Digi IX40 User Manual

page of 1024

/ 1024
Contents
Table of Contents
Bookmarks

Table of Contents

Quick Links

Download this manual

IX40

User Guide

Firmware version 23.12

Table of Contents

Need help?

Do you have a question about the IX40 and is the answer not in the manual?

Questions and answers

Summary of Contents for Digi IX40

Page 1 IX40 User Guide Firmware version 23.12...
Page 2: Revision History-90002537
New After option for the SIM preference schedule. Configure cellular modem. New WAN Bonding proxy and Client devices options. Use Digi Remote Manager to enable and configure WAN bonding on multiple devices Configure WAN bonding on your local device.
Page 3 Added information about adding a MACsec tunnel. Trademarks and copyright Digi, Digi International, and the Digi logo are trademarks or registered trademarks in the United States and other countries worldwide. All other trademarks mentioned in this document are the property of their respective owners.
Page 4 Contact us at +1 952.912.3444 or visit us at www.digi.com/support. Feedback To provide feedback on this document, email your comments to techcomm@digi.com Include the document title and part number (IX40 User Guide, 90002537 A) in the subject line of your email. IX40 User Guide...
Page 5: Table Of Contents
What's new in IX40 version 23.12 Digi IX40 Quick start Step 1: Connect your Digi IX40 Step 2: Set up access to Digi Remote Manager Step 3: Add your router to Digi Remote Manager Step 4: Complete setup Step 5: Configure cellular APN...
Page 6 Log out of the web interface Use the local REST API to configure the IX40 device Use the GET method to return device configuration information Use the POST method to modify device configuration parameters and list arrays Use the DELETE method to remove items from a list array...
Page 7 Installation and configuration process Digi Navigator features Install the Digi Navigator Configure RealPort on a Digi device from the Digi Navigator Digi Navigator device discovery process Services used to discover a device when connected to a network Digi Navigator application features...
Page 8 Configuring a GRE tunnel Show GRE tunnels Example: GRE tunnel over an IPSec tunnel Dynamic Multipoint VPN (DMVPN) Configure a DMVPN spoke L2TP Configure a PPP-over-L2TP tunnel L2TP with IPsec Show L2TP tunnel status L2TPv3 Ethernet Configure an L2TPv3 tunnel IX40 User Guide...
Page 9 Configure telnet access Configure DNS Show DNS server WAN bonding Use Digi Remote Manager to enable and configure WAN bonding on multiple devices Configure WAN bonding on your local device Show WAN bonding status and statistics Simple Network Management Protocol (SNMP)
Page 10 Releasing the LEDs to system control Use Python to control the color of multi-colored LEDs Example: Set the LTE connection indicator to flashing purple Set up the IX40 to automatically run your applications Configure scripts to run automatically Show script information...
Page 11 Configure analog input ports Analog input port sensor calibration Send digital and analog I/O monitoring information to a remote server Send digital and analog I/O monitoring information to Digi Remote Manager Show digital I/O and analog input status and statistics System administration...
Page 12 Manage firmware updates using Digi Remote Manager Certificate management for firmware images Downgrading Dual boot behavior Update cellular module firmware Update modem firmware over the air (OTA) Update modem firmware by using a local firmware file Reboot your IX40 device...
Page 13 Use the ping command to troubleshoot network connections Ping to check internet connection Stop ping commands Use the traceroute command to diagnose IP routing problems Digi IX40 regulatory and safety statements RF exposure statement Federal Communication (FCC) Part 15 Class B Radio Frequency Interference (RFI) (FCC15.105)
Page 14 1000 modem at 1000 modem at-interactive 1000 modem firmware check 1000 modem firmware list 1000 modem firmware ota check 1001 modem firmware ota download 1001 modem firmware ota list 1001 IX40 User Guide...
Page 15 1012 show network 1013 show ntp 1013 show openvpn client 1013 show openvpn server 1013 show route 1014 show scep-client 1014 show scripts 1014 show serial 1014 show surelink interface 1014 show surelink ipsec 1015 IX40 User Guide...
Page 16 1021 system serial restart 1021 system serial save 1021 system serial show 1021 system support-report 1022 system time set 1022 system time sync 1022 system time test 1022 tail 1022 telnet 1023 traceroute 1023 vtysh 1024 IX40 User Guide...
Page 17: What's New In Ix40 Version 23.12
Telnet connection to access a serial port on a service. Configure serial authentication. New Advanced watchdog Modem check and recovery setting to control whether watchdog will monitor initialization of the IX40 cellular modem. Configure the system watchdog. IX40 User Guide...
Page 18: Digi Ix40 Quick Start
Step 1: Connect your Digi IX40 1. Connect your router. a. Locate the SIM Cover on the left side of the Digi IX40. b. Use a #0 Philips screwdriver to loosen the SIM Cover screw. c. Remove the SIM Cover and expose the two SIM Card Slots and Trays.
Page 19 2. Attach and hand-tighten the four cellular antennas to the WWAN1, WWAN2, WWAN3, and WWAN4 ports. 3. To connect the Digi IX40 to the internet, attach the Ethernet cable into the WAN/ETH1 port and then connect the other end of the cable to a device with internet connectivity (e.g., corporate...
Page 20: Step 2: Set Up Access To Digi Remote Manager
Step 5: Configure cellular APN If you inserted a SIM card in the Digi IX40, once the it is powered up, it will attempt to set up the APN automatically. However, if your SIM was set up with a custom APN, it must be manually configured.
Page 21 6. In the WWAN1 menu, click modem. 7. For the APN list only option, toggle this option so it is enabled. 8. Click Apply to save your changes. You have completed the quick start process for your Digi IX40. IX40 User Guide...
Page 22: About The Digi Ix40
About the Digi IX40 For the peak performance, reliability, and longevity of your Digi IX40, make sure you are familiar with its features, external hardware, installation, and configuration. This chapter contains the following topics: Digi IX40 key features Digi IX40 accessories...
Page 23: Digi Ix40 Key Features
Digi IX40 external hardware It is important to understand the external hardware that comes on your IX40. For clarity, Digi organizes the descriptions of the external hardware - like the LED lights or the SMA antenna ports - by their position on the IX40.
Page 24: Digi Ix40 Front
3. Firmware reversion: Press and hold the ERASE button and then power on the Digi IX40 to boot to the version of firmware that was used prior to the current version.
Page 25: Digi Ix40 Back
For external mounting of the antennas, routing and installation of the antennas shall be in accordance with the appropriate location regulations. GNSS The IX40 supports a passive GNSS antenna. antenna port Ground Electric ground screw for fastening a ground wire.
Page 26: Digi Ix40 Left Side
About the Digi IX40 Digi IX40 external hardware Number Item Description Product label Includes information about the device: Product Name Part Number Revision QR Code Password Serial Number Manufacturing Approval Number QR code definition for more information about how to use this code.
Page 27 When the SFP/ETH1 card slot is unpopulated, WAN/ETH1 is a 10/100/1000 copper Ethernet port. ERASE The ERASE button resets the Digi AP (Wi-Fi) IX40, and it has three modes: button 1. Configuration reset: Press the ERASE button one time to reset the Digi IX40 configurations to the factory default.
Page 28 About the Digi IX40 Digi IX40 external hardware Number Item Description Port The LEDs for each port indicate Ethernet link and activity. Port LEDs. LEDs Status The Status LEDs are located on the top front panel. The number of LEDs LEDs varies by model.
Page 29 Digi IX40 external hardware By default, the IX40 Ethernet WAN interface metric defaults to 1, so the LED will be solid on when the ETH1 is up and connected, and flashes cellular WWAN1 is up and connected (metric defaults to 3).
Page 30 LED indicators. Signal quality bars explained The signal status bars for the Digi IX40 measure more than simply signal strength. The value reported by the signal bars is calculated using an algorithm that takes into consideration the Reference Signals Received Power (RSRP), the Signal-to-noise ratio (SNR), and the Received Signal Strength Indication (RSSI) to provide an accurate indicator of the quality of the signal that the device is receiving.
Page 31 IX40 serial port connector pinout The IX40 is a DTE serial device capable of supporting the RS-232, RS-422, or RS-485 electrical signaling modes. The IX40 default setting RS-232 signaling. Change the signaling mode To change the signaling mode: É...
Page 32 About the Digi IX40 Digi IX40 external hardware 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 33 About the Digi IX40 Digi IX40 external hardware 3. Set the signalling mode: (config)> serial port1 signal_mode value (config)> where value is one of: rs-232 rs-422 rs-485 If this is the end device along a cabled RS-485 daisy chain and termination resistors are recommended, enable an internal electrical termination: (config)>...
Page 34 About the Digi IX40 Digi IX40 external hardware IX40 RS-232 pinout DB9 pin Pin direction RS-232 function Input Input Output Output Ground Input Output Input Input IX40 RS-422 pinout DB9 pin Pin direction RS-422 function Input CTS- Input RXD+ Output...
Page 35 Input/Output Low (internally connected to pin 6) Digital input/output and analog input connections The IX40 has an input/output connector with four digital input/output connections, and four analog input connections. I/O connector pin assignments The figure and table show the I/O connector, pin assignments, and the signals for each pin.
Page 36 About the Digi IX40 Digi IX40 external hardware Pin # Symbol Description Analog Input 1 AIN1 AGND Analog Return AIN2 Analog Input 2 Analog Return IX40 User Guide...
Page 37 Analog Return DIO1 Includes an OKInternal Pull up options DIO2 Includes an OKInternal Pull up options IX40 digital input/output: representative circuit IX40 analog input: representative circuit Example digital and analog I/O wiring Digital input with pullup Digital input without pullup Note that input is HIGH when the contact is CLOSED.
Page 38 About the Digi IX40 Digi IX40 external hardware Digital output The wiring diagram assumes a current-limiting resistor provided by installation or connected device is in use. Analog input, 4-20mA input mode Analog input, 0-10V input mode Digital and analog I/O specifications...
Page 39 About the Digi IX40 Digi IX40 external hardware Digital input specifications This input is a non-inverting Schmitt-trigger input. The default state at power-up with no voltage applied is LOW. Specification Units + Threshold - Threshold Input impedance 4.7M Ohms Digital output This output is an open-collector, sinking driver output.
Page 40: Ix40 Bottom View
Digi IX40 external hardware Digi IX40 power supply requirements The Digi IX40 is intended to be powered by a certified power supply with output rated at 12 to 30 volts DCwith 2.5 amps. 2-pin Terminal block with screw down support, marked +/- for 12 to 30 volts DCinput The Digi IX40 is intended to be powered by a certified power supply that can supply a peak power of 8W.
Page 41: Ix40 Left Side View
About the Digi IX40 Digi IX40 external hardware Number Item Description QR code definition for more information about how to use this code. QR code definition A QR code is printed on the label attached to the device and on the loose label included in the box with the device components.
Page 42: Ix40 Back View
For external mounting of the antennas, routing and installation of the antennas shall be in accordance with the appropriate location regulations. GNSS The IX40 supports a passive GNSS antenna. antenna port Ground Electric ground screw for fastening a ground wire.
Page 43: Digi Ix40 Hardware Setup
About the Digi IX40 Digi IX40 hardware setup Antennas and supported bandwidths for each port Antenna Port Technology ANT0 WCDMA B1, B2, B4, B5, B6, B8, B19 B1, B2, B4, B5, B6, B8, B19 B1, B2, B3, B4, B5, B6, B7,...
Page 44: Apply Dielectric Grease
Ethernet (RJ-45): Use a Cat 5e or Cat 6 Ethernet cable. Configuration for extreme thermal conditions The IX40 has been verified to operate in the temperate range of -40Cto +70C/-4F to +158F. However, in extreme temperature conditions (up to +70C/+158F), you must add a Quality of Service (QOS) rule that limits the upload speed of the modem to 1 Mpbs.
Page 45 About the Digi IX40 Digi IX40 hardware setup 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 46 About the Digi IX40 Digi IX40 hardware setup 2. At the command line, type config to enter configuration mode: > config (config)> 3. Add a binding: (config)> add firewall qos end (config firewall qos 2)> 4. Set the interface to the modem interface: (config firewall qos 2)>...
Page 47: Firmware Configuration
This chapter contains the following topics: Primary Responder mode Change the default password for the admin user Configuration methods Using Digi Remote Manager Using the local web interface Use the local REST API to configure the IX40 device Using the command line IX40 User Guide...
Page 48: Primary Responder Mode
To enable Primary Responder mode: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. On the Dashboard, verify the current firmware version installed on the device. In the Device section, look at the Firmware Version field and verify that the version is 23.9.x or above.
Page 49 6. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 50: Change The Default Password For The Admin User
To change the default password for the admin user: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 51: Configuration Methods
5. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 52: Using Digi Remote Manager
Shows how to perform a task by using the command line interface. Using Digi Remote Manager By default, your IX40 device is configured to use Digi Remote Manager as its central management server. Devices must be registered with Remote Manager using one of the following options: As part of the getting started process.
Page 53: Log Out Of The Web Interface
Use the local REST API to configure the IX40 device Your IX40 device includes a REST API that can be used to return information about the device's configuration and to make modifications to the configuration. You can view the REST API specification from your web browser by opening the URL: https://ip-address/cgi-bin/config.cgi...
Page 54 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 55: Use The Post Method To Modify Device Configuration Parameters And List Arrays
Firmware configuration Use the local REST API to configure the IX40 device (config)> service For example, to use curl to return the ssh configuration: $ curl -k -u admin https://192.168.210.1/cgi-bin/config.cgi/value/service/ssh -X GET Enter host password for user 'admin': ok": true, "result": {...
Page 56: Use The Delete Method To Remove Items From A List Array
Firmware configuration Use the local REST API to configure the IX40 device path is the path to the configuration parameter, in dot notation (for example, ssh.service.enable). new_value is the new value for the parameter. For example, to disable the ssh service using curl: $ curl -k -u admin "https://192.168.210.1/cgi-bin/config.cgi/value?path=service.ssh.enable&value=false"...
Page 57 Firmware configuration Use the local REST API to configure the IX40 device "path": "service.ssh.acl.zone" "collapsed": { "0": "internal" "1": "edge" "2": "ipsec" "3": "setup" "4": "external" 2. Use the DELETE method to remove the external zone (list item 4). $ curl -k -u admin https://192.168.210.1/cgi-bin/config.cgi/value?path=service.ssh.acl.zone.4 -X...
Page 58: Using The Command Line
Log in to the command line interface Command line 1. Connect to the IX40 device by using a serial connection, SSH or telnet, or the Terminal in the WebUI or the Console in the Digi Remote Manager. See Access the command line interface more information.
Page 59: Exit The Command Line Interface
Admin CLI s: Shell q: Quit Select access or quit [admin] : Type a or admin to access the IX40 command line. You will now be connected to the Admin CLI: Connecting now... Press Tab to autocomplete commands Press '?' for a list of commands and details...
Page 60 Log into Digi Remote Manager Use Digi Remote Manager to view and manage your device Add a device to Remote Manager Configure multiple IX40 devices by using Digi Remote Manager configurations View Digi Remote Manager connection status Learn more IX40 User Guide...
Page 61: Digi Remote Manager Support
This URL is required to utilize the client-side certificate support. Prior to release 22.2.9.x, the default URL was my.devicecloud.com. If your Digi device is configured to use a non-default URL to connect to Remote Manager, updating the firmware will not change your configuration. However, if you erase the device's configuration, the Remote Manager URL will change to the default of edp12.devicecloud.com.
Page 62 HTTP proxy server support. To configure your device's Digi Remote Manager support: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 63 8. (Optional) For Speedtest server, type the name or IP address of the server to use to test the speed of the device's internet connection(s). 9. (Optional) For Retry interval, type the amount of time that the IX40 device should wait before reattempting to connect to remote cloud services after being disconnected. The default is 30 seconds.
Page 64 Within the US: 12029823370 International: 447537431797 d. (Optional) Type the Service identifier. 17. (Optional) Configure the IX40 device to communicate with remote cloud services via one of two methods: Pinhole or Proxy server. If using the Pinhole method, refer to the following If using the Proxy server method: a.
Page 65 18. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 66 (config)> cloud drm keep_alive 600s (config)> 7. (Optional) Set the amount of time that the IX40 device should wait between sending keep-alive messages to the Digi Remote Manager when using a cellular interface. Allowed values are from 30 seconds to two hours. The default is 290 seconds.
Page 67 If set to false, no login prompt will be presented and the user will be logged in as admin. The default is false. 14. (Optional) Configure the IX40 device to communicate with remote cloud services by using SMS: a. Enable SMS messaging: (config)>...
Page 68: Collect Device Health Data And Set The Sample Interval
To disable the collection of device health data or enable it if it has been disabled, or to change the health sample interval: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 69 8. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 70 1, 5, 15, 30, or 60, and represents the number of minutes between uploads of health sample data. 5. By default, the device will only report health metrics values to Digi Remote Manager that have changed health metrics were last uploaded. This is useful to reduce the bandwidth used to report health metrics.
Page 71: Enable Event Log Upload To Digi Remote Manager
To enable the event log upload, or disable it if it has been disabled, and to change the upload interval: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 72 6. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 73: Reach Digi Remote Manager On A Private Network
The device is capable of connecting through an HTTP proxy, such as Squid, but it is up to the network administrator to decide which HTTP proxy type to use. To enable a proxy server and enter the server and port in Digi Remote Manager, see step 17 in Configure your device for Digi Remote Manager support.
Page 74: Log Into Digi Remote Manager
Central management Log into Digi Remote Manager Digi Support configures the Digi cloud service to allow your VPN to communicate with Digi Remote Manager. Contact Digi Support at https://www.digi.com/contactus. Log into Digi Remote Manager To start Digi Remote Manager 1. If you have not already done so, click here to sign up for a Digi Remote Manager account.
Page 75: Use Digi Remote Manager To View And Manage Your Device
Use Digi Remote Manager to view and manage your device To view and manage your device: 1. If you have not already done so, connect to your Digi Remote Manager account. 2. From the menu, click Devices to display a list of your devices.
Page 76: Add A Device To Remote Manager Using Your Remote Manager Login Credentials
6. (Optional) Complete the other fields. 1. Click Add Device. Remote Manager adds the IX40 device to your account and it appears in the Device Management view. Add a device to Remote Manager using your Remote Manager login credentials If you want to add a device to Remote Manager, and you do not have its password, you can add it using your Remote Manager login credentials.
Page 77: Configure Multiple Ix40 Devices By Using Digi Remote Manager Configurations
Remote Manager configurations. Typically, if you want to provision multiple IX40 routers: 1. Using the IX40 local WebUI, configure one IX40 router to use as the model configuration for all subsequent IX40s you need to manage. 2. Register the configured IX40 device in your Remote Manager account.
Page 78: View Digi Remote Manager Connection Status
View Digi Remote Manager connection status To view the current Digi Remote Manager connection status from the local device: É 1. Log into the IX40 WebUI as a user with full Admin access rights. The dashboard includes a Digi Remote Manager status pane: Command line...
Page 79: Learn More
Central management Learn more 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 80: Interfaces
Interfaces IX40 devices have several physical communications interfaces. These interfaces can be bridged in a Local Area Network (LAN) or assigned to a Wide Area Network (WAN). This chapter contains the following topics: Wide Area Networks (WANs) Local Area Networks (LANs)
Page 81: Wide Area Networks (Wans)
Wide Area Networks (WANs) Wide Area Networks (WANs) The IX40 device is preconfigured with one Wide Area Network (WAN), named ETH1, and one Wireless Wide Area Network (WWAN), named Modem. You can modify configuration settings for the existing WAN and WWANs, and you can create new WANs and WWANs.
Page 82: Wide Area Networks (Wans) And Wireless Wide Area Networks (Wwans)
Configured WAN and WWAN interfaces. This example uses the preconfigured ETH1 and Modem interfaces. The metric for each WAN. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 83 For Metric, type 1. c. Click IPv6. d. For Metric, type 1. 4. Set the metrics for ETH1: a. Click Network > Interfaces > ETH1 > IPv4. b. For Metric, type 2. c. Click IPv6. d. For Metric, type 2. IX40 User Guide...
Page 84 WAN, and its Ethernet WAN, ETH1, as its secondary WAN. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 85: Wan/Wwan Failover
WAN, and its Ethernet WAN, ETH1, as its secondary WAN. WAN/WWAN failover If a connection to a WAN interface is lost for any reason, the IX40 device will immediately fail over to the next WAN or WWAN interface, based on WAN priority. See...
Page 86: Configure Surelink Active Recovery To Detect Wan/Wwan Failures
Problems can occur beyond the immediate WAN/WWAN connection that prevent some IP traffic from reaching its destination. Normally this kind of problem does not cause the IX40 device to detect that the WAN has failed, because the connection continues to work while the core problem exists somewhere else in the network.
Page 87 Otherwise, the device will reboot and all recovery actions listed after the Reboot Device action will be ignored. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 88 When SureLink is configured for Wireless WANs, SureLink tests are only run if the cellular modem is connected and has an IP address. Use the SIM failover options to configure the IX40 device to automatically recover the modem in the event that it cannot obtain an IP address.
Page 89 Test the interface status: Tests the current status of the interface. The test fails if the interface is down. Failing this test infers that all other tests fail. If Test the interface status is selected, complete the following: IX40 User Guide...
Page 90 11. Add recovery actions: a. Click to expand Recovery actions. By default, there are two preconfigured recovery actions: Update routing: Uses the Change default gateway action, which increases the interface's metric by 100 to change the default gateway. Restart interface. IX40 User Guide...
Page 91 Override wait interval before performing the next recovery action: The time to wait before the next test is run. If set to the default value of 0s, the Test interval is used. IX40 User Guide...
Page 92 Test interface gateway by pinging is used by the Interface gateway Ping test as the endpoint for traceroute to use to determine the interface gateway. The default is 8.8.8.8, and should only be changed if this IP address is not accessible due to networking issues. IX40 User Guide...
Page 93 13. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 94 If dns is set, set the IPv4 or IPv6 address of the DNS server: (config network interface my_wan surelink tests 1)> dns_server IP_address (config network interface my_wan surelink tests 1)> http: Uses HTTP(s) GET requests to determine connectivity to the configured web server. IX40 User Guide...
Page 95 (config network interface my_wan surelink tests 1)> custom_test_commands " string " (config network interface my_wan surelink tests 1)> tcp_connection: Tests that the interface can reach a destination port on the configured host. If tcp_connection is selected, complete the following: IX40 User Guide...
Page 96 The test will pass only if the referenced interface is down or failing its own SureLink tests (if applicable). f. Repeat for each additional test. 6. Add recovery actions: a. Type ... to return to the root of the configuration: (config network interface my_wan surelink tests 1)> ... (config)> IX40 User Guide...
Page 97 (config network interface my_wan surelink actions 0)> metric_adjustment_modem (config network interface my_wan surelink actions 0)> The default is 100. Set the time to wait before the next test is run. If set to the default value of 0s, the test interval is used. IX40 User Guide...
Page 98 Set the time to wait before the next test is run. If set to the default value of 0s, the test interval is used. (config network interface my_wan surelink actions 0)> override_interval int (config network interface my_wan surelink actions 0)> IX40 User Guide...
Page 99 (config network interface my_wan surelink actions 0)> custom_action_commands_ modem " string " (config network interface my_wan surelink actions 0)> Set the time to wait before the next test is run. If set to the default value of 0s, the test interval is used. IX40 User Guide...
Page 100 For example, to set timeout to ten minutes, enter either 10m or 600s: (config)> network interface my_wan surelink timeout 600s (config)> IX40 User Guide...
Page 101: Configure The Device To Reboot When A Failure Is Detected
Type quit to disconnect from the device. Configure the device to reboot when a failure is detected Using SureLink, you can configure the IX40 device to reboot when it has determined that an interface has failed. IX40 User Guide...
Page 102 To configure the IX40 device to reboot when an interface has failed: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 103 When SureLink is configured for Wireless WANs, SureLink tests are only run if the cellular modem is connected and has an IP address. Use the SIM failover options to configure the IX40 device to automatically recover the modem in the event that it cannot obtain an IP address.
Page 104 DHCP, or statically configured for this interface. Test the interface status: Tests the current status of the interface. The test fails if the interface is down. Failing this test infers that all other tests fail. IX40 User Guide...
Page 105 11. Add recovery actions: a. Click to expand Recovery actions. By default, there are two preconfigured recovery actions: Update routing: Uses the Change default gateway action, which increases the interface's metric by 100 to change the default gateway. Restart interface. IX40 User Guide...
Page 106 Override wait interval before performing the next recovery action: The time to wait before the next test is run. If set to the default value of 0s, the Test interval is used. IX40 User Guide...
Page 107 Test interface gateway by pinging is used by the Interface gateway Ping test as the endpoint for traceroute to use to determine the interface gateway. The default is 8.8.8.8, and should only be changed if this IP address is not accessible due to networking issues. IX40 User Guide...
Page 108 13. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 109 If dns is set, set the IPv4 or IPv6 address of the DNS server: (config network interface my_wan surelink tests 1)> dns_server IP_address (config network interface my_wan surelink tests 1)> http: Uses HTTP(s) GET requests to determine connectivity to the configured web server. IX40 User Guide...
Page 110 (config network interface my_wan surelink tests 1)> custom_test_commands " string " (config network interface my_wan surelink tests 1)> tcp_connection: Tests that the interface can reach a destination port on the configured host. If tcp_connection is selected, complete the following: IX40 User Guide...
Page 111 The test will pass only if the referenced interface is down or failing its own SureLink tests (if applicable). f. Repeat for each additional test. 6. Add recovery actions: a. Type ... to return to the root of the configuration: (config network interface my_wan surelink tests 1)> ... (config)> IX40 User Guide...
Page 112 For example, to set interval to ten minutes, enter either 10m or 600s: (config)> network interface my_wan surelink interval 600s (config)> The default is 15m. IX40 User Guide...
Page 113 (config)> The default is 300s. g. Set the time to add to the test interval when restarting the list of actions. This option is capped at 15 minutes. (config)> network interface my_wan surelink advanced backoff_interval value (config)> IX40 User Guide...
Page 114: Disable Surelink
SureLink to disable the DNS test and use one or more other tests. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 115 7. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 116 WAN connections that do not allow DNS resolution, and configure alternate test. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 117 Ping payload size: The number of bytes to send as part of the ping payload. DNS test: Performs a DNS query to the named DNS server. If DNS test is selected, complete the following: DNS server: The IP address of the DNS server. IX40 User Guide...
Page 118 IPv6: The IPv6 connection must be up. Expected status: The status required for the test to past. Up: The test will pass only if the referenced interface is up and passing its own SureLink tests (if applicable). IX40 User Guide...
Page 119 13. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 120 If interface_up is set, complete the following: Set the amount of time that the interface is down before the test can be considered to have failed. (config network interface my_wan surelink tests 1)> interface_down_time value (config network interface my_wan surelink tests 1)> IX40 User Guide...
Page 121 Set the TCP port to create a TCP connection to. (config network interface my_wan surelink tests 1)> tcp_port port (config network interface my_wan surelink tests 1)> other: Tests the status of another interface. If other is selected, complete the following: IX40 User Guide...
Page 122: Example: Use A Ping Test For Wan Failover From Ethernet To Cellular
Update Routing recovery action will increase the metric for the ETH1 interface by 100, which will cause the IX40 device to start using the Modem interface as the default route. It continues to regularly test the connection to ETH1, and when tests on ETH1 succeed, the device falls back to that interface.
Page 123 Interfaces Wide Area Networks (WANs) É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 124 5. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 125: Using Ethernet Devices In A Wan
Typically, you configure SIM1 of the cellular modem as the primary cellular interface, and SIM2 as the backup cellular interface. In this way, if the IX40 device cannot connect to the network using SIM1, it automatically fails over to SIM2. IX40 devices automatically use the correct cellular module firmware for each carrier when switching SIMs.
Page 126 SIM that has been provisioned for 5Gsupport. To configure the modem: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 127 All technologies to configure the modem to use the best available technology. The default is All technologies. 5. For Antennas, select whether the modem should use the main antenna, the auxiliary antenna, or both the main and auxiliary antennas. IX40 User Guide...
Page 128 7. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 129 8. Set the maximum number of interfaces. This is used when using dual-APN SIMs. The default is (config)> network modem modem max_intfs int (config)> 9. Carrier switching allows the modem to automatically match the carrier for the active SIM. Carrier switching is enabled by default. To disable: IX40 User Guide...
Page 130 12. Configure default slice information: a. Enable the default slice for this modem: (config)> network modem modem default_slice_info enabled true (config)> b. Set the type of slice to be used: (config)> network modem modem default_slice_info sst value (config)> IX40 User Guide...
Page 131 APN. To configure the APN: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 132 9. To add additional APNs, for Add APN, click g and repeat the preceding instructions. 10. (Optional) To configure the device to bypass its preconfigured APN list and only use the configured APNs, enable APN list only. IX40 User Guide...
Page 133 11. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 134 APNs that can be used simultaneously. For example, Verizon offers this service as its Split Data Routing feature. This feature provides two separate networking paths through a single cellular modem and SIM card, and allows for configurations such as: IX40 User Guide...
Page 135 APNs, and then use routing roles to forward traffic to the appropriate WWAN interface. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 136 For Zone, select External. e. For Device, select Modem . f. (Optional): Configure the public APN. If the public APN is not configured, the IX40 will attempt to determine the APN. i. Click to expand APN list > APN.
Page 137 Configure the source address: i. Click to expand Source address. ii. For Type, select Interface. iii. For Interface, select LAN1. f. Configure the destination address: i. Click to expand Destination address. ii. For Type, select Interface. IX40 User Guide...
Page 138 6. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 139 Set the modem device: (config network interface WWANPublic)> modem device modem (config network interface WWANPublic)> d. (Optional): Set the public APN. If the public APN is not configured, the IX40 will attempt to determine the APN. (config network interface WWANPublic)> modem apn public_apn (config network interface WWANPublic)>...
Page 140 Set the interface to WWANPublic : (config network route policy 0)> interface /network/interface/WWANPublic (config network route policy 0)> f. Use to periods (..) to move back one level in the configuration: (config nnetwork route policy 0)> .. (config nnetwork route policy)> IX40 User Guide...
Page 141 Type quit to disconnect from the device. Configure manual carrier selection By default, your IX40 automatically selects the most appropriate cellular carrier based on the SIM that is in use and the status of available carriers in your area.
Page 142 Select Manual or Manual/Automatic carrier selection mode. The Network PLMN ID. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 143 6. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 144 Admin CLI. É Log into the IX40 WebUI as a user with full Admin access rights. 1. From the main menu, click Status > Modems. 2. croll to the Connection Status section and click SCAN.
Page 145 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 146 The modem status window is displayed Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 147 A SIM card can be locked if a user tries to set an invalid PIN for the SIM card too many times. In addition, some cellular carriers require a SIM PIN to be added before the SIM card can be used. If the SIM card is locked, the IX40 device cannot make a cellular connection. Command line...
Page 148 Wide Area Networks (WANs) To unlock a SIM card: 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 149 To run AT commands from the IX40 command line: Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 150 IMEI: 359072060451693 IMEI SV: 9 FSN: LQ650551070110 +GCAP: +CGSM 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 151: Configure A Wide Area Network (Wan)
Additional IPv4 configuration: The type being the way to control how the modem in the Digi device obtains an IP address from the cellular network. The metric for IPv4 routes associated with the WAN. The relative weight for IPv4 routes associated with the WAN.
Page 152 MACaddress denylist and allowlist. To create a new WAN or edit an existing WAN: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 153 8. (Optional) Click to expand 802.1x to configure 802.1x port based network access control. The IX40 can function as an 802.1x authenticator; it does not function as an 802.1x supplicant. a. Click to expand Authentication. b. Click Enable server to enable the 802.1x authenticator on the IX40 device.
Page 154 Never: Never use DNS servers for this interface. k. Enable DHCP Hostname to instruct the IX40 device to include the device's system name with DHCP requests as the Client FQDN option. The DHCP server can then be configured to register the device's hostname and IP address with an associated DNS server.
Page 155 13. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 156 DNS server, the interface with the lowest metric will be used for DNS requests. primary: Only use the DNS servers provided for this interface when the interface is the primary route. never: Never use DNS servers for this interface. IX40 User Guide...
Page 157 Interfaces Wide Area Networks (WANs) vi. Enable DHCP Hostname to instruct the IX40 device to include the device's system name with DHCP requests as the Client FQDN option. The DHCP server can then be configured to register the device's hostname and IP address with an associated DNS server.
Page 158 8. (Optional) To configure 802.1x port based network access control: Note The IX40 can function as an 802.1x authenticator; it does not function as an 802.1x supplicant. a. Enable the 802.1x authenticator on the IX40 device: (config network interface my_wan)> 802_1x authentication enable true (config network interface my_wan)>...
Page 159: Configure A Wireless Wide Area Network (Wwan)
APN configuration. The custom gateway/netmask. IPv4 configuration: The type being the way to control how the modem in the Digi device obtains an IP address from the cellular network. The metric for IPv4 routes associated with the WAN. The relative weight for IPv4 routes associated with the WAN.
Page 160 Configure SureLink active recovery to detect WAN/WWAN failures for further information. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 161 Manual: The cellular carrier must be manually configured. If the configured network is not available, no cellular connection will be established. Manual/Automatic: The carrier is manually configured. If the configured network is not available, automatic carrier selection is used. If Manual or Manual/Automatic is selected: IX40 User Guide...
Page 162 Reboot device: The device will reboot if automatic SIM switching is unavailable. 13. For APN list and APN list only, the IX40 device uses a preconfigured list of Access Point Names (APNs) when attempting to connect to a cellular carrier for the first time. After the device has successfully connected, it will remember the correct APN.
Page 163 IPv6 support is Enabled by default. Click to disable. c. Set the Type. Static IP address - Digi device obtains the static IP address from the cellular network. DHCP address - Digi device obtains IP address through a DHCP server on the cellular network.
Page 164 Interfaces Wide Area Networks (WANs) 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 165 (config network interface my_wwan)> modem imsi IMSI (config network interface my_wwan)> plmn_id Set the PLMN id that must be in active for this WWAN to be used: (config network interface my_wwan)> modem plmn_id PLMN_ID (config network interface my_wwan)> IX40 User Guide...
Page 166 Set the cellular network technology: (config network interface my_wwan)> modem operator_technology value (config network interface my_wwan)> where value is one of: all: The best available technology will be used. 2G: Only 2Gtechnology will be used. 3G: Only 3Gtechnology will be used. IX40 User Guide...
Page 167 The device will reboot if automatic SIM switching is unavailable. 12. The IX40 device uses a preconfigured list of Access Point Names (APNs) when attempting to connect to a cellular carrier for the first time. After the device has successfully connected, it will remember the correct APN.
Page 168 Where value is one of: static: Digi device obtains the static IP address from the cellular network. dhcp: Digi device obtains IP address via a DHCP server on the cellular network. c. Set the metric: (config network interface my_wwan)> ipv4 metric num (config network interface my_wwan)>...
Page 169 Where value is one of: static: Digi device obtains the static IP address from the cellular network. dhcp: Digi device obtains IP address via a DHCP server on the cellular network. c. Set the metric: (config network interface my_wwan)> ipv4 metric num (config network interface my_wwan)>...
Page 170: Show Wan And Wwan Status And Statistics
2. Under Networking, click Interfaces. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 171 WAN. For example, to display information about ETH1, enter show network interface eth1: > show network interface eth1 wan1 Interface Status --------------------- Device : eth1 Zone : external IPv4 Status : up IPv4 Type : dhcp IPv4 Address(es) : 10.10.10.10/24 IPv4 Gateway : 10.10.10.1 IX40 User Guide...
Page 172: Delete A Wan Or Wwan
Follow this procedure to delete any WANs and WWANs that have been added to the system. You cannot delete the preconfigured WAN, ETH1, or the preconfigured WWAN, Modem. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 173: Default Outbound Wan/Wwan Ports
5. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 174: Local Area Networks (Lans)
Interfaces Local Area Networks (LANs) Local Area Networks (LANs) The IX40 device is preconfigured with the following Local Area Networks (LANs): You can modify configuration settings for ETH2, and you can create new LANs. This section contains the following topics:...
Page 175: About Local Area Networks (Lans)
IP address and subnet of LAN1. Additional configuration items Additional IPv4 configuration: The type being the way to control how the modem in the Digi device obtains an IP address from the cellular network. The metric for IPv4 routes associated with the LAN.
Page 176 MACaddress denylist and allowlist. To create a new LAN or edit an existing LAN: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 177 8. (Optional) Click to expand 802.1x to configure 802.1x port based network access control. The IX40 can function as an 802.1x authenticator; it does not function as an 802.1x supplicant. a. Click to expand Authentication. b. Click Enable server to enable the 802.1x authenticator on the IX40 device.
Page 178 14. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 179 (config network interface my_lan)> ipv4 metric num (config network interface my_lan)> ii. Set the relative weight for default routes associated with this interface. For multiple active interfaces with the same metric, the weight is used to load balance traffic to the interfaces. IX40 User Guide...
Page 180 (config network interface my_lan)> ipv6 ? IPv6 Parameters Current Value ------------------------------------------------------------------------------- enable true Enable metric Metric mgmt Management priority 1500 prefix_id Prefix ID prefix_length Prefix length type prefix_delegation Type weight Weight Additional Configuration ------------------------------------------------------------------------------- connection_monitor Active recovery dhcpv6_server DHCPv6 server IX40 User Guide...
Page 181 8. (Optional) To configure 802.1x port based network access control: Note The IX40 can function as an 802.1x authenticator; it does not function as an 802.1x supplicant. a. Enable the 802.1x authenticator on the IX40 device: (config network interface my_lan)> 802_1x authentication enable true (config network interface my_lan)>...
Page 182: Configure The Wan/Eth1 Port As A Lan Or In A Bridge
WAN/ETH1 port. To configure the WAN/ETH1 Ethernet port as a LAN: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager:...
Page 183 Interfaces Local Area Networks (LANs) a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
Page 184 7. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 185 Ethernet ports to function as a hub. To bridge the IX40 device's WAN/ETH1 Ethernet port with the ETH2 port: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 186 Click to expand IPv4. f. For Address, type the IPv4 address and netmask, using the format IPv4_address/netmask, for example, 192.168.3.1/24. g. Enable the DHCP server: i. Click to expand DHCP server. ii. Click to toggle on Enable. IX40 User Guide...
Page 187 6. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 188: Change The Default Lan Subnet
DHCP server range will also change to the range of the LAN subnet. To change the LAN subnet: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
Page 189: Show Lan Status And Statistics
5. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 190 2. Under Networking, click Interfaces. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 191: Delete A Lan
Follow this procedure to delete any LANs that have been added to the system. You cannot delete the preconfigured LAN, LAN1. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 192: Dhcp Servers
5. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 193 Map static IP addresses to hosts for information about static leases. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 194 For Gateway, select either: None: No gateway is broadcast by the DHCP server. Client destinations must be resolvable without a gateway. Automatic: Broadcasts the IX40 device's gateway. Custom: Allows you to identify the IP address of a Custom gateway to be broadcast.
Page 195 12. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 196 DHCP address allocation generally should not be used. 8. Optional DHCP server settings: a. Click to expand Advanced settings. b. Determine how the DHCP server should broadcast the gateway server: (config)> network interface my_lan ipv4 dhcp_server advanced gateway value (config)> IX40 User Guide...
Page 197 No gateway is broadcast by the DHCP server. Client destinations must be resolvable without a gateway. auto: Broadcasts the IX40 device's gateway. custom: Allows you to identify the IP address of a custom gateway to be broadcast: (config)> network interface my_lan ipv4 dhcp_server advanced gateway_custom ip_ address (config)>...
Page 198 Additional configuration items A label for this instance of the static lease. To map static IP addresses: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. IX40 User Guide...
Page 199 11. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 200 2. Under Networking, click DHCP Leases. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 201 Delete static IP mapping entries To delete a static IP entry: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 202 7. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 203 Force the option to be sent to the DHCP clients. A label for the custom option. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 204 12. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 205 LAN. For the IX40 device, DHCP relay is configured by providing the IP address of a DHCP relay server, rather than an IP address range. If both the DHCP relay server and an IP address range are specified, DHCP relay is used, and the specified IP address range is ignored.
Page 206 DHCP requests. Additional configuration items IP address of additional DHCP relay servers. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 207 Interfaces Local Area Networks (LANs) 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 208: Default Services Listening On Lan Ports
2. Under Networking, click DHCP Leases. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 209: Configure An Interface To Operate In Passthrough Mode
IP address assigned to it on a WAN or cellular modem interface, to a client connected to a LAN interface. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 210 For Access concentrator name, type the name of the access concentrator to report to the client. If no name is provided, the host name is used. d. For Authentication method, select the authentication method used to connect to the remote peer. IX40 User Guide...
Page 211 14. (Optional) Click to expand 802.1x to configure 802.1x port based network access control. The IX40 can function as an 802.1x authenticator; it does not function as an 802.1x supplicant. a. Click to expand Authentication. b. Click Enable server to enable the 802.1x authenticator on the IX40 device.
Page 212 17. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 213 DNS server, the interface with the lowest metric will be used for DNS requests. primary: Only use the DNS servers provided for this interface when the interface is the primary route. never: Never use DNS servers for this interface. IX40 User Guide...
Page 214 Modify any of the remaining default settings as appropriate. 10. (Optional) To configure 802.1x port based network access control: Note The IX40 can function as an 802.1x authenticator; it does not function as an 802.1x supplicant. a. Enable the 802.1x authenticator on the IX40 device: (config network interface ip_passthrough_interface)>...
Page 215: Virtual Lans (Vlans)
VLAN can only access other devices on the same VLAN and each device is unaware of any other VLAN, which isolates networks from one another, even though they run over the same physical network. Your IX40 device supports two VLANs modes: Trunking: Supports multiple VLANs per Ethernet port, which enables you to extend your VLAN across multiple switches through your entire network.
Page 216: Create A Trunked Vlan Route
The VLAN ID. The TCP header uses the VLAN ID to identify the destination VLAN for the packet. To create a VLAN: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 217: Create A Vlan Using Switchport Mode
Create a VLAN using switchport mode Required configuration items Device to be assigned to the VLAN. The VLAN ID. The TCP header uses the VLAN ID to identify the destination VLAN for the packet. To create a VLAN using switchport mode: É IX40 User Guide...
Page 218 Interfaces Virtual LANs (VLANs) 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 219 Interfaces Virtual LANs (VLANs) 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 220: Bridging
You can also use bridging to create a Vitural LAN switchport bridge. See Create a VLAN using switchport mode for more information about switchport bridging for VLANs. This section contains the following topics: Configure a bridge IX40 User Guide...
Page 221: Configure A Bridge
Additional configuration items Enable Spanning Tree Protocol (STP). To create a bridge: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 222 10. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 223 8. (Optional) Enable Rapid Spanning Tree Protocol (RSTP) for faster response to topology changes on the network. (config network bridge my_bridge)> rstp enable true 9. Save the configuration and apply the change (config)> save Configuration saved. > IX40 User Guide...
Page 224: Show Surelink Status And Statistics
1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 225: Show Surelink Status For A Specific Interface
Interfaces Show SureLink status and statistics 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 226: Show Surelink Status For All Ipsec Tunnels
1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 227: Show Surelink Status For All Openvpn Clients
1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 228: Configure A Tcp Connection Timeout
A low number of retries will end a "stale" connection more quickly that a larger number. The default is 15 retries. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 229: Serial Port
Serial port IX40 devices have access to different features, depending on the serial port mode selection. Default serial port configuration You can review the default serial port configuration for your device. Serial mode options You can choose a serial mode option for each serial port, depending on the feature that you want to use.
Page 230: Configure Login Mode
To change the configuration to match the serial configuration of the device to which you want to connect: É Log into the IX40 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed.
Page 231 7. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 232 9. Set the stop bits used by the device to which you want to connect: (config)>serial port1 stopbits bits (config)> 10. Set the type of flow control used by the device to which you want to connect: (config)>serial port1 flow value (config)> where value is one of: none rts/cts xon/xoff IX40 User Guide...
Page 233: Configure Remote Access Mode
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Configure Remote Access mode Remote Access mode allows for remote access to another device that is connected to the serial port. IX40 User Guide...
Page 234 To change the configuration to match the serial configuration of the device to which you want to connect: É Log into the IX40 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed.
Page 235 Click to expand Access Control List. For example, to set the Access Control List for the SSH connection for serial port 1, click to expand Serial > Port 1 > SSH connection > Access Control List: IX40 User Guide...
Page 236 No limit to IPv6 addresses that can access the service-type. iv. Click g again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: i. Click Interfaces. ii. For Add Interface, click g .
Page 237 For Idle timeout, type the amount of time to wait before disconnecting due to user inactivity. 10. Expand Monitor Settings. a. Enable CTS to monitor CTS (Clear to Send) changes on this port. b. Enable DCD to monitor DCD (Data Carrier Detect) changes on this port. IX40 User Guide...
Page 238 12. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 239 Limit access to the serial port to a single active session: (config)>serial port1 exclusive true (config) c. Set the number of bytes of output from the serial port that are written to buffer. These bytes are redisplayed when a user connects to the serial port. IX40 User Guide...
Page 240 Enable autoconnect: (config)>serial port1 autoconnect enable true (config)> b. Set the option that will trigger the connection: (config)>serial port1 autoconnect trigger value (config)> where value is one of: always data destination match If match is selected: IX40 User Guide...
Page 241 (config)>serial port1 autoconnect port int (config)> where int is any integer between 1 and 65535. f. To enable TCP keepalive: (config)>serial port1 autoconnect keepalive true (config)> g. To enable TCP nodelay: (config)>serial port1 autoconnect nodely true (config)> IX40 User Guide...
Page 242 (config)>serial port1 service ssh port int (config)> where int is any integer between 1 and 65535. The default is 3001. iii. Enable TCP keep-alive messages: (config)>serial port1 service ssh keepalive true (config)> iv. Enable TCP nodelay messages: IX40 User Guide...
Page 243 No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: (config)> add serial port1 service ssh acl interface end value (config)>...
Page 244 Enable TCP keep-alive messages: (config)>serial port1 service tcp keepalive true (config)> iv. Set the option that initiates the connection: (config)>serial port1 service tcp conn_type value (config)> where value is one of: tls_auth The default is tls. IX40 User Guide...
Page 245 No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: (config)> add serial port1 service tcp acl interface end value (config)>...
Page 246 1 and 65535. The default is 3001. iii. Enable TCP keep-alive messages: (config)>serial port1 service telnet keepalive true (config)> iv. Enable TCP nodelay messages: (config)>serial port1 service telnet nodelay true (config)> v. (Optional) Configure access control: IX40 User Guide...
Page 247 No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: (config)> add serial port1 service telnet acl interface end value (config)>...
Page 248 Specify the data type: (config)>serial port1 logging type value (config)> where value is one of: received transmitted both arrows. This is the default. e. Log the time at which date was received or transmitted: (config)>serial port1 logging hex true (config)> IX40 User Guide...
Page 249: Configure Application Mode
To change the configuration to match the serial configuration of the device to which you want to connect: É Log into the IX40 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed.
Page 250 5. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 251: Configure Ppp Dial-In Mode
To change the configuration to match the serial configuration of the device to which you want to connect: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 252 Click Enable to enable the use of a connection script. c. For Connect script filename, type the name of the script. Scripts are located in the /etc/config/serial directory. An example script, windows_dun.sh is provided. Example windows_dun.sh file: IX40 User Guide...
Page 253 18. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 254 No authentication is required. auto: Attempt to authenticate using CHAP first, and then PAP. chap: Use Challenge Handshake Authentication Protocol (CHAP) to authenticate. pap: Use Password Authentication Protocol (PAP) to authenticate. IX40 User Guide...
Page 255 15. (Optional) Configure the serial port to use a custom PPP configuration file: a. Enable the use of a custom PPP configuration file: (config)> serial port1 ppp_dialin custom enable true (config)> b. Enable override to override the default PPP configuration and only use the custom configuration file: IX40 User Guide...
Page 256 # Read input from the serial port, one line at a time. while read -r line; do case "$line" in ATDT123) echo "CONNECT" # instruct the peer to start PPP exit 0 # start up the local PPP session IX40 User Guide...
Page 257: Configure Udp Serial Mode
To change the configuration to match the serial configuration of the device to which you want to connect: É Log into the IX40 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed.
Page 258 Click Enable to enable the data framing feature. ii. For Maximum Frame Count, enter the maximum size of the packet. The default is 1024. iii. For Idle Time, enter the length of time the device should wait before sending the packet. IX40 User Guide...
Page 259 For Destinations, you can configure the remote sites to which you want to send data. If you do not specify any destinations, the IX40 sends new data from the last IP address and port from which data was received. To add a destination: i.
Page 260 To limit access to specified IPv6 addresses and networks: i. Click IPv6 Addresses. ii. For Add Address, click g . iii. For Address, enter the IPv6 address or network that can access the device's service-type. Allowed values are: IX40 User Guide...
Page 261 9. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 262 9. Set the stop bits used by the device to which you want to connect: (config)>serial port1 label stopbits bits (config)> 10. Set the type of flow control used by the device to which you want to connect: (config)>serial port1 label flow type (config) IX40 User Guide...
Page 263 (config)> 14. Configure the remote sites to which you want to send data. If you do not specify any destinations, the IX40 send new data to the last hostname and port from which data was received. To add a destination:...
Page 264 A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. IX40 User Guide...
Page 265 Serial port Configure UDP serial mode To limit access to hosts connected through a specified interface on the IX40 device: (config)> add serial port1 udp acl interface end value (config)> Where value is an interface defined on your device. Display a list of available interfaces: Use ...
Page 266 No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: (config)> add serial port1 udp acl interface end value (config)>...
Page 267: Configure Modem Emulator Mode
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Configure Modem emulator mode Modem emulator mode allows the device to act as a dial-up modem emulator for handling incoming AT dial-ins. IX40 User Guide...
Page 268 To change the configuration to match the serial configuration of the device to which you want to connect: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 269 To limit access to specified IPv6 addresses and networks: i. Click IPv6 Addresses. ii. For Add Address, click g . iii. For Address, enter the IPv6 address or network that can access the device's service-type. Allowed values are: IX40 User Guide...
Page 270: Configure Modbus Mode
No limit to IPv6 addresses that can access the service-type. iv. Click g again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: i. Click Interfaces. ii. For Add Interface, click g .
Page 271 Serial port Configure Modbus mode Log into the IX40 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed. Note You can also configure the serial port by using Device Configuration > Serial. Changes made by using either Device Configuration or Serial Configuration will be reflected in both.
Page 272 Serial port Configure Modbus mode 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 273: Configure Realport Mode Using The Digi Navigator
Navigator. With Digi Navigator, For each of the devices that have been discovered, you can set all serial ports on the device to RealPort mode, and then also enable the RealPort service. The COM ports on your laptop are also configured.
Page 274: Install The Digi Navigator
The Digi Navigator application can also be downloaded from your device's product support page. 2. Scroll down to the Product Resources tab, and in the Drivers & Patches section, click Digi Navigator. 3. From the list box, select the appropriate Microsoft Windows option from the list of driver options.
Page 275: Configure Realport On A Digi Device From The Digi Navigator
3. Launch the Digi Navigator. 4. A list of the devices discovered by the Digi Navigator displays. Click on the device that you want to configure. For information about how devices are discovered and how to add a device...
Page 276 RealPort from within the Digi Navigator. 1. Launch the Digi Navigator if it is not currently open. A list of devices that have RealPort enabled and configured displays in the RealPort Devices section at the bottom of the application screen.
Page 277: Digi Navigator Device Discovery Process
Digi Navigator. If a Digi device is not on the same network as your computer or the device is undiscoverable, the device is not displayed in the Digi Navigator. You can add the device using that device's IP address, and after it has been added, it also displays in the Digi Navigator.
Page 278 Assign a generic IP address to the device If the IX40 device is directly connected to a computer or connected to a network with no DHCP server, you can assign a generic IP address to the device. Using this IP address requires you to set this IP...
Page 279 Step 1: Assign a generic IP address to the device 1. Make sure Digi Navigator is installed and the IX40 is powered and connected to your local network or computer with an Ethernet cable. 2. Launch the Digi Navigator. 3. Click Filters from the green toolbar to expand the toolbar and display the filter options.
Page 280 Serial port Configure RealPort mode using the Digi Navigator 4. Click Properties. The Internet Protocol Version 4 (TCP/IPv4) Properties dialog appears. 5. Select Use the following IP address. Note IMPORTANT: Make note of the current IP address entries for IP address, Subnet mask, and Default gateway.
Page 281 Click OK. Specify the IP address to discover a Digi device If a Digi device is not on the same network as your computer or the device is undiscoverable, you can manually add the device using that device's IP address.
Page 282: Digi Navigator Application Features
6. Enter the user name and password for the device in the User name and Password fields. 7. Click Submit. 8. The device you just added displays at the bottom of the Digi Navigator screen. You can click Refresh to update the screen until the device appears.
Page 283 After you have enabled and configured RealPort on at least one Digi device, a list of configured devices displays at the bottom of the Digi Navigator. You can refresh the list and easily access the COM port configuration on your computer.
Page 284 Click Login. Filter devices for display in the Digi Navigator You can use the Digi Navigator filters to determine the types of Digi devices you want to display. Only the devices that are powered on and are discoverable are included.
Page 285: Advanced Realport Configuration Without Using The Digi Navigator
Serial port Advanced RealPort configuration without using the Digi Navigator 4. In the Device Filters section, a list of the Digi device types display. All types are disabled by default, and when all are disabled, all types are displayed. 5. To filter the types that are displayed, click the enable slider for the types you want to display.
Page 286: Windows Operating System
Serial port Advanced RealPort configuration without using the Digi Navigator Windows Operating System This method can be used if your computer has a Windows OS installed and you choose not to use the Digi Navigator to discover devices and configure RealPort.
Page 287 1. Navigate to the downloaded Realport .zip file. 2. Open the .zip file. 3. Click on setup.exe to launch the RealPort wizard. The Welcome to the Digi RealPort Setup Wizard screen displays. 4. If this is not the first time you have run the wizard, select the Add a New Device option. If this is the first time running the wizard, no options are available on the screen.
Page 288: Configure The Serial Port For Realport Mode
Serial port Advanced RealPort configuration without using the Digi Navigator 7. Select the Encrypt Network Traffic check box to enable encrypted network traffic. When you select this option, the TCP Port for Encrypted Traffic field becomes available. 8. The TCP Port for Encrypted Traffic field has a default value of 1027. The entry must match the device's TCP port setting.
Page 289 Serial port Advanced RealPort configuration without using the Digi Navigator Log into the IX40 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed.
Page 290 8. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 291 Serial port Advanced RealPort configuration without using the Digi Navigator peer: Any user that tries to open the port can change the port settings. All users that try to open the port receive all of the data read to the port.
Page 292: Configure The Realport Service
Configure the RealPort service After you have configured RealPort mode on the IX40, you must enable and configure the RealPort service. When this step is complete, all of the serial ports on the IX40 are configured to use the RealPort service.
Page 293 14. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 294: Show Serial Status And Statistics
Show serial status and statistics To show the status and statistics for the serial port: É Log into the IX40 WebUI as a user with full Admin access rights. 1. On the main menu, click Status 2. Under Connections, click Serial.
Page 295: Review The Serial Port Message Log
Serial port Review the serial port message log 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 296 Serial port Review the serial port message log 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 297: Routing
Routing This chapter contains the following topics: IP routing Show the routing table Dynamic DNS Virtual Router Redundancy Protocol (VRRP) IX40 User Guide...
Page 298: Ip Routing
IP routing IP routing The IX40 device uses IP routes to decide where to send a packet it receives for a remote network. The process for deciding on a route to send the packet is as follows: 1. The device examines the destination IP address in the IP packet, and looks through the IP routing table to find a match for it.
Page 299: Configure A Static Route
The Maximum Transmission Units (MTU) of network packets using this route. To configure a static route: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 300 7. For Interface, select the interface on the IX40 device that will be used with this static route. 8. (Optional) For Gateway, type the IPv4 address of the gateway used to reach the destination.
Page 301 The any keyword can also be used to route packets to any destination with this static route. 6. Set the interface on the IX40 device that will be used with this static route: a. Use the ?to determine available interfaces: b.
Page 302: Delete A Static Route
Type quit to disconnect from the device. Delete a static route É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 303: Policy-Based Routing
However, you can use policy-based routing to forward the packet based on other criteria, such as the source of the packet. For example, you can configure the IX40 device so that high-priority traffic is routed through the cellular connection, while all other traffic is routed through an Ethernet (WAN) connection.
Page 304: Configure A Routing Policy
To configure a routing policy: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 305 5. (Optional) For Label, type a label that will be used to identify this route policy. 6. For Interface, select the interface on the IX40 device that will be used with this route policy. 7. (Optional) Enable Exclusive to configure the policy to drop packets that match the policy when the gateway interface is disconnected, rather than forwarded through other interfaces.
Page 306 13. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 307 (config network route policy 0)> label "New route policy" (config network route policy 0)> 5. Set the interface on the IX40 device that will be used with this route policy: a. Use the ?to determine available interfaces: b. Set the interface. For example: (config network route policy 0)>...
Page 308 (config network route policy 0)> src zone ? Zone: Match the IP address to the specified firewall zone. Format: dynamic_routes edge external internal ipsec loopback setup Default value: any Current value: any (config network route policy 0)> src zone IX40 User Guide...
Page 309 Matches the destination IP address to the selected firewall zone. Set the zone: a. Use the ?to determine available zones: (config network route policy 0)> dst zone ? Zone: Match the IP address to the specified firewall zone. Format: IX40 User Guide...
Page 310 IPv6_address[/prefix_length], or any to match any IPv6 address. mac: Matches the destination MACaddress to the specified MACaddress. Set the MAC address to be matched: (config network route policy 0)> dst mac MAC_address (config network route policy 0)> IX40 User Guide...
Page 311: Example: Dual Wan Policy-Based Routing
This example routes traffic to a specific IP address to go through the cellular WWAN interface, while all other traffic uses the Ethernet WAN interface. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 312 9. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 313: Example: Domain-Based Routing With Dual Wan
This example routes traffic destined for a specific domain to the WAN Ethernet port, and never through the cellular modem. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
Page 314 Routing IP routing a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
Page 315 9. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 316: Example: Route Traffic To A Specific Wan Interface Based On The Client Mac Address
This example routes all data from a certain client device through a cellular WAN based on the device's MACaddress, while all other client devices are routed through the Ethernet WAN. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 317 Configure the Ethernet WAN interface: i. Click Network > Interfaces > . ii. For Zone, select EthernetWAN. 5. Configure the policy-based route for traffic from the client device that will be sent over the cellular WAN: IX40 User Guide...
Page 318 6. Create a packet filtering rule that rejects all other LAN packets on the cellular WAN interface. a. Click Firewall > Packet filtering. b. Click the g to add a new packet filtering rule. c. For Label, type Reject LAN traffic to cellular WAN. d. For Action, select Drop. IX40 User Guide...
Page 319 7. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 320 (config network route policy 0)> src mac 26:88:0E:23:50:C2 (config network route policy 0)> e. Configure the destination zone: i. Set the source destination to zone: (config network route policy 0)> dst type zone (config network route policy 0)> IX40 User Guide...
Page 321: Routing Services
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Routing services Your IX40 includes support for dynamic routing services and protocols. The following routing services are supported: IX40 User Guide...
Page 322: Configure Routing Services
Enable routing services. Enable and configure the types of routing services that will be used. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 323 6. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 324: Show The Routing Table
Type quit to disconnect from the device. Show the routing table To display the routing table: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. IX40 User Guide...
Page 325: Dynamic Dns
5. Click IPv6 Load Balance to view IPv6 load balancing. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 326: Configure Dynamic Dns
The amount of time to wait for an IP address update to succeed before retrying the update. The number of times to retry a failed IP address update. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 327 The setting for Forced update interval must be larger than the setting for Check Interval. 12. (Optional) For Retry interval, type the amount of time to wait for an IP address update to succeed before retrying the update. IX40 User Guide...
Page 328 14. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 329 (config network ddns new_ddns_instance)> force_interval value (config network ddns new_ddns_instance)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set force_interval to ten minutes, enter either 10m or 600s: IX40 User Guide...
Page 330: Virtual Router Redundancy Protocol (Vrrp)
Multiple IX40 devices can be configured as VRRP devices and assigned a priority. The router with the highest priority will be used as the master router. If the master router fails, then the IP address of the virtual router is mapped to the backup device with the next highest priority.
Page 331: Configure Vrrp
VRRP-enabled devices and dynamically change the VRRP priorty of devices based on the status of their network connectivity. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 332 For Virtual IP, type the IPv4 or IPv6 address for a virtual IP of this VRRP instance. d. (Optional) Repeat to add additional virtual IPs. 11. See Configure VRRP+ for information about configuring VRRP+. 12. Click Apply to save the configuration and apply the change. Command line IX40 User Guide...
Page 333 Routing Virtual Router Redundancy Protocol (VRRP) 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 334: Configure Vrrp
VRRP+ is an extension to the VRRP standard that uses SureLink network probing to monitor connections through VRRP-enabled devices and adjust devices' VRRP priority based on the status of the SureLink tests. This section describes how to configure VRRP+ on a IX40 device. Required configuration items Both master and backup devices: A configured and enabled instance of VRRP.
Page 335 Routing Virtual Router Redundancy Protocol (VRRP) 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 336 VRRP virtual IP addresses: i. Click to expand DHCP Server > Advanced settings. ii. For Gateway, select Custom. iii. For Custom gateway, enter the IP address of one of the virtual IPs used by this VRRP IX40 User Guide...
Page 337 11. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 338 VRRP virtual IP addresses: i. Set the DHCP server gateway type to custom: (config)> network interface eth2 ipv4 dhcp_server advanced gateway custom (config)> ii. Determine the VRRP virtual IP addresses: (config)> show network vrrp VRRP_test virtual_address 0 192.168.3.3 IX40 User Guide...
Page 339 (config)> add network interface eth2 ipv4 surelink target end (config network interface eth2 ipv4 surelink target 0)> v. Configure the type of test for the test target: (config network interface eth2 ipv4 surelink target 0)> test value (config network interface eth2 ipv4 surelink target 0)> IX40 User Guide...
Page 340 For example, to set interface_down_time to ten minutes, enter either 10m or 600s: (config network interface eth2 ipv4 surelink target 0)> interface_down_time 600s (config network interface eth2 ipv4 surelink target 0)> The default is 60 seconds. IX40 User Guide...
Page 341: Example: Vrrp/Vrrp+ Configuration
Configure device one (master device) É Task 1: Configure VRRP on device one 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 342 9. Click to expand Virtual IP addresses. 10. Click g to add a virtual IP address. 11. For Virtual IP, type 192.168.3.3. Task 2: Configure VRRP+ on device one 1. Click to expand VRRP+. 2. Click Enable. 3. Click to expand Monitor interfaces. IX40 User Guide...
Page 343 Command line Task 1: Configure VRRP on device one 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 344 Task 3: Configure the IP address for the VRRP interface, ETH2, on device one 1. Type ... to return to the root of the config prompt: (config network vrrp VRRP_test )> ... (config)> 2. Set the IP address for ETH2: (config)> network interface eth2 ipv4 address 192.168.3.1/24 (config)> IX40 User Guide...
Page 345: Configure Device Two (Backup Device)
Configure device two (backup device) É Task 1: Configure VRRP on device two 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 346 9. Click to expand Virtual IP addresses. 10. Click g to add a virtual IP address. 11. For Virtual IP, type 192.168.3.3. Task 2: Configure VRRP+ on device two 1. Click to expand VRRP+. 2. Click Enable. 3. Click to expand Monitor interfaces. IX40 User Guide...
Page 347 4. Click to expand Test targets > Test target. 5. For Test Type, select Ping test. 6. For Ping host, type https://remotemanager.digi.com. Task 5: Configure the DHCP server for ETH2 on device two 1. Click to expand Network > Interfaces > ETH2 > IPv4 > DHCP Server 2.
Page 348 Command line Task 1: Configure VRRP on device two 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 349 1. Enable SureLink on the ETH2 interface: (config)> network interface eth2 ipv4 surelink enable true (config)> 2. Create a SureLink test target: (config)> add network interface eth2 ipv4 surelink target end (config network interface eth2 ipv4 surelink target 0)> IX40 User Guide...
Page 350: Show Vrrp Status And Statistics
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show VRRP status and statistics This section describes how to display VRRP status and statistics for a IX40 device. VRRP status is available from the Web UI only. IX40 User Guide...
Page 351 Routing Virtual Router Redundancy Protocol (VRRP) É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 352 Virtual IP address(es) : 10.10.10.1, 100.100.100.1 Current State : Master Current Priority : 100 Last Transition : Tue Jan 1 00:00:39 2019 Became Master Released Master Adverts Sent : 71 Adverts Received Priority Zero Sent Priority zero Received : 0 > IX40 User Guide...
Page 353: Virtual Private Networks (Vpn)
Virtual Private Networks (VPNs) are used to securely connect two private networks together so that devices can connect from one network to the other using secure channels. This chapter contains the following topics: IPsec OpenVPN Generic Routing Encapsulation (GRE) Dynamic Multipoint VPN (DMVPN) L2TP L2TPv3 Ethernet MACsec NEMO IX40 User Guide...
Page 354: Ipsec
Authentication of data to ensure an unauthorized device has not injected it into the IPsec tunnel. IPsec mode The IX40 supports the Tunnel mode. With the Tunnel mode, the entire IP packet is encrypted and/or authenticated and then encapsulated as the payload in a new IP packet. Transport mode is not currently supported.
Page 355: Authentication
XAUTH client. RSASignatures With RSA signatures authentication, the IX40 device uses a private RSA key to authenticate with a remote peer that is using a corresponding public key. Certificate-based Authentication X.509 certificate-based authentication makes use of private keys on both the server and client which...
Page 356 NAT is being used. If using IPsec failover, identify the primary tunnel during configuration of the backup tunnel. The Network Address Translation (NAT) keep alive time. The protocol, either Encapsulating Security Payload (ESP) or Authentication Header (AH). IX40 User Guide...
Page 357 Configure a static route for information about configuring a static route. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 358 Click to expand Firewall > Packet filtering. b. For Add packet filter, click g . c. For Label, type Allow incoming IPsec traffic. d. For Source zone, select IPsec. Leave all other fields at their default settings. IX40 User Guide...
Page 359 For Local key, type the local pre-shared key. This must be the same as the remote key on the remote host. ii. For Remote key, type the remote pre-shared key. This must be the same as the local key on the remote host. IX40 User Guide...
Page 360 SCEP certificates: Uses Simple Certificate Enrollment Protocol (SCEP) to download a private key, certificates, and an optional Certificate Revocation List (CRL) to the IX40 device from a SCEP server. You must create the SCEP client prior to configuring the IPsec tunnel. See...
Page 361 For Hostname, type a hostname or IPv4 address. If your device is not configured to initiate the IPsec connection (see IKE > Initiate connection), you can also use the keyword any, which means that the hostname is dynamic or unknown. iii. Click g again to add additional hostnames. IX40 User Guide...
Page 362 Serial number: The device's serial number will be used as the ID and sent as a ID_KEY_ID IKE identity. 21. Click to expand Policies. Policies define the network traffic that will be encapsulated by this tunnel. a. Click g to create a new policy. The new policy configuration is displayed. IX40 User Guide...
Page 363 For Protocol, select one of the following: Any: Matches any protocol. TCP: Matches TCP protocol only. UDP: Matches UDP protocol only. ICMP: Matches ICMP requests only. Other protocol: Matches an unlisted protocol. If Other protocol is selected, type the number of the protocol. IX40 User Guide...
Page 364 Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Phase 2 lifetime to ten minutes, enter 10m or 600s. IX40 User Guide...
Page 365 27. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 366 Default value: ipsec Current value: ipsec (config vpn ipsec tunnel ipsec_example)> Note Depending on your network configuration, you may need to add a packet filtering rule to allow incoming traffic. For example, for the IPsec zone: IX40 User Guide...
Page 367 (config vpn ipsec tunnel ipsec_example)> type protocol (config vpn ipsec tunnel ipsec_example)> where protocol is either: esp (Encapsulating Security Payload): Provides encryption as well as authentication and integrity. ah (Authentication Header): Provides authentication and integrity only. The default is esp. IX40 User Guide...
Page 368 (config vpn ipsec tunnel ipsec_example)> auth private_key_passphrase passphrase (config vpn ipsec tunnel ipsec_example)> c. For the peer_public_key parameter, paste the peer's public RSA key in PEM format: (config vpn ipsec tunnel ipsec_example)> auth peer_public_key key (config vpn ipsec tunnel ipsec_example)> IX40 User Guide...
Page 369 Enable XAUTH client functionality: (config vpn ipsec tunnel ipsec_example)> xauth_client enable true (config vpn ipsec tunnel ipsec_example)> b. Set the XAUTH client username: (config vpn ipsec tunnel ipsec_example)> xauth_client username name (config vpn ipsec tunnel ipsec_example)> IX40 User Guide...
Page 370 (config vpn ipsec tunnel ipsec_example)> ipv6: The ID will be interpreted as an IPv6 address and sent as an ID_IPV6_ADDR IKE identity. Set an IPv6 formatted ID. This can be a fully-qualified domain name or an IPv6 address. IX40 User Guide...
Page 371 Randomly selects an IPsec peer to connect to from the hostname list. priority: Selects the first hostname in the list that is resolvable. c. Set the ID type: (config vpn ipsec tunnel ipsec_example)> remote id type value (config vpn ipsec tunnel ipsec_example)> IX40 User Guide...
Page 372 The device's MAC address will be used for the Key ID and sent as an ID_KEY_ID IKE identity. serial_number: The ID device's serial number will be used for the Key ID and sent as an ID_KEY_ID IKE identity. IX40 User Guide...
Page 373 (config vpn ipsec tunnel ipsec_example)> ike phase1_lifetime value (config vpn ipsec tunnel ipsec_example)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set phase1_lifetime to ten minutes, enter either 10m or 600s: IX40 User Guide...
Page 374 Set the type of encryption to use during phase 1: (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> cipher value (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> where value is one of: 3des aes128 aes128gcm128 aes128gcm64 aes128gcm96 aes192 IX40 User Guide...
Page 375 The default is modp2048. v. (Optional) Add additional phase 1 proposals: i. Move back one level in the schema: (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> .. (config vpn ipsec tunnel ipsec_example ike phase1_proposal)> ii. Add an additional proposal: IX40 User Guide...
Page 376 Set the type of hash to use during phase 2 to verify communication integrity: (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> hash value (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> where value is one of: sha1 IX40 User Guide...
Page 377 Change to the root of the configuration schema: (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> ... (config)> b. To disable dead peer detection: (config)> vpn ipsec tunnel ipsec_example dpd enable false (config)> IX40 User Guide...
Page 378 The address of a local network interface. Set the address: i. Use the ?to determine available interfaces: ii. Set the interface. For example: (config vpn ipsec tunnel ipsec_example policy 0)> local address eth1 (config vpn ipsec tunnel ipsec_example policy 0)> IX40 User Guide...
Page 379 Allowed values are an integer between 1 and 255. f. Set the IP address and optional netmask of the remote traffic selector: (config vpn ipsec tunnel ipsec_example policy 0)> remote network value (config vpn ipsec tunnel ipsec_example policy 0)> IX40 User Guide...
Page 380 Maximum IKE fragment size ike_retransmit_tries IKE retransmit tries keep_alive NAT keep alive time Additional Configuration ------------------------------------------------------------------------------- connection_retry_timeout Connection retry timeout connection_try_interval Connection try interval ike_timeout IKE timeout (config)> Generally, the default settings for these should be sufficient. IX40 User Guide...
Page 381 20. Save the configuration and apply the change (config)> save Configuration saved. > 21. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 382: Configure Ipsec Failover
Virtual Private Networks (VPN) IPsec Configure IPsec failover There are two methods to configure the IX40 device to fail over from a primary IPsec tunnel to a backup tunnel: SureLink active recovery—You can use SureLink along with the IPsec tunnel's metric to configure two or more tunnels so that when the primary tunnel is determined to be inactive by SureLink, a secondary tunnel can begin serving traffic that the primary tunnel was serving.
Page 383 See Configure an IPsec tunnel for instructions. During configuration of the IPsec tunnel, set the metric to a value that is higher than the metric of the primary tunnel (for example, 20). Command line IX40 User Guide...
Page 384 Use the ?to view a list of available tunnels: (config vpn ipsec tunnel backup_ipsec_tunnel)> ipsec_failover ? Preferred tunnel: This tunnel will not start until the preferred tunnel has failed. It will continue to operate until the preferred tunnel returns to full operation status. Format: primary_ipsec_tunnel IX40 User Guide...
Page 385: Configure Surelink Active Recovery For Ipsec
To configure the IX40 device to regularly probe the IPsec connection: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 386 All test pass: All tests need to pass for SureLink to consider the interface to be up. 9. (Optional) For Pass threshold, type or select the number of times that the test must pass after failure, before the interface is determined to be working and is reinstated. IX40 User Guide...
Page 387 If HTTP test is selected, complete the following: Web server: The URL of the web server. Test DNS servers configured for this interface: Tests communication with DNS servers that are either provided by DHCP, or statically configured for this interface. IX40 User Guide...
Page 388 Down: The test will pass only if the referenced interface is down or failing its own SureLink tests (if applicable). e. Repeat for each additional test. 12. Add recovery actions: a. Click to expand Recovery actions. By default, there are two preconfigured recovery actions: IX40 User Guide...
Page 389 If set to the default value of 0s, the Test interval is used. Switch to alternate SIM: Switches to an alternate SIM. This recovery action is available for WWAN interfaces only. If Switch to alternate SIM is selected, complete the following: IX40 User Guide...
Page 390 For Backoff interval, type the time to add to the test interval when restarting the list of actions. This option is capped at 15 minutes. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. IX40 User Guide...
Page 391 14. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 392 If dns is set, set the IPv4 or IPv6 address of the DNS server: (config vpn ipsec tunnel ipsec_example surelink tests 1)> dns_server IP_address (config vpn ipsec tunnel ipsec_example surelink tests 1)> http: Uses HTTP(s) GET requests to determine connectivity to the configured web server. IX40 User Guide...
Page 393 If custom_test is set, set the commands to run to perform the test: (config vpn ipsec tunnel ipsec_example surelink tests 1)> custom_test_commands " string " (config vpn ipsec tunnel ipsec_example surelink tests 1)> tcp_connection: Tests that the interface can reach a destination port on the configured host. IX40 User Guide...
Page 394 The test will pass only if the referenced interface is up and passing its own SureLink tests (if applicable). down: The test will pass only if the referenced interface is down or failing its own SureLink tests (if applicable). f. Repeat for each additional test. IX40 User Guide...
Page 395 (config vpn ipsec tunnel ipsec_example surelink actions 0)> modem_action value (config vpn ipsec tunnel ipsec_example surelink actions 0)> WAN interfaces: (config vpn ipsec tunnel ipsec_example surelink actions 0)> action value (config vpn ipsec tunnel ipsec_example surelink actions 0)> IX40 User Guide...
Page 396 (config vpn ipsec tunnel ipsec_example surelink actions 0)> override_interval int (config vpn ipsec tunnel ipsec_example surelink actions 0)> reset_modem: This recovery action is available for WWAN interfaces only. If reset_modem is selected, complete the following: IX40 User Guide...
Page 397 (config vpn ipsec tunnel ipsec_example surelink actions 0)> override_interval int (config vpn ipsec tunnel ipsec_example surelink actions 0)> reboot_device. If reboot_device is selected, complete the following: Set the number of failures for this recovery action to perform, before moving to the next recovery action: IX40 User Guide...
Page 398 For example, to set interval to ten minutes, enter either 10m or 600s: (config)> vpn ipsec tunnel ipsec_example surelink interval 600s (config)> The default is 15m. IX40 User Guide...
Page 399 The default is 300s. g. Set the time to add to the test interval when restarting the list of actions. This option is capped at 15 minutes. (config)> vpn ipsec tunnel ipsec_example surelink advanced backoff_interval value (config)> IX40 User Guide...
Page 400: Show Ipsec Status And Statistics
Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 401: Debug An Ipsec Configuration
É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 402 6. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 403: Configure A Simple Certificate Enrollment Protocol Client
The number of days that the certificate enrollment can be renewed, prior to the request expiring. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 404 9. For Renewable Time, type the number of days that the certificate enrollment can be renewed, prior to the request expiring. This value is configured on the SCEP server, and is used by the IX40 device to determine when to start attempting to auto-renew an existing certificate. The default is 7.
Page 405 Click to expand CRL. b. Click Enable to enable the CRL. c. For Type, select the type of CRL: URL: The URL to the file name used to access the certificate revocation list from the CRLDP: The CRL distribution point. IX40 User Guide...
Page 406 22. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 407 Set the Common Name: (config network scep_client scep_client_name)> distinguished_name cn value (config network scep_client scep_client_name)> 10. (Optional) Configure the certificate revocation list (CRL): a. Enable the CRL: (config network scep_client scep_client_name)> crl enable true (config network scep_client scep_client_name)> IX40 User Guide...
Page 408 (config network scep_client scep_client_name)> polling_interval value (config network scep_client scep_client_name)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set polling_interval to ten minutes, enter either 10m or 600s: IX40 User Guide...
Page 409: Example: Scep Client Configuration With Fortinet Scep Server
Type quit to disconnect from the device. Example: SCEP client configuration with Fortinet SCEP server In this example configuration, we will configure the IX40 device as a SCEP client that will connect to a Fortinet SCEP server. Fortinet configuration On the Fortinet server: 1.
Page 410 Click OK. IX40 configuration On the IX40 device: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 411 Fortinet server. 7. (Optional) Click Debug to enable verbose logging in /var/log/scep_client. 8. Click to expand SCEP server. 9. For FQDN, type the fully qualified domain name or IP address of the Fortinet server. IX40 User Guide...
Page 412 13. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 413 This value must match the setting of the Allow renewal x days before the certified is expired option on the Fortinet server. (config network scep_client Fortinet_SCEP_client)> renewable_time integer (config network scep_client Fortinet_SCEP_client)> 9. (Optional) Enable verbose logging in /var/log/scep_client: (config network scep_client Fortinet_SCEP_client)> debug true (config network scep_client Fortinet_SCEP_client)> IX40 User Guide...
Page 414: Show Scep Client Status And Information
This procedure is only available from the Admin CLI. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 415 Last Update : May 23 13:27:21 2022 GMT > 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 416: Openvpn
OpenVPN clients. OpenVPN clients use Network Address Translation (NAT) to route traffic from devices connected on its LAN interfaces to the OpenVPN server. The manner in which the IP subnets are defined depends on the OpenVPN topology in use. The IX40 device supports two types of OpenVPN topology:...
Page 417: Configure An Openvpn Server
Virtual Private Networks (VPN) OpenVPN OpenVPN managed—The IX40 device creates the interface and then uses its standard configuration to set up the connection (for example, its standard DHCP server configuration). Device only—IP addressing is controlled by the system, not by OpenVPN.
Page 418 Access control list configuration to restrict access to the OpenVPN server through the firewall. Additional OpenVPN parameters. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 419 Certificate and username/password: Uses both certificates and a username and password for client authentication. Each client requires a public and private key, and you must create an OpenVPN authentication group and user. See Configure an OpenVPN Authentication Group and User for instructions. IX40 User Guide...
Page 420 No limit to IPv6 addresses that can access the service-type. d. Click g again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: a. Click Interfaces. b. For Add Interface, click g .
Page 421 OpenVPN Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 422 1 and 255. The number entered here will represent the last client IP address. For example, if address is set to 192.168.1.1/24 and server_last_ip is set to 99, the last client IP address will be 192.168.1.80. The default is from 80. IX40 User Guide...
Page 423 Paste the contents of the public key (for example, server.crt) into the value of the server_cert parameter: (config vpn openvpn server name )> server_cert value (config vpn openvpn server name )> iv. Paste the contents of the private key (for example, server.key) into the value of the server_key parameter: IX40 User Guide...
Page 424 No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: (config vpn openvpn server name)> add acl interface end value (config vpn openvpn server name)>...
Page 425: Configure An Openvpn Authentication Group And User
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Configure an OpenVPN Authentication Group and User If username and password authentication is used for the OpenVPN server, you must create an OpenVPN authentication group and user. IX40 User Guide...
Page 426 IX40 user authentication for more information about creating authentication groups and users. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 427 Type a password for the user. This password is used for local authentication of the user. You can also configure the user to use RADIUS or TACACS+ authentication by configuring authentication methods. See User authentication methods for information. IX40 User Guide...
Page 428 OpenVPN d. Click to expand the Groups node. e. Click g to add a group to the user. f. Select a Group with OpenVPN access enabled. 5. Click Apply to save the configuration and apply the change. IX40 User Guide...
Page 429 OpenVPN Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 430: Configure An Openvpn Client By Using An .Ovpn File
Configure SureLink active recovery for OpenVPN for information about OpenVPN active recovery. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 431 11. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 432 8. Save the configuration and apply the change (config)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 433: Configure An Openvpn Client Without Using An .Ovpn File
Configure SureLink active recovery for OpenVPN for information about OpenVPN active recovery. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 434 13. Paste the contents of the CA certificate (usually in a ca.crt file), the Public key (for example, client.crt), and the Private key (for example, client.key) into their respective fields. The contents will be hidden when the configuration is saved. 14. (Optional) Click to expand Advanced Options to manually set additional OpenVPN parameters. IX40 User Guide...
Page 435 15. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 436 12. Paste the contents of the public key (for example, client.crt) into the value of the public_cert parameter: (config vpn openvpn client name )> public_cert value (config vpn openvpn client name )> 13. Paste the contents of the private key (for example, client.key) into the value of the private_key parameter: IX40 User Guide...
Page 437: Configure Surelink Active Recovery For Openvpn
Type quit to disconnect from the device. Configure SureLink active recovery for OpenVPN You can configure the IX40 device to regularly probe OpenVPN client connections to determine if the connection has failed and take remedial action. Required configuration items A valid OpenVPN client configuration.
Page 438 OpenVPN To configure the IX40 device to regularly probe the OpenVPN connection: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 439 The Interface gateway. If Interface gateway is selected, an initial traceroute is sent to the hostname or IP address configured in the SureLink advanced settings, and then the first hop in that route is used for the ping test. IX40 User Guide...
Page 440 TCP connect host: The hostname or IP address of the host to create a TCP connection to. TCP connect port: The TCP port to create a TCP connection to. Test another interface's status: Tests the status of another interface. If Test another interface's status is selected, complete the following: IX40 User Guide...
Page 441 Override wait interval before performing the next recovery action: The time to wait before the next test is run. If set to the default value of 0s, the Test interval is used. Restart interface. If Restart interface is selected, complete the following: IX40 User Guide...
Page 442 Powercycle the modem. This recovery action is available for WWAN interfaces only. If Powercycle the modem is selected, complete the following: SureLink test failures: The number of failures for this recovery action to perform, before moving to the next recovery action. IX40 User Guide...
Page 443 14. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 444 The hostname or IP address of an external server. Set ping_host to the hostname or IP address of the server: (config vpn openvpn client openvpn_client1 surelink tests 1)> ping_host hostname/IP_address (config vpn openvpn client openvpn_client1 surelink tests 1)> IX40 User Guide...
Page 445 For example, to set interface_down_time to ten minutes, enter either 10m or 600s: (config vpn openvpn client openvpn_client1 surelink tests 1)> interface_down_time 600s (config)> Set the amount of time to wait for the interface to connect for the first time before the test is considered to have failed. IX40 User Guide...
Page 446 (config vpn openvpn client openvpn_client1 surelink tests 1)> other_interface /network/interface/eth1 (config vpn openvpn client openvpn_client1 surelink tests 1)> Set the type of IP connection: (config vpn openvpn client openvpn_client1 surelink tests 1)> other_ip_version value (config vpn openvpn client openvpn_client1 surelink tests 1)> IX40 User Guide...
Page 447 Set the number of failures for this recovery action to perform, before moving to the next recovery action: (config vpn openvpn client openvpn_client1 surelink actions 0)> test_failures int (config vpn openvpn client openvpn_client1 surelink actions 0)> The default is 3. IX40 User Guide...
Page 448 Set the time to wait before the next test is run. If set to the default value of 0s, the test interval is used. (config vpn openvpn client openvpn_client1 surelink actions 0)> override_interval int (config vpn openvpn client openvpn_client1 surelink actions 0)> restart_interface. If restart_interface is selected, complete the following: IX40 User Guide...
Page 449 (config vpn openvpn client openvpn_client1 surelink actions 0)> modem_power_cycle: This recovery action is available for WWAN interfaces only. If modem_power_cycle is selected, complete the following: Set the number of failures for this recovery action to perform, before moving to the next recovery action: IX40 User Guide...
Page 450 Set the time to wait before the next test is run. If set to the default value of 0s, the test interval is used. (config vpn openvpn client openvpn_client1 surelink actions 0)> override_interval int (config vpn openvpn client openvpn_client1 surelink actions 0)> g. Repeat for each additional recovery action. 7. Optional SureLink configuration parameters: IX40 User Guide...
Page 451 (config)> vpn openvpn client openvpn_client1 surelink timeout 600s (config)> The default is 15s. f. Set the amount of time to wait while the device is starting before SureLink testing begins. This setting is bypassed when the interface is determined to be up. IX40 User Guide...
Page 452: Show Openvpn Server Status And Statistics
Show SureLink status and statistics for information about showing Surelink status for OpenVPN clients. Show OpenVPN server status and statistics You can view status and statistics for OpenVPN servers from either the web interface or the command line: É IX40 User Guide...
Page 453: Show Openvpn Client Status And Statistics
OpenVPN server's status pane. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 454 OpenVPN client's status pane. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 455: Generic Routing Encapsulation (Gre)
Enable the device to respond to keepalive packets. Task One: Create a GRE loopback endpoint interface É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 456 11. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 457 Type quit to disconnect from the device. Task Two: Configure the GRE tunnel É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 458 12. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 459 (config vpn iptunnel gre_example)> save Configuration saved. > 11. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 460: Show Gre Tunnels
Show GRE tunnels To view information about currently configured GRE tunnels: É Log into the IX40 WebUI as a user with full Admin access rights. 1. On the menu, click Status > IP tunnels. The IP Tunnelspage appears. 2. To view configuration details about a GRE tunnel, click the (configuration) icon in the upper right of the tunnel's status pane.
Page 461: Example: Gre Tunnel Over An Ipsec Tunnel
Example: GRE tunnel over an IPSec tunnel The IX40 device can be configured as an advertised set of routes through an IPSec tunnel. This allows you to leverage the dynamic route advertisement of GRE tunnels through a secured IPSec tunnel.
Page 462 Configuration procedures Configure the IX40-1 device Task one: Create an IPsec tunnel É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 463 15. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 464 4. Set the pre-shared key to testkey: (config vpn ipsec tunnel ipsec_gre1)> auth secret testkey (config vpn ipsec tunnel ipsec_gre1)> 5. Set the remote endpoint to public IP address of the IX40-2 device: (config vpn ipsec tunnel ipsec_gre1)> remote hostname 192.168.101.1 (config vpn ipsec tunnel ipsec_gre1)>...
Page 465 4. Set the device to /network/device/loopback: (config network interface ipsec_endpoint1)> device /network/device/loopback (config network interface ipsec_endpoint1)> 5. Set the IPv4 address to the IP address of the local GRE tunnel, 172.30.0.1/32: (config network interface ipsec_endpoint1)> ipv4 address 172.30.0.1/32 (config network interface ipsec_endpoint1)> IX40 User Guide...
Page 466 (/network/interface/ipsec_endpoint1): (config vpn iptunnel gre_tunnel1)> local /network/interface/ipsec_endpoint1 (config vpn iptunnel gre_tunnel1)> 4. Set the remote endpoint to the IP address of the GRE tunnel on IX40-2, 172.30.0.2: (config vpn iptunnel gre_tunnel1)> remote 172.30.0.2 (config vpn iptunnel gre_tunnel1)> IX40 User Guide...
Page 467 Task three (IP tunnel: gre_tunnel1). 5. Click to expand IPv4. 6. For Address, type 172.31.0.1/30 for a virtual IP address on the GRE tunnel. 7. Click Apply to save the configuration and apply the change. Command line IX40 User Guide...
Page 468 Type quit to disconnect from the device. Configure the IX40-2 device Task one: Create an IPsec tunnel É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 469 3. Click VPN > IPsec > Tunnels. 4. For Add IPsec Tunnel, type ipsec_gre2 and click g . 5. Click to expand Authentication. 6. For Pre-shared key, type the same pre-shared key that was configured for the IX40-1 (testkey). 7. Click to expand Remote endpoint.
Page 470 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 471 7. Click Apply to save the configuration and apply the change. Command line 1. At the command line, type config to enter configuration mode: > config (config)> 2. Add an interface named ipsec_endpoint2: (config)> add network interface ipsec_endpoint2 (config network interface ipsec_endpoint2)> IX40 User Guide...
Page 472 Task two (Interface: ipsec_ endpoint2). 4. For Remote endpoint, type the IP address of the GRE tunnel on IX40-1, 172.30.0.1. 5. Click Apply to save the configuration and apply the change. Command line 1. At the command line, type config to enter configuration mode: >...
Page 473 (/network/interface/ipsec_endpoint2): (config vpn iptunnel gre_tunnel2)> local /network/interface/ipsec_endpoint2 (config vpn iptunnel gre_tunnel2)> 4. Set the remote endpoint to the IP address of the GRE tunnel on IX40-1, 172.30.0.1: (config vpn iptunnel gre_tunnel2)> remote 172.30.0.1 (config vpn iptunnel gre_tunnel2)> 5. Save the configuration and apply the change (config vpn iptunnel gre_tunnel2)>...
Page 474 (config network interface gre_interface2)> save Configuration saved. > 7. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 475: Dynamic Multipoint Vpn (Dmvpn)
This is achieved by the creation of a dynamic GRE tunnel directly to the other spoke. The network address of the target spoke is resolved with the use of Next Hop Resolution Protocol (NHRP). This section contains the following topics: Configure a DMVPN spoke IX40 User Guide...
Page 476: Configure A Dmvpn Spoke
Dynamic Multipoint VPN (DMVPN) Configure a DMVPN spoke To configure a DMVPN spoke: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 477 For Address, type the IP address and netmask of the tunnel. The netmask must be set to /32. 5. Configure NHRP: a. Click Network > Routing Services. b. Enable routing services. c. Click to expand NHRP. d. Enable NHRP. e. Click to expand Network. IX40 User Guide...
Page 478 Click Network > Routing services > BGP. b. Enable BGP. c. For AS number, type the autonomous system number for this device. d. For Best path criteria, select Multipath. e. Click to expand Neighbours. f. Click g to add a neighbour. IX40 User Guide...
Page 479 9. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 480 IP address to 10.20.1.4/32: (config network interface dmvpn_tunnel_interface)> ipv4 address 10.20.1.4/32 (config network interface dmvpn_tunnel_interface)> 5. Configure NHRP: a. Type ... to return to the top level of the configuration schema: (config network interface dmvpn_tunnel_interface)> ... (config)> IX40 User Guide...
Page 481 Type ... to return to the top level of the configuration schema: (config network interface dmvpn_tunnel_interface)> ... (config)> b. Enable BGP: (config)> network route service bgp enable true (config)> c. Set the autonomous system number for this device. For example, to set the autonomous system number to 66007: IX40 User Guide...
Page 482: L2Tp
Your IX40 device supports PPP-over-L2TP (Layer 2 Tunneling Protocol). Configure a PPP-over-L2TP tunnel Your IX40 device supports PPP-over-L2TP (Layer 2 Tunneling Protocol). The tunnel endpoints are known as L2TP Access Concentrators (LAC) and L2TP Network Servers (LNS). Each endpoint terminates the PPP session.
Page 483 Whether to override the default configuration and only use the custom options. Optional configuration data in the format of a pppd options file. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 484 No limit to IPv6 addresses that can access the service-type. d. Click g again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: a. Click Interfaces. b. For Add Interface, click g .
Page 485 None: No authentication is required. Automatic: The device will attempt to connect using CHAP first, and then PAP. CHAP: Uses the Challenge Handshake Authentication Profile (CHAP) to authenticate. PAP: Uses the Password Authentication Profile (PAP) to authenticate. IX40 User Guide...
Page 486 8. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 487 No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: (config)> add vpn l2tp acl interface end value (config)>...
Page 488 Use the ?to determine available zones: (config vpn l2tp lac lac_tunnel)> zone ? Zone: The firewall zone assigned to this tunnel. This can be used by packet filtering rules and access control lists to restrict network traffic on this tunnel. IX40 User Guide...
Page 489 (config vpn l2tp lns lns_server)> LACs are enabled by default. To disable: (config vpn l2tp lns lns_server)> enable false (config vpn l2tp lns lns_server)> b. Set the IP address of the L2TP access concentrator that this server will allow connections from: IX40 User Guide...
Page 490 0 and 65535. The default is 1. g. Set the firewall zone for the tunnel. This is used by packet filtering rules and access control lists to restrict network traffic on the tunnel. IX40 User Guide...
Page 491 7. Save the configuration and apply the change (config)> save Configuration saved. > 8. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 492: L2Tp With Ipsec
Show the status of L2TP access connectors from the Admin CLI 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 493 Show the status of L2TP network servers from the Admin CLI 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 494: L2Tpv3 Ethernet
The peer session cookie. The Layer2SpecificHeader type. The Sequence numbering control. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 495 Both: Add a sequence number to each outgoing packet, and reorder packets if they are received out of order. The default is None. h. Repeat for additional sessions. 11. Click Apply to save the configuration and apply the change. Command line IX40 User Guide...
Page 496 Virtual Private Networks (VPN) L2TPv3 Ethernet 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 497 14. Set the Layer2Specific header type. This must match what is configured on the remote peer. (config vpn l2tpeth L2TPv3_example session_example)> l2spec_type value (config vpn l2tpeth L2TPv3_example session_example)> where value is either none or default. The default is default. IX40 User Guide...
Page 498: Show L2Tpv3 Tunnel Status
Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 499: Macsec
Automatic: Uses a pre-shared key to generate association key information, which is periodically rotated through using 802.1x. Manual: Uses connectivity association key information that is manually entered in the CAK and CKN fields. Configure a MACsec tunnel Your IX40 device supports MACsec (Layer 2 Tunneling Protocol). IX40 User Guide...
Page 500 The local network device to connect to the peer device. When using Manual mode, the connectivity association key and key name. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 501 The key format is 16 hex digits. b. Specify the connectivity association key name: (config vpn macsec tunnel1) association ckn value (config vpn macsec tunnel1)> where value is the association key name. The key format is 32 hex digits. IX40 User Guide...
Page 502: Nemo
Local Area Networks (LANs) on your device. NEMO creates a tunnel between the home agent on the mobile private network and the IX40 device, isolating the connection from internet traffic and advertising the IP subnets of the LANs for remote access and device management.
Page 503 Virtual Private Networks (VPN) NEMO 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 504 14. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 505 (config vpn nemo nemo_example)> mtu_discovery false (config vpn nemo nemo_example)> If disabled, set the MTU size. The default MTU size for LANs on the IX40 device is 1500. The MTU size of the NEMO tunnel will be smaller, to take into account the required headers.
Page 506 Add a local network to use as a virtual NEMO network interface: (config vpn nemo nemo_example)> add network end eth2 (config vpn nemo nemo_example)> b. (Optional) Repeat for additional interfaces. 14. Save the configuration and apply the change (config)> save Configuration saved. > IX40 User Guide...
Page 507: Show Nemo Status
Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 508 NEMO lan1 192.168.2.1/24 Advertized LAN2 192.168.3.1/24 Advertized > 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 509 Simple Network Management Protocol (SNMP) Location information Modbus gateway System time Network Time Protocol Configure a multicast route Ethernet network bonding Enable service discovery (mDNS) Use the MQTT broker service Use the iPerf service Configure the ping responder service IX40 User Guide...
Page 510: Allow Remote Access For Web Administration And Ssh
To allow web administration or SSH for the External firewall zone: Add the External firewall zone to the web administration service É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 511 6. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 512 Services Allow remote access for web administration and SSH É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 513: Configure The Web Administration Service
Configure the web administration service Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 514 The web administration service is enabled by default. To disable the service, or enable it if it has been disabled: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 515 Type quit to disconnect from the device. Configure the service É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 516 No limit to IPv6 addresses that can access the web administration service. d. Click g again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: a. Click Interfaces.
Page 517 11. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 518 No limit to IPv6 addresses that can access the web administratrion service. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: (config)> add service web_admin acl interface end value (config)>...
Page 519 Paste the contents of certificate.pem and key.pem into the service web_admin cert command. Enclose the contents of certificate.pem and key.pem in quotes. For example: (config)> service web_admin cert "-----BEGIN CERTIFICATE----- MIID8TCCAtmgAwIBAgIULOwezcmbnQmIC9pT9txwCfUbkWQwDQYJKoZIhvcNAQEL BQAwgYcxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZPcmVnb24xDjAMBgNVBAcMBUFs b2hhMRMwEQYDVQQKDApNY0JhbmUgSW5jMRAwDgYDVQQLDAdTdXBwb3J0MQ8wDQY VQQDDAZtY2JhbmUxHzAdBgkqhkiG9w0BCQEWEGptY2JhbmVAZGlnaS5jb20wHhcN MjAwOTIyMTY1OTUyWhcNMjEwOTIyMTY1OTUyWjCBhzELMAkGA1UEBhMCVVMxDzAN BgNVBAgMBk9yZWdvbjEOMAwGA1UEBwwFQWxvaGExEzARBgNVBAoMCk1jQmFuZSBJ bmMxEDAOBgNVBAsMB1N1cHBvcnQxDzANBgNVBAMMBm1jYmFuZTEfMB0GCSqGSIb3 DQEJARYQam1jYmFuZUBkaWdpLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBAOBn19AX01LO9plYtfRZq0bETwNwSCYGeEIOGJ7gHt/rihLVBJS1woYv u1Oq1ohYxIawBY1iIPBD2GtzyEJXzBZdQRhwi/dRyRi4vr7EkjGDr0Vb/NVT0L5w UzcMeT+71DYvKYm6GpcWx+LoKqFTjbMFBIze5pbBfru+SicId6joCHIuYq8Ehflx 6sy6s4MDbyTUAEN2YhsBaOljej64LNzcsHeISbAWibXWjOSsK+N1MivQq5uwIYw/ 1fsnD8KDS43Wg57+far9fQ2MIHsgnoAGz+w6PIKJR594y/MfqQffDFNCh2lJY49F hOqEtA5B9TyXRKwoa3j/lIC/t5cpIBcCAwEAAaNTMFEwHQYDVR0OBBYEFDVtrWBH E1ZcBg9TRRxMn7chKYjXMB8GA1UdIwQYMBaAFDVtrWBHE1ZcBg9TRRxMn7chKYjX IX40 User Guide...
Page 520 To disable mDNS, or enable it if it has been disabled: To enable the mDNS protocol: (config)> service web_admin mdns enable true (config> To disable the mDNS protocl: (config)> service web_admin mdns enable false (config)> IX40 User Guide...
Page 521 9. Save the configuration and apply the change (config)> save Configuration saved. > 10. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 522: Configure Ssh Access
The SSH service is enabled by default. To disable the service, or enable it if it has been disabled: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights.
Page 523 Type quit to disconnect from the device. Configure the service É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 524 No limit to IPv6 addresses that can access the SSH service. d. Click g again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: a. Click Interfaces.
Page 525 9. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 526 No limit to IPv6 addresses that can access the SSH service. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: (config)> add service ssh acl interface end value (config)>...
Page 527 The default is false. c. Set the configuration settings: (config)> service ssh custom config_file value (config)> where value is one or more entires in the form of an OpenSSH sshd_config file. For example, to enable the diffie-helman-group-sha-14 key exchange algorithm: IX40 User Guide...
Page 528 8. Save the configuration and apply the change (config)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 529: Use Ssh With Key Authentication
SSH service to allow SSH access for the External firewall zone. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 530 These instructions assume an existing user named temp_user. 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 531 Services Use SSH with key authentication 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 532: Configure Telnet Access
Enable the telnet service The telnet service is disabled by default. To enable the service: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 533 Type quit to disconnect from the device. Configure the service É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 534 No limit to IPv6 addresses that can access the telnet service. d. Click g again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: a. Click Interfaces.
Page 535 7. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 536 6. Save the configuration and apply the change (config)> save Configuration saved. > 7. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 537: Configure Dns
The device is configured by default with the hostname digi.device, which corresponds to the 192.168.210.1 IP address. To configure the DNS server: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 538 No limit to IPv6 addresses that can access the DNS service. d. Click g again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: a. Click Interfaces.
Page 539 12. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 540 Services Configure DNS Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: (config)> add service dns acl interface end value (config)> Where value is an interface defined on your device.
Page 541 (Optional) Set a label for this DNS server: (config service dns server 0)> label label (config service dns server 0)> 10. (Optional) Add host names and their IP addresses that the device's DNS server will resolve IX40 User Guide...
Page 542: Show Dns Server
Command line Show DNS information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 543: Wan Bonding
WAN bonding also provides seamless failover by automatically using multiple pipes within the bonded tunnel. The WAN bonding service for your IX40 device must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. This section contains the following topics:...
Page 544: Use Digi Remote Manager To Enable And Configure Wan Bonding On Multiple Devices
Use Digi Remote Manager to enable and configure WAN bonding on multiple devices Note WAN bonding support must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. You must also set up the WAN bonding server. This can be done using one of three mechanisms: Set up a WAN bonding server on physical hardware or a Virtual Private Server (VPS) in your local environment.
Page 545 Select Interfaces and select a WAN interface to be bonded. Note By default, IX40 devices prioritize their WAN Ethernet connection over any WWAN cellular connections. Consider this prioritization if using both wired Ethernet and cellular Internet connections. Make sure to add the highest priority in-use interface(s) to the WAN Bonding settings.
Page 546 4. Create a site-specific settings file for the Tunnel username and Tunnel password options: a. Click Home. b. Click and select Download to download a CSV file to your local filesystem, which you can use to set site-specific settings. IX40 User Guide...
Page 547: Configure Wan Bonding On Your Local Device
Configure WAN bonding on your local device Note WAN bonding support must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. You must also set up the WAN bonding server. This can be done using one of three mechanisms: Set up a WAN bonding server on physical hardware or a Virtual Private Server (VPS) in your local environment.
Page 548 Additional configuration items The firewall zone for the new bonded interface, if other than External. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 549 For Interfaces, select a WAN interface to be bonded. Note By default, IX40 devices prioritize their WAN Ethernet connection over any WWAN cellular connections. Consider this prioritization if using both wired Ethernet and cellular Internet connections. Make sure to add the highest priority in-use interface(s) to the WAN Bonding settings.
Page 550 12. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 551 Automatically sets the mode to Cellular Optimized for Speed-mode for cellular, and Ethernet for non-cellular. This is the default mode. mobileAggressive: A general-purpose configuration suitable for most lines (4G, DSL, etc), with a fair tolerance for packet loss and latency. IX40 User Guide...
Page 552: Show Wan Bonding Status And Statistics
The current status of the device's bonding interfaces is displayed. Command line Show WAN bonding information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. IX40 User Guide...
Page 553 Current (1sec) RX 4 sent, 0 lost; TX 5 sent, 0 lost, 4 acked Total RX 16 sent, 0 lost; TX 18 sent, 0 lost, 18 acked Channel #1 (wwan0.1) ---------------- Enabled Status "connected" Uptime 5 sec IX40 User Guide...
Page 554 RX 17 sent, 0 lost; TX 19 sent, 0 lost, 19 acked > 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 555: Simple Network Management Protocol (Snmp)
By default, the IX40 device automatically blocks SNMP packets from being received over WAN and LAN interfaces. As a result, if you want a IX40 device to receive SNMP packets, you must configure the SNMP access control list to allow the device to receive the packets. See...
Page 556 Services Simple Network Management Protocol (SNMP) 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 557 15. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 558 No limit to IPv6 addresses that can access the SNMP service. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: (config)> add service snmp acl interface end value (config)>...
Page 559 (config)> service snmp auth_type SHA (config)> 10. (Optional) Set the privacy passphrase. If not set, the password, entered above, is used. (config)> service snmp privacy pwd (config)> 11. (Optional) Set the privacy protocol, either DES or AES. The default is DES. IX40 User Guide...
Page 560: Download Mibs
Enable SNMP. To download a .zip archive of the SNMP MIBs supported by this device: É Log into the IX40 WebUI as a user with full Admin access rights. 1. Enable SNMP. Configure Simple Network Management Protocol (SNMP) for information about enabling and configuring SNMP support on the IX40 device.
Page 561 Services Simple Network Management Protocol (SNMP) The SNMP page is displayed. 3. Click Download. IX40 User Guide...
Page 562: Location Information
Location messages forwarded to the device from other location-enabled devices. You can also configure your IX40 device to forward location messages, either from the IX40 device or from external sources, to a remote host. Additionally, the device can be configured to use a geofence, to allow you to determine actions that will be taken based on the physical location of the device.
Page 563: Configure The Location Service
The location service is enabled by default. You can disable it, or you can enable it if it has been disabled. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 564 9. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 565: Configure The Device To Use A User-Defined Static Location
Configure the device to use a user-defined static location You can configured your IX40 device to use a user-defined static location. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 566 Services Location information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 567: Configure The Device To Accept Location Messages From External Sources
Access control list configuration to provide access to the port through the firewall. To configure the device to accept location messages from external sources: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 568 9. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 569 No limit to IPv6 addresses that can access the location server UDP port. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: (config)> add service location source 1 acl interface end value (config)>...
Page 570: Forward Location Information To A Remote Host
Type quit to disconnect from the device. Forward location information to a remote host You can configure location clients on the IX40 device that forward location messages in either NMEA or TAIP format to a remote host. IX40 User Guide...
Page 571 A vehicle ID that is used in the TAIP ID message and can also be prepended to the forwarded message. Configure the IX40 device to forward location information: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 572 PV: Position/velocity: reports the latitude, longitude, and heading. 12. For Outgoing message type, select either NMEA or TAIP for the type of message that the device will forward to a remote host. (Optional) If NMEAis selected: IX40 User Guide...
Page 573 15. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 574 (config service location forward 0)> ii. Set the talker ID: (config service location forward 0)> talker_id value (config service location forward 0)> The default setting is Default, which means that the talker ID provided by the source will be used. IX40 User Guide...
Page 575 9. (Optional) Set the text to prepend to the forwarded message. Two variables can be included in the prepended text: %s: Includes the IX40 device's serial number in the prepended text. %v: Includes the vehicle ID in the prepended text.
Page 576 (config service location forward 0)> b. Use the index number to delete the message type. For example, to delete the id (index number 2) message type: (config service location forward 0)> del filter_taip 2 (config service location forward 0)> IX40 User Guide...
Page 577: Configure Geofencing
Type quit to disconnect from the device. Configure geofencing Geofencing is a mechanism to create a virtual perimeter that allows you configure your IX40 device to perform actions when entering or exiting the perimeter. For example, you can configure a device to factory default if its location service indicates that it has been moved outside of the geofence.
Page 578 Update interval, which determines the amount of time that the geofence should wait between polling for updated location data. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 579 For Longitude, any integer between -180 and 180, with up to six decimal places. d. Click g again to add an additional point, and continue adding points to create the desired polygon. For example, to configure a square polygon around the Digi headquarters, configure a polygon with four points: IX40 User Guide...
Page 580 For example, if the Update interval is 1m (one minute) and the Number of intervals is 3, the On entry actions will not be performed until the device has been inside the geofence for three minutes. d. Click to expand Actions. e. Click g to create a new action. IX40 User Guide...
Page 581 For example, if the Update interval is 1m (one minute) and the Number of intervals is 3, the On entry actions will not be performed until the device has been inside the geofence for three minutes. d. Click to expand Actions. e. Click g to create a new action. IX40 User Guide...
Page 582 8. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 583 100m or 1km. If boundary is set to polygonal: a. Set the coordinates of one vertex of the polygon. A vertex is the point at which two sides of a polygon meet. IX40 User Guide...
Page 584 For longitude, any integer between -180 and 180, with up to six decimal places. Repeat for each vortex of the polygon. For example, to configure a square polygon around the Digi headquarters, configure a polygon with four points: (config service location geofence test_geofence)> add coordinates end (config service location geofence test_geofence coordinates 0)>...
Page 585 Type ... to return to the root of the configuration: (config service location geofence test_geofence coordinates 3)> ... (config)> ii. Add the action: (config)> add service location geofence test_geofence on_entry action end (config service location geofence test_geofence on_entry action 0)> IX40 User Guide...
Page 586 (config service location geofence test_geofence on_entry action 0)> max_memory (config service location geofence test_geofence on_entry action 0)> v. A sandbox is enabled by default to prevent the script from adversely affecting the system. To disable the sandbox: IX40 User Guide...
Page 587 If type is set to script: i. Type or paste the script, closed in quote marks: (config service location geofence test_geofence on_exit action 0)> commands " script " (config service location geofence test_geofence on_exit action 0)> IX40 User Guide...
Page 588: Show Location Information
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show location information You can view status and statistics about location information from either the WebUI or the command line. É IX40 User Guide...
Page 589 Command line Show location information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 590: Modbus Gateway
Type quit to disconnect from the device. Modbus gateway The IX40 supports the ability to function as a Modbus gateway, to provide serial-to-Ethernet connectivity to Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and other industrial devices. MODBUS provides client/server communication between devices connected on different types of buses and networks, and the Modbus gateway allows for communication between buses and networks that use the Modbus protocol.
Page 591: Configure The Modbus Gateway
The maximum time between bytes in a packets. Whether to send broadcast messages. Response timeout If connection type is set to socket: The port to use. The inactivity timeout. If connection type is set to serial: Whether to use half duplex (two wire) mode. IX40 User Guide...
Page 592 Whether packets should be delivered to a fixed Modbus address. Whether packets should have their Modbus address adjusted downward before to delivery. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 593 For Port, enter or select an appropriate port. The default is port 502. If Serial is selected for Connection type: a. For Serial port, select the appropriate serial port on the IX40 device. 5. For Packet mode, select RTU or RAW (if Connection type is set to Socket) or ASCII (if Connection typeis set to Serial) for the type of packet that will be used by this connection.
Page 594 No limit to IPv6 addresses that can access the web administration service. d. Click g again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: a. Click Interfaces.
Page 595 Modbus server is running. If Serial is selected for Connection type: a. For Serial port, select the appropriate serial port on the IX40 device. 5. For Packet mode, select RTU or RAW (if Connection type is set to Socket) or ASCII (if Connection typeis set to Serial) for the type of packet that will be used by this connection.
Page 596 No limit to IPv6 addresses that can access the web administration service. d. Click g again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: a. Click Interfaces.
Page 597 17. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 598 (config service modbus_gateway server test_modbus_server)> where value is any number of minutes or seconds up to a maximum of 15 minutes, and takes the format number{m|s}. For example, to set inactivity_timeout to ten minutes, enter either 10m or 600s: IX40 User Guide...
Page 599 For example, to set idle_gap to one second, enter 1000ms or 1s. iv. (Optional) Enable half-duplex (two wire) mode: (config service modbus_gateway server test_modbus_server)> serial half_duplex true (config service modbus_gateway server test_modbus_server)> c. Repeat the above instructions for additional servers. IX40 User Guide...
Page 600 (config service modbus_gateway client test_modbus_client)> where value is either rtu or ascii. The default is rtu. iv. Set the maximum allowable time between bytes in a packet: (config service modbus_gateway client test_modbus_client)> socket idle_gap value (config service modbus_gateway client test_modbus_client)> IX40 User Guide...
Page 601 (config service modbus_gateway client test_modbus_client)> ii. Set the port: (config service modbus_gateway client test_modbus_client)> serial port (config service modbus_gateway client test_modbus_client)> ii. Set the packet mode: (config service modbus_gateway client test_modbus_client)> serial packet_mode value (config service modbus_gateway client test_modbus_client)> IX40 User Guide...
Page 602 10, set the index 0 entry to 10: (config service modbus_gateway client test_modbus_client)> filter 0 10 (config service modbus_gateway client test_modbus_client)> To filter for all messages with addresses in the range of 20 to 30, set the index 0 entry to 20-30: IX40 User Guide...
Page 603 This will configure the gateway to deliver all messages that have the Modbus server address address of 20 to the device with address 10. i. Repeat the above instructions for additional clients. 6. Save the configuration and apply the change (config)> save Configuration saved. > IX40 User Guide...
Page 604: Show Modbus Gateway Status And Statistics
Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 605 Packet Errors RX Broadcasts RX Requests : 12 TX Exceptions TX Responses : 12 Clients ------- modbus_socket_41 ---------------- Address Translation Errors Connection Errors Packet Errors RX Responses RX Timeouts TX Broadcasts TX Requests modbus_socket_21 ---------------- Address Translation Errors IX40 User Guide...
Page 606 RX Responses RX Timeouts TX Broadcasts TX Requests > 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 607: System Time
If t least one upstream NTP server for synchronization. Additional Configuration Options Additional upstream NTP servers. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 608 6. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 609 See Configure the device as an NTP server for more information about NTP server configuration. 5. Save the configuration and apply the change (config)> save Configuration saved. > IX40 User Guide...
Page 610 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 611: Manually Set The System Date And Time
This procedure is available at the Admin CLI only. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 612: Configure The Device As An Ntp Server
The time zone setting, if the default setting of UTCis not appropriate. To configure the IX40 device's NTP service: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 613 No limit to IPv6 addresses that can access the NTP service. d. Click g again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: a. Click Interfaces.
Page 614 9. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 615 5. Allow the device's local system clock to be used as backup time source: (config)> service ntp local true (config)> 6. (Optional) Configure the access control list to limit downstream access to the IX40 device's NTP service. To limit access to specified IPv4 addresses and networks: (config)>...
Page 616 By default, the access control list for the NTP service is empty, which means that all downstream hosts connected to the IX40 device can use the NTP service. 7. (Optional) Set the timezone for the location of your IX40 device. The default is UTC. (config)> system time timezone value (config)>...
Page 617: Show Status And Statistics Of The Ntp Server
Command line Show NTP information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 618 Services Configure a multicast route 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 619: Ethernet Network Bonding
Type quit to disconnect from the device. Ethernet network bonding The IX40 device supports bonding mode for the Ethernet network. This allows you to configure the device so that Ethernet ports share one IP address. When both ports are being used, they act as one Ethernet network port.
Page 620 Create a new network interface for the bonded Ethernet devices, and disable the any interfaces associated with those Ethernet devices.. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 621 8. Create a new network interface that is linked to the Ethernet bond: a. Click Network > Interface. b. For Add Interface, type a name for the interface and click g . c. For Device, select the Ethernet bond created above: IX40 User Guide...
Page 622 9. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 623 8. Disable any other interfaces associated with the devices that were added to the Ethernet bond. For example, if ETH1 and ETH2 were added to the Ethernet bond, and they are included with the ETH1 and ETH2 interfaces: IX40 User Guide...
Page 624: Enable Service Discovery (Mdns)
Multicast DNS mDNS is a protocol that resolves host names in small networks that do not have a DNS server. You can enable the IX40 device to use mDNS. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 625 6. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 626 No limit to IPv6 addresses that can access the mDNS service. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: (config)> add service mdns acl interface end value (config)>...
Page 627: Use The Mqtt Broker Service
MQTT is a lightweight publish/subscribe messaging protocol for the Internet of Things (IoT) applications, designed to connect devices using a small footprint and minimum network bandwidth. Your IX40 device includes an MQTT broker service that serves as an intermediary between MQTT clients. The broker receives and distributes client messages.
Page 628 Whether to allow clients that have no client ID to connect. Whether replace the client's ID with its username. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 629 No limit to IPv6 addresses that can access the iperf service. d. Click g again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: a. Click Interfaces.
Page 630 For Access, select the level of access that the client will have: Read Write Read/write Deny e. Click g again to add additional topics. To restrict access to topics based on pattern substitution: a. Click to expand Pattern. b. Click g to add a topic. IX40 User Guide...
Page 631 15. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 632 No limit to IPv6 addresses that can access the iperf service. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: (config)> add service mqtt acl interface end value (config)>...
Page 633 The signal level wildcard, +. The multi-level wildcard, #. iii. Set the access type to apply to the topic: (config service mqtt client 0 topic_acl 0)> access value (config service mqtt client 0 topic_acl 0)> where value is one of: IX40 User Guide...
Page 634 Add a pre-shared key: (config)> add service mqtt encryption psk end (config service mqtt encryption psk 0)> ii. Set the identity sent to the client: (config service mqtt encryption psk 0)> indentity value (config service mqtt encryption psk 0)> IX40 User Guide...
Page 635 Set the access type to apply to the topic: (config service mqtt topic_acl anonymous 0)> access value (config service mqtt topic_acl anonymous 0)> where value is one of: deny read readwrite write The default is readwrite. IX40 User Guide...
Page 636 (config service mqtt topic_acl pattern 0)> add ..pattern end (config service mqtt topic_acl pattern 1)> f. Repeat the above steps to set the topic and access type. 13. Save the configuration and apply the change (config)> save Configuration saved. > IX40 User Guide...
Page 637: Show Mqtt Broker Information
Command line Show MQTT broker information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 638: Use The Iperf Service
Type quit to disconnect from the device. Use the iPerf service Your IX40 device includes an iPerf3 server that you can use to test the performance of your network. iPerf3 is a command-line tool that measures the maximum network throughput an interface can handle.
Page 639 To enable the iPerf3 server: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 640 7. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 641 No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: (config)> add service iperf acl interface end value (config)>...
Page 642: Example Performance Test Using Iperf3
Done. Configure the ping responder service Your IX40 device's ping responder service replies to ICMP and ICMPv6 echo requests. The service is enabled by default. You can disable the service, or you can configure the service to use an access control list to limit the service to specified IP address, interfaces, and/or zones.
Page 643 Services Configure the ping responder service 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 644 5. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 645 No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX40 device: (config)> add service iperf acl interface end value (config)>...
Page 646: Example Performance Test Using Iperf3
Example performance test using iPerf3 On a remote host with Iperf3 installed, enter the following command: $ iperf3 -c device_ip where device_ip is the IP address of the IX40 device. For example: $ iperf3 -c 192.168.2.1 Connecting to host 192.168.2.1, port 5201 [ 4] local 192.168.3.100 port 54934 connected to 192.168.1.1 port 5201...
Page 647 Applications The IX40 supports Python 3.6 and provides you with the ability to run Python applications on the device interactively or from a file. You can also specify Python applications and other scripts to be run each time the device system restarts, at specific intervals, or at a specified time.
Page 648: Develop Python Applications
Digi IoT PyCharm Plugin to help you while writing, building, and testing your application. Create and test a Python application. In addition to the standard Python library, the IX40 includes a set of extensions to access its configuration and interfaces. See Python modules.
Page 649: Set Up The Ix40 For Python Development
Set up the IX40 for Python development 1. Access the IX40 local web interface a. Use an Ethernet cable to connect the IX40 to your local laptop or PC. The factory default IP address is 192.168.2.1 b. Log into the IX40 WebUI as a user with full admin access rights.
Page 650 Develop Python applications Develop an application in PyCharm The Digi IoT PyCharm Plugin allows you to write, build and run Python applications for Digi devices in a quick and easy way. See the Digi XBee PyCharm IDE Plugin User Guide for details.
Page 651 """ def handle(self): # self.request is the TCP socket connected to the client self.data = self.request.recv(1024).strip() print("{} wrote:".format(self.client_address[0])) print(self.data) # just send back the same data, but upper-cased self.request.sendall(self.data.upper()) IX40 User Guide...
Page 652 Create a custom firewall rule É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 653: Python Modules
Develop Python applications Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 654 Digidevice module section. Digidevice module The Python digidevice module provides platform-specific extensions that allow you to interact with the device’s configuration and interfaces. The following submodules are included with the digidevice module: This section contains the following topics: IX40 User Guide...
Page 655 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX40 local command line as a user with shell access.
Page 656 Get help executing a CLI command from Python by accessing help for cli.execute: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX40 local command line as a user with shell access.
Page 657 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX40 local command line as a user with shell access.
Page 658 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX40 local command line as a user with shell access.
Page 659 Read the device configuration 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX40 local command line as a user with shell access.
Page 660 Use the set() and commit() methods to modify the device configuration: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX40 local command line as a user with shell access.
Page 661 Remote Manager's Server Command Interface (SCI), a web service that allows users to access information and perform commands that relate to their devices. Use Remote Manager's SCI interface to create SCI requests that are sent to your IX40 device, and use the device_request module to send responses to those requests to Remote Manager.
Page 662 Task one: Use the device_request module on your IX40 device to create a response 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX40 local command line as a user with shell access.
Page 663 1. Create a Python application, called showsystem.py, that uses the digidevice.cli module to create a response containing information about device and the device_request module to respond with this information to a request from Remote Manager: from digidevice import device_request from digidevice import cli IX40 User Guide...
Page 664 This can be done from either the WebUI or the command line: É i. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. ii. Access the device configuration: Remote Manager: i.
Page 665 Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 666 Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX40 local command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu.
Page 667 <device_request target_name="showSystem"> 8. Click Send. You should receive a response similar to the following: <sci_reply version="1.0"> <data_service> <device id="00000000-00000000-0000FFFF-A83CF6A3"/> <requests> <device_request target_name="showSystem" status="0">Model : Digi IX40 Serial Number : IX40-000068 Hostname : IX40 : 00:40:D0:13:35:36 Hardware Version : 50001959-01 A Firmware Version : 23.12.1.56...
Page 668 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX40 local command line as a user with shell access.
Page 669 Use the keys() and get() methods to read the device configuration: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX40 local command line as a user with shell access.
Page 670 Use the set() method to modify the runtime database: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX40 local command line as a user IX40 User Guide...
Page 671 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX40 local command line as a user with shell access. Depending on your device configuration, you may be presented with an Access selection menu.
Page 672 Use Python to upload the device name to Digi Remote Manager The name submodule can be used to upload a custom name for your device to Digi Remote Manager. When you use the name submodule to upload a custom device name to Remote Manager, the...
Page 673 Upload a custom name 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX40 local command line as a user with shell access.
Page 674 Determine if the device's location 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX40 local command line as a user with shell access.
Page 675 You can update this snapsot: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX40 local command line as a user with shell access.
Page 676 You can update this snapsot 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX40 local command line as a user with shell access.
Page 677 Get help for the digidevice location module: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX40 local command line as a user with shell access.
Page 678 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX40 local command line as a user with shell access.
Page 679 5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). The digidevice led submodule Use the led submodule to redefine the purpose of any front-panel LED on the IX40 device. With this submodule, you can: Gain control of the LED with the led.acquire() function.
Page 680 Type "help", "copyright", "credits" or "license" for more information. >>> 2. Import the led submodule: >>> from digidevice import led 3. Import the Led and State objects from the led submodule: >>> from digidevice.led import Led, State IX40 User Guide...
Page 681: The Use(Led) Function
Use Python to control the color of multi-colored LEDs One or more LEDs in the IX40 are RGB (red, green, and blue) LEDs, capable of producing a wide range of colors. You can use the digidevice.led Python module to control the color as well as the state of these LEDs.
Page 682 Led.ONLINE Led.COM Green Led.ETH Led.ONLINE Led.COM Green flashing Led.ETH FLASH Led.ONLINE Led.COM Blue Led.ETH Led.ONLINE Led.COM Blue flashing Led.ETH Led.ONLINE FLASH Led.COM White Led.ETH Led.ONLINE Led.COM White flashing FLASH Led.ETH FLASH Led.ONLINE FLASH Led.COM Yellow Led.ETH Led.ONLINE IX40 User Guide...
Page 683: Example: Set The Lte Connection Indicator To Flashing Purple
FLASH The digidevice led submodule for a definition of the IX40's LEDs, including RGB leds, and the names of the attributes for each LED that will be used by the digidevice.led module. Example: Set the LTE connection indicator to flashing purple 1.
Page 684 SMS scripting. Enable the ability to schedule SMS scripting É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 685 5. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 686 # a CLI command. Send a reponse SMS to the sender before running the command import os import threading import sys from digidevice import cli from digidevice.sms import Callback, send COND = threading.Condition() allowed_incoming_phone_number = '2223334444' def sms_test_callback(sms, info): if info['content.number'] == allowed_incoming_phone_number: print(f"SMS message from {info['content.number']} received") print(sms) IX40 User Guide...
Page 687 Please re-run if you want to check for more incoming SMS messages") os._exit(0) Use Python to access serial ports You can use the Python serial module to access serial ports on your IX40 device that are configured to be in Application mode. See Configure Application mode for information about configuring a serial port in Application mode.
Page 688 6. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Use the Paho MQTT python library Your IX40 device includes support for the Paho MQTT python library. MQTT is a lightweight messaging protocol used to communicate with various applications including cloud-based applications such as Amazon Web Services and Microsoft Azure.
Page 689 HTTPStatus.OK CMD_HANDLERS = { "reboot": cmd_reboot, "fw-update": cmd_fwupdate def send_cmd_reply(client, cmd_path, cid, cmd, status): if not status or not cid: return if cmd_path.startswith(PREFIX_CMD): path = cmd_path[len(PREFIX_CMD):] else: print("Invalid command path ({}), cannot send reply".format(cmd_path)) return IX40 User Guide...
Page 690 None send_cmd_reply(client, msg.topic, cid, cmd, HTTPStatus.BAD_REQUEST) try: status = CMD_HANDLERS[cmd](payload) except: print("Invalid command: {}".format(cmd)) status = HTTPStatus.NOT_IMPLEMENTED send_cmd_reply(client, msg.topic, cid, cmd, status) def publish_dhcp_leases(): leases = [] try: with open('/etc/config/dhcp.leases', 'r') as f: for line in f: IX40 User Guide...
Page 691: Set Up The Ix40 To Automatically Run Your Applications
Applications Set up the IX40 to automatically run your applications elems = line.split() if len(elems) != 5: continue leases.append({"mac": elems[1], "ip": elems[2], "host": elems[3]}) if leases: client.publish(PREFIX_EVENT + "/leases", json.dumps(leases, separators=(',',':'))) except: print("Failed to open DHCP leases file") def publish_system(): avg1, avg5, avg15 = runt.get("system.load_avg").split(', ')
Page 692: Configure Scripts To Run Automatically
Applications Set up the IX40 to automatically run your applications Configure scripts to run automatically Show script information Stop a script that is currently running Configure scripts to run automatically You can configure a script or a python application to run automatically when the system restarts, at specific intervals, or at a specified time.
Page 693 The uploaded file is uploaded to the /etc/config/scripts directory. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 694 This feature does not provide syntax or error checking. Certain commands can render the device inoperable. Use with care. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 695 Applications Set up the IX40 to automatically run your applications The script configuration window is displayed. Custom scripts are enabled by default. To disable, toggle off Enable to toggle off. 5. (Optional) For Label, provide a label for the script.
Page 696 12. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 697 Applications Set up the IX40 to automatically run your applications boot: The script will run once each time the device boots. If boot is selected, set the action that will be taken when the script completes: (config system schedule script 0)> exit_action action (config system schedule script 0)>...
Page 698 Applications Set up the IX40 to automatically run your applications (config system schedule script 0)> commands python "/etc/config/scripts/test.py" (config system schedule script 0)> If the script begins with #!, then the script will be invoked in the location specified by the path for the script command.
Page 699: Show Script Information
The Scripts page displays: Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 700: Start An Interactive Python Session
2. For scripts that are currently running, click Stop Script to stop the script. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 701: Run A Python Application At The Shell Prompt
1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX40 local command line as a user with shell access.
Page 702 IX40 device. local-path is the location on the IX40 device where the copied file will be placed. For example: To upload a script from a remote host with an IP address of 192.168.4.1 to the...
Page 703: Configure Scripts To Run Manually
You can also create scripts by using the vi command when logged in with shell access. 2. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX40 local command line as a user with shell access.
Page 704 The uploaded file is uploaded to the /etc/config/scripts directory. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 705: Task Two: Configure The Application To Run Automatically
This feature does not provide syntax or error checking. Certain commands can render the device inoperable. Use with care. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 706 If Once is enabled, rebooting the device will cause the script to not run again. The only way to re-run the script is to: Remove the script from the device and add it again. Make a change to the script. Uncheck Once. 12. Click Apply to save the configuration and apply the change. IX40 User Guide...
Page 707 Configure scripts to run manually Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 708: Start A Manual Script
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Start a manual script You can start a script that is enabled and configured to have a run mode of Manual. É IX40 User Guide...
Page 709 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 710: User Authentication
User authentication methods Authentication groups Local users Terminal Access Controller Access-Control System Plus (TACACS+) Remote Authentication Dial-In User Service (RADIUS) LDAP Configure serial authentication Disable shell access Set the idle timeout for IX40 users Example user configuration IX40 User Guide...
Page 711: Ix40 User Authentication
User authentication IX40 user authentication IX40 user authentication User authentication on the IX40 has the following features and default configuration: Default Feature Description configuration Idle timeout 10 minutes Determines how long a user session can be idle before the system automatically disconnects.
Page 712 TACACS+: Users authenticated by using a remote TACACS+ server for authentication. Terminal Access Controller Access-Control System Plus (TACACS+) for information about configuring TACACS+ authentication. LDAP: Users authenticated by using a remote LDAP server for authentication. LDAP for information about configuring LDAP authentication. IX40 User Guide...
Page 713: Add A New Authentication Method
The types of authentication method to be used: To add an authentication method: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 714 This procedure describes how to add methods to various places in the list. 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 715: Delete An Authentication Method
Type quit to disconnect from the device. Delete an authentication method É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 716: Rearrange The Position Of Authentication Methods
5. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 717 To reorder these so that RADIUS is first and Local users is second: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 718: Authentication Groups
User authentication Authentication groups 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 719 Differences between standard firmware operation and Primary Responder mode. Serial access: Users with Serial access have the ability to log into the IX40 device by using the serial console. Preconfigured authentication groups The IX40 device has two preconfigured authentication groups: The admin group is configured by default to have full Admin access.
Page 720: Change The Access Rights For A Predefined Group
By default, two authentication groups are predefined: admin and serial. To change the access rights of the predefined groups: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 721 6. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 722: Add An Authentication Group
Access rights to query the device for Nagios monitoring. To add an authentication group: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 723 Full access or Read-only access. where value is either: Full access full: provides users of this group with the ability to manage the IX40 device by using the WebUI or the Admin CLI. Read-only access read-only: provides users of this group with read-only access to the WebUI and Admin CLI.
Page 724 11. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 725 (config)> where value is either: full: provides users of this group with the ability to manage the IX40 device by using the WebUI or the Admin CLI. read-only: provides users of this group with read-only access to the WebUI and Admin CLI.
Page 726: Delete An Authentication Group
To delete an authentication group that you have created: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 727 5. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 728: Local Users
TACACS+ or RADIUS. Local user authentication is enabled by default, with one preconfiged default user. Default user At manufacturing time, each IX40 device comes with a default user configured as follows: Username: admin. Password: The default password is displayed on the label on the bottom of the device.
Page 729: Change A Local User's Password
Local users Change a local user's password To change a user's password: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 730 6. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 731: Configure A Local User
The login limit period. One-time use eight-digit emergency scratch codes. To configure a local user: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. IX40 User Guide...
Page 732 User authentication Local users 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
Page 733 Check Enable to enable two-factor authentication for this user. c. Select the Verification type: Time-based (TOTP): Time-based One-Time Password (TOTP) authentication uses the current time to generate a one-time password. Counter-based (HOTP): HMAC-based One-Time Password (HOTP) uses a counter to validate a one-time password. IX40 User Guide...
Page 734 11. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 735 For example, to set duration to ten minutes, enter either 10m or 600s: (config auth user new_user)> lockout duration 600s (config auth user new_user)> The minimum value is 1 second, and the maximum is 15 minutes. The default is 15 minutes. IX40 User Guide...
Page 736 (config auth user new_user ssh_key)> ssh_key key (config auth user new_user ssh_key)> 9. (Optional) Configure two-factor authentication for SSH, telnet, and serial console login: a. Change to the user's two-factor authentication node: (config auth user new_user)> 2fa (config auth user new_user 2fa)> IX40 User Guide...
Page 737 Configure the login limit. This represents the number of times that the user is allowed to attempt to log in during the Login limit period. Set to 0 to allow an unlimited number of login attempts during the Login limit period IX40 User Guide...
Page 738: Delete A Local User
Delete a local user To delete a user from your IX40: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: IX40 User Guide...
Page 739 5. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 740: Terminal Access Controller Access-Control System Plus (Tacacs+)
With TACACS+ support, the IX40 device acts as a TACACS+ client, which sends user credentials and connection parameters to a TACACS+ server over TCP. The TACACS+ server then authenticates the TACACS+ client requests and sends back a response message to the device.
Page 741: Tacacs+ User Configuration
The groupname attribute is optional. If used, the value must correspond to authentication groups configured on your IX40. Alternatively, if the user is also configured as a local user on the IX40 device and the LDAP server authenticates the user but does not return any groups, the local configuration determines the list of groups.
Page 742: Tacacs+ Server Failover And Fallback To Local Authentication
$ sudo /etc/init.d/tacacs_plus restart TACACS+ server failover and fallback to local authentication In addition to the primary TACACS+ server, you can also configure your IX40 device to use backup TACACS+ servers. Backup TACACS+ servers are used for authentication requests when the primary TACACS+ server is unavailable.
Page 743 The TACACS+ server port. It is configured to 49 by default. Add additional TACACS+ servers in case the first TACACS+ server is unavailable. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 744 11. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 745 (config)> auth tacacs+ authoritative true (config)> 4. (Optional) Configure the group_attribute. This is the name of the attribute used in the TACACS+ server's configuration to identify the IX40 authentication group or groups that the user is a member of. For example, in TACACS+ user configuration, the group attribute in the sample tac_plus.conf file is groupname, which is also the default setting for the group_attribute in the...
Page 746 10. Save the configuration and apply the change (config)> save Configuration saved. > 11. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 747: Remote Authentication Dial-In User Service (Radius)
To use RADIUS authentication, you must set up a RADIUS server that is accessible by the IX40 device prior to configuration. The process of setting up a RADIUS server varies by the server environment. An example of a RADIUS server is FreeRADIUS.
Page 748: Radius User Configuration
(password verification) and authorization (assigning the access level of the user). Additional RADIUS servers can be configured as backup servers for user authentication. This section outlines how to configure a RADIUS server to be used for user authentication on your IX40 device.
Page 749: Configure Your Ix40 Device To Use A Radius Server
Add additional RADIUS servers in case the first RADIUS server is unavailable. The server NAS ID. If left blank, the default value is used: If you are access the IX40 device by using the WebUI, the default value is for NAS ID is httpd.
Page 750 NAS or any arbitrary string. If not set, the default value is used: If you are accessing the IX40 device by using the WebUI, the default value is for NAS ID is httpd.
Page 751 You can use the fully-qualified domain name of the NAS or any arbitrary string. If not set, the default value is used: If you are accessing the IX40 device by using the WebUI, the default value is for NAS ID is httpd.
Page 752: Ldap
Your IX40 device supports LDAP (Lightweight Directory Access Protocol), a protocol used for directory information services over an IP network. LDAP can be used with your IX40 device for centralized authentication and authorization management for users who connect to the device. With LDAP support, the IX40 device acts as an LDAP client, which sends user credentials and connection parameters to an LDAP server.
Page 753 When you are using LDAP authentication, you can have both local users and LDAP users able to log in to the device. To use LDAP authentication, you must set up a LDAP server that is accessible by the IX40 device prior to configuration. The process of setting up a LDAP server varies by the server environment.
Page 754: Ldap User Configuration
(password verification) and authorization (assigning the access level of the user). Additional LDAP servers can be configured as backup servers for user authentication. This section outlines how to configure a LDAP server to be used for user authentication on your IX40 device.
Page 755: Ldap Server Failover And Fallback To Local Configuration
LDAP server failover and fallback to local configuration In addition to the primary LDAP server, you can also configure your IX40 device to use backup LDAP servers. Backup LDAP servers are used for authentication requests when the primary LDAP server is unavailable.
Page 756 User authentication LDAP 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 757 If this attribute is not set, the user will be denied access. 12. (Optional) For Group attribute, type the name of the user attribute that contains the list of IX40 authentication groups that the authenticated user has access to. See LDAP user configuration for further information about the group attribute.
Page 758 User authentication LDAP 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 759 . If this attribute is not set, the user will be denied access. 10. (Optional) Set the name of the user attribute that contains the list of IX40 authentication groups that the authenticated user has access to. See...
Page 760: Configure Serial Authentication
Configure serial authentication This section describes how to configure authentication for serial access. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 761 10. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 762: Disable Shell Access
If shell access is disabled, re-enabling it will erase the device's configuration and perform a factory reset. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 763 5. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 764: Set The Idle Timeout For Ix40 Users
Idle timeout parameter. By default, the Idle timeout is set to 10 minutes. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 765 User authentication Set the idle timeout for IX40 users 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 766: Example User Configuration
Goal: To create a user with administrator rights who is authenticated locally on the device. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 767 7. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 768: Example 2: Radius, Tacacs+, And Local Authentication For One User
Goal: To create a user with administrator rights who is authenticated by using all three authentication methods. In this example, when the user attempts to log in to the IX40 device, user authentication will occur in the following order: IX40 User Guide...
Page 769 2. The user is authenticated by the TACACS+ server. If both the RADIUS and TACACS+ servers are unavailable, 3. The user is authenticated by the IX40 device using local authentication. This example uses a FreeRadius 3.0 server running on ubuntu, and a TACACS+ server running on ubuntu.
Page 770 The authentication group on the IX40 device, admin, is identified in the groupname parameter. c. Save and close the tac_plus.conf file. 3. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 4. Access the device configuration:...
Page 771 User authentication Example user configuration a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
Page 772 In this example: The user's username is admin1. The user's password is password1. The authentication group on the IX40 device, admin, is identified in the Unix-FTP- Group-Names parameter. c. Save and close the users file. 2. Configure a user on the TACACS+ server: a.
Page 773 Save and close the tac_plus.conf file. 3. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 774 (config auth user adminuser)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 775 Firewall This chapter contains the following topics: Firewall configuration Port forwarding rules Packet filtering Configure custom firewall rules Configure Quality of Service options Web filtering IX40 User Guide...
Page 776: Firewall Configuration
To create a zone: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 777 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 778: Configure The Firewall Zone For A Network Interface
This example procedure uses an existing network interface named ETH2 and changes the firewall zone from the default zone, Internal, to External. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 779: Delete A Custom Firewall Zone
Delete a custom firewall zone You cannot delete preconfigured firewall zones. To delete a custom firewall zone: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
Page 780 5. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 781: Port Forwarding Rules
A white list of devices, based on either IP address or firewall zone, that are authorized to leverage this forwarding rule. To configure a port forwarding rule: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 782 IP address or firewall zone: To white list IP addresses: a. Click Addresses. b. For Add Address, enter an IP address and click g . c. Repeat for each additional IP address that should be white listed. IX40 User Guide...
Page 783 13. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 784 (config firewall dnat 0 acl> add address6 end ip-address (config firewall dnat 0 acl)> Repeat for each appropriate IP address. To specify the firewall zone for white listing: (config firewall dnat 0 acl)> add zone end zone IX40 User Guide...
Page 785: Delete A Port Forwarding Rule
Delete a port forwarding rule To delete a port forwarding rule: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 786 5. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 787 5. Save the configuration and apply the change (config)> save Configuration saved. > 6. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 788: Packet Filtering
ICMP ICMP6 To configure a packet filtering rule: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 789 9. For Destination zone, select the firewall zone. Packets destined for network interfaces that are members of this zone will either be accepted, rejected or dropped by this rule. Firewall configuration for more information about firewall zones. 10. Click Apply to save the configuration and apply the change. Command line IX40 User Guide...
Page 790 Firewall Packet filtering 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 791 (config firewall filter 1)> where value is one of: ipv4 ipv6 The default is any. 8. Set the protocol. (config firewall filter 1)> protocol value (config firewall filter 1)> where value is one of: icmp icmpv6 The default is any. IX40 User Guide...
Page 792: Enable Or Disable A Packet Filtering Rule
Enable or disable a packet filtering rule To enable or disable a packet filtering rule: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 793: Delete A Packet Filtering Rule
Firewall Packet filtering 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 794 Firewall Packet filtering É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 795: Configure Custom Firewall Rules
To configure custom firewall rules: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 796 7. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 797: Configure Quality Of Service Options
These example bindings are disabled by default. Enable the preconfigured bindings É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 798 8. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 799 Firewall Configure Quality of Service options Create a new binding É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 800 If Default is disabled, you must configure at least one rule: i. Click to expand Rule. ii. For Add Rule, click g . The QoS binding policy rule configuration window is displayed. IX40 User Guide...
Page 801 10. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 802 (config firewall qos 2 policy)> add end (config firewall qos 2 policy 0)> New QoS binding policies are enabled by default. To disable: (config firewall qos 2 policy 0)> enable false (config firewall qos 2 policy 0)> IX40 User Guide...
Page 803 (config firewall qos 2 policy 0 rule 0)> iii. (Optional) Set a label for the new binding policy rule: (config firewall qos 2 policy 0 rule 0)> label my_binding_policy_rule (config firewall qos 2 policy 0 rule 0)> IX40 User Guide...
Page 804 Only traffic from the IP address typed in IPv4 address will be matched. Set the address that will be matched: (config network qos 2 policy 0 rule 0)> src address value (config network qos 2 policy 0 rule 0)> IX40 User Guide...
Page 805 (config network qos 2 policy 0 rule 0)> src address6 value (config network qos 2 policy 0 rule 0)> where value uses the format IPv6_address[/prefix_length], or any to match any IPv6 address. Repeat to add a new rule. Up to 30 rules can be configured. IX40 User Guide...
Page 806: Web Filtering
Type quit to disconnect from the device. Web filtering Web filtering allows you to control access to services that can be accessed through the IX40 device by forwarding all Domain Name System (DNS) traffic to a web filtering service. This allows the network security administrator to configure a set of policies with the web filtering service that are applied to all routing devices with web filtering enabled.
Page 807 Firewall Web filtering 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 808 Type quit to disconnect from the device. Clear the Cisco Umbrella device ID If the Cisco Umbrella device ID being used by your IX40 is invalid, you can clear the device ID. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 809: Configure Web Filtering With Manual Dns Servers
To configure web filtering with manual DNS servers: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 810 10. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 811: Verify Your Web Filtering Configuration
If your web filtering implementation has the service set to Cisco Umbrella, or if it is configured to use manual DNS servers and uses the Cisco open DNS servers, you can verify the web filtering implementation by using the Cisco test site www.internetbadguys.com. IX40 User Guide...
Page 812 Configure web filtering with manual DNS servers for information about configuring web filtering to use Cisco open DNS servers. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 813 Cisco open DNS servers. 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 814: Show Web Filter Service Information
To view information about the web filter service: Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 815 Containers The IX40 device includes support for LXCLinux containers. LXCcontainers are a lightweight, operating system level method of virtualization that allows you to run one or more isolated Linux instances on a the same host using the host's Linux kernal.
Page 816: Use Digi Remote Manager To Deploy And Run Containers
Use Digi Remote Manager to deploy and run containers Use Digi Remote Manager to deploy and run containers Note Container support must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. 1. In Remote Manager, create a Configuration template. See the Remote Manager User Guide instructions.
Page 817 Containers Use Digi Remote Manager to deploy and run containers i. Click Browse and select the container file. ii. Type the Name of the container. The Name entered here must be the same name as the container .tgz file. This is absolutely necessary, otherwise the container file will not be properly configured on the local devices.
Page 818 Containers Use Digi Remote Manager to deploy and run containers c. For the Automation step: i. Click to toggle on Enable Scanning. ii. Click to toggle on Remediate. Run a manual configuration scan to apply the container and configuration settings to all applicable devices.
Page 819: Use An Automation To Start The Container
Containers Use Digi Remote Manager to deploy and run containers vi. Click the Stream ID to view container status. To verify by using the show containers command on the local device: a. From the Remote Manager main menu, click ® Management > Devices.
Page 820: Upload A New Lxccontainer
Is one of the devices included on the Target page. Upload a new LXC container É Log into the IX40 WebUI as a user with full Admin access rights. 1. From the main menu, click Status. Under Services, click Containers. 2. Click Upload New Container.
Page 821: Configure A Container
The network gateway. Serial ports on the device that the container will have access to. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 822 9. (Optional) Type a Working directory to configure an initial working directory for the container. The directory is an absolute path within the container and must begin with "/". The default is /. IX40 User Guide...
Page 823 12. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 824 The default timeout of 0s means that if the container stops, it will not be restarted. 8. Type any optional parameters for the container: (config system container name )> args parameters (config system container name )> Parameters are in the format accepted by the lxc utility. IX40 User Guide...
Page 825 (config network wireless client new_client)> save Configuration saved. > 14. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 826: Starting And Stopping The Container
To start the container in non-persistent mode: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX40 local command line as a user with shell access.
Page 827: Stopping The Container
Stopping the container 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX40 local command line as a user with shell access.
Page 828: Show Status Of All Containers
1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 829: Schedule A Script To Run In The Container
1. Start the container in non-persistent mode. 2. Execute a ping command every ten seconds from inside the container. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 830 10. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 831: Create A Custom Container
In this example, we will use a simple container file named test_lxc.tgz. You can download test_lxc.tgz from the Digi website. At the command line of a Linux host, we will unpack the file, add a simple python script, and create a new container file that includes the python script.
Page 832: Test The Custom Container File
Click Apply. 2. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX40 local command line as a user with shell access.
Page 833 Containers Create a custom container 4. Execute the python command: lxc # python /etc/test.py Hello world. lxc # IX40 User Guide...
Page 834: Digital Input/Output And Analog Input
Configure digital Input/Output ports Configure analog input ports Send digital and analog I/O monitoring information to a remote server Send digital and analog I/O monitoring information to Digi Remote Manager Show digital I/O and analog input status and statistics IX40 User Guide...
Page 835: Configure Digital Input/Output Ports
The default state, either On or Off. Additional configuration items A label for the Input/Output pin. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 836 10. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 837: Change The Output State Of Digital I/O Ports
5. Click Apply to apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 838 Configure analog input ports Additional configuration items A label for the Input/Output pin. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 839: Analog Input Port Sensor Calibration
7. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 840: Send Digital And Analog I/O Monitoring Information To A Remote Server
The communication protocol (either TCP or UDP). The polling period that the device will use to gather monitoring information. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 841 11. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 842: Send Digital And Analog I/O Monitoring Information To Digi Remote Manager
The communication protocol (either TCP or UDP). The polling period that the device will use to gather monitoring information. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 843 9. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 844 Digital Input/Output and Analog Send digital and analog I/Omonitoring information to Digi Remote Input Manager 3. Uploading I/O logs to Remote Manager is enabled by default. To disable: (config)> io monitoring drm enable false (config)> 4. Set the number of minutes to wait between uploading I/O logs: (config)>...
Page 845: Show Digital I/O And Analog Input Status And Statistics
Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 846 Reading : 15 mV Calibrated : false > 6. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 847: System Administration
Review device status Configure system information Update system firmware Update cellular module firmware Reboot your IX40 device Erase device configuration and reset to factory defaults Locate the device by using the Find Me feature Configure a power profile Enable FIPS mode...
Page 848: Review Device Status
É To display system information: Log into the IX40 WebUI as a user with full Admin access rights. 1. On the main menu, click Status. A secondary menu appears, along with a status panel. 2. On the secondary menu, click to display the details panel for the status you want to view.
Page 849: Configure System Information
Disk /opt Usage : 215.739MB/458.328MB(50%) Disk /tmp Usage : 0.003MB/120.0MB(0%) Disk /var Usage : 0.816MB/32.0MB(3%) > Configure system information You can configure information related to your IX40 device, such as providing a name and location for the device. IX40 User Guide...
Page 850 A banner that will be displayed when users access terminal services on the device. To enter system information: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 851: Update System Firmware
For example, IX40-23.12.1.56.bin. Manage firmware updates using Digi Remote Manager If you have a network of many devices, you can use Digi Remote Manager Profiles to manage firmware updates. Profiles ensure all your devices are running the correct firmware version and that all newly installed devices are updated to that same version.
Page 852: Certificate Management For Firmware Images
3. For Version:, select the appropriate version of the device firmware. 4. Click Update Firmware. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. IX40 User Guide...
Page 853 Newest firmware version available to download is '23.12.1.56' Device firmware update from '23.9.74.0' to '23.12.1.56' is needed > 3. Use the modem firmware ota list command to list available firmware on the Digi firmware repository. > system firmware ota list 23.9.74.0...
Page 854 1. Download the IX40 operating system firmware from the Digi Support FTP site to your local machine. 2. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 855 > reboot Rebooting system > 7. Once the device has rebooted, log into the IX40's command line as a user with Admin access and verify the running firmware version by entering the show system command. > show system...
Page 856: Dual Boot Behavior
3. Click Duplicate Firmware. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 857: Update Cellular Module Firmware
> system duplicate-firmware > Update cellular module firmware You can update modem firmware by downloading firmware from the Digi firmware repository, or by uploading firmware from your local storage onto the device. You can also schedule modem firmware updates. See Schedule system maintenance tasks for details.
Page 858: Update Modem Firmware Over The Air (Ota)
OTA modem firmware update: 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 859: Update Modem Firmware By Using A Local Firmware File
IX40 device. 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 860: Reboot Your Ix40 Device
Type quit to disconnect from the device. Reboot your IX40 device You can reboot the IX40 device immediately or schedule a reboot for a specific time every day. Note You may want to save your configuration settings to a file before rebooting. See...
Page 861: Schedule Reboots Of Your Device
2. At the prompt, type: > reboot Schedule reboots of your device É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 862 6. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 863: Erase Device Configuration And Reset To Factory Defaults
With firmware release 22.2.9.x and newer, erases the client-side certificate used for communication with Digi Remote Manager. If you are using Digi Remote Manager with firmware release 22.2.9.x and newer, by default the device uses a client-side certificate for communication with Remote Manager. If the client-side certificate is erased, you must use the Remote Manager interface to reset the certificate.
Page 864 2. In the Erase configuration section, click ERASE. 3. Click CONFIRM. 4. After resetting the device: a. Connect to the IX40 by using the serial port or by using an Ethernet cable to connect the IX40 ETH2 port to your PC. b. Log into the IX40: User name: Use the default user name: admin.
Page 865 The device reboots again and resets to factory defaults, as well as also removing generated certificates and keys. 3. After resetting the device: a. Connect to the IX40 by using the serial port or by using an Ethernet cable to connect the IX40 ETH2 port to your PC. b. Log into the IX40: User name: Use the default user name: admin.
Page 866: Custom Factory Default Settings
Type quit to disconnect from the device. Custom factory default settings You can configure your IX40 device to use custom factory default settings. This way, when you erase the device's configuration, the device will reset to your custom configuration rather than to the original factory defaults.
Page 867 Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 868: Locate The Device By Using The Find Me Feature
To use this feature: É Log into the IX40 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Administration, click Find Me. A notification message appears, noting that the LED is flashing on the device. Click the x in the message to close it.
Page 869: Configure A Power Profile
You can also disable the IX40's LEDs to save power and reduce light pollution. To change the active power profile: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 870 6. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 871 6. Save the configuration and apply the change (config)> save Configuration saved. > 7. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 872: Enable Fips Mode
When the FIPS setting is changed, the device will reboot automatically. Disabling FIPS after it has been enabled will cause the current configuration to be erased. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 873 6. Click System > Reboot to reboot the device. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 874: Configuration Files
If you do not save configuration changes, the system discards the changes. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 875: Save Configuration To A File
Type quit to disconnect from the device. Save configuration to a file You can save your IX40 device's configuration to a file and use this file to restore the configuration, either to the same device or to similar devices.
Page 876: Restore The Device Configuration
> scp host 192.168.4.1 user admin remote /home/admin/bin/ local /etc/config/backup-archive- 0040FF800120-19.05.17-19.01.17.bin to remote Restore the device configuration You can restore a configuration file to your IX40 device by using a backup from the device, or a backup from a similar device. É...
Page 877 The configuration will be restored and the device will be rebooted. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 878 > system restore filepath [passphrase passphrase ] where filepath is the the path and filename of the configuration backup file on the IX40's filesystem (local-path in the previous step). passphrase (optional) is the passphrase to restore the configuration backup, if a passphrase was used when the backup was created.
Page 879: Schedule System Maintenance Tasks
The frequency (daily, weekly, or monthly) that checks for firmware updates will run. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 880 For Duration window, select the amount of time that the maintenance tasks will be run. If Immediately is selected, all scheduled tasks will begin at the exact time specified in Start time. d. For Frequency, select whether the maintenance window will be started every day, or once per week. IX40 User Guide...
Page 881 10. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 882 If 0 is used, all scheduled tasks will begin at the start time, defined in the previous step. (config system schedule maintenance trigger 0)> length num (config system schedule maintenance trigger 0)> where num is any whole number between 0 and 24. IX40 User Guide...
Page 883 7. Save the configuration and apply the change (config)> save Configuration saved. > 8. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 884: Disable Device Encryption
Type quit to disconnect from the device. Disable device encryption You can disable the cryptography on your IX40 device. This can be used to ship unused devices from overseas without needing export licenses from the country from which the device is being shipped.
Page 885: Re-Enable Cryptography After It Has Been Disabled
Select the Properties of the relevant network connection on the Windows PC. b. Click the Internet Protocol Version 4 (TCP/IPv4) parameter. c. Click Properties. The Internet Protocol Version 4 (TCP/IPv4) Properties dialog appears. d. Configure with the following details: IP address for PC: 192.168.210.2 Subnet: 255.255.255.0 IX40 User Guide...
Page 886: Configure The Speed Of Your Ethernet Ports
Gateway: 192.168.210.1 2. Connect the PC's Ethernet port to the ETH1 Ethernet port on your IX40 device. 3. Open a telnet session and connect to the IX40 device at the IP address of 192.168.210.1. 4. Log into the device: Username: admin Password: The default unique password for your device is printed on the device label.
Page 887 System administration Configure the speed of your Ethernet ports 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 888: Configure The System Watchdog
You can configure your IX40 device's advanced watchdog to test the system for problems, and to reboot the device when problems are encountered. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 889 9. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 890 7. Save the configuration and apply the change (config)> save Configuration saved. > 8. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 891 Monitoring This chapter contains the following topics: intelliFlow Configure NetFlow Probe IX40 User Guide...
Page 892: Intelliflow
Digi intelliFlow is a reporting and graphical presentation tool for visualizing your network’s data usage and network traffic information. intelliFlow can be enabled on Digi Remote Manager to provide a full analysis of all Digi devices on your network. Contact your Digi sales representative for information about enabling intelliFlow on Remote Manager.
Page 893: Enable Intelliflow
The firewall zone for internal clients being monitored by intelliFlow. To enable intelliFlow: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 894 Monitoring intelliFlow 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 895: Configure Service Types
For example, to define a service type called "MyService" using ports 9000 and 9001: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 896 12. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 897: Configure Domain Name Groups
Digi. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 898 11. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 899 7. Set the port number: (config monitoring intelliflow groups 2)> domain devicecloud.com (config monitoring intelliflow groups 2)> 8. Set the service type: (config monitoring intelliflow groups 2)> group Digi (config monitoring intelliflow groups 2)> 9. Save the configuration and apply the change (config)> save Configuration saved.
Page 900: Use Intelliflow To Display Average Cpu And Ram Usage
This procedure is only available from the WebUI. To display display average CPU and RAM usage: É Log into the IX40 WebUI as a user with full Admin access rights. 1. If you have not already done so, enable intelliFlow. See Enable intelliFlow.
Page 901: Use Intelliflow To Display Top Data Usage Information
Top data usage by server Top data usage by service To generate a top data usage chart: É Log into the IX40 WebUI as a user with full Admin access rights. 1. If you have not already done so, enable intelliFlow. See Enable intelliFlow.
Page 902 4. Change the type of chart that is used to display the data: a. Click the menu icon (É ). b. Select the type of chart. 5. Change the number of top users displayed. You can display the top five, top ten, or top twenty data users. IX40 User Guide...
Page 903: Use Intelliflow To Display Data Usage By Host Over Time
Use intelliFlow to display data usage by host over time To generate a chart displaying a host's data usage over time: É Log into the IX40 WebUI as a user with full Admin access rights. 1. If you have not already done so, enable intelliFlow. See Enable intelliFlow.
Page 904: Configure Netflow Probe
To save the chart to your local filesystem, select Export to PNG. c. To print the chart, select Print chart. Configure NetFlow Probe NetFlow probe is used to probe network traffic on the IX40 device and export statistics to NetFlow collectors. Required configuration items Enable NetFlow.
Page 905 Monitoring Configure NetFlow Probe É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 906 12. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 907 9. Add collectors: a. Add a collector: (config)> add monitoring netflow collector end (config monitoring netflow collector 0)> b. Set the IP address of the collector: (config monitoring netflow collector 0)> address ip_address (config monitoring netflow collector 0)> IX40 User Guide...
Page 908 (config monitoring netflow collector 0)> save Configuration saved. > 11. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 909: File System
File system This chapter contains the following topics: The IX40 local file system Display directory contents Create a directory Display file contents Copy a file or directory Move or rename a file or directory Delete a file or directory Upload and download files...
Page 910: The Ix40 Local File System
2. Highlight a directory and click d to open the directory and view the files in the directory. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 911: Create A Directory
For example: 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 912: Display File Contents
For example: Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 913: Move Or Rename A File Or Directory
Command line To rename a file named test.py in /etc/config/scripts to final.py: 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 914: Delete A File Or Directory
Command line To delete a file named test.py in /etc/config/scripts: 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 915: Upload And Download Files
Upload and download files To delete a directory named temp from /opt: 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 916: Upload And Download Files By Using The Secure Copy Command
IX40 device. local-path is the location on the IX40 device where the copied file will be placed. For example: To copy firmware from a remote host with an IP address of 192.168.4.1 to the /etc/config directory on the IX40 device, issue the following command: >...
Page 917: Upload And Download Files Using Sftp
IX40 device. For example: To copy a support report from the IX40 device to a remote host at the IP address of 192.168.4.1: 1. Use the system support-report command to generate the report: >...
Page 918 File system Upload and download files $ sftp ahmed@192.168.2.1 Password: Connected to 192.168.2.1 sftp> get test.py Fetching test.py to test.py test.py 100% 254 0.3KB/s 00:00 sftp> exit IX40 User Guide...
Page 919 Generate a support report View system and event logs Configure syslog servers Configure options for the event and system logs Analyze network traffic Use the ping command to troubleshoot network connections Use the traceroute command to diagnose IP routing problems IX40 User Guide...
Page 920: Perform A Speedtest
To perform a speedtest: Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 921: Support Report Overview
Attach the support report to any support requests. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 922 A breakdown of memory utilization at the time when the support report was generated config_dump- The device's current settings, scrubbed of passwords public and preshared keys conntrack_-L A list of all currently tracked connections through the system IX40 User Guide...
Page 923 AT commands netstat_-i Interface statistics for transmitted/ received packets netstat_-na List of both listening and non-listening network sockets on the device ps_l A snapshot of the current processes running at the time of generating the report IX40 User Guide...
Page 924 Rollover syslog information /var/run This directory can be disregarded for most troubleshooting/ diagnostic purposes. Directory Filename Notes /var/run all files Runtime settings for the device -- referenced in the syslog data gathered in /tmp (see above) IX40 User Guide...
Page 925: View System And Event Logs
View System Logs É Log into the IX40 WebUI as a user with full Admin access rights. 1. On the main menu, click System > Logs. The system log displays: 2. Limit the display in the system log by using the Find search tool.
Page 926 4. Click to download the system log. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 927: View Event Logs
5. Click to download the event log. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 928 Nov 26 22:01:25 info user name=admin~service=cli~state=closed~remote=192.168.1.2 > 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 929: Configure Syslog Servers
Configure syslog servers You can configure remote syslog servers for storing event and system logs. É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 930 5. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 931: Configure Options For The Event And System Logs
30 minutes. All event categories are enabled. To change or disable the heartbeat interval, or to disable event categories, and to perform other log configuration: É IX40 User Guide...
Page 932 Diagnostics Configure options for the event and system logs 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 933 9. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 934 Configure options for the event and system logs 4. Enable preserve system logs functionality to save the current session's system log after a reboot. By default, the IX40 device erases system logs each time the device is powered off or rebooted.
Page 935 7. Save the configuration and apply the change (config)> save Configuration saved. > 8. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 936: Analyze Network Traffic
Analyze network traffic Analyze network traffic The IX40 device includes a network analyzer tool that captures data traffic on any interface and decodes the captured data traffic for diagnostics. You can capture data traffic on multiple interfaces at the same time and define capture filters to reduce the captured data. You can capture up to 10 MB of data traffic in two 5 MB files per interface.
Page 937: Configure Packet Capture For The Network Analyzer
The frequency with which captured events will be saved. To configure a packet capture configuration: É 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 938 Click Ignore this IP address or network if the filter should ignore packets from this IP address/network. By default, is option is disabled, which means that the filter will capture packets from this IP address/network. vi. Click g to add additional IP address/network filters. IX40 User Guide...
Page 939 Click Ignore this VLAN if the filter should ignore packets that use this port. By default, is option is disabled, which means that the filter will capture packets that use this port. v. Click g to add additional VLAN filters. IX40 User Guide...
Page 940 Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Save interval to ten minutes, enter 10m or 600s. 9. Click Apply to save the configuration and apply the change. Command line IX40 User Guide...
Page 941 Diagnostics Analyze network traffic 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 942 If other is set for the protocol, set the number of the protocol: (config network analyzer name filter protocol 0)> protocol_other value (config network analyzer name filter protocol 0)> where value is an integer between 1 and 255 and represents the the number of the protocol. IX40 User Guide...
Page 943 To create a filter that either captures or ignores packets from one or more specified MAC addresses: i. Add a new MACaddress filter: (config network analyzer name )> add filter mac_address end (config network analyzer name filter mac_address 0)> IX40 User Guide...
Page 944 By default, is option is set to false, which means that the filter will capture packets from this MACaddress. iv. Repeat these steps to add additional VLANs. f. To create a filter using Berkeley Packet Filter (BPF) syntax: IX40 User Guide...
Page 945 (config network analyzer name )> duration value (config network analyzer name )> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set duration to ten minutes, enter either 10m or 600s: IX40 User Guide...
Page 946: Example Filters For Capturing Data Traffic
Capture traffic for a particular IP protocol: ip proto protocol where protocol is a number in the range of 1 to 255 or one of the following keywords: icmp, icmp6, igmp, pim, ah, esp, vrrp, udp, or tcp. IX40 User Guide...
Page 947: Capture Packets From The Command Line
To start packet capture from the command line: Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. IX40 User Guide...
Page 948: Stop Capturing Packets
To stop packet capture from the command line: Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 949: Show Captured Traffic Data
To show captured data traffic: Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 950: Save Captured Data Traffic To A File
Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 951: Download Captured Data To Your Pc
3. Select the saved analyzer report you want to download and click (download). Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 952: Clear Captured Data
Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 953: Use The Ping Command To Troubleshoot Network Connections
Ping to check internet connection To check your internet connection: 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 954 (www.google.com) through the default gateway. The command output shows that 15 routing hops were required to reach the host: 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 955: Digi Ix40 Regulatory And Safety Statements
Radio Frequency Interference (RFI) (FCC 15.105) The Digi IX40 has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCCRules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
Page 956 Digi IX40 regulatory and safety statements European Community - CEMark Declaration of Conformity (DoC) Digi customers assume full responsibility for learning and meeting the required guidelines for each country in their distribution market. Refer to the radio regulatory agency in the desired countries of operation for more information.
Page 957: Maximum Transmit Power For Radio Frequencies
Digi IX40 regulatory and safety statements Maximum transmit power for radio frequencies Maximum transmit power for radio frequencies The following tables show the maximum transmit power for frequency bands. Cellular frequency bands Frequency bands Maximum transmit power Cellular LTE 700 MHz...
Page 958: Rohs Compliance Statement
However, cellular-based products contain radio devices which require specific consideration. Take the time to read and understand the following guidance. Digi International assumes no liability for an end user’s failure to comply with these precautions.
Page 959: Product Disposal Instructions
At the end of its life this product MUST NOT be mixed with other commercial waste for disposal. Check with the terms and conditions of your supplier for disposal information. Digi International Ltd WEEE Registration number: WEE/HF1515VU IX40 User Guide...
Page 960: Safety Warnings
У в е ре т е с е , ч е з а х ра нв а щ ия т ка бе л е с в ъ рз а н къ м конт а кт с ъ с з а з е м ит е л на в ръ з ка . IX40 User Guide...
Page 961: Croatian--Hrvatski
j edinicu ni u jednom zrakoplovu. Rad ove opreme u stambenom okruženju mogao bi prouzročiti radio smetnje. Za okolne temperature iznad 60 ° C, ova oprema mora biti instalirana samo na mjestu s ograničenim pristupom. IX40 User Guide...
Page 962: French--Français
τ ο χ ρ ήσ τ η. Μην αν οίγ ετ ε ποτ έ τ ον εξ οπλισ μό. Γ ια λόγ ους ασ φαλείας , ο εξ οπλισ μός πρ έπει ν α αν οίγ ει μόν ο από εξ ειδικευμέν ο πρ οσ ωπικό. IX40 User Guide...
Page 963: Hungarian--Magyar
A berendezés lakókörnyezetben történő működtetése rádiózavarokat okozhat. 60 ° Cfeletti környezeti hőmérséklet esetén ezt a berendezést csak korlátozott hozzáférésű helyre kell telepíteni. Italian--Italiano Assicurarsi che il cavo di alimentazione sia collegato ad una presa con messa a terra. IX40 User Guide...
Page 964: Latvian--Latvietis
Drošības apsvērumu dēļ aprīkojumu drīkst atvērt tikai kvalificēts personāls. Iekārtai jābūt izslēgtai, ja notiek spridzināšana, sprādzienbīstama vide vai medicīnas vai dzīvības uzturēšanas aprīkojuma tuvumā. Nevienā lidmašīnā neieslēdziet ierīci. Šīs ierīces darbība dzīvojamā vidē var izraisīt radio traucējumus. IX40 User Guide...
Page 965: Lithuanian--Lietuvis
20 cm. To urządzenie nie zawiera żadnych części, które mogą być naprawiane przez użytkownika. Nigdy nie otwieraj urządzenia. Ze względów bezpieczeństwa urządzenie powinno być otwierane wyłącznie przez wykwalifikowany personel. IX40 User Guide...
Page 966: Portuguese--Português
A operação deste equipamento em um ambiente residencial pode causar interferência de rádio. Para temperaturas ambientes acima de 60 ° C, este equipamento deve ser instalado apenas em locais de acesso restrito. Slovak--Slovák Uistite sa, že je napájací kábel pripojený k zásuvke so zemniacim pripojením. IX40 User Guide...
Page 967: Slovenian--Esloveno
Enoto je treba izklopiti tam, kjer poteka razstreljevanje, kjer so prisotne eksplozivne atmosfere ali v bližini medicinske opreme ali opreme za vzdrževanje življenja. Enote ne vklopite v nobenem letalu. Delovanje te opreme v stanovanjskem okolju lahko povzroči radijske motnje. IX40 User Guide...
Page 968: Spanish--Español
Para temperaturas ambiente superiores a 60 ° C, este equipo debe instalarse únicamente en una ubicación de acceso restringido. Digi IX40 Certifications You can review certification information for the IX40 on the Digi Certifications page. International EMC (Electromagnetic Compatibility) and safety...
Page 969 Digi IX40 Certifications International EMC(Electromagnetic Compatibility) and safety standards There are no user-serviceable parts inside the product. Contact your Digi representative for repair information. Certification category Standards EN 300 328 v1.8.1 Electromagnetic Compatibility (EMC) compliance standards EN 301 893 v1.7.2...
Page 970: Command Line Interface
Auto-complete commands and parameters Available commands Use the scp command Display status and statistics using the show command Device configuration using the command line interface Execute configuration commands at the root Admin CLI prompt Configuration mode Command line reference IX40 User Guide...
Page 971: Access The Command Line Interface
Log in to the command line interface Command line 1. Connect to the IX40 device by using a serial connection, SSH or telnet, or the Terminal in the WebUI or the Console in the Digi Remote Manager. See Access the command line interface more information.
Page 972: Exit The Command Line Interface
1. At the main menu, click Terminal. The device console appears. IX40 login: 2. Select the device in Remote Manager and click Actions > Open Console, or log into the IX40 local command line as a user with full Admin access rights.
Page 973 Command line interface Execute a command from the web interface Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. The Admin CLI prompt appears. > IX40 User Guide...
Page 974: Display Help For Commands And Parameters
Display help for commands and parameters The help command When executed from the root command prompt, help displays information about autocomplete operations, how to move the cursor on the IX40 command line, and other keyboard shortcuts: > help Commands ------------------------------------------------------------------------------- Show commands help <Tab>...
Page 975: Display Help For Individual Commands
Show web filter information. > show Use the Tab key or the space bar to display abbreviated help When executed from the root command prompt, pressing the Tab key or the space bar displays an abbreviated list of available commands: IX40 User Guide...
Page 976: Auto-Complete Commands And Parameters
Parameter values, where the value is one of an enumeration or an on|off type; for example: (config)> serial port1 enable t<Tab> auto-completes to (config)> serial port1 enable true Auto-complete does not function for: Parameter values that are string types. Integer values. File names. Select parameters passed to commands that perform an action. IX40 User Guide...
Page 977: Available Commands
Pings a remote host using Internet Control Message Protocol (ICMP) Echo Request messages. poweroff Powers off the system. reboot Reboots the IX40 device. Removes a file. Uses the secure copy protocol (SCP) to transfer files between the IX40 device and a IX40 User Guide...
Page 978: Use The Scp Command
The hostname or IP address of the remote host. The username and password of the user on the remote host. Whether the file is being copied to the IX40 device from a remote host, or to the remote host from the IX40 device.
Page 979: Display Status And Statistics Using The Show Command
IX40 device. For example: To copy a support report from the IX40 device to a remote host at the IP address of 192.168.4.1: 1. Use the system support-report command to generate the report: >...
Page 980: Show Config
"445" > show system show system command displays system information and statistics for the device, including CPU usage. > show system Model : Digi IX40 Serial Number : IX40xxxxxxxxyyyyxx : IX40 Hostname : IX40 MAC Address : DF:DD:E2:AE:21:18...
Page 981: Device Configuration Using The Command Line Interface
For example, to disable the SSH service from the root prompt, enter the following command: > config service ssh enable false > The IX40 device's ssh service is now disabled. Note When the config command is executed at the root prompt, certain configuration actions that are available in configuration mode cannot be performed.
Page 982 Web administration > config service 3. Next, display help for the config service ssh command: > config service ssh ? SSH: An SSH server for managing the device. Parameters Current Value -------------------------------------------------------------------------- enable true Enable [private] Private key IX40 User Guide...
Page 983: Configuration Mode
For example, to disable the ssh service by entering the full command string at the config prompt: (config)> service ssh enable false (config)> Execute commands by moving through the configuration schema. For example, to disable the ssh service by moving through the configuration and then executing the enable false command: IX40 User Guide...
Page 984: Save Changes And Exit Configuration Mode
The commands can be listed by entering a question mark (?) at the config prompt. The following actions are available: Configuration actions Description cancel Discards unsaved configuration IX40 User Guide...
Page 985: Display Command Line Help In Configuration Mode
1. Enter ?at the config prompt: (config)> ? This will display the following help information: (config)> ? Additional Configuration -------------------------------------------------------------------------- application Custom scripts auth Authentication cloud Central management firewall Firewall monitoring Monitoring network Network serial Serial service Services system System IX40 User Guide...
Page 986 3. Next, to display help for the service ssh command, use one of the following methods: At the config prompt, enter service ssh ?: (config)> service ssh ? At the config prompt: a. Enter service to move to the service node: (config)> service (config service)> IX40 User Guide...
Page 987 (config)> service (config service)> b. Enter ssh to move to the ssh node: (config service)> ssh (config service ssh)> c. Enter enable ?to display help for the enable parameter: (config service ssh)> enable ? (config service ssh)> IX40 User Guide...
Page 988: Move Within The Configuration Schema
(config service ssh acl zone)> .. (config service ssh acl)> You can also move back multiples nodes in the configuration by typing multiple sets of two periods: (config service ssh acl zone)> ..(config service)> IX40 User Guide...
Page 989: Manage Elements In Lists
For example, to add an authentication group to a user that has just been created: 1. Use the show command to verify that the user is not currently a member of any groups: (config)> show auth user new-user group (config)> IX40 User Guide...
Page 990 Use the move command to reorder elements in a list. For example, to reorder the authentication methods: 1. Use the show command to display current authentication method configuration: (config)> show auth method 0 local 1 tacacs+ 2 radius (config)> IX40 User Guide...
Page 991: The Revert Command
(config)> The revert command The revert command is used to revert changes to the IX40 device's configuration and restore default configuration settings. The behavior of the revert command varies depending on where in the configuration hierarchy the command is executed, and whether the optional path parameter is used.
Page 992 You can also use a combination of both of these methods: 1. Change to the auth node: (config)> auth (config auth)> 2. Enter the revert command with the path set to method: (config auth)> revert method (config auth)> IX40 User Guide...
Page 993: Enter Strings In Configuration Commands
(config)> system description "Digi IX40" Example: Create a new user by using the command line In this example, you will use the IX40 command line to create a new user, provide a password for the user, and assign the user to authentication groups.
Page 994 0 port1 shell enable false (config auth user user1)> 6. Add the user to the admin group: (config auth user user1)> add group end admin (config auth user user1)> IX40 User Guide...
Page 995 (config auth user user1)> save Configuration saved. > 8. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX40 User Guide...
Page 996: Command Line Reference
<name> Parameters name: Name of the capture filter to use. analyzer stop Stops the traffic capture session. Syntax analyzer stop <name> Parameters name: Name of the capture filter to use. View the contents of a file. IX40 User Guide...
Page 997: Clear Dhcp-Lease Ip-Address
Filepath for container image to be created. . container delete Delete a LXCcontainer. This will remove the LXCcontainer configuration and the container image. Syntax container delete <container> Parameters container: Filepath for container image to be deleted. This process also removes any associated configuration. IX40 User Guide...
Page 998: Grep
Do not ask to overwrite the destination file if it exists. grep Grep the contents of a file. Syntax grep <match> <path> Parameters match: Output all lines in file matching string. path: The file to grep. help Show CLI editing and navigation commands. Syntax help Parameters None IX40 User Guide...
Page 999 Command line interface Command line reference List a directory. Syntax ls <path> [ show-hidden ] Parameters path: List files and directories under this path. show-hidden: Show hidden files and directories. Hidden filenames begin with '.'. IX40 User Guide...
Page 1000: Mkdir
The configured name of the modem to execute this CLI command on. imei: The IMEI of the modem to execute this CLI command on. modem firmware list List modem firmware files found in the /opt/[MODEM_MODEL]/ directory. IX40 User Guide 1000...

Digi IX40 User Manual

Quick Links

Need help?

Questions and answers

Subscribe to Our Youtube Channel

Related Manuals for Digi IX40

Summary of Contents for Digi IX40