IX20
User Guide
Firmware version 23.12
Summary of Contents for Digi IX20W-PR

  • Page 1 IX20 User Guide Firmware version 23.12...
  • Page 2 Release of Digi IX20 firmware version 22.11: December 2022 Updated the Linux kernel to version 5.19. The intelliFlow feature now integrates with Digi Remote Manager to provide aggregated insights and analytics for all Digi devices in your environment. Added an MQTT broker service, including support for: Multiple MQTT clients with unique topics and authentication credentials.
  • Page 3 Revision Date Description Redesigned Surelink configuration settings. Added show surelink state Admin CLI command to display the overall pass/fail status of enabled Surelink tests. WAN bonding Added options for WAN bonding configuration to set modes for the bonded tunnel and for each bonded interface.
  • Page 4 Release of DigiIX20 firmware version 23.9: October 2023 Register a device to DRM: Added a link to the Dashboard of the local web UI to register and add the device to Digi Remote Manager. Updated Dashboard: Updated the layout of the Dashboard page of the...
  • Page 5 Configure the system watchdog. Trademarks and copyright Digi, Digi International, and the Digi logo are trademarks or registered trademarks in the United States and other countries worldwide. All other trademarks mentioned in this document are the property of IX20 User Guide...
  • Page 6 Information in this document is subject to change without notice and does not represent a commitment on the part of Digi International. Digi provides this document “as is,” without warranty of any kind, expressed or implied, including, but not limited to, the implied warranties of fitness or merchantability for a particular purpose.
  • Page 7: Table Of Contents

    Digi IX20 Quick Start Step 1: Connect your device Apply Dielectric Grease over SIM Contacts Step 2: Connect DC power Step 3: Set up access to Digi Remote Manager Step 4: Register your device Step 5: Complete setup Step 6: Configure cellular APN...
  • Page 8 Proxy server method VPN Tunnel method Log into Digi Remote Manager Use Digi Remote Manager to view and manage your device Add a device to Remote Manager Add a device to Remote Manager using information from the label Add a device to Remote Manager using your Remote Manager login credentials...
  • Page 9 Configure Remote Access mode Configure Application mode Configure PPP dial-in mode Configure UDP serial mode Configure Modem emulator mode Configure Modbus mode Configure RealPort mode using the Digi Navigator Installation and configuration process Digi Navigator features Install the Digi Navigator IX20 User Guide...
  • Page 10 Configure RealPort on a Digi device from the Digi Navigator Digi Navigator application features Advanced RealPort configuration without using the Digi Navigator Windows Operating System Linux Operating System Download the RealPort driver Configure RealPort on your laptop Configure the serial port for RealPort mode...
  • Page 11 Configure dynamic DNS Virtual Router Redundancy Protocol (VRRP) VRRP+ Configure VRRP Configure VRRP+ Example: VRRP/VRRP+ configuration Configure device one (master device) Configure device two (backup device) Show VRRP status and statistics Virtual Private Networks (VPN) IPsec IPsec data protection IPsec mode IPsec modes Internet Key Exchange (IKE) settings Authentication...
  • Page 12 Configure telnet access Configure DNS Show DNS server WAN bonding Use Digi Remote Manager to enable and configure WAN bonding on multiple devices Configure WAN bonding on your local device Show WAN bonding status and statistics Simple Network Management Protocol (SNMP)
  • Page 13 Example: Set the LTE connection indicator to flashing purple Set up the IX20 to automatically run your applications Configure scripts to run automatically Show script information Stop a script that is currently running Start an interactive Python session Run a Python application at the shell prompt Configure scripts to run manually Task one: Upload the application Task two: Configure the application to run automatically...
  • Page 14 Configure web filtering with manual DNS servers Verify your web filtering configuration Show web filter service information Containers Use Digi Remote Manager to deploy and run containers Use an automation to start the container Upload a new LXCcontainer Configure a container...
  • Page 15 Save configuration to a file 1031 Restore the device configuration 1032 Schedule system maintenance tasks 1035 Disable device encryption 1041 Re-enable cryptography after it has been disabled. 1041 Configure the speed of your Ethernet ports 1043 Configure the system watchdog 1045 Monitoring intelliFlow...
  • Page 16 Ping to check internet connection 1114 Stop ping commands 1114 Use the traceroute command to diagnose IP routing problems 1114 Digi IX20 regulatory and safety statements RF exposure statement 1116 Federal Communication (FCC) Part 15 Class B 1116 Radio Frequency Interference (RFI) (FCC15.105)
  • Page 17 show config 1141 show system 1141 show network 1142 Device configuration using the command line interface 1142 Execute configuration commands at the root Admin CLI prompt 1142 Display help for the config command from the root Admin CLI prompt 1142 Configuration mode 1144 Enable configuration mode...
  • Page 18 monitoring 1167 monitoring metrics upload 1167 more 1167 1167 ping 1167 poweroff 1168 reboot 1168 1168 1169 show analyzer 1169 show arp 1169 show cloud 1169 show config 1170 show containers 1170 show dhcp-lease 1170 show dns 1170 show eth 1170 show event 1171...
  • Page 19 1180 system backup 1180 system cloud register 1180 system disable-cryptography 1181 system duplicate-firmware 1181 system factory-erase 1181 system find-me 1181 system firmware ota check 1181 system firmware ota list 1182 system firmware ota update 1182 system firmware update 1182 system power ignition off_delay 1182 system restore 1183...
  • Page 20: What's New In Digi IX20 Version 23.12

    What's new in Digi IX20 version 23.12 Release of Digi IX20 firmware version 23.12: Updated Active SIM slot definition: Configure cellular modem. FIPS feature is available for all DAL devices. Enable FIPS mode Link OSPF routes through a DMVPN tunnel and allow for redirection of packets between spokes.
  • Page 21: Digi IX20 Quick Start

    If the IX20 device is used in an environment with high vibration levels, SIM card contact fretting may cause unexpected SIM card failures. To protect the SIM cards, Digi strongly recommends that you apply a thin layer of dielectric grease to the SIM contacts prior to installing the SIM cards.
  • Page 22: Apply Dielectric Grease Over Sim Contacts

    Apply Dielectric Grease over SIM Contacts Note Digi recommends using either the Loctite® LB 8423 Dielectric Grease or Synco Lube® Silicone Dielectric Grease. a. Use a sheet of paper or cardboard over the area where you intend to work.
  • Page 23 Digi IX20 Quick Start Apply Dielectric Grease over SIM Contacts 2. Attach cellular antennas. Securely finger tighten each antenna to the threaded barrel using the nut at the base of the antenna. 3. Use an Ethernet cable to connect the IX20's WAN/ETH1 port to the internet, such as a home internet router or LAN Ethernet port in an office environment.
  • Page 24: Step 2: Connect DC Power

    Step 2: Connect DC power Step 2: Connect DC power Step 3: Set up access to Digi Remote Manager If you already have a Digi Remote Manager account, skip to Register your device. If you prefer to configure the device locally rather than using Remote Manager, see...
  • Page 25: Step 6: Configure Cellular APN

    Digi IX20 Quick Start Step 6: Configure cellular APN Step 6: Configure cellular APN If you installed a SIM in step 1, the device will attempt to set up the APN automatically. However, if your SIM was set up with a custom APN, you will need to configure it manually: 1.
  • Page 26: Digi IX20 Hardware Reference

    Digi IX20 hardware reference Digi IX20 features and specifications The Digi IX20 key features include: Industrial grade components. Operating temperatures: IX20W (Wi-Fi enabled version): -20°C to +70°C / -4°F to +158°F. IX20 (non-Wi-Fi version): -40°C to +70°C / -40°F to +158°F. Plug-in LTE modem (1002-CM). 802.11b/g/n/ac 2.4/5 GHz Wi-Fi (Wi-Fi enabled IX20W model only).
  • Page 27: IX20 LEDs

    ERASE button again to also remove generated certificates and keys. 3. Firmware reversion: Press and hold the ERASE button and then power on the Digi IX20 to boot to the version of firmware that was used prior to the current version. LEDs...
  • Page 28: Power

    Digi IX20 hardware reference IX20 LEDs Power: Off: No power. Solid green: Device has power. WAN/ETH1: Off: The WAN/ETH1 Ethernet port is not connected. Flashing green: The WAN/ETH1 Ethernet port is connecting. Solid green: The WAN/ETH1 Ethernet port is connected and has activity. Wi-Fi Service (IX20W model only): Off: No Wi-Fi access points or Wi-Fi clients are enabled.
  • Page 29: SIM1

    Digi IX20 hardware reference IX20 LEDs SIM1: Indicates that SIM1 is in use. Off: SIM1 not in use. Solid green: SIM1 is in use. SIM2: Indicates that SIM2 is in use. Off: SIM2 not in use. Solid green: SIM2 is in use.
  • Page 30: Signal Quality Indicators

    Digi IX20 hardware reference IX20 LEDs Alternating red/yellow (or orange): Upgrading firmware. WARNING! DO NOT POWER OFF DURING FIRMWARE UPGRADE. 1. Or an unknown type of cellular network. Signal quality indicators: LEDs labeled 1 through 5 indicate the cellular service quality level.
  • Page 31: Signal Quality Bars Explained

    Solid green: 10/100 Mbps link detected. Signal quality bars explained The signal status bars for the Digi IX20 measure more than simply signal strength. The value reported by the signal bars is calculated using an algorithm that takes into consideration the Reference Signals Received Power (RSRP), the Signal-to-noise ratio (SNR), and the Received Signal Strength Indication (RSSI) to provide an accurate indicator of the quality of the signal that the device is receiving.
  • Page 32: IX20 Power Supply Requirements

    Use the included power supply (part number 24000154). If you are providing the DC power source with a non-Digi power supply, you must use a certified LPS power supply rated at either 12 VDC/0.75 A or 24 VDC/0.375 A minimum. The voltage tolerance supports +/- 10% (9 VDC to 30 VDC) at 9 Watts minimum.
  • Page 33 Digi IX20 hardware reference Configuration for extreme thermal conditions 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 34: QR Code Definition

    Digi IX20 hardware reference QR code definition Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 35 Digi IX20 hardware reference QR code definition QR code items Semicolon separated list of: ProductName;DeviceID;Password;SerialNumber;SKUPartNumber-SKUPartRevision Example IX20;00000000-00000000-112233FF-FF445566;PW1234567890;50001001-00 IX20 User Guide...
  • Page 36: Digi IX20 Hardware Setup

    Digi IX20 hardware setup This chapter contains the following topics: Install SIM cards in the Plug-in LTE modem Connect data cables Mount the IX20 device IX20 User Guide...
  • Page 37: Install SIM Cards In The Plug-In LTE Modem

    If the IX20 device is used in an environment with high vibration levels, SIM card contact fretting may cause unexpected SIM card failures. To protect the SIM cards, Digi strongly recommends that you apply a thin layer of dielectric grease to the SIM contacts prior to installing the SIM cards.
  • Page 38: Apply Dielectric Grease Over Sim Contacts

    8. Affix the cellular antennas to the two connectors protruding from the device. Apply Dielectric Grease over SIM Contacts Note Digi recommends using either the Loctite® LB 8423 Dielectric Grease or Synco Lube® Silicone Dielectric Grease. 1. Use a sheet of paper or cardboard over the area where you intend to work.
  • Page 39: Tips For Improving Cellular Signal Strength

    Move the device to another location. Try connecting a different set of antennas, if available. Purchase a Digi Antenna Extender Kit: Antenna Extender Kit, Connect data cables The IX20 supports two types of data ports: Ethernet (RJ-45): Use a Cat 5e or Cat 6 Ethernet cable.
  • Page 40: Attach To DIN Rail With Bracket

    Digi IX20 hardware setup Mount the IX20 device 1. Attach the DIN rail clip to the bottom of the device with the screws provided. 2. Set the IX20 device onto a DIN rail and gently press until the clip snaps into the rail.
  • Page 41 3. Set the bracket with the clip onto a DIN rail and gently press until the clip snaps into the rail. WARNING! If being installed above head height on a wall or ceiling, ensure the device is fitted securely to avoid the risk of personal injury. Digi recommends that this device be installed by an accredited contractor.
  • Page 42 Change the default password for the admin user Change the default SSID and pre-shared key for the preconfigured Wi-Fi access point Configuration methods Using Digi Remote Manager Using the local web interface Use the local REST API to configure the IX20 device...
  • Page 43: Firmware Configuration

    Firmware configuration Review IX20 default settings Review IX20 default settings You can review the default settings for your IX20 device by using the local WebUI or Digi Remote Manager: Local WebUI 1. Log into the IX20 WebUI as a user with Admin access. See Using the local web interface details.
  • Page 44: Other Default Configuration Settings

    Wi-Fi access point (Wi-Fi interface model only): Digi Other default configuration settings Feature / Configuration: Central management: Digi Remote Manager enabled as the central management service. Security policies: Packet filtering allows all outbound traffic. SSH and web administration: IX20 User Guide...
  • Page 45: Primary Responder Mode

    Firmware configuration Primary Responder mode Feature / Configuration: Enabled for local administration. Firewall zone: Internal. Monitoring: Device health metrics uploaded to Digi Remote Manager at 60 minute interval. SNMP: Disabled. Serial port: Enabled. Serial mode: Remote. Label: None. Baud rate: 9600...
  • Page 46: Enable Primary Responder Mode

    To enable Primary Responder mode:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. On the Dashboard, verify the current firmware version installed on the device. In the Device section, look at the Firmware Version field and verify that the version is 23.9.x or above.
  • Page 47: Change The Default Password For The Admin User

    To change the default password for the admin user:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 48 Firmware configuration Change the default password for the admin user a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > Users > admin. 4. Enter a new password for the admin user. The password must be at least eight characters long and must contain at least one uppercase letter, one lowercase letter, one number, and one special character.
  • Page 49: Change The Default SSID And Pre-Shared Key For The Preconfigured Wi-Fi Access Point

    Differences between standard firmware operation and Primary Responder mode.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 50 On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Wi-Fi > Digi AP. 4. Enter a new SSID and Pre-shared key. 5. Click Apply to save the configuration and apply the change.
  • Page 51: Configuration Methods

    Note Changes made to the device's configuration by using the local web interface will not be automatically reflected in Digi Remote Manager. You must manually refresh Remote Manager for the changes to be displayed. Web-based instructions in this guide are applicable to both the Remote Manager and the local web interface.
  • Page 52: Using Digi Remote Manager

    Shows how to perform a task by using the command line interface. Using Digi Remote Manager By default, your IX20 device is configured to use Digi Remote Manager as its central management server. Devices must be registered with Remote Manager using one of the following options: As part of the getting started process.
  • Page 53: Log Out Of The Web Interface

    Provides information about the signal strength and technology of the cellular modem(s). Digi Remote Manager: Displays the device connection status for Digi Remote Manager, the amount of time the connection has been up, and the Digi Remote Manager device ID.
  • Page 54 Firmware configuration Use the local REST API to configure the IX20 device To determine allowed values for path from the Admin CLI: 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 55: Use The POST Method To Modify Device Configuration Parameters And List Arrays

    Firmware configuration Use the local REST API to configure the IX20 device For example, to use curl to return the ssh configuration: $ curl -k -u admin https://192.168.210.1/cgi-bin/config.cgi/value/service/ssh -X GET Enter host password for user 'admin': { "ok": true, "result": { "type": "object", "path": "service.ssh"...
  • Page 56: Use The DELETE Method To Remove Items From A List Array

    Firmware configuration Use the local REST API to configure the IX20 device path is the path to the configuration parameter, in dot notation (for example, ssh.service.enable). new_value is the new value for the parameter. For example, to disable the ssh service using curl: $ curl -k -u admin "https://192.168.210.1/cgi-bin/config.cgi/value?path=service.ssh.enable&value=false"...
  • Page 57 Firmware configuration Use the local REST API to configure the IX20 device "result": { "type": "array", "path": "service.ssh.acl.zone", "collapsed": { "0": "internal", "1": "edge", "2": "ipsec", "3": "setup", "4": "external" 2. Use the DELETE method to remove the external zone (list item 4). $ curl -k -u admin https://192.168.210.1/cgi-bin/config.cgi/value?path=service.ssh.acl.zone.4 -X DELETE Enter host password for user 'admin':...
  • Page 58: Using The Command Line

    You can use an open-source terminal software, such as PuTTY or TeraTerm, to access the device through one of these mechanisms. You can also access the command line interface in the WebUI by using the Terminal, or the Digi Remote Manager by using the Console.
  • Page 59: Exit The Command Line Interface

    Firmware configuration Using the command line The default username is admin. The default unique password for your device is printed on the device label. 3. Depending on the device configuration, you may be presented with another menu, for example: Access selection menu: a: Admin CLI s: Shell q: Quit...
  • Page 60: Central Management

    Configure your device for Digi Remote Manager support Reach Digi Remote Manager on a private network Log into Digi Remote Manager Use Digi Remote Manager to view and manage your device Add a device to Remote Manager Configure multiple IX20 devices by using Digi Remote Manager configurations...
  • Page 61: Digi Remote Manager Support

    This URL is required to utilize the client-side certificate support. Prior to release 22.2.9.x, the default URL was my.devicecloud.com. If your Digi device is configured to use a non-default URL to connect to Remote Manager, updating the firmware will not change your configuration. However, if you erase the device's configuration, the Remote Manager URL will change to the default of edp12.devicecloud.com.
  • Page 62 HTTP proxy server support. To configure your device's Digi Remote Manager support:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 63 Configure your device for Digi Remote Manager support 3. Click Central management. The Central management configuration window is displayed. Digi Remote Manager support is enabled by default. To disable, toggle off Enable central management. 4. For Service, select Digi Remote Manager.
  • Page 64 Central management Configure your device for Digi Remote Manager support Allowed values are any number of hours, minutes, or seconds, and take the format number {h|m|s}. For example, to set Cellular keep-alive interval to ten minutes, enter 10m or 600s.
  • Page 65 2. At the command line, type config to enter configuration mode: > config (config)> 3. Digi Remote Manager support is enabled by default. To disable Remote Manager support: (config)> cloud enable false (config)> 4. (Optional) Set the URL for the central management server.
  • Page 66 7. (Optional) Set the amount of time that the IX20 device should wait between sending keep-alive messages to the Digi Remote Manager when using a cellular interface. Allowed values are from 30 seconds to two hours. The default is 290 seconds.
  • Page 67 14. (Optional) Configure the IX20 device to communicate with remote cloud services by using SMS: a. Enable SMS messaging: (config)> cloud drm sms enable true (config)> b. Set the phone number for Digi Remote Manager: (config)> cloud drm sms destination value (config)> where value is either:...
  • Page 68: Collect Device Health Data And Set The Sample Interval

    To disable the collection of device health data or enable it if it has been disabled, or to change the health sample interval:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 69 3. Click Monitoring > Device Health. 4. (Optional) Click to expand Data point tuning. Data point tuning options allow you to configure what data are uploaded to the Digi Remote Manager. All options are enabled by default. 5. Only report changed values to Digi Remote Manager is enabled by default.
  • Page 70 1, 5, 15, 30, or 60, and represents the number of minutes between uploads of health sample data. 5. By default, the device will only report health metrics values to Digi Remote Manager that have changed since health metrics were last uploaded. This is useful to reduce the bandwidth used to report health metrics.
  • Page 71: Enable Event Log Upload To Digi Remote Manager

    To enable the event log upload, or disable it if it has been disabled, and to change the upload interval:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights.
  • Page 72 Central management Configure your device for Digi Remote Manager support a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
  • Page 73: Reach Digi Remote Manager On A Private Network

    The device is capable of connecting through an HTTP proxy, such as Squid, but it is up to the network administrator to decide which HTTP proxy type to use. To enable a proxy server and enter the server and port in Digi Remote Manager, see step 17 in Configure your device for Digi Remote Manager support.
  • Page 74: Vpn Tunnel Method

    Central management Log into Digi Remote Manager To see instructions for setting up Squid and then configuring a device (not DAL) to reach Digi Remote Manager, see the Digi Quick Note, Connecting to Digi Remote Manager Through Web Proxy. Though this Quick Note references older technology and device types, it may provide a network administrator with concrete examples from which they can draw correlations to newer technology and devices.
  • Page 75: Use Digi Remote Manager To View And Manage Your Device

    Use Digi Remote Manager to view and manage your device To view and manage your device: 1. If you have not already done so, connect to your Digi Remote Manager account. 2. From the menu, click Devices to display a list of your devices.
  • Page 76: Add A Device To Remote Manager Using Your Remote Manager Login Credentials

    4. For Digi Remote Manager Username, type your Remote Manager username. 5. For Digi Remote Manager Password, type your Remote Manager password. 6. For Digi Remote Manager Group (optional), type the group to which the device will be added, if needed.
  • Page 77: Configure Multiple IX20 Devices By Using Digi Remote Manager Configurations

    Configure multiple IX20 devices by using Digi Remote Manager configurations Digi recommends you take advantage of Remote Manager configurations to manage multiple IX20 devices. A Remote Manager configuration is a named set of device firmware, settings, and file system options. You use the configuration to automatically update multiple devices and to periodically scan devices to check for compliance with the configuration.
  • Page 78: View Digi Remote Manager Connection Status

    Digi Remote Manager provides multiple methods for applying configurations to registered devices. You can also include site-specific settings with a profile to override settings on a device-by-device basis. View Digi Remote Manager connection status To view the current Digi Remote Manager connection status from the local device:  IX20 User Guide...
  • Page 79: Learn More

    Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Learn more To learn more about Digi Remote Manager features and functions, see the Digi Remote Manager User Guide.
  • Page 80: Interfaces

    Interfaces IX20 devices have several physical communications interfaces. These interfaces can be bridged in a Local Area Network (LAN) or assigned to a Wide Area Network (WAN). This chapter contains the following topics: Wide Area Networks (WANs) Local Area Networks (LANs) Virtual LANs (VLANs) Bridging Show SureLink status and statistics...
  • Page 81: Wide Area Networks (WANs)

    Preconfigured interfaces (Device configuration): Wide Area Network (WAN), ETH1 (Ethernet): Firewall zone: External; WAN priority: Metric=1; IP Address: DHCP client; Digi SureLink enabled for IPv4. Wireless Wide Area Network (WWAN), Modem (Modem): Firewall zone: External; WAN priority: Metric=3; SIM failover...
  • Page 82: Wide Area Networks (WANs) And Wireless Wide Area Networks (WWANs)

    Configured WAN and WWAN interfaces. This example uses the preconfigured ETH1 and Modem interfaces. The metric for each WAN.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 83 Interfaces Wide Area Networks (WANs) Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Set the metrics for Modem: a. Click Network > Interfaces > Modem > IPv4. b. For Metric, type 1. c.
  • Page 84 Interfaces Wide Area Networks (WANs) 5. Click Apply to save the configuration and apply the change. The IX20 device is now configured to use the cellular modem WWAN, Modem, as its highest priority WAN, and its Ethernet WAN, ETH1, as its secondary WAN. ...
  • Page 85: WAN/WWAN Failover

    If your device is operating on a private APN or on a wired network with firewall restrictions, ensure that the DNS servers on your private network allow DNS lookups for https://remotemanager.digi.com; otherwise, the SureLink DNS query test will fail and the IX20 device will determine that the interface is down.
  • Page 86: Configure SureLink Active Recovery To Detect WAN/WWAN Failures

    WAN has failed, because the connection continues to work while the core problem exists somewhere else in the network. Using Digi SureLink, you can configure the IX20 device to regularly probe connections through the WAN to determine if the WAN has failed, and to perform recovery actions, such as changing the interface metric to use a new default gateway.
  • Page 87 Otherwise, the device will reboot and all recovery actions listed after the Reboot Device action will be ignored.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 88 Interfaces Wide Area Networks (WANs) a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces. 4. Create a new WAN or WWAN or select an existing one: To create a new WAN or WWAN, see Configure a Wide Area Network (WAN) Configure a Wireless Wide Area Network...
  • Page 89 Interfaces Wide Area Networks (WANs) 7. (Optional) If more than one test target is configured, for Success condition, select either: One test passes: Only one test needs to pass for Surelink to consider an interface to be up. All test pass: All tests need to pass for SureLink to consider the interface to be up. 8.
  • Page 90 Interfaces Wide Area Networks (WANs) HTTP test: Uses HTTP(s) GET requests to determine connectivity to the configured web server. If HTTP test is selected, complete the following: Web server: The URL of the web server. Test DNS servers configured for this interface: Tests communication with DNS servers that are either provided by DHCP, or statically configured for this interface.
  • Page 91 Interfaces Wide Area Networks (WANs) Down: The test will pass only if the referenced interface is down or failing its own SureLink tests (if applicable). e. Repeat for each additional test. 11. Add recovery actions: a. Click to expand Recovery actions. By default, there are two preconfigured recovery actions: Update routing: Uses the Change default gateway action, which increases the interface's metric by 100 to change the default gateway.
  • Page 92 Interfaces Wide Area Networks (WANs) Override wait interval before performing the next recovery action: The time to wait before the next test is run. If set to the default value of 0s, the Test interval is used. Switch to alternate SIM: Switches to an alternate SIM. This recovery action is available for WWAN interfaces only.
  • Page 93 Interfaces Wide Area Networks (WANs) For example, to set Delayed start to ten minutes, enter 10m or 600s. The default is 300 seconds. c. For Backoff interval, type the time to add to the test interval when restarting the list of actions.
  • Page 94 Interfaces Wide Area Networks (WANs) To add additional tests: a. Add a test: (config network interface my_wan)> add surelink tests end (config network interface my_wan surelink tests 1)> b. New tests are enabled by default. To disable: (config network interface my_wan surelink tests 1)> enable false (config network interface my_wan surelink tests 1)>...
  • Page 95 Interfaces Wide Area Networks (WANs) Set the number of bytes to send as part of the ping payload: (config network interface my_wan surelink tests 1)> ping_size int (config network interface my_wan surelink tests 1)> dns: Performs a DNS query to the named DNS server. If dns is set, set the IPv4 or IPv6 address of the DNS server: (config network interface my_wan surelink tests 1)>...
  • Page 96 Interfaces Wide Area Networks (WANs) where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set interface_timeout to ten minutes, enter either 10m or 600s: (config network interface my_wan surelink tests 1)> interface_timeout 600s (config)>...
  • Page 97 Interfaces Wide Area Networks (WANs) (config network interface my_wan surelink tests 1)> other_ interface ii. Set the interface. For example: (config network interface my_wan surelink tests 1)> other_ interface /network/interface/eth1 (config network interface my_wan surelink tests 1)> Set the type of IP connection: (config network interface my_wan surelink tests 1)>...
  • Page 98 Interfaces Wide Area Networks (WANs) d. Create a label for the action: (config network interface my_wan surelink actions 0)> label string (config network interface my_wan surelink actions 0)> e. Set the type of recovery action. If multiple recovery actions are configured, they are performed in the order that they are listed.
  • Page 99 Interfaces Wide Area Networks (WANs) Set the number of failures for this recovery action to perform, before moving to the next recovery action: (config network interface my_wan surelink actions 0)> test_ failures int (config network interface my_wan surelink actions 0)> The default is 3.
  • Page 100 Interfaces Wide Area Networks (WANs) modem_power_cycle: This recovery action is available for WWAN interfaces only. If modem_power_cycle is selected, complete the following: Set the number of failures for this recovery action to perform, before moving to the next recovery action: (config network interface my_wan surelink actions 0)>...
  • Page 101 Interfaces Wide Area Networks (WANs) (config network interface my_wan surelink actions 0)> custom_ action_commands_modem "string" (config network interface my_wan surelink actions 0)> Set the time to wait before the next test is run. If set to the default value of 0s, the test interval is used.
  • Page 102 Interfaces Wide Area Networks (WANs) (config)> network interface my_wan surelink timeout value (config)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set timeout to ten minutes, enter either 10m or 600s: (config)>...
  • Page 103: Configure The Device To Reboot When A Failure Is Detected

    (config)> network interface my_wan surelink advanced interface_gateway hostname/IP_address (config)> 8. Save the configuration and apply the change: (config network interface my_wan ipv4 surelink)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 104 To configure the IX20 device to reboot when an interface has failed:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 105 5. After creating or selecting the interface, click SureLink. By default, SureLink is enabled for the preconfigured WAN (ETH1) and WWAN (Modem). The default configuration tests the DNS servers configured for the interface. When SureLink is configured for Wireless WANs, SureLink tests are only run if the cellular modem is connected and has an IP address.
  • Page 106 New tests are enabled by default. To disable, click to toggle off Enable. b. Type a Label for the test. c. Click to toggle on IPv6 if the test should apply to IPv6 rather than IPv4. d.
  • Page 107 If Custom test is selected, complete the following: The Commands to run to test. TCP connection test: Tests that the interface can reach a destination port on the configured host. If TCP connection test is selected, complete the following: TCP connect host: The hostname or IP address of the host to create a TCP connection to.
  • Page 108 SureLink test failures: The number of failures for this recovery action to perform, before moving to the next recovery action. Increase metric to change active default gateway: Increase the interface's metric by this amount. This should be set to a number large enough to change the routing table to use another default gateway.
  • Page 109 Override wait interval before performing the next recovery action: The time to wait before the next test is run. If set to the default value of 0s, the Test interval is used. Powercycle the modem. This recovery action is available for WWAN interfaces only.
  • Page 110 3. Create a new interface, or edit an existing one: To create a new interface, see Configure a Local Area Network (LAN), Configure a Wide Area Network (WAN), or Configure a Wireless Wide Area Network (WWAN).
  • Page 111 where value is one of: ping: Uses ICMP to determine connectivity. If ping is selected, complete the following: Set the ping_method: (config network interface my_wan surelink tests 1)> ping_method value (config network interface my_wan surelink tests 1)> where value is one of: hostname: The hostname or IP address of an external server.
  • Page 112 Set the amount of time that the interface is down before the test can be considered to have failed. (config network interface my_wan surelink tests 1)> interface_down_time value (config network interface my_wan surelink tests 1)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}.
  • Page 113 Set the TCP port to create a TCP connection to. (config network interface my_wan surelink tests 1)> tcp_port port (config network interface my_wan surelink tests 1)> other: Tests the status of another interface. If other is selected, complete the following: Set the interface to test.
  • Page 114 up: The test will pass only if the referenced interface is up and passing its own SureLink tests (if applicable). down: The test will pass only if the referenced interface is down or failing its own SureLink tests (if applicable).
  • Page 115 a. Type ... to return to the root of the configuration: (config network interface my_wan surelink actions 0)> ... (config)> b. Set the test interval between connectivity tests: (config)> network interface my_wan surelink interval value (config)>...
  • Page 116: Disable Surelink

    (config)> network interface my_wan surelink advanced delayed_start value (config)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set delayed_start to ten minutes, enter either 10m or 600s: (config)>...
  • Page 117 SureLink to disable the DNS test and use one or more other tests.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 118 WAN connections that do not allow DNS resolution, and configure alternate test.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 119 c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces. 4. Select the appropriate WAN or WWAN on which the default DNS test should be disabled. 5.
  • Page 120 9. Click to add a new test. 10. Type a Label for the test. 11. Click to toggle on IPv6 if the test should apply to IPv6 rather than IPv4. 12. Select the Test type. Available test types: Ping test: Uses ICMP to determine connectivity.
  • Page 121 Initial connection time: The amount of time to wait for the interface to connect for the first time before the test is considered to have failed. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}.
  • Page 122 (config)> network interface my_wan (config network interface my_wan)> 4. Disable the default DNS test: (config network interface my_wan)> surelink tests 0 enable false (config network interface my_wan)> 5. Add a new test: a. Add a test: (config network interface my_wan)>...
  • Page 123 Set the number of bytes to send as part of the ping payload: (config network interface my_wan surelink tests 1)> ping_size int (config network interface my_wan surelink tests 1)> dns: Performs a DNS query to the named DNS server. If dns is set, set the IPv4 or IPv6 address of the DNS server: (config network interface my_wan surelink tests 1)>...
  • Page 124 where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set interface_timeout to ten minutes, enter either 10m or 600s: (config network interface my_wan surelink tests 1)> interface_timeout 600s (config)>...
  • Page 125: Example: Use A Ping Test For Wan Failover From Ethernet To Cellular

    (config network interface my_wan surelink tests 1)> other_interface ii. Set the interface. For example: (config network interface my_wan surelink tests 1)> other_interface /network/interface/eth1 (config network interface my_wan surelink tests 1)> Set the type of IP connection: (config network interface my_wan surelink tests 1)>...
  • Page 126 To achieve this WAN failover from the ETH1 to the Modem interface, the WAN failover configuration is:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 127 3. Configure active recovery on ETH1: a. Click Network > Interface > ETH1 > SureLink. b. For Test interval, type 10s. c. Click to expand Tests. d. Disable the default DNS test: i. Click to expand the default DNS configured test. ii.
  • Page 128: Using Ethernet Devices In A Wan

    2. At the command line, type config to enter configuration mode: > config (config)> 3. Configure SureLink on ETH1: a. Set the interval to ten seconds: (config)> network interface eth1 surelink interval 10s (config)> b. Disable the default DNS test: (config)>...
  • Page 129: Using Cellular Modems In A Wireless Wan (Wwan)

    By default, the WAN/ETH1 Ethernet device is configured as a WAN, named ETH1, with both DHCP and NAT enabled and using the External firewall zone. This means you should be able to connect to the Internet by connecting the WAN/ETH1 Ethernet port to another device that already has an internet connection.
  • Page 130 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 131 6. For Match modem by, select the matching criteria used to determine if this modem configuration applies to the currently attached modem: Any modem: Applies this configuration to any modem that is attached. IMEI: Applies this configuration only to a modem that matches the identified IMEI. If IMEI is selected, for Match IMEI, type the IMEI of the modem that this configuration should be applied to.
  • Page 132 4. For Access technology, select the type of cellular technology that this modem should use to access the cellular network, or select All technologies to configure the modem to use the best available technology. The default is All technologies. 5.
  • Page 133 Default value: /device/usb/modem/module Current value: /device/usb/modem/module (config)> network modem modem port b. Set the port: (config)> network modem modem port /device/usb/modem/module (config)> The default is any. 5. Set the SIM slot that should be used by the modem: (config)>...
  • Page 134 maintenance_window manual set_time The default is set_time. 8. Set the amount of time the system waits before polling the modem for signal information: (config)> network modem modem query_interval value (config)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}.
  • Page 135 APN. To configure the APN:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 136 a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces > Modem > APN list > APN. 4. For APN, type the Access Point Name (APN) to be used when connecting to the cellular carrier. 5.
  • Page 137 8. Lightweight M2M support is enabled by default. Disable if you are using an AT&T SIM that does not support AT&T lightweight M2M. 9. To add additional APNs, for Add APN, click and repeat the preceding instructions. 10.
  • Page 138 where version is one of the following: auto: Requests both IPv4 and IPv6 address. ipv4: Requests only an IPv4 address. ipv6: Requests only an IPv6 address. The default is auto. 6. (Optional) Set the PDP context index: (config network interface wwan1 modem apn 0) >...
  • Page 139 Using an AT&T SIM with the Telit LE910-NAv2 module is supported. The Telit LE910-NAv2 module is used in the 1002-CM04 CORE modem.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 140 Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Increase the maximum number of interfaces allowed for the modem: a. Click Network > Modems > Modem. b.
  • Page 141 g. For Add Interface, type WWAN_Private and click. h. For Interface type, select Modem. i. For Zone, select External. j. For Device, select Modem. This should be the same modem selected for the WWAN_Public WWAN. k.
  • Page 142 a. Click Network > Routes > Policy-based routing. b. Click to add a new route policy. c. For Label, enter Route through public APN. d. For Interface, select Interface: WWAN_Public. e. Configure the source address: i.
  • Page 143 iii. For Interface, select Interface: WWAN_Private. 6. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 144 (config network interface WWANPublic)> modem apn public_apn (config network interface WWANPublic)> e. Use two periods (..) to move back one level in the configuration: (config network interface WWANPublic)> .. (config network interface)> f. Create the WWANPrivate interface: (config network interface)>...
  • Page 145 d. Configure the source address: i. Set the source type to interface: (config network route policy 0)> src type interface (config network route policy 0)> ii. Set the interface to LAN1: (config network route policy 0)> src interface LAN1 (config network route policy 0)>...
  • Page 146 Select Manual or Manual/Automatic carrier selection mode. The Network PLMN ID.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 147 b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces > Modem. 4.
  • Page 148 Note You can use the modem scan command at the Admin CLI to scan for available carriers and determine their PLMN ID. See Scan for available cellular carriers for details. 6. Click Apply to save the configuration and apply the change. ...
  • Page 149 Note For devices using Unitac modems (such as devices with the 1002-CM45 core module), carrier scanning will not work if the modem has an active cellular connection. Log into the IX20 WebUI as a user with full Admin access rights. 1.
  • Page 150 Manual: Does not allow the device to use automatic carrier selection if this carrier is not available. Note If Manual is selected, your modem must support the Network technology or the modem will lose cellular connectivity. If you are using a cellular connection to perform this procedure, you may lose your connection and the device will no longer be accessible.
  • Page 151 2. Use the show modem command: To view a status summary for the modem: > show modem Modem Status Signal Strength ----- ------------- --------- --------- -------------------- modem 1 (ready) connected 1234 Good (-84 dBm) > To view detailed status and statistics, use the show modem name name command:...
  • Page 152 SIM Slot SIM Status : ready IMSI : 61582122197895 ICCID : 26587628655003992180 SIM Provider : AT&T RSRQ : Good (-11.0 dB) RSRP : Good (-93.0 dBm) RSSI : Excellent (-64.0 dBm) : Good (6.4 dB) >...
  • Page 153 Move the IX20 device to another location. Try connecting a different set of antennas, if available. Purchase a Digi Antenna Extender Kit: Antenna Extender Kit, 1m AT command access To run AT commands from the IX20 command line: ...
  • Page 154 > modem at-interactive Do you want exclusive access to the modem? (y/n) [y]: 4. Type n if you do not want exclusive access. This allows you to send AT commands to the device while still allowing the device to connect, disconnect, and/or reconnect to the cellular network.
  • Page 155: Configure A Wide Area Network (Wan)

    Additional IPv4 configuration: The type, which controls how the modem in the Digi device obtains an IP address from the cellular network. The metric for IPv4 routes associated with the WAN. The relative weight for IPv4 routes associated with the WAN.
  • Page 156 MAC address denylist and allowlist. To create a new WAN or edit an existing WAN: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 157 The Interface configuration window is displayed. New WANs are enabled by default. To disable, toggle off Enable. 5. For Interface type, leave at the default setting of Ethernet. 6. For Zone, select External. 7. For Device, select an Ethernet device, a Wi-Fi client, or a bridge. See Bridging for more information about bridging.
  • Page 158 server. RFC4702 for further information about DHCP server support for the Client FQDN option. Configure system information for information about setting the IX20 device's system name. d. Enable Force link to keep the network interface active even when the device link is down. 10.
  • Page 159 a. Click to expand MAC address denylist. b. For Add MAC address, click. c. Type the MAC address. 12. (Optional) Click to expand MAC address allowlist. If allowlist entries are specified, incoming packets will only be accepted from the listed MAC addresses.
  • Page 160 a. Enter device ? to view available devices and the proper syntax. (config network interface my_wan)> device ? Device: The network device used by this network interface. Format: /network/device/eth1 /network/device/eth2 /network/device/loopback /network/bridge/hotspot_bridge /network/bridge/lan /network/wireless/ap/digi_ap /network/wireless/ap/digi_hotspot_ap Current value: (config network interface my_wan)>...
  • Page 161 (config network interface my_wan)> ipv4 mgmt num (config network interface my_wan)> iv. Set the MTU: (config network interface my_wan)> ipv4 mtu num (config network interface my_wan)> v. Configure how to use DNS: (config network interface my_wan)> ipv4 use_dns value (config network interface my_wan)>...
  • Page 162 Parameters Current Value --------------------------------------------------------------------- ---------- dhcp_hostname false DHCP Hostname enable true Enable metric Metric mgmt Management priority 1500 type dhcpv6 Type use_dns always Use DNS weight Weight Additional Configuration --------------------------------------------------------------------- ---------- connection_monitor Active recovery (config network interface my_wan)> d.
  • Page 163: Configure A Wireless Wide Area Network (Wwan)

    a. Add a MAC address to the denylist: (config network interface my_wan)> add mac_denylist end mac_address (config network interface my_wan)> where mac_address is a hyphen-separated MAC address, for example, 32-A6-84-2E-81-58. b. Repeat for each additional MAC address. 10.
  • Page 164 Configure SureLink active recovery to detect WAN/WWAN failures for further information.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 165 a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces. 4. Create the WWAN or select an existing WWAN: To create a new WWAN: a.
  • Page 166 If SIM slot is selected, for Match SIM slot, select which SIM slot must be active for this WWAN to be used. If Carrier is selected, for Match SIM carrier, select which cellular carrier must be active for this WWAN to be used.
  • Page 167 IPv4 support is Enabled by default. Click to disable. c. Set the Type. Static IP address - Digi device obtains the static IP address from the cellular network. DHCP address - Digi device obtains IP address through a DHCP server on the cellular network.
  • Page 168 DHCP address - Digi device obtains IP address through a DHCP server on the cellular network. a. Set the Metric. Configure WAN/WWAN priority and default route metrics for further information about metrics. b. For Weight, type the relative weight for default routes associated with this interface. For multiple active interfaces with the same metric, Weight is used to load balance traffic to the interfaces.
  • Page 169 4. Set the appropriate firewall zone: (config network interface my_wwan)> zone zone (config network interface my_wwan)> Firewall configuration for further information. 5. Select a cellular modem: a. Enter modem device ? to view available modems and the proper syntax. (config network interface my_wwan)>...
  • Page 170 (config network interface my_wwan)> b. Set the carrier: (config network interface my_wwan)> modem carrier value (config network interface my_wwan)> iccid Set the unique SIM card ICCID that must be active for this WWAN to be used: (config network interface my_wwan)>...
  • Page 171 10. Set the carrier selection mode: (config network interface my_wwan)> modem operator_mode value (config network interface my_wwan)> where value is one of: automatic: The cellular carrier is selected automatically by the device. manual: The cellular carrier must be manually configured. If the configured network is not available, no cellular connection will be established.
  • Page 172 (config network interface my_wwan)> ipv4 modem_type value (config network interface my_wwan)> Where value is one of: static: Digi device obtains the static IP address from the cellular network. dhcp: Digi device obtains IP address via a DHCP server on the cellular network. ...
  • Page 173 c. Set the metric: (config network interface my_wwan)> ipv4 metric num (config network interface my_wwan)> Configure WAN/WWAN priority and default route metrics for further information about metrics. d. Set the relative weight for default routes associated with this interface. For multiple active interfaces with the same metric, the weight is used to load balance traffic to the interfaces.
  • Page 174 static: Digi device obtains the static IP address from the cellular network. dhcp: Digi device obtains IP address via a DHCP server on the cellular network. c. Set the metric: (config network interface my_wwan)> ipv4 metric num (config network interface my_wwan)>...
  • Page 175: Show Wan And Wwan Status And Statistics

    18. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show WAN and WWAN status and statistics ...
  • Page 176: Delete A Wan Or Wwan

    eth1 IPv6 dhcp external eth1 eth2 IPv4 static internal eth2 eth2 IPv6 static internal eth2 loopback IPv4 static loopback loopback modem IPv4 modem external wwan1 modem IPv6 down modem external wwan1 > 4. Enter show network interface name at the Admin CLI prompt to display additional information about a specific WAN.
  • Page 177 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 178: Default Outbound Wan/Wwan Ports

    The following table lists the default outbound network communications for IX20 WAN/WWAN interfaces: Port Description TCP/UDP number Digi Remote Manager connection to edp12.devicecloud.com. 3199 NTP date/time sync to time.devicecloud.com. DNS resolution using WAN-provided DNS servers. HTTPS for modem firmware downloads from firmware.devicecloud.com.
  • Page 179: Local Area Networks (Lans)

    Interfaces Local Area Networks (LANs) Local Area Networks (LANs) The IX20 device is preconfigured with the following Local Area Networks (LANs): Interface type: Local Area Network (LAN). Preconfigured interfaces: ETH2. Devices: Ethernet: ETH2 (non-Wi-Fi models). Default configuration: Firewall zone: Internal; IP address: 192.168.2.1/24.
  • Page 180: About Local Area Networks (Lans)

    IP address and subnet of LAN1. Additional configuration items Additional IPv4 configuration: The type, which controls how the modem in the Digi device obtains an IP address from the cellular network. The metric for IPv4 routes associated with the LAN.
  • Page 181 MAC address denylist and allowlist. To create a new LAN or edit an existing LAN: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 182 3. Click Network > Interfaces. 4. Create the LAN or select an existing LAN: To create a new LAN, for Add interface, type a name for the LAN and click. To edit an existing LAN, click to expand the LAN. The Interface configuration window is displayed.
  • Page 183 c. For Address, type the IP address and subnet of the LAN interface. Use the format IPv4_address/netmask, for example, 192.168.2.1/24. d. Optional IPv4 configuration items: i. Set the Metric. ii. For Weight, type the relative weight for default routes associated with this interface. For multiple active interfaces with the same metric, Weight is used to load balance traffic to the interfaces.
  • Page 184 a. Click to expand MAC address allowlist. b. For Add MAC address, click. c. Type the MAC address. 14. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 185 (config network interface my_lan)> device b. Set the device for the LAN: (config network interface my_lan)> device device (config network interface my_lan)> 6. Configure IPv4 settings: IPv4 support is enabled by default. To disable: (config network interface my_lan)> ipv4 enable false (config network interface my_lan)>...
  • Page 186 c. Enable the DHCP server: (config network interface my_lan)> ipv4 dhcp_server enable true DHCP servers for information about configuring the DHCP server. 7. (Optional) Configure IPv6 settings: a. Enable IPv6 support: (config network interface my_lan)> ipv6 enable true (config network interface my_lan)>...
  • Page 187 enable true Enable (config network interface my_lan)> d. Modify any of the remaining default settings as appropriate. For example, to change the minimum length of the prefix: (config network interface my_lan)> ipv6 prefix_length 60 (config network interface my_lan)> If the minimum length is not available, then a longer prefix will be used.
  • Page 188: Configure The Wan/Eth1 Port As A Lan Or In A Bridge

    Create a bridge that includes the WAN/ETH1 port. To configure the WAN/ETH1 Ethernet port as a LAN:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 189 Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces > ETH1. 4. For Zone, select Internal. 5. Configure IPv4 settings: a.
  • Page 190 6. (Optional) Configure IPv6 settings: a. Click to expand IPv6. b. For Type, select IPv6 prefix delegation. 7. Click Apply to save the configuration and apply the change. Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 191 To add the WAN/ETH1 port to the LAN bridge:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 192 Interfaces Local Area Networks (LANs) 5. Click Add Device . 6. For the new device, select Device: ETH1. 7. (Optional) Configure IPv6 settings: a. Click to expand IPv6. b. For Type, select IPv6 prefix delegation. 8. Disable the ETH1 interface: a.
  • Page 193 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 194 f. Click Add Device again and select the port or access point to add to the bridge. Note If you are adding a port or access point that is already part of the default LAN bridge, you should either disable the default bridge, or remove the port or access point: i.
  • Page 195 g. Enable the DHCP server: i. Click to expand DHCP server. ii. Click to toggle on Enable. 5. Disable the ETH1 interface: a. Click Network > Interfaces > ETH1. b. Click to toggle off Enable. 6.
  • Page 196 /network/bridge/lan1 /network/sdwan/wan_bonding /network/wifi/ap/digi_ap /network/wifi/ap/digi_hotspot_ap > ii. Add the device: (config network bridge LAN_bridge)> add device end device-path-and-name (config network bridge LAN_bridge)> iii. Repeat for additional access points. Note If you are adding a port or access point that is already part of the default LAN bridge, you should either disable the default bridge, or remove the port or access point: To disable the bridge:...
  • Page 197: Change the default LAN subnet

    DHCP server range will also change to the range of the LAN subnet. To change the LAN subnet: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
  • Page 198 a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
  • Page 199: Show LAN status and statistics

    5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show LAN status and statistics Log into the IX20 WebUI as a user with full Admin access rights.
  • Page 200: Delete a LAN

    Follow this procedure to delete any LANs that have been added to the system. You cannot delete the preconfigured LAN, LAN1. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights.
  • Page 201 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
  • Page 202: DHCP servers

    4. Save the configuration and apply the change (config)> save Configuration saved. > 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. DHCP servers You can enable DHCP on your IX20 device to assign IP addresses to clients, using either: The DHCP server for the device's local network, which assigns IP addresses to clients on the...
  • Page 203 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 204 address (the final triplet in an IPv4 address, for example, 192.168.2.xxx). The remainder of the IP address will be based on the LAN's static IP address as defined in the Address field. Allowed values are between 1 and 254, and the default is 100 for Lease range start and 250 for Lease range end.
  • Page 205 10. See Configure DHCP options for information about Custom DHCP options. 11. See Map static IP addresses to hosts for information about Static leases. 12. Click Apply to save the configuration and apply the change.
  • Page 206 6. (Optional) Set the highest IP address that the DHCP server will assign to a client: (config)> network interface my_lan ipv4 dhcp_server lease_end num (config)> Allowed values are between 1 and 254, and the default is 250. 7.
  • Page 207 The default is auto. d. Set the domain name that should be appended to host names: (config)> network interface my_lan ipv4 dhcp_server advanced domain_suffix name (config)> e. Set the IP address or host name of the primary and secondary DNS, the primary and secondary NTP server, and the primary and secondary WINS servers: (config)>...
  • Page 208 A label for this instance of the static lease. To map static IP addresses: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 209 Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces. 4. Click to expand an existing LAN, or create a new LAN. See Configure a Local Area Network (LAN).
  • Page 210 (config)> add network interface my_lan ipv4 dhcp_server advanced static_lease end (config network interface my_lan ipv4 dhcp_server advanced static_lease 0)> See Configure a Local Area Network (LAN) for information about creating a LAN. 4. Set the MAC address of the device associated with this static lease, using the colon-separated format: (config network interface my_lan ipv4 dhcp_server advanced static_lease 0)>...
  • Page 211 Delete static IP mapping entries To delete a static IP entry: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 212 Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces. 4. Click to expand an existing LAN. 5. Click to expand IPv4 > DHCP server > Advanced settings > Static leases. 6.
  • Page 213 Force the option to be sent to the DHCP clients. A label for the custom option. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 214 b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces. 4.
  • Page 215 2. At the command line, type config to enter configuration mode: > config (config)> 3. Add a custom DHCP option to the DHCP server configuration for an existing LAN. For example, to add a custom option to a LAN named my_lan: (config)>...
  • Page 216 (config network interface my_lan ipv4 dhcp_server advanced custom_option 0)> datatype value (config network interface my_lan ipv4 dhcp_server advanced custom_option 0)> where value is one of: 1byte, 2byte, 4byte, ipv4. The default is str. 10. Save the configuration and apply the change (config network interface my_lan ipv4 dhcp_server advanced custom_option 0)>...
  • Page 217 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 218 Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: > config (config)> 3.
  • Page 219: Default services listening on LAN ports

    Show DHCP server status and settings View DHCP status to monitor which devices have been given IP configuration by the IX20 device and to diagnose DHCP issues. Log into the IX20 WebUI as a user with full Admin access rights. 1.
  • Page 220: Configure an interface to operate in passthrough mode

    IP address assigned to it on a WAN or cellular modem interface, to a client connected to a LAN interface. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 221 4. Create the interface or select an existing interface: To create a new interface, for Add interface, type a name for the interface and click the add icon. To edit an existing interface, click to expand the interface. The Interface configuration window is displayed.
  • Page 222 c. Ancillary DNS redirect is enabled by default, which means the device resolves all DNS requests to the connected device and redirects HTTP traffic to the device's web administration page. 12. For Server type, select the type of server to use to pass the IP address through to the client. 13.
  • Page 223 16. (Optional) Configure IPv6 settings: a. Click to expand IPv6. b. Enable IPv6 support. c. Set the Metric. d. For Weight, type the relative weight for default routes associated with this interface. For multiple active interfaces with the same metric, Weight is used to load balance traffic to the interfaces.
  • Page 224 4. Set the interface type to passthrough: (config network interface ip_passthrough_interface)> type passthrough (config network interface ip_passthrough_interface)> 5. Set the firewall zone to internal: (config network interface ip_passthrough_interface)> zone internal (config network interface ip_passthrough_interface)> 6. Select an Ethernet device or a Wi-Fi access point for this interface: a.
  • Page 225 (config network interface ip_passthrough_interface)> ipv4 weight num (config network interface ip_passthrough_interface)> c. Set the management priority. This determines which interface will have priority for central management activity. The interface with the highest number will be used. (config network interface ip_passthrough_interface)>...
  • Page 226: Virtual LANs (VLANs)

    Interfaces Virtual LANs (VLANs) weight Weight (config network interface ip_passthrough_interface)> c. Modify any of the remaining default settings as appropriate. 10. (Optional) To configure 802.1x port based network access control: Note The IX20 can function as an 802.1x authenticator; it does not function as an 802.1x supplicant.
  • Page 227: Create a trunked VLAN route

    The VLAN ID. The TCP header uses the VLAN ID to identify the destination VLAN for the packet. To create a VLAN: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 228 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 229: Create a VLAN using switchport mode

    The VLAN ID. The TCP header uses the VLAN ID to identify the destination VLAN for the packet. To create a VLAN using switchport mode: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 230 a. Click STP. b. Click Enable. c. For Forwarding delay, enter the number of seconds that the device will spend in each of the listening and learning states before the bridge begins forwarding data. The default is 2 seconds.
  • Page 231 b. Add the device: (config network vlan vlan1)> device /network/device/ (config network vlan vlan1)> 5. Set the VLAN ID: (config network vlan vlan1)> id value where value is an integer between 1 and 4095. 6. Save the configuration and apply the change (config network vlan vlan1)>...
  • Page 232: Bridging

    (Preconfigured bridge table: Interface type, Preconfigured interfaces, Devices, Default configuration. Devices: ETH1 interface (used by the ETH2 model only), Wi-Fi access point: Digi AP. Default configuration: Enabled.) You can modify configuration settings for the existing bridge, and you can create new bridges. This section contains the following topics:...
  • Page 233: Edit the preconfigured ETH2 bridge

    Enable Spanning Tree Protocol (STP). To edit the preconfigured LAN bridge: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 234 5. Modify the list of devices that are a part of the bridge. By default, the LAN bridge includes the following devices: Ethernet: ETH2 Wi-Fi access point: Digi AP Note The MAC address of the bridge is taken from the first available device in the list.
  • Page 235 0 /network/device/eth2 1 /network/wireless/ap/digi_ap (config)> ii. Use the index number to delete the appropriate device. For example, to delete the Digi AP Wi-Fi access point from the bridge: (config)> del network bridge lan device 1 (config)> Note If you are deleting multiple devices from the bridge, the device index may be reordered after each deletion.
  • Page 236: Configure a bridge

    Additional configuration items Enable Spanning Tree Protocol (STP). To create a bridge: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:
  • Page 237 Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
  • Page 238 d. For Priority, enter the system priority. The default priority number is 8. e. (Optional) For Custom mstpd options, enter the extra configuration options to pass to the mstpd daemon. 9. Add devices to the bridge: a. Click to expand Devices. b.
  • Page 239 /network/wireless/ap/digi_ap /network/wireless/ap/digi_hotspot_ap Default value: /network/bridge/lan Current value: /network/bridge/lan (config network bridge my_bridge)> b. Add the appropriate device. For example, to add the Digi AP Wi-Fi access point: (config network bridge my_bridge)> add device end /network/wireless/ap/digi_ap (config)> Note The MAC address of the bridge is taken from the first available device in the list.
  • Page 240: Show SureLink status and statistics

    Interfaces Show SureLink status and statistics Show SureLink status and statistics You can show SureLink status for all interfaces, or for an individual interface. You can also show Surelink status for ipsec tunnels and OpenVPN clients. SureLink status is only available from the Admin CLI.
  • Page 241: Show SureLink status for a specific interface

    2. At the Admin CLI prompt, type: > show surelink interface all Interface Test Proto Last Response Status --------- ----------------------------- ----- ------------- ------- eth1 Interface is up IPv4 32 seconds Passing eth1 Interface's DNS servers (DNS) IPv4 28 seconds Passing...
  • Page 242: Show SureLink status for a specific IPsec tunnel

    1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 243: Show SureLink status for a specific OpenVPN client

    Interfaces Configure a TCP connection timeout 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 244 A low number of retries will end a "stale" connection more quickly than a larger number. The default is 15 retries. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 245: Serial port

    Application: Provides access to the serial device from Python applications. dial-in: Allows the device to answer Point-to-Point Protocol (PPP) connections over serial ports. RealPort: Used in conjunction with the Digi RealPort driver. serial: Provides access to the serial port using UDP. Modem emulator: Allows the device to act as a dial-up modem emulator for handling incoming AT dial-ins.
  • Page 246: Configure Login mode

    Serial port Configure Login mode Default serial port settings: Enabled; Serial mode: Remote; Label: None; Baud rate: 9600; Data bits: 8; Parity: None; Stop bits: 1; Flow control: None. Configure Login mode Login mode allows the user to log into the device through the serial port. To change the configuration to match the serial configuration of the device to which you want to connect:
  • Page 247 4. (Optional) For Label, enter a label that will be used when referring to this port. 5. Expand Serial Settings. The entries in the following fields must match the information for the power controller. Refer to your power controller manual for the correct entries.
  • Page 248 3. The serial port is enabled by default. To disable: (config)> serial port1 enable false (config)> 4. Set the mode: (config)> serial port1 mode login (config)> 5. (Optional) Set a label that will be used when referring to this port: (config)> serial port1 label label (config)>...
  • Page 249: Configure Remote Access mode

    Serial port Configure Remote Access mode 11. Configure serial port logging: a. Enable serial port logging: (config)>serial port1 logging enable true (config)> b. Set the file name: (config)>serial port1 logging filename string (config)> c. Set the maximum allowed log size for the serial port log when starting the log: (config)>serial port1 logging size value (config)>...
  • Page 250 To change the configuration to match the serial configuration of the device to which you want to connect: Log into the IX20 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed.
  • Page 251 d. Stop bits: For Stop bits, select the number of stop bits used by the device to which you want to connect. The default is 1. e. Flow control: For Flow control, select the type of flow control used by the device to which you want to connect.
  • Page 252 To limit access to specified IPv4 addresses and networks: i. Click IPv4 Addresses. ii. For Add Address, click the add icon. iii. For Address, enter the IPv4 address or network that can access the device's service-type. Allowed values are: A single IP address or host name.
  • Page 253 To limit access based on firewall zones: i. Click Zones. ii. For Add Zone, click the add icon. iii. For Zone, select the appropriate firewall zone from the dropdown. See Firewall configuration for information about firewall zones. iv.
  • Page 254 11. Expand Logging Settings to configure logging for this serial port. a. To enable logging, click to toggle on Enable. b. In the Log file name field, enter a descriptive name for the log file. c.
  • Page 255 6. Set the baud rate used by the device to which you want to connect: (config)>serial port baudrate rate (config)> 7. Set the number of data bits used by the device to which you want to connect: (config)>serial port databits bits (config)>...
  • Page 256 (config)>serial port1 history bytes (config)> The default is 4000 bytes. d. Set the amount of time to wait before disconnecting due to user inactivity: (config)>serial port1 idle_timeout value (config)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}.
  • Page 257 i. Set the string that, when received, will trigger the connection: (config)>serial port1 autoconnect match_string string (config)> ii. flush_string is enabled by default, which will discard the matched string from data sent to the server. To disable: (config)>serial port1 autoconnect flush_string false (config)>...
  • Page 258 h. Set the text to be transmitted to the remote server when the socket connects: (config)>serial port1 socketid string (config)> 14. (Optional) Configure data framing: a. Enable data framing: (config)>serial port1 framing enable true (config)> b.
  • Page 259 (config)>serial port1 service ssh nodelay true (config)> v. (Optional) Configure access control: To limit access to specified IPv4 addresses and networks: (config)> add serial port1 service ssh acl address end value (config)> Where value can be: A single IP address or host name.
  • Page 260 (config)> Repeat this step to list additional interfaces. To limit access based on firewall zones: (config)> add serial port1 service ssh acl zone end value (config)> Where value is a firewall zone defined on your device, or the any keyword. Display a list of available firewall zones: Type ...
  • Page 261 where int is any integer between 1 and 65535. The default is 4001. iii. Enable TCP keep-alive messages: (config)>serial port1 service tcp keepalive true (config)> iv. Set the option that initiates the connection: (config)>serial port1 service tcp conn_type value (config)>...
  • Page 262 (config)> add serial port1 service tcp acl interface end value (config)> Where value is an interface defined on your device. Display a list of available interfaces: Use ... network interface ? to display interface information: (config)>...
  • Page 263 ipsec loopback setup (config)> Repeat this step to include additional firewall zones. vii. (Optional) Enable Multicast DNS (mDNS): (config)>serial port1 service tcp mdns enable true (config)> c. Configure telnet settings: i. Enable Telnet: (config)>serial port1 service telnet enable true (config)>...
  • Page 264 (config)> add serial port1 service telnet acl address6 end value (config)> Where value can be: A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks.
  • Page 265 Zones: A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists. Additional Configuration ------------------------------------------------- ------------------------------ dynamic_routes edge external hotspot internal ipsec loopback setup (config)> Repeat this step to include additional firewall zones.
  • Page 266: Configure Application mode

    Serial port Configure Application mode both arrows. This is the default. e. Log the time at which data was received or transmitted: (config)>serial port1 logging timestamp true (config)> f. Log data as hexadecimal values: (config)>serial port1 logging hex true (config)> 17.
  • Page 267 2. Click the name of the port that you want to configure. The serial port is enabled by default. To disable, toggle off Enable. 3. For Mode, select Application. The default is Remote. 4. (Optional) For Label, enter a label that will be used when referring to this port. 5.
  • Page 268: Configure PPP dial-in mode

    To change the configuration to match the serial configuration of the device to which you want to connect: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 269 4. For Mode, select PPP-Dial-in. The default is Remote. 5. (Optional) For Label, enter a label that will be used when referring to this port. 6. For Baud rate, select the baud rate used by the device to which you want to connect. The default is 9600.
  • Page 270 c. Click Override to override the default PPP configuration and only use the custom configuration file. If Override is not enabled, the custom PPP configuration file is used in addition to the default configuration. d.
  • Page 271 Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: > config (config)>...
  • Page 272 9. Set the local IP address assigned to this interface: (config)> serial port1 ppp_dialin local_address IPv4_address (config)> 10. Set the IP address assigned to the remote peer: (config)> serial port1 ppp_dialin remote_address IPv4_address (config)> 11.
  • Page 273 interface. Format: dynamic_routes edge external hotspot internal ipsec loopback setup Default value: internal Current value: internal (config)> b. Set the zone: (config)> serial port1 ppp_dialin zone zone (config)> 15. (Optional) Configure the serial port to use a custom PPP configuration file: a.
  • Page 274 a. Enable the use of a connection script: (config)> serial port1 ppp_dialin connect enable true (config)> b. Set the name of the script: (config)> serial port1 ppp_dialin connect script filename (config)> Scripts are located in the /etc/config/serial directory. An example script, windows_dun.sh, is provided.
  • Page 275: Configure UDP serial mode

    Serial port Configure UDP serial mode Configure UDP serial mode The UDP serial mode option in the serial port configuration provides access to the serial port using UDP. To change the configuration to match the serial configuration of the device to which you want to connect:
  • Page 276 a. For Baud rate, select the baud rate used by the device to which you want to connect. b. For Data bits, select the number of data bits used by the device to which you want to connect.
  • Page 277 b. (Optional) For Socket String ID, enter a string that should be added at the beginning of each packet. c. For Destinations, you can configure the remote sites to which you want to send data. If you do not specify any destinations, the IX20 sends new data to the last IP address and port from which data was received.
  • Page 278 To limit access to specified IPv4 addresses and networks: i. Click IPv4 Addresses. ii. For Add Address, click the add icon. iii. For Address, enter the IPv4 address or network that can access the device's service-type. Allowed values are: A single IP address or host name.
  • Page 279 A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the service-type. iv. Click the add icon again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: i.
  • Page 280 2. At the command line, type config to enter configuration mode: > config (config)> 3. The serial port is enabled by default. To disable: (config)> serial port1 enable false (config)> 4. Set the mode: (config)>...
  • Page 281 Allowed values are: none, rts/cts, xon/xoff. The default is none. 11. (Optional) Configure data framing: a. Enable data framing: (config)>serial port1 framing enable true (config)> b. Set the maximum size of the packet: (config)>serial port1 framing max_count int (config)> The default is 1024.
  • Page 282 i. Add a destination: (config)> add serial port1 udp destination end (config serial port1 udp destination 0)> ii. (Optional) Enter a description of the destination: (config serial port1 udp destination 0)> description string (config serial port1 udp destination 0)> iii.
  • Page 283 To limit access to hosts connected through a specified interface on the IX20 device: (config)> add serial port1 udp acl interface end value (config)> Where value is an interface defined on your device. Display a list of available interfaces: Use ...
  • Page 284 ipsec loopback setup (config)> Repeat this step to include additional firewall zones. To limit access to specified IPv4 addresses and networks: (config)> add serial port1 udp acl address end value (config)> Where value can be: A single IP address or host name.
  • Page 285 modem Modem (config)> Repeat this step to list additional interfaces. To limit access based on firewall zones: (config)> add serial port1 udp acl zone end value (config)> Where value is a firewall zone defined on your device, or the any keyword. Display a list of available firewall zones: Type ...
  • Page 286: Configure Modem emulator mode

    To change the configuration to match the serial configuration of the device to which you want to connect: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 287 b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click to expand the name of the port that you want to configure, for example, Port 1. The serial port is enabled by default.
  • Page 288 13. For Escape delay, type the delay between the escape sequence and an AT command to switch from data mode to command mode. The default is 1s. 14. For Auto-answer rings, type the number of rings to wait before auto-answering. Enter 0 (zero) to disable auto-answering.
  • Page 289: Configure Modbus mode

    Serial port Configure Modbus mode A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the service-type. iv. Click the add icon again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: i.
  • Page 290 Serial port Configure Modbus mode Log into the IX20 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed. Note You can also configure the serial port by using Device Configuration > Serial. Changes made by using either Device Configuration or Serial Configuration will be reflected in both.
  • Page 291 Serial port Configure Modbus mode 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 292: Configure Realport Mode Using The Digi Navigator

    Digi Navigator on your computer, the RealPort application is automatically installed as well. With Digi Navigator, you can set all serial ports on the device to RealPort mode, and then also enable the RealPort service. The COM ports on your laptop are also configured. These processes ensure that RealPort is configured on the device and on your computer.
  • Page 293: Install The Digi Navigator

    The Digi Navigator application can also be downloaded from your device's product support page. 2. Scroll down to the Product Resources tab, and in the Drivers & Patches section, click Digi Navigator. 3. From the list box, select the appropriate Microsoft Windows option from the list of driver options.
  • Page 294: Configure Realport On A Digi Device From The Digi Navigator

    Enter the user name and password for the device in the User name and Password fields. v. Click Submit. vi. The device you just added displays at the bottom of the Digi Navigator screen. You can click Refresh to update the screen until the device appears. 5. Configure RealPort on the device.
  • Page 295 RealPort from within the Digi Navigator. 1. Launch the Digi Navigator if it is not currently open. A list of devices that have RealPort enabled and configured displays in the RealPort Devices section at the bottom of the application screen.
  • Page 296: Digi Navigator Application Features

    Item Description Filters Click Filters to display the types of filters that can be applied to Digi devices, services, and IP types. Device Filters: A list of the Digi device types displays. All types are disabled by default, and when all are disabled, all types are displayed.
  • Page 297 After you have enabled and configured RealPort on at least one Digi device, a list of configured devices displays at the bottom of the Digi Navigator. You can refresh the list and easily access the COM port configuration on your computer.
  • Page 298 Click Login. Filter devices for display in the Digi Navigator You can use the Digi Navigator filters to determine the types of Digi devices you want to display. Only the devices that are powered on and are discoverable are included.
  • Page 299: Advanced Realport Configuration Without Using The Digi Navigator

    Advanced RealPort configuration without using the Digi Navigator Access Digi Remote Manager from the Digi Navigator You can access Digi Remote Manager from the Digi Navigator. Within the Remote Manager, you can configure and monitor your Digi devices. For information about using Digi Remote Manager, refer to the Digi Remote Manager User Guide.
  • Page 300: Configure Realport On Your Laptop

    1. Navigate to the downloaded RealPort .zip file. 2. Open the .zip file. 3. Click on setup.exe to launch the RealPort wizard. The Welcome to the Digi RealPort Setup Wizard screen displays. 4. If this is not the first time you have run the wizard, select the Add a New Device option. If this is the first time running the wizard, no options are available on the screen.
  • Page 301 Serial port Advanced RealPort configuration without using the Digi Navigator Step 2: Configure a RealPort connection on your laptop for your device 1. Follow the standard Windows process to access the Device Manager from your computer's operating system. 2. Select Multi-port Serial Adapters.
  • Page 302: Configure The Serial Port For Realport Mode

    Serial port Advanced RealPort configuration without using the Digi Navigator Configure the serial port for RealPort mode RealPort mode allows you to use Realport. To change the configuration to match the serial configuration of the device to which you want to connect: ...
  • Page 303 Serial port Advanced RealPort configuration without using the Digi Navigator RS-232 RS-485 Enable Termination if you want to enable electrical termination on this serial port. The default is RS-232. 7. Expand Logging Settings to configure logging for this serial port.
  • Page 304 Serial port Advanced RealPort configuration without using the Digi Navigator 5. Set the sharing mode: (config)> serial port1 sharing value (config)> where value is one of: none: Only the user that opened the port can change the port settings. All other users are rejected.
  • Page 305: Configure The Realport Service

    Serial port Advanced RealPort configuration without using the Digi Navigator (config)>serial port1 logging size value (config)> where value is the size of the log file in bytes. The default is 65536. d. Specify the data type: (config)>serial port1 logging type value (config)>...
  • Page 306 Serial port Advanced RealPort configuration without using the Digi Navigator 8. Enable Encryption to enable encryption of data. This is enabled by default. 9. (Optional) Configure the authentication method the RealPort server uses to authenticate clients. a. From the Authentication Method list box, select the Shared Secret - SHA256 option.
  • Page 307 Serial port Advanced RealPort configuration without using the Digi Navigator 6. Data encryption is enabled by default. To disable: (config)> service realport encryption false (config)> 7. (Optional) Configure authentication. (config)> service realport auth value (config)> where value is one of: none: Do not use authentication.
  • Page 308: Show Serial Status And Statistics

    Serial port Show serial status and statistics Show serial status and statistics To show the status and statistics for the serial port:  Log into the IX20 WebUI as a user with full Admin access rights. 1. On the main menu, click Status. 2.
  • Page 309 Serial port Review the serial port message log 4. Review the messages in the window. Click Refresh to refresh the log display. Click Download to download the serial port log to your local device. The log file is saved to the /opt/serial directory. Because this is being saved to the device's memory, you should use serial logging for diagnostic purposes, rather than having it permanently enabled.
  • Page 310 Wi-Fi This chapter applies to the IX20W Wi-Fi-enabled model only. This chapter contains the following topics: Wi-Fi configuration Configure the Wi-Fi radio's channel Configure the Wi-Fi radio to support DFS channels in client mode Configure the Wi-Fi radio's band and protocol Configure the Wi-Fi radio's transmit power Configure an open Wi-Fi access point Configure a Wi-Fi access point with personal security...
  • Page 311: Wi-Fi

    2.4 GHz TX power percentage Access point mode 802.11b/g/n Channel Automatic Channel width 20/40 MHz Beacon interval Access point Default setting Name Digi AP Enabled or disabled Enabled SSID Digi-IX20W-serial_number SSID broadcast Enabled Encryption WPA2 Personal (PSK)
  • Page 312 Wi-Fi Wi-Fi configuration Default setting Pre-shared key The unique password printed on the bottom label of the device. Group rekey interval 10 minutes Client mode connections None.
  • Page 313: Configure The Wi-Fi Radio's Channel

    Not all Digi devices currently support 5 GHz. Before you try to use this feature, verify that your device supports 5 GHz.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 314 Wi-Fi Configure the Wi-Fi radio's channel 4. For Channel, select the channel. Only channels appropriate for the band are displayed. 5. Click Apply to save the configuration and apply the change.  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 315: Configure The Wi-Fi Radio To Support Dfs Channels In Client Mode

    Not all Digi devices currently support 5 GHz. Before you try to use this feature, verify that your device supports 5 GHz.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 316 Wi-Fi Configure the Wi-Fi radio to support DFS channels in client mode c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > WiFi. 4.
  • Page 317: Configure The Wi-Fi Radio's Band And Protocol

    Not all Digi devices currently support 5 GHz. Before you try to use this feature, verify that your device supports 5 GHz.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 318 Wi-Fi Configure the Wi-Fi radio's band and protocol 3. Click Network > WiFi. 4. For Frequency band, select either 2.4 GHz or 5 GHz. 5. For Access point mode, select the appropriate mode. Only modes appropriate for the selected band are displayed. 6.
  • Page 319: Configure The Wi-Fi Radio's Transmit Power

    100 percent. You can configure the Wi-Fi radio to transmit at a lower power.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 320 Wi-Fi Configure the Wi-Fi radio's transmit power 3. Click Network > WiFi. 4. For Tx power percentage, type or select the appropriate percentage for the Wi-Fi radio's transmit power. 5. Click Apply to save the configuration and apply the change. ...
  • Page 321: Configure An Open Wi-Fi Access Point

    The amount of time to wait before changing the group key. To configure a Wi-Fi access point with no security:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 322 Wi-Fi Configure an open Wi-Fi access point a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > WiFi > Access points. 4. Create a new access point or modify an existing access point: To create a new access point, for Add WiFi access point:, type a name for the access point and click .
  • Page 323 Wi-Fi Configure an open Wi-Fi access point 8. For Encryption, select one of the following: Open (Unencrypted) No encryption is used. WPA3 Enhanced Open (OWE) Uses Opportunistic Wireless Encryption (OWE) technology to provide encryption for Wi-Fi networks that do not use password protection.
  • Page 324 Wi-Fi Configure an open Wi-Fi access point 4. Set the SSID for the Wi-Fi access point. Up to 32 characters are allowed. (config network wifi ap new_AP)> ssid my_SSID (config network wifi ap new_AP)> SSID broadcasting is enabled by default for new access points. 5.
  • Page 325 (config)> network wifi ap ? Additional Configuration ------------------------------------------------------------------------ ------- digi_ap Digi AP (config)> 4. Set the SSID for the appropriate access point: (config)> network wifi ap digi_ap ssid my_SSID (config)> 5. SSID broadcasting is enabled by default for the preconfigured access points. If SSID broadcasting is disabled: (config)>...
  • Page 326 Wi-Fi Configure an open Wi-Fi access point none: No encryption is used. owe: Uses WPA3 Enhanced Open, which uses Opportunistic Wireless Encryption (OWE) technology to provide encryption for Wi-Fi networks that do not use password protection. Note Only select owe if you know that all Wi-Fi clients connecting to this device will have WPA3 capabilities.
  • Page 327: Configure A Wi-Fi Access Point With Personal Security

    The amount of time to wait before changing the group key. To configure a Wi-Fi access point to use personal security:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 328 Wi-Fi Configure a Wi-Fi access point with personal security a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > WiFi > Access points. 4. Create a new access point or modify an existing access point: To create a new access point, for Add WiFi access point:, type a name for the access point and click .
  • Page 329 If you need to configure a Wi-Fi passphrase with any non-printable ASCII characters, you can use the wpa_passphrase tool to generate the appropriate pre-shared key. The wpa_passphrase command is available in the shell console of a DAL OS Digi device. For details about the command, see the wpa_passphrase Linux command.
  • Page 330 If you need to configure a Wi-Fi passphrase with any non-printable ASCII characters, you can use the wpa_passphrase tool to generate the appropriate pre-shared key. The wpa_passphrase command is available in the shell console of a DAL OS Digi device. For details about the command, see the wpa_passphrase Linux command.
  • Page 331 Wi-Fi Configure a Wi-Fi access point with personal security psk2sae: Uses WPA2-PSK/WPA3-AES mixed mode. Wi-Fi clients that support WPA2 and WPA3 are able to authenticate. sae: Uses WPA3 Personal mode. All Wi-Fi clients must support WPA3 to be able to authenticate.
  • Page 332 (config)> network wifi ap ? Additional Configuration ------------------------------------------------------------------------ ------- digi_ap Digi AP (config)> 4. Set the SSID for the appropriate access point: (config)> network wifi ap digi_ap ssid my_SSID (config)> 5. SSID broadcasting is enabled by default for the preconfigured access points. If SSID...
  • Page 333 If you need to configure a Wi-Fi passphrase with any non-printable ASCII characters, you can use the wpa_passphrase tool to generate the appropriate pre-shared key. The wpa_passphrase command is available in the shell console of a DAL OS Digi device. For details about the command, see the wpa_passphrase Linux command.
  • Page 334: Configure A Wi-Fi Access Point With Enterprise Security

    RADIUS server, rather than using a pre-shared key on the IX20 device. By default, the IX20W device comes with one preconfigured access point, Digi AP. You cannot delete default access points, but you can modify them or you can create your own access points.
  • Page 335 The amount of time to wait before changing the group key. To configure a Wi-Fi access point with WPA2 enterprise security:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 336 Wi-Fi Configure a Wi-Fi access point with enterprise security 3. Click Network > WiFi > Access points. 4. Create a new access point or modify an existing access point: To create a new access point, for Add WiFi access point:, type a name for the access point and click .
  • Page 337 Wi-Fi Configure a Wi-Fi access point with enterprise security e. For RADIUS secret key, type the secret key as configured on the RADIUS server. f. To add additional RADIUS servers, click  10. (Optional) For Group rekey interval, type the amount of time to wait before changing the group key.
  • Page 338 Wi-Fi Configure a Wi-Fi access point with enterprise security 3. Create a new access point: (config)> add network wifi ap new_AP (config network wifi ap new_AP)> New access points are enabled by default. 4. Set the SSID for the Wi-Fi access point. Up to 32 characters are allowed. (config network wifi ap new_AP)>...
  • Page 339 Wi-Fi Configure a Wi-Fi access point with enterprise security (config network wifi ap new_AP encryption radius_servers 1)> host IP_address (config network wifi ap new_AP encryption radius_servers 1)> iii. Repeat for additional RADIUS servers. 8. (Optional) Set the amount of time to wait before changing the group key. The group key is shared by all clients of the access point, and after a client has disconnected, it will be able to use the group key to decrypt broadcast packets until the key is changed.
  • Page 340 (config)> network wifi ap ? Additional Configuration ------------------------------------------------------------------------ ------- digi_ap Digi AP (config)> 4. Set the SSID for the appropriate access point: (config)> network wifi ap digi_ap ssid my_SSID (config)> 5. SSID broadcasting is enabled by default for the preconfigured access points. If SSID broadcasting is disabled: (config)>...
  • Page 341: Isolate Wi-Fi Clients

    This section provides instructions for both mechanisms. Isolate clients connected to the same access point  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
  • Page 342 Wi-Fi Isolate Wi-Fi clients Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
  • Page 343: Isolate Clients Connected To Different Access Points

    3. Assign those LAN interfaces to separate firewall zones. 4. Create firewall filters to prevent traffic between the two firewall zones.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 344 3. Create a new access point. By default, the IX20W comes with one preconfigured access point, named Digi AP. In these instructions, we will use the existing Digi AP access point and create another new access point, named new_AP. a. Click Network > WiFi > Access points.
  • Page 345 Wi-Fi Isolate Wi-Fi clients d. Create a firewall filter to drop traffic from the Internal zone (used by the LAN1 interface) to the LAN2_isolation_zone: i. Click Firewall > Packet filtering. ii. For Add packet filter, click . iii. For Label, type Drop traffic from Internal to LAN2_isolation_zone. iv.
  • Page 346 Wi-Fi Isolate Wi-Fi clients a. Click Configuration > Network > Interfaces. b. For Add interface, type a name for the LAN and click . c. For Zone, select LAN2_isolation_zone. d. For Device, select the new Wi-Fi access point. e. Click to expand IPv4. f.
  • Page 347 Wi-Fi Isolate Wi-Fi clients psk2 wpa2: d. Complete other encryption-related fields as appropriate based on the type of encryption. Configure an open Wi-Fi access point, Configure a Wi-Fi access point with personal security, or Configure a Wi-Fi access point with enterprise security for details.
  • Page 348 Wi-Fi Isolate Wi-Fi clients i. Add the new packet filter: (config firewall filter 2)> add .. 0 (config firewall filter 0)> ii. Set the label for the filter: (config firewall filter 0)> label "Drop traffic from Internal to LAN2_isolation_zone" (config firewall filter 0)> iii.
  • Page 349: Configure A Wi-Fi Client And Add Client Networks

    Wi-Fi Configure a Wi-Fi client and add client networks e. Set the IP address and subnet mask of the LAN: (config network interface LAN2)> ipv4 address address/mask (config network interface LAN2)> f. Enable the DHCP server: (config network interface LAN2)> ipv4 dhcp_server enable true (config network interface LAN2)>...
  • Page 350 The IX20W device supports a maximum of ten enabled Wi-Fi clients, regardless of the number of enabled access points. To configure a Wi-Fi client:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 351 If you need to configure a Wi-Fi passphrase with any non-printable ASCII characters, you can use the wpa_passphrase tool to generate the appropriate pre-shared key. The wpa_passphrase command is available in the shell console of a DAL OS Digi device. For details about the command, see the wpa_passphrase Linux command.
  • Page 352 Wi-Fi Configure a Wi-Fi client and add client networks The Username. The CA certificate in PEM format. The Client certificate in PEM format. The Private key in PEM format. (Optional) The Private key passphrase. PEAP: Username/password authentication. If PEAP is selected, identify the Username and Password. SCEP certificates: Simple Certificate Enrollment Protocol (SCEP) certificate management.
  • Page 353 Wi-Fi Configure a Wi-Fi client and add client networks e. For Long interval, type the number of seconds to wait between scans for access points, when the signal strength from the access point to which the client is currently connected is stronger than the Scan threshold.
  • Page 354 If you need to configure a Wi-Fi passphrase with any non-printable ASCII characters, you can use the wpa_passphrase tool to generate the appropriate pre-shared key. The wpa_passphrase command is available in the shell console of a DAL OS Digi device. For details about the command, see the wpa_passphrase Linux command.
  • Page 355 Wi-Fi Configure a Wi-Fi client and add client networks ii. Set the password: (config network wifi client new_client)> ssid 0 encryption password_wpa2 password (config network wifi client new_client)> scep: Simple Certificate Enrollment Protocol (SCEP) certificate management. If scep is set: i.
  • Page 356 Wi-Fi Configure a Wi-Fi client and add client networks (config network wifi client new_client)> ssid 0 encryption ca_cert certificate (config network wifi client new_client)> iii. Set the client certificate by using the client_cert parameter and pasting the certificate in PEM format: (config network wifi client new_client)>...
  • Page 357 Wi-Fi Configure a Wi-Fi client and add client networks If bgscan_short_interval and bgscan_long_interval are set to the same value, bgscan_strength is ignored. For example, the default configuration has both bgscan_short_interval and bgscan_long_interval set to 1 second, which means that the device will scan for access points once per second regardless of the value of bgscan_strength.
  • Page 358: Show Wi-Fi Access Point Status And Statistics

    Wi-Fi Show Wi-Fi access point status and statistics (config network wifi client new_client)> background_scanning scan_freq 1 Scan frequency: Enable this frequency in the background scan. Format: 2412 2417 2422 2427 2432 2437 2442 2447 2452 2457 2462 Current value: 2437 ii.
  • Page 359 Wi-Fi Show Wi-Fi access point status and statistics To show the status and statistics for Wi-Fi access points, use the show wifi ap command. 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 360: Show Wi-Fi Client Status And Statistics

    Wi-Fi Show Wi-Fi client status and statistics Radio : wifi BSSID : 01:41:D1:14:36:37 Client Signal RX Bytes TX Bytes Uptime ----------------- ------ -------- -------- ------ cc:c0:78:34:d5:a2 260997 279481 > Show Wi-Fi client status and statistics You can show summary status for all Wi-Fi clients, and detailed status and statistics for individual Wi-Fi clients.
  • Page 361 Wi-Fi Show Wi-Fi client status and statistics To show a detailed status and statistics of a Wi-Fi client, use the show wifi client name name command. 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 362: Hotspot

    Hotspot Hotspot is available for Wi-Fi-enabled models (IX20W), and offers the ability to create a publicly available hotspot, which allows you to provide internet access to users while restricting their ability to access other functionality on the IX20 device, as well as applying bandwidth limits, authenticating users, and other features.
  • Page 363: Hotspot Authentication Modes

    Hotspot Hotspot authentication modes During hotspot configuration, you select one of the following authentication modes for the hotspot: Click-through: Requires each user to accept the terms and conditions. The sample HTML page included with your IX20 device for click-through authentication is terms.html. See Create a new hotspot for information about configuring hotspot for click-through authentication.
  • Page 364: Hotspot Dhcp Server

    Hotspot Hotspot DHCP server When the hotspot is enabled on the IX20 device, it automatically enables a DHCP server. During hotspot configuration, you assign an IPv4 address to the hotspot, and the DHCP server then uses the subnet of the hotspot's IP address, along with the hotspot's subnet mask, to assign IPv4 addresses to clients that connect to the hotspot.
  • Page 365: Hotspot Configuration

    Hotspot Hotspot configuration This section provides information about enabling and configuring the default hotspot that is provided with your IX20 installation, as well as creating a new hotspot and configuring the type of authentication mode you select for your hotspot. This section contains the following topics:
  • Page 366 Bandwidth limits: Maximum download speed: 10000 Kbps Maximum upload speed: 10000 Kbps Bridge Name: hotspot_bridge Disabled 2.4 GHz Wi-Fi access point: Digi Hotspot AP (Wi-Fi) Access points Name: Digi Hotspot AP (Wi-Fi) Disabled SSID: Digi Hotspot Encryption: Open (unencrypted) Hotspot access points should be set to open (unencrypted).
  • Page 367 See Edit sample hotspot HTML pages for information.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 368 Click Network > Hotspots > hotspot. b. Click Enable hotspot. 4. Enable the hotspot access points: a. Click Network > Wi-Fi > Access points > Digi Hotspot AP (Wi-Fi). b. Click Enable. 5. Enable the hotspot bridge: a. Click Network > Bridges > hotspot_bridge.
  • Page 369 Hotspot 6. Enable the hotspot LAN: a. Click Network > Interface > LAN > LAN hotspot. b. Click Enable. 7. Click Apply to save the configuration and apply the change.  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 370 Enable hotspot using the default configuration instructions. An SSID for the hotspot.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 371 Hotspot 4. Change the default SSID, Digi Hotspot, to your preferred value. 5. Click Apply to save the configuration and apply the change.  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 372 Lease range start and end. To change the default hotspot IP address and subnet:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 373 Hotspot 5. For Address, enter a new IP address and subnet mask. 6. (Optional) Change the default DHCP server configuration. Note The hotspot DHCP server is automatically enabled and cannot be disabled. a. Click to expand DHCP server. b. For Lease time, type the amount of time that a client DHCP lease is valid. The default is 10 minutes.
  • Page 374 Hotspot 2. At the command line, type config to enter configuration mode: > config (config)> 3. Change the default hotspot IP address and subnet mask: (config)> network hotspot hotspot ipv4 address ip_address/mask (config)> 4. (Optional) Change the default DHCP server configuration. Note The hotspot DHCP server is automatically enabled and cannot be disabled.
  • Page 375 Maximum upload speed, in Kbps. To change the default hotspot IP address and subnet:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 376 Hotspot 4. For Maximum download speed, type the maximum download speed in kilobytes per second (Kbps). Note Setting the Maximum download speed to 0 means that the bandwidth is unlimited. This can have an adverse effect on performance. 5. For Maximum upload speed, type the maximum upload speed in kilobytes per second (Kbps). Note Setting the Maximum upload speed to 0 means that the bandwidth is unlimited.
  • Page 377 Ethernet port to be added to the hotspot. To add an Ethernet port to the default hotspot:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 378 Hotspot a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Bridges > hotspot_bridge > Devices. 4. Click the  to add a new device. 5. For Device, select the appropriate Ethernet port. By default, the ETH1 device is configured as the device for the ETH1 interface, and ETH2 is configured as a device in the LAN bridge, which is used by the ETH2 interface.
  • Page 379 Hotspot a. Click Network > Bridges > LAN > Devices. b. Click the ... menu icon next to the Ethernet: device entry and select Delete. 6. Click Apply to save the configuration and apply the change.  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 380 Hotspot b. Use the index number, 0, to remove the device from the LAN bridge: (config)> del network bridge lan1 device 0 (config)> 5. Save the configuration and apply the change (config)> save Configuration saved. > 6. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 381 Maximum download speed, in Kbps. Maximum upload speed, in Kbps. Enable verbose logging. To create a new hotspot:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights.
  • Page 382 Hotspot 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a.
  • Page 383 Hotspot a. Click Network > Bridges. b. For Add Bridge:, type a name for the bridge and click . c. Add devices to the bridge: i. Click to expand Devices. ii. For Add device, click . iii. Select the Device. iv.
  • Page 384 Hotspot 8. For Zone, leave at the default setting of hotspot. The hotspot firewall zone provides the necessary firewall rules for hotspot functionality. 9. For Device, select an access point, and Ethernet port, or a bridge. 10. For Authentication Mode, select one of the following: Click-through: Requires each user to accept the terms and conditions.
  • Page 385 Hotspot 15. If Remote is selected for Login page source, click to expand Remote web server. a. For FQDN, type the IP address or fully-qualified domain name of the remote web server that will be used for client authentication. b. (Optional) For Secret, type the shared secret used between the remote server and the hotspot. Used with cloud-based hotspot providers.
  • Page 386 Hotspot c. For Subnet, type an IPv4 address and optional subnet mask, using the format IPv4_address[/netmask], or the keyword any. d. Repeat to add additional subnets. 17. (Optional) For Maximum download speed, type the maximum download speed in kilobytes per second (Kbps).
  • Page 387 Hotspot a. Create a new access point: (config)> add network wifi ap new_hotspot_AP1 (config network wifi ap new_hotspot_AP1)> New access points are enabled by default. b. Set the SSID: (config network wifi ap new_hotspot_AP1)> ssid my_SSID (config network wifi ap new_hotspot_AP1)> This will be the SSID used by clients to connect to the hotspot.
  • Page 388 /network/wireless/ap/digi_hotspot_ap Default value: /network/bridge/lan Current value: /network/bridge/lan (config network bridge new_hotspot_bridge)> ii. Add the appropriate device. For example, to add the Digi AP Wi-Fi access point: (config network bridge new_hotspot_bridge)> add device end /network/wireless/ap/digi_ap (config)> c. Type ... to return to the config prompt: (config network bridge new_hotspot_bridge)>...
  • Page 389 /network/wireless/ap/digi_hotspot_ap Default value: /network/bridge/lan Current value: /network/bridge/lan (config network bridge new_hotspot_bridge)> b. Add the appropriate device. For example, to add the Digi AP Wi-Fi access point: (config network bridge new_hotspot_bridge)> add device end /network/wireless/ap/digi_ap (config)> 7. Set an access point, an Ethernet port, or a bridge for the hotspot's device: a.
  • Page 390 Hotspot /network/wifi/ap/digi_hotspot_ap /network/wifi/ap/new_hotspot_ap Current value: (config network hotspot new_hotspot)> b. Add the device: (config network hotspot new_hotspot)> device /network/bridge/new_hotspot_bridge (config network hotspot new_hotspot)> 8. Set the authentication mode: (config network hotspot new_hotspot)> auth value (config network hotspot new_hotspot)> where value is one of: click_through: Requires each user to accept the terms and conditions.
  • Page 391 Hotspot 10. (Optional) If local is selected for login, set the name of the local HTML file used for authentication. (This option is not available if auth is set to hotspotsystem.) (config network hotspot new_hotspot)> local_page HTML_filename (config network hotspot new_hotspot)> Normally, this parameter should be left blank, and the device will use the default authentication HTML page.
  • Page 392 Hotspot (config network hotspot new_hotspot)> ipv4 dhcp_server lease_time 600s (config network hotspot new_hotspot)> The default is 10 minutes. b. Set the lowest IP address in the range to assign to hotspot clients. This value represents the low order byte of the IP address, and is combined with the subnet of the hotspot's static IP address.
  • Page 393 Hotspot Note Setting the maximum download speed to 0 means that the bandwidth is unlimited. This can have an adverse effect on performance. 17. (Optional) Change the default maximum upload speed: (config network hotspot new_hotspot)> bandwidth_max_up value (config network hotspot new_hotspot)> where value is an integer between 1 and 100000 and represents the maximum upload speed in Kbps.
  • Page 394 Hotspot  Configure hotspot for local shared password authentication from the WebUI 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 395 Hotspot 2. At the command line, type config to enter configuration mode: > config (config)> Create a new hotspot Enable hotspot using the default configuration. 4. Set the authentication mode to local-shared-password: (config)> network hotspot hotspot_name auth local-shared-password (config)> 5. Set the password that all users will be required to enter to authenticate with the hotspot: (config)>...
  • Page 396 Hotspot LAN configuration:  Configure hotspot for RADIUS shared password authentication from the WebUI 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 397 Hotspot b. (Optional) For Secondary server name, enter the IP address or fully-qualified domain name of the backup RADIUS server to use to authenticate hotspot users if the primary RADIUS server is not available. c. (Optional) For Port, type the port number to use for RADIUS authentication requests. The default is 1812.
  • Page 398 Hotspot 4. Set the authentication mode to radius-shared-password: (config)> network hotspot hotspot_name auth radius-shared-password (config)> 5. Configure the RADIUS server: a. Set the fully qualified domain name or IP address of the primary RADIUS server: (config)> network hotspot hotspot_name radius primary_radius_server address (config)>...
  • Page 399 Hotspot 6. Set walled garden settings. Walled garden settings define the "white list" of domains and subnets that unauthenticated clients are able to access. Include the domain or subnet of the RADIUS server(s) that are being used for authentication. Add domains that can be accessed by the client prior to authentication: (config network hotspot new_hotspot)>...
  • Page 400 Hotspot LAN configuration:  Configure hotspot for RADIUS users authentication from the WebUI 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 401 Hotspot 5. Click to expand Radius. a. For Primary server name, enter the IP address or fully-qualified domain name of the primary RADIUS server to use to authenticate hotspot users. b. (Optional) For Secondary server name, enter the IP address or fully-qualified domain name of the backup RADIUS server to use to authenticate hotspot users if the primary RADIUS server is not available.
  • Page 402 Hotspot Create a new hotspot Enable hotspot using the default configuration. 4. Set the authentication mode to radius-users: (config)> network hotspot hotspot_name auth radius-users (config)> 5. Configure the RADIUS server: a. Set the fully qualified domain name or IP address of the primary RADIUS server: (config)>...
  • Page 403 Hotspot 6. Set walled garden settings. Walled garden settings define the "white list" of domains and subnets that unauthenticated clients are able to access. Include the domain or subnet of the RADIUS server(s) that are being used for authentication. Add domains that can be accessed by the client prior to authentication: (config network hotspot new_hotspot)>...
  • Page 404  Configure hotspot for HotspotSystem authentication from the WebUI 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 405 Hotspot c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. Create a new hotspot Enable hotspot using the default configuration. 4. During hotspot configuration, for Authentication mode, select HotspotSystem. 5.
  • Page 406 Hotspot c. For Subnet, type an IPv4 address and optional subnet mask, using the format IPv4_address[/netmask], or the keyword any. d. Repeat to add additional subnets. 8. Click Apply to save the configuration and apply the change.  Configure hotspot for HotspotSystem authentication from the Command line 1.
  • Page 407: Show Hotspot Status And Statistics

    Hotspot 7. Set walled garden settings. Walled garden settings define the "white list" of domains and subnets that unauthenticated clients are able to access. Include the domain or subnet of supporting servers for payment or other external login and authentication (such as social media sites). Add domains that can be accessed by the client prior to authentication: (config network hotspot new_hotspot)>...
  • Page 408 Hotspot  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 409: Customize The Hotspot Login Page

    Hotspot > 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Customize the hotspot login page The IX20 device provides three sample HTML webpages for use with the hotspot feature. When hotspot is enabled for the first time, the sample webpages are installed to the /etc/config/hotspot folder on the device's filesystem.
  • Page 410 Hotspot Edit sample hotspot HTML pages To edit the sample HTML pages, download the files and edit the files on your local machine. After they have been edited, upload the edited files to the IX20 device. The edited HTML page should call the same JavaScript functions that the sample HTML pages do. Additional pages and assets can be uploaded to the hotspot folder, and additional subfolders can be created as needed.
  • Page 411 Hotspot Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. Download the file to your local machine. For example: > scp host 192.168.4.1 user admin remote /home/admin/temp/ local /etc/config/hotspot/login.html to remote admin@192.168.4.1's password: adminpwd login.html...
  • Page 412 Hotspot b. Highlight the hotspot directory and click  to open the directory. c. Click  (upload). d. Browse to the location of the HTML file on your local machine. Select the file and click Open to upload the file. 2.
  • Page 413 Hotspot e. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Restore hotspot default sample pages If you have customized the sample HTML pages without making a backup of the samples, you may wish to restore the original version of the HTML pages without doing a factory reset.
  • Page 414: Hotspot Radius Attributes

    Hotspot g. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Hotspot RADIUS attributes The RADIUS server may send attributes to the hotspot to affect the operation of a client session. For example, here are some of the RADIUS attributes that the hotspot handles: Session-Timeout Idle-Timeout...
  • Page 415: Routing

    Routing This chapter contains the following topics: IP routing Show the routing table Dynamic DNS Virtual Router Redundancy Protocol (VRRP) IX20 User Guide...
  • Page 416: Ip Routing

    Routing IP routing IP routing The IX20 device uses IP routes to decide where to send a packet it receives for a remote network. The process for deciding on a route to send the packet is as follows: 1. The device examines the destination IP address in the IP packet, and looks through the IP routing table to find a match for it.
  • Page 417: Configure A Static Route

    The Maximum Transmission Units (MTU) of network packets using this route. To configure a static route:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 418 Routing IP routing 3. Click Network > Routes > Static routes. 4. Click the  to add a new static route. The new static route configuration page is displayed: New static route configurations are enabled by default. To disable, toggle off Enable. 5.
  • Page 419 Routing IP routing Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: > config (config)> 3. Add a new static route: (config)>...
  • Page 420: Delete A Static Route

    Type quit to disconnect from the device. Delete a static route  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 421 Routing IP routing a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Routes > Static routes. 4. Click the menu icon (...) for a static route and select Delete. 5.
  • Page 422: Policy-Based Routing

    Routing IP routing enable true gateway 192.168.5.1 interface /network/interface/lan2 label new_static_route_1 metric 0 mtu 0 (config)> 4. Use the index number to delete the static route: (config)> del network route static 0 (config)> 5. Save the configuration and apply the change: (config)>...
  • Page 423: Configure A Routing Policy

    To configure a routing policy:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 424 Routing IP routing 3. Click Network > Routes > Policy-based routing. 4. Click the  to add a new route policy. The new route policy page is displayed: New route policies are enabled by default. To disable, toggle off Enable. 5.
  • Page 425 Routing IP routing IPv6 address: Matches the source IP address to the specified IP address or network. Use the format IPv6_address[/prefix_length], or use any to match any IPv6 address. MAC address: Matches the source MAC address to the specified MAC address. 12. Configure the destination address information: a.
  • Page 426 Routing IP routing New route policies are enabled by default. To disable: (config network route policy 0)> enable false (config network route policy 0)> 4. (Optional) Set the label that will be used to identify this route policy: (config network route policy 0)> label "New route policy" (config network route policy 0)>...
  • Page 427 Routing IP routing any: All protocols are matched. tcp: Source and destination ports are matched: a. Set the source port: (config network route policy 0)> src_port value (config network route policy 0)> where value is the port number, or the keyword any to match any port as the source port.
  • Page 428 Routing IP routing Zone: Match the IP address to the specified firewall zone. Format: dynamic_routes edge external hotspot internal ipsec loopback setup Default value: any Current value: any (config network route policy 0)> src zone b. Set the zone. For example: (config network route policy 0)>...
  • Page 429 Routing IP routing (config network route policy 0)> src address value (config network route policy 0)> where value uses the format IPv4_address[/netmask], or any to match any IPv4 address. address6: Matches the source IPv6 address to the specified IP address or network. Set the address that will be matched: (config network route policy 0)>...
  • Page 430 Routing IP routing b. Set the zone. For example: (config network route policy 0)> dst zone external (config network route policy 0)> Firewall configuration for more information about firewall zones. interface: Matches the destination IP address to the selected interface's network address.
  • Page 431: Example: Dual Wan Policy-Based Routing

    This example routes traffic to a specific IP address to go through the cellular WWAN interface, while all other traffic uses the Ethernet WAN interface.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 432 Routing IP routing 3. Click Network > Routes > Policy-based routing. 4. Click the  to add a new route policy. 5. For Label, type Route through cellular. 6. For Interface, select Modem. 7. Configure the source address: a. Click to expand Source address. b.
  • Page 433 Routing IP routing 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 434: Example: Domain-Based Routing With Dual Wan

    This example routes traffic destined for a specific domain to the WAN Ethernet port, and never through the cellular modem.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 435 Routing IP routing 3. Click Network > Routes > Policy-based routing. 4. Click the  to add a new route policy. 5. For Label, type Domain-based policy. 6. For Interface, select ETH1. 7. Configure the source address: a. Click to expand Source address. b.
  • Page 436 Routing IP routing 9. Click Apply to save the configuration and apply the change.  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 437: Example: Route Traffic To A Specific Wan Interface Based On The Client Mac Address

    This example routes all data from a certain client device through a cellular WAN based on the device's MAC address, while all other client devices are routed through the Ethernet WAN.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 438 Routing IP routing a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Create new firewall zones: a. Create a firewall zone named CellularWAN with Source NAT enabled: i. Click Firewall > Zones. ii.
  • Page 439 Routing IP routing b. Configure the Ethernet WAN interface: i. Click Network > Interfaces > ETH1. ii. For Zone, select EthernetWAN. 5. Configure the policy-based route for traffic from the client device that will be sent over the cellular WAN: a.
  • Page 440 Routing IP routing 6. Create a packet filtering rule that rejects all other LAN packets on the cellular WAN interface. a. Click Firewall > Packet filtering. b. Click the  to add a new packet filtering rule. c. For Label, type Reject LAN traffic to cellular WAN. d.
  • Page 441 Routing IP routing b. Create a second firewall zone named EthernetWAN with Source NAT enabled: i. Type .. to move back one node in the configuration: (config firewall zone CellularWAN)> .. (config firewall zone)> ii. Create the firewall zone: (config firewall zone)> add EthernetWAN (config firewall zone EthernetWAN)>...
  • Page 442 Routing IP routing d. Configure the source as the MAC address of the VoIP phone: i. Set the source type to mac: (config network route policy 0)> src type mac (config network route policy 0)> ii. Set the MAC address to the MAC address of the VoIP phone: (config network route policy 0)>...
  • Page 443: Routing Services

    Enable routing services. Enable and configure the types of routing services that will be used.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. IX20 User Guide...
  • Page 444 Routing IP routing 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
  • Page 445 Routing IP routing 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 446: Show The Routing Table

    Type quit to disconnect from the device. Show the routing table To display the routing table:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 447 Routing Show the routing table The Configuration window is displayed. 3. Click Status > Routes. The Network Routing window is displayed. 4. Click IPv4 Load Balance to view IPv4 load balancing. 5. Click IPv6 Load Balance to view IPv6 load balancing. ...
  • Page 448: Dynamic Dns

    Routing Dynamic DNS IPv4 Route Load Balance (%) ---------- ---------------- eth1 75.0 modem 25.0 IPv6 Route Load Balance (%) ---------- ---------------- eth1 75.0 modem 25.0 > You can limit the display to only IPv4 entries by using show route ipv4, or to IPv6 entries by using show route ipv6.
  • Page 449 The amount of time to wait for an IP address update to succeed before retrying the update. The number of times to retry a failed IP address update.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 450 Routing Dynamic DNS New Dynamic DNS configurations are enabled by default. To disable, toggle off Enable. 5. For Interface, select the interface that has its IP address registered with the Dynamic DNS provider. 6. For Service, select the Dynamic DNS provider, or select custom to enter a custom URL for the Dynamic DNS provider.
  • Page 451 Routing Dynamic DNS Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: > config (config)> 3. Add a new Dynamic DNS instance. For example, to add an instance named new_ddns_instance: (config)>...
  • Page 452 Routing Dynamic DNS dnsdynamic.org Default value: custom Current value: custom (config network ddns new_ddns_instance)> service b. Set the service: (config network ddns new_ddns_instance)> service service_name (config network ddns new_ddns_instance)> 6. If custom is configured for service, set the custom URL that should be used to update the IP address with the Dynamic DNS provider: (config network ddns new_ddns_instance)>...
  • Page 453: Virtual Router Redundancy Protocol (Vrrp)

    Routing Virtual Router Redundancy Protocol (VRRP) where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set force_interval to ten minutes, enter either 10m or 600s: (config network ddns new_ddns_instance)> force_interval 600s (config network ddns new_ddns_instance)>...
  • Page 454: Vrrp

    VRRP-enabled devices and dynamically change the VRRP priority of devices based on the status of their network connectivity.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 455 Routing Virtual Router Redundancy Protocol (VRRP) a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > VRRP. 4. For Add VRRP instance, type a name for the VRRP instance and click . The new VRRP instance configuration is displayed.
  • Page 456 Routing Virtual Router Redundancy Protocol (VRRP) 9. (Optional) For Password, type a password that will be used to authenticate this VRRP router with VRRP peers. If the password length exceeds 8 characters, it will be truncated to 8 characters. 10. Configure the virtual IP addresses associated with this VRRP instance: a.
  • Page 457 Routing Virtual Router Redundancy Protocol (VRRP) Current value: (config network vrrp VRRP_test)> interface b. Set the interface, for example: (config network vrrp VRRP_test)> interface /network/interface/eth2 (config network vrrp VRRP_test)> c. Repeat for additional interfaces. 6. Set the router ID. The Router ID must be the same on all VRRP devices that participate in the same VRRP device pool.
  • Page 458: Configure Vrrp

    For backup VRRP devices, enable the ability to monitor the VRRP master, so that a backup device can increase its priority when the master device fails SureLink tests.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 459 Routing Virtual Router Redundancy Protocol (VRRP) a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > VRRP. 4. Create a new VRRP instance, or click to expand an existing VRRP instance. Configure VRRP for information about creating a new VRRP instance.
  • Page 460 Routing Virtual Router Redundancy Protocol (VRRP) 9. For Priority modifier, type or select the amount that the device's priority should be decreased due to SureLink connectivity failure, and increased when SureLink succeeds again. Along with the priority settings for devices in this VRRP pool, the amount entered here should be large enough to automatically demote a master device when SureLink connectivity fails.
  • Page 461 Click to expand Test targets > Test target. v. Configure the test target. For example, to configure SureLink to verify internet connectivity on the LAN by pinging https://remotemanager.digi.com: i. For Test Type, select Ping test. ii. For Ping host, type https://remotemanager.digi.com.
  • Page 462 Routing Virtual Router Redundancy Protocol (VRRP) 3. Create a new VRRP instance, or edit an existing one. See Configure VRRP for information about creating a new VRRP instance. 4. Enable VRRP+: (config)> network vrrp VRRP_test vrrp_plus enable true (config)> 5. Add interfaces to monitor. Generally, this will be a cellular or WAN interface. a.
  • Page 463 Routing Virtual Router Redundancy Protocol (VRRP) 8. Configure the VRRP interface: a. Configure the VRRP interface's DHCP server to use a custom gateway that corresponds to one of the VRRP virtual IP addresses: i. Set the DHCP server gateway type to custom: (config)>...
  • Page 464 Routing Virtual Router Redundancy Protocol (VRRP) (config)> network interface eth2 ipv4 surelink interval 5s (config)> iv. Create a SureLink test target: (config)> add network interface eth2 ipv4 surelink target end (config network interface eth2 ipv4 surelink target 0)> v. Configure the type of test for the test target: (config network interface eth2 ipv4 surelink target 0)>...
  • Page 465: Example: Vrrp/Vrrp+ Configuration

    Routing Virtual Router Redundancy Protocol (VRRP) (Optional) Set the amount of time that the interface can be down before this test is considered to have failed: (config network interface eth2 ipv4 surelink target 0)> interface_down_time value (config network interface eth2 ipv4 surelink target 0)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}.
  • Page 466: Configure Device One (Master Device)

    Configure device one (master device)  Task 1: Configure VRRP on device one 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 467 Routing Virtual Router Redundancy Protocol (VRRP) 3. Click Network > VRRP. 4. For Add VRRP instance, type a name for the VRRP instance and click . The new VRRP instance configuration is displayed. 5. Click Enable. 6. For Interface, select Interface: ETH2. 7.
  • Page 468 Routing Virtual Router Redundancy Protocol (VRRP) 4. Click  to add an interface for monitoring. 5. Select Interface: Modem. 6. For Priority modifier, type 30. Task 3: Configure the IP address for the VRRP interface, ETH2, on device one 1. Click Network > Interfaces > ETH2 > IPv4 2.
  • Page 469 Routing Virtual Router Redundancy Protocol (VRRP) 2. At the command line, type config to enter configuration mode: > config (config)> 3. Create the VRRP instance: (config)> add network vrrp VRRP_test (config network vrrp VRRP_test)> 4. Enable the VRRP instance: (config network vrrp VRRP_test)> enable true (config network vrrp VRRP_test)>...
  • Page 470: Configure Device Two (Backup Device)

    Configure device two (backup device)  Task 1: Configure VRRP on device two 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 471 Routing Virtual Router Redundancy Protocol (VRRP) b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > VRRP. 4.
  • Page 472 Routing Virtual Router Redundancy Protocol (VRRP) 10. Click  to add a virtual IP address. 11. For Virtual IP, type 192.168.3.3. Task 2: Configure VRRP+ on device two 1. Click to expand VRRP+. 2. Click Enable. 3. Click to expand Monitor interfaces. 4.
  • Page 473 Routing Virtual Router Redundancy Protocol (VRRP) 6. For Ping host, type https://remotemanager.digi.com. Task 5: Configure the DHCP server for ETH2 on device two 1. Click to expand Network > Interfaces > ETH2 > IPv4 > DHCP Server 2. For Lease range start, type 200.
  • Page 474 Routing Virtual Router Redundancy Protocol (VRRP) 3. Create the VRRP instance: (config)> add network vrrp VRRP_test (config network vrrp VRRP_test)> 4. Enable the VRRP instance: (config network vrrp VRRP_test)> enable true (config network vrrp VRRP_test)> 5. Set the VRRP interface to ETH2: (config network vrrp VRRP_test)>...
  • Page 475 (config network interface eth2 ipv4 surelink target 0)> test ping (config network interface eth2 ipv4 surelink target 0)> 4. Set https://remotemanager.digi.com as the hostname to ping: (config network interface eth2 ipv4 surelink target 0)> ping_host https://remotemanager.digi.com (config network interface eth2 ipv4 surelink target 0)>...
  • Page 476: Show Vrrp Status And Statistics

    This section describes how to display VRRP status and statistics for an IX20 device. VRRP status is available from the Web UI only.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 477 Routing Virtual Router Redundancy Protocol (VRRP) 3. Click Status > VRRP. The Virtual Router Redundancy Protocol window is displayed.  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 478 Routing Virtual Router Redundancy Protocol (VRRP) ---- Virtual IP address(es) : 10.10.10.1, 100.100.100.1 Current State : Master Current Priority : 100 Last Transition : Tue Jan 1 00:00:39 2019 Became Master Released Master Adverts Sent : 71 Adverts Received Priority Zero Sent Priority zero Received : 0 >...
  • Page 479 Virtual Private Networks (VPN) Virtual Private Networks (VPNs) are used to securely connect two private networks together so that devices can connect from one network to the other using secure channels. This chapter contains the following topics: IPsec OpenVPN Generic Routing Encapsulation (GRE) Dynamic Multipoint VPN (DMVPN) L2TP L2TPv3 Ethernet...
  • Page 480: Ipsec

    Virtual Private Networks (VPN) IPsec IPsec IPsec is a suite of protocols for creating a secure communication link—an IPsec tunnel—between a host and a remote IP network or between two IP networks across a public network such as the Internet. IPsec data protection IPsec protects the data being sent across a public network by providing the following: Data origin authentication...
  • Page 481: Authentication

    Virtual Private Networks (VPN) IPsec Main mode Main mode is the default mode. It is slower than aggressive mode, but more secure, in that all sensitive information sent between the device and its peer is encrypted. Aggressive mode Aggressive mode is faster than main mode, but is not as secure as main mode, because the device and its peer exchange their IDs and hash information in clear text instead of being encrypted.
  • Page 482 Virtual Private Networks (VPN) IPsec Required configuration items IPsec tunnel configuration items: A name for the tunnel. Note If the tunnel name is more than eight characters, the name will be truncated in the underlying network interface to the first six characters followed by three digits, incrementing from 000.
  • Page 483 Configure a static route for information about configuring a static route. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 484 Virtual Private Networks (VPN) IPsec 3. Click VPN > IPsec. 4. Click to expand Tunnels. 5. For Add IPsec tunnel, type a name for the tunnel and click . The new IPsec tunnel configuration is displayed. 6. The IPsec tunnel is enabled by default. To disable, toggle off Enable. 7.
  • Page 485 Virtual Private Networks (VPN) IPsec a. Click to expand Firewall > Packet filtering. b. For Add packet filter, click . c. For Label, type Allow incoming IPsec traffic. d. For Source zone, select IPsec. Leave all other fields at their default settings. 10.
  • Page 486 Virtual Private Networks (VPN) IPsec ii. For Remote key, type the remote pre-shared key. This must be the same as the local key on the remote host. RSA signature: Uses a private RSA key to authenticate with the remote peer. i.
  • Page 487 Virtual Private Networks (VPN) IPsec 19. Click to expand Local endpoint. a. For Type, select either: Default route: Uses the same network interface as the default route. Interface: Select the Interface to be used as the local endpoint. b. Click to expand ID. i.
  • Page 488 Virtual Private Networks (VPN) IPsec i. Click  next to Add Hostname. ii. For Hostname, type a hostname or IPv4 address. If your device is not configured to initiate the IPsec connection (see IKE > Initiate connection), you can also use the keyword any, which means that the hostname is dynamic or unknown.
  • Page 489 Virtual Private Networks (VPN) IPsec b. Click to expand Local traffic selector. c. For Type, select one of the following: Address: The address of a local network interface. For Address, select the appropriate interface. Network: The subnet of a local network interface. For Address, select the appropriate interface.
  • Page 490 Virtual Private Networks (VPN) IPsec i. For Port, type the port matching criteria. Allowed values are a port number, a range of port numbers, or any. 22. Click to expand IKE. a. For IKE version, select either IKEv1 or IKEv2. This setting must match the peer's IKE version.
  • Page 491 Virtual Private Networks (VPN) IPsec h. For Lifetime margin, enter a randomizing amount of time before the IPsec tunnel is renegotiated. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Lifetime margin to ten minutes, enter 10m or 600s. i.
  • Page 492 Virtual Private Networks (VPN) IPsec Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: > config (config)> 3.
  • Page 493 Virtual Private Networks (VPN) IPsec Note Depending on your network configuration, you may need to add a packet filtering rule to allow incoming traffic. For example, for the IPsec zone: a. Type ... to move to the root of the configuration: (config vpn ipsec tunnel ipsec_example)>...
  • Page 494 Virtual Private Networks (VPN) IPsec esp (Encapsulating Security Payload): Provides encryption as well as authentication and integrity. ah (Authentication Header): Provides authentication and integrity only. The default is esp. 9. (Optional) Set the management priority for this IPsec tunnel: (config vpn ipsec tunnel ipsec_example)> mgmt value (config vpn ipsec tunnel ipsec_example)>...
  • Page 495 Virtual Private Networks (VPN) IPsec (config vpn ipsec tunnel ipsec_example)> auth peer_public_key (config vpn ipsec tunnel ipsec_example)> x509: Uses private key and X.509 certificates to authenticate with the remote peer. a. For the private_key parameter, paste the device's private RSA key in PEM format: (config vpn ipsec tunnel ipsec_example)>...
  • Page 496 Virtual Private Networks (VPN) IPsec b. Set the XAUTH client username: (config vpn ipsec tunnel ipsec_example)> xauth_client username name (config vpn ipsec tunnel ipsec_example)> c. Set the XAUTH client password: (config vpn ipsec tunnel ipsec_example)> xauth_client password pwd (config vpn ipsec tunnel ipsec_example)> 12.
  • Page 497 Virtual Private Networks (VPN) IPsec (config vpn ipsec tunnel ipsec_example)> local id type ipv4_id (config vpn ipsec tunnel ipsec_example)> ipv6: The ID will be interpreted as an IPv6 address and sent as an ID_IPV6_ADDR IKE identity. Set an IPv6 formatted ID. This can be a fully-qualified domain name or an IPv6 address.
  • Page 498 Virtual Private Networks (VPN) IPsec round_robin: Attempts to connect to hostnames sequentially based on the list order. random: Randomly selects an IPsec peer to connect to from the hostname list. priority: Selects the first hostname in the list that is resolvable. c.
  • Page 499 Virtual Private Networks (VPN) IPsec keyid: The ID will be interpreted as a Key ID and sent as an ID_KEY_ID IKE identity. Set the key ID: (config vpn ipsec tunnel ipsec_example)> remote id type keyid_id (config vpn ipsec tunnel ipsec_example)> mac_address: The device's MAC address will be used for the Key ID and sent as an ID_KEY_ID IKE identity.
  • Page 500 Virtual Private Networks (VPN) IPsec (config vpn ipsec tunnel ipsec_example)> ike pad false (config vpn ipsec tunnel ipsec_example)> f. Set the amount of time that the IKE security association expires after a successful negotiation and must be re-authenticated: (config vpn ipsec tunnel ipsec_example)> ike phase1_lifetime value (config vpn ipsec tunnel ipsec_example)>...
  • Page 501 Virtual Private Networks (VPN) IPsec ii. Set the type of encryption to use during phase 1: (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> cipher value (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> where value is one of: 3des aes128 aes128gcm128 aes128gcm64...
  • Page 502 Virtual Private Networks (VPN) IPsec ecp224 (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> ii. Set the Diffie-Hellman group type: (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> dh_group value (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> The default is modp2048. v.
  • Page 503 Virtual Private Networks (VPN) IPsec aes128gcm64 aes128gcm96 aes192 aes192gcm128 aes192gcm64 aes192gcm96 aes256 aes256gcm128 aes256gcm64 aes256gcm96 null The default is 3des. iv. Set the type of hash to use during phase 2 to verify communication integrity: (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> hash value (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)>...
  • Page 504 Virtual Private Networks (VPN) IPsec i. Move back one level in the schema: (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> (config vpn ipsec tunnel ipsec_example ike phase2_proposal)> ii. Add an additional proposal: (config vpn ipsec tunnel ipsec_example ike phase2_proposal)> add end (config vpn ipsec tunnel ipsec_example ike phase2_proposal 1)>...
  • Page 505 Virtual Private Networks (VPN) IPsec (config vpn ipsec tunnel ipsec_example nat 0)> dst value (config vpn ipsec tunnel ipsec_example nat 0)> 18. Configure policies that define the network traffic that will be encapsulated by this tunnel: a. Change to the root of the configuration schema: (config vpn ipsec tunnel ipsec_example nat 0)>...
  • Page 506 Virtual Private Networks (VPN) IPsec network: The subnet of a local network interface. Set the network: i. Use the ? to determine available interfaces: (config vpn ipsec tunnel ipsec_example policy 0)> local network ? Interface: The network interface. Format: defaultip defaultlinklocal eth1 eth2...
  • Page 507 Virtual Private Networks (VPN) IPsec udp: Matches UDP protocol only. icmp: Matches ICMP requests only. other: Matches an unlisted protocol. If other is used, set the number of the protocol: (config vpn ipsec tunnel ipsec_example policy 0)> local protocol_other int (config vpn ipsec tunnel ipsec_example policy 0)>...
  • Page 508 Virtual Private Networks (VPN) IPsec b. Use the ? to determine available options: (config)> vpn ipsec advanced ? Advanced: Advanced configuration that applies to all IPsec tunnels. Parameters Current Value --------------------------------------------------------------------- --------- debug none Debug level ike_fragment_size 1280 Maximum IKE fragment size ike_retransmit_tries IKE retransmit tries keep_alive...
  • Page 509: Configure Ipsec Failover

    Virtual Private Networks (VPN) IPsec Configure IPsec failover There are two methods to configure the IX20 device to fail over from a primary IPsec tunnel to a backup tunnel: SureLink active recovery—You can use SureLink along with the IPsec tunnel's metric to configure two or more tunnels so that when the primary tunnel is determined to be inactive by SureLink, a secondary tunnel can begin serving traffic that the primary tunnel was serving.
  • Page 510 Virtual Private Networks (VPN) IPsec Metric: 20 Local endpoint > Interface: ETH2 Remote endpoint > Hostname: 192.168.10.1 In this configuration: 1. Tunnel_1 will normally be used for traffic destined for the 192.168.10.1 endpoint. 2. If pings to 192.168.10.2 fail, SureLink will shut down the tunnel and renegotiate its IPsec connection.
  • Page 511 Virtual Private Networks (VPN) IPsec 1. Configure the primary IPsec tunnel. See Configure an IPsec tunnel for instructions. During configuration of the IPsec tunnel, set the metric to a low value (for example, 10): (config vpn ipsec tunnel IPsecFailoverPrimaryTunnel)> metric 10 (config vpn ipsec tunnel IPsecFailoverPrimaryTunnel)>...
  • Page 512: Configure Surelink Active Recovery For Ipsec

    To configure the IX20 device to regularly probe the IPsec connection: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
  • Page 513 Virtual Private Networks (VPN) IPsec a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
  • Page 514 Virtual Private Networks (VPN) IPsec 7. (Optional) Change the Test interval between connectivity tests. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Interval to ten minutes, enter 10m or 600s. The default is 15 minutes.
  • Page 515 Virtual Private Networks (VPN) IPsec The Interface address. The Interface DNS server. Ping payload size: The number of bytes to send as part of the ping payload. DNS test: Performs a DNS query to the named DNS server. If DNS test is selected, complete the following: DNS server: The IP address of the DNS server.
  • Page 516 Virtual Private Networks (VPN) IPsec Test interface: The interface to test. IP version: The type of IP connection, one of: Any: Either the IPv4 or IPv6 connection must be up. Both: Both the IPv4 and IPv6 connections must be up. IPv4: The IPv4 connection must be up.
  • Page 517 Virtual Private Networks (VPN) IPsec SureLink test failures: The number of failures for this recovery action to perform, before moving to the next recovery action. Override wait interval before performing the next recovery action: The time to wait before the next test is run. If set to the default value of 0s, the Test interval is used.
  • Page 518 Virtual Private Networks (VPN) IPsec Override wait interval before performing the next recovery action: The time to wait before the next test is run. If set to the default value of 0s, the Test interval is used. f. Repeat for each additional recovery action. 13.
  • Page 519 Virtual Private Networks (VPN) IPsec 4. Enable SureLink: (config vpn ipsec tunnel ipsec_example)> surelink enable true (config vpn ipsec tunnel ipsec_example)> 5. By default, the Test DNS servers configured for this interface test is automatically configured and enabled. This tests communication with DNS servers that are either provided by DHCP, or statically configured for this interface.
  • Page 520 Virtual Private Networks (VPN) IPsec interface_gateway. If set, an initial traceroute is sent to the hostname or IP address configured in the SureLink advanced settings, and then the first hop in that route is used for the ping test. interface_address. interface_dns: The interface's DNS server.
  • Page 521 Virtual Private Networks (VPN) IPsec Set the amount of time to wait for the interface to connect for the first time before the test is considered to have failed. (config vpn ipsec tunnel ipsec_example surelink tests 1)> interface_timeout value (config vpn ipsec tunnel ipsec_example surelink tests 1)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}.
  • Page 522 Virtual Private Networks (VPN) IPsec /network/interface/defaultip /network/interface/defaultlinklocal /network/interface/eth1 /network/interface/eth2 /network/interface/loopback Current value: (config vpn ipsec tunnel ipsec_example surelink tests 1)> other_interface ii. Set the interface. For example: (config vpn ipsec tunnel ipsec_example surelink tests 1)> other_interface /network/interface/eth1 (config vpn ipsec tunnel ipsec_example surelink tests 1)> Set the type of IP connection: (config vpn ipsec tunnel ipsec_example surelink tests 1)>...
  • Page 523 Virtual Private Networks (VPN) IPsec c. New actions are enabled by default. To disable: (config vpn ipsec tunnel ipsec_example surelink actions 0)> enable false (config vpn ipsec tunnel ipsec_example surelink actions 0)> d. Create a label for the action: (config vpn ipsec tunnel ipsec_example surelink actions 0)> label string (config vpn ipsec tunnel ipsec_example surelink actions 0)>...
  • Page 524 Virtual Private Networks (VPN) IPsec where value is one of: update_routing_table: Increases the interface's metric to change the default gateway. If update_routing_table is selected, complete the following: Set the number of failures for this recovery action to perform, before moving to the next recovery action: (config vpn ipsec tunnel ipsec_example surelink actions 0)>...
  • Page 525 Virtual Private Networks (VPN) IPsec Set the number of failures for this recovery action to perform, before moving to the next recovery action: (config vpn ipsec tunnel ipsec_example surelink actions 0)> test_failures int (config vpn ipsec tunnel ipsec_example surelink actions 0)> The default is 3.
  • Page 526 Virtual Private Networks (VPN) IPsec reboot_device. If reboot_device is selected, complete the following: Set the number of failures for this recovery action to perform, before moving to the next recovery action: (config vpn ipsec tunnel ipsec_example surelink actions 0)> test_failures int (config vpn ipsec tunnel ipsec_example surelink actions 0)>...
  • Page 527 Virtual Private Networks (VPN) IPsec b. Set the test interval between connectivity tests: (config)> vpn ipsec tunnel ipsec_example surelink interval value (config)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set interval to ten minutes, enter either 10m or 600s: (config)>...
  • Page 528: Show Ipsec Status And Statistics

    Virtual Private Networks (VPN) IPsec where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set delayed_start to ten minutes, enter either 10m or 600s: (config)> vpn ipsec tunnel ipsec_example surelink advanced delayed_ start 600s (config)>...
  • Page 529: Debug An Ipsec Configuration

    Virtual Private Networks (VPN) IPsec Log into the IX20 WebUI as a user with full Admin access rights. 1. On the menu, select Status > IPsec. The IPsec page appears. 2. To view configuration details about an IPsec tunnel, click the (configuration) icon in the upper right of the tunnel's status pane.
  • Page 530 Virtual Private Networks (VPN) IPsec 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 531: Configure A Simple Certificate Enrollment Protocol Client

    Virtual Private Networks (VPN) IPsec Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: > config (config)> 3.
  • Page 532 Virtual Private Networks (VPN) IPsec 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 533 Virtual Private Networks (VPN) IPsec 5. Click Enable to enable the SCEP client. 6. For Maximum Polling Time, type the maximum time that the device will poll the SCEP server, when operating in manual mode. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}.
  • Page 534 Virtual Private Networks (VPN) IPsec 14. For Path, type the HTTP URL path required for accessing the certificate authority. You should leave this option at the default of /cgi-bin/pkiclient.exe unless directed by the CA to use another path. 15. For Password, type the challenge password as configured on the SCEP server. 16.
  • Page 535 Virtual Private Networks (VPN) IPsec 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 536 Virtual Private Networks (VPN) IPsec (config network scep_client scep_client_name)> distinguished_name c value (config network scep_client scep_client_name)> c. Set the State or Province: (config network scep_client scep_client_name)> distinguished_name st value (config network scep_client scep_client_name)> d. Set the Locality: (config network scep_client scep_client_name)> distinguished_name l value (config network scep_client scep_client_name)>...
  • Page 537 Virtual Private Networks (VPN) IPsec c. If type is set to url, set the URL that should be used: (config network scep_client scep_client_name)> crl url value (config network scep_client scep_client_name)> 11. Configure certificate renewal: a. To enable the creation of a new private key for renewal requests: (config network scep_client scep_client_name)>...
  • Page 538: Example: Scep Client Configuration With Fortinet Scep Server

    Virtual Private Networks (VPN) IPsec 15. Set the number of days that the certificate enrollment can be renewed, prior to the request expiring. This value is configured on the SCEP server, and is used by the IX20 device to determine when to start attempting to auto-renew an existing certificate. The default is 7. (config network scep_client scep_client_name)>...
  • Page 539 Click OK. IX20 configuration On the IX20 device: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 540 Virtual Private Networks (VPN) IPsec The Configuration window is displayed. 3. Click Network > SCEP Client. 4. For Add clients, enter a name for the SCEP client and click . The new SCEP client configuration is displayed. 5. Click Enable to enable the SCEP client. 6.
  • Page 541 Virtual Private Networks (VPN) IPsec 10. For Password, type the challenge password. This corresponds to the Default enrollment password on the Fortinet server. 11. Click to expand Distinguished Name. 12. Type the value for each appropriate Distinguished Name attribute. The values entered here must correspond to the DN attributes in the Enrollment Request on the Fortinet server.
  • Page 542 Virtual Private Networks (VPN) IPsec (config network scep_client Fortinet_SCEP_client)> server password challenge_password (config network scep_client Fortinet_SCEP_client)> 7. Set Distinguished Name attributes. The values entered here must correspond to the DN attributes in the Enrollment Request on the Fortinet server. a. Set the Domain Component: (config network scep_client Fortinet_SCEP_client)>...
  • Page 543: Show Scep Client Status And Information

    Virtual Private Networks (VPN) IPsec (config network scep_client Fortinet_SCEP_client)> renewable_time integer (config network scep_client Fortinet_SCEP_client)> 9. (Optional) Enable verbose logging in /var/log/scep_client: (config network scep_client Fortinet_SCEP_client)> debug true (config network scep_client Fortinet_SCEP_client)> 10. Save the configuration and apply the change: (config network scep_client Fortinet_SCEP_client)>...
  • Page 544 Virtual Private Networks (VPN) IPsec Enabled : true Client Certificate ------------------ Subject : C=US,ST=MA,L=BOS,O=Digi,OU=IT1,CN=dummy Issuer : CN=TA-SCEP-1-CA Serial : 1100000017A30C8EDD3805EB52000000000017 Expiry : Jun 4 19:05:25 2022 GMT Certificate Authority Certificate {1} ------------------------------------- Subject : C=US,CN=TA-SCEP-1-MSCEP-RA Issuer : CN=TA-SCEP-1-CA Serial : 1100000002A1E755981C0C3F34000000000002...
  • Page 545: Openvpn

    Virtual Private Networks (VPN) OpenVPN OpenVPN OpenVPN is an open-source Virtual Private Network (VPN) technology that creates secure point-to-point or site-to-site connections in routed or bridged configurations. OpenVPN uses a custom security protocol that relies on Secure Socket Layer (SSL) / Transport Layer Security (TLS) for key exchange. It uses standard encryption and authentication algorithms for data privacy and authentication over TCP or UDP.
  • Page 546: Configure An Openvpn Server

    Virtual Private Networks (VPN) OpenVPN OpenVPN managed—The IX20 device creates the interface and then uses its standard configuration to set up the connection (for example, its standard DHCP server configuration). Device only—IP addressing is controlled by the system, not by OpenVPN. Additional OpenVPN information For more information on OpenVPN, see these resources: Bridging vs.
  • Page 547 Access control list configuration to restrict access to the OpenVPN server through the firewall. Additional OpenVPN parameters. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 548 Virtual Private Networks (VPN) OpenVPN 4. For Add, type a name for the OpenVPN server and click . The new OpenVPN server configuration is displayed. The OpenVPN server is enabled by default. To disable, toggle off Enable. 5. For Device type, select the mode used by the OpenVPN server, either: TUN (OpenVPN managed) TAP - OpenVPN managed TAP - Device only...
  • Page 549 Virtual Private Networks (VPN) OpenVPN Username/password only: Uses a username and password for client authentication. You must create an OpenVPN authentication group and user. See Configure an OpenVPN Authentication Group and User for instructions. Certificate and username/password: Uses both certificates and a username and password for client authentication.
  • Page 550 Virtual Private Networks (VPN) OpenVPN 11. (Optional) Click to expand Advanced Options to manually set additional OpenVPN parameters. a. Click Enable to enable the use of additional OpenVPN parameters. b. Click Override if the additional OpenVPN parameters should override default options. c.
  • Page 551 Virtual Private Networks (VPN) OpenVPN 5. If tap or tun are set for device_type: a. Set the IP address and subnet mask of the OpenVPN server. (config vpn openvpn server name)> address ip_address/netmask (config vpn openvpn server name)> b. Set the firewall zone for the OpenVPN server. For TUN device types, this should be set to internal to treat clients as LAN devices.
  • Page 552 Virtual Private Networks (VPN) OpenVPN ii. Set the last address in the range limit: (config vpn openvpn server name)> server_last_ip value (config vpn openvpn server name)> where value is a number between 1 and 255. The number entered here will represent the last client IP address.
  • Page 553 Virtual Private Networks (VPN) OpenVPN iii. Paste the contents of the public key (for example, server.crt) into the value of the server_cert parameter: (config vpn openvpn server name)> server_cert value (config vpn openvpn server name)> iv. Paste the contents of the private key (for example, server.key) into the value of the server_key parameter: (config vpn openvpn server name)>...
  • Page 554 Virtual Private Networks (VPN) OpenVPN Use ... network interface ? to display interface information: (config vpn openvpn server name)> ... network interface ? Interfaces Additional Configuration ------------------------------------------- defaultip Default IP defaultlinklocal Default Link-local IP eth1 ETH1 eth2 ETH2 loopback Loopback modem Modem (config vpn openvpn server name)>...
  • Page 555: Configure An Openvpn Authentication Group And User

    IX20 user authentication for more information about creating authentication groups and users. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 556 Virtual Private Networks (VPN) OpenVPN a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Add an OpenVPN authentication group: a. Click Authentication > Groups. b. For Add Group, type a name for the group (for example, OpenVPN_Group) and click . The new authentication group configuration is displayed.
  • Page 557 Virtual Private Networks (VPN) OpenVPN f. For Tunnel, select an OpenVPN tunnel to which users of this group will have access. g. Repeat to add additional OpenVPN tunnels. 4. Add an OpenVPN authentication user: a. Click Authentication > Users. b. For Add, type a name for the user (for example, OpenVPN_User) and click . c.
  • Page 558 Virtual Private Networks (VPN) OpenVPN Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 559: Configure An Openvpn Client By Using An .Ovpn File

    Configure SureLink active recovery for OpenVPN for information about OpenVPN active recovery. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 560 Virtual Private Networks (VPN) OpenVPN 4. For Add, type a name for the OpenVPN client and click . The new OpenVPN client configuration is displayed. 5. The OpenVPN client is enabled by default. To disable, toggle off Enable. 6. The default behavior is to use an OVPN file for client configuration. To disable this behavior and configure the client manually, click Use .ovpn file to disable.
  • Page 561 Virtual Private Networks (VPN) OpenVPN 3. At the config prompt, type: (config)> add vpn openvpn client name (config vpn openvpn client name)> where name is the name of the OpenVPN server. The OpenVPN client is enabled by default. To disable the client, type: (config vpn openvpn client name)>...
  • Page 562: Configure An Openvpn Client Without Using An .Ovpn File

    Configure SureLink active recovery for OpenVPN for information about OpenVPN active recovery. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 563 Virtual Private Networks (VPN) OpenVPN a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click VPN > OpenVPN > Clients. 4. For Add, type a name for the OpenVPN client and click . The new OpenVPN client configuration is displayed.
  • Page 564 Virtual Private Networks (VPN) OpenVPN 6. The default behavior is to use an OVPN file for client configuration. To disable this behavior and configure the client manually, click Use .ovpn file to disable. 7. For Device type, select the mode used by the OpenVPN server, either TUN or TAP. 8.
  • Page 565 Virtual Private Networks (VPN) OpenVPN (config vpn openvpn client name)> use_file false (config vpn openvpn client name)> 5. Set the mode used by the OpenVPN server: (config vpn openvpn client name)> device_type value (config vpn openvpn client name)> where value is either tun or tap. The default is tun. 6.
  • Page 566: Configure Surelink Active Recovery For Openvpn

    Virtual Private Networks (VPN) OpenVPN 10. (Optional) Set the port used by the OpenVPN server: (config vpn openvpn client name)> port port (config vpn openvpn client name)> The default is 1194. 11. Paste the contents of the CA certificate (usually in a ca.crt file) into the value of the cacert parameter: (config vpn openvpn client name)>...
  • Page 567 To configure the IX20 device to regularly probe the OpenVPN connection: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 568 Virtual Private Networks (VPN) OpenVPN 3. Click VPN > OpenVPN > Clients. 4. Create a new OpenVPN client or select an existing one: To create a new OpenVPN client, see Configure an OpenVPN client by using an .ovpn file or Configure an OpenVPN client without using an .ovpn file.
  • Page 569 Virtual Private Networks (VPN) OpenVPN 10. (Optional) For Response timeout, type the amount of time that the device should wait for a response to a test failure before considering it to have failed. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}.
  • Page 570 Virtual Private Networks (VPN) OpenVPN Test the interface status: Tests the current status of the interface. The test fails if the interface is down. Failing this test implies that all other tests fail. If Test the interface status is selected, complete the following: Down time: The amount of time that the interface is down before the test can be considered to have failed.
  • Page 571 Virtual Private Networks (VPN) OpenVPN Update routing: Uses the Change default gateway action, which increases the interface's metric by 100 to change the default gateway. Restart interface. b. Click . New recovery actions are enabled by default. To disable, click to toggle off Enable. c.
  • Page 572 Virtual Private Networks (VPN) OpenVPN SureLink test failures: The number of failures for this recovery action to perform, before moving to the next recovery action. Override wait interval before performing the next recovery action: The time to wait before the next test is run. If set to the default value of 0s, the Test interval is used.
  • Page 573 Virtual Private Networks (VPN) OpenVPN For example, to set Backoff interval to ten minutes, enter 10m or 600s. The default is 300 seconds. d. Test interface gateway by pinging is used by the Interface gateway Ping test as the endpoint for traceroute to use to determine the interface gateway. The default is 8.8.8.8, and should only be changed if this IP address is not accessible due to networking issues.
  • Page 574 Virtual Private Networks (VPN) OpenVPN c. Create a label for the test: (config vpn openvpn client openvpn_client1 surelink tests 1)> label string (config vpn openvpn client openvpn_client1 surelink tests 1)> d. If the test should apply to IPv6 rather than IPv4, enable IPv6: (config vpn openvpn client openvpn_client1 surelink tests 1)>...
  • Page 575 Virtual Private Networks (VPN) OpenVPN (config vpn openvpn client openvpn_client1 surelink tests 1)> dns_server IP_address (config vpn openvpn client openvpn_client1 surelink tests 1)> http: Uses HTTP(s) GET requests to determine connectivity to the configured web server. If http is set, set the URL of the web server. (config vpn openvpn client openvpn_client1 surelink tests 1)>...
  • Page 576 Virtual Private Networks (VPN) OpenVPN custom_test: Tests the interface with custom commands. If custom_test is set, set the commands to run to perform the test: (config vpn openvpn client openvpn_client1 surelink tests 1)> custom_test_commands "string" (config vpn openvpn client openvpn_client1 surelink tests 1)> tcp_connection: Tests that the interface can reach a destination port on the configured host.
  • Page 577 Virtual Private Networks (VPN) OpenVPN Set the type of IP connection: (config vpn openvpn client openvpn_client1 surelink tests 1)> other_ip_version value (config vpn openvpn client openvpn_client1 surelink tests 1)> where value is one of: any: Either the IPv4 or IPv6 connection must be up. both: Both the IPv4 and IPv6 connections must be up.
  • Page 578 Virtual Private Networks (VPN) OpenVPN e. Set the type of recovery action to reboot_device: (config vpn openvpn client openvpn_client1 surelink actions 0)> action reboot_device (config vpn openvpn client openvpn_client1 surelink actions 0)> Set the number of failures for this recovery action to perform, before moving to the next recovery action: (config vpn openvpn client openvpn_client1 surelink actions 0)>...
  • Page 579 Virtual Private Networks (VPN) OpenVPN (config vpn openvpn client openvpn_client1 surelink actions 0)> The default is 3. Set the amount that the interface's metric should be increased. This should be set to a number large enough to change the routing table to use another default gateway.
  • Page 580 Virtual Private Networks (VPN) OpenVPN (config vpn openvpn client openvpn_client1 surelink actions 0)> The default is 3. Set the time to wait before the next test is run. If set to the default value of 0s, the test interval is used. (config vpn openvpn client openvpn_client1 surelink actions 0)>...
  • Page 581 Virtual Private Networks (VPN) OpenVPN (config vpn openvpn client openvpn_client1 surelink actions 0)> reboot_device. If reboot_device is selected, complete the following: Set the number of failures for this recovery action to perform, before moving to the next recovery action: (config vpn openvpn client openvpn_client1 surelink actions 0)>...
  • Page 582 Virtual Private Networks (VPN) OpenVPN a. Type ... to return to the root of the configuration: (config vpn openvpn client openvpn_client1 surelink actions 0)> ... (config)> b. Set the test interval between connectivity tests: (config)> vpn openvpn client openvpn_client1 surelink interval value (config)>...
  • Page 583 Virtual Private Networks (VPN) OpenVPN (config)> vpn openvpn client openvpn_client1 surelink advanced delayed_start value (config)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set delayed_start to ten minutes, enter either 10m or 600s: (config)>...
  • Page 584: Show Openvpn Server Status And Statistics

    Virtual Private Networks (VPN) OpenVPN Show OpenVPN server status and statistics You can view status and statistics for OpenVPN servers from either the web interface or the command line:  Log into the IX20 WebUI as a user with full Admin access rights. 1.
  • Page 585: Show Openvpn Client Status And Statistics

    Virtual Private Networks (VPN) OpenVPN Show OpenVPN client status and statistics You can view status and statistics for OpenVPN clients from either web interface or the command line:  Log into the IX20 WebUI as a user with full Admin access rights. 1.
  • Page 586 Virtual Private Networks (VPN) OpenVPN 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
  • Page 587: Generic Routing Encapsulation (Gre)

    Enable the device to respond to keepalive packets. Task One: Create a GRE loopback endpoint interface  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 588 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces. 4. For Add Interface, type a name for the GRE loopback endpoint interface and click . 5.
  • Page 589 Type quit to disconnect from the device. Task Two: Configure the GRE tunnel  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 590 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 3. Click VPN > IP Tunnels. 4. For Add IP tunnel, type a name for the GRE tunnel and click . 5. Enable the tunnel. New tunnels are enabled by default. To disable, toggle off Enable. 6.
  • Page 591 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) GRE tunnels are enabled by default. To disable: (config vpn iptunnel gre_example)> enable false (config vpn iptunnel gre_example)> 4. Set the mode: (config vpn iptunnel gre_example)> type value (config vpn iptunnel gre_example)> where value is either: gre: Standard GRE point-to-point protocol.
  • Page 592: Show Gre Tunnels

    Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) Show GRE tunnels To view information about currently configured GRE tunnels:  Log into the IX20 WebUI as a user with full Admin access rights. 1. On the menu, click Status > IP tunnels. The IP Tunnels page appears.
  • Page 593: Example: Gre Tunnel Over An Ipsec Tunnel

    Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) Example: GRE tunnel over an IPSec tunnel The IX20 device can be configured as an advertised set of routes through an IPSec tunnel. This allows you to leverage the dynamic route advertisement of GRE tunnels through a secured IPSec tunnel. The example configuration provides instructions for configuring the IX20 device with a GRE tunnel through IPsec.
  • Page 594 Configuration procedures Configure the IX20-1 device Task one: Create an IPsec tunnel  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 595 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 3. Click VPN > IPsec > Tunnels. 4. For Add IPsec Tunnel, type ipsec_gre1 and click . 5. Click to expand Authentication. 6. For Pre-shared key, type testkey. 7. Click to expand Remote endpoint. 8.
  • Page 596 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE)  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 597 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) Task two: Create an IPsec endpoint interface  1. Click Network > Interface. 2. For Add Interface, type ipsec_endpoint1 and click . 3. For Zone, select Internal. 4. For Device, select Ethernet: loopback. 5.
  • Page 598 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 3. Set the zone to internal: (config network interface ipsec_endpoint1)> zone internal (config network interface ipsec_endpoint1)> 4. Set the device to /network/device/loopback: (config network interface ipsec_endpoint1)> device /network/device/loopback (config network interface ipsec_endpoint1)> 5.
  • Page 599 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 2. Add a GRE tunnel named gre_tunnel1: (config)> add vpn iptunnel gre_tunnel1 (config vpn iptunnel gre_tunnel1)> 3. Set the local endpoint to the IPsec endpoint interface created in Task two (/network/interface/ipsec_endpoint1): (config vpn iptunnel gre_tunnel1)> local /network/interface/ipsec_ endpoint1 (config vpn iptunnel gre_tunnel1)>...
  • Page 600 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 6. For Address, type 172.31.0.1/30 for a virtual IP address on the GRE tunnel. 7. Click Apply to save the configuration and apply the change.  Command line 1. At the command line, type config to enter configuration mode: >...
  • Page 601 Generic Routing Encapsulation (GRE) Configure the IX20-2 device Task one: Create an IPsec tunnel  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 602 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 7. Click to expand Remote endpoint. 8. For Hostname, type public IP address of the IX20-1 device. 9. Click to expand Policies. 10. For Add Policy, click  to add a new policy. 11.
  • Page 603 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) (config vpn ipsec tunnel ipsec_gre2)> auth secret testkey (config vpn ipsec tunnel ipsec_gre2)> 5. Set the remote endpoint to public IP address of the IX20-1 device: (config vpn ipsec tunnel ipsec_gre2)> remote hostname 192.168.100.1 (config vpn ipsec tunnel ipsec_gre2)>...
  • Page 604 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 3. For Zone, select Internal. 4. For Device, select Ethernet: loopback. 5. Click to expand IPv4. 6. For Address, type the IP address of the local GRE tunnel, 172.30.0.2/32. 7. Click Apply to save the configuration and apply the change. ...
  • Page 605 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 6. Save the configuration and apply the change (config vpn ipsec tunnel ipsec_endpoint2)> save Configuration saved. > Task three: Create a GRE tunnel  1. Click VPN > IP Tunnels. 2. For Add IP Tunnel, type gre_tunnel2 and click . 3.
  • Page 606 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 4. Set the remote endpoint to the IP address of the GRE tunnel on IX20-1, 172.30.0.1: (config vpn iptunnel gre_tunnel2)> remote 172.30.0.1 (config vpn iptunnel gre_tunnel2)> 5. Save the configuration and apply the change (config vpn iptunnel gre_tunnel2)>...
  • Page 607: Dynamic Multipoint Vpn (Dmvpn)

    Virtual Private Networks (VPN) Dynamic Multipoint VPN (DMVPN)  Command line 1. At the command line, type config to enter configuration mode: > config (config)> 2. Add an interface named gre_interface2: (config)> add network interface gre_interface2 (config network interface gre_interface2)> 3.
  • Page 608: Configure A Dmvpn Spoke

    Dynamic Multipoint VPN (DMVPN) Configure a DMVPN spoke To configure a DMVPN spoke:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 609 Virtual Private Networks (VPN) Dynamic Multipoint VPN (DMVPN) e. For Key, type a four-octet value that matches the key on the remote endpoint. f. (Optional) Enable keep-alive reply to enable the device to reply to Cisco GRE keep-alive packets. g. (Optional) Enable open routing to enable packets destined for an address which is not explicitly in the routing table to exit the IP tunnel.
  • Page 610 Virtual Private Networks (VPN) Dynamic Multipoint VPN (DMVPN) 5. Configure NHRP: a. Click Network > Routing Services. b. Enable routing services. c. Click to expand NHRP. d. Enable NHRP. e. Click to expand Network. f. Click  to add a network. g.
  • Page 611 Virtual Private Networks (VPN) Dynamic Multipoint VPN (DMVPN) 7. Configure the overlay connection: a. Click Network > Routing services > BGP. b. Enable BGP. c. For AS number, type the autonomous system number for this device. d. For Best path criteria, select Multipath. e.
  • Page 612 Virtual Private Networks (VPN) Dynamic Multipoint VPN (DMVPN) b. Set the type to multipoint: (config vpn iptunnel dmvpn_tunnel)> type multipoint (config vpn iptunnel dmvpn_tunnel)> c. Set the local interface: i. Use the ? to determine available interfaces: (config vpn iptunnel dmvpn_tunnel)> local ? Interface: The network interface.
  • Page 613 Virtual Private Networks (VPN) Dynamic Multipoint VPN (DMVPN) b. And a network interface. For example, to add an interface named dmvpn_tunnel_interface: (config)> add network interface dmvpn_tunnel_interface (config network interface dmvpn_tunnel_interface)> c. Set the zone to internal: (config network interface dmvpn_tunnel_interface)> zone internal (config network interface dmvpn_tunnel_interface)>...
  • Page 614 Virtual Private Networks (VPN) Dynamic Multipoint VPN (DMVPN) f. Set the tunnel to the IP tunnel created above: (config network route service nhrp network 0)> tunnel /vpn/iptunnel/dmvpn_tunnel (config network route service nhrp network 0)> g. Add a next hop server: (config network route service nhrp network 0)>...
  • Page 615: L2Tp

    Virtual Private Networks (VPN) L2TP g. Enable eBGP multihop: (config network route service bgp neighbour 0)> ebgp_multihop true (config network route service bgp neighbour 0)> 9. Repeat to add additional spokes. 10. Save the configuration and apply the change (config)> save Configuration saved.
  • Page 616 Whether to override the default configuration and only use the custom options. Optional configuration data in the format of a pppd options file.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 617 Virtual Private Networks (VPN) L2TP c. For Address, enter the IPv4 address or network that can access the device's service-type. Allowed values are: A single IP address or host name. A network designation in CIDR notation, for example, 192.168.1.0/24. any: No limit to IPv4 addresses that can access the service-type. d.
  • Page 618 Virtual Private Networks (VPN) L2TP i. Enable custom PPP configuration. ii. Enable Override if the custom configuration should override the default configuration and only use the custom options. iii. For Configuration file, paste or type the configuration data in the format of a pppd options file.
  • Page 619 Virtual Private Networks (VPN) L2TP i. Enable custom PPP configuration. ii. Enable Override if the custom configuration should override the default configuration and only use the custom options. iii. For Configuration file, paste or type the configuration data in the format of a pppd options file.
  • Page 620 Virtual Private Networks (VPN) L2TP To limit access to hosts connected through a specified interface on the IX20 device: (config)> add vpn l2tp acl interface end value (config)> Where value is an interface defined on your device. Display a list of available interfaces: Use ...
  • Page 621 Virtual Private Networks (VPN) L2TP ipsec loopback setup (config)> Repeat this step to include additional firewall zones. 5. To add an L2TP access concentrator: a. Add a LAC: (config)> add vpn l2tp lac name (config vpn l2tp lac name)> where name is the name of the LAC.
  • Page 622 Virtual Private Networks (VPN) L2TP i. Use the ? to determine available zones: (config vpn l2tp lac lac_tunnel)> zone ? Zone: The firewall zone assigned to this tunnel. This can be used by packet filtering rules and access control lists to restrict network traffic on this tunnel.
  • Page 623 Virtual Private Networks (VPN) L2TP (config)> add vpn l2tp lns lns_server (config vpn l2tp lns lns_server)> LACs are enabled by default. To disable: (config vpn l2tp lns lns_server)> enable false (config vpn l2tp lns lns_server)> b. Set the IP address of the L2TP access concentrator that this server will allow connections from: (config vpn l2tp lns lns_server)>...
  • Page 624 Virtual Private Networks (VPN) L2TP f. (Optional) Set the metric for the tunnel: (config vpn l2tp lns lns_server)> metric int (config vpn l2tp lns lns_server)> where int is an integer between 0 and 65535. The default is 1. g. Set the firewall zone for the tunnel. This is used by packet filtering rules and access control lists to restrict network traffic on the tunnel.
  • Page 625: L2Tp With Ipsec

    Virtual Private Networks (VPN) L2TP iii. Paste or type the configuration data in the format of a pppd options file: (config vpn l2tp lns lns_server)> custom config_file data (config vpn l2tp lns lns_server)> 7. Save the configuration and apply the change (config)>...
  • Page 626 Virtual Private Networks (VPN) L2TP  Command line Show the status of L2TP access connectors from the Admin CLI 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 627: L2Tpv3 Ethernet

    Virtual Private Networks (VPN) L2TPv3 Ethernet > 3. To display details about a specific tunnel: > show l2tp lns name lns_test2 lns_test2 L2TP Access Concentrator Status ------------------------------------ Enabled : true Status : pending > 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 628 Virtual Private Networks (VPN) L2TPv3 Ethernet  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 629 Virtual Private Networks (VPN) L2TPv3 Ethernet 10. Click to expand Sessions. a. For Add Session, type a name for a session carried by the parent tunnel and click . b. For Session ID, type the session identifier for this session. This must match the value for Peer session ID on the remote peer.
  • Page 630 Virtual Private Networks (VPN) L2TPv3 Ethernet 5. Set the interface of the local endpoint: i. Use the ? to determine available interfaces: (config vpn l2tpeth L2TPv3_example)> local ? Local endpoint: The local network interface to connect to peer device. Format: /network/interface/defaultip /network/interface/defaultlinklocal /network/interface/eth1...
  • Page 631 Virtual Private Networks (VPN) L2TPv3 Ethernet c. (Optional) To calculate and check the UDP checksum: (config vpn l2tpeth L2TPv3_example)> udp_checksum true (config vpn l2tpeth L2TPv3_example)> 9. Add a session carried by the parent tunnel: (config vpn l2tpeth L2TPv3_example)> add session session_example (config vpn l2tpeth L2TPv3_example session_example)>...
  • Page 632: Show L2Tpv3 Tunnel Status

    Virtual Private Networks (VPN) L2TPv3 Ethernet both: Add a sequence number to each outgoing packet, and reorder packets if they are received out of order. The default is none. 16. Save the configuration and apply the change (config)> save Configuration saved. >...
  • Page 633: Macsec

    Virtual Private Networks (VPN) MACsec Local IP : 4.3.2.1 Remote IP : 10.10.10.1 Tunnel ID : modem Peer Tunnel ID : 10.10.10.1 === 4.3.2.1 Session ID : 255 Peer Session ID : 1476 Lifetime (Actual) : 600 Device : le_test_test RX Packets : 2,102 RX Bytes...
  • Page 634 Virtual Private Networks (VPN) MACsec 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 635 Virtual Private Networks (VPN) MACsec 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 636: Nemo

    Virtual Private Networks (VPN) NEMO 8. Save the configuration and apply the change (config)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. NEMO Network Mobility (NEMO) is a mobile networking technology that provides access to one or more Local Area Networks (LANs) on your device.
  • Page 637 If the local network is set to Interface, identify the local interface to be used.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 638 Virtual Private Networks (VPN) NEMO 5. For Zone, select Internal. The Internal firewall zone configures the IX20 device to trust traffic going to the tunnel and allows it through the network. 6. For Home agent server IP address, type the IPv4 address of the NEMO home agent. This is provided by your cellular carrier.
  • Page 639 Virtual Private Networks (VPN) NEMO 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 640 Virtual Private Networks (VPN) NEMO Allowed values are any integer between 68 and 1476. 9. Set the Security Parameter Index (SPI) value, which is used in the authentication extension when registering. This should be normally left at the default setting of 256 unless your service provider indicates a different value.
  • Page 641 Virtual Private Networks (VPN) NEMO (config vpn nemo nemo_example)> coaddress address IP_address (config vpn nemo nemo_example)> The default is defaultroute. 12. Set the GRE tunnel local endpoint: a. Set the method to determine the GRE tunnel local endpoint: (config vpn nemo nemo_example)> tun_local type value (config vpn nemo nemo_example)>...
  • Page 642: Show Nemo Status

    Virtual Private Networks (VPN) NEMO 15. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show NEMO status  Log into the IX20 WebUI as a user with full Admin access rights. 1.
  • Page 643 Virtual Private Networks (VPN) NEMO lan1 192.168.2.1/24 Advertized LAN2 192.168.3.1/24 Advertized > 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
  • Page 644 Services This chapter contains the following topics: Allow remote access for web administration and SSH Configure the web administration service Configure SSH access Use SSH with key authentication Configure telnet access Configure DNS WAN bonding Simple Network Management Protocol (SNMP) Location information Modbus gateway System time...
  • Page 645: Allow Remote Access For Web Administration And Ssh

    To allow web administration or SSH for the External firewall zone: Add the External firewall zone to the web administration service  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 646 Services Allow remote access for web administration and SSH 4. For Add Zone, click . 5. Select External. 6. Click Apply to save the configuration and apply the change.  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 647 Services Allow remote access for web administration and SSH  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 648 Services Allow remote access for web administration and SSH 5. Select External. 6. Click Apply to save the configuration and apply the change. IX20 User Guide...
  • Page 649: Configure The Web Administration Service

    Services Configure the web administration service  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 650 The web administration service is enabled by default. To disable the service, or enable it if it has been disabled:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 651 Type quit to disconnect from the device. Configure the service  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 652 Services Configure the web administration service 3. Click Services > Web administration. 4. (Optional) For Port, enter the port number for the service. Normally this should not be changed. 5. Click Access control list to configure access control: To limit access to specified IPv4 addresses and networks: a.
  • Page 653 Services Configure the web administration service 6. Multicast DNS (mDNS) is enabled by default. mDNS is a protocol that resolves host names in small networks that do not have a DNS server. To disable mDNS, or enable it if it has been disabled, click Enable mDNS.
  • Page 654 Services Configure the web administration service 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 655 Services Configure the web administration service eth1 ETH1 eth2 ETH2 loopback Loopback modem Modem (config)> Repeat this step to list additional interfaces. To limit access based on firewall zones: (config)> add service web_admin acl zone end value (config)> Where value is a firewall zone defined on your device, or the any keyword. Display a list of available firewall zones: Type ...
  • Page 656 Services Configure the web administration service The private key can use one of the following algorithms: ECDSA ECDH Note Password-protected certificate keys are not supported. Example a. Generate the SSL certificate and private key, for example: # openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem b.
  • Page 657 Services Configure the web administration service -----END PRIVATE KEY-----" (config)> 5. (Optional) Configure Multicast DNS (mDNS): mDNS is a protocol that resolves host names in small networks that do not have a DNS server. mDNS is enabled by default.
  • Page 658 Services Configure the web administration service The default is TLS-1_2. 8. (Optional) Disable legacy port redirection. Legacy port redirection is used to redirect client HTTP requests to the HTTPS service. Legacy port redirection is enabled by default, and normally these settings should not be changed. To disable legacy port redirection: (config)>...
  • Page 659: Configure Ssh Access

    The SSH service is enabled by default. To disable the service, or enable it if it has been disabled:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights.
  • Page 660 Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Configure the service  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. IX20 User Guide...
  • Page 661 Configure SSH access 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
  • Page 662 Services Configure SSH access A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the SSH service. d. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: a.
  • Page 663 Services Configure SSH access Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: > config (config)> 3. Configure access control: To limit access to specified IPv4 addresses and networks: (config)>...
  • Page 664 Services Configure SSH access loopback Loopback modem Modem (config)> Repeat this step to list additional interfaces. To limit access based on firewall zones: (config)> add service ssh acl zone end value (config)> Where value is a firewall zone defined on your device, or the any keyword. Display a list of available firewall zones: Type ...
  • Page 665 Services Configure SSH access To enable the mDNS protocol: (config)> service ssh mdns enable true (config)> To disable the mDNS protocol: (config)> service ssh mdns enable false (config)> 6. (Optional) Set the port number for this service. The default setting of 22 normally should not be changed. (config)>...
  • Page 666 Services Configure SSH access 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
  • Page 667: Use Ssh With Key Authentication

    SSH service to allow SSH access for the External firewall zone.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 668 Services Use SSH with key authentication Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > Users. 4. Select an existing user or create a new user. See User authentication for information about creating a new user.
  • Page 669 Services Use SSH with key authentication key_name is a name for the key. key is a public SSH key, which you can enter by pasting or typing a public encryption key that this user can use for passwordless SSH login. 4.
  • Page 670: Configure Telnet Access

    Enable the telnet service The telnet service is disabled by default. To enable the service:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 671 Type quit to disconnect from the device. Configure the service  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 672 Services Configure telnet access b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > telnet. 4.
  • Page 673 Services Configure telnet access To limit access to hosts connected through a specified interface on the IX20 device: a. Click Interfaces. b. For Add Interface, click . c. For Interface, select the appropriate interface from the dropdown. d. Click  again to allow access through additional interfaces. To limit access based on firewall zones: a.
  • Page 674 Services Configure telnet access Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config)> add service telnet acl interface end value (config)> Where value is an interface defined on your device. Display a list of available interfaces: Use ...
  • Page 675: Configure Dns

    Services Configure DNS internal ipsec loopback setup (config)> Repeat this step to include additional firewall zones. 4. (Optional) Configure Multicast DNS (mDNS) mDNS is a protocol that resolves host names in small networks that do not have a DNS server. mDNS is disabled by default.
  • Page 676 The device is configured by default with the hostname digi.device, which corresponds to the 192.168.210.1 IP address. To configure the DNS server:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 677 Services Configure DNS A single IP address or host name. A network designation in CIDR notation, for example, 192.168.1.0/24. any: No limit to IPv4 addresses that can access the DNS service. d. Click  again to list additional IP addresses or networks. To limit access to specified IPv6 addresses and networks: a.
  • Page 678 Services Configure DNS e. Domain restricts the device's use of this DNS server based on the domain. If no domains are listed, then all queries may be sent to this server. 11. (Optional) To add host names and their IP addresses that the device's DNS server will resolve: a.
  • Page 679 Services Configure DNS Display a list of available interfaces: Use ... network interface ? to display interface information: (config)> ... network interface ? Interfaces Additional Configuration ------------------------------------------- defaultip Default IP defaultlinklocal Default Link-local IP eth1 ETH1 eth2 ETH2 loopback Loopback modem Modem (config)>...
  • Page 680 Services Configure DNS 4. (Optional) Cache negative responses By default, the device's DNS server caches negative responses. Disabling this option may improve performance on networks with transient DNS results, when one or more DNS servers may have positive results. To disable: (config)>...
  • Page 681: Show Dns Server

    Services Configure DNS (config service dns server 0)> domain domain (config service dns server 0)> d. (Optional) Set a label for this DNS server: (config service dns server 0)> label label (config service dns server 0)> 10. (Optional) Add host names and their IP addresses that the device's DNS server will resolve a.
  • Page 682: Wan Bonding

    WAN bonding also provides seamless failover by automatically using multiple pipes within the bonded tunnel. The WAN bonding service for your IX20 device must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. This section contains the following topics:...
  • Page 683: Use Digi Remote Manager To Enable And Configure Wan Bonding On Multiple Devices

    Use Digi Remote Manager to enable and configure WAN bonding on multiple devices Note WAN bonding support must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. You must also set up the WAN bonding server. This can be done using one of three mechanisms: Set up a WAN bonding server on physical hardware or a Virtual Private Server (VPS) in your local environment.
  • Page 684 Services WAN bonding iii. Select for Tunnel password. iv. From the Common value menu, select Require override: e. Configure the device's WAN interfaces that will be bonded: i. Click Network > SD-WAN > WAN bonding > Bonding interfaces. ii. Click  to add an interface. iii.
  • Page 685 Services WAN bonding v. You can change the Mode that the interface will use: Automatic: Automatically sets the mode to Cellular Optimized for Speed-mode for cellular, and Ethernet for non-cellular. This is the default mode. Cellular Optimized for Speed: A general-purpose configuration suitable for most lines (4G, DSL, etc.), with a fair tolerance for packet loss and latency.
  • Page 686: Configure Wan Bonding On Your Local Device

    Configure WAN bonding on your local device Note WAN bonding support must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. You must also set up the WAN bonding server. This can be done using one of three mechanisms: Set up a WAN bonding server on physical hardware or a Virtual Private Server (VPS) in your local environment.
  • Page 687 Additional configuration items The firewall zone for the new bonded interface, if other than External.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 688 4. Toggle on Enable. Note The WAN bonding service must be enabled for this device in Digi Remote Manager. Contact your Digi sales representative for information. 5. For Hostname, type the hostname or IPv4 address of the external server hosting the WAN bonding server.
  • Page 689 > config (config)> 3. Enable the WAN bonding service: (config)> network sdwan wan_bonding enable true (config)> Note The WAN bonding service must be enabled for this device in Digi Remote Manager. Contact your Digi sales representative for information. IX20 User Guide...
  • Page 690 Services WAN bonding 4. Set the hostname or IPv4 address of the external server hosting the WAN bonding service: (config)> network sdwan wan_bonding hostname hostname-or-IPv4-address (config)> 5. (Optional) Set the port number that the external server uses for the WAN bonding connection: (config)>...
  • Page 691 Services WAN bonding i. Set the interface: i. Use the ? to determine available interfaces: (config network sdwan wan_bonding interfaces 0)> interface ? Interface: The network interface. Format: /network/interface/defaultip /network/interface/defaultlinklocal /network/interface/eth1 /network/interface/eth2 /network/interface/loopback Current value: (config network sdwan wan_bonding interfaces 0)> interface ii.
  • Page 692: Show Wan Bonding Status And Statistics

    Services WAN bonding The WAN bonding web interface can be used to view detailed WAN bonding statistics and to fine-tune the WAN bonding process, and is accessed via a web browser at http://ip-address:8088, where ip-address is the IP address of the local IX20 device. (config)>...
  • Page 693 Services WAN bonding Channel #0: : eth1 (eth1) Channel #1: : modem (wwan0.1) > 3. Use the show wan-bonding command to view additional status and statistics: > show wan-bonding verbose WAN Bonding Status ------------------ Tunnel Info ---------------- Status connected Endpoint 133.183.203.237:443 (#0) Network 146.78.40.226/255.255.255.0 gw 146.78.40.1...
  • Page 694: Simple Network Management Protocol (Snmp)

    Services Simple Network Management Protocol (SNMP) Simple Network Management Protocol (SNMP) Simple Network Management Protocol (SNMP) is a protocol for remotely managing and monitoring network devices. Network administrators can use the SNMP architecture to manage nodes, including servers, workstations, routers, switches, hubs, and other equipment on an IP network, manage network performance, find and solve network problems, and plan for network growth.
  • Page 695 Services Simple Network Management Protocol (SNMP) 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 696 Services Simple Network Management Protocol (SNMP) c. For Address, enter the IPv6 address or network that can access the device's SNMP agent. Allowed values are: A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the SNMP agent.
  • Page 697 Services Simple Network Management Protocol (SNMP) 2. At the command line, type config to enter configuration mode: > config (config)> 3. Enable the SNMP agent: (config)> service snmp enable true (config)> 4. Configure access control: To limit access to specified IPv4 addresses and networks: (config)>...
  • Page 698 Services Simple Network Management Protocol (SNMP) eth1 ETH1 eth2 ETH2 loopback Loopback modem Modem (config)> Repeat this step to list additional interfaces. To limit access based on firewall zones: (config)> add service snmp acl zone end value (config)> Where value is a firewall zone defined on your device, or the any keyword. Display a list of available firewall zones: Type ...
  • Page 699: Download Mibs

    Services Simple Network Management Protocol (SNMP) (config)> service snmp port port (config)> 8. (Optional) Configure Multicast DNS (mDNS) mDNS is a protocol that resolves host names in small networks that do not have a DNS server. For the SNMP agent, mDNS is disabled by default. To enable: (config)>...
  • Page 700 Services Simple Network Management Protocol (SNMP) Required configuration items Enable SNMP. To download a .zip archive of the SNMP MIBs supported by this device:  Log into the IX20 WebUI as a user with full Admin access rights. 1. Enable SNMP. Configure Simple Network Management Protocol (SNMP) for information about enabling and configuring SNMP support on the IX20 device.
  • Page 701: Location Information

    Services Location information Location information Your IX20 device can be configured to use the following location sources: In conjunction with the CM07 CORE modem, the modem's internal Global Navigation Satellite System (GNSS) module that provides information about the current location of the device.
  • Page 702: Configure The Location Service

    The location service is enabled by default. You can disable it, or you can enable it if it has been disabled.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 703 Services Location information Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Location update interval to ten minutes, enter 10m or 600s. 6. For information about configuring Location sources, see the following: a.
  • Page 704: Enable Or Disable Modem Gnss Support

    To disable support for the modem's GNSS receiver, or enable it if it has been disabled:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 705 Services Location information 3. Click Services > Location > Location sources > modem. 4. (Optional) Type a Label for the Modem GNSS location source. 5. For Type of location source, leave the selection at Modem GNSS. 6. Click Enable the location source to disable the GNSS receiver, or to enable it if it has been disabled.
  • Page 706: Configure The Device To Use A User-Defined Static Location

    Configure the device to use a user-defined static location You can configure your IX20 device to use a user-defined static location.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 707 Services Location information Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > Location > Location sources. 4. Click  to add a location source. 5. (Optional) Type a Label for this location source. 6.
  • Page 708: Configure The Device To Accept Location Messages From External Sources

    Services Location information The location source is enabled by default. To disable: (config service location source 1)> enable false (config service location source 1)> 4. (Optional) Set a label for this location source: (config service location source 1)> label "label" (config)>...
  • Page 709 Access control list configuration to provide access to the port through the firewall. To configure the device to accept location messages from external sources:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 710 Services Location information To limit access to specified IPv4 addresses and networks: a. Click IPv4 Addresses. b. For Add Address, click . c. For Address, enter the IPv4 address or network that can access the device's location server UDP port. Allowed values are: A single IP address or host name.
  • Page 711 Services Location information (config)> add service location source end (config service location source 1)> 4. (Optional) Set a label for this location source: (config service location source 1)> label "label" (config service location source 1)> 5. Set the type of location source to server: (config service location source 1)>...
  • Page 712 Services Location information Use ... network interface ? to display interface information: (config)> ... network interface ? Interfaces Additional Configuration ------------------------------------------- defaultip Default IP defaultlinklocal Default Link-local IP eth1 ETH1 eth2 ETH2 loopback Loopback modem Modem (config)> Repeat this step to list additional interfaces. To limit access based on firewall zones: (config)>...
  • Page 713: Forward Location Information To A Remote Host

    A vehicle ID that is used in the TAIP ID message and can also be prepended to the forwarded message. Configure the IX20 device to forward location information:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 714 Services Location information c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > Location > Destination servers. 4. For Add destination server, click . 5.
  • Page 715 Services Location information RMC: Reports position, velocity, and time. VTG: Reports direction and speed over ground. 11. For TAIP filters, select the filters that represent the types of messages that will be forwarded. By default, all message types are forwarded. To remove a filter: a.
  • Page 716 Services Location information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 717 Services Location information all remote sources, and all forwarded sentences from remote sources will use the configured Format: Default Default value: Default Current value: Default (config service location forward 0)> ii. Set the talker ID: (config service location forward 0)> talker_id value (config service location forward 0)>...
  • Page 718 Services Location information (config service location forward 0)> label "Remote host 1" (config service location forward 0)> 12. (Optional) Specify types of messages that will be forwarded. Allowed values vary depending on the message protocol type. By default, all message types are forwarded. If the message protocol type is NMEA: Allowed values are: gga: Reports time, position, and fix related data.
  • Page 719: Configure Geofencing

    Services Location information id: Reports the vehicle ID. ln: Long navigation: reports the latitude, longitude, and altitude, the horizontal and vertical speed, and heading. pv: Position/velocity: reports the latitude, longitude, and heading. To remove a message type: a. Use the show command to determine the index number of the message type to be deleted: (config service location forward 0)>...
  • Page 720 Update interval, which determines the amount of time that the geofence should wait between polling for updated location data.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 721 Services Location information d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > Location > Geofence. 4. For Add Geofence, type a name for the geofence and click . The geofence is enabled by default.
  • Page 722 Click  again to add an additional point, and continue adding points to create the desired polygon. For example, to configure a square polygon around the Digi headquarters, configure a polygon with four points: This defines a square-shaped polygon equivalent to the following: 7.
  • Page 723 Services Location information a. Click to expand On entry. b. (Optional) Enable Bootup action to configure the device to perform the On entry actions if the device is inside the geofence when it boots. c. For Number of intervals, type or select the number of Update Intervals that must take place prior to performing the On entry actions.
  • Page 724 Services Location information a. Click to expand On exit. b. (Optional) Enable Bootup action to configure the device to perform the On exit actions if the device is inside the geofence when it boots. c. For Number of intervals, type or select the number of Update Intervals that must take place prior to performing the On exit actions.
  • Page 725 Services Location information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 726 Services Location information longitude int (config service location geofence test_geofence)> where int is: For latitude, any number between -90 and 90, with up to six decimal places. For longitude, any number between -180 and 180, with up to six decimal places.
  • Page 727 For longitude, any number between -180 and 180, with up to six decimal places. Repeat for each vertex of the polygon. For example, to configure a square polygon around the Digi headquarters, configure a polygon with four points: (config service location geofence test_geofence)> add...
  • Page 728 Services Location information 6. Define actions to be taken when the device's location triggers a geofence event: To define actions that will be taken when the device enters the geofence, or is inside the geofence when it boots: a. (Optional) Configure the device to perform the actions if the device is inside the geofence when it boots: (config)>...
  • Page 729 Services Location information (config service location geofence test_geofence on_entry action 0)> where value is either: factory_erase— Erases the device configuration when the action is triggered. script—Executes a custom script when the action is triggered. factory_erase or script. If type is set to script: i.
  • Page 730 Services Location information v. A sandbox is enabled by default to prevent the script from adversely affecting the system. To disable the sandbox: (config service location geofence test_geofence on_entry action 0)> sandbox false (config service location geofence test_geofence on_entry action 0)> If you disable the sandbox, the script may render the system unusable.
  • Page 731 Services Location information where value is either: factory_erase— Erases the device configuration when the action is triggered. script—Executes a custom script when the action is triggered. factory_erase or script. If type is set to script: i. Type or paste the script, closed in quote marks: (config service location geofence test_geofence on_exit action 0)>...
  • Page 732: Show Location Information

    Services Location information (config service location geofence test_geofence on_exit action 0)> sandbox false (config service location geofence test_geofence on_exit action 0)> If you disable the sandbox, the script may render the system unusable. vi. Repeat for any additional actions. 7. Save the configuration and apply the change (config)>...
  • Page 733: Modbus Gateway

    Services Modbus gateway Velocity : 0 meters per second Direction : None Quality : Standard GNSS (2D/3D) UTC Date and Time : Fri, Jan 12, 2024 12:10:00 03 No. of Satellites : 7 > 3. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 734: Configure The Modbus Gateway

    Services Modbus gateway Configure the Modbus gateway Required configuration items Server configuration: Enable the server. Connection type, either socket or serial. If the connection type is socket, the IP protocol to be used. If the connection type is serial, the serial port to be used. Client configuration: Enable the client.
  • Page 735 Whether packets should be delivered to a fixed Modbus address. Whether packets should have their Modbus address adjusted downward before delivery.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 736 Services Modbus gateway Configure gateway servers 1. Click to expand Gateway Servers. 2. For Add Modbus server, type a name for the server and click . The new Modbus gateway server configuration is displayed. 3. The new Modbus gateway server is enabled by default. Toggle off Enable the server to disable.
  • Page 737 Services Modbus gateway To limit access to specified IPv4 addresses and networks: a. Click IPv4 Addresses. b. For Add Address, click . c. For Address, enter the IPv4 address or network that can access the device's web administration service. Allowed values are: A single IP address or host name.
  • Page 738 Services Modbus gateway 3. The new Modbus gateway client is enabled by default. Toggle off Enable the client to disable. 4. For Connection type, select Socket or Serial. Available options in the gateway server configuration vary depending on this setting. If Socket is selected for Connection type: a.
  • Page 739 Services Modbus gateway A single IP address or host name. A network designation in CIDR notation, for example, 192.168.1.0/24. any: No limit to IPv4 addresses that can access the web administration service. d. Click  again to list additional IP addresses or networks. To limit access to specified IPv6 addresses and networks: a.
  • Page 740 Services Modbus gateway 14. For Fixed Modbus server address, if request messages handled by this client should always be forwarded to a specific device, type the device's Modbus address. Leave at the default setting of 0 to allow messages that match the Modbus address filter to be forwarded to devices based on the Modbus address in the message.
  • Page 741 Services Modbus gateway 4. Configure servers: a. Add a server: (config)> add service modbus_gateway server name (config service modbus_gateway server name)> where name is a name for the server, for example: (config)> add service modbus_gateway server test_modbus_server (config service modbus_gateway server test_modbus_server)> The Modbus server is enabled by default.
  • Page 742 Services Modbus gateway where value is any number between 10 milliseconds and one second, and takes the format number{ms|s}. For example, to set idle_gap to 20 milliseconds, enter 20ms. v. Set the amount of time to wait before disconnecting the socket when it has become inactive: (config service modbus_gateway server test_modbus_server)>...
  • Page 743 Services Modbus gateway iii. Set the maximum allowable time between bytes in a packet: (config service modbus_gateway server test_modbus_server)> serial idle_gap value (config service modbus_gateway server test_modbus_server)> where value is any number between 10 milliseconds and one second, and takes the format number{ms|s}.
  • Page 744 Services Modbus gateway where value is either tcp or udp. ii. Set the port: (config service modbus_gateway client test_modbus_client)> socket port (config service modbus_gateway client test_modbus_client)> where port is an integer between 1 and 65535. The default is 502. iii. Set the packet mode: (config service modbus_gateway client test_modbus_client)>...
  • Page 745 Services Modbus gateway If connection_type is set to serial: i. Set the serial port: i. Use the ? to determine available serial ports: (config service modbus_gateway client test_modbus_client)> ... serial port ? Serial Additional Configuration ------------------------------------------------------- ------------------------ port1 Port 1 (config service modbus_gateway client test_modbus_client)>...
  • Page 746 Services Modbus gateway (config service modbus_gateway client test_modbus_client)> broadcast true (config service modbus_gateway client test_modbus_client)> e. Set the maximum time to wait for a response to a message: (config service modbus_gateway client test_modbus_client)> response_timeout value (config service modbus_gateway client test_modbus_client)> Allowed values are between 1 millisecond and 700 milliseconds, and take the format numberms.
  • Page 747: Show Modbus Gateway Status And Statistics

    Services Modbus gateway (config service modbus_gateway client test_modbus_client)> fixed_server_address value (config service modbus_gateway client test_modbus_client)> Leave at the default setting of 0 to allow messages that match the Modbus address filter to be forwarded to devices based on the Modbus address in the message. h.
  • Page 748 Services Modbus gateway Log into the IX20 WebUI as a user with full Admin access rights. 1. On the menu, select Status > Modbus Gateway. The Modbus Gateway page appears. Statistics related to the Modbus gateway server are displayed. If the message Server connections not available is displayed, this indicates that there are no connected clients.
  • Page 749 Services Modbus gateway Configuration Updates Client Configuration Failure Server Configuration Failure Configuration Load Failure Incoming Connections Internal Error Resource Shortages Servers ------- modbus_socket ------------- Client Lookup Errors Incoming Connections Packet Errors RX Broadcasts RX Requests : 12 TX Exceptions TX Responses : 12 Clients -------...
  • Page 750 Services Modbus gateway RX Timeouts TX Broadcasts TX Requests > 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
  • Page 751: System Time

    If t least one upstream NTP server for synchronization. Additional Configuration Options Additional upstream NTP servers.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 752 Services System time d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click System > Time. 4. (Optional) For Timezone, select either UTC or select the location nearest to your current location to set the timezone for your IX20 device.
  • Page 753 Services System time Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: > config (config)> 3. (Optional) Set the timezone for the location of your IX20 device. The default is UTC. (config)>...
  • Page 754 Services System time Note This list is synchronized with the list of servers included with NTP server configuration, and changes made to one will be reflected in the other. See Configure the device as an NTP server for more information about NTP server configuration. 5.
  • Page 755: Manually Set The System Date And Time

    Services Network Time Protocol 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 756: Configure The Device As An Ntp Server

    The time zone setting, if the default setting of UTC is not appropriate. To configure the IX20 device's NTP service:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 757 Services Network Time Protocol 3. Click Services > NTP. 4. Enable the IX20 device's NTP service by clicking Enable. 5. (Optional) Configure the access control list to limit downstream access to the IX20 device's NTP service. To limit access to specified IPv4 addresses and networks: a.
  • Page 758 Services Network Time Protocol Note By default, the access control list for the NTP service is empty, which means that all downstream hosts connected to the IX20 device can use the NTP service. 6. Enable Fall back to local clock to allow the device's local system clock to be used as a backup time source.
  • Page 759 Services Network Time Protocol To delete the default NTP server, time.devicecloud.com: (config)> del service ntp server 0 (config)> To add the NTP server to the beginning of the list, use the index value of 0 to indicate that it should be added as the first server: (config)>...
  • Page 760 Services Network Time Protocol A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the NTP server agent. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config)>...
  • Page 761: Show Status And Statistics Of The Ntp Server

    Services Network Time Protocol dynamic_routes edge external hotspot internal ipsec loopback setup (config)> Repeat this step to include additional firewall zones. Note By default, the access control list for the NTP service is empty, which means that all downstream hosts connected to the IX20 device can use the NTP service. 7.
  • Page 762: Configure A Multicast Route

    To configure a multicast route:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
  • Page 763 Services Configure a multicast route Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a.
  • Page 764 Services Configure a multicast route 2. At the command line, type config to enter configuration mode: > config (config)> 3. Add the multicast route. For example, to add a route named test: (config)> add service multicast test (config service multicast test)> 4.
  • Page 765: Ethernet Network Bonding

    Create a new network interface for the bonded Ethernet devices, and disable any interfaces associated with those Ethernet devices.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
  • Page 766 Services Ethernet network bonding a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
  • Page 767 Services Ethernet network bonding 7. Add Ethernet devices: a. For Add device, click . b. For Device, select an Ethernet device to participate in the bond pool. c. Repeat for each appropriate Ethernet device. 8. Create a new network interface that is linked to the Ethernet bond: a.
  • Page 768 Services Ethernet network bonding In some cases, the device may be a part of a bridge, in which case you should remove the device from the bridge. See Configure a bridge for more information. 9. Click Apply to save the configuration and apply the change. ...
  • Page 769 Services Ethernet network bonding round-robin: Alternates between bonded devices to provide load balancing as well as fault tolerance. 6. Add Ethernet devices: a. Use the ? to determine available devices: (config network bond eth_bond)> ... network device ? Additional Configuration --------------------------------------------------------------------- ------- eth1...
  • Page 770: Enable Service Discovery (Mdns)

    Multicast DNS mDNS is a protocol that resolves host names in small networks that do not have a DNS server. You can enable the IX20 device to use mDNS.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 771 Services Enable service discovery (mDNS) 3. Click Services > Service Discovery (mDNS). 4. Enable the mDNS service. 5. Click Access control list to configure access control: To limit access to specified IPv4 addresses and networks: a. Click IPv4 Addresses. b. For Add Address, click . c.
  • Page 772 Services Enable service discovery (mDNS) 6. Click Apply to save the configuration and apply the change.  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 773 Services Enable service discovery (mDNS) Use ... network interface ? to display interface information: (config)> ... network interface ? Interfaces Additional Configuration ------------------------------------------- defaultip Default IP defaultlinklocal Default Link-local IP eth1 ETH1 eth2 ETH2 loopback Loopback modem Modem (config)> Repeat this step to list additional interfaces. To limit access based on firewall zones: (config)>...
  • Page 774: Use The Mqtt Broker Service

    Whether to allow clients that have no client ID to connect. Whether to replace the client's ID with its username.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 775 Services Use the MQTT broker service Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > MQTT broker. 4. Click Enable. 5. (Optional) For Port, type the port number for the MQTT broker to listen for incoming connections.
  • Page 776 Services Use the MQTT broker service To limit access to hosts connected through a specified interface on the IX20 device: a. Click Interfaces. b. For Add Interface, click . c. For Interface, select the appropriate interface from the dropdown. d. Click  again to allow access through additional interfaces. To limit access based on firewall zones: a.
  • Page 777 Services Use the MQTT broker service Deny v. Click  again to add additional topics. e. Click  again to add additional clients. 12. Click to expand Encryption. 13. For Type, select either None or PSK. If PSK is selected: a.
  • Page 778 Services Use the MQTT broker service Read/write Deny e. Click  again to add additional topics. 15. Click Apply to save the configuration and apply the change.  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 779 Services Use the MQTT broker service To limit access to hosts connected through a specified interface on the IX20 device: (config)> add service mqtt acl interface end value (config)> Where value is an interface defined on your device. Display a list of available interfaces: Use ...
  • Page 780 Services Use the MQTT broker service ipsec loopback setup (config)> Repeat this step to include additional firewall zones. 6. Enable the system to write MQTT debug messages to the system log: (config)> service mqtt debug true (config)> 7. Enable connections from clients that do not provide a username: (config)>...
  • Page 781 Services Use the MQTT broker service The topic. The single-level wildcard, +. The multi-level wildcard, #. iii. Set the access type to apply to the topic: (config service mqtt client 0 topic_acl 0)> access value (config service mqtt client 0 topic_acl 0)> where value is one of: deny read...
  • Page 782 Services Use the MQTT broker service c. Set the pre-shared keys: i. Add a pre-shared key: (config)> add service mqtt encryption psk end (config service mqtt encryption psk 0)> ii. Set the identity sent to the client: (config service mqtt encryption psk 0)> identity value (config service mqtt encryption psk 0)>...
  • Page 783 Services Use the MQTT broker service d. Set the access type to apply to the topic: (config service mqtt topic_acl anonymous 0)> access value (config service mqtt topic_acl anonymous 0)> where value is one of: deny read readwrite write The default is readwrite. e.
  • Page 784: Show Mqtt Broker Information

    Services Use the MQTT broker service readwrite write The default is readwrite. e. Add additional topics: (config service mqtt topic_acl pattern 0)> add ..pattern end (config service mqtt topic_acl pattern 1)> f. Repeat the above steps to set the topic and access type. 13.
  • Page 785: Use The Iperf Service

    Services Use the iPerf service Totals ------ Bytes sent : 158400 Bytes received : 4500 Messages sent Messages received : 0 Clients ------- Total Maximum Connected Disconnected Expired Subscriptions ------------- Total Shared Message Store ------------- Bytes : 151 Messages : 35 Retained messages : 40 PUBLISH Messages ----------------...
  • Page 786 To enable the iPerf3 server:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 787 Services Use the iPerf service 3. Click Services > iPerf. 4. Click Enable. 5. (Optional) For IPerf Server Port, type the appropriate port number for the iPerf server listening port. 6. (Optional) Click to expand Access control list to restrict access to the iPerf server: To limit access to specified IPv4 addresses and networks: a.
  • Page 788 Services Use the iPerf service d. Click  again to allow access through additional firewall zones. 7. Click Apply to save the configuration and apply the change.  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 789 Services Use the iPerf service Where value is an interface defined on your device. Display a list of available interfaces: Use ... network interface ? to display interface information: (config)> ... network interface ? Interfaces Additional Configuration ------------------------------------------- defaultip Default IP defaultlinklocal Default Link-local IP eth1...
  • Page 790: Example Performance Test Using Iperf3

    IP address, interfaces, and/or zones. To enable the iPerf3 server:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. IX20 User Guide...
  • Page 791 Configure the ping responder service 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
  • Page 792 Services Configure the ping responder service A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the ping responder. d. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: a.
  • Page 793 Services Configure the ping responder service A single IP address or host name. A network designation in CIDR notation, for example, 192.168.1.0/24. any: No limit to IPv4 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to specified IPv6 addresses and networks: (config)>...
  • Page 794: Example Performance Test Using Iperf3

    Services Configure the ping responder service Type ... firewall zone ? at the config prompt: (config)> ... firewall zone ? Zones: A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists. Additional Configuration -------------------------------------------------------- -----------------------...
  • Page 795 Services Configure the ping responder service 8.00-9.00 33.5 MBytes 281 Mbits/sec 1.60 MBytes 9.00-10.00 33.2 MBytes 279 Mbits/sec 1.60 MBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bandwidth...
  • Page 796 Applications The IX20 supports Python 3.6 and provides you with the ability to run Python applications on the device interactively or from a file. You can also specify Python applications and other scripts to be run each time the device system restarts, at specific intervals, or at a specified time. This chapter contains the following topics: Develop Python applications The use(led) function...
  • Page 797: Develop Python Applications

    The IX20 features a standard Python 3.6 distribution. Python is a dynamic, object-oriented language for developing software applications, from simple programs to complex embedded applications. Digi offers the Digi IoT PyCharm Plugin to help you while writing, building, and testing your application. Create and test a Python application.
  • Page 798: Set Up The Ix20 For Python Development

    Applications Develop Python applications Set up the IX20 for Python development 1. Access the IX20 local web interface a. Use an Ethernet cable to connect the IX20 to your local laptop or PC. The factory default IP address is 192.168.2.1 b.
  • Page 799 Develop Python applications Develop an application in PyCharm The Digi IoT PyCharm Plugin allows you to write, build and run Python applications for Digi devices in a quick and easy way. See the Digi XBee PyCharm IDE Plugin User Guide for details.
  • Page 800 Applications Develop Python applications Example: Configure a custom port to listen for incoming socket connections The following example Python script configures a custom port, port 9999, to accept incoming socket connections. You will also need to add a custom firewall rule to accept the incoming traffic on this port. Example script import socket import socketserver...
  • Page 801 Create a custom firewall rule  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 802: Python Modules

    Applications Develop Python applications 6. Click Apply to save the configuration and apply the change.  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 803 Applications Develop Python applications LEDs: digidevice.led SMS: digidevice.sms GPS: digidevice.location Digi Remote Manager: digidevice.datapoint digidevice.device_request digidevice.name Device configuration: digidevice.config Command line interface: digidevice.cli Access runtime database: digidevice.runt Set the maintenance window: digidevice.maintenance Use the Python serial module, pySerial, to access the serial ports.
  • Page 804 4. Execute a CLI command using the cli.execute(command) function. For example, to print the system status and statistics to stdout using the show system command: >>> response = cli.execute("show system") >>> >>> print (response) Model : Digi IX20 Serial Number : IX20xxxxxxxxyyyyxx : IX20 Hostname : IX20...
  • Page 805 5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Use digidevice.datapoint to upload custom datapoints to Digi Remote Manager Use the datapoint Python module to upload custom datapoints to Digi Remote Manager. The following characteristics can be defined for a datapoint:...
  • Page 806 Applications Develop Python applications Tuple of latitude, longitude and altitude Description (optional) Quality (optional) An integer describing the quality of the data point For example, to use an interactive Python session to upload datapoints related to velocity, temperature, and the state of the emergency door: 1.
  • Page 807 Help for using Python to upload custom datapoints to Remote Manager Get help for uploading datapoints to your Digi Remote Manager account by accessing help for datapoint.upload and datapoint.upload_multiple: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions >...
  • Page 808 Applications Develop Python applications upload(stream_id:str, data, *, description:str=None, timestamp:float=None, units:str=None, geo_location:Tuple[float, float, float]=None, quality:int=None, data_type:digidevice.datapoint.DataType=None, timeout:float=None) 5. Use the help command with datapoint.upload_multiple: >>> help(datapoint.upload_multiple) Help on function upload_multiple in module digidevice.datapoint: upload_multiple(datapoints:List[digidevice.datapoint.DataPoint], timeout:float=None) 6. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Use digidevice.config for device configuration Use the config Python module to access and modify the device configuration.
  • Page 809 Applications Develop Python applications network.interface.lan1.enable=true network.interface.lan1.ipv4.address=192.168.2.1/24 network.interface.lan1.ipv4.connection_monitor.attempts=3 b. Print a list of available interfaces: >>> cfg = config.load() >>> interfaces = cfg.get("network.interface") >>> print(interfaces.keys()) This returns the following: ['defaultip', 'defaultlinklocal', 'lan1', 'loopback', 'wan1', 'wwan1', 'wwan2'] c. Print the IPv4 address of the LAN interface: >>>...
  • Page 810 5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Use Python to respond to Digi Remote Manager SCI requests The device_request Python module allows you to interact with Digi Remote Manager by using Remote Manager's Server Command Interface (SCI), a web service that allows users to access information and perform commands that relate to their devices.
  • Page 811 Ctrl-D. You can also exit the session using exit() or quit(). Task two: Create and send an SCI request from Digi Remote Manager The second step in using the device_request module is to create an SCI request that Remote Manager will forward to the device.
  • Page 812 Applications Develop Python applications d. Click Add. e. Click OK. 3. Click Examples > SCI > Data Service > Send Request. Code similar to the following will be displayed in the HTTP message body text box: <sci_request version="1.0"> <data_service> <targets> <device id="00000000-00000000-0000FFFF-A83CF6A3"/>...
  • Page 813 This can be done from either the WebUI or the command line:  i. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. ii. Access the device configuration: Remote Manager: i.
  • Page 814 Applications Develop Python applications The Configuration window is displayed. iii. Click System > Scheduled tasks > Custom scripts. iv. Click  to add a custom script. v. For Label, type Show system application. vi. For Run mode, select On boot. vii.
  • Page 815 Applications Develop Python applications iii. Add an application entry: (config)> add system schedule script end (config system schedule script 0)> Scheduled scripts are enabled by default. To disable: (config system schedule script 0)> enable false (config system schedule script 0)> iv.
  • Page 816 Applications Develop Python applications Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell. ii. Type the following at the shell prompt: # python /etc/config/scripts/showsystem.py & iii. Exit the shell: # exit 4.
  • Page 817 Applications Develop Python applications : Digi IX20 Serial Number : IX20-000068 Hostname : IX20 : 00:40:D0:13:35:36 Hardware Version : 50001959-01 A Firmware Version : 23.12.1.56 Bootloader Version Firmware Build Date : Fri, Jan 12, 2024 12:10:00 Schema Version : 461...
  • Page 818 </sci_request> Help for using Python to respond to Digi Remote Manager SCI requests Get help for responding to Digi Remote Manager Server Command Interface (SCI) requests by accessing help for digidevice.device_request: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions >...
  • Page 819 Applications Develop Python applications encoding:str='UTF-8') Use the help command with device_request.unregister: >>> help(device_request.unregister) Help on function unregister in module digidevice.device_request: unregister(target:str) -> bool 5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Use digidevice runtime to access the runtime database Use the runt submodule to access and modify the device runtime database.
  • Page 820 Applications Develop Python applications b. Print available keys for the system key: >>> print(runt.keys("system")) This will return the following: ['boot_count', 'chassis', 'cpu_temp', 'cpu_usage', 'disk', 'load_avg', 'local_time', 'mac', 'mcu', 'model', 'ram', 'serial', 'uptime'] c. Use the get() method to print the device's MAC address: >>>...
  • Page 821 Use Python to upload the device name to Digi Remote Manager The name submodule can be used to upload a custom name for your device to Digi Remote Manager. When you use the name submodule to upload a custom device name to Remote Manager, the...
  • Page 822 As a result, support for this functionality is disabled by default on Remote Manager. Enable support on Digi Remote Manager for uploading custom device names 1. In Remote Manager, click API Explorer. 2. For the HTTP method, select PUT.
  • Page 823 Develop Python applications Help for uploading the device name to Digi Remote Manager Get help for uploading the device name to Digi Remote Manager by accessing help for digidevice.name: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions >...
  • Page 824 Applications Develop Python applications Type "help", "copyright", "credits" or "license" for more information. >>> 3. Import the location submodule: >>> from digidevice import location 4. Use the valid_fix object to determine if the device has a valid fix: >>> loc = location.Location() >>>...
  • Page 825 Applications Develop Python applications Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell. 2. At the shell prompt, use the python command with no parameters to enter an interactive Python session: # python Python 3.10.1 (main, Mar 30 2023, 23:47:13) [GCC 11.2.0] on linux...
  • Page 826 Applications Develop Python applications 5. Print the location data in json format: >>> geojson_data = location.Location().geojson >>> print(json.dumps(geojson_data, indent=4)) "type": "Feature", "geometry": { "type": "Point", "coordinates" [ 44.926195299999998, -93.397084499999999, 273.20001200000002 "properties": { "direction": "None", "horizontal_velocity": "0.0", "latitude.deg_min_sec": "44* 54' 45.586\" N", "longitude.deg_min_sec": "93* 33' 52.334\"...
  • Page 827 Applications Develop Python applications Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell. 2. At the shell prompt, use the python command with no parameters to enter an interactive Python session: # python Python 3.10.1 (main, Mar 30 2023, 23:47:13) [GCC 11.2.0] on linux...
  • Page 828 Applications Develop Python applications 4. To determine the current service state of the device: >>> maintenance.state() 'IN_SERVICE' >>> 5. To set the device to out of service: >>> maintenance.out_of_service() >>> maintenance.state() 'OUT_OF_SERVICE' >>> 6. To set the device to in service: >>>...
  • Page 829 Applications Develop Python applications DESCRIPTION API for setting the device's service state. The service state is stored in runt. 5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). The digidevice led submodule Use the led submodule to redefine the purpose of any front-panel LED on the IX20 device.
  • Page 830: The Use(Led) Function

    Applications The use(led) function Available LED states State Attribute name Solid on State.ON State.OFF Flash State.FLASH Use Python to set the state of LEDs The following example uses an interactive Python session to set the state of all LEDs to flashing: 1.
  • Page 831: Releasing The Leds To System Control

    Applications Releasing the LEDs to system control Releasing the LEDs to system control During a Python interactive session, or from within a Python script, you can release control of the LED from Python to system control using the led.release() method. If the Python script or session terminates prior to releasing control to the system, the LEDs will continue to have the state that Python set to them, until the device is rebooted.
  • Page 832 Applications Use Python to control the color of multi-colored LEDs LED attribute name Color State Led.COM Blue flashing Led.ETH Led.ONLINE FLASH Led.COM White Led.ETH Led.ONLINE Led.COM White flashing FLASH Led.ETH FLASH Led.ONLINE FLASH Led.COM Yellow Led.ETH Led.ONLINE Led.COM Yellow flashing FLASH Led.ETH FLASH...
  • Page 833: Example: Set The Lte Connection Indicator To Flashing Purple

    SMS scripting. Enable the ability to schedule SMS scripting  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
  • Page 834 Applications Use Python to control the color of multi-colored LEDs a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
  • Page 835 Applications Use Python to control the color of multi-colored LEDs 2. At the command line, type config to enter configuration mode: > config (config)> 3. At the config prompt, type: (config)> system schedule sms_script_handling true (config)> 4. Save the configuration and apply the change (config)>...
  • Page 836 Applications Use Python to control the color of multi-colored LEDs passed.") # acquire the semaphore and wait until a callback occurs COND.acquire() try: COND.wait(60.0) except Exception as err: print("exception occurred while waiting") print(err) COND.release() my_callback.unregister_callback() Example script using digidevice.sms to send CLI commands The following example script listens for an incoming SMS message from a specific phone number (2223334444) and then executes the SMS message as a CLI command.
  • Page 837 Applications Use Python to control the color of multi-colored LEDs if len(sys.argv) > 1: dest = sys.argv[1] else: dest = allowed_incoming_phone_number my_callback = Callback(sms_test_callback, metadata=True) #send_sms(dest, 'Ready to receive incoming SMS message') print("Waiting up to 60 seconds for incoming SMS message") # acquire the semaphore and wait until a callback occurs COND.acquire() try:...
  • Page 838 Applications Use Python to control the color of multi-colored LEDs >>> s = serial.Serial("/dev/serial/port1", 115200) >>> s.write(b"Hello from serial port") >>> 6. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Use the Paho MQTT python library Your IX20 device includes support for the Paho MQTT python library.
  • Page 839 Applications Use Python to control the color of multi-colored LEDs try: urllib.request.urlretrieve(fw_uri, fname) except: print("Failed to download FW file from URI {}".format(fw_uri)) return HTTPStatus.NOT_FOUND try: ret = cli.execute("system firmware update file " + fname, 60) except: print("Failed to run firmware update command") return HTTPStatus.INTERNAL_SERVER_ERROR if not "Firmware update completed"...
  • Page 840 Applications Use Python to control the color of multi-colored LEDs Supported commands: - "fw-update" params: - "uri": "<firmware_file_URL>" - "reboot" params: """ try: m = json.loads(msg.payload) cid = m["cid"] cmd = m["cmd"] try: payload = m["params"] except: payload = None except: print("Invalid command format: {}".format(msg.payload)) if not cid:...
  • Page 841: Set Up The Ix20 To Automatically Run Your Applications

    Applications Set up the IX20 to automatically run your applications "disk_usage": { "/opt": disk_opt, "/etc/config:": disk_config, "ram": ram_used client.publish(PREFIX_EVENT + "/system", json.dumps(msg)) runt.start() serial = runt.get("system.serial") PREFIX = "router/" + serial PREFIX_EVENT = "event/" + PREFIX PREFIX_CMD = "cmd/" + PREFIX PREFIX_RSP = "rsp/"...
  • Page 842 Applications Set up the IX20 to automatically run your applications Select whether the script should run: When the device boots. At a specified time. At a specified interval. During system maintenance. Additional configuration items If the script is a Python application, include the full path to the script. A label used to identify the script.
  • Page 843 Applications Set up the IX20 to automatically run your applications 4. Browse to the location of the script on your local machine. Select the file and click Open to upload the file. The file is uploaded to the /etc/config/scripts directory. ...
  • Page 844 Applications Set up the IX20 to automatically run your applications 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 845 Applications Set up the IX20 to automatically run your applications Custom scripts are enabled by default. To disable, toggle off Enable. 5. (Optional) For Label, provide a label for the script. 6. For Run mode, select the mode that will be used to run the script. Available options are: On boot: The script will run once each time the device boots.
  • Page 846 Applications Set up the IX20 to automatically run your applications 9. For Maximum memory, enter the maximum amount of memory available to be used by the script and its subprocesses, using the format number{b|bytes|KB|k|MB|MB|M|GB|G|TB|T}. 10. Sandbox is enabled by default, which restricts access to the file system and available commands that can be used by the script.
  • Page 847 Applications Set up the IX20 to automatically run your applications boot: The script will run once each time the device boots. If boot is selected, set the action that will be taken when the script completes: (config system schedule script 0)> exit_action action (config system schedule script 0)>...
  • Page 848 Applications Set up the IX20 to automatically run your applications (config system schedule script 0)> commands python "/etc/config/scripts/test.py" (config system schedule script 0)> If the script begins with #!, then the script will be invoked in the location specified by the path for the script command.
  • Page 849: Show Script Information

    Applications Set up the IX20 to automatically run your applications 12. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show script information You can view status and statistics about location information from either the WebUI or the command line.
  • Page 850 Applications Set up the IX20 to automatically run your applications  Log into the IX20 WebUI as a user with full Admin access rights. 1. At the Status page, click Scripts. The Scripts page displays: 2. For scripts that are currently running, click Stop Script to stop the script. ...
  • Page 851: Start An Interactive Python Session

    >>> help("digidevice") Help on package digidevice: NAME digidevice - Digi device python extensions DESCRIPTION This module includes various extensions that allow Python to interact with additional features offered by the device. 4. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit().
  • Page 852 Applications Run a Python application at the shell prompt 1. Upload the Python application to the IX20 device:  Log into the IX20 WebUI as a user with full Admin access rights. a. On the menu, click System. Under Administration, click File System. The File System page appears.
  • Page 853: Configure Scripts To Run Manually

    Applications Configure scripts to run manually For example: To upload a script from a remote host with an IP address of 192.168.4.1 to the /etc/config/scripts directory on the IX20 device, issue the following command: > scp host 192.168.4.1 user admin remote /home/admin/bin/test.py local /etc/config/scripts/ to local admin@192.168.4.1's password: adminpwd test.py...
  • Page 854 Applications Configure scripts to run manually Log into the IX20 WebUI as a user with full Admin access rights. 1. On the menu, click System. Under Administration, click File System. The File System page appears. 2. Highlight the scripts directory and click  to open the directory. 3.
  • Page 855: Task Two: Configure The Application To Run Automatically

    This feature does not provide syntax or error checking. Certain commands can render the device inoperable. Use with care.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 856 Applications Configure scripts to run manually 3. Click System > Scheduled tasks > Custom scripts. 4. For Add Script, click . The script configuration window is displayed. Custom scripts are enabled by default. To disable, toggle off Enable. 5.
  • Page 857 Applications Configure scripts to run manually 10. Sandbox is enabled by default, which restricts access to the file system and available commands that can be used by the script. This option protects the script from accidentally destroying the system it is running on. 11.
  • Page 858 Applications Configure scripts to run manually If a Python script is being used, include the full path to the Python script and enclose in quotation marks. For example: (config system schedule script 0)> commands python "/etc/config/scripts/test.py" (config system schedule script 0)> If the script begins with #!, then the script will be invoked in the location specified by the path for the script command.
  • Page 859: Start A Manual Script

    Applications Start a manual script 12. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Start a manual script You can start a script that is enabled and configured to have a run mode of Manual. ...
  • Page 860 Applications Start a manual script 4. Save the configuration and apply the change (config)> save Configuration saved. > 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
  • Page 861 User authentication This chapter contains the following topics: IX20 user authentication User authentication methods Authentication groups Local users Terminal Access Controller Access-Control System Plus (TACACS+) Remote Authentication Dial-In User Service (RADIUS) LDAP Configure serial authentication Disable shell access Set the idle timeout for IX20 users Example user configuration
  • Page 862: Ix20 User Authentication

    User authentication IX20 user authentication IX20 user authentication User authentication on the IX20 has the following features and default configuration: Default Feature Description configuration Idle timeout 10 minutes Determines how long a user session can be idle before the system automatically disconnects. Allow shell If disabled, prevents all authentication prohibits access to Enabled...
  • Page 863 User authentication User authentication methods Local users: Users are authenticated on the local device. RADIUS: Users are authenticated by using a remote RADIUS server. See Remote Authentication Dial-In User Service (RADIUS) for information about configuring RADIUS authentication. TACACS+: Users are authenticated by using a remote TACACS+ server. See Terminal Access Controller Access-Control System Plus (TACACS+) for information about configuring TACACS+ authentication.
  • Page 864: Add A New Authentication Method

    The types of authentication method to be used: To add an authentication method:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 865 User authentication User authentication methods 4. For Add Method, click . 5. Select the appropriate authentication type for the new method from the Method drop-down. Note Authentication methods are attempted in the order they are listed until the first successful authentication result is returned. See Rearrange the position of authentication methods for information about how to reorder the authentication methods.
  • Page 866: Delete An Authentication Method

    Type quit to disconnect from the device. Delete an authentication method  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager:...
  • Page 867 User authentication User authentication methods a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
  • Page 868: Rearrange The Position Of Authentication Methods

    To reorder these so that RADIUS is first and Local users is second: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 869 User authentication User authentication methods Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click to expand the first Method. 4. In the Method drop-down, select RADIUS. 5. Click to expand the second Method. 6.
  • Page 870: Authentication Groups

    User authentication Authentication groups 1 radius (config)> 4. Use the move command to rearrange the methods: (config)> move auth method 1 0 (config)> 5. Use the show command again to verify the change: (config)> show auth method 0 radius 1 local (config)>...
  • Page 871 User authentication Authentication groups The preconfigured authentication groups cannot be deleted, but the access rights defined for the group are configurable. This section contains the following topics: Change the access rights for a predefined group Add an authentication group Delete an authentication group
  • Page 872: Change The Access Rights For A Predefined Group

    By default, two authentication groups are predefined: admin and serial. To change the access rights of the predefined groups:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 873 User authentication Authentication groups Read-only access provides users of this group with read-only access to the WebUI and Admin CLI. The default is Full access. Serial access Interactive shell access Shell access is not available if the Allow shell parameter has been disabled. See Disable shell access for more information about the Allow shell parameter.
  • Page 874: Add An Authentication Group

    Access rights to captive portals, and the portals to which they have access. Access rights to query the device for Nagios monitoring. To add an authentication group:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights.
  • Page 875 User authentication Authentication groups 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
  • Page 876 User authentication Authentication groups 5. Click the following options, as appropriate, to enable or disable access rights for each: Admin access For groups assigned Admin access, you can also determine whether the Access level should be Full access or Read-only access. where value is either: Full access full: provides users of this group with the ability to manage the IX20 device by using the WebUI or the Admin CLI.
  • Page 877 User authentication Authentication groups 10. (Optional) Enable users that belong to this group to query the device for Nagios monitoring by checking the box next to Nagios access. 11. (Optional) Enable users that belong to this group to access the Wi-Fi scanning service by checking the box next to Wi-Fi scanner access.
  • Page 878 User authentication Authentication groups Serial access: (config auth group test)> acl serial enable true (config)> 5. (Optional) Configure captive portal access: a. Return to the config prompt by typing three periods (...): (config auth group test)> ... (config)> b. Enable captive portal access rights for users of this group: (config)>...
  • Page 879: Delete An Authentication Group

    To delete an authentication group that you have created:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 880 User authentication Authentication groups 5. Click Apply to save the configuration and apply the change.  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 881: Local Users

    User authentication Local users Local users Local users are authenticated on the device without using an external authentication mechanism such as TACACS+ or RADIUS. Local user authentication is enabled by default, with one preconfigured default user. Default user At manufacturing time, each IX20 device comes with a default user configured as follows: Username: admin.
  • Page 882: Change A Local User's Password

    Local users Change a local user's password To change a user's password:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 883 User authentication Local users If the admin user's password has been changed from the default and the configuration saved, clearing the password field for the admin user will erase the device's configuration and reset it to the default configuration. You can also change the password for the active user by clicking the user name in the menu bar: The active user must have full Admin access rights to be able to change the password.
  • Page 884: Configure A Local User

    User authentication Local users 4. Save the configuration and apply the change (config)> save Configuration saved. > 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Configure a local user Required configuration items A username.
  • Page 885 User authentication Local users  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 886 User authentication Local users The user is enabled by default. To disable, toggle off Enable. 5. (Optional) For Username alias, type an alias for the user. Because the name used to create the user cannot contain special characters such as hyphens (-) or periods (.), an alias allows the user to log in using a name that contains special characters.
  • Page 887 User authentication Local users Note Every user must be configured with at least one group. You can add multiple groups to a user by clicking Add again and selecting the next group. 9. (Optional) Add SSH keys for the user to use passwordless SSH login: a.
  • Page 888 User authentication Local users i. Click Scratch codes. ii. For Add Code, click . iii. For Code, enter the scratch code. The code must be eight digits, with a minimum of 10000000. iv. Click  again to add additional scratch codes. 11.
  • Page 889 User authentication Local users b. Set the amount of time that the user is locked out after the number of unsuccessful login attempts defined in lockout tries: (config auth user new_user)> lockout duration value (config auth user new_user)> where value is any number of minutes, or seconds, and takes the format number{m|s}. For example, to set duration to ten minutes, enter either 10m or 600s: (config auth user new_user)>...
  • Page 890 User authentication Local users a. Change to the user's ssh_key node: (config auth user new_user)> ssh_key (config auth user new_user ssh_key)> b. Add the key by using the ssh_key command and pasting or typing a public encryption key that this user can use for passwordless SSH login: (config auth user new_user ssh_key)>...
  • Page 891 User authentication Local users For example, to set refresh_interval to ten minutes, enter either 10m or 600s: (config auth user name 2fa)> refresh_interval 600s (config auth user name 2fa)> The default is 30s. g. Configure the valid code window size. This represents the allowed number of concurrently valid codes.
  • Page 892: Delete A Local User

    Delete a local user To delete a user from your IX20:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 893 User authentication Local users 4. Click the menu icon (...) next to the name of the user to be deleted and select Delete. 5. Click Apply to save the configuration and apply the change.  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 894: Terminal Access Controller Access-Control System Plus (Tacacs+)

    User authentication Terminal Access Controller Access-Control System Plus (TACACS+) Terminal Access Controller Access-Control System Plus (TACACS+) Your IX20 device supports Terminal Access Controller Access-Control System Plus (TACACS+), a networking protocol that provides centralized authentication and authorization management for users who connect to the device. With TACACS+ support, the IX20 device acts as a TACACS+ client, which sends user credentials and connection parameters to a TACACS+ server over TCP.
  • Page 895: Tacacs+ User Configuration

    User authentication Terminal Access Controller Access-Control System Plus (TACACS+) TACACS+ user configuration When configured to use TACACS+ support, the IX20 device uses a remote TACACS+ server for user authentication (password verification) and authorization (assigning the access level of the user). Additional TACACS+ servers can be configured as backup servers for user authentication.
  • Page 896: Tacacs+ Server Failover And Fallback To Local Authentication

    User authentication Terminal Access Controller Access-Control System Plus (TACACS+) Error: Unrecognised token on line 1 5. Restart the TACACS+ server: $ sudo /etc/init.d/tacacs_plus restart TACACS+ server failover and fallback to local authentication In addition to the primary TACACS+ server, you can also configure your IX20 device to use backup TACACS+ servers.
  • Page 897 The TACACS+ server port. It is configured to 49 by default. Add additional TACACS+ servers in case the first TACACS+ server is unavailable.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 898 User authentication Terminal Access Controller Access-Control System Plus (TACACS+) c. (Optional) Change the default Port setting to the appropriate port. Normally this should be left at the default setting of port 49. d. For Secret, type the TACACS+ server's shared secret. This is configured in the key parameter of the TACACS+ server's tac_plus.conf file, for example: key = testing123 Note...
  • Page 899 User authentication Terminal Access Controller Access-Control System Plus (TACACS+) 11. Click Apply to save the configuration and apply the change.  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 900 User authentication Terminal Access Controller Access-Control System Plus (TACACS+) 8. Add a TACACS+ server: a. Add the server: (config)> add auth tacacs+ server end (config auth tacacs+ server 0)> b. Enter the TACACS+ server's IP address or hostname: (config auth tacacs+ server 0)> hostname hostname|ip-address (config auth tacacs+ server 0)>...
  • Page 901: Remote Authentication Dial-In User Service (Radius)

    User authentication Remote Authentication Dial-In User Service (RADIUS) Remote Authentication Dial-In User Service (RADIUS) Your IX20 device supports Remote Authentication Dial-In User Service (RADIUS), a networking protocol that provides centralized authentication and authorization management for users who connect to the device.
  • Page 902: Radius User Configuration

    User authentication Remote Authentication Dial-In User Service (RADIUS) RADIUS user configuration When configured to use RADIUS support, the IX20 device uses a remote RADIUS server for user authentication (password verification) and authorization (assigning the access level of the user). Additional RADIUS servers can be configured as backup servers for user authentication. This section outlines how to configure a RADIUS server to be used for user authentication on your IX20 device.
  • Page 903: Configure Your Ix20 Device To Use A Radius Server

    60 seconds. Enable additional debug messages from the RADIUS client.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 904 User authentication Remote Authentication Dial-In User Service (RADIUS) Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > RADIUS > Servers. 4. Add RADIUS servers: a. For Add server, click . b.
  • Page 905 User authentication Remote Authentication Dial-In User Service (RADIUS) value is used: If you are accessing the IX20 device by using the WebUI, the default value for NAS ID is httpd. If you are accessing the IX20 device by using ssh, the default value is sshd. 8.
  • Page 906: Ldap

    User authentication LDAP default value is used: If you are accessing the IX20 device by using the WebUI, the default value for NAS ID is httpd. If you are accessing the IX20 device by using ssh, the default value is sshd. (config)>...
  • Page 907 User authentication LDAP authentication and authorization management for users who connect to the device. With LDAP support, the IX20 device acts as an LDAP client, which sends user credentials and connection parameters to an LDAP server. The LDAP server then authenticates the LDAP client requests and sends back a response message to the device.
  • Page 908: Ldap User Configuration

    User authentication LDAP LDAP user configuration When configured to use LDAP support, the IX20 device uses a remote LDAP server for user authentication (password verification) and authorization (assigning the access level of the user). Additional LDAP servers can be configured as backup servers for user authentication. This section outlines how to configure an LDAP server to be used for user authentication on your IX20 device.
  • Page 909: Ldap Server Failover And Fallback To Local Configuration

    User authentication LDAP cn: John Smith sn: Smith uid: john ou: admin serial LDAP server failover and fallback to local configuration In addition to the primary LDAP server, you can also configure your IX20 device to use backup LDAP servers. Backup LDAP servers are used for authentication requests when the primary LDAP server is unavailable.
  • Page 910 User authentication LDAP 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 911 User authentication LDAP c. (Optional) Change the default Port setting to the appropriate port. Normally this should be left at the default setting of port 389 for non-TLS and 636 for TLS. d. (Optional) Click  again to add additional LDAP servers. 5.
  • Page 912 User authentication LDAP c. Select LDAP for the new method from the Method drop-down. Authentication methods are attempted in the order they are listed until an authentication response, either pass or fail, is received. If Authoritative is enabled (see above), non-authoritative methods are not attempted.
  • Page 913 User authentication LDAP The default is true. 6. Set the distinguished name (DN) that is used to bind to the LDAP server and search for users. Leave this option unset if the server allows anonymous connections. (config)> auth ldap bind_dn dn_value (config)>...
  • Page 914: Configure Serial Authentication

    Configure serial authentication This section describes how to configure authentication for serial access.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 915 User authentication Configure serial authentication Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > Serial. 4. (Optional) For TLS identity certificate, paste a TLS certificate and private key in PEM format. If empty, the certificate for the web administration service is used.
  • Page 916 User authentication Configure serial authentication 2. At the command line, type config to enter configuration mode: > config (config)> 3. (Optional) Paste a TLS certificate and private key in PEM format: (config)> auth serial identity "cert-and-private-key" (config)> 4. Set the method used to verify the certificate of a remote peer: (config)>...
  • Page 917: Disable Shell Access

    If shell access is disabled, re-enabling it will erase the device's configuration and perform a factory reset.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 918: Set The Idle Timeout For Ix20 Users

    User authentication Set the idle timeout for IX20 users 4. Click to disable Allow shell. Note If shell access is disabled, re-enabling it will erase the device's configuration and perform a factory reset. 5. Click Apply to save the configuration and apply the change. ...
  • Page 919 User authentication Set the idle timeout for IX20 users 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 920 User authentication Set the idle timeout for IX20 users 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 921: Example User Configuration

    Goal: To create a user with administrator rights who is authenticated locally on the device.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 922 User authentication Example user configuration 4. In Add User: enter a name for the user and click . The user configuration window is displayed. 5. Enter a Password for the user. 6. Assign the user to the admin group: a. Click Groups. b.
  • Page 923 User authentication Example user configuration 2. At the command line, type config to enter configuration mode: > config (config)> 3. Verify that the admin group has full administrator rights: (config)> show auth group admin acl admin enable true level full (config)>...
  • Page 924: Example 2: Radius, Tacacs+, And Local Authentication For One User

    User authentication Example user configuration (config auth user adminuser)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Example 2: RADIUS, TACACS+, and local authentication for one user Goal: To create a user with administrator rights who is authenticated by using all three authentication methods.
  • Page 925 The authentication group on the IX20 device, admin, is identified in the groupname parameter. c. Save and close the tac_plus.conf file. 3. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 4. Access the device configuration:...
  • Page 926 User authentication Example user configuration a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
  • Page 927 User authentication Example user configuration 6. Create the local user: a. Click Authentication > Users. b. In Add User:, type admin1 and click . c. For password, type password1. d. Assign the user to the admin group: i. Click Groups. ii.
  • Page 928 User authentication Example user configuration In this example: The user's username is admin1. The user's password is password1. The authentication group on the IX20 device, admin, is identified in the Unix-FTP- Group-Names parameter. c. Save and close the users file. 2.
  • Page 929 User authentication Example user configuration b. Add RADIUS authentication to the beginning of the list: (config)> add auth method 0 radius (config)> c. Add TACACS+ authentication in second place in the list: (config)> add auth method 1 tacacs+ (config)> d. Verify that authentication will occur in the correct order: (config)>...
  • Page 930 User authentication Example user configuration 8. Save the configuration and apply the change (config auth user adminuser)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 931 Firewall This chapter contains the following topics: Firewall configuration Port forwarding rules Packet filtering Configure custom firewall rules Configure captive portals Configure Quality of Service options Web filtering
  • Page 932: Firewall Configuration

    To create a zone:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 933 Firewall Firewall configuration c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Firewall > Zones. 4. In Add Zone, enter a name for the zone and click . The firewall configuration window is displayed.
  • Page 934: Configure The Firewall Zone For A Network Interface

    This example procedure uses an existing network interface named ETH2 and changes the firewall zone from the default zone, Internal, to External.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 935 Firewall Firewall configuration a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces > ETH2. 4. For Zone, select External. 5. Click Apply to save the configuration and apply the change. ...
  • Page 936: Delete A Custom Firewall Zone

    Delete a custom firewall zone You cannot delete preconfigured firewall zones. To delete a custom firewall zone:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 937: Port Forwarding Rules

    Firewall Port forwarding rules 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 938 A white list of devices, based on either IP address or firewall zone, that are authorized to leverage this forwarding rule. To configure a port forwarding rule:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 939 Firewall Port forwarding rules Port forwarding rules are enabled by default. To disable, toggle off Enable. 5. (Optional) Type a Label that will be used to identify the rule. 6. For Interface, select the network interface for the rule. Network connections will only be forwarded if their destination address matches the IP address of the selected network interface.
  • Page 940 Firewall Port forwarding rules 2. At the command line, type config to enter configuration mode: > config (config)> 3. At the config prompt, type: (config)> add firewall dnat end (config firewall dnat 0)> Port forwarding rules are enabled by default. To disable the rule: (config firewall dnat 0)>...
  • Page 941 Firewall Port forwarding rules (config firewall dnat 0)> port port (config firewall dnat 0)> 7. Set the type of internet protocol. (config firewall dnat 0)> protocol value (config firewall dnat 0)> Network connections will only be forwarded if they match the selected protocol. Allowed values are custom, tcp, tcpudp, or udp.
  • Page 942: Delete A Port Forwarding Rule

    Delete a port forwarding rule To delete a port forwarding rule:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 943 Firewall Port forwarding rules d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Firewall > Port forwarding. 4. Click the menu icon (...) next to the appropriate port forwarding rule and select Delete. 5.
  • Page 944 Firewall Port forwarding rules label IPv4 port forwarding rule port 10000 protocol tcp to_address6 10.10.10.10 to_port 10001 no address6 no zone enable false interface ip_version ipv6 label IPv6 port forwarding rule port 10002 protocol tcp to_address6 c097:4533:bd63:bb12:9a6f:5569:4b53:c29a to_port 10003 (config)> 4.
  • Page 945: Packet Filtering

    ICMP ICMP6 To configure a packet filtering rule:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 946 Firewall Packet filtering d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Firewall > Packet filtering. To create a new packet filtering rule, for Add packet filter, click . To edit the default packet filtering rule or another existing packet filtering rule, click to expand the rule.
  • Page 947 Firewall Packet filtering 8. For Source zone, select the firewall zone that will be monitored by this rule for incoming connections from network interfaces that are a member of this zone. See Firewall configuration for more information about firewall zones. 9. For Destination zone, select the firewall zone. Packets destined for network interfaces that are members of this zone will either be accepted, rejected or dropped by this rule.
  • Page 948 Firewall Packet filtering Packet filtering rules are enabled by default. To disable the rule: (config firewall filter 1)> enable false (config firewall filter 1)> 3. (Optional) Set the label for the rule. (config firewall filter 1)> label "My filter rule" (config firewall filter 1)>...
  • Page 949: Enable Or Disable A Packet Filtering Rule

    Enable or disable a packet filtering rule To enable or disable a packet filtering rule:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 950 Firewall Packet filtering 3. Click Firewall > Packet filtering. 4. Click the appropriate packet filtering rule. 5. Click Enable to toggle the rule between enabled and disabled. 6. Click Apply to save the configuration and apply the change.  Command line 1.
  • Page 951: Delete A Packet Filtering Rule

    Delete a packet filtering rule To delete a packet filtering rule:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 952 Firewall Packet filtering 3. Click Firewall > Packet filtering. 4. Click the menu icon (...) next to the appropriate packet filtering rule and select Delete. 5. Click Apply to save the configuration and apply the change.  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 953: Configure Custom Firewall Rules

    To configure custom firewall rules:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 954 Firewall Configure custom firewall rules 3. Click Firewall > Custom rules. 4. Enable the custom rules. 5. (Optional) Enable Override to override all preconfigured firewall behavior and rely solely on the custom firewall rules. 6. For Rules, type the shell command that will execute the custom firewall rules script. 7.
  • Page 955 Firewall Configure custom firewall rules 6. Save the configuration and apply the change (config)> save Configuration saved. > 7. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. IX20 User Guide...
  • Page 956: Configure Captive Portals

    Captive portals are available on the IX20W Wi-Fi-enabled model only. To configure captive portals:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 957 Firewall Configure captive portals 4. For Add captive portal:, enter a name for the portal and click . The captive portal configuration window is displayed. The captive portal is enabled by default. To disable, toggle off Enable. 5. For Interface, select the network interface for the portal. Traffic received on this interface's network device will not be forwarded unless the client has been granted access.
  • Page 958 Firewall Configure captive portals 13. Click Apply to save the configuration and apply the change.  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 959 Firewall Configure captive portals (config firewall portal portal1)> timeout value (config firewall portal portal1)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set Session timeout to ten minutes, enter either 10m or 600s: (config firewall portal portal1)>...
  • Page 960: Delete Captive Portals

    Type quit to disconnect from the device. Delete captive portals To delete captive portals:  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 961: Configure Quality Of Service Options

    Firewall Configure Quality of Service options 3. Click Firewall > Captive portals. 4. Click the down caret () next to the appropriate captive portal and select Delete. 5. Click Apply to save the configuration and apply the change.  Command line 1.
  • Page 962 These example bindings are disabled by default. Enable the preconfigured bindings  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 963 Firewall Configure Quality of Service options 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 964 Type quit to disconnect from the device. Create a new binding  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 965 Firewall Configure Quality of Service options 5. Enable the binding. 6. (Optional) Type a Label for the binding. 7. Select an Interface to queue egress packets on. The binding will only match traffic that is being sent out on this interface. 8.
  • Page 966 Firewall Configure Quality of Service options f. Select Default to identify this policy as a fall-back policy. The fall-back policy will be used for traffic that is not matched by any other policy. If there is no default policy associated with this binding, packets that do not match any policy rules will be dropped.
  • Page 967 Firewall Configure Quality of Service options IPv4 address: Only traffic destined for the IP address typed in IPv4 address will be matched. Use the format IPv4_address[/netmask], or use any to match any IPv4 address. IPv6 address: Only traffic destined for the IP address typed in IPv6 address will be matched.
  • Page 968 Firewall Configure Quality of Service options (config firewall qos 2)> interface b. Set the interface. For example: (config firewall qos 2)> interface /network/interface/eth1 (config firewall qos 2)> 6. (Optional) Set the maximum egress bandwidth of the interface, in megabits, allocated to this binding.
  • Page 969 Firewall Configure Quality of Service options (config firewall qos 2 policy 0)> latency int (config firewall qos 2 policy 0)> where int is any integer, 1 or greater. The default is 100. f. To identify this policy as a fall-back policy: (config firewall qos 2 policy 0)>...
  • Page 970 Firewall Configure Quality of Service options vi. Set the source port to define a source traffic matching criteria: (config firewall qos 2 policy 0 rule 0)> srcport value (config firewall qos 2 policy 0 rule 0)> where value is the IP port number, a range of port numbers using the format IP_port- IP_port, or any.
  • Page 971 Firewall Configure Quality of Service options (config firewall qos 2 policy 0 rule 0)> src address value (config firewall qos 2 policy 0 rule 0)> where value uses the format IPv4_address[/netmask], or any to match any IPv4 address. address6: Only traffic from the IP address typed in IPv6 address will be matched.
  • Page 972: Web Filtering

    Firewall Web filtering (config firewall qos 2 policy 0 rule 0)> dst interface /network/interface/eth1 (config firewall qos 2 policy 0 rule 0)> address: Only traffic destined for the IP address typed in IPv4 address will be matched. Set the address that will be matched: (config firewall qos 2 policy 0 rule 0)>...
  • Page 973: Configure Web Filtering With Cisco Umbrella

    5. Click Create. 6. Copy the token. Task two: Configure web filtering  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 974 Firewall Web filtering 3. Click Firewall > Web filtering service. 4. Click Enable web filtering to enable. 5. For Web filtering service, select Cisco Umbrella. 6. Paste the API token that was generated in Task one: Generate a Cisco Umbrella API token.
  • Page 975: Configure Web Filtering With Manual Dns Servers

    Firewall Web filtering 6. Save the configuration and apply the change (config)> save Configuration saved. > 7. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Clear the Cisco Umbrella device ID If the Cisco Umbrella device ID being used by your IX20 is invalid, you can clear the device ID.
  • Page 976 Firewall Web filtering 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 977 Firewall Web filtering 8. For IP address, enter the IP address of the DNS server. 9. (Optional) Repeat for additional DNS servers. 10. Click Apply to save the configuration and apply the change.  Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 978: Verify Your Web Filtering Configuration

    Firewall Web filtering b. Set the web filter service type to manual: (config)> firewall web-filter service manual (config)> c. Add the first DNS server: i. Add the server: (config)> add firewall web-filter server end (config firewall web-filter server 0)> ii. Set the server's IP address: (config firewall web-filter server 0)>...
  • Page 979 See Configure web filtering with manual DNS servers for information about configuring web filtering to use Cisco OpenDNS servers. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 980 Firewall Web filtering 5. Return to the IX20 WebUI and enable web filtering: a. Click Firewall > Web filtering service. b. Click Enable web filtering to enable. c. Click Apply to save the configuration and apply the change. 6. From your browser, attempt to connect to http://www.internetbadguys.com again.
  • Page 981: Show Web Filter Service Information

    Firewall Web filtering 5. Attempt to connect to http://www.internetbadguys.com again:
        $ curl -I www.internetbadguys.com
        HTTP/1.1 403 Forbidden
        Server: openresty/1.9.7.3
        Date: Thu, Jan 11, 2024 12:10:00
        Content-Type: text/html
        Connection: keep-alive
    You should receive an "HTTP/1.1 403 Forbidden" message, as shown above. Show web filter service information To view information about the web filter service: ...
  • Page 982 Linux instances on the same host using the host's Linux kernel. Note Container support must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. This chapter contains the following topics:...
  • Page 983: Use Digi Remote Manager To Deploy And Run Containers

    Use Digi Remote Manager to deploy and run containers Use Digi Remote Manager to deploy and run containers Note Container support must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. 1. In Remote Manager, create a Configuration template. See the Remote Manager User Guide instructions.
  • Page 984 Containers Use Digi Remote Manager to deploy and run containers i. Click Browse and select the container file. ii. Type the Name of the container. The Name entered here must be the same name as the container .tgz file. This is absolutely necessary, otherwise the container file will not be properly configured on the local devices.
  • Page 985 Containers Use Digi Remote Manager to deploy and run containers c. For the Automation step: i. Click to toggle on Enable Scanning. ii. Click to toggle on Remediate. Run a manual configuration scan to apply the container and configuration settings to all applicable devices.
  • Page 986: Use An Automation To Start The Container

    Containers Use Digi Remote Manager to deploy and run containers vi. Click the Stream ID to view container status. To verify by using the show containers command on the local device: a. From the Remote Manager main menu, click  Management >  Devices.
  • Page 987: Upload A New LXC Container

    Containers Upload a new LXC container Run the automation manually. Include the automation in a Configuration template as a post-remediation or post-scan step. When creating or editing a Configuration template, at the Automation page: 1. For Post Remediation Options, click Run Automation and select the automation. 2.
  • Page 988: Configure A Container

    The network gateway. Serial ports on the device that the container will have access to.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 989 Containers Configure a container b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click System > Containers. 4.
  • Page 990 Containers Configure a container 7. Enable Start on boot to configure the container to start when the system boots. a. For Restart timeout, set the amount of time to wait before restarting the container, if the container ever stops. The default timeout of 0s means that if the container stops, it will not be restarted.
  • Page 991 Containers Configure a container 5. By default, the container will use the device's system libraries. To disable: (config system container name)> dal false (config system container name)> 6. If the device will use virtual networking: a. Enable virtual networking: (config system container name)> network true (config system container name)>...
  • Page 992 Containers Configure a container (config system container name)> restart_timeout 600s (config system container name)> The default timeout of 0s means that if the container stops, it will not be restarted. 8. Type any optional parameters for the container: (config system container name)> args parameters (config system container name)>...
  • Page 993: Starting And Stopping The Container

    Authentication groups for information about configuring authentication groups that include shell access. Note Container support must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. Starting the container There are two methods to start containers: Non-persistent: Changes made to the container file system will be lost when the container is stopped.
  • Page 994: Stopping The Container

    Containers View the status of containers 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.
  • Page 995: Show Status Of All Containers

    Containers View the status of containers  Command line Show status of all containers Use the show containers command with no additional arguments to show the status of all containers on the system: 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 996: Schedule A Script To Run In The Container

    1. Start the container in non-persistent mode. 2. Execute a ping command every ten seconds from inside the container.  1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 997 Containers Schedule a script to run in the container 4. For Add Script, click . The script configuration window is displayed. 5. (Optional) For Label, type container_script. 6. For Run mode, select Interval. 7. For Interval, type 10s. 8. For Commands, type the following: lxc container_name /bin/ping -c 1 IP_address For example: lxc test_lxc /bin/ping -c 1 192.168.1.146...
  • Page 998: Create A Custom Container

    In this example, we will use a simple container file named test_lxc.tgz. You can download test_lxc.tgz from the Digi website. At the command line of a Linux host, we will unpack the file, add a simple python script, and create a new container file that includes the python script.
  • Page 999: Create The Custom Container File

    Click Upload New Container. c. From your local file system, select the container file. You can download a simple example container file, test_lxc.tgz, from the Digi website. d. Create Configuration is selected by default. This will create a configuration on the device for the container when it is installed.
  • Page 1000 Containers Create a custom container configuration manually. e. Click Apply. 2. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.
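The custom-container procedure above (unpack test_lxc.tgz on a Linux host, add a Python script, repack) as an added shell example. This is not code from the Digi guide: the downloaded test_lxc.tgz is not available offline, so a minimal stand-in rootfs is constructed in its place, and the assumption that the archive holds a top-level rootfs/ directory, the script path /usr/local/bin, and the function names are all mine. The verify step enforces the rule from page 984 that the archive file name must equal the container Name configured in Remote Manager.

```shell
#!/bin/sh
# Added example (not from the Digi guide): build a custom LXC container archive
# the way the page describes: unpack a base container, add a Python script,
# repack it under a name that matches the container name configured on the device.
# Assumption: test_lxc.tgz is unavailable offline, so a minimal stand-in rootfs
# is constructed here; only the directory layout matters for the procedure.
set -eu

# Constructed stand-in for the unpacked test_lxc.tgz (assumption: the archive
# holds a rootfs/ directory at its top level).
make_base_rootfs() {
  base="$1"
  mkdir -p "$base/rootfs/bin" "$base/rootfs/etc" "$base/rootfs/usr/local/bin"
  printf 'root:x:0:0:root:/root:/bin/sh\n' > "$base/rootfs/etc/passwd"
}

# Drop the Python script into the rootfs where a scheduled
# "lxc <container> /usr/local/bin/<script>" command can find it.
add_python_script() {
  base="$1"; script="$2"
  cat > "$base/rootfs/usr/local/bin/$script" <<'EOF'
#!/usr/bin/env python3
# Constructed sample payload: report what the container sees of its network.
import socket
print("hostname:", socket.gethostname())
EOF
  chmod 0755 "$base/rootfs/usr/local/bin/$script"
}

# Repack. Remote Manager requires the container Name to equal the .tgz file
# name, so the archive is named from the container name, never hand-typed.
pack_container() {
  base="$1"; name="$2"; outdir="$3"
  tar -C "$base" -czf "$outdir/$name.tgz" rootfs
  printf '%s\n' "$outdir/$name.tgz"
}

# Pre-upload check: the naming rule holds and the script is really inside the
# archive. Returns 0 when both are true, 1 otherwise.
verify_container() {
  archive="$1"; name="$2"; script="$3"
  [ "$(basename "$archive" .tgz)" = "$name" ] || return 1
  tar -tzf "$archive" | grep -qx "rootfs/usr/local/bin/$script" || return 1
  return 0
}

# End to end: prints the path of the finished archive.
build_custom_container() {
  name="$1"; script="$2"
  work=$(mktemp -d)
  make_base_rootfs "$work/src"
  add_python_script "$work/src" "$script"
  mkdir -p "$work/out"
  pack_container "$work/src" "$name" "$work/out"
}

# Usage: sh build_container.sh test_lxc hello.py
if [ "$#" -eq 2 ]; then
  build_custom_container "$1" "$2"
fi
```

Run verify_container against the archive before uploading it with Upload New Container; a name mismatch is caught on the host rather than after the template has been pushed to every device in the group.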

This manual is also suitable for:

IX20, IX20W, IX20-PR