IX20
User Guide
Firmware version 23.3

Summary of Contents for Digi IX2127G

  • Page 1 IX20 User Guide Firmware version 23.3...
  • Page 2 Revision history—90002381 Revision Date Description Release of Digi IX20 firmware version 22.2: March 2022 VPN enhancements: Renamed VPN > IPsec > Tunnels > Policies > Local network setting to Local traffic selector and added Remote traffic selector. Added a Dynamic option to the Local traffic...
  • Page 3 Revision Date Description type for the 5G modems. Added WAN Bonding as an add-on feature via Digi Remote Manager for bonding multiple outbound Internet connections together for increased maximum throughput or data redundancy. Surelink enhancements: Enabled Surelink reset_modem action by default on cellular interfaces and set fail count to three.
  • Page 4 Release of Digi IX20 firmware version 22.11: December 2022 Updated the Linux kernel to version 5.19. The intelliFlow feature now integrates with Digi Remote Manager to provide aggregated insights and analytics for all Digi devices in your environment...
  • Page 5 Removed options in the local web UI and Admin CLI for manually starting, stopping, and clearing serial logs. These actions are now controlled under the data logging configuration settings. Release of Digi IX20 firmware version 23.3: May 2023 Surelink: Redesigned Surelink configuration settings.
  • Page 6 Dashboard. Trademarks and copyright Digi, Digi International, and the Digi logo are trademarks or registered trademarks in the United States and other countries worldwide. All other trademarks mentioned in this document are the property of their respective owners.
  • Page 7    Trace (if possible)    Description of issue    Steps to reproduce Contact Digi technical support: Digi offers multiple technical support plans and service packages. Contact us at +1 952.912.3444 or visit us at www.digi.com/support. Feedback To provide feedback on this document, email your comments to techcomm@digi.com...
  • Page 8 Digi IX20 Quick Start Step 1: Connect your device Apply Dielectric Grease over SIM Contacts Step 2: Connect DC power Step 3: Set up access to Digi Remote Manager Step 4: Register your device Step 5: Complete setup Step 6: Configure cellular APN...
  • Page 9 Enable event log upload to Digi Remote Manager Log into Digi Remote Manager Use Digi Remote Manager to view and manage your device Add a device to Digi Remote Manager Configure multiple IX20 devices by using Digi Remote Manager configurations...
  • Page 10 Configure RealPort mode using the Digi Navigator Installation and configuration process Digi Navigator features Install the Digi Navigator Configure RealPort on a Digi device from the Digi Navigator Digi Navigator application features Advanced RealPort configuration without using the Digi Navigator Windows Operating System...
  • Page 11 Show serial status and statistics Review the serial port message log Wi-Fi Wi-Fi configuration Default access point SSID and password Default Wi-Fi configuration Configure the Wi-Fi radio's channel Configure the Wi-Fi radio to support DFS channels in client mode Required configuration items Configure the Wi-Fi radio's band and protocol Configure the Wi-Fi radio's transmit power Configure an open Wi-Fi access point...
  • Page 12 Configure telnet access Configure DNS Show DNS server WAN bonding Use Digi Remote Manager to enable and configure WAN bonding on multiple devices Configure WAN bonding on your local device Show WAN bonding status and statistics Simple Network Management Protocol (SNMP) SNMP Security...
  • Page 13 Enable or disable modem GNSS support Configure the device to use a user-defined static location Configure the device to accept location messages from external sources Forward location information to a remote host Configure geofencing Show location information Modbus gateway Configure the Modbus gateway Show Modbus gateway status and statistics System time Configure the system time...
  • Page 14 Configure web filtering with manual DNS servers Verify your web filtering configuration Show web filter service information Containers Use Digi Remote Manager to deploy and run containers Use an automation to start the container Upload a new LXC container...
  • Page 15 Test the custom container file System administration Review device status Configure system information Update system firmware Manage firmware updates using Digi Remote Manager Certificate management for firmware images Downgrading Dual boot behavior Update cellular module firmware Update modem firmware over the air (OTA)
  • Page 16 Ping to check internet connection 1040 Stop ping commands 1040 Use the traceroute command to diagnose IP routing problems 1040 Digi IX20 regulatory and safety statements RF exposure statement 1042 Federal Communication (FCC) Part 15 Class B 1042 Radio Frequency Interference (RFI) (FCC 15.105)
  • Page 17 Safety warnings English 1048 Bulgarian--български 1049 Croatian--Hrvatski 1050 French--Français 1051 Greek--Ελληνικά 1052 Hungarian--Magyar 1053 Italian--Italiano 1054 Latvian--Latvietis 1055 Lithuanian--Lietuvis 1056 Polish--Polskie 1057 Portuguese--Português 1058 Slovak--Slovák 1059 Slovenian--Esloveno 1060 Spanish--Español 1061 Digi IX20 Certifications International EMC (Electromagnetic Compatibility) and safety standards 1061 Command line interface Access the command line interface...
  • Page 18 Command line reference 1089 analyzer clear 1091 analyzer save 1091 analyzer start 1091 analyzer stop 1091 clear dhcp-lease ip-address 1092 clear dhcp-lease mac 1092 container create 1092 container delete 1092 1092 grep 1093 help 1093 1094 mkdir 1095 modem at 1095 modem at-interactive 1095...
  • Page 19 show l2tpeth 1106 show location 1106 show log 1106 show manufacture 1106 show modbus-gateway 1107 show modem 1107 show mqtt 1107 show nemo 1107 show network 1108 show ntp 1108 show openvpn client 1108 show openvpn server 1108 show route 1109 show scep-client 1109...
  • Page 20 telnet 1119 traceroute 1119...
  • Page 21 What's new in Digi IX20 version 23.3 Release of Digi IX20 firmware version 23.3: Surelink: Redesigned Surelink configuration settings. Added show surelink state Admin CLI command to display the overall pass/fail status of enabled Surelink tests. WAN bonding Added options for WAN bonding configuration to set modes for the bonded tunnel and for each bonded interface.
  • Page 22 If the IX20 device is used in an environment with high vibration levels, SIM card contact fretting may cause unexpected SIM card failures. To protect the SIM cards, Digi strongly recommends that you apply a thin layer of dielectric grease to the SIM contacts prior to installing the SIM cards.
  • Page 23 Apply Dielectric Grease over SIM Contacts Note Digi recommends using either …the Loctite® LB 8423 Dielectric Grease or Synco Lube® Silicone Dielectric Grease. a. Use a sheet of paper or cardboard over the area where you intend to work.
  • Page 24 Digi IX20 Quick Start Apply Dielectric Grease over SIM Contacts 2. Attach cellular antennas. Securely finger tighten each antenna to the threaded barrel using the nut at the base of the antenna. 3. Use an Ethernet cable to connect the IX20's WAN/ETH1 port to the internet, such as a home internet router or LAN Ethernet port in an office environment.
  • Page 25 Step 2: Connect DC power Step 2: Connect DC power Step 3: Set up access to Digi Remote Manager If you already have a Digi Remote Manager account, skip to Register your device. If you prefer to configure the device locally rather than using Remote Manager, see...
  • Page 26 Digi IX20 Quick Start Step 6: Configure cellular APN 3. Click Done when the firmware update is complete. Step 6: Configure cellular APN If you installed a SIM in step 3, the device will attempt to set up the APN automatically. However, if your SIM was set up with a custom APN, you will need to configure it manually: 1.
  • Page 27 Digi IX20 hardware reference Digi IX20 features and specifications The Digi IX20 key features include: Industrial grade components. Operating temperatures: IX20W (Wi-Fi enabled version): -20C to +70C/-4F to +158F. IX20 (non-Wi-Fi version): -40C to +70C/-40F to +158F. Plug-in LTE modem (1002-CM).
  • Page 28 Ethernet port, WAN-enabled by default. ETH2 Ethernet port, LAN-enabled by default Serial port Digi IX20 serial connector pinout for information about the serial port pin-out. SIM button The SIM button is used to manually toggle between the two SIM slots included in the CM module.
  • Page 29 Digi IX20 hardware reference IX20 LEDs Power No power. Solid green Device has power The WAN/ETH1 Ethernet port not connected. Flashing green The WAN/ETH1 Ethernet port is connecting. Solid green The WAN/ETH1 Ethernet port is connected and has activity. Wi-Fi Service (IX20W model only) No Wi-Fi access points or Wi-Fi clients are enabled.
  • Page 30 Digi IX20 hardware reference IX20 LEDs SIM1 Indicates that SIM1 is in use. SIM1 not in use. Solid green SIM1 is in use. SIM2 Indicates that SIM2 is in use. SIM2 not in use. Solid green SIM2 is in use.
  • Page 31 Digi IX20 hardware reference IX20 LEDs Alternating Red/yellow (or orange) Upgrading firmware. WARNING! DO NOT POWER OFF DURING FIRMWARE UPGRADE. 1. Or an unknown type of cellular network. Signal quality indicators LEDs labeled 1 through 5 Indicate the cellular service quality level.
  • Page 32 Solid green: 10/100 Mbps link detected. Signal quality bars explained The signal status bars for the Digi IX20 measure more than simply signal strength. The value reported by the signal bars is calculated using an algorithm that takes into consideration the Reference Signals Received Power (RSRP), the Signal-to-noise ratio (SNR), and the Received Signal Strength Indication (RSSI) to provide an accurate indicator of the quality of the signal that the device is receiving.
  • Page 33 Use the included power supply (part number 24000154). If you are providing the DC power source with a non-Digi power supply, you must use a certified LPS power supply rated at either 12 VDC/0.75 A or 24 VDC/0.375 A minimum. The voltage tolerance supports +/- 10% (9 VDC to 30 VDC) at 9 Watts minimum.
  • Page 34 Digi IX20 hardware reference Configuration for extreme thermal conditions 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 35 Digi IX20 hardware reference QR code definition    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 36 Digi IX20 hardware reference QR code definition QR code items Semicolon separated list of: ProductName;DeviceID;Password;SerialNumber;SKUPartNumber-SKUPartRevision Example IX20;00000000-00000000-112233FF-FF445566;PW1234567890;50001001-00 IX20 User Guide...
  • Page 37 Hardware setup This chapter contains the following topics: Install SIM cards in the Plug-in LTE modem Connect data cables Mount the IX20 device...
  • Page 38 If the IX20 device is used in an environment with high vibration levels, SIM card contact fretting may cause unexpected SIM card failures. To protect the SIM cards, Digi strongly recommends that you apply a thin layer of dielectric grease to the SIM contacts prior to installing the SIM cards.
  • Page 39 8. Affix the cellular antennas to the two connectors protruding from the device. Apply Dielectric Grease over SIM Contacts Note Digi recommends using either …the Loctite® LB 8423 Dielectric Grease or Synco Lube® Silicone Dielectric Grease. 1. Use a sheet of paper or cardboard over the area where you intend to work.
  • Page 40 Hardware setup Connect data cables Move the device to another location. Try connecting a different set of antennas, if available. Purchase a Digi Antenna Extender Kit: Antenna Extender Kit, Connect data cables The IX20 provides two types of data ports: Ethernet (RJ-45): Use a Cat 5e or Cat 6 Ethernet cable.
  • Page 41 Hardware setup Mount the IX20 device 1. Attach the DIN rail clip to the bottom of the device with the screws provided. 2. Set the IX20 device onto a DIN rail and gently press until the clip snaps into the rail. Attach to DIN rail with bracket 1.
  • Page 42 3. Set the bracket with the clip onto a DIN rail and gently press until the clip snaps into the rail. WARNING! If being installed above head height on a wall or ceiling, ensure the device is fitted securely to avoid the risk of personal injury. Digi recommends that this device be installed by an accredited contractor.
  • Page 43 Change the default password for the admin user Change the default SSID and pre-shared key for the preconfigured Wi-Fi access point Configuration methods Using Digi Remote Manager Using the local web interface Use the local REST API to configure the IX20 device...
  • Page 44 Firmware configuration Review IX20 default settings Review IX20 default settings You can review the default settings for your IX20 device by using the local WebUI or Digi Remote Manager: Local WebUI 1. Log into the IX20 WebUI as a user with Admin access. See Using the local web interface details.
  • Page 45 ETH2 model Wi-Fi access interface only) point: Digi Other default configuration settings Feature Configuration Digi Remote Manager enabled as the central management service. Central management Packet filtering allows all outbound traffic. Security policies SSH and web administration: IX20 User Guide...
  • Page 46 To change the default password for the admin user:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 47 Firmware configuration Change the default password for the admin user 3. Click Authentication > Users > admin. 4. Enter a new password for the admin user. The password must be at least eight characters long and must contain at least one uppercase letter, one lowercase letter, one number, and one special character.
  • Page 48 Pre-shared key: The unique password printed on the bottom label of the device.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 49 Firmware configuration Change the default SSID and pre-shared key for the preconfigured Wi-Fi access point 3. Click Network > Wi-Fi > Digi AP. 4. Enter a new SSID and Pre-shared key. 5. Click Apply to save the configuration and apply the change.
  • Page 50 Shows how to perform a task by using the command line interface. Using Digi Remote Manager By default, your IX20 device is configured to use Digi Remote Manager as its central management server. Devices must be registered with Remote Manager, either: As part of the getting started process.
  • Page 51 Summarizes network statistics: the total number of bytes sent and received over all Network configured bridges and Ethernet devices. activity Digi Remote Displays the device connection status for Digi Remote Manager, the amount of time Manager the connection has been up, and the Digi Remote Manager device ID. Using Digi Remote Manager.
  • Page 52 Firmware configuration Use the local REST API to configure the IX20 device Use the local REST API to configure the IX20 device Your IX20 device includes a REST API that can be used to return information about the device's configuration and to make modifications to the configuration. You can view the REST API specification from your web browser by opening the URL: https://ip-address/cgi-bin/config.cgi For example:...
  • Page 53 Firmware configuration Use the local REST API to configure the IX20 device (config)> service ? Services Additional Configuration ------------------------------------------------------------------- ------------ iperf IPerf location Location mdns Service Discovery (mDNS) modbus_gateway Modbus Gateway multicast Multicast ping Ping responder snmp SNMP telnet Telnet web_admin Web administration (config)>...
  • Page 54 Firmware configuration Use the local REST API to configure the IX20 device You can also use the GET method to return the configuration parameters associated with an item: curl -k -u admin https://192.168.210.1/cgi-bin/config.cgi/keys/service/ssh -X GET Enter host password for user 'admin': { "ok": true, "result": [ "acl", "custom", "enable", "key", "mdns", "port", "protocol"...
  • Page 55 Firmware configuration Use the local REST API to configure the IX20 device $ curl -g -k -u admin "https://192.168.210.1/cgi-bin/config.cgi/value?path=network.route.static&append=true&collapsed[dst]=1.2.4.0/24&collapsed[interface]=/network/interface/wan" -X POST Enter host password for user 'admin': { "ok": true, "result": "network.route.static.1" } Use the DELETE method to remove items from a list array To remove items from a list array, use the DELETE method.
  • Page 56 You can use an open-source terminal software, such as PuTTY or TeraTerm, to access the device through one of these mechanisms. You can also access the command line interface in the WebUI by using the Terminal, or the Digi Remote Manager by using the Console.
  • Page 57 Firmware configuration Using the command line Access selection menu: a: Admin CLI s: Shell q: Quit Select access or quit [admin] : Type a or admin to access the IX20 command line. You will now be connected to the Admin CLI: Connecting now...
  • Page 58 Configure your device for Digi Remote Manager support Log into Digi Remote Manager Use Digi Remote Manager to view and manage your device Add a device to Digi Remote Manager Configure multiple IX20 devices by using Digi Remote Manager configurations...
  • Page 59 This URL is required to utilize the client-side certificate support. Prior to release 22.2.9.x, the default URL was my.devicecloud.com. If your Digi device is configured to use a non-default URL to connect to Remote Manager, updating the firmware will not change your configuration. However, if you erase the device's configuration, the Remote Manager URL will change to the default of edp12.devicecloud.com.
  • Page 60 HTTP proxy server support. To configure your device's Digi Remote Manager support:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 61 Configure your device for Digi Remote Manager support 3. Click Central management. The Central management configuration window is displayed. Digi Remote Manager support is enabled by default. To disable, toggle off Enable central management. 4. For Service, select Digi Remote Manager.
  • Page 62 Central management Configure your device for Digi Remote Manager support Allowed values are any number of hours, minutes, or seconds, and take the format number {h|m|s}. For example, to set Cellular keep-alive interval to ten minutes, enter 10m or 600s.
  • Page 63 2. At the command line, type config to enter configuration mode: > config (config)> 3. Digi Remote Manager support is enabled by default. To disable Remote Manager support: (config)> cloud enable false (config)> 4. (Optional) Set the URL for the central management server.
  • Page 64 7. (Optional) Set the amount of time that the IX20 device should wait between sending keep-alive messages to the Digi Remote Manager when using a cellular interface. Allowed values are from 30 seconds to two hours. The default is 290 seconds.
  • Page 65 14. (Optional) Configure the IX20 device to communicate with remote cloud services by using SMS: a. Enable SMS messaging: (config)> cloud drm sms enable true (config)> b. Set the phone number for Digi Remote Manager: (config)> cloud drm sms destination value (config)> where value is either:...
  • Page 66 To disable the collection of device health data or enable it if it has been disabled, or to change the health sample interval:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 67 3. Click Monitoring > Device Health. 4. (Optional) Click to expand Data point tuning. Data point tuning options allow you to configure what data are uploaded to the Digi Remote Manager. All options are enabled by default. 5. Only report changed values to Digi Remote Manager is enabled by default.
  • Page 68 1, 5, 15, 30, or 60, and represents the number of minutes between uploads of health sample data. 5. By default, the device will only report health metrics values to Digi Remote Manager that have changed since health metrics were last uploaded. This is useful to reduce the bandwidth used to report health metrics.
  • Page 69 To enable the event log upload, or disable it if it has been disabled, and to change the upload interval:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: IX20 User Guide...
  • Page 70 Central management Configure your device for Digi Remote Manager support Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
  • Page 71 1. If you have not already done so, click here to sign up for a Digi Remote Manager account. 2. Check your email for Digi Remote Manager login instructions. 3. Go to remotemanager.digi.com. 4. Log into your Digi Remote Manager account.
  • Page 72 Use Digi Remote Manager to view and manage your device To view and manage your device: 1. If you have not already done so, connect to your Digi Remote Manager account. 2. From the menu, click Devices to display a list of your devices.
  • Page 73 Configure multiple IX20 devices by using Digi Remote Manager configurations Digi recommends you take advantage of Remote Manager configurations to manage multiple IX20 devices. A Remote Manager configuration is a named set of device firmware, settings, and file system options. You use the configuration to automatically update multiple devices and to periodically scan devices to check for compliance with the configuration.
  • Page 74 You can also include site-specific settings with a profile to override settings on a device-by-device basis. View Digi Remote Manager connection status To view the current Digi Remote Manager connection status from the local device:    Web 1. Log into the IX20 WebUI as a user with Admin access.
  • Page 75 Central management Learn more Learn more To learn more about Digi Remote Manager features and functions, see the Digi Remote Manager User Guide...
  • Page 76 Interfaces IX20 devices have several physical communications interfaces. These interfaces can be bridged in a Local Area Network (LAN) or assigned to a Wide Area Network (WAN). This chapter contains the following topics: Wide Area Networks (WANs) Local Area Networks (LANs) Virtual LANs (VLANs) Bridging Show SureLink status and statistics...
  • Page 77 Preconfigured interfaces Devices configuration Wide Area ETH1 Ethernet: Firewall Network (WAN) ETH1 zone: External WAN priority: Metric=1 IP Address: DHCP client Digi SureLink enabled for IPv4 Wireless Wide Modem Modem Firewall Area Network zone: (WWAN) External WAN priority: Metric=3 SIM failover...
  • Page 78 The metric for each WAN.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 79 Interfaces Wide Area Networks (WANs) Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Set the metrics for Modem: a. Click Network > Interfaces > Modem > IPv4. b. For Metric, type 1. c.
  • Page 80 Interfaces Wide Area Networks (WANs) 5. Click Apply to save the configuration and apply the change. The IX20 device is now configured to use the cellular modem WWAN, Modem, as its highest priority WAN, and its Ethernet WAN, ETH1, as its secondary WAN. ...
  • Page 81 If your device is operating on a private APN or on wired network with firewall restrictions, ensure that the DNS servers on your private network allow DNS lookups for https://remotemanager.digi.com; otherwise, the SureLink DNS query test will fail and the IX20 device will determine that the interface is down.
  • Page 82 WAN has failed, because the connection continues to work while the core problem exists somewhere else in the network. Using Digi SureLink, you can configure the IX20 device to regularly probe connections through the WAN to determine if the WAN has failed, and to perform recovery actions, such as changing the interface metric to use a new default gateway.
  • Page 83 Otherwise, the device will reboot and all recovery actions listed after the Reboot Device action will be ignored.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 84 Interfaces Wide Area Networks (WANs) a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces. 4. Create a new WAN or WWAN or select an existing one: To create a new WAN or WWAN, see Configure a Wide Area Network (WAN) or Configure a Wireless Wide Area Network...
  • Page 85 Interfaces Wide Area Networks (WANs) 7. (Optional) If more than one test target is configured, for Success condition, select either: One test passes: Only one test needs to pass for Surelink to consider an interface to be up. All test pass: All tests need to pass for SureLink to consider the interface to be up. 8.
  • Page 86 Interfaces Wide Area Networks (WANs) HTTP test: Uses HTTP(s) GET requests to determine connectivity to the configured web server. If HTTP test is selected, complete the following: Web server: The URL of the web server. Test DNS servers configured for this interface: Tests communication with DNS servers that are either provided by DHCP, or statically configured for this interface.
  • Page 87 Interfaces Wide Area Networks (WANs) Down: The test will pass only if the referenced interface is down or failing its own SureLink tests (if applicable). e. Repeat for each additional test. 11. Add recovery actions: a. Click to expand Recovery actions. By default, there are two preconfigured recovery actions: Update routing: Uses the Change default gateway action, which increases the interface's metric by 100 to change the default gateway.
  • Page 88 Interfaces Wide Area Networks (WANs) Override wait interval before performing the next recovery action: The time to wait before the next test is run. If set to the default value of 0s, the Test interval is used. Switch to alternate SIM: Switches to an alternate SIM. This recovery action is available for WWAN interfaces only.
  • Page 89 Interfaces Wide Area Networks (WANs) For example, to set Delayed start to ten minutes, enter 10m or 600s. The default is 300 seconds. c. For Backoff interval, type the time to add to the test interval when restarting the list of actions.
  • Page 90 Interfaces Wide Area Networks (WANs) To add additional tests: a. Add a test: (config network interface my_wan)> add surelink tests end (config network interface my_wan surelink tests 1)> b. New tests are enabled by default. To disable: (config network interface my_wan surelink tests 1)> enable false (config network interface my_wan surelink tests 1)>...
  • Page 91 Interfaces Wide Area Networks (WANs) Set the number of bytes to send as part of the ping payload: (config network interface my_wan ipsec tunnel ipsec_example surelink tests 1)> ping_size int (config network interface my_wan surelink tests 1)> dns: Performs a DNS query to the named DNS server. If dns is set, set the IPv4 or IPv6 address of the DNS server: (config network interface my_wan surelink tests 1)>...
  • Page 92 Interfaces Wide Area Networks (WANs) where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set interface_timeout to ten minutes, enter either 10m or 600s: (config network interface my_wan surelink tests 1)> interface_timeout 600s (config)>...
  • Page 93 Interfaces Wide Area Networks (WANs) (config network interface my_wan surelink tests 1)> other_interface ii. Set the interface. For example: (config network interface my_wan surelink tests 1)> other_interface /network/interface/eth1 (config network interface my_wan surelink tests 1)> Set the type of IP connection: (config network interface my_wan surelink tests 1)>...
  • Page 94 Interfaces Wide Area Networks (WANs) d. Create a label for the action: (config network interface my_wan surelink actions 0)> label string (config network interface my_wan surelink actions 0)> e. Set the type of recovery action. If multiple recovery actions are configured, they are performed in the order that they are listed.
  • Page 95 Interfaces Wide Area Networks (WANs) Set the number of attempts for this recovery action to perform, before moving to the next recovery action: (config network interface my_wan surelink actions 0)> max_attempts int (config network interface my_wan surelink actions 0)> The default is 3.
  • Page 96 Interfaces Wide Area Networks (WANs) modem_power_cycle: This recovery action is available for WWAN interfaces only. If modem_power_cycle is selected, complete the following: Set the number of attempts for this recovery action to perform, before moving to the next recovery action: (config network interface my_wan surelink actions 0)>...
  • Page 97 Interfaces Wide Area Networks (WANs) (config network interface my_wan surelink actions 0)> custom_action_commands_modem "string" (config network interface my_wan surelink actions 0)> Set the time to wait before the next test is run. If set to the default value of 0s, the test interval is used.
  • Page 98 Interfaces Wide Area Networks (WANs) (config)> network interface my_wan surelink timeout value (config)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set timeout to ten minutes, enter either 10m or 600s: (config)>...
  • Page 99 Interfaces Wide Area Networks (WANs) (config)> network interface my_wan surelink advanced interface_gateway hostname/IP_address (config)> 8. Save the configuration and apply the change: (config network interface my_wan ipv4 surelink)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 100 To configure the IX20 device to reboot when an interface has failed:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 101 Interfaces Wide Area Networks (WANs) 5. After creating or selecting the interface, click SureLink. By default, SureLink is enabled for the preconfigured WAN (ETH1) and WWAN (Modem). The default configuration tests the DNS servers configured for the interface. When SureLink is configured for Wireless WANs, SureLink tests are only run if the cellular modem is connected and has an IP address.
  • Page 102 Interfaces Wide Area Networks (WANs) New tests are enabled by default. To disable, click to toggle off Enable. b. Type a Label for the test. c. Click to toggle on IPv6 if the test should apply to IPv6 rather than IPv4. d.
  • Page 103 Interfaces Wide Area Networks (WANs) If Custom test is selected, complete the following: The Commands to run to test. TCP connection test: Tests that the interface can reach a destination port on the configured host. If TCP connection test is selected, complete the following: TCP connect host: The hostname or IP address of the host to create a TCP connection to.
  • Page 104 Interfaces Wide Area Networks (WANs) Attempts: The number of attempts for this recovery action to perform, before moving to the next recovery action. Increase metric to change active default gateway: Increase the interface's metric by this amount. This should be set to a number large enough to change the routing table to use another default gateway.
  • Page 105 Interfaces Wide Area Networks (WANs) Override wait interval before performing the next recovery action: The time to wait before the next test is run. If set to the default value of 0s, the Test interval is used. Powercycle the modem. This recovery action is available for WWAN interfaces only.
  • Page 106 Interfaces Wide Area Networks (WANs) 3. Create a new interface, or edit an existing one: To create a new interface, see Configure a Local Area Network (LAN), Configure a Wide Area Network (WAN), or Configure a Wireless Wide Area Network (WWAN).
  • Page 107 Interfaces Wide Area Networks (WANs) where value is one of: ping: Uses ICMP to determine connectivity. If ping is selected, complete the following: Set the ping_method: (config network interface my_wan surelink tests 1)> ping_method value (config network interface my_wan surelink tests 1)> where value is one of: hostname: The hostname or IP address of an external server.
  • Page 108 Interfaces Wide Area Networks (WANs) Set the amount of time that the interface is down before the test can be considered to have failed. (config network interface my_wan surelink tests 1)> interface_down_time value (config network interface my_wan surelink tests 1)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}.
  • Page 109 Interfaces Wide Area Networks (WANs) Set the TCP port to create a TCP connection to. (config network interface my_wan surelink tests 1)> tcp_port port (config network interface my_wan surelink tests 1)> other: Tests the status of another interface. If other is selected, complete the following: Set the interface to test.
  • Page 110 Interfaces Wide Area Networks (WANs) up: The test will pass only if the referenced interface is up and passing its own SureLink tests (if applicable). down: The test will pass only if the referenced interface is down or failing its own SureLink tests (if applicable).
  • Page 111 Interfaces Wide Area Networks (WANs) a. Type ... to return to the root of the configuration: (config network interface my_wan surelink actions 0)> ... (config)> b. Set the test interval between connectivity tests: (config)> network interface my_wan surelink interval value (config)>...
  • Page 112 Interfaces Wide Area Networks (WANs) (config)> network interface my_wan surelink advanced delayed_start value (config)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set delayed_start to ten minutes, enter either 10m or 600s: (config)>...
  • Page 113 SureLink to disable the DNS test and use one or more other tests.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 114 WAN connections that do not allow DNS resolution, and configure alternate test.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 115 Interfaces Wide Area Networks (WANs) c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces. 4. Select the appropriate WAN or WWAN on which the default DNS test should be disabled. 5.
  • Page 116 Interfaces Wide Area Networks (WANs) 9. Click  to add a new test. 10. Type a Label for the test. 11. Click to toggle on IPv6 if the test should apply to IPv6 rather than IPv4. 12. Select the Test type. Available test types: Ping test: Uses ICMP to determine connectivity.
  • Page 117 Interfaces Wide Area Networks (WANs) Initial connection time: The amount of time to wait for the interface to connect for the first time before the test is considered to have failed. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}.
  • Page 118 Interfaces Wide Area Networks (WANs) (config)> network interface my_wan (config network interface my_wan)> 4. Disable the default DNS test: (config network interface my_wan)> surelink tests 0 enable false (config network interface my_wan)> 5. Add a new test: a. Add a test: (config network interface my_wan)>...
  • Page 119 Interfaces Wide Area Networks (WANs) Set the number of bytes to send as part of the ping payload: (config network interface my_wan ipsec tunnel ipsec_example surelink tests 1)> ping_size int (config network interface my_wan surelink tests 1)> dns: Performs a DNS query to the named DNS server. If dns is set, set the IPv4 or IPv6 address of the DNS server: (config network interface my_wan surelink tests 1)>...
  • Page 120 Interfaces Wide Area Networks (WANs) where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set interface_timeout to ten minutes, enter either 10m or 600s: (config network interface my_wan surelink tests 1)> interface_timeout 600s (config)>...
  • Page 121 Interfaces Wide Area Networks (WANs) (config network interface my_wan surelink tests 1)> other_interface ii. Set the interface. For example: (config network interface my_wan surelink tests 1)> other_interface /network/interface/eth1 (config network interface my_wan surelink tests 1)> Set the type of IP connection: (config network interface my_wan surelink tests 1)>...
  • Page 122 To achieve this WAN failover from the ETH1 to the Modem interface, the WAN failover configuration is:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 123 Interfaces Wide Area Networks (WANs) 3. Configure active recovery on ETH1: a. Click Network > Interface > ETH1 > SureLink. b. For Test interval, type 10s. c. Click to expand Tests. d. Disable the default DNS test: i. Click to expand the default DNS configured test. ii.
  • Page 124 Interfaces Wide Area Networks (WANs) 2. At the command line, type config to enter configuration mode: > config (config)> 3. Configure SureLink on ETH1: a. Set the interval to ten seconds: (config)> network interface eth1 surelink interval 10s (config)> b. Disable the default DNS test: (config)>...
  • Page 125 Interfaces Wide Area Networks (WANs) By default, the WAN/ETH1 Ethernet device is configured as a WAN, named ETH1, with both DHCP and NAT enabled and using the External firewall zone. This means you should be able to connect to the Internet by connecting the WAN/ETH1 Ethernet port to another device that already has an internet connection.
  • Page 126 Interfaces Wide Area Networks (WANs) 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 127 Interfaces Wide Area Networks (WANs) Any modem: Applies this configuration to any modem that is attached. IMEI: Applies this configuration only to a modem that matches the identified IMEI. If IMEI is selected, for Match IMEI, type the IMEI of the modem that this configuration should be applied to.
  • Page 128 Interfaces Wide Area Networks (WANs) 4. Set the matching criteria used to determine if this modem configuration applies to the currently attached modem: (config)> network modem modem match value (config)> where value is one of the following: any: Applies this configuration to any modem that is attached. imei: Applies this configuration only to a modem that matches the identified IMEI.
  • Page 129 Interfaces Wide Area Networks (WANs) (config)> network modem modem sim_slot_preference value (config)> where value is one of the following: none: Does not consider either SIM slot to be the preferred slot. 1: Configures the first SIM slot as the preferred SIM slot. 2.
  • Page 130 APN. To configure the APN:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 131 Interfaces Wide Area Networks (WANs) d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces > Modem > APN list > APN. 4.
  • Page 132 Interfaces Wide Area Networks (WANs) 7. AT&T LWM2M support is enabled by default. Disable if you are using an AT&T SIM that does not support AT&T lightweight M2M. 8. To add additional APNs, for Add APN, click  and repeat the preceding instructions. 9.
  • Page 133 Interfaces Wide Area Networks (WANs) where version is one of the following: auto: Requests both IPv4 and IPv6 address. ipv4: Requests only an IPv4 address. ipv6: Requests only an IPv6 address. The default is auto. 6. (Optional) Set the authentication method: (config)>...
  • Page 134 Using an AT&T SIM with the Telit LE910-NAv2 module is supported. The Telit LE910-NAv2 module is used in the 1002-CM04 CORE modem.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 135 Interfaces Wide Area Networks (WANs) 3. Increase the maximum number of interfaces allowed for the modem: a. Click Network > Modems > Modem. b. For Maximum number of interfaces, type 2. 4. Create the WWAN interfaces: In this example, we will create two interfaces named WWAN_Public and WWAN_Private. a.
  • Page 136 Interfaces Wide Area Networks (WANs) g. For Add Interface, type WWAN_Private and click . h. For Interface type, select Modem. i. For Zone, select External. j. For Device, select Modem . This should be the same modem selected for the WWAN_Public WWAN. k.
  • Page 137 Interfaces Wide Area Networks (WANs) a. Click Network > Routes > Policy-based routing. b. Click the  to add a new route policy. c. For Label, enter Route through public APN. d. For Interface, select Interface: WWAN_Public. e. Configure the source address: i.
  • Page 138 Interfaces Wide Area Networks (WANs) iii. For Interface, select Interface: WWAN_Private. 6. Click Apply to save the configuration and apply the change.    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 139 Interfaces Wide Area Networks (WANs) e. Use two periods (..) to move back one level in the configuration: (config network interface WWANPublic)> .. (config network interface)> f. Create the WWANPrivate interface: (config network interface)> add WWANPrivate (config network interface WWANPrivate)> g.
  • Page 140 Interfaces Wide Area Networks (WANs) ii. Set the interface to LAN1: (config network route policy 0)> src interface LAN1 (config network route policy 0)> e. Configure the destination address: i. Set the type to interface: (config network route policy 0)> dst type interface (config network route policy 0)>...
  • Page 141 Select Manual or Manual/Automatic carrier selection mode. The Network PLMN ID.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 142 Interfaces Wide Area Networks (WANs) Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces > Modem. 4. For Carrier selection mode, select one of the following: Automatic—The device automatically selects the carrier based on your SIM and cellular network status.
  • Page 143 Interfaces Wide Area Networks (WANs) 6. Click Apply to save the configuration and apply the change.    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 144 Interfaces Wide Area Networks (WANs)    Web 1. Log into the IX20 WebUI as a user with Admin access. 2. From the main menu, click Status > Modems. 3. Scroll to the Connection Status section and click SCAN. The Carrier Scan window opens. 4.
  • Page 145 Interfaces Wide Area Networks (WANs) Note If Manual is selected, your modem must support the Network technology or the modem will lose cellular connectivity. If you are using a cellular connection to perform this procedure, you may lose your connection and the device will no longer be accessible.
  • Page 146 Interfaces Wide Area Networks (WANs) 2. Use the show modem command: To view a status summary for the modem: > show modem Modem Status Signal Strength ----- ------------- --------- --------- -------------------- modem 1 (ready) connected 1234 Good (-84 dBm) > To view detailed status and statistics, use the show modem name name command:...
  • Page 147 Interfaces Wide Area Networks (WANs) SIM Slot SIM Status : ready IMSI : 61582122197895 ICCID : 26587628655003992180 SIM Provider : AT&T RSRQ : Good (-11.0 dB) RSRP : Good (-93.0 dBm) RSSI : Excellent (-64.0 dBm) : Good (6.4 dB) >...
  • Page 148 Move the IX20 device to another location. Try connecting a different set of antennas, if available. Purchase a Digi Antenna Extender Kit: Antenna Extender Kit, 1m AT command access To run AT commands from the IX20 command line: ...
  • Page 149 Interfaces Wide Area Networks (WANs) > modem at-interactive Do you want exclusive access to the modem? (y/n) [y]: 4. Type n if you do not want exclusive access. This allows you to send AT commands to the device while still allowing the device to connect, disconnect, and/or reconnect to the cellular network.
  • Page 150 Interfaces Wide Area Networks (WANs) Configure a Wide Area Network (WAN) Configuring a Wide Area Network (WAN) involves configuring the following items: Required configuration items A name for the interface. Note If the interface name is more than eight characters, the name will be truncated in the underlying network interface to the first six characters followed by three digits, incrementing from 000.
  • Page 151 Interfaces Wide Area Networks (WANs)    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 152 Interfaces Wide Area Networks (WANs) New WANs are enabled by default. To disable, toggle off Enable. 5. For Interface type, leave at the default setting of Ethernet. 6. For Zone, select External. 7. For Device, select an Ethernet device, a Wi-Fi client, or a bridge. See Bridging for more information about bridging.
  • Page 153 Interfaces Wide Area Networks (WANs) RFC4702 for further information about DHCP server support for the Client FQDN option. Configure system information for information about setting the IX20 device's system name. 10. (Optional) Configure IPv6 settings: a. Click to expand IPv6. b. Enable IPv6 support. c.
  • Page 154 Interfaces Wide Area Networks (WANs) If allowlist entries are specified, incoming packets will only be accepted from the listed MAC addresses. a. Click to expand MAC address allowlist. b. For Add MAC address, click . c. Type the MAC address. 1. See Configure SureLink active recovery to detect WAN/WWAN failures for information about configuring SureLink.
  • Page 155 Interfaces Wide Area Networks (WANs) /network/bridge/lan /network/wireless/ap/digi_ap Current value: (config network interface my_wan)> device b. Set the device for the LAN: (config network interface my_wan)> device device (config network interface my_wan)> 6. Configure IPv4 settings: IPv4 support is enabled by default. To disable: (config network interface my_wan)>...
  • Page 156 Interfaces Wide Area Networks (WANs) v. Configure how to use DNS: (config network interface my_wan)> ipv4 use_dns value (config network interface my_wan)> where value is one of: always: DNS will always be used for this WAN; when multiple interfaces have the same DNS server, the interface with the lowest metric will be used for DNS requests.
  • Page 157 Interfaces Wide Area Networks (WANs) type dhcpv6 Type use_dns always Use DNS weight Weight Additional Configuration --------------------------------------------------------------------- ---------- connection_monitor Active recovery (config network interface my_wan)> d. Modify any of the remaining default settings as appropriate. For example, to change the metric: (config network interface my_wan)>...
  • Page 158 Interfaces Wide Area Networks (WANs) If allowlist entries are specified, incoming packets will only be accepted from the listed MAC addresses. a. Add a MAC address to the allowlist: (config network interface my_wan)> add mac_allowlist end mac_address (config network interface my_wan)> where mac_address is a hyphen-separated MAC address, for example, 32-A6-84-2E-81-58.
  • Page 159 WAN/WWAN failures for further information.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 160 Interfaces Wide Area Networks (WANs) 3. Click Network > Interfaces. 4. Create the WWAN or select an existing WWAN: To create a new WWAN: a. For Add interface, type a name for the WWAN and click . b. For Interface type, select Modem. New WWANs are enabled by default.
  • Page 161 Interfaces Wide Area Networks (WANs) If IMSI is selected, for Match IMSI, type the International Mobile Subscriber Identity (IMSI) that must be in active for this WWAN to be used. If ICCID is selected, for Match ICCID, type the unique SIM card ICCID that must be in active for this WWAN to be used.
  • Page 162 Interfaces Wide Area Networks (WANs) a. Click Custom gateway to expand. b. Click Enable. c. For Gateway/Netmask, enter the IP address and netmask of the custom gateway. To override only the gateway netmask, but not the gateway IP address, use all zeros for the IP address.
  • Page 163 Interfaces Wide Area Networks (WANs) When primary default route: Only use the DNS servers provided for this WWAN when the WWAN is the primary route. Never: Never use DNS servers for this WWAN. The default setting is When primary default route. 1.
  • Page 164 Interfaces Wide Area Networks (WANs) b. Set the device: (config network interface my_wwan)> modem device modem (config network interface my_wwan)> 6. Set the SIM matching criteria to determine when this WWAN should be used: (config network interface my_wwan)> modem match value (config network interface my_wwan)>...
  • Page 165 Interfaces Wide Area Networks (WANs) (config network interface my_wwan)> modem imsi IMSI (config network interface my_wwan)> plmn_id Set the PLMN id that must be in active for this WWAN to be used: (config network interface my_wwan)> modem plmn_id PLMN_ID (config network interface my_wwan)> sim_slot Set which SIM slot must be in active for this WWAN to be used: (config network interface my_wwan)>...
  • Page 166 Interfaces Wide Area Networks (WANs) b. Set the cellular network technology: (config network interface my_wwan)> modem operator_technology value (config network interface my_wwan)> where value is one of: all: The best available technology will be used. 2G: Only 2G technology will be used. 3G: Only 3G technology will be used.
  • Page 167 Interfaces Wide Area Networks (WANs) 13. (Optional) To configure the IP address of a custom gateway or a custom netmask: a. Enable the custom gateway: (config network interface my_wwan)> modem custom_gw enable true (config network interface my_wwan)> b. Set the IP address and netmask of the custom gateway: (config network interface my_wwan)>...
  • Page 168 Interfaces Wide Area Networks (WANs) always: DNS will always be used for this WWAN; when multiple interfaces have the same DNS server, the interface with the lowest metric will be used for DNS requests. never: Never use DNS servers for this WWAN. primary: Only use the DNS servers provided for this WWAN when the WWAN is the primary route.
  • Page 169 Interfaces Wide Area Networks (WANs) The default setting is primary. 16. See Configure SureLink active recovery to detect WAN/WWAN failures for information about configuring active recovery. 17. Save the configuration and apply the change: (config network interface my_wan)> save Configuration saved. >...
  • Page 170 Interfaces Wide Area Networks (WANs) 3. Additional information can be displayed by using the show network verbose command: > show network verbose Interface Proto Status Type Zone Device Metric Weight ---------------- ----- ------- ------ -------- -------- ------ ---- defaultip IPv4 static setup eth2...
  • Page 171 WAN, ETH1, or the preconfigured WWAN, Modem.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 172 The following table lists the default outbound network communications for IX20 WAN/WWAN interfaces: Port Description TCP/UDP number Digi Remote Manager connection to edp12.devicecloud.com . 3199 NTP date/time sync to time.devicecloud.com . DNS resolution using WAN-provided DNS servers. HTTPS for modem firmware downloads from firmware.devicecloud.com .
  • Page 173 Interfaces Local Area Networks (LANs) Local Area Networks (LANs) The IX20 device is preconfigured with the following Local Area Networks (LANs): Interface type Preconfigured interfaces Devices Default configuration Local Area ETH2 Ethernet: Firewall zone: Network ETH2 (non- Internal (LAN) IP address: Wi-Fi 192.168.2.1/24 models)
  • Page 174 A Local Area Network (LAN) connects network devices together, such as Ethernet or Wi-Fi, in a logical Layer-2 network. The following diagram shows a LAN connected to the ETH2 Ethernet device and the Digi AP access point (available for Wi-Fi enabled models only). Once the LAN is configured and enabled, the devices connected to the network interfaces can communicate with each other, as demonstrated by the ping commands.
  • Page 175 To create a new LAN or edit an existing LAN:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 176 Interfaces Local Area Networks (LANs) 3. Click Network > Interfaces. 4. Create the LAN or select an existing LAN: To create a new LAN, for Add interface, type a name for the LAN and click . To edit an existing LAN, click to expand the LAN. The Interface configuration window is displayed.
  • Page 177 Interfaces Local Area Networks (LANs) c. For Address, type the IP address and subnet of the LAN interface. Use the format IPv4_address/netmask, for example, 192.168.2.1/24. d. Optional IPv4 configuration items: i. Set the Metric. ii. For Weight, type the relative weight for default routes associated with this interface. For multiple active interfaces with the same metric, Weight is used to load balance traffic to the interfaces.
  • Page 178 Interfaces Local Area Networks (LANs) a. Click to expand MAC address allowlist. b. For Add MAC address, click . c. Type the MAC address. 14. Click Apply to save the configuration and apply the change.    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 179 Interfaces Local Area Networks (LANs) b. Set the device for the LAN: (config network interface my_lan)> device device (config network interface my_lan)> 6. Configure IPv4 settings: IPv4 support is enabled by default. To disable: (config network interface my_lan)> ipv4 enable false (config network interface my_lan)>...
  • Page 180 Interfaces Local Area Networks (LANs) DHCP servers for information about configuring the DHCP server. 7. (Optional) Configure IPv6 settings: a. Enable IPv6 support: (config network interface my_lan)> ipv6 enable true (config network interface my_lan)> b. Set the IPv6 type to DHCP: (config network interface my_lan)>...
  • Page 181 Interfaces Local Area Networks (LANs) d. Modify any of the remaining default settings as appropriate. For example, to change the minimum length of the prefix: (config network interface my_lan)> ipv6 prefix_length 60 (config network interface my_lan)> If the minimum length is not available, then a longer prefix will be used. Configure WAN/WWAN priority and default route metrics for further information about metrics.
  • Page 182 Interfaces Local Area Networks (LANs) 11. Save the configuration and apply the change: (config network interface my_lan)> save Configuration saved. > 12. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 183 To configure the WAN/ETH1 Ethernet port as a LAN:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 184 Interfaces Local Area Networks (LANs) 4. For Zone, select Internal. 5. Configure IPv4 settings: a. Click to expand IPv4. b. For Type, select Static IP address. c. For Address, type the IPv4 address and netmask, using the format IPv4_address/netmask, for example, 192.168.3.1/24. d.
  • Page 185 To add the WAN/ETH1 port to the LAN bridge:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager:...
  • Page 186 Interfaces Local Area Networks (LANs) a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
  • Page 187 To create a new bridge, and bridge the IX20 device's WAN/ETH1 Ethernet port with or Wi-Fi access points:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 188 Interfaces Local Area Networks (LANs) 3. Create the bridge and add devices: a. Click Network > Bridges. b. For Add Bridge, type a name for the bridge and click . c. Click to expand Devices. d. Click Add Device . e.
  • Page 189 Interfaces Local Area Networks (LANs) 4. Create a LAN interface for the bridge: a. Click Network > Interfaces. b. For Add Interface, type a name for the interface and click . c. For Zone, select Internal. d. For Device, select the new bridge. e.
  • Page 190 Interfaces Local Area Networks (LANs) 2. At the command line, type config to enter configuration mode: > config (config)> 3. Create the bridge and add devices: a. Create the bridge: (config)> add network bridge bridge_name (config network bridge bridge_name)> where bridge_name is the name of the new bridge. For example, to create a bridge named LAN_bridge: (config)>...
  • Page 191 Interfaces Local Area Networks (LANs) To disable the bridge: (config network bridge LAN_bridge)> .. lan1 enable false (config network bridge LAN_bridge)> To remove a port or access point from the bridge: i. Use the show keyword to display the devices: (config network bridge LAN_bridge)>...
  • Page 192 DHCP server range will also change to the range of the LAN subnet. To change the LAN subnet:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 193 Interfaces Local Area Networks (LANs) a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces > LAN > IPv4. 4. For Address, change the IP address to an alternate private IP. You must also specify the subnet mask.
  • Page 194 Interfaces Local Area Networks (LANs) 1. Log into the IX20 WebUI as a user with Admin access. 2. From the menu, click Status. 3. Under Networking, click Interfaces.    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 195 Follow this procedure to delete any LANs that have been added to the system. You cannot delete the preconfigured LAN, LAN1.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 196 Interfaces Local Area Networks (LANs) Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces. 4. Click the menu icon (...) next to the name of the LAN to be deleted and select Delete. 5.
  • Page 197 Map static IP addresses to hosts for information about static leases.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 198 Interfaces Local Area Networks (LANs) b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces. 4.
  • Page 199 Interfaces Local Area Networks (LANs) a. Click Network > Advanced. b. Click to enable Sequential DHCP address allocation. Because sequential mode does not use a hash based on the client's MAC address, when a DHCP lease expires, the client is not likely to get the same IP address assigned to it. Therefore, sequential DHCP address allocation generally should not be used.
  • Page 200 Interfaces Local Area Networks (LANs) (config)> network interface my_lan ipv4 dhcp_server enable true (config)> Configure a Local Area Network (LAN) for information about creating a LAN. 4. (Optional) Set the amount of time that a DHCP lease is valid: (config)> network interface my_lan ipv4 dhcp_server lease_time value (config)>...
  • Page 201 Interfaces Local Area Networks (LANs) a. Click to expand Advanced settings. b. Determine how the DHCP server should broadcast the gateway server: (config)> network interface my_lan ipv4 dhcp_server advanced gateway value (config)> where value is one of: none: No gateway is broadcast by the DHCP server. Client destinations must be resolvable without a gateway.
  • Page 202 Interfaces Local Area Networks (LANs) secondary_ntp value (config)> network interface my_lan ipv4 dhcp_server advanced primary_wins value (config)> network interface my_lan ipv4 dhcp_server advanced secondary_wins value (config)> where value is one of: none: No server is broadcast. auto: Broadcasts the IX20 device's server. custom: Allows you to identify the IP address of the server.
  • Page 203 A label for this instance of the static lease. To map static IP addresses:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 204 Interfaces Local Area Networks (LANs) 9. (Optional) For Hostname, type a label for the static lease. This does not have to be the device's actual hostname. 10. Repeat for each additional DHCP static lease. 11. Click Apply to save the configuration and apply the change. ...
  • Page 205 Interfaces Local Area Networks (LANs) 7. Save the configuration and apply the change: (config network interface my_lan ipv4 dhcp_server advanced static_lease 0)> save Configuration saved. > 8. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 206 Delete static IP mapping entries To delete a static IP entry:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 207 Interfaces Local Area Networks (LANs)    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 208 Force the option to be sent to the DHCP clients. A label for the custom option.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 209 Interfaces Local Area Networks (LANs) 6. For Add Custom option, click . Custom options are enabled by default. To disable, toggle off Enable. 7. For Option number, type the DHCP option number. 8. For Value, type the value of the DHCP option. 9.
  • Page 210 Interfaces Local Area Networks (LANs) (config network interface my_lan ipv4 dhcp_server advanced custom_option 0)> value_str value (network interface my_lan ipv4 dhcp_server advanced custom_option 0)> 7. (Optional) Set a label for this custom option: (config network interface my_lan ipv4 dhcp_server advanced custom_option 0)>...
  • Page 211 Additional configuration items IP address of additional DHCP relay servers.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 212 Interfaces Local Area Networks (LANs) 3. Click Network > Interfaces. 4. Click to expand an existing LAN, or create a new LAN. See Configure a Local Area Network (LAN). 5. Disable the DHCP server, if it is enabled: a. Click to expand IPv4 > DHCP server. b.
  • Page 213 Interfaces Local Area Networks (LANs) c. Set the IP address of the DHCP relay server: (config network interface my_lan ipv4 dhcp_relay 1)> address 10.10.10.11 (config network interface my_lan ipv4 dhcp_relay 1)> d. Repeat for each additional relay server. 1. Disable the DHCP server, if it is enabled: (config network interface my_lan ipv4 dhcp_relay 1)>...
  • Page 214 IP address assigned to it on a WAN or cellular modem interface, to a client connected to a LAN interface.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 215 Interfaces Local Area Networks (LANs) d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces. 4. Create the interface or select an existing interface: To create a new interface, for Add interface, type a name for the interface and click .
  • Page 216 Interfaces Local Area Networks (LANs) c. Select the appropriate Interface. d. Repeat for additional interfaces. 9. (Optional) Packet filtering is disabled by default. Toggle on to enable. If packet filtering is disabled, traffic is allowed in both directions and it is the responsibility of the external device to provide its own firewall.
  • Page 217 Interfaces Local Area Networks (LANs) 15. Configure IPv4 settings: a. Click to expand IPv4. IPv4 support is enabled by default. b. Set the Metric. c. For Weight, type the relative weight for default routes associated with this interface. For multiple active interfaces with the same metric, Weight is used to load balance traffic to the interfaces.
  • Page 218 Interfaces Local Area Networks (LANs) Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: > config (config)> 3.
  • Page 219 Interfaces Local Area Networks (LANs) 8. Configure IPv4 settings: IPv4 support is enabled by default. To disable: (config network interface ip_passthrough_interface)> ipv4 enable false (config network interface ip_passthrough_interface)> a. Set the IP metric: (config network interface ip_passthrough_interface)> ipv4 metric num (config network interface ip_passthrough_interface)>...
  • Page 220 Interfaces Virtual LANs (VLANs) b. Generally, the default settings for IPv6 support are sufficient. You can view the default IPv6 settings by using the question mark (?): (config network interface ip_passthrough_interface)> ipv6 ? IPv6 Parameters Current Value ---------------------------------------------------------------------- --------- enable true Enable metric...
  • Page 221 Interfaces Virtual LANs (VLANs) Your IX20 device supports two VLAN modes: Trunking: Supports multiple VLANs per Ethernet port, which enables you to extend your VLAN across multiple switches through your entire network. Switchport: Each Ethernet port can have one or more VLAN IDs associated to it. Any untagged VLAN packets that come into a network interface are automatically tagged with the primary VLAN ID for that switchport.
  • Page 222 The VLAN ID. The TCP header uses the VLAN ID to identify the destination VLAN for the packet. To create a VLAN:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 223 Interfaces Virtual LANs (VLANs) 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 224 The VLAN ID. The TCP header uses the VLAN ID to identify the destination VLAN for the packet. To create a VLAN using switchport mode:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 225 Interfaces Virtual LANs (VLANs) a. Click STP. b. Click Enable. c. For Forwarding delay, enter the number of seconds that the device will spend in each of the listening and learning states before the bridge begins forwarding data. The default is 2 seconds.
  • Page 226 Interfaces Virtual LANs (VLANs) b. Add the device: (config network vlan vlan1)> device /network/device/ (config network vlan vlan1)> 5. Set the VLAN ID: (config network vlan vlan1)> id value where value is an integer between 1 and 4095. 6. Save the configuration and apply the change: (config network vlan vlan1)>...
  • Page 227 Ethernet: Enabled Used by the model only) ETH2 Wi-Fi access ETH1 interface point: Digi Default Interface type Preconfigured interfaces Devices configuration You can modify configuration settings for the existing bridge, and you can create new bridges. This section contains the following topics:...
  • Page 228 Enable Spanning Tree Protocol (STP). To edit the preconfigured LAN bridge:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 229 5. Modify the list of devices that are a part of the bridge. By default, the LAN bridge includes the following devices: Ethernet: ETH2 Wi-Fi access point: Digi AP Note The MAC address of the bridge is taken from the first available device in the list.
  • Page 230 0 /network/device/eth2 1 /network/wireless/ap/digi_ap (config)> ii. Use the index number to delete the appropriate device. For example, to delete the Digi AP Wi-Fi access point from the bridge: (config)> del network bridge lan device 1 (config)> Note If you are deleting multiple devices from the bridge, the device index may be reordered after each deletion.
  • Page 231 Enable Spanning Tree Protocol (STP). To create a bridge:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
  • Page 232 Interfaces Bridging Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
  • Page 233 Interfaces Bridging 9. Click Apply to save the configuration and apply the change.    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 234 Interfaces Show SureLink status and statistics b. Add the appropriate device. For example, to add the Digi AP Wi-Fi access point: (config network bridge my_bridge)> add device end /network/wireless/ap/digi_ap (config)> Note The MAC address of the bridge is taken from the first available device in the list.
  • Page 235 Interfaces Show SureLink status and statistics 2. At the Admin CLI prompt, type: > show surelink state Test on network.interface.eth1.ipv6 with condition: one dns_configured (n); network.interface.eth1.ipv6; -> update_routing_table ACTION ATTEMPTS STATUS restart_interface 00/01 [FAILED] update_routing_table 00/01 Test on network.interface.modem.ipv4 with condition: all dns_configured (n);...
  • Page 236 Interfaces Show SureLink status and statistics Show SureLink status for a specific interface To show the SureLink status of a specific interface, use the show surelink interface name name command: 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 237 Interfaces Show SureLink status and statistics 3. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show SureLink status for a specific IPsec tunnel To show the SureLink status of a specific IPsec tunnel, use the show surelink ipsec tunnel name command:...
  • Page 238 Interfaces Show SureLink status and statistics 3. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show SureLink status for a specific OpenVPN client To show the SureLink status of a specific OpenVPN client, use the show surelink openvpn client name command:...
  • Page 239 Access: Provides socket level access to ports. Application: Provides access to the serial device from Python applications. RealPort: Used in conjunction with the Digi RealPort driver. serial: Provides access to the serial port using UDP. Modbus: Allows the device to function as a Modbus protocol gateway.
  • Page 240 Serial port Configure Login mode Stop bits: 1 Flow control: None Configure Login mode Login mode allows the user to log into the device through the serial port. To change the configuration to match the serial configuration of the device to which you want to connect: ...
  • Page 241 Serial port Configure Login mode b. Data bits: For Data bits, select the number of data bits used by the device to which you want to connect. The default is 8. c. Parity: For Parity, select the type of parity used by the device to which you want to connect.
  • Page 242 Serial port Configure Login mode 4. Set the mode: (config)> serial port1 mode login (config)> 5. (Optional) Set a label that will be used when referring to this port. (config)> serial port1 label label (config)> 6. Set the baud rate used by the device to which you want to connect: (config)>serial port1 baudrate rate (config)>...
  • Page 243 Serial port Configure Remote Access mode (config)>serial port1 logging filename string (config)> c. Set the maximum allowed log size for the serial port log when starting the log: (config)>serial port1 logging size value (config)> where value is the size of the log file in bytes. The default is 65536. d.
  • Page 244 Serial port Configure Remote Access mode 1. Log into the IX20 WebUI as a user with Admin access. 2. On the menu, click System. Under Configuration, click Serial Configuration. The Serial Configuration page is displayed. Note You can also configure the serial port by using Device Configuration > Serial. Changes made by using either Device Configuration or Serial Configuration will be reflected in both.
  • Page 245 Serial port Configure Remote Access mode 7. Click to expand Data Framing. a. Click Enable to enable the data framing feature. b. For Maximum Frame Count, enter the maximum size of the packet. The default is 1024. c. For Idle Time, enter the length of time the device should wait before sending the packet. d.
  • Page 246 Serial port Configure Remote Access mode To limit access to specified IPv4 addresses and networks: i. Click IPv4 Addresses. ii. For Add Address, click . iii. For Address, enter the IPv4 address or network that can access the device's service-type. Allowed values are: A single IP address or host name.
  • Page 247 Serial port Configure Remote Access mode To limit access based on firewall zones: i. Click Zones. ii. For Add Zone, click . iii. For Zone, select the appropriate firewall zone from the dropdown. Firewall configuration for information about firewall zones. iv.
  • Page 248 Serial port Configure Remote Access mode 12. Expand Logging Settings to configure logging for this serial port. a. To enable logging, click to toggle on Enable. b. In the Log file name field, enter a descriptive name for the log file. c.
  • Page 249 Serial port Configure Remote Access mode 6. Set the baud rate used by the device to which you want to connect: (config)>serial port baudrate rate (config)> 7. Set the number of data bits used by the device to which you want to connect: (config)>serial port databits bits (config)>...
  • Page 250 Serial port Configure Remote Access mode (config)>serial port1 history bytes (config) The default is 4000 bytes. d. Set the amount of time to wait before disconnecting due to user inactivity: (config)>serial port1 idle_timeout value (config) where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}.
  • Page 251 Serial port Configure Remote Access mode i. Set the string that, when received, will trigger the connection: (config)>serial port1 autoconnect match_string string (config)> ii. flush_string is enabled by default, which will discard the matched string from data sent to the server. To disable: (config)>serial port1 autoconnect flush_string false (config)>...
  • Page 252 Serial port Configure Remote Access mode h. Set the text to be transmitted to the remote server when the socket connects: (config)>serial port1 socketid string (config)> 14. (Optional) Configure data framing: a. Enable data framing: (config)>serial port1 framing enable true (config) b.
  • Page 253 Serial port Configure Remote Access mode (config)>serial port1 service ssh nodelay true (config)> v. (Optional) Configure access control: To limit access to specified IPv4 addresses and networks: (config)> add serial port1 service ssh acl address end value (config)> Where value can be: A single IP address or host name.
  • Page 254 Serial port Configure Remote Access mode (config)> Repeat this step to list additional interfaces. To limit access based on firewall zones: (config)> add serial port1 service ssh acl zone end value (config)> Where value is a firewall zone defined on your device, or the any keyword. Display a list of available firewall zones: Type ...
  • Page 255 Serial port Configure Remote Access mode iii. Enable TCP keep-alive messages: (config)>serial port1 service tcp keepalive true (config)> iv. Set the option that initiates the connection: (config)>serial port1 service tcp conn_type value (config)> where value is one of: tls_auth The default is tls. v.
  • Page 256 Serial port Configure Remote Access mode Where value is an interface defined on your device. Display a list of available interfaces: Use ... network interface ? to display interface information: (config)> ... network interface ? Interfaces Additional Configuration ------------------------------------------- defaultip Default IP defaultlinklocal Default Link-local IP...
  • Page 257 Serial port Configure Remote Access mode Repeat this step to include additional firewall zones. vii. (Optional) Enable Multicast DNS (mDNS): (config)>serial port1 service tcp mdns enable true (config)> c. Configure telnet settings: i. Enable Telnet: (config)>serial port1 service telnet enable true (config)>...
  • Page 258 Serial port Configure Remote Access mode Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config)> add serial port1 service telnet acl interface end value (config)>...
  • Page 259 Serial port Configure Remote Access mode edge external internal ipsec loopback setup (config)> Repeat this step to include additional firewall zones. vi. (Optional) Enable Multicast DNS (mDNS): (config)>serial port1 service telnet mdns enable true (config)> 16. Configure serial port logging: a.
  • Page 260 Serial port Configure Application mode (config)>serial port1 logging timestamp true (config)> 17. Save the configuration and apply the change: (config)> save Configuration saved. > 18. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 261 To change the configuration to match the serial configuration of the device to which you want to connect:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
  • Page 262 Serial port Configure PPP dial-in mode Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a.
  • Page 263 Serial port Configure PPP dial-in mode Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Idle timeout to ten minutes, enter 10m or 600s. 9. Click to expand PPP dial-in. 10.
  • Page 264 Serial port Configure PPP dial-in mode and phone # number 123. # The shell's 'read' builtin breaks on newline, so translate incoming carriage- # return to newline, and outgoing newline to carriage-return-newline. stty icrnl onlcr opost # Read input from the serial port, one line at a time. while read -r line;...
  • Page 265 Serial port Configure PPP dial-in mode 6. Set the baud rate used by the device to which you want to connect: (config)> serial port1 baudrate rate (config)> 7. Set the type of flow control used by the device to which you want to connect: (config)>...
  • Page 266 Serial port Configure PPP dial-in mode (config)> serial port1 ppp_dialin username username (config)> serial port1 ppp_dialin password password (config)> 12. Set the priority of routes associated with this interface. If there are multiple active routes that match a destination, then the route with the lowest metric will be used. (config)>...
  • Page 267 Serial port Configure PPP dial-in mode (config)> serial port1 ppp_dialin custom override true (config)> If override is not enabled, the custom PPP configuration file is used in addition to the default configuration. c. Paste or type the configuration data in the format of a pppd options file: (config)>...
  • Page 268 Serial port Configure UDP serial mode ATDT123) echo "CONNECT" # instruct the peer to start PPP exit 0 # start up the local PPP session AT*) echo "OK" # passively accept any other AT command esac done 16. Save the configuration and apply the change: (config)>...
  • Page 269 Serial port Configure UDP serial mode 3. Click to expand the port that you want to configure for UDP serial mode. The serial port is enabled by default. To disable, toggle off Enable. 4. For Mode, select UDP serial. The default is Remote. 5.
  • Page 270 Serial port Configure UDP serial mode iv. For End Pattern, enter the end pattern. The packet is sent when this pattern is received from the serial port. v. Click Strip End Pattern if you want to remove the end pattern from the packet before it is sent.
  • Page 271 Serial port Configure UDP serial mode To limit access to specified IPv4 addresses and networks: i. Click IPv4 Addresses. ii. For Add Address, click . iii. For Address, enter the IPv4 address or network that can access the device's service-type. Allowed values are: A single IP address or host name.
  • Page 272 Serial port Configure UDP serial mode A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the service-type. iv. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: i.
  • Page 273 Serial port Configure UDP serial mode 2. At the command line, type config to enter configuration mode: > config (config)> 3. The serial port is enabled by default. To disable: (config)> serial port1 enable false (config)> 4. Set the mode: (config)>...
  • Page 274 Serial port Configure UDP serial mode Allowed values are: none rts/cts xon/xoff The default is none. 11. (Optional) Configure data framing: a. Enable data framing: (config)>serial port1 framing enable true (config) b. Set the maximum size of the packet: (config)>serial port1 framing max_count int (config) The default is 1024.
  • Page 275 Serial port Configure UDP serial mode i. Add a destination: (config)> add serial port1 udp destination end (config serial port1 udp destination 0)> ii. (Optional) Enter a description of the destination: (config serial port1 udp destination 0)> description string (config serial port1 udp destination 0)> iii.
  • Page 276 Serial port Configure UDP serial mode To limit access to hosts connected through a specified interface on the IX20 device: (config)> add serial port1 udp acl interface end value (config)> Where value is an interface defined on your device. Display a list of available interfaces: Use ...
  • Page 277 Serial port Configure UDP serial mode loopback setup (config)> Repeat this step to include additional firewall zones. To limit access to specified IPv4 addresses and networks: (config)> add serial port1 udp acl address end value (config)> Where value can be: A single IP address or host name.
  • Page 278 Serial port Configure UDP serial mode (config)> Repeat this step to list additional interfaces. To limit access based on firewall zones: (config)> add serial port1 udp acl zone end value (config)> Where value is a firewall zone defined on your device, or the any keyword. Display a list of available firewall zones: Type ...
  • Page 279 Serial port Configure Modbus mode d. Specify the data type: (config)>serial port1 logging type value (config)> where value is one of: received transmitted both arrows. This is the default. e. Log the time at which data was received or transmitted: (config)>serial port1 logging hex true (config)>...
  • Page 280 Serial port Configure Modbus mode Note You can also configure the serial port by using Device Configuration > Serial. Changes made by using either Device Configuration or Serial Configuration will be reflected in both. 3. Click the name of the port that you want to configure. The serial port is enabled by default.
  • Page 281 Serial port Configure Modbus mode 2. At the command line, type config to enter configuration mode: > config (config)> 3. The serial port is enabled by default. To disable: (config)> serial port1 enable false (config)> 4. Set the mode: (config)> serial port1 mode modbus (config)>...
  • Page 282 Digi Navigator on your computer, the RealPort application is automatically installed as well. With Digi Navigator, you can set all serial ports on the device to RealPort mode, and then also enable the RealPort service. The COM ports on your laptop are also configured. These processes ensure that RealPort is configured on the device and on your computer.
  • Page 283 5. When the download is complete, click on the downloaded .exe file. The Digi Navigator Setup wizard displays. 6. Select which user(s) should be able to launch the Digi Navigator from this computer after it has been installed: Anyone who uses this computer (all users): Any user who logs into this computer can launch the Digi Navigator.
  • Page 284 Enter the user name and password for the device in the User name and Password fields. v. Click Submit. vi. The device you just added displays at the bottom of the Digi Navigator screen. You can click Refresh to update the screen until the device appears. 5. Configure RealPort on the device.
  • Page 285 RealPort from within the Digi Navigator. 1. Launch the Digi Navigator if it is not currently open. A list of devices that have RealPort enabled and configured displays in the RealPort Devices section at the bottom of the application screen.
  • Page 286 Item Description Filters Click Filters to display the types of filters that can be applied to Digi devices, services, and IP types. Device Filters: A list of the Digi device types displays. All types are disabled by default, and when all are disabled, all types are displayed.
  • Page 287 After you have enabled and configured RealPort on at least one Digi device, a list of configured devices displays at the bottom of the Digi Navigator. You can refresh the list and easily access the COM port configuration on your computer.
  • Page 288 Click Login. Filter devices for display in the Digi Navigator You can use the Digi Navigator filters to determine the types of Digi devices you want to display. Only the devices that are powered on and are discoverable are included.
  • Page 289 Advanced RealPort configuration without using the Digi Navigator Access Digi Remote Manager from the Digi Navigator You can access Digi Remote Manager from the Digi Navigator. Within the Remote Manager, you can configure and monitor your Digi devices. For information about using Digi Remote Manager, refer to the Digi Remote Manager User Guide.
  • Page 290 1. Navigate to the downloaded Realport .zip file. 2. Open the .zip file. 3. Click on setup.exe to launch the RealPort wizard. The Welcome to the Digi RealPort Setup Wizard screen displays. 4. If this is not the first time you have run the wizard, select the Add a New Device option. If this is the first time running the wizard, no options are available on the screen.
  • Page 291 Serial port Advanced RealPort configuration without using the Digi Navigator Step 2: Configure a RealPort connection on your laptop for your device 1. Follow the standard Windows process to access the Device Manager from your computer's operating system. 2. Select Multi-port Serial Adapters.
  • Page 292 Serial port Advanced RealPort configuration without using the Digi Navigator Configure the serial port for RealPort mode RealPort mode allows you to use Realport. To change the configuration to match the serial configuration of the device to which you want to connect: ...
  • Page 293 Serial port Advanced RealPort configuration without using the Digi Navigator a. To enable logging, click to toggle on Enable. b. In the Log file name field, enter a descriptive name for the log file. c. For Log file size, type the size of the log file. When the log file reaches the size limit, the current file is saved and a new file is created.
  • Page 294 Serial port Advanced RealPort configuration without using the Digi Navigator The default is rs-232. 5. Set a label that will be used when referring to this port. (config)> serial port1 label label (config)> 6. (Optional) Set a label that will be used when referring to this port.
  • Page 295 Serial port Show serial status and statistics 8. Save the configuration and apply the change: (config)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 296 Serial port Review the serial port message log 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 297 Serial port Review the serial port message log 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 298 Wi-Fi This chapter applies to the IX20W Wi-Fi enabled model only. This chapter contains the following topics: Wi-Fi configuration Configure the Wi-Fi radio's channel Configure the Wi-Fi radio to support DFS channels in client mode Configure the Wi-Fi radio's band and protocol Configure the Wi-Fi radio's transmit power Configure an open Wi-Fi access point Configure a Wi-Fi access point with personal security...
  • Page 299 Default access point SSID and password By default, the IX20W device has one access point enabled. The default SSID for the access points is: Digi-IX20W-serial_number The password for the default access point is the unique password as found on the device's label. See...
  • Page 300 Access point mode 802.11b/g/n Channel Automatic Channel width 20/40 MHz Beacon interval Access point: Default setting Name Digi AP Enabled or disabled Enabled SSID Digi-IX20W-serial_number SSID broadcast Enabled Encryption WPA2 Personal (PSK) Pre-shared key The unique password printed on the bottom label of the device.
  • Page 301 Not all Digi devices currently support 5 GHz. Before you try to use this feature, verify that your device supports 5 GHz.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 302 Wi-Fi Configure the Wi-Fi radio's channel 4. For Channel, select the channel. Only channels appropriate for the band are displayed. 5. Click Apply to save the configuration and apply the change.    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 303 Not all Digi devices currently support 5 GHz. Before you try to use this feature, verify that your device supports 5 GHz.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 304 Wi-Fi Configure the Wi-Fi radio to support DFS channels in client mode d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > WiFi. 4.
  • Page 305 Not all Digi devices currently support 5 GHz. Before you try to use this feature, verify that your device supports 5 GHz.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 306 Wi-Fi Configure the Wi-Fi radio's band and protocol 3. Click Network > WiFi. 4. For Frequency band, select either 2.4 GHz or 5 GHz. 5. For Access point mode, select the appropriate mode. Only modes appropriate for the selected band are displayed. 6.
  • Page 307 100 percent. You can configure the Wi-Fi radio to transmit at a lower power.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 308 Wi-Fi Configure the Wi-Fi radio's transmit power 3. Click Network > WiFi. 4. For Tx power percentage, type or select the appropriate percentage for the Wi-Fi radio's transmit power. 5. Click Apply to save the configuration and apply the change. ...
  • Page 309 The amount of time to wait before changing the group key. To configure a Wi-Fi access point with no security:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 310 Wi-Fi Configure an open Wi-Fi access point a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > WiFi > Access points. 4. Create a new access point or modify an existing access point: To create a new access point, for Add WiFi access point:, type a name for the access point and click .
  • Page 311 Wi-Fi Configure an open Wi-Fi access point 8. For Encryption, select one of the following: Open (Unencrypted) No encryption is used. WPA3 Enhanced Open (OWE) Uses Opportunistic Wireless Encryption (OWE) technology to provide encryption for Wi-Fi networks that do not use password protection.
  • Page 312 Wi-Fi Configure an open Wi-Fi access point 4. Set the SSID for the Wi-Fi access point. Up to 32 characters are allowed. (config network wifi ap new_AP)> ssid my_SSID (config network wifi ap new_AP)> SSID broadcasting is enabled by default for new access points. 5.
  • Page 313 (config)> network wifi ap ? Additional Configuration ------------------------------------------------------------------------ ------- digi_ap Digi AP (config)> 4. Set the SSID for the appropriate access point: (config)> network wifi ap digi_ap ssid my_SSID (config)> 5. SSID broadcasting is enabled by default for the preconfigured access points. If SSID broadcasting is disabled: (config)>...
  • Page 314 Wi-Fi Configure an open Wi-Fi access point none: No encryption is used. owe: Uses WPA3 Enhanced Open, which uses Opportunistic Wireless Encryption (OWE) technology to provide encryption for Wi-Fi networks that do not use password protection. Note Only select owe if you know that all Wi-Fi clients connecting to this device will have WPA3 capabilities.
  • Page 315 To configure a Wi-Fi access point to use personal security:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 316 Wi-Fi Configure a Wi-Fi access point with personal security a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > WiFi > Access points. 4. Create a new access point or modify an existing access point: To create a new access point, for Add WiFi access point:, type a name for the access point and click .
  • Page 317 Wi-Fi Configure a Wi-Fi access point with personal security 8. For Encryption, select one of the following: WPA Personal (PSK): All Wi-Fi clients must support WPA to be able to authenticate. WPA/WPA2 Personal (PSK): Wi-Fi clients that support WPA and WPA2 are able to authenticate.
  • Page 318 Wi-Fi Configure a Wi-Fi access point with personal security 3. Create a new access point: (config)> add network wifi ap new_AP (config network wifi ap new_AP)> New access points are enabled by default. 4. Set the SSID for the Wi-Fi access point. Up to 32 characters are allowed. (config network wifi ap new_AP)>...
  • Page 319 Wi-Fi Configure a Wi-Fi access point with personal security If type is set to psk2sae, key_type is key_psk2sae. If type is set to sae, key_type is key_sae. For example, if type is set to psk2sae, set key_psk2sae to the appropriate password: (config network wifi ap new_AP)>...
  • Page 320 (config)> network wifi ap ? Additional Configuration ------------------------------------------------------------------------ ------- digi_ap Digi AP (config)> 4. Set the SSID for the appropriate access point: (config)> network wifi ap digi_ap ssid my_SSID (config)> 5. SSID broadcasting is enabled by default for the preconfigured access points. If SSID broadcasting is disabled: (config)>...
  • Page 321 Wi-Fi Configure a Wi-Fi access point with enterprise security (config)> network wifi ap digi_ap isolate_client true (config)> See Isolate Wi-Fi clients for information about how to prevent clients connected to different access points from communicating with each other. 8. Set the password that clients will use when connecting to the access point: (config)>...
  • Page 322 To configure a Wi-Fi access point with WPA2 enterprise security:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 323 Wi-Fi Configure a Wi-Fi access point with enterprise security The Configuration window is displayed. 3. Click Network > WiFi > Access points. 4. Create a new access point or modify an existing access point: To create a new access point, for Add WiFi access point:, type a name for the access point and click .
  • Page 324 Wi-Fi Configure a Wi-Fi access point with enterprise security e. For RADIUS secret key, type the secret key as configured on the RADIUS server. f. To add additional RADIUS servers, click  10. (Optional) For Group rekey interval, type the amount of time to wait before changing the group key.
  • Page 325 Wi-Fi Configure a Wi-Fi access point with enterprise security 3. Create a new access point: (config)> add network wifi ap new_AP (config network wifi ap new_AP)> New access points are enabled by default. 4. Set the SSID for the Wi-Fi access point. Up to 32 characters are allowed. (config network wifi ap new_AP)>...
  • Page 326 Wi-Fi Configure a Wi-Fi access point with enterprise security (config network wifi ap new_AP encryption radius_servers 1)> host IP_address (config network wifi ap new_AP encryption radius_servers 1)> iii. Repeat for additional RADIUS servers. 8. (Optional) Set the amount of time to wait before changing the group key. The group key is shared by all clients of the access point, and after a client has disconnected, it will be able to use the group key to decrypt broadcast packets until the key is changed.
  • Page 327 (config)> network wifi ap ? Additional Configuration ------------------------------------------------------------------------ ------- digi_ap Digi AP (config)> 4. Set the SSID for the appropriate access point: (config)> network wifi ap digi_ap ssid my_SSID (config)> 5. SSID broadcasting is enabled by default for the preconfigured access points. If SSID broadcasting is disabled: (config)>...
  • Page 328 This section provides instructions for both mechanisms. Isolate clients connected to the same access point Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
  • Page 329 Wi-Fi Isolate Wi-Fi clients Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
  • Page 330 4. Create firewall filters to prevent traffic between the two firewall zones.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 331 3. Create a new access point. By default, the IX20W comes with one preconfigured access point, named Digi AP. In these instructions, we will use the existing Digi AP access point and create another new access point, named new_AP. a. Click Network > WiFi > Access points.
  • Page 332 Wi-Fi Isolate Wi-Fi clients d. Create a firewall filter to drop traffic from the Internal zone (used by the LAN1 interface) to the LAN2_isolation_zone: i. Click Firewall > Packet filtering. ii. For Add packet filter, click . iii. For Label, type Drop traffic from Internal to LAN2_isolation_zone. iv.
  • Page 333 Wi-Fi Isolate Wi-Fi clients a. Click Configuration > Network > Interfaces. b. For Add interface, type a name for the LAN and click . c. For Zone, select LAN2_isolation_zone. d. For Device, select the new Wi-Fi access point. e. Click to expand IPv4. f.
  • Page 334 Wi-Fi Isolate Wi-Fi clients psk2 wpa2: d. Complete other encryption-related fields as appropriate based on the type of encryption. See Configure an open Wi-Fi access point, Configure a Wi-Fi access point with personal security, or Configure a Wi-Fi access point with enterprise security for details.
  • Page 335 Wi-Fi Isolate Wi-Fi clients i. Add the new packet filter: (config firewall filter 1)> add .. 0 (config firewall filter 0)> ii. Set the label for the filter: (config firewall filter 0)> label "Drop traffic from Internal to LAN2_isolation_zone" (config firewall filter 0> iii.
  • Page 336 Wi-Fi Configure a Wi-Fi client and add client networks e. Set the IP address and subnet mask of the LAN: (config network interface LAN2)> ipv4 address address/mask (config network interface LAN2)> f. Enable the DHCP server: (config network interface LAN2)> ipv4 dhcp_server enable true (config network interface LAN2)>...
  • Page 337 To configure a Wi-Fi client:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 338 Wi-Fi Configure a Wi-Fi client and add client networks 3. Click Network > WiFi > Client mode connections. 4. For Add WiFi client:, type the name of the client and click . The Wi-Fi client configuration window is displayed. New Wi-Fi clients are enabled by default. To disable, toggle off Enable. 5.
  • Page 339 Wi-Fi Configure a Wi-Fi client and add client networks If PEAP is selected, identify the Username and Password. SCEP certificates: Simple Certificate Enrollment Protocol (SCEP) certificate management. If SCEP certificates is selected: Identify the Username. Select the SCEP Client. See Configure a Simple Certificate Enrollment Protocol client for information about SCEP clients.
  • Page 340 Wi-Fi Configure a Wi-Fi client and add client networks g. To add a channel, click Add Scan frequency and select the appropriate channel. 7. Click Apply to save the configuration and apply the change. After you configure a Wi-Fi client, you must assign the Wi-Fi client to a WAN. See Wide Area Networks (WANs) and Wireless Wide Area Networks (WWANs) for further information.
  • Page 341 Wi-Fi Configure a Wi-Fi client and add client networks sae: Uses WPA3 Personal mode. wpa2: WPA2 enterprise encryption. c. If the type of encryption is set to: psk, mixedpsk, psk2, psk2sae, or sae, set the password that the client will use to connect to the access point: (config network wifi client new_client)>...
  • Page 342 Wi-Fi Configure a Wi-Fi client and add client networks Format: SCEP_test_client SCEP_test_client1 Current value: (config network wifi client new_client)> ii. Set the SCEP client, for example: (config network wifi client new_client)> ssid 0 encryption scep_client SCEP_test_client (config network wifi client new_client)> See Configure a Simple Certificate Enrollment Protocol client for information about SCEP clients.
  • Page 343 Wi-Fi Configure a Wi-Fi client and add client networks Background scanning allows the device to scan for nearby access points and to move between access points that have the same SSID that is configured for the client connection, based on the signal strength of the access points.
  • Page 344 Wi-Fi Configure a Wi-Fi client and add client networks 2412 MHz 2437 MHz 2462 MHz You can delete the preconfigured frequencies and add additional frequencies. At least one frequency is required. f. To delete a preconfigured frequency: i. Use the show command to determine the index number of the channel to be deleted: (config network wifi client new_client)>...
  • Page 345 Wi-Fi Show Wi-Fi access point status and statistics (config network wifi client new_client)> add background_scanning scan_freq end 2457 (config network wifi client new_client)> 6. Save the configuration and apply the change: (config network wireless client new_client)> save Configuration saved. > 7.
  • Page 346 Wi-Fi Show Wi-Fi client status and statistics 3. To view information about both active and inactive access points, include the all parameter: > show wifi ap all Enabled Status SSID BSSID -------- ------- ------ ------------- ----------------- my_AP true my_SSID 01:41:D1:14:36:37 digi_ap true Digi2...
  • Page 347 Wi-Fi Show Wi-Fi client status and statistics 1. Log into the IX20 WebUI as a user with Admin access. 2. On the main menu, click Status. 3. Under Connections, click Wi-Fi > Clients.    Command line Show summary of Wi-Fi clients To show the status and statistics for Wi-Fi client, use the show wifi client command.
  • Page 348 Wi-Fi Show Wi-Fi client status and statistics Channel : 48 Radio : wifi1 TX Power : 23 Link Quality : 67/70 BSSID : 6D:B9:DD:BD:EE:C4 >...
  • Page 349 Routing This chapter contains the following topics: IP routing Show the routing table Dynamic DNS Virtual Router Redundancy Protocol (VRRP)...
  • Page 350 Routing IP routing IP routing The IX20 device uses IP routes to decide where to send a packet it receives for a remote network. The process for deciding on a route to send the packet is as follows: 1. The device examines the destination IP address in the IP packet, and looks through the IP routing table to find a match for it.
  • Page 351 The Maximum Transmission Units (MTU) of network packets using this route. To configure a static route:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 352 Routing IP routing 3. Click Network > Routes > Static routes. 4. Click the  to add a new static route. The new static route configuration page is displayed: New static route configurations are enabled by default. To disable, toggle off Enable. 5.
  • Page 353 Routing IP routing Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: > config (config)> 3. Add a new static route: (config)>...
  • Page 354 Type quit to disconnect from the device. Delete a static route    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 355 Routing IP routing a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Routes > Static routes. 4. Click the menu icon (...) for a static route and select Delete. 5.
  • Page 356 Routing IP routing enable true gateway 192.168.5.1 interface /network/interface/lan2 label new_static_route_1 metric 0 mtu 0 (config)> 4. Use the index number to delete the static route: (config)> del network route static 0 (config)> 5. Save the configuration and apply the change: (config)>...
  • Page 357 To configure a routing policy:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 358 Routing IP routing 3. Click Network > Routes > Policy-based routing. 4. Click the  to add a new route policy. The new route policy page is displayed: New route policies are enabled by default. To disable, toggle off Enable. 5.
  • Page 359 Routing IP routing IPv6 address: Matches the source IP address to the specified IP address or network. Use the format IPv6_address[/prefix_length], or use any to match any IPv6 address. MAC address: Matches the source MAC address to the specified MAC address. 12.
  • Page 360 Routing IP routing New route policies are enabled by default. To disable: (config network route policy 0)> enable false (config network route policy 0)> 4. (Optional) Set the label that will be used to identify this route policy: (config network route policy 0)> label "New route policy" (config network route policy 0)>...
  • Page 361 Routing IP routing any: All protocols are matched. tcp: Source and destination ports are matched: a. Set the source port: (config network route policy 0)> src_port value (config network route policy 0)> where value is the port number, or the keyword any to match any port as the source port.
  • Page 362 Routing IP routing Zone: Match the IP address to the specified firewall zone. Format: dynamic_routes edge external internal ipsec loopback setup Default value: any Current value: any (config network route policy 0)> src zone b. Set the zone. For example: (config network route policy 0)>...
  • Page 363 Routing IP routing where value uses the format IPv4_address[/netmask], or any to match any IPv4 address. address6: Matches the source IPv6 address to the specified IP address or network. Set the address that will be matched: (config network route policy 0)> src address6 value (config network route policy 0)>...
  • Page 364 Routing IP routing a. Use the ? to determine available interfaces: (config network route policy 0)> dst interface ? Interface: The network interface. Format: /network/interface/defaultip /network/interface/defaultlinklocal /network/interface/eth1 /network/interface/eth2 /network/interface/loopback Current value: (config network route policy 0)> dst interface b. Set the interface. For example: (config network route policy 0)>...
  • Page 365 This example routes traffic to a specific IP address to go through the cellular WWAN interface, while all other traffic uses the Ethernet WAN interface.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 366 Routing IP routing 4. Click the  to add a new route policy. 5. For Label, type Route through cellular. 6. For Interface, select Modem. 7. Configure the source address: a. Click to expand Source address. b. For Type, select Zone. c.
  • Page 367 Routing IP routing 3. Create the route policy: a. Add a new routing policy: (config)> add network route policy end (config network route policy 0)> b. Set the label that will be used to identify this route policy: (config network route policy 0)> label "Route through cellular" (config network route policy 0)>...
  • Page 368 Routing IP routing    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 369 Routing IP routing 4. Click the  to add a new route policy. 5. For Label, type Domain-based policy. 6. For Interface, select ETH1. 7. Configure the source address: a. Click to expand Source address. b. For Type, select Zone. c.
  • Page 370 Routing IP routing 9. Click Apply to save the configuration and apply the change.    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 371 MAC address, while all other client devices are routed through the Ethernet WAN.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 372 Routing IP routing a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Create new firewall zones: a. Create a firewall zone named CellularWAN with Source NAT enabled: i. Click Firewall > Zones. ii.
  • Page 373 Routing IP routing b. Configure the Ethernet WAN interface: i. Click Network > Interfaces > ETH1. ii. For Zone, select EthernetWAN. 5. Configure the policy-based route for traffic from the client device that will be sent over the cellular WAN: a.
  • Page 374 Routing IP routing 6. Create a packet filtering rule that rejects all other LAN packets on the cellular WAN interface. a. Click Firewall > Packet filtering. b. Click the  to add a new packet filtering rule. c. For Label, type Reject LAN traffic to cellular WAN. d.
  • Page 375 Routing IP routing b. Create second firewall zone named EthernetWAN with Source NAT enabled: i. Type .. to move back one node in the configuration: (config firewall zone CellularWAN)> .. (config firewall zone)> ii. Create the firewall zone: (config firewall zone)> add EthernetWAN (config firewall zone EthernetWAN)>...
  • Page 376 Routing IP routing d. Configure the source as the MAC address of the VoIP phone: i. Set the source type to mac: (config network route policy 0)> src type mac (config network route policy 0)> ii. Set the MAC address to the MAC address of the VoIP phone: (config network route policy 0)>...
  • Page 377 Enable routing services. Enable and configure the types of routing services that will be used. Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights....
  • Page 378 Routing IP routing 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
  • Page 379 Routing IP routing 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 380 Show the routing table To display the routing table:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 381 Routing Show the routing table The Configuration window is displayed. 3. Click Status > Routes. The Network Routing window is displayed. 4. Click IPv4 Load Balance to view IPv4 load balancing. 5. Click IPv6 Load Balance to view IPv6 load balancing. ...
  • Page 382 Routing Dynamic DNS IPv4 Route Load Balance (%) ---------- ---------------- eth1 75.0 modem 25.0 IPv6 Route Load Balance (%) ---------- ---------------- eth1 75.0 modem 25.0 > You can limit the display to only IPv4 entries by using show route ipv4, or to IPv6 entries by using show route ipv6.
  • Page 383 The number of times to retry a failed IP address update.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 384 Routing Dynamic DNS New Dynamic DNS configurations are enabled by default. To disable, toggle off Enable. 5. For Interface, select the interface that has its IP address registered with the Dynamic DNS provider. 6. For Service, select the Dynamic DNS provider, or select custom to enter a custom URL for the Dynamic DNS provider.
  • Page 385 Routing Dynamic DNS Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: > config (config)> 3. Add a new Dynamic DNS instance. For example, to add an instance named new_ddns_ instance: (config)>...
  • Page 386 Routing Dynamic DNS dnsdynamic.org Default value: custom Current value: custom (config network ddns new_ddns_instance)> service b. Set the service: (config network ddns new_ddns_instance)> service service_name (config network ddns new_ddns_instance)> 6. If custom is configured for service, set the custom URL that should be used to update the IP address with the Dynamic DNS provider: (config network ddns new_ddns_instance)>...
  • Page 387 Routing Virtual Router Redundancy Protocol (VRRP) where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set force_interval to ten minutes, enter either 10m or 600s: (config network ddns new_ddns_instance)> force_interval 600s (config network ddns new_ddns_instance)>...
  • Page 388 VRRP priority of devices based on the status of their network connectivity. Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 389 Routing Virtual Router Redundancy Protocol (VRRP) a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > VRRP. 4. For Add VRRP instance, type a name for the VRRP instance and click . The new VRRP instance configuration is displayed.
  • Page 390 Routing Virtual Router Redundancy Protocol (VRRP) 9. (Optional) For Password, type a password that will be used to authenticate this VRRP router with VRRP peers. If the password length exceeds 8 characters, it will be truncated to 8 characters. 10. Configure the virtual IP addresses associated with this VRRP instance: a.
  • Page 391 Routing Virtual Router Redundancy Protocol (VRRP) Current value: (config network vrrp VRRP_test)> interface b. Set the interface, for example: (config network vrrp VRRP_test)> interface /network/interface/eth2 (config network vrrp VRRP_test)> c. Repeat for additional interfaces. 6. Set the router ID. The Router ID must be the same on all VRRP devices that participate in the same VRRP device pool.
  • Page 392 SureLink tests.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 393 Routing Virtual Router Redundancy Protocol (VRRP) a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > VRRP. 4. Create a new VRRP instance, or click to expand an existing VRRP instance. See Configure VRRP for information about creating a new VRRP instance.
  • Page 394 Routing Virtual Router Redundancy Protocol (VRRP) 9. For Priority modifier, type or select the amount that the device's priority should be decreased due to SureLink connectivity failure, and increased when SureLink succeeds again. Along with the priority settings for devices in this VRRP pool, the amount entered here should be large enough to automatically demote a master device when SureLink connectivity fails.
  • Page 395 Click to expand Test targets > Test target. v. Configure the test target. For example, to configure SureLink to verify internet connectivity on the LAN by pinging https://remotemanager.digi.com: i. For Test Type, select Ping test. ii. For Ping host, type https://remotemanager.digi.com.
  • Page 396 Routing Virtual Router Redundancy Protocol (VRRP) 3. Create a new VRRP instance, or edit an existing one. See Configure VRRP for information about creating a new VRRP instance. 4. Enable VRRP+: (config)> network vrrp VRRP_test vrrp_plus enable true (config)> 5. Add interfaces to monitor. Generally, this will be a cellular or WAN interface. a.
  • Page 397 Routing Virtual Router Redundancy Protocol (VRRP) 8. Configure the VRRP interface: a. Configure the VRRP interface's DHCP server to use a custom gateway that corresponds to one of the VRRP virtual IP addresses: i. Set the DHCP server gateway type to custom: (config)>...
  • Page 398 Routing Virtual Router Redundancy Protocol (VRRP) (config)> network interface eth2 ipv4 surelink interval 5s (config)> iv. Create a SureLink test target: (config)> add network interface eth2 ipv4 surelink target end (config network interface eth2 ipv4 surelink target 0)> v. Configure the type of test for the test target: (config network interface eth2 ipv4 surelink target 0)>...
  • Page 399 Routing Virtual Router Redundancy Protocol (VRRP) (Optional) Set the amount of time that the interface can be down before this test is considered to have failed: (config network interface eth2 ipv4 surelink target 0)> interface_down_time value (config network interface eth2 ipv4 surelink target 0)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}.
  • Page 400 Configure device one (master device)    Web Task 1: Configure VRRP on device one 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 401 Routing Virtual Router Redundancy Protocol (VRRP) 3. Click Network > VRRP. 4. For Add VRRP instance, type a name for the VRRP instance and click . The new VRRP instance configuration is displayed. 5. Click Enable. 6. For Interface, select Interface: ETH2. 7.
  • Page 402 Routing Virtual Router Redundancy Protocol (VRRP) 4. Click  to add an interface for monitoring. 5. Select Interface: Modem. 6. For Priority modifier, type 30. Task 3: Configure the IP address for the VRRP interface, ETH2, on device one 1. Click Network > Interfaces > ETH2 > IPv4 2.
  • Page 403 Routing Virtual Router Redundancy Protocol (VRRP) 2. At the command line, type config to enter configuration mode: > config (config)> 3. Create the VRRP instance: (config)> add network vrrp VRRP_test (config network vrrp VRRP_test)> 4. Enable the VRRP instance: (config network vrrp VRRP_test)> enable true (config network vrrp VRRP_test)>...
  • Page 404 Configure device two (backup device)    Web Task 1: Configure VRRP on device two 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 405 Routing Virtual Router Redundancy Protocol (VRRP) b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > VRRP. 4.
  • Page 406 Routing Virtual Router Redundancy Protocol (VRRP) 10. Click  to add a virtual IP address. 11. For Virtual IP, type 192.168.3.3. Task 2: Configure VRRP+ on device two 1. Click to expand VRRP+. 2. Click Enable. 3. Click to expand Monitor interfaces. 4.
  • Page 407 Routing Virtual Router Redundancy Protocol (VRRP) 6. For Ping host, type https://remotemanager.digi.com. Task 5: Configure the DHCP server for ETH2 on device two 1. Click to expand Network > Interfaces > ETH2 > IPv4 > DHCP Server 2. For Lease range start, type 200.
  • Page 408 Routing Virtual Router Redundancy Protocol (VRRP) 3. Create the VRRP instance: (config)> add network vrrp VRRP_test (config network vrrp VRRP_test)> 4. Enable the VRRP instance: (config network vrrp VRRP_test)> enable true (config network vrrp VRRP_test)> 5. Set the VRRP interface to ETH2: (config network vrrp VRRP_test)>...
  • Page 409 (config network interface eth2 ipv4 surelink target 0)> test ping (config network interface eth2 ipv4 surelink target 0)> 4. Set https://remotemanager.digi.com as the hostname to ping: (config network interface eth2 ipv4 surelink target 0)> ping_host https://remotemanager.digi.com (config network interface eth2 ipv4 surelink target 0)>...
  • Page 410 This section describes how to display VRRP status and statistics for an IX20 device. VRRP status is available from the Web UI only. Web: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 411 Routing Virtual Router Redundancy Protocol (VRRP) 3. Click Status > VRRP. The Virtual Router Redundancy Protocol window is displayed. Command line: 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 412 Routing Virtual Router Redundancy Protocol (VRRP) ---- Virtual IP address(es) : 10.10.10.1, 100.100.100.1 Current State : Master Current Priority : 100 Last Transition : Tue Jan 1 00:00:39 2019 Became Master Released Master Adverts Sent : 71 Adverts Received Priority Zero Sent Priority zero Received : 0 >...
  • Page 413 Virtual Private Networks (VPN) Virtual Private Networks (VPNs) are used to securely connect two private networks together so that devices can connect from one network to the other using secure channels. This chapter contains the following topics: IPsec OpenVPN Generic Routing Encapsulation (GRE) Dynamic Multipoint VPN (DMVPN) L2TP L2TPv3 Ethernet...
  • Page 414 Virtual Private Networks (VPN) IPsec IPsec IPsec is a suite of protocols for creating a secure communication link—an IPsec tunnel—between a host and a remote IP network or between two IP networks across a public network such as the Internet. IPsec data protection IPsec protects the data being sent across a public network by providing the following: Data origin authentication...
  • Page 415 Virtual Private Networks (VPN) IPsec Main mode Main mode is the default mode. It is slower than aggressive mode but more secure, because all sensitive information sent between the device and its peer is encrypted. Aggressive mode Aggressive mode is faster than main mode but less secure, because the device and its peer exchange their IDs and hash information in clear text rather than encrypted.
  • Page 416 Virtual Private Networks (VPN) IPsec Required configuration items IPsec tunnel configuration items: A name for the tunnel. Note If the tunnel name is more than eight characters, the name will be truncated in the underlying network interface to the first six characters followed by three digits, incrementing from 000.
  • Page 417 Web: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 418 Virtual Private Networks (VPN) IPsec 3. Click VPN > IPsec. 4. Click to expand Tunnels. 5. For Add IPsec tunnel, type a name for the tunnel and click the add icon. The new IPsec tunnel configuration is displayed. 6. The IPsec tunnel is enabled by default. To disable, toggle off Enable. 7.
  • Page 419 Virtual Private Networks (VPN) IPsec a. Click to expand Firewall > Packet filtering. b. For Add packet filter, click the add icon. c. For Label, type Allow incoming IPsec traffic. d. For Source zone, select IPsec. Leave all other fields at their default settings. 10.
  • Page 420 Virtual Private Networks (VPN) IPsec ii. For Remote key, type the remote pre-shared key. This must be the same as the local key on the remote host. RSA signature: Uses a private RSA key to authenticate with the remote peer. i. For Private key, paste the device's private RSA key in PEM format. ii.
  • Page 421 Virtual Private Networks (VPN) IPsec 19. Click to expand Local endpoint. a. For Type, select either: Default route: Uses the same network interface as the default route. Interface: Select the Interface to be used as the local endpoint. b. Click to expand ID. i.
  • Page 422 Virtual Private Networks (VPN) IPsec i. Click the add icon next to Add Hostname. ii. For Hostname, type a hostname or IPv4 address. If your device is not configured to initiate the IPsec connection (see IKE > Initiate connection), you can also use the keyword any, which means that the hostname is dynamic or unknown.
  • Page 423 Virtual Private Networks (VPN) IPsec b. Click to expand Local traffic selector. c. For Type, select one of the following: Address: The address of a local network interface. For Address, select the appropriate interface. Network: The subnet of a local network interface. For Address, select the appropriate interface.
  • Page 424 Virtual Private Networks (VPN) IPsec i. For Port, type the port matching criteria. Allowed values are a port number, a range of port numbers, or any. 22. Click to expand IKE. a. For IKE version, select either IKEv1 or IKEv2. This setting must match the peer's IKE version.
  • Page 425 Virtual Private Networks (VPN) IPsec h. For Lifetime margin, enter a randomizing amount of time before the IPsec tunnel is renegotiated. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Lifetime margin to ten minutes, enter 10m or 600s. i.
  • Page 426 Virtual Private Networks (VPN) IPsec Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: > config (config)> 3.
  • Page 427 Virtual Private Networks (VPN) IPsec a. Type ... to move to the root of the configuration: (config vpn ipsec tunnel ipsec_example)> ... (config)> b. Add a packet filter: (config)> add firewall filter end (config firewall filter 2)> c. Set the label to Allow incoming IPsec traffic: (config firewall filter 2)>...
  • Page 428 Virtual Private Networks (VPN) IPsec 9. (Optional) Set the management priority for this IPsec tunnel: (config vpn ipsec tunnel ipsec_example)> mgmt value (config vpn ipsec tunnel ipsec_example)> where value is any integer between 0 and 1000. 10. Set the authentication type: (config vpn ipsec tunnel ipsec_example)>...
  • Page 429 Virtual Private Networks (VPN) IPsec x509: Uses private key and X.509 certificates to authenticate with the remote peer. a. For the private_key parameter, paste the device's private RSA key in PEM format: (config vpn ipsec tunnel ipsec_example)> auth private_key key (config vpn ipsec tunnel ipsec_example)> b.
  • Page 430 Virtual Private Networks (VPN) IPsec c. Set the XAUTH client password: (config vpn ipsec tunnel ipsec_example)> xauth_client password pwd (config vpn ipsec tunnel ipsec_example)> 12. (Optional) Enable MODECFG client functionality: MODECFG client functionality configures the device to receive configuration information, such as the private IP address, from the remote peer.
  • Page 431 Virtual Private Networks (VPN) IPsec Set an IPv6 formatted ID. This can be a fully-qualified domain name or an IPv6 address. (config vpn ipsec tunnel ipsec_example)> local id type ipv6_id (config vpn ipsec tunnel ipsec_example)> rfc822: The ID will be interpreted as an RFC822 (email address). Set the ID in internet email address format: (config vpn ipsec tunnel ipsec_example)>...
  • Page 432 Virtual Private Networks (VPN) IPsec c. Set the ID type: (config vpn ipsec tunnel ipsec_example)> remote id type value (config vpn ipsec tunnel ipsec_example)> where value is one of: auto: The ID will be automatically determined from the value of the tunnel's endpoints.
  • Page 433 Virtual Private Networks (VPN) IPsec mac_address: The device's MAC address will be used for the Key ID and sent as an ID_KEY_ID IKE identity. serial_number: The device's serial number will be used for the Key ID and sent as an ID_KEY_ID IKE identity. 15.
  • Page 434 Virtual Private Networks (VPN) IPsec (config vpn ipsec tunnel ipsec_example)> ike phase1_lifetime value (config vpn ipsec tunnel ipsec_example)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set phase1_lifetime to ten minutes, enter either 10m or 600s: (config vpn ipsec tunnel ipsec_example)>...
  • Page 435 Virtual Private Networks (VPN) IPsec where value is one of: 3des aes128 aes128gcm128 aes128gcm64 aes128gcm96 aes192 aes192gcm128 aes192gcm64 aes192gcm96 aes256 aes256gcm128 aes256gcm64 aes256gcm96 null The default is 3des. iii. Set the type of hash to use during phase 1 to verify communication integrity: (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)>...
  • Page 436 Virtual Private Networks (VPN) IPsec (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> dh_group value (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)> The default is modp2048. v. (Optional) Add additional phase 1 proposals: i. Move back one level in the schema: (config vpn ipsec tunnel ipsec_example ike phase1_proposal 0)>...
  • Page 437 Virtual Private Networks (VPN) IPsec aes192gcm96 aes256 aes256gcm128 aes256gcm64 aes256gcm96 null The default is 3des. iv. Set the type of hash to use during phase 2 to verify communication integrity: (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)> hash value (config vpn ipsec tunnel ipsec_example ike phase2_proposal 0)>...
  • Page 438 Virtual Private Networks (VPN) IPsec (config vpn ipsec tunnel ipsec_example ike phase2_proposal)> add end (config vpn ipsec tunnel ipsec_example ike phase2_proposal 1)> Repeat the above steps to set the type of encryption, hash, and Diffie-Hellman group for the additional proposal. iii.
  • Page 439 Virtual Private Networks (VPN) IPsec 18. Configure policies that define the network traffic that will be encapsulated by this tunnel: a. Change to the root of the configuration schema: (config vpn ipsec tunnel ipsec_example nat 0)> ... (config)> b. Add a policy: (config)>...
  • Page 440 Virtual Private Networks (VPN) IPsec Format: defaultip defaultlinklocal eth1 eth2 loopback Current value: (config vpn ipsec tunnel ipsec_example policy 0)> local network ii. Set the interface. For example: (config vpn ipsec tunnel ipsec_example policy 0)> local network eth1 (config vpn ipsec tunnel ipsec_example policy 0)> custom: A user-defined network.
  • Page 441 Virtual Private Networks (VPN) IPsec other: Matches an unlisted protocol. If other is used, set the number of the protocol: (config vpn ipsec tunnel ipsec_example policy 0)> local protocol_other int (config vpn ipsec tunnel ipsec_example policy 0)> Allowed values are an integer between 1 and 255. f.
  • Page 442 Virtual Private Networks (VPN) IPsec Parameters Current Value --------------------------------------------------------------------- --------- debug none Debug level ike_fragment_size 1280 Maximum IKE fragment size ike_retransmit_tries IKE retransmit tries keep_alive NAT keep alive time Additional Configuration --------------------------------------------------------------------- ---------- connection_retry_timeout Connection retry timeout connection_try_interval Connection try interval ike_timeout IKE timeout (config)>...
  • Page 443 Virtual Private Networks (VPN) IPsec Configure IPsec failover There are two methods to configure the IX20 device to fail over from a primary IPsec tunnel to a backup tunnel: SureLink active recovery—You can use SureLink along with the IPsec tunnel's metric to configure two or more tunnels so that when the primary tunnel is determined to be inactive by SureLink, a secondary tunnel can begin serving traffic that the primary tunnel was serving.
  • Page 444 Virtual Private Networks (VPN) IPsec Metric: 20 Local endpoint > Interface: ETH2 Remote endpoint > Hostname: 192.168.10.1 In this configuration: 1. Tunnel_1 will normally be used for traffic destined for the 192.168.10.1 endpoint. 2. If pings to 192.168.10.2 fail, SureLink will shut down the tunnel and renegotiate its IPsec connection.
  • Page 445 Virtual Private Networks (VPN) IPsec 1. Configure the primary IPsec tunnel. See Configure an IPsec tunnel for instructions. During configuration of the IPsec tunnel, set the metric to a low value (for example, 10): (config vpn ipsec tunnel IPsecFailoverPrimaryTunnel)> metric 10 (config vpn ipsec tunnel IPsecFailoverPrimaryTunnel)>...
  • Page 446 To configure the IX20 device to regularly probe the IPsec connection: Web: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager:...
  • Page 447 Virtual Private Networks (VPN) IPsec a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
  • Page 448 Virtual Private Networks (VPN) IPsec 7. (Optional) Change the Test interval between connectivity tests. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Interval to ten minutes, enter 10m or 600s. The default is 15 minutes.
  • Page 449 Virtual Private Networks (VPN) IPsec The Interface address. The Interface DNS server. Ping payload size: The number of bytes to send as part of the ping payload. DNS test: Performs a DNS query to the named DNS server. If DNS test is selected, complete the following: DNS server: The IP address of the DNS server.
  • Page 450 Virtual Private Networks (VPN) IPsec Test interface: The interface to test. IP version: The type of IP connection, one of: Any: Either the IPv4 or IPv6 connection must be up. Both: Both the IPv4 and IPv6 connections must be up. IPv4: The IPv4 connection must be up.
  • Page 451 Virtual Private Networks (VPN) IPsec Attempts: The number of attempts for this recovery action to perform, before moving to the next recovery action. Override wait interval before performing the next recovery action: The time to wait before the next test is run. If set to the default value of 0s, the Test interval is used.
  • Page 452 Virtual Private Networks (VPN) IPsec Override wait interval before performing the next recovery action: The time to wait before the next test is run. If set to the default value of 0s, the Test interval is used. f. Repeat for each additional recovery action. 13.
  • Page 453 Virtual Private Networks (VPN) IPsec 4. Enable SureLink: (config vpn ipsec tunnel ipsec_example)> surelink enable true (config vpn ipsec tunnel ipsec_example)> 5. By default, the Test DNS servers configured for this interface test is automatically configured and enabled. This tests communication with DNS servers that are either provided by DHCP, or statically configured for this interface.
  • Page 454 Virtual Private Networks (VPN) IPsec interface_gateway. If set, an initial traceroute is sent to the hostname or IP address configured in the SureLink advanced settings, and then the first hop in that route is used for the ping test. interface_address. interface_dns: The interface's DNS server.
  • Page 455 Virtual Private Networks (VPN) IPsec Set the amount of time to wait for the interface to connect for the first time before the test is considered to have failed. (config vpn ipsec tunnel ipsec_example surelink tests 1)> interface_timeout value (config vpn ipsec tunnel ipsec_example surelink tests 1)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}.
  • Page 456 Virtual Private Networks (VPN) IPsec /network/interface/defaultip /network/interface/defaultlinklocal /network/interface/eth1 /network/interface/eth2 /network/interface/loopback Current value: (config vpn ipsec tunnel ipsec_example surelink tests 1)> other_interface ii. Set the interface. For example: (config vpn ipsec tunnel ipsec_example surelink tests 1)> other_interface /network/interface/eth1 (config vpn ipsec tunnel ipsec_example surelink tests 1)> Set the type of IP connection: (config vpn ipsec tunnel ipsec_example surelink tests 1)>...
  • Page 457 Virtual Private Networks (VPN) IPsec c. New actions are enabled by default. To disable: (config vpn ipsec tunnel ipsec_example surelink actions 0)> enable false (config vpn ipsec tunnel ipsec_example surelink actions 0)> d. Create a label for the action: (config vpn ipsec tunnel ipsec_example surelink actions 0)> label string (config vpn ipsec tunnel ipsec_example surelink actions 0)>...
  • Page 458 Virtual Private Networks (VPN) IPsec where value is one of: update_routing_table: Increases the interface's metric to change the default gateway. If update_routing_table is selected, complete the following: Set the number of attempts for this recovery action to perform, before moving to the next recovery action: (config vpn ipsec tunnel ipsec_example surelink actions 0)>...
  • Page 459 Virtual Private Networks (VPN) IPsec Set the number of attempts for this recovery action to perform, before moving to the next recovery action: (config vpn ipsec tunnel ipsec_example surelink actions 0)> max_attempts int (config vpn ipsec tunnel ipsec_example surelink actions 0)> The default is 3.
  • Page 460 Virtual Private Networks (VPN) IPsec reboot_device. If reboot_device is selected, complete the following: Set the number of attempts for this recovery action to perform, before moving to the next recovery action: (config vpn ipsec tunnel ipsec_example surelink actions 0)> max_attempts int (config vpn ipsec tunnel ipsec_example surelink actions 0)>...
  • Page 461 Virtual Private Networks (VPN) IPsec b. Set the test interval between connectivity tests: (config)> vpn ipsec tunnel ipsec_example surelink interval value (config)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set interval to ten minutes, enter either 10m or 600s: (config)>...
  • Page 462 Virtual Private Networks (VPN) IPsec where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set delayed_start to ten minutes, enter either 10m or 600s: (config)> vpn ipsec tunnel ipsec_example surelink advanced delayed_start 600s (config)>...
  • Page 463 Virtual Private Networks (VPN) IPsec 1. Log into the IX20 WebUI as a user with Admin access. 2. On the menu, select Status > IPsec. The IPsec page appears. 3. To view configuration details about an IPsec tunnel, click the configuration icon in the upper right of the tunnel's status pane.
  • Page 464 Virtual Private Networks (VPN) IPsec 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 465 Virtual Private Networks (VPN) IPsec Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: > config (config)> 3.
  • Page 466 Virtual Private Networks (VPN) IPsec Web: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 467 Virtual Private Networks (VPN) IPsec 5. Click Enable to enable the SCEP client. 6. For Maximum Polling Time, type the maximum time that the device will poll the SCEP server, when operating in manual mode. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}.
  • Page 468 Virtual Private Networks (VPN) IPsec 14. For Path, type the HTTP URL path required for accessing the certificate authority. You should leave this option at the default of /cgi-bin/pkiclient.exe unless directed by the CA to use another path. 15. For Password, type the challenge password as configured on the SCEP server. 16.
  • Page 469 Virtual Private Networks (VPN) IPsec 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 470 Virtual Private Networks (VPN) IPsec (config network scep_client scep_client_name)> distinguished_name c value (config network scep_client scep_client_name)> c. Set the State or Province: (config network scep_client scep_client_name)> distinguished_name st value (config network scep_client scep_client_name)> d. Set the Locality: (config network scep_client scep_client_name)> distinguished_name l value (config network scep_client scep_client_name)>...
  • Page 471 Virtual Private Networks (VPN) IPsec c. If type is set to url, set the URL that should be used: (config network scep_client scep_client_name)> crl url value (config network scep_client scep_client_name)> 11. Configure certificate renewal: a. To enable the creation of a new private key for renewal requests: (config network scep_client scep_client_name)>...
  • Page 472 Virtual Private Networks (VPN) IPsec 15. Set the number of days that the certificate enrollment can be renewed, prior to the request expiring. This value is configured on the SCEP server, and is used by the IX20 device to determine when to start attempting to auto-renew an existing certificate. The default is 7. (config network scep_client scep_client_name)>...
  • Page 473 IX20 configuration On the IX20 device: Web: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 474 Virtual Private Networks (VPN) IPsec The Configuration window is displayed. 3. Click Network > SCEP Client. 4. For Add clients, enter a name for the SCEP client and click the add icon. The new SCEP client configuration is displayed. 5. Click Enable to enable the SCEP client. 6.
  • Page 475 Virtual Private Networks (VPN) IPsec 10. For Password, type the challenge password. This corresponds to the Default enrollment password on the Fortinet server. 11. Click to expand Distinguished Name. 12. Type the value for each appropriate Distinguished Name attribute. The values entered here must correspond to the DN attributes in the Enrollment Request on the Fortinet server.
  • Page 476 Virtual Private Networks (VPN) IPsec (config network scep_client Fortinet_SCEP_client)> server password challenge_password (config network scep_client Fortinet_SCEP_client)> 7. Set Distinguished Name attributes. The values entered here must correspond to the DN attributes in the Enrollment Request on the Fortinet server. a. Set the Domain Component: (config network scep_client Fortinet_SCEP_client)>...
  • Page 477 Virtual Private Networks (VPN) IPsec (config network scep_client Fortinet_SCEP_client)> renewable_time integer (config network scep_client Fortinet_SCEP_client)> 9. (Optional) Enable verbose logging in /var/log/scep_client: (config network scep_client Fortinet_SCEP_client)> debug true (config network scep_client Fortinet_SCEP_client)> 10. Save the configuration and apply the change: (config network scep_client Fortinet_SCEP_client)>...
  • Page 478 Virtual Private Networks (VPN) IPsec Enabled : true Client Certificate ------------------ Subject : C=US,ST=MA,L=BOS,O=Digi,OU=IT1,CN=dummy Issuer : CN=TA-SCEP-1-CA Serial : 1100000017A30C8EDD3805EB52000000000017 Expiry : Jun 4 19:05:25 2022 GMT Certificate Authority Certificate {1} ------------------------------------- Subject : C=US,CN=TA-SCEP-1-MSCEP-RA Issuer : CN=TA-SCEP-1-CA Serial : 1100000002A1E755981C0C3F34000000000002...
  • Page 479 Virtual Private Networks (VPN) OpenVPN OpenVPN OpenVPN is an open-source Virtual Private Network (VPN) technology that creates secure point-to-point or site-to-site connections in routed or bridged configurations. OpenVPN uses a custom security protocol that relies on Secure Sockets Layer (SSL) / Transport Layer Security (TLS) for key exchange. It uses standard encryption and authentication algorithms for data privacy and authentication over TCP or UDP.
  • Page 480 Virtual Private Networks (VPN) OpenVPN OpenVPN managed—The IX20 device creates the interface and then uses its standard configuration to set up the connection (for example, its standard DHCP server configuration). Device only—IP addressing is controlled by the system, not by OpenVPN. Additional OpenVPN information For more information on OpenVPN, see these resources: Bridging vs.
  • Page 481 Access control list configuration to restrict access to the OpenVPN server through the firewall. Additional OpenVPN parameters. Web: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 482 Virtual Private Networks (VPN) OpenVPN 4. For Add, type a name for the OpenVPN server and click the add icon. The new OpenVPN server configuration is displayed. The OpenVPN server is enabled by default. To disable, toggle off Enable. 5. For Device type, select the mode used by the OpenVPN server, either: TUN (OpenVPN managed) TAP - OpenVPN managed TAP - Device only...
  • Page 483 Virtual Private Networks (VPN) OpenVPN Username/password only: Uses a username and password for client authentication. You must create an OpenVPN authentication group and user. See Configure an OpenVPN Authentication Group and User for instructions. Certificate and username/password: Uses both certificates and a username and password for client authentication.
  • Page 484 Virtual Private Networks (VPN) OpenVPN 11. (Optional) Click to expand Advanced Options to manually set additional OpenVPN parameters. a. Click Enable to enable the use of additional OpenVPN parameters. b. Click Override if the additional OpenVPN parameters should override default options. c.
  • Page 485 Virtual Private Networks (VPN) OpenVPN 5. If tap or tun are set for device_type: a. Set the IP address and subnet mask of the OpenVPN server. (config vpn openvpn server name)> address ip_address/netmask (config vpn openvpn server name)> b. Set the firewall zone for the OpenVPN server. For TUN device types, this should be set to internal to treat clients as LAN devices.
  • Page 486 Virtual Private Networks (VPN) OpenVPN ii. Set the last address in the range limit: (config vpn openvpn server name)> server_last_ip value (config vpn openvpn server name)> where value is a number between 1 and 255. The number entered here will represent the last client IP address.
  • Page 487 Virtual Private Networks (VPN) OpenVPN iii. Paste the contents of the public key (for example, server.crt) into the value of the server_cert parameter: (config vpn openvpn server name)> server_cert value (config vpn openvpn server name)> iv. Paste the contents of the private key (for example, server.key) into the value of the server_key parameter: (config vpn openvpn server name)>...
  • Page 488 Virtual Private Networks (VPN) OpenVPN Use ... network interface ? to display interface information: (config vpn openvpn server name)> ... network interface ? Interfaces Additional Configuration ------------------------------------------- defaultip Default IP defaultlinklocal Default Link-local IP eth1 ETH1 eth2 ETH2 loopback Loopback modem Modem (config vpn openvpn server name)>...
  • Page 489 Web: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 490 Virtual Private Networks (VPN) OpenVPN a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Add an OpenVPN authentication group: a. Click Authentication > Groups. b. For Add Group, type a name for the group (for example, OpenVPN_Group) and click the add icon. The new authentication group configuration is displayed.
  • Page 491 Virtual Private Networks (VPN) OpenVPN f. For Tunnel, select an OpenVPN tunnel to which users of this group will have access. g. Repeat to add additional OpenVPN tunnels. 4. Add an OpenVPN authentication user: a. Click Authentication > Users. b. For Add, type a name for the user (for example, OpenVPN_User) and click the add icon. c.
  • Page 492 Virtual Private Networks (VPN) OpenVPN Command line: 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 493 Configure SureLink active recovery for OpenVPN for information about OpenVPN active recovery. Web: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 494 Virtual Private Networks (VPN) OpenVPN 4. For Add, type a name for the OpenVPN client and click the add icon. The new OpenVPN client configuration is displayed. 5. The OpenVPN client is enabled by default. To disable, toggle off Enable. 6. The default behavior is to use an OVPN file for client configuration. To disable this behavior and configure the client manually, click Use .ovpn file to disable.
  • Page 495 Virtual Private Networks (VPN) OpenVPN 3. At the config prompt, type: (config)> add vpn openvpn client name (config vpn openvpn client name)> where name is the name of the OpenVPN server. The OpenVPN client is enabled by default. To disable the client, type: (config vpn openvpn client name)>...
  • Page 496 Configure SureLink active recovery for OpenVPN for information about OpenVPN active recovery. Web: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 497 Virtual Private Networks (VPN) OpenVPN a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click VPN > OpenVPN > Clients. 4. For Add, type a name for the OpenVPN client and click the add icon. The new OpenVPN client configuration is displayed.
  • Page 498 Virtual Private Networks (VPN) OpenVPN 6. The default behavior is to use an OVPN file for client configuration. To disable this behavior and configure the client manually, click Use .ovpn file to disable. 7. For Device type, select the mode used by the OpenVPN server, either TUN or TAP. 8.
  • Page 499 Virtual Private Networks (VPN) OpenVPN (config vpn openvpn client name)> use_file false (config vpn openvpn client name)> 5. Set the mode used by the OpenVPN server: (config vpn openvpn client name)> device_type value (config vpn openvpn client name)> where value is either tun or tap. The default is tun. 6.
  • Page 500 Virtual Private Networks (VPN) OpenVPN 10. (Optional) Set the port used by the OpenVPN server: (config vpn openvpn client name)> port port (config vpn openvpn client name)> The default is 1194. 11. Paste the contents of the CA certificate (usually in a ca.crt file) into the value of the cacert parameter: (config vpn openvpn client name)>...
  • Page 501 To configure the IX20 device to regularly probe the OpenVPN connection:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 502 Virtual Private Networks (VPN) OpenVPN 3. Click VPN > OpenVPN > Clients. 4. Create a new OpenVPN client or select an existing one: To create a new OpenVPN client, see Configure an OpenVPN client by using an .ovpn file or Configure an OpenVPN client without using an .ovpn file.
  • Page 503 Virtual Private Networks (VPN) OpenVPN 10. (Optional) For Response timeout, type the amount of time that the device should wait for a response to a test attempt before considering it to have failed. Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}.
  • Page 504 Virtual Private Networks (VPN) OpenVPN Test the interface status: Tests the current status of the interface. The test fails if the interface is down. Failing this test implies that all other tests fail. If Test the interface status is selected, complete the following: Down time: The amount of time that the interface is down before the test can be considered to have failed.
  • Page 505 Virtual Private Networks (VPN) OpenVPN Update routing: Uses the Change default gateway action, which increases the interface's metric by 100 to change the default gateway. Restart interface. b. Click . New recovery actions are enabled by default. To disable, click to toggle off Enable. c.
  • Page 506 Virtual Private Networks (VPN) OpenVPN Attempts: The number of attempts for this recovery action to perform, before moving to the next recovery action. Override wait interval before performing the next recovery action: The time to wait before the next test is run. If set to the default value of 0s, the Test interval is used.
  • Page 507 Virtual Private Networks (VPN) OpenVPN For example, to set Backoff interval to ten minutes, enter 10m or 600s. The default is 300 seconds. d. Test interface gateway by pinging is used by the Interface gateway Ping test as the endpoint for traceroute to use to determine the interface gateway. The default is 8.8.8.8, and should only be changed if this IP address is not accessible due to networking issues.
  • Page 508 Virtual Private Networks (VPN) OpenVPN c. Create a label for the test: (config vpn openvpn client openvpn_client1 surelink tests 1)> label string (config vpn openvpn client openvpn_client1 surelink tests 1)> d. If the test should apply to IPv6 rather than IPv4, enable IPv6: (config vpn openvpn client openvpn_client1 surelink tests 1)>...
  • Page 509 Virtual Private Networks (VPN) OpenVPN (config vpn openvpn client openvpn_client1 surelink tests 1)> dns_server IP_address (config vpn openvpn client openvpn_client1 surelink tests 1)> http: Uses HTTP(s) GET requests to determine connectivity to the configured web server. If http is set, set the URL of the web server. (config vpn openvpn client openvpn_client1 surelink tests 1)>...
  • Page 510 Virtual Private Networks (VPN) OpenVPN custom_test: Tests the interface with custom commands. If custom_test is set, set the commands to run to perform the test: (config vpn openvpn client openvpn_client1 surelink tests 1)> custom_test_commands "string" (config vpn openvpn client openvpn_client1 surelink tests 1)> tcp_connection: Tests that the interface can reach a destination port on the configured host.
  • Page 511 Virtual Private Networks (VPN) OpenVPN Set the type of IP connection: (config vpn openvpn client openvpn_client1 surelink tests 1)> other_ip_version value (config vpn openvpn client openvpn_client1 surelink tests 1)> where value is one of: any: Either the IPv4 or IPv6 connection must be up. both: Both the IPv4 and IPv6 connections must be up.
  • Page 512 Virtual Private Networks (VPN) OpenVPN e. Set the type of recovery action to reboot_device: (config vpn openvpn client openvpn_client1 surelink actions 0)> action reboot_device (config vpn openvpn client openvpn_client1 surelink actions 0)> Set the number of attempts for this recovery action to perform, before moving to the next recovery action: (config vpn openvpn client openvpn_client1 surelink actions 0)>...
  • Page 513 Virtual Private Networks (VPN) OpenVPN (config vpn openvpn client openvpn_client1 surelink actions 0)> The default is 3. Set the amount that the interface's metric should be increased. This should be set to a number large enough to change the routing table to use another default gateway.
  • Page 514 Virtual Private Networks (VPN) OpenVPN (config vpn openvpn client openvpn_client1 surelink actions 0)> The default is 3. Set the time to wait before the next test is run. If set to the default value of 0s, the test interval is used. (config vpn openvpn client openvpn_client1 surelink actions 0)>...
  • Page 515 Virtual Private Networks (VPN) OpenVPN (config vpn openvpn client openvpn_client1 surelink actions 0)> reboot_device. If reboot_device is selected, complete the following: Set the number of attempts for this recovery action to perform, before moving to the next recovery action: (config vpn openvpn client openvpn_client1 surelink actions 0)>...
  • Page 516 Virtual Private Networks (VPN) OpenVPN a. Type ... to return to the root of the configuration: (config vpn openvpn client openvpn_client1 surelink actions 0)> ... (config)> b. Set the test interval between connectivity tests: (config)> vpn openvpn client openvpn_client1 surelink interval value (config)>...
  • Page 517 Virtual Private Networks (VPN) OpenVPN (config)> vpn openvpn client openvpn_client1 surelink advanced delayed_start value (config)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set delayed_start to ten minutes, enter either 10m or 600s: (config)>...
  • Page 518 Virtual Private Networks (VPN) OpenVPN Show OpenVPN server status and statistics You can view status and statistics for OpenVPN servers from either the web interface or the command line:    Web 1. Log into the IX20 WebUI as a user with Admin access. 2.
  • Page 519 Virtual Private Networks (VPN) OpenVPN Show OpenVPN client status and statistics You can view status and statistics for OpenVPN clients from either the web interface or the command line:    Web 1. Log into the IX20 WebUI as a user with Admin access. 2.
  • Page 520 Virtual Private Networks (VPN) OpenVPN 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
  • Page 521 Enable the device to respond to keepalive packets. Task One: Create a GRE loopback endpoint interface    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 522 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces. 4. For Add Interface, type a name for the GRE loopback endpoint interface and click . 5.
  • Page 523 Type quit to disconnect from the device. Task Two: Configure the GRE tunnel    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 524 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 3. Click VPN > IP Tunnels. 4. For Add IP tunnel, type a name for the GRE tunnel and click . 5. Enable the tunnel. New tunnels are enabled by default. To disable, toggle off Enable. 6.
  • Page 525 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 4. Set the mode: (config vpn iptunnel gre_example)> type value (config vpn iptunnel gre_example)> where value is either: gre: Standard GRE point-to-point protocol. mgre: multipoint GRE protocol. 5. Set the local endpoint to the GRE endpoint interface created in Task One, for example: (config vpn iptunnel gre_example)>...
  • Page 526 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) Show GRE tunnels To view information about currently configured GRE tunnels:    Web 1. Log into the IX20 WebUI as a user with Admin access. 2. On the menu, click Status > IP tunnels. The IP Tunnels page appears.
  • Page 527 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) Example: GRE tunnel over an IPSec tunnel The IX20 device can be configured as an advertised set of routes through an IPSec tunnel. This allows you to leverage the dynamic route advertisement of GRE tunnels through a secured IPSec tunnel. The example configuration provides instructions for configuring the IX20 device with a GRE tunnel through IPsec.
  • Page 528 Configure the IX20-1 device Task one: Create an IPsec tunnel    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 529 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 3. Click VPN > IPsec > Tunnels. 4. For Add IPsec Tunnel, type ipsec_gre1 and click . 5. Click to expand Authentication. 6. For Pre-shared key, type testkey. 7. Click to expand Remote endpoint. 8.
  • Page 530 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE)    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 531 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) Task two: Create an IPsec endpoint interface    Web 1. Click Network > Interface. 2. For Add Interface, type ipsec_endpoint1 and click . 3. For Zone, select Internal. 4. For Device, select Ethernet: loopback. 5.
  • Page 532 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 3. Set the zone to internal: (config network interface ipsec_endpoint1)> zone internal (config network interface ipsec_endpoint1)> 4. Set the device to /network/device/loopback: (config network interface ipsec_endpoint1)> device /network/device/loopback (config network interface ipsec_endpoint1)> 5.
  • Page 533 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 2. Add a GRE tunnel named gre_tunnel1: (config)> add vpn iptunnel gre_tunnel1 (config vpn iptunnel gre_tunnel1)> 3. Set the local endpoint to the IPsec endpoint interface created in Task two (/network/interface/ipsec_endpoint1): (config vpn iptunnel gre_tunnel1)> local /network/interface/ipsec_endpoint1 (config vpn iptunnel gre_tunnel1)>...
  • Page 534 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 6. For Address, type 172.31.0.1/30 for a virtual IP address on the GRE tunnel. 7. Click Apply to save the configuration and apply the change.    Command line 1. At the command line, type config to enter configuration mode: >...
  • Page 535 Configure the IX20-2 device Task one: Create an IPsec tunnel    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 536 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 7. Click to expand Remote endpoint. 8. For Hostname, type the public IP address of the IX20-1 device. 9. Click to expand Policies. 10. For Add Policy, click  to add a new policy. 11.
  • Page 537 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) (config vpn ipsec tunnel ipsec_gre2)> auth secret testkey (config vpn ipsec tunnel ipsec_gre2)> 5. Set the remote endpoint to the public IP address of the IX20-1 device: (config vpn ipsec tunnel ipsec_gre2)> remote hostname 192.168.100.1 (config vpn ipsec tunnel ipsec_gre2)>...
  • Page 538 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 3. For Zone, select Internal. 4. For Device, select Ethernet: loopback. 5. Click to expand IPv4. 6. For Address, type the IP address of the local GRE tunnel, 172.30.0.2/32. 7. Click Apply to save the configuration and apply the change. ...
  • Page 539 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 6. Save the configuration and apply the change: (config vpn ipsec tunnel ipsec_endpoint2)> save Configuration saved. > Task three: Create a GRE tunnel    Web 1. Click VPN > IP Tunnels. 2. For Add IP Tunnel, type gre_tunnel2 and click . 3.
  • Page 540 Virtual Private Networks (VPN) Generic Routing Encapsulation (GRE) 4. Set the remote endpoint to the IP address of the GRE tunnel on IX20-1, 172.30.0.1: (config vpn iptunnel gre_tunnel2)> remote 172.30.0.1 (config vpn iptunnel gre_tunnel2)> 5. Save the configuration and apply the change: (config vpn iptunnel gre_tunnel2)>...
  • Page 541 Virtual Private Networks (VPN) Dynamic Multipoint VPN (DMVPN)    Command line 1. At the command line, type config to enter configuration mode: > config (config)> 2. Add an interface named gre_interface2: (config)> add network interface gre_interface2 (config network interface gre_interface2)> 3.
  • Page 542 Configure a DMVPN spoke To configure a DMVPN spoke:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 543 Virtual Private Networks (VPN) Dynamic Multipoint VPN (DMVPN) e. For Key, type a four-octet value that matches the key on the remote endpoint. 4. Assign an IP address to the IP tunnel: a. Click Network > Interfaces. b. For Add Interface, type a name for the interface and click . c.
  • Page 544 Virtual Private Networks (VPN) Dynamic Multipoint VPN (DMVPN) c. Click to expand NHRP. d. Enable NHRP. e. Click to expand Network. f. Click  to add a network. g. For Interface, select the interface created above. h. For Tunnel, select the IP tunnel created above. i.
  • Page 545 Virtual Private Networks (VPN) Dynamic Multipoint VPN (DMVPN) h. Click to toggle on eBGP multihop. 7. Repeat to add additional spokes. 8. Click Apply to save the configuration and apply the change.    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 546 Virtual Private Networks (VPN) Dynamic Multipoint VPN (DMVPN) /network/interface/defaultip /network/interface/defaultlinklocal /network/interface/eth1 /network/interface/eth2 /network/interface/loopback Current value: (config vpn iptunnel dmvpn_tunnel)> local ii. Set the interface. For example: (config vpn iptunnel dmvpn_tunnel)> local /network/interface/eth1 (config vpn iptunnel dmvpn_tunnel)> d.  Set the key to a four-octet value that matches the key on the remote endpoint. For example: (config vpn iptunnel dmvpn_tunnel)>...
  • Page 547 Virtual Private Networks (VPN) Dynamic Multipoint VPN (DMVPN) 5. Configure NHRP: a. Type ... to return to the top level of the configuration schema: (config network interface dmvpn_tunnel_interface)> ... (config)> b. Enable routing services: (config)> network route service enable true (config)>...
  • Page 548 Virtual Private Networks (VPN) L2TP b. Enable BGP: (config)> network route service bgp enable true (config)> c. Set the autonomous system number for this device. For example, to set the autonomous system number to 66007: (config)> network route service bgp asn 66007 (config)>...
  • Page 549 Optional configuration data in the format of a pppd options file.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 550 Virtual Private Networks (VPN) L2TP a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click VPN > L2TP. 4. (Optional) Type the UDP listening port that L2TP servers will listen on, if other than the default of 1701.
  • Page 551 Virtual Private Networks (VPN) L2TP To limit access based on firewall zones: a. Click Zones. b. For Add Zone, click . c. For Zone, select the appropriate firewall zone from the dropdown. See Firewall configuration for information about firewall zones. d. Click  again to allow access through additional firewall zones. 6.
  • Page 552 Virtual Private Networks (VPN) L2TP PAP: Uses the Password Authentication Profile (PAP) to authenticate. If Automatic, CHAP, or PAP is selected, enter the Username and Password required to authenticate. The default is None. h. (Optional) For Authentication method, select the authentication method, one of: None: No authentication is required.
  • Page 553 Virtual Private Networks (VPN) L2TP To limit access to specified IPv4 addresses and networks: (config)> add vpn l2tp acl address end value (config)> Where value can be: A single IP address or host name. A network designation in CIDR notation, for example, 192.168.1.0/24. any: No limit to IPv4 addresses that can access the service-type.
  • Page 554 Virtual Private Networks (VPN) L2TP To limit access based on firewall zones: (config)> add vpn l2tp acl zone end value (config)> Where value is a firewall zone defined on your device, or the any keyword. Display a list of available firewall zones: Type ...
  • Page 555 Virtual Private Networks (VPN) L2TP c. (Optional) Set the UDP port to use to connect to the L2TP network server: (config vpn l2tp lac lac_tunnel)> port int (config vpn l2tp lac lac_tunnel)> where int is an integer between 1 and 65535. The default is 1701. d.
  • Page 556 Virtual Private Networks (VPN) L2TP i. Enable custom PPP configuration: (config vpn l2tp lac lac_tunnel)> custom enable true (config vpn l2tp lac lac_tunnel)> ii. Enable overriding, if the custom configuration should override the default configuration and only use the custom options: (config vpn l2tp lac lac_tunnel)>...
  • Page 557 Virtual Private Networks (VPN) L2TP e. (Optional) Set the authentication method: (config vpn l2tp lns lns_server)> auth method (config)> where method is one of the following: none: No authentication is required. auto: The device will attempt to connect using CHAP first, and then PAP. chap: Uses the Challenge Handshake Authentication Profile (CHAP) to authenticate.
  • Page 558 Virtual Private Networks (VPN) L2TP (config vpn l2tp lns lns_server)> ii. Set the zone: (config vpn l2tp lns lns_server)> zone zone (config vpn l2tp lns lns_server)> h. (Optional): Custom PPP configuration: i. Enable custom PPP configuration: (config vpn l2tp lac lns lns_server)> custom enable true (config vpn l2tp lns lns_server)>...
  • Page 559 Virtual Private Networks (VPN) L2TP Show the status of L2TP access connectors from the WebUI 1. Log into the IX20 WebUI as a user with Admin access. 2. On the menu, select Status. Under VPN, select L2TP > Access Connectors. The L2TP Access Connectors page appears.
  • Page 560 Virtual Private Networks (VPN) L2TPv3 Ethernet Show the status of L2TP network servers from the Admin CLI 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 561 The Layer2SpecificHeader type. The Sequence numbering control.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 562 Virtual Private Networks (VPN) L2TPv3 Ethernet 4. For Add L2TPv3 ethernet tunnel, type a name for the tunnel and click . 5. For Remote endpoint, type the IPv4 address of the remote endpoint. 6. For Local endpoint, select the interface that will be the local endpoint. 7.
  • Page 563 Virtual Private Networks (VPN) L2TPv3 Ethernet 3. Add a L2TPv3 Ethernet tunnel. For example, to add a tunnel named L2TPv3_example: (config)> add vpn l2tpv3 L2TPv3_example (config vpn l2tpeth L2TPv3_example)> The tunnel is enabled by default. To disable: (config vpn l2tpeth L2TPv3_example)> enable false (config vpn l2tpeth L2TPv3_example)>...
  • Page 564 Virtual Private Networks (VPN) L2TPv3 Ethernet 8. (Optional) Set the encapsulation type: (config vpn l2tpeth L2TPv3_example)> encapsulation value (config vpn l2tpeth L2TPv3_example)> where value is either udp or ip. The default is udp. If udp is set: a. Set the source UDP port to be used for the tunnel: (config vpn l2tpeth L2TPv3_example)>...
  • Page 565 Virtual Private Networks (VPN) L2TPv3 Ethernet 14. Set the Layer2Specific header type. This must match what is configured on the remote peer. (config vpn l2tpeth L2TPv3_example session_example)> l2spec_type value (config vpn l2tpeth L2TPv3_example session_example)> where value is either none or default. The default is default. 15.
  • Page 566 Virtual Private Networks (VPN) NEMO > show l2tpeth Tunnel Session Enabled Device Status ----------------- ------- ------------ ------ test/session/test true le_test_test > 3. To display details about a specific tunnel: > show l2tpeth name /vpn/l2tpeth/test/session/test test/session/test Tunnel Session Status --------------------------------------- Enabled : true Status : up...
  • Page 567 If the local network is set to Interface, identify the local interface to be used.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
  • Page 568 Virtual Private Networks (VPN) NEMO Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a.
  • Page 569 Virtual Private Networks (VPN) NEMO 11. Click to expand Care of address to configure the local WAN interface of the internet facing network. a. For Type, select the method to determine the local network interface that is used to communicate with the peer. If Default route is selected, the network interface that is used will be the same as the default route.
  • Page 570 Virtual Private Networks (VPN) NEMO 4. Set the IPv4 address of the NEMO virtual network interface: (config vpn nemo nemo_example)> home_address IPv4_address (config vpn nemo nemo_example)> 5. Set the IPv4 address of the NEMO home agent. This is provided by your cellular carrier. (config vpn nemo nemo_example)>...
  • Page 571 Virtual Private Networks (VPN) NEMO 11. Configure the Care-of-Address, the local WAN interface of the internet facing network. a. Set the method to determine the Care-of-Address: (config vpn nemo nemo_example)> coaddress type value (config vpn nemo nemo_example)> where value is one of: defaultroute: Uses the same network interface as the default route.
  • Page 572 Virtual Private Networks (VPN) NEMO i. Use the ? to determine available interfaces: (config vpn nemo nemo_example)> tun_local interface ? Interface: The network interface to use to communicate with the peer. Set this field to blank if using the default route. Format: defaultip defaultlinklocal...
  • Page 573 Virtual Private Networks (VPN) NEMO    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 574 Services This chapter contains the following topics: Allow remote access for web administration and SSH Configure the web administration service Configure SSH access Use SSH with key authentication Configure telnet access Configure DNS WAN bonding Simple Network Management Protocol (SNMP) Location information Modbus gateway System time Network Time Protocol...
  • Page 575 Add the External firewall zone to the web administration service    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 576 Services Allow remote access for web administration and SSH 4. For Add Zone, click . 5. Select External. 6. Click Apply to save the configuration and apply the change.    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 577 Services Allow remote access for web administration and SSH    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 578 Services Allow remote access for web administration and SSH 5. Select External. 6. Click Apply to save the configuration and apply the change.
  • Page 579 Services Configure the web administration service    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 580 The web administration service is enabled by default. To disable the service, or enable it if it has been disabled:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 581 Type quit to disconnect from the device. Configure the service    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 582 Services Configure the web administration service 3. Click Services > Web administration. 4. (Optional) For Port, enter the port number for the service. Normally this should not be changed. 5. Click Access control list to configure access control: To limit access to specified IPv4 addresses and networks: a.
  • Page 583 Services Configure the web administration service 6. Multicast DNS (mDNS) is enabled by default. mDNS is a protocol that resolves host names in small networks that do not have a DNS server. To disable mDNS, or enable it if it has been disabled, click Enable mDNS.
  • Page 584 Services Configure the web administration service 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 585 Services Configure the web administration service eth1 ETH1 eth2 ETH2 loopback Loopback modem Modem (config)> Repeat this step to list additional interfaces. To limit access based on firewall zones: (config)> add service web_admin acl zone end value (config)> Where value is a firewall zone defined on your device, or the any keyword. Display a list of available firewall zones: Type ...
  • Page 586 Services Configure the web administration service The private key can use one of the following algorithms: ECDSA ECDH Note Password-protected certificate keys are not supported. Example a. Generate the SSL certificate and private key, for example: # openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem b.
  • Page 587 Services Configure the web administration service (config)> 5. (Optional) Configure Multicast DNS (mDNS): mDNS is a protocol that resolves host names in small networks that do not have a DNS server. mDNS is enabled by default.
  • Page 588 Services Configure the web administration service The default is TLS-1_2. 8. (Optional) Disable legacy port redirection. Legacy port redirection is used to redirect client HTTP requests to the HTTPS service. Legacy port redirection is enabled by default, and normally these settings should not be changed. To disable legacy port redirection: (config)>...
  • Page 589 The SSH service is enabled by default. To disable the service, or enable it if it has been disabled:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 590 Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Configure the service    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights.
  • Page 591 Services Configure SSH access 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
  • Page 592 Services Configure SSH access A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the SSH service. d. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: a.
  • Page 593 Services Configure SSH access Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: > config (config)> 3. Configure access control: To limit access to specified IPv4 addresses and networks: (config)>...
  • Page 594 Services Configure SSH access loopback Loopback modem Modem (config)> Repeat this step to list additional interfaces. To limit access based on firewall zones: (config)> add service ssh acl zone end value (config)> Where value is a firewall zone defined on your device, or the any keyword. Display a list of available firewall zones: Type ...
  • Page 595 Services Configure SSH access To disable the mDNS protocol: (config)> service ssh mdns enable false (config)> 6. (Optional) Set the port number for this service. The default setting of 22 normally should not be changed. (config)> service ssh port 24 (config)> 7.
  • Page 596 SSH service to allow SSH access for the External firewall zone.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 597 Services Use SSH with key authentication Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > Users. 4. Select an existing user or create a new user. See User authentication for information about creating a new user.
  • Page 598 Services Use SSH with key authentication key_name is a name for the key. key is a public SSH key, which you can enter by pasting or typing a public encryption key that this user can use for passwordless SSH login 4.
  • Page 599 The telnet service is disabled by default. To enable the service:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 600 Type quit to disconnect from the device. Configure the service    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 601 Services Configure telnet access b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > telnet. 4.
  • Page 602 Services Configure telnet access To limit access to hosts connected through a specified interface on the IX20 device: a. Click Interfaces. b. For Add Interface, click . c. For Interface, select the appropriate interface from the dropdown. d. Click  again to allow access through additional interfaces. To limit access based on firewall zones: a.
  • Page 603 Services Configure telnet access Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config)> add service telnet acl interface end value (config)> Where value is an interface defined on your device. Display a list of available interfaces: Use ...
  • Page 604 Additional DNS servers, in addition to the ones associated with the device's network interfaces. Specific host names and their IP addresses. The device is configured by default with the hostname digi.device, which corresponds to the 192.168.210.1 IP address.
  • Page 605 Configure DNS To configure the DNS server:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 606 Services Configure DNS To limit access to specified IPv6 addresses and networks: a. Click IPv6 Addresses. b. For Add Address, click . c. For Address, enter the IPv6 address or network that can access the device's DNS service. Allowed values are: A single IP address or host name.
  • Page 607 Services Configure DNS 11. Click Apply to save the configuration and apply the change.    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 608 Services Configure DNS Additional Configuration ------------------------------------------- defaultip Default IP defaultlinklocal Default Link-local IP eth1 ETH1 eth2 ETH2 loopback Loopback modem Modem (config)> Repeat this step to list additional interfaces. To limit access based on firewall zones: (config)> add service dns acl zone end value (config)>...
  • Page 609 Services Configure DNS 5. (Optional) Query all servers By default, the device's DNS server queries all available DNS servers. Disabling this option may improve performance on networks with transient DNS results, when one or more DNS servers may have positive results. To disable: (config)>...
  • Page 610 Services Configure DNS b. Set the IP address of the host: (config service dns host 0)> address ip-addr (config service dns host 0)> c. Set the host name: (config service dns host 0)> name host-name (config service dns host 0)> 10.
  • Page 611 WAN bonding also provides seamless failover by automatically using multiple pipes within the bonded tunnel. The WAN bonding service for your IX20 device must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. This section contains the following topics: Use Digi Remote Manager to enable and configure WAN bonding on multiple devices Configure WAN bonding on your local device...
  • Page 612 Use Digi Remote Manager to enable and configure WAN bonding on multiple devices Note WAN bonding support must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. You must also set up the WAN bonding server. This can be done using one of three mechanisms: Set up a WAN bonding server on physical hardware or a Virtual Private Server (VPS) in your local environment.
  • Page 613 Services WAN bonding iii. Select for Tunnel password. iv. From the Common value menu, select Require override: e. Configure the device's WAN interfaces that will be bonded: i. Click Network > SD-WAN > WAN bonding > Bonding interfaces. ii. Click  to add an interface. iii.
  • Page 614 Services WAN bonding Cellular Optimized for Latency: Another preset for mobile connections with an even higher focus on latency. Ethernet: A preset for direct Ethernet connections, very sensitive to latency and packet loss. Low Latency: Similar to Ethernet preset, but with higher tolerance for packet loss.
  • Page 615 Configure WAN bonding on your local device Note WAN bonding support must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. You must also set up the WAN bonding server. This can be done using one of three mechanisms: Set up a WAN bonding server on physical hardware or a Virtual Private Server (VPS) in your local environment.
  • Page 616 The firewall zone for the new bonded interface, if other than External.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 617 4. Toggle on Enable. Note The WAN bonding service must be enabled for this device in Digi Remote Manager. Contact your Digi sales representative for information. 5. For Hostname, type the hostname or IPv4 address of the external server hosting the WAN bonding server.
  • Page 618 (config)> network sdwan wan_bonding enable true (config)> Note The WAN bonding service must be enabled for this device in Digi Remote Manager. Contact your Digi sales representative for information. 4. Set the hostname or IPv4 address of the external server hosting the WAN bonding service: (config)>...
  • Page 619 Services WAN bonding 5. (Optional) Set the port number that the external server uses for the WAN bonding connection: (config)> network sdwan wan_bonding host_port port (config)> Allowed values are any port number, or the keyword any. The default is 443. 6. Set the username and password to authenticate with the WAN bonding service: (config)>...
  • Page 620 Services WAN bonding Format: /network/interface/defaultip /network/interface/defaultlinklocal /network/interface/eth1 /network/interface/eth2 /network/interface/loopback Current value: (config network sdwan wan_bonding interfaces 0)> interface ii. Set the interface. For example: (config network sdwan wan_bonding interfaces 0)> interface /network/interface/eth1 (config network sdwan wan_bonding interfaces 0)> ii. (Optional) Set the mode for the interface: (config network sdwan wan_bonding interfaces 0)>...
  • Page 621 Services WAN bonding 11. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Show WAN bonding status and statistics You can display status and statistics for WAN bonding. This command is available only at the Admin CLI.
  • Page 622 Services WAN bonding Status connected Endpoint 133.183.203.237:443 (#0) Network 146.78.40.226/255.255.255.0 gw 146.78.40.1 Total Bytes 0 in, 427 out Channel Online Channel #0 (eth1) ---------------- Enabled Status "connected" Uptime 5 sec Latency 41ms (current) / 41ms (idle) In Transit Last Error null Current (1sec) RX 4 sent, 0 lost;...
  • Page 623 Enable Multicast DNS (mDNS) support. To configure the SNMP agent on your IX20 device:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 624 Services Simple Network Management Protocol (SNMP) Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > SNMP. 4. Click Enable. 5. Click Access control list to configure access control: To limit access to specified IPv4 addresses and networks: a.
  • Page 625 Services Simple Network Management Protocol (SNMP) c. For Interface, select the appropriate interface from the dropdown. d. Click  again to allow access through additional interfaces. To limit access based on firewall zones: a. Click Zones. b. For Add Zone, click . c.
  • Page 626 Services Simple Network Management Protocol (SNMP) Repeat this step to list additional IP addresses or networks. To limit access to specified IPv6 addresses and networks: (config)> add service snmp acl address6 end value (config)> Where value can be: A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48.
  • Page 627 Services Simple Network Management Protocol (SNMP) Zones: A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists. Additional Configuration -------------------------------------------------------- ----------------------- dynamic_routes edge external internal ipsec loopback setup (config)> Repeat this step to include additional firewall zones. 5.
  • Page 628 Services Simple Network Management Protocol (SNMP) (config)> service snmp privacy_protocol AES (config)> 12. (Optional) Enable read-only access to SNMP version 2c. (config)> service snmp enable 2c true (config)> 13. Save the configuration and apply the change: (config)> save Configuration saved. >...
  • Page 629 Services Simple Network Management Protocol (SNMP) 4. Click Download.
  • Page 630 Services Location information Location information Your IX20 device can be configured to use the following location sources: In conjunction with the CM07 CORE modem, the modem's internal Global Navigation Satellite System (GNSS) module that provides information about the current location of the device.
  • Page 631 The location service is enabled by default. You can disable it, or you can enable it if it has been disabled.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 632 Services Location information Allowed values are any number of weeks, days, hours, minutes, or seconds, and take the format number{w|d|h|m|s}. For example, to set Location update interval to ten minutes, enter 10m or 600s. 6. For information about configuring Location sources, see the following: a.
  • Page 633 To disable support for the modem's GNSS receiver, or enable it if it has been disabled:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 634 Services Location information 3. Click Services > Location > Location sources > modem. 4. (Optional) Type a Label for the Modem GNSS location source. 5. For Type of location source, leave the selection at Modem GNSS. 6. Click Enable the location source to disable the GNSS receiver, or to enable it if it has been disabled.
  • Page 635 You can configure your IX20 device to use a user-defined static location. Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 636 Services Location information Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > Location > Location sources. 4. Click  to add a location source. 5. (Optional) Type a Label for this location source. 6.
  • Page 637 Services Location information The location source is enabled by default. To disable: (config service location source 1)> enable false (config service location source 1)> 4. (Optional) Set a label for this location source: (config service location source 1)> label "label" (config)>...
  • Page 638 To configure the device to accept location messages from external sources:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 639 Services Location information To limit access to specified IPv4 addresses and networks: a. Click IPv4 Addresses. b. For Add Address, click . c. For Address, enter the IPv4 address or network that can access the device's location server UDP port. Allowed values are: A single IP address or host name.
  • Page 640 Services Location information (config)> add service location source end (config service location source 1)> 4. (Optional) Set a label for this location source: (config service location source 1)> label "label" (config service location source 1)> 5. Set the type of location source to server: (config service location source 1)>...
  • Page 641 Services Location information Use ... network interface ? to display interface information: (config)> ... network interface ? Interfaces Additional Configuration ------------------------------------------- defaultip Default IP defaultlinklocal Default Link-local IP eth1 ETH1 eth2 ETH2 loopback Loopback modem Modem (config)> Repeat this step to list additional interfaces. To limit access based on firewall zones: (config)>...
  • Page 642 Configure the IX20 device to forward location information:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 643 Services Location information c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > Location > Destination servers. 4. For Add destination server, click . 5.
  • Page 644 Services Location information RMC: Reports position, velocity, and time. VTG: Reports direction and speed over ground. 11. For TAIP filters, select the filters that represent the types of messages that will be forwarded. By default, all message types are forwarded. To remove a filter: a.
  • Page 645 Services Location information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 646 Services Location information all remote sources, and all forwarded sentences from remote sources will use the configured Format: Default Default value: Default Current value: Default (config service location forward 0)> ii. Set the talker ID: (config service location forward 0)> talker_id value (config service location forward 0)>...
  • Page 647 Services Location information (config service location forward 0)> label "Remote host 1" (config service location forward 0)> 12. (Optional) Specify types of messages that will be forwarded. Allowed values vary depending on the message protocol type. By default, all message types are forwarded. If the message protocol type is NMEA: Allowed values are: gga: Reports time, position, and fix related data.
  • Page 648 Services Location information id: Reports the vehicle ID. ln: Long navigation: reports the latitude, longitude, and altitude, the horizontal and vertical speed, and heading. pv: Position/velocity: reports the latitude, longitude, and heading. To remove a message type: a. Use the show command to determine the index number of the message type to be deleted: (config service location forward 0)>...
  • Page 649 Update interval, which determines the amount of time that the geofence should wait between polling for updated location data.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 650 Services Location information d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > Location > Geofence. 4. For Add Geofence, type a name for the geofence and click . The geofence is enabled by default.
  • Page 651 Click  again to add an additional point, and continue adding points to create the desired polygon. For example, to configure a square polygon around the Digi headquarters, configure a polygon with four points: This defines a square-shaped polygon equivalent to the following: 7.
  • Page 652 Services Location information a. Click to expand On entry. b. (Optional) Enable Bootup action to configure the device to perform the On entry actions if the device is inside the geofence when it boots. c. For Number of intervals, type or select the number of Update Intervals that must take place prior to performing the On entry actions.
  • Page 653 Services Location information a. Click to expand On exit. b. (Optional) Enable Bootup action to configure the device to perform the On exit actions if the device is inside the geofence when it boots. c. For Number of intervals, type or select the number of Update Intervals that must take place prior to performing the On exit actions.
  • Page 654 Services Location information 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 655 Services Location information longitude int (config service location geofence test_geofence)> where int is: For latitude, any integer between -90 and 90, with up to six decimal places. For longitude, any integer between -180 and 180, with up to six decimal places.
  • Page 656 For longitude, any integer between -180 and 180, with up to six decimal places. Repeat for each vertex of the polygon. For example, to configure a square polygon around the Digi headquarters, configure a polygon with four points: (config service location geofence test_geofence)> add...
  • Page 657 Services Location information 6. Define actions to be taken when the device's location triggers a geofence event: To define actions that will be taken when the device enters the geofence, or is inside the geofence when it boots: a. (Optional) Configure the device to perform the actions if the device is inside the geofence when it boots: (config)>...
  • Page 658 Services Location information (config service location geofence test_geofence on_entry action 0)> where value is either: factory_erase—Erases the device configuration when the action is triggered. script—Executes a custom script when the action is triggered. factory_erase or script. If type is set to script: i.
  • Page 659 Services Location information v. A sandbox is enabled by default to prevent the script from adversely affecting the system. To disable the sandbox: (config service location geofence test_geofence on_entry action 0)> sandbox false (config service location geofence test_geofence on_entry action 0)> If you disable the sandbox, the script may render the system unusable.
  • Page 660 Services Location information where value is either: factory_erase—Erases the device configuration when the action is triggered. script—Executes a custom script when the action is triggered. factory_erase or script. If type is set to script: i. Type or paste the script, enclosed in quotation marks: (config service location geofence test_geofence on_exit action 0)>...
  • Page 661 Services Location information (config service location geofence test_geofence on_exit action 0)> sandbox false (config service location geofence test_geofence on_exit action 0)> If you disable the sandbox, the script may render the system unusable. vi. Repeat for any additional actions. 7. Save the configuration and apply the change: (config)>...
  • Page 662 Services Modbus gateway Velocity : 0 meters per second Direction : None Quality : Standard GNSS (2D/3D) UTC Date and Time : Wed, May 3, 2023 21:24:00 03 No. of Satellites : 7 > 3. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 663 Services Modbus gateway Configure the Modbus gateway Required configuration items Server configuration: Enable the server. Connection type, either socket or serial. If the connection type is socket, the IP protocol to be used. If the connection type is serial, the serial port to be used. Client configuration: Enable the client.
  • Page 664 Whether packets should have their Modbus address adjusted downward before delivery. Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 665 Services Modbus gateway Configure gateway servers 1. Click to expand Gateway Servers. 2. For Add Modbus server, type a name for the server and click . The new Modbus gateway server configuration is displayed. 3. The new Modbus gateway server is enabled by default. Toggle off Enable the server to disable.
  • Page 666 Services Modbus gateway To limit access to specified IPv4 addresses and networks: a. Click IPv4 Addresses. b. For Add Address, click . c. For Address, enter the IPv4 address or network that can access the device's web administration service. Allowed values are: A single IP address or host name.
  • Page 667 Services Modbus gateway 3. The new Modbus gateway client is enabled by default. Toggle off Enable the client to disable. 4. For Connection type, select Socket or Serial. Available options in the gateway server configuration vary depending on this setting. If Socket is selected for Connection type: a.
  • Page 668 Services Modbus gateway A single IP address or host name. A network designation in CIDR notation, for example, 192.168.1.0/24. any: No limit to IPv4 addresses that can access the web administration service. d. Click  again to list additional IP addresses or networks. To limit access to specified IPv6 addresses and networks: a.
  • Page 669 Services Modbus gateway 14. For Fixed Modbus server address, if request messages handled by this client should always be forwarded to a specific device, type the device's Modbus address. Leave at the default setting of 0 to allow messages that match the Modbus address filter to be forwarded to devices based on the Modbus address in the message.
  • Page 670 Services Modbus gateway 4. Configure servers: a. Add a server: (config)> add service modbus_gateway server name (config service modbus_gateway server name)> where name is a name for the server, for example: (config)> add service modbus_gateway server test_modbus_server (config service modbus_gateway server test_modbus_server)> The Modbus server is enabled by default.
  • Page 671 Services Modbus gateway where value is any number between 10 milliseconds and one second, and takes the format number{ms|s}. For example, to set idle_gap to 20 milliseconds, enter 20ms. v. Set the amount of time to wait before disconnecting the socket when it has become inactive: (config service modbus_gateway server test_modbus_server)>...
  • Page 672 Services Modbus gateway iii. Set the maximum allowable time between bytes in a packet: (config service modbus_gateway server test_modbus_server)> serial idle_gap value (config service modbus_gateway server test_modbus_server)> where value is any number between 10 milliseconds and one second, and takes the format number{ms|s}.
  • Page 673 Services Modbus gateway where value is either tcp or udp. ii. Set the port: (config service modbus_gateway client test_modbus_client)> socket port (config service modbus_gateway client test_modbus_client)> where port is an integer between 1 and 65535. The default is 502. iii. Set the packet mode: (config service modbus_gateway client test_modbus_client)>...
  • Page 674 Services Modbus gateway If connection_type is set to serial: i. Set the serial port: i. Use the ? to determine available serial ports: (config service modbus_gateway client test_modbus_client)> ... serial port ? Serial Additional Configuration ------------------------------------------------------- ------------------------ port1 Port 1 (config service modbus_gateway client test_modbus_client)>...
  • Page 675 Services Modbus gateway (config service modbus_gateway client test_modbus_client)> broadcast true (config service modbus_gateway client test_modbus_client)> e. Set the maximum time to wait for a response to a message: (config service modbus_gateway client test_modbus_client)> response_timeout value (config service modbus_gateway client test_modbus_client)> Allowed values are between 1 millisecond and 700 milliseconds, and take the format numberms.
  • Page 676 Services Modbus gateway (config service modbus_gateway client test_modbus_client)> fixed_server_address value (config service modbus_gateway client test_modbus_client)> Leave at the default setting of 0 to allow messages that match the Modbus address filter to be forwarded to devices based on the Modbus address in the message. h.
  • Page 677 Services Modbus gateway 1. Log into the IX20 WebUI as a user with Admin access. 2. On the menu, select Status > Modbus Gateway. The Modbus Gateway page appears. Statistics related to the Modbus gateway server are displayed. If the message Server connections not available is displayed, this indicates that there are no connected clients.
  • Page 678 Services Modbus gateway Configuration Updates Client Configuration Failure Server Configuration Failure Configuration Load Failure Incoming Connections Internal Error Resource Shortages Servers ------- modbus_socket ------------- Client Lookup Errors Incoming Connections Packet Errors RX Broadcasts RX Requests : 12 TX Exceptions TX Responses : 12 Clients -------...
  • Page 679 Services Modbus gateway RX Timeouts TX Broadcasts TX Requests > 4. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
  • Page 680 Additional Configuration Options Additional upstream NTP servers.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 681 Services System time d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click System > Time 4. (Optional) For Timezone, select either UTC or select the location nearest to your current location to set the timezone for your IX20 device.
  • Page 682 Services System time Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: > config (config)> 3. (Optional) Set the timezone for the location of your IX20 device. The default is UTC. (config)>...
  • Page 683 Services System time Note This list is synchronized with the list of servers included with NTP server configuration, and changes made to one will be reflected in the other. See Configure the device as an NTP server for more information about NTP server configuration. 5.
  • Page 684 Services Network Time Protocol 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 685 The time zone setting, if the default setting of UTC is not appropriate. To configure the IX20 device's NTP service:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 686 Services Network Time Protocol 3. Click Services > NTP. 4. Enable the IX20 device's NTP service by clicking Enable. 5. (Optional) Configure the access control list to limit downstream access to the IX20 device's NTP service. To limit access to specified IPv4 addresses and networks: a.
  • Page 687 Services Network Time Protocol Note By default, the access control list for the NTP service is empty, which means that all downstream hosts connected to the IX20 device can use the NTP service. 6. Enable Fall back to local clock to allow the device's local system clock to be used as backup time source.
  • Page 688 Services Network Time Protocol To delete the default NTP server, time.devicecloud.com: (config)> del service ntp server 0 (config)> To add the NTP server to the beginning of the list, use the index value of 0 to indicate that it should be added as the first server: (config)>...
  • Page 689 Services Network Time Protocol A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the NTP server agent. Repeat this step to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: (config)>...
  • Page 690 Services Network Time Protocol dynamic_routes edge external internal ipsec loopback setup (config)> Repeat this step to include additional firewall zones. Note By default, the access control list for the NTP service is empty, which means that all downstream hosts connected to the IX20 device can use the NTP service. 7.
  • Page 691 To configure a multicast route: Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights.
  • Page 692 Configure a multicast route 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config.
  • Page 693 Services Configure a multicast route 2. At the command line, type config to enter configuration mode: > config (config)> 3. Add the multicast route. For example, to add a route named test: (config)> add service multicast test (config service multicast test)> 4.
  • Page 694 Create a new network interface for the bonded Ethernet devices, and disable any interfaces associated with those Ethernet devices. Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager:...
  • Page 695 Services Ethernet network bonding a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
  • Page 696 Services Ethernet network bonding 7. Add Ethernet devices: a. For Add device, click . b. For Device, select an Ethernet device to participate in the bond pool. c. Repeat for each appropriate Ethernet device. 8. Create a new network interface that is linked to the Ethernet bond: a.
  • Page 697 Services Ethernet network bonding In some cases, the device may be a part of a bridge, in which case you should remove the device from the bridge. See Configure a bridge for more information. 9. Click Apply to save the configuration and apply the change. ...
  • Page 698 Services Ethernet network bonding round-robin: Alternates between bonded devices to provide load balancing as well as fault tolerance. 6. Add Ethernet devices: a. Use the ? to determine available devices: (config network bond eth_bond)> ... network device ? Additional Configuration --------------------------------------------------------------------- ------- eth1...
  • Page 699 You can enable the IX20 device to use mDNS.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 700 Services Enable service discovery (mDNS) 3. Click Services > Service Discovery (mDNS). 4. Enable the mDNS service. 5. Click Access control list to configure access control: To limit access to specified IPv4 addresses and networks: a. Click IPv4 Addresses. b. For Add Address, click . c.
  • Page 701 Services Enable service discovery (mDNS) 6. Click Apply to save the configuration and apply the change.    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 702 Services Enable service discovery (mDNS) Use ... network interface ? to display interface information: (config)> ... network interface ? Interfaces Additional Configuration ------------------------------------------- defaultip Default IP defaultlinklocal Default Link-local IP eth1 ETH1 eth2 ETH2 loopback Loopback modem Modem (config)> Repeat this step to list additional interfaces. To limit access based on firewall zones: (config)>...
  • Page 703 Whether to allow clients that have no client ID to connect. Whether to replace the client's ID with its username. Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 704 Services Use the MQTT broker service Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Services > MQTT broker. 4. Click Enable. 5. (Optional) For Port, type the port number for the MQTT broker to listen for incoming connections.
  • Page 705 Services Use the MQTT broker service To limit access to hosts connected through a specified interface on the IX20 device: a. Click Interfaces. b. For Add Interface, click . c. For Interface, select the appropriate interface from the dropdown. d. Click  again to allow access through additional interfaces. To limit access based on firewall zones: a.
  • Page 706 Services Use the MQTT broker service Deny v. Click  again to add additional topics. e. Click  again to add additional clients. 12. Click to expand Encryption. 13. For Type, select either None or PSK. If PSK is selected: a. Click to enable Use PSK identity as username to use the PSK identity sent by the client as its username.
  • Page 707 Services Use the MQTT broker service Read/write Deny e. Click  again to add additional topics. 15. Click Apply to save the configuration and apply the change.    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 708 Services Use the MQTT broker service To limit access to hosts connected through a specified interface on the IX20 device: (config)> add service mqtt acl interface end value (config)> Where value is an interface defined on your device. Display a list of available interfaces: Use ...
  • Page 709 Services Use the MQTT broker service loopback setup (config)> Repeat this step to include additional firewall zones. 6. Enable the system to write MQTT debug messages to the system log: (config)> service mqtt debug true (config)> 7. Enable connections from clients that do not provide a username: (config)>...
  • Page 710 Services Use the MQTT broker service The topic. The single-level wildcard, +. The multi-level wildcard, #. iii. Set the access type to apply to the topic: (config service mqtt client 0 topic_acl 0)> access value (config service mqtt client 0 topic_acl 0)> where value is one of: deny read...
  • Page 711 Services Use the MQTT broker service c. Set the pre-shared keys: i. Add a pre-shared key: (config)> add service mqtt encryption psk end (config service mqtt encryption psk 0)> ii. Set the identity sent to the client: (config service mqtt encryption psk 0)> indentity value (config service mqtt encryption psk 0)>...
  • Page 712 Services Use the MQTT broker service d. Set the access type to apply to the topic: (config service mqtt topic_acl anonymous 0)> access value (config service mqtt topic_acl anonymous 0)> where value is one of: deny read readwrite write The default is readwrite. e.
  • Page 713 Services Use the MQTT broker service readwrite write The default is readwrite. e. Add additional topics: (config service mqtt topic_acl pattern 0)> add ..pattern end (config service mqtt topic_acl pattern 1)> f. Repeat the above steps to set the topic and access type. 13.
  • Page 714 Services Use the iPerf service Totals ------ Bytes sent : 158400 Bytes received : 4500 Messages sent Messages received : 0 Clients ------- Total Maximum Connected Disconnected Expired Subscriptions ------------- Total Shared Message Store ------------- Bytes : 151 Messages : 35 Retained messages : 40 PUBLISH Messages ----------------...
  • Page 715 To enable the iPerf3 server:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 716 Services Use the iPerf service 3. Click Services > iPerf. 4. Click Enable. 5. (Optional) For IPerf Server Port, type the appropriate port number for the iPerf server listening port. 6. (Optional) Click to expand Access control list to restrict access to the iPerf server: To limit access to specified IPv4 addresses and networks: a.
  • Page 717 Services Use the iPerf service d. Click  again to allow access through additional firewall zones. 7. Click Apply to save the configuration and apply the change.    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 718 Services Use the iPerf service Where value is an interface defined on your device. Display a list of available interfaces: Use ... network interface ? to display interface information: (config)> ... network interface ? Interfaces Additional Configuration ------------------------------------------- defaultip Default IP defaultlinklocal Default Link-local IP eth1...
  • Page 719 IP address, interfaces, and/or zones. To enable the iPerf3 server: Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration:...
  • Page 720 Services Configure the ping responder service Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a.
  • Page 721 Services Configure the ping responder service A single IP address or host name. A network designation in CIDR notation, for example, 2001:db8::/48. any: No limit to IPv6 addresses that can access the ping responder. d. Click  again to list additional IP addresses or networks. To limit access to hosts connected through a specified interface on the IX20 device: a.
  • Page 722 Services Configure the ping responder service A single IP address or host name. A network designation in CIDR notation, for example, 192.168.1.0/24. any: No limit to IPv4 addresses that can access the service-type. Repeat this step to list additional IP addresses or networks. To limit access to specified IPv6 addresses and networks: (config)>...
  • Page 723 Services Configure the ping responder service Type ... firewall zone ? at the config prompt: (config)> ... firewall zone ? Zones: A list of groups of network interfaces that can be referred to by packet filtering rules and access control lists. Additional Configuration -------------------------------------------------------- -----------------------...
  • Page 724 Services Configure the ping responder service 9.00-10.00 33.2 MBytes 279 Mbits/sec 1.60 MBytes - - - - - - - - - - - - - - - - - - - - - - - - - [ ID] Interval Transfer Bandwidth Retr...
  • Page 725 Applications The IX20 supports Python 3.6 and provides you with the ability to run Python applications on the device interactively or from a file. You can also specify Python applications and other scripts to be run each time the device system restarts, at specific intervals, or at a specified time. This chapter contains the following topics: Develop Python applications The use(led) function...
  • Page 726 The IX20 features a standard Python 3.6 distribution. Python is a dynamic, object-oriented language for developing software applications, from simple programs to complex embedded applications. Digi offers the Digi IoT PyCharm Plugin to help you while writing, building, and testing your application. Create and test a Python application.
  • Page 727 Applications Develop Python applications Set up the IX20 for Python development 1. Access the IX20 local web interface a. Use an Ethernet cable to connect the IX20 to your local laptop or PC.  The factory default IP address is 192.168.2.1 b.
  • Page 728 Develop Python applications Develop an application in PyCharm The Digi IoT PyCharm Plugin allows you to write, build and run Python applications for Digi devices in a quick and easy way. See the Digi XBee PyCharm IDE Plugin User Guide for details.
  • Page 729 Applications Develop Python applications Example: Configure a custom port to listen for incoming socket connections The following example Python script configures a custom port, port 9999, to accept incoming socket connections. You will also need to add a custom firewall rule to accept the incoming traffic on this port. Example script import socket import socketserver...
  • Page 730 Create a custom firewall rule    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 731 Applications Develop Python applications 6. Click Apply to save the configuration and apply the change.    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 732 Applications Develop Python applications LEDs: digidevice.led SMS: digidevice.sms GPS: digidevice.location Digi Remote Manager: digidevice.datapoint digidevice.device_request digidevice.name Device configuration: digidevice.config Command line interface: digidevice.cli Access runtime database: digidevice.runt Set the maintenance window: digidevice.maintenance Use the Python serial module—pySerial—to access the serial ports.
  • Page 733 4. Execute a CLI command using the cli.execute(command) function. For example, to print the system status and statistics to stdout using the show system command: >>> response = cli.execute("show system") >>> >>> print (response) Model : Digi IX20 Serial Number : IX20-000065 : IX20 Hostname : IX20...
  • Page 734 5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Use digidevice.datapoint to upload custom datapoints to Digi Remote Manager Use the datapoint Python module to upload custom datapoints to Digi Remote Manager. The following characteristics can be defined for a datapoint:...
  • Page 735 Applications Develop Python applications Tuple of latitude, longitude and altitude Description (optional) Quality (optional) An integer describing the quality of the data point For example, to use an interactive Python session to upload datapoints related to velocity, temperature, and the state of the emergency door: 1.
  • Page 736 Help for using Python to upload custom datapoints to Remote Manager Get help for uploading datapoints to your Digi Remote Manager account by accessing help for datapoint.upload and datapoint.upload_multiple: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions >...
  • Page 737 Applications Develop Python applications upload(stream_id:str, data, *, description:str=None, timestamp:float=None, units:str=None, geo_location:Tuple[float, float, float]=None, quality:int=None, data_type:digidevice.datapoint.DataType=None, timeout:float=None) 5. Use the help command with datapoint.upload_multiple: >>> help(datapoint.upload_multiple) Help on function upload_multiple in module digidevice.datapoint: upload_multiple(datapoints:List[digidevice.datapoint.DataPoint], timeout:float=None) 6. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Use digidevice.config for device configuration Use the config Python module to access and modify the device configuration.
  • Page 738 Applications Develop Python applications network.interface.lan1.device=/network/bridge/lan1 network.interface.lan1.enable=true network.interface.lan1.ipv4.address=192.168.2.1/24 network.interface.lan1.ipv4.connection_monitor.attempts=3 b. Print a list of available interfaces: >>> cfg = config.load() >>> interfaces = cfg.get("network.interface") >>> print(interfaces.keys()) This returns the following: ['defaultip', 'defaultlinklocal', 'lan1', 'loopback', 'wan1', 'wwan1', 'wwan2'] c. Print the IPv4 address of the LAN interface: >>>...
  • Page 739 Applications Develop Python applications 4. Use config.load(writable=True) to enable write mode for the configuration: >>> cfg = config.load(writable=True) >>> 5. Use the set() method to make changes to the configuration: >>> cfg.set("system.name", "New-Name") >>> 6. Use the commit() method to save the changes: >>>...
  • Page 740 Develop Python applications Use Python to respond to Digi Remote Manager SCI requests The device_request Python module allows you to interact with Digi Remote Manager by using Remote Manager's Server Command Interface (SCI), a web service that allows users to access information and perform commands that relate to their devices.
  • Page 741 Applications Develop Python applications 1. In Remote Manager, click Documentation > API Explorer. 2. Select the device to use as the SCI target: a. Click SCI Targets. b. Click Add Targets. c. Enter or select the device ID of the device. d.
  • Page 742 This can be done from either the WebUI or the command line:    Web i. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. ii. Access the device configuration: Remote Manager: i.
  • Page 743 Applications Develop Python applications i. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. iii. Click System > Scheduled tasks > Custom scripts. iv. Click  to add a custom script. v. For Label, type Show system application. vi.
  • Page 744 Applications Develop Python applications Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. ii. At the command line, type config to enter configuration mode: > config (config)> iii. Add an application entry: (config)>...
  • Page 745 Applications Develop Python applications i. From the command line, at the Admin CLI prompt, type: > reboot To run the application from the shell prompt: i. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions >...
  • Page 746 Develop Python applications 8. Click Send. You should receive a response similar to the following: <sci_reply version="1.0"> <data_service> <device id="00000000-00000000-0000FFFF-A83CF6A3"/> <requests> <device_request target_name="showSystem" status="0">Model : Digi IX20 Serial Number : IX20-000068 Hostname : IX20 : 00:40:D0:13:35:36 Hardware Version : 50001959-01 A Firmware Version : 23.3.31.129...
  • Page 747 </sci_request> Help for using Python to respond to Digi Remote Manager SCI requests Get help for responding to Digi Remote Manager Server Command Interface (SCI) requests by accessing help for digidevice.device_request: 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions >...
  • Page 748 Applications Develop Python applications You can also use the help command with available device_request functions: Use the help command with device_request.register: >>> help(device_request.register) Help on function register in module digidevice.device_request: register(target:str, response_callback:Callable[[str, str], str], status_callback:Callable[[int, str], NoneType]=None, xml_ encoding:str='UTF-8') Use the help command with device_request.unregister: >>>...
  • Page 749 Applications Develop Python applications a. Print available keys: >>> print(runt.keys("")) This returns available keys: ['advanced', 'drm', 'firmware', 'location', 'manufacture', 'metrics', 'mm', 'network', 'pam', 'serial', 'system'] b. Print available keys for the system key: >>> print(runt.keys("system")) This will return the following: ['boot_count', 'chassis', 'cpu_temp', 'cpu_usage', 'disk', 'load_avg', 'local_time', 'mac', 'mcu', 'model', 'ram', 'serial', 'uptime'] c.
  • Page 750 Applications Develop Python applications 4. Use start() method to open the runtime database: >>> runt.start() >>> 5. Use the set() method to make changes to the runtime database: >>> runt.set("my-variable", "my-value") >>> 6. Use the get() method to verify the change: >>>...
  • Page 751 Use Python to upload the device name to Digi Remote Manager The name submodule can be used to upload a custom name for your device to Digi Remote Manager. When you use the name submodule to upload a custom device name to Remote Manager, the...
  • Page 752 5. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Help for uploading the device name to Digi Remote Manager Get help for uploading the device name to Digi Remote Manager by accessing help for digidevice.name: 1.
  • Page 753 Applications Develop Python applications Determine if the device's location 1. Select a device in Remote Manager that is configured to allow shell access to the admin user, and click Actions > Open Console. Alternatively, log into the IX20 local command line as a user with shell access.
  • Page 754 Applications Develop Python applications Use the altitude object to return the altitude, in meters: >>> loc.altitude 292.39999399999999 >>> 7. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Update the location data The location submodule takes a snapshot of the current location and stores it in the runtime database.
  • Page 755 Applications Develop Python applications # python Python 3.10.1 (main, Mar 30 2023, 23:47:13) [GCC 11.2.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>> 3. Import the json submodule: >>> import json 4. Import the location submodule: >>>...
  • Page 756 Applications Develop Python applications "utc_date_time": "May-03-2023 21:24:00", "vertical_velocity": "0.0" >>> 6. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Help for the digidevice location module Get help for the digidevice location module: 1.
  • Page 757 Applications Develop Python applications 2. At the shell prompt, use the python command with no parameters to enter an interactive Python session: # python Python 3.10.1 (main, Mar 30 2023, 23:47:13) [GCC 11.2.0] on linux Type "help", "copyright", "credits" or "license" for more information. >>>...
  • Page 758 Applications Develop Python applications Type "help", "copyright", "credits" or "license" for more information. >>> 3. Import the maintenance submodule: >>> from digidevice import maintenance >>> 4. Use the help command with maintenance : >>> help(maintenance ) Help on module digidevice.maintenance in digidevice: NAME digidevice.maintenance DESCRIPTION...
  • Page 759 Applications Develop Python applications Attribute name Color LTE connection indicator Led.COM Led.ETH Green Led.ONLINE Blue Signal strength indicators Led.RSS1 Green Led.RSS2 Led.RSS3 Led.RSS4 Led.RSS5 Available LED states State Attribute name Solid on State.ON State.OFF Flash State.FLASH Use Python to set the state of LEDs The following example uses an interactive Python session to set the state of all LEDs to flashing: 1.
  • Page 760 Applications The use(led) function 6. (Optional) Use led.release() to release the LEDs to system control: >>> led.release(Led.ALL) 7. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). The use(led) function The use(led) function can be used to acquire control of LEDs and then release them back to system control.
  • Page 761 Applications Use Python to control the color of multi-colored LEDs LED attribute name Color State Led.COM Green Led.ETH Led.ONLINE Led.COM Green flashing Led.ETH FLASH Led.ONLINE Led.COM Blue Led.ETH Led.ONLINE Led.COM Blue flashing Led.ETH Led.ONLINE FLASH Led.COM White Led.ETH Led.ONLINE Led.COM White flashing FLASH Led.ETH...
  • Page 762 Applications Use Python to control the color of multi-colored LEDs LED attribute name Color State Led.COM Purple flashing FLASH Led.ETH Led.ONLINE FLASH Led.COM Cyan Led.ETH Led.ONLINE Led.COM Cyan flashing Led.ETH FLASH Led.ONLINE FLASH See The digidevice led submodule for a definition of the IX20's LEDs, including RGB LEDs, and the names of the attributes for each LED that will be used by the digidevice.led module.
  • Page 763 SMS scripting. Enable the ability to schedule SMS scripting    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 764 Applications Use Python to control the color of multi-colored LEDs 4. Click to enable Allow scheduled scripts to handle SMS. 5. Click Apply to save the configuration and apply the change.    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 765 Applications Use Python to control the color of multi-colored LEDs def sms_test_callback(sms, info): print(f"SMS message from {info['content.number']} received") print(sms) print(info) COND.acquire() COND.notify() COND.release() def send_sms(destination, msg): print("sending SMS message", msg) if len(destination) == 10: destination = "+1" + destination send(destination, msg) if __name__ == '__main__': if len(sys.argv) >...
  • Page 766 Applications Use Python to control the color of multi-colored LEDs print(sms) print(info) #if sms == "Reboot": send_sms(dest, 'Reboot message received, rebooting device...') response = cli.execute("reboot") print (response) send_sms(dest, 'Message received (' + sms + '). Performing as CLI command...') response = cli.execute(sms) if not response: response = 'OK' send_sms(dest, 'CLI results: ' + response)
  • Page 767 Applications Use Python to control the color of multi-colored LEDs Depending on your device configuration, you may be presented with an Access selection menu. Type shell to access the device shell. 2. Determine the path to the serial port: # ls /dev/serial/ by-id by-path by-usb...
  • Page 768 Applications Use Python to control the color of multi-colored LEDs from digidevice import cli POLL_TIME = 60 def cmd_reboot(params): print("Rebooting unit...") try: cli.execute("reboot", 10) except: print("Failed to run 'reboot' command") return HTTPStatus.INTERNAL_SERVER_ERROR return HTTPStatus.OK def cmd_fwupdate(params): try: fw_uri = params["uri"] except: print("Firmware file URI not passed") return HTTPStatus.BAD_REQUEST...
  • Page 769 Applications Use Python to control the color of multi-colored LEDs else: print("Invalid command path ({}), cannot send reply".format(cmd_path)) return reply = { "cmd": cmd, "status": status client.publish(PREFIX_RSP + path + "/" + cid, json.dumps(reply, separators= (',',':'))) def on_connect(client, userdata, flags, rc): print("Connected to MQTT server") client.subscribe(PREFIX_CMD + "/system") def on_message(client, userdata, msg):...
  • Page 770 Applications Use Python to control the color of multi-colored LEDs leases = [] try: with open('/etc/config/dhcp.leases', 'r') as f: for line in f: elems = line.split() if len(elems) != 5: continue leases.append({"mac": elems[1], "ip": elems[2], "host": elems [3]}) if leases: client.publish(PREFIX_EVENT + "/leases", json.dumps(leases, separators=(',',':'))) except:...
  • Page 771 Applications Set up the IX20 to automatically run your applications Set up the IX20 to automatically run your applications This section contains the following topics: Configure scripts to run automatically Show script information Stop a script that is currently running Configure scripts to run automatically You can configure a script or a python application to run automatically when the system restarts, at specific intervals, or at a specified time.
  • Page 772 Applications Set up the IX20 to automatically run your applications 1. Log into the IX20 WebUI as a user with Admin access. 2. On the menu, click System. Under Administration, click File System. The File System page appears. 3. Highlight the scripts directory and click  to open the directory. 4.
  • Page 773 This feature does not provide syntax or error checking. Certain commands can render the device inoperable. Use with care.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 774 Applications Set up the IX20 to automatically run your applications 3. Click System > Scheduled tasks > Custom scripts. 4. For Add Script, click . The script configuration window is displayed. Custom scripts are enabled by default. To disable, toggle off Enable. 5.
  • Page 775 Applications Set up the IX20 to automatically run your applications Click to enable Run single to run only a single instance of the script at a time. If Run single is not enabled, a new instance of the script will be started at every interval, regardless of whether the script is still running from a previous interval.
  • Page 776 Applications Set up the IX20 to automatically run your applications 3. Add a script: (config)> add system schedule script end (config system schedule script 0)> Scheduled scripts are enabled by default. To disable: (config system schedule script 0)> enable false (config system schedule script 0)>...
  • Page 777 Applications Set up the IX20 to automatically run your applications If once is set to false, a new instance of the script will be started at every interval, regardless of whether the script is still running from a previous interval. set_time: Runs the script at a specified time of the day.
  • Page 778 Applications Set up the IX20 to automatically run your applications If once is enabled, rebooting the device will cause the script to run again. The only way to re- run the script is to: Remove the script from the device and add it again. Make a change to the script.
  • Page 779 Applications Set up the IX20 to automatically run your applications 2. Use the show scripts command at the system prompt: > show scripts Index Label Enabled Status Run time ----- ----------- ------- ------ -------- script1 true active script2 true idle 01:00 >...
  • Page 780 3. Type Python commands at the Python prompt. For example, to view help for the digidevice module, type: >>> help("digidevice") Help on package digidevice: NAME digidevice - Digi device python extensions DESCRIPTION This module includes various extensions that allow Python...
  • Page 781 Applications Run a Python application at the shell prompt to interact with additional features offered by the device. 4. Use Ctrl-D to exit the Python session. You can also exit the session using exit() or quit(). Run a Python application at the shell prompt Python applications can be run from a file at the shell prompt.
  • Page 782 Applications Configure scripts to run manually Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. b. At the command line, use the command to upload the Python application script to the IX20 device: >...
  • Page 783 Applications Configure scripts to run manually Set the script to run manually. Additional configuration items A label used to identify the script. The arguments for the script. Whether to write the script output and errors to the system log. The memory available to be used by the script. Whether the script should run one time only.
  • Page 784 This feature does not provide syntax or error checking. Certain commands can render the device inoperable. Use with care.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 785 Applications Configure scripts to run manually Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click System > Scheduled tasks > Custom scripts. 4. For Add Script, click . The script configuration window is displayed.
  • Page 786 Applications Configure scripts to run manually the path for the script command. Otherwise, the default shell will be used (equivalent to #!/bin/sh). 8. Script logging options: a. Click to enable Log script output to log the script's output to the system log. b.
  • Page 787 Applications Configure scripts to run manually 5. Set the run mode to manual: (config system schedule script 0)> when manual (config system schedule script 0)> 6. Set the commands that will execute the script: (config system schedule script 0)> commands filename (config system schedule script 0)>...
  • Page 788 Applications Start a manual script 10. Sandbox is enabled by default. This option protects the script from accidentally destroying the system it is running on. (config system schedule script 0)> sandbox true (config system schedule script 0)> 11. Save the configuration and apply the change: (config)>...
  • Page 789 Applications Start a manual script Index Label Enabled Status Run time ----- ----------- ------- ------ -------- script1 true active script2 true idle 01:00 > 3. Start the script: )> system script start script1 > 4. Save the configuration and apply the change: (config)>...
  • Page 790 User authentication This chapter contains the following topics: IX20 user authentication User authentication methods Authentication groups Local users Terminal Access Controller Access-Control System Plus (TACACS+) Remote Authentication Dial-In User Service (RADIUS) LDAP Configure serial authentication Disable shell access Set the idle timeout for IX20 users Example user configuration IX20 User Guide...
  • Page 791 User authentication IX20 user authentication IX20 user authentication User authentication on the IX20 has the following features and default configuration: Idle timeout: Determines how long a user session can be idle before the system automatically disconnects. Default configuration: 10 minutes. Allow shell: If disabled, prevents all authentication prohibits access to... Default configuration: Enabled.
  • Page 792 User authentication User authentication methods Local users: Users are authenticated on the local device. RADIUS: Users are authenticated by using a remote RADIUS server. See Remote Authentication Dial-In User Service (RADIUS) for information about configuring RADIUS authentication. TACACS+: Users are authenticated by using a remote TACACS+ server. See Terminal Access Controller Access-Control System Plus (TACACS+) for information about configuring TACACS+ authentication.
  • Page 793 The types of authentication method to be used: To add an authentication method:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 794 User authentication User authentication methods 4. For Add Method, click . 5. Select the appropriate authentication type for the new method from the Method drop-down. Note Authentication methods are attempted in the order they are listed until the first successful authentication result is returned. See Rearrange the position of authentication methods for information about how to reorder the authentication methods.
  • Page 795 Type quit to disconnect from the device. Delete an authentication method    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager:...
  • Page 796 User authentication User authentication methods a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
  • Page 797 For example, the following configuration has Local users as the first method, and RADIUS as the second. To reorder these so that RADIUS is first and Local users is second: 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 798 User authentication User authentication methods Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click to expand the first Method. 4. In the Method drop-down, select RADIUS. 5. Click to expand the second Method. 6.
  • Page 799 User authentication Authentication groups 1 radius (config)> 4. Use the move command to rearrange the methods: (config)> move auth method 1 0 (config)> 5. Use the show command again to verify the change: (config)> show auth method 0 radius 1 local (config)>...
  • Page 800 By default, two authentication groups are predefined: admin and serial. To change the access rights of the predefined groups:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 801 User authentication Authentication groups Full access provides users of this group with the ability to manage the IX20 device by using the WebUI or the Admin CLI. Read-only access provides users of this group with read-only access to the WebUI and Admin CLI.
  • Page 802 User authentication Authentication groups full: provides users of this group with the ability to manage the IX20 device by using the WebUI or the Admin CLI. read-only: provides users of this group with read-only access to the WebUI and Admin CLI. The default is full.
  • Page 803 User authentication Authentication groups 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 804 User authentication Authentication groups 5. Click the following options, as appropriate, to enable or disable access rights for each: Admin access For groups assigned Admin access, you can also determine whether the Access level should be Full access or Read-only access. where value is either: Full access full: provides users of this group with the ability to manage the IX20 device by using the WebUI or the Admin CLI.
  • Page 805 User authentication Authentication groups 10. (Optional) Enable users that belong to this group to query the device for Nagios monitoring by checking the box next to Nagios access. 11. (Optional) Enable users that belong to this group to access the Wi-Fi scanning service by checking the box next to Wi-Fi scanner access.
  • Page 806 User authentication Authentication groups Serial access: (config auth group test)> acl serial enable true (config)> 5. (Optional) Configure captive portal access: a. Return to the config prompt by typing three periods (...): (config auth group test)> ... (config)> b. Enable captive portal access rights for users of this group: (config)>...
  • Page 807 To delete an authentication group that you have created:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 808 User authentication Authentication groups 5. Click Apply to save the configuration and apply the change.    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 809 User authentication Local users Local users Local users are authenticated on the device without using an external authentication mechanism such as TACACS+ or RADIUS. Local user authentication is enabled by default, with one preconfigured default user. Default user At manufacturing time, each IX20 device comes with a default user configured as follows: Username: admin.
  • Page 810 Change a local user's password To change a user's password:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 811 User authentication Local users You can also change the password for the active user by clicking the user name in the menu bar: The active user must have full Admin access rights to be able to change the password. 6. Click Apply to save the configuration and apply the change. ...
  • Page 812 One-time use eight-digit emergency scratch codes. To configure a local user:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager:...
  • Page 813 User authentication Local users a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
  • Page 814 User authentication Local users Because the name used to create the user cannot contain special characters such as hyphens (-) or periods (.), an alias allows the user to log in using a name that contains special characters. For security purposes, if two users have the same alias, the alias will be disabled. 6.
  • Page 815 User authentication Local users c. Select the Verification type: Time-based (TOTP): Time-based One-Time Password (TOTP) authentication uses the current time to generate a one-time password. Counter-based (HOTP): HMAC-based One-Time Password (HOTP) uses a counter to validate a one-time password. d. Generate a Secret key: i.
  • Page 816 User authentication Local users Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. At the command line, type config to enter configuration mode: > config (config)> 3. Add a user. For example, to create a user named new_user: (config)>...
  • Page 817 User authentication Local users (config auth user new_user)> lockout duration 600s (config auth user new_user)> The minimum value is 1 second, and the maximum is 15 minutes. The default is 15 minutes. 7. Add groups for the user. Groups define user access rights. See Authentication groups for information about configuring groups.
  • Page 818 User authentication Local users 9. (Optional) Configure two-factor authentication for SSH, telnet, and serial console login: a. Change to the user's two-factor authentication node: (config auth user new_user)> 2fa (config auth user new_user 2fa)> b. Enable two-factor authentication for this user: (config auth user new_user 2fa)>...
  • Page 819 User authentication Local users (config auth user new_user 2fa)> window_size 3 (config auth user new_user 2fa)> h. Configure the login limit. This represents the number of times that the user is allowed to attempt to log in during the Login limit period. Set to 0 to allow an unlimited number of login attempts during the Login limit period. (config auth user new_user 2fa)>...
  • Page 820 User authentication Local users 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 821 User authentication Local users 3. At the config prompt, type: (config)> del auth user username 4. Save the configuration and apply the change: (config)> save Configuration saved. > 5. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 822 User authentication Terminal Access Controller Access-Control System Plus (TACACS+) Terminal Access Controller Access-Control System Plus (TACACS+) Your IX20 device supports Terminal Access Controller Access-Control System Plus (TACACS+), a networking protocol that provides centralized authentication and authorization management for users who connect to the device. With TACACS+ support, the IX20 device acts as a TACACS+ client, which sends user credentials and connection parameters to a TACACS+ server over TCP.
  • Page 823 User authentication Terminal Access Controller Access-Control System Plus (TACACS+) TACACS+ user configuration When configured to use TACACS+ support, the IX20 device uses a remote TACACS+ server for user authentication (password verification) and authorization (assigning the access level of the user). Additional TACACS+ servers can be configured as backup servers for user authentication.
  • Page 824 User authentication Terminal Access Controller Access-Control System Plus (TACACS+) Error: Unrecognised token on line 1 5. Restart the TACACS+ server: $ sudo /etc/init.d/tacacs_plus restart TACACS+ server failover and fallback to local authentication In addition to the primary TACACS+ server, you can also configure your IX20 device to use backup TACACS+ servers.
  • Page 825 Add additional TACACS+ servers in case the first TACACS+ server is unavailable.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 826 User authentication Terminal Access Controller Access-Control System Plus (TACACS+) c. (Optional) Change the default Port setting to the appropriate port. Normally this should be left at the default setting of port 49. d. For Secret, type the TACACS+ server's shared secret. This is configured in the key parameter of the TACACS+ server's tac_plus.conf file, for example: key = testing123 e.
  • Page 827 User authentication Terminal Access Controller Access-Control System Plus (TACACS+) 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 828 User authentication Terminal Access Controller Access-Control System Plus (TACACS+) b. Enter the TACACS+ server's IP address or hostname: (config auth tacacs+ server 0)> hostname hostname|ip-address (config auth tacacs+ server 0)> c. (Optional) Change the default port setting to the appropriate port: (config auth tacacs+ server 0)>...
  • Page 829 User authentication Remote Authentication Dial-In User Service (RADIUS) Remote Authentication Dial-In User Service (RADIUS) Your IX20 device supports Remote Authentication Dial-In User Service (RADIUS), a networking protocol that provides centralized authentication and authorization management for users who connect to the device.
  • Page 830 User authentication Remote Authentication Dial-In User Service (RADIUS) RADIUS user configuration When configured to use RADIUS support, the IX20 device uses a remote RADIUS server for user authentication (password verification) and authorization (assigning the access level of the user). Additional RADIUS servers can be configured as backup servers for user authentication. This section outlines how to configure a RADIUS server to be used for user authentication on your IX20 device.
  • Page 831 60 seconds. Enable additional debug messages from the RADIUS client.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 832 User authentication Remote Authentication Dial-In User Service (RADIUS) Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > RADIUS > Servers. 4. Add RADIUS servers: a. For Add server, click . b.
  • Page 833 User authentication Remote Authentication Dial-In User Service (RADIUS) value is used: If you are accessing the IX20 device by using the WebUI, the default value for NAS ID is httpd. If you are accessing the IX20 device by using ssh, the default value is sshd. 8.
  • Page 834 User authentication LDAP default value is used: If you are accessing the IX20 device by using the WebUI, the default value for NAS ID is httpd. If you are accessing the IX20 device by using ssh, the default value is sshd. (config)>...
  • Page 835 User authentication LDAP authentication and authorization management for users who connect to the device. With LDAP support, the IX20 device acts as an LDAP client, which sends user credentials and connection parameters to an LDAP server. The LDAP server then authenticates the LDAP client requests and sends back a response message to the device.
  • Page 836 User authentication LDAP LDAP user configuration When configured to use LDAP support, the IX20 device uses a remote LDAP server for user authentication (password verification) and authorization (assigning the access level of the user). Additional LDAP servers can be configured as backup servers for user authentication. This section outlines how to configure an LDAP server to be used for user authentication on your IX20 device.
  • Page 837 User authentication LDAP cn: John Smith sn: Smith uid: john ou: admin serial LDAP server failover and fallback to local configuration In addition to the primary LDAP server, you can also configure your IX20 device to use backup LDAP servers. Backup LDAP servers are used for authentication requests when the primary LDAP server is unavailable.
  • Page 838 User authentication LDAP 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 839 User authentication LDAP c. (Optional) Change the default Port setting to the appropriate port. Normally this should be left at the default setting of port 389 for non-TLS and 636 for TLS. d. (Optional) Click  again to add additional LDAP servers. 5.
  • Page 840 User authentication LDAP c. Select LDAP for the new method from the Method drop-down. Authentication methods are attempted in the order they are listed until an authentication response, either pass or fail, is received. If Authoritative is enabled (see above), non-authoritative methods are not attempted.
  • Page 841 User authentication LDAP The default is true. 6. Set the distinguished name (DN) that is used to bind to the LDAP server and search for users. Leave this option unset if the server allows anonymous connections. (config)> auth ldap bind_dn dn_value (config)>...
  • Page 842 This section describes how to configure authentication for serial access.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 843 User authentication Configure serial authentication Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication > Serial. 4. (Optional) For TLS identity certificate, paste a TLS certificate and private key in PEM format. If empty, the certificate for the web administration service is used.
  • Page 844 User authentication Disable shell access 3. (Optional) Paste a TLS certificate and private key in PEM format: (config)> auth serial identiy "cert-and-private-key" (config)> 4. Set the method used to verify the certificate of a remote peer: (config)> auth serial verify value (config)>...
  • Page 845 User authentication Disable shell access 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 846 By default, the Idle timeout is set to 10 minutes.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 847 User authentication Set the idle timeout for IX20 users a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Authentication. 4. For Idle timeout, enter the amount of time that the active session can be idle before the user is automatically logged out.
  • Page 848 User authentication Set the idle timeout for IX20 users where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set idle_timeout to ten minutes, enter either 10m or 600s: (config)> auth idle_timeout 600s (config)>...
  • Page 849 Goal: To create a user with administrator rights who is authenticated locally on the device.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 850 User authentication Example user configuration 4. In Add User: enter a name for the user and click . The user configuration window is displayed. 5. Enter a Password for the user. 6. Assign the user to the admin group: a. Click Groups. b.
  • Page 851 User authentication Example user configuration 2. At the command line, type config to enter configuration mode: > config (config)> 3. Verify that the admin group has full administrator rights: (config)> show auth group admin acl admin enable true level full (config)>...
  • Page 852 User authentication Example user configuration (config auth user adminuser)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Example 2: RADIUS, TACACS+, and local authentication for one user Goal: To create a user with administrator rights who is authenticated by using all three authentication methods.
  • Page 853 The authentication group on the IX20 device, admin, is identified in the groupname parameter. c. Save and close the tac_plus.conf file. 3. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 4. Access the device configuration:...
  • Page 854 User authentication Example user configuration a. Locate your device as described in Use Digi Remote Manager to view and manage your device. b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration.
  • Page 855 User authentication Example user configuration 6. Create the local user: a. Click Authentication > Users. b. In Add User:, type admin1 and click . c. For password, type password1. d. Assign the user to the admin group: i. Click Groups. ii.
  • Page 856 User authentication Example user configuration In this example: The user's username is admin1. The user's password is password1. The authentication group on the IX20 device, admin, is identified in the Unix-FTP-Group-Names parameter. c. Save and close the users file. 2.
  • Page 857 User authentication Example user configuration b. Add RADIUS authentication to the beginning of the list: (config)> add auth method 0 radius (config)> c. Add TACACS+ authentication in second place in the list: (config)> add auth method 1 tacacs+ (config)> d. Verify that authentication will occur in the correct order: (config)>...
  • Page 858 User authentication Example user configuration 8. Save the configuration and apply the change: (config auth user adminuser)> save Configuration saved. > 9. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 859 Firewall This chapter contains the following topics: Firewall configuration; Port forwarding rules; Packet filtering; Configure custom firewall rules; Configure captive portals; Configure Quality of Service options; Web filtering
  • Page 860 To create a zone:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 861 Firewall Firewall configuration c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Firewall > Zones. 4. In Add Zone, enter a name for the zone and click . The firewall configuration window is displayed.
  • Page 862 This example procedure uses an existing network interface named ETH2 and changes the firewall zone from the default zone, Internal, to External.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 863 Firewall Firewall configuration a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Network > Interfaces > ETH2. 4. For Zone, select External. 5. Click Apply to save the configuration and apply the change. ...
  • Page 864 You cannot delete preconfigured firewall zones. To delete a custom firewall zone:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 865 Firewall Port forwarding rules 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 866 To configure a port forwarding rule:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 867 Firewall Port forwarding rules Port forwarding rules are enabled by default. To disable, toggle off Enable. 5. (Optional) Type a Label that will be used to identify the rule. 6. For Interface, select the network interface for the rule. Network connections will only be forwarded if their destination address matches the IP address of the selected network interface.
  • Page 868 Firewall Port forwarding rules 2. At the command line, type config to enter configuration mode: > config (config)> 3. At the config prompt, type: (config)> add firewall dnat end (config firewall dnat 0)> Port forwarding rules are enabled by default. To disable the rule: (config firewall dnat 0)>...
  • Page 869 Firewall Port forwarding rules (config firewall dnat 0)> port port (config firewall dnat 0)> 7. Set the type of internet protocol. (config firewall dnat 0)> protocol value (config firewall dnat 0)> Network connections will only be forwarded if they match the selected protocol. Allowed values are custom, tcp, tcpudp, or udp.
  • Page 870 Delete a port forwarding rule To delete a port forwarding rule:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 871 Firewall Port forwarding rules Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Firewall > Port forwarding. 4. Click the menu icon (...) next to the appropriate port forwarding rule and select Delete. 5.
  • Page 872 Firewall Port forwarding rules port 10000 protocol tcp to_address6 10.10.10.10 to_port 10001 no address6 no zone enable false interface ip_version ipv6 label IPv6 port forwarding rule port 10002 protocol tcp to_address6 c097:4533:bd63:bb12:9a6f:5569:4b53:c29a to_port 10003 (config)> 4. To delete the rule, use the index number with the del command. For example: (config)>...
  • Page 873 ICMP6 To configure a packet filtering rule:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 874 Firewall Packet filtering Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Firewall > Packet filtering. To create a new packet filtering rule, for Add packet filter, click . To edit the default packet filtering rule or another existing packet filtering rule, click to expand the rule.
  • Page 875 Firewall Packet filtering See Firewall configuration for more information about firewall zones. 9. For Destination zone, select the firewall zone. Packets destined for network interfaces that are members of this zone will either be accepted, rejected or dropped by this rule. See Firewall configuration for more information about firewall zones.
  • Page 876 Firewall Packet filtering Packet filtering rules are enabled by default. To disable the rule: (config firewall filter 1)> enable false (config firewall filter 1)> 3. (Optional) Set the label for the rule. (config firewall filter 1)> label "My filter rule" (config firewall filter 1)>...
  • Page 877 Enable or disable a packet filtering rule To enable or disable a packet filtering rule:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 878 Firewall Packet filtering 3. Click Firewall > Packet filtering. 4. Click the appropriate packet filtering rule. 5. Click Enable to toggle the rule between enabled and disabled. 6. Click Apply to save the configuration and apply the change.    Command line 1.
  • Page 879 Delete a packet filtering rule To delete a packet filtering rule:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 880 Firewall Packet filtering 3. Click Firewall > Packet filtering. 4. Click the menu icon (...) next to the appropriate packet filtering rule and select Delete. 5. Click Apply to save the configuration and apply the change.    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 881 To configure custom firewall rules:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 882 Firewall Configure custom firewall rules 3. Click Firewall > Custom rules. 4. Enable the custom rules. 5. (Optional) Enable Override to override all preconfigured firewall behavior and rely solely on the custom firewall rules. 6. For Rules, type the shell command that will execute the custom firewall rules script. 7.
  • Page 883 Firewall Configure custom firewall rules 6. Save the configuration and apply the change: (config)> save Configuration saved. > 7. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device.
  • Page 884 Captive portals are available on the IX20W Wi-Fi enabled model only. To configure captive portals:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 885 Firewall Configure captive portals 4. For Add captive portal:, enter a name for the portal and click . The captive portal configuration window is displayed. The captive portal is enabled by default. To disable, toggle off Enable. 5. For Interface, select the network interface for the portal. Traffic received on this interface's network device will not be forwarded unless the client has been granted access.
  • Page 886 Firewall Configure captive portals 13. Click Apply to save the configuration and apply the change.    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 887 Firewall Configure captive portals (config firewall portal portal1)> timeout value (config firewall portal portal1)> where value is any number of weeks, days, hours, minutes, or seconds, and takes the format number{w|d|h|m|s}. For example, to set Session timeout to ten minutes, enter either 10m or 600s: (config firewall portal portal1)>...
  • Page 888 Delete captive portals To delete captive portals:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 889 Firewall Configure Quality of Service options 3. Click Firewall > Captive portals. 4. Click the down caret next to the appropriate captive portal and select Delete. 5. Click Apply to save the configuration and apply the change. Command line 1.
  • Page 890 These example bindings are disabled by default. Enable the preconfigured bindings    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 891 Firewall Configure Quality of Service options 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 892 Type quit to disconnect from the device. Create a new binding    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 893 Firewall Configure Quality of Service options 5. Enable the binding. 6. (Optional) Type a Label for the binding. 7. Select an Interface to queue egress packets on. The binding will only match traffic that is being sent out on this interface. 8.
  • Page 894 Firewall Configure Quality of Service options f. Select Default to identify this policy as a fall-back policy. The fall-back policy will be used for traffic that is not matched by any other policy. If there is no default policy associated with this binding, packets that do not match any policy rules will be dropped.
  • Page 895 Firewall Configure Quality of Service options IPv4 address: Only traffic destined for the IP address typed in IPv4 address will be matched. Use the format IPv4_address[/netmask], or use any to match any IPv4 address. IPv6 address: Only traffic destined for the IP address typed in IPv6 address will be matched.
  • Page 896 Firewall Configure Quality of Service options (config firewall qos 2)> interface b. Set the interface. For example: (config firewall qos 2)> interface /network/interface/eth1 (config firewall qos 2)> 6. (Optional) Set the maximum egress bandwidth of the interface, in megabits, allocated to this binding.
  • Page 897 Firewall Configure Quality of Service options (config firewall qos 2 policy 0)> latency int (config firewall qos 2 policy 0)> where int is any integer, 1 or greater. The default is 100. f. To identify this policy as a fall-back policy: (config firewall qos 2 policy 0)>...
  • Page 898 Firewall Configure Quality of Service options vi. Set the source port to define a source traffic matching criteria: (config firewall qos 2 policy 0 rule 0)> srcport value (config firewall qos 2 policy 0 rule 0)> where value is the IP port number, a range of port numbers using the format IP_port- IP_port, or any.
  • Page 899 Firewall Configure Quality of Service options (config network qos 2 policy 0 rule 0)> src address value (config network qos 2 policy 0 rule 0)> where value uses the format IPv4_address[/netmask], or any to match any IPv4 address. address6: Only traffic from the IP address typed in IPv6 address will be matched.
  • Page 900 Firewall Web filtering (config network qos 2 policy 0 rule 0)> dst interface /network/interface/eth1 (config network qos 2 policy 0 rule 0)> address: Only traffic destined for the IP address typed in IPv4 address will be matched. Set the address that will be matched: (config network qos 2 policy 0 rule 0)>...
  • Page 901 6. Copy the token. Task two: Configure web filtering    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 902 Firewall Web filtering 3. Click Firewall > Web filtering service. 4. Click Enable web filtering to enable. 5. For Web filtering service, select Cisco Umbrella. 6. Paste the API token that was generated in Task one: Generate a Cisco Umbrella API token.
  • Page 903 Firewall Web filtering 6. Save the configuration and apply the change: (config)> save Configuration saved. > 7. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Clear the Cisco Umbrella device ID If the Cisco Umbrella device ID being used by your IX20 is invalid, you can clear the device ID.
  • Page 904 Firewall Web filtering 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 905 Firewall Web filtering 8. For IP address, enter the IP address of the DNS server. 9. (Optional) Repeat for additional DNS servers. 10. Click Apply to save the configuration and apply the change.    Command line 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 906 Firewall Web filtering b. Set the web filter service type to manual: (config)> firewall web-filter service manual (config)> c. Add the first DNS server: i. Add the server: (config)> add firewall web-filter server end (config firewall web-filter server 0)> ii. Set the server's IP address: (config firewall web-filter server 0)>...
  • Page 907 Configure web filtering with manual DNS servers for information about configuring web filtering to use Cisco open DNS servers. 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 908 Firewall Web filtering 5. Return to the IX20 WebUI and enable web filtering: a. Click Firewall > Web filtering service. b. Click Enable web filtering to enable. c. Click Apply to save the configuration and apply the change. 6. From your browser, attempt to connect to http://www.internetbadguys.com again.
  • Page 909 Firewall Web filtering 5. Attempt to connect to http://www.internetbadguys.com again: $ curl -I www.internetbadguys.com HTTP/1.1 403 Forbidden Server: openresty/1.9.7.3 Date: Wed, May 3, 2023 21:24:00 Content-Type: text/html Connection: keep-alive You should receive an "HTTP/1.1 403 Forbidden" message, as highlighted above. Show web filter service information To view information about the web filter service: ...
  • Page 910 Linux instances on the same host using the host's Linux kernel. Note Container support must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. This chapter contains the following topics:...
  • Page 911 Use Digi Remote Manager to deploy and run containers Use Digi Remote Manager to deploy and run containers Note Container support must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. 1. In Remote Manager, create a Configuration template. See the Remote Manager User Guide instructions.
  • Page 912 Containers Use Digi Remote Manager to deploy and run containers i. Click Browse and select the container file. ii. Type the Name of the container. The Name entered here must be the same name as the container .tgz file. This is absolutely necessary, otherwise the container file will not be properly configured on the local devices.
  • Page 913 Containers Use Digi Remote Manager to deploy and run containers c. For the Automation step: i. Click to toggle on Enable Scanning. ii. Click to toggle on Remediate. Run a manual configuration scan to apply the container and configuration settings to all applicable devices.
  • Page 914 Containers Use Digi Remote Manager to deploy and run containers vi. Click the Stream ID to view container status. To verify by using the show containers command on the local device: a. From the Remote Manager main menu, click  Management >  Devices.
  • Page 915 Containers Upload a new LXC container Run the automation manually. Include the automation in a Configuration template as a post-remediation or post-scan step. When creating or editing a Configuration template, at the Automation page: 1. For Post Remediation Options, click Run Automation and select the automation. 2.
  • Page 916 Serial ports on the device that the container will have access to.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 917 Containers Configure a container b. Click the Device ID. c. Click Settings. d. Click to expand Config. Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click System > Containers. 4.
  • Page 918 Containers Configure a container For example, to set Restart timeout to ten minutes, enter 10m or 600s. 8. (Optional) Type any Optional parameters for the container. Parameters are in the format accepted by the lxc utility. 9. (Optional) Click to expand Mounted directories to configure system directories that will be mounted inside the container.
  • Page 919 Containers Configure a container b. Set the network bridge device that will be used to provide network access: i. Use the ? to determine the available bridges: (config system container name)> bridge ? Network Bridge Device: Containers require a bridge to access the network.
  • Page 920 Containers Starting and stopping the container Parameters are in the format accepted by the lxc utility. 9. (Optional) Set any system directories that should be mounted inside the container. Any mounted directories need to be accessible to a non-privileged user. a.
  • Page 921 Containers Starting and stopping the container Note Container support must be enabled in Digi Remote Manager. Contact your Digi sales representative for information. Starting the container There are two methods to start containers: Non-persistent: Changes made to the container file system will be lost when the container is stopped.
  • Page 922 Containers View the status of containers Starting a container by including an executable You can supply an executable to run when you start the container, along with any parameters. If you don't supply a parameter, the default behavior is to run the executable by using /bin/sh -l, which runs the shell and loads the shell profile.
  • Page 923 Containers Schedule a script to run in the container Show status of all containers Use the show containers command with no additional arguments to show the status of all containers on the system: 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 924 Containers Schedule a script to run in the container    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 925 Containers Schedule a script to run in the container 5. (Optional) For Label, type container_script. 6. For Run mode, select Interval. 7. For Interval, type 10s. 8. For Commands, type the following: lxc container_name /bin/ping -c 1 IP_address For example: lxc test_lxc /bin/ping -c 1 192.168.1.146 9.
  • Page 926 In this example, we will use a simple container file named test_lxc.tgz. You can download test_lxc.tgz from the Digi website. At the command line of a Linux host, we will unpack the file, add a simple python script, and create a new container file that includes the python script.
  • Page 927 Click Upload New Container. d. From your local file system, select the container file. You can download a simple example container file, test_lxc.tgz, from the Digi website. e. Create Configuration is selected by default. This will create a configuration on the device for the container when it is installed.
  • Page 928 Containers Create a custom container 3. At the shell prompt, type: # lxc python_lxc lxc # 4. Execute the python command: lxc # python /etc/test.py Hello world. lxc # IX20 User Guide...
  • Page 929 System administration This chapter contains the following topics: Review device status Configure system information Update system firmware Update cellular module firmware Reboot your IX20 device Erase device configuration and reset to factory defaults Locate the device by using the Find Me feature Configure a power profile Configuration files Schedule system maintenance tasks...
  • Page 930 Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. Enter show system at the prompt: > show system Model : Digi IX20 Serial Number : IX20-000065 : IX20 Hostname...
  • Page 931 Depending on your device configuration, you may be presented with an Access selection menu. Type admin to access the Admin CLI. 2. Enter show system verbose at the prompt: > show system verbose Model : Digi IX20 Serial Number : IX20-000065 : IX20 Hostname...
  • Page 932 A banner that will be displayed when users access terminal services on the device. To enter system information:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 933 Hopkins, MN" 192.168.3.1(config)> 6. Set the banner for the device. This is displayed when users access terminal services on the device. 192.168.3.1(config)> system banner "Welcome to the Digi IX20." 192.168.3.1(config)> 7. Save the configuration and apply the change: 192.168.3.1(config)> save Configuration saved.
  • Page 934 For example, IX20-23.3.31.129.bin. Manage firmware updates using Digi Remote Manager If you have a network of many devices, you can use Digi Remote Manager Profiles to manage firmware updates. Profiles ensure all your devices are running the correct firmware version and that all newly installed devices are updated to that same version.
  • Page 935 Newest firmware version available to download is '23.3.31.129' Device firmware update from '22.11.48.10' to '23.3.31.129' is needed > 3. Use the system firmware ota list command to list available firmware on the Digi firmware repository. > system firmware ota list 22.11.48.10...
  • Page 936 Update firmware from a local file    Web 1. Download the IX20 operating system firmware from the Digi Support FTP site to your local machine. 2. Log into the IX20 WebUI as a user with Admin access. 3. On the main menu, click System. Under Administration, click Firmware Update.
  • Page 937 6. Click Update Firmware.    Command line 1. Download the IX20 operating system firmware from the Digi Support FTP site to your local machine. 2. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 938 > show system Hostname : IX20 FW Version : 23.3.31.129 : 0040FF800120 Model : Digi IX20 Current Time : Wed, May 3, 2023 21:24:00 +0000 Uptime : 42 seconds (42s) > Dual boot behavior By default, the IX20 device stores two copies of firmware in two flash memory banks: The current firmware version that is used to boot the device.
  • Page 939 > system duplicate-firmware > Update cellular module firmware You can update modem firmware by downloading firmware from the Digi firmware repository, or by uploading firmware from your local storage onto the device. You can also schedule modem firmware updates. See Schedule system maintenance tasks for details.
  • Page 940   Command line Update modem firmware over the air (OTA) You can update your modem firmware by querying the Digi firmware repository to determine if there is new firmware available for your modem and performing an OTA modem firmware update: 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights.
  • Page 941 Newest firmware version available to download is '24.01.5x4_ATT' Modem firmware update from '24.01.544_ATT' to '24.01.5x4_ATT' is needed 24.01.5x4_ATT 24.01.544_ATT > 3. Use the modem firmware ota list command to list available firmware on the Digi firmware repository. > modem firmware ota list Retrieving modem firmware list ...
  • Page 942 Firmware should be uploaded to /opt/MODEM_MODEL/Custom_Firmware, for example, /opt/LM940/Custom_Firmware. Modem firmware can be downloaded from Digi here. Follow instructions on this page to determine the cellular module used by your device. After downloading, use tar or a similar unzipping tool to extract the firmware prior to uploading to the device.
  • Page 943 System administration Reboot your IX20 device > 4. To perform a firmware update by using a local file, use the version parameter to identify the appropriate firmware version as determined using the modem firmware check or modem firmware list command. For example: >...
  • Page 944 > reboot Schedule reboots of your device    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 945 System administration Reboot your IX20 device configuring NTP servers. If Reboot window is set, the reboot will occur during a random time within the reboot window. 5. For Reboot window, enter the maximum random delay that will be added to Reboot Time. Allowed values are any number of hours, minutes, or seconds, and take the format number {h|m|s}.
  • Page 946 With firmware release 22.2.9.x and newer, erases the client-side certificate used for communication with Digi Remote Manager. If you are using Digi Remote Manager with firmware release 22.2.9.x and newer, by default the device uses a client-side certificate for communication with Remote Manager. If the client-side certificate is erased, you must use the Remote Manager interface to reset the certificate.
  • Page 947 System administration Erase device configuration and reset to factory defaults 3. In the Erase configuration section, click ERASE. 4. Click CONFIRM. 5. After resetting the device: a. Connect to the IX20 by using the serial port or by using an Ethernet cable to connect the IX20 ETH2 port to your PC.
  • Page 948 System administration Erase device configuration and reset to factory defaults 1. Locate the ERASE button on your device. 2. Press the ERASE button to perform a device reset. The ERASE button has the following modes: Configuration reset: Press and release the ERASE button. The device reboots automatically and resets to factory defaults....
  • Page 949 System administration Erase device configuration and reset to factory defaults 3. At the config prompt, enter revert: (config)> revert (config)> 4. Set the password for the admin user prior to saving the changes: (config)> auth user admin password pwd (config)> 5.
  • Page 950 System administration Erase device configuration and reset to factory defaults 4. In the Configuration backup section, click SAVE. Do not set a Passphrase for the configuration backup. The file will be downloaded using your browser's standard download process. 5. After the configuration backup file has been downloaded, rename the file to: custom-default-config.bin 6.
  • Page 951 System administration Locate the device by using the Find Me feature 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 952 System administration Configure a power profile 1. Log into the IX20 WebUI as a user with Admin access. 2. On the menu, click System. Under Administration, click Find Me. A notification message appears, noting that the LED is flashing on the device. Click the x in the message to close it.
  • Page 953 System administration Configure a power profile    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 954 System administration Configure a power profile Manual: Allows you to manually set the working frequency of the CPU. When this option is selected, the setting Custom frequency is available to set the CPU working frequency manually: 198 MHz 396 MHz 528 MHz 792 MHz 5.
  • Page 955 System administration Configure a power profile 528000 792000 The default is 792000. 5. Set leds_enabled to false to disable all LEDs on the device except for the Power LED, which will remain lit green, indicating that the device has power: (config)>...
  • Page 956 If you do not save configuration changes, the system discards the changes.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 957 System administration Configuration files 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 958 System administration Configuration files 3. In the Configuration backup section: a. (Optional) To encrypt the configuration using a passphrase, for Passphrase (save/restore), enter the passphrase. b. Click SAVE. The file will be downloaded using your browser's standard download process.    Command line 1.
  • Page 959 System administration Configuration files 1. Log into the IX20 WebUI as a user with Admin access. 2. On the main menu, click System. Under Configuration, click Configuration Maintenance. The Configuration Maintenance window is displayed. 3. In the Configuration Restore section: a....
  • Page 960 System administration Configuration files to the IX20 device. local-path is the location on the IX20 device where the copied file will be placed. For example: > scp host 192.168.4.1 user admin remote /home/admin/bin/backup-archive- 0040FF800120-23.3.31.129-19.23.42.bin local /opt to local 3. Enter the following: >...
  • Page 961 The frequency (daily, weekly, or monthly) that checks for firmware updates will run.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 962 System administration Schedule system maintenance tasks 3. Click System > Scheduled tasks > System maintenance. 4. Click to expand Maintenance window triggers. 5. Click  to add a maintenance window trigger. 6. For Maintenance window trigger type, select one of the following: Check if interface is up, for Test Interface, select the interface.
  • Page 963 System administration Schedule system maintenance tasks If Duration window is set to one or more hours, the minutes field in Start time is ignored and the duration window will begin at the beginning of the specified hour. c. For Duration window, select the amount of time that the maintenance tasks will be run.
  • Page 964 System administration Schedule system maintenance tasks 3. Configure a system maintenance trigger: a. Add a trigger: (config)> add system schedule maintenance trigger end (config)> b. Set the type of trigger: (config add system schedule maintenance trigger)> type value (config)> where value is one of: interface_up: If interface_up is set: i.
  • Page 965 System administration Schedule system maintenance tasks (config system schedule maintenance trigger 0)> time from HH:MM (config system schedule maintenance trigger 0)> The behavior of the start time varies depending on the setting of the duration length, which is configured in the next step. If the duration length is set to 0, all scheduled tasks will begin at the exact time specified in the start time.
  • Page 966 System administration Schedule system maintenance tasks This option is only available if Central Management is disabled; see Central management for more information. (config)> system schedule maintenance modem_fw_update true (config)> 6. (Optional) Configure automated checking for device firmware updates: a. Device firmware update check is enabled by default. This enables automated checking for device firmware updates....
  • Page 967 System administration Disable device encryption Disable device encryption You can disable the cryptography on your IX20 device. This can be used to ship unused devices from overseas without needing export licenses from the country from which the device is being shipped. When device encryption is disabled, the following occurs: The device is reset to the default configuration and rebooted.
  • Page 968 System administration Disable device encryption a. Select the Properties of the relevant network connection on the Windows PC. b. Click the Internet Protocol Version 4 (TCP/IPv4) parameter. c. Click Properties. The Internet Protocol Version 4 (TCP/IPv4) Properties dialog appears. d. Configure with the following details: IP address for PC: 192.168.210.2 Subnet: 255.255.255.0 Gateway: 192.168.210.1...
  • Page 969 System administration Configure the speed of your Ethernet ports 2. Connect the PC's Ethernet port to the ETH1 Ethernet port on your IX20 device. 3. Open a telnet session and connect to the IX20 device at the IP address of 192.168.210.1. 4.
  • Page 970 System administration Configure the speed of your Ethernet ports 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 971 You can configure your IX20 device's advanced watchdog to test the system for problems, and to reboot the device when problems are encountered.    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 972 System administration Configure the system watchdog a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click System > Advanced Watchdog. 4. The watchdog is enabled by default. To disable, click to toggle off Enable. 5.
  • Page 973 System administration Configure the system watchdog 2. At the command line, type config to enter configuration mode: > config (config)> 3. The watchdog is enabled by default. To disable: (config)> system watchdog enable false (config)> 4. Set the amount of time between running system tests: (config)>...
  • Page 974 System administration Configure the system watchdog 7. Save the configuration and apply the change: (config)> save Configuration saved. > 8. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 975 Monitoring This chapter contains the following topics: intelliFlow Configure NetFlow Probe IX20 User Guide...
  • Page 976 Digi intelliFlow is a reporting and graphical presentation tool for visualizing your network’s data usage and network traffic information. intelliFlow can be enabled on Digi Remote Manager to provide a full analysis of all Digi devices on your network. Contact your Digi sales representative for information about enabling intelliFlow on Remote Manager.
  • Page 977 The firewall zone for internal clients being monitored by intelliFlow. To enable intelliFlow:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 978 Monitoring intelliFlow 4. Click Enable intelliFlow. 5. For Zone, select the firewall zone. Internal clients that are being monitored by IntelliFlow should be present on the specified zone. 6. Click Apply to save the configuration and apply the change.    Command line 1.
  • Page 979 For example, to define a service type called "MyService" using ports 9000 and 9001:    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a.
  • Page 980 Monitoring intelliFlow Local Web UI: a. On the menu, click System. Under Configuration, click Device Configuration. The Configuration window is displayed. 3. Click Monitoring > intelliFlow. 4. Click to expand Ports. 5. At the bottom of the list of ports, click  to add a port. 6.
  • Page 981 Type quit to disconnect from the device. Configure domain name groups Domain name groups are used to categorize several domain names in one group. For example, digi.com and devicecloud.com could be grouped together in an intelliFlow group called Digi.    Web...
  • Page 982 Monitoring intelliFlow 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 983 (config)> add monitoring intelliflow groups end (config monitoring intelliflow groups 1)> 4. Set the domain name: (config monitoring intelliflow groups 1)> domain digi.com (config monitoring intelliflow groups 1)> 5. Set the group name: (config monitoring intelliflow groups 1)> group Digi (config monitoring intelliflow groups 1)>...
  • Page 984 Monitoring intelliFlow Use intelliFlow to display average CPU and RAM usage This procedure is only available from the WebUI. To display average CPU and RAM usage:    Web 1. Log into the IX20 WebUI as a user with Admin access. 2. If you have not already done so, enable intelliFlow. See Enable intelliFlow....
  • Page 985 Monitoring intelliFlow 3. Click Reset zoom to return to the original display: Change the time period displayed by the chart. By default, the System utilisation chart displays the average CPU and RAM usage over the last minute. You can change this to display the average CPU and RAM usage: Over the last hour.
  • Page 986 Monitoring intelliFlow 4. Display a data usage chart: To display the Top Data Usage by Host chart, click Top Data Usage by Host. To display the Top Data Usage by Server chart, click Top Data Usage by Server. To display the Top Data Usage by Service chart, click Top Data Usage by Service. 5.
  • Page 987 Monitoring intelliFlow a. Click the menu icon (). b. Select the number of top users to display. 7. Save or print the chart. a. Click the menu icon (). b. To save the chart to your local filesystem, select Export to PNG. c....
  • Page 988 Monitoring Configure NetFlow Probe b. Release to display the selected portion of the chart: c. Click Reset zoom to return to the original display: Save or print the chart. a. Click the menu icon (). b. To save the chart to your local filesystem, select Export to PNG. c.
  • Page 989 Monitoring Configure NetFlow Probe    Web 1. Log into Digi Remote Manager, or log into the local Web UI as a user with full Admin access rights. 2. Access the device configuration: Remote Manager: a. Locate your device as described in Use Digi Remote Manager to view and manage your device.
  • Page 990 Monitoring Configure NetFlow Probe The default is NetFlow v10 (IPFIX). 6. Enable Flow sampler by selecting a sampling technique. Flow sampling can reduce flow processing and transmission overhead by providing a representative subset of all flows. Available options are: None—No flow sampling method is used. Each flow is accounted. Deterministic—Selects every nth flow, where n is the value of Flow sampler population.
  • Page 991 Monitoring Configure NetFlow Probe 4. Set the protocol version: (config)> monitoring netflow protocol version (config)> where version is one of: v5—NetFlow v5 supports IPv4 only. v9—NetFlow v9 supports IPv4 and IPv6. v10—NetFlow v10 (IPFIX) supports both IPv4 and IPv6 and includes IP Flow Information Export (IPFIX).
  • Page 992 Monitoring Configure NetFlow Probe 9. Add collectors: a. Add a collector: (config)> add monitoring netflow collector end (config monitoring netflow collector 0)> b. Set the IP address of the collector: (config monitoring netflow collector 0)> address ip_address (config monitoring netflow collector 0)> c.
  • Page 993 File system This chapter contains the following topics: The IX20 local file system Display directory contents Create a directory Display file contents Copy a file or directory Move or rename a file or directory Delete a file or directory Upload and download files IX20 User Guide...
  • Page 994 File system The IX20 local file system The IX20 local file system The IX20 local file system has approximately 150 MB of space available for storing files, such as Python programs, alternative configuration files and firmware versions, and release files, such as cellular module images.
  • Page 995 File system Create a directory 2. At the Admin CLI prompt, type ls /path/dir_name. For example, to display the contents of the /etc/config directory: > ls /etc/config -rw-r--r-- 1 root root 856 Nov 20 20:12 accns.json drw------- 2 root root 160 Sep 23 04:02 analyzer drwxr-xr-x 3 root...
  • Page 996 File system Display file contents Display file contents This procedure is not available through the WebUI. To display the contents of a file by using the Admin CLI, use the more command, specifying the name of the directory. For example: ...
  • Page 997 File system Move or rename a file or directory 2. At the Admin CLI prompt, type cp /path/filename|dir_name /path[filename]|dir_name. For example: To copy the file /etc/config/accns.json to a file named backup_cfg.json in a directory named /etc/config/test, enter the following: > cp /etc/config/accns.json /etc/config/test/backup_cfg.json >...
  • Page 998 File system Delete a file or directory 3. Type exit to exit the Admin CLI. Depending on your device configuration, you may be presented with an Access selection menu. Type quit to disconnect from the device. Delete a file or directory To delete a file or directory by using the WebUI or the Admin CLI: ...
  • Page 999 File system Upload and download files To delete a directory named temp from /opt: 1. Select the device in Remote Manager and click Actions > Open Console, or log into the IX20 local command line as a user with full Admin access rights. Depending on your device configuration, you may be presented with an Access selection menu.
  • Page 1000 File system Upload and download files 5. Browse to the location of the file on your local machine. Select the file and click Open to upload the file. Download files 1. Log into the IX20 WebUI as a user with Admin access. 2.

This manual is also suitable for:

Ix20, Ix2120btr, Ix20-wap4, Ix20-00m1, Ix2113-eval