into the TX40 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed.
Page 257  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 258: Configure Ppp Dial-In Mode
To change the configuration to match the serial configuration of the device to which you want to connect:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 259 16. (Optional) Configure the serial port to use a custom PPP configuration file: a. Click to expand Custom PPP configuration. b. Click Enable to enable the use of a custom PPP configuration file. TX40 User Guide...
Page 260 18. Click Apply to save the configuration and apply the change.  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. TX40 User Guide...
Page 261 (config)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set idle_timeout to ten minutes, enter either 10m or 600s: (config)> serial port1 idle_timeout 600s (config)> TX40 User Guide...
Page 262 Use the ? to determine available zones: (config)> serial port1 ppp_dialin zone ? Zone: The firewall zone assigned to this interface. This can be used by packet filtering rules and access control lists to restrict network traffic on this TX40 User Guide...
Page 263 For example: (config)> serial port1 ppp_dialin custom config_file "debug lcp-echo- interval 10 lcp-echo-failure 2" (config)> 16. (Optional) Configure a script that will be run to prepare the link before PPP negotiations are started: TX40 User Guide...
Page 264 17. Save the configuration and apply the change (config)> save Configuration saved. > 18. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 265: Configure Udp Serial Mode
To change the configuration to match the serial configuration of the device to which you want to connect:  Log into the TX40 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed.
Page 266 Click Strip End Pattern if you want to remove the end pattern from the packet before it is sent. 7. Expand UDP Serial Settings. a. For Local port, enter the UDP port. The default is 4001 or serial port 1, 4002 for serial port 2, etc. TX40 User Guide...
Page 267 For Destinations, you can configure the remote sites to which you want to send data. If you do not specify any destinations, the TX40 sends new data from the last IP address and port from which data was received. To add a destination: i.
Page 268 To limit access to specified IPv6 addresses and networks: i. Click IPv6 Addresses. ii. For Add Address, click . iii. For Address, enter the IPv6 address or network that can access the device's service-type. Allowed values are: TX40 User Guide...
Page 269  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 270 9. Set the stop bits used by the device to which you want to connect: (config)>serial port1 label stopbits bits (config)> 10. Set the type of flow control used by the device to which you want to connect: (config)>serial port1 label flow type (config) TX40 User Guide...
Page 271 (config)> 14. Configure the remote sites to which you want to send data. If you do not specify any destinations, the TX40 send new data to the last hostname and port from which data was received. To add a destination:...
Page 272 Where value can be: A single IP address or host name. A network designation in CIDRnotation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. TX40 User Guide...
Page 273 Serial port Configure UDP serial mode To limit access to hosts connected through a specified interface on the TX40 device: (config)> add serial port1 udp acl interface end value (config)> Where value is an interface defined on your device. Display a list of available interfaces: Use ...
Page 274 No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: (config)> add serial port1 udp acl interface end value (config)>...
Page 275 Log the time at which date was received or transmitted: (config)>serial port1 logging hex true (config)> f. Log data as hexadecimal values: (config)>serial port1 logging timestamp true (config)> 17. Save the configuration and apply the change (config)> save Configuration saved. > TX40 User Guide...
Page 276: Configure Modem Emulator Mode
To change the configuration to match the serial configuration of the device to which you want to connect:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 277 For Address, enter the IPv4 address or network that can access the device's service-type. Allowed values are: A single IP address or host name. A network designation in CIDRnotation, for example, 192.168.1.0/24. any: No limit to IPv4 addresses that can access the service-type. TX40 User Guide...
Page 278 No limit to IPv6 addresses that can access the service-type. iv. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: i. Click Interfaces. ii. For Add Interface, click .
Page 279: Configure Modbus Mode
To change the configuration to match the serial configuration of the device to which you want to connect:  Log into the TX40 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed.
Page 280  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 281: Add A Usb Serial Port
FTDI Prolific To add a USB serial port:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 282 9. For Serial mode, select one of the following: Login: Allows the user to log into the device through the serial port. Remote access: Allows for remote access to another device that is connected to the serial port. TX40 User Guide...
Page 283 Note Beginning with firmware release 21.11.x, python is no longer included as part of the base firmware for the TX40 device. If you require Python in your environment and your device is running firmware 21.11.x or newer, see Install Python for information about installing Python on your device.
Page 284 A network designation in CIDRnotation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the service-type. iv. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: i. Click Interfaces.
Page 285 A network designation in CIDRnotation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the service-type. iv. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: i. Click Interfaces.
Page 286 A network designation in CIDRnotation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the service-type. iv. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: i. Click Interfaces.
Page 287 Serial port Add a USB serial port 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 288 (config serial USB_port)> history bytes (config serial USB_port) The default is 4000 bytes. d. Set the amount of time to wait before disconnecting due to user inactivity: (config serial USB_port)> idle_timeout value (config serial USB_port) TX40 User Guide...
Page 289 A single IP address or host name. A network designation in CIDRnotation, for example, 192.168.1.0/24. any: No limit to IPv4 addresses that can access the tcp port. Repeat this step to list additional IP addresses or networks. TX40 User Guide...
Page 290 No limit to IPv6 addresses that can access the tcp port. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: (config serial USB_port)> add service tcp acl interface end value (config serial USB_port)>...
Page 291 No limit to IPv4 addresses that can access the telnet port. Repeat this step to list additional IP addresses or networks. To limit access to specified IPv6 addresses and networks: (config serial USB_port)> add service telnet acl address6 end value (config serial USB_port)> Where value can be: TX40 User Guide...
Page 292 No limit to IPv6 addresses that can access the telnet port. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: (config serial USB_port)> add service telnet acl interface end value (config serial USB_port)>...
Page 293 No limit to IPv6 addresses that can access the ssh port. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: (config serial USB_port)> add service ssh acl interface end value (config serial USB_port)>...
Page 294 8. Save the configuration and apply the change (config serial USB_port)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 295: Show Serial Status And Statistics
 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 296  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 297 Configure a Wi-Fi access point with personal security Configure a Wi-Fi access point with enterprise security Isolate Wi-Fi clients Configure a Wi-Fi client and add client networks Show Wi-Fi access point status and statistics Show Wi-Fi client status and statistics TX40 User Guide...
Page 298: Wi-Fi Configuration
Wi-Fi Wi-Fi configuration Wi-Fi configuration The TX40 device has two Wi-Fi radios. You can configure the Wi-Fi radios for Wi-Fi access point mode and Wi-Fi client mode. By default, the TX40 radios are configured to use access point mode. Note When Primary Responder mode is enabled, pre-configured access points are disabled by default.
Page 299 Enabled Encyrption WPA2 Personal (PSK) WPA2 Personal (PSK) Pre-shared key Default password as found on Default password as found on the device's label the device's label Group rekey interval 10 minutes 10 minutes Client mode connections: none. TX40 User Guide...
Page 300: Configure The Wi-Fi Radio's Channel
Not all Digi devices currently support 5 GHz. Before you try to use this feature, verify that your device supports 5 GHz.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 301  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 302: Configure The Wi-Fi Radio To Support Dfs Channels In Client Mode
In addition to the standard non-DFS channels (36, 40, 44, and 48), your TX40 can be configured to have one or more Wi-Fi clients that can connect to external Wi-Fi access points that support DFS channels:...
Page 303 Wi-Fi Configure the Wi-Fi radio to support DFSchannels in client mode 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 304: Configure The Wi-Fi Radio's Band And Protocol
Configure the Wi-Fi radio's band and protocol You can configure the band for Wi-Fi radios.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 305  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 306: Configure The Wi-Fi Radio's Transmit Power
100 percent. You can configure the Wi-Fi radio to transmit at a lower power.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 307  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 308: Configure An Open Wi-Fi Access Point
This procedure configures a Wi-Fi access point that does not require a password for client connections. By default, the TX40 device comes with two preconfigured access points, Digi AP (Wi-Fi1) and Digi AP (Wi-Fi2). You cannot delete default access points, but you can modify them or you can create your own access points.
Page 309 Wi-Fi Configure an open Wi-Fi access point 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 310 Command line Configure a new access point 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 311 The group key is shared by all in clients of the access point, and after a client has disconnected, it will be able to use the group key to decrypt broadcast packets until the key is changed. TX40 User Guide...
Page 312 Type quit to disconnect from the device. Edit an existing Access point 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights.
Page 313 Additional Configuration --------------------------------------------------------------------- ---------- wifi1 Wi-Fi1 radio wifi2 Wi-Fi2 radio (config)> b. Set the appropriate radio: (config)> network wifi ap digi_ap1 radio wifi1 (config)> 9. (Optional) Set the amount of time to wait before changing the group key. TX40 User Guide...
Page 314: Configure A Wi-Fi Access Point With Personal Security
Primary Responder mode. By default, the TX40 device comes with two preconfigured access points, Digi AP (Wi-Fi1) and Digi AP (Wi-Fi2). You cannot delete default access points, but you can modify them or you can create your own access points.
Page 315 The amount of time to wait before changing the group key. To configure a Wi-Fi access point to use personal security:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 316 Only select WPA3 Personal (SAE) if you know that all Wi-Fi clients connecting to this device will have WPA3 capabilities. 9. For Pre-shared key, enter the password that clients will use when connecting to the access point. TX40 User Guide...
Page 317 Command line Configure a new access point 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 318 If you need to configure a Wi-Fi passphrase with any non-printable ASCII characters, you can use the wpa_passphrase tool to generate the appropriate pre- shared key. The wpa_passphrase command is available in the shell console of a DAL OS Digi device. For details about the command, see the wpa_passphrase Linux command.
Page 319 (config network wireless ap new_AP)> encryption group_rekey 600s (config network wireless ap new_AP)> Increasing the time between rekeys can improve connectivity issues in noisy environments. To disable group rekeys, set to 0. This will allow any client that has previously connected to see TX40 User Guide...
Page 320 Type quit to disconnect from the device. Edit an existing Access point 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights.
Page 321 If you need to configure a Wi-Fi passphrase with any non-printable ASCII characters, you can use the wpa_passphrase tool to generate the appropriate pre- shared key. The wpa_passphrase command is available in the shell console of a DAL OS Digi device. For details about the command, see the wpa_passphrase Linux command.
Page 322 2. Save the configuration and apply the change (config)> save Configuration saved. > 3. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 323: Configure A Wi-Fi Access Point With Enterprise Security
To configure a Wi-Fi access point with WPA2 enterprise or WPA3 enterprise security:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 324 7. (Optional) Enable Isolate clients to prevent clients that are connected to this access point from communicating with each other. See Isolate Wi-Fi clients for information about how to prevent clients connected to different access points from communicating with each other. 8. For Encryption, select either: TX40 User Guide...
Page 325 The access point must be assigned to an active LAN, or a bridge that is assigned to an active LAN. 12. Click Apply to save the configuration and apply the change.  Command line TX40 User Guide...
Page 326 Configure a Wi-Fi access point with enterprise security Configure a new access point 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights.
Page 327 The group key is shared by all in clients of the access point, and after a client has disconnected, it will be able to use the group key to decrypt broadcast packets until the key is changed. (config network wifi ap new_AP)> encryption group_rekey value (config network wifi ap new_AP)> TX40 User Guide...
Page 328 Type quit to disconnect from the device. Edit an existing Access point 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights.
Page 329 10. (Optional) Set the RADIUS server's port. The default is 1812. (config)> network wifi ap digi_ap1 encryption port_wpa2 port (config)> 11. (Optional) Change the Wi-Fi radio for the access point: a. Show available radios: (config)> network wifi radio ? Additional Configuration TX40 User Guide...
Page 330: Isolate Wi-Fi Clients
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Isolate Wi-Fi clients Client isolation prevents wireless clients connected to the TX40 device from communicating with other clients. There are two mechanisms for client isolation configuration: TX40 User Guide...
Page 331: Isolate Clients Connected To The Same Access Point
This section provides instructions for both mechanisms. Isolate clients connected to the same access point  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 332: Isolate Clients Connected To Different Access Points
2. Assign those LAN interfaces to separate firewall zones. 3. Create firewall filters to prevent traffic between the two firewall zones.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 333 Firewall filters are applied in the order that they are listed. As a result, in order to drop traffic from the Internal zone to the LAN2_isolation_zone, this filter must be listed prior to the Allow all outgoing traffic filter, which allows the Internal zone to have access to any zone. TX40 User Guide...
Page 334 We will use that LAN for the Digi AP (Wi-Fi1) access point, and create a new LAN for the Digi AP (Wi-Fi2) access point. In this step, we create a new LAN for the Digi AP (Wi-Fi2) access point; in the next step, we will remove the Digi AP (Wi-Fi2) access point from the default bridge (and thus from the default LAN).
Page 335 Wi-Fi Isolate Wi-Fi clients 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 336 Internal zone to the LAN2_isolation_zone, this filter must be added before the Allow all outgoing traffic filter, which allows the Internal zone to have access to any zone. In this example, we will add the new to the first position in the list (index position 0). TX40 User Guide...
Page 337 We will use that LAN for the Digi AP (Wi-Fi1) access point, and create a new LAN for the Digi AP (Wi-Fi2) access point. In this step, we create a new LAN for the Digi AP (Wi-Fi2) access point; in the next step, we will remove the Digi AP (Wi-Fi2) access point from the default bridge (and thus from the default LAN).
Page 338: Configure A Wi-Fi Client And Add Client Networks
Configure a Wi-Fi client and add client networks Required configuration items Create the Wi-Fi client. The TX40 device's Wi-Fi radio that the Wi-Fi client will use. SSID of the access point that the client will log into. The encryption type used by the access point: If a personal or mixed mode option is selected, identify the Pre-shared key.
Page 339 The TX40 supports one Wi-Fi client. To configure a Wi-Fi client:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 340 If you need to configure a Wi-Fi passphrase with any non-printable ASCII characters, you can use the wpa_passphrase tool to generate the appropriate pre- shared key. The wpa_passphrase command is available in the shell console of a DAL OS Digi device. For details about the command, see the wpa_passphrase Linux command.
Page 341 For Long interval, type the number of seconds to wait between scans for access points, when the signal strength from the access point to which the client is currently connected is stronger than the Scan threshold. TX40 User Guide...
Page 342  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 343 If you need to configure a Wi-Fi passphrase with any non-printable ASCII characters, you can use the wpa_passphrase tool to generate the appropriate pre- shared key. The wpa_passphrase command is available in the shell console of a DAL OS Digi device. For details about the command, see the wpa_passphrase Linux command.
Page 344 SCEP Client: The SCEP client which this Wi-Fi client will use to download the necessary keys and certificates from the SCEP server. Format: SCEP_test_client SCEP_test_client1 Current value: (config network wifi client new_client)> ii. Set the SCEP client, for example: TX40 User Guide...
Page 345 Enable background scanning: (config network wifi client new_client)> background_scanning enable true (config network wifi client new_client)> b. Set the scan threshold (bgscan_strength), in dB, that is used to determine the scanning frequency. TX40 User Guide...
Page 346 (config network wifi client new_client)> where value is any integer greater than 0. The default is 1. e. Configure the frequencies that will be scanned for available access points. The TX40 device has three preconfigured frequencies: 2412 MHz 2437 MHz 2462 MHz You can delete the preconfigured frequencies and add additional frequencies.
Page 347 Type quit to disconnect from the device. After you configure a Wi-Fi client, you must assign the Wi-Fi client to a WAN. See Wide Area Networks (WANs) and Wireless Wide Area Networks (WWANs) for further information. TX40 User Guide...
Page 348: Show Wi-Fi Access Point Status And Statistics
1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 349: Show Wi-Fi Client Status And Statistics
1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 350 To show a detailed status and statistics of a Wi-Fi client, use the show wifi client name name command. 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights.
Page 351: Hotspot
Hotspot Your TX40 device offers the ability to create a publicly available hotspot, which allows you to provide internet access to users while restricting their ability to access other functionality on the TX40 device, as well as applying bandwidth limits, authenticating users, and other features. The TX40 device's implementation of hotspot uses a "captive portal"...
Page 352: Hotspot Authentication Modes
Local shared password: Requires each user to enter a password. This password is validated locally on the TX40 device, and the password is the same for all users. The sample HTML page included with your TX40 device for local shared password authentication is password.html.
Page 353: Hotspot Dhcp Server
Hotspot DHCP server Hotspot DHCP server When the hotspot is enabled on the TX40 device, it automatically enables a DHCP server. During hotspot configuration, you assign an IPv4 address to the hotspot, and the DHCP server then uses the subnet of the hotspot's IP address, along with the hotspot's subnet mask, to assign IPv4 addresses to clients that connect to the hotspot.
Page 354: Hotspot Configuration
Hotspot configuration This section provides information about enabling and configuring the default hotspot that is provided with your TX40 installation, as well as creating a new hotspot and configuring the type of authentication mode you select for your hotspot. This section contains the following topics:...
Page 355: Enable Hotspot Using The Default Configuration
Hotspot Hotspot configuration Enable hotspot using the default configuration The default configuration of the TX40 device's hotspot is: Default configuration Hotspot Name: hotspot Disabled Authentication mode: Click-through IP address: 10.1.0.1/24 DHCP server: Automatically enabled DHCP server lease range: 100-250 Bandwidth limits:...
Page 356 See Edit sample hotspot HTML pages for information.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 357 Hotspot Hotspot configuration 4. Enable the hotspot access points: a. Click Network > Wi-Fi > Access points > Digi Hotspot AP (Wi-Fi1). b. Click Enable. c. Click Digi Hotspot AP (Wi-Fi2). d. Click Enable. 5. Enable the hotspot bridge: a. Click Network > Bridges > hotspot_bridge.
Page 358: Change The Default Hotspot Ssid
Hotspot Hotspot configuration 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 359 Hotspot Hotspot configuration 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 360: Change The Default Hotspot Ip Address And Subnet
Lease range start and end. To change the default hotspot IP address and subnet:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
Page 361 Hotspot Hotspot configuration a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
Page 362  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 363: Change The Default Hotspot Bandwidth Limits
Maximum upload speed, in Kbps. To change the default hotspot IP address and subnet:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 364  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 365: Add An Ethernet Port To The Default Hotspot
Ethernet port to be added to the hotspot. To add an Ethernet port to the default hotspot:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 366 Click Network > Bridges > LAN > Devices. b. Click the ... menu icon next to the Ethernet: ETH2 device entry and select Delete. 6. Click Apply to save the configuration and apply the change.  Command line TX40 User Guide...
Page 367 Hotspot Hotspot configuration 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 368: Use Policy Routes With Hotspot
If RADIUS shared password or RADIUS users is selected for the authentication mode, include RADIUS configuration information. If HotspotSystem is selected for the authentication mode, include HotspotSystem configuration information. Hotspot authentication modes for more information about authentication modes. TX40 User Guide...
Page 369 Maximum upload speed, in Kbps. Enable verbose logging. To create a new hotspot:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 370 For Add Interface, create a new interface and click . iii. For Device, select the bridge created above. iv. Click to expand IPv4. v. For Address, enter an IP address and subnet mask for the LAN. This IP address must be unique from all other interfaces. TX40 User Guide...
Page 371 Click-through: Requires each user to accept the terms and conditions. Local shared password: Requires each user to enter a password. This password is validated locally on the TX40 device, and the password is the same for all users. Configure the hotspot to use local shared password authentication for information about configuring hotspot for local shared password authentication.
Page 372 HotspotSystem authentication. 11. For Login page source, select either: Local: Uses an HTML page for authentication that is stored locally on the TX40 device's filesystem, in the /etc/config/hotspot directory. Note that the hotspot directory is not visible until hotspot has been enabled for the first time.
Page 373 Setting the Maximum download speed to 0 means that the bandwidth is unlimited. This can have an adverse effect on performance. 18. (Optional) For Maximum upload speed, type the maximum upload speed in kilobytes per second (Kbps). TX40 User Guide...
Page 374  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 375 Create a bridge: (config)> add network bridge new_hotspot_bridge (config network bridge new_hotspot_bridge)> b. Add devices to the bridge: i. Determine available devices: (config network bridge new_hotspot_bridge)> ..interface lan1 device ? Default value: /network/bridge/lan1 Current value: /network/bridge/lan1 TX40 User Guide...
Page 376 Hotspot Hotspot configuration (config network bridge new_hotspot_bridge)> ii. Add the appropriate device. For example, to add the Digi AP (Wi-Fi1) Wi-Fi access point: (config network bridge new_hotspot_bridge)> add device end /network/wireless/ap/digi_ap1 (config)> c. Type ... to return to the config prompt: (config network bridge new_hotspot_bridge)>...
Page 377 ? Default value: /network/bridge/lan1 Current value: /network/bridge/lan1 (config network bridge new_hotspot_bridge)> b. Add the appropriate device. For example, to add the Digi AP (Wi-Fi1) Wi-Fi access point: (config network bridge new_hotspot_bridge)> add device end /network/wireless/ap/digi_ap1 (config)> 7. Set an access point, and Ethernet port, or a bridge for the hotspot's device: a.
Page 378 Requires each user to accept the terms and conditions. local_shared_password: Requires each user to enter a password. This password is validated locally on the TX40 device, and the password is the same for all users. Configure the hotspot to use local shared password authentication for information about configuring hotspot for local shared password authentication.
Page 379 IP address, and is combined with the subnet of the hotspot's static IP address. (config network hotspot new_hotspot)> ipv4 address dhcp_server lease_ start value (config network hotspot new_hotspot)> where value is any integer between 1 and 254. The default is 100. TX40 User Guide...
Page 380 17. (Optional) Change the default maximum upload speed: (config network hotspot new_hotspot)> bandwidth_max_up value (config network hotspot new_hotspot)> where value is an integer between 1 and 100000 and represents the maximum upload speed in Kbps. TX40 User Guide...
Page 381: Configure The Hotspot To Use Local Shared Password Authentication
Hotspot LAN configuration:  Configure hotspot for local shared password authentication from the WebUI 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
Page 382 Configure hotspot for local shared password authentication from the Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights.
Page 383: Configure The Hotspot To Use Radius Shared Password Authentication
Hotspot LAN configuration:  Configure hotspot for RADIUS shared password authentication from the WebUI 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
Page 384 Hotspot Hotspot configuration a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
Page 385 Configure hotspot for RADIUS shared password authentication from the Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights.
Page 386 7. Save the configuration and apply the change (config)> save Configuration saved. > 8. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 387: Configure The Hotspot To Use Radius Users Authentication
Hotspot LAN configuration:  Configure hotspot for RADIUS users authentication from the WebUI 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 388 For Subnet, type an IPv4 address and optional subnet mask, using the format IPv4_ address[/netmask], or the keyword any. d. Repeat to add additional subnets. 7. Click Apply to save the configuration and apply the change.  Configure hotspot for RADIUS users authentication from the Command line TX40 User Guide...
Page 389 Hotspot Hotspot configuration 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 390: Configure The Hotspot To Use Hotspotsystem Authentication
Type quit to disconnect from the device. Configure the hotspot to use HotspotSystem authentication You can configure TX40 hotspot to use HotspotSystem, a cloud hotspot service that supports various free and paid authentication methods, including social media accounts, SMS, voucher, and PayPal.
Page 391 Refer to the following page for an up-to-date list of social login domains that need to be whitelisted: Whitelist for hotspot free social login. Add routers to HotspotSystem's list of supported devices You can use the Remote Webserver feature to certify and add your device to Hotspotsystem's official list of supported devices. TX40 User Guide...
Page 392 Hotspot Hotspot configuration  Configure hotspot for HotspotSystem authentication from the WebUI 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 393  Configure hotspot for HotspotSystem authentication from the Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 394: Show Hotspot Status And Statistics
Type quit to disconnect from the device. Show hotspot status and statistics  Log into the TX40 WebUI as a user with full Admin access rights. 1. On the main menu, click Status 2. Under Networking, click Hotspot. TX40 User Guide...
Page 395  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 396: Customize The Hotspot Login Page
Type quit to disconnect from the device. Customize the hotspot login page The TX40 device provides three sample HTML webpages for use with the hotspot feature. When hotspot is enabled for the first time, the sample webpages are installed to the /etc/config/hotspot folder on the device's filesystem.
Page 397: Edit Sample Hotspot Html Pages
HTML files using utilities. 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights.
Page 398: Upload Custom Hotspot Html Pages
Supported file extensions include: .html, .gif, .js, .jpg, .mp4, .ogv, .png, .swf, .json, and .dat. You can configure the TX40 device to use your custom HTML page using either the WebUI or the command line: ...
Page 399  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 400: Restore Hotspot Default Sample Pages
The hotspot directory and files are loaded when the hotspot is enabled, and you can restore the default pages by doing the following: 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights.
Page 401: Hotspot Radius Attributes
Also, if the RADIUS server requests it, the hotspot will send accounting information back to the RADIUS server. For example, here are some of the RADIUS attributes that the hotspot sends: Acct-Input-Octets Acct-Output-Octets Acct-Session-Time Acct-Input-Packets Acct-Output-Packets Acct-Input-Gigawords Acct-Output-Gigawords TX40 User Guide...
Page 402: Routing
Routing This chapter contains the following topics: IP routing Show the routing table Dynamic DNS Virtual Router Redundancy Protocol (VRRP) TX40 User Guide...
Page 403: Ip Routing
IP routing IP routing The TX40 device uses IP routes to decide where to send a packet it receives for a remote network. The process for deciding on a route to send the packet is as follows: 1. The device examines the destination IP address in the IP packet, and looks through the IP routing table to find a match for it.
Page 404: Configure A Static Route
The Maximum Transmission Units (MTU) of network packets using this route. To configure a static route:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 405 7. For Interface, select the interface on the TX40 device that will be used with this static route. 8. (Optional) For Gateway, type the IPv4 address of the gateway used to reach the destination.
Page 406 The any keyword can also be used to route packets to any destination with this static route. 6. Set the interface on the TX40 device that will be used with this static route: a. Use the ? to determine available interfaces: b.
Page 407: Delete A Static Route
Type quit to disconnect from the device. Delete a static route  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 408: Policy-Based Routing
However, you can use policy-based routing to forward the packet based on other criteria, such as the source of the packet. For example, you can configure the TX40 device so that high-priority traffic is routed through the cellular connection, while all other traffic is routed through an Ethernet (WAN) connection.
Page 409: Configure A Routing Policy
To configure a routing policy:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 410 5. (Optional) For Label, type a label that will be used to identify this route policy. 6. For Interface, select the interface on the TX40 device that will be used with this route policy. 7. (Optional) Enable Exclusive to configure the policy to drop packets that match the policy when the gateway interface is disconnected, rather than forwarded through other interfaces.
Page 411  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 412 (config network route policy 0)> label "New route policy" (config network route policy 0)> 5. Set the interface on the TX40 device that will be used with this route policy: a. Use the ? to determine available interfaces: b. Set the interface. For example: (config network route policy 0)>...
Page 413 (config network route policy 0)> src zone ? Zone: Match the IP address to the specified firewall zone. Format: dynamic_routes edge external hotspot internal ipsec loopback setup Default value: any Current value: any (config network route policy 0)> src zone TX40 User Guide...
Page 414 Matches the destination IP address to the selected firewall zone. Set the zone: a. Use the ? to determine available zones: (config network route policy 0)> dst zone ? Zone: Match the IP address to the specified firewall zone. Format: TX40 User Guide...
Page 415 (config network route policy 0)> dst address6 value (config network route policy 0)> where value uses the format IPv6_address[/prefix_length], or any to match any IPv6 address. mac: Matches the destination MACaddress to the specified MACaddress. Set the MAC address to be matched: TX40 User Guide...
Page 416: Example: Dual Wan Policy-Based Routing
This example routes traffic to a specific IP address to go through the cellular WWAN interface, while all other traffic uses the Ethernet WAN interface.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 417  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 418: Example: Domain-Based Routing With Dual Wan
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Example: Domain-based routing with dual WAN This example routes traffic destined for a specific domain to the WAN Ethernet port, and never through the cellular modem. TX40 User Guide...
Page 419 Routing IP routing  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 420  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 421: Example: Route Traffic To A Specific Wan Interface Based On The Client Mac Address
This example routes all data from a certain client device through a cellular WAN based on the device's MACaddress, while all other client devices are routed through the Ethernet WAN.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. TX40 User Guide...
Page 422 Routing IP routing 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
Page 423 Click to expand Source address. ii. For Type, select MAC address. iii. For MAC address, type 26:88:0E:23:50:C2. f. Configure the destination zone: i. Click to expand Destination address. ii. For Type, select Zone. iii. For Zone, select CellularWAN. TX40 User Guide...
Page 424  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 425 (config)> 5. Configure the policy-based route for traffic from the client device that will be sent over the cellular WAN: a. Add a new routing policy: (config)> add network route policy end (config network route policy 0)> TX40 User Guide...
Page 426 Create the packet filtering rule: (config)> add firewall filter end (config firewall filter 2)> b. Set the lable to Reject LAN traffic to cellular WAN: (config firewall filter 2)> label "Reject LAN traffic to cellular WAN" (config firewall filter 2)> TX40 User Guide...
Page 427: Routing Services
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Routing services Your TX40 includes support for dynamic routing services and protocols. The following routing services are supported: Service or...
Page 428: Configure Routing Services
Enable routing services. Enable and configure the types of routing services that will be used.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 429  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 430: Show The Routing Table
Type quit to disconnect from the device. Show the routing table To display the routing table:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 431: Dynamic Dns
 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 432 The amount of time to wait for an IP address update to succeed before retrying the update. The number of times to retry a failed IP address update.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 433 14. Click Apply to save the configuration and apply the change.  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. TX40 User Guide...
Page 434 Set the service: (config network ddns new_ddns_instance)> service service_name (config network ddns new_ddns_instance)> 6. If custom is configured for service, set the custom URL that should be used to update the IP address with the Dynamic DNS provider: TX40 User Guide...
Page 435 (config network ddns new_ddns_instance)> The default is 3d. 12. (Optional) Set the amount of time to wait for an IP address update to succeed before retrying the update: (config network ddns new_ddns_instance)> retry_interval value (config network ddns new_ddns_instance)> TX40 User Guide...
Page 436: Virtual Router Redundancy Protocol (Vrrp)
Multiple TX40 devices can be configured as VRRP devices and assigned a priority. The router with the highest priority will be used as the master router. If the master router fails, then the IP address of the virtual router is mapped to the backup device with the next highest priority.
Page 437: Configure Vrrp
VRRP-enabled devices and dynamically change the VRRP priorty of devices based on the status of their network connectivity.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 438 For Virtual IP, type the IPv4 or IPv6 address for a virtual IP of this VRRP instance. d. (Optional) Repeat to add additional virtual IPs. 11. See Configure VRRP+ for information about configuring VRRP+. 12. Click Apply to save the configuration and apply the change.  Command line TX40 User Guide...
Page 439 Routing Virtual Router Redundancy Protocol (VRRP) 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 440: Configure Vrrp
VRRP+ is an extension to the VRRP standard that uses SureLink network probing to monitor connections through VRRP-enabled devices and adjust devices' VRRP priority based on the status of the SureLink tests. This section describes how to configure VRRP+ on a TX40 device. Required configuration items Both master and backup devices: A configured and enabled instance of VRRP.
Page 441 Routing Virtual Router Redundancy Protocol (VRRP) 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 442 VRRP virtual IP addresses: i. Click to expand DHCP Server > Advanced settings. ii. For Gateway, select Custom. iii. For Custom gateway, enter the IP address of one of the virtual IPs used by this VRRP TX40 User Guide...
Page 443  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 444 Configure the VRRP interface's DHCP server to use a custom gateway that corresponds to one of the VRRP virtual IP addresses: i. Set the DHCP server gateway type to custom: (config)> network interface lan1 ipv4 dhcp_server advanced gateway custom (config)> TX40 User Guide...
Page 445 For example, to set interval to ten minutes, enter 5s: (config)> network interface lan1 ipv4 surelink interval 5s (config)> iv. Create a SureLink test target: (config)> add network interface lan1 ipv4 surelink target end (config network interface lan1 ipv4 surelink target 0)> TX40 User Guide...
Page 446 (config network interface lan1 ipv4 surelink target 0)> interface_down_time value (config network interface lan1 ipv4 surelink target 0)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. TX40 User Guide...
Page 447: Example: Vrrp/Vrrp+ Configuration
10. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Example: VRRP/VRRP+ configuration This example configuration creates a VRRP pool containing two TX40 devices: TX40 User Guide...
Page 448: Configure Device One (Master Device)
Configure device one (master device)  Task 1: Configure VRRP on device one 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 449 Task 2: Configure VRRP+ on device one 1. Click to expand VRRP+. 2. Click Enable. 3. Click to expand Monitor interfaces. 4. Click  to add an interface for monitoring. 5. Select Interface: WWAN1. 6. For Priority modifier, type 30. TX40 User Guide...
Page 450 Command line Task 1: Configure VRRP on device one 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 451 Task 3: Configure the IP address for the VRRP interface, LAN, on device one 1. Type ... to return to the root of the config prompt: (config network vrrp VRRP_test )> ... (config)> 2. Set the IP address for LAN: (config)> network interface lan1 ipv4 address 192.168.3.1/24 (config)> TX40 User Guide...
Page 452: Configure Device Two (Backup Device)
Configure device two (backup device)  Task 1: Configure VRRP on device two 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 453 9. Click to expand Virtual IP addresses. 10. Click  to add a virtual IP address. 11. For Virtual IP, type 192.168.3.3. Task 2: Configure VRRP+ on device two 1. Click to expand VRRP+. 2. Click Enable. 3. Click to expand Monitor interfaces. TX40 User Guide...
Page 454 4. Click to expand Test targets > Test target. 5. For Test Type, select Ping test. 6. For Ping host, type https://remotemanager.digi.com. Task 5: Configure the DHCP server for LAN on device two 1. Click to expand Network > Interfaces > LAN > IPv4 > DHCP Server 2.
Page 455 Command line Task 1: Configure VRRP on device two 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 456 Task 3, step 2 (192.168.3.1). (config)> network interface lan1 ipv4 gateway 192.168.3.1 (config)> Task 4: Configure SureLink for LAN on device two 1. Enable SureLink on the LAN interface: (config)> network interface lan1 ipv4 surelink enable true (config)> TX40 User Guide...
Page 457 (config network interface lan1 ipv4 surelink target 0)> test ping (config network interface lan1 ipv4 surelink target 0)> 4. Set https://remotemanager.digi.com as the hostname to ping: (config network interface lan1 ipv4 surelink target 0)> ping_host https://remotemanager.digi.com(config network interface lan1 ipv4 surelink target 0)>...
Page 458: Show Vrrp Status And Statistics
This section describes how to display VRRP status and statistics for a TX40 device. VRRP status is available from the Web UI only.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 459 Virtual IP address(es) : 10.10.10.1, 100.100.100.1 Current State : Master Current Priority : 100 Last Transition : Tue Jan 1 00:00:39 2019 Became Master Released Master Adverts Sent : 71 Adverts Received Priority Zero Sent Priority zero Received : 0 > TX40 User Guide...
Page 460: Virtual Private Networks (Vpn)
Virtual Private Networks (VPNs) are used to securely connect two private networks together so that devices can connect from one network to the other using secure channels. This chapter contains the following topics: IPsec OpenVPN Generic Routing Encapsulation (GRE) Dynamic Multipoint VPN (DMVPN) L2TP L2TPv3 Ethernet MACsec NEMO TX40 User Guide...
Page 461: Ipsec
Authentication of data to ensure an unauthorized device has not injected it into the IPsec tunnel. IPsec mode The TX40 supports the Tunnel mode. With the Tunnel mode, the entire IP packet is encrypted and/or authenticated and then encapsulated as the payload in a new IP packet. Transport mode is not currently supported.
Page 462: Authentication
XAUTH client. RSASignatures With RSA signatures authentication, the TX40 device uses a private RSA key to authenticate with a remote peer that is using a corresponding public key. Certificate-based Authentication X.509 certificate-based authentication makes use of private keys on both the server and client which...
Page 463 NAT is being used. If using IPsec failover, identify the primary tunnel during configuration of the backup tunnel. The Network Address Translation (NAT) keep alive time. The protocol, either Encapsulating Security Payload (ESP) or Authentication Header (AH). TX40 User Guide...
Page 464 Configure a static route for information about configuring a static route.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 465 Click to expand Firewall > Packet filtering. b. For Add packet filter, click . c. For Label, type Allow incoming IPsec traffic. d. For Source zone, select IPsec. Leave all other fields at their default settings. TX40 User Guide...
Page 466 For Local key, type the local pre-shared key. This must be the same as the remote key on the remote host. ii. For Remote key, type the remote pre-shared key. This must be the same as the local key on the remote host. TX40 User Guide...
Page 467 SCEP certificates: Uses Simple Certificate Enrollment Protocol (SCEP) to download a private key, certificates, and an optional Certificate Revocation List (CRL) to the TX40 device from a SCEP server. You must create the SCEP client prior to configuring the IPsec tunnel. See...
Page 468 For Hostname, type a hostname or IPv4 address. If your device is not configured to initiate the IPsec connection (see IKE > Initiate connection), you can also use the keyword any, which means that the hostname is dynamic or unknown. iii. Click  again to add additional hostnames. TX40 User Guide...
Page 469 Serial number: The device's serial number will be used as the ID and sent as a ID_KEY_ID IKE identity. 21. Click to expand Policies. Policies define the network traffic that will be encapsulated by this tunnel. a. Click  to create a new policy. The new policy configuration is displayed. TX40 User Guide...
Page 470 For Protocol, select one of the following: Any: Matches any protocol. TCP: Matches TCP protocol only. UDP: Matches UDP protocol only. ICMP: Matches ICMP requests only. Other protocol: Matches an unlisted protocol. If Other protocol is selected, type the number of the protocol. TX40 User Guide...
Page 471 Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Phase 2 lifetime to ten minutes, enter 10m or 600s. TX40 User Guide...
Page 472 27. Click Apply to save the configuration and apply the change.  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. TX40 User Guide...
Page 473 Zone: The firewall zone assigned to this IPsec tunnel. This can be used by packet filtering rules and access control lists to restrict network traffic on this tunnel. Format: dynamic_routes edge external hotspot internal ipsec loopback setup Default value: ipsec Current value: ipsec (config vpn ipsec tunnel ipsec_example)> TX40 User Guide...
Page 474 Only the payload of the IP packet is encrypted and/or authenticated. The IP header is unencrypted. The default is tunnel. 8. Set the protocol: (config vpn ipsec tunnel ipsec_example)> type protocol (config vpn ipsec tunnel ipsec_example)> where protocol is either: TX40 User Guide...
Page 475 Set the private key passphrase that is used to decrypt the private key. Leave blank if the private key is not encrypted. (config vpn ipsec tunnel ipsec_example)> auth private_key_ passphrase passphrase (config vpn ipsec tunnel ipsec_example)> c. For the peer_public_key parameter, paste the peer's public RSA key in PEM format: TX40 User Guide...
Page 476 (config vpn ipsec tunnel ipsec_example)> 11. (Optional) Configure the device to connect to its remote peer as an XAUTH client: a. Enable XAUTH client functionality: (config vpn ipsec tunnel ipsec_example)> xauth_client enable true (config vpn ipsec tunnel ipsec_example)> TX40 User Guide...
Page 477 Any ID will be accepted. ipv4: The ID will be interpreted as an IPv4 address and sent as an ID_IPV4_ADDR IKE identity. Set an IPv4 formatted ID. This can be a fully-qualified domain name or an IPv4 address. TX40 User Guide...
Page 478 Repeat for additional hostnames. b. Set the hostname selection type: (config vpn ipsec tunnel ipsec_example)> remote hostname_selection value (config vpn ipsec tunnel ipsec_example)> where value is one of: TX40 User Guide...
Page 479 Set the ID in internet email address format: (config vpn ipsec tunnel ipsec_example)> remote id type rfc822_ id id (config vpn ipsec tunnel ipsec_example)> fqdn: The ID will be interpreted as FQDN (Fully Qualified Domain Name) and sent as an ID_FQDN IKE identity. TX40 User Guide...
Page 480 Do not send oversized IKE messages in fragments, but announce support for fragmentation to the peer. The default is always. e. Padding of IKE packets is enabled by default and should normally not be disabled except for compatibility purposes. To disable: TX40 User Guide...
Page 481 Configure the types of encryption, hash, and Diffie-Hellman group to use during phase 1: i. Add a phase 1 proposal: (config vpn ipsec tunnel ipsec_example)> add ike phase1_proposal (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> TX40 User Guide...
Page 482 Set the type of Diffie-Hellman group to use for key exchange during phase 1: i. Use the ? to determine available Diffie-Hellman group types: (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> dh_group ? curve25519 curve448 ecp192 TX40 User Guide...
Page 483 Set the type of encryption to use during phase 2: (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> cipher value (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> where value is one of: 3des aes128 aes128gcm128 TX40 User Guide...
Page 484 (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> ii. Set the Diffie-Hellman group type: (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> dh_group value (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> The default is modp2048. vi. (Optional) Add additional phase 2 proposals: TX40 User Guide...
Page 485 (config vpn ipsec tunnel ipsec_example nat 0)> b. Set the IPv4 address and optional netmask of a destination network that requires source NAT. You can also use any, meaning that any destination network connected to the tunnel will use source NAT. TX40 User Guide...
Page 486 (config vpn ipsec tunnel ipsec_example policy 0)> where value is the IPv4 address and optional netmask. The keyword any can also be used. request: Requests a network from the remote peer. dynamic: Uses the address of the local endpoint. TX40 User Guide...
Page 487 (config vpn ipsec tunnel ipsec_example policy 0)> remote protocol value (config vpn ipsec tunnel ipsec_example policy 0)> where value is one of: any: Matches any protocol. tcp: Matches TCP protocol only. udp: Matches UDP protocol only. icmp: Matches ICMP requests only. TX40 User Guide...
Page 488 IKE timeout (config)> Generally, the default settings for these should be sufficient. c. You can also enable debugging for IPsec: (config)> vpn ipsec advanced debug value (config)> where value is one of: none basic_auditing detailed_control generic_control raw_data sensitive_data TX40 User Guide...
Page 489 20. Save the configuration and apply the change (config)> save Configuration saved. > 21. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 490: Configure Ipsec Failover
Virtual Private Networks (VPN) IPsec Configure IPsec failover There are two methods to configure the TX40 device to fail over from a primary IPsec tunnel to a backup tunnel: SureLink active recovery—You can use SureLink along with the IPsec tunnel's metric to configure two or more tunnels so that when the primary tunnel is determined to be inactive by SureLink, a secondary tunnel can begin serving traffic that the primary tunnel was serving.
Page 491 See Configure an IPsec tunnel for instructions. During configuration of the IPsec tunnel, set the metric to a value that is higher than the metric of the primary tunnel (for example, 20).  Command line TX40 User Guide...
Page 492 Use the ? to view a list of available tunnels: (config vpn ipsec tunnel backup_ipsec_tunnel)> ipsec_failover ? Preferred tunnel: This tunnel will not start until the preferred tunnel has failed. It will continue to operate until the preferred tunnel returns to full operation TX40 User Guide...
Page 493: Configure Surelink Active Recovery For Ipsec
To configure the TX40 device to regularly probe the IPsec connection:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
Page 494 Virtual Private Networks (VPN) IPsec a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
Page 495 Ping payload size: The number of bytes to send as part of the ping payload. DNS test: Performs a DNS query to the named DNS server. If DNS test is selected, complete the following: DNS server: The IP address of the DNS server. TX40 User Guide...
Page 496 IPv6: The IPv6 connection must be up. Expected status: The status required for the test to past. Up: The test will pass only if the referenced interface is up and passing its own SureLink tests (if applicable). TX40 User Guide...
Page 497 Reset modem: This recovery action is available for WWAN interfaces only. If Reset modem is selected, complete the following: Attempts: The number of attempts for this recovery action to perform, before moving to the next recovery action. TX40 User Guide...
Page 498 For Delayed Start, type the amount of time to wait while the device is starting before SureLink testing begins. This setting is bypassed when the interface is determined to be Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. TX40 User Guide...
Page 499  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 500 1)> ping_size int (config vpn ipsec tunnel ipsec_example surelink tests 1)> dns: Performs a DNS query to the named DNS server. If dns is set, set the IPv4 or IPv6 address of the DNS server: TX40 User Guide...
Page 501 For example, to set interface_timeout to ten minutes, enter either 10m or 600s: (config vpn ipsec tunnel ipsec_example surelink tests 1)> interface_timeout 600s (config)> TX40 User Guide...
Page 502 Either the IPv4 or IPv6 connection must be up. both: Both the IPv4 or IPv6 connection must be up. ipv4 The IPv4 connection must be up. ipv6: The IPv6 connection must be up. TX40 User Guide...
Page 503 (config vpn ipsec tunnel ipsec_example surelink actions 0)> The default is 3. Set the time to wait before the next test is run. If set to the default value of 0s, the test interval is used. TX40 User Guide...
Page 504 (config vpn ipsec tunnel ipsec_example surelink actions 0)> The default is 100. Set the time to wait before the next test is run. If set to the default value of 0s, the test interval is used. TX40 User Guide...
Page 505 Set the number of attempts for this recovery action to perform, before moving to the next recovery action: (config vpn ipsec tunnel ipsec_example surelink actions 0)> max_attempts int (config vpn ipsec tunnel ipsec_example surelink actions 0)> The default is 3. TX40 User Guide...
Page 506 (config vpn ipsec tunnel ipsec_example surelink actions 0)> custom_action: Execute custom recovery commands. If custom_action is selected, complete the following: Set the number of attempts for this recovery action to perform, before moving to the next recovery action: TX40 User Guide...
Page 507 All tests need to pass for SureLink to consider the interface to be up. d. Set the number of times that the test must pass after failure, before the interface is determined to be working and is reinstated. TX40 User Guide...
Page 508 For example, to set backoff_interval to ten minutes, enter either 10m or 600s: (config)> vpn ipsec tunnel ipsec_example surelink advanced backoff_ interval 600s (config)> The default is 300 seconds. TX40 User Guide...
Page 509: Show Ipsec Status And Statistics
 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 510: Debug An Ipsec Configuration
 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 511: Configure A Simple Certificate Enrollment Protocol Client
 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 512 The number of days that the certificate enrollment can be renewed, prior to the request expiring.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 513 9. For Renewable Time, type the number of days that the certificate enrollment can be renewed, prior to the request expiring. This value is configured on the SCEP server, and is used by the TX40 device to determine when to start attempting to auto-renew an existing certificate. The default is 7.
Page 514 Click Use New Private Key to enable the creation of a new private key for renewal requests. c. Use Client Certificate is enabled by default. Click to disable the use of a client certificate for renewal requrests. 22. Click Apply to save the configuration and apply the change.  Command line TX40 User Guide...
Page 515 Virtual Private Networks (VPN) IPsec 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 516 The URL to the file name used to access the certificate revocation list from the crldp: The CRL distribution point. getCRL: A CRL query using the issuer name and serial number from the certificate whose revocation status is being queried. The default is url. TX40 User Guide...
Page 517 (config network scep_client scep_client_name)> polling_interval 600s (config network scep_client scep_client_name)> The default is 5s. 14. Set the bit size of the private key: (config network scep_client scep_client_name)> key_length int (config network scep_client scep_client_name)> The default is 2048. TX40 User Guide...
Page 518: Example: Scep Client Configuration With Fortinet Scep Server
Type quit to disconnect from the device. Example: SCEP client configuration with Fortinet SCEP server In this example configuration, we will configure the TX40 device as a SCEP client that will connect to a Fortinet SCEP server. Fortinet configuration On the Fortinet server: 1.
Page 519 Click OK. TX40 configuration On the TX40 device:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 520 8. Click to expand SCEP server. 9. For FQDN, type the fully qualified domain name or IP address of the Fortinet server. 10. For Password, type the challenge password. This corresponds to the Default enrollment password on the Fortinet server. TX40 User Guide...
Page 521  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 522 8. Set the number of days that the certificate enrollment can be renewed, prior to the request expiring. This value must match the setting of the Allow renewal x days before the certified is expired option on the Fortinet server. TX40 User Guide...
Page 523: Show Scep Client Status And Information
 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 524 Last Update : May 23 13:27:21 2022 GMT > 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 525: Openvpn
OpenVPN clients. OpenVPN clients use Network Address Translation (NAT) to route traffic from devices connected on its LAN interfaces to the OpenVPN server. The manner in which the IP subnets are defined depends on the OpenVPN topology in use. The TX40 device supports two types of OpenVPN topology:...
Page 526: Configure An Openvpn Server
Virtual Private Networks (VPN) OpenVPN OpenVPN managed—The TX40 device creates the interface and then uses its standard configuration to set up the connection (for example, its standard DHCP server configuration). Device only—IP addressing is controlled by the system, not by OpenVPN.
Page 527 Access control list configuration to restrict access to the OpenVPN server through the firewall. Additional OpenVPN parameters.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 528 Certificate and username/password: Uses both certificates and a username and password for client authentication. Each client requires a public and private key, and you must create an OpenVPN authentication group and user. See Configure an OpenVPN Authentication Group and User for instructions. TX40 User Guide...
Page 529 No limit to IPv6 addresses that can access the service-type. d. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: a. Click Interfaces. b. For Add Interface, click .
Page 530  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 531 1 and 255. The number entered here will represent the last client IP address. For example, if address is set to 192.168.1.1/24 and server_last_ip is set to 99, the last client IP address will be 192.168.1.80. TX40 User Guide...
Page 532 Paste the contents of the public key (for example, server.crt) into the value of the server_cert parameter: (config vpn openvpn server name)> server_cert value (config vpn openvpn server name)> iv. Paste the contents of the private key (for example, server.key) into the value of the server_key parameter: TX40 User Guide...
Page 533 No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: (config vpn openvpn server name)> add acl interface end value (config vpn openvpn server name)>...
Page 534 10. Save the configuration and apply the change (config)> save Configuration saved. > 11. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 535: Configure An Openvpn Authentication Group And User
TX40 user authentication for more information about creating authentication groups and users.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 536 Type a password for the user. This password is used for local authentication of the user. You can also configure the user to use RADIUS or TACACS+ authentication by configuring authentication methods. See User authentication methods for information. TX40 User Guide...
Page 537 OpenVPN d. Click to expand the Groups node. e. Click  to add a group to the user. f. Select a Group with OpenVPN access enabled. 5. Click Apply to save the configuration and apply the change. TX40 User Guide...
Page 538  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 539: Configure An Openvpn Client By Using An .Ovpn File
Configure SureLink active recovery for OpenVPN for information about OpenVPN active recovery.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 540  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 541 8. Save the configuration and apply the change (config)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 542: Configure An Openvpn Client Without Using An .Ovpn File
Configure SureLink active recovery for OpenVPN for information about OpenVPN active recovery.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 543 13. Paste the contents of the CA certificate (usually in a ca.crt file), the Public key (for example, client.crt), and the Private key (for example, client.key) into their respective fields. The contents will be hidden when the configuration is saved. 14. (Optional) Click to expand Advanced Options to manually set additional OpenVPN parameters. TX40 User Guide...
Page 544  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 545 12. Paste the contents of the public key (for example, client.crt) into the value of the public_cert parameter: (config vpn openvpn client name)> public_cert value (config vpn openvpn client name)> 13. Paste the contents of the private key (for example, client.key) into the value of the private_ key parameter: TX40 User Guide...
Page 546: Configure Surelink Active Recovery For Openvpn
Type quit to disconnect from the device. Configure SureLink active recovery for OpenVPN You can configure the TX40 device to regularly probe OpenVPN client connections to determine if the connection has failed and take remedial action. Required configuration items A valid OpenVPN client configuration.
Page 547 OpenVPN To configure the TX40 device to regularly probe the OpenVPN connection:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 548 The Interface gateway. If Interface gateway is selected, an initial traceroute is sent to the hostname or IP address configured in the SureLink advanced settings, and then the first hop in that route is used for the ping test. TX40 User Guide...
Page 549 TCP connect host: The hostname or IP address of the host to create a TCP connection to. TCP connect port: The TCP port to create a TCP connection to. Test another interface's status: Tests the status of another interface. If Test another interface's status is selected, complete the following: TX40 User Guide...
Page 550 Override wait interval before performing the next recovery action: The time to wait before the next test is run. If set to the default value of 0s, the Test interval is used. Restart interface. If Restart interface is selected, complete the following: TX40 User Guide...
Page 551 Powercycle the modem. This recovery action is available for WWAN interfaces only. If Powercycle the modem is selected, complete the following: Attempts: The number of attempts for this recovery action to perform, before moving to the next recovery action. TX40 User Guide...
Page 552  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 553 Uses ICMP to determine connectivity. If ping is selected, complete the following: Set the ping_method: (config vpn openvpn client openvpn_client1 surelink tests 1)> ping_method value (config vpn openvpn client openvpn_client1 surelink tests 1)> where value is one of: TX40 User Guide...
Page 554 (config vpn openvpn client openvpn_client1 surelink tests 1)> interface_down_time value (config vpn openvpn client openvpn_client1 surelink tests 1)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. TX40 User Guide...
Page 555 Set the TCP port to create a TCP connection to. (config vpn openvpn client openvpn_client1 surelink tests 1)> tcp_port port (config vpn openvpn client openvpn_client1 surelink tests 1)> other: Tests the status of another interface. If other is selected, complete the following: TX40 User Guide...
Page 556 (config)> add vpn openvpn client openvpn_client1 surelink actions end (config vpn openvpn client openvpn_client1 surelink actions 0)> c. New actions are enabled by default. To disable: (config vpn openvpn client openvpn_client1 surelink actions 0)> enable false (config vpn openvpn client openvpn_client1 surelink actions 0)> TX40 User Guide...
Page 557 (config vpn openvpn client openvpn_client1 surelink actions 0)> modem_action value (config vpn openvpn client openvpn_client1 surelink actions 0)> where value is one of: update_routing_table: Increases the interface's metric to change the default gateway. If update_routing_table is selected, complete the following: TX40 User Guide...
Page 558 (config vpn openvpn client openvpn_client1 surelink actions 0)> override_interval int (config vpn openvpn client openvpn_client1 surelink actions 0)> reset_modem: This recovery action is available for WWAN interfaces only. If reset_modem is selected, complete the following: TX40 User Guide...
Page 559 0)> max_attempts int (config vpn openvpn client openvpn_client1 surelink actions 0)> The default is 3. Set the time to wait before the next test is run. If set to the default value of 0s, the test interval is used. TX40 User Guide...
Page 560 Set the time to wait before the next test is run. If set to the default value of 0s, the test interval is used. (config vpn openvpn client openvpn_client1 surelink actions 0)> override_interval int (config vpn openvpn client openvpn_client1 surelink actions 0)> g. Repeat for each additional recovery action. TX40 User Guide...
Page 561 For example, to set timeout to ten minutes, enter either 10m or 600s: (config)> vpn openvpn client openvpn_client1 surelink timeout 600s (config)> The default is 15s. TX40 User Guide...
Page 562 (config vpn openvpn client openvpn_client1 connection_monitor target 0)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 563: Show Openvpn Server Status And Statistics
 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 564: Show Openvpn Client Status And Statistics
 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 565 : udp Port : 1194 Type : tun > 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 566: Generic Routing Encapsulation (Gre)
Enable the device to respond to keepalive packets. Task One: Create a GRE loopback endpoint interface  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 567  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 568 Type quit to disconnect from the device. Task Two: Configure the GRE tunnel  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 569  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 570 (config vpn iptunnel gre_example)> save Configuration saved. > 11. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 571: Show Gre Tunnels
Show GRE tunnels To view information about currently configured GRE tunnels:  Log into the TX40 WebUI as a user with full Admin access rights. 1. On the menu, click Status > IP tunnels. The IP Tunnelspage appears. 2. To view configuration details about a GRE tunnel, click the  (configuration) icon in the upper right of the tunnel's status pane.
Page 572: Example: Gre Tunnel Over An Ipsec Tunnel
Example: GRE tunnel over an IPSec tunnel The TX40 device can be configured as an advertised set of routes through an IPSec tunnel. This allows you to leverage the dynamic route advertisement of GRE tunnels through a secured IPSec tunnel.
Page 573 Configuration procedures Configure the TX40-1 device Task one: Create an IPsec tunnel  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 574  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 575 4. Set the pre-shared key to testkey: (config vpn ipsec tunnel ipsec_gre1)> auth secret testkey (config vpn ipsec tunnel ipsec_gre1)> 5. Set the remote endpoint to public IP address of the TX40-2 device: (config vpn ipsec tunnel ipsec_gre1)> remote hostname 192.168.101.1 (config vpn ipsec tunnel ipsec_gre1)>...
Page 576 7. Click Apply to save the configuration and apply the change.  Command line 1. At the command line, type config to enter configuration mode: > config (config)> 2. Add an interface named ipsec_endpoint1: (config)> add network interface ipsec_endpoint1 (config network interface ipsec_endpoint1)> TX40 User Guide...
Page 577 3. For Local endpoint, select the IPsec endpoint interface created in Task two (Interface: ipsec_ endpoint1). 4. For Remote endpoint, type the IP address of the GRE tunnel on TX40-2, 172.30.0.2. 5. Click Apply to save the configuration and apply the change.  Command line 1.
Page 578 (config vpn iptunnel gre_tunnel1)> local /network/interface/ipsec_ endpoint1 (config vpn iptunnel gre_tunnel1)> 4. Set the remote endpoint to the IP address of the GRE tunnel on TX40-2, 172.30.0.2: (config vpn iptunnel gre_tunnel1)> remote 172.30.0.2 (config vpn iptunnel gre_tunnel1)> 5. Save the configuration and apply the change (config vpn iptunnel gre_tunnel1)>...
Page 579 (config network interface gre_interface1)> save Configuration saved. > 7. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 580 Generic Routing Encapsulation (GRE) Configure the TX40-2 device Task one: Create an IPsec tunnel  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 581  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 582 Task two: Create an IPsec endpoint interface  1. Click Network > Interfaces. 2. For Add Interface, type ipsec_endpoint2 and click . 3. For Zone, select Internal. 4. For Device, select Ethernet: loopback. 5. Click to expand IPv4. TX40 User Guide...
Page 583 5. Set the IPv4 address to the IP address of the local GRE tunnel, 172.30.0.2/32: (config network interface ipsec_endpoint2)> ipv4 address 172.30.0.2/32 (config network interface ipsec_endpoint2)> 6. Save the configuration and apply the change (config vpn ipsec tunnel ipsec_endpoint2)> save Configuration saved. > Task three: Create a GRE tunnel  TX40 User Guide...
Page 584 (config vpn iptunnel gre_tunnel2)> local /network/interface/ipsec_ endpoint2 (config vpn iptunnel gre_tunnel2)> 4. Set the remote endpoint to the IP address of the GRE tunnel on TX40-1, 172.30.0.1: (config vpn iptunnel gre_tunnel2)> remote 172.30.0.1 (config vpn iptunnel gre_tunnel2)> 5. Save the configuration and apply the change (config vpn iptunnel gre_tunnel2)>...
Page 585 7. Click Apply to save the configuration and apply the change.  Command line 1. At the command line, type config to enter configuration mode: > config (config)> 2. Add an interface named gre_interface2: (config)> add network interface gre_interface2 (config network interface gre_interface2)> TX40 User Guide...
Page 586: Dynamic Multipoint Vpn (Dmvpn)
This is achieved by the creation of a dynamic GRE tunnel directly to the other spoke. The network address of the target spoke is resolved with the use of Next Hop Resolution Protocol (NHRP). This section contains the following topics: Configure a DMVPN spoke TX40 User Guide...
Page 587: Configure A Dmvpn Spoke
Dynamic Multipoint VPN (DMVPN) Configure a DMVPN spoke To configure a DMVPN spoke:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 588 For Address, type the IP address and netmask of the tunnel. The netmask must be set to /32. 5. Configure NHRP: a. Click Network > Routing Services. b. Enable routing services. c. Click to expand NHRP. d. Enable NHRP. e. Click to expand Network. TX40 User Guide...
Page 589 For AS number, type the autonomous system number for this device. d. For Best path criteria, select Multipath. e. Click to expand Neighbours. f. Click  to add a neighbour. g. For IP address, type the IP address of the hub. TX40 User Guide...
Page 590  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 591 IP address to 10.20.1.4/32: (config network interface dmvpn_tunnel_interface)> ipv4 address 10.20.1.4/32 (config network interface dmvpn_tunnel_interface)> 5. Configure NHRP: a. Type ... to return to the top level of the configuration schema: (config network interface dmvpn_tunnel_interface)> ... (config)> TX40 User Guide...
Page 592 Type ... to return to the top level of the configuration schema: (config network interface dmvpn_tunnel_interface)> ... (config)> b. Enable BGP: (config)> network route service bgp enable true (config)> c. Set the autonomous system number for this device. For example, to set the autonomous system number to 66007: TX40 User Guide...
Page 593: L2Tp
Your TX40 device supports PPP-over-L2TP (Layer 2 Tunneling Protocol). Configure a PPP-over-L2TP tunnel Your TX40 device supports PPP-over-L2TP (Layer 2 Tunneling Protocol). The tunnel endpoints are known as L2TP Access Concentrators (LAC) and L2TP Network Servers (LNS). Each endpoint terminates the PPP session.
Page 594 Whether to override the default configuration and only use the custom options. Optional configuration data in the format of a pppd options file.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 595 No limit to IPv6 addresses that can access the service-type. d. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: a. Click Interfaces. b. For Add Interface, click .
Page 596 None: No authentication is required. Automatic: The device will attempt to connect using CHAP first, and then PAP. CHAP: Uses the Challenge Handshake Authentication Profile (CHAP) to authenticate. PAP: Uses the Password Authentication Profile (PAP) to authenticate. TX40 User Guide...
Page 597  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 598 No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: (config)> add vpn l2tp acl interface end value (config)>...
Page 599 0 and 65535. The default is 1. g. Set the firewall zone for the tunnel. This is used by packet filtering rules and access control lists to restrict network traffic on the tunnel. TX40 User Guide...
Page 600 6. To add an L2TP network server: a. Add an LNS: (config)> add vpn l2tp lns name (config add vpn l2tp lac name)> where name is the name of the LNS. For example, to add an LNS named lns_server: TX40 User Guide...
Page 601 If auto, chap, pap or mschapv2 is selected, enter the Username and Password required to authenticate: (config vpn l2tp lns lns_server)> username username (config vpn l2tp lns lns_server)> password password (config vpn l2tp lns lns_server)> The default is none. TX40 User Guide...
Page 602 (config vpn l2tp lac lns lns_server)> custom enable true (config vpn l2tp lns lns_server)> ii. Enable overriding, if the custom configuration should override the default configuration and only use the custom options: (config vpn l2tp lns lns_server)> custom override true (config vpn l2tp lns lns_server)> TX40 User Guide...
Page 603: L2Tp With Ipsec
This means that you cannot restrict traffic on the IPsec tunnel to L2TP traffic (typically UDP port 1701). While multiple L2TP clients are supported on the TX40 by configuring a separate LNS for each client, multiple clients behind a Network Address Translation (NAT) device are not supported, because they will all appear to have the same IP address.
Page 604 Show the status of L2TP access connectors from the Admin CLI 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights.
Page 605: L2Tpv3 Ethernet
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. L2TPv3 Ethernet Your TX40 device supports Layer 2 Tunneling Protocol Version 3 (L2TPv3) static unmanaged Ethernet tunnels. Configure an L2TPv3 tunnel Your TX40 device supports Layer 2 Tunneling Protocol Version 3 (L2TPv3) static unmanaged Ethernet tunnels.
Page 606 Virtual Private Networks (VPN) L2TPv3 Ethernet  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 607  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 608 1 and 4294967295. 11. Set the session ID of the remote peer: (config vpn l2tpeth L2TPv3_example session_example)> peer_session_id value (config vpn l2tpeth L2TPv3_example session_example)> where value is any integer between 1 and 4294967295. TX40 User Guide...
Page 609: Show L2Tpv3 Tunnel Status
Type quit to disconnect from the device. Show L2TPV3 tunnel status  Log into the TX40 WebUI as a user with full Admin access rights. 1. On the menu, select Status. Under VPN, select L2TPv3 Ethernet. The L2TPv3 Ethernet page appears.
Page 610  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 611: Macsec
The local network device to connect to the peer device. When using Manual mode, the connectivity association key and key name.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 612  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 613: Nemo
Local Area Networks (LANs) on your device. NEMO creates a tunnel between the home agent on the mobile private network and the TX40 device, isolating the connection from internet traffic and advertising the IP subnets of the LANs for remote access and device management.
Page 614: Configure A Nemo Tunnel
If the local network is set to Interface, identify the local interface to be used.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 615 10. For MTU discovery, leave enabled to determine the maximum transmission unit (MTU) size. If disabled, for MTU, type the MTU size. The default MTU size for LANs on the TX40 device is 1500. The MTU size of the NEMO tunnel will be smaller, to take into account the required headers.
Page 616  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 617 (config vpn nemo nemo_example)> mtu_discovery false (config vpn nemo nemo_example)> If disabled, set the MTU size. The default MTU size for LANs on the TX40 device is 1500. The MTU size of the NEMO tunnel will be smaller, to take into account the required headers.
Page 618: Show Nemo Status
Type quit to disconnect from the device. Show NEMO status  Log into the TX40 WebUI as a user with full Admin access rights. 1. On the menu, select Status > NEMO. The NEMO page appears. 2. To view configuration details about an NEMO tunnel, click the  (configuration) icon in the upper right of the tunnel's status pane.
Page 619  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 620 System time Network Time Protocol Configure a multicast route Ethernet network bonding Enable service discovery (mDNS) Information Technology for Public Transport (ITxPT) support Use the MQTT broker service Use the iPerf service Configure the ping responder service TX40 User Guide...
Page 621: Allow Remote Access For Web Administration And Ssh
To allow web administration or SSH for the External firewall zone: Add the External firewall zone to the web administration service  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 622  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 623 Services Allow remote access for web administration and SSH  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 624: Configure The Web Administration Service
 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 625 The web administration service is enabled by default. To disable the service, or enable it if it has been disabled:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 626 Type quit to disconnect from the device. Configure the service  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 627 No limit to IPv6 addresses that can access the web administration service. d. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: a. Click Interfaces.
Page 628  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 629 No limit to IPv6 addresses that can access the web administratrion service. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: (config)> add service web_admin acl interface end value (config)>...
Page 630 Paste the contents of certificate.pem and key.pem into the service web_admin cert command. Enclose the contents of certificate.pem and key.pem in quotes. For example: (config)> service web_admin cert "-----BEGIN CERTIFICATE----- MIID8TCCAtmgAwIBAgIULOwezcmbnQmIC9pT9txwCfUbkWQwDQYJKoZIhvcNAQEL BQAwgYcxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xDjAMBgNVBAcMBUFs b2hhMRMwEQYDVQQKDApNY0JhbmUgSW5jMRAwDgYDVQQLDAdTdXBwb3J0MQ8wDQYD VQQDDAZtY2JhbmUxHzAdBgkqhkiG9w0BCQEWEGptY2JhbmVAZGlnaS5jb20wHhcN MjAwOTIyMTY1OTUyWhcNMjEwOTIyMTY1OTUyWjCBhzELMAkGA1UEBhMCVVMxDzAN BgNVBAgMBk9yZWdvbjEOMAwGA1UEBwwFQWxvaGExEzARBgNVBAoMCk1jQmFuZSBJ bmMxEDAOBgNVBAsMB1N1cHBvcnQxDzANBgNVBAMMBm1jYmFuZTEfMB0GCSqGSIb3 DQEJARYQam1jYmFuZUBkaWdpLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBAOBn19AX01LO9plYtfRZq0bETwNwSCYGeEIOGJ7gHt/rihLVBJS1woYv u1Oq1ohYxIawBY1iIPBD2GtzyEJXzBZdQRhwi/dRyRi4vr7EkjGDr0Vb/NVT0L5w UzcMeT+71DYvKYm6GpcWx+LoKqFTjbMFBIze5pbBfru+SicId6joCHIuYq8Ehflx 6sy6s4MDbyTUAEN2YhsBaOljej64LNzcsHeISbAWibXWjOSsK+N1MivQq5uwIYw/ 1fsnD8KDS43Wg57+far9fQ2MIHsgnoAGz+w6PIKJR594y/MfqQffDFNCh2lJY49F TX40 User Guide...
Page 631 DNS server. mDNS is enabled by default. To disable mDNS, or enable it if it has been disabled: To enable the mDNS protocol: (config)> service web_admin mdns enable true (config> TX40 User Guide...
Page 632 9. Save the configuration and apply the change (config)> save Configuration saved. > 10. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 633: Configure Ssh Access
The SSH service is enabled by default. To disable the service, or enable it if it has been disabled:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights.
Page 634 Type quit to disconnect from the device. Configure the service  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 635 No limit to IPv6 addresses that can access the SSH service. d. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: a. Click Interfaces.
Page 636  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 637 No limit to IPv6 addresses that can access the SSH service. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: (config)> add service ssh acl interface end value (config)>...
Page 638 SSH configuration. If override is set to false, entries in Configuration file will be added to the standard SSH configuration. The default is false. c. Set the configuration settings: (config)> service ssh custom config_file value (config)> TX40 User Guide...
Page 639 8. Save the configuration and apply the change (config)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 640: Use Ssh With Key Authentication
SSH service to allow SSH access for the External firewall zone.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 641 These instructions assume an existing user named temp_user. 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights.
Page 642 Services Use SSH with key authentication 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 643: Configure Telnet Access
Enable the telnet service The telnet service is disabled by default. To enable the service:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 644 Type quit to disconnect from the device. Configure the service  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 645 No limit to IPv6 addresses that can access the telnet service. d. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: a. Click Interfaces.
Page 646  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 647 5. (Optional) Set the port number for this service. The default setting of 23 normally should not be changed. (config)> service telnet port 25 (config)> 6. Save the configuration and apply the change (config)> save Configuration saved. > TX40 User Guide...
Page 648: Configure Dns
The device is configured by default with the hostname digi.device, which corresponds to the 192.168.210.1 IP address. To configure the DNS server:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 649 No limit to IPv6 addresses that can access the DNS service. d. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: a. Click Interfaces.
Page 650  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 651 No limit to IPv6 addresses that can access the DNS service. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: (config)> add service dns acl interface end value (config)>...
Page 652 To restrict the device's use of this DNS server based on the domain, use the domain command. If no domain are listed, then all queries may be sent to this server. (config service dns server 0)> domain domain (config service dns server 0)> TX40 User Guide...
Page 653: Show Dns Server
Command line Show DNS information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 654: Wan Bonding
WAN bonding also provides seamless failover by automatically using multiple pipes within the bonded tunnel. The WAN bonding service for your TX40 device must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. This section contains the following topics:...
Page 655: Use Digi Remote Manager To Enable And Configure Wan Bonding On Multiple Devices
Use Digi Remote Manager to enable and configure WAN bonding on multiple devices Note WAN bonding support must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. You must also set up the WAN bonding server. This can be done using one of three mechanisms: Set up a WAN bonding server on physical hardware or a Virtual Private Server (VPS) in your local environment.
Page 656 Select Interfaces and select a WAN interface to be bonded. Note By default, TX40 devices prioritize their WAN Ethernet connection over any WWAN cellular connections. Consider this prioritization if using both wired Ethernet and cellular Internet connections. Make sure to add the highest priority in-use interface(s) to the WAN Bonding settings.
Page 657 4. Create a site-specific settings file for the Tunnel username and Tunnel password options: a. Click  Home. b. Click  and select  Download to download a CSV file to your local filesystem, which you can use to set site-specific settings. TX40 User Guide...
Page 658: Configure Wan Bonding On Your Local Device
Configure WAN bonding on your local device Note WAN bonding support must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. You must also set up the WAN bonding server. This can be done using one of three mechanisms: Set up a WAN bonding server on physical hardware or a Virtual Private Server (VPS) in your local environment.
Page 659 Additional configuration items The firewall zone for the new bonded interface, if other than External.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 660 For Interfaces, select a WAN interface to be bonded. Note By default, TX40 devices prioritize their WAN Ethernet connection over any WWAN cellular connections. Consider this prioritization if using both wired Ethernet and cellular Internet connections. Make sure to add the highest priority in-use interface(s) to the WAN Bonding settings.
Page 661  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 662 Automatically sets the mode to Cellular Optimized for Speed-mode for cellular, and Ethernet for non-cellular. This is the default mode. mobileAggressive: A general-purpose configuration suitable for most lines (4G, DSL, etc), with a fair tolerance for packet loss and latency. TX40 User Guide...
Page 663: Show Wan Bonding Status And Statistics
Command line Show WAN bonding information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 664 RX 4 sent, 0 lost; TX 5 sent, 0 lost, 4 acked Total RX 16 sent, 0 lost; TX 18 sent, 0 lost, 18 acked Channel #1 (wwan0.1) ---------------- Enabled Status "connected" Uptime 5 sec Latency 55ms (current) / 57ms (idle) In Transit TX40 User Guide...
Page 665 RX 17 sent, 0 lost; TX 19 sent, 0 lost, 19 acked > 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 666: Simple Network Management Protocol (Snmp)
By default, the TX40 device automatically blocks SNMP packets from being received over WAN and LAN interfaces. As a result, if you want a TX40 device to receive SNMP packets, you must configure the SNMP access control list to allow the device to receive the packets. See...
Page 667 Services Simple Network Management Protocol (SNMP) 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 668  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 669 No limit to IPv6 addresses that can access the SNMP service. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: (config)> add service snmp acl interface end value (config)>...
Page 670 9. (Optional) Set the authentication type. Allowed values are MD5 or SHA. The default is MD5. (config)> service snmp auth_type SHA (config)> 10. (Optional) Set the privacy passphrase. If not set, the password, entered above, is used. (config)> service snmp privacy pwd (config)> TX40 User Guide...
Page 671: Download Mibs
Enable SNMP. To download a .zip archive of the SNMP MIBs supported by this device:  Log into the TX40 WebUI as a user with full Admin access rights. 1. Enable SNMP. Configure Simple Network Management Protocol (SNMP) for information about enabling and configuring SNMP support on the TX40 device.
Page 672 Services Simple Network Management Protocol (SNMP) The SNMP page is displayed. 3. Click Download. TX40 User Guide...
Page 673: Location Information
By default, both the internal GNSS module and the external dead-reckoning USB GNSS receiver are enabled. You can also configure your TX40 device to forward location messages, either from the TX40 device or from external sources, to a remote host. Additionally, the device can be configured to use a geofence, to allow you to determine actions that will be taken based on the physical location of the device.
Page 674: Configure The Location Service
The location service is enabled by default. You can disable it, or you can enable it if it has been disabled.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 675  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 676: Configure The Internal Gnss Module
In order for the internal GNSS module to be able to provide location information, you must connect an antenna to the GNSS antenna connector.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 677  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 678: Use A Dead Reckoning External Usb Gnss Receiver
To disable support for the external GNSS receiver, or enable it if it has been disabled:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 679  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 680: Configure The Device To Use A User-Defined Static Location
Configure the device to use a user-defined static location You can configured your TX40 device to use a user-defined static location.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 681  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 682: Configure The Device To Accept Location Messages From External Sources
Access control list configuration to provide access to the port through the firewall. To configure the device to accept location messages from external sources:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 683 No limit to IPv6 addresses that can access the location server UDP port. d. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: a. Click Interfaces.
Page 684  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 685 No limit to IPv6 addresses that can access the location server UDP port. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: (config)> add service location source 1 acl interface end value (config)>...
Page 686 No limit to IPv6 addresses that can access the location server UDP port. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: (config)> add service location source 2 acl interface end value (config)>...
Page 687: Forward Location Information To A Remote Host
Type quit to disconnect from the device. Forward location information to a remote host You can configure location clients on the TX40 device that forward location messages in either NMEA or TAIP format to a remote host. Required configuration items Enable the location service.
Page 688 A vehicle ID that is used in the TAIP ID message and can also be prepended to the forwarded message. Configure the TX40 device to forward location information:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 689 13. (Optional) For Prepend text, enter text to prepend to the forwarded message. Two variables can be included in the prepended text: %s: Includes the TX40 device's serial number in the prepended text. %v: Includes the vehicle ID in the prepended text.
Page 690  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 691 9. (Optional) Set the text to prepend to the forwarded message. Two variables can be included in the prepended text: %s: Includes the TX40 device's serial number in the prepended text. %v: Includes the vehicle ID in the prepended text.
Page 692 To add a message type: a. Change to the filter_nmea node: (config service location forward 0)> filter_nmea (config service location forward 0 filter_nmea)> b. Use the add command to add the message type. For example, to add the gsa message type: TX40 User Guide...
Page 693 13. Save the configuration and apply the change (config)> save Configuration saved. > 14. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 694: Configure Geofencing
Update interval, which determines the amount of time that the geofence should wait between polling for updated location data.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. TX40 User Guide...
Page 695 Services Location information 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
Page 696 Click  again to add an additional point, and continue adding points to create the desired polygon. For example, to configure a square polygon around the Digi headquarters, configure a polygon with four points: This defines a square-shaped polygon equivalent to the following: 7.
Page 697 If you disable Sandbox, the script may render the system unusable. vii. Repeat for any additional actions. To define actions that will be taken when the device exits the geofence, or is outside the geofence when it boots: TX40 User Guide...
Page 698 Sandbox is enabled by default. This prevents the script from adversely affecting the system. If you disable Sandbox, the script may render the system unusable. vii. Repeat for any additional actions. 8. Click Apply to save the configuration and apply the change.  Command line TX40 User Guide...
Page 699 Services Location information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 700 Configure additional vortices: (config service location geofence test_geofence coordinates 0)> .. (config service location geofence test_geofence coordinates)> add end (config service location geofence test_geofence coordinates 1)> latitude int (config service location geofence test_geofence coordinates 1)> longitude int TX40 User Guide...
Page 701 For longitude, any integer between -180 and 180, with up to six decimal places. Repeat for each vortex of the polygon. For example, to configure a square polygon around the Digi headquarters, configure a polygon with four points: (config service location geofence test_geofence)> add...
Page 702 Add the action: (config)> add service location geofence test_geofence on_ entry action end (config service location geofence test_geofence on_entry action 0)> d. Set the type of action: (config service location geofence test_geofence on_entry action 0)> type value TX40 User Guide...
Page 703 For example. the allocate one megabyte of memory to the script and its spawned processes: (config service location geofence test_geofence on_entry action 0)> max_memory 1MB (config service location geofence test_geofence on_entry action 0)> TX40 User Guide...
Page 704 (config)> add service location geofence test_geofence on_exit action end (config service location geofence test_geofence on_exit action 0)> d. Set the type of action: (config service location geofence test_geofence on_exit action 0)> type value (config service location geofence test_geofence on_exit action 0)> TX40 User Guide...
Page 705 (config service location geofence test_geofence on_exit action 0)> max_memory 1MB (config service location geofence test_geofence on_exit action 0)> v. A sandbox is enabled by default to prevent the script from adversely affecting the system. To disable the sandbox: TX40 User Guide...
Page 706: Show Location Information
Command line Show location information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 707: Modbus Gateway
Type quit to disconnect from the device. Show geofence information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights.
Page 708: Configure The Modbus Gateway
The maximum time between bytes in a packets. Whether to send broadcast messages. Response timeout If connection type is set to socket: The port to use. The inactivity timeout. If connection type is set to serial: Whether to use half duplex (two wire) mode. TX40 User Guide...
Page 709 Whether packets should be delivered to a fixed Modbus address. Whether packets should have their Modbus address adjusted downward before to delivery.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 710 For Port, enter or select an appropriate port. The default is port 502. If Serial is selected for Connection type: a. For Serial port, select the appropriate serial port on the TX40 device. 5. For Packet mode, select RTU or RAW (if Connection type is set to Socket) or ASCII (if Connection typeis set to Serial) for the type of packet that will be used by this connection.
Page 711 No limit to IPv6 addresses that can access the web administration service. d. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: a. Click Interfaces.
Page 712 Modbus server is running. If Serial is selected for Connection type: a. For Serial port, select the appropriate serial port on the TX40 device. 5. For Packet mode, select RTU or RAW (if Connection type is set to Socket) or ASCII (if Connection typeis set to Serial) for the type of packet that will be used by this connection.
Page 713 No limit to IPv6 addresses that can access the web administration service. d. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: a. Click Interfaces.
Page 714  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 715 (config service modbus_gateway server test_modbus_server)> where value is any number of minutes or seconds up to a maximum of 15 minutes, and takes the format number{m|s}. For example, to set inactivity_timeout to ten minutes, enter either 10m or 600s: TX40 User Guide...
Page 716 For example, to set idle_gap to one second, enter 1000ms or 1s. iv. (Optional) Enable half-duplex (two wire) mode: (config service modbus_gateway server test_modbus_server)> serial half_duplex true (config service modbus_gateway server test_modbus_server)> c. Repeat the above instructions for additional servers. TX40 User Guide...
Page 717 1 and 65535. The default is 502. iii. Set the packet mode: (config service modbus_gateway client test_modbus_client)> socket packet_mode value (config service modbus_gateway client test_modbus_client)> where value is either rtu or ascii. The default is rtu. TX40 User Guide...
Page 718 Set the serial port: i. Use the ? to determine available serial ports: (config service modbus_gateway client test_modbus_ client)> ... serial port ? Serial Additional Configuration ------------------------------------------------------- ------------------------ port1 Port 1 (config service modbus_gateway client test_modbus_ client)> TX40 User Guide...
Page 719 Allowed values are between 1 millisecond and 700 milliseconds, and take the format numberms. For example, to set response_timeout to 100 milliseconds: (config service modbus_gateway client test_modbus_client)> response_ timeout 100ms (config service modbus_gateway client test_modbus_client)> The default is 700ms. TX40 User Guide...
Page 720 This allows you to configure clients on the gateway that will forward messages to remote devices with the same Modbus address on different buses. For example, if there are two devices on two TX40 User Guide...
Page 721: Show Modbus Gateway Status And Statistics
 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 722 ----------------- Configuration Updates Client Configuration Failure Server Configuration Failure Configuration Load Failure Incoming Connections Internal Error Resource Shortages Servers ------- modbus_socket ------------- Client Lookup Errors Incoming Connections Packet Errors RX Broadcasts RX Requests : 12 TX Exceptions TX40 User Guide...
Page 723 RX Responses RX Timeouts TX Broadcasts TX Requests > 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 724: System Time
If t least one upstream NTP server for synchronization. Additional Configuration Options Additional upstream NTP servers.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 725  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 726 See Configure the device as an NTP server for more information about NTP server configuration. 5. Save the configuration and apply the change (config)> save Configuration saved. > TX40 User Guide...
Page 727  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 728: Manually Set The System Date And Time
 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 729: Configure The Device As An Ntp Server
The time zone setting, if the default setting of UTCis not appropriate. To configure the TX40 device's NTP service:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 730 No limit to IPv6 addresses that can access the NTP service. d. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: a. Click Interfaces.
Page 731  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 732 6. Allow the device to use its on-board GNSS module as a time source: (config)> service ntp gnss true (config)> 7. (Optional) Configure the access control list to limit downstream access to the TX40 device's NTP service. To limit access to specified IPv4 addresses and networks: (config)>...
Page 733 By default, the access control list for the NTP service is empty, which means that all downstream hosts connected to the TX40 device can use the NTP service. 8. (Optional) Set the timezone for the location of your TX40 device. The default is UTC. (config)> system time timezone value (config)>...
Page 734: Show Status And Statistics Of The Ntp Server
Command line Show NTP information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 735: Configure A Multicast Route
To configure a multicast route:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 736  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 737: Ethernet Network Bonding
Create a new network interface for the bonded Ethernet devices, and disable the any interfaces associated with those Ethernet devices..  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 738 6. Click to expand Devices. 7. Add Ethernet devices: a. For Add device, click . b. For Device, select an Ethernet device to participate in the bond pool. c. Repeat for each appropriate Ethernet device. TX40 User Guide...
Page 739 In some cases, the device may be a part of a bridge, in which case you should remove the device from the bridge. i. Click to expand Network > Bridges. ii. Click to expand the appropriate bridge. iii. Click to expand Devices. TX40 User Guide...
Page 740  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 741 For example, if ETH1 and ETH2 were added to the Ethernet bond, and they are included with the WAN and LAN interfaces: a. Type ... to return to the root of the configuration: (config network interface eth_bonding_interface)> ... (config)> b. Disable the interfaces: TX40 User Guide...
Page 742: Enable Service Discovery (Mdns)
Multicast DNS mDNS is a protocol that resolves host names in small networks that do not have a DNS server. You can enable the TX40 device to use mDNS.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 743 No limit to IPv6 addresses that can access the mDNS service. d. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: a. Click Interfaces.
Page 744 Services Enable service discovery (mDNS) 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 745: Information Technology For Public Transport (Itxpt) Support
Information Technology for Public Transport (ITxPT) support ITxPT is an industry standard implementation of information technology for public transportation systems. Your TX40 router can function as a Vehicle Communications Gateway module, as well as a GNSS location server, time server, and MQTT broker.
Page 746: Configure The Itxpt Service
ITxPT multicast IP address, if different than the default. Configure the ITxPT service  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 747 No limit to IPv6 addresses that can access the mDNS service. iv. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: i. Click Interfaces.
Page 748 For Weight, type or select the relative weight for records with same priority. A higher number means that records from this service are more preferred. The default is 0. Network Time Protocol for more information about the NTP service. 11. Configure the MQTT broker for ITxPT: TX40 User Guide...
Page 749  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 750 No limit to IPv6 addresses that can access the mDNS service. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: (config)> add service mdns acl interface end value (config)>...
Page 751 The default is 0. e. Set the relative weight for records with same priority. A higher number means that records from this service are more preferred. (config)> service location itxpt weight int (config)> The default is 0. TX40 User Guide...
Page 752 Enable the device to include MQTT messages with ITxPT support: (config)> service mqtt itxpt enable true (config)> c. Set the priority for location information. A lower number represents higher priority. (config)> service mqtt itxpt priority int (config)> TX40 User Guide...
Page 753: Use The Mqtt Broker Service
Whether to allow clients that have no client ID to connect. Whether replace the client's ID with its username.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. TX40 User Guide...
Page 754 Use the MQTT broker service 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
Page 755 Services Use the MQTT broker service To limit access to hosts connected through a specified interface on the TX40 device: a. Click Interfaces. b. For Add Interface, click . c. For Interface, select the appropriate interface from the dropdown. d. Click  again to allow access through additional interfaces.
Page 756 ID or username. If a variable is used, it can be the only text for that level of the hierarchy.. d. For Access, select the level of access that the client will have: Read Write TX40 User Guide...
Page 757  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 758 Services Use the MQTT broker service Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: (config)> add service mqtt acl interface end value (config)> Where value is an interface defined on your device.
Page 759 The signal level wildcard, +. The multi-level wildcard, #. iii. Set the access type to apply to the topic: (config service mqtt client 0 topic_acl 0)> access value (config service mqtt client 0 topic_acl 0)> where value is one of: TX40 User Guide...
Page 760 Add a pre-shared key: (config)> add service mqtt encryption psk end (config service mqtt encryption psk 0)> ii. Set the identity sent to the client: (config service mqtt encryption psk 0)> indentity value (config service mqtt encryption psk 0)> TX40 User Guide...
Page 761 Set the access type to apply to the topic: (config service mqtt topic_acl anonymous 0)> access value (config service mqtt topic_acl anonymous 0)> where value is one of: deny read readwrite write The default is readwrite. TX40 User Guide...
Page 762 The default is readwrite. e. Add additional topics: (config service mqtt topic_acl pattern 0)> add ..pattern end (config service mqtt topic_acl pattern 1)> f. Repeat the above steps to set the topic and access type. TX40 User Guide...
Page 763: Show Mqtt Broker Information
Command line Show MQTT broker information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 764: Use The Iperf Service
Type quit to disconnect from the device. Use the iPerf service Your TX40 device includes an iPerf3 server that you can use to test the performance of your network. iPerf3 is a command-line tool that measures the maximum network throughput an interface can handle.
Page 765 To enable the iPerf3 server:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 766  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 767 No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: (config)> add service iperf acl interface end value (config)>...
Page 768: Example Performance Test Using Iperf3
Example performance test using iPerf3 On a remote host with iPerf3 installed, enter the following command: $ iperf3 -c device_ip where device_ip is the IP address of the TX40 device. For example: $ iperf3 -c 192.168.2.1 Connecting to host 192.168.2.1, port 5201 4] local 192.168.3.100 port 54934 connected to 192.168.1.1 port 5201...
Page 769: Configure The Ping Responder Service
IP address, interfaces, and/or zones. To enable the iPerf3 server:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 770  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 771 No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the TX40 device: (config)> add service iperf acl interface end value (config)>...
Page 772: Example Performance Test Using Iperf3
Example performance test using iPerf3 On a remote host with Iperf3 installed, enter the following command: $ iperf3 -c device_ip where device_ip is the IP address of the TX40 device. For example: $ iperf3 -c 192.168.2.1 Connecting to host 192.168.2.1, port 5201 4] local 192.168.3.100 port 54934 connected to 192.168.1.1 port 5201...
Page 773 Applications The TX40 supports Python 3.6 and provides you with the ability to run Python applications on the device interactively or from a file. You can also specify Python applications and other scripts to be run each time the device system restarts, at specific intervals, or at a specified time.
Page 774: Develop Python Applications
Note .Beginning with firmware release 21.11.x, python is no longer included as part of the base firmware for the TX40 device. If you require Python in your environment and your device is running firmware 21.11.x or newer, see Install Python for information about installing Python on your device.
Page 775: Install Python
Option 2: Install Python via the local device Option 1: Enable Python via Digi Remote Manager As part of creating or updating a configuration profile for TX40 devices, you can enable the Python add-on at the automation tab for the configuration: 1.
Page 776: Set Up The Tx40 For Python Development
Develop Python applications 3. Create a /opt/lib/live_images directory on the local device: a. Log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 777: Create And Test A Python Application
TX40. Develop an application in PyCharm The Digi IoT PyCharm Plugin allows you to write, build and run Python applications for Digi devices in a quick and easy way. See the Digi XBee PyCharm IDE Plugin User Guide for details.
Page 778 PyCharm FAQ: My TX40 is not listed in Digi Device Selector If an TX40 does not appear on the list of the Digi Device Selector: Ensure that your device has the mDNS service enabled and is on the same network as the computer.
Page 779 Create a custom firewall rule  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 780  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 781: Python Modules
Type quit to disconnect from the device. Python modules The TX40 supports Python 3.6 and provides you with the ability to run Python applications on the device interactively or from a file. It also offers extensions to manage your TX40: The digidevice module provides platform-specific extensions that allow you to interact with the device’s configuration and interfaces.
Page 782 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the TX40 local command line as a user with shell access.
Page 783 Get help executing a CLI command from Python by accessing help for cli.execute: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the TX40 local command line as a user with shell access.
Page 784 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the TX40 local command line as a user with shell access.
Page 785 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the TX40 local command line as a user with shell access.
Page 786 Read the device configuration 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the TX40 local command line as a user with shell access.
Page 787 Use the set() and commit() methods to modify the device configuration: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the TX40 local command line as a user with shell access.
Page 788 Get help for reading and modifying the device configuration by accessing help for digidevice.config: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the TX40 local command line as a user with shell access.
Page 789 Applications Develop Python applications Use Remote Manager's SCI interface to create SCI requests that are sent to your TX40 device, and use the device_request module to send responses to those requests to Remote Manager. See the Digi Remote Manager Programmers Guide for more information on SCI.
Page 790 Remote Manager. 1. Create a Python application, called showsystem.py, that uses the digidevice.cli module to create a response containing information about device and the device_request module to respond with this information to a request from Remote Manager: TX40 User Guide...
Page 791 This can be done from either the WebUI or the command line:  i. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. ii. Access the device configuration: Remote Manager: i.
Page 792 Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 793 Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the TX40 local command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu.
Page 794 <device_request target_name="showSystem"> 8. Click Send. You should receive a response similar to the following: <sci_reply version="1.0"> <data_service> <device id="00000000-00000000-0000FFFF-A83CF6A3"/> <requests> <device_request target_name="showSystem" status="0">Model : Digi TX40 Serial Number : TX40-000068 Hostname : TX40 : 00:40:D0:13:35:36 Hardware Version : 50001959-01 A Firmware Version : 23.9.74.0...
Page 795 Disk /tmp Usage : 0.004MB/40.96MB(0%) Disk /var Usage : 0.820MB/32.768MB(3%)</device_ request> </requests> </device> <device id="00000000-00000000-0000FFFF-485740BC"/> <requests> <device_request target_name="showSystem" status="0">Model : Digi TX40 Serial Number : TX40-000023 Hostname : TX40 : 00:40:D0:26:79:1C Hardware Version : 50001959-01 A Firmware Version : 23.9.74.0...
Page 796 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the TX40 local command line as a user with shell access.
Page 797 Use the keys() and get() methods to read the device configuration: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the TX40 local command line as a user with shell access.
Page 798 Use the set() method to modify the runtime database: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the TX40 local command line as a user with shell access.
Page 799 Use Python to upload the device name to Digi Remote Manager The name submodule can be used to upload a custom name for your device to Digi Remote Manager. When you use the name submodule to upload a custom device name to Remote Manager, the...
Page 800 Upload a custom name 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the TX40 local command line as a user with shell access.
Page 801 Determine if the device's location 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the TX40 local command line as a user with shell access.
Page 802 You can update this snapsot: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the TX40 local command line as a user with shell access.
Page 803 You can update this snapsot 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the TX40 local command line as a user with shell access.
Page 804 Get help for the digidevice location module: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the TX40 local command line as a user with shell access.
Page 805 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the TX40 local command line as a user with shell access.
Page 806 Get help for the digidevice maintenance module: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the TX40 local command line as a user with shell access.
Page 807 SMS scripting. Enable the ability to schedule SMS scripting  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 808  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 809 = cli.execute("reboot") print (response) send_sms(dest, 'Message received (' + sms + '). Performing as CLI command...') response = cli.execute(sms) if not response: response = 'OK' send_sms(dest, 'CLI results: ' + response) print (response) COND.acquire() COND.notify() COND.release() TX40 User Guide...
Page 810 Use Python to access serial ports You can use the Python serial module to access serial ports on your TX40 device that are configured to be in Application mode. For example, you can configure USB ports to function serial ports and interact programmatically with those ports.
Page 811 6. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Use the Paho MQTT python library Your TX40 device includes support for the Paho MQTT python library. MQTT is a lightweight messaging protocol used to communicate with various applications including cloud-based applications such as Amazon Web Services and Microsoft Azure.
Page 812 = cmd_path[len(PREFIX_CMD):] else: print("Invalid command path ({}), cannot send reply".format(cmd_path)) return reply = { "cmd": cmd, "status": status client.publish(PREFIX_RSP + path + "/" + cid, json.dumps(reply, separators= (',',':'))) TX40 User Guide...
Page 813 = [] try: with open('/etc/config/dhcp.leases', 'r') as f: for line in f: elems = line.split() if len(elems) != 5: continue leases.append({"mac": elems[1], "ip": elems[2], "host": elems [3]}) if leases: client.publish(PREFIX_EVENT + "/leases", json.dumps(leases, separators=(',',':'))) TX40 User Guide...
Page 814: Set Up The Tx40 To Automatically Run Your Applications
Applications Set up the TX40 to automatically run your applications except: print("Failed to open DHCP leases file") def publish_system(): avg1, avg5, avg15 = runt.get("system.load_avg").split(', ') ram_used = runt.get("system.ram.per") disk_opt = runt.get("system.disk./opt.per") disk_config = runt.get("system.disk./etc/config.per") msg = json.dumps({ "load_avg": { "1min": avg1, "5min": avg5,...
Page 815: Configure Scripts To Run Automatically
Whether the script should run one time only. Task one: Upload the application  Log into the TX40 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Administration, click File System. TX40 User Guide...
Page 816  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 817 This feature does not provide syntax or error checking. Certain commands can render the device inoperable. Use with care.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 818 Applications Set up the TX40 to automatically run your applications 5. (Optional) For Label, provide a label for the script. 6. For Run mode, select the mode that will be used to run the script. Available options are: On boot: The script will run once each time the device boots.
Page 819  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 820 Applications Set up the TX40 to automatically run your applications Set the interval: (config system schedule script 0)> on_interval value (config system schedule script 0)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}.
Page 821: Show Script Information
You can view status and statistics about location information from either the WebUI or the command line.  Log into the TX40 WebUI as a user with full Admin access rights. 1. At the Status page, click Scripts. The Scripts page displays:...
Page 822: Stop A Script That Is Currently Running
 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 823: Start An Interactive Python Session
 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 824: Run A Python Application At The Shell Prompt
1. Upload the Python application to the TX40 device:  Log into the TX40 WebUI as a user with full Admin access rights. a. On the menu, click System. Under Administration, click File System. The File System page appears.
Page 825 You can also create scripts by using the vi command when logged in with shell access. 2. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the TX40 local command line as a TX40 User Guide...
Page 826: Configure Scripts To Run Manually
Whether the script should run one time only. Task one: Upload the application  Log into the TX40 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Administration, click File System. The File System page appears.
Page 827  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 828: Task Two: Configure The Application To Run Automatically
This feature does not provide syntax or error checking. Certain commands can render the device inoperable. Use with care.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 829  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 830 8. Set the maximum amount of memory available to be used by the script and its subprocesses: (config system schedule script 0)> max_memory value (config system schedule script 0)> where value uses the syntax number{b|bytes|KB|k|MB|MB|M|GB|G|TB|T}. TX40 User Guide...
Page 831: Start A Manual Script
You can start a script that is enabled and configured to have a run mode of Manual.  Log into the TX40 WebUI as a user with full Admin access rights. 1. At the Status page, click Scripts. The Scripts page displays: 2.
Page 832 Applications Start a manual script 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 833: User Authentication
User authentication methods Authentication groups Local users Terminal Access Controller Access-Control System Plus (TACACS+) Remote Authentication Dial-In User Service (RADIUS) LDAP Configure serial authentication Disable shell access Set the idle timeout for TX40 users Example user configuration TX40 User Guide...
Page 834: Tx40 User Authentication
User authentication TX40 user authentication TX40 user authentication User authentication on the TX40 has the following features and default configuration: Default Feature Description configuration Idle timeout 10 minutes Determines how long a user session can be idle before the system automatically disconnects.
Page 835 TACACS+: Users authenticated by using a remote TACACS+ server for authentication. Terminal Access Controller Access-Control System Plus (TACACS+) for information about configuring TACACS+ authentication. LDAP: Users authenticated by using a remote LDAP server for authentication. LDAP for information about configuring LDAP authentication. TX40 User Guide...
Page 836: Add A New Authentication Method
The types of authentication method to be used: To add an authentication method:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 837 This procedure describes how to add methods to various places in the list. 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights.
Page 838: Delete An Authentication Method
Type quit to disconnect from the device. Delete an authentication method  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 839: Rearrange The Position Of Authentication Methods
 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 840 To reorder these so that RADIUS is first and Local users is second: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 841: Authentication Groups
User authentication Authentication groups 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 842 Differences between standard firmware operation and Primary Responder mode. Serial access: Users with Serial access have the ability to log into the TX40 device by using the serial console. Preconfigured authentication groups The TX40 device has two preconfigured authentication groups: The admin group is configured by default to have full Admin access.
Page 843: Change The Access Rights For A Predefined Group
By default, two authentication groups are predefined: admin and serial. To change the access rights of the predefined groups:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 844  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 845: Add An Authentication Group
Access rights to query the device for Nagios monitoring. To add an authentication group:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 846 Full access or Read-only access. where value is either: Full access full: provides users of this group with the ability to manage the TX40 device by using the WebUI or the Admin CLI. Read-only access read-only: provides users of this group with read-only access to the WebUI and Admin CLI.
Page 847  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 848 (config)> where value is either: full: provides users of this group with the ability to manage the TX40 device by using the WebUI or the Admin CLI. read-only: provides users of this group with read-only access to the WebUI and Admin CLI.
Page 849: Delete An Authentication Group
To delete an authentication group that you have created:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 850  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 851: Local Users
TACACS+ or RADIUS. Local user authentication is enabled by default, with one preconfiged default user. Default user At manufacturing time, each TX40 device comes with a default user configured as follows: Username: admin. Password: The default password is displayed on the label on the bottom of the device.
Page 852: Change A Local User's Password
Local users Change a local user's password To change a user's password:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 853  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 854: Configure A Local User
One-time use eight-digit emergency scratch codes. To configure a local user:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: TX40 User Guide...
Page 855 User authentication Local users Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
Page 856 Check Enable to enable two-factor authentication for this user. c. Select the Verification type: Time-based (TOTP): Time-based One-Time Password (TOTP) authentication uses the current time to generate a one-time password. Counter-based (HOTP): HMAC-based One-Time Password (HOTP) uses a counter to validate a one-time password. TX40 User Guide...
Page 857  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 858 For example, to set duration to ten minutes, enter either 10m or 600s: (config auth user new_user)> lockout duration 600s (config auth user new_user)> TX40 User Guide...
Page 859 Add the key by using the ssh_key command and pasting or typing a public encryption key that this user can use for passwordless SSH login: (config auth user new_user ssh_key)> ssh_key key (config auth user new_user ssh_key)> 9. (Optional) Configure two-factor authentication for SSH, telnet, and serial console login: TX40 User Guide...
Page 860 Configure the valid code window size. This represents the allowed number of concurrently valid codes. In cases where TOTP is being used, increasing the valid code window size may be necessary when the clocks used by the server and client are not synchronized. TX40 User Guide...
Page 861: Delete A Local User
11. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Delete a local user To delete a user from your TX40:  TX40 User Guide...
Page 862 User authentication Local users 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 863 User authentication Local users 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 864: Terminal Access Controller Access-Control System Plus (Tacacs+)
With TACACS+ support, the TX40 device acts as a TACACS+ client, which sends user credentials and connection parameters to a TACACS+ server over TCP. The TACACS+ server then authenticates the TACACS+ client requests and sends back a response message to the device.
Page 865: Tacacs+ User Configuration
The groupname attribute is optional. If used, the value must correspond to authentication groups configured on your TX40. Alternatively, if the user is also configured as a local user on the TX40 device and the LDAP server authenticates the user but does not return any groups, the local configuration determines the list of groups.
Page 866: Tacacs+ Server Failover And Fallback To Local Authentication
$ sudo /etc/init.d/tacacs_plus restart TACACS+ server failover and fallback to local authentication In addition to the primary TACACS+ server, you can also configure your TX40 device to use backup TACACS+ servers. Backup TACACS+ servers are used for authentication requests when the primary TACACS+ server is unavailable.
Page 867 The TACACS+ server port. It is configured to 49 by default. Add additional TACACS+ servers in case the first TACACS+ server is unavailable.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 868 TACACS+ login fails. 6. (Optional) For Group attribute, type the name of the attribute used in the TACACS+ server's configuration to identify the TX40 authentication group or groups that the user is a member of. For example, in TACACS+ user configuration, the group attribute in the sample tac_plus.conf...
Page 869  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 870 Note Beginning with firmware release 21.11.x, python is no longer included as part of the base firmware for the TX40 device. If you require Python in your environment and your device is running firmware 21.11.x or newer, see Install Python for information about installing Python on your device.
Page 871 User authentication Terminal Access Controller Access-Control System Plus (TACACS+) 11. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 872: Remote Authentication Dial-In User Service (Radius)
To use RADIUS authentication, you must set up a RADIUS server that is accessible by the TX40 device prior to configuration. The process of setting up a RADIUS server varies by the server environment. An example of a RADIUS server is FreeRADIUS.
Page 873: Radius User Configuration
TX40. Alternatively, if the user is also configured as a local user on the TX40 device and the RADIUS server authenticates the user but does not return any groups, the local configuration determines the list of groups. See Authentication groups more information about authentication groups.
Page 874: Configure Your Tx40 Device To Use A Radius Server
Add additional RADIUS servers in case the first RADIUS server is unavailable. The server NAS ID. If left blank, the default value is used: If you are access the TX40 device by using the WebUI, the default value is for NAS ID is httpd.
Page 875 NAS or any arbitrary string. If not set, the default value is used: If you are accessing the TX40 device by using the WebUI, the default value is for NAS ID is httpd.
Page 876  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 877: Ldap
Your TX40 device supports LDAP (Lightweight Directory Access Protocol), a protocol used for directory information services over an IP network. LDAP can be used with your TX40 device for centralized authentication and authorization management for users who connect to the device. With LDAP support, the TX40 device acts as an LDAP client, which sends user credentials and connection parameters to an LDAP server.
Page 878 When you are using LDAP authentication, you can have both local users and LDAP users able to log in to the device. To use LDAP authentication, you must set up a LDAP server that is accessible by the TX40 device prior to configuration. The process of setting up a LDAP server varies by the server environment.
Page 879: Ldap User Configuration
(password verification) and authorization (assigning the access level of the user). Additional LDAP servers can be configured as backup servers for user authentication. This section outlines how to configure a LDAP server to be used for user authentication on your TX40 device.
Page 880: Ldap Server Failover And Fallback To Local Configuration
LDAP server failover and fallback to local configuration In addition to the primary LDAP server, you can also configure your TX40 device to use backup LDAP servers. Backup LDAP servers are used for authentication requests when the primary LDAP server is unavailable.
Page 881 User authentication LDAP 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 882 If this attribute is not set, the user will be denied access. 12. (Optional) For Group attribute, type the name of the user attribute that contains the list of TX40 authentication groups that the authenticated user has access to. See LDAP user configuration for further information about the group attribute.
Page 883 User authentication LDAP 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 884 . If this attribute is not set, the user will be denied access. 10. (Optional) Set the name of the user attribute that contains the list of TX40 authentication groups that the authenticated user has access to. See...
Page 885: Configure Serial Authentication
Configure serial authentication This section describes how to configure authentication for serial access.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 886  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 887: Disable Shell Access
If shell access is disabled, re-enabling it will erase the device's configuration and perform a factory reset.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 888  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 889: Set The Idle Timeout For Tx40 Users
Idle timeout parameter. By default, the Idle timeout is set to 10 minutes.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 890 User authentication Set the idle timeout for TX40 users 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 891: Example User Configuration
Goal: To create a user with administrator rights who is authenticated locally on the device.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 892  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 893: Example 2: Radius, Tacacs+, And Local Authentication For One User
Goal: To create a user with administrator rights who is authenticated by using all three authentication methods. In this example, when the user attempts to log in to the TX40 device, user authentication will occur in the following order: TX40 User Guide...
Page 894 2. The user is authenticated by the TACACS+ server. If both the RADIUS and TACACS+ servers are unavailable, 3. The user is authenticated by the TX40 device using local authentication. This example uses a FreeRadius 3.0 server running on ubuntu, and a TACACS+ server running on ubuntu.
Page 895 The authentication group on the TX40 device, admin, is identified in the groupname parameter. c. Save and close the tac_plus.conf file. 3. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 4. Access the device configuration:...
Page 896 User authentication Example user configuration a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
Page 897 In this example: The user's username is admin1. The user's password is password1. The authentication group on the TX40 device, admin, is identified in the Unix-FTP- Group-Names parameter. c. Save and close the users file. 2. Configure a user on the TACACS+ server: a.
Page 898 Save and close the tac_plus.conf file. 3. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 899 (config auth user adminuser)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 900 Firewall This chapter contains the following topics: Firewall configuration Port forwarding rules Packet filtering Configure custom firewall rules Configure captive portals Configure Quality of Service options Web filtering TX40 User Guide...
Page 901: Firewall Configuration
To create a zone:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 902  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 903: Configure The Firewall Zone For A Network Interface
This example procedure uses an existing network interface named LAN and changes the firewall zone from the default zone, Internal, to External.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 904: Delete A Custom Firewall Zone
Delete a custom firewall zone You cannot delete preconfigured firewall zones. To delete a custom firewall zone:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
Page 905  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 906: Port Forwarding Rules
A white list of devices, based on either IP address or firewall zone, that are authorized to leverage this forwarding rule. To configure a port forwarding rule:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 907 IP address or firewall zone: To white list IP addresses: a. Click Addresses. b. For Add Address, enter an IP address and click . c. Repeat for each additional IP address that should be white listed. TX40 User Guide...
Page 908  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 909 (config firewall dnat 0 acl> add address6 end ip-address (config firewall dnat 0 acl)> Repeat for each appropriate IP address. To specify the firewall zone for white listing: (config firewall dnat 0 acl)> add zone end zone TX40 User Guide...
Page 910: Delete A Port Forwarding Rule
Delete a port forwarding rule To delete a port forwarding rule:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 911  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 912 5. Save the configuration and apply the change (config)> save Configuration saved. > 6. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 913: Packet Filtering
ICMP ICMP6 To configure a packet filtering rule:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 914 9. For Destination zone, select the firewall zone. Packets destined for network interfaces that are members of this zone will either be accepted, rejected or dropped by this rule. Firewall configuration for more information about firewall zones. 10. Click Apply to save the configuration and apply the change.  Command line TX40 User Guide...
Page 915 Firewall Packet filtering 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 916 (config firewall filter 1)> where value is one of: ipv4 ipv6 The default is any. 8. Set the protocol. (config firewall filter 1)> protocol value (config firewall filter 1)> where value is one of: icmp icmpv6 The default is any. TX40 User Guide...
Page 917: Enable Or Disable A Packet Filtering Rule
Enable or disable a packet filtering rule To enable or disable a packet filtering rule:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 918: Delete A Packet Filtering Rule
Firewall Packet filtering 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 919 Firewall Packet filtering  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 920: Configure Custom Firewall Rules
To configure custom firewall rules:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 921  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 922 6. Save the configuration and apply the change (config)> save Configuration saved. > 7. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 923: Configure Captive Portals
To configure captive portals:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 924  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 925 This setting does not affect access to HTTP port 80 after the client has been granted access to the portal. 7. Set the method that will be used to authorize the user: (config firewall portal portal1)> auth value (config firewall portal portal1)> where value is one of: TX40 User Guide...
Page 926: Delete Captive Portals
Type quit to disconnect from the device. Delete captive portals To delete captive portals:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager:...
Page 927: Configure Quality Of Service Options
 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 928 These example bindings are disabled by default. Enable the preconfigured bindings  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 929 Type quit to disconnect from the device. Create a new binding  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 930 9. Create a policy for the binding: At least one policy is required for each binding. Each policy can contain up to 30 rules. a. Click to expand Policy. b. For Add Policy, click . The QoS binding policy configuration window is displayed. TX40 User Guide...
Page 931 (Optional) Type a Label for the binding policy rule. iv. For Type Of Service, type the value of the Type of Service (ToS) packet header that defines packet priority. If unspecified, this field is ignored. https://www.tucny.com/Home/dscp-tos for a list of common TOS values. TX40 User Guide...
Page 932  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 933 The larger the weight, with respect to the other policy weights, the larger portion of the maximum bandwidth is available for this policy. For example, if a binding contains three policies, and each policy contains a weight of 10, each policy will be allocated one third of the total interface bandwidth. TX40 User Guide...
Page 934 (config firewall qos 2 policy 0 rule 0)> tos value (config firewall qos 2 policy 0 rule 0)> where value is a hexadecimal number. See https://www.tucny.com/Home/dscp-tos a list of common TOS values. TX40 User Guide...
Page 935 (config network qos 2 policy 0 rule 0)> where value uses the format IPv4_address[/netmask], or any to match any IPv4 address. address6: Only traffic from the IP address typed in IPv6 address will be matched. Set the address that will be matched: TX40 User Guide...
Page 936 IPv6_address[/prefix_length], or any to match any IPv6 address. Repeat to add a new rule. Up to 30 rules can be configured. 8. Save the configuration and apply the change (config)> save Configuration saved. > TX40 User Guide...
Page 937: Web Filtering
5. Click Create. 6. Copy the token. Task two: Configure web filtering  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager:...
Page 938  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 939: Configure Web Filtering With Manual Dns Servers
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Clear the Cisco Umbrella device ID If the Cisco Umbrella device ID being used by your TX40 is invalid, you can clear the device ID.  Command line 1.
Page 940 Firewall Web filtering To configure web filtering with manual DNS servers:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 941  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 942: Verify Your Web Filtering Configuration
DNS servers and uses the Cisco open DNS servers, you can verify the web filtering implementation by using the Cisco test site www.internetbadguys.com. To verify the implementation:  This procedure assumes you have already configured web filtering to use either Cisco Umbrella or the Cisco open DNS servers. TX40 User Guide...
Page 943 Configure web filtering with manual DNS servers for information about configuring web filtering to use Cisco open DNS servers. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 944 Cisco open DNS servers. 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights.
Page 945: Show Web Filter Service Information
 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 946 Containers The TX40 device includes support for LXCLinux containers. LXCcontainers are a lightweight, operating system level method of virtualization that allows you to run one or more isolated Linux instances on a the same host using the host's Linux kernal.
Page 947: Use Digi Remote Manager To Deploy And Run Containers
Use Digi Remote Manager to deploy and run containers Use Digi Remote Manager to deploy and run containers Note Container support must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. 1. In Remote Manager, create a Configuration template. See the Remote Manager User Guide instructions.
Page 948 Containers Use Digi Remote Manager to deploy and run containers i. Click Browse and select the container file. ii. Type the Name of the container. The Name entered here must be the same name as the container .tgz file. This is absolutely necessary, otherwise the container file will not be properly configured on the local devices.
Page 949 Containers Use Digi Remote Manager to deploy and run containers c. For the Automation step: i. Click to toggle on Enable Scanning. ii. Click to toggle on Remediate. Run a manual configuration scan to apply the container and configuration settings to all applicable devices.
Page 950: Use An Automation To Start The Container
Containers Use Digi Remote Manager to deploy and run containers vi. Click the Stream ID to view container status. To verify by using the show containers command on the local device: a. From the Remote Manager main menu, click  Management >  Devices.
Page 951: Upload A New Lxccontainer
Is one of the devices included on the Target page. Upload a new LXC container  Log into the TX40 WebUI as a user with full Admin access rights. 1. From the main menu, click Status. Under Services, click Containers. 2. Click Upload New Container.
Page 952: Configure A Container
The network gateway. Serial ports on the device that the container will have access to.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 953 Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Restart timeout to ten minutes, enter 10m or 600s. 8. (Optional) Type any Optional parameters for the container. Parameters are in the format accepted by the lxc utility. TX40 User Guide...
Page 954  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 955 The default timeout of 0s means that if the container stops, it will not be restarted. 8. Type any optional parameters for the container: (config system container name)> args parameters (config system container name)> Parameters are in the format accepted by the lxc utility. TX40 User Guide...
Page 956 (config network wireless client new_client)> save Configuration saved. > 14. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. TX40 User Guide...
Page 957: Starting And Stopping The Container
To start the container in non-persistent mode: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the TX40 local command line as a user with shell access.
Page 958: Stopping The Container
Stopping the container 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the TX40 local command line as a user with shell access.
Page 959: Show Status Of All Containers
1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights.
Page 960: Schedule A Script To Run In The Container
1. Start the container in non-persistent mode. 2. Execute a ping command every ten seconds from inside the container.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 961  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 962: Create A Custom Container
In this example, we will use a simple container file named test_lxc.tgz. You can download test_lxc.tgz from the Digi website. At the command line of a Linux host, we will unpack the file, add a simple python script, and create a new container file that includes the python script.
Page 963: Test The Custom Container File
Click Apply. 2. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the TX40 local command line as a user with shell access.
Page 964 Containers Create a custom container 3. At the shell prompt, type: # lxc python_lxc lxc # 4. Execute the python command: lxc # python /etc/test.py Hello world. lxc # TX40 User Guide...
Page 965 Review device status Configure system information Update system firmware Update cellular module firmware Reboot your TX40 device Erase device configuration and reset to factory defaults Locate the device by using the Find Me feature Power ignition sensor Enable FIPS mode...
Page 966: System Administration
 To display system information: Log into the TX40 WebUI as a user with full Admin access rights. 1. On the main menu, click Status. A secondary menu appears, along with a status panel. 2. On the secondary menu, click to display the details panel for the status you want to view.
Page 967 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 968: Configure System Information
A banner that will be displayed when users access terminal services on the device. To enter system information:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 969: Update System Firmware
For example, TX40-23.9.74.0.bin. Upgrading from releases prior to release If you are upgrading your TX40 device by using the local Web UI, you must first upgrade to release 22.2 prior to upgrading to the current release. TX40 User Guide...
Page 970: Manage Firmware Updates Using Digi Remote Manager
3. For Version:, select the appropriate version of the device firmware. 4. Click Update Firmware.  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. TX40 User Guide...
Page 971 Newest firmware version available to download is '23.9.74.0' Device firmware update from '23.6.1.105' to '23.9.74.0' is needed > 3. Use the modem firmware ota list command to list available firmware on the Digi firmware repository. > system firmware ota list 23.6.1.105...
Page 972 1. Download the TX40 operating system firmware from the Digi Support FTP site to your local machine. 2. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights.
Page 973 > reboot Rebooting system > 7. Once the device has rebooted, log into the TX40's command line as a user with Admin access and verify the running firmware version by entering the show system command. > show system...
Page 974: Dual Boot Behavior
> Dual boot behavior By default, the TX40 device stores two copies of firmware in two flash memory banks: The current firmware version that is used to boot the device. A copy of the firmware that was in use prior to your most recent firmware update.
Page 975: Update Cellular Module Firmware
System administration Update cellular module firmware 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 976: Update Modem Firmware Over The Air (Ota)
OTA modem firmware update: 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights.
Page 977: Update Modem Firmware By Using A Local Firmware File
TX40 device. 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. TX40 User Guide...
Page 978: Reboot Your Tx40 Device
Type quit to disconnect from the device. Reboot your TX40 device You can reboot the TX40 device immediately or schedule a reboot for a specific time every day. Note You may want to save your configuration settings to a file before rebooting. See...
Page 979: Reboot Your Device Immediately
2. At the prompt, type: > reboot Schedule reboots of your device  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 980  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 981: Erase Device Configuration And Reset To Factory Defaults
With firmware release 22.2.9.x and newer, erases the client-side certificate used for communication with Digi Remote Manager. If you are using Digi Remote Manager with firmware release 22.2.9.x and newer, by default the device uses a client-side certificate for communication with Remote Manager. If the client-side certificate is erased, you must use the Remote Manager interface to reset the certificate.
Page 982 2. In the Erase configuration section, click ERASE. 3. Click CONFIRM. 4. After resetting the device: a. Connect to the TX40 by using the serial port or by using an Ethernet cable to connect the TX40 LAN port to your PC. b. Log into the TX40: User name: Use the default user name: admin.
Page 983 Erase device configuration and reset to factory defaults 3. After resetting the device: a. Connect to the TX40 by using the serial port or by using an Ethernet cable to connect the TX40 LAN port to your PC. b. Log into the TX40: User name: Use the default user name: admin.
Page 984: Custom Factory Default Settings
Type quit to disconnect from the device. Custom factory default settings You can configure your TX40 device to use custom factory default settings. This way, when you erase the device's configuration, the device will reset to your custom configuration rather than to the original factory defaults.
Page 985 4. After the configuration backup file has been downloaded, rename the file to: custom-default-config.bin 5. Upload the file to the device: a. From the main menu, select System > Filesystem. b. Under Default device configuration, click . c. Select the file from your local file system. Reboot the device. TX40 User Guide...
Page 986  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 987: Locate The Device By Using The Find Me Feature
 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 988: Power Ignition Sensor
Power ignition sensor Power ignition sensor When the TX40 device is used in a vehicle, Digi recommends that you use the ignition sense line. This allows the device to properly shutdown when the vehicle is turned off. This section contains the following topics:...
Page 989: Configure Power Delays For Power Ignition Sensor
Temporarily set the ignition power delay for more information.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 990: Temporarily Set The Ignition Power Delay
 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 991: Configure Automatic Reboot Behavior For Temporary Power Drop
To disable the automatic reboot behavior:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 992: Enable Fips Mode
When the FIPS setting is changed, the device will reboot automatically. Disabling FIPS after it has been enabled will cause the current configuration to be erased.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. TX40 User Guide...
Page 993 System administration Enable FIPSmode 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
Page 994 System administration Enable FIPSmode 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 995: Configuration Files
If you do not save configuration changes, the system discards the changes.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 996: Save Configuration To A File
Type quit to disconnect from the device. Save configuration to a file You can save your TX40 device's configuration to a file and use this file to restore the configuration, either to the same device or to similar devices.
Page 997: Restore The Device Configuration
> scp host 192.168.4.1 user admin remote /home/admin/bin/ local /etc/config/backup-archive-0040FF800120-19.05.17-19.01.17.bin to remote Restore the device configuration You can restore a configuration file to your TX40 device by using a backup from the device, or a backup from a similar device. ...
Page 998  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the TX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 999 System administration Configuration files to the TX40 device. local-path is the location on the TX40 device where the copied file will be placed. For example: > scp host 192.168.4.1 user admin remote /home/admin/bin/backup-archive- 0040FF800120-23.9.74.0-19.23.42.bin local /opt to local 3. Enter the following: >...
Page 1000: Schedule System Maintenance Tasks
The frequency (daily, weekly, or monthly) that checks for firmware updates will run.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.

Digi TX40 User Manual

Quick Links

Need help?

Questions and answers

Related Manuals for Digi TX40

Summary of Contents for Digi TX40