RAS-3G UMTS GPRS EDGE IP Router - RAS - firewall
USER GUIDE
Document reference : 9020009-01
The RAS-3G router is manufactured by ETIC TELECOM 13 Chemin du vieux chêne 38240 MEYLAN FRANCE TEL : + 33 4-76-04-20-05 FAX : + 33 4-76-04-20-01 E-mail : hotline@etictelecom.com web : www.etictelecom.com
Page 2 User guide ref 9020009-01 UMTS GPRS EDGE router ref.
CONTENT

PRESENTATION
1 SECURITY RECOMMENDATIONS
2 CERTIFICATE OF CONFORMITY
3 PRODUCTS IDENTIFICATION
…
SET UP
6 RESTRICTING ACCESS TO THE ADMINISTRATION SERVER
7 RECOVERING A FREE ACCESS TO THE ADMINISTRATION SERVER
8 FACTORY CONFIGURATION
9 LAN INTERFACE SET UP
…
18 M2ME_CONNECT SERVICE
18.1 Overview
18.2 Configuring a M2Me_Connect connection
PRODUCT OVERVIEW
1 Security recommendations
The RAS-3G is a low power radio transmission and reception device. It conforms to the rules imposed on UMTS or GSM-GPRS-EDGE terminals. Check that using such a device is authorized at the location where you wish to install the router. Do not use the RAS-3G router in locations with a potentially explosive atmosphere such as petrol stations or areas where the atmosphere contains chemicals or particles.
2 CERTIFICATE OF CONFORMITY
The manufacturer, ETIC Telecom – 13 chemin du vieux chêne – 38240 Meylan – France, hereby declares that the listed products
Type of device : UMTS & GSM - GPRS – EDGE router
Models : RAS-3G router family
conform to the Council Directive 1999/5/EC related to radio and telecommunication terminal equipment.
PRODUCT OVERVIEW 3 Products identification RAS-3G -1400 -1201 Frequency band UMTS 850 / 900 / 1800 / 1900 MHz RJ45 10/100 BT • • • • 4 RS232 - • • • • • 2 - RS485 - - USB host - Port forwarding • • • • • • 1 • • • • • 1 • • • • • • 1 • • • • • Remote access server PPTP or TLS - 25 users Firewall SPI Serial gateway USB gateway 25 IPSEC or SSL client or server VPNs Source IP address translation (NAT) SNMP DHCP client or server over the LAN interface DHCP client 3G interface RIP LAN & WAN
4 Data-sheet
General characteristics
Dimensions : 137 x 48 x 116 mm (h, l, p)
Electrical safety : EN 60950 - UL 1950
EMC :
  ESD : EN61000-4-2 : Discharge 6 KV
  RF field : EN61000-4-3 : 10V/m < 2 GHz
  Fast transient : EN61000-4-4
  Surge voltage : EN61000-4-5 : 4KV line / earth
RoHS : 2002/95/CE (RoHS)
Supply voltage :
  RAS-3G-1220 : 10 to 30 VDC - 125 mA / 24 VDC
  RAS-3G-1201 : 10 to 60 VDC - 125 mA / 24 VDC
  RAS-3G-1230 : 10 to 60 VDC - 125 mA / 24 VDC
  RAS-3G-1400 : 10 to 60 VDC - 210mA / 24 VDC
Operating
PRODUCT OVERVIEW Remote access server (RAS) User list 25 users Connection VPN PPTP / L2TP-IPSec / TLS Open VPN Login & password Certificate X509 M2Me (*) VPN Compliant with the M2Me_Secure VPN client Compliant with the M2Me_Connect mediation service Alarms 3 inputs : emails Serial interface (*) RS232 1200 – 115200 kb/s parity N / E / O RS232 or RS485 (2 wires) USB USB host interface Modbus master and slave Serial Raw TCP client and server asynchronous to IP Telnet gateways RAW UDP “multicast” u
5 Product overview
5.1 Functions overview
The RAS-3G router is designed to safely interconnect automated devices over the UMTS 3G or the GPRS-EDGE service. The connection can be set with devices connected to the Internet, with devices connected to a private IP network, or between RAS-3G routers. VPNs can be set between routers to provide safe and full communication between the devices connected to the routers.
Due to its functions and its worldwide 3G module, the RAS-3G provides authorized users with remote access to remote industrial devices or industrial networks around the world through the 3G or GSM-GPRS network. If the IP address assigned to the RAS-3G router by the wireless service provider is not fixed, it is possible to use either the DynDNS service or the M2Me_Connect service provided by ETIC TELECOM.
5.2 Main features
The RAS-3G router provides the functions hereafter.
Remark : Some features are provided only on particular models.
IP router
The RAS-3G firewall-router provides powerful, flexible and comprehensive solutions to route IP packets between the LAN and the 3G interface.
VPNs client or server
The RAS-3G router is able to establish safe VPN tunnels.
Html and DIP switches configuration
The RAS-3G is configured with a web server. Two DIP switches select how an IP address is assigned to the RAS-3G over the LAN interface : DHCP client or server, factory IP address or stored IP address.
EticFinder ™ software
The ETICFinder software is delivered with the product. It detects the ETIC products connected to an Ethernet interface and displays the MAC address and the IP address of each product.
INSTALLATION
1 Dimensions
[Figure: dimensions]
2 Connectors
[Figure: connectors of the RAS-3G-1220, RAS-3G-1230 and RAS-3G-1400]
INSTALLATION 8 positions screw terminal : Supply voltage and digital input / output Position Name Description 1 Power 1+ RAS-3G-1220 : 10 to 30 VDC All other models : 10 to 60 VDC 2 Power 1- GND 3 Power 2+ RAS-3G-1220 : 10 to 30 VDC All other models : 10 to 60 VDC 4 Power 23V3 In F+ F- GND 5 6 7 8 3 V DC provided by the RAS router Digital input Digital output + (max 50Vdc - 0,6A) Digital output RJ45 connector : Ethernet Position 1 2 3 4 5 6 7 8 Name Tx + Tx Rx + N.C N.C Rx N.C. N.C.
INSTALLATION RS232 RJ45 connector port 2 (To connect to a DCE to the RS232 port) Positio n 1 2 3 4 5 6 7 8 Circuit Function TD - 103 RD - 104 OUT IN SG - 102 - UMTS GPRS EDGE router ref. RAS-3G Not used Data Emission Data Reception Not used Ground Not used Not used Not used User guide ref.
INSTALLATION 3 Led indicators Indicator Status Description All models Line / Flashing green until connection to the 3G network After power-on, and during 30 seconds, the reception signal strength is indicated by the number of flashes. See the table below. Green Remark : The diagnostic menu reports the value (dBm) of the reception signal. Then , when the router is connected to the 3G network, this led is lit.
4 DIP switches
SW 1   SW 2   Management
OFF    OFF    The current IP@ of the product is the stored IP@.
ON     OFF    The active IP@ of the product is the factory IP@ : 192.168.0.128. No login and password are required to access the html server.
OFF    ON     The active IP@ is provided by the BOOTP or DHCP server.
ON     ON     Reserved
SW 3, SW 4 : Not used
5 Factory default push-button
A push-button is located under the lid at the top of the product.
7 Cooling
To avoid obstructing the airflow around the unit, the spacing must be at least 25 mm above and below, and 10 mm left and right.
8 RS232 interface
The RS232 data rate can be set from 1200 to 115200 b/s with parity (even / odd) or no parity. The data terminal must be located less than 10 meters from the modem.
9 RS485 interface
The RS485 serial interface is provided on the front panel 2 pins screw-block.
Polarisation resistors
1 Kohm bus polarisation resistors are included inside the product.
[Figure: polarisation circuit : +, 1K, 1K, SW1, RS485 B(+), RS485 A(-), -]
RS485 line adaptation
For a connection several meters long over the RS485 local interface, it is not necessary to adapt the RS485 line. For a longer distance, connect a 120 Ohm resistor at each end of the line.
10 Digital input and output
Digital output : Max.
12 Installing the SIM card
Before installing the SIM card into the router, its PIN code must have been cleared. The PIN code can be cleared using a usual telephone or a smart phone.
Step 1 : Install the SIM card
• Power off the router.
• Remove the anti-theft lid at the top of the product.
• Press the SIM card eject button and remove the SIM card drawer.
• Insert the SIM card into the SIM card drawer.
• Slide the drawer back into the unit and make sure it locks into place.
SET UP
1 Set up steps
To configure the router, we advise proceeding as follows :
• Connecting a PC to the router
• Setting up the LAN interface
• Setting up the WAN interface
• Setting up the DynDNS service
• Setting up VPNs
• Setting up routing and IP address translation functions
• Setting up address translation and port forwarding
• Setting up remote users connections and the M2Me_Connect service
• Setting up the remote users list
• Setting up the serial gateway or the USB gateway
2 Connecting a PC to the router for configuration
2.1 Overview
Administration server address : The administration html server is located at the LAN IP address of the router. The default factory address is 192.168.0.128.
First setup : For the first configuration, we advise connecting the PC directly to the LAN interface of the RAS-3G router.
2.3 Modifying the configuration from the LAN
• If the IP @ of the RAS-3G on the LAN interface is fixed
Step 1 : Ensure the DIP switches SW1 and SW2 are OFF to select the stored IP @.
Step 2 : Launch the html browser and enter the IP address assigned to the router. Or, launch the ETICFINDER utility to detect the RAS-3G address.
Remark : If the home page cannot be displayed, refer below.
2.4 Modifying the configuration remotely
As delivered from the factory, the firewall rejects all the IP frames coming from the 3G network. To modify the configuration remotely, one can use one of the methods described hereafter :
Set a remote user PPTP, TLS, L2TP/IPSec connection towards the antenna IP address of the RAS-3G router.
Connect a PC to the RAS-3G through a VPN set between the RAS-3G and another router.
Remark : The stored configuration will be lost; the factory IP address 192.168.0.128 will be restored.
6 Restricting access to the administration server
When the RAS-3G comes from the factory, the html server is not protected by a password. It is advised to protect the access to the administration server with a login and a password.
To protect access to the administration server,
• Select the “Setup” menu, the “Security” menu and then the “Administration menu”.
9 LAN interface set up
The LAN interface is made of 4 Ethernet switched ports, or of 2 Ethernet switched ports and 2 serial ports, or of 2 serial ports and 1 USB port.
On that interface, the following IP addresses must be entered :
The router IP address on the LAN interface *.
The IP address pool assigned to the remote users when they connect.
* The administration server is located at that address.
On the LAN interface, the RAS-3G can behave like a DHCP server.
9.1 IP protocol
• Click the « Configuration » menu and then « LAN interface » and then “IP protocol”.
“IP address” parameter : Enter the IP address assigned to the router over the LAN interface. That IP address will have to be entered to display the administration server of the router.
10 UMTS – GSM-GPRS-EDGE interface set up
The RAS-3G router’s UMTS – GSM-GPRS-EDGE interface is configured through the WAN interface menu :
The 3G modem interface is configured through the « Modem » page.
The PPP interface to the provider is configured through the « Connection » page.
The conditions under which the 3G connection can be reset are configured through the « Control » page.
Remark : Once these operations have been carried out, check that the Reception indicator is permanently ON.
10.3 “Control” menu
The RAS-3G router may not detect that the 3G connection has been cleared; this is why the router can send a periodical PING to a particular address. If that PING does not receive an answer, and after several retries, the 3G connection is reset by the RAS-3G router.
• To set up that function, select the « Configuration » menu and then « WAN interface » and then “Control”.
“Enable the ping control” checkbox : select that checkbox.
11 Setting up the DynDNS service
Remark : The DynDNS service is free; but the dyndns domain name can be cancelled if it is not periodically used. The DynDNS service cannot be used to reach the antenna of the RAS-3G router if the IP address assigned to the RAS-3G router is not a public IP address.
12 Creating VPN connections between routers
12.1 Principles
A VPN tunnel is a safe link set between two end-point routers over an IP network : both routers authenticate, data are encrypted and each device of a LAN can exchange data with each device of the other one. To get more explanations about how VPNs work, refer to appendix 1.
25 VPNs can be set on the WAN interface of the RAS-3G router. Two types of VPN can be set : TLS VPN and IPSec VPN. IPSec has the advantage of being a standard solution.
To create VPN connections between routers,
• select the « Setup » menu and then « Network » and then “VPN connections”.
12.2 IPSec VPN connections
12.2.1 Configuring the IPSec protocol
• Select the “Setup” menu, the “network” menu and then “VPN connections”.
• Select the “Ipsec” type of VPN,
• Click “Properties”.
“Protocol” parameter : AH (RFC2402) provides integrity, authentication, replay resistance and non-repudiation but not encryption. Select AH if no encryption is required or if NAT traversal is required. ESP provides the same services plus encryption.
“Encryption and hash algorithm phase 1” & “Encryption and hash algorithm phase 2” parameters : These parameters define the encryption and hash algorithms in use during phase 1 of the exchanges between the end-points (VPN set-up) and during phase 2 (data exchange). The default value is Auto; in that case both end-points will negotiate a common algorithm.
12.2.2 Configuring an outgoing IPSec connection
[Figure: outgoing connection from the router (LAN IP addr., WAN IP addr.) to the remote router (remote WAN IP address, remote LAN IP address) : VPN over 3G / GPRS, the Internet and the IP network]
To set an outgoing VPN connection,
• Come back to the “VPN connections” screen,
• Click the “add a connection” button. Give a name to the connection and select the “Outgoing” option.
“PSK value” parameter : Enter the value of the PSK.
“My WAN address” parameter : Enter the IP address of the router on the WAN interface.
• Certificate
“My subjectAlt name” & “Remote subjectAlt name” parameters : Paste the field "SubjectAltName" of the active certificate of the router you are configuring and the one of the remote router.
Attention : For ETIC certificates, this field is the Email field
12.2.3 Configuring an ingoing IPSec connection
[Figure: ingoing connection to the router (LAN IP addr., WAN IP addr.) from the remote router (remote WAN IP address, remote LAN IP address) : VPN over 3G / GPRS, the Internet and the IP network]
To set an ingoing VPN connection,
• Come back to the “VPN connections” screen,
• Click the “add a connection” button. Give a name to the connection and select the “ingoing” connection direction option.
“Use a specific key for this connection” parameter : If that option is not selected, the preshared key entered in the VPN configuration screen will be used by the router. If that option is selected, enter the specific key.
“My WAN address” & “Remote WAN address” parameters : Enter the WAN IP address of the router and the WAN IP address of the remote router.
12.3 TLS VPN connections
12.3.1 Configuring the TLS-SSL protocol
• Select the “Setup” menu, the “network” menu and then the “VPN connections” menu.
• Select the “TLS” VPN type and click “Properties”.
“Port number” & “protocol” parameters : Select the port Nr and the type of level 3 protocol used to transport the TLS VPN; UDP will be preferred.
Attention : The port number value must be different from the one used by remote users.
“Connection death time-out” parameter : This parameter defines the maximum amount of time (in seconds) a VPN connection will stay established before being cleared if no response to the VPN control message has been received from the remote router.
“Packet retransmit time-out” parameter : A control message (also called Keepalive message) is sent periodically by the VPN server router to check that the VPN must be left active.
12.3.2 Configuring an outgoing TLS connection
[Figure: outgoing connection from the router (LAN IP addr., WAN IP addr.) to the remote router (remote WAN IP address, remote LAN IP address) : VPN over 3G / GPRS, the Internet and the IP network]
• Select the “Setup” menu, the “network” menu and then the “VPN connections” menu.
• Click the “add a connection” button.
• Give a name to the connection and select the “Outgoing” connection direction option.
12.3.3 Configuring an ingoing TLS connection
[Figure: ingoing connection to the router (LAN IP addr., WAN IP addr.) from the remote router (remote WAN IP address, remote LAN IP address) : VPN over 3G / GPRS, the Internet and the IP network]
• Select the “Setup” menu, the “network” menu and then the “VPN connections” menu.
• Click the “add a connection” button. Give a name to the connection and select the “ingoing” connection direction option.
13 Routing functions
13.1 Basic routing function
Once an IP address has been assigned to the R2 router on the LAN interface and another one on the WAN interface (see drawing hereafter), the RAS-3G R2 router is ready to route frames …
… between devices connected to the remote LAN network like RL1, and devices connected to the LAN network like L1 through a VPN;
… between devices connected to the WAN network like W1, and devices connected to the LAN network like L1
192.168.5.128 192.168.3.
SET UP 13.2 Static routes However, the router R2 is not able to route frames between a device like L1 belonging to the LAN network and a device connected to “network 6” (see the drawing hereafter). network 1 192.168.1.0 Network 6 192.168.6.0 192.168.6.24 192.168.1.24 R4 router R1 router 192.168.4.128 192.168.3.128 192.168.2.128 192.168.5.1 VPN Remote LAN Remote WAN 192.168.5.0/24 RL1 192.168.2.1 192.168.4.0/24 R3 router 192.168.5.128 LAN WAN 192.168.2.0/24 192.168.3.
13.3 RIP protocol
RIP (Routing Information Protocol) is a routing protocol which enables each router belonging to a network to acquire the routes to any subnet. The principle is as follows :
Routing table : Each router holds a routing table. Each entry of the table consists of the destination subnet address and the adjacent router address leading to that subnet.
Routing table broadcasting : Each router broadcasts its table.
14 Address and port translation
The RAS-3G provides the capability to replace the original source IP address and the destination port and IP address in particular situations.
14.1 Port forwarding
Port forwarding consists in transferring the IP frames addressed to the RAS-3G antenna IP address (WAN IP address) at a particular port number, to a particular device connected to the LAN interface. The transfer criterion is the port number; the port number is used as an additional address field.
To set the Port forwarding function,
• select the “network” menu and then the “Port forwarding” menu.
• Click “Add a DNAT” rule.
14.2 Advanced network address and port translation
14.2.1 Principle
This function is available in RAS-3G-1400, RAS-3G-1201, RAS-3G-1220, RAS-3G-1230 routers only.
That function consists in replacing the source port and IP address or the destination port and IP address of particular frames received by the router on its interfaces according to configured rules.
14.2.2 Configuration
To set the advanced address translation functions,
• select the “Setup” menu, “Network”, and then the “Advanced NAT” menu.
To create a new DNAT rule
• Click “Add a DNAT” rule.
• Select “Yes” to enable the rule.
• Enter the replacement criteria :
Source IP address & Destination IP address.
Protocol (TCP, UDP, …)
Source port & Destination port
• Enter the new destination port number and IP address.
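The DNAT criteria listed above, modelled as an added Python example (not ETIC TELECOM code): a frame sent to the WAN address is matched on source IP address, destination IP address, protocol and ports, and its destination is rewritten to a LAN device. First-match evaluation, the "any source" notation, the WAN address 203.0.113.10 and the LAN devices are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str          # "tcp" or "udp"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class DnatRule:
    name: str              # label used only by this example
    enabled: bool          # the "Yes" / "No" switch of the rule
    protocol: str
    dst_ip: str            # address the frame was sent to (WAN IP address)
    dst_port: int
    new_dst_ip: str        # LAN device that receives the frame
    new_dst_port: int
    src_net: str = "0.0.0.0/0"       # assumed notation for "any source"
    src_port: Optional[int] = None   # None means any source port

    def matches(self, pkt: Packet) -> bool:
        return (
            self.enabled
            and pkt.protocol == self.protocol
            and pkt.dst_ip == self.dst_ip
            and pkt.dst_port == self.dst_port
            and ip_address(pkt.src_ip) in ip_network(self.src_net)
            and (self.src_port is None or pkt.src_port == self.src_port)
        )


def translate(pkt: Packet, rules: List[DnatRule]) -> Packet:
    """Return the frame as forwarded to the LAN; unchanged if no rule matches."""
    for rule in rules:  # assumption: the first enabled matching rule wins
        if rule.matches(pkt):
            return replace(pkt, dst_ip=rule.new_dst_ip,
                           dst_port=rule.new_dst_port)
    return pkt


def open_to_any_source(rules: List[DnatRule]) -> List[str]:
    """Names of enabled rules that forward frames from any source address."""
    return [r.name for r in rules
            if r.enabled and ip_network(r.src_net).prefixlen == 0]


# Constructed sample configuration (documentation address ranges).
WAN_IP = "203.0.113.10"
RULES = [
    DnatRule("plc-modbus", True, "tcp", WAN_IP, 502, "192.168.0.10", 502,
             src_net="198.51.100.0/24"),
    DnatRule("hmi-web", True, "tcp", WAN_IP, 8080, "192.168.0.20", 80),
    DnatRule("old-ftp", False, "tcp", WAN_IP, 21, "192.168.0.30", 21),
]

if __name__ == "__main__":
    probes = [
        Packet("198.51.100.7", WAN_IP, "tcp", 40000, 502),  # allowed source
        Packet("192.0.2.5", WAN_IP, "tcp", 40001, 502),     # other source
        Packet("192.0.2.5", WAN_IP, "tcp", 40002, 8080),    # any source rule
        Packet("192.0.2.5", WAN_IP, "tcp", 40003, 21),      # disabled rule
    ]
    for p in probes:
        out = translate(p, RULES)
        print(f"{p.src_ip} -> {p.dst_ip}:{p.dst_port}  forwarded to "
              f"{out.dst_ip}:{out.dst_port}")
    print("rules reachable from any source:", open_to_any_source(RULES))
```

A rule listed by `open_to_any_source` makes the LAN device reachable from every address that can reach the WAN interface, so it is the first thing to review when a port is forwarded.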
To replace the source IP address & destination port
• Click “Add a SNAT” rule.
• Select “Yes” to enable the rule.
• Enter the replacement criteria :
Source & Destination IP address.
Protocol (TCP, UDP, …)
Source & Destination port
• Enter the new source IP address.
15 VRRP redundancy
That function is available only in RAS-3G-1400, RAS-3G-1201, RAS-3G-1220, RAS-3G-1230 routers.
15.1 Principle
VRRP is a protocol designed to increase the availability of the default gateway of a subnet. Thanks to VRRP, a group of two or more routers can serve the hosts of one subnet instead of the usual single router; only one router of that group actually routes frames; if it fails, another one of the group takes its place.
« Use a virtual MAC address » parameter : A virtual MAC address can be associated with the virtual IP address. If that option is selected, the elected master router will answer ARP requests by using that virtual MAC address. That MAC address is 00-00-5E-00-01-XX, where XX is the VRRP Id of the group coded in hexadecimal.
15.3 Configuring VRRP on the WAN interface
To enable and configure VRRP,
• select the “Setup” menu, the “network” menu and then the “VRRP” menu.
16 Remote users connections service
The RAS-3G provides a full remote user connection function called RAS :
• The remote user authenticates using the login, password and optionally a certificate; the router accepts the connection only if the remote user belongs to the user list.
• Individual access rights are automatically allocated to the remote user.
• An IP address belonging to the LAN network is automatically assigned to the remote PC.
• Data are encrypted (TLS and L2TP / IPSec only).
17 Remote users connections
17.1 Principles
A remote user connection is a tunnel set between a remote PC and a router providing the RAS function (Remote Access Service), like the RAS-3G. A remote user connection provides security and simplicity advantages :
• The remote user is identified with a login and password or optionally a certificate.
• The data is encrypted (TLS or L2TP).
• An IP address belonging to the local network is automatically assigned to the remote user’s PC.
17.2 Configuring a TLS connection
The M2Me_Secure software provided by ETIC TELECOM is a Windows TLS client software. Installed on a PC running Windows XP or Seven, M2Me_Secure makes TLS connections from a remote PC to the RAS-3G easy; moreover it includes a connection book so that a single click is enough to connect to a remote site.
We describe hereafter how to configure the router and the M2Me_Secure software to set a TLS VPN between both.
“Port number” & “Protocol” : Select the port Nr and the type of level 3 protocol used to transport the TLS VPN; UDP will be preferred.
Attention : The selected port number assigned to the remote users connections must be different from the one used for VPN connections between routers if such VPN connections have been configured.
“Remote Users authentication” parameters : Authentication and encryption can be carried out with a pre-shared key or a certificate.
17.3 Configuring a PPTP connection
We describe hereafter how to configure the router and the PC to set a PPTP remote user connection between them.
Step 1 : Router configuration
• select the “Setup” menu, the “Remote users” menu and then the “User list” menu.
• Select the VPN type “PPTP”.
Remark : The “properties” button allows modifying the authentication protocol; leave the default configuration if the PPTP client is a PC running Windows.
Step 2 : Set up a PPTP connection on the PC side.
18 M2Me_Connect service
This function is available in RAS-3G-1400, RAS-3G-1201, RAS-3G-1220, RAS-3G-1230 routers only.
18.1 Overview
The M2Me_Connect service simplifies the connection of a remote PC to a machine through the Internet. It provides a solution when a direct PPTP or TLS connection as described before proves impossible, in particular when the IP address assigned by the provider to the RAS-3G antenna (WAN interface) is not a public IP address.
18.2 Configuring a M2Me_Connect connection
Step 1 : Router configuration
• Select the « Setup » menu, the « Remote users » menu, the “M2Me_Connect” menu, and then the “Connection” menu.
« Activate » parameter : Select the checkbox.
“TCP ports” and “UDP ports” parameters : Select the protocol (UDP and / or TCP) and the port numbers the router must check to set a connection to the M2Me_Connect service.
19 Users list
Storing at least one authorized user in the users list is necessary if a remote user wishes to connect to the RAS-3G with a PPTP, a TLS or a L2TP/IPSec remote user connection.
The users list stores 25 authorised remote user forms. Each user form stores the identity of the user (login and password), his email address to send alarm emails and the filter assigned to him.
To display the user list,
• select the “Setup” menu, the “Remote users” menu and then the “User list” menu.
To add a user form
• Click the “add a user” button.
“Active (value Yes or NO)” : Select “No” if you want to prevent the user from accessing the network. Select “yes” to authorize the user to access the network.
Full name : It is the name displayed in the user list.
Login & password : The login and the password will have to be entered by each user at the beginning of the remote connection.
20 Firewall
20.1 Overview
The firewall filters IP packets between the WAN and the LAN interface of the RAS-3G router. It is divided into 3 particular filters :
• The remote users filters
The function of the remote users filters is to limit the IP domain an authenticated remote user can reach when he connects to the RAS-3G router through the Internet.
20.2 Main filter
The main filter applies to all the IP packets except the ones included in remote users connections. To recognize a TLS remote user connection, the router detects the port number.
20.2.1 Main filter Overview
• Main filter structure
For a better organisation, the main filter is divided into two tables, both having the same structure.
The “VPN” filter : It filters the packets transmitted inside the VPNs.
20.2.2 Configuring the main filter
Select the “Security” menu and then “Firewall” and “Main filter”. The “Main filter” page is divided into two parts :
WAN traffic rules : The first part, entitled “WAN traffic rules”, defines how the IP packets not carried in a VPN have to be filtered.
VPN traffic rules : The second part, entitled “VPN traffic rules”, defines how the IP packets carried inside the VPNs have to be filtered.
The cautious default policy is to choose the value “Drop”; conversely, if the value “Accept” is selected, a frame which does not match any of the rules of the filter is transmitted.
Step 2 : Add a rule to the filter
Click the “add a rule” button.
“Direction” parameter : Select the direction of the data flow to which the rule applies.
“Action” parameter : Select the value “Accept” if the IP packet has to be transmitted in the selected direction.
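The effect of the default policy described above, as an added Python example (not the router's own code): one rule table is evaluated with the default “Drop” and with the default “Accept”, and the difference is the traffic that is transmitted only because no rule matched it. The direction labels, the protocol and port fields and first-match evaluation are assumptions; the sample rules and flows are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACCEPT, DROP = "Accept", "Drop"

# (direction, protocol, destination port); labels assumed for this example
Flow = Tuple[str, str, int]


@dataclass(frozen=True)
class Rule:
    direction: str                   # "WAN->LAN" or "LAN->WAN" (assumed labels)
    action: str                      # "Accept" or "Drop"
    protocol: Optional[str] = None   # None means any protocol
    dst_port: Optional[int] = None   # None means any port


def verdict(flow: Flow, rules: List[Rule], default_policy: str) -> str:
    """Action applied to a flow: first matching rule, else the default policy."""
    if default_policy not in (ACCEPT, DROP):
        raise ValueError("default policy must be 'Accept' or 'Drop'")
    direction, protocol, dst_port = flow
    for rule in rules:  # assumption: rules are evaluated in order
        if (rule.direction == direction
                and rule.protocol in (None, protocol)
                and rule.dst_port in (None, dst_port)):
            return rule.action
    return default_policy


def passed_by_default_only(flows: List[Flow], rules: List[Rule]) -> List[Flow]:
    """Flows no rule decides: dropped with default Drop, sent with Accept."""
    return [f for f in flows
            if verdict(f, rules, DROP) == DROP
            and verdict(f, rules, ACCEPT) == ACCEPT]


# Constructed "WAN traffic rules" table.
WAN_RULES = [
    Rule("WAN->LAN", ACCEPT, "tcp", 502),   # modbus to the LAN
    Rule("WAN->LAN", DROP, "tcp", 80),      # html explicitly refused
    Rule("LAN->WAN", ACCEPT),               # everything outbound
]

# Constructed flows used to compare the two default policies.
FLOWS: List[Flow] = [
    ("WAN->LAN", "tcp", 502),
    ("WAN->LAN", "tcp", 80),
    ("WAN->LAN", "tcp", 21),
    ("WAN->LAN", "udp", 161),
    ("LAN->WAN", "tcp", 443),
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow,
              "| default Drop:", verdict(flow, WAN_RULES, DROP),
              "| default Accept:", verdict(flow, WAN_RULES, ACCEPT))
    print("transmitted only because of default Accept:",
          passed_by_default_only(FLOWS, WAN_RULES))
```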
Step 1 : Complete, if necessary, the list of services
Remark : The main services (html, ftp, modbus) are available from factory; for that reason, most of the time, that step can be skipped.
• Select the menu “system” and then “service list”. The list of TCP ports is displayed.
• Click « add a service ».
• Enter the label of the new service, assign a protocol (udp, tcp, icmp) and a port number.
• Save. The list is updated.
Step 3 : Build a remote user filter
• Select the « security » menu, then « firewall » and then « Filter list ». The users filters list is displayed.
• Click « add a new filter ».
• Assign a name to the new filter.
• Choose the policy; « All is forbidden except what we specify » is the advised policy.
• Click « add a new rule to the list ».
• Select a device among the ones which have been stored and a service (also called port).
• Add other rules if necessary.
• Click OK when the filter is complete; the updated filter list is displayed.
Step 4 : Assign a filter to each user
• Select the « Remote user » and then « User list ».
21 Serial to IP gateway
That function is available in RAS-3G-1220 or RAS-3G-1230.
The RAS-3G features two serial asynchronous ports RS232 or RS485 (see the product identification table). A serial gateway can be assigned to each port. If the same type of gateway is assigned to both serial ports, the UDP or TCP port numbers must be different.
The gateways listed below are provided :
Modbus client or server (i.e. master or slave)
To connect several serial modbus slaves to several IP modbus clients.
21.1 Modbus menu
21.1.1 Modbus server gateway
This gateway connects asynchronous modbus slaves to the serial interface of the IPRS.
• Select the modbus menu and then modbus server, enable the modbus server gateway and set the parameters as follows :
“Port selection” parameter : Select the serial port COM1 or COM2. If the modbus server gateway is assigned to one serial COM port, it cannot be assigned to the other one.
“TCP port number” parameter : Set the port number the gateway has to use. If the Raw TCP client gateway is assigned to both serial COM ports, the TCP port numbers must be different on each port.
21.1.2 Modbus client gateway
This gateway connects a serial modbus master to the serial interface of the IPRS.
21.2 RAW TCP gateway
21.2.1 Raw client gateway
The RAW client gateway can be used if a serial “master” device has to send requests to one slave device (also called server) located on the IP network. The server can be either an ETIC gateway or a PC including a software TCP server.
• Select the “transparent” and then the “raw client COM1” or the “raw client COM2” menu.
21.2.2 Raw server gateway
That gateway can be used if a serial slave device has to answer requests coming from devices located on the IP network and acting like a master (also called TCP client).
• Select the “transparent” and then the “raw server COM1” or the “raw server COM2” menu.
21.3 RAW UDP gateway
21.3.1 Overview
The RAW UDP gateway enables you to connect together a group of serial or IP devices through an IP network. The group can include IP devices if they have the software pieces able to receive or transmit serial data inside UDP. Serial data transmitted by each device is transmitted to all other serial devices through the IP network. A table of IP destination gateways is stored in each RAS-3G belonging to the group.
22 USB to IP gateway
22.1 Principles
The RAS-3G-1201 provides a USB to IP gateway. It is able to forward IP traffic from devices connected to the Ethernet network to a USB device. On the USB interface, the RAS-3G-1201 behaves like a USB host and a PPP client. The USB device connected to the RAS-3G-1201 USB interface must behave like a PPP server.
23 Advanced functions
23.1 Adding a certificate
As delivered from the factory, the RAS-3G router includes a certificate delivered by ETIC TELECOMMUNICATIONS acting as a certification authority. That certificate can be used to set a VPN between two routers. Two RAS-3G routers can set a VPN with one another using certificates only if the certificates have been provided by the same authority. Additional X509 certificates, provided by ETIC Telecommunications or not, can be downloaded into the router.
Alarm launched on event : If the option OPEN is selected, the alarm will be sent each time the digital input is opened. If the option CLOSED is selected, the alarm will be sent each time the digital input is opened. If the option BOTH is selected, the alarm will be sent each time the digital input is opened or closed.
Hold time : Select the time the input has to stay in its alarm state to be taken into account.
Alarm destination : Select the user to whom the email must be sent.
23.4 Configuring the DNS server
For domain name resolution, the RAS-3G can behave like a domain name server or a domain name relay.
DNS server : A domain name server is a networking device which is able to associate a label (etictelecom.com for instance) with an IP address. That function allows a client device to send a request to a network equipment referring to a domain name as if it were the actual IP address of the destination device.
DIAGNOSTIC & MAINTENANCE
1 Diagnostic menu
The html server provides extended diagnostic functions. Select the Diagnostic menu and then the appropriate sub-menu.
• Log sub-menu : The log displays the last 300 dated events : 3G, VPN and users connections and disconnections, power on, Serial gateway events.
• Serial gateway : That page displays the current status of the serial gateways : type of the gateway (Modbus, RAW, Telnet …), serial port set-up (data rate etc…), number of characters received or sent, number of TCP frames or UDP datagrams received or sent, number of TCP connections enabled. The View link displays a window which shows the hexadecimal received and transmitted traffic over each serial COM port. It can be a great help for troubleshooting.
2 Saving the configuration to a file
Once a product has been configured, the parameters file can be stored and restored when necessary.
To save the parameters into a file,
Select the “System” menu and then “Save restore”,
Click the “Save” button,
Select the location to store the configuration and give a name to the file. The file suffix is “.bin”.
3 Updating the firmware
Step 1 : Before starting, you need :
A PC with a Web browser.
An Ethernet cable or a switch.
The FTP server software which can be downloaded from the « firmware page » of the ETIC « download area » web server.
Step 2 : Download the release of the firmware from our download area to your PC.
Step 3 : Prepare the PC
Check that the IP address of the PC is compatible with the one of the router. Connect the router to the PC. Launch the TFTP server (tftp32.
APPENDIX 1 Management web server 1/ Setup menu Remote users To assign an ID and PWD to each authorized user and set their rights To set the M2Me service LAN interface To enter the IP @ of the router on the LAN interface. To enter the IP @ assigned to the remote users To set up the Ethernet interfaces To set up the DHCP server on the LAN interface WAN interface To enter the IP @ of the router over the WAN interface.
13, Chemin du Vieux Chêne 38240 Meylan - France Tel : 33 4 76 04 20 00 Fax : 33 4 76 04 20 01 E-mail : contact@etictelecom.com Web : www.etictelecom.