Page 2
Release of Digi IX20 firmware version 22.11: December 2022 Updated the Linux kernel to version 5.19. The intelliFlow feature now integrates with Digi Remote Manager to provide aggregated insights and analytics for all Digi devices in your environment. Added an MQTT broker service, including support for: Multiple MQTT clients with unique topics and authentication credentials.
Page 3
Revision Date Description Redesigned Surelink configuration settings. Added show surelink state Admin CLI command to display the overall pass/fail status of enabled Surelink tests. WAN bonding Added options for WAN bonding configuration to set modes for the bonded tunnel and for each bonded interface.
Page 4
Release of Digi IX20 firmware version 23.9: October 2023 Register a device to DRM: Added a link to the Dashboard of the local web UI to register and add the device to Digi Remote Manager. Updated Dashboard: Updated the layout of the Dashboard page of the...
Page 5
Configure the system watchdog. Trademarks and copyright Digi, Digi International, and the Digi logo are trademarks or registered trademarks in the United States and other countries worldwide. All other trademarks mentioned in this document are the property of...
Page 6
Information in this document is subject to change without notice and does not represent a commitment on the part of Digi International. Digi provides this document “as is,” without warranty of any kind, expressed or implied, including, but not limited to, the implied warranties of fitness or merchantability for a particular purpose.
Digi IX20 Quick Start Step 1: Connect your device Apply Dielectric Grease over SIM Contacts Step 2: Connect DC power Step 3: Set up access to Digi Remote Manager Step 4: Register your device Step 5: Complete setup Step 6: Configure cellular APN...
Page 8
Proxy server method VPN Tunnel method Log into Digi Remote Manager Use Digi Remote Manager to view and manage your device Add a device to Remote Manager Add a device to Remote Manager using information from the label Add a device to Remote Manager using your Remote Manager login credentials...
Page 9
Configure Remote Access mode Configure Application mode Configure PPP dial-in mode Configure UDP serial mode Configure Modem emulator mode Configure Modbus mode Configure RealPort mode using the Digi Navigator Installation and configuration process Digi Navigator features Install the Digi Navigator...
Page 10
Configure RealPort on a Digi device from the Digi Navigator Digi Navigator application features Advanced RealPort configuration without using the Digi Navigator Windows Operating System Linux Operating System Download the RealPort driver Configure RealPort on your laptop Configure the serial port for RealPort mode...
Page 11
Configure dynamic DNS Virtual Router Redundancy Protocol (VRRP) VRRP+ Configure VRRP Configure VRRP+ Example: VRRP/VRRP+ configuration Configure device one (master device) Configure device two (backup device) Show VRRP status and statistics Virtual Private Networks (VPN) IPsec IPsec data protection IPsec mode IPsec modes Internet Key Exchange (IKE) settings Authentication...
Page 12
Configure telnet access Configure DNS Show DNS server WAN bonding Use Digi Remote Manager to enable and configure WAN bonding on multiple devices Configure WAN bonding on your local device Show WAN bonding status and statistics Simple Network Management Protocol (SNMP)
Page 13
Example: Set the LTE connection indicator to flashing purple Set up the IX20 to automatically run your applications Configure scripts to run automatically Show script information Stop a script that is currently running Start an interactive Python session Run a Python application at the shell prompt Configure scripts to run manually Task one: Upload the application Task two: Configure the application to run automatically...
Page 14
Configure web filtering with manual DNS servers Verify your web filtering configuration Show web filter service information Containers Use Digi Remote Manager to deploy and run containers Use an automation to start the container Upload a new LXC container Configure a container...
Page 15
Save configuration to a file 1031 Restore the device configuration 1032 Schedule system maintenance tasks 1035 Disable device encryption 1041 Re-enable cryptography after it has been disabled. 1041 Configure the speed of your Ethernet ports 1043 Configure the system watchdog 1045 Monitoring intelliFlow...
Page 16
Ping to check internet connection 1114 Stop ping commands 1114 Use the traceroute command to diagnose IP routing problems 1114 Digi IX20 regulatory and safety statements RF exposure statement 1116 Federal Communication (FCC) Part 15 Class B 1116 Radio Frequency Interference (RFI) (FCC 15.105)
Page 17
show config 1141 show system 1141 show network 1142 Device configuration using the command line interface 1142 Execute configuration commands at the root Admin CLI prompt 1142 Display help for the config command from the root Admin CLI prompt 1142 Configuration mode 1144 Enable configuration mode...
Page 18
monitoring 1167 monitoring metrics upload 1167 more 1167 1167 ping 1167 poweroff 1168 reboot 1168 1168 1169 show analyzer 1169 show arp 1169 show cloud 1169 show config 1170 show containers 1170 show dhcp-lease 1170 show dns 1170 show eth 1170 show event 1171...
Page 19
1180 system backup 1180 system cloud register 1180 system disable-cryptography 1181 system duplicate-firmware 1181 system factory-erase 1181 system find-me 1181 system firmware ota check 1181 system firmware ota list 1182 system firmware ota update 1182 system firmware update 1182 system power ignition off_delay 1182 system restore 1183...
What's new in Digi IX20 version 23.12 Release of Digi IX20 firmware version 23.12: Updated Active SIM slot definition: Configure cellular modem. FIPS feature is available for all DAL devices. Enable FIPS mode Link OSPF routes through a DMVPN tunnel and allow for redirection of packets between spokes.
If the IX20 device is used in an environment with high vibration levels, SIM card contact fretting may cause unexpected SIM card failures. To protect the SIM cards, Digi strongly recommends that you apply a thin layer of dielectric grease to the SIM contacts prior to installing the SIM cards.
Apply Dielectric Grease over SIM Contacts Note Digi recommends using either the Loctite® LB 8423 Dielectric Grease or Synco Lube® Silicone Dielectric Grease. a. Use a sheet of paper or cardboard over the area where you intend to work.
Page 23
Digi IX20 Quick Start Apply Dielectric Grease over SIM Contacts 2. Attach cellular antennas. Securely finger tighten each antenna to the threaded barrel using the nut at the base of the antenna. 3. Use an Ethernet cable to connect the IX20's WAN/ETH1 port to the internet, such as a home internet router or LAN Ethernet port in an office environment.
Step 2: Connect DC power Step 3: Set up access to Digi Remote Manager If you already have a Digi Remote Manager account, skip to Register your device. If you prefer to configure the device locally rather than using Remote Manager, see...
Digi IX20 Quick Start Step 6: Configure cellular APN If you installed a SIM in step 1, the device will attempt to set up the APN automatically. However, if your SIM was set up with a custom APN, you will need to configure it manually: 1.
ERASE button again to also remove generated certificates and keys. 3. Firmware reversion: Press and hold the ERASE button and then power on the Digi IX20 to boot to the version of firmware that was used prior to the current version. LEDs...
Digi IX20 hardware reference IX20 LEDs Power No power. Solid green Device has power The WAN/ETH1 Ethernet port not connected. Flashing green The WAN/ETH1 Ethernet port is connecting. Solid green The WAN/ETH1 Ethernet port is connected and has activity. Wi-Fi Service (IX20W model only) No Wi-Fi access points or Wi-Fi clients are enabled.
Digi IX20 hardware reference IX20 LEDs SIM1 Indicates that SIM1 is in use. SIM1 not in use. Solid green SIM1 is in use. SIM2 Indicates that SIM2 is in use. SIM2 not in use. Solid green SIM2 is in use.
Digi IX20 hardware reference IX20 LEDs Alternating Red/yellow (or orange) Upgrading firmware. WARNING! DO NOT POWER OFF DURING FIRMWARE UPGRADE. 1. Or an unknown type of cellular network. Signal quality indicators LEDs labeled 1 through 5 Indicate the cellular service quality level.
Solid green: 10/100 Mbps link detected. Signal quality bars explained The signal status bars for the Digi IX20 measure more than simply signal strength. The value reported by the signal bars is calculated using an algorithm that takes into consideration the Reference Signals Received Power (RSRP), the Signal-to-noise ratio (SNR), and the Received Signal Strength Indication (RSSI) to provide an accurate indicator of the quality of the signal that the device is receiving.
Use the included power supply (part number 24000154). If you are providing the DC power source with a non-Digi power supply, you must use a certified LPS power supply rated at either 12 VDC/0.75 A or 24 VDC/0.375 A minimum. The voltage tolerance supports +/- 10% (9 VDC to 30 VDC) at 9 Watts minimum.
Page 33
Digi IX20 hardware reference Configuration for extreme thermal conditions 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Digi IX20 hardware reference QR code definition Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 35
Digi IX20 hardware reference QR code definition
QR code items: Semicolon separated list of:
ProductName;DeviceID;Password;SerialNumber;SKUPartNumber-SKUPartRevision
Example:
IX20;00000000-00000000-112233FF-FF445566;PW1234567890;50001001-00
Digi IX20 hardware setup This chapter contains the following topics: Install SIM cards in the Plug-in LTE modem Connect data cables Mount the IX20 device
If the IX20 device is used in an environment with high vibration levels, SIM card contact fretting may cause unexpected SIM card failures. To protect the SIM cards, Digi strongly recommends that you apply a thin layer of dielectric grease to the SIM contacts prior to installing the SIM cards.
8. Affix the cellular antennas to the two connectors protruding from the device. Apply Dielectric Grease over SIM Contacts Note Digi recommends using either the Loctite® LB 8423 Dielectric Grease or Synco Lube® Silicone Dielectric Grease. 1. Use a sheet of paper or cardboard over the area where you intend to work.
Move the device to another location. Try connecting a different set of antennas, if available. Purchase a Digi Antenna Extender Kit: Antenna Extender Kit, Connect data cables The IX20 supports two types of data ports: Ethernet (RJ-45): Use a Cat 5e or Cat 6 Ethernet cable.
Digi IX20 hardware setup Mount the IX20 device 1. Attach the DIN rail clip to the bottom of the device with the screws provided. 2. Set the IX20 device onto a DIN rail and gently press until the clip snaps into the rail.
Page 41
3. Set the bracket with the clip onto a DIN rail and gently press until the clip snaps into the rail. WARNING! If being installed above head height on a wall or ceiling, ensure the device is fitted securely to avoid the risk of personal injury. Digi recommends that this device be installed by an accredited contractor.
Page 42
Change the default password for the admin user Change the default SSID and pre-shared key for the preconfigured Wi-Fi access point Configuration methods Using Digi Remote Manager Using the local web interface Use the local REST API to configure the IX20 device...
Firmware configuration Review IX20 default settings You can review the default settings for your IX20 device by using the local WebUI or Digi Remote Manager: Local WebUI 1. Log into the IX20 WebUI as a user with Admin access. See Using the local web interface for details.
(Wi-Fi Wi-Fi access interface model only) point: Digi
Other default configuration settings
Feature: Configuration
Central management: Digi Remote Manager enabled as the central management service.
Security policies: Packet filtering allows all outbound traffic. SSH and web administration:...
To enable Primary Responder mode: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. On the Dashboard, verify the current firmware version installed on the device. In the Device section, look at the Firmware Version field and verify that the version is 23.9.x or above.
To change the default password for the admin user: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 48
Firmware configuration Change the default password for the admin user a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > Users > admin. 4. Enter a new password for the admin user. The password must be at least eight characters long and must contain at least one uppercase letter, one lowercase letter, one number, and one special character.
Differences between standard firmware operation and Primary Responder mode. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 50
On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Wi-Fi > Digi AP. 4. Enter a new SSID and Pre-shared key. 5. Click Apply to save the configuration and apply the change.
Note Changes made to the device's configuration by using the local web interface will not be automatically reflected in Digi Remote Manager. You must manually refresh Remote Manager for the changes to be displayed. Web-based instructions in this guide are applicable to both the Remote Manager and the local web interface.
Shows how to perform a task by using the command line interface. Using Digi Remote Manager By default, your IX20 device is configured to use Digi Remote Manager as its central management server. Devices must be registered with Remote Manager using one of the following options: As part of the getting started process.
Provides information about the signal strength and technology of the cellular modem(s).
Digi Remote Manager: Displays the device connection status for Digi Remote Manager, the amount of time the connection has been up, and the Digi Remote Manager device ID.
Page 54
Firmware configuration Use the local REST API to configure the IX20 device To determine allowed values for path from the Admin CLI: 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Firmware configuration Use the local REST API to configure the IX20 device
For example, to use curl to return the ssh configuration:
$ curl -k -u admin https://192.168.210.1/cgi-bin/config.cgi/value/service/ssh -X GET
Enter host password for user 'admin':
{ "ok": true, "result": { "type": "object", "path": "service.ssh"...
Firmware configuration Use the local REST API to configure the IX20 device
path is the path to the configuration parameter, in dot notation (for example, service.ssh.enable). new_value is the new value for the parameter.
For example, to disable the ssh service using curl:
$ curl -k -u admin "https://192.168.210.1/cgi-bin/config.cgi/value?path=service.ssh.enable&value=false"...
Page 57
Firmware configuration Use the local REST API to configure the IX20 device
"result": {
  "type": "array",
  "path": "service.ssh.acl.zone",
  "collapsed": {
    "0": "internal",
    "1": "edge",
    "2": "ipsec",
    "3": "setup",
    "4": "external"
2. Use the DELETE method to remove the external zone (list item 4).
$ curl -k -u admin "https://192.168.210.1/cgi-bin/config.cgi/value?path=service.ssh.acl.zone.4" -X DELETE
Enter host password for user 'admin':...
You can use open-source terminal software, such as PuTTY or TeraTerm, to access the device through one of these mechanisms. You can also access the command line interface in the WebUI by using the Terminal, or the Digi Remote Manager by using the Console.
Firmware configuration Using the command line The default username is admin. The default unique password for your device is printed on the device label. 3. Depending on the device configuration, you may be presented with another menu, for example: Access selection menu: a: Admin CLI s: Shell q: Quit...
Configure your device for Digi Remote Manager support Reach Digi Remote Manager on a private network Log into Digi Remote Manager Use Digi Remote Manager to view and manage your device Add a device to Remote Manager Configure multiple IX20 devices by using Digi Remote Manager configurations...
This URL is required to utilize the client-side certificate support. Prior to release 22.2.9.x, the default URL was my.devicecloud.com. If your Digi device is configured to use a non-default URL to connect to Remote Manager, updating the firmware will not change your configuration. However, if you erase the device's configuration, the Remote Manager URL will change to the default of edp12.devicecloud.com.
Page 62
HTTP proxy server support. To configure your device's Digi Remote Manager support: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 63
Configure your device for Digi Remote Manager support 3. Click Central management. The Central management configuration window is displayed. Digi Remote Manager support is enabled by default. To disable, toggle off Enable central management. 4. For Service, select Digi Remote Manager.
Page 64
Central management Configure your device for Digi Remote Manager support Allowed values are any number of hours, minutes, or seconds, and take the format number {h|m|s}. For example, to set Cellular keep-alive interval to ten minutes, enter 10m or 600s.
Page 65
2. At the command line, type config to enter configuration mode: > config (config)> 3. Digi Remote Manager support is enabled by default. To disable Remote Manager support: (config)> cloud enable false (config)> 4. (Optional) Set the URL for the central management server.
Page 66
7. (Optional) Set the amount of time that the IX20 device should wait between sending keep-alive messages to the Digi Remote Manager when using a cellular interface. Allowed values are from 30 seconds to two hours. The default is 290 seconds.
Page 67
14. (Optional) Configure the IX20 device to communicate with remote cloud services by using SMS: a. Enable SMS messaging: (config)> cloud drm sms enable true (config)> b. Set the phone number for Digi Remote Manager: (config)> cloud drm sms destination value (config)> where value is either:...
To disable the collection of device health data or enable it if it has been disabled, or to change the health sample interval: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 69
3. Click Monitoring > Device Health. 4. (Optional) Click to expand Data point tuning. Data point tuning options allow you to configure what data are uploaded to the Digi Remote Manager. All options are enabled by default. 5. Only report changed values to Digi Remote Manager is enabled by default.
Page 70
1, 5, 15, 30, or 60, and represents the number of minutes between uploads of health sample data. 5. By default, the device will only report health metrics values to Digi Remote Manager that have changed since health metrics were last uploaded. This is useful to reduce the bandwidth used to report health metrics.
To enable the event log upload, or disable it if it has been disabled, and to change the upload interval: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights.
Page 72
Central management Configure your device for Digi Remote Manager support a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
The device is capable of connecting through an HTTP proxy, such as Squid, but it is up to the network administrator to decide which HTTP proxy type to use. To enable a proxy server and enter the server and port in Digi Remote Manager, see step 17 in Configure your device for Digi Remote Manager support.
Central management Log into Digi Remote Manager To see instructions for setting up Squid and then configuring a device (not DAL) to reach Digi Remote Manager, see the Digi Quick Note, Connecting to Digi Remote Manager Through Web Proxy. Though this Quick Note references older technology and device types, it may provide a network administrator with concrete examples from which they can draw correlations to newer technology and devices.
Use Digi Remote Manager to view and manage your device To view and manage your device: 1. If you have not already done so, connect to your Digi Remote Manager account. 2. From the menu, click Devices to display a list of your devices.
4. For Digi Remote Manager Username, type your Remote Manager username. 5. For Digi Remote Manager Password, type your Remote Manager password. 6. For Digi Remote Manager Group (optional), type the group to which the device will be added, if needed.
Configure multiple IX20 devices by using Digi Remote Manager configurations Digi recommends you take advantage of Remote Manager configurations to manage multiple IX20 devices. A Remote Manager configuration is a named set of device firmware, settings, and file system options. You use the configuration to automatically update multiple devices and to periodically scan devices to check for compliance with the configuration.
Digi Remote Manager provides multiple methods for applying configurations to registered devices. You can also include site-specific settings with a profile to override settings on a device-by-device basis. View Digi Remote Manager connection status To view the current Digi Remote Manager connection status from the local device:
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Learn more To learn more about Digi Remote Manager features and functions, see the Digi Remote Manager User Guide.
Interfaces IX20 devices have several physical communications interfaces. These interfaces can be bridged in a Local Area Network (LAN) or assigned to a Wide Area Network (WAN). This chapter contains the following topics: Wide Area Networks (WANs) Local Area Networks (LANs) Virtual LANs (VLANs) Bridging Show SureLink status and statistics...
Configured WAN and WWAN interfaces. This example uses the preconfigured ETH1 and Modem interfaces. The metric for each WAN. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 83
Interfaces Wide Area Networks (WANs) Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Set the metrics for Modem: a. Click Network > Interfaces > Modem > IPv4. b. For Metric, type 1. c.
Page 84
Interfaces Wide Area Networks (WANs) 5. Click Apply to save the configuration and apply the change. The IX20 device is now configured to use the cellular modem WWAN, Modem, as its highest priority WAN, and its Ethernet WAN, ETH1, as its secondary WAN. ...
If your device is operating on a private APN or on a wired network with firewall restrictions, ensure that the DNS servers on your private network allow DNS lookups for https://remotemanager.digi.com; otherwise, the SureLink DNS query test will fail and the IX20 device will determine that the interface is down.
WAN has failed, because the connection continues to work while the core problem exists somewhere else in the network. Using Digi SureLink, you can configure the IX20 device to regularly probe connections through the WAN to determine if the WAN has failed, and to perform recovery actions, such as changing the interface metric to use a new default gateway.
Page 87
Otherwise, the device will reboot and all recovery actions listed after the Reboot Device action will be ignored. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 88
Interfaces Wide Area Networks (WANs) a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces. 4. Create a new WAN or WWAN or select an existing one: To create a new WAN or WWAN, see Configure a Wide Area Network (WAN) or Configure a Wireless Wide Area Network...
Page 89
Interfaces Wide Area Networks (WANs) 7. (Optional) If more than one test target is configured, for Success condition, select either: One test passes: Only one test needs to pass for SureLink to consider an interface to be up. All test pass: All tests need to pass for SureLink to consider the interface to be up. 8.
Page 90
Interfaces Wide Area Networks (WANs) HTTP test: Uses HTTP(s) GET requests to determine connectivity to the configured web server. If HTTP test is selected, complete the following: Web server: The URL of the web server. Test DNS servers configured for this interface: Tests communication with DNS servers that are either provided by DHCP, or statically configured for this interface.
Page 91
Interfaces Wide Area Networks (WANs) Down: The test will pass only if the referenced interface is down or failing its own SureLink tests (if applicable). e. Repeat for each additional test. 11. Add recovery actions: a. Click to expand Recovery actions. By default, there are two preconfigured recovery actions: Update routing: Uses the Change default gateway action, which increases the interface's metric by 100 to change the default gateway.
Page 92
Interfaces Wide Area Networks (WANs) Override wait interval before performing the next recovery action: The time to wait before the next test is run. If set to the default value of 0s, the Test interval is used. Switch to alternate SIM: Switches to an alternate SIM. This recovery action is available for WWAN interfaces only.
Page 93
Interfaces Wide Area Networks (WANs) For example, to set Delayed start to ten minutes, enter 10m or 600s. The default is 300 seconds. c. For Backoff interval, type the time to add to the test interval when restarting the list of actions.
Page 94
Interfaces Wide Area Networks (WANs) To add additional tests: a. Add a test: (config network interface my_wan)> add surelink tests end (config network interface my_wan surelink tests 1)> b. New tests are enabled by default. To disable: (config network interface my_wan surelink tests 1)> enable false (config network interface my_wan surelink tests 1)>...
Page 95
Interfaces Wide Area Networks (WANs) Set the number of bytes to send as part of the ping payload: (config network interface my_wan ipsec tunnel ipsec_example surelink tests 1)> ping_size int (config network interface my_wan surelink tests 1)> dns: Performs a DNS query to the named DNS server. If dns is set, set the IPv4 or IPv6 address of the DNS server: (config network interface my_wan surelink tests 1)>...
Page 96
Interfaces Wide Area Networks (WANs) where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set interface_timeout to ten minutes, enter either 10m or 600s: (config network interface my_wan surelink tests 1)> interface_timeout 600s (config)>...
Page 97
Interfaces Wide Area Networks (WANs) (config network interface my_wan surelink tests 1)> other_interface ii. Set the interface. For example: (config network interface my_wan surelink tests 1)> other_interface /network/interface/eth1 (config network interface my_wan surelink tests 1)> Set the type of IP connection: (config network interface my_wan surelink tests 1)>...
Page 98
Interfaces Wide Area Networks (WANs) d. Create a label for the action: (config network interface my_wan surelink actions 0)> label string (config network interface my_wan surelink actions 0)> e. Set the type of recovery action. If multiple recovery actions are configured, they are performed in the order that they are listed.
Page 99
Interfaces Wide Area Networks (WANs) Set the number of failures for this recovery action to perform, before moving to the next recovery action: (config network interface my_wan surelink actions 0)> test_failures int (config network interface my_wan surelink actions 0)> The default is 3.
Page 100
Interfaces Wide Area Networks (WANs) modem_power_cycle: This recovery action is available for WWAN interfaces only. If modem_power_cycle is selected, complete the following: Set the number of failures for this recovery action to perform, before moving to the next recovery action: (config network interface my_wan surelink actions 0)>...
Page 101
Interfaces Wide Area Networks (WANs) (config network interface my_wan surelink actions 0)> custom_action_commands_modem "string" (config network interface my_wan surelink actions 0)> Set the time to wait before the next test is run. If set to the default value of 0s, the test interval is used.
Page 102
Interfaces Wide Area Networks (WANs) (config)> network interface my_wan surelink timeout value (config)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set timeout to ten minutes, enter either 10m or 600s: (config)>...
Interfaces Wide Area Networks (WANs) (config)> network interface my_wan surelink advanced interface_gateway hostname/IP_address (config)> 8. Save the configuration and apply the change (config network interface my_wan ipv4 surelink)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
Page 104
To configure the IX20 device to reboot when an interface has failed: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 105
Interfaces Wide Area Networks (WANs) 5. After creating or selecting the interface, click SureLink. By default, SureLink is enabled for the preconfigured WAN (ETH1) and WWAN (Modem). The default configuration tests the DNS servers configured for the interface. When SureLink is configured for Wireless WANs, SureLink tests are only run if the cellular modem is connected and has an IP address.
Page 106
Interfaces Wide Area Networks (WANs) New tests are enabled by default. To disable, click to toggle off Enable. b. Type a Label for the test. c. Click to toggle on IPv6 if the test should apply to IPv6 rather than IPv4. d.
Page 107
Interfaces Wide Area Networks (WANs) If Custom test is selected, complete the following: The Commands to run to test. TCP connection test: Tests that the interface can reach a destination port on the configured host. If TCP connection test is selected, complete the following: TCP connect host: The hostname or IP address of the host to create a TCP connection to.
Page 108
Interfaces Wide Area Networks (WANs) SureLink test failures: The number of failures for this recovery action to perform, before moving to the next recovery action. Increase metric to change active default gateway: Increase the interface's metric by this amount. This should be set to a number large enough to change the routing table to use another default gateway.
Page 109
Interfaces Wide Area Networks (WANs) Override wait interval before performing the next recovery action: The time to wait before the next test is run. If set to the default value of 0s, the Test interval is used. Powercycle the modem. This recovery action is available for WWAN interfaces only.
Page 110
Interfaces Wide Area Networks (WANs) 3. Create a new interface, or edit an existing one: To create a new interface, see Configure a Local Area Network (LAN), Configure a Wide Area Network (WAN), or Configure a Wireless Wide Area Network (WWAN).
Page 111
Interfaces Wide Area Networks (WANs) where value is one of: ping: Uses ICMP to determine connectivity. If ping is selected, complete the following: Set the ping_method: (config network interface my_wan surelink tests 1)> ping_method value (config network interface my_wan surelink tests 1)> where value is one of: hostname: The hostname or IP address of an external server.
Page 112
Interfaces Wide Area Networks (WANs) Set the amount of time that the interface is down before the test can be considered to have failed. (config network interface my_wan surelink tests 1)> interface_down_time value (config network interface my_wan surelink tests 1)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}.
Page 113
Interfaces Wide Area Networks (WANs) Set the TCP port to create a TCP connection to. (config network interface my_wan surelink tests 1)> tcp_port port (config network interface my_wan surelink tests 1)> other: Tests the status of another interface. If other is selected, complete the following: Set the interface to test.
Page 114
Interfaces Wide Area Networks (WANs) up: The test will pass only if the referenced interface is up and passing its own SureLink tests (if applicable). down: The test will pass only if the referenced interface is down or failing its own SureLink tests (if applicable).
Page 115
Interfaces Wide Area Networks (WANs) a. Type ... to return to the root of the configuration: (config network interface my_wan surelink actions 0)> ... (config)> b. Set the test interval between connectivity tests: (config)> network interface my_wan surelink interval value (config)>...
Interfaces Wide Area Networks (WANs) (config)> network interface my_wan surelink advanced delayed_start value (config)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set delayed_start to ten minutes, enter either 10m or 600s: (config)>...
Page 117
SureLink to disable the DNS test and use one or more other tests. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 118
WAN connections that do not allow DNS resolution, and configure alternate test. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 119
Interfaces Wide Area Networks (WANs) c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces. 4. Select the appropriate WAN or WWAN on which the default DNS test should be disabled. 5.
Page 120
Interfaces Wide Area Networks (WANs) 9. Click to add a new test. 10. Type a Label for the test. 11. Click to toggle on IPv6 if the test should apply to IPv6 rather than IPv4. 12. Select the Test type. Available test types: Ping test: Uses ICMP to determine connectivity.
Page 121
Interfaces Wide Area Networks (WANs) Initial connection time: The amount of time to wait for the interface to connect for the first time before the test is considered to have failed. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}.
Page 122
Interfaces Wide Area Networks (WANs) (config)> network interface my_wan (config network interface my_wan)> 4. Disable the default DNS test: (config network interface my_wan)> surelink tests 0 enable false (config network interface my_wan)> 5. Add a new test: a. Add a test: (config network interface my_wan)>...
Page 123
Interfaces Wide Area Networks (WANs) Set the number of bytes to send as part of the ping payload: (config network interface my_wan surelink tests 1)> ping_size int (config network interface my_wan surelink tests 1)> dns: Performs a DNS query to the named DNS server. If dns is set, set the IPv4 or IPv6 address of the DNS server: (config network interface my_wan surelink tests 1)>...
Page 124
Interfaces Wide Area Networks (WANs) where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set interface_timeout to ten minutes, enter either 10m or 600s: (config network interface my_wan surelink tests 1)> interface_timeout 600s (config)>...
Interfaces Wide Area Networks (WANs) (config network interface my_wan surelink tests 1)> other_interface ii. Set the interface. For example: (config network interface my_wan surelink tests 1)> other_interface /network/interface/eth1 (config network interface my_wan surelink tests 1)> Set the type of IP connection: (config network interface my_wan surelink tests 1)>...
Page 126
To achieve this WAN failover from the ETH1 to the Modem interface, the WAN failover configuration is: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 127
Interfaces Wide Area Networks (WANs) 3. Configure active recovery on ETH1: a. Click Network > Interface > ETH1 > SureLink. b. For Test interval, type 10s. c. Click to expand Tests. d. Disable the default DNS test: i. Click to expand the default DNS configured test. ii.
Interfaces Wide Area Networks (WANs) 2. At the command line, type config to enter configuration mode: > config (config)> 3. Configure SureLink on ETH1: a. Set the interval to ten seconds: (config)> network interface eth1 surelink interval 10s (config)> b. Disable the default DNS test: (config)>...
Interfaces Wide Area Networks (WANs) By default, the WAN/ETH1 Ethernet device is configured as a WAN, named ETH1, with both DHCP and NAT enabled and using the External firewall zone. This means you should be able to connect to the Internet by connecting the WAN/ETH1 Ethernet port to another device that already has an internet connection.
Page 130
Interfaces Wide Area Networks (WANs) 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 131
Interfaces Wide Area Networks (WANs) 6. For Match modem by, select the matching criteria used to determine if this modem configuration applies to the currently attached modem: Any modem: Applies this configuration to any modem that is attached. IMEI: Applies this configuration only to a modem that matches the identified IMEI. If IMEI is selected, for Match IMEI, type the IMEI of the modem that this configuration should be applied to.
Page 132
Interfaces Wide Area Networks (WANs) 4. For Access technology, select the type of cellular technology that this modem should use to access the cellular network, or select All technologies to configure the modem to use the best available technology. The default is All technologies. 5.
Page 133
Interfaces Wide Area Networks (WANs) Default value: /device/usb/modem/module Current value: /device/usb/modem/module (config)> network modem modem port b. Set the port: (config)> network modem modem port /device/usb/modem/module (config)> The default is any. 5. Set the SIM slot that should be used by the modem: (config)>...
Page 134
Interfaces Wide Area Networks (WANs) maintenance_window manual set_time The default is set_time. 8. Set the amount of time the system waits before polling the modem for signal information: (config)> network modem modem query_interval value (config)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}.
Page 135
APN. To configure the APN: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 136
Interfaces Wide Area Networks (WANs) a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces > Modem > APN list > APN. 4. For APN, type the Access Point Name (APN) to be used when connecting to the cellular carrier. 5.
Page 137
Interfaces Wide Area Networks (WANs) 8. Lightweight M2M support is enabled by default. Disable if you are using an AT&T SIM that does not support AT&T lightweight M2M. 9. To add additional APNs, for Add APN, click and repeat the preceding instructions. 10.
Page 138
Interfaces Wide Area Networks (WANs) where version is one of the following: auto: Requests both IPv4 and IPv6 address. ipv4: Requests only an IPv4 address. ipv6: Requests only an IPv6 address. The default is auto. 6. (Optional) Set the PDP context index: (config network interface wwan1 modem apn 0) >...
Page 139
Using an AT&T SIM with the Telit LE910-NAv2 module is supported. The Telit LE910-NAv2 module is used in the 1002-CM04 CORE modem. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 140
Interfaces Wide Area Networks (WANs) Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Increase the maximum number of interfaces allowed for the modem: a. Click Network > Modems > Modem. b.
Page 141
Interfaces Wide Area Networks (WANs) g. For Add Interface, type WWAN_Private and click . h. For Interface type, select Modem. i. For Zone, select External. j. For Device, select Modem . This should be the same modem selected for the WWAN_Public WWAN. k.
Page 142
Interfaces Wide Area Networks (WANs) a. Click Network > Routes > Policy-based routing. b. Click the to add a new route policy. c. For Label, enter Route through public APN. d. For Interface, select Interface: WWAN_Public. e. Configure the source address: i.
Page 143
Interfaces Wide Area Networks (WANs) iii. For Interface, select Interface: WWAN_Private. 6. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
Page 144
Interfaces Wide Area Networks (WANs) (config network interface WWANPublic)> modem apn public_apn (config network interface WWANPublic)> e. Use two periods (..) to move back one level in the configuration: (config network interface WWANPublic)> .. (config network interface)> f. Create the WWANPrivate interface: (config network interface)>...
Page 145
Interfaces Wide Area Networks (WANs) d. Configure the source address: i. Set the source type to interface: (config network route policy 0)> src type interface (config network route policy 0)> ii. Set the interface to LAN1: (config network route policy 0)> src interface LAN1 (config network route policy 0)>...
Page 146
Select Manual or Manual/Automatic carrier selection mode. The Network PLMN ID. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 147
Interfaces Wide Area Networks (WANs) b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces > Modem. 4.
Page 148
Interfaces Wide Area Networks (WANs) Note You can use the modem scan command at the Admin CLI to scan for available carriers and determine their PLMN ID. See Scan for available cellular carriers for details. 6. Click Apply to save the configuration and apply the change. ...
Page 149
Interfaces Wide Area Networks (WANs) Note For devices using Unitac modems (such as devices with the 1002-CM45 core module), carrier scanning will not work if the modem has an active cellular connection. Log into the IX20 WebUI as a user with full Admin access rights. 1.
Page 150
Interfaces Wide Area Networks (WANs) Manual: Does not allow the device to use automatic carrier selection if this carrier is not available. Note If Manual is selected, your modem must support the Network technology or the modem will lose cellular connectivity. If you are using a cellular connection to perform this procedure, you may lose your connection and the device will no longer be accessible.
Page 151
Interfaces Wide Area Networks (WANs) 2. Use the show modem command: To view a status summary for the modem: > show modem Modem Status Signal Strength ----- ------------- --------- --------- -------------------- modem 1 (ready) connected 1234 Good (-84 dBm) > To view detailed status and statistics, use the show modem name name command:...
Page 152
Interfaces Wide Area Networks (WANs) SIM Slot SIM Status : ready IMSI : 61582122197895 ICCID : 26587628655003992180 SIM Provider : AT&T RSRQ : Good (-11.0 dB) RSRP : Good (-93.0 dBm) RSSI : Excellent (-64.0 dBm) : Good (6.4 dB) >...
Page 153
Move the IX20 device to another location. Try connecting a different set of antennas, if available. Purchase a Digi Antenna Extender Kit: Antenna Extender Kit, 1m AT command access To run AT commands from the IX20 command line: ...
Page 154
Interfaces Wide Area Networks (WANs) > modem at-interactive Do you want exclusive access to the modem? (y/n) [y]: 4. Type n if you do not want exclusive access. This allows you to send AT commands to the device while still allowing the device to connect, disconnect, and/or reconnect to the cellular network.
Additional IPv4 configuration: The type being the way to control how the modem in the Digi device obtains an IP address from the cellular network. The metric for IPv4 routes associated with the WAN. The relative weight for IPv4 routes associated with the WAN.
Page 156
MAC address denylist and allowlist. To create a new WAN or edit an existing WAN: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 157
Interfaces Wide Area Networks (WANs) The Interface configuration window is displayed. New WANs are enabled by default. To disable, toggle off Enable. 5. For Interface type, leave at the default setting of Ethernet. 6. For Zone, select External. 7. For Device, select an Ethernet device, a Wi-Fi client, or a bridge. See Bridging for more information about bridging.
Page 158
Interfaces Wide Area Networks (WANs) server. RFC4702 for further information about DHCP server support for the Client FQDN option. Configure system information for information about setting the IX20 device's system name. d. Enable Force link to keep the network interface active even when the device link is down. 10.
Page 159
Interfaces Wide Area Networks (WANs) a. Click to expand MAC address denylist. b. For Add MAC address, click . c. Type the MAC address. 12. (Optional) Click to expand MAC address allowlist. If allowlist entries are specified, incoming packets will only be accepted from the listed MAC addresses.
Page 160
Interfaces Wide Area Networks (WANs) a. Enter device ? to view available devices and the proper syntax. (config network interface my_wan)> device ? Device: The network device used by this network interface. Format: /network/device/eth1 /network/device/eth2 /network/device/loopback /network/bridge/hotspot_bridge /network/bridge/lan /network/wireless/ap/digi_ap /network/wireless/ap/digi_hotspot_ap Current value: (config network interface my_wan)>...
Page 161
Interfaces Wide Area Networks (WANs) (config network interface my_wan)> ipv4 mgmt num (config network interface my_wan)> iv. Set the MTU: (config network interface my_wan)> ipv4 mtu num (config network interface my_wan)> v. Configure how to use DNS: (config network interface my_wan)> ipv4 use_dns value (config network interface my_wan)>...
Page 162
Interfaces Wide Area Networks (WANs) Parameters Current Value --------------------------------------------------------------------- ---------- dhcp_hostname false DHCP Hostname enable true Enable metric Metric mgmt Management priority 1500 type dhcpv6 Type use_dns always Use DNS weight Weight Additional Configuration --------------------------------------------------------------------- ---------- connection_monitor Active recovery (config network interface my_wan)> d.
Interfaces Wide Area Networks (WANs) a. Add a MAC address to the denylist: (config network interface my_wan)> add mac_denylist end mac_address (config network interface my_wan)> where mac_address is a hyphen-separated MAC address, for example, 32-A6-84-2E-81-58. b. Repeat for each additional MAC address. 10.
Page 164
Configure SureLink active recovery to detect WAN/WWAN failures for further information. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 165
Interfaces Wide Area Networks (WANs) a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces. 4. Create the WWAN or select an existing WWAN: To create a new WWAN: a.
Page 166
Interfaces Wide Area Networks (WANs) If SIM slot is selected, for Match SIM slot, select which SIM slot must be active for this WWAN to be used. If Carrier is selected, for Match SIM carrier, select which cellular carrier must be active for this WWAN to be used.
Page 167
IPv4 support is Enabled by default. Click to disable. c. Set the Type. Static IP address - Digi device obtains the static IP address from the cellular network. DHCP address - Digi device obtains IP address through a DHCP server on the cellular network.
Page 168
Interfaces Wide Area Networks (WANs) DHCP address - Digi device obtains IP address through a DHCP server on the cellular network. a. Set the Metric. Configure WAN/WWAN priority and default route metrics for further information about metrics. b. For Weight, type the relative weight for default routes associated with this interface. For multiple active interfaces with the same metric, Weight is used to load balance traffic to the interfaces.
Page 169
Interfaces Wide Area Networks (WANs) 4. Set the appropriate firewall zone: (config network interface my_wwan)> zone zone (config network interface my_wwan)> Firewall configuration for further information. 5. Select a cellular modem: a. Enter modem device ? to view available modems and the proper syntax. (config network interface my_wwan)>...
Page 170
Interfaces Wide Area Networks (WANs) (config network interface my_wwan)> b. Set the carrier: (config network interface my_wwan)> modem carrier value (config network interface my_wwan)> iccid Set the unique SIM card ICCID that must be active for this WWAN to be used: (config network interface my_wwan)>...
Page 171
Interfaces Wide Area Networks (WANs) 10. Set the carrier selection mode: (config network interface my_wwan)> modem operator_mode value (config network interface my_wwan)> where value is one of: automatic: The cellular carrier is selected automatically by the device. manual: The cellular carrier must be manually configured. If the configured network is not available, no cellular connection will be established.
Page 172
(config network interface my_wwan)> ipv4 modem_type value (config network interface my_wwan)> Where value is one of: static: Digi device obtains the static IP address from the cellular network. dhcp: Digi device obtains IP address via a DHCP server on the cellular network.
Page 173
Interfaces Wide Area Networks (WANs) c. Set the metric: (config network interface my_wwan)> ipv4 metric num (config network interface my_wwan)> Configure WAN/WWAN priority and default route metrics for further information about metrics. d. Set the relative weight for default routes associated with this interface. For multiple active interfaces with the same metric, the weight is used to load balance traffic to the interfaces.
Page 174
Wide Area Networks (WANs) static: Digi device obtains the static IP address from the cellular network. dhcp: Digi device obtains IP address via a DHCP server on the cellular network. c. Set the metric: (config network interface my_wwan)> ipv4 metric num (config network interface my_wwan)>...
Interfaces Wide Area Networks (WANs) 18. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show WAN and WWAN status and statistics ...
Interfaces Wide Area Networks (WANs) eth1 IPv6 dhcp external eth1 eth2 IPv4 static internal eth2 eth2 IPv6 static internal eth2 loopback IPv4 static loopback loopback modem IPv4 modem external wwan1 modem IPv6 down modem external wwan1 > 4. Enter show network interface name at the Admin CLI prompt to display additional information about a specific WAN.
Page 177
Interfaces Wide Area Networks (WANs) 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
The following table lists the default outbound network communications for IX20 WAN/WWAN interfaces: Port Description TCP/UDP number Digi Remote Manager connection to edp12.devicecloud.com. 3199 NTP date/time sync to time.devicecloud.com. DNS resolution using WAN-provided DNS servers. HTTPS for modem firmware downloads from firmware.devicecloud.com.
Interfaces Local Area Networks (LANs) Local Area Networks (LANs) The IX20 device is preconfigured with the following Local Area Networks (LANs): Interface type Preconfigured interfaces Devices Default configuration Local Area ETH2 Ethernet: Firewall zone: Network ETH2 (non- Internal (LAN) IP address: Wi-Fi 192.168.2.1/24 models)
IP address and subnet of LAN1. Additional configuration items Additional IPv4 configuration: The type being the way to control how the modem in the Digi device obtains an IP address from the cellular network. The metric for IPv4 routes associated with the LAN.
Page 181
MAC address denylist and allowlist. To create a new LAN or edit an existing LAN: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 182
Interfaces Local Area Networks (LANs) 3. Click Network > Interfaces. 4. Create the LAN or select an existing LAN: To create a new LAN, for Add interface, type a name for the LAN and click . To edit an existing LAN, click to expand the LAN. The Interface configuration window is displayed.
Page 183
Interfaces Local Area Networks (LANs) c. For Address, type the IP address and subnet of the LAN interface. Use the format IPv4_address/netmask, for example, 192.168.2.1/24. d. Optional IPv4 configuration items: i. Set the Metric. ii. For Weight, type the relative weight for default routes associated with this interface. For multiple active interfaces with the same metric, Weight is used to load balance traffic to the interfaces.
Page 184
Interfaces Local Area Networks (LANs) a. Click to expand MAC address allowlist. b. For Add MAC address, click . c. Type the MAC address. 14. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
Page 185
Interfaces Local Area Networks (LANs) (config network interface my_lan)> device b. Set the device for the LAN: (config network interface my_lan)> device device (config network interface my_lan)> 6. Configure IPv4 settings: IPv4 support is enabled by default. To disable: (config network interface my_lan)> ipv4 enable false (config network interface my_lan)>...
Page 186
Interfaces Local Area Networks (LANs) c. Enable the DHCP server: (config network interface my_lan)> ipv4 dhcp_server enable true DHCP servers for information about configuring the DHCP server. 7. (Optional) Configure IPv6 settings: a. Enable IPv6 support: (config network interface my_lan)> ipv6 enable true (config network interface my_lan)>...
Page 187
Interfaces Local Area Networks (LANs) enable true Enable (config network interface my_lan)> d. Modify any of the remaining default settings as appropriate. For example, to change the minimum length of the prefix: (config network interface my_lan)> ipv6 prefix_length 60 (config network interface my_lan)> If the minimum length is not available, then a longer prefix will be used.
Create a bridge that includes the WAN/ETH1 port. To configure the WAN/ETH1 Ethernet port as a LAN: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 189
Interfaces Local Area Networks (LANs) Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces > ETH1. 4. For Zone, select Internal. 5. Configure IPv4 settings: a.
Page 190
Interfaces Local Area Networks (LANs) 6. (Optional) Configure IPv6 settings: a. Click to expand IPv6. b. For Type, select IPv6 prefix delegation. 7. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
Page 191
To add the WAN/ETH1 port to the LAN bridge: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 192
Interfaces Local Area Networks (LANs) 5. Click Add Device . 6. For the new device, select Device: ETH1. 7. (Optional) Configure IPv6 settings: a. Click to expand IPv6. b. For Type, select IPv6 prefix delegation. 8. Disable the ETH1 interface: a.
Page 193
Interfaces Local Area Networks (LANs) 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 194
Interfaces Local Area Networks (LANs) f. Click Add Device again and select or access point to add to the bridge. Note If you are adding a port or access point that is already part of the default LAN bridge, you should either disable the default bridge, or remove the port or access point: i.
Page 195
Interfaces Local Area Networks (LANs) g. Enable the DHCP server: i. Click to expand DHCP server. ii. Click to toggle on Enable. 5. Disable the ETH1 interface: a. Click Network > Interfaces > ETH1. b. Click to toggle off Enable. 6.
Page 196
Interfaces Local Area Networks (LANs) /network/bridge/lan1 /network/sdwan/wan_bonding /network/wifi/ap/digi_ap /network/wifi/ap/digi_hotspot_ap > ii. Add the device: (config network bridge LAN_bridge)> add device end device-path-and-name (config network bridge LAN_bridge)> iii. Repeat for additional access points. Note If you are adding a port or access point that is already part of the default LAN bridge, you should either disable the default bridge, or remove the port or access point: To disable the bridge:...
DHCP server range will also change to the range of the LAN subnet. To change the LAN subnet: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
Page 198
Interfaces Local Area Networks (LANs) a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
Interfaces Local Area Networks (LANs) 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show LAN status and statistics Log into the IX20 WebUI as a user with full Admin access rights.
Follow this procedure to delete any LANs that have been added to the system. You cannot delete the preconfigured LAN, LAN1. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights.
Page 201
Local Area Networks (LANs) 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
Interfaces Local Area Networks (LANs) 4. Save the configuration and apply the change (config)> save Configuration saved. > 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. DHCP servers You can enable DHCP on your IX20 device to assign IP addresses to clients, using either: The DHCP server for the device's local network, which assigns IP addresses to clients on the...
Page 203
Interfaces Local Area Networks (LANs) 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 204
Interfaces Local Area Networks (LANs) address (the final triplet in an IPv4 address, for example, 192.168.2.xxx). The remainder of the IP address will be based on the LAN's static IP address as defined in the Address field. Allowed values are between 1 and 254, and the default is 100 for Lease range start and 250 for Lease range end.
Page 205
Interfaces Local Area Networks (LANs) 10. See Configure DHCP options for information about Custom DHCP options. 11. See Map static IP addresses to hosts for information about Static leases. 12. Click Apply to save the configuration and apply the change. ...
Page 206
Interfaces Local Area Networks (LANs) 6. (Optional) Set the highest IP address that the DHCP server will assign to a client: (config)> network interface my_lan ipv4 dhcp_server lease_end num (config)> Allowed values are between 1 and 254, and the default is 250. 7.
Page 207
Interfaces Local Area Networks (LANs) The default is auto. d. Set the domain name that should be appended to host names: (config)> network interface my_lan ipv4 dhcp_server advanced domain_suffix name (config)> e. Set the IP address or host name of the primary and secondary DNS, the primary and secondary NTP server, and the primary and secondary WINS servers: (config)>...
Page 208
A label for this instance of the static lease. To map static IP addresses: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 209
Interfaces Local Area Networks (LANs) Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces. 4. Click to expand an existing LAN, or create a new LAN. See Configure a Local Area Network (LAN).
Page 210
Interfaces Local Area Networks (LANs) (config)> add network interface my_lan ipv4 dhcp_server advanced static_lease end (config network interface my_lan ipv4 dhcp_server advanced static_lease 0)> See Configure a Local Area Network (LAN) for information about creating a LAN. 4. Set the MAC address of the device associated with this static lease, using the colon-separated format: (config network interface my_lan ipv4 dhcp_server advanced static_lease 0)>...
Page 211
Delete static IP mapping entries To delete a static IP entry: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 212
Interfaces Local Area Networks (LANs) Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces. 4. Click to expand an existing LAN. 5. Click to expand IPv4 > DHCP server > Advanced settings > Static leases. 6.
Page 213
Force the option to be sent to the DHCP clients. A label for the custom option. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 214
Interfaces Local Area Networks (LANs) b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces. 4.
Page 215
Interfaces Local Area Networks (LANs) 2. At the command line, type config to enter configuration mode: > config (config)> 3. Add a custom DHCP option to the DHCP server configuration for an existing LAN. For example, to add static lease to a LAN named my_lan: (config)>...
Page 216
Interfaces Local Area Networks (LANs) (config network interface my_lan ipv4 dhcp_server advanced custom_option 0)> datatype value (config network interface my_lan ipv4 dhcp_server advanced custom_option 0)> where value is one of: 1byte 2byte 4byte ipv4 The default is str. 10. Save the configuration and apply the change (config network interface my_lan ipv4 dhcp_server advanced custom_option 0)>...
Page 217
Interfaces Local Area Networks (LANs) 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 218
Interfaces Local Area Networks (LANs) Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: > config (config)> 3.
Interfaces Local Area Networks (LANs) Show DHCP server status and settings View DHCP status to monitor which devices have been given IP configuration by the IX20 device and to diagnose DHCP issues. Log into the IX20 WebUI as a user with full Admin access rights. 1.
IP address assigned to it on a WAN or cellular modem interface, to a client connected to a LAN interface. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 221
Interfaces Local Area Networks (LANs) 4. Create the interface or select an existing interface: To create a new interface, for Add interface, type a name for the interface and click . To edit an existing interface, click to expand the interface. The Interface configuration window is displayed.
Page 222
Interfaces Local Area Networks (LANs) c. Ancillary DNS redirect is enabled by default, which means it resolves all DNS requests to the connected device and redirects HTTP traffic to the device's web administration page. 12. For Server type, select the type of server to use to pass the IP address through to the client. 13.
Page 223
Interfaces Local Area Networks (LANs) 16. (Optional) Configure IPv6 settings: a. Click to expand IPv6. b. Enable IPv6 support. c. Set the Metric. d. For Weight, type the relative weight for default routes associated with this interface. For multiple active interfaces with the same metric, Weight is used to load balance traffic to the interfaces.
Page 224
Interfaces Local Area Networks (LANs) 4. Set the interface type to passthrough: (config network interface ip_passthrough_interface)> type passthrough (config network interface ip_passthrough_interface)> 5. Set the firewall zone to internal: (config network interface ip_passthrough_interface)> zone internal (config network interface ip_passthrough_interface)> 6. Select an Ethernet device or a Wi-Fi access point for this interface: a.
Page 225
Interfaces Local Area Networks (LANs) (config network interface ip_passthrough_interface)> ipv4 weight num (config network interface ip_passthrough_interface)> c. Set the management priority. This determines which interface will have priority for central management activity. The interface with the highest number will be used. (config network interface ip_passthrough_interface)>...
Interfaces Virtual LANs (VLANs) weight Weight (config network interface ip_passthrough_interface)> c. Modify any of the remaining default settings as appropriate. 10. (Optional) To configure 802.1x port based network access control: Note The IX20 can function as an 802.1x authenticator; it does not function as an 802.1x supplicant.
The VLAN ID. The TCP header uses the VLAN ID to identify the destination VLAN for the packet. To create a VLAN: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 228
Interfaces Virtual LANs (VLANs) 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
The VLAN ID. The TCP header uses the VLAN ID to identify the destination VLAN for the packet. To create a VLAN using switchport mode: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 230
Interfaces Virtual LANs (VLANs) a. Click STP. b. Click Enable. c. For Forwarding delay, enter the number of seconds that the device will spend in each of the listening and learning states before the bridge begins forwarding data. The default is 2 seconds.
Page 231
Interfaces Virtual LANs (VLANs) b. Add the device: (config network vlan vlan1)> device /network/device/ (config network vlan vlan1)> 5. Set the VLAN ID: (config network vlan vlan1)> id value where value is an integer between 1 and 4095. 6. Save the configuration and apply the change (config network vlan vlan1)>...
Enabled Used by the ETH2 model only) Wi-Fi access ETH1 interface point: Digi Default Interface type Preconfigured interfaces Devices configuration You can modify configuration settings for the existing bridge, and you can create new bridges. This section contains the following topics:...
Enable Spanning Tree Protocol (STP). To edit the preconfigured LAN bridge: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 234
5. Modify the list of devices that are a part of the bridge. By default, the LAN bridge includes the following devices: Ethernet: ETH2 Wi-Fi access point: Digi AP Note The MAC address of the bridge is taken from the first available device in the list.
Page 235
0 /network/device/eth2 1 /network/wireless/ap/digi_ap (config)> ii. Use the index number to delete the appropriate device. For example, to delete the Digi AP Wi-Fi access point from the bridge: (config)> del network bridge lan device 1 (config)> Note If you are deleting multiple devices from the bridge, the device index may be reordered after each deletion.
Additional configuration items Enable Spanning Tree Protocol (STP). To create a bridge: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:
Page 237
Interfaces Bridging Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
Page 238
Interfaces Bridging d. For Priority, enter the system priority. The default priority number is 8. e. (Optional) For Custom mstpd options, enter the extra configuration options to pass to the mstpd daemon. 9. Add devices to the bridge: a. Click to expand Devices. b.
Page 239
/network/wireless/ap/digi_ap /network/wireless/ap/digi_hotspot_ap Default value: /network/bridge/lan Current value: /network/bridge/lan (config network bridge my_bridge)> b. Add the appropriate device. For example, to add the Digi AP Wi-Fi access point: (config network bridge my_bridge)> add device end /network/wireless/ap/digi_ap (config)> Note The MAC address of the bridge is taken from the first available device in the list.
Interfaces Show SureLink status and statistics Show SureLink status and statistics You can show SureLink status for all interfaces, or for an individual interface. You can also show SureLink status for IPsec tunnels and OpenVPN clients. SureLink status is only available from the Admin CLI. ...
Interfaces Show SureLink status and statistics 2. At the Admin CLI prompt, type : > show surelink interface all Interface Test Proto Last Response Status --------- ----------------------------- ----- ------------- ------- eth1 Interface is up IPv4 32 seconds Passing eth1 Interface's DNS servers (DNS) IPv4 28 seconds Passing...
Interfaces Show SureLink status and statistics 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Interfaces Configure a TCP connection timeout 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 244
A low number of retries will end a "stale" connection more quickly than a larger number. The default is 15 retries. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Application: Provides access to the serial device from Python applications. dial-in: Allows the device to answer Point-to-Point Protocol (PPP) connections over serial ports. RealPort: Used in conjunction with the Digi RealPort driver. serial: Provides access to the serial port using UDP. Modem emulator: Allows the device to act as a dial-up modem emulator for handling incoming AT dial-ins.
Serial port Configure Login mode Enabled Serial mode: Remote Label: None Baud rate: 9600 Data bits: 8 Parity: None Stop bits: 1 Flow control: None Configure Login mode Login mode allows the user to log into the device through the serial port. To change the configuration to match the serial configuration of the device to which you want to connect: ...
Page 247
Serial port Configure Login mode 4. (Optional) For Label, enter a label that will be used when referring to this port. 5. Expand Serial Settings. The entries in the following fields must match the information for the power controller. Refer to your power controller manual for the correct entries.
Page 248
Serial port Configure Login mode 3. The serial port is enabled by default. To disable: (config)> serial port1 enable false (config)> 4. Set the mode: (config)> serial port1 mode login (config)> 5. (Optional) Set a label that will be used when referring to this port. (config)>path-paramlabel label (config)>...
Serial port Configure Remote Access mode 11. Configure serial port logging: a. Enable serial port logging: (config)>serial port1 logging enable true (config)> b. Set the file name: (config)>serial port1 logging filename string (config)> c. Set the maximum allowed log size for the serial port log when starting the log: (config)>serial port1 logging size value (config)>...
Page 250
Serial port Configure Remote Access mode To change the configuration to match the serial configuration of the device to which you want to connect: Log into the IX20 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed.
Page 251
Serial port Configure Remote Access mode d. Stop bits: For Stop bits, select the number of stop bits used by the device to which you want to connect. The default is 1. e. Flow control: For Flow control, select the type of flow control used by the device to which you want to connect.
Page 252
Serial port Configure Remote Access mode To limit access to specified IPv4 addresses and networks: i. Click IPv4 Addresses. ii. For Add Address, click . iii. For Address, enter the IPv4 address or network that can access the device's service-type. Allowed values are: A single IP address or host name.
Page 253
Serial port Configure Remote Access mode To limit access based on firewall zones: i. Click Zones. ii. For Add Zone, click . iii. For Zone, select the appropriate firewall zone from the dropdown. See Firewall configuration for information about firewall zones. iv.
Page 254
Serial port Configure Remote Access mode 11. Expand Logging Settings to configure logging for this serial port. a. To enable logging, click to toggle on Enable. b. In the Log file name field, enter a descriptive name for the log file. c.
Page 255
Serial port Configure Remote Access mode 6. Set the baud rate used by the device to which you want to connect: (config)>serial port baudrate rate (config)> 7. Set the number of data bits used by the device to which you want to connect: (config)>serial port databits bits (config)>...
Page 256
Serial port Configure Remote Access mode (config)>serial port1 history bytes (config) The default is 4000 bytes. d. Set the amount of time to wait before disconnecting due to user inactivity: (config)>serial port1 idle_timeout value (config) where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}.
Page 257
Serial port Configure Remote Access mode i. Set the string that, when received, will trigger the connection: (config)>serial port1 autoconnect match_string string (config)> ii. flush_string is enabled by default, which will discard the matched string from data sent to the server. To disable: (config)>serial port1 autoconnect flush_string false (config)>...
Page 258
Serial port Configure Remote Access mode h. Set the text to be transmitted to the remote server when the socket connects: (config)>serial port1 socketid string (config)> 14. (Optional) Configure data framing: a. Enable data framing: (config)>serial port1 framing enable true (config) b.
Page 259
Serial port Configure Remote Access mode (config)>serial port1 service ssh nodelay true (config)> v. (Optional) Configure access control: To limit access to specified IPv4 addresses and networks: (config)> add serial port1 service ssh acl address end value (config)> Where value can be: A single IP address or host name.
Page 260
Serial port Configure Remote Access mode (config)> Repeat this step to list additional interfaces. To limit access based on firewall zones: (config)> add serial port1 service ssh acl zone end value (config)> Where value is a firewall zone defined on your device, or the any keyword. Display a list of available firewall zones: Type ...
Page 261
Serial port Configure Remote Access mode where int is any integer between 1 and 65535. The default is 4001. iii. Enable TCP keep-alive messages: (config)>serial port1 service tcp keepalive true (config)> iv. Set the option that initiates the connection: (config)>serial port1 service tcp conn_type value (config)>...
Page 262
Serial port Configure Remote Access mode (config)> add serial port1 service tcp acl interface end value (config)> Where value is an interface defined on your device. Display a list of available interfaces: Use ... network interface ? to display interface information: (config)>...
Page 263
Serial port Configure Remote Access mode ipsec loopback setup (config)> Repeat this step to include additional firewall zones. vii. (Optional) Enable Multicast DNS (mDNS): (config)>serial port1 service tcp mdns enable true (config)> c. Configure telnet settings: i. Enable Telnet: (config)>serial port1 service telnet enable true (config)>...
Page 264
Serial port Configure Remote Access mode (config)> add serial port1 service telnet acl address6 end value (config)> Where value can be: A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks.
Page 265
Serial port Configure Remote Access mode Zones: A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists. Additional Configuration ------------------------------------------------- ------------------------------ dynamic_routes edge external hotspot internal ipsec loopback setup (config)> Repeat this step to include additional firewall zones.
Serial port Configure Application mode both arrows. This is the default. e. Log the time at which data was received or transmitted: (config)>serial port1 logging timestamp true (config)> f. Log data as hexadecimal values: (config)>serial port1 logging hex true (config)> 17.
Page 267
Serial port Configure Application mode 2. Click the name of the port that you want to configure. The serial port is enabled by default. To disable, toggle off Enable. 3. For Mode, select Application. The default is Remote. 4. (Optional) For Label, enter a label that will be used when referring to this port. 5.
To change the configuration to match the serial configuration of the device to which you want to connect: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 269
Serial port Configure PPP dial-in mode 4. For Mode, select PPP-Dial-in. The default is Remote. 5. (Optional) For Label, enter a label that will be used when referring to this port. 6. For Baud rate, select the baud rate used by the device to which you want to connect. The default is 9600.
Page 270
Serial port Configure PPP dial-in mode c. Click Override to override the default PPP configuration and only use the custom configuration file. If Override is not enabled, the custom PPP configuration file is used in addition to the default configuration. d.
Page 271
Serial port Configure PPP dial-in mode Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: > config (config)>...
Page 272
Serial port Configure PPP dial-in mode 9. Set the local IP address assigned to this interface: (config)> serial port1 ppp_dialin local_address IPv4_address (config)> 10. Set the IP address assigned to the remote peer: (config)> serial port1 ppp_dialin remote_address IPv4_address (config)> 11.
Page 273
Serial port Configure PPP dial-in mode interface. Format: dynamic_routes edge external hotspot internal ipsec loopback setup Default value: internal Current value: internal (config)> b. Set the zone: (config)> serial port1 ppp_dialin zone zone (config)> 15. (Optional) Configure the serial port to use a custom PPP configuration file: a.
Page 274
Serial port Configure PPP dial-in mode a. Enable the use of a connection script. (config)> serial port1 ppp_dialin connect enable true (config)> b. Set the name of the script: (config)> serial port1 ppp_dialin connect script filename (config)> Scripts are located in the /etc/config/serial directory. An example script, windows_dun.sh is provided.
Serial port Configure UDP serial mode Configure UDP serial mode The UDP serial mode option in the serial port configuration provides access to the serial port using UDP. To change the configuration to match the serial configuration of the device to which you want to connect: ...
Page 276
Serial port Configure UDP serial mode a. For Baud rate, select the baud rate used by the device to which you want to connect. b. For Data bits, select the number of data bits used by the device to which you want to connect.
Page 277
Serial port Configure UDP serial mode b. (Optional) For Socket String ID, enter a string that should be added at the beginning of each packet. c. For Destinations, you can configure the remote sites to which you want to send data. If you do not specify any destinations, the IX20 sends new data from the last IP address and port from which data was received.
Page 278
Serial port Configure UDP serial mode To limit access to specified IPv4 addresses and networks: i. Click IPv4 Addresses. ii. For Add Address, click . iii. For Address, enter the IPv4 address or network that can access the device's service-type. Allowed values are: A single IP address or host name.
Page 279
Serial port Configure UDP serial mode A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the service-type. iv. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: i.
Page 280
Serial port Configure UDP serial mode 2. At the command line, type config to enter configuration mode: > config (config)> 3. The serial port is enabled by default. To disable: (config)> serial port1 enable false (config)> 4. Set the mode: (config)>...
Page 281
Serial port Configure UDP serial mode Allowed values are: none rts/cts xon/xoff The default is none. 11. (Optional) Configure data framing: a. Enable data framing: (config)>serial port1 framing enable true (config) b. Set the maximum size of the packet: (config)>serial port1 framing max_count int (config) The default is 1024.
Page 282
Serial port Configure UDP serial mode i. Add a destination: (config)> add serial port1 udp destination end (config serial port1 udp destination 0)> ii. (Optional) Enter a description of the destination: (config serial port1 udp destination 0)> description string (config serial port1 udp destination 0)> iii.
Page 283
Serial port Configure UDP serial mode To limit access to hosts connected through a specified interface on the IX20 device: (config)> add serial port1 udp acl interface end value (config)> Where value is an interface defined on your device. Display a list of available interfaces: Use ...
Page 284
Serial port Configure UDP serial mode ipsec loopback setup (config)> Repeat this step to include additional firewall zones. To limit access to specified IPv4 addresses and networks: (config)> add serial port1 udp acl address end value (config)> Where value can be: A single IP address or host name.
Page 285
Serial port Configure UDP serial mode modem Modem (config)> Repeat this step to list additional interfaces. To limit access based on firewall zones: (config)> add serial port1 udp acl zone end value (config)> Where value is a firewall zone defined on your device, or the any keyword. Display a list of available firewall zones: Type ...
To change the configuration to match the serial configuration of the device to which you want to connect: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 287
Serial port Configure Modem emulator mode b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click to expand the name of the port that you want to configure, for example, Port 1. The serial port is enabled by default.
Page 288
Serial port Configure Modem emulator mode 13. For Escape delay, type the delay between the escape sequence and an AT command to switch from data mode to command mode. The default is 1s. 14. For Auto-answer rings, type the number of rings to wait before auto-answering. Enter 0 (zero) to disable auto-answering.
Serial port Configure Modbus mode A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the service-type. iv. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: i.
Page 290
Serial port Configure Modbus mode Log into the IX20 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed. Note You can also configure the serial port by using Device Configuration > Serial. Changes made by using either Device Configuration or Serial Configuration will be reflected in both.
Page 291
Serial port Configure Modbus mode 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Digi Navigator on your computer, the RealPort application is automatically installed as well. With Digi Navigator, you can set all serial ports on the device to RealPort mode, and then also enable the RealPort service. The COM ports on your laptop are also configured. These processes ensure that RealPort is configured on the device and on your computer.
The Digi Navigator application can also be downloaded from your device's product support page. 2. Scroll down to the Product Resources tab, and in the Drivers & Patches section, click Digi Navigator. 3. From the list box, select the appropriate Microsoft Windows option from the list of driver options.
Enter the user name and password for the device in the User name and Password fields. v. Click Submit. vi. The device you just added displays at the bottom of the Digi Navigator screen. You can click Refresh to update the screen until the device appears. 5. Configure RealPort on the device.
Page 295
RealPort from within the Digi Navigator. 1. Launch the Digi Navigator if it is not currently open. A list of devices that have RealPort enabled and configured displays in the RealPort Devices section at the bottom of the application screen.
Item Description Filters Click Filters to display the types of filters that can be applied to Digi devices, services, and IP types. Device Filters: A list of the Digi device types displays. All types are disabled by default, and when all are disabled, all types are displayed.
Page 297
After you have enabled and configured RealPort on at least one Digi device, a list of configured devices displays at the bottom of the Digi Navigator. You can refresh the list and easily access the COM port configuration on your computer.
Page 298
Click Login. Filter devices for display in the Digi Navigator You can use the Digi Navigator filters to determine the types of Digi devices you want to display. Only the devices that are powered on and are discoverable are included.
Advanced RealPort configuration without using the Digi Navigator Access Digi Remote Manager from the Digi Navigator You can access Digi Remote Manager from the Digi Navigator. Within the Remote Manager, you can configure and monitor your Digi devices. For information about using Digi Remote Manager, refer to the Digi Remote Manager User Guide.
1. Navigate to the downloaded Realport .zip file. 2. Open the .zip file. 3. Click on setup.exe to launch the RealPort wizard. The Welcome to the Digi RealPort Setup Wizard screen displays. 4. If this is not the first time you have run the wizard, select the Add a New Device option. If this is the first time running the wizard, no options are available on the screen.
Page 301
Serial port Advanced RealPort configuration without using the Digi Navigator Step 2: Configure a RealPort connection on your laptop for your device 1. Follow the standard Windows process to access the Device Manager from your computer's operating system. 2. Select Multi-port Serial Adapters.
Serial port Advanced RealPort configuration without using the Digi Navigator Configure the serial port for RealPort mode RealPort mode allows you to use Realport. To change the configuration to match the serial configuration of the device to which you want to connect: ...
Page 303
Serial port Advanced RealPort configuration without using the Digi Navigator RS-232 RS-485 Enable Termination if you want to enable electrical termination on this serial port. The default is RS-232. 7. Expand Logging Settings to configure logging for this serial port.
Page 304
Serial port Advanced RealPort configuration without using the Digi Navigator 5. Set the sharing mode: (config)> serial port1 sharing value (config)> where value is one of: none: Only the user that opened the port can change the port settings. All other users are rejected.
Serial port Advanced RealPort configuration without using the Digi Navigator (config)>serial port1 logging size value (config)> where value is the size of the log file in bytes. The default is 65536. d. Specify the data type: (config)>serial port1 logging type value (config)>...
Page 306
Serial port Advanced RealPort configuration without using the Digi Navigator 8. Enable Encryption to enable encryption of data. This is enabled by default. 9. (Optional) Configure the authentication method the RealPort server uses to authenticate clients. a. From the Authentication Method list box, select the Shared Secret - SHA256 option.
Page 307
Serial port Advanced RealPort configuration without using the Digi Navigator 6. Data encryption is enabled by default. To disable: (config)> service realport encryption false (config)> 7. (Optional) Configure authentication. (config)> service realport auth value (config)> where value is one of: none: Do not use authentication.
Serial port Show serial status and statistics Show serial status and statistics To show the status and statistics for the serial port: Log into the IX20 WebUI as a user with full Admin access rights. 1. On the main menu, click Status 2.
Page 309
Serial port Review the serial port message log 4. Review the messages in the window. Click Refresh to refresh the log display. Click Download to download the serial port log to your local device. The log file is saved to the /opt/serial directory. Because this is being saved to the device's memory, you should use serial logging for diagnostic purposes, rather than having it permanently enabled.
Page 310
Wi-Fi This chapter applies to the IX20W Wi-Fi enabled model only. This chapter contains the following topics: Wi-Fi configuration Configure the Wi-Fi radio's channel Configure the Wi-Fi radio to support DFS channels in client mode Configure the Wi-Fi radio's band and protocol Configure the Wi-Fi radio's transmit power Configure an open Wi-Fi access point Configure a Wi-Fi access point with personal security...
2.4 GHz TX power percentage Access point mode 802.11b/g/n Channel Automatic Channel width 20/40 MHz Beacon interval Access point Default setting Name Digi AP Enabled or disabled Enabled SSID Digi-IX20W-serial_number SSID broadcast Enabled Encyrption WAP2 Personal (PSK) IX20 User Guide...
Page 312
Wi-Fi Wi-Fi configuration Default setting Pre-shared key The unique password printed on the bottom label of the device. Group rekey interval 10 minutes Client mode connections None. IX20 User Guide...
Not all Digi devices currently support 5 GHz. Before you try to use this feature, verify that your device supports 5 GHz. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 314
Wi-Fi Configure the Wi-Fi radio's channel 4. For Channel, select the channel. Only channels appropriate for the band are displayed. 5. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
Not all Digi devices currently support 5 GHz. Before you try to use this feature, verify that your device supports 5 GHz. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 316
Wi-Fi Configure the Wi-Fi radio to support DFS channels in client mode c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > WiFi. 4.
Not all Digi devices currently support 5 GHz. Before you try to use this feature, verify that your device supports 5 GHz. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 318
Wi-Fi Configure the Wi-Fi radio's band and protocol 3. Click Network > WiFi. 4. For Frequency band, select either 2.4 GHz or 5 GHz. 5. For Access point mode, select the appropriate mode. Only modes appropriate for the selected band are displayed. 6.
100 percent. You can configure the Wi-Fi radio to transmit at a lower power. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 320
Wi-Fi Configure the Wi-Fi radio's transmit power 3. Click Network > WiFi. 4. For Tx power percentage, type or select the appropriate percentage for the Wi-Fi radio's transmit power. 5. Click Apply to save the configuration and apply the change. ...
The amount of time to wait before changing the group key. To configure a Wi-Fi access point with no security: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 322
Wi-Fi Configure an open Wi-Fi access point a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > WiFi > Access points. 4. Create a new access point or modify an existing access point: To create a new access point, for Add WiFi access point:, type a name for the access point and click .
Page 323
Wi-Fi Configure an open Wi-Fi access point 8. For Encryption, select one of the following: Open (Unencrypted) No encryption is used. WPA3 Enhanced Open (OWE) Uses Opportunistic Wireless Encryption (OWE) technology to provide encryption for Wi-Fi networks that do not use password protection.
Page 324
Wi-Fi Configure an open Wi-Fi access point 4. Set the SSID for the Wi-Fi access point. Up to 32 characters are allowed. (config network wifi ap new_AP)> ssid my_SSID (config network wifi ap new_AP)> SSID broadcasting is enabled by default for new access points. 5.
Page 325
(config)> network wifi ap ? Additional Configuration ------------------------------------------------------------------------ ------- digi_ap Digi AP (config)> 4. Set the SSID for the appropriate access point: (config)> network wifi ap digi_ap ssid my_SSID (config)> 5. SSID broadcasting is enabled by default for the preconfigured access points. If SSID broadcasting is disabled: (config)>...
Page 326
Wi-Fi Configure an open Wi-Fi access point none: No encryption is used. owe: Uses WPA3 Enhanced Open, which uses Opportunistic Wireless Encryption (OWE) technology to provide encryption for Wi-Fi networks that do not use password protection. Note Only select owe if you know that all Wi-Fi clients connecting to this device will have WPA3 capabilities.
The amount of time to wait before changing the group key. To configure a Wi-Fi access point to use personal security: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 328
Wi-Fi Configure a Wi-Fi access point with personal security a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > WiFi > Access points. 4. Create a new access point or modify an existing access point: To create a new access point, for Add WiFi access point:, type a name for the access point and click .
Page 329
If you need to configure a Wi-Fi passphrase with any non-printable ASCII characters, you can use the wpa_passphrase tool to generate the appropriate pre-shared key. The wpa_passphrase command is available in the shell console of a DAL OS Digi device. For details about the command, see the wpa_passphrase Linux command.
Page 330
If you need to configure a Wi-Fi passphrase with any non-printable ASCII characters, you can use the wpa_passphrase tool to generate the appropriate pre-shared key. The wpa_passphrase command is available in the shell console of a DAL OS Digi device. For details about the command, see the wpa_passphrase Linux command.
Page 331
Wi-Fi Configure a Wi-Fi access point with personal security psk2sae: Uses WPA2-PSK/WPA3-AES mixed mode. Wi-Fi clients that support WPA2 and WPA3 are able to authenticate. sae: Uses WPA3 Personal mode. All Wi-Fi clients must support WPA3 to be able to authenticate.
Page 332
(config)> network wifi ap ? Additional Configuration ------------------------------------------------------------------------ ------- digi_ap Digi AP (config)> 4. Set the SSID for the appropriate access point: (config)> network wifi ap digi_ap ssid my_SSID (config)> 5. SSID broadcasting is enabled by default for the preconfigured access points. If SSID...
Page 333
If you need to configure a Wi-Fi passphrase with any non-printable ASCII characters, you can use the wpa_passphrase tool to generate the appropriate pre-shared key. The wpa_passphrase command is available in the shell console of a DAL OS Digi device. For details about the command, see the wpa_passphrase Linux command.
RADIUS server, rather than using a preshared key on the IX20 device. By default, the IX20W device comes with one preconfigured access point, Digi AP. You cannot delete default access points, but you can modify them or you can create your own access points.
Page 335
The amount of time to wait before changing the group key. To configure a Wi-Fi access point with WPA2 enterprise security: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 336
Wi-Fi Configure a Wi-Fi access point with enterprise security 3. Click Network > WiFi > Access points. 4. Create a new access point or modify an existing access point: To create a new access point, for Add WiFi access point:, type a name for the access point and click .
Page 337
Wi-Fi Configure a Wi-Fi access point with enterprise security e. For RADIUS secret key, type the secret key as configured on the RADIUS server. f. To add additional RADIUS servers, click 10. (Optional) For Group rekey interval, type the amount of time to wait before changing the group key.
Page 338
Wi-Fi Configure a Wi-Fi access point with enterprise security 3. Create a new access point: (config)> add network wifi ap new_AP (config network wifi ap new_AP)> New access points are enabled by default. 4. Set the SSID for the Wi-Fi access point. Up to 32 characters are allowed. (config network wifi ap new_AP)>...
Page 339
Wi-Fi Configure a Wi-Fi access point with enterprise security (config network wifi ap new_AP encryption radius_servers 1)> host IP_address (config network wifi ap new_AP encryption radius_servers 1)> iii. Repeat for additional RADIUS servers. 8. (Optional) Set the amount of time to wait before changing the group key. The group key is shared by all clients of the access point, and after a client has disconnected, it will be able to use the group key to decrypt broadcast packets until the key is changed.
Page 340
(config)> network wifi ap ? Additional Configuration ------------------------------------------------------------------------ ------- digi_ap Digi AP (config)> 4. Set the SSID for the appropriate access point: (config)> network wifi ap digi_ap ssid my_SSID (config)> 5. SSID broadcasting is enabled by default for the preconfigured access points. If SSID broadcasting is disabled: (config)>...
This section provides instructions for both mechanisms. Isolate clients connected to the same access point 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
Page 342
Wi-Fi Isolate Wi-Fi clients Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
3. Assign those LAN interfaces to separate firewall zones. 4. Create firewall filters to prevent traffic between the two firewall zones. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 344
3. Create a new access point. By default, the IX20W comes with one preconfigured access point, named Digi AP. In these instructions, we will use the existing Digi AP access point and create another new access point, named new_AP. a. Click Network > WiFi > Access points.
Page 345
Wi-Fi Isolate Wi-Fi clients d. Create a firewall filter to drop traffic from the Internal zone (used by the LAN1 interface) to the LAN2_isolation_zone: i. Click Firewall > Packet filtering. ii. For Add packet filter, click . iii. For Label, type Drop traffic from Internal to LAN2_isolation_zone. iv.
Page 346
Wi-Fi Isolate Wi-Fi clients a. Click Configuration > Network > Interfaces. b. For Add interface, type a name for the LAN and click . c. For Zone, select LAN2_isolation_zone. d. For Device, select the new Wi-Fi access point. e. Click to expand IPv4. f.
Page 347
Wi-Fi Isolate Wi-Fi clients psk2 wpa2: d. Complete other encryption-related fields as appropriate based on the type of encryption. Configure an open Wi-Fi access point, Configure a Wi-Fi access point with personal security, or Configure a Wi-Fi access point with enterprise security for details.
Page 348
Wi-Fi Isolate Wi-Fi clients i. Add the new packet filter: (config firewall filter 2)> add .. 0 (config firewall filter 0)> ii. Set the label for the filter: (config firewall filter 0)> label "Drop traffic from Internal to LAN2_isolation_zone" (config firewall filter 0)> iii.
Wi-Fi Configure a Wi-Fi client and add client networks e. Set the IP address and subnet mask of the LAN: (config network interface LAN2)> ipv4 address address/mask (config network interface LAN2)> f. Enable the DHCP server: (config network interface LAN2)> ipv4 dhcp_server enable true (config network interface LAN2)>...
Page 350
The IX20W device supports a maximum of ten enabled Wi-Fi clients, regardless of the number of enabled access points. To configure a Wi-Fi client: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 351
If you need to configure a Wi-Fi passphrase with any non-printable ASCII characters, you can use the wpa_passphrase tool to generate the appropriate pre-shared key. The wpa_passphrase command is available in the shell console of a DAL OS Digi device. For details about the command, see the wpa_passphrase Linux command.
Page 352
Wi-Fi Configure a Wi-Fi client and add client networks The Username. The CA certificate in PEM format. The Client certificate in PEM format. The Private key in PEM format. (Optional) The Private key passphrase. PEAP: Username/password authentication. If PEAP is selected, identify the Username and Password. SCEP certificates: Simple Certificate Enrollment Protocol (SCEP) certificate management.
Page 353
Wi-Fi Configure a Wi-Fi client and add client networks e. For Long interval, type the number of seconds to wait between scans for access points, when the signal strength from the access point to which the client is currently connected is stronger than the Scan threshold.
Page 354
If you need to configure a Wi-Fi passphrase with any non-printable ASCII characters, you can use the wpa_passphrase tool to generate the appropriate pre-shared key. The wpa_passphrase command is available in the shell console of a DAL OS Digi device. For details about the command, see the wpa_passphrase Linux command.
Page 355
Wi-Fi Configure a Wi-Fi client and add client networks ii. Set the password: (config network wifi client new_client)> ssid 0 encryption password_wpa2 password (config network wifi client new_client)> scep: Simple Certificate Enrollment Protocol (SCEP) certificate management. If scep is set: i.
Page 356
Wi-Fi Configure a Wi-Fi client and add client networks (config network wifi client new_client)> ssid 0 encryption ca_cert certificate (config network wifi client new_client)> iii. Set the client certificate by using the client_cert parameter and pasting the certificate in PEM format: (config network wifi client new_client)>...
Page 357
Wi-Fi Configure a Wi-Fi client and add client networks If bgscan_short_interval and bgscan_long_interval are set to the same value, bgscan_strength is ignored. For example, the default configuration has both bgscan_short_interval and bgscan_long_interval set to 1 second, which means that the device will scan for access points once per second regardless of the value of bgscan_strength.
Wi-Fi Show Wi-Fi access point status and statistics (config network wifi client new_client)> background_scanning scan_freq 1 Scan frequency: Enable this frequency in the background scan. Format: 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 Current value: 2437 ii.
Page 359
Wi-Fi Show Wi-Fi access point status and statistics To show the status and statistics for Wi-Fi access points, use the show wifi ap command. 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
Wi-Fi Show Wi-Fi client status and statistics Radio : wifi BSSID : 01:41:D1:14:36:37 Client Signal RX Bytes TX Bytes Uptime ----------------- ------ -__----- -------- ------ cc:c0:78:34:d5:a2 260997 279481 > Show Wi-Fi client status and statistics You can show summary status for all Wi-Fi clients, and detailed status and statistics for individual Wi-Fi clients.
Page 361
Wi-Fi Show Wi-Fi client status and statistics To show a detailed status and statistics of a Wi-Fi client, use the show wifi client name name command. 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
Hotspot Hotspot is available for Wi-Fi-enabled models (IX20W), and offers the ability to create a publicly available hotspot, which allows you to provide internet access to users while restricting their ability to access other functionality on the IX20 device, as well as applying bandwidth limits, authenticating users, and other features.
Hotspot Hotspot authentication modes During hotspot configuration, you select one of the following authentication modes for the hotspot: Click-through: Requires each user to accept the terms and conditions. The sample HTML page included with your IX20 device for click-through authentication is terms.html. Create a new hotspot for information about configuring hotspot for click-through authentication.
Hotspot Hotspot DHCP server When the hotspot is enabled on the IX20 device, it automatically enables a DHCP server. During hotspot configuration, you assign an IPv4 address to the hotspot, and the DHCP server then uses the subnet of the hotspot's IP address, along with the hotspot's subnet mask, to assign IPv4 addresses to clients that connect to the hotspot.
Hotspot Hotspot configuration This section provides information about enabling and configuring the default hotspot that is provided with your IX20 installation, as well as creating a new hotspot and configuring the type of authentication mode you select for your hotspot. This section contains the following topics: IX20 User Guide...
Page 366
Bandwidth limits: Maximum download speed: 10000 Kbps Maximum upload speed: 10000 Kbps Bridge Name: hotspot_bridge Disabled 2.4 GHz Wi-Fi access point: Digi Hotspot AP (Wi- Access points Name: Digi Hotspot AP (Wi-Fi) Disabled SSID: Digi Hotspot Encryption: Open (unencrypted) Hotspot access points should be set to open (unencrypted).
Page 367
See Edit sample hotspot HTML pages for information. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 368
Click Network > Hotspots > hotspot. b. Click Enable hotspot. 4. Enable the hotspot access points: a. Click Network > Wi-Fi > Access points > Digi Hotspot AP (Wi-Fi). b. Click Enable. 5. Enable the hotspot bridge: a. Click Network > Bridges > hotspot_bridge.
Page 369
Hotspot 6. Enable the hotspot LAN: a. Click Network > Interface > LAN > LAN hotspot. b. Click Enable. 7. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
Page 370
Enable hotspot using the default configuration instructions. An SSID for the hotspot. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 371
Hotspot 4. Change the default SSID, Digi Hotspot, to your preferred value. 5. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
Page 372
Lease range start and end. To change the default hotspot IP address and subnet: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 373
Hotspot 5. For Address, enter a new IP address and subnet mask. 6. (Optional) Change the default DHCP server configuration. Note The hotspot DHCP server is automatically enabled and cannot be disabled. a. Click to expand DHCP server. b. For Lease time, type the amount of time that a client DHCP lease is valid. The default is 10 minutes.
Page 374
Hotspot 2. At the command line, type config to enter configuration mode: > config (config)> 3. Change the default hotspot IP address and subnet mask: (config)> network hotspot hotspot ipv4 address ip_address/mask (config)> 4. (Optional) Change the default DHCP server configuration. Note The hotspot DHCP server is automatically enabled and cannot be disabled.
Page 375
Maximum upload speed, in Kbps. To change the default hotspot IP address and subnet: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 376
Hotspot 4. For Maximum download speed, type the maximum download speed in kilobytes per second (Kbps). Note Setting the Maximum download speed to 0 means that the bandwidth is unlimited. This can have an adverse effect on performance. 5. For Maximum upload speed, type the maximum upload speed in kilobytes per second (Kbps). Note Setting the Maximum upload speed to 0 means that the bandwidth is unlimited.
Page 377
Ethernet port to be added to the hotspot. To add an Ethernet port to the default hotspot: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 378
Hotspot a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Bridges > hotspot_bridge > Devices. 4. Click the to add a new device. 5. For Device, select the appropriate Ethernet port. By default, the ETH1 device is configured as the device for the ETH1 interface, and ETH2 is configured as a device in the LAN bridge, which is used by the ETH2 interface.
Page 379
Hotspot a. Click Network > Bridges > LAN > Devices. b. Click the ... menu icon next to the Ethernet: device entry and select Delete. 6. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
Page 380
Hotspot b. Use the index number, 0, to remove the device from the LAN bridge: (config)> del network bridge lan1 device 0 (config)> 5. Save the configuration and apply the change (config)> save Configuration saved. > 6. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
Page 381
Maximum download speed, in Kbps. Maximum upload speed, in Kbps. Enable verbose logging. To create a new hotspot: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. IX20 User Guide...
Page 382
Hotspot 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a.
Page 383
Hotspot a. Click Network > Bridges. b. For Add Bridge:, type a name for the bridge and click . c. Add devices to the bridge: i. Click to expand Devices. ii. For Add device, click . iii. Select the Device. iv.
Page 384
Hotspot 8. For Zone, leave at the default setting of hotspot. The hotspot firewall zone provides the necessary firewall rules for hotspot functionality. 9. For Device, select an access point, an Ethernet port, or a bridge. 10. For Authentication Mode, select one of the following: Click-through: Requires each user to accept the terms and conditions.
Page 385
Hotspot 15. If Remote is selected for Login page source, click to expand Remote web server. a. For FQDN, type the IP address or fully-qualified domain name of the remote web server that will be used for client authentication. b. (Optional) For Secret, type the shared secret that the remote server and the hotspot. Used with cloud-based hotspot providers.
Page 386
Hotspot c. For Subnet, type an IPv4 address and optional subnet mask, using the format IPv4_address[/netmask], or the keyword any. d. Repeat to add additional subnets. 17. (Optional) For Maximum download speed, type the maximum download speed in kilobytes per second (Kbps).
Page 387
Hotspot a. Create a new access point: (config)> add network wifi ap new_hotspot_AP1 (config network wifi ap new_hotspot_AP1)> New access points are enabled by default. b. Set the SSID: (config network wifi ap new_hotspot_AP1)> ssid my_SSID (config network wifi ap new_hotspot_AP1)> This will be the SSID used by clients to connect to the hotspot.
Page 388
/network/wireless/ap/digi_hotspot_ap Default value: /network/bridge/lan Current value: /network/bridge/lan (config network bridge new_hotspot_bridge)> ii. Add the appropriate device. For example, to add the Digi AP Wi-Fi access point: (config network bridge new_hotspot_bridge)> add device end /network/wireless/ap/digi_ap (config)> c. Type ... to return to the config prompt: (config network bridge new_hotspot_bridge)>...
Page 389
/network/wireless/ap/digi_hotspot_ap Default value: /network/bridge/lan Current value: /network/bridge/lan (config network bridge new_hotspot_bridge)> b. Add the appropriate device. For example, to add the Digi AP Wi-Fi access point: (config network bridge new_hotspot_bridge)> add device end /network/wireless/ap/digi_ap (config)> 7. Set an access point, an Ethernet port, or a bridge for the hotspot's device: a.
Page 390
Hotspot /network/wifi/ap/digi_hotspot_ap /network/wifi/ap/new_hotspot_ap Current value: (config network hotspot new_hotspot)> b. Add the device: (config network hotspot new_hotspot)> device /network/bridge/new_hotspot_bridge (config network hotspot new_hotspot)> 8. Set the authentication mode: (config network hotspot new_hotspot)> auth value (config network hotspot new_hotspot)> where value is one of: click_through: Requires each user to accept the terms and conditions.
Page 391
Hotspot 10. (Optional) If local is selected for login, set the name of the local HTML file used for authentication. (This option is not available if auth is set to hotspotsystem.) (config network hotspot new_hotspot)> local_page HTML_filename (config network hotspot new_hotspot)> Normally, this parameter should be left blank, and the device will use the default authentication HTML page.
Page 392
Hotspot (config network hotspot new_hotspot)> ipv4 dhcp_server lease_time 600s (config network hotspot new_hotspot)> The default is 10 minutes. b. Set the lowest IP address in the range to assign to hotspot clients. This value represents the low order byte of the IP address, and is combined with the subnet of the hotspot's static IP address.
Page 393
Hotspot Note Setting the maximum download speed to 0 means that the bandwidth is unlimited. This can have an adverse effect on performance. 17. (Optional) Change the default maximum upload speed: (config network hotspot new_hotspot)> bandwidth_max_up value (config network hotspot new_hotspot)> where value is an integer between 1 and 100000 and represents the maximum upload speed in Kbps.
Page 394
Hotspot Configure hotspot for local shared password authentication from the WebUI 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 395
Hotspot 2. At the command line, type config to enter configuration mode: > config (config)> Create a new hotspot Enable hotspot using the default configuration. 4. Set the authentication mode to local-shared-password: (config)> network hotspot hotspot_name auth local-shared-password (config)> 5. Set the password that all users will be required to enter to authenticate with the hotspot: (config)>...
Page 396
Hotspot LAN configuration: Configure hotspot for RADIUS shared password authentication from the WebUI 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 397
Hotspot b. (Optional) For Secondary server name, enter the IP address or fully-qualified domain name of the backup RADIUS server to use to authenticate hotspot users if the primary RADIUS server is not available. c. (Optional) For Port, type the port number to use for RADIUS authentication requests. The default is 1812.
Page 398
Hotspot 4. Set the authentication mode to radius-shared-password: (config)> network hotspot hotspot_name auth radius-shared-password (config)> 5. Configure the RADIUS server: a. Set the fully qualified domain name or IP address of the primary RADIUS server: (config)> network hotspot hotspot_name radius primary_radius_server address (config)>...
Page 399
Hotspot 6. Set walled garden settings. Walled garden settings define the "white list" of domains and subnets that unauthenticated clients are able to access. Include the domain or subnet of the RADIUS server(s) that are being used for authentication. Add domains that can be accessed by the client prior to authentication: (config network hotspot new_hotspot)>...
Page 400
Hotspot LAN configuration: Configure hotspot for RADIUS users authentication from the WebUI 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 401
Hotspot 5. Click to expand Radius. a. For Primary server name, enter the IP address or fully-qualified domain name of the primary RADIUS server to use to authenticate hotspot users. b. (Optional) For Secondary server name, enter the IP address or fully-qualified domain name of the backup RADIUS server to use to authenticate hotspot users if the primary RADIUS server is not available.
Page 402
Hotspot Create a new hotspot Enable hotspot using the default configuration. 4. Set the authentication mode to radius-users: (config)> network hotspot hotspot_name auth radius-users (config)> 5. Configure the RADIUS server: a. Set the fully qualified domain name or IP address of the primary RADIUS server: (config)>...
Page 403
Hotspot 6. Set walled garden settings. Walled garden settings define the "white list" of domains and subnets that unauthenticated clients are able to access. Include the domain or subnet of the RADIUS server(s) that are being used for authentication. Add domains that can be accessed by the client prior to authentication: (config network hotspot new_hotspot)>...
Page 404
Configure hotspot for HotspotSystem authentication from the WebUI 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 405
Hotspot c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. Create a new hotspot Enable hotspot using the default configuration. 4. During hotspot configuration, for Authentication mode, select HotspotSystem. 5.
Page 406
Hotspot c. For Subnet, type an IPv4 address and optional subnet mask, using the format IPv4_address[/netmask], or the keyword any. d. Repeat to add additional subnets. 8. Click Apply to save the configuration and apply the change. Configure hotspot for HotspotSystem authentication from the Command line 1.
Hotspot 7. Set walled garden settings. Walled garden settings define the "white list" of domains and subnets that unauthenticated clients are able to access. Include the domain or subnet of supporting servers for payment or other external login and authentication (such as social media sites). Add domains that can be accessed by the client prior to authentication: (config network hotspot new_hotspot)>...
Page 408
Hotspot Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Hotspot > 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Customize the hotspot login page The IX20 device provides three sample HTML webpages for use with the hotspot feature. When hotspot is enabled for the first time, the sample webpages are installed to the /etc/config/hotspot folder on the device's filesystem.
Page 410
Hotspot Edit sample hotspot HTML pages To edit the sample HTML pages, download the files and edit the files on your local machine. After they have been edited, upload the edited files to the IX20 device. The edited HTML page should call the same JavaScript functions that the sample HTML pages do. Additional pages and assets can be uploaded to the hotspot folder, and additional subfolders can be created as needed.
Page 411
Hotspot Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. Download the file to your local machine. For example: > scp host 192.168.4.1 user admin remote /home/admin/temp/ local /etc/config/hotspot/login.html to remote admin@192.168.4.1's password: adminpwd login.html...
Page 412
Hotspot b. Highlight the hotspot directory and click to open the directory. c. Click (upload). d. Browse to the location of the HTML file on your local machine. Select the file and click Open to upload the file. 2.
Page 413
Hotspot e. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Restore hotspot default sample pages If you have customized the sample HTML pages without making a backup of the samples, you may wish to restore the original version of the HTML pages without doing a factory reset.
Hotspot g. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Hotspot RADIUS attributes The RADIUS server may send attributes to the hotspot to affect the operation of a client session. For example, here are some of the RADIUS attributes that the hotspot handles: Session-Timeout Idle-Timeout...
Routing This chapter contains the following topics: IP routing Show the routing table Dynamic DNS Virtual Router Redundancy Protocol (VRRP) IX20 User Guide...
Routing IP routing IP routing The IX20 device uses IP routes to decide where to send a packet it receives for a remote network. The process for deciding on a route to send the packet is as follows: 1. The device examines the destination IP address in the IP packet, and looks through the IP routing table to find a match for it.
The Maximum Transmission Units (MTU) of network packets using this route. To configure a static route: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 418
Routing IP routing 3. Click Network > Routes > Static routes. 4. Click the to add a new static route. The new static route configuration page is displayed: New static route configurations are enabled by default. To disable, toggle off Enable. 5.
Page 419
Routing IP routing Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: > config (config)> 3. Add a new static route: (config)>...
Type quit to disconnect from the device. Delete a static route 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 421
Routing IP routing a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Routes > Static routes. 4. Click the menu icon (...) for a static route and select Delete. 5.
Routing IP routing enable true gateway 192.168.5.1 interface /network/interface/lan2 label new_static_route_1 metric 0 mtu 0 (config)> 4. Use the index number to delete the static route: (config)> del network route static 0 (config)> 5. Save the configuration and apply the change (config)>...
To configure a routing policy: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 424
Routing IP routing 3. Click Network > Routes > Policy-based routing. 4. Click the to add a new route policy. The new route policy page is displayed: New route policies are enabled by default. To disable, toggle off Enable. 5.
Page 425
Routing IP routing IPv6 address: Matches the source IP address to the specified IP address or network. Use the format IPv6_address[/prefix_length], or use any to match any IPv6 address. MAC address: Matches the source MAC address to the specified MAC address. 12. Configure the destination address information: a.
Page 426
Routing IP routing New route policies are enabled by default. To disable: (config network route policy 0)> enable false (config network route policy 0)> 4. (Optional) Set the label that will be used to identify this route policy: (config network route policy 0)> label "New route policy" (config network route policy 0)>...
Page 427
Routing IP routing any: All protocols are matched. tcp: Source and destination ports are matched: a. Set the source port: (config network route policy 0)> src_port value (config network route policy 0)> where value is the port number, or the keyword any to match any port as the source port.
Page 428
Routing IP routing Zone: Match the IP address to the specified firewall zone. Format: dynamic_routes edge external hotspot internal ipsec loopback setup Default value: any Current value: any (config network route policy 0)> src zone b. Set the zone. For example: (config network route policy 0)>...
Page 429
Routing IP routing (config network route policy 0)> src address value (config network route policy 0)> where value uses the format IPv4_address[/netmask], or any to match any IPv4 address. address6: Matches the source IPv6 address to the specified IP address or network. Set the address that will be matched: (config network route policy 0)>...
Page 430
Routing IP routing b. Set the zone. For example: (config network route policy 0)> dst zone external (config network route policy 0)> See Firewall configuration for more information about firewall zones. interface: Matches the destination IP address to the selected interface's network address.
This example routes traffic to a specific IP address to go through the cellular WWAN interface, while all other traffic uses the Ethernet WAN interface. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 432
Routing IP routing 3. Click Network > Routes > Policy-based routing. 4. Click the to add a new route policy. 5. For Label, type Route through cellular. 6. For Interface, select Modem. 7. Configure the source address: a. Click to expand Source address. b.
Page 433
Routing IP routing 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
This example routes traffic destined for a specific domain to the WAN Ethernet port, and never through the cellular modem. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 435
Routing IP routing 3. Click Network > Routes > Policy-based routing. 4. Click the to add a new route policy. 5. For Label, type Domain-based policy. 6. For Interface, select ETH1. 7. Configure the source address: a. Click to expand Source address. b.
Page 436
Routing IP routing 9. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
This example routes all data from a certain client device through a cellular WAN based on the device's MAC address, while all other client devices are routed through the Ethernet WAN. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 438
Routing IP routing a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Create new firewall zones: a. Create a firewall zone named CellularWAN with Source NAT enabled: i. Click Firewall > Zones. ii.
Page 439
Routing IP routing b. Configure the Ethernet WAN interface: i. Click Network > Interfaces > ETH1. ii. For Zone, select EthernetWAN. 5. Configure the policy-based route for traffic from the client device that will be sent over the cellular WAN: a.
Page 440
Routing IP routing 6. Create a packet filtering rule that rejects all other LAN packets on the cellular WAN interface. a. Click Firewall > Packet filtering. b. Click the to add a new packet filtering rule. c. For Label, type Reject LAN traffic to cellular WAN. d.
Page 441
Routing IP routing b. Create second firewall zone named EthernetWAN with Source NAT enabled: i. Type .. to move back one node in the configuration: (config firewall zone CellularWAN)> .. (config firewall zone)> ii. Create the firewall zone: (config firewall zone)> add EthernetWAN (config firewall zone EthernetWAN)>...
Page 442
Routing IP routing d. Configure the source as the MAC address of the VoIP phone: i. Set the source type to mac: (config network route policy 0)> src type mac (config network route policy 0)> ii. Set the MAC address to the MAC address of the VoIP phone: (config network route policy 0)>...
Enable routing services. Enable and configure the types of routing services that will be used. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. IX20 User Guide...
Page 444
Routing IP routing 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
Page 445
Routing IP routing 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Type quit to disconnect from the device. Show the routing table To display the routing table: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 447
Routing Show the routing table The Configuration window is displayed. 3. Click Status > Routes. The Network Routing window is displayed. 4. Click IPv4 Load Balance to view IPv4 load balancing. 5. Click IPv6 Load Balance to view IPv6 load balancing. ...
Routing Dynamic DNS IPv4 Route Load Balance (%) ---------- ---------------- eth1 75.0 modem 25.0 IPv6 Route Load Balance (%) ---------- ---------------- eth1 75.0 modem 25.0 > You can limit the display to only IPv4 entries by using show route ipv4, or to IPv6 entries by using show route ipv6.
Page 449
The amount of time to wait for an IP address update to succeed before retrying the update. The number of times to retry a failed IP address update. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 450
Routing Dynamic DNS New Dynamic DNS configurations are enabled by default. To disable, toggle off Enable. 5. For Interface, select the interface that has its IP address registered with the Dynamic DNS provider. 6. For Service, select the Dynamic DNS provider, or select custom to enter a custom URL for the Dynamic DNS provider.
Page 451
Routing Dynamic DNS Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: > config (config)> 3. Add a new Dynamic DNS instance. For example, to add an instance named new_ddns_instance: (config)>...
Page 452
Routing Dynamic DNS dnsdynamic.org Default value: custom Current value: custom (config network ddns new_ddns_instance)> service b. Set the service: (config network ddns new_ddns_instance)> service service_name (config network ddns new_ddns_instance)> 6. If custom is configured for service, set the custom URL that should be used to update the IP address with the Dynamic DNS provider: (config network ddns new_ddns_instance)>...
Routing Virtual Router Redundancy Protocol (VRRP) where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set force_interval to ten minutes, enter either 10m or 600s: (config network ddns new_ddns_instance)> force_interval 600s (config network ddns new_ddns_instance)>...
VRRP-enabled devices and dynamically change the VRRP priority of devices based on the status of their network connectivity. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 455
Routing Virtual Router Redundancy Protocol (VRRP) a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > VRRP. 4. For Add VRRP instance, type a name for the VRRP instance and click . The new VRRP instance configuration is displayed.
Page 456
Routing Virtual Router Redundancy Protocol (VRRP) 9. (Optional) For Password, type a password that will be used to authenticate this VRRP router with VRRP peers. If the password length exceeds 8 characters, it will be truncated to 8 characters. 10. Configure the virtual IP addresses associated with this VRRP instance: a.
Page 457
Routing Virtual Router Redundancy Protocol (VRRP) Current value: (config network vrrp VRRP_test)> interface b. Set the interface, for example: (config network vrrp VRRP_test)> interface /network/interface/eth2 (config network vrrp VRRP_test)> c. Repeat for additional interfaces. 6. Set the router ID. The Router ID must be the same on all VRRP devices that participate in the same VRRP device pool.
For backup VRRP devices, enable the ability to monitor the VRRP master, so that a backup device can increase its priority when the master device fails SureLink tests. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 459
Routing Virtual Router Redundancy Protocol (VRRP) a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > VRRP. 4. Create a new VRRP instance, or click to expand an existing VRRP instance. See Configure VRRP for information about creating a new VRRP instance.
Page 460
Routing Virtual Router Redundancy Protocol (VRRP) 9. For Priority modifier, type or select the amount that the device's priority should be decreased due to SureLink connectivity failure, and increased when SureLink succeeds again. Along with the priority settings for devices in this VRRP pool, the amount entered here should be large enough to automatically demote a master device when SureLink connectivity fails.
Page 461
Click to expand Test targets > Test target. v. Configure the test target. For example, to configure SureLink to verify internet connectivity on the LAN by pinging https://remotemanager.digi.com: i. For Test Type, select Ping test. ii. For Ping host, type https://remotemanager.digi.com.
Page 462
Routing Virtual Router Redundancy Protocol (VRRP) 3. Create a new VRRP instance, or edit an existing one. See Configure VRRP for information about creating a new VRRP instance. 4. Enable VRRP+: (config)> network vrrp VRRP_test vrrp_plus enable true (config)> 5. Add interfaces to monitor. Generally, this will be a cellular or WAN interface. a.
Page 463
Routing Virtual Router Redundancy Protocol (VRRP) 8. Configure the VRRP interface: a. Configure the VRRP interface's DHCP server to use a custom gateway that corresponds to one of the VRRP virtual IP addresses: i. Set the DHCP server gateway type to custom: (config)>...
Page 464
Routing Virtual Router Redundancy Protocol (VRRP) (config)> network interface eth2 ipv4 surelink interval 5s (config)> iv. Create a SureLink test target: (config)> add network interface eth2 ipv4 surelink target end (config network interface eth2 ipv4 surelink target 0)> v. Configure the type of test for the test target: (config network interface eth2 ipv4 surelink target 0)>...
Routing Virtual Router Redundancy Protocol (VRRP) (Optional) Set the amount of time that the interface can be down before this test is considered to have failed: (config network interface eth2 ipv4 surelink target 0)> interface_down_time value (config network interface eth2 ipv4 surelink target 0)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}.
Configure device one (master device) Task 1: Configure VRRP on device one 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 467
Routing Virtual Router Redundancy Protocol (VRRP) 3. Click Network > VRRP. 4. For Add VRRP instance, type a name for the VRRP instance and click . The new VRRP instance configuration is displayed. 5. Click Enable. 6. For Interface, select Interface: ETH2. 7.
Page 468
Routing Virtual Router Redundancy Protocol (VRRP) 4. Click to add an interface for monitoring. 5. Select Interface: Modem. 6. For Priority modifier, type 30. Task 3: Configure the IP address for the VRRP interface, ETH2, on device one 1. Click Network > Interfaces > ETH2 > IPv4 2.
Page 469
Routing Virtual Router Redundancy Protocol (VRRP) 2. At the command line, type config to enter configuration mode: > config (config)> 3. Create the VRRP instance: (config)> add network vrrp VRRP_test (config network vrrp VRRP_test)> 4. Enable the VRRP instance: (config network vrrp VRRP_test)> enable true (config network vrrp VRRP_test)>...
Configure device two (backup device) Task 1: Configure VRRP on device two 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 471
Routing Virtual Router Redundancy Protocol (VRRP) b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > VRRP. 4.
Page 472
Routing Virtual Router Redundancy Protocol (VRRP) 10. Click to add a virtual IP address. 11. For Virtual IP, type 192.168.3.3. Task 2: Configure VRRP+ on device two 1. Click to expand VRRP+. 2. Click Enable. 3. Click to expand Monitor interfaces. 4.
Page 473
Routing Virtual Router Redundancy Protocol (VRRP) 6. For Ping host, type https://remotemanager.digi.com. Task 5: Configure the DHCP server for ETH2 on device two 1. Click to expand Network > Interfaces > ETH2 > IPv4 > DHCP Server 2. For Lease range start, type 200.
Page 474
Routing Virtual Router Redundancy Protocol (VRRP) 3. Create the VRRP instance: (config)> add network vrrp VRRP_test (config network vrrp VRRP_test)> 4. Enable the VRRP instance: (config network vrrp VRRP_test)> enable true (config network vrrp VRRP_test)> 5. Set the VRRP interface to ETH2: (config network vrrp VRRP_test)>...
Page 475
(config network interface eth2 ipv4 surelink target 0)> test ping (config network interface eth2 ipv4 surelink target 0)> 4. Set https://remotemanager.digi.com as the hostname to ping: (config network interface eth2 ipv4 surelink target 0)> ping_host https://remotemanager.digi.com (config network interface eth2 ipv4 surelink target 0)>...
This section describes how to display VRRP status and statistics for an IX20 device. VRRP status is available from the Web UI only. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 477
Routing Virtual Router Redundancy Protocol (VRRP) 3. Click Status > VRRP. The Virtual Router Redundancy Protocol window is displayed. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
Page 478
Routing Virtual Router Redundancy Protocol (VRRP) ---- Virtual IP address(es) : 10.10.10.1, 100.100.100.1 Current State : Master Current Priority : 100 Last Transition : Tue Jan 1 00:00:39 2019 Became Master Released Master Adverts Sent : 71 Adverts Received Priority Zero Sent Priority zero Received : 0 >...
Page 479
Virtual Private Networks (VPN) Virtual Private Networks (VPNs) are used to securely connect two private networks together so that devices can connect from one network to the other using secure channels. This chapter contains the following topics: IPsec OpenVPN Generic Routing Encapsulation (GRE) Dynamic Multipoint VPN (DMVPN) L2TP L2TPv3 Ethernet...
Virtual Private Networks (VPN) IPsec IPsec IPsec is a suite of protocols for creating a secure communication link—an IPsec tunnel—between a host and a remote IP network or between two IP networks across a public network such as the Internet. IPsec data protection IPsec protects the data being sent across a public network by providing the following: Data origin authentication...
Virtual Private Networks (VPN) IPsec Main mode Main mode is the default mode. It is slower than aggressive mode, but more secure, in that all sensitive information sent between the device and its peer is encrypted. Aggressive mode Aggressive mode is faster than main mode, but is not as secure as main mode, because the device and its peer exchange their IDs and hash information in clear text instead of being encrypted.
Page 482
Virtual Private Networks (VPN) IPsec Required configuration items IPsec tunnel configuration items: A name for the tunnel. Note If the tunnel name is more than eight characters, the name will be truncated in the underlying network interface to the first six characters followed by three digits, incrementing from 000.
Page 483
Configure a static route for information about configuring a static route. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 484
Virtual Private Networks (VPN) IPsec 3. Click VPN > IPsec. 4. Click to expand Tunnels. 5. For Add IPsec tunnel, type a name for the tunnel and click . The new IPsec tunnel configuration is displayed. 6. The IPsec tunnel is enabled by default. To disable, toggle off Enable. 7.
Page 485
Virtual Private Networks (VPN) IPsec a. Click to expand Firewall > Packet filtering. b. For Add packet filter, click . c. For Label, type Allow incoming IPsec traffic. d. For Source zone, select IPsec. Leave all other fields at their default settings. 10.
Page 486
Virtual Private Networks (VPN) IPsec ii. For Remote key, type the remote pre-shared key. This must be the same as the local key on the remote host. RSA signature: Uses a private RSA key to authenticate with the remote peer. i.
Page 487
Virtual Private Networks (VPN) IPsec 19. Click to expand Local endpoint. a. For Type, select either: Default route: Uses the same network interface as the default route. Interface: Select the Interface to be used as the local endpoint. b. Click to expand ID. i.
Page 488
Virtual Private Networks (VPN) IPsec i. Click next to Add Hostname. ii. For Hostname, type a hostname or IPv4 address. If your device is not configured to initiate the IPsec connection (see IKE > Initiate connection), you can also use the keyword any, which means that the hostname is dynamic or unknown.
Page 489
Virtual Private Networks (VPN) IPsec b. Click to expand Local traffic selector. c. For Type, select one of the following: Address: The address of a local network interface. For Address, select the appropriate interface. Network: The subnet of a local network interface. For Address, select the appropriate interface.
Page 490
Virtual Private Networks (VPN) IPsec i. For Port, type the port matching criteria. Allowed values are a port number, a range of port numbers, or any. 22. Click to expand IKE. a. For IKE version, select either IKEv1 or IKEv2. This setting must match the peer's IKE version.
Page 491
Virtual Private Networks (VPN) IPsec h. For Lifetime margin, enter a randomizing amount of time before the IPsec tunnel is renegotiated. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Lifetime margin to ten minutes, enter 10m or 600s. i.
Page 492
Virtual Private Networks (VPN) IPsec Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: > config (config)> 3.
Page 493
Virtual Private Networks (VPN) IPsec Note Depending on your network configuration, you may need to add a packet filtering rule to allow incoming traffic. For example, for the IPsec zone: a. Type ... to move to the root of the configuration: (config vpn ipsec tunnel ipsec_example)>...
Page 494
Virtual Private Networks (VPN) IPsec esp (Encapsulating Security Payload): Provides encryption as well as authentication and integrity. ah (Authentication Header): Provides authentication and integrity only. The default is esp. 9. (Optional) Set the management priority for this IPsec tunnel: (config vpn ipsec tunnel ipsec_example)> mgmt value (config vpn ipsec tunnel ipsec_example)>...
Page 495
Virtual Private Networks (VPN) IPsec (config vpn ipsec tunnel ipsec_example)> auth peer_public_key (config vpn ipsec tunnel ipsec_example)> x509: Uses private key and X.509 certificates to authenticate with the remote peer. a. For the private_key parameter, paste the device's private RSA key in PEM format: (config vpn ipsec tunnel ipsec_example)>...
Page 496
Virtual Private Networks (VPN) IPsec b. Set the XAUTH client username: (config vpn ipsec tunnel ipsec_example)> xauth_client username name (config vpn ipsec tunnel ipsec_example)> c. Set the XAUTH client password: (config vpn ipsec tunnel ipsec_example)> xauth_client password pwd (config vpn ipsec tunnel ipsec_example)> 12.
Page 497
Virtual Private Networks (VPN) IPsec (config vpn ipsec tunnel ipsec_example)> local id type ipv4_id (config vpn ipsec tunnel ipsec_example)> ipv6: The ID will be interpreted as an IPv6 address and sent as an ID_IPV6_ADDR IKE identity. Set an IPv6 formatted ID. This can be a fully-qualified domain name or an IPv6 address.
Page 498
Virtual Private Networks (VPN) IPsec round_robin: Attempts to connect to hostnames sequentially based on the list order. random: Randomly selects an IPsec peer to connect to from the hostname list. priority: Selects the first hostname in the list that is resolvable. c.
Page 499
Virtual Private Networks (VPN) IPsec keyid: The ID will be interpreted as a Key ID and sent as an ID_KEY_ID IKE identity. Set the key ID: (config vpn ipsec tunnel ipsec_example)> remote id type keyid_id (config vpn ipsec tunnel ipsec_example)> mac_address: The device's MAC address will be used for the Key ID and sent as an ID_KEY_ID IKE identity.
Page 500
Virtual Private Networks (VPN) IPsec (config vpn ipsec tunnel ipsec_example)> ike pad false (config vpn ipsec tunnel ipsec_example)> f. Set the amount of time that the IKE security association expires after a successful negotiation and must be re-authenticated: (config vpn ipsec tunnel ipsec_example)> ike phase1_lifetime value (config vpn ipsec tunnel ipsec_example)>...
Page 501
Virtual Private Networks (VPN) IPsec ii. Set the type of encryption to use during phase 1: (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> cipher value (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> where value is one of: 3des aes128 aes128gcm128 aes128gcm64...
Page 502
Virtual Private Networks (VPN) IPsec ecp224 (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> ii. Set the Diffie-Hellman group type: (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> dh_group value (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> The default is modp2048. v.
Page 503
Virtual Private Networks (VPN) IPsec aes128gcm64 aes128gcm96 aes192 aes192gcm128 aes192gcm64 aes192gcm96 aes256 aes256gcm128 aes256gcm64 aes256gcm96 null The default is 3des. iv. Set the type of hash to use during phase 2 to verify communication integrity: (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> hash value (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)>...
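An added example (not from the Digi guide): a Python audit of IPsec proposal settings that flags the 3des and null cipher values listed above, including phase 2 proposals that set no cipher and therefore fall back to the stated 3des default. It assumes the settings were captured as full-path Admin CLI lines; the sample lines, the tunnel name branch and the sha256 hash value are constructed for illustration.

```python
import re

# Cipher values from the guide's list that give weak or no confidentiality.
WEAK_CIPHERS = {
    "3des": "64-bit block cipher, deprecated for new deployments",
    "null": "no encryption of tunnel traffic",
}

# The guide states that the phase 2 cipher default is 3des. The phase 1
# default is not visible on this page, so it is deliberately not assumed.
PHASE2_DEFAULT_CIPHER = "3des"

# Strips a leading "(config ...)> " prompt from a captured CLI line.
PROMPT_RE = re.compile(r"^\(config[^)]*\)>\s*")

# Full-path form of a proposal setting, typed from the root of config mode.
SETTING_RE = re.compile(
    r"^vpn ipsec tunnel (?P<tunnel>\S+) ike "
    r"(?P<phase>phase1_proposal|phase2_proposal) (?P<index>\d+) "
    r"(?P<key>cipher|hash|dh_group) (?P<value>\S+)$"
)

# Constructed sample input (assumption: settings exported as full-path lines).
SAMPLE = """\
(config)> vpn ipsec tunnel ipsec_example ike phase1_proposal 0 cipher aes256
(config)> vpn ipsec tunnel ipsec_example ike phase1_proposal 0 dh_group modp2048
(config)> vpn ipsec tunnel ipsec_example ike phase2_proposal 0 hash sha256
(config)> vpn ipsec tunnel ipsec_example ike phase2_proposal 1 cipher null
(config)> vpn ipsec tunnel branch ike phase2_proposal 0 cipher aes128gcm128
(config)> vpn ipsec tunnel branch ike phase1_proposal 0 cipher 3des
"""


def parse_proposals(text):
    """Group proposal settings by (tunnel, phase, proposal index)."""
    proposals = {}
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        match = SETTING_RE.match(line)
        if not match:
            continue  # not a proposal setting; ignore
        key = (match["tunnel"], match["phase"], int(match["index"]))
        proposals.setdefault(key, {})[match["key"]] = match["value"]
    return proposals


def audit(text):
    """Return (tunnel, phase, index, cipher, explicit) for weak proposals.

    explicit is False when the proposal sets no cipher and the finding
    comes from the phase 2 default rather than a configured value.
    """
    findings = []
    for (tunnel, phase, index), settings in sorted(parse_proposals(text).items()):
        cipher = settings.get("cipher")
        explicit = cipher is not None
        if not explicit:
            if phase != "phase2_proposal":
                continue  # phase 1 default unknown from the page
            cipher = PHASE2_DEFAULT_CIPHER
        if cipher in WEAK_CIPHERS:
            findings.append((tunnel, phase, index, cipher, explicit))
    return findings


if __name__ == "__main__":
    for tunnel, phase, index, cipher, explicit in audit(SAMPLE):
        source = "configured" if explicit else "default"
        print(f"{tunnel} {phase} {index}: cipher {cipher} ({source}): "
              f"{WEAK_CIPHERS[cipher]}")
```

Setting an explicit AES cipher on every phase 2 proposal clears the default-derived findings, and the peer must offer a matching proposal for the tunnel to negotiate.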
Page 504
Virtual Private Networks (VPN) IPsec i. Move back one level in the schema: (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> (config vpn ipsec tunnel ipsec_example ike phase2_proposal)> ii. Add an additional proposal: (config vpn ipsec tunnel ipsec_example ike phase2_proposal)> add end (config vpn ipsec tunnel ipsec_example ike phase2_proposal 1)>...
Page 505
Virtual Private Networks (VPN) IPsec (config vpn ipsec tunnel ipsec_example nat 0)> dst value (config vpn ipsec tunnel ipsec_example nat 0)> 18. Configure policies that define the network traffic that will be encapsulated by this tunnel: a. Change to the root of the configuration schema: (config vpn ipsec tunnel ipsec_example nat 0)>...
Page 506
Virtual Private Networks (VPN) IPsec network: The subnet of a local network interface. Set the network: i. Use the ? to determine available interfaces: (config vpn ipsec tunnel ipsec_example policy 0)> local network ? Interface: The network interface. Format: defaultip defaultlinklocal eth1 eth2...
Page 507
Virtual Private Networks (VPN) IPsec udp: Matches UDP protocol only. icmp: Matches ICMP requests only. other: Matches an unlisted protocol. If other is used, set the number of the protocol: (config vpn ipsec tunnel ipsec_example policy 0)> local protocol_other int (config vpn ipsec tunnel ipsec_example policy 0)>...
Page 508
Virtual Private Networks (VPN) IPsec b. Use the ? to determine available options: (config)> vpn ipsec advanced ? Advanced: Advanced configuration that applies to all IPsec tunnels. Parameters Current Value --------------------------------------------------------------------- --------- debug none Debug level ike_fragment_size 1280 Maximum IKE fragment size ike_retransmit_tries IKE retransmit tries keep_alive...
Virtual Private Networks (VPN) IPsec Configure IPsec failover There are two methods to configure the IX20 device to fail over from a primary IPsec tunnel to a backup tunnel: SureLink active recovery—You can use SureLink along with the IPsec tunnel's metric to configure two or more tunnels so that when the primary tunnel is determined to be inactive by SureLink, a secondary tunnel can begin serving traffic that the primary tunnel was serving.
Page 510
Virtual Private Networks (VPN) IPsec Metric: 20 Local endpoint > Interface: ETH2 Remote endpoint > Hostname: 192.168.10.1 In this configuration: 1. Tunnel_1 will normally be used for traffic destined for the 192.168.10.1 endpoint. 2. If pings to 192.168.10.2 fail, SureLink will shut down the tunnel and renegotiate its IPsec connection.
Page 511
Virtual Private Networks (VPN) IPsec 1. Configure the primary IPsec tunnel. See Configure an IPsec tunnel for instructions. During configuration of the IPsec tunnel, set the metric to a low value (for example, 10): (config vpn ipsec tunnel IPsecFailoverPrimaryTunnel)> metric 10 (config vpn ipsec tunnel IPsecFailoverPrimaryTunnel)>...
To configure the IX20 device to regularly probe the IPsec connection: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
Page 513
Virtual Private Networks (VPN) IPsec a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
Page 514
Virtual Private Networks (VPN) IPsec 7. (Optional) Change the Test interval between connectivity tests. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Interval to ten minutes, enter 10m or 600s. The default is 15 minutes.
Page 515
Virtual Private Networks (VPN) IPsec The Interface address. The Interface DNS server. Ping payload size: The number of bytes to send as part of the ping payload. DNS test: Performs a DNS query to the named DNS server. If DNS test is selected, complete the following: DNS server: The IP address of the DNS server.
Page 516
Virtual Private Networks (VPN) IPsec Test interface: The interface to test. IP version: The type of IP connection, one of: Any: Either the IPv4 or IPv6 connection must be up. Both: Both the IPv4 and IPv6 connections must be up. IPv4: The IPv4 connection must be up.
Page 517
Virtual Private Networks (VPN) IPsec SureLink test failures: The number of failures for this recovery action to perform, before moving to the next recovery action. Override wait interval before performing the next recovery action: The time to wait before the next test is run. If set to the default value of 0s, the Test interval is used.
Page 518
Virtual Private Networks (VPN) IPsec Override wait interval before performing the next recovery action: The time to wait before the next test is run. If set to the default value of 0s, the Test interval is used. f. Repeat for each additional recovery action. 13.
Page 519
Virtual Private Networks (VPN) IPsec 4. Enable SureLink: (config vpn ipsec tunnel ipsec_example)> surelink enable true (config vpn ipsec tunnel ipsec_example)> 5. By default, the Test DNS servers configured for this interface test is automatically configured and enabled. This tests communication with DNS servers that are either provided by DHCP, or statically configured for this interface.
Page 520
Virtual Private Networks (VPN) IPsec interface_gateway. If set, an initial traceroute is sent to the hostname or IP address configured in the SureLink advanced settings, and then the first hop in that route is used for the ping test. interface_address. interface_dns: The interface's DNS server.
Page 521
Virtual Private Networks (VPN) IPsec Set the amount of time to wait for the interface to connect for the first time before the test is considered to have failed. (config vpn ipsec tunnel ipsec_example surelink tests 1)> interface_timeout value (config vpn ipsec tunnel ipsec_example surelink tests 1)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}.
Page 522
Virtual Private Networks (VPN) IPsec /network/interface/defaultip /network/interface/defaultlinklocal /network/interface/eth1 /network/interface/eth2 /network/interface/loopback Current value: (config vpn ipsec tunnel ipsec_example surelink tests 1)> other_interface ii. Set the interface. For example: (config vpn ipsec tunnel ipsec_example surelink tests 1)> other_interface /network/interface/eth1 (config vpn ipsec tunnel ipsec_example surelink tests 1)> Set the type of IP connection: (config vpn ipsec tunnel ipsec_example surelink tests 1)>...
Page 523
Virtual Private Networks (VPN) IPsec c. New actions are enabled by default. To disable: (config vpn ipsec tunnel ipsec_example surelink actions 0)> enable false (config vpn ipsec tunnel ipsec_example surelink actions 0)> d. Create a label for the action: (config vpn ipsec tunnel ipsec_example surelink actions 0)> label string (config vpn ipsec tunnel ipsec_example surelink actions 0)>...
Page 524
Virtual Private Networks (VPN) IPsec where value is one of: update_routing_table: Increases the interface's metric to change the default gateway. If update_routing_table is selected, complete the following: Set the number of failures for this recovery action to perform, before moving to the next recovery action: (config vpn ipsec tunnel ipsec_example surelink actions 0)>...
Page 525
Virtual Private Networks (VPN) IPsec Set the number of failures for this recovery action to perform, before moving to the next recovery action: (config vpn ipsec tunnel ipsec_example surelink actions 0)> test_failures int (config vpn ipsec tunnel ipsec_example surelink actions 0)> The default is 3.
Page 526
Virtual Private Networks (VPN) IPsec reboot_device. If reboot_device is selected, complete the following: Set the number of failures for this recovery action to perform, before moving to the next recovery action: (config vpn ipsec tunnel ipsec_example surelink actions 0)> test_failures int (config vpn ipsec tunnel ipsec_example surelink actions 0)>...
Page 527
Virtual Private Networks (VPN) IPsec b. Set the test interval between connectivity tests: (config)> vpn ipsec tunnel ipsec_example surelink interval value (config)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set interval to ten minutes, enter either 10m or 600s: (config)>...
Virtual Private Networks (VPN) IPsec where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set delayed_start to ten minutes, enter either 10m or 600s: (config)> vpn ipsec tunnel ipsec_example surelink advanced delayed_start 600s (config)>...
Virtual Private Networks (VPN) IPsec Log into the IX20 WebUI as a user with full Admin access rights. 1. On the menu, select Status > IPsec. The IPsec page appears. 2. To view configuration details about an IPsec tunnel, click the (configuration) icon in the upper right of the tunnel's status pane.
Page 530
Virtual Private Networks (VPN) IPsec 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Virtual Private Networks (VPN) IPsec Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: > config (config)> 3.
Page 532
Virtual Private Networks (VPN) IPsec 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 533
Virtual Private Networks (VPN) IPsec 5. Click Enable to enable the SCEP client. 6. For Maximum Polling Time, type the maximum time that the device will poll the SCEP server, when operating in manual mode. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}.
Page 534
Virtual Private Networks (VPN) IPsec 14. For Path, type the HTTP URL path required for accessing the certificate authority. You should leave this option at the default of /cgi-bin/pkiclient.exe unless directed by the CA to use another path. 15. For Password, type the challenge password as configured on the SCEP server. 16.
Page 535
Virtual Private Networks (VPN) IPsec 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 536
Virtual Private Networks (VPN) IPsec (config network scep_client scep_client_name)> distinguished_name c value (config network scep_client scep_client_name)> c. Set the State or Province: (config network scep_client scep_client_name)> distinguished_name st value (config network scep_client scep_client_name)> d. Set the Locality: (config network scep_client scep_client_name)> distinguished_name l value (config network scep_client scep_client_name)>...
Page 537
Virtual Private Networks (VPN) IPsec c. If type is set to url, set the URL that should be used: (config network scep_client scep_client_name)> crl url value (config network scep_client scep_client_name)> 11. Configure certificate renewal: a. To enable the creation of a new private key for renewal requests: (config network scep_client scep_client_name)>...
Virtual Private Networks (VPN) IPsec 15. Set the number of days that the certificate enrollment can be renewed, prior to the request expiring. This value is configured on the SCEP server, and is used by the IX20 device to determine when to start attempting to auto-renew an existing certificate. The default is 7. (config network scep_client scep_client_name)>...
Page 539
Click OK. IX20 configuration On the IX20 device: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 540
Virtual Private Networks (VPN) IPsec The Configuration window is displayed. 3. Click Network > SCEP Client. 4. For Add clients, enter a name for the SCEP client and click . The new SCEP client configuration is displayed. 5. Click Enable to enable the SCEP client. 6.
Page 541
Virtual Private Networks (VPN) IPsec 10. For Password, type the challenge password. This corresponds to the Default enrollment password on the Fortinet server. 11. Click to expand Distinguished Name. 12. Type the value for each appropriate Distinguished Name attribute. The values entered here must correspond to the DN attributes in the Enrollment Request on the Fortinet server.
Page 542
Virtual Private Networks (VPN) IPsec (config network scep_client Fortinet_SCEP_client)> server password challenge_password (config network scep_client Fortinet_SCEP_client)> 7. Set Distinguished Name attributes. The values entered here must correspond to the DN attributes in the Enrollment Request on the Fortinet server. a. Set the Domain Component: (config network scep_client Fortinet_SCEP_client)>...
Virtual Private Networks (VPN) OpenVPN OpenVPN OpenVPN is an open-source Virtual Private Network (VPN) technology that creates secure point-to-point or site-to-site connections in routed or bridged configurations. OpenVPN uses a custom security protocol that uses Secure Sockets Layer (SSL) / Transport Layer Security (TLS) for key exchange. It uses standard encryption and authentication algorithms for data privacy and authentication over TCP or UDP.
Virtual Private Networks (VPN) OpenVPN OpenVPN managed—The IX20 device creates the interface and then uses its standard configuration to set up the connection (for example, its standard DHCP server configuration). Device only—IP addressing is controlled by the system, not by OpenVPN. Additional OpenVPN information For more information on OpenVPN, see these resources: Bridging vs.
Page 547
Access control list configuration to restrict access to the OpenVPN server through the firewall. Additional OpenVPN parameters. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 548
Virtual Private Networks (VPN) OpenVPN 4. For Add, type a name for the OpenVPN server and click . The new OpenVPN server configuration is displayed. The OpenVPN server is enabled by default. To disable, toggle off Enable. 5. For Device type, select the mode used by the OpenVPN server, either: TUN (OpenVPN managed) TAP - OpenVPN managed TAP - Device only...
Page 549
Virtual Private Networks (VPN) OpenVPN Username/password only: Uses a username and password for client authentication. You must create an OpenVPN authentication group and user. See Configure an OpenVPN Authentication Group and User for instructions. Certificate and username/password: Uses both certificates and a username and password for client authentication.
Page 550
Virtual Private Networks (VPN) OpenVPN 11. (Optional) Click to expand Advanced Options to manually set additional OpenVPN parameters. a. Click Enable to enable the use of additional OpenVPN parameters. b. Click Override if the additional OpenVPN parameters should override default options. c.
Page 551
Virtual Private Networks (VPN) OpenVPN 5. If tap or tun are set for device_type: a. Set the IP address and subnet mask of the OpenVPN server. (config vpn openvpn server name)> address ip_address/netmask (config vpn openvpn server name)> b. Set the firewall zone for the OpenVPN server. For TUN device types, this should be set to internal to treat clients as LAN devices.
Page 552
Virtual Private Networks (VPN) OpenVPN ii. Set the last address in the range limit: (config vpn openvpn server name)> server_last_ip value (config vpn openvpn server name)> where value is a number between 1 and 255. The number entered here will represent the last client IP address.
Page 553
Virtual Private Networks (VPN) OpenVPN iii. Paste the contents of the public key (for example, server.crt) into the value of the server_cert parameter: (config vpn openvpn server name)> server_cert value (config vpn openvpn server name)> iv. Paste the contents of the private key (for example, server.key) into the value of the server_key parameter: (config vpn openvpn server name)>...
Page 554
Virtual Private Networks (VPN) OpenVPN Use ... network interface ? to display interface information: (config vpn openvpn server name)> ... network interface ? Interfaces Additional Configuration ------------------------------------------- defaultip Default IP defaultlinklocal Default Link-local IP eth1 ETH1 eth2 ETH2 loopback Loopback modem Modem (config vpn openvpn server name)>...
IX20 user authentication for more information about creating authentication groups and users. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 556
Virtual Private Networks (VPN) OpenVPN a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Add an OpenVPN authentication group: a. Click Authentication > Groups. b. For Add Group, type a name for the group (for example, OpenVPN_Group) and click . The new authentication group configuration is displayed.
Page 557
Virtual Private Networks (VPN) OpenVPN f. For Tunnel, select an OpenVPN tunnel to which users of this group will have access. g. Repeat to add additional OpenVPN tunnels. 4. Add an OpenVPN authentication user: a. Click Authentication > Users. b. For Add, type a name for the user (for example, OpenVPN_User) and click . c.
Page 558
Virtual Private Networks (VPN) OpenVPN Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Configure SureLink active recovery for OpenVPN for information about OpenVPN active recovery. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 560
Virtual Private Networks (VPN) OpenVPN 4. For Add, type a name for the OpenVPN client and click . The new OpenVPN client configuration is displayed. 5. The OpenVPN client is enabled by default. To disable, toggle off Enable. 6. The default behavior is to use an OVPN file for client configuration. To disable this behavior and configure the client manually, click Use .ovpn file to disable.
Page 561
Virtual Private Networks (VPN) OpenVPN 3. At the config prompt, type: (config)> add vpn openvpn client name (config vpn openvpn client name)> where name is the name of the OpenVPN server. The OpenVPN client is enabled by default. To disable the client, type: (config vpn openvpn client name)>...
Configure SureLink active recovery for OpenVPN for information about OpenVPN active recovery. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 563
Virtual Private Networks (VPN) OpenVPN a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click VPN > OpenVPN > Clients. 4. For Add, type a name for the OpenVPN client and click . The new OpenVPN client configuration is displayed.
Page 564
Virtual Private Networks (VPN) OpenVPN 6. The default behavior is to use an OVPN file for client configuration. To disable this behavior and configure the client manually, click Use .ovpn file to disable. 7. For Device type, select the mode used by the OpenVPN server, either TUN or TAP. 8.
Page 565
Virtual Private Networks (VPN) OpenVPN (config vpn openvpn client name)> use_file false (config vpn openvpn client name)> 5. Set the mode used by the OpenVPN server: (config vpn openvpn client name)> device_type value (config vpn openvpn client name)> where value is either tun or tap. The default is tun. 6.
Virtual Private Networks (VPN) OpenVPN 10. (Optional) Set the port used by the OpenVPN server: (config vpn openvpn client name)> port port (config vpn openvpn client name)> The default is 1194. 11. Paste the contents of the CA certificate (usually in a ca.crt file) into the value of the cacert parameter: (config vpn openvpn client name)>...
Page 567
To configure the IX20 device to regularly probe the OpenVPN connection: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 568
Virtual Private Networks (VPN) OpenVPN 3. Click VPN > OpenVPN > Clients. 4. Create a new OpenVPN client or select an existing one: To create a new OpenVPN client, see Configure an OpenVPN client by using an .ovpn file or Configure an OpenVPN client without using an .ovpn file.
Page 569
Virtual Private Networks (VPN) OpenVPN 10. (Optional) For Response timeout, type the amount of time that the device should wait for a response to a test failure before considering it to have failed. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}.
Page 570
Virtual Private Networks (VPN) OpenVPN Test the interface status: Tests the current status of the interface. The test fails if the interface is down. Failing this test implies that all other tests fail. If Test the interface status is selected, complete the following: Down time: The amount of time that the interface is down before the test can be considered to have failed.
Page 571
Virtual Private Networks (VPN) OpenVPN Update routing: Uses the Change default gateway action, which increases the interface's metric by 100 to change the default gateway. Restart interface. b. Click . New recovery actions are enabled by default. To disable, click to toggle off Enable. c.
Page 572
Virtual Private Networks (VPN) OpenVPN SureLink test failures: The number of failures for this recovery action to perform, before moving to the next recovery action. Override wait interval before performing the next recovery action: The time to wait before the next test is run. If set to the default value of 0s, the Test interval is used.
Page 573
Virtual Private Networks (VPN) OpenVPN For example, to set Backoff interval to ten minutes, enter 10m or 600s. The default is 300 seconds. d. Test interface gateway by pinging is used by the Interface gateway Ping test as the endpoint for traceroute to use to determine the interface gateway. The default is 8.8.8.8, and should only be changed if this IP address is not accessible due to networking issues.
Page 574
Virtual Private Networks (VPN) OpenVPN c. Create a label for the test: (config vpn openvpn client openvpn_client1 surelink tests 1)> label string (config vpn openvpn client openvpn_client1 surelink tests 1)> d. If the test should apply to IPv6 rather than IPv4, enable IPv6: (config vpn openvpn client openvpn_client1 surelink tests 1)>...
Page 575
Virtual Private Networks (VPN) OpenVPN (config vpn openvpn client openvpn_client1 surelink tests 1)> dns_server IP_address (config vpn openvpn client openvpn_client1 surelink tests 1)> http: Uses HTTP(s) GET requests to determine connectivity to the configured web server. If http is set, set the URL of the web server. (config vpn openvpn client openvpn_client1 surelink tests 1)>...
Page 576
Virtual Private Networks (VPN) OpenVPN custom_test: Tests the interface with custom commands. If custom_test is set, set the commands to run to perform the test: (config vpn openvpn client openvpn_client1 surelink tests 1)> custom_test_commands "string" (config vpn openvpn client openvpn_client1 surelink tests 1)> tcp_connection: Tests that the interface can reach a destination port on the configured host.
Page 577
Virtual Private Networks (VPN) OpenVPN Set the type of IP connection: (config vpn openvpn client openvpn_client1 surelink tests 1)> other_ip_version value (config vpn openvpn client openvpn_client1 surelink tests 1)> where value is one of: any: Either the IPv4 or IPv6 connection must be up. both: Both the IPv4 and IPv6 connections must be up.
Page 578
Virtual Private Networks (VPN) OpenVPN e. Set the type of recovery action to reboot_device: (config vpn openvpn client openvpn_client1 surelink actions 0)> action reboot_device (config vpn openvpn client openvpn_client1 surelink actions 0)> Set the number of failures for this recovery action to perform, before moving to the next recovery action: (config vpn openvpn client openvpn_client1 surelink actions 0)>...
Page 579
Virtual Private Networks (VPN) OpenVPN (config vpn openvpn client openvpn_client1 surelink actions 0)> The default is 3. Set the amount that the interface's metric should be increased. This should be set to a number large enough to change the routing table to use another default gateway.
Page 580
Virtual Private Networks (VPN) OpenVPN (config vpn openvpn client openvpn_client1 surelink actions 0)> The default is 3. Set the time to wait before the next test is run. If set to the default value of 0s, the test interval is used. (config vpn openvpn client openvpn_client1 surelink actions 0)>...
Page 581
Virtual Private Networks (VPN) OpenVPN (config vpn openvpn client openvpn_client1 surelink actions 0)> reboot_device. If reboot_device is selected, complete the following: Set the number of failures for this recovery action to perform, before moving to the next recovery action: (config vpn openvpn client openvpn_client1 surelink actions 0)>...
Page 582
Virtual Private Networks (VPN) OpenVPN a. Type ... to return to the root of the configuration: (config vpn openvpn client openvpn_client1 surelink actions 0)> ... (config)> b. Set the test interval between connectivity tests: (config)> vpn openvpn client openvpn_client1 surelink interval value (config)>...
Page 583
Virtual Private Networks (VPN) OpenVPN (config)> vpn openvpn client openvpn_client1 surelink advanced delayed_start value (config)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set delayed_start to ten minutes, enter either 10m or 600s: (config)>...
Virtual Private Networks (VPN) OpenVPN Show OpenVPN server status and statistics You can view status and statistics for OpenVPN servers from either the web interface or the command line: Log into the IX20 WebUI as a user with full Admin access rights. 1.
Virtual Private Networks (VPN) OpenVPN Show OpenVPN client status and statistics You can view status and statistics for OpenVPN clients from either the web interface or the command line: Log into the IX20 WebUI as a user with full Admin access rights. 1.
Page 586
Virtual Private Networks (VPN) OpenVPN 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Enable the device to respond to keepalive packets. Task One: Create a GRE loopback endpoint interface 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 588
Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces. 4. For Add Interface, type a name for the GRE loopback endpoint interface and click . 5.
Page 589
Type quit to disconnect from the device. Task Two: Configure the GRE tunnel 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 590
Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 3. Click VPN > IP Tunnels. 4. For Add IP tunnel, type a name for the GRE tunnel and click . 5. Enable the tunnel. New tunnels are enabled by default. To disable, toggle off Enable. 6.
Page 591
Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) GRE tunnels are enabled by default. To disable: (config vpn iptunnel gre_example)> enable false (config vpn iptunnel gre_example)> 4. Set the mode: (config vpn iptunnel gre_example)> type value (config vpn iptunnel gre_example)> where value is either: gre: Standard GRE point-to-point protocol.
Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) Show GRE tunnels To view information about currently configured GRE tunnels: Log into the IX20 WebUI as a user with full Admin access rights. 1. On the menu, click Status > IP tunnels. The IP Tunnels page appears.
Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) Example: GRE tunnel over an IPsec tunnel The IX20 device can be configured as an advertised set of routes through an IPsec tunnel. This allows you to leverage the dynamic route advertisement of GRE tunnels through a secured IPsec tunnel. The example configuration provides instructions for configuring the IX20 device with a GRE tunnel through IPsec.
Page 594
Configuration procedures Configure the IX20-1 device Task one: Create an IPsec tunnel 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 595
Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 3. Click VPN > IPsec > Tunnels. 4. For Add IPsec Tunnel, type ipsec_gre1 and click . 5. Click to expand Authentication. 6. For Pre-shared key, type testkey. 7. Click to expand Remote endpoint. 8.
Page 596
Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 597
Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) Task two: Create an IPsec endpoint interface 1. Click Network > Interface. 2. For Add Interface, type ipsec_endpoint1 and click . 3. For Zone, select Internal. 4. For Device, select Ethernet: loopback. 5.
Page 598
Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 3. Set the zone to internal: (config network interface ipsec_endpoint1)> zone internal (config network interface ipsec_endpoint1)> 4. Set the device to /network/device/loopback: (config network interface ipsec_endpoint1)> device /network/device/loopback (config network interface ipsec_endpoint1)> 5.
Page 599
Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 2. Add a GRE tunnel named gre_tunnel1: (config)> add vpn iptunnel gre_tunnel1 (config vpn iptunnel gre_tunnel1)> 3. Set the local endpoint to the IPsec endpoint interface created in Task two (/network/interface/ipsec_endpoint1): (config vpn iptunnel gre_tunnel1)> local /network/interface/ipsec_endpoint1 (config vpn iptunnel gre_tunnel1)>...
Page 600
Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 6. For Address, type 172.31.0.1/30 for a virtual IP address on the GRE tunnel. 7. Click Apply to save the configuration and apply the change. Command line 1. At the command line, type config to enter configuration mode: >...
Page 601
Generic Routing Encapsulation (GRE) Configure the IX20-2 device Task one: Create an IPsec tunnel 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 602
Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 7. Click to expand Remote endpoint. 8. For Hostname, type the public IP address of the IX20-1 device. 9. Click to expand Policies. 10. For Add Policy, click to add a new policy. 11.
Page 603
Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) (config vpn ipsec tunnel ipsec_gre2)> auth secret testkey (config vpn ipsec tunnel ipsec_gre2)> 5. Set the remote endpoint to the public IP address of the IX20-1 device: (config vpn ipsec tunnel ipsec_gre2)> remote hostname 192.168.100.1 (config vpn ipsec tunnel ipsec_gre2)>...
Page 604
Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 3. For Zone, select Internal. 4. For Device, select Ethernet: loopback. 5. Click to expand IPv4. 6. For Address, type the IP address of the local GRE tunnel, 172.30.0.2/32. 7. Click Apply to save the configuration and apply the change. ...
Page 605
Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 6. Save the configuration and apply the change: (config vpn ipsec tunnel ipsec_endpoint2)> save Configuration saved. > Task three: Create a GRE tunnel 1. Click VPN > IP Tunnels. 2. For Add IP Tunnel, type gre_tunnel2 and click . 3.
Page 606
Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 4. Set the remote endpoint to the IP address of the GRE tunnel on IX20-1, 172.30.0.1: (config vpn iptunnel gre_tunnel2)> remote 172.30.0.1 (config vpn iptunnel gre_tunnel2)> 5. Save the configuration and apply the change: (config vpn iptunnel gre_tunnel2)>...
Dynamic Multipoint VPN (DMVPN) Configure a DMVPN spoke To configure a DMVPN spoke: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 609
Virtual Private Networks (VPN) Dynamic Multipoint VPN (DMVPN) e. For Key, type a four-octet value that matches the key on the remote endpoint. f. (Optional) Enable keep-alive reply to enable the device to reply to Cisco GRE keep-alive packets. g. (Optional) Enable open routing to enable packets destined for an address which is not explicitly in the routing table to exit the IP tunnel.
Page 610
Virtual Private Networks (VPN) Dynamic Multipoint VPN (DMVPN) 5. Configure NHRP: a. Click Network > Routing Services. b. Enable routing services. c. Click to expand NHRP. d. Enable NHRP. e. Click to expand Network. f. Click to add a network. g.
Page 611
Virtual Private Networks (VPN) Dynamic Multipoint VPN (DMVPN) 7. Configure the overlay connection: a. Click Network > Routing services > BGP. b. Enable BGP. c. For AS number, type the autonomous system number for this device. d. For Best path criteria, select Multipath. e.
Page 612
Virtual Private Networks (VPN) Dynamic Multipoint VPN (DMVPN) b. Set the type to multipoint: (config vpn iptunnel dmvpn_tunnel)> type multipoint (config vpn iptunnel dmvpn_tunnel)> c. Set the local interface: i. Use the ? to determine available interfaces: (config vpn iptunnel dmvpn_tunnel)> local ? Interface: The network interface.
Page 613
Virtual Private Networks (VPN) Dynamic Multipoint VPN (DMVPN) b. Add a network interface. For example, to add an interface named dmvpn_tunnel_interface: (config)> add network interface dmvpn_tunnel_interface (config network interface dmvpn_tunnel_interface)> c. Set the zone to internal: (config network interface dmvpn_tunnel_interface)> zone internal (config network interface dmvpn_tunnel_interface)>...
Page 614
Virtual Private Networks (VPN) Dynamic Multipoint VPN (DMVPN) f. Set the tunnel to the IP tunnel created above: (config network route service nhrp network 0)> tunnel /vpn/iptunnel/dmvpn_tunnel (config network route service nhrp network 0)> g. Add a next hop server: (config network route service nhrp network 0)>...
Virtual Private Networks (VPN) L2TP g. Enable eBGP multihop: (config network route service bgp neighbour 0)> ebgp_multihop true (config network route service bgp neighbour 0)> 9. Repeat to add additional spokes. 10. Save the configuration and apply the change (config)> save Configuration saved.
Page 616
Whether to override the default configuration and only use the custom options. Optional configuration data in the format of a pppd options file. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 617
Virtual Private Networks (VPN) L2TP c. For Address, enter the IPv4 address or network that can access the device's service-type. Allowed values are: A single IP address or host name. A network designation in CIDR notation, for example, 192.168.1.0/24. any: No limit to IPv4 addresses that can access the service-type. d.
Page 618
Virtual Private Networks (VPN) L2TP i. Enable custom PPP configuration. ii. Enable Override if the custom configuration should override the default configuration and only use the custom options. iii. For Configuration file, paste or type the configuration data in the format of a pppd options file.
Page 619
Virtual Private Networks (VPN) L2TP i. Enable custom PPP configuration. ii. Enable Override if the custom configuration should override the default configuration and only use the custom options. iii. For Configuration file, paste or type the configuration data in the format of a pppd options file.
Page 620
Virtual Private Networks (VPN) L2TP To limit access to hosts connected through a specified interface on the IX20 device: (config)> add vpn l2tp acl interface end value (config)> Where value is an interface defined on your device. Display a list of available interfaces: Use ...
Page 621
Virtual Private Networks (VPN) L2TP ipsec loopback setup (config)> Repeat this step to include additional firewall zones. 5. To add an L2TP access concentrator: a. Add an LAC: (config)> add vpn l2tp lac name (config add vpn l2tp lac name)> where name is the name of the LAC.
Page 622
Virtual Private Networks (VPN) L2TP i. Use the ? to determine available zones: (config vpn l2tp lac lac_tunnel)> zone ? Zone: The firewall zone assigned to this tunnel. This can be used by packet filtering rules and access control lists to restrict network traffic on this tunnel.
Page 623
Virtual Private Networks (VPN) L2TP (config)> add vpn l2tp lns lns_server (config vpn l2tp lns lns_server)> LACs are enabled by default. To disable: (config vpn l2tp lns lns_server)> enable false (config vpn l2tp lns lns_server)> b. Set the IP address of the L2TP access concentrator that this server will allow connections from: (config vpn l2tp lns lns_server)>...
Page 624
Virtual Private Networks (VPN) L2TP f. (Optional) Set the metric for the tunnel: (config vpn l2tp lns lns_server)> metric int (config vpn l2tp lns lns_server)> where int is an integer between 0 and 65535. The default is 1. g. Set the firewall zone for the tunnel. This is used by packet filtering rules and access control lists to restrict network traffic on the tunnel.
Virtual Private Networks (VPN) L2TP iii. Paste or type the configuration data in the format of a pppd options file: (config vpn l2tp lns lns_server)> custom config_file data (config vpn l2tp lns lns_server)> 7. Save the configuration and apply the change (config)>...
Page 626
Virtual Private Networks (VPN) L2TP Command line Show the status of L2TP access connectors from the Admin CLI 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Virtual Private Networks (VPN) L2TPv3 Ethernet > 3. To display details about a specific tunnel: > show l2tp lns name lns_test2 lns_test2 L2TP Access Concentrator Status ------------------------------------ Enabled : true Status : pending > 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
Page 628
Virtual Private Networks (VPN) L2TPv3 Ethernet 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 629
Virtual Private Networks (VPN) L2TPv3 Ethernet 10. Click to expand Sessions. a. For Add Session, type a name for a session carried by the parent tunnel and click . b. For Session ID, type the session identifier for this session. This must match the value for Peer session ID on the remote peer.
Page 630
Virtual Private Networks (VPN) L2TPv3 Ethernet 5. Set the interface of the local endpoint: i. Use the ? to determine available interfaces: (config vpn l2tpeth L2TPv3_example)> local ? Local endpoint: The local network interface to connect to peer device. Format: /network/interface/defaultip /network/interface/defaultlinklocal /network/interface/eth1...
Page 631
Virtual Private Networks (VPN) L2TPv3 Ethernet c. (Optional) To calculate and check the UDP checksum: (config vpn l2tpeth L2TPv3_example)> udp_checksum true (config vpn l2tpeth L2TPv3_example)> 9. Add a session carried by the parent tunnel: (config vpn l2tpeth L2TPv3_example)> add session session_example (config vpn l2tpeth L2TPv3_example session_example)>...
Virtual Private Networks (VPN) L2TPv3 Ethernet both: Add a sequence number to each outgoing packet, and reorder packets if they are received out of order. The default is none. 16. Save the configuration and apply the change (config)> save Configuration saved. >...
Virtual Private Networks (VPN) MACsec Local IP : 4.3.2.1 Remote IP : 10.10.10.1 Tunnel ID : modem Peer Tunnel ID : 10.10.10.1 === 4.3.2.1 Session ID : 255 Peer Session ID : 1476 Lifetime (Actual) : 600 Device : le_test_test RX Packets : 2,102 RX Bytes...
Page 634
Virtual Private Networks (VPN) MACsec 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 635
Virtual Private Networks (VPN) MACsec 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Virtual Private Networks (VPN) NEMO 8. Save the configuration and apply the change (config)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. NEMO Network Mobility (NEMO) is a mobile networking technology that provides access to one or more Local Area Networks (LANs) on your device.
Page 637
If the local network is set to Interface, identify the local interface to be used. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 638
Virtual Private Networks (VPN) NEMO 5. For Zone, select Internal. The Internal firewall zone configures the IX20 device to trust traffic going to the tunnel and allows it through the network. 6. For Home agent server IP address, type the IPv4 address of the NEMO home agent. This is provided by your cellular carrier.
Page 639
Virtual Private Networks (VPN) NEMO 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 640
Virtual Private Networks (VPN) NEMO Allowed values are any integer between 68 and 1476. 9. Set the Security Parameter Index (SPI) value, which is used in the authentication extension when registering. This should be normally left at the default setting of 256 unless your service provider indicates a different value.
Page 641
Virtual Private Networks (VPN) NEMO (config vpn nemo nemo_example)> coaddress address IP_address (config vpn nemo nemo_example)> The default is defaultroute. 12. Set the GRE tunnel local endpoint: a. Set the method to determine the GRE tunnel local endpoint: (config vpn nemo nemo_example)> tun_local type value (config vpn nemo nemo_example)>...
Virtual Private Networks (VPN) NEMO 15. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show NEMO status Log into the IX20 WebUI as a user with full Admin access rights. 1.
Page 643
Virtual Private Networks (VPN) NEMO lan1 192.168.2.1/24 Advertized LAN2 192.168.3.1/24 Advertized > 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Page 644
Services This chapter contains the following topics: Allow remote access for web administration and SSH Configure the web administration service Configure SSH access Use SSH with key authentication Configure telnet access Configure DNS WAN bonding Simple Network Management Protocol (SNMP) Location information Modbus gateway System time...
To allow web administration or SSH for the External firewall zone: Add the External firewall zone to the web administration service 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 646
Services Allow remote access for web administration and SSH 4. For Add Zone, click . 5. Select External. 6. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
Page 647
Services Allow remote access for web administration and SSH 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 648
Services Allow remote access for web administration and SSH 5. Select External. 6. Click Apply to save the configuration and apply the change.
Services Configure the web administration service Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 650
The web administration service is enabled by default. To disable the service, or enable it if it has been disabled: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 651
Type quit to disconnect from the device. Configure the service 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 652
Services Configure the web administration service 3. Click Services > Web administration. 4. (Optional) For Port, enter the port number for the service. Normally this should not be changed. 5. Click Access control list to configure access control: To limit access to specified IPv4 addresses and networks: a.
Page 653
Services Configure the web administration service 6. Multicast DNS (mDNS) is enabled by default. mDNS is a protocol that resolves host names in small networks that do not have a DNS server. To disable mDNS, or enable it if it has been disabled, click Enable mDNS.
Page 654
Services Configure the web administration service 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 655
Services Configure the web administration service eth1 ETH1 eth2 ETH2 loopback Loopback modem Modem (config)> Repeat this step to list additional interfaces. To limit access based on firewall zones: (config)> add service web_admin acl zone end value (config)> Where value is a firewall zone defined on your device, or the any keyword. Display a list of available firewall zones: Type ...
Page 656
Services Configure the web administration service The private key can use one of the following algorithms: ECDSA ECDH Note Password-protected certificate keys are not supported. Example a. Generate the SSL certificate and private key, for example: # openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem b.
Page 657
Services Configure the web administration service -----END PRIVATE KEY-----" (config)> 5. (Optional) Configure Multicast DNS (mDNS): mDNS is a protocol that resolves host names in small networks that do not have a DNS server. mDNS is enabled by default.
Page 658
Services Configure the web administration service The default is TLS-1_2. 8. (Optional) Disable legacy port redirection. Legacy port redirection is used to redirect client HTTP requests to the HTTPS service. Legacy port redirection is enabled by default, and normally these settings should not be changed. To disable legacy port redirection: (config)>...
The SSH service is enabled by default. To disable the service, or enable it if it has been disabled: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights.
Page 660
Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Configure the service 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights.
Page 661
Configure SSH access 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
Page 662
Services Configure SSH access A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the SSH service. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: a.
Page 663
Services Configure SSH access Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: > config (config)> 3. Configure access control: To limit access to specified IPv4 addresses and networks: (config)>...
Page 664
Services Configure SSH access loopback Loopback modem Modem (config)> Repeat this step to list additional interfaces. To limit access based on firewall zones: (config)> add service ssh acl zone end value (config)> Where value is a firewall zone defined on your device, or the any keyword. Display a list of available firewall zones: Type ...
Page 665
Services Configure SSH access To enable the mDNS protocol: (config)> service ssh mdns enable true (config)> To disable the mDNS protocol: (config)> service ssh mdns enable false (config)> 6. (Optional) Set the port number for this service. The default setting of 22 normally should not be changed. (config)>...
Page 666
Services Configure SSH access 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
SSH service to allow SSH access for the External firewall zone. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 668
Services Use SSH with key authentication Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > Users. 4. Select an existing user or create a new user. See User authentication for information about creating a new user.
Page 669
Services Use SSH with key authentication key_name is a name for the key. key is a public SSH key, which you can enter by pasting or typing a public encryption key that this user can use for passwordless SSH login 4.
Enable the telnet service The telnet service is disabled by default. To enable the service: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 671
Type quit to disconnect from the device. Configure the service 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 672
Services Configure telnet access b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > telnet. 4.
Page 673
Services Configure telnet access To limit access to hosts connected through a specified interface on the IX20 device: a. Click Interfaces. b. For Add Interface, click . c. For Interface, select the appropriate interface from the dropdown. d. Click again to allow access through additional interfaces. To limit access based on firewall zones: a.
Page 674
Services Configure telnet access Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config)> add service telnet acl interface end value (config)> Where value is an interface defined on your device. Display a list of available interfaces: Use ...
Services Configure DNS internal ipsec loopback setup (config)> Repeat this step to include additional firewall zones. 4. (Optional) Configure Multicast DNS (mDNS) mDNS is a protocol that resolves host names in small networks that do not have a DNS server. mDNS is disabled by default.
Page 676
The device is configured by default with the hostname digi.device, which corresponds to the 192.168.210.1 IP address. To configure the DNS server: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 677
Services Configure DNS A single IP address or host name. A network designation in CIDR notation, for example, 192.168.1.0/24. any: No limit to IPv4 addresses that can access the DNS service. d. Click again to list additional IP addresses or networks. To limit access to specified IPv6 addresses and networks: a.
Page 678
Services Configure DNS e. Domain restricts the device's use of this DNS server based on the domain. If no domains are listed, then all queries may be sent to this server. 11. (Optional) To add host names and their IP addresses that the device's DNS server will resolve: a.
Page 679
Services Configure DNS Display a list of available interfaces: Use ... network interface ? to display interface information: (config)> ... network interface ? Interfaces Additional Configuration ------------------------------------------- defaultip Default IP defaultlinklocal Default Link-local IP eth1 ETH1 eth2 ETH2 loopback Loopback modem Modem (config)>...
Page 680
Services Configure DNS 4. (Optional) Cache negative responses By default, the device's DNS server caches negative responses. Disabling this option may improve performance on networks with transient DNS results, when one or more DNS servers may have positive results. To disable: (config)>...
Services Configure DNS (config service dns server 0)> domain domain (config service dns server 0)> d. (Optional) Set a label for this DNS server: (config service dns server 0)> label label (config service dns server 0)> 10. (Optional) Add host names and their IP addresses that the device's DNS server will resolve a.
WAN bonding also provides seamless failover by automatically using multiple pipes within the bonded tunnel. The WAN bonding service for your IX20 device must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. This section contains the following topics:...
Use Digi Remote Manager to enable and configure WAN bonding on multiple devices Note WAN bonding support must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. You must also set up the WAN bonding server. This can be done using one of three mechanisms: Set up a WAN bonding server on physical hardware or a Virtual Private Server (VPS) in your local environment.
Page 684
Services WAN bonding iii. Select for Tunnel password. iv. From the Common value menu, select Require override: e. Configure the device's WAN interfaces that will be bonded: i. Click Network > SD-WAN > WAN bonding > Bonding interfaces. ii. Click to add an interface. iii.
Page 685
Services WAN bonding v. You can change the Mode that the interface will use: Automatic: Automatically sets the mode to Cellular Optimized for Speed-mode for cellular, and Ethernet for non-cellular. This is the default mode. Cellular Optimized for Speed: A general-purpose configuration suitable for most lines (4G, DSL, etc), with a fair tolerance for packet loss and latency.
Configure WAN bonding on your local device Note WAN bonding support must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. You must also set up the WAN bonding server. This can be done using one of three mechanisms: Set up a WAN bonding server on physical hardware or a Virtual Private Server (VPS) in your local environment.
Page 687
Additional configuration items The firewall zone for the new bonded interface, if other than External. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 688
4. Toggle on Enable. Note The WAN bonding service must be enabled for this device in Digi Remote Manager. Contact your Digi sales representative for information. 5. For Hostname, type the hostname or IPv4 address of the external server hosting the WAN bonding server.
Page 689
> config (config)> 3. Enable the WAN bonding service: (config)> network sdwan wan_bonding enable true (config)> Note The WAN bonding service must be enabled for this device in Digi Remote Manager. Contact your Digi sales representative for information.
Page 690
Services WAN bonding 4. Set the hostname or IPv4 address of the external server hosting the WAN bonding service: (config)> network sdwan wan_bonding hostname hostname-or-IPv4-address (config)> 5. (Optional) Set the port number that the external server uses for the WAN bonding connection: (config)>...
Page 691
Services WAN bonding i. Set the interface: i. Use the ? to determine available interfaces: (config network sdwan wan_bonding interfaces 0)> interface ? Interface: The network interface. Format: /network/interface/defaultip /network/interface/defaultlinklocal /network/interface/eth1 /network/interface/eth2 /network/interface/loopback Current value: (config network sdwan wan_bonding interfaces 0)> interface ii.
Services WAN bonding The WAN bonding web interface can be used to view detailed WAN bonding statistics and to fine-tune the WAN bonding process, and is accessed via a web browser at http://ip-address:8088, where ip-address is the IP address of the local IX20 device. (config)>...
Page 693
Services WAN bonding Channel #0: : eth1 (eth1) Channel #1: : modem (wwan0.1) > 3. Use the show wan-bonding command to view additional status and statistics: > show wan-bonding verbose WAN Bonding Status ------------------ Tunnel Info ---------------- Status connected Endpoint 133.183.203.237:443 (#0) Network 146.78.40.226/255.255.255.0 gw 146.78.40.1...
Services Simple Network Management Protocol (SNMP) Simple Network Management Protocol (SNMP) Simple Network Management Protocol (SNMP) is a protocol for remotely managing and monitoring network devices. Network administrators can use the SNMP architecture to manage nodes, including servers, workstations, routers, switches, hubs, and other equipment on an IP network, manage network performance, find and solve network problems, and plan for network growth.
Page 695
Services Simple Network Management Protocol (SNMP) 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 696
Services Simple Network Management Protocol (SNMP) c. For Address, enter the IPv6 address or network that can access the device's SNMP agent. Allowed values are: A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the SNMP agent.
Page 697
Services Simple Network Management Protocol (SNMP) 2. At the command line, type config to enter configuration mode: > config (config)> 3. Enable the SNMP agent: (config)> service snmp enable true (config)> 4. Configure access control: To limit access to specified IPv4 addresses and networks: (config)>...
Page 698
Services Simple Network Management Protocol (SNMP) eth1 ETH1 eth2 ETH2 loopback Loopback modem Modem (config)> Repeat this step to list additional interfaces. To limit access based on firewall zones: (config)> add service snmp acl zone end value (config)> Where value is a firewall zone defined on your device, or the any keyword. Display a list of available firewall zones: Type ...
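Added example, not from the Digi guide: a Python check that reads a planned Admin CLI change session written in the `add service <name> acl zone end <value>` form shown in the web administration, SSH, telnet and SNMP sections, and reports which enabled services the change would leave reachable from the External zone or the any keyword, and whether telnet is switched on. The lowercase zone name `external`, the `service telnet enable true` line (patterned on `service snmp enable true`), treating SNMP as off until enabled, and the sample session are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Defaults as stated in the guide excerpts: web administration and SSH are
# enabled by default, telnet is disabled by default. SNMP is treated as
# disabled until "service snmp enable true" is seen (assumption).
DEFAULT_ENABLED = {"web_admin": True, "ssh": True, "telnet": False, "snmp": False}

# Services that carry credentials in cleartext on the wire.
CLEARTEXT = {"telnet"}

# Zone values that open a service beyond trusted networks. "external" in
# lowercase is an assumed CLI spelling of the External zone.
WIDE_ZONES = {"external", "any"}

# Strips Admin CLI prompts such as "> " or "(config)> " from a pasted session.
PROMPT = re.compile(r"^\s*(?:\([^)]*\))?>\s*")
ADD_ACL = re.compile(r"^add service (\w+) acl (zone|interface) end (\S+)$")
ENABLE = re.compile(r"^service (\w+) enable (true|false)$")


@dataclass
class Service:
    enabled: bool
    zones: set = field(default_factory=set)
    interfaces: set = field(default_factory=set)


def parse_session(lines):
    """Build per-service state from the commands in a CLI session."""
    services = {name: Service(on) for name, on in DEFAULT_ENABLED.items()}
    for raw in lines:
        cmd = PROMPT.sub("", raw).strip()
        if not cmd:
            continue
        m = ADD_ACL.match(cmd)
        if m and m.group(1) in services:
            svc = services[m.group(1)]
            target = svc.zones if m.group(2) == "zone" else svc.interfaces
            target.add(m.group(3))
            continue
        m = ENABLE.match(cmd)
        if m and m.group(1) in services:
            services[m.group(1)].enabled = m.group(2) == "true"
    return services


def audit(services):
    """Return (service, finding) pairs for enabled services only."""
    findings = []
    for name in sorted(services):
        svc = services[name]
        if not svc.enabled:
            continue
        if name in CLEARTEXT:
            findings.append((name, "cleartext-service-enabled"))
        for zone in sorted(z.lower() for z in svc.zones):
            if zone in WIDE_ZONES:
                findings.append((name, f"reachable-from-zone:{zone}"))
    return findings


# Constructed sample session (not captured from a device).
SAMPLE_SESSION = [
    "> config",
    "(config)> add service web_admin acl zone end external",
    "(config)> add service ssh acl zone end internal",
    "(config)> service telnet enable true",
    "(config)> add service telnet acl interface end eth2",
    "(config)> service snmp enable true",
    "(config)> add service snmp acl zone end any",
    "(config)> save",
    "Configuration saved.",
]

if __name__ == "__main__":
    for service, finding in audit(parse_session(SAMPLE_SESSION)):
        print(f"{service}: {finding}")
```

The check sees only the commands in the session it is given, so ACL entries already present on the device are outside its view.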
Services Simple Network Management Protocol (SNMP) (config)> service snmp port port (config)> 8. (Optional) Configure Multicast DNS (mDNS) mDNS is a protocol that resolves host names in small networks that do not have a DNS server. For the SNMP agent, mDNS is disabled by default. To enable: (config)>...
Page 700
Services Simple Network Management Protocol (SNMP) Required configuration items Enable SNMP. To download a .zip archive of the SNMP MIBs supported by this device: Log into the IX20 WebUI as a user with full Admin access rights. 1. Enable SNMP. Configure Simple Network Management Protocol (SNMP) for information about enabling and configuring SNMP support on the IX20 device.
Services Location information Location information Your IX20 device can be configured to use the following location sources: In conjunction with the CM07 CORE modem, the modem's internal Global Navigation Satellite System (GNSS) module that provides information about the current location of the device.
The location service is enabled by default. You can disable it, or you can enable it if it has been disabled. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 703
Services Location information Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Location update interval to ten minutes, enter 10m or 600s. 6. For information about configuring Location sources, see the following: a.
To disable support for the modem's GNSS receiver, or enable it if it has been disabled: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 705
Services Location information 3. Click Services > Location > Location sources > modem. 4. (Optional) Type a Label for the Modem GNSS location source. 5. For Type of location source, leave the selection at Modem GNSS. 6. Click Enable the location source to disable the GNSS receiver, or to enable it if it has been disabled.
Configure the device to use a user-defined static location You can configure your IX20 device to use a user-defined static location. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 707
Services Location information Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > Location > Location sources. 4. Click to add a location source. 5. (Optional) Type a Label for this location source. 6.
Services Location information The location source is enabled by default. To disable: (config service location source 1)> enable false (config service location source 1)> 4. (Optional) Set a label for this location source: (config service location source 1)> label "label" (config)>...
Page 709
Access control list configuration to provide access to the port through the firewall. To configure the device to accept location messages from external sources: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 710
Services Location information To limit access to specified IPv4 addresses and networks: a. Click IPv4 Addresses. b. For Add Address, click . c. For Address, enter the IPv4 address or network that can access the device's location server UDP port. Allowed values are: A single IP address or host name.
Page 711
Services Location information (config)> add service location source end (config service location source 1)> 4. (Optional) Set a label for this location source: (config service location source 1)> label "label" (config service location source 1)> 5. Set the type of location source to server: (config service location source 1)>...
Page 712
Services Location information Use ... network interface ? to display interface information: (config)> ... network interface ? Interfaces Additional Configuration ------------------------------------------- defaultip Default IP defaultlinklocal Default Link-local IP eth1 ETH1 eth2 ETH2 loopback Loopback modem Modem (config)> Repeat this step to list additional interfaces. To limit access based on firewall zones: (config)>...
A vehicle ID that is used in the TAIP ID message and can also be prepended to the forwarded message. Configure the IX20 device to forward location information: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 714
Services Location information c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > Location > Destination servers. 4. For Add destination server, click . 5.
Page 715
Services Location information RMC: Reports position, velocity, and time. VTG: Reports direction and speed over ground. 11. For TAIP filters, select the filters that represent the types of messages that will be forwarded. By default, all message types are forwarded. To remove a filter: a.
Page 716
Services Location information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 717
Services Location information all remote sources, and all forwarded sentences from remote sources will use the configured Format: Default Default value: Default Current value: Default (config service location forward 0)> ii. Set the talker ID: (config service location forward 0)> talker_id value (config service location forward 0)>...
Page 718
Services Location information (config service location forward 0)> label "Remote host 1" (config service location forward 0)> 12. (Optional) Specify types of messages that will be forwarded. Allowed values vary depending on the message protocol type. By default, all message types are forwarded. If the message protocol type is NMEA: Allowed values are: gga: Reports time, position, and fix related data.
Services Location information id: Reports the vehicle ID. ln: Long navigation: reports the latitude, longitude, and altitude, the horizontal and vertical speed, and heading. pv: Position/velocity: reports the latitude, longitude, and heading. To remove a message type: a. Use the show command to determine the index number of the message type to be deleted: (config service location forward 0)>...
Page 720
Update interval, which determines the amount of time that the geofence should wait between polling for updated location data. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 721
Services Location information d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > Location > Geofence. 4. For Add Geofence, type a name for the geofence and click . The geofence is enabled by default.
Page 722
Click again to add an additional point, and continue adding points to create the desired polygon. For example, to configure a square polygon around the Digi headquarters, configure a polygon with four points: This defines a square-shaped polygon equivalent to the following: 7.
Page 723
Services Location information a. Click to expand On entry. b. (Optional) Enable Bootup action to configure the device to perform the On entry actions if the device is inside the geofence when it boots. c. For Number of intervals, type or select the number of Update Intervals that must take place prior to performing the On entry actions.
Page 724
Services Location information a. Click to expand On exit. b. (Optional) Enable Bootup action to configure the device to perform the On exit actions if the device is inside the geofence when it boots. c. For Number of intervals, type or select the number of Update Intervals that must take place prior to performing the On exit actions.
Page 725
Services Location information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 726
Services Location information longitude int (config service location geofence test_geofence)> where int is: For latitude, any integer between -90 and 90, with up to six decimal places. For longitude, any integer between -180 and 180, with up to six decimal places.
Page 727
For longitude, any integer between -180 and 180, with up to six decimal places. Repeat for each vertex of the polygon. For example, to configure a square polygon around the Digi headquarters, configure a polygon with four points: (config service location geofence test_geofence)> add...
Page 728
Services Location information 6. Define actions to be taken when the device's location triggers a geofence event: To define actions that will be taken when the device enters the geofence, or is inside the geofence when it boots: a. (Optional) Configure the device to perform the actions if the device is inside the geofence when it boots: (config)>...
Page 729
Services Location information (config service location geofence test_geofence on_entry action 0)> where value is either: factory_erase— Erases the device configuration when the action is triggered. script—Executes a custom script when the action is triggered. factory_erase or script. If type is set to script: i.
Page 730
Services Location information v. A sandbox is enabled by default to prevent the script from adversely affecting the system. To disable the sandbox: (config service location geofence test_geofence on_entry action 0)> sandbox false (config service location geofence test_geofence on_entry action 0)> If you disable the sandbox, the script may render the system unusable.
Page 731
Services Location information where value is either: factory_erase— Erases the device configuration when the action is triggered. script—Executes a custom script when the action is triggered. factory_erase or script. If type is set to script: i. Type or paste the script, closed in quote marks: (config service location geofence test_geofence on_exit action 0)>...
Services Location information (config service location geofence test_geofence on_exit action 0)> sandbox false (config service location geofence test_geofence on_exit action 0)> If you disable the sandbox, the script may render the system unusable. vi. Repeat for any additional actions. 7. Save the configuration and apply the change (config)>...
Services Modbus gateway Velocity : 0 meters per second Direction : None Quality : Standard GNSS (2D/3D) UTC Date and Time : Fri, Jan 12, 2024 12:10:00 03 No. of Satellites : 7 > 3. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
Services Modbus gateway Configure the Modbus gateway Required configuration items Server configuration: Enable the server. Connection type, either socket or serial. If the connection type is socket, the IP protocol to be used. If the connection type is serial, the serial port to be used. Client configuration: Enable the client.
Page 735
Whether packets should be delivered to a fixed Modbus address. Whether packets should have their Modbus address adjusted downward before delivery. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 736
Services Modbus gateway Configure gateway servers 1. Click to expand Gateway Servers. 2. For Add Modbus server, type a name for the server and click . The new Modbus gateway server configuration is displayed. 3. The new Modbus gateway server is enabled by default. Toggle off Enable the server to disable.
Page 737
Services Modbus gateway To limit access to specified IPv4 addresses and networks: a. Click IPv4 Addresses. b. For Add Address, click . c. For Address, enter the IPv4 address or network that can access the device's web administration service. Allowed values are: A single IP address or host name.
Page 738
Services Modbus gateway 3. The new Modbus gateway client is enabled by default. Toggle off Enable the client to disable. 4. For Connection type, select Socket or Serial. Available options in the gateway server configuration vary depending on this setting. If Socket is selected for Connection type: a.
Page 739
Services Modbus gateway A single IP address or host name. A network designation in CIDR notation, for example, 192.168.1.0/24. any: No limit to IPv4 addresses that can access the web administration service. d. Click again to list additional IP addresses or networks. To limit access to specified IPv6 addresses and networks: a.
Page 740
Services Modbus gateway 14. For Fixed Modbus server address, if request messages handled by this client should always be forwarded to a specific device, type the device's Modbus address. Leave at the default setting of 0 to allow messages that match the Modbus address filter to be forwarded to devices based on the Modbus address in the message.
Page 741
Services Modbus gateway 4. Configure servers: a. Add a server: (config)> add service modbus_gateway server name (config service modbus_gateway server name)> where name is a name for the server, for example: (config)> add service modbus_gateway server test_modbus_server (config service modbus_gateway server test_modbus_server)> The Modbus server is enabled by default.
Page 742
Services Modbus gateway where value is any number between 10 milliseconds and one second, and take the format number{ms|s}. For example, to set idle_gap to 20 milliseconds, enter 20ms. v. Set the amount of time to wait before disconnecting the socket when it has become inactive: (config service modbus_gateway server test_modbus_server)>...
Page 743
Services Modbus gateway iii. Set the maximum allowable time between bytes in a packet: (config service modbus_gateway server test_modbus_server)> serial idle_gap value (config service modbus_gateway server test_modbus_server)> where value is any number between 10 milliseconds and one second, and take the format number{ms|s}.
Page 744
Services Modbus gateway where value is either tcp or udp. ii. Set the port: (config service modbus_gateway client test_modbus_client)> socket port (config service modbus_gateway client test_modbus_client)> where port is an integer between 1 and 65535. The default is 502. iii. Set the packet mode: (config service modbus_gateway client test_modbus_client)>...
Page 745
Services Modbus gateway If connection_type is set to serial: i. Set the serial port: i. Use the ? to determine available serial ports: (config service modbus_gateway client test_modbus_client)> ... serial port ? Serial Additional Configuration ------------------------------------------------------- ------------------------ port1 Port 1 (config service modbus_gateway client test_modbus_client)>...
Page 746
Services Modbus gateway (config service modbus_gateway client test_modbus_client)> broadcast true (config service modbus_gateway client test_modbus_client)> e. Set the maximum time to wait for a response to a message: (config service modbus_gateway client test_modbus_client)> response_timeout value (config service modbus_gateway client test_modbus_client)> Allowed values are between 1 millisecond and 700 milliseconds, and take the format numberms.
Services Modbus gateway (config service modbus_gateway client test_modbus_client)> fixed_server_address value (config service modbus_gateway client test_modbus_client)> Leave at the default setting of 0 to allow messages that match the Modbus address filter to be forwarded to devices based on the Modbus address in the message. h.
Page 748
Services Modbus gateway Log into the IX20 WebUI as a user with full Admin access rights. 1. On the menu, select Status > Modbus Gateway. The Modbus Gateway page appears. Statistics related to the Modbus gateway server are displayed. If the message Server connections not available is displayed, this indicates that there are no connected clients.
Page 750
Services Modbus gateway RX Timeouts TX Broadcasts TX Requests > 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
At least one upstream NTP server for synchronization. Additional Configuration Options Additional upstream NTP servers. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 752
Services System time d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click System > Time 4. (Optional) For Timezone, select either UTC or select the location nearest to your current location to set the timezone for your IX20 device.
Page 753
Services System time Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: > config (config)> 3. (Optional) Set the timezone for the location of your IX20 device. The default is UTC. (config)>...
Page 754
Services System time Note This list is synchronized with the list of servers included with NTP server configuration, and changes made to one will be reflected in the other. See Configure the device as an NTP server for more information about NTP server configuration. 5.
Services Network Time Protocol 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
The time zone setting, if the default setting of UTC is not appropriate. To configure the IX20 device's NTP service: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 757
Services Network Time Protocol 3. Click Services > NTP. 4. Enable the IX20 device's NTP service by clicking Enable. 5. (Optional) Configure the access control list to limit downstream access to the IX20 device's NTP service. To limit access to specified IPv4 addresses and networks: a.
Page 758
Services Network Time Protocol Note By default, the access control list for the NTP service is empty, which means that all downstream hosts connected to the IX20 device can use the NTP service. 6. Enable Fall back to local clock to allow the device's local system clock to be used as backup time source.
Page 759
Services Network Time Protocol To delete the default NTP server, time.devicecloud.com: (config)> del service ntp server 0 (config)> To add the NTP server to the beginning of the list, use the index value of 0 to indicate that it should be added as the first server: (config)>...
Page 760
Services Network Time Protocol A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the NTP server agent. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config)>...
Services Network Time Protocol dynamic_routes edge external hotspot internal ipsec loopback setup (config)> Repeat this step to include additional firewall zones. Note By default, the access control list for the NTP service is empty, which means that all downstream hosts connected to the IX20 device can use the NTP service. 7.
To configure a multicast route: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
Page 763
Services Configure a multicast route Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a.
Page 764
Services Configure a multicast route 2. At the command line, type config to enter configuration mode: > config (config)> 3. Add the multicast route. For example, to add a route named test: (config)> add service multicast test (config service multicast test)> 4.
Create a new network interface for the bonded Ethernet devices, and disable any interfaces associated with those Ethernet devices. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
Page 766
Services Ethernet network bonding a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
Page 767
Services Ethernet network bonding 7. Add Ethernet devices: a. For Add device, click . b. For Device, select an Ethernet device to participate in the bond pool. c. Repeat for each appropriate Ethernet device. 8. Create a new network interface that is linked to the Ethernet bond: a.
Page 768
Services Ethernet network bonding In some cases, the device may be a part of a bridge, in which case you should remove the device from the bridge. Configure a bridge for more information. 9. Click Apply to save the configuration and apply the change. ...
Page 769
Services Ethernet network bonding round-robin: Alternates between bonded devices to provide load balancing as well as fault tolerance. 6. Add Ethernet devices: a. Use the ? to determine available devices: (config network bond eth_bond)> ... network device ? Additional Configuration --------------------------------------------------------------------- ------- eth1...
Multicast DNS mDNS is a protocol that resolves host names in small networks that do not have a DNS server. You can enable the IX20 device to use mDNS. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 771
Services Enable service discovery (mDNS) 3. Click Services > Service Discovery (mDNS). 4. Enable the mDNS service. 5. Click Access control list to configure access control: To limit access to specified IPv4 addresses and networks: a. Click IPv4 Addresses. b. For Add Address, click . c.
Page 772
Services Enable service discovery (mDNS) 6. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 773
Services Enable service discovery (mDNS) Use ... network interface ? to display interface information: (config)> ... network interface ? Interfaces Additional Configuration ------------------------------------------- defaultip Default IP defaultlinklocal Default Link-local IP eth1 ETH1 eth2 ETH2 loopback Loopback modem Modem (config)> Repeat this step to list additional interfaces. To limit access based on firewall zones: (config)>...
Whether to allow clients that have no client ID to connect. Whether to replace the client's ID with its username. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 775
Services Use the MQTT broker service Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > MQTT broker. 4. Click Enable. 5. (Optional) For Port, type the port number for the MQTT broker to listen for incoming connections.
Page 776
Services Use the MQTT broker service To limit access to hosts connected through a specified interface on the IX20 device: a. Click Interfaces. b. For Add Interface, click . c. For Interface, select the appropriate interface from the dropdown. d. Click again to allow access through additional interfaces. To limit access based on firewall zones: a.
Page 777
Services Use the MQTT broker service Deny v. Click again to add additional topics. e. Click again to add additional clients. 12. Click to expand Encryption. 13. For Type, select either None or PSK. If PSK is selected: a.
Page 778
Services Use the MQTT broker service Read/write Deny e. Click again to add additional topics. 15. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
Page 779
Services Use the MQTT broker service To limit access to hosts connected through a specified interface on the IX20 device: (config)> add service mqtt acl interface end value (config)> Where value is an interface defined on your device. Display a list of available interfaces: Use ...
Page 780
Services Use the MQTT broker service ipsec loopback setup (config)> Repeat this step to include additional firewall zones. 6. Enable the system to write MQTT debug messages to the system log: (config)> service mqtt debug true (config)> 7. Enable connections from clients that do not provide a username: (config)>...
Page 781
Services Use the MQTT broker service The topic. The single-level wildcard, +. The multi-level wildcard, #. iii. Set the access type to apply to the topic: (config service mqtt client 0 topic_acl 0)> access value (config service mqtt client 0 topic_acl 0)> where value is one of: deny read...
Page 782
Services Use the MQTT broker service c. Set the pre-shared keys: i. Add a pre-shared key: (config)> add service mqtt encryption psk end (config service mqtt encryption psk 0)> ii. Set the identity sent to the client: (config service mqtt encryption psk 0)> indentity value (config service mqtt encryption psk 0)>...
Page 783
Services Use the MQTT broker service d. Set the access type to apply to the topic: (config service mqtt topic_acl anonymous 0)> access value (config service mqtt topic_acl anonymous 0)> where value is one of: deny read readwrite write The default is readwrite. e.
Services Use the MQTT broker service readwrite write The default is readwrite. e. Add additional topics: (config service mqtt topic_acl pattern 0)> add ..pattern end (config service mqtt topic_acl pattern 1)> f. Repeat the above steps to set the topic and access type. 13.
Services Use the iPerf service Totals ------ Bytes sent : 158400 Bytes received : 4500 Messages sent Messages received : 0 Clients ------- Total Maximum Connected Disconnected Expired Subscriptions ------------- Total Shared Message Store ------------- Bytes : 151 Messages : 35 Retained messages : 40 PUBLISH Messages ----------------...
Page 786
To enable the iPerf3 server: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 787
Services Use the iPerf service 3. Click Services > iPerf. 4. Click Enable. 5. (Optional) For IPerf Server Port, type the appropriate port number for the iPerf server listening port. 6. (Optional) Click to expand Access control list to restrict access to the iPerf server: To limit access to specified IPv4 addresses and networks: a.
Page 788
Services Use the iPerf service d. Click again to allow access through additional firewall zones. 7. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
Page 789
Services Use the iPerf service Where value is an interface defined on your device. Display a list of available interfaces: Use ... network interface ? to display interface information: (config)> ... network interface ? Interfaces Additional Configuration ------------------------------------------- defaultip Default IP defaultlinklocal Default Link-local IP eth1...
IP address, interfaces, and/or zones. To enable the iPerf3 server: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights.
Page 791
Configure the ping responder service 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
Page 792
Services Configure the ping responder service A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the ping responder. d. Click again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: a.
Page 793
Services Configure the ping responder service A single IP address or host name. A network designation in CIDR notation, for example, 192.168.1.0/24. any: No limit to IPv4 addresses that can access the ping responder. Repeat this step to list additional IP addresses or networks. To limit access to specified IPv6 addresses and networks: (config)>...
Services Configure the ping responder service Type ... firewall zone ? at the config prompt: (config)> ... firewall zone ? Zones: A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists. Additional Configuration -------------------------------------------------------- -----------------------...
Page 796
Applications The IX20 supports Python 3.6 and provides you with the ability to run Python applications on the device interactively or from a file. You can also specify Python applications and other scripts to be run each time the device system restarts, at specific intervals, or at a specified time. This chapter contains the following topics: Develop Python applications The use(led) function...
The IX20 features a standard Python 3.6 distribution. Python is a dynamic, object-oriented language for developing software applications, from simple programs to complex embedded applications. Digi offers the Digi IoT PyCharm Plugin to help you while writing, building, and testing your application. Create and test a Python application.
Applications Develop Python applications Set up the IX20 for Python development 1. Access the IX20 local web interface a. Use an Ethernet cable to connect the IX20 to your local laptop or PC. The factory default IP address is 192.168.2.1 b.
Page 799
Develop Python applications Develop an application in PyCharm The Digi IoT PyCharm Plugin allows you to write, build and run Python applications for Digi devices in a quick and easy way. See the Digi XBee PyCharm IDE Plugin User Guide for details.
Page 800
Applications Develop Python applications Example: Configure a custom port to listen for incoming socket connections The following example Python script configures a custom port, port 9999, to accept incoming socket connections. You will also need to add a custom firewall rule to accept the incoming traffic on this port. Example script import socket import socketserver...
Page 801
Create a custom firewall rule 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Applications Develop Python applications 6. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 803
Applications Develop Python applications LEDs: digidevice.led SMS: digidevice.sms GPS: digidevice.location Digi Remote Manager: digidevice.datapoint digidevice.device_request digidevice.name Device configuration: digidevice.config Command line interface: digidevice.cli Access runtime database: digidevice.runt Set the maintenance window: digidevice.maintenance Use the Python serial module—pySerial— to access the serial ports.
Page 804
4. Execute a CLI command using the cli.execute(command) function. For example, to print the system status and statistics to stdout using the show system command: >>> response = cli.execute("show system") >>> >>> print (response) Model : Digi IX20 Serial Number : IX20xxxxxxxxyyyyxx : IX20 Hostname : IX20...
Page 805
5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Use digidevice.datapoint to upload custom datapoints to Digi Remote Manager Use the datapoint Python module to upload custom datapoints to Digi Remote Manager. The following characteristics can be defined for a datapoint:...
Page 806
Applications Develop Python applications Tuple of latitude, longitude and altitude Description (optional) Quality (optional) An integer describing the quality of the data point For example, to use an interactive Python session to upload datapoints related to velocity, temperature, and the state of the emergency door: 1.
Page 807
Help for using Python to upload custom datapoints to Remote Manager Get help for uploading datapoints to your Digi Remote Manager account by accessing help for datapoint.upload and datapoint.upload_multiple: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions >...
Page 808
Applications Develop Python applications upload(stream_id:str, data, *, description:str=None, timestamp:float=None, units:str=None, geo_location:Tuple[float, float, float]=None, quality:int=None, data_type:digidevice.datapoint.DataType=None, timeout:float=None) 5. Use the help command with datapoint.upload_multiple: >>> help(datapoint.upload_multiple) Help on function upload_multiple in module digidevice.datapoint: upload_multiple(datapoints:List[digidevice.datapoint.DataPoint], timeout:float=None) 6. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Use digidevice.config for device configuration Use the config Python module to access and modify the device configuration.
Page 809
Applications Develop Python applications network.interface.lan1.enable=true network.interface.lan1.ipv4.address=192.168.2.1/24 network.interface.lan1.ipv4.connection_monitor.attempts=3 b. Print a list of available interfaces: >>> cfg = config.load() >>> interfaces = cfg.get("network.interface") >>> print(interfaces.keys()) This returns the following: ['defaultip', 'defaultlinklocal', 'lan1', 'loopback', 'wan1', 'wwan1', 'wwan2'] c. Print the IPv4 address of the LAN interface: >>>...
Page 810
5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Use Python to respond to Digi Remote Manager SCI requests The device_request Python module allows you to interact with Digi Remote Manager by using Remote Manager's Server Command Interface (SCI), a web service that allows users to access information and perform commands that relate to their devices.
Page 811
Ctrl-D. You can also exit the session using exit() or quit(). Task two: Create and send an SCI request from Digi Remote Manager The second step in using the device_request module is to create an SCI request that Remote Manager will forward to the device.
Page 812
Applications Develop Python applications d. Click Add. e. Click OK. 3. Click Examples > SCI > Data Service > Send Request. Code similar to the following will be displayed in the HTTP message body text box: <sci_request version="1.0"> <data_service> <targets> <device id="00000000-00000000-0000FFFF-A83CF6A3"/>...
Page 813
This can be done from either the WebUI or the command line: i. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. ii. Access the device configuration: Remote Manager: i.
Page 814
Applications Develop Python applications The Configuration window is displayed. iii. Click System > Scheduled tasks > Custom scripts. iv. Click to add a custom script. v. For Label, type Show system application. vi. For Run mode, select On boot. vii.
Page 815
Applications Develop Python applications iii. Add an application entry: (config)> add system schedule script end (config system schedule script 0)> Scheduled scripts are enabled by default. To disable: (config system schedule script 0)> enable false (config system schedule script 0)> iv.
Page 816
Applications Develop Python applications Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell. ii. Type the following at the shell prompt: # python /etc/config/scripts/showsystem.py & iii. Exit the shell: # exit 4.
Page 817
Applications Develop Python applications : Digi IX20 Serial Number : IX20-000068 Hostname : IX20 : 00:40:D0:13:35:36 Hardware Version : 50001959-01 A Firmware Version : 23.12.1.56 Bootloader Version Firmware Build Date : Fri, Jan 12, 2024 12:10:00 Schema Version : 461...
Page 818
</sci_request> Help for using Python to respond to Digi Remote Manager SCI requests Get help for responding to Digi Remote Manager Server Command Interface (SCI) requests by accessing help for digidevice.device_request: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions >...
Page 819
Applications Develop Python applications encoding:str='UTF-8') Use the help command with device_request.unregister: >>> help(device_request.unregister) Help on function unregister in module digidevice.device_request: unregister(target:str) -> bool 5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Use digidevice runtime to access the runtime database Use the runt submodule to access and modify the device runtime database.
Page 820
Applications Develop Python applications b. Print available keys for the system key: >>> print(runt.keys("system")) This will return the following: ['boot_count', 'chassis', 'cpu_temp', 'cpu_usage', 'disk', 'load_avg', 'local_time', 'mac', 'mcu', 'model', 'ram', 'serial', 'uptime'] c. Use the get() method to print the device's MAC address: >>>...
Page 821
Use Python to upload the device name to Digi Remote Manager The name submodule can be used to upload a custom name for your device to Digi Remote Manager. When you use the name submodule to upload a custom device name to Remote Manager, the...
Page 822
As a result, support for this functionality is disabled by default on Remote Manager. Enable support on Digi Remote Manager for uploading custom device names 1. In Remote Manager, click API Explorer. 2. For the HTTP method, select PUT.
Page 823
Develop Python applications Help for uploading the device name to Digi Remote Manager Get help for uploading the device name to Digi Remote Manager by accessing help for digidevice.name: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions >...
Page 824
Applications Develop Python applications Type "help", "copyright", "credits" or "license" for more information. >>> 3. Import the location submodule: >>> from digidevice import location 4. Use the valid_fix object to determine if the device has a valid fix: >>> loc = location.Location() >>>...
Page 825
Applications Develop Python applications Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell. 2. At the shell prompt, use the python command with no parameters to enter an interactive Python session: # python Python 3.10.1 (main, Mar 30 2023, 23:47:13) [GCC 11.2.0] on linux...
Page 827
Applications Develop Python applications Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell. 2. At the shell prompt, use the python command with no parameters to enter an interactive Python session: # python Python 3.10.1 (main, Mar 30 2023, 23:47:13) [GCC 11.2.0] on linux...
Page 828
Applications Develop Python applications 4. To determine the current service state of the device: >>> maintenance.state() 'IN_SERVICE' >>> 5. To set the device to out of service: >>> maintenance.out_of_service() >>> maintenance.state() 'OUT_OF_SERVICE' >>> 6. To set the device to in service: >>>...
Page 829
Applications Develop Python applications DESCRIPTION API for setting the device's service state. The service state is stored in runt. 5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). The digidevice led submodule Use the led submodule to redefine the purpose of any front-panel LED on the IX20 device.
Applications The use(led) function Available LED states State Attribute name Solid on State.ON State.OFF Flash State.FLASH Use Python to set the state of LEDs The following example uses an interactive Python session to set the state of all LEDs to flashing: 1.
Applications Releasing the LEDs to system control Releasing the LEDs to system control During a Python interactive session, or from within a Python script, you can release control of the LED from Python to system control using the led.release() method. If the Python script or session terminates prior to releasing control to the system, the LEDs will continue to have the state that Python set to them, until the device is rebooted.
Page 832
Applications Use Python to control the color of multi-colored LEDs LED attribute name Color State Led.COM Blue flashing Led.ETH Led.ONLINE FLASH Led.COM White Led.ETH Led.ONLINE Led.COM White flashing FLASH Led.ETH FLASH Led.ONLINE FLASH Led.COM Yellow Led.ETH Led.ONLINE Led.COM Yellow flashing FLASH Led.ETH FLASH...
SMS scripting. Enable the ability to schedule SMS scripting 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
Page 834
Applications Use Python to control the color of multi-colored LEDs a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
Page 835
Applications Use Python to control the color of multi-colored LEDs 2. At the command line, type config to enter configuration mode: > config (config)> 3. At the config prompt, type: (config)> system schedule sms_script_handling true (config)> 4. Save the configuration and apply the change (config)>...
Page 836
Applications Use Python to control the color of multi-colored LEDs passed.") # acquire the semaphore and wait until a callback occurs COND.acquire() try: COND.wait(60.0) except Exception as err: print("exception occurred while waiting") print(err) COND.release() my_callback.unregister_callback() Example script using digidevice.sms to send CLI commands The following example script listens for an incoming SMS message from a specific phone number (2223334444) and then executes the SMS message as a CLI command.
Page 837
Applications Use Python to control the color of multi-colored LEDs if len(sys.argv) > 1: dest = sys.argv[1] else: dest = allowed_incoming_phone_number my_callback = Callback(sms_test_callback, metadata=True) #send_sms(dest, 'Ready to receive incoming SMS message') print("Waiting up to 60 seconds for incoming SMS message") # acquire the semaphore and wait until a callback occurs COND.acquire() try:...
Page 838
Applications Use Python to control the color of multi-colored LEDs >>> s = serial.Serial("/dev/serial/port1", 115200) >>> s.write(b"Hello from serial port") >>> 6. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Use the Paho MQTT python library Your IX20 device includes support for the Paho MQTT python library.
Page 839
Applications Use Python to control the color of multi-colored LEDs try: urllib.request.urlretrieve(fw_uri, fname) except: print("Failed to download FW file from URI {}".format(fw_uri)) return HTTPStatus.NOT_FOUND try: ret = cli.execute("system firmware update file " + fname, 60) except: print("Failed to run firmware update command") return HTTPStatus.INTERNAL_SERVER_ERROR if not "Firmware update completed"...
Page 840
Applications Use Python to control the color of multi-colored LEDs Supported commands: - "fw-update" params: - "uri": "<firmware_file_URL>" - "reboot" params: """ try: m = json.loads(msg.payload) cid = m["cid"] cmd = m["cmd"] try: payload = m["params"] except: payload = None except: print("Invalid command format: {}".format(msg.payload)) if not cid:...
Applications Set up the IX20 to automatically run your applications "disk_usage": { "/opt": disk_opt, "/etc/config:": disk_config, "ram": ram_used client.publish(PREFIX_EVENT + "/system", json.dumps(msg)) runt.start() serial = runt.get("system.serial") PREFIX = "router/" + serial PREFIX_EVENT = "event/" + PREFIX PREFIX_CMD = "cmd/" + PREFIX PREFIX_RSP = "rsp/"...
Page 842
Applications Set up the IX20 to automatically run your applications Select whether the script should run: When the device boots. At a specified time. At a specified interval. During system maintenance. Additional configuration items If the script is a Python application, include the full path to the script. A label used to identify the script.
Page 843
Applications Set up the IX20 to automatically run your applications 4. Browse to the location of the script on your local machine. Select the file and click Open to upload the file. The file is uploaded to the /etc/config/scripts directory. ...
Page 844
Applications Set up the IX20 to automatically run your applications 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 845
Applications Set up the IX20 to automatically run your applications Custom scripts are enabled by default. To disable, toggle off Enable. 5. (Optional) For Label, provide a label for the script. 6. For Run mode, select the mode that will be used to run the script. Available options are: On boot: The script will run once each time the device boots.
Page 846
Applications Set up the IX20 to automatically run your applications 9. For Maximum memory, enter the maximum amount of memory available to be used by the script and its subprocesses, using the format number{b|bytes|KB|k|MB|MB|M|GB|G|TB|T}. 10. Sandbox is enabled by default, which restricts access to the file system and available commands that can be used by the script.
Page 847
Applications Set up the IX20 to automatically run your applications boot: The script will run once each time the device boots. If boot is selected, set the action that will be taken when the script completes: (config system schedule script 0)> exit_action action (config system schedule script 0)>...
Page 848
Applications Set up the IX20 to automatically run your applications (config system schedule script 0)> commands python "/etc/config/scripts/test.py" (config system schedule script 0)> If the script begins with #!, then the script will be invoked in the location specified by the path for the script command.
Applications Set up the IX20 to automatically run your applications 12. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show script information You can view status and statistics about location information from either the WebUI or the command line.
Page 850
Applications Set up the IX20 to automatically run your applications Log into the IX20 WebUI as a user with full Admin access rights. 1. At the Status page, click Scripts. The Scripts page displays: 2. For scripts that are currently running, click Stop Script to stop the script. ...
>>> help("digidevice") Help on package digidevice: NAME digidevice - Digi device python extensions DESCRIPTION This module includes various extensions that allow Python to interact with additional features offered by the device. 4. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit().
Page 852
Applications Run a Python application at the shell prompt 1. Upload the Python application to the IX20 device: Log into the IX20 WebUI as a user with full Admin access rights. a. On the menu, click System. Under Administration, click File System. The File System page appears.
Applications Configure scripts to run manually For example: To upload a script from a remote host with an IP address of 192.168.4.1 to the /etc/config/scripts directory on the IX20 device, issue the following command: > scp host 192.168.4.1 user admin remote /home/admin/bin/test.py local /etc/config/scripts/ to local admin@192.168.4.1's password: adminpwd test.py...
Page 854
Applications Configure scripts to run manually Log into the IX20 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Administration, click File System. The File System page appears. 2. Highlight the scripts directory and click to open the directory. 3.
This feature does not provide syntax or error checking. Certain commands can render the device inoperable. Use with care. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 856
Applications Configure scripts to run manually 3. Click System > Scheduled tasks > Custom scripts. 4. For Add Script, click . The script configuration window is displayed. Custom scripts are enabled by default. To disable, toggle off Enable. 5.
Page 857
Applications Configure scripts to run manually 10. Sandbox is enabled by default, which restricts access to the file system and available commands that can be used by the script. This option protects the script from accidentally destroying the system it is running on. 11.
Page 858
Applications Configure scripts to run manually If a Python script is being used, include the full path to the Python script and enclose in quotation marks. For example: (config system schedule script 0)> commands python "/etc/config/scripts/test.py" (config system schedule script 0)> If the script begins with #!, then the script will be invoked in the location specified by the path for the script command.
Applications Start a manual script 12. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Start a manual script You can start a script that is enabled and configured to have a run mode of Manual. ...
Page 860
Applications Start a manual script 4. Save the configuration and apply the change (config)> save Configuration saved. > 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
Page 861
User authentication This chapter contains the following topics: IX20 user authentication User authentication methods Authentication groups Local users Terminal Access Controller Access-Control System Plus (TACACS+) Remote Authentication Dial-In User Service (RADIUS) LDAP Configure serial authentication Disable shell access Set the idle timeout for IX20 users Example user configuration IX20 User Guide...
User authentication IX20 user authentication IX20 user authentication User authentication on the IX20 has the following features and default configuration: Feature: Idle timeout. Description: Determines how long a user session can be idle before the system automatically disconnects. Default configuration: 10 minutes. Feature: Allow shell. Description: If disabled, prevents all authentication prohibits access to... Default configuration: Enabled.
Page 863
User authentication User authentication methods Local users: Users are authenticated on the local device. RADIUS: Users are authenticated by using a remote RADIUS server. See Remote Authentication Dial-In User Service (RADIUS) for information about configuring RADIUS authentication. TACACS+: Users are authenticated by using a remote TACACS+ server. See Terminal Access Controller Access-Control System Plus (TACACS+) for information about configuring TACACS+ authentication.
The types of authentication method to be used: To add an authentication method: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 865
User authentication User authentication methods 4. For Add Method, click . 5. Select the appropriate authentication type for the new method from the Method drop-down. Note Authentication methods are attempted in the order they are listed until the first successful authentication result is returned. See Rearrange the position of authentication methods for information about how to reorder the authentication methods.
Type quit to disconnect from the device. Delete an authentication method 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager:...
Page 867
User authentication User authentication methods a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
To reorder these so that RADIUS is first and Local users is second: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 869
User authentication User authentication methods Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click to expand the first Method. 4. In the Method drop-down, select RADIUS. 5. Click to expand the second Method. 6.
User authentication Authentication groups 1 radius (config)> 4. Use the move command to rearrange the methods: (config)> move auth method 1 0 (config)> 5. Use the show command again to verify the change: (config)> show auth method 0 radius 1 local (config)>...
Page 871
User authentication Authentication groups The preconfigured authentication groups cannot be deleted, but the access rights defined for the group are configurable. This section contains the following topics: Change the access rights for a predefined group Add an authentication group Delete an authentication group IX20 User Guide...
By default, two authentication groups are predefined: admin and serial. To change the access rights of the predefined groups: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 873
User authentication Authentication groups Read-only access provides users of this group with read-only access to the WebUI and Admin CLI. The default is Full access. Serial access Interactive shell access Shell access is not available if the Allow shell parameter has been disabled. See Disable shell access for more information about the Allow shell parameter.
Access rights to captive portals, and the portals to which they have access. Access rights to query the device for Nagios monitoring. To add an authentication group: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. IX20 User Guide...
Page 875
User authentication Authentication groups 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
Page 876
User authentication Authentication groups 5. Click the following options, as appropriate, to enable or disable access rights for each: Admin access For groups assigned Admin access, you can also determine whether the Access level should be Full access or Read-only access. where value is either: Full access full: provides users of this group with the ability to manage the IX20 device by using the WebUI or the Admin CLI.
Page 877
User authentication Authentication groups 10. (Optional) Enable users that belong to this group to query the device for Nagios monitoring by checking the box next to Nagios access. 11. (Optional) Enable users that belong to this group to access the Wi-Fi scanning service by checking the box next to Wi-Fi scanner access.
Page 878
User authentication Authentication groups Serial access: (config auth group test)> acl serial enable true (config)> 5. (Optional) Configure captive portal access: a. Return to the config prompt by typing three periods (...): (config auth group test)> ... (config)> b. Enable captive portal access rights for users of this group: (config)>...
To delete an authentication group that you have created: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 880
User authentication Authentication groups 5. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
User authentication Local users Local users Local users are authenticated on the device without using an external authentication mechanism such as TACACS+ or RADIUS. Local user authentication is enabled by default, with one preconfigured default user. Default user At manufacturing time, each IX20 device comes with a default user configured as follows: Username: admin.
Local users Change a local user's password To change a user's password: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 883
User authentication Local users If the admin user's password has been changed from the default and the configuration saved, clearing the password field for the admin user will result in the device's configuration being erased and reset to the default configuration. You can also change the password for the active user by clicking the user name in the menu bar: The active user must have full Admin access rights to be able to change the password.
User authentication Local users 4. Save the configuration and apply the change (config)> save Configuration saved. > 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Configure a local user Required configuration items A username.
Page 885
User authentication Local users 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 886
User authentication Local users The user is enabled by default. To disable, toggle off Enable. 5. (Optional) For Username alias, type an alias for the user. Because the name used to create the user cannot contain special characters such as hyphens (-) or periods (.), an alias allows the user to log in using a name that contains special characters.
Page 887
User authentication Local users Note Every user must be configured with at least one group. You can add multiple groups to a user by clicking Add again and selecting the next group. 9. (Optional) Add SSH keys for the user to use passwordless SSH login: a.
Page 888
User authentication Local users i. Click Scratch codes. ii. For Add Code, click . iii. For Code, enter the scratch code. The code must be eight digits, with a minimum of 10000000. iv. Click again to add additional scratch codes. 11.
Page 889
User authentication Local users b. Set the amount of time that the user is locked out after the number of unsuccessful login attempts defined in lockout tries: (config auth user new_user)> lockout duration value (config auth user new_user)> where value is any number of minutes, or seconds, and takes the format number{m|s}. For example, to set duration to ten minutes, enter either 10m or 600s: (config auth user new_user)>...
Page 890
User authentication Local users a. Change to the user's ssh_key node: (config auth user new_user)> ssh_key (config auth user new_user ssh_key)> b. Add the key by using the ssh_key command and pasting or typing a public encryption key that this user can use for passwordless SSH login: (config auth user new_user ssh_key)>...
Page 891
User authentication Local users For example, to set refresh_interval to ten minutes, enter either 10m or 600s: (config auth user name 2fa)> refresh_interval 600s (config auth user name 2fa)> The default is 30s. g. Configure the valid code window size. This represents the allowed number of concurrently valid codes.
Delete a local user To delete a user from your IX20: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 893
User authentication Local users 4. Click the menu icon (...) next to the name of the user to be deleted and select Delete. 5. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
User authentication Terminal Access Controller Access-Control System Plus (TACACS+) Terminal Access Controller Access-Control System Plus (TACACS+) Your IX20 device supports Terminal Access Controller Access-Control System Plus (TACACS+), a networking protocol that provides centralized authentication and authorization management for users who connect to the device. With TACACS+ support, the IX20 device acts as a TACACS+ client, which sends user credentials and connection parameters to a TACACS+ server over TCP.
User authentication Terminal Access Controller Access-Control System Plus (TACACS+) TACACS+ user configuration When configured to use TACACS+ support, the IX20 device uses a remote TACACS+ server for user authentication (password verification) and authorization (assigning the access level of the user). Additional TACACS+ servers can be configured as backup servers for user authentication.
User authentication Terminal Access Controller Access-Control System Plus (TACACS+) Error: Unrecognised token on line 1 5. Restart the TACACS+ server: $ sudo /etc/init.d/tacacs_plus restart TACACS+ server failover and fallback to local authentication In addition to the primary TACACS+ server, you can also configure your IX20 device to use backup TACACS+ servers.
Page 897
The TACACS+ server port. It is configured to 49 by default. Add additional TACACS+ servers in case the first TACACS+ server is unavailable. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 898
User authentication Terminal Access Controller Access-Control System Plus (TACACS+) c. (Optional) Change the default Port setting to the appropriate port. Normally this should be left at the default setting of port 49. d. For Secret, type the TACACS+ server's shared secret. This is configured in the key parameter of the TACACS+ server's tac_plus.conf file, for example: key = testing123 Note...
Page 899
User authentication Terminal Access Controller Access-Control System Plus (TACACS+) 11. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
Page 900
User authentication Terminal Access Controller Access-Control System Plus (TACACS+) 8. Add a TACACS+ server: a. Add the server: (config)> add auth tacacs+ server end (config auth tacacs+ server 0)> b. Enter the TACACS+ server's IP address or hostname: (config auth tacacs+ server 0)> hostname hostname|ip-address (config auth tacacs+ server 0)>...
User authentication Remote Authentication Dial-In User Service (RADIUS) Remote Authentication Dial-In User Service (RADIUS) Your IX20 device supports Remote Authentication Dial-In User Service (RADIUS), a networking protocol that provides centralized authentication and authorization management for users who connect to the device.
User authentication Remote Authentication Dial-In User Service (RADIUS) RADIUS user configuration When configured to use RADIUS support, the IX20 device uses a remote RADIUS server for user authentication (password verification) and authorization (assigning the access level of the user). Additional RADIUS servers can be configured as backup servers for user authentication. This section outlines how to configure a RADIUS server to be used for user authentication on your IX20 device.
60 seconds. Enable additional debug messages from the RADIUS client. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 904
User authentication Remote Authentication Dial-In User Service (RADIUS) Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > RADIUS > Servers. 4. Add RADIUS servers: a. For Add server, click . b.
Page 905
User authentication Remote Authentication Dial-In User Service (RADIUS) value is used: If you are accessing the IX20 device by using the WebUI, the default value for NAS ID is httpd. If you are accessing the IX20 device by using ssh, the default value is sshd. 8.
User authentication LDAP default value is used: If you are accessing the IX20 device by using the WebUI, the default value for NAS ID is httpd. If you are accessing the IX20 device by using ssh, the default value is sshd. (config)>...
Page 907
User authentication LDAP authentication and authorization management for users who connect to the device. With LDAP support, the IX20 device acts as an LDAP client, which sends user credentials and connection parameters to an LDAP server. The LDAP server then authenticates the LDAP client requests and sends back a response message to the device.
User authentication LDAP LDAP user configuration When configured to use LDAP support, the IX20 device uses a remote LDAP server for user authentication (password verification) and authorization (assigning the access level of the user). Additional LDAP servers can be configured as backup servers for user authentication. This section outlines how to configure an LDAP server to be used for user authentication on your IX20 device.
User authentication LDAP cn: John Smith sn: Smith uid: john ou: admin serial LDAP server failover and fallback to local configuration In addition to the primary LDAP server, you can also configure your IX20 device to use backup LDAP servers. Backup LDAP servers are used for authentication requests when the primary LDAP server is unavailable.
Page 910
User authentication LDAP 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 911
User authentication LDAP c. (Optional) Change the default Port setting to the appropriate port. Normally this should be left at the default setting of port 389 for non-TLS and 636 for TLS. d. (Optional) Click again to add additional LDAP servers. 5.
Page 912
User authentication LDAP c. Select LDAP for the new method from the Method drop-down. Authentication methods are attempted in the order they are listed until an authentication response, either pass or fail, is received. If Authoritative is enabled (see above), non-authoritative methods are not attempted.
Page 913
User authentication LDAP The default is true. 6. Set the distinguished name (DN) that is used to bind to the LDAP server and search for users. Leave this option unset if the server allows anonymous connections. (config)> auth ldap bind_dn dn_value (config)>...
Configure serial authentication This section describes how to configure authentication for serial access. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 915
User authentication Configure serial authentication Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > Serial. 4. (Optional) For TLS identity certificate, paste a TLS certificate and private key in PEM format. If empty, the certificate for the web administration service is used.
Page 916
User authentication Configure serial authentication 2. At the command line, type config to enter configuration mode: > config (config)> 3. (Optional) Paste a TLS certificate and private key in PEM format: (config)> auth serial identity "cert-and-private-key" (config)> 4. Set the method used to verify the certificate of a remote peer: (config)>...
If shell access is disabled, re-enabling it will erase the device's configuration and perform a factory reset. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
User authentication Set the idle timeout for IX20 users 4. Click to disable Allow shell. Note If shell access is disabled, re-enabling it will erase the device's configuration and perform a factory reset. 5. Click Apply to save the configuration and apply the change. ...
Page 919
User authentication Set the idle timeout for IX20 users 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 920
User authentication Set the idle timeout for IX20 users 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Goal: To create a user with administrator rights who is authenticated locally on the device. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 922
User authentication Example user configuration 4. In Add User: enter a name for the user and click . The user configuration window is displayed. 5. Enter a Password for the user. 6. Assign the user to the admin group: a. Click Groups. b.
Page 923
User authentication Example user configuration 2. At the command line, type config to enter configuration mode: > config (config)> 3. Verify that the admin group has full administrator rights: (config)> show auth group admin acl admin enable true level full (config)>...
User authentication Example user configuration (config auth user adminuser)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Example 2: RADIUS, TACACS+, and local authentication for one user Goal: To create a user with administrator rights who is authenticated by using all three authentication methods.
Page 925
The authentication group on the IX20 device, admin, is identified in the groupname parameter. c. Save and close the tac_plus.conf file. 3. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 4. Access the device configuration:...
Page 926
User authentication Example user configuration a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
Page 927
User authentication Example user configuration 6. Create the local user: a. Click Authentication > Users. b. In Add User:, type admin1 and click . c. For password, type password1. d. Assign the user to the admin group: i. Click Groups. ii.
Page 928
User authentication Example user configuration In this example: The user's username is admin1. The user's password is password1. The authentication group on the IX20 device, admin, is identified in the Unix-FTP-Group-Names parameter. c. Save and close the users file. 2.
Page 929
User authentication Example user configuration b. Add RADIUS authentication to the beginning of the list: (config)> add auth method 0 radius (config)> c. Add TACACS+ authentication in second place in the list: (config)> add auth method 1 tacacs+ (config)> d. Verify that authentication will occur in the correct order: (config)>...
Page 930
User authentication Example user configuration 8. Save the configuration and apply the change: (config auth user adminuser)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
Page 931
Firewall This chapter contains the following topics: Firewall configuration Port forwarding rules Packet filtering Configure custom firewall rules Configure captive portals Configure Quality of Service options Web filtering
To create a zone: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 933
Firewall Firewall configuration c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Firewall > Zones. 4. In Add Zone, enter a name for the zone and click . The firewall configuration window is displayed.
This example procedure uses an existing network interface named ETH2 and changes the firewall zone from the default zone, Internal, to External. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 935
Firewall Firewall configuration a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces > ETH2. 4. For Zone, select External. 5. Click Apply to save the configuration and apply the change. ...
Delete a custom firewall zone You cannot delete preconfigured firewall zones. To delete a custom firewall zone: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Firewall Port forwarding rules 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 938
A white list of devices, based on either IP address or firewall zone, that are authorized to leverage this forwarding rule. To configure a port forwarding rule: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 939
Firewall Port forwarding rules Port forwarding rules are enabled by default. To disable, toggle off Enable. 5. (Optional) Type a Label that will be used to identify the rule. 6. For Interface, select the network interface for the rule. Network connections will only be forwarded if their destination address matches the IP address of the selected network interface.
Page 940
Firewall Port forwarding rules 2. At the command line, type config to enter configuration mode: > config (config)> 3. At the config prompt, type: (config)> add firewall dnat end (config firewall dnat 0)> Port forwarding rules are enabled by default. To disable the rule: (config firewall dnat 0)>...
Page 941
Firewall Port forwarding rules (config firewall dnat 0)> port port (config firewall dnat 0)> 7. Set the type of internet protocol. (config firewall dnat 0)> protocol value (config firewall dnat 0)> Network connections will only be forwarded if they match the selected protocol. Allowed values are custom, tcp, tcpudp, or udp.
Delete a port forwarding rule To delete a port forwarding rule: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 943
Firewall Port forwarding rules d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Firewall > Port forwarding. 4. Click the menu icon (...) next to the appropriate port forwarding rule and select Delete. 5.
Page 944
Firewall Port forwarding rules label IPv4 port forwarding rule port 10000 protocol tcp to_address6 10.10.10.10 to_port 10001 no address6 no zone enable false interface ip_version ipv6 label IPv6 port forwarding rule port 10002 protocol tcp to_address6 c097:4533:bd63:bb12:9a6f:5569:4b53:c29a to_port 10003 (config)> 4.
ICMP ICMP6 To configure a packet filtering rule: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 946
Firewall Packet filtering d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Firewall > Packet filtering. To create a new packet filtering rule, for Add packet filter, click . To edit the default packet filtering rule or another existing packet filtering rule, click to expand the rule.
Page 947
Firewall Packet filtering 8. For Source zone, select the firewall zone that will be monitored by this rule for incoming connections from network interfaces that are a member of this zone. See Firewall configuration for more information about firewall zones. 9. For Destination zone, select the firewall zone. Packets destined for network interfaces that are members of this zone will either be accepted, rejected or dropped by this rule.
Page 948
Firewall Packet filtering Packet filtering rules are enabled by default. To disable the rule: (config firewall filter 1)> enable false (config firewall filter 1)> 3. (Optional) Set the label for the rule. (config firewall filter 1)> label "My filter rule" (config firewall filter 1)>...
Enable or disable a packet filtering rule To enable or disable a packet filtering rule: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 950
Firewall Packet filtering 3. Click Firewall > Packet filtering. 4. Click the appropriate packet filtering rule. 5. Click Enable to toggle the rule between enabled and disabled. 6. Click Apply to save the configuration and apply the change. Command line 1.
Delete a packet filtering rule To delete a packet filtering rule: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 952
Firewall Packet filtering 3. Click Firewall > Packet filtering. 4. Click the menu icon (...) next to the appropriate packet filtering rule and select Delete. 5. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
To configure custom firewall rules: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 954
Firewall Configure custom firewall rules 3. Click Firewall > Custom rules. 4. Enable the custom rules. 5. (Optional) Enable Override to override all preconfigured firewall behavior and rely solely on the custom firewall rules. 6. For Rules, type the shell command that will execute the custom firewall rules script. 7.
Page 955
Firewall Configure custom firewall rules 6. Save the configuration and apply the change: (config)> save Configuration saved. > 7. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
Captive portals are available on the IX20W Wi-Fi enabled model only. To configure captive portals: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 957
Firewall Configure captive portals 4. For Add captive portal:, enter a name for the portal and click . The captive portal configuration window is displayed. The captive portal is enabled by default. To disable, toggle off Enable. 5. For Interface, select the network interface for the portal. Traffic received on this interface's network device will not be forwarded unless the client has been granted access.
Page 958
Firewall Configure captive portals 13. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 959
Firewall Configure captive portals (config firewall portal portal1)> timeout value (config firewall portal portal1)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set Session timeout to ten minutes, enter either 10m or 600s: (config firewall portal portal1)>...
Type quit to disconnect from the device. Delete captive portals To delete captive portals: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Firewall Configure Quality of Service options 3. Click Firewall > Captive portals. 4. Click the down caret next to the appropriate captive portal and select Delete. 5. Click Apply to save the configuration and apply the change. Command line 1.
Page 962
These example bindings are disabled by default. Enable the preconfigured bindings 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 963
Firewall Configure Quality of Service options 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
Page 964
Type quit to disconnect from the device. Create a new binding 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 965
Firewall Configure Quality of Service options 5. Enable the binding. 6. (Optional) Type a Label for the binding. 7. Select an Interface to queue egress packets on. The binding will only match traffic that is being sent out on this interface. 8.
Page 966
Firewall Configure Quality of Service options f. Select Default to identify this policy as a fall-back policy. The fall-back policy will be used for traffic that is not matched by any other policy. If there is no default policy associated with this binding, packets that do not match any policy rules will be dropped.
Page 967
Firewall Configure Quality of Service options IPv4 address: Only traffic destined for the IP address typed in IPv4 address will be matched. Use the format IPv4_address[/netmask], or use any to match any IPv4 address. IPv6 address: Only traffic destined for the IP address typed in IPv6 address will be matched.
Page 968
Firewall Configure Quality of Service options (config firewall qos 2)> interface b. Set the interface. For example: (config firewall qos 2)> interface /network/interface/eth1 (config firewall qos 2)> 6. (Optional) Set the maximum egress bandwidth of the interface, in megabits, allocated to this binding.
Page 969
Firewall Configure Quality of Service options (config firewall qos 2 policy 0)> latency int (config firewall qos 2 policy 0)> where int is any integer, 1 or greater. The default is 100. f. To identify this policy as a fall-back policy: (config firewall qos 2 policy 0)>...
Page 970
Firewall Configure Quality of Service options vi. Set the source port to define a source traffic matching criteria: (config firewall qos 2 policy 0 rule 0)> srcport value (config firewall qos 2 policy 0 rule 0)> where value is the IP port number, a range of port numbers using the format IP_port-IP_port, or any.
Page 971
Firewall Configure Quality of Service options (config network qos 2 policy 0 rule 0)> src address value (config network qos 2 policy 0 rule 0)> where value uses the format IPv4_address[/netmask], or any to match any IPv4 address. address6: Only traffic from the IP address typed in IPv6 address will be matched.
Firewall Web filtering (config network qos 2 policy 0 rule 0)> dst interface /network/interface/eth1 (config network qos 2 policy 0 rule 0)> address: Only traffic destined for the IP address typed in IPv4 address will be matched. Set the address that will be matched: (config network qos 2 policy 0 rule 0)>...
5. Click Create. 6. Copy the token. Task two: Configure web filtering 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 974
Firewall Web filtering 3. Click Firewall > Web filtering service. 4. Click Enable web filtering to enable. 5. For Web filtering service, select Cisco Umbrella. 6. Paste the API token that was generated in Task one: Generate a Cisco Umbrella API token.
Firewall Web filtering 6. Save the configuration and apply the change: (config)> save Configuration saved. > 7. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Clear the Cisco Umbrella device ID If the Cisco Umbrella device ID being used by your IX20 is invalid, you can clear the device ID.
Page 976
Firewall Web filtering 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
Page 977
Firewall Web filtering 8. For IP address, enter the IP address of the DNS server. 9. (Optional) Repeat for additional DNS servers. 10. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
Firewall Web filtering b. Set the web filter service type to manual: (config)> firewall web-filter service manual (config)> c. Add the first DNS server: i. Add the server: (config)> add firewall web-filter server end (config firewall web-filter server 0)> ii. Set the server's IP address: (config firewall web-filter server 0)>...
Page 979
Configure web filtering with manual DNS servers for information about configuring web filtering to use Cisco open DNS servers. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 980
Firewall Web filtering 5. Return to the IX20 WebUI and enable web filtering: a. Click Firewall > Web filtering service. b. Click Enable web filtering to enable. c. Click Apply to save the configuration and apply the change. 6. From your browser, attempt to connect to http://www.internetbadguys.com again.
Firewall Web filtering 5. Attempt to connect to http://www.internetbadguys.com again: $ curl -I www.internetbadguys.com HTTP/1.1 403 Forbidden Server: openresty/1.9.7.3 Date: Thu, Jan 11, 2024 12:10:00 Content-Type: text/html Connection: keep-alive You should receive an "HTTP/1.1 403 Forbidden" message, as highlighted above. Show web filter service information To view information about the web filter service: ...
Page 982
Linux instances on the same host using the host's Linux kernel. Note Container support must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. This chapter contains the following topics:...
Use Digi Remote Manager to deploy and run containers Note Container support must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. 1. In Remote Manager, create a Configuration template. See the Remote Manager User Guide instructions.
Page 984
Containers Use Digi Remote Manager to deploy and run containers i. Click Browse and select the container file. ii. Type the Name of the container. The Name entered here must be the same name as the container .tgz file. This is absolutely necessary, otherwise the container file will not be properly configured on the local devices.
Page 985
Containers Use Digi Remote Manager to deploy and run containers c. For the Automation step: i. Click to toggle on Enable Scanning. ii. Click to toggle on Remediate. Run a manual configuration scan to apply the container and configuration settings to all applicable devices.
Containers Use Digi Remote Manager to deploy and run containers vi. Click the Stream ID to view container status. To verify by using the show containers command on the local device: a. From the Remote Manager main menu, click Management > Devices.
Containers Upload a new LXC container Run the automation manually. Include the automation in a Configuration template as a post-remediation or post-scan step. When creating or editing a Configuration template, at the Automation page: 1. For Post Remediation Options, click Run Automation and select the automation. 2.
The network gateway. Serial ports on the device that the container will have access to. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 989
Containers Configure a container b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click System > Containers. 4.
Page 990
Containers Configure a container 7. Enable Start on boot to configure the container to start when the system boots. a. For Restart timeout, set the amount of time to wait before restarting the container, if the container ever stops. The default timeout of 0s means that if the container stops, it will not be restarted.
Page 991
Containers Configure a container 5. By default, the container will use the device's system libraries. To disable: (config system container name)> dal false (config system container name)> 6. If the device will use virtual networking: a. Enable virtual networking: (config system container name)> network true (config system container name)>...
Page 992
Containers Configure a container (config system container name)> restart_timeout 600s (config system container name)> The default timeout of 0s means that if the container stops, it will not be restarted. 8. Type any optional parameters for the container: (config system container name)> args parameters (config system container name)>...
Authentication groups for information about configuring authentication groups that include shell access. Note Container support must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. Starting the container There are two methods to start containers: Non-persistent: Changes made to the container file system will be lost when the container is stopped.
Containers View the status of containers 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.
Containers View the status of containers Command line Show status of all containers Use the show containers command with no additional arguments to show the status of all containers on the system: 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
1. Start the container in non-persistent mode. 2. Execute a ping command every ten seconds from inside the container. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
Page 997
Containers Schedule a script to run in the container 4. For Add Script, click . The script configuration window is displayed. 5. (Optional) For Label, type container_script. 6. For Run mode, select Interval. 7. For Interval, type 10s. 8. For Commands, type the following: lxc container_name /bin/ping -c 1 IP_address For example: lxc test_lxc /bin/ping -c 1 192.168.1.146...
In this example, we will use a simple container file named test_lxc.tgz. You can download test_lxc.tgz from the Digi website. At the command line of a Linux host, we will unpack the file, add a simple Python script, and create a new container file that includes the Python script.
Click Upload New Container. c. From your local file system, select the container file. You can download a simple example container file, test_lxc.tgz, from the Digi website. d. Create Configuration is selected by default. This will create a configuration on the device for the container when it is installed.
Page 1000
Containers Create a custom container configuration manually. e. Click Apply. 2. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.