Digi Remote Manager. Added the ability to select Digi aView as the cloud service. Added the ability to duplicate firmware to copy the active firmware to the secondary firmware partition.
Revision Date Description: TCP/Telnet/SSH connections to enable/disable TCP keep-alive messages and nodelay. Enhanced SMS support: Added the System > Scheduled tasks > Allow scheduled scripts parameter to allow custom Python scripts to handle sending/receiving SMS messages. Added the digidevice.sms Python module for sending/receiving SMS messages in a custom Python script.
Release of Digi IX20 firmware version 20.11 (December 2020): Modem firmware update commands added to the Admin CLI. Network bridging enhanced to use the MAC address of the first active device listed in Network > Bridges >...
Services > Ping responder allows you to control the interfaces and firewall zones on which the DAL device will respond to ICMP requests. Enhanced policy-based routing: Added a DSCP option to match the routing rule by the type of DSCP field in the packet. Added a Defaultroute option for matching policy-based routes to the device's active default route.
Added 5GHz frequencies to the list of channels that can be scanned for client-mode Wi-Fi background scanning. Local REST API for automated configuration of the device. Support for remote CLI commands through Digi Remote Manager. Support for automatically checking for device and modem firmware updates. IX20 User Guide...
Release of Digi IX20 firmware version 21.5 (June 2021): Wi-Fi enhancements: Added support for WPA3 Wi-Fi encryption: WPA2/WPA3 Personal, WPA3 Enhanced Open, WPA3 Personal. Added support for WPA and WPA/WPA2 mixed mode with TKIP. Cellular enhancements: Added support for modem firmware update to the Admin CLI.
SureLink test must pass before an interface is considered to be working. Added the ability to test another interface's status. SNMPv2 support added. Simple Certificate Enrollment Protocol (SCEP) support added. Updated Python to version 3.6.13. Added the default digi.device local domain.
Added LXC container support for running localized containers on the device. Added support for maintenance window triggers to control when a device is available for Digi Remote Manager maintenance activity. Wi-Fi enhancements: Removed the requirement to set a Wi-Fi SSID and passphrase to initially configure the device.
Trademarks and copyright Digi, Digi International, and the Digi logo are trademarks or registered trademarks in the United States and other countries worldwide. All other trademarks mentioned in this document are the property of their respective owners.
Customer support. Gather support information: Before contacting Digi technical support for help, gather the following information: Product name and model; Product serial number(s); Firmware version; Operating system/browser (if applicable); Logs (from time of reported issue); Trace (if possible); Description of issue; Steps to reproduce...
What's new in Digi IX20 version 21.8 Digi IX20 Quick Start Step 1: Connect your device Step 2: Connect DC power Step 3: Set up access to Digi Remote Manager Step 4: Register your device Step 5: Complete setup Step 6: Configure cellular APN...
Change the default password for the admin user Reset default SSID and pre-shared key for the preconfigured Wi-Fi access point Configuration methods Using Digi Remote Manager Access Digi Remote Manager Using the web interface Log out of the web interface...
Configure UDP serial mode Show serial status and statistics Log serial port messages Wi-Fi Wi-Fi configuration Default access point SSID and password Default Wi-Fi configuration Configure the Wi-Fi radio's channel Configure the Wi-Fi radio to support DFS channels in client mode Required configuration items Configure the Wi-Fi radio's band and protocol Configure the Wi-Fi radio's transmit power...
Authentication Configure an IPsec tunnel Configure IPsec failover Configure SureLink active recovery for IPsec Show IPsec status and statistics Debug an IPsec configuration Configure a Simple Certificate Enrollment Protocol client Example: SCEP client configuration with Fortinet SCEP server OpenVPN Configure an OpenVPN server Configure an OpenVPN Authentication Group and User Configure an OpenVPN client by using an .ovpn file Configure an OpenVPN client without using an .ovpn file...
Use Python to respond to Digi Remote Manager SCI requests Use digidevice runtime to access the runtime database Use Python to upload the device name to Digi Remote Manager Use Python to access the device location data Use Python to set the maintenance window...
Configure a local user Delete a local user Terminal Access Controller Access-Control System Plus (TACACS+) TACACS+ user configuration TACACS+ server failover and fallback to local authentication Configure your IX20 device to use a TACACS+ server Remote Authentication Dial-In User Service (RADIUS) RADIUS user configuration RADIUS server failover and fallback to local configuration Configure your IX20 device to use a RADIUS server...
Collect device health data and set the sample interval Enable event log upload to Digi Remote Manager Log into Digi Remote Manager Use Digi Remote Manager to view and manage your device Add a device to Digi Remote Manager View Digi Remote Manager connection status...
Use the ping command to troubleshoot network connections Ping to check internet connection Stop ping commands Use the traceroute command to diagnose IP routing problems Digi IX20 regulatory and safety statements RF exposure statement Federal Communication (FCC) Part 15 Class B Radio Frequency Interference (RFI) (FCC 15.105)
Polish--Polskie Portuguese--Português Slovak--Slovák Slovenian--Esloveno Spanish--Español DigiIX20 Certifications International EMC (Electromagnetic Compatibility) and safety standards Command line interface Access the command line interface Log in to the command line interface Exit the command line interface Execute a command from the web interface Display help for commands and parameters The help command The question mark (?) command...
ping reboot show speedtest system traceroute
What's new in Digi IX20 version 21.8 Release of Digi IX20 firmware version 21.8: Added LXC container support for running localized containers on the device. Added support for maintenance windows triggers to control when a device is available for Digi Remote Manager maintenance activity. Wi-Fi enhancements: Removed requirement to set a Wi-Fi SSID and passphrase to initially configure the device.
Added the datapoint.upload_multiple function to the digidevice Python module for uploading multiple datapoints to DigiRM at once. Added the clear dhcp-lease command to remove all dynamic DHCP leases or certain DHCP leases based on MAC address or IP address.
If the IX20 device is used in an environment with high vibration levels, SIM card contact fretting may cause unexpected SIM card failures. To protect the SIM cards, Digi strongly recommends that you apply a thin layer of dielectric grease to the SIM contacts prior to installing the SIM cards.
Digi IX20 Quick Start. Step 1: Connect your device. e. Secure the CORE modem with an anchor screw. f. Cover the installed Digi 1002-CM unit with the CORE modem cover and secure the coverplate by tightening the thumb screw. 2. Attach cellular antennas.
LAN Ethernet port in an office environment. Step 2: Connect DC power Step 3: Set up access to Digi Remote Manager If you already have a Digi Remote Manager account, skip to Register your device. If you prefer to configure the device locally rather than using Remote Manager, see Configuration and management in the IX20 User Guide.
Step 4: Register your device. 1. Go to shop.digi.com to create a new Remote Manager account. You will receive an email from Remote Manager after your registration is complete. 2. Click the link in the email to go to Remote Manager and click Forgot Password to set up your login and password.
Ethernet port, WAN-enabled by default. ETH2: Ethernet port, LAN-enabled by default. Serial port: See Digi IX20 serial connector pinout for information about the serial port pin-out. SIM button: The SIM button is used to manually toggle between the two SIM slots included in the CM module.
Digi IX20 hardware reference: IX20 LEDs. Power: No power; Solid green: Device has power. WAN/ETH1: The WAN/ETH1 Ethernet port is not connected; Flashing green: The WAN/ETH1 Ethernet port is connecting; Solid green: The WAN/ETH1 Ethernet port is connected and has activity. Wi-Fi Service (IX20W model only): No Wi-Fi access points or Wi-Fi clients are enabled.
SIM2: SIM2 not in use; Solid green: SIM2 is in use. Indicates the status of the cellular module and the ETH2 Ethernet port connection: Solid yellow (or orange): Initializing or starting up. Flashing yellow (or orange):
Solid amber: 1000 Mbps link detected. Signal quality bars explained: The signal status bars for the Digi IX20 measure more than simply signal strength. The value reported by the signal bars is calculated using an algorithm that takes into consideration the Reference Signal Received Power (RSRP), the Signal-to-Noise Ratio (SNR), and the Received Signal Strength Indication (RSSI) to provide an accurate indicator of the quality of the signal that the device is receiving.
Use the included power supply (part number 24000154). If you are providing the DC power source with a non-Digi power supply, you must use a certified LPS power supply rated at either 12 VDC/0.75 A or 24 VDC/0.375 A minimum. The voltage tolerance supports +/- 10% (9 VDC to 30 VDC) at 9 Watts minimum.
Serial connector (RS232 signal name, direction, DB9 pin number): Receive Data, Ready To Send, Clear to Send, Data Set Ready, Ground, Data Carrier Detect, Data Terminal Ready, Ring Indicate. Configuration for extreme thermal conditions: The IX20 has been verified to operate in the following temperature ranges: IX20W (Wi-Fi enabled version): -20C to +70C/-40F to +158F.
5. For Interface, select Modem. 6. For Interface bandwidth (Mbit), type 1. 7. Click to expand Policy. 8. For Add Policy, click . 9. Click to expand Rule. 10. For Add Rule, click .
6. Create a policy: (config firewall qos 2)> add policy end (config firewall qos 2 policy 0)> 7. Add a rule to the policy: (config firewall qos 2 policy 0)> add rule end (config firewall qos 2 policy 0 rule 0)>...
Hardware setup. This chapter contains the following topics: Install SIM cards in the Plug-in LTE modem; Connect data cables; Mount the IX20 device.
If the IX20 device is used in an environment with high vibration levels, SIM card contact fretting may cause unexpected SIM card failures. To protect the SIM cards, Digi strongly recommends that you apply a thin layer of dielectric grease to the SIM contacts prior to installing the SIM cards.
Move the device to another location. Try connecting a different set of antennas, if available. Purchase a Digi Antenna Extender Kit: Antenna Extender Kit, Connect data cables The IX20 provides two types of data ports: Ethernet (RJ-45): Use a Cat 5e or Cat 6 Ethernet cable.
Mount the IX20 device: Attach to a mounting surface by using the mounting tabs, or attach to a DIN rail with the clip. The DIN rail clip is an optional accessory included when the IX20 is purchased with accessories. 1. Attach the DIN rail clip to the bottom of the device with the screws provided. 2.
3. Set the bracket with the clip onto a DIN rail and gently press until the clip snaps into the rail. WARNING! If being installed above head height on a wall or ceiling, ensure the device is fitted securely to avoid the risk of personal injury. Digi recommends that this device be installed by an accredited contractor.
Review IX20 default settings Change the default password for the admin user Reset default SSID and pre-shared key for the preconfigured Wi-Fi access point Configuration methods Using Digi Remote Manager Access Digi Remote Manager Using the web interface Using the command line...
Configuration and management: Review IX20 default settings. You can review the default settings for your IX20 device by using the local WebUI or Digi Remote Manager: Local WebUI 1. Log into the IX20 WebUI as a user with Admin access. See Using the web interface for details.
Bridges: Bridge LAN: Enabled; used by the Ethernet interface ETH1/ETH2 and (Wi-Fi model only) the Wi-Fi access point Digi. Other default configuration settings (Feature: Configuration): Central management: Digi Remote Manager enabled as the central management service.
Security policies: Packet filtering allows all outbound traffic. SSH and web administration: Enabled for local administration. Firewall zone: Internal. Monitoring: Device health metrics uploaded to Digi Remote Manager at a 60-minute interval. SNMP: Disabled. Serial port: Enabled; Serial mode: Remote...
Reset default SSID and pre-shared key for the preconfigured Wi-Fi access point. ... special character. 5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Wi-Fi > Digi AP. 4. Enter a new SSID and Pre-shared key. 5. Click Apply to save the configuration and apply the change.
IX20 device. Note: Changes made to the device's configuration by using the local web interface will not be automatically reflected in Digi Remote Manager. You must manually refresh Remote Manager for the changes to be displayed.
Shows how to perform a task by using the command line interface. Using Digi Remote Manager By default, your IX20 device is configured to use Digi Remote Manager as its central management server. No configuration changes are required to begin using the Remote Manager.
Network activity: Summarizes network statistics: the total number of bytes sent and received over all configured bridges and Ethernet devices. Digi Remote Manager: Displays the device connection status for Digi Remote Manager, the amount of time the connection has been up, and the Digi Remote Manager device ID. See Using Digi Remote Manager.
You can use open-source terminal software, such as PuTTY or TeraTerm, to access the device through one of these mechanisms. You can also access the command line interface in the WebUI by using the Terminal, or in Digi Remote Manager by using the Console.
Exit the command line interface. 3. Depending on the device configuration, you may be presented with another menu, for example: Access selection menu: a: Admin CLI s: Shell q: Quit Select access or quit [admin] : Type a or admin to access the IX20 command line. You will now be connected to the Admin CLI: Connecting now...
Interfaces. IX20 devices have several physical communications interfaces. These interfaces can be bridged in a Local Area Network (LAN) or assigned to a Wide Area Network (WAN). This chapter contains the following topics: Wide Area Networks (WANs); Local Area Networks (LANs); Bridging.
Interfaces Wide Area Networks (WANs) Wide Area Networks (WANs) and Wireless Wide Area Networks (WWANs) A Wide Area Network (WAN) provides connectivity to the internet or a remote network. A WAN configuration consists of the following: A physical device, such as an Ethernet device or a cellular modem. Several networking parameters for the WAN, such as firewall configuration and IPv4 and IPv6 support.
3. Set the metrics for Modem: a. Click Network > Interfaces > Modem > IPv4. b. For Metric, type 1. c. Click IPv6. d. For Metric, type 1. 4. Set the metrics for ETH1: a. Click Network > Interfaces > ETH1 > IPv4. b.
5. Click Apply to save the configuration and apply the change. The IX20 device is now configured to use the cellular modem WWAN, Modem, as its highest priority WAN, and its Ethernet WAN, ETH1, as its secondary WAN. ...
Active vs. passive failure detection There are two ways to detect WAN or WWAN failure: active detection and passive detection. Active detection uses Digi SureLink technology to send probe tests to a target host or to test the status of the interface. The WAN/WWAN is considered to be down if there are no responses for a configured amount of time.
WAN has failed, because the connection continues to work while the core problem exists somewhere else in the network. Using Digi SureLink, you can configure the IX20 device to regularly probe connections through the WAN to determine if the WAN has failed.
If the type of probe test is: Ping: Configure the number of bytes in the ping packet. Interface status: Configure the amount of time that the interface is down before it is considered to have failed, and the amount of time it takes to make an initial connection before it is considered down.
5. After creating or selecting the WAN or WWAN, click IPv4 (or IPv6) > SureLink. 6. Enable SureLink. SureLink can be enabled for both IPv4 and IPv6 configurations. By default, SureLink is enabled for IPv4 for the preconfigured WAN (ETH1) and WWAN (Modem). It is disabled for IPv6. When SureLink is configured for Wireless WANs, SureLink tests are only run if the cellular modem is connected and has an IP address.
Test the interface status: The interface is considered to be down based on: Down time: The amount of time that the interface can be down before this test is considered to have failed. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}.
The default is 15 seconds. 11. (Optional) Repeat this procedure for IPv6. 12. Click Apply to save the configuration and apply the change. Command line: Active recovery can be configured for both IPv4 and IPv6. These instructions are for IPv4; to configure IPv6 active recovery, replace ipv4 in the command line with ipv6.
6. Set the test type: (config network interface my_wan ipv4 surelink target 0)> test value (config network interface my_wan ipv4 surelink target 0)> where value is one of: ping: Tests connectivity by sending an ICMP echo request to a specified hostname or IP address.
(config network interface my_wan ipv4 surelink target 0)> interface_down_time 600s (config network interface my_wan ipv4 surelink target 0)> The default is 60 seconds. (Optional) Set the amount of time to wait for an initial connection to the interface before this test is considered to have failed: (config network interface my_wan ipv4 surelink target 0)>...
ii. Set the interface. For example: (config network interface my_wan ipv4 surelink target 0)> other_interface /network/interface/eth1 (config network interface my_wan ipv4 surelink target 0)> Set the alternate interface's IP version. This allows you to determine the alternate interface's status for a particular IP version.
where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set interval to ten minutes, enter either 10m or 600s: (config network interface my_wan ipv4 surelink)> interval 600s (config network interface my_wan ipv4 surelink)>...
Required configuration items: Enable SureLink. SureLink can be enabled for both IPv4 and IPv6 configurations. By default, SureLink is enabled for IPv4 for the preconfigured WAN (ETH1) and WWAN (Modem). It is disabled for IPv6. When SureLink is configured for Wireless WANs, SureLink tests are only run if the cellular modem is connected and has an IP address.
4. Create a new interface or select an existing one: To create a new interface, see Configure a LAN, Configure a Wide Area Network (WAN), or Configure a Wireless Wide Area Network (WWAN). To edit an existing interface, click to expand the appropriate interface. 5.
Ping test: Tests connectivity by sending an ICMP echo request to the hostname or IP address specified in Ping host. You can also optionally change the number of bytes in the Ping payload size. DNS test: Tests connectivity by sending a DNS query to the specified DNS server. HTTP test: Tests connectivity by sending an HTTP or HTTPS GET request to the URL specified in Web servers.
13. (Optional) Repeat this procedure for IPv6. 14. Click Apply to save the configuration and apply the change. Command line: Active recovery can be configured for both IPv4 and IPv6. These instructions are for IPv4; to configure IPv6 active recovery, replace ipv4 in the command line with ipv6.
6. (Optional) Set the number of times that the SureLink test must fail before the device is rebooted: (config network interface my_wan ipv4 surelink)> reboot_attempts int (config network interface my_wan ipv4 surelink)> where int is any number greater than 0. The default is 1. 7.
is considered to have failed. (Optional) Set the amount of time that the interface can be down before this test is considered to have failed: (config network interface my_wan ipv4 surelink target 0)> interface_down_time value (config network interface my_wan ipv4 surelink target 0)>...
Format: /network/interface/defaultip /network/interface/defaultlinklocal /network/interface/eth1 /network/interface/eth2 /network/interface/loopback Current value: (config network interface my_wan ipv4 surelink target 0)> other_interface ii. Set the interface. For example: (config network interface my_wan ipv4 surelink target 0)> other_interface /network/interface/eth1 (config network interface my_wan ipv4 surelink target 0)>...
(config network interface my_wan ipv4 surelink)> interval 600s (config network interface my_wan ipv4 surelink)> The default is 15 minutes. c. If more than one test target is configured, determine whether the interface should fail over based on the failure of one of the test targets, or all of the test targets: (config network interface my_wan ipv4 surelink)>...
1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces. 4.
2. At the command line, type config to enter configuration mode: > config (config)> 3. Change to the WAN or WWAN's node in the configuration schema. For example, to disable SureLink for the Modem interface: (config)>...
3. Click Network > Interfaces. 4. Select the appropriate WAN or WWAN on which SureLink should be disabled. 5. After selecting the WAN or WWAN, click IPv4 > SureLink. 6. Click to expand Test targets. 7.
1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2.
In this example configuration, SureLink is used on the ETH1 interface to send a probe packet of size 256 bytes to the IP host 43.66.93.111 every 10 seconds. If there are three consecutive failed responses, the IX20 device brings the ETH1 interface down and starts using the Modem interface.
e. For Add Test Target, click . f. For Test type, select Ping test. g. For Ping host, type 43.66.93.111. h. For Ping payload size, type 256. 4. Repeat the above step for Modem to enable SureLink on that interface. 5.
(config network interface eth1 ipv4 surelink target 0)> test ping (config network interface eth1 ipv4 surelink target 0)> e. Set the packet size to 256 bytes: (config network interface eth1 ipv4 surelink target 0)> ping_size 256 (config network interface eth1 ipv4 surelink target 0)>...
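The SureLink behaviour described above (a probe every interval, failover after a run of consecutive failed rounds, fail-over on any or all test targets, and the number{w|d|h|m|s} duration format used for interval and down time) is modelled in this added Python example; it is not code from the guide or from Digi's firmware. SureLinkMonitor, its attempts and fail_on_all_targets fields, the recovery-on-success rule and the probe history are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Duration values in the guide take the form number{w|d|h|m|s}, e.g. "10m" or "600s".
_UNIT_SECONDS = {"w": 7 * 24 * 3600, "d": 24 * 3600, "h": 3600, "m": 60, "s": 1}
_DURATION_RE = re.compile(r"^\s*(\d+)\s*([wdhms])\s*$")


def parse_duration(value: str) -> int:
    """Convert a SureLink-style duration string to seconds, rejecting malformed input."""
    match = _DURATION_RE.match(value)
    if not match:
        raise ValueError(f"invalid duration {value!r}: expected number{{w|d|h|m|s}}")
    return int(match.group(1)) * _UNIT_SECONDS[match.group(2)]


@dataclass
class SureLinkMonitor:
    """Hypothetical model of one interface's SureLink state (not Digi's implementation)."""
    interval: str = "10s"              # how often the test targets are probed
    attempts: int = 3                  # consecutive failed rounds before the interface is marked down
    fail_on_all_targets: bool = False  # False: any failed target fails the round; True: all must fail
    consecutive_failures: int = field(default=0, init=False)
    interface_up: bool = field(default=True, init=False)

    def seconds_to_failover(self) -> int:
        """Worst-case time from the first failed probe until the interface is brought down."""
        return parse_duration(self.interval) * self.attempts

    def round_failed(self, results: Dict[str, bool]) -> bool:
        """Decide whether one probe round (target name -> passed) counts as a failure."""
        if not results:
            raise ValueError("at least one test target must be configured")
        failed = [name for name, passed in results.items() if not passed]
        return len(failed) == len(results) if self.fail_on_all_targets else bool(failed)

    def evaluate_round(self, results: Dict[str, bool]) -> bool:
        """Feed one round of results and return True if the interface is still considered up."""
        if self.round_failed(results):
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.attempts:
                self.interface_up = False  # failover: the next-priority WAN takes over
        else:
            self.consecutive_failures = 0  # a passing round clears the failure streak
            self.interface_up = True       # assumed: interface recovers once probes pass again
        return self.interface_up


def replay(monitor: SureLinkMonitor, rounds: List[Dict[str, bool]]) -> List[bool]:
    """Replay constructed probe rounds and return the interface state after each one."""
    return [monitor.evaluate_round(r) for r in rounds]


if __name__ == "__main__":
    # Constructed probe history mirroring the guide's example: one ping target on ETH1,
    # probed every 10 seconds, failover after three consecutive failures.
    eth1 = SureLinkMonitor(interval="10s", attempts=3)
    history = [{"43.66.93.111": ok} for ok in (True, True, False, False, False, True)]
    print(replay(eth1, history))       # [True, True, True, True, False, True]
    print(eth1.seconds_to_failover())  # 30
```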
Configure cellular modem. Configuring the IX20's cellular modem involves configuring the following items: Required configuration items: Enable the cellular modem. The cellular modem is enabled by default. Configure the criteria used to determine which modem this modem configuration applies to. Determine the SIM slot that will be used when connecting to the cellular network.
3. Click Network > Modems > Modem. 4. Modems are enabled by default. Click to toggle Enable to off to disable. 5. For Match modem by, select the matching criteria used to determine if this modem configuration applies to the currently attached modem: Any modem: Applies this configuration to any modem that is attached.
Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2.
(config)> network modem modem port b. Set the port: (config)> network modem modem port /device/usb/modem/module (config)> The default is any. 5. Set the SIM slot that should be used by the modem: (config)> network modem modem sim_slot value (config)>...
Available options for value vary depending on the modem type. To determine available options: (config)> network modem modem access_tech ? Access technology: The cellular network technology that the modem may use. Format: Default value: all Current value: all (config)>...
1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces > Modem > APN list > APN. 4.
7. To add additional APNs, for Add APN, click and repeat the preceding instructions. 8. (Optional) To configure the device to bypass its preconfigured APN list and only use the configured APNs, enable APN list only. 9.
where version is one of the following: auto: Requests both IPv4 and IPv6 addresses. ipv4: Requests only an IPv4 address. ipv6: Requests only an IPv6 address. The default is auto. 6. (Optional) Set the authentication method: (config)>...
Separate billing structures for public and private traffic. Site-to-site networking, without the overhead of tunneling for each device. In the following example configuration, all traffic on LAN1 is routed through the public APN to the internet, and all traffic on LAN2 is routed through the private APN to the customer's data center. To accomplish this, we will create separate WWAN interfaces that use the same modem but use different APNs, and then use routing rules to forward traffic to the appropriate WWAN interface.
3. Increase the maximum number of interfaces allowed for the modem: a. Click Network > Modems > Modem. b. For Maximum number of interfaces, type 2. 4. Create the WWAN interfaces: In this example, we will create two interfaces named WWAN_Public and WWAN_Private. a.
g. For Add Interface, type WWAN_Private and click . h. For Interface type, select Modem. i. For Zone, select External. j. For Device, select Modem. This should be the same modem selected for the WWAN_Public WWAN. k.
f. Configure the destination address: i. Click to expand Destination address. ii. For Type, select Interface. iii. For Interface, select Interface: WWAN_Public. g. Click the to add another route policy. h. For Label, enter Route through private APN. i.
1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2.
(config network interface WWANPrivate)> modem device modem (config network interface WWANPrivate)> i. Enable APN list only: (config network interface WWANPrivate)> apn_lock true (config network interface WWANPrivate)> j. Set the private APN: (config network interface WWANPrivate)> modem apn private_apn (config network interface WWANPrivate)>...
(config network route policy 0)> interface /network/interface/WWANPublic (config network route policy 0)> f. Use two periods (..) to move back one level in the configuration: (config network route policy 0)> .. (config network route policy)> g.
7. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Configure manual carrier selection: By default, your IX20 automatically selects the most appropriate cellular carrier based on the SIM that is in use and the status of available carriers in your area.
5. If Manual or Manual/Automatic is selected for Carrier selection mode, enter the Network PLMN ID. Note: You can use the modem scan command at the Admin CLI to scan for available carriers and determine their PLMN ID. See Scan for available cellular carriers for details.
manual_automatic: The device will attempt to connect to the carrier identified in the Network PLMN ID. If the carrier is not available, the device will fall back to using automatic carrier selection. 4. If carrier selection mode is set to manual or manual_automatic, set the network PLMN ID: (config)>...
4. When the Carrier Scan window opens, the results of the most recent previous scan are displayed. If there is no previous scan available, or to refresh the list, click SCAN. 5. The current carrier is highlighted in green. To switch to a different carrier: a.
WebUI 1. Log into the IX20 WebUI as a user with Admin access. 2. On the menu, click Status. 3. Under Connections, click Modems. The modem status window is displayed. Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu.
If the signal strength LEDs or the signal quality for your device indicate Poor or No service, try the following things to improve signal strength: Move the IX20 device to another location. Try connecting a different set of antennas, if available. Purchase a Digi Antenna Extender Kit: Antenna Extender Kit, 1m Antenna Extender Kit, 3m AT command access To run AT commands from the IX20 command line: ...
Page 106
Interfaces Wide Area Networks (WANs) 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the Admin CLI prompt, type modem at-interactive and press Enter. Type n if you do not want exclusive access.
Configure a Wide Area Network (WAN)

Configuring a Wide Area Network (WAN) involves configuring the following items:

Required configuration items
- The interface type: Ethernet.
- The firewall zone: External.
- The network device or bridge that is used by the WAN.
- Configure the WAN as a DHCP client.

1. Log into the IX20 WebUI as a user with full Admin access rights.
2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
3. Click Network > Interfaces.

9. Configure IPv4 settings:
   a. Click to expand IPv4. IPv4 support is enabled by default.
   b. For Type, select DHCP address.
   c. Optional IPv4 configuration items:
      i. Set the Metric. See Configure WAN/WWAN priority and default route metrics for further information about metrics.

   g. For Weight, type the relative weight for default routes associated with this interface. For multiple active interfaces with the same metric, Weight is used to load balance traffic to the interfaces.
   h. Set the Management priority. This determines which interface will have priority for central management activity.

2. At the command line, type config to enter configuration mode:
   > config
   (config)>
3. Create a new WAN or edit an existing one:
   To create a new WAN named my_wan:
   (config)> add network interface my_wan
   (config network interface my_wan)>...
   Configure the WAN to be a DHCP client:
   (config network interface my_wan)> ipv4 type dhcp
   (config network interface my_wan)>
   a. Optional IPv4 configuration items:
      i. Set the IP metric:
         (config network interface my_wan)> ipv4 metric num
         (config network interface my_wan)>...

   (config network interface my_wan)> ipv4 dhcp_hostname true
   (config network interface my_wan)>
   See RFC 4702 for further information about DHCP server support for the Client FQDN option. See Configure system information for information about setting the IX20 device's system name.

   (config network interface my_wan)> ipv6 metric 1
   (config network interface my_wan)>
   If the minimum length is not available, then a longer prefix will be used. See Configure WAN/WWAN priority and default route metrics for further information about metrics.

Additional configuration items
- SIM selection for this WWAN.
- The SIM PIN.
- The SIM phone number for SMS connections.
- Enable or disable roaming.
- SIM failover configuration.
- APN configuration.
- The custom gateway/netmask.
- IPv4 configuration:
  - The metric for IPv4 routes associated with the WAN.
  - The relative weight for IPv4 routes associated with the WAN.
3. Click Network > Interfaces.
4. Create the WWAN or select an existing WWAN:
   To create a new WWAN, for Add interface, type a name for the WWAN and click the add icon.
   To edit an existing WWAN, click to expand the WWAN.
   New WWANs are enabled by default.

   If PLMN identifier is selected, for Match PLMN identifier, type the PLMN ID that must be active for this WWAN to be used.
   If IMSI is selected, for Match IMSI, type the International Mobile Subscriber Identity (IMSI) that must be active for this WWAN to be used.

17. (Optional) To configure the IP address of a custom gateway or a custom netmask:
   a. Click Custom gateway to expand.
   b. Click Enable.
   c. For Gateway/Netmask, enter the IP address and netmask of the custom gateway. To override only the gateway netmask, but not the gateway IP address, use all zeros for the IP address.

   When primary default route: Only use the DNS servers provided for this WWAN when the WWAN is the primary route.
   Never: Never use DNS servers for this WWAN.
   The default setting is When primary default route.
   b. Set the device:
      (config network interface my_wwan)> modem device modem
      (config network interface my_wwan)>
6. Set the SIM matching criteria to determine when this WWAN should be used:
   (config network interface my_wwan)> modem match value
   (config network interface my_wwan)>...

   (config network interface my_wwan)> modem imsi IMSI
   (config network interface my_wwan)>
   plmn_id: Set the PLMN ID that must be active for this WWAN to be used:
   (config network interface my_wwan)> modem plmn_id PLMN_ID
   (config network interface my_wwan)>
   sim_slot: Set which SIM slot must be active for this WWAN to be used:
   (config network interface my_wwan)>...

   b. Set the cellular network technology:
      (config network interface my_wwan)> modem operator_technology value
      (config network interface my_wwan)>
      where value is one of:
      all: The best available technology will be used.
      2G: Only 2G technology will be used.
      3G: Only 3G technology will be used.

13. (Optional) To configure the IP address of a custom gateway or a custom netmask:
   a. Enable the custom gateway:
      (config network interface my_wwan)> modem custom_gw enable true
      (config network interface my_wwan)>
   b. Set the IP address and netmask of the custom gateway:
      (config network interface my_wwan)>...

   always: DNS will always be used for this WWAN; when multiple interfaces have the same DNS server, the interface with the lowest metric will be used for DNS requests.
   never: Never use DNS servers for this WWAN.
   primary: Only use the DNS servers provided for this WWAN when the WWAN is the primary route.
   The default setting is primary.
   g. See Configure SureLink active recovery to detect WAN/WWAN failures for information about configuring active recovery.

Show WAN and WWAN status and statistics

WebUI

1. Log into the IX20 WebUI as a user with Admin access.
   loopback         IPv4         static  loopback loopback
   modem            IPv4         modem   external wwan1
   modem            IPv6  down   modem   external wwan1
   >
4. Enter show network interface name at the Admin CLI prompt to display additional information about a specific WAN. For example, to display information about ETH1, enter show network interface eth1:
   >...

1. Log into the IX20 WebUI as a user with full Admin access rights.
2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
3. Click Network > Interfaces.

The following table lists the default outbound network communications for IX20 WAN/WWAN interfaces:

Description                                                  TCP/UDP Port number
Digi Remote Manager connection to my.devicecloud.com         3199
NTP date/time sync to time.devicecloud.com
DNS resolution using WAN-provided DNS servers
HTTPS for modem firmware downloads from firmware.accns.com
...
Interfaces Local Area Networks (LANs)

Local Area Networks (LANs)

The IX20 device is preconfigured with the following Local Area Networks (LANs):

Interface type             Preconfigured interfaces   Devices                             Default configuration
Local Area Network (LAN)   ETH2                       Ethernet: ETH2 (non-Wi-Fi models)   Firewall zone: Internal
                                                                                          IP address: 192.168.2.1/24

A Local Area Network (LAN) connects network devices together, such as Ethernet or Wi-Fi, in a logical Layer-2 network. The following diagram shows a LAN connected to the ETH2 Ethernet device and the Digi AP access point (available for Wi-Fi enabled models only). Once the LAN is configured and enabled, the devices connected to the network interfaces can communicate with each other, as demonstrated by the ping commands.

IPv6 configuration:
- The metric for IPv6 routes associated with the LAN.
- The relative weight for IPv6 routes associated with the LAN.
- The IPv6 management priority of the LAN. The active interface with the highest management priority will have its address reported as the preferred contact address for central management and direct device access.
   New LANs are enabled by default. To disable, click Enable.
5. For Interface type, leave at the default setting of Ethernet.
6. For Zone, select the appropriate firewall zone. See Firewall configuration for further information.

   d. For Prefix length, type the minimum length of the prefix to assign to this LAN. If the minimum length is not available, then a longer prefix will be used.
   e. For Prefix ID, type the identifier used to extend the prefix to the assigned length. Leave blank to use a random identifier.

   To edit an existing LAN named my_lan, change to the my_lan node in the configuration schema:
   (config)> network interface my_lan
   (config network interface my_lan)>
4. Set the appropriate firewall zone:
   (config network interface my_lan)> zone zone
   (config network interface my_lan)>...

   (config network interface my_lan)> ipv4 address ip_address/netmask
   (config network interface my_lan)>
   b. Optional IPv4 configuration items:
      i. Set the IP metric:
         (config network interface my_lan)> ipv4 metric num
         (config network interface my_lan)>
      ii. Set the relative weight for default routes associated with this interface. For multiple active interfaces with the same metric, the weight is used to load balance traffic to the interfaces.
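The metric, weight and management-priority rules described for WAN interfaces (Weight and Management priority under Configure a Wide Area Network) and repeated here for LANs can be checked against a planned configuration before it is applied: the lowest metric wins the default route, equal metrics share traffic by weight, and the highest management priority decides which address is reported for central management. The Python below is an added example written for this page, not code from Digi or the IX20 firmware. The interface table is constructed for the example, and breaking a management-priority tie by the lower metric is an assumption the guide does not state.

```python
"""Predict which IX20 interfaces carry the default route, and in what share.

Added example (not Digi code): models the metric/weight/management-priority
rules the guide describes so a planned WAN/LAN configuration can be sanity
checked before it is applied.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Interface:
    name: str
    active: bool        # interface is up (for example, its SureLink tests pass)
    metric: int         # ipv4 metric: lower is preferred
    weight: int         # ipv4 weight: traffic share among equal-metric interfaces
    mgmt_priority: int  # management priority: higher wins


def default_route_shares(interfaces: List[Interface]) -> Dict[str, float]:
    """Return {name: fraction of traffic} for the interfaces on the default route.

    Only active interfaces are candidates; those sharing the lowest metric are
    load balanced in proportion to their weight. Higher-metric interfaces
    carry nothing until every lower-metric interface goes down (failover).
    """
    active = [i for i in interfaces if i.active]
    if not active:
        return {}
    best = min(i.metric for i in active)
    chosen = [i for i in active if i.metric == best]
    total_weight = sum(i.weight for i in chosen)
    if total_weight <= 0:
        # Degenerate configuration: report an even split so the caller still
        # sees which interfaces are candidates.
        return {i.name: 1.0 / len(chosen) for i in chosen}
    return {i.name: i.weight / total_weight for i in chosen}


def management_interface(interfaces: List[Interface]) -> Optional[str]:
    """Name of the active interface whose address is reported for central management.

    Highest management priority wins; equal priorities are broken by the lower
    metric (an assumption made for this example, not stated by the guide).
    """
    active = [i for i in interfaces if i.active]
    if not active:
        return None
    return max(active, key=lambda i: (i.mgmt_priority, -i.metric)).name


def failover_scenario(interfaces: List[Interface], down: List[str]) -> Dict[str, float]:
    """Shares after the named interfaces go down (works on a copy, input is not mutated)."""
    simulated = [
        Interface(i.name, i.active and i.name not in down, i.metric, i.weight, i.mgmt_priority)
        for i in interfaces
    ]
    return default_route_shares(simulated)


# Constructed sample: two wired WANs sharing a metric, a cellular backup, and
# the LAN (which must never win the default route while a WAN is up).
SAMPLE = [
    Interface("eth1",  True, metric=1, weight=10, mgmt_priority=0),
    Interface("eth2w", True, metric=1, weight=30, mgmt_priority=0),
    Interface("modem", True, metric=3, weight=10, mgmt_priority=5),
    Interface("lan",   True, metric=5, weight=10, mgmt_priority=0),
]


if __name__ == "__main__":
    print("normal:", default_route_shares(SAMPLE))
    print("both wired WANs down:", failover_scenario(SAMPLE, ["eth1", "eth2w"]))
    print("management address from:", management_interface(SAMPLE))
```

Run it against your own interface list before changing metrics: the output makes it obvious when a LAN would accidentally become the default route, or when a backup interface would share traffic with the primary because both were given the same metric.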
   enable            true                 Enable
   metric                                 Metric
   mgmt                                   Management priority
   1500
   prefix_id                              Prefix ID
   prefix_length                          Prefix length
   type              prefix_delegation    Type
   weight                                 Weight

   Additional Configuration
   -------------------------------------------------------------------------------
   connection_monitor                     Active recovery
   dhcpv6_server                          DHCPv6 server

   (config network interface my_lan)>
   View default settings for the IPv6 DHCP server:
   (config network interface my_lan)>...

(Optional) Configure the MAC address allowlist. If allowlist entries are specified, incoming packets will only be accepted from the listed MAC addresses.
   a. Add a MAC address to the allowlist:
      (config network interface my_lan)> add mac_allowlist end mac_address
      (config network interface my_lan)>...

   >
3. Additional information can be displayed by using the show network verbose command:
   > show network verbose
   Interface        Proto Status  Type   Zone     Device   Metric Weight
   ---------------- ----- ------- ------ -------- -------- ------ ----
   defaultip IPv4 static setup...

   >
5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.

Delete a LAN

Follow this procedure to delete any LANs that have been added to the system. You cannot delete the preconfigured LAN, LAN1.

2. At the command line, type config to enter configuration mode:
   > config
   (config)>
3. Use the del command to delete the LAN. For example, to delete a LAN named my_lan:
   (config)> del network interface my_lan
- The TFTP server name.
- The filepath and name of the bootfile on the TFTP server.
- Custom DHCP options. See Configure DHCP options for information about custom DHCP options.
- Static leases. See Map static IP addresses to hosts for information about static leases.

   a. Click to expand Advanced settings.
   b. For Gateway, select either:
      None: No gateway is broadcast by the DHCP server. Client destinations must be resolvable without a gateway.
      Automatic: Broadcasts the IX20 device's gateway.
      Custom: Allows you to identify the IP address of a Custom gateway to be broadcast.

   (config)> network interface my_lan ipv4 dhcp_server enable true
   (config)>
   See Configure a LAN for information about creating a LAN.
4. (Optional) Set the amount of time that a DHCP lease is valid:
   (config)> network interface my_lan ipv4 dhcp_server lease_time value
   (config)>...

   The default is auto.
   c. Determine how the DHCP server should broadcast the MTU:
      (config)> network interface my_lan ipv4 dhcp_server advanced mtu value
      (config)>
      where value is one of:
      none: An MTU of length 0 is broadcast. This is not recommended.
      auto: No MTU is broadcast and clients will determine their own MTU.

   f. Set the IP address or host name of the TFTP server:
      (config)> network interface my_lan ipv4 dhcp_server advanced nftp_server ip_address
      (config)>
   g. Set the relative path and file name of the bootfile on the TFTP server:
      (config)>...
3. Click Network > Interfaces.
4. Click to expand an existing LAN, or create a new LAN. See Configure a LAN.
5. Click to expand IPv4 > DHCP server > Advanced settings > Static leases.

4. Set the MAC address of the device associated with this static lease, using the colon-separated format:
   (config network interface my_lan ipv4 dhcp_server advanced static_lease 0)> mac 00:40:D0:13:35:36
   (config network interface my_lan ipv4 dhcp_server advanced static_lease 0)>...

2. At the command line, type config to enter configuration mode:
   > config
   (config)>
3. Show the static lease configuration. For example, to show the static leases for a LAN named my_lan:
   (config)> show network interface my_lan ipv4 dhcp_server advanced static_lease
   ip 192.168.2.10
   mac BF:C3:46:24:0E:D9...

3. Click Network > Interfaces.
4. Click to expand an existing LAN.
5. Click to expand IPv4 > DHCP server > Advanced settings > Static leases.
6. Click the menu icon (...) next to the name of the static lease to be deleted and select Delete.

4. Use the del index_number command to delete a static lease. For example, to delete the static lease for the device listed in the above output with a MAC address of BF:C3:46:24:0E:D9 (index number 0):
   (config)>...
3. Click Network > Interfaces.
4. Click to expand an existing LAN, or create a new LAN. See Configure a LAN.
5. Click to expand IPv4 > DHCP server > Advanced settings > Custom DHCP option.

4. Custom options are enabled by default. To disable:
   (config network interface my_lan ipv4 dhcp_server advanced custom_option 0)> enable false
   (config network interface my_lan ipv4 dhcp_server advanced custom_option 0)>
5. Set the option number for the DHCP option:
   (config network interface my_lan ipv4 dhcp_server advanced custom_option 0)>...

10. Save the configuration and apply the change:
   (config network interface my_lan ipv4 dhcp_server advanced custom_option 0)> save
   Configuration saved.
   >
11. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.

3. Click Network > Interfaces.
4. Click to expand an existing LAN, or create a new LAN. See Configure a LAN.
5. Disable the DHCP server, if it is enabled:
   a. Click to expand IPv4 > DHCP server.

5. (Optional) Add additional DHCP relay servers:
   a. Move back one step in the configuration schema by typing two periods (..):
      (config network interface my_lan ipv4 dhcp_relay 0)> ..
      (config network interface my_lan ipv4 dhcp_relay)>

2. Enter the show dhcp-lease command at the Admin CLI prompt:
   > show dhcp-lease
   IP Address    Hostname        Expires
   ------------- --------------- -------
   192.168.2.194 MTK-ENG-USER1
   192.168.2.195 MTK-ENG-USER2
   >
3. Additional information can be returned by using the show dhcp-lease verbose command:
   >...
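Both show network verbose (shown above under the LAN status procedure) and show dhcp-lease print column-aligned tables with a ruler of dashes under the header. The Python below is an added example for this page, not Digi code: it parses that layout by taking the column boundaries from the ruler, which is more robust than splitting on whitespace because a header with a space in it (IP Address) or an empty cell (an Expires column with nothing in it) would otherwise shift the fields. The two sample outputs are constructed for the example in the layout the guide shows; they are not captured from a device, and the helper functions that read the parsed rows (interfaces that are down, interfaces in the External zone, leases with no expiry) are the kind of check an operator scripting over the CLI would want.

```python
"""Parse the column-aligned tables printed by the IX20 Admin CLI.

Added example, not Digi code. The ruler of dashes under the header is used to
find column boundaries, so header names containing spaces ("IP Address") and
empty cells (a blank "Expires") are handled correctly.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of "show network verbose"; not a real capture.
SHOW_NETWORK_VERBOSE = """\
> show network verbose
Interface        Proto Status  Type   Zone     Device   Metric Weight
---------------- ----- ------- ------ -------- -------- ------ ------
defaultip        IPv4  up      static setup    eth1     10     10
eth1             IPv4  up      dhcp   external eth1     1      10
loopback         IPv4  up      static loopback loopback 0      10
modem            IPv4  up      modem  external wwan1    3      10
modem            IPv6  down    modem  external wwan1    3      10
>
"""

# Constructed sample in the layout of "show dhcp-lease"; not a real capture.
SHOW_DHCP_LEASE = """\
> show dhcp-lease
IP Address    Hostname        Expires
------------- --------------- -------
192.168.2.194 MTK-ENG-USER1
192.168.2.195 MTK-ENG-USER2   0:42:10
>
"""

Span = Tuple[int, Optional[int]]


def _column_spans(ruler: str) -> List[Span]:
    """Start/end offsets of each dash run; the last column extends to end of line."""
    spans: List[Span] = [(m.start(), m.end()) for m in re.finditer(r"-+", ruler)]
    if spans:
        spans[-1] = (spans[-1][0], None)
    return spans


def parse_cli_table(text: str) -> List[Dict[str, str]]:
    """Return one dict per data row, keyed by the header names above the ruler."""
    lines = text.splitlines()
    ruler_idx = next(
        (i for i, ln in enumerate(lines) if ln.strip() and set(ln.strip()) <= {"-", " "}),
        None,
    )
    if ruler_idx is None or ruler_idx == 0:
        raise ValueError("no header/ruler pair found")
    spans = _column_spans(lines[ruler_idx])
    names = [lines[ruler_idx - 1][s:e].strip() for s, e in spans]
    rows: List[Dict[str, str]] = []
    for line in lines[ruler_idx + 1:]:
        if not line.strip() or line.strip() == ">":  # blank line or trailing prompt
            continue
        rows.append({n: line[s:e].strip() for n, (s, e) in zip(names, spans)})
    return rows


def down_interfaces(rows: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(Interface, Proto) pairs reported as down."""
    return [(r["Interface"], r["Proto"]) for r in rows if r["Status"] == "down"]


def external_interfaces(rows: List[Dict[str, str]]) -> List[str]:
    """Interfaces in the External zone, the ones facing the WAN side."""
    return sorted({r["Interface"] for r in rows if r["Zone"] == "external"})


def leases_without_expiry(rows: List[Dict[str, str]]) -> List[str]:
    """Addresses whose lease row has no expiry value."""
    return [r["IP Address"] for r in rows if r["Expires"] == ""]


if __name__ == "__main__":
    net = parse_cli_table(SHOW_NETWORK_VERBOSE)
    print("down:", down_interfaces(net))
    print("external zone:", external_interfaces(net))
    print("leases without expiry:", leases_without_expiry(parse_cli_table(SHOW_DHCP_LEASE)))
```

The same parser works for any DAL table that follows the header-plus-ruler layout; only the column names passed to the helper functions change.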
3. Click Network > Virtual LAN.
4. Type a name for the VLAN and click the add icon.
5. Select the Device.
6. Type or select a unique numeric ID for the VLAN ID.
7. Click Apply to save the configuration and apply the change.
...

   (config network vlan vlan1)>
   b. Add the device:
      (config network vlan vlan1)> device /network/device/
      (config network vlan vlan1)>
5. Set the VLAN ID:
   (config network vlan vlan1)> id value
   where value is an integer between 1 and 4095.

Interface type               Preconfigured interfaces   Devices                       Default configuration
Bridges (Wi-Fi model only)   Bridge: LAN                Ethernet: ETH2                Enabled
                                                        Wi-Fi access point: Digi AP   Used by the ETH1 interface

5. Modify the list of devices that are a part of the bridge. By default, the LAN bridge includes the following devices:
   Ethernet: ETH2
   Wi-Fi access point: Digi AP

Note: The MAC address of the bridge is taken from the first available device in the list.
Interfaces Bridging

   b. To add a device, for Add device, click the add icon and select the Device.
6. (Optional) Enable Spanning Tree Protocol (STP). STP is used when using multiple LANs on the same device, to prevent bridge loops and other routing conflicts.

      /network/wireless/ap/digi_ap
      Default value: /network/bridge/lan
      Current value: /network/bridge/lan
      (config network bridge my_bridge)>
   ii. Add the appropriate device. For example, to add the Digi AP Wi-Fi access point:
      (config network bridge my_bridge)> add device end /network/wireless/ap/digi_ap
      (config)>
5. (Optional) Enable Spanning Tree Protocol (STP).
   a. Enable STP:
      (config)> network bridge eth2 stp enable true
   b. Set the number of seconds that the device will spend in each of the listening and learning states before the bridge begins forwarding data:
      (config)> network bridge eth2 stp forward_delay num
      (config)>...

3. Click Network > Bridges.
4. For Add Bridge, type a name for the bridge and click the add icon.
5. Bridges are enabled by default. To disable, uncheck Enable.
6. Add devices to the bridge:
   a. Click to expand Devices.

      /network/bridge/lan
      /network/wireless/ap/digi_ap
      Default value: /network/bridge/lan
      Current value: /network/bridge/lan
      (config network bridge my_bridge)>
   b. Add the appropriate device. For example, to add the Digi AP Wi-Fi access point:
      (config network bridge my_bridge)> add device end /network/wireless/ap/digi_ap
      (config)>
   Note: The MAC address of the bridge is taken from the first available device in the list.

   (config network bridge my_bridge)> stp forward_delay num
   (config)>
   The default is 2 seconds.
7. Save the configuration and apply the change:
   (config)> save
   Configuration saved.
   >
8. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
Serial port

IX20 devices have a single serial port that provides access to the command-line interface. Use an RS-232 serial cable to establish a serial connection from your IX20 to your local laptop or PC. Use a terminal emulator program to establish the serial connection. The terminal emulator's serial connection must be configured to match the configuration of the IX20 device's serial port.

Configure the serial port

1. Log into the IX20 WebUI as a user with Admin access.
2. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed.
   Note: You can also configure the serial port by using Device Configuration > Serial. Changes made by using either Device Configuration or Serial Configuration will be reflected in both.

7. If Login, Remote Access, or Modbus is selected for Mode:
   a. Click to expand Serial Settings.
   b. For Baud rate, select the baud rate used by the device to which you want to connect.

   a. Enable CTS to monitor CTS (Clear to Send) changes on this port.
   b. Enable DCD to monitor DCD (Data Carrier Detect) changes on this port.
9. (Optional) Copy the serial port's configuration by clicking the (copy) icon.

3. The serial port is enabled by default. To disable:
   (config)> serial port1 enable false
   (config)>
4. Set the mode:
   (config)> serial port1 mode mode
   (config)>
   where mode is either:
   login: Allows the user to log into the device through the serial port.
   remote: Allows for remote access to another device that is connected to the serial port.
   d. Set the stop bits used by the device to which you want to connect:
      (config)> serial port1 stopbits bits
      (config)>
   e. Set the type of flow control used by the device to which you want to connect:
      (config)>...

   e. (Optional) Enable monitoring of CTS (Clear to Send) changes on this port:
      (config)> serial port1 monitor cts true
      (config)>
   f. (Optional) Enable monitoring of DCD (Data Carrier Detect) changes on this port:
      (config)> serial port1 monitor dcd true
      (config)>

      A single IP address or host name.
      A network designation in CIDR notation, for example, 2001:db8::/48.
      any: No limit to IPv6 addresses that can access the TCP port.
      Repeat this step to list additional IP addresses or networks.
      To limit access to hosts connected through a specified interface on the IX20 device:
      (config serial USB_port)>...

      ------------------------------
      dynamic_routes
      edge
      external
      internal
      ipsec
      loopback
      setup
      (config serial USB_port)>
      Repeat this step to list additional firewall zones.
   v. (Optional) Enable mDNS. mDNS is a protocol that resolves host names in small networks that do not have a DNS server.
      (config serial USB_port)>...
      To limit access to specified IPv6 addresses and networks:
      (config serial USB_port)> add service telnet acl address6 end value
      (config serial USB_port)>
      Where value can be:
      A single IP address or host name.
      A network designation in CIDR notation, for example, 2001:db8::/48.
      any: No limit to IPv6 addresses that can access the telnet port.

      Type ... firewall zone ? at the config prompt:
      (config serial USB_port)> ... firewall zone ?
      Zones: A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists.
      Additional Configuration
      -------------------------------------------------------------------------------...

      Repeat this step to list additional IP addresses or networks.
      To limit access to specified IPv6 addresses and networks:
      (config serial USB_port)> add service ssh acl address6 end value
      (config serial USB_port)>
      Where value can be:
      A single IP address or host name.
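The per-service access control lists above (for the TCP, telnet and ssh services of a serial port) each accept a single address or host name, a network in CIDR notation such as 2001:db8::/48, or the keyword any. The Python below is an added example for this page, not Digi code or the firmware's own matching logic: it evaluates a client address against such a list, produces review findings for lists that are wider than intended, and prints the CLI lines in the form the guide shows. The IPv6 list name acl address6 is taken from the guide; the IPv4 list name acl address is assumed, as is the treatment of an empty list as "no address restriction configured", and host names are assumed to have been resolved to addresses before the check.

```python
"""Check a client address against the per-service ACL entries the guide describes.

Added example, not Digi code. ACL values are a single IP address, a CIDR
network (for example 2001:db8::/48) or the keyword "any". Host names would
need DNS resolution, so this example assumes they were resolved to addresses
beforehand. The IPv4 list is assumed to be "acl address" (the guide shows the
IPv6 list "acl address6"), and an empty list is assumed to mean "no address
restriction configured" for that family.
"""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_acl_entry(entry: str) -> Union[str, Network]:
    """Turn one ACL value into "any" or an ip_network (a host becomes a /32 or /128)."""
    entry = entry.strip()
    if entry.lower() == "any":
        return "any"
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError as exc:
        raise ValueError(f"unsupported ACL entry (resolve host names first): {entry!r}") from exc


def is_allowed(client: str, address: Iterable[str], address6: Iterable[str]) -> bool:
    """True if the client may reach the service.

    IPv4 clients are matched against the address list and IPv6 clients against
    the address6 list, mirroring the two separate lists in the CLI.
    """
    addr = ipaddress.ip_address(client)
    entries = list(address6 if addr.version == 6 else address)
    if not entries:
        return True  # assumption: no entries for this family = unrestricted
    for raw in entries:
        rule = parse_acl_entry(raw)
        if rule == "any":
            return True
        if rule.version == addr.version and addr in rule:
            return True
    return False


def acl_findings(service: str, address: Iterable[str], address6: Iterable[str]) -> List[str]:
    """Review findings for an ACL that admits more sources than a practitioner usually wants."""
    findings: List[str] = []
    for family, entries in (("address", list(address)), ("address6", list(address6))):
        if not entries:
            findings.append(f"{service}: no {family} restriction configured")
            continue
        for raw in entries:
            rule = parse_acl_entry(raw)
            if rule == "any":
                findings.append(f"{service}: {family} allows any source ('any')")
            elif rule.prefixlen == 0:  # 0.0.0.0/0 or ::/0 is "any" spelled differently
                findings.append(f"{service}: {family} allows any source ({rule})")
    return findings


def acl_commands(service: str, address: Iterable[str], address6: Iterable[str]) -> List[str]:
    """Admin CLI lines, in the form the guide shows, that would apply this ACL."""
    cmds = [f"add service {service} acl address end {v}" for v in address]
    cmds += [f"add service {service} acl address6 end {v}" for v in address6]
    return cmds


if __name__ == "__main__":
    # Constructed example ACL for the ssh service of a serial port.
    v4, v6 = ["192.0.2.0/24"], ["2001:db8::/48"]
    print(is_allowed("192.0.2.10", v4, v6), is_allowed("2001:db8:1::1", v4, v6))
    print(acl_findings("ssh", ["any"], v6))
    print("\n".join(acl_commands("ssh", v4, v6)))
```

A useful habit is to run acl_findings over every serial service before saving: an ACL that contains any, or no entries at all, means the only thing limiting access to the port is the firewall zone.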
Serial port Configure UDP serial mode

      Type ... firewall zone ? at the config prompt:
      (config serial USB_port)> ... firewall zone ?
      Zones: A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists.
      Additional Configuration
      -------------------------------------------------------------------------------...

1. Log into the IX20 WebUI as a user with Admin access.
2. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed.
   Note: You can also configure the serial port by using Device Configuration > Serial. Changes made by using either Device Configuration or Serial Configuration will be reflected in both.

7. Expand Data Framing Settings.
   a. Click Enable to enable the data framing feature.
   b. For Maximum Frame Count, enter the maximum size of the packet. The default is 1024.
   c. For Idle Time, enter the length of time the device should wait before sending the packet.
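The two framing parameters above define when buffered serial bytes are sent as one UDP packet: when the buffer reaches Maximum Frame Count, or when no more data arrives within Idle Time. The Python below is an added example modelling that rule; it is not Digi's implementation. It assumes the maximum is measured in bytes and that the idle timer restarts on every received byte, and the byte stream it replays is constructed for the example.

```python
"""Model of the UDP serial data-framing rule described above.

Added example, not Digi firmware code. Assumptions: the frame limit is in
bytes and the idle timer is measured from the most recently received byte.
"""
from typing import List, Tuple


class SerialFramer:
    def __init__(self, max_frame_size: int = 1024, idle_time: float = 0.1) -> None:
        if max_frame_size < 1 or idle_time < 0:
            raise ValueError("max_frame_size must be >= 1 and idle_time >= 0")
        self.max_frame_size = max_frame_size
        self.idle_time = idle_time  # seconds
        self._buf = bytearray()
        self._last_rx = 0.0         # timestamp of the last byte received

    def feed(self, data: bytes, now: float) -> List[bytes]:
        """Add bytes received at time `now`; return the frames that are ready to send."""
        frames: List[bytes] = []
        # Data arriving after a gap of at least idle_time closes the previous frame.
        if self._buf and now - self._last_rx >= self.idle_time:
            frames.append(bytes(self._buf))
            self._buf.clear()
        self._buf.extend(data)
        self._last_rx = now
        # Full frames go out immediately; any remainder waits for more data or idle.
        while len(self._buf) >= self.max_frame_size:
            frames.append(bytes(self._buf[: self.max_frame_size]))
            del self._buf[: self.max_frame_size]
        return frames

    def flush_if_idle(self, now: float) -> List[bytes]:
        """Called from a timer: send the partial frame once the line has been idle."""
        if self._buf and now - self._last_rx >= self.idle_time:
            frame = bytes(self._buf)
            self._buf.clear()
            return [frame]
        return []

    def pending(self) -> int:
        """Bytes buffered but not yet sent."""
        return len(self._buf)


def frame_stream(events: List[Tuple[float, bytes]], max_frame_size: int, idle_time: float) -> List[bytes]:
    """Replay (timestamp, bytes) events through a framer, then flush the tail.

    Useful for checking offline how a captured byte stream would be packetised
    with a given Maximum Frame Count and Idle Time.
    """
    framer = SerialFramer(max_frame_size, idle_time)
    out: List[bytes] = []
    for ts, chunk in events:
        out += framer.feed(chunk, ts)
    out += framer.flush_if_idle(float("inf"))  # end of stream: the line is idle forever
    return out


if __name__ == "__main__":
    # Constructed stream: a burst of two chunks, then a lone chunk after a pause.
    sample = [(0.0, b"hello"), (0.01, b"wor"), (5.0, b"ld")]
    print(frame_stream(sample, max_frame_size=1024, idle_time=0.1))
```

Lowering Idle Time makes short messages leave the device sooner at the c ost of more, smaller packets; raising Maximum Frame Count only matters for senders that stream continuously, because a burst that pauses for longer than Idle Time is flushed regardless of size.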
9. Click Apply to save the configuration and apply the change. The Apply button is located at the top of the WebUI page. You may need to scroll to the top of the page to locate it.

Show serial status and statistics

To show the status and statistics for the serial port:
...

Log serial port messages

1. Log into the IX20 WebUI as a user with Admin access.
2. On the main menu, click Status.
3. Under Connections, click Serial.
4. Click Log. The Serial port log window displays.
5. Click Start to start serial port logging.

Wi-Fi

This chapter applies to the IX20W Wi-Fi enabled model only. This chapter contains the following topics:
- Wi-Fi configuration
- Configure the Wi-Fi radio's channel
- Configure the Wi-Fi radio to support DFS channels in client mode
- Configure the Wi-Fi radio's band and protocol
- Configure the Wi-Fi radio's transmit power
- Configure an open Wi-Fi access point
- Configure a Wi-Fi access point with personal security
...

Default access point SSID and password

By default, the IX20W device has one access point enabled. The default SSID for the access point is:
Digi-IX20W-serial_number
The password for the default access point is the unique password as found on the device's label. See...

Access point mode       802.11b/g/n
Channel                 Automatic
Channel width           20/40 MHz
Beacon interval

Access point: Default setting
Name                    Digi AP
Enabled or disabled     Enabled
SSID                    Digi-IX20W-serial_number
SSID broadcast          Enabled
Encryption              WPA2 Personal (PSK)
Pre-shared key          The unique password printed on the bottom label of the device.
Wi-Fi Configure the Wi-Fi radio's channel

Configure the Wi-Fi radio's channel

By default, the Wi-Fi radio is configured to automatically select the best channel to use with respect to other Wi-Fi networks. You can configure a specific channel to use for the Wi-Fi radio by using the following steps.

5. Click Apply to save the configuration and apply the change.

Command line

1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.

Configure the Wi-Fi radio to support DFS channels in client mode

Dynamic Frequency Selection (DFS) is a mechanism for Wi-Fi connections to use 5 GHz frequencies that are normally reserved for non-Wi-Fi purposes. Your IX20W can be configured to have one or more Wi-Fi clients that can connect to external Wi-Fi access points that support DFS channels, in addition to the non-DFS channels 36, 40, 44, 48, 149, 153, 157, 161, and 165.

Configure the Wi-Fi radio's band and protocol

6. Click Apply to save the configuration and apply the change.

Command line

1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.

1. Log into the IX20 WebUI as a user with full Admin access rights.
2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
3. Click Network > WiFi.

3. Set the channel for the radio:
   a. Set the band for the radio:
      (config)> network wifi radio phy0 band value
      (config)>
      where value is either 2400mhz or 5000mhz.
   b. Set the mode for the Wi-Fi radio. For example:
      If the Wi-Fi radio has a band of 2400mhz:
      (config)>...

Configure the Wi-Fi radio's transmit power

3. Click Network > WiFi.
4. For Tx power percentage, type or select the appropriate percentage for the Wi-Fi radio's transmit power.
5. Click Apply to save the configuration and apply the change.
...

Configure an open Wi-Fi access point

This procedure configures a Wi-Fi access point that does not require a password for client connections. By default, the IX20W device comes with one preconfigured access point, Digi AP. You cannot delete default access points, but you can modify them or you can create your own access points.
3. Click Network > WiFi > Access points.
4. Create a new access point or modify an existing access point:
   To create a new access point, for Add WiFi access point:, type a name for the access point and click the add icon.

   The group key is shared by all clients of the access point, and after a client has disconnected, it will be able to use the group key to decrypt broadcast packets until the key is changed.

   where value is either:
   none: No encryption is used.
   owe: Uses WPA3 Enhanced Open, which uses Opportunistic Wireless Encryption (OWE) technology to provide encryption for Wi-Fi networks that do not use password protection.
   Note: Only select owe if you know that all Wi-Fi clients connecting to this device will have WPA3 capabilities.

   (config)> network wifi ap ?
   Additional Configuration
   -------------------------------------------------------------------------------
   digi_ap    Digi AP
   (config)>
4. Set the SSID for the appropriate access point:
   (config)> network wifi ap digi_ap ssid my_SSID
   (config)>
5. SSID broadcasting is enabled by default for the preconfigured access points. If SSID broadcasting is disabled:
   (config)>...

Configure a Wi-Fi access point with personal security

By default, the IX20W device comes with one preconfigured access point, Digi AP. You cannot delete default access points, but you can modify them or you can create your own access points.
Required configuration items
- Enable the Wi-Fi access point.
- The Service Set Identifier (SSID) for the access point.
- Configure security for the access point to use personal security.
- The password (preshared key) that clients will use to connect to the access point.
- LAN/bridge assignment.

   To modify an existing access point, click to expand the access point.
   The Wi-Fi access point configuration window is displayed.
5. For SSID, type the SSID. Up to 32 characters are allowed.

   Increasing the time between rekeys can improve connectivity issues in noisy environments. To disable group rekeys, set to 0. This will allow any client that has previously connected to see all broadcast traffic on the wireless network until the Wi-Fi radio is restarted. The default is 10 minutes.

   psk2: Uses WPA2 Personal (PSK) mode. All Wi-Fi clients must support WPA2 to be able to authenticate.
   psk2sae: Uses WPA2-PSK/WPA3-AES mixed mode. Wi-Fi clients that support WPA2 and WPA3 are able to authenticate.
   sae: Uses WPA3 Personal mode.

   (config)> network wifi ap ?
   Additional Configuration
   -------------------------------------------------------------------------------
   digi_ap    Digi AP
   (config)>
4. Set the SSID for the appropriate access point:
   (config)> network wifi ap digi_ap ssid my_SSID
   (config)>
5. SSID broadcasting is enabled by default for the preconfigured access points. If SSID...

   (config)> network wifi ap digi_ap ssid_broadcast true
   (config)>
6. Set the security for the access point to a personal security option:
   (config network wifi ap new_AP)> encryption type value
   (config network wifi ap new_AP)>
   where value is one of:
   psk: Uses WPA Personal (PSK).
RADIUS server, rather than using preshared key on the IX20 device. By default, the IX20W device comes with one preconfigured access point, Digi AP. You cannot delete default access points, but you can modify them or you can create your own access points.
Wi-Fi Configure a Wi-Fi access point with enterprise security The server port for one or more RADIUS server. The amount of time to wait before changing the group key. To configure a Wi-Fi access point with WPA2 enterprise security: WebUI 1.
Wi-Fi Configure a Wi-Fi access point with enterprise security 5. For SSID, type the SSID. Up to 32 characters are allowed. 6. Enable SSID broadcast to configure the radio to broadcast the SSID. 7. (Optional) Enable Isolate clients to prevent clients that are connected to this access point from communicating with each other.
Wi-Fi Configure a Wi-Fi access point with enterprise security Command line Configure a new Access point 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Wi-Fi Configure a Wi-Fi access point with enterprise security b. Set the secret key as configured on the RADIUS server: (config network wifi ap new_AP)> encryption radius_servers 0 key secret_key (config network wifi ap new_AP)> c. (Optional) Set the RADIUS server's port. The default is 1812. (config network wifi ap new_AP)>...
Wi-Fi Configure a Wi-Fi access point with enterprise security Isolate Wi-Fi clients for information about how to prevent clients connected to different access points from communicating with each other. 8. Set the IP address or hostname of the RADIUS server: (config)>...
Wi-Fi Isolate Wi-Fi clients Isolate Wi-Fi clients Client isolation prevents wireless clients connected to the IX20W device from communicating with other clients. There are two mechanisms for client isolation configuration: Isolate clients connected to the same access point Isolate clients connected to different access points This section provides instructions for both mechanisms.
Wi-Fi Isolate Wi-Fi clients 2. At the command line, type config to enter configuration mode: > config (config)> 3. Create a new access point or modify an existing access point. See Configure an open Wi-Fi access point, Configure a Wi-Fi access point with personal security, or Configure a Wi-Fi access point with enterprise...
3. Create a new access point. By default, the IX20W comes with one preconfigured access point, named Digi AP. In these instructions, we will use the existing Digi AP access point and create another new access point, named new_AP. a. Click Network > WiFi > Access points.
Wi-Fi Isolate Wi-Fi clients d. Create a firewall filter to drop traffic from the Internal zone (used by the LAN1 interface) to the LAN2_isolation_zone: i. Click Firewall > Packet filtering. ii. For Add packet filter, click . iii. For Label, type Drop traffic from Internal to LAN2_isolation_zone. iv.
Wi-Fi Isolate Wi-Fi clients a. Click Configuration > Network > Interfaces. b. For Add interface, type a name for the LAN and click . c. For Zone, select LAN2_isolation_zone. d. For Device, select the new Wi-Fi access point. e. Click to expand IPv4. f.
Wi-Fi Isolate Wi-Fi clients none psk2 wpa2: d. Complete other encryption-related fields as appropriate based on the type of encryption. Configure an open Wi-Fi access point, Configure a Wi-Fi access point with personal security, or Configure a Wi-Fi access point with enterprise security for details.
Wi-Fi Isolate Wi-Fi clients to any zone. In this example, we will add the new packet filter at the first position in the list (index position 0). i. Add the new packet filter: (config firewall filter 1)> add .. 0 (config firewall filter 0)> ii.
Wi-Fi Configure a Wi-Fi client and add client networks e. Set the IP address and subnet mask of the LAN: (config network interface LAN2)> ipv4 address address/mask (config network interface LAN2)> f. Enable the DHCP server: (config network interface LAN2)> ipv4 dhcp_server enable true (config network interface LAN2)>...
Wi-Fi Configure a Wi-Fi client and add client networks 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > WiFi > Client mode connections. 4.
Wi-Fi Configure a Wi-Fi client and add client networks 6. (Optional) Configure Background scanning. Background scanning allows the device to scan for nearby access points and to move between access points that have the same SSID that is configured for the client connection, based on the signal strength of the access points.
Wi-Fi Configure a Wi-Fi client and add client networks h. To add a channel, click Add Scan frequency and select the appropriate channel. 7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Wi-Fi Configure a Wi-Fi client and add client networks where value is the type of encryption used by the access point. Allowed values are: none: no encryption. owe: WPA3 Enhanced Open, which uses Opportunistic Wireless Encryption (OWE) technology to provide encryption for Wi-Fi networks that do not use password protection.
Wi-Fi Configure a Wi-Fi client and add client networks The scan threshold works with the short and long intervals (bgscan_short_interval and bgscan_long_interval) to determine how often the device should scan for available access points: If the signal strength from the access point to which the client is currently connected is below the value of bgscan_strength, it will use bgscan_short_ interval to determine how often to scan for available access points.
Wi-Fi Show Wi-Fi access point status and statistics ii. Use the appropriate index number to delete the channel. For example, to delete the 2412 frequency: (config network wifi client new_client)> del 0 (config network wifi client new_client)> g. To add a frequency: i.
Wi-Fi Show Wi-Fi access point status and statistics 1. Log into the IX20 WebUI as a user with Admin access. 2. On the main menu, click Status. 3. Under Connections, click Wi-Fi > Access Points. Command line Show summary of Wi-Fi access points To show the status and statistics for Wi-Fi access points, use the show wifi command.
Wi-Fi Show Wi-Fi client status and statistics
SSID : my_AP
Security : none
Channel Channel Width
Radio : wifi
BSSID : 01:41:D1:14:36:37
Client            Signal RX Bytes TX Bytes Uptime
----------------- ------ -------- -------- ------
cc:c0:78:34:d5:a2        260997   279481
>
Show Wi-Fi client status and statistics
You can show summary status for all Wi-Fi clients, and detailed status and statistics for individual Wi-Fi clients.
Wi-Fi Show Wi-Fi client status and statistics client2 true SSID2 down > Show detailed status and statistics of a specific Wi-Fi client To show a detailed status and statistics of a Wi-Fi client, use the show wifi client name name command.
Routing This chapter contains the following topics: IP routing Show the routing table Dynamic DNS Virtual Router Redundancy Protocol (VRRP) IX20 User Guide...
Routing IP routing IP routing The IX20 device uses IP routes to decide where to send a packet it receives for a remote network. The process for deciding on a route to send the packet is as follows: 1. The device examines the destination IP address in the IP packet, and looks through the IP routing table to find a match for it.
Routing IP routing Configure a static route A static route is a manually configured routing entry. Information about the route is manually entered rather than obtained from dynamic routing traffic. Required configuration items The destination address or network. The interface to use to reach the destination. Additional configuration items A label used to identify this route.
Routing IP routing New static route configurations are enabled by default. To disable, click to toggle Enable to off. 5. (Optional) For Label, type a label that will be used to identify this route. 6. For Destination, type the IP address or network of the destination of this route. For example, to route traffic to the 192.168.47.0 network that uses a subnet mask of 255.255.255.0, type 192.168.47.0/24.
Routing IP routing 4. (Optional) set a label that will be used to identify this route. For example: (config network route static 0)> label "route to accounting network" (config network route static 0)> 5. Set the IP address or network of the destination of this route. For example: (config network route static 0)>...
Routing IP routing 9. (Optional) Set the Maximum Transmission Units (MTU) of network packets using this route: (config network route static 0)> mtu integer (config network route static 0)> 10. Save the configuration and apply the change: (config)> save Configuration saved. >...
Routing IP routing Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2.
Routing IP routing Policy-based routing Normally, a routing device determines how to route a network packet based on its destination address. However, you can use policy-based routing to forward the packet based on other criteria, such as the source of the packet. For example, you can configure the IX20 device so that high-priority traffic is routed through the cellular connection, while all other traffic is routed through an Ethernet (WAN) connection.
Routing IP routing 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Routes > Policy-based routing. 4.
Routing IP routing 11. Configure source address information: a. Click to expand Source address. b. For Type, select one of the following: Zone: Matches the source IP address to the selected firewall zone. See Firewall configuration for more information about firewall zones. Interface: Matches the source IP address to the selected interface's network address.
Routing IP routing 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: >...
Routing IP routing 7. Select the IP version: (config network route policy 0)> ip_version value (config network route policy 0)> where value is one of any, ipv4, or ipv6. 8. Set the protocol: (config network route policy 0)> protocol value (config network route policy 0)>...
Routing IP routing 9. Set the source address type: (config network route policy 0)> src type value (config network route policy 0)> where value is one of: zone: Matches the source IP address to the selected firewall zone. Set the zone: a.
Routing IP routing b. Set the interface. For example: (config network route policy 0)> src interface /network/interface/eth1 (config network route policy 0)> address: Matches the source IPv4 address to the specified IP address or network. Set the address that will be matched: (config network route policy 0)>...
Routing IP routing Current value: any (config network route policy 0)> dst zone b. Set the zone. For example: (config network route policy 0)> dst zone external (config network route policy 0)> Firewall configuration for more information about firewall zones. interface: Matches the destination IP address to the selected interface's network address.
Routing IP routing (config network route policy 0)> dst mac MAC_address (config network route policy 0)> 11. Save the configuration and apply the change: (config)> save Configuration saved. > 12. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
Routing IP routing 3. Click Network > Routes > Policy-based routing. 4. Click the to add a new route policy. 5. For Label, enter Route through cellular. 6. For Interface, select Modem. 7. Configure the source address: a. Click to expand Source address. b.
Routing IP routing Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2.
Routing IP routing (config network route policy 0)> dst address 241.236.162.59 (config network route policy 0)> 4. Save the configuration and apply the change: (config)> save Configuration saved. > 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
Routing IP routing 3. Create new firewall zones: a. Create a firewall zone named CellularWAN with Source NAT enabled: i. Click Firewall > Zones. ii. For Add Zone, type CellularWAN and click . iii. Enable Source NAT. b. Create a second firewall zone named EthernetWAN with Source NAT enabled: i.
Routing IP routing c. For Label, type VoIP phone. d. For Interface, select Modem. e. Configure the source as the MAC address of the VoIP phone: i. Click to expand Source address. ii. For Type, select MAC address. iii. For MAC address, type 26:88:0E:23:50:C2. f.
Routing IP routing Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2.
Routing IP routing ii. Set the zone: (config)> network interface modem zone CellularWAN (config)> b. Set the zone for the Ethernet WAN interface: (config)> network interface eth1 zone EthernetWAN (config)> 5. Configure the policy-based route for traffic from the client device that will be sent over the cellular WAN: a.
Routing IP routing 6. Create a packet filtering rule that rejects all other LAN packets on the cellular WAN interface: a. Create a new packet filtering rule: i. Type ... to move to the root of the configuration: (config network route policy 0)> ... (config)>...
Routing IP routing
Service or protocol / Information
RIPng: The IPv6 Routing Information Protocol (RIP) service supports RIPng (RFC2080)
OSPFv2: The IPv4 Open Shortest Path First (OSPF) service supports OSPFv2 (RFC2328)
OSPFv3: The IPv6 Open Shortest Path First (OSPF) service supports OSPFv3 (RFC2740)
The Border Gateway Protocol (BGP) service supports BGP-4 (RFC1771)
IS-IS...
Routing IP routing 4. Click Enable. The default firewall zone setting, Dynamic routes, is specifically designed to work with routing services and should be left as the default. 5. Configure the routing services that will be used: a. Click to expand a routing service. b.
Routing Show the routing table
zone dynamic_routes Zone
Additional Configuration
-------------------------------------------------------------------------------
isis IS-IS
ospfv2 OSPFv2
ospfv3 OSPFv3
ripng RIPng
(config)>
b. Enable a routing service that will be used. For example, to enable the RIP service:
(config)> network route service rip enable true
(config)>...
Routing Show the routing table WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Status > Routes. The Network Routing window is displayed.
Routing Dynamic DNS
fd00:2704::/64 fd00:2704::/48 2147483647 fe80::204:f3ff:fe80:e231 fe80::204:f3ff:fe80:e231 fe80::204:f3ff:ff80:c525 fe80::204:f3ff:fe80:e231 fe80::/64 fe80::/64 default fe80::204:f3ff:fe80:e231 default 1024
IPv4 Route Load Balance (%)
---------- ----------------
eth1       75.0
modem      25.0
IPv6 Route Load Balance (%)
---------- ----------------
eth1       75.0
modem      25.0
>
You can limit the display to only IPv4 entries by using show route ipv4, or to IPv6 entries by using show route ipv6.
Routing Dynamic DNS The name of a Dynamic DNS provider. The domain name that is linked to the interface's IP address. The username and password to authenticate with the Dynamic DNS provider. Additional configuration items If the Dynamic DNS service provider is set to custom, identify the URL that should be used to update the IP address with the Dynamic DNS provider.
Routing Dynamic DNS New Dynamic DNS configurations are enabled by default. To disable, click to toggle Enable to off. 5. For Interface, select the interface that has its IP address registered with the Dynamic DNS provider. 6. For Service, select the Dynamic DNS provider, or select custom to enter a custom URL for the Dynamic DNS provider.
Routing Dynamic DNS Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2.
Routing Dynamic DNS 3322.org changeip.com ddns.com.br dnsdynamic.org Default value: custom Current value: custom (config network ddns new_ddns_instance)> service b. Set the service: (config network ddns new_ddns_instance)> service service_name (config network ddns new_ddns_instance)> 6. If custom is configured for service, set the custom URL that should be used to update the IP address with the Dynamic DNS provider: (config network ddns new_ddns_instance)>...
Routing Virtual Router Redundancy Protocol (VRRP) (config network ddns new_ddns_instance)> force_interval value (config network ddns new_ddns_instance)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set force_interval to ten minutes, enter either 10m or 600s: (config network ddns new_ddns_instance)>...
Routing Virtual Router Redundancy Protocol (VRRP) virtual router is mapped to the backup device with the next highest priority. Each VRRP router is configured with a unique LAN IP address, and the same shared VRRP address. VRRP+ VRRP+ is an extension to the VRRP standard that uses network probing to monitor connections through VRRP-enabled devices and can dynamically change the priority of the devices, including changing devices from master to backup, and from backup to master, even if the device has not failed.
Routing Virtual Router Redundancy Protocol (VRRP) 3. Click Network > VRRP. 4. For Add VRRP instance, type a name for the VRRP instance and click . The new VRRP instance configuration is displayed. 5. Click Enable. 6. For Interface, select the interface on which this VRRP instance should run. 7.
Routing Virtual Router Redundancy Protocol (VRRP) 10. Configure the virtual IP addresses associated with this VRRP instance: a. Click to expand Virtual IP addresses. b. Click to add a virtual IP address. c. For Virtual IP, type the IPv4 or IPv6 address for a virtual IP of this VRRP instance. d.
Routing Virtual Router Redundancy Protocol (VRRP) /network/interface/loopback Current value: (config network vrrp VRRP_test)> interface b. Set the interface, for example: (config network vrrp VRRP_test)> interface /network/interface/eth2 (config network vrrp VRRP_test)> c. Repeat for additional interfaces. 6. Set the router ID. The Router ID must be the same on all VRRP devices that participate in the same VRRP device pool.
Routing Virtual Router Redundancy Protocol (VRRP) Configure VRRP+ VRRP+ is an extension to the VRRP standard that uses SureLink network probing to monitor connections through VRRP-enabled devices and adjust devices' VRRP priority based on the status of the SureLink tests. This section describes how to configure VRRP+ on an IX20 device.
Routing Virtual Router Redundancy Protocol (VRRP) 3. Click Network > VRRP. 4. Create a new VRRP instance, or click to expand an existing VRRP instance. Configure VRRP for information about creating a new VRRP instance. 5. Click to expand VRRP+. 6.
Routing Virtual Router Redundancy Protocol (VRRP) SureLink fails on the master, it will lower its priority to below 80, and the backup device will assume the master role. 10. Configure the VRRP interface. The VRRP interface is defined in the Interface parameter of the VRRP configuration, and generally should be a LAN interface: To configure the VRRP interface: a.
Routing Virtual Router Redundancy Protocol (VRRP) i. Click to expand IPv4 > SureLink. ii. Click Enable. iii. For Interval, type the amount of time to wait between connectivity tests. To guarantee seamless internet access for VRRP+ purposes, SureLink tests should occur more often than the default of 15 minutes.
Routing Virtual Router Redundancy Protocol (VRRP) 5. Add interfaces to monitor. Generally, this will be a cellular or WAN interface. a. Use the ? to determine available interfaces: (config)> network vrrp test interface ? Interface: The network interface. Format: /network/interface/defaultip /network/interface/defaultlinklocal /network/interface/eth1 /network/interface/eth2...
Routing Virtual Router Redundancy Protocol (VRRP) i. Set the DHCP server gateway type to custom: (config)> network interface eth2 ipv4 dhcp_server advanced gateway custom (config)> ii. Determine the VRRP virtual IP addresses: (config)> show network vrrp VRRP_test virtual_address 0 192.168.3.3 1 10.10.10.1 (config)>...
Routing Virtual Router Redundancy Protocol (VRRP) iv. Create a SureLink test target: (config)> add network interface eth2 ipv4 surelink target end (config network interface eth2 ipv4 surelink target 0)> v. Configure the type of test for the test target: (config network interface eth2 ipv4 surelink target 0)> test value (config network interface eth2 ipv4 surelink target 0)>...
Routing Virtual Router Redundancy Protocol (VRRP) (config network interface eth2 ipv4 surelink target 0)> interface_down_time value (config network interface eth2 ipv4 surelink target 0)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set interface_down_time to ten minutes, enter either 10m or 600s: (config network interface eth2 ipv4 surelink target 0)>...
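The number{w|d|h|m|s} duration format is used by both force_interval (Dynamic DNS, above) and interface_down_time (SureLink, here). The following parser is an added example and not Digi's code: it converts such a value to seconds and back, so a script can check a duration (for example that 10m and 600s are the same value) before writing it into the device configuration. The function names and the choice to reject anything outside the format are assumptions.

```python
import re

# Seconds per unit of the number{w|d|h|m|s} format (constructed table).
_UNIT_SECONDS = {"w": 7 * 24 * 3600, "d": 24 * 3600, "h": 3600, "m": 60, "s": 1}

# Exactly one non-negative integer followed by exactly one unit letter.
_DURATION_RE = re.compile(r"^(\d+)([wdhms])$")


def parse_duration(value: str) -> int:
    """Convert a number{w|d|h|m|s} string such as '10m' or '600s' to seconds.

    Raises ValueError for anything that does not match the format (missing
    unit, unknown unit, negative or fractional number, trailing text), so a
    bad value is caught before it reaches the configuration.
    """
    match = _DURATION_RE.match(value.strip())
    if not match:
        raise ValueError(f"not a number{{w|d|h|m|s}} duration: {value!r}")
    number, unit = match.groups()
    return int(number) * _UNIT_SECONDS[unit]


def is_valid_duration(value: str) -> bool:
    """True if value is accepted by parse_duration (assumed helper)."""
    try:
        parse_duration(value)
    except ValueError:
        return False
    return True


def format_duration(seconds: int) -> str:
    """Render seconds in number{w|d|h|m|s} form using the largest unit that divides evenly."""
    if seconds < 0:
        raise ValueError("duration must be non-negative")
    if seconds == 0:
        return "0s"
    for unit in "wdhms":  # largest unit first
        size = _UNIT_SECONDS[unit]
        if seconds % size == 0:
            return f"{seconds // size}{unit}"
    return f"{seconds}s"  # every integer divides by 1, so this is not reached


def same_duration(a: str, b: str) -> bool:
    """True if two duration strings denote the same number of seconds."""
    return parse_duration(a) == parse_duration(b)


if __name__ == "__main__":
    # Constructed inputs: the two spellings the guide gives for ten minutes.
    for text in ("10m", "600s", "1w", "2d"):
        print(f"{text:>5} = {parse_duration(text)} s")
    print(same_duration("10m", "600s"))
```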
Routing Virtual Router Redundancy Protocol (VRRP) Configure device one (master device) WebUI Task 1: Configure VRRP on device one 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Routing Virtual Router Redundancy Protocol (VRRP) 3. Click Network > VRRP. 4. For Add VRRP instance, type a name for the VRRP instance and click . The new VRRP instance configuration is displayed. 5. Click Enable. 6. For Interface, select Interface: ETH2. 7.
Routing Virtual Router Redundancy Protocol (VRRP) 4. Click to add an interface for monitoring. 5. Select Interface: Modem. 6. For Priority modifier, type 30. Task 3: Configure the IP address for the VRRP interface, ETH2, on device one 1. Click Network > Interfaces > ETH2 > IPv4 2.
Routing Virtual Router Redundancy Protocol (VRRP) Task 1: Configure VRRP on device one 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Routing Virtual Router Redundancy Protocol (VRRP) Task 3: Configure the IP address for the VRRP interface, ETH2, on device one 1. Type ... to return to the root of the config prompt: (config network vrrp VRRP_test )> ... (config)> 2. Set the IP address for ETH2: (config)>...
Routing Virtual Router Redundancy Protocol (VRRP) Task 1: Configure VRRP on device two 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3.
Routing Virtual Router Redundancy Protocol (VRRP) 10. Click to add a virtual IP address. 11. For Virtual IP, type 192.168.3.3. Task 2: Configure VRRP+ on device two 1. Click to expand VRRP+. 2. Click Enable. 3. Click to expand Monitor interfaces. 4.
Routing Virtual Router Redundancy Protocol (VRRP) 6. For Ping host, type my.devicecloud.com. Task 5: Configure the DHCP server for ETH2 on device two 1. Click to expand Network > Interfaces > ETH2 > IPv4 > DHCP Server 2. For Lease range start, type 200. 3.
Routing Virtual Router Redundancy Protocol (VRRP) 3. Create the VRRP instance: (config)> add network vrrp VRRP_test (config network vrrp VRRP_test)> 4. Enable the VRRP instance: (config network vrrp VRRP_test)> enable true (config network vrrp VRRP_test)> 5. Set the VRRP interface to ETH2: (config network vrrp VRRP_test)>...
Routing Virtual Router Redundancy Protocol (VRRP) 2. Set the IP address for ETH2: (config)> network interface eth2 ipv4 address 192.168.3.2 (config)> 3. Set the default gateway to the IP address of the VRRP interface on the master device, configured above in Task 3, step 2 (192.168.3.1).
Routing Virtual Router Redundancy Protocol (VRRP) 3. Set the DHCP server gateway type to custom: (config)> network interface eth2 ipv4 dhcp_server advanced gateway custom (config)> 4. Set the custom gateway to 192.168.3.3: (config)> network interface eth2 ipv4 dhcp_server advanced gateway_custom 192.168.3.3 (config)>...
Routing Virtual Router Redundancy Protocol (VRRP) Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2.
Virtual Private Networks (VPN) Virtual Private Networks (VPNs) are used to securely connect two private networks together so that devices can connect from one network to the other using secure channels. This chapter contains the following topics: IPsec OpenVPN Generic Routing Encapsulation (GRE) NEMO L2TPv3 IX20 User Guide...
Virtual Private Networks (VPN) IPsec IPsec IPsec is a suite of protocols for creating a secure communication link—an IPsec tunnel—between a host and a remote IP network or between two IP networks across a public network such as the Internet. IPsec data protection IPsec protects the data being sent across a public network by providing the following: Data origin authentication...
Virtual Private Networks (VPN) IPsec Aggressive mode is usually used when one or both of the devices have a dynamic external IP address. Phase 2 In phase 2, IKE negotiates the SAs for IPsec. This creates two unidirectional SAs, one for each direction.
Virtual Private Networks (VPN) IPsec If SCEP certificates will be selected as the Authentication type, create the SCEP client prior to configuring the IPsec tunnel. See Configure a Simple Certificate Enrollment Protocol client for instructions. The local endpoint type and ID values, and the remote endpoint host and ID values. IKE configuration items The IKE version, either IKEv1 or IKEv2.
Virtual Private Networks (VPN) IPsec The amount of time before the IKE phase 2 lifetime expires The lifetime margin, a randomizing amount of time before the IPsec tunnel is renegotiated. Note if the remote networks for an IPsec tunnel overlap with the networks for a WAN internet connection (wired, cellular, or otherwise), you must configure a static route to direct the traffic either through the IPsec tunnel, or through the WAN (outside of the IPsec tunnel).
Virtual Private Networks (VPN) IPsec 6. The IPsec tunnel is enabled by default. To disable, click Enable. 7. (Optional) Preferred tunnel provides an optional mechanism for IPsec failover behavior. See Configure IPsec failover for more information. 8. (Optional) Enable Force UDP encapsulation to force the tunnel to use UDP encapsulation even when it does not detect that NAT is being used.
Virtual Private Networks (VPN) IPsec 11. Select the Mode, either: Tunnel mode: The entire IP packet is encrypted and/or authenticated and then encapsulated as the payload in a new IP packet. Transport mode: Only the payload of the IP packet is encrypted and/or authenticated. The IP header is unencrypted.
Virtual Private Networks (VPN) IPsec iv. For Peer verification, select either: Peer certificate: For Peer certificate, paste the peer's X.509 certificate in PEM format. Certificate Authority: For Certificate Authority chain, paste the Certificate Authority (CA) certificates. These must include all peer certificates in the chain up to the root CA certificate, in PEM format.
Virtual Private Networks (VPN) IPsec FQDN: The ID will be interpreted as FQDN (Fully Qualified Domain Name) and sent as an ID_FQDN IKE identity. For FQDN ID value, type the ID as an FQDN. KeyID: The ID will be interpreted as a Key ID and sent as an ID_KEY_ID IKE identity.
Virtual Private Networks (VPN) IPsec For FQDN ID value, type the ID as an FQDN. KeyID: The ID will be interpreted as a Key ID and sent as an ID_KEY_ID IKE identity. For KEYID ID value, type the key ID. MAC address: The device's primary MAC address will be used as the ID and sent as an ID_KEY_ID IKE identity.
Virtual Private Networks (VPN) IPsec 20. Click to expand IKE. a. For IKE version, select either IKEv1 or IKEv2. This setting must match the peer's IKE version. b. Initiate connection instructs the device to initiate the key exchange, rather than waiting for an incoming request.
Virtual Private Networks (VPN) IPsec Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Lifetime margin to ten minutes, enter 10m or 600s. i. Click to expand Phase 1 Proposals. i.
Virtual Private Networks (VPN) IPsec 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2.
Virtual Private Networks (VPN) IPsec Note Depending on your network configuration, you may need to add a packet filtering rule to allow incoming traffic. For example, for the IPsec zone: a. Type ... to move to the root of the configuration: (config vpn ipsec tunnel ipsec_example)>...
Virtual Private Networks (VPN) IPsec esp (Encapsulating Security Payload): Provides encryption as well as authentication and integrity. ah (Authentication Header): Provides authentication and integrity only. The default is esp. 9. (Optional) Set the management priority for this IPsec tunnel: (config vpn ipsec tunnel ipsec_example)> mgmt value (config vpn ipsec tunnel ipsec_example)>...
Virtual Private Networks (VPN) IPsec (config vpn ipsec tunnel ipsec_example)> auth peer_public_key (config vpn ipsec tunnel ipsec_example)> x509: Uses private key and X.509 certificates to authenticate with the remote peer. a. For the private_key parameter, paste the device's private RSA key in PEM format: (config vpn ipsec tunnel ipsec_example)>...
Page 304
Virtual Private Networks (VPN) IPsec b. Set the XAUTH client username: (config vpn ipsec tunnel ipsec_example)> xauth_client username name (config vpn ipsec tunnel ipsec_example)> c. Set the XAUTH client password: (config vpn ipsec tunnel ipsec_example)> xauth_client password pwd (config vpn ipsec tunnel ipsec_example)> 12.
    (config vpn ipsec tunnel ipsec_example)> local id type ipv4_id
    (config vpn ipsec tunnel ipsec_example)>
ipv6: The ID will be interpreted as an IPv6 address and sent as an ID_IPV6_ADDR IKE identity. Set an IPv6 formatted ID. This can be a fully-qualified domain name or an IPv6 address.

round_robin: Attempts to connect to hostnames sequentially based on the list order.
random: Randomly selects an IPsec peer to connect to from the hostname list.
priority: Selects the first hostname in the list that is resolvable.
keyid: The ID will be interpreted as a Key ID and sent as an ID_KEY_ID IKE identity. Set the key ID:
    (config vpn ipsec tunnel ipsec_example)> remote id type keyid_id
    (config vpn ipsec tunnel ipsec_example)>
mac_address: The device's MAC address will be used for the Key ID and sent as an ID_KEY_ID IKE identity.

    (config vpn ipsec tunnel ipsec_example)> ike pad false
    (config vpn ipsec tunnel ipsec_example)>
f. Set the amount of time after which the IKE security association expires following a successful negotiation and must be re-authenticated:
    (config vpn ipsec tunnel ipsec_example)> ike phase1_lifetime value
    (config vpn ipsec tunnel ipsec_example)>...
ii. Set the type of encryption to use during phase 1:
    (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> cipher value
    (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)>
where value is one of 3des, aes128, aes192, aes256, or null. The default is 3des. 3DES is a legacy 64-bit block cipher: set an AES cipher (aes256 where the peer supports it) on any new tunnel, and do not use null, which provides no confidentiality at all.

iii. Set the type of encryption to use during phase 2:
    (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> cipher value
    (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)>
where value is one of 3des, aes128, aes192, aes256, or null. The default is 3des. As with phase 1, choose an AES cipher rather than the 3des default, and avoid null, which leaves the ESP payload unencrypted.
b. To disable dead peer detection:
    (config)> vpn ipsec tunnel ipsec_example dpd enable false
    (config)>
c. Set the number of seconds between transmissions of dead peer packets. Dead peer packets are only sent when the tunnel is idle. The default is 60.
    (config)>...

where value is one of:
address: The address of a local network interface. Set the address:
i. Use the ? to determine available interfaces:
    (config vpn ipsec tunnel ipsec_example policy 0)> local address ?
    Address: The local network interface to use the address of. This field must be set when 'Type' is set to 'Address'.
ii. Set the interface. For example:
    (config vpn ipsec tunnel ipsec_example policy 0)> local network eth1
    (config vpn ipsec tunnel ipsec_example policy 0)>
custom: A user-defined network. Set the custom network:
    (config vpn ipsec tunnel ipsec_example policy 0)> local custom value
    (config vpn ipsec tunnel ipsec_example policy 0)>...

20. Save the configuration and apply the change:
    (config)> save
    Configuration saved.
    >
21. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Configure IPsec failover
There are two methods to configure the IX20 device to fail over from a primary IPsec tunnel to a backup tunnel:
SureLink active recovery—You can use SureLink along with the IPsec tunnel's metric to configure two or more tunnels so that when the primary tunnel is determined to be inactive by SureLink, a secondary tunnel can begin serving traffic that the primary tunnel was serving.
    Metric: 20
    Local endpoint > Interface: ETH2
    Remote endpoint > Hostname: 192.168.10.1
In this configuration:
1. Tunnel_1 will normally be used for traffic destined for the 192.168.10.1 endpoint.
2. If pings to 192.168.10.2 fail, SureLink will shut down the tunnel and renegotiate its IPsec connection.

1. Configure the primary IPsec tunnel. See Configure an IPsec tunnel for instructions. During configuration of the IPsec tunnel, set the metric to a low value (for example, 10):
    (config vpn ipsec tunnel IPsecFailoverPrimaryTunnel)> metric 10
    (config vpn ipsec tunnel IPsecFailoverPrimaryTunnel)>...

status.
    Format: primary_ipsec_tunnel backup_ipsec_tunnel
    Optional: yes
    Current value:
    (config vpn ipsec tunnel backup_ipsec_tunnel)> ipsec_failover
b. Set the primary IPsec tunnel:
    (config vpn ipsec tunnel backup_ipsec_tunnel)> ipsec_failover primary_ipsec_tunnel
    (config vpn ipsec tunnel backup_ipsec_tunnel)>

Configure SureLink active recovery for IPsec
You can configure the IX20 device to regularly probe IPsec client connections to determine if the connection has failed and take remedial action.
1. Log into the IX20 WebUI as a user with full Admin access rights.
2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
3. Click VPN > IPsec.

9. Change the Interval between connectivity tests. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Interval to ten minutes, enter 10m or 600s. The default is 15 minutes.

Test the interface status or Test the interface status IPv6: The interface is considered to be down based on:
Down time: The amount of time that the interface can be down before this test is considered to have failed. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}.
    (config vpn ipsec tunnel ipsec_example)> connection_monitor restart true
    (config vpn ipsec tunnel ipsec_example)>
This is useful for interfaces that may regain connectivity after restarting, such as a cellular modem.
6. To configure the device to reboot when the interface is considered to have failed:
    (config vpn ipsec tunnel ipsec_example)>...

The default is 15 seconds.
11. Configure test targets:
a. Add a test target:
    (config vpn ipsec tunnel ipsec_example)> add connection_monitor target
    (config vpn ipsec tunnel ipsec_example connection_monitor target 0)>
b. Set the test type:
    (config vpn ipsec tunnel ipsec_example connection_monitor target 0)>...

    (config vpn ipsec tunnel ipsec_example connection_monitor target 0)>
interface_up (IPv4) or interface_up6 (IPv6): The interface is considered to be down based on the interface's down time, and the amount of time an initial connection to the interface takes before this test is considered to have failed. (Optional) Set the amount of time that the interface can be down before this test is considered to have failed:
    (config vpn ipsec tunnel ipsec_example connection_monitor...
13. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.

Show IPsec status and statistics
WebUI

Debug an IPsec configuration
If you experience issues with an IPsec tunnel not being successfully negotiated with the remote end of the tunnel, you can enable IPsec debug messages to be written to the system log. See View system and event logs for more information about viewing the system log.

3 — Includes RAW data dumps in hexadecimal format.
4 — Also includes sensitive material in dumps (for example, encryption keys).
Level 4 writes key material into the system log, so use it only for the duration of a troubleshooting session, then lower the level and clear or protect the log. To access the shell menu option, you must have shell access enabled. See Authentication groups for information about configuring authentication groups that include shell access.
WebUI
1. Log into the IX20 WebUI as a user with full Admin access rights.
2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
3. Click Network > SCEP Client.

8. Click to expand SCEP server.
9. For FQDN, type the fully qualified domain name or IP address of the SCEP server.
10. For Password, type the challenge password as configured on the SCEP server.

    (config)> add network scep_client scep_client_name
    (config network scep_client scep_client_name)>
4. Enable the SCEP client:
    (config network scep_client scep_client_name)> enable true
    (config network scep_client scep_client_name)>
5. Set the url parameter to the fully qualified domain name or IP address of the SCEP server:
    (config network scep_client scep_client_name)>...

    (config network scep_client scep_client_name)> distinguished_name ou value
    (config network scep_client scep_client_name)>
g. Set the Common Name:
    (config network scep_client scep_client_name)> distinguished_name cn value
    (config network scep_client scep_client_name)>
8. Set the number of days, before the request expires, during which the certificate enrollment can be renewed.
d. The remaining fields can be left at their defaults or changed as appropriate.
e. Click OK.
2. Create a Certificate Authority (CA):
a. From the menu, click Certificate Authorities > Local CAs.
b. Click Create New.

3. Click Network > SCEP Client.
4. For Add clients, enter a name for the SCEP client and click . The new SCEP client configuration is displayed.
5. Click Enable to enable the SCEP client.

11. Click to expand Distinguished Name.
12. Type the value for each appropriate Distinguished Name attribute. The values entered here must correspond to the DN attributes in the Enrollment Request on the Fortinet server.
13. Click Apply to save the configuration and apply the change. ...
6. Set the challenge password as configured on the SCEP server. This corresponds to the Default enrollment password on the Fortinet server.
    (config network scep_client Fortinet_SCEP_client)> server password challenge_password
    (config network scep_client Fortinet_SCEP_client)>
7. Set Distinguished Name attributes. The values entered here must correspond to the DN attributes in the Enrollment Request on the Fortinet server.

    (config network scep_client Fortinet_SCEP_client)> renewable_time integer
    (config network scep_client Fortinet_SCEP_client)>
9. (Optional) Set the filename of the Certificate Revocation List (CRL) from the CA. The CRL is stored on the IX20 device in the /etc/config/scep_client/client_name directory.
    (config network scep_client Fortinet_SCEP_client)>...
Virtual Private Networks (VPN) OpenVPN
OpenVPN
OpenVPN is an open-source Virtual Private Network (VPN) technology that creates secure point-to-point or site-to-site connections in routed or bridged configurations. OpenVPN uses a custom security protocol that relies on Secure Sockets Layer (SSL) / Transport Layer Security (TLS) for key exchange. It uses standard encryption and authentication algorithms for data privacy and authentication over TCP or UDP.

OpenVPN managed—The IX20 device creates the interface and then uses its standard configuration to set up the connection (for example, its standard DHCP server configuration).
Device only—IP addressing is controlled by the system, not by OpenVPN.
Additional OpenVPN information
For more information on OpenVPN, see these resources: Bridging vs.

The Private key (for example, server.key).
The Diffie Hellman key (the DH parameters file, usually dh2048.pem).
Active recovery configuration. See Configure SureLink active recovery for OpenVPN for information about OpenVPN active recovery.
Additional configuration items
The route metric for the OpenVPN server.
The range of IP addresses that the OpenVPN server will provide to clients.

The OpenVPN server is enabled by default. To disable, click Enable.
5. For Device type, select the mode used by the OpenVPN server, either:
TUN (OpenVPN managed)
TAP - OpenVPN managed
TAP - Device only
See OpenVPN for information about OpenVPN server modes.
b. Paste the contents of the CA certificate (usually in a ca.crt file), the Public key (for example, server.crt), the Private key (for example, server.key), and the Diffie Hellman key (usually in dh2048.pem) into their respective fields. The contents will be hidden when the configuration is saved.

Command line
1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.

b. Set the firewall zone for the OpenVPN server. For TUN device types, this should be set to internal to treat clients as LAN devices; choose a more restrictive zone if remote clients should not get the same access as local LAN hosts.
    (config vpn openvpn server name)> zone value
    (config vpn openvpn server name)>
To view a list of available zones:
    (config vpn openvpn server name)>...
where value is a number between 1 and 255. The number entered here will represent the last client IP address. For example, if address is set to 192.168.1.1/24 and server_last_ip is set to 99, the last client IP address will be 192.168.1.99. The default is 80.
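The following is an added example, not Digi's code, that applies the rule just stated: the server_last_ip value becomes the final octet of the last client address inside the server's own subnet. It also rejects values the rule cannot satisfy, for instance a final octet that falls outside a /25, the broadcast address, or a value that leaves no addresses above the server. The pool size it reports assumes clients are numbered from the address after the server's up to that last address, which this page does not state explicitly.

```python
"""Derive the OpenVPN client pool from `address` and `server_last_ip`.

Added example, not part of the IX20 firmware or documentation.
"""
import ipaddress
from typing import Dict


def last_client_address(address: str, server_last_ip: int) -> ipaddress.IPv4Address:
    """Return the last client IP for a server configured with `address` (e.g. '192.168.1.1/24').

    Raises ValueError when server_last_ip is out of the documented 1-255 range,
    the resulting address is outside the server's subnet, it is the subnet's
    broadcast address, or it is not above the server's own address.
    """
    if not 1 <= server_last_ip <= 255:
        raise ValueError("server_last_ip must be between 1 and 255")
    iface = ipaddress.ip_interface(address)
    if iface.version != 4:
        raise ValueError("only IPv4 server addresses are handled here")
    octets = bytearray(iface.ip.packed)
    octets[3] = server_last_ip                      # documented rule: value is the final octet
    last = ipaddress.IPv4Address(bytes(octets))
    net = iface.network
    if last not in net:
        raise ValueError(f"{last} is outside the server subnet {net}")
    if net.prefixlen < 31 and last == net.broadcast_address:
        raise ValueError(f"{last} is the broadcast address of {net}")
    if last <= iface.ip:
        raise ValueError(f"{last} leaves no client addresses above the server address {iface.ip}")
    return last


def is_valid_last_ip(address: str, server_last_ip: int) -> bool:
    """True if the combination passes every check in last_client_address()."""
    try:
        last_client_address(address, server_last_ip)
    except ValueError:
        return False
    return True


def pool_summary(address: str, server_last_ip: int = 80) -> Dict[str, object]:
    """Describe the pool. The default of 80 is the page's documented default for server_last_ip.

    Assumption (not stated on the page): the first client address is the one
    immediately after the server's address.
    """
    iface = ipaddress.ip_interface(address)
    last = last_client_address(address, server_last_ip)
    first = iface.ip + 1
    return {
        "network": str(iface.network),
        "server": str(iface.ip),
        "first_client": str(first),
        "last_client": str(last),
        "clients": int(last) - int(first) + 1,
    }


if __name__ == "__main__":
    print(pool_summary("192.168.1.1/24", 99))   # last client 192.168.1.99, 98 clients
    print(pool_summary("192.168.1.1/24"))       # default 80 -> 192.168.1.80
    for bad in (("192.168.1.1/25", 200), ("192.168.1.1/24", 255), ("192.168.1.200/24", 80)):
        try:
            last_client_address(*bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Run it before committing a pool change: a /25 with server_last_ip above 126, or a server address placed near the top of its subnet, is exactly the kind of setting that the CLI accepts syntactically but that cannot yield a usable pool.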
iv. Paste the contents of the private key (for example, server.key) into the value of the server_key parameter:
    (config vpn openvpn server name)> server_key value
    (config vpn openvpn server name)>
v. Paste the contents of the Diffie Hellman key (usually in dh2048.pem) into the value of the diffie parameter:
    (config vpn openvpn server name)>...

    defaultip          Default IP
    defaultlinklocal   Default Link-local IP
    eth1               ETH1
    eth2               ETH2
    loopback           Loopback
    modem              Modem
    (config vpn openvpn server name)>
Repeat this step to list additional interfaces.
To limit access based on firewall zones:
    (config vpn openvpn server name)> add acl zone end value
Where value is a firewall zone defined on your device, or the any keyword.

c. Set the additional OpenVPN parameters:
    (config vpn openvpn server name)> extra parameters
    (config vpn openvpn server name)>
10. Save the configuration and apply the change:
    (config)> save
    Configuration saved.
    >
11. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
3. Add an OpenVPN authentication group:
a. Click Authentication > Groups.
b. For Add Group, type a name for the group (for example, OpenVPN_Group) and click . The new authentication group configuration is displayed.
c. Click OpenVPN access to enable OpenVPN access rights for users of this group.

4. Add an OpenVPN authentication user:
a. Click Authentication > Users.
b. For Add, type a name for the user (for example, OpenVPN_User) and click .
c. Type a password for the user. This password is used for local authentication of the user. You can also configure the user to use RADIUS or TACACS+ authentication by configuring authentication methods.

Command line
1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.

Configure an OpenVPN client by using an .ovpn file
Required configuration items
Enable the OpenVPN client. The OpenVPN client is enabled by default.
The firewall zone to be used by the OpenVPN client.
Additional configuration items
The route metric for the OpenVPN client.
5. The OpenVPN client is enabled by default. To disable, click Enable.
6. The default behavior is to use an OVPN file for client configuration. To disable this behavior and configure the client manually, click Use .ovpn file to disable. If Use .ovpn file is disabled, see Configure an OpenVPN client without using an .ovpn file for configuration information.

4. Set the firewall zone for the OpenVPN client:
    (config vpn openvpn client name)> zone value
    (config vpn openvpn client name)>
To view a list of available zones:
    (config vpn openvpn client name)> zone ?
    Zone: The zone for the openvpn client interface.

Configure an OpenVPN client without using an .ovpn file
Required configuration items
Enable the OpenVPN client. The OpenVPN client is enabled by default.
The mode used by the OpenVPN server, either routing (TUN), or bridging (TAP).
The firewall zone to be used by the OpenVPN client.
4. For Add, type a name for the OpenVPN client and click . The new OpenVPN client configuration is displayed.
5. The OpenVPN client is enabled by default. To disable, click Enable.
6. The default behavior is to use an OVPN file for client configuration. To disable this behavior and configure the client manually, click Use .ovpn file to disable.

a. Click Enable to enable the use of additional OpenVPN parameters.
b. Click Override if the additional OpenVPN parameters should override default options.
c. For OpenVPN parameters, type the additional OpenVPN parameters. For example, to override the configuration by using a configuration file, enter --config filename, for example, --config /etc/config/openvpn_config.

    (config vpn openvpn client name)> zone ?
    Zone: The zone for the openvpn client interface.
    Format:
        dynamic_routes
        edge
        external
        internal
        ipsec
        loopback
        setup
    Current value:
    (config vpn openvpn client name)>
7. (Optional) Set the route metric for the OpenVPN client. If multiple active routes match a destination, the route with the lowest metric will be used.

13. Paste the contents of the private key (for example, client.key) into the value of the private_key parameter:
    (config vpn openvpn client name)> private_key value
    (config vpn openvpn client name)>
14. (Optional) Set additional OpenVPN parameters.
The amount of time that the device should wait for a response to a probe attempt before considering it to have failed.
To configure the IX20 device to regularly probe the OpenVPN connection:
WebUI

6. Enable active recovery.
7. For Restart interface, enable to configure the device to restart the interface when its connection is considered to have failed. This is useful for interfaces that may regain connectivity after restarting, such as a cellular modem.

HTTP test or HTTP test (IPv6): Tests connectivity by sending an HTTP or HTTPS GET request to the URL specified in Web servers. The URL should take the format of http[s]://hostname/[path].
Test DNS servers configured for this interface or Test DNS servers configured for this interface (IPv6): Tests connectivity by sending a DNS query to the DNS servers configured for this interface.

4. Enable active recovery:
    (config vpn openvpn client openvpn_client1)> connection_monitor enable true
    (config vpn openvpn client openvpn_client1)>
5. To configure the device to restart the interface when its connection is considered to have failed:
    (config vpn openvpn client openvpn_client1)> connection_monitor restart true
    (config vpn openvpn client openvpn_client1)>...
10. Set the amount of time that the device should wait for a response to a probe attempt before considering it to have failed:
    (config vpn openvpn client openvpn_client1)> connection_monitor timeout value
    (config vpn openvpn client openvpn_client1)>
where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}.

Specify the DNS server. Allowed value is the IP address of the DNS server.
    (config vpn openvpn client openvpn_client1 connection_monitor target 0)> dns_server ip_address
    (config vpn openvpn client openvpn_client1 connection_monitor target 0)>
dns_configured (IPv4) or dns_configured6 (IPv6): Tests connectivity by sending a DNS query to the DNS servers configured for this interface.

For example, to set interface_timeout to ten minutes, enter either 10m or 600s:
    (config vpn openvpn client openvpn_client1 connection_monitor target 0)> interface_timeout 600s
    (config vpn openvpn client openvpn_client1 connection_monitor target 0)>
The default is 60 seconds.
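The number{w|d|h|m|s} format recurs throughout this chapter: the IPsec Lifetime margin and phase 1 lifetime, the SureLink Interval and Down time, and the connection_monitor timeout and interface_timeout above. The following added example (not Digi's code) parses and validates that format strictly, so a typo such as a bare number is caught before it is typed into the CLI, renders seconds back into the same format, and checks an IKE lifetime against its lifetime margin. The margin check assumes the usual meaning of a rekey margin, the time before the SA expires at which renegotiation begins, which this page does not define further.

```python
"""Durations in the IX20's number{w|d|h|m|s} format.

Added example, not part of the IX20 firmware or documentation.
"""
import re
from typing import Dict, Union

# Suffix -> seconds, largest unit first (format_duration relies on this order).
UNITS: Dict[str, int] = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}

_TOKEN = re.compile(r"(\d+)([wdhms])")


def parse_duration(text: str) -> int:
    """Return the seconds in a duration such as '10m', '600s' or '1h30m'.

    Only the documented form is accepted: one or more number+suffix tokens
    with nothing in between. A bare number, an unknown suffix, whitespace
    between tokens or an empty string raises ValueError.
    """
    s = text.strip().lower()
    if not s:
        raise ValueError("empty duration")
    total = 0
    pos = 0
    for m in _TOKEN.finditer(s):
        if m.start() != pos:            # characters that are not part of a token
            raise ValueError(f"invalid duration: {text!r}")
        total += int(m.group(1)) * UNITS[m.group(2)]
        pos = m.end()
    if pos != len(s):                   # trailing junk, or no token at all
        raise ValueError(f"invalid duration: {text!r}")
    return total


def is_valid_duration(text: str) -> bool:
    """True if parse_duration() accepts the string."""
    try:
        parse_duration(text)
    except ValueError:
        return False
    return True


def format_duration(seconds: int) -> str:
    """Render seconds with the largest exact units, e.g. 600 -> '10m', 5400 -> '1h30m'."""
    if seconds < 0:
        raise ValueError("negative duration")
    if seconds == 0:
        return "0s"
    parts = []
    for unit, size in UNITS.items():
        count, seconds = divmod(seconds, size)
        if count:
            parts.append(f"{count}{unit}")
    return "".join(parts)


def check_rekey_timing(lifetime: str, margin: str) -> Dict[str, Union[int, bool]]:
    """Compare an IKE SA lifetime with its lifetime margin.

    Assumption: the margin is the time before expiry at which rekeying starts,
    so it must be shorter than the lifetime; otherwise the SA would be due for
    renegotiation before it was ever usable.
    """
    life = parse_duration(lifetime)
    marg = parse_duration(margin)
    return {
        "lifetime_s": life,
        "margin_s": marg,
        "rekey_after_s": life - marg,
        "ok": marg < life,
    }


if __name__ == "__main__":
    for text in ("10m", "600s", "1h30m", "1w"):
        secs = parse_duration(text)
        print(f"{text:>6} = {secs} s = {format_duration(secs)}")
    print(check_rekey_timing("3h", "10m"))   # ok, rekey starts 2h50m after negotiation
    print(check_rekey_timing("5m", "10m"))   # not ok, margin exceeds lifetime
```

The validation is deliberately stricter than a human reader: "1h 30m" with a space and "10" with no unit are both rejected, because the CLI's format only admits number+suffix tokens and a value that slips through with the wrong magnitude silently changes how long a dead tunnel stays up.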
3. To display details about a specific server:
    > show openvpn server name OpenVPN_server1
    Server     : OpenVPN_server1
    Enable     : true
    Type       : tun
    Zone       : internal
    IP Address : 192.168.30.1/24
    Port       : 1194
    Use File   : true
    Metric Protocol...

3. To display details about a specific client:
    > show openvpn client name OpenVPN_client1
    Client     : OpenVPN_client1
    Enable     : true
    Status     : up
    Username   : user1
    IP address : 123.122.121.120
    Remote     : 120.121.122.123
               : 1492
    Zone       : internal
    IP Address...
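When the same show commands are issued unattended (for example over the remote CLI described earlier in this guide), the "Label : value" output above has to be parsed rather than read. The following added example, not Digi's code, does that and turns the result into a list of alarm conditions. The sample text is constructed to mirror the client output shown above; it is not captured from a device, and the Metric line with an empty value is included only to show how such lines are handled.

```python
"""Parse `show openvpn client name ...` output and flag an unhealthy tunnel.

Added example, not part of the IX20 firmware or documentation.
"""
from typing import Dict, List, Optional

# Constructed sample, modelled on the `show openvpn client name` output on this page.
SAMPLE_CLIENT = """\
Client         : OpenVPN_client1
Enable         : true
Status         : up
Username       : user1
IP address     : 123.122.121.120
Remote         : 120.121.122.123
Zone           : internal
Metric         :
"""

# Same client after the tunnel has dropped.
SAMPLE_DOWN = SAMPLE_CLIENT.replace("Status         : up", "Status         : down")


def parse_show_output(text: str) -> Dict[str, str]:
    """Turn 'Label : value' lines into a dict.

    Splits on the first colon only, so IPv6 values such as 2001:db8::1 keep
    their colons. Lines with no colon (headings, separators) and lines whose
    label is empty (wrapped or truncated output) are skipped instead of being
    stored under a misleading key.
    """
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        label = label.strip()
        if not sep or not label:
            continue
        fields[label] = value.strip()
    return fields


def client_problems(fields: Dict[str, str], expected_zone: Optional[str] = None) -> List[str]:
    """Return the reasons this client should raise an alarm; an empty list means healthy.

    Beyond Enable/Status, the check confirms a tunnel address was assigned and,
    if expected_zone is given, that the client sits in the firewall zone the
    operator intended (a client accidentally placed in a wider zone than
    planned is a policy problem, not a connectivity one).
    """
    problems: List[str] = []
    if fields.get("Enable", "").lower() != "true":
        problems.append("client is disabled")
    status = fields.get("Status", "").lower()
    if status != "up":
        problems.append(f"status is {status or 'unknown'}")
    if not fields.get("IP address"):
        problems.append("no tunnel IP address assigned")
    if expected_zone and fields.get("Zone") != expected_zone:
        problems.append(f"zone is {fields.get('Zone')!r}, expected {expected_zone!r}")
    return problems


if __name__ == "__main__":
    print(client_problems(parse_show_output(SAMPLE_CLIENT), "internal"))   # []
    print(client_problems(parse_show_output(SAMPLE_DOWN), "external"))
```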
Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE)
Generic Routing Encapsulation (GRE)
Generic Routing Encapsulation (GRE) is an IP packet encapsulation protocol that allows networks and routes to be advertised from one network device to another. You can use GRE to encapsulate a wide variety of network layer protocols inside virtual point-to-point links over an IP network. GRE itself provides no encryption or authentication; run it inside an IPsec tunnel when the underlying network is untrusted.

3. Click Network > Interfaces.
4. For Add Interface, type a name for the GRE loopback endpoint interface and click .
5. Enable the interface. New interfaces are enabled by default. To disable, or to enable if it has been disabled, click Enable.

7. Save the configuration and apply the change:
    (config network interface gre_interface)> save
    Configuration saved.
    >
8. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
Command line
1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.

9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.

Show GRE tunnels
To view information about currently configured GRE tunnels:
WebUI
1. Log into the IX20 WebUI as a user with Admin access.
2. On the menu, click Status > IP tunnels. The IP Tunnels page appears.

Example: GRE tunnel over an IPsec tunnel
The IX20 device can be configured to advertise a set of routes through an IPsec tunnel. This allows you to leverage the dynamic route advertisement of GRE tunnels through a secured IPsec tunnel. The example configuration provides instructions for configuring the IX20 device with a GRE tunnel through IPsec.
2. Create an IPsec endpoint interface named ipsec_endpoint2:
a. Zone set to Internal.
b. Device set to Ethernet: Loopback.
c. IPv4 Address set to the IP address of the local GRE tunnel, 172.30.0.2/32.

6. For Pre-shared key, type testkey. (testkey is an example value; use a long, random pre-shared key on a real deployment.)
7. Click to expand Remote endpoint.
8. For Hostname, type the public IP address of the IX20-2 device.
9. Click to expand Policies.
10. For Add Policy, click to add a new policy.

3. Add an IPsec tunnel named ipsec_gre1:
    (config)> add vpn ipsec tunnel ipsec_gre1
    (config vpn ipsec tunnel ipsec_gre1)>
4. Set the pre-shared key to testkey:
    (config vpn ipsec tunnel ipsec_gre1)> auth secret testkey
    (config vpn ipsec tunnel ipsec_gre1)>...
1. Click Network > Interface.
2. For Add Interface, type ipsec_endpoint1 and click .
3. For Zone, select Internal.
4. For Device, select Ethernet: loopback.
5. Click to expand IPv4.
6. For Address, type the IP address of the local GRE tunnel, 172.30.0.1/32.

2. Add an interface named ipsec_endpoint1:
    (config)> add network interface ipsec_endpoint1
    (config network interface ipsec_endpoint1)>
3. Set the zone to internal:
    (config network interface ipsec_endpoint1)> zone internal
    (config network interface ipsec_endpoint1)>
4. Set the device to /network/device/loopback:
    (config network interface ipsec_endpoint1)>...

Command line
1. At the command line, type config to enter configuration mode:
    > config
    (config)>
2. Add a GRE tunnel named gre_tunnel1:
    (config)> add vpn iptunnel gre_tunnel1
    (config vpn iptunnel gre_tunnel1)>
4. For Device, select the GRE tunnel created in Task three (IP tunnel: gre_tunnel1).
5. Click to expand IPv4.
6. For Address, type 172.31.0.1/30 for a virtual IP address on the GRE tunnel.

5. Set 172.31.0.1/30 as the virtual IP address on the GRE tunnel:
    (config network interface gre_interface1)> ipv4 address 172.31.0.1/30
    (config network interface gre_interface1)>
6. Save the configuration and apply the change:
    (config network interface gre_interface1)> save
    Configuration saved.

7. Click to expand Remote endpoint.
8. For Hostname, type the public IP address of the IX20-1 device.
9. Click to expand Policies.
10. For Add Policy, click to add a new policy.
4. Set the pre-shared key to the same pre-shared key that was configured for the IX20-1 (testkey):
    (config vpn ipsec tunnel ipsec_gre2)> auth secret testkey
    (config vpn ipsec tunnel ipsec_gre2)>
5. Set the remote endpoint to the public IP address of the IX20-1 device:
    (config vpn ipsec tunnel ipsec_gre2)>...

1. Click Network > Interfaces.
2. For Add Interface, type ipsec_endpoint2 and click .
3. For Zone, select Internal.
4. For Device, select Ethernet: loopback.
5. Click to expand IPv4.
6. For Address, type the IP address of the local GRE tunnel, 172.30.0.2/32.

2. Add an interface named ipsec_endpoint2:
    (config)> add network interface ipsec_endpoint2
    (config network interface ipsec_endpoint2)>
3. Set the zone to internal:
    (config network interface ipsec_endpoint2)> zone internal
    (config network interface ipsec_endpoint2)>
4. Set the device to /network/device/loopback:
    (config network interface ipsec_endpoint2)>...
Command line
1. At the command line, type config to enter configuration mode:
    > config
    (config)>
2. Add a GRE tunnel named gre_tunnel2:
    (config)> add vpn iptunnel gre_tunnel2
    (config vpn iptunnel gre_tunnel2)>

4. For Device, select the GRE tunnel created in Task three (IP tunnel: gre_tunnel2).
5. Click to expand IPv4.
6. For Address, type 172.31.1.1/30 for a virtual IP address on the GRE tunnel.

5. Set 172.31.1.1/30 as the virtual IP address on the GRE tunnel:
    (config network interface gre_interface2)> ipv4 address 172.31.1.1/30
    (config network interface gre_interface2)>
6. Save the configuration and apply the change:
    (config network interface gre_interface2)> save
    Configuration saved.
Virtual Private Networks (VPN) NEMO
Home agent registration lifetime. This is provided by your cellular carrier.
The local network interfaces that will be advertised on NEMO.
Additional configuration items
The home agent Security Parameter Index (SPI).
Path MTU discovery. Path MTU discovery is enabled by default. If it is disabled, identify the MTU.
Care of address: the local network interface that is used to communicate with the peer.

9. For Home agent registration lifetime, in seconds, type the number of seconds until the authorization key expires. This is provided by your cellular carrier.
10. For MTU discovery, leave enabled to determine the maximum transmission unit (MTU) size. If disabled, for MTU, type the MTU size.

2. At the command line, type config to enter configuration mode:
    > config
    (config)>
3. Add a NEMO tunnel. For example, to add a NEMO tunnel named nemo_example:
    (config)> add vpn nemo nemo_example
    (config vpn nemo nemo_example)>
The NEMO tunnel is enabled by default.
    (config vpn nemo nemo_example)> spi integer
    (config vpn nemo nemo_example)>
Allowed values are any integer between 256 and 4294967295.
10. Set the firewall zone for the NEMO tunnel:
    (config vpn nemo nemo_example)> zone zone
    (config vpn nemo nemo_example)>
To view a list of available zones:
    (config vpn nemo nemo_example)>...

    eth1
    eth2
    loopback
    Current value:
    (config vpn nemo nemo_example)> coaddress interface
ii. Set the interface. For example:
    (config vpn nemo nemo_example)> coaddress interface eth1
    (config vpn nemo nemo_example)>
If ip is used, set the IP address:
    (config vpn nemo nemo_example)>...

13. Configure one or more local networks to use as a virtual NEMO network interface. Generally, this will be a Local Area Network (LAN):
a. Add a local network to use as a virtual NEMO network interface:
    (config vpn nemo nemo_example)>...

test
    NEMO Status
    ----------------
    Enabled             : true
    Status              : up
    Home Agent          : 4.3.2.1
    Care of Address     : 10.10.10.1
    Interface           : modem
    GRE Tunnel          : 10.10.10.1 === 4.3.2.1
    Metric              : 255
                        : 1476
    Lifetime (Actual)   : 600
    Local Network Subnet Status...
The session cookie. The peer session cookie. The Layer2SpecificHeader type. The Sequence numbering control. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
e. (Optional) For Peer cookie, type the Cookie value of the remote peer. f. For Layer2SpecificHeader type, select the Layer2Specific header type. This must match what is configured on the remote peer. g. For Sequence numbering control, select the sequence number control used to prevent or detect out-of-order packets.
device. Format: /network/interface/defaultip /network/interface/defaultlinklocal /network/interface/eth1 /network/interface/eth2 /network/interface/loopback Current value: (config vpn l2tpeth L2TPv3_example)> local ii. Set the interface. For example: (config vpn l2tpeth L2TPv3_example)> local /network/interface/eth1 (config vpn l2tpeth L2TPv3_example)> 6. Set the tunnel identifier for this tunnel. This must match the value for peer tunnel ID on the remote peer.
9. Add a session carried by the parent tunnel: (config vpn l2tpeth L2TPv3_example)> add session session_example (config vpn l2tpeth L2TPv3_example session_example)> 10. Set the session identifier for this session. This must match the value for peer session ID on the remote peer.
16. Save the configuration and apply the change: (config)> save Configuration saved. > 17. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show L2TPv3 tunnel status ...
Services This chapter contains the following topics: Allow remote access for web administration and SSH Configure the web administration service Configure SSH access Use SSH with key authentication Configure telnet access Configure DNS Simple Network Management Protocol (SNMP) Location information Modbus gateway System time Network Time Protocol Configure a multicast route...
Allow remote access for web administration and SSH By default, only devices connected to the IX20's LAN have access to the device via web administration and SSH. To enable these services for access from remote devices: The IX20 device must have a publicly reachable IP address.
5. Select External. 6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
3. Click Configuration > Services > SSH > Access Control List > Zones. 4. For Add Zone, click . 5. Select External. 6. Click Apply to save the configuration and apply the change.
Services Configure the web administration service Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2.
Enable or disable the web administration service The web administration service is enabled by default. To disable the service, or enable it if it has been disabled: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2.
To disable the service: (config)> service web_admin enable false (config)> 4. Save the configuration and apply the change: (config)> save Configuration saved. > 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
d. Click again to list additional IP addresses or networks. To limit access to specified IPv6 addresses and networks: a. Click IPv6 Addresses. b. For Add Address, click . c. For Address, enter the IPv6 address or network that can access the device's web administration service.
b. Paste the contents of certificate.pem and key.pem into the SSL certificate field. The contents of the certificate.pem must be first. For example: 8. For Allow legacy encryption protocols, enable this option to allow clients to connect to the HTTPS session by using encryption protocols older than TLS 1.2, in addition to TLS 1.2 and later protocols.
A single IP address or host name. A network designation in CIDR notation, for example, 192.168.1.0/24. any: No limit to IPv4 addresses that can access the web administration service. Repeat this step to list additional IP addresses or networks. To limit access to specified IPv6 addresses and networks: (config)>...
Type ... firewall zone ? at the config prompt: (config)> ... firewall zone ? Zones: A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists. Additional Configuration --------------------------------------------------------...
(config)> 5. (Optional) Configure Multicast DNS (mDNS): mDNS is a protocol that resolves host names in small networks that do not have a DNS server. mDNS is enabled by default. To disable mDNS, or enable it if it has been disabled: To enable the mDNS protocol: (config)>...
10. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Configure SSH access The IX20's default configuration has SSH access enabled, and allows SSH access to the device from authorized users within the Internal firewall zone. If this configuration is sufficient for your needs, no further configuration is required. See Allow remote access for web administration and SSH for information about configuring the SSH service to allow access from remote devices.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
3. Click Services > SSH. 4. (Optional) For Port, enter the port number for the service. Normally this should not be changed. 5. Click Access control list to configure access control: To limit access to specified IPv4 addresses and networks: a.
6. Multicast DNS (mDNS) is enabled by default. mDNS is a protocol that resolves host names in small networks that do not have a DNS server. To disable mDNS, or enable it if it has been disabled, click Enable mDNS. 7.
A single IP address or host name. A network designation in CIDR notation, for example, 192.168.1.0/24. any: No limit to IPv4 addresses that can access the SSH service. Repeat this step to list additional IP addresses or networks. To limit access to specified IPv6 addresses and networks: (config)>...
Type ... firewall zone ? at the config prompt: (config)> ... firewall zone ? Zones: A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists. Additional Configuration -------------------------------------------------------- dynamic_routes...
7. To create custom SSH configuration settings: a. Enable custom configurations: (config)> service ssh custom enable true (config)> b. To override the standard SSH configuration and only use the config_file parameter: (config)> service ssh custom override true (config)> If override is set to true, entries in Configuration file will be used in place of the standard SSH configuration.
Use SSH with key authentication Rather than using passwords, you can use SSH keys to authenticate users connecting via SSH, SFTP, or SCP. SSH keys provide security and scalability: Security: Using SSH keys for authentication is more secure than using passwords. Unlike a password that can be guessed by an unauthorized user, SSH key pairs provide more sophisticated security.
3. Click Authentication > Users. 4. Select an existing user or create a new user. See User authentication for information about creating a new user. 5. Click SSH keys. 6. In Add SSH key, enter a name for the SSH key and click . 7.
4. Save the configuration and apply the change: (config)> save Configuration saved. > 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
Configure telnet access By default, the telnet service is disabled. Note Telnet is an insecure protocol and should only be used for backward-compatibility reasons, and only if the network connection is otherwise secured. Required configuration items Enable telnet access.
5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
3. Click Services > telnet. 4. (Optional) For Port, enter the port number for the service. Normally this should not be changed. 5. Click Access control list to configure access control: To limit access to specified IPv4 addresses and networks: a.
6. Multicast DNS (mDNS) is disabled by default. mDNS is a protocol that resolves host names in small networks that do not have a DNS server. To enable mDNS, click Enable mDNS. 7. Click Apply to save the configuration and apply the change. ...
Use ... network interface ? to display interface information: (config)> ... network interface ? Interfaces Additional Configuration ------------------------------------------- defaultip Default IP defaultlinklocal Default Link-local IP eth1 ETH1 eth2 ETH2 loopback Loopback modem Modem (config)> Repeat this step to list additional interfaces. To limit access based on firewall zones: (config)>...
Additional DNS servers, in addition to the ones associated with the device's network interfaces. Specific host names and their IP addresses. The device is configured by default with the hostname digi.device, which corresponds to the 192.168.210.1 IP address. To configure the DNS server: ...
Services Configure DNS 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > DNS. 4. Click Access control list to configure access control: To limit access to specified IPv4 addresses and networks: a.
To limit access based on firewall zones: a. Click Zones. b. For Add Zone, click . c. For Zone, select the appropriate firewall zone from the dropdown. See Firewall configuration for information about firewall zones. d. Click again to allow access through additional firewall zones. 5.
3. Configure access control: To limit access to specified IPv4 addresses and networks: (config)> add service dns acl address end value (config)> Where value can be: A single IP address or host name. A network designation in CIDR notation, for example, 192.168.1.0/24. any: No limit to IPv4 addresses that can access the DNS service.
To limit access based on firewall zones: (config)> add service dns acl zone end value Where value is a firewall zone defined on your device, or the any keyword. Display a list of available firewall zones: Type ... firewall zone ? at the config prompt: (config)>...
(config)> service dns stop_dns_rebind false (config)> 7. (Optional) Allow localhost rebinding. Localhost rebinding is enabled by default when rebind protection is enabled. This is useful for Real-time Black List (RBL) servers. To disable: (config)> service dns rebind_localhost_ok false (config)>...
11. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show DNS server You can display status for DNS servers. This command is available only at the Admin CLI. ...
Simple Network Management Protocol (SNMP) Simple Network Management Protocol (SNMP) is a protocol for remotely managing and monitoring network devices. Network administrators can use the SNMP architecture to manage nodes, including servers, workstations, routers, switches, hubs, and other equipment on an IP network, manage network performance, find and solve network problems, and plan for network growth.
3. Click Services > SNMP. 4. Click Enable. 5. Click Access control list to configure access control: To limit access to specified IPv4 addresses and networks: a. Click IPv4 Addresses. b. For Add Address, click . c.
6. Type the Username used to connect to the SNMP agent. 7. Type the Password used to connect to the SNMP agent. 8. (Optional) For Port, type the port number. The default is 161. 9.
A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the SNMP service. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config)>...
edge external internal ipsec loopback setup (config)> Repeat this step to list additional firewall zones. 5. Set the name of the user that will be used to connect to the SNMP agent. (config)> service snmp username name (config)>...
13. Save the configuration and apply the change: (config)> save Configuration saved. > 14. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
Location information Your IX20 device can be configured to use the following location sources: In conjunction with the CM07 CORE modem, the modem's internal Global Navigation Satellite System (GNSS) module that provides information about the current location of the device.
Configure the location service The location service is enabled by default. You can disable it, or you can enable it if it has been disabled. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2.
If multiple location sources are enabled at the same time, the device's location will be determined based on the order that the location sources are listed here. 7. For information about configuring Destination servers, see Forward location information to a remote host.
5. Save the configuration and apply the change: (config)> save Configuration saved. > 6. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Enable or disable modem GNSS support Note Modem GNSS support is currently only available with the CM07 CORE modem.
6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
5. Save the configuration and apply the change: (config)> save Configuration saved. > 6. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Configure the device to use a user-defined static location You can configure your IX20 device to use a user-defined static location.
Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2.
9. Save the configuration and apply the change: (config)> save Configuration saved. > 10. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Configure the device to accept location messages from external sources You can configure the IX20 device to accept NMEA and TAIP messages from external sources.
5. (Optional) Type a Label for this location source. 6. For Type of location source, select Server. 7. For Location server port, type the number of the UDP port that will receive incoming location messages. 8. Click Access control list to configure access control: To limit access to specified IPv4 addresses and networks: a.
1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: >...
To limit access to hosts connected through a specified interface on the IX20 device: (config)> add service location source 1 acl interface end value (config)> Where value is an interface defined on your device. Display a list of available interfaces: Use ...
setup (config)> Repeat this step to list additional firewall zones. 8. Save the configuration and apply the change: (config)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > Location > Destination servers. 4.
11. For TAIP filters, select the filters that represent the types of messages that will be forwarded. By default, all message types are forwarded. To remove a filter: a. Click the down arrow next to the appropriate message type. b.
3. Add a remote host to which location messages will be sent: (config)> add service location forward end (config service location forward 0)> 4. Set the hostname or IP address of the remote host to which location messages will be sent: (config service location forward 0)>...
If the message protocol type is NMEA: Allowed values are: gga: Reports time, position, and fix related data. gll: Reports position data: position fix, time of position fix, and status. gsa: Reports GPS DOP and active satellites. gsv: Reports the number of SVs in view, PRN, elevation, azimuth, and SNR.
To remove a message type: a. Use the show command to determine the index number of the message type to be deleted: (config service location forward 0)> show filter_taip 0 al 1 cp 2 id 3 ln 4 pv (config service location forward 0)>...
The boundary type of the geofence, either circular or polygonal. If boundary type is circular, the latitude and longitude of the center point of the circle, and the radius. If boundary type is polygonal, the latitude and longitude of the polygon's vertices (a vertex is the point at which two sides of a polygon meet).
3. Click Services > Location > Geofence. 4. For Add Geofence, type a name for the geofence and click . The geofence is enabled by default. Click Enable to disable, or to enable if it has been disabled.
Click again to add an additional point, and continue adding points to create the desired polygon. For example, to configure a square polygon around the Digi headquarters, configure a polygon with four points: This defines a square-shaped polygon equivalent to the following: 7.
c. For Number of intervals, type or select the number of Update Intervals that must take place prior to performing the On entry actions. For example, if the Update interval is 1m (one minute) and the Number of intervals is 3, the On entry actions will not be performed until the device has been inside the geofence for three minutes.
c. For Number of intervals, type or select the number of Update Intervals that must take place prior to performing the On exit actions. For example, if the Update interval is 1m (one minute) and the Number of intervals is 3, the On entry actions will not be performed until the device has been inside the geofence for three minutes.
2. At the command line, type config to enter configuration mode: > config (config)> 3. Add a geofence: (config)> add service location geofence name (config service location geofence name)> where name is a name for the geofence. For example: (config)>...
For latitude, any integer between -90 and 90, with up to six decimal places. For longitude, any integer between -180 and 180, with up to six decimal places. b. Set the radius of the circle: (config service location geofence test_geofence)> radius radius (config service location geofence test_geofence)>...
For longitude, any integer between -180 and 180, with up to six decimal places. Repeat for each vertex of the polygon. For example, to configure a square polygon around the Digi headquarters, configure a polygon with four points: (config service location geofence test_geofence)> add...
6. Define actions to be taken when the device's location triggers a geofence event: To define actions that will be taken when the device enters the geofence, or is inside the geofence when it boots: a. (Optional) Configure the device to perform the actions if the device is inside the geofence when it boots: (config)>...
(config service location geofence test_geofence on_entry action 0)> where value is either: factory_erase—Erases the device configuration when the action is triggered. script—Executes a custom script when the action is triggered. If type is set to script: i.
v. A sandbox is enabled by default to prevent the script from adversely affecting the system. To disable the sandbox: (config service location geofence test_geofence on_entry action 0)> sandbox false (config service location geofence test_geofence on_entry action 0)> If you disable the sandbox, the script may render the system unusable.
where value is either: factory_erase—Erases the device configuration when the action is triggered. script—Executes a custom script when the action is triggered. If type is set to script: i. Type or paste the script, enclosed in quote marks: (config service location geofence test_geofence on_exit action 0)>...
(config service location geofence test_geofence on_exit action 0)> sandbox false (config service location geofence test_geofence on_exit action 0)> If you disable the sandbox, the script may render the system unusable. vi. Repeat for any additional actions. 7. Save the configuration and apply the change: (config)>...
Direction : None Quality : Standard GNSS (2D/3D) UTC Date and Time : Mon, 13 September 2021 8:04:23 03 No. of Satellites : 7 > 3. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
Services Modbus gateway Configure the Modbus gateway Required configuration items Server configuration: Enable the server. Connection type, either socket or serial. If the connection type is socket, the IP protocol to be used. If the connection type is serial, the serial port to be used. Client configuration: Enable the client.
Whether packets should be delivered to a fixed Modbus address. Whether packets should have their Modbus address adjusted downward before delivery. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2.
3. The new Modbus gateway server is enabled by default. Toggle off Enable the server to disable. 4. For Connection type, select Socket or Serial. Available options in the gateway server configuration vary depending on this setting. If Socket is selected for Connection type: a.
To limit access to specified IPv6 addresses and networks: a. Click IPv6 Addresses. b. For Add Address, click . c. For Address, enter the IPv6 address or network that can access the device's web administration service. Allowed values are: A single IP address or host name.
3. The new Modbus gateway client is enabled by default. Toggle off Enable the client to disable. 4. For Connection type, select Socket or Serial. Available options in the gateway server configuration vary depending on this setting. If Socket is selected for Connection type: a.
any: No limit to IPv6 addresses that can access the web administration service. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: a.
Modbus address on different buses. For example, if there are two devices on two different buses that have the same Modbus address of 10, you can create two clients on the gateway: Client one: Modbus address filter set to 10. This will configure the gateway to deliver all messages that have the Modbus server address of 10 to this device.
(config service modbus_gateway server test_modbus_server)> enable false (config service modbus_gateway server test_modbus_server)> b. Set the connection type: (config service modbus_gateway server test_modbus_server)> connection_type type (config service modbus_gateway server test_modbus_server)> where type is either socket or serial. The default is socket. If connection_type is set to socket: i.
For example, to set inactivity_timeout to ten minutes, enter either 10m or 600s: (config service modbus_gateway server test_modbus_server)> inactivity_timeout 600s (config service modbus_gateway server test_modbus_server)> If connection_type is set to serial: i. Set the serial port: i. Use the ? to determine available serial ports: (config service modbus_gateway server test_modbus_server)>...
iv. (Optional) Enable half-duplex (two wire) mode: (config service modbus_gateway server test_modbus_server)> serial half_duplex true (config service modbus_gateway server test_modbus_server)> c. Repeat the above instructions for additional servers. 5. Configure clients: a. Type ... to return to the root of the configuration: (config)>...
iii. Set the packet mode: (config service modbus_gateway client test_modbus_client)> socket packet_mode value (config service modbus_gateway client test_modbus_client)> where value is either rtu or ascii. The default is rtu. iv. Set the maximum allowable time between bytes in a packet: (config service modbus_gateway client test_modbus_client)>...
------------------------ port1 Port 1 (config service modbus_gateway client test_modbus_client)> ii. Set the port: (config service modbus_gateway client test_modbus_client)> serial port (config service modbus_gateway client test_modbus_client)> iii. Set the packet mode: (config service modbus_gateway client test_modbus_client)> serial packet_mode value (config service modbus_gateway client test_modbus_client)>...
For example, to set response_timeout to 100 milliseconds: (config service modbus_gateway client test_modbus_client)> response_timeout 100ms (config service modbus_gateway client test_modbus_client)> The default is 700ms. f. Configure the address filter: This filter is used by the gateway to determine if a message should be forwarded to a destination device.
where value is an integer from 0 to 255. Leave at the default setting of 0 to not adjust the server address. If a packet contains a Modbus server address above the amount entered here, the address will be adjusted downward by this amount before the packet is delivered.
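The address filter and the downward address adjustment described above (and the two-buses-with-the-same-address case earlier in this section) can be modelled in a few lines. The following is an added example, not Digi's gateway code: it parses Modbus RTU frames, picks the client whose filter matches the unit address, rewrites the address and CRC, and drops frames that match no client. The client names, the second client's filter of 20 with an adjustment of 10, and the request frame are constructed assumptions.

```python
"""Added example: model of a Modbus gateway's address filter and downward
address adjustment applied to Modbus RTU frames.  Not Digi's code; the
client names, filter values and frames below are constructed assumptions."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple


def modbus_crc16(data: bytes) -> int:
    """CRC-16/MODBUS: reflected polynomial 0xA001, initial value 0xFFFF."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 0x0001:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc


def build_rtu_frame(unit: int, function: int, payload: bytes) -> bytes:
    """Assemble an RTU frame: unit address, function code, data, CRC (LE)."""
    if not 0 <= unit <= 255:
        raise ValueError("Modbus unit address must be 0..255")
    body = bytes([unit, function]) + payload
    return body + modbus_crc16(body).to_bytes(2, "little")


def parse_rtu_frame(frame: bytes) -> Tuple[int, int, bytes]:
    """Split an RTU frame into (unit, function, data); reject a bad CRC."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    body, received = frame[:-2], int.from_bytes(frame[-2:], "little")
    if modbus_crc16(body) != received:
        raise ValueError("CRC mismatch")
    return body[0], body[1], body[2:]


@dataclass(frozen=True)
class GatewayClient:
    """One gateway client: the unit addresses it accepts (address filter)
    and the address adjustment (0..255, 0 = no adjustment)."""
    name: str
    address_filter: FrozenSet[int]
    address_adjust: int = 0

    def accepts(self, unit: int) -> bool:
        return unit in self.address_filter

    def adjusted_address(self, unit: int) -> int:
        # Only addresses above the adjustment amount are shifted downward,
        # as the manual describes; smaller addresses pass through unchanged.
        if self.address_adjust and unit > self.address_adjust:
            return unit - self.address_adjust
        return unit


def route_frame(clients: Sequence[GatewayClient],
                frame: bytes) -> Optional[Tuple[str, bytes]]:
    """Return (client name, outgoing frame) for the first client whose filter
    matches the frame's unit address, with the address and CRC rewritten as
    that client requires.  Returns None when no client matches, i.e. the
    gateway drops the request instead of forwarding it anywhere."""
    unit, function, payload = parse_rtu_frame(frame)
    for client in clients:
        if client.accepts(unit):
            return client.name, build_rtu_frame(
                client.adjusted_address(unit), function, payload)
    return None


# Constructed clients (assumed to be evaluated in configuration order):
# two serial buses that each carry a device at unit 10.  Upstream addresses
# the bus_b device as unit 20; the gateway subtracts 10 so the frame
# arrives on bus_b addressed to unit 10.
CLIENTS = (
    GatewayClient("bus_a", frozenset({10}), address_adjust=0),
    GatewayClient("bus_b", frozenset({20}), address_adjust=10),
)

# Constructed request: read 10 holding registers starting at register 0.
READ_HOLDING = 0x03
REQUEST_PAYLOAD = bytes.fromhex("0000000a")


if __name__ == "__main__":
    for unit in (10, 20, 30):
        request = build_rtu_frame(unit, READ_HOLDING, REQUEST_PAYLOAD)
        result = route_frame(CLIENTS, request)
        if result is None:
            print(f"unit {unit}: no matching client, dropped")
        else:
            name, out = result
            print(f"unit {unit}: -> {name} as unit {out[0]} ({out.hex()})")
```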
Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2.
System time By default, the IX20 device synchronizes the system time by periodically connecting to the Digi NTP server, time.devicecloud.com. In this mode, the device queries the time server based on the following events and schedule: At boot time.
3. Click System > Time. 4. (Optional) For Timezone, select either UTC or select the location nearest to your current location to set the timezone for your IX20 device. The default is UTC. 5. (Optional) Add upstream NTP servers that the device will use to synchronize its time. The default setting is time.devicecloud.com.
(config)> system time timezone value (config)> Where value is the timezone using the format specified with the following command: (config)> system time timezone ? Timezone: The timezone for the location of this device. This is used to adjust the time for log messages.
6. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Test the connection to the NTP servers The following procedure tests the configured NTP servers for connectivity. This test does not affect the device's current local date and time.
NTP sync to time.devicecloud.com successful > 3. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Manually set the system date and time If your network restricts access to NTP servers, use this procedure to set the local date and time.
Configure the device as an NTP server Required Configuration Items Enable the NTP service. At least one upstream NTP server for synchronization. The default setting is the Digi NTP server, time.devicecloud.com. Additional Configuration Options Additional upstream NTP servers.
d. Click again to list additional IP addresses or networks. To limit access to specified IPv6 addresses and networks: a. Click IPv6 Addresses. b. For Add Address, click . c. For Address, enter the IPv6 address or network that can access the device's NTP service.
a. Click System > Time. b. Select the Timezone for the location of your IX20 device. 8. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
5. (Optional) Configure the access control list to limit downstream access to the IX20 device's NTP service. To limit access to specified IPv4 addresses and networks:
(config)> add service ntp acl address end value
(config)>
Where value can be: A single IP address or host name.
To limit access based on firewall zones:
(config)> add service ntp acl zone end value
Where value is a firewall zone defined on your device, or the any keyword. Display a list of available firewall zones: Type ...
(config)>
7. Save the configuration and apply the change:
(config)> save
Configuration saved.
>
8. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show status and statistics of the NTP server You can display status and statistics for active NTP servers ...
Services Configure a multicast route > 3. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Configure a multicast route Multicast routing allows a device to transmit data to a single multicast address, which is then distributed to a group of devices that are configured to be members of that group.
10. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Services Ethernet network bonding
(config service multicast test)> src_interface
b. Set the interface. For example:
(config service multicast test)> src_interface /network/interface/eth1
(config service multicast test)>
8. Set a destination interface that the IX20 device will send multicast packets to: a. Use the ? to determine available interfaces:
(config service multicast test)>...
Required configuration items Enable Ethernet bonding. The mode, either: Active-backup. Provides fault tolerance. Round-robin. Provides load balancing as well as fault tolerance. The Ethernet devices in the bonded pool. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2.
7. Add Ethernet devices: a. For Add device, click . b. For Device, select an Ethernet device to participate in the bond pool. c. Repeat for each appropriate Ethernet device. 8. Click Apply to save the configuration and apply the change. ...
Services Enable service discovery (mDNS)
5. Add Ethernet devices: a. Use the ? to determine available devices:
(config network bond name)> ... network device ?
Additional Configuration
----------------------------------------
eth1
eth2
loopback
(config network bond name)>
b. Add a device:
(config network bond name)>...
3. Click Services > Service Discovery (mDNS). 4. Enable the mDNS service. 5. Click Access control list to configure access control: To limit access to specified IPv4 addresses and networks: a. Click IPv4 Addresses. b. For Add Address, click . c.
6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Display a list of available interfaces: Use ... network interface ? to display interface information:
(config)> ... network interface ?
Interfaces
Additional Configuration
-------------------------------------------
defaultip Default IP
defaultlinklocal Default Link-local IP
eth1 ETH1
eth2 ETH2
loopback Loopback
modem...
Using iPerf clients that are at a version earlier than iPerf3 to connect to the IX20 device's iPerf3 server may result in unpredictable results. As a result, Digi recommends using an iPerf client at version 3 or newer to connect to the IX20 device's iPerf3 server.
Services Use the iPerf service 3. Click Services > iPerf. 4. Click Enable. 5. (Optional) For IPerf Server Port, type the appropriate port number for the iPerf server listening port. 6. (Optional) Click to expand Access control list to restrict access to the iPerf server: To limit access to specified IPv4 addresses and networks: a.
d. Click again to allow access through additional firewall zones. 7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
To limit access to hosts connected through a specified interface on the IX20 device:
(config)> add service iperf acl interface end value
(config)>
Where value is an interface defined on your device. Display a list of available interfaces: Use ...
Services Configure the ping responder service setup (config)> Repeat this step to list additional firewall zones. 6. Save the configuration and apply the change: (config)> save Configuration saved. > 7. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > Ping responder. The ping responder service is enabled by default.
c. For Interface, select the appropriate interface from the dropdown. d. Click again to allow access through additional interfaces. To limit access based on firewall zones: a. Click Zones. b. For Add Zone, click . c.
To limit access to specified IPv6 addresses and networks:
(config)> add service ping acl address6 end value
(config)>
Where value can be: A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the ping responder service.
Additional Configuration
-----------------------------------------------
dynamic_routes
edge
external
internal
ipsec
loopback
setup
(config)>
Repeat this step to list additional firewall zones. 6. Save the configuration and apply the change:
(config)> save
Configuration saved.
>
7. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
Applications The IX20 supports Python 3.6 and provides you with the ability to run Python applications on the device interactively or from a file. You can also specify Python applications and other scripts to be run each time the device system restarts, at specific intervals, or at a specified time. This chapter contains the following topics: Configure scripts to run automatically Configure scripts to run manually...
Applications Configure scripts to run automatically
Configure scripts to run automatically
You can configure a script or a Python application to run automatically when the system restarts, at specific intervals, or at a specified time. By default, scripts execute in a "sandbox," which restricts access to the file system and available commands that can be used by the script.
The File System page appears. 3. Highlight the scripts directory and click to open the directory. 4. Click (upload). 5. Browse to the location of the script on your local machine. Select the file and click Open to upload the file.
Task two: Configure the application to run automatically Note This feature does not provide syntax or error checking. Certain commands can render the device inoperable. Use with care. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2.
6. For Run mode, select the mode that will be used to run the script. Available options are: On boot: The script will run once each time the device boots. If On boot is selected, select the action that will be taken when the script completes in Exit action.
Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2.
Set the interval:
(config system schedule script 0)> on_interval value
(config system schedule script 0)>
where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set on_interval to ten minutes, enter either 10m or 600s:
(config system schedule script 0)>...
Applications Configure scripts to run manually 8. Set the maximum amount of memory available to be used by the script and its subprocesses: (config system schedule script 0)> max_memory value (config system schedule script 0)> where value uses the syntax number{b|bytes|KB|k|MB|MB|M|GB|G|TB|T}. 9.
Task one: Upload the application WebUI 1. Log into the IX20 WebUI as a user with Admin access. 2. On the menu, click System. Under Administration, click File System. The File System page appears. 3.
For example: To upload a Python application from a remote host with an IP address of 192.168.4.1 to the /etc/config/scripts directory on the IX20 device, issue the following command:
> scp host 192.168.4.1 user admin remote /home/admin/bin/test.py local /etc/config/scripts/ to local
admin@192.168.4.1's password: adminpwd
test.py...
4. For Add Script, click . The script configuration window is displayed. Custom scripts are enabled by default. To disable, click Enable to toggle off. 5. (Optional) For Label, provide a label for the script. 6.
Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2.
Applications Start a manual script To log script errors to the system log: (config system schedule script 0)> syslog_stderr true (config system schedule script 0)> If syslog_stdout and syslog_stderr are not enabled, only the script's exit code is written to the system log.
Applications Stop a script that is currently running 3. For scripts that are enabled and configured to have a run mode of Manual, click Start Script to start the script. Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu.
Applications Show script information 1. Log into the IX20 WebUI as a user with Admin access. 2. At the Status page, click Scripts. The Scripts page displays: 3. For scripts that are currently running, click Stop Script to stop the script. ...
Applications Run a Python application at the shell prompt WebUI 1. Log into the IX20 WebUI as a user with Admin access. 2. At the Status page, click Scripts. The Scripts page displays: Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu.
a. Log into the IX20 WebUI as a user with Admin access. b. On the menu, click System. Under Administration, click File System. The File System page appears. c. Highlight the scripts directory and click to open the directory. d.
Applications Start an interactive Python session
> scp host 192.168.4.1 user admin remote /home/admin/bin/test.py local /etc/config/scripts/ to local
admin@192.168.4.1's password: adminpwd
test.py 100% 36MB 11.1MB/s 00:03
>
c. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
NAME
digidevice - Digi device python extensions
DESCRIPTION
This module includes various extensions that allow Python to interact with additional features offered by the device.
4. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit().
Use Python to respond to Digi Remote Manager SCI requests Use digidevice runtime to access the runtime database Use Python to upload the device name to Digi Remote Manager Use Python to access the device location data Use Python to set the maintenance window...
4. Execute a CLI command using the cli.execute(command) function. For example, to print the system status and statistics to stdout using the show system command:
>>> response = cli.execute("show system")
>>>
>>> print(response)
Model : Digi IX20
Serial Number : IX20-000065
: IX20
Hostname : IX20...
5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Use digidevice.datapoint to upload custom datapoints to Digi Remote Manager Use the datapoint Python module to upload custom datapoints to Digi Remote Manager. The following characteristics can be defined for a datapoint: Stream ID...
Applications Digidevice module Location (optional) Tuple of latitude, longitude and altitude Description (optional) Quality (optional) An integer describing the quality of the data point For example, to use an interactive Python session to upload datapoints related to velocity, temperature, and the state of the emergency door: 1.
Help for using Python to upload custom datapoints to Remote Manager Get help for uploading datapoints to your Digi Remote Manager account by accessing help for datapoint.upload and datapoint.upload_multiple: 1. Log into the IX20 command line as a user with shell access.
timestamp:float=None, units:str=None, geo_location:Tuple[float, float, float]=None, quality:int=None, data_type:digidevice.datapoint.DataType=None, timeout:float=None)
5. Use the help command with datapoint.upload_multiple:
>>> help(datapoint.upload_multiple)
Help on function upload_multiple in module digidevice.datapoint:
upload_multiple(datapoints:List[digidevice.datapoint.DataPoint], timeout:float=None)
6. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit().
Use digidevice.config for device configuration
Use the config Python module to access and modify the device configuration.
network.interface.lan1.enable=true
network.interface.lan1.ipv4.address=192.168.2.1/24
network.interface.lan1.ipv4.connection_monitor.attempts=3
b. Print a list of available interfaces:
>>> cfg = config.load()
>>> interfaces = cfg.get("network.interface")
>>> print(interfaces.keys())
This returns the following:
['defaultip', 'defaultlinklocal', 'lan1', 'loopback', 'wan1', 'wwan1', 'wwan2']
c. Print the IPv4 address of the LAN interface:
>>>...
5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Use Python to respond to Digi Remote Manager SCI requests The device_request Python module allows you to interact with Digi Remote Manager by using Remote Manager's Server Command Interface (SCI), a web service that allows users to access information and perform commands that relate to their devices.
Ctrl-D. You can also exit the session using exit() or quit(). Task two: Create and send an SCI request from Digi Remote Manager The second step in using the device_request module is to create an SCI request that Remote Manager will forward to the device.
d. Click Add. e. Click OK. 3. Click Examples > SCI > Data Service > Send Request. Code similar to the following will be displayed in the HTTP message body text box:
<sci_request version="1.0">
<data_service>
<targets>
<device id="00000000-00000000-0000FFFF-A83CF6A3"/>
</targets>...
True: time.sleep(10) 2. Upload the showsystem.py application to the /etc/config/scripts directory on two or more Digi devices. In this example, we will upload it to two devices, and use the same request in Remote Manager to query both devices.
iv. Click to add a custom script. v. For Label, type Show system application. vi. For Run mode, select On boot. vii. For Exit action, select Restart script. viii. For Commands, type python /etc/config/scripts/showsystem.py. ix. Click Apply to save the configuration and apply the change. ...
Scheduled scripts are enabled by default. To disable:
(config system schedule script 0)> enable false
(config system schedule script 0)>
iv. Provide a label for the script:
(config system schedule script 0)> label "Show system application"
v. Configure the application to run automatically when the device reboots:
(config system schedule script 0)>...
<device_request target_name="showSystem">
8. Click Send. You should receive a response similar to the following:
<sci_reply version="1.0">
<data_service>
<device id="00000000-00000000-0000FFFF-A83CF6A3">
<requests>
<device_request target_name="showSystem" status="0">Model : Digi IX20
Serial Number : IX20-000068
Hostname : IX20
: 00:40:D0:13:35:36
Hardware Version : 50001959-01 A
Firmware Version : 21.8.24.120...
Disk /tmp Usage : 0.004MB/40.96MB(0%)
Disk /var Usage : 0.820MB/32.768MB(3%)</device_request>
</requests>
</device>
<device id="00000000-00000000-0000FFFF-485740BC">
<requests>
<device_request target_name="showSystem" status="0">Model : Digi IX20
Serial Number : IX20-000023
Hostname : IX20
: 00:40:D0:26:79:1C
Hardware Version : 50001959-01 A
Firmware Version : 21.8.24.120...
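The reply above is only useful at scale if something parses it. As an added example (not code from the IX20 User Guide or the digidevice module), the standard-library Python below pulls each device's showSystem status and fields out of an sci_reply and flags devices that failed the request or report a firmware version other than the one expected. The sample reply is constructed from the guide's output; the third device id and its error text are hypothetical, added to show a non-zero status.

```python
"""Parse a Digi Remote Manager SCI reply (added example, not Digi's code)."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample, abbreviated from the guide's reply. The third device and
# its error text are hypothetical, included to show a non-zero status.
SAMPLE_REPLY = """<sci_reply version="1.0">
<data_service>
<device id="00000000-00000000-0000FFFF-A83CF6A3">
<requests>
<device_request target_name="showSystem" status="0">Model : Digi IX20
Serial Number : IX20-000068
Hostname : IX20
: 00:40:D0:13:35:36
Hardware Version : 50001959-01 A
Firmware Version : 21.8.24.120
Disk /tmp Usage : 0.004MB/40.96MB(0%)
Disk /var Usage : 0.820MB/32.768MB(3%)</device_request>
</requests>
</device>
<device id="00000000-00000000-0000FFFF-485740BC">
<requests>
<device_request target_name="showSystem" status="0">Model : Digi IX20
Serial Number : IX20-000023
Hostname : IX20
Hardware Version : 50001959-01 A
Firmware Version : 21.8.24.120</device_request>
</requests>
</device>
<device id="00000000-00000000-0000FFFF-DEADBEEF">
<requests>
<device_request target_name="showSystem" status="1">hypothetical error: target not registered</device_request>
</requests>
</device>
</data_service>
</sci_reply>"""


def parse_show_system(text: str) -> Dict[str, str]:
    """Turn the 'Label : value' lines of show system output into a dict.

    Lines without the ' : ' separator and lines whose label is empty (the
    guide's sample has a MAC line that lost its label) are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        label, value = line.split(" : ", 1)
        if label.strip():
            fields[label.strip()] = value.strip()
    return fields


def parse_sci_reply(xml_text: str, target: str = "showSystem") -> Dict[str, dict]:
    """Map device id -> {"status", "fields", "error"} for one target name."""
    root = ET.fromstring(xml_text)
    if root.tag != "sci_reply":
        raise ValueError("expected <sci_reply>, got <%s>" % root.tag)
    results: Dict[str, dict] = {}
    for device in root.iter("device"):
        dev_id = device.get("id", "")
        for req in device.iter("device_request"):
            if req.get("target_name") != target:
                continue
            status = int(req.get("status", "0"))  # 0: the script answered
            body = req.text or ""
            results[dev_id] = {
                "status": status,
                "fields": parse_show_system(body) if status == 0 else {},
                "error": body.strip() if status != 0 else "",
            }
    return results


def find_exceptions(results: Dict[str, dict], expected_firmware: str) -> List[str]:
    """Device ids that failed the request or run a firmware other than expected."""
    flagged = []
    for dev_id, r in sorted(results.items()):
        if r["status"] != 0 or r["fields"].get("Firmware Version") != expected_firmware:
            flagged.append(dev_id)
    return flagged


if __name__ == "__main__":
    parsed = parse_sci_reply(SAMPLE_REPLY)
    for dev_id, r in sorted(parsed.items()):
        print(dev_id, r["status"], r["fields"].get("Serial Number"), r["error"])
    print("needs attention:", find_exceptions(parsed, "21.8.24.120"))
```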
</sci_request>
Help for using Python to respond to Digi Remote Manager SCI requests
Get help for responding to Digi Remote Manager Server Command Interface (SCI) requests by accessing help for digidevice.device_request: 1. Log into the IX20 command line as a user with shell access.
5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Use digidevice runtime to access the runtime database Use the runt submodule to access and modify the device runtime database. Read from the runtime database Use the keys() and get() methods to read the device configuration: 1.
c. Use the get() method to print the device's MAC address:
>>> print(runt.get("system.mac"))
This will return the MAC address of the device.
6. Use the stop() method to close the runtime database:
7. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit().
Modify the runtime database
Use the set() method to modify the runtime database: 1.
Use Python to upload the device name to Digi Remote Manager The name submodule can be used to upload a custom name for your device to Digi Remote Manager. When you use the name submodule to upload a custom device name to Remote Manager, the...
5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Help for uploading the device name to Digi Remote Manager Get help for uploading the device name to Digi Remote Manager by accessing help for digidevice.name: 1.
2. At the shell prompt, use the python command with no parameters to enter an interactive Python session:
# python
Python 3.6.13 (default, May 9 2021, 22:49:59)
[GCC 8.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>...
4. Use the valid_fix object to determine if the device has a valid fix:
>>> loc = location.Location()
>>> loc.valid_fix
True
>>>
5. Use the position object to return the device's position:
>>> loc.position
(44.926195299999998, -93.397084499999999, 292.39999399999999)
>>>...
Type "help", "copyright", "credits" or "license" for more information.
>>>
3. Import the location submodule:
>>> from digidevice import location
4. Update the location object with the latest location data:
>>> loc = location.Location()
>>> loc.position
(44.926195299999998, -93.397084499999999, 292.39999399999999)
>>>...
Type "help", "copyright", "credits" or "license" for more information.
>>>
3. Import the location submodule:
>>> from digidevice import location
>>>
4. Use the help command with location:
>>> help(location)
Help on module digidevice.location in digidevice:
NAME
digidevice.location - digidevice.location - API for accessing location data
5.
5. To set the device to out of service:
>>> maintenance.out_of_service()
>>> maintenance.state()
'OUT_OF_SERVICE'
>>>
6. To set the device to in service:
>>> maintenance.in_service()
>>> maintenance.state()
'IN_SERVICE'
>>>
Note Leave the interactive Python session active while completing task two, below. Once you have completed task two, exit the interactive session by using Ctrl-D.
You can create Python scripts that send and receive SMS messages in tandem with Digi Remote Manager or Digi aView by using the digidevice.sms module. To use a script to send or receive SMS messages, you must also enable the ability to schedule SMS scripting.
# DIGI HAS NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES,
# ENHANCEMENTS, OR MODIFICATIONS.
# IN NO EVENT SHALL DIGI BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT,
# SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS,
# ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN IF
# DIGI HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Applications Use Python to access serial ports
    # (continued from the previous page)
    print(sms)
    condition.acquire()
    condition.notify()
    condition.release()


def send_sms(destination, msg):
    print("sending SMS message", msg)
    # Add the +1 country code only to a bare 10-digit number; a number that
    # already carries a prefix is sent unchanged.
    if len(destination) == 10:
        destination = "+1" + destination
    # NOTE: The number must include either the + prefix or leading zeros (e.g., either +1 or 00).
Applications Use the Paho MQTT python library
# python
Python 3.6.13 (default, May 9 2021, 22:49:59)
[GCC 8.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>
4. Import the serial module:
>>> import serial
>>>
5. You can now perform operations on the serial port. For example, to write a message to the serial port:
>>>...
        return HTTPStatus.INTERNAL_SERVER_ERROR
    return HTTPStatus.OK


def cmd_fwupdate(params):
    try:
        fw_uri = params["uri"]
    except KeyError:
        print("Firmware file URI not passed")
        return HTTPStatus.BAD_REQUEST
    print("Request to update firmware with URI: {}".format(fw_uri))
    try:
        # Download the firmware image to a temporary file before applying it.
        fd, fname = tempfile.mkstemp()
        os.close(fd)
        try:
            urllib.request.urlretrieve(fw_uri, fname)
        except Exception:
            print("Failed to download FW file from URI {}".format(fw_uri))
            return HTTPStatus.NOT_FOUND...
(',',':')))


def on_connect(client, userdata, flags, rc):
    print("Connected to MQTT server")
    client.subscribe(PREFIX_CMD + "/system")


def on_message(client, userdata, msg):
    """
    Supporting only a single topic for now, no need for filters
    Expects the following message format:
    "cid": "<client-id>",
    "cmd": "<command>",
    "params": {...
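The cmd_fwupdate handler above fetches whatever URI arrives in params. As an added example (not code from the IX20 User Guide or Digi), the dispatcher below handles the same {"cid", "cmd", "params"} message format but validates the firmware URI against an allowlist before anything is downloaded. The allowlisted host, the status codes returned for rejections and the injected fetch callback are assumptions.

```python
"""Dispatcher for the MQTT command messages described above (added example)."""
import json
from http import HTTPStatus
from urllib.parse import urlparse

# Assumed policy: firmware may only be pulled over HTTPS from these hosts.
ALLOWED_FW_HOSTS = {"fw.example.internal"}


def validate_fw_uri(uri, allowed_hosts=ALLOWED_FW_HOSTS):
    """Return True only for an https:// URI whose host is on the allowlist.

    urlparse() does not raise on odd input, so every rejection is a plain False."""
    if not isinstance(uri, str):
        return False
    parts = urlparse(uri)
    if parts.scheme != "https":
        return False
    if parts.username or parts.password:  # refuse embedded credentials
        return False
    return (parts.hostname or "").lower() in allowed_hosts


def cmd_fwupdate(params, fetch):
    """Hardened counterpart of the guide's cmd_fwupdate().

    `fetch(uri)` is an injected callable (assumption) that performs the
    download and returns True on success; nothing is fetched unless the
    URI passed validation."""
    uri = params.get("uri") if isinstance(params, dict) else None
    if uri is None:
        return HTTPStatus.BAD_REQUEST
    if not validate_fw_uri(uri):
        return HTTPStatus.FORBIDDEN
    try:
        ok = fetch(uri)
    except Exception:
        return HTTPStatus.NOT_FOUND
    return HTTPStatus.OK if ok else HTTPStatus.NOT_FOUND


# Command table; unknown commands are refused rather than guessed at.
COMMANDS = {"fwupdate": cmd_fwupdate}


def handle_payload(payload, fetch):
    """Parse one MQTT payload in the {"cid", "cmd", "params"} format and dispatch it.

    Returns (cid, status) so the caller can publish a reply keyed by cid."""
    try:
        msg = json.loads(payload)
    except (ValueError, TypeError):
        return None, HTTPStatus.BAD_REQUEST
    if not isinstance(msg, dict):
        return None, HTTPStatus.BAD_REQUEST
    cid = msg.get("cid")
    handler = COMMANDS.get(msg.get("cmd"))
    if handler is None:
        return cid, HTTPStatus.NOT_IMPLEMENTED
    return cid, handler(msg.get("params", {}), fetch)


if __name__ == "__main__":
    # Constructed payloads; the fetch callback only pretends to download.
    demo = lambda uri: True
    for p in (
        '{"cid": "c1", "cmd": "fwupdate", "params": {"uri": "https://fw.example.internal/ix20.bin"}}',
        '{"cid": "c2", "cmd": "fwupdate", "params": {"uri": "http://fw.example.internal/ix20.bin"}}',
        '{"cid": "c3", "cmd": "reboot"}',
    ):
        print(handle_payload(p, demo))
```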
Applications Use the local REST API to configure the IX20 device
https://192.168.210.1/cgi-bin/config.cgi
Use the GET method to return device configuration information
To return device configuration, issue the GET method. For example, using curl:
$ curl -k -u admin https://ip-address/cgi-bin/config.cgi/value/path -X GET
where: ip-address is the IP address of the IX20 device.
modbus_gateway Modbus Gateway
multicast Multicast
ping Ping responder
snmp SNMP
telnet Telnet
web_admin Web administration
(config)> service
For example, to use curl to return the ssh configuration:
$ curl -k -u admin https://192.168.210.1/cgi-bin/config.cgi/value/service/ssh -X GET
Enter host password for user 'admin':
{"ok": true,...
Use the POST method to modify device configuration parameters and list arrays
Use the POST method to modify device configuration parameters
To modify configuration parameters, use the POST method with the path and value parameters.
$ curl -k -u admin "https://ip-address/cgi-bin/config.cgi/value?path=path&value=new_value"...
where path is the path to the list item, including the list number, in dot notation (for example, service.ssh.acl.zone.4). For example, to remove the external firewall zone from the ssh service: 1.
User authentication This chapter contains the following topics: IX20 user authentication User authentication methods Authentication groups Local users Terminal Access Controller Access-Control System Plus (TACACS+) Remote Authentication Dial-In User Service (RADIUS) LDAP Configure serial authentication Disable shell access Set the idle timeout for IX20 users Example user configuration IX20 User Guide...
User authentication IX20 user authentication
IX20 user authentication
User authentication on the IX20 has the following features and default configuration:
Feature: Idle timeout. Description: Determines how long a user session can be idle before the system automatically disconnects. Default configuration: 10 minutes.
Feature: Allow shell. Description: If disabled, prevents all authentication prohibits access to. Default configuration: Enabled.
User authentication User authentication methods
Local users: Users are authenticated on the local device. RADIUS: Users are authenticated by using a remote RADIUS server. See Remote Authentication Dial-In User Service (RADIUS) for information about configuring RADIUS authentication. TACACS+: Users are authenticated by using a remote TACACS+ server. See Terminal Access Controller Access-Control System Plus (TACACS+) for information about configuring TACACS+ authentication.
Add a new authentication method Required configuration items The types of authentication method to be used: To add an authentication method: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2.
6. Repeat these steps to add additional methods. 7. Click Apply to save the configuration and apply the change. Command line Authentication methods are attempted in the order they are listed until the first successful authentication result is returned.
(config)> add auth method end auth_type
(config)>
where auth_type is one of local, radius, tacacs+, or ldap. To add the new authentication in another location in the list, use an index value to indicate the appropriate position. For example:
(config)>...
4. Click the menu icon (...) next to the method and select Delete. 5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Rearrange the position of authentication methods WebUI Authentication methods are reordered by changing the method type in the Method drop-down for each authentication method to match the appropriate order. For example, the following configuration has Local users as the first method, and RADIUS as the second.
User authentication Authentication groups 7. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Admin access: Users with Admin access can be configured to have either: The ability to manage the IX20 device by using the WebUI or the Admin CLI. Read-only access to the WebUI and Admin CLI. Shell access: Users with Shell access have the ability to access the shell when logging into the IX20 via ssh, telnet, or the serial console.
Change the access rights for a predefined group By default, two authentication groups are predefined: admin and serial. To change the access rights of the predefined groups: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2.
6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
To disable Admin access for the admin group:
(config)> auth group admin acl admin enable false
(config)>
Shell access: To enable Shell access for the serial group:
(config)> auth group serial acl shell enable true
(config)>
Shell access is not available if the Allow shell parameter has been disabled.
1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > Groups. 4. For Add, type a name for the group and click . The group configuration window is displayed.
The default is Full access full. Shell access Shell access is not available if the Allow shell parameter has been disabled. See Disable shell access for more information about the Allow shell parameter. Serial access 6. (Optional) Configure OpenVPN access. See for further information. 7.
4. Enable access rights for the group: Admin access:
(config auth group test)> acl admin enable true
(config)>
Set the access level for Admin access:
(config)> auth group admin acl admin level value
(config)>
where value is either: full: provides users of this group with the ability to manage the IX20 device by using the WebUI or the Admin CLI.
User authentication Authentication groups no redirect_url no terms timeout 24h no title (config)> ii. Add a captive portal: (config)> add auth group test acl portal portals end portal1 (config)> 6. (Optional) Configure Nagios monitoring: (config)> auth group test acl nagios enable true (config)>...
User authentication Authentication groups 3. Click Authentication > Groups. 4. Click the menu icon (...) next to the group to be deleted and select Delete. 5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
User authentication Local users Local users Local users are authenticated on the device without using an external authentication mechanism such as TACACS+ or RADIUS. Local user authentication is enabled by default, with one preconfigured default user. Default user At manufacturing time, each IX20 device comes with a default user configured as follows: Username: admin.
User authentication Local users Change a local user's password To change a user's password: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
User authentication Local users You can also change the password for the active user by clicking the user name in the menu bar: The active user must have full Admin access rights to be able to change the password. 6. Click Apply to save the configuration and apply the change. ...
User authentication Local users Configure a local user Required configuration items A username. A password. The password must be at least eight characters long and must contain at least one uppercase letter, one lowercase letter, one number, and one special character. For security reasons, passwords are stored in hash form.
User authentication Local users 3. Click Authentication > Users. 4. In Add User, type a name for the user and click . The user configuration window is displayed. The user is enabled by default. To disable, click to toggle off Enable. 5.
User authentication Local users a. Click to expand Groups. b. For Add Group, click . c. For Group, select an appropriate group. Note Every user must be configured with at least one group. You can add multiple groups to a user by clicking Add again and selecting the next group.
User authentication Local users g. In Valid code window size, type the allowed number of concurrently valid codes. In cases where TOTP is being used, increasing the Valid code window size may be necessary when the clocks used by the server and client are not synchronized. h.
User authentication Local users (config auth user new_user)> password pwd (config auth user new_user)> 5. Configure login failure lockout settings: The login failure lockout feature is enabled by default. To disable: (config auth user new_user)> lockout enable false (config auth user new_user)> a.
User authentication Local users b. Type the following: (config auth user new_user)> del group n (config auth user new_user)> Where n is the index number of the group to be deleted. For example, to delete the serial group as displayed by the example show command, above: (config auth user new_user)>...
User authentication Local users (config auth user new_user 2fa)> disallow_reuse true (config auth user new_user 2fa)> f. For time-based verification only, configure the code refresh interval. This is the amount of time that a code will remain valid. (config auth user new_user 2fa)> refresh_interval value (config auth user new_user 2fa)>...
User authentication Local users i. Change to the user's scratch code node: (config auth user new_user 2fa)> scratch_code (config auth user new_user 2fa scratch_code)> ii. Add a scratch code: (config auth user new_user 2fa scratch_code)> add end code (config auth user new_user 2fa scratch_code)> Where code is an 8-digit number, with a minimum of 10000000.
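The behaviour those 2FA settings control, as an added example that is not code from the IX20 firmware or from Digi: RFC 6238 time-based codes, the effect of the valid code window size when the server and client clocks drift, and single-use scratch codes. The function and parameter names are this example's own; the secret used in the checks is the RFC 4226/6238 test vector, not a value from the guide.

```python
"""RFC 6238 TOTP verification with a configurable code window, plus
single-use scratch codes. Added illustration only; not IX20 firmware code."""
import base64
import hashlib
import hmac
import struct


def secret_from_base32(encoded: str) -> bytes:
    """Decode an authenticator-app style base32 secret (padding optional)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, refresh_interval: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    `refresh_interval` is the code lifetime in seconds (the 2fa
    refresh_interval setting above)."""
    return hotp(secret, at // refresh_interval, digits)


def verify_totp(secret: bytes, code: str, at: int, refresh_interval: int = 30,
                window_size: int = 3, digits: int = 6) -> bool:
    """Accept `code` if it matches any of `window_size` consecutive time steps
    centred on the current one (the Valid code window size setting). A window
    of 1 accepts only the current step; 3 tolerates one step of clock skew in
    either direction. Widening the window widens the set of codes an attacker
    may guess, so raise it only when clocks cannot be kept in sync."""
    if window_size < 1:
        raise ValueError("window_size must be at least 1")
    if not (isinstance(code, str) and code.isascii() and code.isdigit()):
        return False
    current = at // refresh_interval
    first = current - window_size // 2
    # Constant-time comparison per candidate so the check does not leak
    # how many leading digits matched.
    return any(hmac.compare_digest(hotp(secret, step, digits), code)
               for step in range(first, first + window_size))


class ScratchCodes:
    """Single-use backup codes: 8-digit numbers no smaller than 10000000, as
    the scratch_code node requires. A code is removed the first time it is
    accepted, so it cannot be replayed."""

    def __init__(self, codes):
        self._unused = set()
        for code in codes:
            text = str(code)
            if not (text.isdigit() and 10000000 <= int(text) <= 99999999):
                raise ValueError(f"scratch code {text!r} is not an 8-digit number")
            self._unused.add(text)

    def consume(self, code: str) -> bool:
        if code in self._unused:
            self._unused.discard(code)
            return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


def check_second_factor(secret: bytes, code: str, at: int,
                        scratch: ScratchCodes, **totp_kwargs) -> bool:
    """Second-factor decision as a device would make it: a TOTP inside the
    window, or an unused scratch code. Hypothetical helper for this example."""
    return verify_totp(secret, code, at, **totp_kwargs) or scratch.consume(code)
```

With the default window of 3, a code generated one refresh interval early or late is still accepted; a code two intervals off is rejected unless the window is raised to 5, which is exactly the trade-off the Valid code window size setting makes.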
User authentication Local users 4. Click the menu icon (...) next to the name of the user to be deleted and select Delete. 5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
User authentication Terminal Access Controller Access-Control System Plus (TACACS+) Terminal Access Controller Access-Control System Plus (TACACS+) Your IX20 device supports Terminal Access Controller Access-Control System Plus (TACACS+), a networking protocol that provides centralized authentication and authorization management for users who connect to the device. With TACACS+ support, the IX20 device acts as a TACACS+ client, which sends user credentials and connection parameters to a TACACS+ server over TCP.
User authentication Terminal Access Controller Access-Control System Plus (TACACS+) TACACS+ user configuration When configured to use TACACS+ support, the IX20 device uses a remote TACACS+ server for user authentication (password verification) and authorization (assigning the access level of the user). Additional TACACS+ servers can be configured as backup servers for user authentication.
User authentication Terminal Access Controller Access-Control System Plus (TACACS+) Error: Unrecognised token on line 1 5. Restart the TACACS+ server: $ sudo /etc/init.d/tacacs_plus restart TACACS+ server failover and fallback to local authentication In addition to the primary TACACS+ server, you can also configure your IX20 device to use backup TACACS+ servers.
User authentication Terminal Access Controller Access-Control System Plus (TACACS+) 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > TACACS+ > Servers. 4.
User authentication Terminal Access Controller Access-Control System Plus (TACACS+) 7. (Optional) For Service, type the value of the service attribute in the TACACS+ server's configuration. For example, in TACACS+ user configuration, the value of the service attribute in the sample tac_plus.conf file is system, which is also the default setting in the IX20 configuration.
User authentication Terminal Access Controller Access-Control System Plus (TACACS+) IX20 configuration. (config)> auth tacacs+ group_attribute attribute-name (config)> 5. (Optional) Configure the type of service. This is the value of the service attribute in the TACACS+ server's configuration. For example, in TACACS+ user configuration, the value of the service attribute in the sample tac_plus.conf file is system, which is also the default setting in...
User authentication Remote Authentication Dial-In User Service (RADIUS) Remote Authentication Dial-In User Service (RADIUS) Your IX20 device supports Remote Authentication Dial-In User Service (RADIUS), a networking protocol that provides centralized authentication and authorization management for users who connect to the device.
User authentication Remote Authentication Dial-In User Service (RADIUS) RADIUS user configuration When configured to use RADIUS support, the IX20 device uses a remote RADIUS server for user authentication (password verification) and authorization (assigning the access level of the user). Additional RADIUS servers can be configured as backup servers for user authentication. This section outlines how to configure a RADIUS server to be used for user authentication on your IX20 device.
User authentication Remote Authentication Dial-In User Service (RADIUS) servers are unavailable. Additionally, users who are configured locally but are not configured on the RADIUS server are still able to log into the device. Authentication methods are attempted in the order they are listed until the first successful authentication result is returned;...
User authentication Remote Authentication Dial-In User Service (RADIUS) 3. Click Authentication > RADIUS > Servers. 4. Add RADIUS servers: a. For Add server, click . b. For Hostname, type the hostname or IP address of the RADIUS server. c. (Optional) Change the default Port setting to the appropriate port. Normally this should be left at the default setting of port 1812.
User authentication Remote Authentication Dial-In User Service (RADIUS) 8. Add RADIUS to the authentication methods: a. Click Authentication > Methods. b. For Add method, click . c. Select RADIUS for the new method from the Method drop-down. Authentication methods are attempted in the order they are listed until the first successful authentication result is returned.
User authentication LDAP If you are accessing the IX20 device by using the WebUI, the default value for NAS ID is httpd. If you are accessing the IX20 device by using ssh, the default value is sshd. (config)> auth radius nas_id id (config)>...
User authentication LDAP support, the IX20 device acts as an LDAP client, which sends user credentials and connection parameters to an LDAP server. The LDAP server then authenticates the LDAP client requests and sends back a response message to the device. When you are using LDAP authentication, you can have both local users and LDAP users able to log in to the device.
User authentication LDAP LDAP user configuration When configured to use LDAP support, the IX20 device uses a remote LDAP server for user authentication (password verification) and authorization (assigning the access level of the user). Additional LDAP servers can be configured as backup servers for user authentication. This section outlines how to configure a LDAP server to be used for user authentication on your IX20 device.
User authentication LDAP cn: John Smith sn: Smith uid: john ou: admin serial LDAP server failover and fallback to local configuration In addition to the primary LDAP server, you can also configure your IX20 device to use backup LDAP servers. Backup LDAP servers are used for authentication requests when the primary LDAP server is unavailable.
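An added model of the method ordering and server failover described in the TACACS+, RADIUS and LDAP sections (illustrative code, not the IX20 firmware): each remote method consults its backup servers only when the primary is unreachable, a reachable server's deny is final for that method, and the device moves on to the next configured method until one allows the login, so a user who exists only locally still gets in when the remote servers reject or cannot be reached. The server names, user records and passwords are constructed for the example.

```python
"""Authentication method chain with server failover and local fallback.
Added illustration of the guide's described behaviour; not device code."""
from dataclasses import dataclass, field
from enum import Enum


class Result(Enum):
    ALLOW = "allow"
    DENY = "deny"
    UNAVAILABLE = "unavailable"


@dataclass
class RemoteServer:
    """One TACACS+/RADIUS/LDAP server: reachability plus a constructed user
    table mapping username -> (password, group)."""
    name: str
    reachable: bool
    users: dict = field(default_factory=dict)

    def authenticate(self, user, password):
        if not self.reachable:
            return Result.UNAVAILABLE, None
        record = self.users.get(user)
        if record and record[0] == password:
            return Result.ALLOW, record[1]
        return Result.DENY, None


@dataclass
class RemoteMethod:
    """A remote method with its server list: primary first, backups after."""
    name: str
    servers: list

    def authenticate(self, user, password):
        # Backups are consulted only while servers are unavailable; the
        # first reachable server's answer (allow or deny) is final.
        for server in self.servers:
            result, group = server.authenticate(user, password)
            if result is not Result.UNAVAILABLE:
                return result, group, server.name
        return Result.UNAVAILABLE, None, None


@dataclass
class LocalMethod:
    users: dict = field(default_factory=dict)
    name: str = "local"

    def authenticate(self, user, password):
        record = self.users.get(user)
        if record and record[0] == password:
            return Result.ALLOW, record[1], "local"
        return Result.DENY, None, "local"


def authenticate(methods, user, password):
    """Try methods in configured order until one returns ALLOW.
    Returns (result, group, method_name, server_name)."""
    outcome = Result.UNAVAILABLE
    for method in methods:
        result, group, server = method.authenticate(user, password)
        if result is Result.ALLOW:
            return Result.ALLOW, group, method.name, server
        if result is Result.DENY:
            outcome = Result.DENY
    return outcome, None, None, None


def build_example_chain():
    """Constructed topology: RADIUS primary down with a reachable backup,
    then TACACS+, then local users (mirrors the guide's ordering)."""
    radius_users = {"admin1": ("password1", "admin")}
    radius = RemoteMethod("radius", [
        RemoteServer("radius-primary", reachable=False, users=radius_users),
        RemoteServer("radius-backup", reachable=True, users=radius_users),
    ])
    tacacs = RemoteMethod("tacacs+", [
        RemoteServer("tacacs-primary", reachable=True,
                     users={"netops": ("netops-pw", "admin")}),
    ])
    local = LocalMethod(users={"admin": ("local-admin-pw", "admin"),
                               "svc": ("serial-only", "serial")})
    return [radius, tacacs, local]
```

Keeping local last in the list preserves an emergency login path when every remote server is down, but it also means a local account with a weak password is reachable even when the central directory would have rejected the user; lock down local accounts accordingly.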
User authentication LDAP 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > LDAP > Servers. 4.
User authentication LDAP Start TLS: Makes a non-secure TCP connection to the LDAP server on port 389, then sends a request to upgrade the connection to a secure TLS connection. This is the preferred method for LDAP. 7. If Enable TLS or Start TLS is selected for TLS connection: Leave Verify server certificate at the default setting of enabled so that the server certificate is verified against a known Certificate Authority. Disabling verification allows any host that can intercept the connection to impersonate the LDAP server and capture the bind credentials.
User authentication LDAP Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2.
User authentication LDAP For example: (config)> auth ldap bind_dn cn=user,dc=example,dc=com (config)> 7. Set the password used to log into the LDAP server. Leave this option unset if the server allows anonymous connections. (config)> auth ldap bind_password password (config)> 8. Set the distinguished name (DN) on the server to search for users. This can be the root of the directory tree (for example, dc=example,dc=com) or a sub-tree (for example.
User authentication Configure serial authentication b. Enter the LDAP server's IP address or hostname: (config auth ldap server 0)> hostname hostname|ip-address (config auth ldap server 0)> c. (Optional) Change the default port setting to the appropriate port: (config auth ldap server 0)> port port (config auth ldap server 0)>...
User authentication Configure serial authentication 3. Click Authentication > Serial. 4. (Optional) For TLS identity certificate, paste a TLS certificate and private key in PEM format. If empty, the certificate for the web administration service is used. See Configure the web administration service for more information.
User authentication Disable shell access 4. Set the method used to verify the certificate of a remote peer: (config)> auth serial verify value (config)> where value is either: ca: Uses certificate authorities (CAs) to verify. peer: Uses the remote peer's public certificate to verify. 5.
User authentication Disable shell access 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication. 4. Click to disable Allow shell. Note If shell access is disabled, re-enabling it will erase the device's configuration and perform a factory reset.
User authentication Set the idle timeout for IX20 users 3. Set the allow_shell parameter to false: (config)> auth allow_shell false Note If shell access is disabled, re-enabling it will erase the device's configuration and perform a factory reset. 4. Save the configuration and apply the change: (config)>...
User authentication Set the idle timeout for IX20 users 5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
User authentication Example user configuration Example user configuration Example 1: Administrator user with local authentication Goal: To create a user with administrator rights who is authenticated locally on the device. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2.
User authentication Example user configuration 6. Assign the user to the admin group: a. Click Groups. b. For Add Group, click . c. For Group, select the admin group. d. Verify that the admin group has full administrator rights: i. Click Authentication > Groups. ii.
User authentication Example user configuration If admin > level is set to read-only: (config)> auth group admin acl admin level full (config)> 4. Verify that local is one of the configured authentication methods: (config)> show auth method 0 local (config)> If local is not listed: (config)>...
User authentication Example user configuration This example uses a FreeRADIUS 3.0 server running on Ubuntu, and a TACACS+ server running on Ubuntu. Server configuration may vary depending on the platforms or type of servers used in your environment.
User authentication Example user configuration WebUI 1. Configure a user on the RADIUS server: a. On the Ubuntu machine hosting the FreeRADIUS server, open the /etc/freeradius/3.0/users file: $ sudo gedit /etc/freeradius/3.0/users b. Add a RADIUS user to the users file: admin1 Cleartext-Password := "password1" Unix-FTP-Group-Names := "admin"...
User authentication Example user configuration The Configuration window is displayed. 5. Configure the authentication methods: a. Click Authentication > Methods. b. For Method, select RADIUS. c. For Add Method, click to add a new method. d. For the new method, select TACACS+. e.
User authentication Example user configuration iii. For Group, select the admin group. a. Verify that the admin group has full administrator rights: i. Click Authentication > Groups. ii. Click admin. iii. Verify that the admin group has Admin access enabled. If not, click Admin access to enable.
User authentication Example user configuration service = system { groupname = admin In this example: The user's username is admin1. The user's password is password1. The authentication group on the IX20 device, admin, is identified in the groupname parameter. c. Save and close the tac_plus.conf file. 3.
User authentication Example user configuration enable true level full (config)> If admin > enable is set to false: (config)> auth group admin acl admin enable true (config)> If admin > level is set to read-only: (config)> auth group admin acl admin level full (config)>...
Firewall This chapter contains the following topics: Firewall configuration Port forwarding rules Packet filtering Configure custom firewall rules Configure Quality of Service options
Firewall Firewall configuration Firewall configuration Firewall configuration includes the following configuration options: Zones: A zone is a firewall access group to which network interfaces can be added. You then use zones to configure packet filtering and access control lists for interfaces that are included in the zone.
Firewall Firewall configuration 3. Click Firewall > Zones. 4. In Add Zone, enter a name for the zone and click . The firewall configuration window is displayed. 5. (Optional) If traffic on this zone will be forwarded from a private network to the internet, enable Network Address Translation (NAT).
Firewall Firewall configuration 4. (Optional) Enable Network Address Translation (NAT): (config firewall zone my_zone)> src_nat true (config firewall zone my_zone)> 5. Save the configuration and apply the change: (config firewall zone my_zone)> save Configuration saved. > 6. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
Firewall Firewall configuration 4. For Zone, select External. 5. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Firewall Firewall configuration 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Firewall > Zones. 4. Click the menu icon (...) next to the appropriate custom firewall zone and select Delete. 5.
Firewall Port forwarding rules 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Port forwarding rules Most computers are protected by a firewall that prevents users on a public network from accessing servers on the private network.
Firewall Port forwarding rules 3. Click Firewall > Port forwarding. 4. For Add port forward, click . The port forwarding rule configuration window is displayed. Port forwarding rules are enabled by default. To disable, click to toggle off Enable. 5. (Optional) Type a Label that will be used to identify the rule. 6.
Firewall Port forwarding rules To white list IP addresses: a. Click Addresses. b. For Add Address, enter an IP address and click . c. Repeat for each additional IP address that should be white listed. To specify firewall zones for white listing: a.
Firewall Port forwarding rules destination address matches the IP address of this network interface. Format: defaultip defaultlinklocal eth1 eth2 loopback Current value: (config firewall dnat 0)> interface b. Set the interface. For example: (config firewall dnat 0)> interface eth1 (config firewall dnat 0)> 5.
Firewall Port forwarding rules where value is the port number, comma-separated list of port numbers, or range of port numbers on the server to which traffic should be forwarded. For example, to forward traffic to ports one, three, and five through ten, enter 1, 3, 5-10. 10.
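A parser for that port specification syntax, added here as an example (not the device's own parsing code): it expands a string such as 1, 3, 5-10 into the exact set of ports that will be forwarded and rejects empty, non-numeric, reversed or out-of-range entries before they reach the firewall configuration, with the inverse operation to render a set back as a compact string. The function names are this example's own.

```python
"""Parse and render the "port, port, low-high" syntax used by port-forwarding
rules. Added example; not code from the IX20 firmware."""

PORT_MIN, PORT_MAX = 1, 65535


def parse_port_spec(spec: str) -> set:
    """Expand "1, 3, 5-10" into {1, 3, 5, 6, 7, 8, 9, 10}.

    Raises ValueError on empty entries, non-numeric values, reversed ranges
    and ports outside 1-65535, so a typo cannot silently forward the wrong
    port or be accepted as something it is not."""
    ports = set()
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            raise ValueError(f"empty entry in port specification {spec!r}")
        low, dash, high = item.partition("-")
        low, high = low.strip(), high.strip()
        numeric = lambda s: s.isascii() and s.isdigit()  # no signs, no "5_000"
        if not numeric(low) or (dash and not numeric(high)):
            raise ValueError(f"non-numeric port entry {item!r}")
        start = int(low)
        end = int(high) if dash else start
        if start > end:
            raise ValueError(f"reversed range {item!r}")
        if start < PORT_MIN or end > PORT_MAX:
            raise ValueError(f"port outside {PORT_MIN}-{PORT_MAX} in {item!r}")
        ports.update(range(start, end + 1))
    return ports


def is_valid_port_spec(spec: str) -> bool:
    """True when parse_port_spec accepts the string."""
    try:
        parse_port_spec(spec)
    except ValueError:
        return False
    return True


def format_port_spec(ports) -> str:
    """Inverse of parse_port_spec: render a set of ports as the shortest
    comma-separated list of single ports and contiguous ranges."""
    ordered = sorted(set(ports))
    pieces = []
    i = 0
    while i < len(ordered):
        start = end = ordered[i]
        while i + 1 < len(ordered) and ordered[i + 1] == end + 1:
            i += 1
            end = ordered[i]
        pieces.append(str(start) if start == end else f"{start}-{end}")
        i += 1
    return ",".join(pieces)
```

Expanding the specification before applying it also makes it easy to diff the intended set of exposed ports against what is actually open, which is the check worth running after any port-forwarding change.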
Firewall Port forwarding rules 11. Save the configuration and apply the change: (config)> save Configuration saved. > 12. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Delete a port forwarding rule To delete a port forwarding rule: ...
Firewall Port forwarding rules 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2.
Firewall Packet filtering Packet filtering By default, one preconfigured packet filtering rule, Allow all outgoing traffic, is enabled and monitors traffic going to and from the IX20 device. The predefined settings are intended to block unauthorized inbound traffic while providing an unrestricted flow of outgoing data. You can modify the default packet filtering rule and create additional rules to define how the device accepts or rejects traffic that is forwarded through the device.
Firewall Packet filtering 3. Click Firewall > Packet filtering. To create a new packet filtering rule, for Add packet filter, click . To edit the default packet filtering rule or another existing packet filtering rule, click to expand the rule. The packet filtering rule configuration window is displayed.
Firewall Packet filtering Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2.
Firewall Packet filtering 3. (Optional) Set the label for the rule. (config firewall filter 1)> label "My filter rule" (config firewall filter 1)> 4. Set the action to be performed by the filter rule. (config firewall filter 1)> action value (config firewall filter 1)>...
Firewall Packet filtering The default is any. 9. Save the configuration and apply the change: (config)> save Configuration saved. > 10. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
Firewall Packet filtering 6. Click Apply to save the configuration and apply the change. Command line 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Firewall Packet filtering (config)> save Configuration saved. > 7. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Delete a packet filtering rule To delete a packet filtering rule: ...
Firewall Configure custom firewall rules 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2.
Firewall Configure custom firewall rules 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Firewall > Custom rules. 4.
Firewall Configure Quality of Service options 3. Enable custom firewall rules: (config)> firewall custom enable true (config)> 4. (Optional) Instruct the device to override all preconfigured firewall behavior and rely solely on the custom firewall rules: (config)> firewall custom override true (config)>...
Firewall Configure Quality of Service options 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Firewall > Quality of Service. 4.
Firewall Configure Quality of Service options To enable the Inbound binding: (config)> firewall qos 1 enable true (config)> 4. Set the interface for the binding. Use the index number of the binding; for example, to set the interface for the Outbound binding: a.
Firewall Configure Quality of Service options 3. Click Firewall > Quality of Service. 4. For Add Binding, click . The quality of service binding configuration window is displayed. 5. Enable the binding. 6. (Optional) Type a Label for the binding. 7.
Firewall Configure Quality of Service options New QoS binding policies are enabled by default. To disable, click Enable. c. (Optional) Type a Label for the binding policy. d. For Weight, type a value for the amount of available bandwidth allocated to the policy, relative to other policies for this binding.
Firewall Configure Quality of Service options v. For Protocol, select the IP protocol matching criteria for this rule. vi. For Source port, type the port, or any, as a source traffic matching criteria. vii. For Destination port, type the port, or any, as a destination traffic matching criteria. viii.
Firewall Configure Quality of Service options (config firewall qos 2)> enable false (config firewall qos 2)> 4. (Optional) Set a label for the new binding: (config firewall qos 2)> label my_binding (config firewall qos 2)> 5. Set the interface to queue egress packets on. The binding will only match traffic that is being sent out on this interface: a.
Firewall Configure Quality of Service options (config firewall qos 2 policy 0)> enable false (config firewall qos 2 policy 0)> c. (Optional) Set a label for the new binding policy: (config firewall qos 2 policy 0)> label my_binding_policy (config firewall qos 2 policy 0)> d.
Firewall Configure Quality of Service options iii. (Optional) Set a label for the new binding policy rule: (config firewall qos 2 policy 0 rule 0)> label my_binding_policy_ rule (config firewall qos 2 policy 0 rule 0)> iv. Set the value of the Type of Service (ToS) packet header that defines packet priority. If unspecified, this field is ignored.
Firewall Configure Quality of Service options interface's network address. Format: /network/interface/defaultip /network/interface/defaultlinklocal /network/interface/eth1 /network/interface/eth2 /network/interface/loopback Current value: (config firewall qos 2 policy 0 rule 0)> src interface ii. Set the interface. For example: (config firewall qos 2 policy 0 rule 0)> src interface /network/interface/eth1 (config firewall qos 2 policy 0 rule 0)>...
Firewall Configure Quality of Service options i. Use the ? to determine available interfaces: (config firewall qos 2 policy 0 rule 0)> dst interface ? Interface: Match the IP address with the specified interface's network address. Format: /network/interface/defaultip /network/interface/defaultlinklocal /network/interface/eth1 /network/interface/eth2 /network/interface/loopback Current value:...
4. From your local file system, select the container file in *.tgz format. You can download a simple example container file, test_lxc.tgz, from the Digi website. 5. Create Configuration is selected by default. This will create a configuration on the device for the container when it is installed.
Containers Configure a container Configure a container Required configuration items The following configuration options are completed automatically if Create Configuration was selected when the container was created. See Upload a new LXC container for details: Name of the container. Enable the container. Whether or not the container should use the device's system libraries.
Containers Configure a container New containers are enabled by default. To disable, or to enable a container if it has been disabled, click Enable. 5. Clone DAL is enabled by default. This allows the container to use the device's system libraries. 6.
Containers Configure a container 5. By default, the container will use the device's system libraries. To disable: (config system container name)> dal false (config system container name)> 6. If the device will use virtual networking: a. Enable virtual networking: (config system container name)> network true (config system container name)>...
Containers Starting and stopping the container (config system container name)> b. Add the port: (config system container name)> add ports end port1 (config system container name)> 8. Save the configuration and apply the change: (config system container name)> save Configuration saved.
Containers View the status of containers Starting a container in persistent mode To start the container in persistent mode, include the -p option at the command line. For example: 1. Log into the IX20 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu.
Containers Schedule a script to run in the container Command line 1. Log into the IX20 command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell. 2.
Containers Schedule a script to run in the container 3. Click System > Scheduled tasks > Custom scripts. 4. For Add Script, click . The script configuration window is displayed. 5. (Optional) For Label, type container_script. 6. For Run mode, select Interval. 7.
Containers Schedule a script to run in the container 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2.
In this example, we will use a simple container file named test_lxc.tgz. You can download test_lxc.tgz from the Digi website. At the command line of a Linux host, we will unpack the file, add a simple python script, and create a new container file that includes the python script.
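The same repacking done with Python's tarfile module instead of a shell, as an added example that is not Digi's tooling: it copies every member of the original archive into a new .tgz, appends the script as an executable file, and refuses archive members whose names would escape the destination directory when the device extracts them. The rootfs/ layout of the constructed archive is an assumption; nothing here is read from the real test_lxc.tgz, and the function names are this example's own.

```python
"""Add a script to an LXC container archive in memory, with a path-safety
check on every member. Added example; not Digi's container tooling."""
import io
import tarfile


def build_archive(files: dict) -> bytes:
    """Build a gzipped tar in memory from {member_name: content}. Used here to
    construct a stand-in for test_lxc.tgz; the rootfs/ layout is assumed."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mode = 0o644
            tf.addfile(info, io.BytesIO(content))
    return out.getvalue()


def member_is_safe(name: str) -> bool:
    """Reject absolute paths and '..' components: a member such as
    ../../etc/passwd would be written outside the container directory when
    the archive is unpacked."""
    return not name.startswith("/") and ".." not in name.split("/")


def list_members(tgz: bytes) -> list:
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tf:
        return sorted(member.name for member in tf.getmembers())


def is_safe_archive(tgz: bytes) -> bool:
    return all(member_is_safe(name) for name in list_members(tgz))


def add_script_to_container(src_tgz: bytes, script_path: str, script: bytes) -> bytes:
    """Copy every member of src_tgz into a new archive and append the script
    as an executable regular file, without extracting anything to disk.
    Raises ValueError if any member (or the script path) is unsafe."""
    if not member_is_safe(script_path):
        raise ValueError(f"unsafe script path {script_path!r}")
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(src_tgz), mode="r:gz") as src, \
            tarfile.open(fileobj=out, mode="w:gz") as dst:
        for member in src.getmembers():
            if not member_is_safe(member.name):
                raise ValueError(f"refusing unsafe archive member {member.name!r}")
            if member.name == script_path:
                continue  # superseded by the new script appended below
            data = src.extractfile(member) if member.isfile() else None
            dst.addfile(member, data)
        info = tarfile.TarInfo(script_path)
        info.size = len(script)
        info.mode = 0o755
        dst.addfile(info, io.BytesIO(script))
    return out.getvalue()
```

Because the members are streamed from one archive to the other, the host never extracts the container's rootfs, so a hostile archive cannot overwrite host files during repacking; the path check guards the extraction that will happen later on the device.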
Click Upload New Container. iv. From your local file system, select the container file. You can download a simple example container file, test_lxc.tgz, from the Digi website. v. Create Configuration is selected by default. This will create a configuration on the device for the container when it is installed.
System administration This chapter contains the following topics: Review device status Configure system information Update system firmware Update cellular module firmware Reboot your IX20 device Erase device configuration and reset to factory defaults Locate the device by using the Find Me feature Configuration files Schedule system maintenance tasks Disable device encryption...
Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. Enter show system at the prompt: > show system Model : Digi IX20 Serial Number : IX20-000065 Hostname : IX20...
Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. Enter show system verbose at the prompt: > show system verbose Model : Digi IX20 Serial Number : IX20-000065 Hostname : IX20...
System administration Configure system information The location of the device. A description of the device. A banner that will be displayed when users access terminal services on the device. To enter system information: WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2.
For example, IX20-21.8.24.120.bin. Manage firmware updates using Digi Remote Manager If you have a network of many devices, you can use Digi Remote Manager Profiles to manage firmware updates. Profiles ensure all your devices are running the correct firmware version and that all newly installed devices are updated to that same version.
Update system firmware Certificate management for firmware images The system firmware files are signed to ensure that only Digi-approved firmware can be loaded onto the device. The IX20 device validates the system firmware image as part of the update process and completes the update only if the system firmware image can be authenticated.
Newest firmware version available to download is '21.8.24.120' Device firmware update from '21.5.56.129' to '21.8.24.120' is needed > 3. Use the system firmware ota list command to list available firmware on the Digi firmware repository. > system firmware ota list 21.5.56.129...
Update firmware from a local file WebUI 1. Download the IX20 operating system firmware from the Digi Support FTP site to your local machine. 2. Log into the IX20 WebUI as a user with Admin access. 3. On the main menu, click System. Under Administration, click Firmware Update.
> show system Hostname : IX20 FW Version : 21.8.24.120 : 0040FF800120 Model : Digi IX20 Current Time : Mon, 13 September 2021 8:04:23 +0000 Uptime : 42 seconds (42s) > Dual boot behavior By default, the IX20 device stores two copies of firmware in two flash memory banks:...
System administration Update system firmware The current firmware version that is used to boot the device. A copy of the firmware that was in use prior to your most recent firmware update. When the device reboots, it will attempt to use the current firmware version. If the current firmware version fails to load after three consecutive attempts, it is marked as invalid and the device will use the previous firmware version stored in the alternate memory bank.
Command line Update modem firmware over the air (OTA) You can update your modem firmware by querying the Digi firmware repository to determine if there is new firmware available for your modem and performing an OTA modem firmware update: IX20 User Guide...
Newest firmware version available to download is '24.01.5x4_ATT' Modem firmware update from '24.01.544_ATT' to '24.01.5x4_ATT' is needed 24.01.5x4_ATT 24.01.544_ATT > 3. Use the modem firmware ota list command to list available firmware on the Digi firmware repository. > modem firmware ota list Retrieving modem firmware list ...
Update modem firmware by using a local firmware file You can update your modem firmware by uploading a modem firmware file to your IX20 device. Firmware should be uploaded to /opt/MODEM_MODEL/Custom_Firmware, for example, /opt/LM940/Custom_Firmware. Modem firmware can be downloaded from Digi at https://ftp1.digi.com/support/firmware/dal/carrier_firmware/. See Use the scp command for information about uploading files to the IX20 device.
System administration Reboot your IX20 device ATT, 24.01.544_ATT, current Generic, 24.01.514_Generic, image Verizon, 24.01.524_Verizon, image ATT, 24.01.544_ATT, image Sprint, 24.01.531-B003_Sprint, image > 4. To perform a firmware update by using a local file, use the version parameter to identify the appropriate firmware version as determined using the modem firmware check or modem firmware list command.
System administration Reboot your IX20 device 3. Click Reboot. 4. Click Reboot to confirm that you want to reboot the device. Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu.
System administration Reboot your IX20 device If Reboot time is set, but the device is unable to synchronize its time with an NTP server, the device will reboot after it has been up for 24 hours. See System time for information about configuring NTP servers.
System administration Erase device configuration and reset to factory defaults (config)> system schedule reboot_window 600s (config)> 5. Save the configuration and apply the change: (config)> save Configuration saved. > 6. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
System administration Erase device configuration and reset to factory defaults 3. In the Erase configuration section, click ERASE. 4. Click CONFIRM. 5. After resetting the device: a. Connect to the IX20 by using the serial port or by using an Ethernet cable to connect the IX20 ETH2 port to your PC.
System administration Erase device configuration and reset to factory defaults For Wi-Fi enabled models, when you first log into the WebUI or the command line, you will be required to change the SSID and pre-shared key (password) for the preconfigured Wi-Fi access point before you can save any configuration changes.
System administration Erase device configuration and reset to factory defaults You can reset the device to the default configuration without removing scripts, keys, and logfiles by using the revert command: 1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
System administration Erase device configuration and reset to factory defaults 3. On the main menu, click System. Under Configuration, click Configuration Maintenance. The Configuration Maintenance window is displayed. 4. In the Configuration backup section, click SAVE. Do not set a Passphrase for the configuration backup. The file will be downloaded using your browser's standard download process.
System administration Locate the device by using the Find Me feature 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2.
System administration Locate the device by using the Find Me feature 2. To activate the Find Me feature, at the prompt, type the following at the command prompt: > system find-me on > 3. To deactivate the Find Me feature, type the following at the command prompt: >...
System administration Configuration files Configuration files The IX20 configuration file, /etc/config/accns.json, contains all configuration changes that have been made to the device. It does not contain the complete device configuration; it only contains changes to the default configuration. Both the default configuration and the changes contained in the accns.json file are applied when the device reboots.
System administration Configuration files 2. At the command line, type config to enter configuration mode: > config (config)> 3. Make any necessary configuration changes. 4. Save the configuration and apply the change: (config)> save Configuration saved. > 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
System administration Configuration files The file will be downloaded using your browser's standard download process. Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu.
System administration Configuration files 1. Log into the IX20 WebUI as a user with Admin access. 2. On the main menu, click System. Under Configuration, click Configuration Maintenance. The Configuration Maintenance window is displayed. 3. In the Configuration Restore section: a.
System administration Configuration files For example: > scp host 192.168.4.1 user admin remote /home/admin/bin/backup-archive-0040FF800120-21.8.24.120-19.23.42.bin local /opt to local 3. Enter the following: > system restore filepath [passphrase passphrase] where filepath is the path and filename of the configuration backup file on the IX20's filesystem (local-path in the previous step).
Schedule system maintenance tasks You can configure tasks to be run during a specified maintenance window. When the device is within its maintenance window, firmware updates and Digi Remote Manager configuration checks will be performed. You can also schedule custom scripts to run during the maintenance window. See...
System administration Schedule system maintenance tasks 3. Click System > Scheduled tasks > System maintenance. 4. Click to expand Maintenance window triggers. 5. Click to add a maintenance window trigger. 6. For Maintenance window trigger type, select one of the following: Check if interface is up, for Test Interface, select the interface.
System administration Schedule system maintenance tasks If Check if Python Out-of-Service is set, the maintenance window will only start if the Python Out-of-Service is set. See Use Python to set the maintenance window for further information. 7. (Optional) Click to enable Modem firmware update to instruct the system to look for any updated modem firmware during the maintenance window.
System administration Schedule system maintenance tasks interface_up: If interface_up is set: i. Set the interface: (config add system schedule maintenance trigger)> interface value (config)> i. Use the ? to determine available interfaces: (config system schedule maintenance trigger 0)> interface Test interface: Test the status of this interface to see if it is up.
System administration Schedule system maintenance tasks If the duration length is set to any value other than 0 or 24 hours, the maintenance tasks will run at a random time during the time allotted for the duration window. If the duration length is set to one or more hours, the minutes field in the start time is ignored and the duration window will begin at the beginning of the specified hour.
System administration Disable device encryption 8. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Disable device encryption You can disable the cryptography on your IX20 device. This can be used to ship unused devices from overseas without needing export licenses from the country from which the device is being shipped.
System administration Disable device encryption a. Select the Properties of the relevant network connection on the Windows PC. b. Click the Internet Protocol Version 4 (TCP/IPv4) parameter. c. Click Properties. The Internet Protocol Version 4 (TCP/IPv4) Properties dialog appears. d. Configure with the following details: IP address for PC: 192.168.210.2 Subnet: 255.255.255.0 Gateway: 192.168.210.1...
System administration Configure the speed of your Ethernet ports 2. Connect the PC's Ethernet port to the ETH1 Ethernet port on your IX20 device. 3. Open a telnet session and connect to the IX20 device at the IP address of 192.168.210.1. 4.
System administration Configure the speed of your Ethernet ports 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Device. 4.
System administration Configure the speed of your Ethernet ports 1000—Sets the speed to 1 Gbps. Available only for devices with Gigabit Ethernet ports. auto—Configures the device to automatically determine the best speed for the Ethernet port. The default is auto. 4.
Monitoring This chapter contains the following topics: intelliFlow Configure NetFlow Probe IX20 User Guide...
Note When intelliFlow is enabled, it adds an estimated 50MB of data usage for the device by reporting the metrics to Digi Remote Manager. Enable intelliFlow Required configuration items Enable intelliFlow.
Monitoring intelliFlow 3. Click Monitoring > intelliFlow. The intelliFlow configuration window is displayed. 4. Click Enable intelliFlow. 5. For Zone, select the firewall zone. Internal clients that are being monitored by intelliFlow should be present on the specified zone. 6. Click Apply to save the configuration and apply the change. ...
Monitoring intelliFlow that intelliFlow will see as internal clients. intelliFlow relies on an internal to external relationship, where the internal clients are present on the zone specified. Format: dynamic_routes edge external internal ipsec loopback setup Default value: internal Current value: internal (config)>...
Monitoring intelliFlow Use intelliFlow to display average CPU and RAM usage This procedure is only available from the WebUI. To display average CPU and RAM usage: WebUI 1. Log into the IX20 WebUI as a user with Admin access. 2. If you have not already done so, enable intelliFlow. See Enable intelliFlow.
Monitoring intelliFlow 3. Click Reset zoom to return to the original display: Change the time period displayed by the chart. By default, the System utilisation chart displays the average CPU and RAM usage over the last minute. You can change this to display the average CPU and RAM usage: Over the last hour.
Monitoring intelliFlow 4. Display a data usage chart: To display the Top Data Usage by Host chart, click Top Data Usage by Host. To display the Top Data Usage by Server chart, click Top Data Usage by Server. To display the Top Data Usage by Service chart, click Top Data Usage by Service. 5.
Monitoring intelliFlow a. Click the menu icon. b. Select the number of top users to display. 7. Save or print the chart. a. Click the menu icon. b. To save the chart to your local filesystem, select Export to PNG. c.
Monitoring Configure NetFlow Probe b. Release to display the selected portion of the chart: c. Click Reset zoom to return to the original display: Save or print the chart. a. Click the menu icon. b. To save the chart to your local filesystem, select Export to PNG. c.
Monitoring Configure NetFlow Probe WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Monitoring > NetFlow probe. 4.
Monitoring Configure NetFlow Probe Hash—Randomly selects one out of every n flows using the hash of the flow key, where n is the value of Flow sampler population. 7. For Flow sampler population, if you selected a flow sampler, enter the number of flows for the sampler.
Monitoring Configure NetFlow Probe v10—NetFlow v10 (IPFIX) supports both IPv4 and IPv6 and includes IP Flow Information Export (IPFIX). The default is v10. 1. Enable flow sampling by selecting a sampling technique. Flow sampling can reduce flow processing and transmission overhead by providing a representative subset of all flows. (config)>...
Monitoring Configure NetFlow Probe b. Set the IP address of the collector: (config monitoring netflow collector 0)> address ip_address (config monitoring netflow collector 0)> c. (Optional) Set the port used by the collector: (config monitoring netflow collector 0)> port port (config monitoring netflow collector 0)>...
Collect device health data and set the sample interval Enable event log upload to Digi Remote Manager Log into Digi Remote Manager Use Digi Remote Manager to view and manage your device Add a device to Digi Remote Manager View Digi Remote Manager connection status...
Additional configuration options These additional configuration settings are not typically configured, but you can set them as needed: Disable the Digi Remote Manager connection if it is not required. You can also configure an alternate cloud-based central management application. Change the reconnection timer.
Digi Remote Manager support is enabled by default. To disable, click Enable central management. 4. (Optional) For Service, select either Digi Remote Manager or Digi aView. The default is Digi Remote Manager. 5. (Optional) For Management server, type the URL for the central management server. The default is the Digi Remote Manager server, my.devicecloud.com.
Central management Configure Digi Remote Manager 12. If Enable watchdog is enabled: a. (Optional) For Restart Timeout, type the amount of time to wait before restarting the connection to the remote cloud services, once the connection is down. Allowed values are any number of hours, minutes, or seconds, and take the format number{h|m|s}.
Digi Remote Manager aview: Digi aView The default is Digi Remote Manager. 5. (Optional) Set the URL for the central management server. The default is the Digi Remote Manager server, my.devicecloud.com. (config)> cloud drm drm_url url (config)>...
8. (Optional) Set the amount of time that the IX20 device should wait between sending keep-alive messages to the Digi Remote Manager when using a cellular interface. Allowed values are from 30 seconds to two hours. The default is 290 seconds.
13. (Optional) Configure the IX20 device to communicate with remote cloud services by using SMS: a. Enable SMS messaging: (config)> cloud drm sms enable true (config)> b. Set the phone number for Digi Remote Manager: (config)> cloud drm sms destination drm_phone_number (config)> c. (Optional) Set the service identifier: (config)>...
Collect device health data and set the sample interval You can enable or disable the collection of device health data to upload to Digi Remote Manager, and configure the interval between health sample uploads. By default, device health data upload is enabled, and the health sample interval is set to 60 minutes.
1, 5, 15, 30, or 60, and represents the number of minutes between uploads of health sample data. 5. By default, the device will only report to Digi Remote Manager those health metric values that have changed since health metrics were last uploaded. This is useful to reduce the bandwidth used to report health metrics.
(config)> When disabled, all metrics are uploaded every Health sample interval. 6. (Optional) Tuning parameters allow you to configure what data are uploaded to Digi Remote Manager. By default, all tuning parameters are enabled. To view a list of all available tuning parameters, use the show command: (config)>...
Type quit to disconnect from the device. Enable event log upload to Digi Remote Manager You can configure your device to upload the event log to Digi Remote Manager, and configure the interval between event log uploads. To enable the event log upload, or to disable it if it has been enabled, and to change the upload interval: ...
Log into Digi Remote Manager To start Digi Remote Manager 1. If you have not already done so, sign up for a Digi Remote Manager account. 2. Check your email for Digi Remote Manager login instructions.
Central management Log into Digi Remote Manager 3. Go to remotemanager.digi.com. 4. Log into your Digi Remote Manager account.
Use Digi Remote Manager to view and manage your device To view and manage your device: 1. If you have not already done so, connect to your Digi Remote Manager account. 2. Click Device Management to display a list of your devices.
The same default password is also shown on the label affixed to the bottom of the device. 6. Click Add. 7. Click OK. Digi Remote Manager adds your IX20 device to your account and it appears in the Device Management view. View Digi Remote Manager connection status To view the current Digi Remote Manager configuration: ...
The Device ID is the unique identifier for the device, as used by the Remote Manager. Configure multiple devices using profiles Digi recommends you take advantage of Digi Remote Manager profiles to manage multiple IX20 routers. Typically, if you want to provision multiple IX20 routers: 1.
Central management Learn more Learn more For information on using Digi Remote Manager to configure and manage IX20 routers, see the Digi Remote Manager User Guide. For information on using Digi Remote Manager APIs to develop custom applications, see the Digi Remote Manager Programmer Guide.
File system This chapter contains the following topics: The IX20 local file system Display directory contents Create a directory Display file contents Copy a file or directory Move or rename a file or directory Delete a file or directory Upload and download files IX20 User Guide...
File system The IX20 local file system The IX20 local file system The IX20 local file system has approximately 150 MB of space available for storing files, such as Python programs, alternative configuration files and firmware versions, and release files, such as cellular module images.
File system Display file contents Display file contents This procedure is not available through the WebUI. To display the contents of a file by using the Admin CLI, use the more command, specifying the name of the file. For example: ...
File system Move or rename a file or directory To copy the file /etc/config/accns.json to a file named backup_cfg.json in a directory named /etc/config/test, enter the following: > cp /etc/config/accns.json /etc/config/test/backup_cfg.json > To copy a directory named /etc/config/test to /opt: >...
File system Delete a file or directory Delete a file or directory To delete a file or directory by using the WebUI or the Admin CLI: WebUI 1. Log into the IX20 WebUI as a user with Admin access. 2.
File system Upload and download files 2. At the Admin CLI prompt, type: > rm /opt/temp/ rm: descend into directory '/opt/temp'? yes rm: remove directory '/opt/temp'? yes > 3. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
File system Upload and download files Download files 1. Log into the IX20 WebUI as a user with Admin access. 2. On the menu, click System. Under Administration, click File System. The File System page appears. 3. Highlight the directory to which the file will be uploaded and click to open the directory. 4.
File system Upload and download files Transfer a file from the IX20 device to a remote host To copy a file from the IX20 device to a remote host, use the scp command as follows: > scp host hostname-or-ip user username remote remote-path local local-path to remote where: hostname-or-ip is the hostname or IP address of the remote host.
File system Upload and download files $ sftp ahmed@192.168.2.1 Password: Connected to 192.168.2.1 sftp> get test.py Fetching test.py to test.py test.py 100% 0.3KB/s 00:00 sftp> exit IX20 User Guide...
Diagnostics This chapter contains the following topics: Perform a speedtest Generate a support report View system and event logs Configure syslog servers Configure options for the event and system logs Analyze network traffic Use the ping command to troubleshoot network connections Use the traceroute command to diagnose IP routing problems IX20 User Guide...
Diagnostics Perform a speedtest Perform a speedtest To perform a speedtest: Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu.
Diagnostics Generate a support report 1. Log into the IX20 WebUI as a user with Admin access. 2. On the main menu, click System. Under Administration, click Support Report. 3. Click to generate and download the support report. Attach the support report to any support requests. ...
Diagnostics View system and event logs View system and event logs Configure options for the event and system logs for information about configuring the information displayed in event and system logs. View System Logs WebUI 1. Log into the IX20 WebUI as a user with Admin access. 2.
Diagnostics View system and event logs 5. Click to download the system log. Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu.
Diagnostics View system and event logs 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. View Event Logs WebUI 1.
Diagnostics View system and event logs 2. Use show event at the Admin CLI prompt: > show event Timestamp Type Category Message ---------------- ------- --------- -------------------------------------- ----- Nov 26 21:42:37 status stat intf=eth1~type=ethernet~rx=11332435~tx=5038762 Nov 26 21:42:35 status system local_time=Thu, 08 Aug 2019 21:42:35 +0000~uptime=3 hours, 0 minutes, 48 seconds >...
Diagnostics Configure syslog servers Configure syslog servers You can configure remote syslog servers for storing event and system logs. WebUI 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed.
Diagnostics Configure syslog servers Log servers are enabled by default. To disable, click to toggle off Enable. c. Type the host name or IP address of the Server. d. Select the event categories that will be sent to the server. By default, all event categories are enabled.
Diagnostics Configure options for the event and system logs d. The event categories that will be sent to the server are automatically enabled when the server is enabled. To disable informational event messages: (config system log remote 0)> info false (config system log remote 0)>...
Diagnostics Configure options for the event and system logs 1. Log into the IX20 WebUI as a user with full Admin access rights. 2. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click System > Log. 4.
Diagnostics Configure options for the event and system logs Note You should only enable Preserve system logs temporarily to debug issues. Once you are finished debugging, immediately disable Preserve system logs to avoid unnecessary wear to the flash memory. 8. Click Apply to save the configuration and apply the change. ...
Diagnostics Configure options for the event and system logs 5. (Optional) To disable event categories, or to enable them if they have been disabled: a. Use the question mark (?) to determine available event categories: (config)> system log event ? Event categories: Settings to enable individual event categories.
Diagnostics Configure options for the event and system logs info true Enable informational events status true Enable status events status_interval Status interval (config)> system log event dhcpserver ii. To disable informational messages for the DHCP server: (config)> system log event dhcpserver info false (config)>...
Diagnostics Analyze network traffic Analyze network traffic The IX20 device includes a network analyzer tool that captures data traffic on any interface and decodes the captured data traffic for diagnostics. You can capture data traffic on multiple interfaces at the same time and define capture filters to reduce the captured data. You can capture up to 10 MB of data traffic in two 5 MB files per interface.
Diagnostics Analyze network traffic Configure packet capture for the network analyzer To use the network analyzer, you must create one or more packet capture configurations. Required configuration items The interface used by this packet capture configuration. Additional configuration items The filter expression for this packet capture configuration. Schedule the analyzer to run based on a specified event or at a particular time: The events or time that will trigger the analyzer to run, using this capture configuration.
Diagnostics Analyze network traffic 5. (Optional) Add a filter type: a. Click to expand Filter. You can select from preconfigured filters to determine which types of packets to capture or ignore, or you can create your own Berkeley packet filter expression. b.
Diagnostics Analyze network traffic d. To create a filter that either captures or ignores packets from a particular port: i. Click to expand Filter TCP/UDP port. ii. Click to add a TCP/UDP port. iii. For IP TCP/UDP port to capture or ignore, type the number of the port to be captured or ignored.
Diagnostics Analyze network traffic c. For Device, select an interface. d. Repeat to add additional interfaces to the capture filter. 7. (Optional) For Berkeley packet filter expression, type a filter using Berkeley Packet Filter (BPF) syntax. See Example filters for capturing data traffic for examples of filters using BPF syntax.
Diagnostics Analyze network traffic 2. At the command line, type config to enter configuration mode: > config (config)> 3. Add a new capture filter: (config)> add network analyzer name (config network analyzer name)> 4. Add an interface to the capture filter: (config network analyzer name)>...
Diagnostics Analyze network traffic either: The filter will apply to packets when the IP address/network is either the source or the destination. iv. (Optional) Set whether the filter should ignore packets from this IP address/network: (config network analyzer name filter address 0)> ignore true (config network analyzer name filter address 0)>...
Diagnostics Analyze network traffic v. (Optional) Set whether the filter should ignore packets from this protocol: (config network analyzer name filter protocol 0)> ignore true (config network analyzer name filter protocol 0)> By default, this option is set to false, which means that the filter will capture packets from this protocol.
Diagnostics Analyze network traffic ii. Set the MAC address that should be captured or ignored: (config network analyzer name filter mac_address 0)> address value (config network analyzer name filter mac_address 0)> where value is the MAC address to be filtered, using colon-hexadecimal notation with lower case, for example, 00:aa:11:bb:22:cc.
Diagnostics Analyze network traffic (config network analyzer name)> filter custom value (config network analyzer name)> where value is a filter using Berkeley Packet Filter (BPF) syntax. Values that contain spaces must be enclosed in double quotes ("). See Example filters for capturing data traffic for examples of filters using BPF syntax.
Diagnostics Analyze network traffic (config network analyzer name)> save_interval 600s (config network analyzer name)> d. Set the frequency with which captured events will be saved: (config network analyzer name)> save_interval value (config network analyzer name)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}.
Diagnostics Analyze network traffic Capture traffic to and from a TCP port 80: ip proto tcp and port 80 Capture traffic to UDP port 53: ip proto udp and dst port 53 Capture traffic from UDP port 53: ip proto udp and src port 53 Capture to and from IP host 10.0.0.1 but filter out ports 22 and 80: ip host 10.0.0.1 and not (port 22 or port 80) Example Ethernet capture filters...
Diagnostics Analyze network traffic 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. Type the following at the Admin CLI prompt: >...
Diagnostics Analyze network traffic test_capture capture_ping > analyzer stop name Show captured traffic data To view captured data traffic, use the show analyzer command. The command output shows the following information for each packet: The packet number. The timestamp for when the packet was captured. The length of the packet and the amount of data captured.
Diagnostics Analyze network traffic 2. Type the following at the Admin CLI prompt: > analyzer save filename filename name capture_filter > where: filename is the name of the file that the captured data will be saved to. Determine filenames already in use: Use the tab autocomplete feature to determine filenames that are currently in use: >...
Diagnostics Analyze network traffic 3. Highlight the analyzer directory and click to open the directory. 4. Select the saved analyzer report you want to download and click (download). Command line 1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu.
Diagnostics Analyze network traffic where capture_filter is the name of a packet capture configuration. See Configure packet capture for the network analyzer for more information. To determine available packet capture configurations, use the ?: > analyzer clear name ? name: Name of the capture filter to use. Format: test_capture capture_ping...
Use the ping command to troubleshoot network connections
Use the ping command to troubleshoot connectivity problems.
Ping to check internet connection
To check your internet connection:
1. Log into the IX20 command line as a user with Admin access. Depending on your device configuration, you may be presented with an Access selection menu.
Use the traceroute command to diagnose IP routing problems
ipchecksums: Calculate IP checksums.
max_ttl: Specifies the maximum number of hops. (Default: 30)
nomap: Do not map IP addresses to host names.
nqueries: Sets the number of probe packets per hop. (Default: 3)
packetlen: Total size of the probing packet.
Radio Frequency Interference (RFI) (FCC 15.105) The Digi IX20 has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
Digi IX20 regulatory and safety statements
European Community - CE Mark Declaration of Conformity (DoC)
Digi has issued Declarations of Conformity for the IX20 concerning emissions, EMC, and safety. For more information, see www.digi.com/resources/certifications.
Important note: Digi customers assume full responsibility for learning and meeting the required guidelines for each country in their distribution market.
Maximum transmit power for radio frequencies
The following tables show the maximum transmit power for frequency bands.
Cellular frequency bands
Frequency bands / Maximum transmit power
Cellular LTE 700 MHz...
However, cellular-based products contain radio devices which require specific consideration. Take the time to read and understand the following guidance. Digi International assumes no liability for an end user’s failure to comply with these precautions.
At the end of its life this product MUST NOT be mixed with other commercial waste for disposal. Check with the terms and conditions of your supplier for disposal information. Digi International Ltd WEEE Registration number: WEE/HF1515VU IX20 User Guide...
Safety warnings
English; Bulgarian--български; Croatian--Hrvatski; French--Français; Greek--Ελληνικά; Hungarian--Magyar; Italian--Italiano; Latvian--Latvietis; Lithuanian--Lietuvis; Polish--Polskie; Portuguese--Português; Slovak--Slovák; Slovenian--Esloveno; Spanish--Español
English Ensure that the power cord is connected to a socket-outlet with earthing connection. To comply with FCC/IC RF exposure limits at least 20 cm separation distance must be maintained between any antenna of the unit and any part of the user at all times. This appliance does not contain any user-serviceable parts.
Croatian--Hrvatski: Make sure the power cable is connected to a grounded socket-outlet. To comply with FCC / IC RF exposure limits, a separation distance of at least 20 cm must be maintained between any antenna of the device and any part of the user at all times.
French--Français: Make sure the power cord is connected to a grounded socket-outlet. To comply with FCC/IC RF exposure limits, a separation distance of at least 20 cm must be maintained between any antenna of the unit and any part of the user at...
Hungarian--Magyar: Make sure the power cable is connected to a grounded socket-outlet. To comply with FCC / IC RF exposure limits, a distance of at least 20 cm must be maintained between any antenna of the equipment and any part of the user. This appliance contains no user-serviceable parts. Never open the equipment.
Italian--Italiano: Make sure the power cable is connected to a grounded socket-outlet. To comply with FCC/IC RF exposure limits, a separation distance of at least 20 cm must always be maintained between any antenna of the unit and any part of the user.
Latvian--Latvietis: Make sure the power cord is connected to a socket-outlet with a ground connection. To comply with FCC / IC radio frequency exposure limits, a distance of at least 20 cm must always be maintained between any antenna of the device and any part of the user. This device contains no user-serviceable parts. Never open the equipment. For safety reasons...
Lithuanian--Lietuvis: Make sure the power cord is connected to a grounded socket-outlet. To comply with FCC / IC radio frequency exposure limits, a distance of at least 20 cm must always be maintained between any antenna of the device and any part of the user. This device contains no user-serviceable parts. Never open the equipment. For safety reasons the equipment...
Polish--Polskie: Make sure the power cord is connected to a grounded socket-outlet. To comply with FCC/IC RF exposure limits, a distance of at least 20 cm must be maintained between the device's antenna and any part of the user. This device contains no user-serviceable parts. Never open the device.
Portuguese--Português: Make sure the power cable is connected to a socket-outlet with a ground connection. To comply with FCC / IC RF exposure limits, a separation distance of at least 20 cm must be maintained between any antenna of the unit and any part of the user at all times.
Slovak--Slovák: Make sure the power cable is connected to a grounded socket-outlet. To comply with FCC / IC RF exposure limits, a distance of at least 20 cm must be maintained at all times between the unit's antenna and any part of the user. This device contains no user-serviceable parts. Never open the device.
Slovenian--Esloveno: Make sure the power cable is plugged into a socket-outlet with a ground connection. To comply with FCC / IC RF exposure limits, a distance of at least 20 cm must be maintained at all times between any antenna of the unit and any part of the user. This device contains no user-serviceable parts.
Spanish--Español: Make sure the power cord is connected to a grounded socket-outlet. To comply with FCC / IC RF exposure limits, a separation distance of at least 20 cm must be maintained between any antenna of the unit and any part of the user at all times.
Digi IX20 Certifications
International EMC (Electromagnetic Compatibility) and safety standards
There are no user-serviceable parts inside the product. Contact your Digi representative for repair information.
Certification category: Electromagnetic Compatibility (EMC) compliance standards
Standards: EN 300 328 v1.8.1, EN 301 893 v1.7.2...
Command line interface
This chapter contains the following topics:
Access the command line interface
Log in to the command line interface
Exit the command line interface
Execute a command from the web interface
Display help for commands and parameters
Auto-complete commands and parameters
Available commands
Use the scp command
Display status and statistics using the show command...
You can use open-source terminal software, such as PuTTY or TeraTerm, to access the device through one of these mechanisms. You can also access the command line interface in the WebUI by using the Terminal, or in Digi Remote Manager by using the Console.
Exit the command line interface
Select access or quit [admin] :
Type a or admin to access the IX20 command line. You will now be connected to the Admin CLI:
Connecting now...
Press Tab to autocomplete commands
Press '?' for a list of commands and details
Type 'help' for details on navigating the CLI
Type 'exit' to disconnect from the Admin CLI...
Display help for commands and parameters
The help command
When executed from the root command prompt, help displays information about autocomplete operations, how to move the cursor on the IX20 command line, and other keyboard shortcuts: >...
traceroute Print the route packets trace to network host.
update Update firmware.
>
Display help for individual commands
When included with a command name, both ? and help provide further information about the command.
Auto-complete commands and parameters
When entering a command and parameter, press the Tab key to cause the command line interface to auto-complete as much of the command and parameter as possible. Pressing the space bar has similar behavior.
Available commands
The following commands are available from the Admin CLI prompt:
Command / Description
config: Used to view and modify the configuration. See Device configuration using the command line interface for more information about using the config command.
exit: Exits the CLI.
Use the scp command
Note: For commands that operate on the IX20's file system, such as the cp, ls, and mkdir commands, see File system for information about the file system, including how to copy, move and delete files and directories.
Transfer a file from the IX20 device to a remote host
To copy a file from the IX20 device to a remote host, use the command as follows:
> scp host hostname-or-ip user username remote remote-path local local-path to remote
where: hostname-or-ip is the hostname or IP address of the remote host.
show system
The show system command displays system information and statistics for the device, including CPU usage.
> show system
Model : Digi IX20
Serial Number : IX20-000065
Hostname : IX20
MAC Address : DF:DD:E2:AE:21:18...
Execute configuration commands at the root Admin CLI prompt
Execute the config command and parameters at the root prompt. See Execute configuration commands at the root Admin CLI prompt for more information. Enter configuration mode by executing the config command without any parameters. See Configuration mode for more information.
> config
2. You can then display help for the additional configuration commands. For example, to display help for the config service command:
> config service ?
Services
Additional Configuration
-------------------------------------------------------------------------
mdns...
Current value: true
> config service ssh enable
Configuration mode
Configuration mode allows you to perform multiple configuration tasks and validate the changes prior to saving them. You can cancel all changes without saving them at any time. Configuration changes do not take effect until the configuration is saved.
Save changes and exit configuration mode
To save changes that you have made to the configuration while in configuration mode, use save. The save command automatically validates the configuration changes; the configuration will not be saved if it is not valid.
Configuration actions
Action / Description
del: Deletes a named element, or an element in a list. See Manage elements in lists for information about using the del command with lists.
move: Moves elements in a list. See Manage elements in lists for information about using the move command with lists.
b. Enter ? to display help for the service node:
(config service)> ?
Either of these methods will display the following information:
config> service ?
Services
Additional Configuration
------------------------------------------------------------------------
mdns Service Discovery (mDNS)
multicast Multicast
remote_control Remote control
snmp...
------------------------------------------------------------------------
enable true Enable
[private] Private key
port Port
Additional Configuration
------------------------------------------------------------------------
Access control list
mdns
(config)> service ssh
4. Lastly, to display allowed values and other information for the enable parameter, use one of the following methods: At the config prompt, enter service ssh enable ?:
(config)>...
Move forward one node in the configuration by entering the name of an Additional Configuration option:
1. At the config prompt, type service to move to the service node:
(config)> service
(config service)>
2. Type ssh to move to the ssh node:
(config service)>...
For example, to add an authentication method:
1. Display the current authentication method by using the show command:
(config)> show auth method
0 local
(config)>
2. Add an authentication method by using the add index_item command. For example, to add the TACACS+ authentication method to the beginning of the list, use the index number 0:
(config)>...
1. Use the show command to display the current authentication method configuration:
(config)> show auth method
0 local
1 tacacs+
2 radius
(config)>
2. Delete one of the authentication methods by using the del index_number command. For example:
a.
After executing the revert command, you must save the configuration changes by using the save command. You can also discard the configuration changes by using the cancel command.
CAUTION! The revert command reverts all changes to the default configuration, not only unsaved changes.
For string parameters, if the string value contains a space, the value must be enclosed in quotation marks. For example, to assign a descriptive name for the device using the system command, enter:
(config)> system description "Digi IX20"
Example: Create a new user by using the command line
In this example, you will use the IX20 command line to create a new user, provide a password for the user, and assign the user to authentication groups.
1. Log into the IX20 command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI.
2.
serial
enable false
no ports
shell
enable false
serial admin
enable true
nagios
enable false
openvpn
enable false
no tunnels
portal
enable false
no portals
serial
enable true
ports
0 port1
shell
enable false
(config auth user user1)>
6.
Command line reference
analyzer, clear, help, mkdir, modem, monitoring, more, ping, reboot, show, speedtest, system, traceroute
analyzer
Analyzer commands.
analyzer clear name STRING
Clears the traffic captured by the analyzer.
Parameters
name: Name of the capture filter to use. Syntax: STRING
analyzer save filename STRING name STRING
Saves the current captured traffic to a file.
Parameters
filename: The filename to save captured traffic to.
clear dhcp-lease
Clear one or more DHCP leases.
clear dhcp-lease ip-address ADDRESS
Clear the DHCP lease for an IP address.
Parameters
ADDRESS: An IPv4 or IPv6 address (Required).
clear dhcp-lease mac ADDRESS
Clear the DHCP lease for a MAC address.
Parameters
ADDRESS: 12-digit, colon-delimited MAC address [00:11:22:AA:BB:CC] (Required).
cp
Copy commands.
cp [force] SOURCE DESTINATION
Copy a file or directory.
Parameters
source: The source file or directory to copy. Syntax: STRING
destination: The destination path to copy the source file or directory to. Syntax: STRING
force: Do not ask to overwrite the destination file if it exists.
help
Show CLI editing and navigation commands.
Parameters
None
ls
Directory listing command.
ls [show-hidden] PATH
List a directory.
Parameters
path: List files and directories under this path. Syntax: STRING
show-hidden: Show hidden files and directories. Hidden filenames begin with '.'. Syntax: BOOLEAN Default: False Optional: True
mkdir
mkdir PATH
Create a directory. Parent directories are created as needed.
Parameters
path: The directory path to create. Syntax: STRING
modem
Modem commands.
modem at [imei STRING] [name STRING] CMD
Send an AT command to the modem and display the response.
Parameters
cmd: The AT command string. Syntax: STRING
imei: The IMEI of the modem to execute this CLI command on. Syntax: STRING Optional: True
name...
Commands for performing FOTA (firmware-over-the-air) interactions with the cellular modem.
ota check [imei STRING] [name STRING]
Query the Digi firmware server for the latest remote modem firmware version.
Parameters
imei: The IMEI of the modem to execute this CLI command on...
ota list [imei STRING] [name STRING]
Query the Digi firmware server for a list of modem firmware versions.
Parameters
imei: The IMEI of the modem to execute this CLI command on. Optional: True Type: string...
Optional: True Type: string
name: The configured name of the modem to execute this CLI command on. Optional: True Ref: /network/modem Type: string
version: Firmware version name. Optional: True Type: string
modem pin
PIN commands.
pin change [imei STRING] [name STRING] OLD-PIN NEW-PIN
Change the SIM's PIN code.
Syntax: STRING
imei: The IMEI of the modem to execute this CLI command on. Syntax: STRING Optional: True
name: The configured name of the modem to execute this CLI command on. Syntax: STRING Optional: True
pin enable [imei STRING] [name STRING] PIN
Enable the PIN lock on the SIM card that is active in the modem.
pin unlock [imei STRING] [name STRING] PIN
Temporarily unlock the SIM card with a PIN code. Set the PIN field in the modem interface's configuration to unlock the SIM card automatically before use.
Warning: Attempting to use an incorrect PIN code may PUK lock the SIM.
new-pin: The PIN code to change to. Syntax: STRING
imei: The IMEI of the modem to execute this CLI command on. Syntax: STRING Optional: True
name: The configured name of the modem to execute this CLI command on. Syntax: STRING Optional: True
modem reset [imei STRING] [name STRING]...
Parameters
slot: The SIM slot to change to. Syntax: (1|2|show)
imei: The IMEI of the modem to execute this CLI command on. Syntax: STRING Optional: True
name: The configured name of the modem to execute this CLI command on. Syntax: STRING Optional: True
monitoring...
more
path: The file to view. Syntax: STRING
mv
Move a file or directory.
mv [force] SOURCE DESTINATION
Parameters
source: The source file or directory to move. Syntax: STRING
destination: The destination path to move the source file or directory to. Syntax: STRING
force: Do not ask to overwrite the destination file if it exists.
ping
Ping a host using ICMP echo.
ping [broadcast|ipv6] [count INTEGER] [interface STRING] [size INTEGER] [source STRING] HOST
Parameters
host: The name or address of the remote host to send ICMP ping requests to. If broadcast is enabled, can be the broadcast address.
source: The ping command will send a packet with the source address set to the IP address of this interface, rather than the address of the interface the packet is sent from. Syntax: STRING Optional: True
reboot
Reboot the system.
Parameters
None
rm
Remove a file or directory.
rm [force] PATH
Parameters
path: The path to remove. Syntax: STRING
force: Force the file to be removed without asking. Syntax: BOOLEAN Default: False Optional: True
scp
Copy a file or directory over SSH.
scp host STRING local STRING [port INTEGER] remote STRING to STRING user STRING
Parameters
host: The name or address of the remote host. Syntax: STRING
local: The file to copy to or from on the local device. Syntax: STRING
port: The SSH port to use to connect to the remote host.
Default: False Optional: True
verbose: Display more information (less concise, more detail). Syntax: BOOLEAN Default: False Optional: True
show cloud
Show Digi Remote Manager status and statistics.
Parameters
None
show config
Show changes made to default configuration.
Parameters
None
show dhcp-lease [all|verbose]
Show DHCP leases.
Parameters
all: Show all leases (active and inactive (not in etc/config/dhcp.*lease)). Syntax: BOOLEAN Default: False Optional: True
verbose: Display more information (less concise, more detail). Syntax: BOOLEAN Default: False Optional: True
show dns...
Syntax: STRING Optional: True
name: The configured instance name of the hotspot. Syntax: STRING Optional: True
show ipsec [all] [tunnel STRING]
Show IPsec status and statistics.
Parameters
all: Display all tunnels including disabled tunnels. Syntax: BOOLEAN Default: False Optional: True
tunnel...
Syntax: (critical|warning|debug|info) Optional: True
number: Number of lines to retrieve from log. Syntax: INT Minimum: 1 Default: 20
show manufacture [verbose]
Show manufacturer information.
Parameters
verbose: Display more information (less concise, more detail). Syntax: BOOLEAN Default: False Optional: True
show modbus-gateway [verbose]...
Syntax: BOOLEAN Default: False Optional: True
show nemo [name STRING]
Show NEMO status and statistics.
Parameters
name: The name of a specific NEMO instance.
show network [all|verbose] [interface STRING]
Show network interface status and statistics.
Parameters
all: Display all interfaces including disabled interfaces.
Syntax: BOOLEAN Default: False Optional: True
name: Display more details and config data for a specific OpenVPN client. Syntax: STRING Optional: True
openvpn server [all] [name STRING]
Show OpenVPN server status and statistics.
Parameters
all: Display all servers including disabled servers.
Optional: True
show scripts
Show scheduled system scripts.
Parameters
None
show serial PORT
Show serial status and statistics.
Parameters
port: Display more details and config data for a specific serial port. Syntax: STRING Optional: True
show system [verbose]
Show system status and statistics.
show vrrp [all|verbose] [name STRING]
Show VRRP status and statistics.
Parameters
all: Display all VRRP instances including disabled instances. Syntax: {True|False} Type: boolean
name: Display more details and configuration data for a specific VRRP instance. Optional: True Type: string
verbose...
wifi client [all] [name STRING]
Display details for Wi-Fi client mode connections.
Parameters
all: Display all Wi-Fi clients including disabled Wi-Fi client mode connections. Syntax: BOOLEAN Default: False Optional: True
name: Display more details for a specific Wi-Fi client mode connection. Syntax: STRING Optional: True
show wifi-scanner...
ssh [command STRING] host STRING [port INTEGER] user STRING
Parameters
command: The command that will be automatically executed once the SSH session to the remote host is established. Optional: True Type: string
host: The hostname or IP address of the remote host. Syntax: {hostname|IPv4_address|IPv6_address} Type: string
port...
system
System commands.
system backup
Save the device's configuration to a file. Archives are full backups including generated SSH keys and dynamic DHCP lease information. Command backups are a list of CLI commands required to build the device's configuration.
Query the Digi firmware server for the latest device firmware version.
Syntax: system firmware ota check
Parameters: None
system firmware ota list
Query the Digi firmware server for a list of device firmware versions.
Syntax: system firmware ota list
Parameters: None
system firmware ota update
Perform FOTA (firmware-over-the-air) update.
Syntax: system firmware update [version STRING]
Parameters
version: Firmware version name
system restore
Restore the device's configuration from a backup archive or CLI commands file.
Syntax: system restore PATH [passphrase STRING]
Parameters
PATH: The path to the backup file. (Required)
passphrase: Decrypt the archive with a passphrase.
system serial save
Saves the current serial log to a file.
Syntax: system serial save PORT FILENAME
Parameters
PORT: Serial port (Required).
FILENAME: The filename to save the serial log. The file will be saved to the device's /etc/config/serial directory.
Syntax: system support-report path
Parameters
path: The file path to save the support report to. (Default: /var/log/)
system time set
Set the local date and time using the timezone set in the system.time.timezone config setting.
Syntax: system time set DATETIME
Parameters...
traceroute
Print the route packets trace to network host.
traceroute [bypass|debug|dontfragment|icmp|ipv6|nomap] [first_ttl INTEGER] [gateway STRING] [interface STRING] [max_ttl INTEGER] [nqueries INTEGER] [packetlen INTEGER] [pausemsecs INTEGER] [port INTEGER] [src_addr STRING] [tos INTEGER] [waittime INTEGER] HOST
Parameters
bypass: Bypass the normal routing tables and send directly to a host on an attached network.
Optional: True
interface: Specifies the interface through which traceroute should send packets. By default, the interface is selected according to the routing table. Syntax: STRING Optional: True
ipv6: If a hostname is defined as the value of the 'host' parameter, use the host's IPv6 address. Syntax: BOOLEAN Default: False Optional: True...
port: Specifies the destination port base traceroute will use (the destination port number will be incremented by each probe). A value of -1 specifies that no specific port will be used. Syntax: INT Minimum: -1 Default: -1
src_addr: Chooses an alternative source address.