RuggedRouter® RX1000/RX1100 User Guide
RuggedCom Inc., 30 Whitmore Road, Woodbridge, Ontario, Canada L4L 7Z4
Web: www.ruggedcom.
RUGGEDROUTER® USER GUIDE FOR USE WITH RX1000/RX1100 PRODUCTS
Version 1.13.1 – August 6, 2008
RuggedCom Inc., 30 Whitmore Road, Woodbridge, Ontario, Canada L4L 7Z4. Tel: (905) 856-5288. Fax: (905) 856-1995
Disclaimer: RuggedCom Inc. makes no warranty of any kind with regard to this material. RuggedCom shall not be liable for errors contained herein or for consequential damages in connection with the furnishing, performance, or use of this material.
About this User Guide
This guide is concerned with aiding the user in the configuration and operation of the RuggedRouter® using the RuggedCom command line, setup menu and web management interfaces. Specifically, this guide details aspects of:
• Accessing the User Interfaces
• Security
• Configuring the router
• Status determination
• Performance measurement
• Uploading and downloading files
• Dealing with alarms
This guide also details operation of the RX1100 Gauntlet security appliance.
RuggedRouter® User Guide Document Conventions This publication uses the following conventions: Note: Means reader take note. Notes contain helpful suggestions or references to materials not contained in this guide. Helpful Hint This type of note often indicates useful shortcuts or methods employed by other RuggedCom customers.
10. All further configuration is accomplished through the web management interface. Attach the configuring host to one of the Ethernet ports configured above. Point your web browser at the address for that port, use https and specify a port number of 10000, e.g. https://192.168.1.1:10000 (or otherwise if configured in step 4). Log in with the root user and password (configured above). If RADIUS authentication is configured and a server is available, you may also log in via a RADIUS user.
22. If your router is equipped with an embedded modem, the Networking menu, Modem sub-menu will allow you to configure it with PPP or incoming console connections. See the chapter “Configuring PPP And Modem” for more details.
23. If your router is equipped with Serial Interfaces, the Servers menu, Serial Protocols sub-menu will allow you to configure them with an operating protocol. See the chapter “Configuring Serial Protocols” for more details.
35. When your router's configuration is stable, it is recommended that the configuration be uploaded from the router and stored as a backup. The Maintenance menu, Backup And Restore sub-menu will be useful. A configuration archive may contain credentials entered through these menus (for example the RADIUS shared secret and PPPoE password), so store it with the same care as the router's own passwords.
36. Should you need to transfer files to or from the router, the Maintenance menu, Upload/Download Files sub-menu will be useful.
37. Further concerns such as ensuring robustness, measuring and optimizing performance are dealt with by reading the guide fully.
Table Of Contents
About this User Guide (p. 1)
Applicable Firmware Revision (p. 1)
Who Should Use This User Guide (p. 1)
How To Use This User Guide
Webmin User and Group Fundamentals (p. 39)
RADIUS User Access Control Fundamentals (p. 39)
Webmin Users Menu (p. 40)
Edit Webmin User menu
Chapter 7 - Configuring Frame Relay/PPP And T1/E1 (p. 65)
Introduction (p. 65)
T1/E1 Fundamentals (p. 65)
Frame Relay
Editing A Logical Interface (PPP) (p. 86)
DDS Statistics (p. 86)
Link Statistics (p. 86)
Frame Relay And PPP Interface Statistics
Modem Status (p. 105)
Modem PPP Client Connections (p. 106)
Modem PPP Client (p. 106)
PPP Logs, PPP Connection Logs
IPsec Modes (p. 137)
Policy Vs Route Based VPNs (p. 138)
Supported Encryption Protocols (p. 138)
Public Key And Pre-shared Keys
Dynamic Routing Configuration (p. 157)
Enable Protocols (p. 157)
Core (p. 158)
Core Global Parameters
TOS Prioritization (p. 182)
Prioritization Example (p. 183)
Configuring Traffic Prioritization (p. 184)
Traffic Prioritization Main Menu
ModBus Exception Handling (p. 201)
TcpModbus Performance Determinants (p. 202)
A Worked Example (p. 203)
DNP (Distributed Network Protocol)
The NTP Sanity Limit (p. 232)
NTP And The Precision Time Protocol Card (p. 232)
Included With NTP (p. 232)
NTP Configuration
Snort IDS Main Menu (p. 249)
Global Configuration (p. 249)
Interfaces (p. 249)
Rulesets
Syslog Factory Defaults (p. 284)
Remote Logging (p. 285)
Upgrade System (p. 286)
RuggedRouter Software Fundamentals
Table Of Figures
Figure 1: RuggedRouter Setup Main Menu (p. 26)
Figure 2: RuggedRouter Setup Password Change Menu (p. 27)
Figure 3: RuggedRouter Interfaces Setup Menu (p. 27)
Figure 4: RuggedRouter DNS Client Menu
Figure 50: Editing a Boot Time Interface (p. 61)
Figure 51: List PPPoE Interfaces (p. 62)
Figure 52: Editing a PPPoE Interface (p. 63)
Figure 53: Display PPP Logs
Figure 101: Firewall Network Interfaces (p. 121)
Figure 102: Editing a Firewall Network Interface (p. 122)
Figure 103: Firewall Zone Hosts (p. 123)
Figure 104: Firewall Default Policies
Figure 152: VRRP Group Example (p. 177)
Figure 153: VRRP Main Menu (p. 178)
Figure 154: VRRP Configuration Menu (p. 178)
Figure 155: VRRP Instance
Figure 203: GPS Log (p. 236)
Figure 204: SSH Server (p. 237)
Figure 205: SSH Server Authentication Menu (p. 238)
Figure 206: SSH Server Networking
Figure 254: RADIUS Authentication Server Parameters (p. 278)
Figure 255: RADIUS Authentication Main Menu (p. 280)
Figure 256: Chassis Parameters Menu (p. 281)
Figure 257: PoE pinout on 10/100BaseT ports
Chapter 1 - Setting Up And Administering The Router
Introduction
This chapter familiarizes the user with the RuggedCom Serial Console interface, the RuggedRouter Setup script and signing on to the Web interface.
Accessing The RuggedRouter Command Prompt From the Console Port
Attach a terminal (or PC running terminal emulation software) to the RS232 port on the rear of the chassis. The terminal should be configured for 8 data bits, no parity, at 38.4 kbps. Hardware and software flow control must be disabled. Select a terminal type of VT100. Once the terminal is connected, pressing Enter will prompt for a login name and that user's password.
Configuring Passwords
The Change Passwords command changes the rrsetup and root account passwords. These passwords should be changed before installing the router on the network; note that the root password is also the initial login for the web interface.
Figure 2: RuggedRouter Setup Password Change Menu
Configuring IP Address Information
The Change Port IP Address command configures port IP addresses and gateways.
Figure 3: RuggedRouter Interfaces Setup Menu
Each port number X has a default address of 192.168.X.
Setting The Hostname
The Set Hostname command sets the hostname, shown in shell prompts and Web Management.
Configuring RADIUS Authentication
The Set RADIUS Authentication command configures the address of a RADIUS server, if available.
Figure 5: RADIUS Server Configuration menu
The Hostname/IP and Port Number fields configure the server location. The Shared Secret field configures the secret shared between this router and that server. It must match the secret the RADIUS server holds for this router, and because it is the only key protecting the RADIUS exchange on the wire it should be long, random and not reused across devices.
Configuring The Date, Time And Timezone
The Set The Date, Time And Timezone command allows these parameters to be set.
Figure 7: RuggedRouter Date/Time/Timezone Menu
Once set, the router will account for Daylight Saving time.
Displaying Hardware Information
The Display Hardware Information command describes commissioned hardware.
Restoring A Configuration
The Restore A Previous Configuration command provides a means to restore a previously taken snapshot of the configuration of the router.
Note: The router will reboot immediately after restoring configuration.
The user is first prompted to select either the factory default configuration or a previously made archive.
Note: Restoring the factory defaults will reset IP addresses and may make the router impossible to reach from the network.
The RuggedRouter Web Interface
The RuggedCom Web interface is provided by an enhanced version of the popular Webmin interface.
Using a Web Browser to Access the Web Interface
Start a web browser session and open a connection to the router by entering a URL that specifies its hostname or IP address (e.g. https://179.1.0.45:10000). Once the router is contacted, start the login process by clicking on the “Login” link.
The Structure of the Web Interface
The Web interface presents a web page with two frames. The leftmost or index frame selects subsystems to configure and is always displayed. The rightmost or configuration frame presents the configuration for the currently selected subsystem, or in the case of signing-on, the home page window. The home page window presents an annotated view of the front of the chassis as well as a number of important system parameters.
The Webmin Menu provides the ability to:
• Configure the sign-on password,
• Specify session timeouts,
• Restrict the subnet of IP addresses that can log in,
• Configure and view Webmin event logs.
The System Menu provides the ability to:
• Change the router password,
• Enable and disable applications from running,
• Reboot the router,
• Schedule one time and periodic tasks to run,
• Change the router's name (hostname),
• Change the time and date.
Figure 13: LED Status Panel
The LEDs are organized into three primary groups; the port group, GPS/PPP group and the Alarm/Power Supply group.
Chapter 2 - Webmin Configuration
Introduction
This chapter familiarizes the user with configuring the router through the Webmin menu and describes the following procedures:
• Configuring the IP Address and Subnet Mask
• Configuring the Gateway Address
• Viewing the Webmin Log
Webmin Configuration Menu
Figure 15: Webmin Configuration Menu
IP Access Control
Figure 16: Webmin Configuration Menu, IP Access Control
Webmin uses a secure communications method called Secure So
If your router is being used on a completely private network, or IP access control is being provided by the firewall, you may leave IP Access Control disabled: select the Allow from all addresses field and Save. If you wish to restrict access to a single address or subnet, select the Only allow from listed addresses field and enter a single IP address or a subnet (an address with its netmask or prefix length). If you wish to deny access to a specific subnet, select the Deny from listed addresses field. Before saving an allow-only list, confirm that the address you are currently administering from is on it; otherwise the web interface will refuse your next login and you will need the console port to recover.
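The decision the three IP Access Control options make, as an added example (not Webmin's or RuggedCom's own code): the list entries are parsed as single addresses, CIDR subnets or address/netmask pairs, and a pre-save check answers the lock-out question raised above. The mode names and the sample addresses are this example's assumptions.

```python
import ipaddress

def parse_entry(entry):
    """One line of the access list: a single address (192.168.1.10), a CIDR
    subnet (192.168.1.0/24) or an address with netmask (192.168.1.0/255.255.255.0).
    Python's ipaddress accepts all three; strict=False tolerates host bits."""
    return ipaddress.ip_network(entry.strip(), strict=False)

def is_login_permitted(mode, entries, client_ip):
    """mode: 'all'   = Allow from all addresses
             'allow' = Only allow from listed addresses
             'deny'  = Deny from listed addresses
    (mode strings are assumptions standing in for the radio buttons)."""
    if mode == "all":
        return True
    ip = ipaddress.ip_address(client_ip)
    listed = any(ip in parse_entry(e) for e in entries)
    if mode == "allow":
        return listed          # an empty allow list admits nobody
    if mode == "deny":
        return not listed
    raise ValueError(f"unknown access control mode {mode!r}")

def would_lock_out(mode, entries, admin_ip):
    """Pre-save check: would this policy refuse the address you are
    currently administering from?"""
    return not is_login_permitted(mode, entries, admin_ip)

if __name__ == "__main__":
    # constructed policy: management subnet plus one jump host
    policy = ["192.168.1.0/24", "10.10.0.5"]
    for src in ["192.168.1.77", "10.10.0.5", "172.16.4.1"]:
        print(src, "allow-list:", is_login_permitted("allow", policy, src),
              "deny-list:", is_login_permitted("deny", policy, src))
    print("saving an empty allow list from 192.168.1.77 locks me out:",
          would_lock_out("allow", [], "192.168.1.77"))
```

The check is made on the source address as the router sees it, so administrators reaching the router through NAT are admitted or refused as a group, and an address/netmask entry covers every host behind it.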
The Web management package provides context sensitive help in each of its menus. When a help link is selected the router instructs the browser to open the help text from a help server. In this way the router does not waste large amounts of disk space storing help text and network bandwidth sending large web pages. By default, the router directs the browser to the same server used to upgrade the router.
The Log changes made to files by each action field causes verbose logging and should be left enabled.
Authentication
Figure 20: Webmin Configuration Menu, Authentication
This menu allows you to configure what Webmin will do when a number of failed logins from the same IP address occur. If the Enable password timeouts field is selected, the host will be blocked for the specified period of time. The block is keyed on the source address: it slows password guessing from a single host but does nothing against attempts spread across many addresses, and a guesser sharing a NAT address with your administrators can lock them out too. Treat it as a complement to strong passwords and IP Access Control, not a replacement.
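The lockout logic described above, as an added example (not Webmin's own implementation): failures are counted per source address, the address is refused for the configured period once the threshold is reached, and the block is checked before the password so that a correct guess from a blocked address is still refused. The threshold and period defaults, and the addresses in the replay, are assumptions.

```python
from collections import defaultdict

class LoginLockout:
    """Block a source address for `lockout_seconds` after `max_failures`
    failed logins within that window. Defaults are assumptions standing in
    for the Authentication menu's settings, not the router's values."""
    def __init__(self, max_failures=5, lockout_seconds=300):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(list)  # ip -> timestamps of recent failures
        self.blocked_until = {}            # ip -> time at which the block lapses

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # block has lapsed: forget it and start counting afresh
            del self.blocked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip, now):
        """Register a failed login; returns True if the address is now blocked."""
        if self.is_blocked(ip, now):
            return True
        window_start = now - self.lockout_seconds
        recent = [t for t in self.failures[ip] if t > window_start]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_failures:
            self.blocked_until[ip] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, ip):
        self.failures.pop(ip, None)

def attempt_login(lockout, ip, password_ok, now):
    """Returns 'blocked', 'ok' or 'failed'. The block is consulted before
    the password, so a blocked address cannot log in even with the right one."""
    if lockout.is_blocked(ip, now):
        return "blocked"
    if password_ok:
        lockout.record_success(ip)
        return "ok"
    lockout.record_failure(ip, now)
    return "failed"

def replay(attempts, **settings):
    """attempts: constructed list of (timestamp_seconds, source_ip, password_ok)."""
    lockout = LoginLockout(**settings)
    return [attempt_login(lockout, ip, ok, t) for t, ip, ok in attempts]

if __name__ == "__main__":
    # constructed log: five wrong guesses, then the real password, then retry after the block
    guesses = [(t, "10.0.0.9", False) for t in range(5)]
    print(replay(guesses + [(5, "10.0.0.9", True), (6, "10.0.0.20", True), (304, "10.0.0.9", True)]))
```

Correlating these events with the Webmin log (Log changes made to files by each action, above) is what turns a lockout into a detection: a block that fires repeatedly from one address is a guessing attempt worth a firewall rule, not just a timeout.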
Chapter 3 - Configure Webmin Users
Introduction
This chapter familiarizes the user with:
• Configuring Webmin users
• Displaying and removing existing login sessions
• Setting up password restrictions
Webmin User and Group Fundamentals
When the Webmin package is installed for the first time, an account for the user “root” exists on the router. Besides the root account, three groups, or privilege levels, are defined: “administrator”, “operator”, and “guest”.
Notes: A Webmin user will only be authenticated locally if a user account of that name has already been created in Webmin. The Change Password command can only be accessed via a locally defined user account.
Webmin Users Menu
Figure 22: Webmin users menu
This menu allows you to create, change or delete a Webmin user, to view and remove current login sessions, and to set password restrictions. Click the Select all link to select all manually created users.
Edit Webmin User menu
Figure 23: Edit Webmin User Menu
This menu allows you to change the user name, group membership, password, and real name for a user account. The Username field sets the user name for the Webmin user. This user name will be used in the login. The Member of group field determines which group the user belongs to. Recall that the group is equivalent to the privilege level, which determines the user's access level for the Webmin system.
Password Restrictions Menu
Figure 25: Password Restrictions Menu
This menu allows you to set restrictions for password selection in order to prevent the use of trivial, or machine-guessable, passwords. The Minimum password length field sets the minimum length for a password. The Regular expression passwords must match field sets the regular expression that a new password must match. Apply the restrictions before creating further accounts; they are checked when a password is set, not against passwords that already exist.
Chapter 4 - Configuring The System
Introduction
This chapter familiarizes the user with:
• Enabling and disabling processes such as SSH and Web Management
• Changing the system password
• Shutting down and rebooting the system
• Scheduling one-off and periodic commands
• Examining system logs
• Changing the hostname
• Changing the system time and timezone
Bootup And Shutdown
Figure 26: Bootup and Shutdown, Part 1
This menu allows you to enable/disable services and to
The second part of the menu allows you to program specific actions at boot time. The script will be run after all regular boot actions have completed.
Figure 27: Bootup and Shutdown, Part 2
The actions may be a series of commands that can be executed at the command line. Each entered line is executed independently of the previous line, so change directory commands will not be effective. Always specify the absolute path of files used in commands.
Begin by selecting the time and date you wish to run the command at using the Run on date and Run at time fields. Use the Run in directory field to enter a directory to run the command in, or simply use “/”. Finally, enter the command to execute in the Commands to execute field. Note that the command will remain scheduled after reboot. After the command is entered, the Scheduled Commands menu will display any commands and allow you to cancel them.
Scheduled Cron Jobs
A Cron job is a combination of a command to run, and a definition of the times at which to run it. The Scheduled Cron Jobs menu allows you to create, delete and edit these jobs.
Figure 31: Webmin Scheduled Cron Jobs
Initially, there will be no scheduled jobs. Follow the “create” link to create one.
Figure 32: Creating a Cron Job
Begin the construction of the job by selecting a “user” to execute as. For most purposes, “root” will suffice, but a job that does not need administrative rights should run as a less privileged user, since the command runs with whatever rights that user has.
Figure 33: Scheduled Cron Jobs menu displaying cron jobs
Follow the link of a specific job in order to delete the job, edit it, or test the command part of the job by running it immediately. If you have multiple jobs, the arrows in the Move column will alter the order in which they are presented.
System Hostname
Figure 34: System Hostname
The Hostname field modifies the hostname as presented in the web server and shell sessions.
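The “definition of the times at which to run” a cron job is the familiar five-field schedule (minute, hour, day-of-month, month, day-of-week). The parser below is an added example (not the router's cron or Webmin's code) for checking what a schedule actually matches before trusting it; it follows the Vixie cron conventions that 0 and 7 both mean Sunday and that, when both day fields are restricted, a time matching either of them fires. The sample expressions and dates are constructed.

```python
import datetime

# (low, high) for minute, hour, day-of-month, month, day-of-week
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]

def parse_field(spec, low, high):
    """Expand one cron field into the set of integers it matches.
    Handles '*', 'N', 'A-B', 'A-B/S', '*/S', 'N/S' (N up to high, step S)
    and comma-separated lists of those; out-of-range values raise."""
    values = set()
    for part in spec.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = low, high
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        elif step > 1:
            start, end = int(part), high
        else:
            start = end = int(part)
        if step < 1 or start < low or end > high or start > end:
            raise ValueError(f"field {spec!r} is outside {low}-{high}")
        values.update(range(start, end + 1, step))
    return values

def parse_cron(expr):
    """Parse 'minute hour day-of-month month day-of-week' into match sets."""
    fields = expr.split()
    if len(fields) != 5:
        raise ValueError("expected five fields: minute hour day-of-month month day-of-week")
    sets = [parse_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]
    sets[4] = {0 if d == 7 else d for d in sets[4]}   # 7 is Sunday, like 0
    return {
        "minute": sets[0], "hour": sets[1], "dom": sets[2],
        "month": sets[3], "dow": sets[4],
        # Vixie cron: a field is "restricted" unless it is exactly '*'
        "dom_restricted": fields[2] != "*",
        "dow_restricted": fields[4] != "*",
    }

def cron_matches(expr, when):
    """Does the schedule fire at the given datetime (minute resolution)?"""
    s = parse_cron(expr)
    cron_dow = (when.weekday() + 1) % 7   # datetime Monday=0; cron Sunday=0, Monday=1
    if (when.minute not in s["minute"] or when.hour not in s["hour"]
            or when.month not in s["month"]):
        return False
    dom_ok, dow_ok = when.day in s["dom"], cron_dow in s["dow"]
    if s["dom_restricted"] and s["dow_restricted"]:
        return dom_ok or dow_ok       # either day field suffices
    return dom_ok and dow_ok

def matches_at(expr, year, month, day, hour, minute):
    return cron_matches(expr, datetime.datetime(year, month, day, hour, minute))

if __name__ == "__main__":
    # constructed check: backup at 02:00/02:15/02:30/02:45 on weekdays
    print(matches_at("*/15 2 * * 1-5", 2008, 8, 6, 2, 30))   # Wednesday -> True
    print(matches_at("*/15 2 * * 1-5", 2008, 8, 3, 2, 30))   # Sunday -> False
```

The either-day rule is the usual surprise: “0 12 1 * 0” runs on the first of every month and on every Sunday, not only on Sundays that fall on the first.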
Chapter 5 - Configuring Networking
Introduction
This chapter familiarizes the user with:
• Configuring routing and gateways
• Configuring DNS (Domain Name System)
• Entering host addresses
• Configuring a pair of End To End Backup interfaces
• Viewing routing tables
Network Configuration
Figure 36: Network Configuration Menu
This menu allows you to configure IP networking parameters.
Core Settings
Figure 37: Core Networking Settings
This menu allows you to configure core networking settings. The IPV6 Support field determines whether IPv6 interfaces are created and supported at boot time. Set this option to yes if you need these interfaces. Disabling these interfaces removes them from interface displays and OSPF/RIP. A change will take effect at the next boot. The Antispoofing field corresponds to the kernel rp_filter setting: with it enabled, the router discards a packet whose source address would not be routed back out through the interface the packet arrived on. This defeats packets arriving from outside with a forged internal source address, but it also discards legitimate traffic on asymmetric paths, where replies arrive on a different interface from the one the route lookup selects.
Dummy Interface
Figure 38: Dummy Interface
This menu allows you to configure a dummy interface. Normally the router is reachable on any of its interface addresses, whether the interface is active or not. When OSPF and link detection is used, inactive interfaces are not advertised to the network and thus not reachable. A dummy interface is always advertised and thus reachable.
If the default gateway is configured but the actual default gateway in use is different, the menu will display a warning accompanied by the actual gateway. Use the Save button below the table to change the default gateway setting.
Configured Static Routes
This table configures static and host routes. The Network/Host and Netmask fields describe the remote network the static route will reach. If the netmask field is not entered (or a netmask of 255.255.
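How the Configured Static Routes table and the Antispoofing (rp_filter) setting of the Core Settings menu fit together, as an added example that is not the router's code: rows are turned into a longest-prefix-match table (a row without a netmask becomes a host route), and the reverse-path check asks whether the route back to a packet's source leaves by the interface the packet came in on. The routes, addresses and interface names are assumptions.

```python
import ipaddress

# Constructed rows in the shape of the Configured Static Routes table:
# (Network/Host, Netmask or None when left blank, outgoing interface).
SAMPLE_ROUTES = [
    ("10.0.0.0", "255.255.255.0", "eth0"),     # LAN
    ("192.168.5.0", "255.255.255.0", "eth2"),  # remote site
    ("10.0.0.99", None, "eth2"),               # no netmask: host route, beats the /24
    ("0.0.0.0", "0.0.0.0", "eth1"),            # default route (WAN)
]

def build_table(routes):
    """Turn (destination, netmask, interface) rows into a lookup table.
    A missing netmask is treated as 255.255.255.255 (a host route), and
    the table is ordered longest prefix first so the most specific wins."""
    table = []
    for dest, mask, iface in routes:
        if mask is None:
            mask = "255.255.255.255"
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        table.append((net, iface))
    table.sort(key=lambda row: row[0].prefixlen, reverse=True)
    return table

def lookup(table, address):
    """Longest-prefix match: the interface a packet to `address` leaves by,
    or None when nothing (not even a default route) covers it."""
    ip = ipaddress.ip_address(address)
    for net, iface in table:
        if ip in net:
            return iface
    return None

def rp_filter_accepts(table, source, ingress_iface):
    """Strict reverse-path filtering, the check the Antispoofing field turns
    on: keep the packet only if the route back to its source address leaves
    via the interface the packet arrived on."""
    return lookup(table, source) == ingress_iface

def sample_table():
    return build_table(SAMPLE_ROUTES)

if __name__ == "__main__":
    t = sample_table()
    for src, ifc in [("10.0.0.7", "eth0"), ("10.0.0.7", "eth1"), ("203.0.113.5", "eth0")]:
        print(f"src {src} on {ifc}: {'accept' if rp_filter_accepts(t, src, ifc) else 'drop'}")
```

With a default route present every source has some reverse path, so the filter only catches packets whose source belongs to a more specific route elsewhere: a LAN address arriving on the WAN port, or an Internet address arriving on the LAN port, are both dropped; an unknown address arriving on the WAN port passes.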
Static Multicast Routing
Figure 40: Static Multicast Routing
This menu allows you to configure static multicast routing. The Configured Static Multicast Routes table shows configured multicast routes. New routings may be added by completing the bottom row of the table and selecting the Save button. Routings may be deleted by clearing the routing's Multicast IP Address field and selecting the Save button.
DNS Client
Figure 41: DNS Client
This menu allows you to display and configure various DNS client fields. The Resolution Order selector determines the order of sources for resolving domain names into IP addresses. The Hosts file /etc/hosts can be populated with frequently used, but unchanging, addresses. DNS refers to any configured DNS servers. The DNS servers fields allow you to specify, in order, the servers to resolve from.
End To End Backup
End To End backup is a method of using two interfaces to ensure a reliable end to end connection between two routers using alternate routing, without the need to configure routing protocols. The two interfaces are assigned as a primary:secondary backup pair. The primary interface serves as the gateway. If connectivity to the target is lost from the primary interface, traffic is migrated to the secondary interface.
Configuring End To End Backup
Figure 44: End To End Backup
This menu allows you to display and configure end to end backup. In order to start end to end backup at each and every boot, you must enable it via the System folder, Bootup And Shutdown menu. The menu will remind you if the feature is not enabled. The Primary Interface field determines the primary interface. The interface selected should be configured to supply the default gateway.
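The primary:secondary migration described above, as an added example of the decision logic (not the router's implementation): reachability probes for the target are fed in one at a time, and the gateway only moves after several consecutive failures so that a single lost probe does not flip the path. The thresholds, the fail-back rule (the guide describes only the move to the secondary) and the interface names are this example's assumptions.

```python
class EndToEndBackup:
    """Primary:secondary gateway pair. `fail_after` consecutive failed probes
    via the primary move the gateway to the secondary; `restore_after`
    consecutive successful probes move it back. Both thresholds and the
    fail-back behaviour are assumptions for this example."""
    def __init__(self, primary, secondary, fail_after=3, restore_after=3):
        self.primary, self.secondary = primary, secondary
        self.fail_after, self.restore_after = fail_after, restore_after
        self.active = primary
        self.streak = 0   # consecutive probe results arguing for a switch

    def observe(self, primary_reachable):
        """Feed one probe result for the target via the primary path.
        Returns the interface currently supplying the default gateway."""
        on_secondary = self.active == self.secondary
        wants_switch = primary_reachable if on_secondary else not primary_reachable
        if not wants_switch:
            self.streak = 0           # any contrary result resets the count
            return self.active
        self.streak += 1
        threshold = self.restore_after if on_secondary else self.fail_after
        if self.streak >= threshold:
            self.active = self.primary if on_secondary else self.secondary
            self.streak = 0
        return self.active

def replay_probes(results, primary="eth0", secondary="eth1", **thresholds):
    """Run a constructed sequence of probe outcomes (True = target reachable
    via the primary) through the state machine; returns the gateway after each."""
    fsm = EndToEndBackup(primary, secondary, **thresholds)
    return [fsm.observe(r) for r in results]

if __name__ == "__main__":
    # constructed outage: one blip, then a real loss, then recovery
    print(replay_probes([True, False, True, False, False, False, True, True, True]))
```

Two things to check when enabling the feature: the probe target must only be reachable through the primary path (otherwise a dead primary is never noticed), and the target must answer the probe type used, or the backup path will be selected for no reason.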
Chapter 6 - Configuring Ethernet Interfaces
Introduction
This chapter familiarizes the user with:
• Reading the Ethernet LEDs
• Configuring Ethernet Network Interfaces
• Configuring VLANs
• Configuring PPPoE
Ethernet Interface Fundamentals
RuggedCom manufactures dual Ethernet Interface boards in a variety of formats. Some (most notably the optical interfaces) have the same outward appearance but different order numbers.
RuggedRouter Functions Supporting VLANs

Function                         Supported?   Comments
Static Route and Default Route   Y
Static Multicast Routing         Y
End To End backup                Y
PPPoE                            N
Shorewall Firewall               Y
IPSec                            N            Netkey (policy based VPNs) supports VLAN; Klips (route based VPNs) does not support VLAN
VRRP                             Y
Traffic Prioritization           Y
Dynamic Routing                               Both OSPF and RIP support VLAN
GRE Tunnel                       Y
DHCP Server                      Y

PPPoE On Native Ethernet Interfaces Fundamentals
The RuggedRouter supports PPPoE
Ethernet Configuration
Figure 45: Ethernet Menu
This menu allows you to configure Ethernet interface parameters as well as display the routes and status of all network interfaces. Select the Ethernet Interfaces icon to configure Ethernet interfaces. The Network Interfaces menu lets you edit the permanent configuration of Ethernet interfaces, or simply try out changes.
The Network Configuration menu's Apply Configuration button applies permanent changes and restarts Ethernet networking. If only temporary changes have been made, the permanent configuration will be re-applied. In either table, edit the desired interface by clicking on its link under the Name column.
Editing Currently Active Interfaces
Figure 47: Editing a Network Interface
This menu allows you to make changes to the currently active interfaces.
Virtual Interfaces
Use virtual interfaces when you have an Ethernet port that has multiple "real" IP addresses assigned to it, e.g. as with a port provided by an Internet Service Provider.
Figure 48: Creating a Virtual Interface
The only new parameter is the virtual interface descriptor, which must be a numeric value. As an example, a virtual interface numbered 0 on eth1 appears as eth1:0 in interface descriptions and routing tables.
The Netmask, Broadcast, MTU, Virtual Interfaces, Proxy ARP and Media Type controls are as described above. The IP Address fields allow you to manually specify an IP address for this interface, or to obtain the address from DHCP or from BOOTP. The Activate at boot fields allow you to permanently disable the interface without actually deleting it. The Save and Apply button applies any changes after they have been saved.
Edit PPPoE Interface
Figure 52: Editing a PPPoE Interface
This menu allows you to edit a PPPoE interface. The PPPoE Username field determines the username to use when connecting to the PPPoE server as specified by your provider. The Password field determines the password provided to the PPPoE server. The Default Route checkbox enables automatically setting a default route using this interface whenever it connects.
This menu displays the native Ethernet and internal ADSL interface PPPoE connection messages. This is mainly useful when trying to debug a PPP connection problem.
Current Routes & Interface Table
The table provided by this command is as described in the Networking menu, Network Utilities sub-menu. It is also provided here as a convenience.
Chapter 7 - Configuring Frame Relay/PPP And T1/E1
Introduction
This chapter familiarizes the user with:
• Frame Relay and PPP Terminology and Issues
• Configuring Frame Relay and PPP Links
• Viewing status and statistics
• Upgrading Firmware
T1/E1 Fundamentals
A T1 is a communications circuit upon which has been imposed a digital signal 1 (DS1) signaling scheme.
Unlike PPP, a Frame Relay link can provide multiple (up to 990) connections. Each connection is identified by a Data Link Connection Identifier (DLCI) and must match at the DCE and DTE. The use of multiple connections can support meshed network interconnections and disaster recovery.
T1/E1 Configuration
Figure 54: T1/E1 Trunks And Interfaces
This menu allows you to display and configure T1 or E1 Trunks as well as display the routes and status of the network interfaces.
T1/E1 Network Interfaces
Figure 55: T1/E1 Network Interfaces Initial Configuration
This menu allows you to display and configure T1/E1 Trunk parameters, Channels and the logical interfaces that run on them. A table is presented for each interface.
Once all timeslots have been assigned to channels, the “Timeslots..” link will no longer appear. Note that you do not have to assign all timeslots. Assign Frame Relay or PPP to the channels by following the “Assign .. Protocol” links. The resultant menus will allow you to select the desired channel. If you are assigning multiple DLCIs, assign the first DLCI used by that interface and configure the Frame Relay Link Parameters and that DLCI's network parameters.
Note: Once a channel is created, and an interface is constructed on it, the name of the interface will never change. This will remain true even if the number of timeslots on the channel is changed. This property is desirable since features such as OSPF, RIP and the firewall rely on the interface name. Channel re-assignments can, however, lead to a non-intuitive relationship between channels and timeslots.
Editing A Logical Interface (Frame Relay)

Figure 59: Edit Logical Interface (Frame Relay)

This menu allows you to configure Frame Relay link and logical interface fields.

Frame Relay Link Parameters

The first table presents the link parameters and applies to all logical interfaces. The Station Type field determines whether the router acts as a customer premises equipment or as a frame relay switch. When a Frame Relay network provider is used, the CPE interface should be chosen.
Frame Relay DLCIs

The second table provides a listing of all DLCIs available on the channel. Only the DLCI selected from the main menu can be edited, although another DLCI can be added by following the “Add another DLCI to this channel” link. The DLCI Number refers to the Data Link Connection Identifier. This number should be provided to you by your provider. The Local IP Address field defines the IP address for this interface.
T1/E1 Statistics

When at least one logical interface is configured, T1/E1 Link and logical interface statistics will be available. These statistics are available from links on the T1/E1 WAN Interfaces menu. Link Statistics are provided through the “View Link Statistics” link at the bottom of each interface table. Frame Relay and PPP statistics are available through “(Statistics)” links under the interface name column of each interface table.
Frame Relay Interface Statistics

Figure 62: Frame Relay Statistics

Note that the Frame Relay Trunk Statistics and Frame Relay Trunk Communications Errors tables are common to all Frame Relay DLCIs on the trunk.
PPP Interface Statistics

Figure 63: PPP Link Statistics
T1/E1 Loopback

When at least one logical interface is configured, a T1/E1 loopback test can be performed. This menu can be reached from a link on the T1/E1 WAN Interfaces menu.

Figure 64: T1/E1 Loopback Menu

The loopback test provides a means to test the digital and analog hardware of your T1/E1 hardware and the T1/E1 line. The sender transmits a number of frames which are looped back to it. The returning frames are verified for correctness.
Running a loop test on an active interface will immediately cause it to go down. The loop test automatically initializes the trunk after completing the test.

Current Routes & Interface Table

The table provided by this command is as described in the Networking menu, Network Utilities sub-menu. It is also provided here as a convenience.

Upgrading Software

For some customers, access to remote sites is accomplished solely by a T1 or E1 connection.
Chapter 8 - Configuring Frame Relay/PPP And T3

Introduction

This chapter familiarizes the user with:
• Configuring Frame Relay and PPP Links
• Viewing status and statistics
• Upgrading Firmware

T3 Fundamentals

A T3 is a communications circuit upon which has been imposed a digital signal 3 (DS3) signaling scheme. The scheme allows 672 “timeslots” of 64 Kbps DS0 information to be multiplexed to a 44.736 Mbps circuit.
T3 Configuration

Figure 66: T3 Trunks And Interfaces

This menu allows you to display and configure T3 Trunks as well as display the routes and status of the network interfaces.

T3 Network Interfaces

Figure 67: T3 Network Interfaces

Initial Configuration

This menu allows you to display and configure T3 Trunk parameters. A table is presented for each interface. Interface numbers are as described by the “WAN” labels as shown in the home page chassis diagram.
Editing A T3 Interface

Figure 69: Edit T3 Interface

This menu allows you to display and configure T3 Trunk parameters. The Framing field determines the framing format used. Your line provider will indicate the correct format. The Line Decoding field reflects the line encoding/decoding scheme. Almost all T3s now use B3ZS. The Clocking field selects whether to accept or provide clocks.
Figure 71: Edit Logical Interface (Frame Relay)

The fields and buttons in this menu are the same as those described in the Editing A Logical Interface (Frame Relay) section of the Configuring Frame Relay/PPP And T1/E1 chapter.

Editing A Logical Interface (PPP)

Figure 72: Edit Logical Interface (PPP)

The Local Address, Netmask, Remote Address, Default Gateway and Description fields are as described in the previous section.
Upgrading Software

For some customers, access to remote sites is accomplished solely by a T3 connection. Usually a software upgrade will stop the system being upgraded, perform the upgrade and then restart it. If the T3 port was upgraded in this way, the upgrade would fail as the T3 link was taken down. Instead, T3 software upgrades modify only the software on the disk. You must schedule a reboot in order to run the new version of T3 software.
Chapter 9 - Configuring Frame Relay/PPP And DDS

Introduction

This chapter familiarizes the user with:
• Configuring Frame Relay and PPP Links
• Viewing status and statistics
• Upgrading software

DDS Fundamentals

A Digital Data Services (DDS) line is a North American digital transmission method that operates at 56 Kbps synchronously over an unloaded, 4-Wire metallic-pair circuit.
DDS Configuration

Figure 73: DDS Trunks And Interfaces

This menu allows you to display and configure DDS Trunks. The Current Routes menu will display the routes and status of the network interfaces.

DDS Network Interfaces

Figure 74: DDS WAN Interfaces

This menu allows you to display DDS trunks and configure the logical interfaces that run on them. A table is presented for each interface.
Naming Of Logical Interfaces

Webmin names the logical interfaces for you (but allows you to provide a description). All interfaces start with a “w” to identify them as WAN interfaces, followed by the interface number. The next part of the identifier is either “ppp” or “fr” followed by the frame relay DLCI number.
Editing A Logical Interface (PPP)

Figure 78: Edit Logical Interface (PPP)

The fields and buttons in this menu are the same as those described in the Editing A Logical Interface (PPP) section of the previous chapter.

DDS Statistics

When at least one logical interface is configured, DDS Link and logical interface statistics will be available. These statistics are available from links on the DDS WAN Interfaces menu.
Frame Relay And PPP Interface Statistics

Frame Relay And PPP Interface Statistics are as described in the Configuring Frame Relay/PPP And T1/E1 chapter.

DDS Loopback

When at least one logical interface is configured and that interface is active, a DDS Loopback test can be performed. This menu can be reached from a link on the DDS WAN Interfaces menu. The remote equipment must be able to loop, allowing the entire line to be verified.
Chapter 10 - Configuring PPPoE/Bridged Mode On ADSL

Introduction

This chapter familiarizes the user with:
• Configuring PPPoE and Bridged Mode Links
• Viewing status

ADSL Fundamentals

An ADSL (Asymmetric Digital Subscriber Line) line is a communications link running over regular POTS telephone service. The link is asymmetric, supporting data transfer at up to 8 Mbps from the network and up to 1 Mbps to the network.
Authentication, Addresses and DNS Servers

PPP authentication utilizes PAP or CHAP. Your ISP will provide you with a user-ID and password which you will enter in the GUI. The authentication process will assign a local IP address and the addresses of the ISP's DNS servers to the router. You should use these DNS servers unless you wish to provide your own. You will obtain either a dynamic or static IP from your ISP. Firewall configuration should be performed as is appropriate.
TX (Red) indicates when data is being transmitted over DSL. RX (Red) indicates when data is being received over DSL. While connecting, the LEDs flash sequentially. The RuggedRouter also indicates information about ADSL ports on the LED Panel. A pair of LEDs will indicate traffic and link status of the port. Consult the section “Using The LED Status Panel” to determine which LEDs correspond to the port.
Editing A Logical Interface (PPPoE)

Figure 82: Edit Logical Interface (PPPoE)

This menu allows you to display and configure logical interface fields for PPPoE and to convert the interface to Bridged Mode. By default, interfaces are created with PPPoE. If you want the interface to be Bridged Mode, click on the Convert this interface to bridged link. The Description field attaches a description to the logical interface viewable from the network interfaces menu.
Editing A Logical Interface (Bridged)

Figure 83: Edit Logical Interface (Bridged)

The Description field attaches a description to the logical interface viewable from the network interfaces menu. The VPI field determines the VPI number the connection uses. The default of 0 is correct for most providers. The Attempt ATM Autoconfiguration option causes the router to attempt to automatically determine the VPI and VCI used on the connection.
ADSL Statistics

Figure 84: ADSL Link Statistics

When at least one logical interface is configured, ADSL Link statistics will be available. These statistics are available from links on the DDS WAN Interfaces menu. The Local SNR Ratio is an effective indicator of line quality. SNR values above 40 dB correspond to excellent line quality while values below 10 dB result in marginal operation or failure.
Chapter 11 - Configuring PPP and Modem

Introduction

This chapter familiarizes the user with:
• Configuring PPP Client
• Configuring PPP Server
• Configuring Dial in console
• Viewing status

PPP and Modem Fundamentals

RuggedRouter may be equipped with an internal modem or with a serial card, which will allow connection to an external modem. A modem allows connections to be made over standard telephone lines.
PPP Modem Configuration

Figure 85: Modem Configuration Main Menu

This menu allows you to display and configure the modem interface, PPP client and server connections.

Modem Configuration

Figure 86: Edit Internal Modem Configuration

Figure 87: Edit External Modem Configuration

These menus allow you to configure modem settings and usage features.
The Dial-in console field allows the modem to answer incoming calls and present a login screen in the same way that the console serial port does. The login used for the Dial-in console is the same as that used for SSH and serial console logins.

Note: If RADIUS authentication is enabled, the Dial-In Console login will be in the LOGIN group and not in the PPP group. See the section “RADIUS Authentication” for details.
%C1 - Enable MNP5 compression negotiation.
%C2 - Enable V.42bis compression negotiation.
%C3 - Enable MNP5 and V.42bis compression negotiation. (default)

Line quality monitoring control
%E0 - Disable line quality monitor and auto-retrain.
%E1 - Enable line quality monitor and auto-retrain.
%E2 - Enable line quality monitor and fallback/fallforward.
Modem PPP Client

Figure 89: Configure Modem PPP Client

The Connection Name field determines the name that will be used to refer to this connection when choosing which connection to dial automatically at boot, or which connection to use as a backup for another link. The PPP Username field determines the user name to use when connecting to the PPP server as specified by its operator. The Password field determines the password to use when connecting to the PPP server.
Modem PPP Server

The Server IP address field specifies the IP address that the router will use for the PPP interface. The Client IP address field specifies the IP address to assign to an incoming PPP client connection.

Figure 90: Configure Modem PPP Server

The Client Nameserver field controls which nameserver (if any) the client should use for DNS lookups. The Proxy ARP option makes the router attempt to proxy ARP the remote IP onto a local Ethernet subnet.
Modem Incoming Call Logs

Figure 91: Incoming Call Logs

This page shows the latest log entries for incoming calls. This is mainly useful when trying to debug a problem with establishing incoming connections.

Modem PPP Logs

Figure 92: PPP Logs

This page shows the PPP logs. This is mainly useful when trying to debug a PPP connection problem.
Modem PPP Connection Logs

Figure 93: PPP Connection Logs

This page shows a list of PPP connections. It shows who connected, when they connected and disconnected, the connection speed, and session traffic.

Current Routes & Interface Table

The table provided by this command is as described in the Networking menu, Network Utilities sub-menu. It is also provided here as a convenience.
Chapter 12 - Configuring PPP and Cellular Modem

Introduction

This chapter familiarizes the user with:
• Configuring Cellular modem
• Configuring PPP Client
• Viewing status

PPP and Cellular Modem Fundamentals

The RuggedRouter may be equipped with an internal cellular modem instead of the land-line modem or the serial card described in the preceding chapter. The cellular modem allows connections to be made over a cellular radio telephone link.
• Off indicates that the cellular modem is active but a connection to the wireless network has not yet been established.
• RED indicates that the cellular modem is not currently operating.

The leftmost LED of the second bottom row (LED #25) is the cellular modem's Activity LED:
• Off means that there is no data traffic on the cellular modem.
• Flashing means that there is data traffic on the cellular modem connection.
The Access Point Name is the APN of your wireless network. This information will be provided by the wireless network when you register for data service. The Dial string is a special command to be sent by the cellular modem to the wireless network to establish a data connection. For a GSM/GPRS network, normally it is the string “*99***1#”. This command might vary depending on the wireless network.
Modem PPP Client Connections

Figure 96: Modem PPP Client Connections

To edit an existing connection, click the “Edit” link for that connection. To create a new connection, click the “Add new” link. To have the router automatically dial a connection at boot time and keep it always active, select which connection should be used from the drop-down list of available connection profiles in the Connect at boot list.
The Use peer DNS checkbox enables automatically setting the DNS server entries that the PPP server recommends. Enable this option unless you provide your own name servers. The Maximum Dial Attempts field specifies the number of consecutive times the modem will dial the phone number before it stops. If the number is 0, it will never stop and will dial until the connection is established.
Chapter 13 - Configuring The Firewall

Introduction

This chapter familiarizes the user with:
• Enabling/Disabling The Firewall
• Elements of Firewall design
• How to configure the Firewall
• Checking Firewall configuration

Firewall Fundamentals

Firewalls are software systems designed to prevent unauthorized access to or from private networks.
In practice an iptables rule file and a script are all that are needed to load the netfilter system with rules upon router start-up. The iptables rules, however, are somewhat difficult to configure and manage. The Shoreline Firewall, often known as shorewall, offers a more convenient approach. Shorewall is really just a front end to netfilter, maintaining the information used to generate the iptables rules in a less complicated form.
Port Forwarding

Port forwarding (also known as redirection) allows traffic coming from the Internet to be sent to a host behind the NAT gateway. Previous examples have described the NAT process when connections are made from the intranet to the Internet. In those examples, addresses and ports were unambiguous. When connections are attempted from the Internet to the intranet, the NAT gateway will have multiple hosts on the intranet that could accept the connection.
7) If your hosts must accept sessions from the Internet, configure the rules file to support Destination Network Address Translation (DNAT). Which hosts need to accept connections, from whom and on which ports?
8) Configure the rules file to override the default policies. Have external connections been limited to approved IP address ranges? Have all but the required protocols been blocked?
9) If you are supporting a VPN, add additional rules.
Shorewall Terminology And Concepts

This section provides background on various Shorewall terms and concepts. References are made to the section where configuration applies.
Hosts

Shorewall hosts are used to assign zones to individual hosts or subnets, on an interface which handles multiple subnets. This allows the firewall to manage traffic being forwarded back out the interface it arrived on, but destined for another subnet. This is often useful for VPN setups to handle the VPN traffic separately from the other traffic on the interface which carries the VPN traffic. An example follows:

Zone    Interface   IP Address or Network
local   eth3        10.
guests  eth3
Masquerading And SNAT

Masquerading and Source NAT (SNAT) are forms of dynamic NAT. Masquerading substitutes a single IP address for an entire internal network. Use masquerading when your ISP assigns you an IP address dynamically at connection time. SNAT substitutes a single address or a range of addresses that you have been assigned by your ISP. Use SNAT when your ISP assigns you one or more static IP addresses that you wish to assign to one or more internal hosts.
5) This example is much the same as the previous one except that only SMTP from eth1 will be allowed.

Masquerading and SNAT rules are defined in the file /etc/shorewall/masq and are modified from the Masquerading menu.

Rules

The default policies can completely configure traffic based upon zones. But the default policies cannot take into account criteria such as the type of protocol, IP source/destination addresses and the need to perform special actions such as port forwarding.
Some examples will illustrate the power of the rules file:

Rule  Action  Source-Zone         Destination-Zone  Protocol  Dest-Port  Source-Port  Original-Destination-IP
1     ACCEPT  net:204.18.45.0/24  fw
2     DNAT    net                 loc:192.168.1.3   tcp       ssh, http
3     DNAT    net:204.18.45.0/24  loc:192.168.1.3   tcp       http                    130.252.100.69
4     ACCEPT  fw                  net               icmp
5     ACCEPT  net:204.18.45.0/24  fw                icmp      8

1) This rule accepts traffic to the firewall itself from the 204.18.45.0/24 subnet.
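To see how such a table is evaluated, here is an added example (not code from the RuggedRouter guide or from Shorewall) that simulates the five rules above together with an assumed set of default policies. The service-name mapping, the policy table, the sample packets and the use of 130.252.100.69 as the firewall's own address are assumptions, as is the simplification that a DNAT rule with no original destination applies to any destination address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed service-name to port mapping (as /etc/services would provide).
SERVICES = {"ssh": 22, "http": 80}


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None      # TCP/UDP destination port, or ICMP type
    sport: Optional[int] = None


@dataclass
class Rule:
    action: str                      # ACCEPT, DROP, REJECT or DNAT
    source: str                      # "zone" or "zone:network"
    dest: str                        # "zone" to match, or "zone:ip" DNAT target
    proto: str = ""                  # empty means any protocol
    dport: str = ""                  # "ssh,http"; for icmp the type number
    sport: str = ""
    orig_dest: str = ""              # DNAT only: original destination address


def _endpoint_match(spec: str, zone: str, ip: str) -> bool:
    """Match 'zone' or 'zone:network' against one end of the packet."""
    name, _, net = spec.partition(":")
    if name != zone:
        return False
    return not net or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)


def _port_match(spec: str, value: Optional[int]) -> bool:
    """Match a comma separated list of ports/service names; empty matches any."""
    if not spec:
        return True
    wanted = {int(p) if p.isdigit() else SERVICES[p] for p in spec.split(",")}
    return value in wanted


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if not _endpoint_match(rule.source, pkt.src_zone, pkt.src_ip):
        return False
    if rule.action == "DNAT":
        # The DEST column of a DNAT rule names the forwarding target; what must
        # match is the original destination address, if the rule gives one.
        if rule.orig_dest and rule.orig_dest != pkt.dst_ip:
            return False
    elif not _endpoint_match(rule.dest, pkt.dst_zone, pkt.dst_ip):
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    return _port_match(rule.dport, pkt.dport) and _port_match(rule.sport, pkt.sport)


def evaluate(rules: List[Rule], policies, pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, dnat_target).

    DNAT rules are checked first because netfilter rewrites the destination in
    the nat table before the filter table sees the packet; the remaining rules
    are then tried in order, and the default policies decide whatever is left.
    """
    for rule in rules:
        if rule.action == "DNAT" and rule_matches(rule, pkt):
            return "DNAT", rule.dest.partition(":")[2]
    for rule in rules:
        if rule.action != "DNAT" and rule_matches(rule, pkt):
            return rule.action, None
    for src, dst, action in policies:
        if src in (pkt.src_zone, "all") and dst in (pkt.dst_zone, "all"):
            return action, None
    return "DROP", None             # assumed catch-all if no policy matched


# The five rules from the table above.
RULES = [
    Rule("ACCEPT", "net:204.18.45.0/24", "fw"),
    Rule("DNAT", "net", "loc:192.168.1.3", "tcp", "ssh,http"),
    Rule("DNAT", "net:204.18.45.0/24", "loc:192.168.1.3", "tcp", "http", "", "130.252.100.69"),
    Rule("ACCEPT", "fw", "net", "icmp"),
    Rule("ACCEPT", "net:204.18.45.0/24", "fw", "icmp", "8"),
]
# Assumed default policies (source zone, destination zone, action), in order.
POLICIES = [("loc", "net", "ACCEPT"), ("net", "all", "DROP"), ("all", "all", "REJECT")]

if __name__ == "__main__":
    # Constructed packets; 130.252.100.69 stands in for the firewall's address.
    samples = [
        Packet("net", "fw", "204.18.45.10", "130.252.100.69", "tcp", 443),
        Packet("net", "fw", "198.51.100.7", "130.252.100.69", "tcp", 22),
        Packet("net", "fw", "198.51.100.7", "130.252.100.69", "tcp", 25),
        Packet("fw", "net", "130.252.100.69", "198.51.100.7", "icmp", 8),
        Packet("loc", "net", "192.168.1.20", "198.51.100.7", "tcp", 80),
    ]
    for p in samples:
        print(p.src_zone, "->", p.dst_zone, p.proto, p.dport, evaluate(RULES, POLICIES, p))
```

The default policies are consulted only when no rule matched, which is the ordering the Firewall Rules menu describes. Running the sample also shows that, because DNAT rules are tried in table order, rule 3 is only reached for packets that rule 2 did not already forward.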
Policy Based Virtual Private Networking

Begin configuration by creating local, network and vpn zones. Identify the network interface that carries the encrypted IPsec traffic and make this interface part of zone “ANY” in the interfaces menu, as it will be carrying traffic for both zones. Visit the Zone Hosts menu and, for the network interface that carries the encrypted IPsec traffic, create a zone host with zone VPN, the correct subnet and the IPsec zone option checked.
Firewall Configuration

Figure 98: Starting Shorewall Firewall Menu

The above figure shows the firewall menu prior to configuration. Configure the firewall through the provided menus. The “Check Firewall” button can be selected after each menu configuration to check the existing configuration and provide notice of items still to be configured. When the firewall is fully configured, the “Start Firewall” button may be selected.
Figure 99: Shorewall Firewall Menu

The “Apply Configuration” button must be used after making configuration changes. It is recommended that the “Check Firewall” button be used first to verify that any changes made are valid. The “Refresh Configuration” button can be used to activate changes to the blacklisted host and traffic shaping configurations. The “Clear Configuration” button will remove the firewall rules completely and eliminate any protection they offer.
Network Zones

Figure 100: Firewall Network Zones

This menu allows you to add, delete and configure zones. Add a new zone by selecting the “Add a new network zone” link or by clicking on the add-above or add-below images in the Add field. The Zone Type field controls the type of traffic carried in the zone. The Firewall system zone type is built in to the fw zone. A zone type of IPSEC is used with policy based VPNs.
This menu allows you to add, delete and configure network interfaces. Add a new interface by selecting the “Add a new network interface” link or by clicking on the add-above or add-below images in the Add field. Reorder the interfaces by clicking on the arrows under the Move field. Clicking on a link under the Interface field will allow you to edit or delete the interface. Note that if you delete an interface you should remove any rules that reference it.
The norfc1918 option causes packets arriving on this interface that have a source or destination address reserved in RFC 1918 to be dropped after being optionally logged.

The nobogons option causes packets arriving on this interface that have a source address reserved by the IANA or by other RFCs (other than 1918) to be dropped after being optionally logged.
Default Policies

Figure 104: Firewall Default Policies

This menu allows you to add, delete and configure default policies. Add a new policy by selecting the “Add a new default policy” link or by clicking on the add-above or add-below images in the Add field. Reorder the policies by clicking on the arrows under the Move field. Clicking on a link under the Source zone field will allow you to edit or delete the policy, as shown below.
Masquerading

Figure 106: Firewall Masquerading And SNAT

This menu allows you to add, delete and configure masquerading and SNAT rules. Add a new rule by selecting the “Add a new masquerading rule” link or by clicking on the add-above or add-below images in the Add field. Reorder the rules by clicking on the arrows under the Move field. Clicking on a link under the Outgoing interface field will allow you to edit or delete the rule, as shown below.
Firewall Rules

Figure 108: Firewall Rules

This menu allows you to add, delete and configure firewall rules. These rules are inspected and applied before the default policies are used. Add a new rule by selecting the “Add a new firewall rule” link or by clicking on the add-above or add-below images in the Add field. Reorder the rules by clicking on the arrows under the Move field.
The Original destination address field matches the request's destination IP address.

Note: If you are using DNAT to port forward, enter the original destination address here and the forwarded address in the Destination zone or port field's “Only hosts in zone with address” sub-field.

The Rate limit expression field specifies a rate limit control of the form “X/sec” or “X/min”, where X is the number of allowed requests in the time period.
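As an added example (not from the RuggedRouter guide or from Shorewall), the following parses a rate-limit expression of that form and applies it the way netfilter's limit match does, as a token bucket: a request is allowed while a token is available, tokens refill at the configured average rate, and the bucket never holds more than a burst's worth. The burst size and the request timestamps are constructed.

```python
import re
from typing import List, Sequence, Tuple

_PERIOD_SECONDS = {"sec": 1, "min": 60}


def parse_rate_limit(expr: str) -> Tuple[int, int]:
    """Return (requests, period_in_seconds) for an 'X/sec' or 'X/min' expression."""
    m = re.fullmatch(r"\s*(\d+)\s*/\s*(sec|min)\s*", expr)
    if not m:
        raise ValueError(f"bad rate limit expression: {expr!r}")
    return int(m.group(1)), _PERIOD_SECONDS[m.group(2)]


class TokenBucket:
    """Average rate of `count` requests per `period` seconds, with at most
    `burst` tokens banked (burst is an assumed parameter of this example)."""

    def __init__(self, count: int, period: int, burst: int = 5):
        self.count, self.period, self.burst = count, period, burst
        self.tokens = float(burst)       # a fresh bucket starts full
        self.last = 0.0                  # timestamp of the previous request

    def allow(self, now: float) -> bool:
        # Refill in proportion to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.count / self.period)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def apply_limit(expr: str, timestamps: Sequence[float], burst: int = 5) -> List[bool]:
    """Decide, for each request timestamp (seconds, non-decreasing), whether
    the rule's rate limit would still let it through."""
    count, period = parse_rate_limit(expr)
    bucket = TokenBucket(count, period, burst)
    return [bucket.allow(t) for t in timestamps]


if __name__ == "__main__":
    # Constructed burst of seven requests at t=0, then three more one second later.
    print(apply_limit("2/sec", [0, 0, 0, 0, 0, 0, 0, 1.0, 1.0, 1.0]))
```

The first five requests pass on the banked burst, the next two are refused, and one second later exactly two more tokens have accrued, so the rule admits two further requests before refusing again. The same mechanics give "1/min" with a burst of 1 a single admission per sixty seconds.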
The Active for all hosts field is used to specify whether access to the external IP from all firewall interfaces should undergo NAT (Yes or yes) or if only access from the interface in the INTERFACE column should undergo NAT. The Active for firewall system field is used to specify whether packets originating from the firewall itself and destined for the EXTERNAL address are redirected to the internal ADDRESS.
Chapter 14 - Traffic Control

Traffic Control (TC) Fundamentals

Traffic Control is a subsystem of the firewall that allows management of the amount of bandwidth per network interface that different types of traffic are permitted to use. Each interface to be managed is assigned a total bandwidth that it should allow for incoming and outgoing traffic. Classes are then defined for each interface, each with its own minimum assured bandwidth and a maximum permitted bandwidth.
TC Classes

Interface  Mark  Minimum  Maximum    Priority  Options
eth1       1     full/2   full       0
eth1       2     1kbit    full       1
eth1       3     full/5   full*5/10  2
eth1       4     1kbit    full*5/10  3

Mark      Source  Destination  Protocol  Source Port  Dest Port  Test  Length  TOS
2         Any     Any          ICMP      Any          Any        Any   Any     Any
RESTORE   Any     Any          Any       Any          Any        0     Any     Any
CONTINUE  Any     Any          Any       Any          Any        !0    Any     Any
1         Any     Any          UDP       20000        Any        Any   Any     Any
3         Any     Any          TCP       Any          80         Any   Any     Any
4
Traffic Control Configuration

Note: Traffic Control is mutually exclusive with Traffic Prioritization. Do not enable both of these features at once.

TC Interfaces (tcdevices)

Figure 113: TC Interfaces

This menu allows you to add, edit or remove traffic classification interfaces, and to assign the maximum inbound and outbound bandwidths that the interface can handle.
TC Classes

Figure 115: TC Classes

This menu allows you to add, edit, or remove a traffic classification class. Please note that each class is associated with exactly one network interface. Exactly one class for each interface must be designated as default. Unmarked traffic (packets which have not been assigned a mark value in the TC Rules menu or via VLAN 802.1p) will be handled by the default class. Classes can match packets either by their assigned mark or by their ToS field.
Chapter 14 - Traffic Control Bandwidth is specified in megabytes per second (mbps), megabits per second (mbit), kilobytes per second (kbps), kilobits per second (kbit), or bytes per second (bps). Alternately it can be specified as a fraction of the full port speed defined in the TC Interfaces menu. The Priority field specifies the priority with which this class is serviced. Please note that lower value priority classes will be serviced first (and hence with lower latency).
TC Rules

This menu allows you to add, edit or remove a traffic classification rule. Add a new rule by selecting the Add a new traffic classification rule link or by clicking on the add-above or add-below images in the Add column. Reorder rules by clicking on the arrows in the Move column.

Figure 117: TC Rules

Clicking on a link in the Mark column will allow you to edit or delete a traffic classification rule, as shown below.
Figure 118: Edit TC Rule

The Mark row determines how the mark value will be assigned for a packet or a connection:
• The Set field determines whether the packet or the connection is assigned the mark. The mark to field specifies the mark value for the rule and the / field specifies the mask for the mark value (if the / field is empty, the mark value will be the value set in the mark to field). The in field specifies the chain in which the rule will be processed.
The TOS field specifies the packet TOS value to match. The field may be decimal or hex.

Hints on optimizing the TC Rule table

Every rule is processed in table order for every packet, unless a CONTINUE rule is matched, in which case processing stops. This can be used to improve efficiency in combination with the SAVE and RESTORE rules.
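The following added example (not code from the RuggedRouter guide or from Shorewall) simulates the TC Rules table from the fundamentals section so the saving from the RESTORE/CONTINUE pair can be measured, and it also translates the bandwidth fields of the TC Classes table (full/2, full*5/10, 1kbit) into bits per second. The trailing SAVE rule, the connection identifiers, the sample packets and the 1024-based unit multipliers are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = "Any"

# Unit multipliers to bits per second (1024-based, as the tc utility counts; assumed).
UNIT_BITS = {"bps": 8, "kbps": 8 * 1024, "mbps": 8 * 1024 * 1024,
             "kbit": 1024, "mbit": 1024 * 1024}


def bandwidth_bits(spec: str, full_bits: int) -> int:
    """Translate a TC Classes bandwidth field into bits per second.

    Understands 'full', 'full/N' and 'full*N/M' (fractions of the interface
    rate from the TC Interfaces menu) and absolute values with a unit suffix.
    """
    if spec.startswith("full"):
        num, den, rest = 1, 1, spec[4:]
        if rest.startswith("*"):
            n, _, d = rest[1:].partition("/")
            num, den = int(n), (int(d) if d else 1)
        elif rest.startswith("/"):
            den = int(rest[1:])
        return full_bits * num // den
    for unit in sorted(UNIT_BITS, key=len, reverse=True):
        if spec.endswith(unit):
            return int(spec[: -len(unit)]) * UNIT_BITS[unit]
    raise ValueError(f"unrecognised bandwidth: {spec!r}")


@dataclass
class Pkt:
    conn: str                    # connection id, standing in for conntrack
    proto: str                   # "TCP", "UDP" or "ICMP"
    sport: Optional[int] = None
    dport: Optional[int] = None
    mark: int = 0                # packet mark; 0 means unmarked


@dataclass
class TcRule:
    mark: str                    # class mark, or RESTORE / SAVE / CONTINUE
    proto: str = ANY
    sport: str = ANY
    dport: str = ANY
    test: str = ANY              # "0": packet unmarked, "!0": already marked


def _match(spec: str, value) -> bool:
    return spec == ANY or str(value) == spec


def _test(spec: str, mark: int) -> bool:
    if spec == ANY:
        return True
    return mark != int(spec[1:]) if spec.startswith("!") else mark == int(spec)


def classify(rules: List[TcRule], pkt: Pkt, conn_marks: Dict[str, int]) -> Tuple[int, int]:
    """Walk the table in order; return (final mark, number of rules visited)."""
    visited = 0
    for rule in rules:
        visited += 1
        if not (_match(rule.proto, pkt.proto) and _match(rule.sport, pkt.sport)
                and _match(rule.dport, pkt.dport) and _test(rule.test, pkt.mark)):
            continue
        if rule.mark == "RESTORE":           # connection mark -> packet mark
            pkt.mark = conn_marks.get(pkt.conn, 0)
        elif rule.mark == "SAVE":            # packet mark -> connection mark
            conn_marks[pkt.conn] = pkt.mark
        elif rule.mark == "CONTINUE":        # stop processing the table
            break
        else:
            pkt.mark = int(rule.mark)
    return pkt.mark, visited


# The rows of the TC Rules table in the fundamentals section, plus a trailing
# SAVE (assumed) so later packets of a connection have a mark to RESTORE.
TC_RULES = [
    TcRule("2", proto="ICMP"),
    TcRule("RESTORE", test="0"),
    TcRule("CONTINUE", test="!0"),
    TcRule("1", proto="UDP", sport="20000"),
    TcRule("3", proto="TCP", dport="80"),
    TcRule("SAVE"),
]


def run_sample() -> List[Tuple[int, int]]:
    """Constructed flow: two HTTP packets of one connection, then ICMP and UDP."""
    conn_marks: Dict[str, int] = {}
    flow = [Pkt("c1", "TCP", 40000, 80), Pkt("c1", "TCP", 40000, 80),
            Pkt("c2", "ICMP"), Pkt("c3", "UDP", 20000, 53)]
    return [classify(TC_RULES, p, conn_marks) for p in flow]


if __name__ == "__main__":
    print(run_sample())
    print([bandwidth_bits(s, 10 * 1024 * 1024) for s in ("full/2", "full*5/10", "1kbit")])
```

The first HTTP packet of a connection visits all six rules and ends with mark 3, which SAVE records against the connection; the second packet has its mark RESTOREd at rule 2 and stops at the CONTINUE in rule 3, so the classifying rules further down are never consulted for it. ICMP is marked by rule 1 and likewise stops at rule 3.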
Chapter 15 - Configuring IPsec VPN

Introduction

This chapter familiarizes the user with:
• Configuring IPsec VPN Global Options
• Creating VPN Connections
• Enabling And Starting IPsec
• Obtaining VPN Status

VPN Fundamentals

IPsec (Internet Protocol SECurity) uses strong cryptography to provide both authentication and encryption services. Authentication ensures that packets are from the right sender and have not been altered in transit.
Policy Vs Route Based VPNs

The RuggedRouter supports two main modes of VPN: policy and route based VPN.
Public Key And Pre-shared Keys

In public key cryptography, keys are created in matched pairs (called public and private keys). The public key is made public while the private key is kept secret. Messages can then be sent by anyone who knows the public key to the holder of the private key. Only the owner of the private key can decrypt the message.
• protocol 51, IPSEC-AH Authentication Header (RFC2402),
• protocol 50, IPSEC-ESP Encapsulating Security Payload (RFC2406),
• UDP port 500.

You must configure the firewall to accept connections on these ports and protocols. See the Configuring The Firewall chapter, Configuring The Firewall And VPN section for details.

The Openswan Configuration Process

Each VPN connection has two ends, in the local router and the remote router.
IPsec VPN Configuration

VPN Main Menu Before Key Generation

Figure 119: IPsec VPN Configuration Menu Before Key Generation

Upon the first entry to this menu you will be prompted to generate a VPN host key. Key generation will require about 30 seconds to complete, after which the menu appearance will change.

VPN Main Menu

The new menu appearance will resemble that of the following menu with the exception that you will be warned that VPN networking is not enabled.
Select the Show Public Keys icon to display the server's public key. Select the IPsec Status icon to display information about the server's capabilities and any current connections. After a VPN connection is created this menu will include a “Start Connection” button that can start or restart VPN connections. This button is shown in the next view of the VPN Configuration menu.
If the Default route interface field is selected, Openswan will use the real interface owning the default route to associate the named ipsec interface with. If the Default field is selected, Openswan will use its current default (Default route interface at the time of writing) to associate the named ipsec interface with. If the Listed below.. field is selected, Openswan will establish the real-to-ipsec interface associations listed.
List Certificates

Figure 125: List Certificates

This menu lists available certificate files, their corresponding key files and details whether a public key for the certificate is configured.

VPN Connections

The IPsec main menu “Add a new IPsec VPN connection” link leads to the “Create Connection” menu, creating a new connection and its icon. Selecting the connection's icon from the IPsec main menu displays the same menu, allowing editing and deletion.
Chapter 15 - Configuring IPsec VPN IPsec VPN Connection Details Figure 126: Editing A VPN Connection, Part 1 The Connection name field associates a name with the connection. Do not embed whitespace in the name. The At IPsec startup field determines what happens to the connection after Openswan starts and includes the options “Ignore”, “Add connection”, “Start Connection”, “Route” and “Default”. A value of “Ignore” will cause the connection to be ignored.
RuggedRouter® User Guide Left/Right System's Settings Figure 127: Editing A VPN Connection, Part 2 The Public IP address fields determine the IP address of the side of the connection being edited. Check the Address or hostname.. field and provide a fixed IP address or hostname. If this side reflects a remote client whose IP address changes, select Automatic (%any). Use From default route if the host's IP is dynamically assigned.
Showing IPsec Status
1 interface lo/lo 127.0.0.1
2 interface eth1/eth1 10.0.0.253
3 interface eth2/eth2 204.50.190.89
4 interface w1ppp/w1ppp 206.186.238.
The fourth group (lines 30-39) describes the VPN connections (here “openswantest”). The first line is particularly useful since it indicates the connection addresses, subnets and that the connection is active (“erouted”). If there are no entries, then the VPN hasn't been established at all. If there are entries, but no STATE_QUICK_R2 (IPsec SA established) lines, then the IPsec parameters are configured but the tunnel hasn't been established.
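The three-way reading of the status output just described, as an added example that is not part of the RuggedCom guide: a small Python parser that classifies a named connection from `ipsec auto --status` text. The two samples are constructed and assume the conventional Openswan (Pluto) status line layout; the connection name, addresses and SA numbers are made up.

```python
"""Classify an Openswan connection from `ipsec auto --status` output.

Added example, not from the RuggedCom guide. The samples are constructed and
assume the conventional Openswan (Pluto) status line layout:
  000 "<name>": <left>===<gw>...<gw>===<right>; erouted; eroute owner: #N
  000 #N: "<name>":500 STATE_xxx (description); ...
"""
import re

CONN_RE = re.compile(r'^000 "(?P<name>[^"]+)":\s*(?P<body>.*)$')
SA_RE = re.compile(r'^000 #(?P<sa>\d+): "(?P<name>[^"]+)":\d+ (?P<state>STATE_\w+)')

# States meaning "IPsec SA established": STATE_QUICK_R2 is the responder side
# (the one the guide names); an initiator shows the equivalent STATE_QUICK_I2.
IPSEC_UP_STATES = {"STATE_QUICK_R2", "STATE_QUICK_I2"}

# Constructed: connection "openswantest" with its tunnel up (responder side).
SAMPLE_UP = """\
000 "openswantest": 10.0.0.0/24===204.50.190.89...198.51.100.7===192.168.10.0/24; erouted; eroute owner: #2
000 "openswantest":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 #2: "openswantest":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2650s; newest IPSEC; eroute owner
000 #1: "openswantest":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 1450s; newest ISAKMP
"""

# Constructed: same connection loaded, but Main Mode is still retransmitting.
SAMPLE_NEGOTIATING = """\
000 "openswantest": 10.0.0.0/24===204.50.190.89...198.51.100.7===192.168.10.0/24; unrouted; eroute owner: #0
000 #1: "openswantest":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 10s; nodpd
"""


def parse_status(text):
    """Return {connection name: {"erouted": bool, "states": [STATE_...]}}."""
    conns = {}
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            entry = conns.setdefault(m["name"], {"erouted": False, "states": []})
            entry["states"].append(m["state"])
            continue
        m = CONN_RE.match(line)
        if m:
            entry = conns.setdefault(m["name"], {"erouted": False, "states": []})
            # Body fields are ';'-separated; a bare "erouted" field means traffic
            # is being steered into the tunnel (as opposed to "unrouted").
            if "erouted" in [f.strip() for f in m["body"].split(";")]:
                entry["erouted"] = True
    return conns


def classify(text, name):
    """Apply the guide's reading: no entries, entries without an IPsec SA, or up."""
    conns = parse_status(text)
    if name not in conns:
        return "ABSENT"                 # no entries: nothing established at all
    if IPSEC_UP_STATES & set(conns[name]["states"]):
        return "TUNNEL_UP"              # IPsec SA established
    return "CONFIGURED_NO_TUNNEL"       # parameters loaded, tunnel not up
```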
Generate X.509 Certificates
Use the authority to produce a certificate authority public certificate (cacert) and a certificate for each of the clients and a certificate for the router. The certificate authority will require some information that is shared by all certificates (e.g. a Country Name (C), a State Or Province Name (S), an Organization name (O)) and some per-client information (e.g. a Common Name (CN) and an Email address (E)).
Parameters
Parameter | Value | Comments
At IPsec Startup | Add connection | We wish to add the connection when the client starts it.
Authenticate by | rsasig | X.509 certificates provide RSA
Connection Type | Tunnel |
Encryption Protocols | As desired |
Compress Data | As desired |
Perfect Forwarding Secrecy | As desired | Recommend “yes”
NAT Traversal | No | Required when the router acts as a client and is behind a NAT firewall.
Chapter 16 - Configuring Dynamic Routing
Introduction
This chapter familiarizes the user with:
• Enabling The Dynamic Routing Suite
• Enabling And Starting OSPF and RIP
• Configuring OSPF and RIP
• Obtaining OSPF and RIP Status
• OSPF and VRRP
Quagga, RIP and OSPF
Dynamic routing is provided by the Quagga suite of routing protocol daemons. Quagga provides three daemons for managing routing, the core, ripd and ospfd.
OSPF Fundamentals
The Open Shortest Path First (OSPF) routing protocol determines the best path for routing IP traffic over a TCP/IP network based on link cost and quality. Unlike static routing, OSPF takes link failures and other network topology changes into account. Unlike the RIP routing protocol, OSPF generates less router to router update traffic. RuggedRouter routing protocols are supplied by the Quagga routing package.
A router can be part of multiple areas and function as a gateway between areas. When multiple areas are used on a network, area 0 is the backbone area. All areas must have a router connecting them to area 0.
Router-ID
Defines the ID of the router. By default this is the highest IP assigned to the router. It is often a good idea to configure this value manually to avoid the router-id changing if interfaces are added or deleted from the router.
Link Detect
When link detect is enabled for an OSPF/RIP active interface, OSPF or RIP will be notified when the interface goes down and will stop advertising subnets associated with that interface. OSPF and RIP will resume advertising the subnet when the link is restored. This allows OSPF and RIP to detect link failures more rapidly (as the router does not have to wait a dead interval to time out).
Note: Ensure that Antispoofing is disabled if you are constructing the above described type of OSPF network. Antispoofing can be disabled in the Network Configuration menu, Core Settings sub-menu.
Administrative Distances
The router may work with different routing protocols at the same time, as well as employing local interface and statically assigned routes.
The point-to-point T1/E1 interfaces and Ethernet interfaces on Router 1 and 2 must be made active. The Ethernet interface on Router 3 can be left passive since it does not participate in OSPF advertisements. Router 1 and 2 must enable link-detect, to stop advertising 1.1.1.0/24 in the event of a link failure.
VRRP Operation
Router 1 and 2 have VRRP set up on their Ethernet connection so that they can both function as the gateway for the clients on their network segment.
Dynamic Routing Configuration
Figure 131: Dynamic Routing Menu
Before dynamic routing protocols can be used, quagga must be enabled in the Bootup and Shutdown menu. After quagga is enabled, RIP or OSPF itself must be enabled in the Enable Protocols menu of Dynamic Routing. The Core menu configures link related items such as link-detect and link cost. The RIP and OSPF menus configure these protocols for each interface.
Core
Figure 133: Core Menu
The Core routing daemon handles communications between the kernel of the router and the other dynamic routing protocols. Core handles link detection and monitoring static routes and routes for directly connected interfaces on the router. It also manages adding routes to the kernel routing table based on the routes discovered by other dynamic routing protocols.
Core Interface Parameters
Parameters specific to one interface are configured here.
Figure 135: Core Interface Parameters
Each interface on the router is listed. Clicking on settings displays a menu of configuration options for that interface. Clicking on status displays the current status of the interface, including link state, IP address and traffic counts.
OSPF Global Parameters
Figure 137: OSPF Global Parameters
The Enable Password field sets the password to be used for the enable command of ospfd. This is used by the telnet interface of ospfd to control access to the configuration. The Telnet Password field sets the password to be used for telnet access to ospfd. This is used as the login password of ospfd when locally telnetting to port 2604 of the router.
The Auto Cost Reference Bandwidth field sets the reference bandwidth used to calculate auto costs for OSPF interfaces. The auto cost is the reference bandwidth divided by the interface bandwidth. By default this is 100Mbit/10Mbit = auto cost of 10. The interface cost is set in the Core Interface configuration for each interface. The cost for each interface can also be set in the OSPF Interface configuration to override the auto cost calculation.
OSPF Interfaces
Figure 138: OSPF Interfaces
Parameters specific to one interface are configured here. Each interface on the router is listed. Clicking on settings displays a menu of configuration options for that interface. Clicking on status displays the current status of the interface, including link state and current OSPF status on the interface. If an interface is not part of an area it will show up as OSPF not enabled on interface.
OSPF Network Areas
Figure 139: Network Areas
OSPF uses areas to control which routes are distributed between routers. To add a network to an area, enter the area id and the network address and netmask and click Add. To delete an entry click the Delete button beside the entry. All network routes that are part of the same area will be distributed to other routers in the same area.
RIP
Figure 140: RIP Menu
This menu contains the configuration and status of RIP on the router. The RIP Global Parameters and RIP Interfaces configure RIP. The Status and View RIP Configuration menus display the actual status and configuration file contents of RIP.
RIP Global Parameters
Figure 141: RIP Global Parameters
The Enable Password field sets the password to be used for the enable command of ripd.
The Hostname field sets the hostname for the rip daemon. This value is only used as a reference for convenience. The telnet interface prompt will contain this hostname. The router's system wide hostname is used if this field is left blank. The Default-Information Originate field, when enabled, causes the router to advertise its default route to the RIP network.
RIP Interfaces
Figure 142: RIP Interfaces
Parameters specific to one interface are configured here. Each interface on the router is listed. Clicking on settings displays a menu of configuration options for that interface. Clicking “Remove inactive interfaces” purges the list of any interfaces which are no longer configured on the router. The Passive Interface option controls if an interface is active or passive. Passive interfaces do not send RIP updates to other routers.
RIP Networks
Figure 143: RIP Networks
Neighbors are specific routers with which to exchange routes using the RIP protocol. This can be used when you want to explicitly control which routers are part of your RIP network. Networks are used when you want to add any router that is part of a specific subnet, or connected to a specific network interface to be part of your RIP network. Both neighbors and networks can be used at the same time.
Chapter 17 - Link Backup
Introduction
This chapter familiarizes the user with:
• Configuring link backup
• Obtaining system status
• Testing link backup
Link Backup Fundamentals
Link backup provides an easily configured means of raising a backup link upon the failure of a designated main link. The main and backup links can be Ethernet, CDMA or Dial Modem, TE1, DDS, ADSL or T3. The only requirement is that the main link be a “permanent” link raised at boot time.
The daemon will construe the main link as having failed (even if its link status is “up”) if the remote host fails to respond to a configurable number of pings after waiting a configurable timeout for each ping.
Use Of Routing Protocols And The Default Route
If the main trunk is on a private network, employ a routing protocol to ensure that an alternate route to the end network is learned after the backup trunk is raised.
Edit Link Backup Configuration
Figure 147: Edit Link Backup Configuration
Set the Name field to supply an identification of the pair. This field initially defaults to the “main_link_name->backup_link_name”. The Enable this configuration field enables this backup. The Transfer default gateway field causes the gateway to be transferred to the backup link upon failure of the main link path.
You may delete a link backup configuration through the Delete button.
Note: If you delete a link backup configuration that has failed over (or is failing over) to its backup trunk the link daemon will stop attempting the link backup and restore the main trunk, even if the main trunk is still down.
Link Backup Logs
Figure 148: Link Backup Log
The link backup log displays the log of recent backup events.
The Test Duration field controls the amount of time to run before restoring service to the main trunk. Please note that this duration must take into account the timing parameters of the backup configuration: The duration should comfortably exceed the Ping Interval plus the Ping Timeout multiplied by the Ping retry count plus the Main path down timeout. In the case of a dial backup configuration, also be sure to take into account the call setup and modem connection times.
Chapter 18 - Configuring VRRP
Introduction
This chapter familiarizes the user with:
• Configuring VRRP
• Enabling And Starting VRRP
• Obtaining VRRP Status
VRRP Fundamentals
The Virtual Router Redundancy Protocol (VRRP) eliminates a single point of failure associated with statically routed networks by providing automatic failover using alternate routers. The RuggedRouter VRRP daemon (keepalived) is an RFC 2338 version 2 compliant implementation of VRRP.
Each Virtual Router has a user-configured Virtual Router Identifier (VRID) and a Virtual IP address or set of IP addresses on the shared LAN. Hosts on the shared LAN are configured to use these addresses as the default gateway. One router in the Virtual Router Group will be elected as the Master, all other routers in the group will be Backups. Each router in the group will run at a specific Priority. The router with the highest priority is elected Master.
In the following network, both host 1 and host 2 use a gateway of 192.168.3.10. The external side can access the internal side by gateway 192.168.2.10. The VRID_20 and VRID_21 are grouped together. Normally the Router 1 will provide both internal and external access gateway as its priority is higher than those on Router 2. When either internal or external side of Router 1 becomes inoperative, it will remove the control of both VRIP 192.168.2.10 and 192.168.3.
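The election and grouping behaviour in the two-router network above, as an added example that is not part of the RuggedCom guide. VRIDs 20 and 21 and the two VRIPs come from the scenario; the priorities (150 and 100), interface names and the simplified tie-break are assumptions.

```python
"""VRRP master election with grouped (synchronised) instances.

Added example, not from the RuggedCom guide. Priorities 150/100 and interface
names are assumed; VRIDs 20/21 and the VRIPs follow the guide's scenario. The
RFC 2338 tie-break on primary IP address is replaced by router name, which is
a simplification.
"""
from dataclasses import dataclass


@dataclass
class Instance:
    vrid: int
    vrip: str          # virtual IP this instance answers for
    interface: str     # interface VRRP advertisements are sent on
    priority: int      # 1..254; the highest priority is elected Master


@dataclass
class Router:
    name: str
    instances: dict    # vrid -> Instance
    link_up: dict      # interface -> bool


def eligible(router, vrid, groups):
    """A router may be Master for vrid only if its interface for that VRID is up
    and, for every group containing vrid, every grouped interface is up too."""
    inst = router.instances.get(vrid)
    if inst is None or not router.link_up.get(inst.interface, False):
        return False
    for group in groups:
        if vrid in group:
            for other in group:
                other_inst = router.instances.get(other)
                if other_inst is None or not router.link_up.get(other_inst.interface, False):
                    return False
    return True


def elect(routers, vrid, groups=()):
    """Return the name of the Master for vrid, or None if nobody can serve it."""
    candidates = [r for r in routers if eligible(r, vrid, groups)]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.instances[vrid].priority, r.name))
    return best.name


def scenario(router1_eth2_up, grouped):
    """The guide's network: VRID 20 guards 192.168.2.10 (external side) and
    VRID 21 guards 192.168.3.10 (internal side); Router 1 has the higher priority."""
    r1 = Router("Router 1",
                {20: Instance(20, "192.168.2.10", "eth1", 150),
                 21: Instance(21, "192.168.3.10", "eth2", 150)},
                {"eth1": True, "eth2": router1_eth2_up})
    r2 = Router("Router 2",
                {20: Instance(20, "192.168.2.10", "eth1", 100),
                 21: Instance(21, "192.168.3.10", "eth2", 100)},
                {"eth1": True, "eth2": True})
    groups = [(20, 21)] if grouped else []
    return {vrid: elect([r1, r2], vrid, groups) for vrid in (20, 21)}
```

Without the group, a failure of Router 1's internal side moves only VRID 21 to Router 2 while VRID 20 stays on Router 1, so traffic entering through 192.168.2.10 is delivered to a router that has lost its internal link.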
VRRP Configuration
VRRP Main Menu
Figure 153: VRRP Main Menu
Note that VRRP is disabled by default and may be enabled via the System folder, Bootup And Shutdown menu. VRRP can be configured through the VRRP Configuration link before the daemon is started. When enabled, any configuration changes may be made to take effect by selecting the Restart VRRP daemon button. The VRRP Instances Status link presents the status of VRRP instances existing as of the last restart of keepalived.
Editing A VRRP Instance
Figure 155: VRRP Instance
The Name field is purely for informational purposes. The Interface field configures the interface that VRRP packets are sent upon. The Virtual Router ID field determines the VRID number. Ensure that all routers supplying the same VRIP have the same VRID. The value of the VRID varies from 1 to 255. The Advert Interval field configures the time between VRRP advertisements.
Editing A VRRP Group
Figure 156: VRRP Group
The Group Name field is only for informational purposes. The Group Members field determines the group members in this VRRP group. At least two members are needed in order to establish a group.
Viewing VRRP Instances Status
Figure 157: VRRP Instances Status
The VRRP Instances Status menu displays the current status of VRRP instances. This menu does not update status in real time.
Chapter 19 - Configuring Traffic Prioritization
Introduction
This chapter familiarizes the user with:
• Enabling/Disabling Traffic Prioritization
• Viewing Traffic Prioritization Statistics
Traffic Prioritization Fundamentals
The RuggedRouter is able to prioritize traffic transmitted on network interfaces (including Ethernet, T1E1, DSL and PPP ports), giving preferential treatment to certain classes of traffic.
Protocols that can be matched upon include tcp, udp, icmp, ospf, vrrp and ipsec.
TOS Prioritization
The priority of an IP packet can be derived from its Type of Service field.
Prioritization Example
A remote site router connects to a private network via a T1 line. The router uses OSPF to manage an alternate routing, but its primary purpose is to allow access to a switched network of RuggedServers implementing TcpModbus gateways (TCP/UDP port 502). The router and switches are managed through their Web interfaces, but can be managed through SSH as well. The RuggedServers are managed through Telnet.
Configuring Traffic Prioritization
Note: Traffic Prioritization is mutually exclusive of Traffic Control. Do not enable both of these features at once.
Traffic Prioritization Main Menu
Figure 158: Traffic Prioritization Main Menu
This menu displays network interfaces for which prioritization may be activated. Prioritization may be configured by following the Interface column link.
Reorder the queues and filters by clicking on the arrows in the Move field. Some restrictions apply with queues. You are not allowed to reorder queues in a way that violates the priority implicit in their name. The Transmit Queue Length Selector allows you to make a tradeoff between latency and performance. Remove prioritization by selecting the Delete and Apply button.
Prioritization Transmit Queue Length
The WAN protocols supplied by the RuggedRouter rely upon transmit queues to ensure their efficiency. Even as a packet is starting to be transmitted, other packets can be lining up behind it. Normally there is only one queue, the transmit queue, and packets are transmitted from it in the order in which they arrived. The transmit queue is a means of enhancing performance.
Chapter 20 – Configuring Generic Routing Encapsulation
Introduction
This chapter familiarizes the user with:
• Enabling/Disabling GRE
• Viewing GRE Status
GRE Fundamentals
The RuggedRouter is able to encapsulate multicast traffic and IPv6 packets and transport them through an IPv4 network tunnel. The GRE tunnel can transport the traffic through any number of intermediate networks.
GRE Configuration
GRE Main Menu
Figure 164: GRE Main Menu
This menu displays configured GRE tunnels. The tunnel status will be “active” if the tunnel was successfully created.
GRE Configuration Menu
Figure 165: GRE Tunnel Configuration Menu
This menu allows you to add or edit a tunnel. The Tunnel Name field will be presented if the tunnel is being created. The tunnel name is purely for informational purposes. A network routing device with this name will be created.
The Local Egress Port configures a port to bind the tunnel to. If set, tunneled packets will only be routed via this port and will not be able to escape to another device when the route to the endpoint changes.
Chapter 21 - Network Utilities
Introduction
This chapter familiarizes the user with:
• Pinging hosts,
• Running a traceroute,
• Performing a host lookup,
• Tracing line activity,
• Showing interface statistics.
Network Utilities Main Menu
Figure 166: Network Utilities Main Menu
The lower part of the menu provides quick pinging, tracerouting and lookup of hosts. The upper part leads to menus providing more configurable options for these commands.
Ping Menu
Figure 167: Ping Menu
The Hostname field accepts the host name or IP address to ping. The Verbose Output? field causes ping to present the maximum of output. The Lookup Addresses? field causes ping to resolve IP addresses to domain names. This can make ping behave very slowly if DNS is not properly configured. The Packet Size? field specifies the size of the data in the ping packet. The true length of the packet is 28 bytes larger due to IP/ICMP overhead.
The Packet Length? field specifies the size of the data in the traceroute packet. The Interface? field specifies the network interface from which to obtain the source IP address for outgoing probe packets. Otherwise the router will manually set the address based on the actual interface taken.
Host Menu
Figure 169: Host Menu
The Hostname field accepts the host name or IP address to look up. The Type? field selects the type of information to capture.
The Maximum packets captured and Maximum capture time fields limit the amount of traffic captured. The Lookup Addresses? field causes ping to resolve IP addresses to domain names. This can make ping behave very slowly if DNS is not properly configured. The Display link level header field causes this header to be displayed. The Perform HEX/ASCII dump field will cause the data content of the captured packets to be displayed. This option generates a large amount of data.
The Message RX/TX and Incoming/Outgoing Connections fields cause data packets and connection activity to be included in the trace. The Hex dump field causes the content of data packets to be displayed. The Maximum packets captured and Maximum capture time fields limit the amount of traffic captured.
Interface Statistics Menu
Figure 173: Interface Statistics Menu
This menu provides basic statistics for all network interfaces.
This menu displays the current routing table and the state of the router's interfaces. Select the Refresh link in order to refresh the display. The entries under the Destination field reflect the network or host which can be reached through this route. The “default” entry matches any packet which has not already matched another route. The entries under the Via field reflect the address of the gateway to route packets through to reach the target network.
Chapter 22 - Configuring Serial Protocols
Introduction
This chapter familiarizes the user with:
• RawSockets Applications
• TCP Modbus Server Applications
• DNP (Distributed Network Protocol)
• Configuring Serial ports for RawSocket
• Viewing Serial Port and TCP Connection status and statistics
• Resetting Serial ports
• Tracing Serial Port activity
Serial IP Port Features
RuggedCom Serial IP provides the following features:
• Raw Socket Protocol -A means to tran
Serial Protocols Applications
Character Encapsulation
Character encapsulation is used any time a stream of characters must be reliably transported across a network. The character streams can be created by any serial device. The baud rates supported at either server need not be the same. If configured, the router will obey XON/XOFF flow control from the end devices. One of the routers is configured to listen to TCP connection requests on a specific TCP port number.
Serial Protocols Concepts And Issues
Host And Remote Roles
RuggedRouter can either initiate or accept a TCP connection for serial encapsulation. It can establish a connection from field (“remote”) equipment to the central site (“host”) equipment, vice versa, or bi-directionally. Configure RuggedRouter at the host end to connect to the remote when:
• The host end uses a port redirector that must make the connection.
Use of Turnaround Delays
Some RTU protocols (such as ModBus) use the concept of a turnaround delay. When the host sends a message (such as a broadcast) that does not invoke an RTU response, it waits a turnaround delay time. This delay ensures that the RTU has time to process the broadcast message before it has to receive the next poll. When polling is performed, network delays may cause the broadcast and next poll to arrive at the remote server at the same time.
Port Numbers
The TCP port number dedicated to Modbus use is port 502. The Server Gateway can also be configured to accept a connection on a configurable port number. This “auxiliary” port can be used by masters that do not support port 502.
Retransmissions
The Server Gateway offers the ability to resend a request to an RTU should the RTU receive the request in error or the Server Gateway receives the RTU response in error.
TcpModbus Performance Determinants
The following description provides some insight into the possible sources of delay and error in an end-to-end TcpModbus exchange.
Steps 5-8 represent the case where the request is responded to by the RTU and is forwarded successfully to the master. It includes the “think time” for the RTU to process the request and build the response. Step 9a represents the possibility that the RTU is offline, the RTU receives the request in error or that the Server Gateway receives the RTU response in error. If the Server Gateway does not retry the request, it will issue an exception to the originator.
DNP (Distributed Network Protocol)
RuggedRouter supports DNP 3.0, commonly used by utilities in process automation systems. DNP3 protocol messages specify source and destination addresses. A destination address specifies which device should process the data, and the source address specifies which device sent the message. Having both destination and source addresses satisfies at least one requirement for peer-to-peer communication since the receiver knows where to direct a response.
Serial Protocols Configuration
Serial Protocols Main Menu
Figure 176: Serial Protocols Server Main Menu
Note that the Serial Protocols server is disabled by default and may be enabled via the System folder, Bootup And Shutdown menu. The Assign Protocols menu assigns a serial protocol to one of your serial ports. The Port Settings menu configures the serial port and its electrical protocol.
Assign Protocols Menu
Figure 177: Assign Protocols Menu
This menu associates a protocol with a serial port. Unused ports should be left associated with “none”. Changing an association will immediately close the calls of the old protocol.
Port Settings Menu
Figure 178: Port Settings Menu
This menu configures the serial settings and electrical protocol associated with a serial port. Changes are made immediately.
The Pack Char field configures the numeric value of the ASCII character which will force forwarding of accumulated data to the network. The Pack Char must be between 0 and 255 inclusive or the value off. If configured off, accumulated data will be forwarded based upon the packetization timeout parameter. The Pack Timer field configures the delay from the last received character until when data is forwarded.
The Turnaround field configures the amount of delay (if any) to insert after the transmission of Modbus broadcast messages out the serial port. The Turnaround must be between 1 and 1000 milliseconds inclusive, or off. The Retransmits field configures the number of times to retransmit the request to the RTU before giving up, should the original attempt fail. The Max Conns field configures the maximum number of incoming connections.
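The Retransmits behaviour, together with the exception-to-originator case from the TcpModbus Performance Determinants section (step 9a), as an added example that is not part of the RuggedCom guide. The request, RTU reply and failure pattern are constructed; the use of Modbus exception code 0x0B (Gateway Target Device Failed to Respond) is an assumption, since the guide does not say which code the router sends.

```python
"""TcpModbus Server Gateway: retransmit to the RTU, else exception to the master.

Added example, not from the RuggedCom guide. Request, reply and failure
pattern are constructed. Exception code 0x0B is the standard Modbus
"Gateway Target Device Failed to Respond"; the guide does not name the code
the router uses, so that choice is an assumption.
"""
MODBUS_TCP_PORT = 502
GATEWAY_TARGET_FAILED = 0x0B


def mbap(request_adu, pdu):
    """Wrap a PDU in an MBAP header echoing the request's transaction and unit
    identifiers; the length field counts the unit identifier plus the PDU."""
    return (request_adu[0:2] + b"\x00\x00"
            + (1 + len(pdu)).to_bytes(2, "big") + request_adu[6:7] + pdu)


def exception_adu(request_adu, code):
    """Exception response: function code with the high bit set, then the code."""
    func = request_adu[7]
    return mbap(request_adu, bytes([func | 0x80, code]))


def forward(request_adu, rtu, retransmits):
    """Poll the RTU up to 1 + retransmits times with the request PDU.
    rtu(pdu) returns the response PDU, or None when no valid reply arrived.
    Returns (ADU to send back to the master, number of attempts used)."""
    pdu = request_adu[7:]
    for attempt in range(1, retransmits + 2):
        reply = rtu(pdu)
        if reply is not None:
            return mbap(request_adu, reply), attempt
    return exception_adu(request_adu, GATEWAY_TARGET_FAILED), retransmits + 1


class FlakyRtu:
    """Constructed RTU that fails its first `failures` polls, then answers."""

    def __init__(self, failures, reply):
        self.failures, self.reply, self.polls = failures, reply, 0

    def __call__(self, pdu):
        self.polls += 1
        return None if self.polls <= self.failures else self.reply


# Constructed: transaction 1, unit 1, Read Holding Registers (0x03) 0..1.
REQUEST = bytes.fromhex("000100000006010300000002")
# Constructed RTU reply PDU: 4 data bytes, register values 0x000A and 0x0014.
REPLY_PDU = bytes.fromhex("0304000a0014")
```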
Figure 182: DNP Device Table Settings
The Rem IP field configures the IP address of the remote host that provides a connection to the DNP device with the configured address. The Port field configures the serial port to which the DNP device is attached. If the entry is for a remote DNP device, i.e. the DNP device is attached to the serial port of a remote IP host, the value of this parameter is 'Unknown'.
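How the Device Table is consulted, as an added example that is not part of the RuggedCom guide: Python that reads the destination address from a DNP3 data link header, checks the header CRC, and decides whether the frame belongs to a local serial port or to a remote IP host. The table entries and frames are constructed, and representing a locally attached device with Rem IP set to None is an assumption.

```python
"""Route a DNP3 frame by its destination address using the Device Table.

Added example, not from the RuggedCom guide. Device table entries and frames
are constructed; "port" is the local serial port and "rem_ip" the remote host
that owns the device (None for locally attached devices, an assumption).
"""
import struct

DNP3_START = b"\x05\x64"


def dnp3_crc(data):
    """CRC-16/DNP: polynomial 0x3D65 (0xA6BC reflected), result inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_header(dest, src, ctrl=0xC4, length=5):
    """Data link header: start, length, control, dest (LE), src (LE), CRC (LE).
    ctrl 0xC4 is DIR=1, PRM=1, function 4 (unconfirmed user data)."""
    body = DNP3_START + struct.pack("<BBHH", length, ctrl, dest, src)
    return body + struct.pack("<H", dnp3_crc(body))


def parse_header(frame):
    """Return (dest, src); raise ValueError on a bad start sequence or CRC."""
    if len(frame) < 10 or frame[:2] != DNP3_START:
        raise ValueError("not a DNP3 frame")
    if struct.unpack("<H", frame[8:10])[0] != dnp3_crc(frame[:8]):
        raise ValueError("header CRC mismatch")
    _length, _ctrl, dest, src = struct.unpack("<BBHH", frame[2:8])
    return dest, src


def header_ok(frame):
    try:
        parse_header(frame)
        return True
    except ValueError:
        return False


# Constructed Device Table mirroring the guide's Rem IP / Port fields.
DEVICE_TABLE = {
    10: {"rem_ip": None, "port": "ser1"},            # locally attached RTU
    20: {"rem_ip": "192.0.2.7", "port": "Unknown"},  # behind a remote router
}


def route(frame, table=DEVICE_TABLE):
    """Where the frame goes: ("serial", port), ("remote", ip) or None if unknown."""
    dest, _src = parse_header(frame)
    entry = table.get(dest)
    if entry is None:
        return None
    if entry["rem_ip"] is None:
        return ("serial", entry["port"])
    return ("remote", entry["rem_ip"])
```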
Serial Protocols Statistics Menu
Figure 183: Serial Protocols Statistics Menu
This menu presents statistics of serial port activity and established connections. The menu also allows you to reset a port, forcing call hang-up and re-establishment. The Port Statistics table provides a record for each active serial port. The number of historical received and transmitted characters as well as errors will be displayed.
Serial Protocols Trace Menu
Figure 184: Serial Protocols Trace Menu
This menu displays decoded serial port and network activity. The desired traffic sources, number of messages and length of time to capture are entered and the Start Trace button is pressed. The menu will display up to the provided number of messages waiting up to the specified number of seconds. The Trace on ports: selections feature a list of serial ports with unused entries greyed out.
Serial Protocols Sertrace Utility
The command line sertrace utility offers the ability to trace the activity of serial ports in real time. A port range may be specified to limit the output to specific ports. The level of traffic to trace and the type of decoding may be specified. The tool may also be used to force the port to transmit an output test message.
Chapter 23 - Configuring GOOSE Tunnels
Introduction
This chapter familiarizes the user with:
• Configuring GOOSE Tunnels
• Viewing GOOSE Tunnel status and statistics
• Tracing GOOSE activity
IEC61850 GOOSE Fundamentals
IEC61850 is an international standard for substation automation. It is a part of the International Electrotechnical Commission’s (IEC) Technical Committee 57 (TC57) architecture for electric power systems.
GOOSE Packets received from the network are stripped of their network headers and forwarded to Ethernet ports configured for the same multicast address. The forwarded frames contain the MAC source address of the originating device, and not that of the transmitting interface. The VLAN used will be that programmed locally for the interface and may differ from the original VLAN. The frame will be transmitted with the highest 802.1p priority level (p4).
General Configuration Menu
Figure 186: General Configuration Menu
This menu configures the daemon settings. The Daemon UDP Listen Port field configures the port used by the daemon to communicate with other daemons.
Note: All Layer 2 Tunnel daemons in the network must use the same port number. If the router employs a firewall, ensure that a hole is opened for each of the remote daemons using this port number.
The Multicast Address field configures the address to listen for. The Remote Daemon and Add a new Daemon fields specify the IP addresses of remote daemons.
GOOSE Statistics Menu
Figure 189: GOOSE Statistics Menu
This menu presents statistics of GOOSE activity at the Ethernet and Network Layers. The Ethernet Statistics table provides a record for each GOOSE tunnel. The number of historical received and transmitted characters as well as errors will be displayed.
Activity Trace Menu
Figure 190: Activity Trace Menu
This menu displays decoded GOOSE activity. The desired traffic sources, number of messages and length of time to capture are entered and the Start Trace button is pressed. The menu will display up to the provided number of messages waiting up to the specified number of seconds. The Trace on protocols: selections feature an (all too short) list of protocols with unused entries greyed out. The default is All Protocols.
Chapter 24 - Configuring The DHCP server
Introduction
This chapter familiarizes the user with:
• DHCP Server Configuration
• Use of Option 82
DHCP Fundamentals
Dynamic Host Configuration Protocol (DHCP) is a method for centrally and consistently managing IP addresses and settings for clients, offering a variety of assignment methods.
RuggedRouter® User Guide In DHCP, settings at a more specific level overrides higher levels. For example you can configure a DNS server for all clients, the create a group that overrides the setting. This allows defaults to be set at a high level to apply to most clients, while exceptions can be places just where they are needed. Many settings are only supported by certain specific types of clients, and are ignored by the majority of clients.
Chapter 24 - Configuring The DHCP server • Lease end for BOOTP clients: Cut off date for all BOOTP client leases. • Dynamic DNS enabled: Should DNS information be updated on the DNS server when a client receives an IP address. • Dynamic DNS domain name: The domain name to update dynamic DNS information in. • Dynamic DNS hostname: Use the specified hostname for clients, or use the hostname supplied by the client.
6) Restart the DHCP server or apply changes.
Single Network With Static IP Assignment
In this example the eth1 interface is provided with IP address 192.168.1.1/24. Assign address 192.168.1.101 to the DHCP client with MAC 00:11:22:33:44:01, address 192.168.1.102 to the DHCP client with MAC 00:11:22:33:44:02, and address 192.168.1.103 to the DHCP client with MAC 00:11:22:33:44:03. The router serves as the default gateway.
1) Enable eth1 in the 'Edit Network Interfaces' menu.
5) Set default routers to 192.168.1.1 and save it.
6) Click 'add an address pool' for the subnet.
7) Set the address range to 192.168.1.102 to 192.168.1.102.
8) Click 'Create'.
9) Edit the pool by clicking on the link for the pool with address range 192.168.1.102 - 192.168.1.102.
10) Click 'add an option82 client'.
11) Give the client a unique alphanumeric name (for example client0102).
12) Set the remote id to the switch MAC address (00:0A:DC:11:22:00 in this case).
6) Save it.
7) Edit the shared network again.
8) Add a new subnet, and configure it for network address 192.168.2.0 with netmask 255.255.255.0.
9) Save the new subnet and then save the shared network settings.
10) Edit the subnet just created and click 'Edit Client Options'.
11) Set default routers to 192.168.2.1 and save it.
12) Click 'add an address pool' for the subnet.
13) Set the address range to 192.168.2.101 to 192.168.2.200.
14) Click 'Create'.
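The matching that the 'add an option82 client' steps above configure, as an added example that is not part of the original guide or of the router's DHCP server: it parses the Relay Agent Information option (option 82, RFC 3046) out of a DHCP message and looks up the address configured for the remote id, which the example sets to the switch MAC address 00:0A:DC:11:22:00. The circuit id sub-option, its port encoding (00 03), the OPTION82_CLIENTS table and the sample DHCPDISCOVER message are constructed for this example and are not taken from the guide.

```python
"""Added example: parse DHCP option 82 (Relay Agent Information, RFC 3046) and
select the fixed address configured for the switch/port the request came from.

Not code from the RuggedRouter or its DHCP server. The switch inserts option 82
with its own MAC address as the remote-id; the circuit-id is assumed here to
carry the ingress port and the OPTION82_CLIENTS table is hypothetical.
"""

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2


def parse_tlvs(data, allow_pad_end=False):
    """Parse code/length/value triples into {code: value}.
    Repeated codes are concatenated (RFC 3396 long options). Raises on truncation."""
    out = {}
    i = 0
    while i < len(data):
        code = data[i]
        if allow_pad_end and code == OPT_PAD:
            i += 1
            continue
        if allow_pad_end and code == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past end of field" % code)
        out[code] = out.get(code, b"") + value
        i += 2 + length
    return out


def parse_dhcp_options(options):
    """Parse the options field of a DHCP message (must start with the magic cookie)."""
    if options[:4] != MAGIC_COOKIE:
        raise ValueError("not a DHCP options field (missing magic cookie)")
    return parse_tlvs(options[4:], allow_pad_end=True)


def relay_agent_info(options):
    """Return (remote_id_mac, circuit_id) from option 82, or None if absent.
    The remote-id is only accepted as a 6-byte MAC, which is how the guide's
    example configures it (the switch MAC address)."""
    opts = parse_dhcp_options(options)
    if OPT_RELAY_AGENT_INFO not in opts:
        return None
    sub = parse_tlvs(opts[OPT_RELAY_AGENT_INFO])
    remote = sub.get(SUBOPT_REMOTE_ID, b"")
    if len(remote) != 6:
        return None
    mac = ":".join("%02X" % b for b in remote)
    return mac, sub.get(SUBOPT_CIRCUIT_ID, b"")


# Hypothetical option 82 client table (step 12 of the guide gives the remote id;
# the circuit-id value 00 03 is an assumed switch-port encoding).
OPTION82_CLIENTS = {
    ("00:0A:DC:11:22:00", b"\x00\x03"): "192.168.1.102",
}


def select_fixed_address(options, table=OPTION82_CLIENTS):
    """Pick the fixed address for a request based solely on option 82,
    ignoring the client's own hardware address."""
    info = relay_agent_info(options)
    if info is None:
        return None
    return table.get(info)


# Constructed DHCPDISCOVER options field: option 53 = DISCOVER, then option 82
# (length 12) carrying circuit-id 00 03 and remote-id 00:0A:DC:11:22:00.
SAMPLE_DISCOVER = (
    MAGIC_COOKIE
    + b"\x35\x01\x01"
    + b"\x52\x0c"
    + b"\x01\x02\x00\x03"
    + b"\x02\x06\x00\x0a\xdc\x11\x22\x00"
    + b"\xff"
)

if __name__ == "__main__":
    print(relay_agent_info(SAMPLE_DISCOVER))      # ('00:0A:DC:11:22:00', b'\x00\x03')
    print(select_fixed_address(SAMPLE_DISCOVER))  # 192.168.1.102
```

Because option 82 is inserted by the switch on the client's behalf, the assignment is only as trustworthy as the path to the server: a host that can reach the DHCP server without passing through that switch can supply an option 82 of its own, so the single-address pool should only be reachable through the inserting switch.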
DHCP Configuration
DHCP Server Main Menu
Figure 191: DHCP Server Menu
The DHCP Server main menu shows the subnets configured for DHCP, as well as any groups and hosts. New subnets, groups and hosts can be added, and existing entries can be edited (and optionally deleted). The Edit Client Options button allows you to set global client settings for the DHCP server. Settings made here apply to all clients unless overridden at a lower level in the configuration.
DHCP Shared Network Configuration
Figure 192: DHCP Shared Network Configuration
The settings specific to the Shared Network menu are the Shared network description and Network name. The Shared network description field is used to describe the shared network as desired. The Network name field is a unique name to assign to the shared network; it could be the name of the interface the shared network is on, for example.
DHCP Subnet Configuration
Figure 193: DHCP Subnet Configuration
The settings specific to the Subnet menu are the Subnet description, Network address and Netmask. The Subnet description field is used to describe the subnet as desired. The Network address and Netmask fields of the subnet specify the span of assigned addresses. Within a subnet you can create hosts, groups of hosts, and address pools.
DHCP Group Configuration
Figure 194: DHCP Group Configuration
The settings specific to the Group menu are the Group description and Use name as client hostname fields. The Group description field is used to describe the group as desired. The Use name as client hostname field determines whether host entries should use the host entry name as the client hostname to provide to the client. Within a group you can create hosts.
The Hardware address field is the Ethernet MAC of the client associated with the host entry. The Fixed IP address field is the IP address to assign to the matching client.
DHCP Pool Configuration
Figure 196: DHCP Pool Configuration
The settings specific to the Address Pool menu are the Failover peer and Clients to allow/deny. The Failover peer field is the IP address of a peer DHCP server if a failover pool is created.
Chapter 25 - Configuring NTP
Introduction
This chapter familiarizes the user with:
• Enabling/Disabling NTP
• Setting servers and peers
• Setting generic NTP options
• NTP Tools
NTP Fundamentals
NTP (Network Time Protocol) is an Internet protocol used to synchronize the clocks of computers to a time reference. Variants of NTP such as SNTP (Simple NTP, a reduced-functionality NTP) and XNTP (Experimental NTP) exist.
The NTP Sanity Limit
NTP changes the system time through "stepping" and "drifting". Stepping is a sudden change of time, whereas drifting (slewing) is a slow, gradual change. NTP steps the system time when it starts, which is almost always at boot time. Stepping the time afterwards can cause protocols (such as OSPF) that rely on accurate real time to fail. The router deals with this problem by restarting these protocols if they are running when NTP restarts.
NTP Configuration
NTP Server Main Menu
Figure 197: NTP Server
Note that the NTP server is disabled by default and may be enabled via the System folder, Bootup And Shutdown menu. When enabled, any configuration changes can be made to take effect by selecting the Restart ntpd daemon button. The View GPS Status and View GPS log sub-menus appear if the router is equipped with a Precision Time Protocol card.
Servers Configuration
Figure 199: NTP Server List
The servers under the IP address column are used as primary synchronization sources. Clicking on a link allows you to edit that server. By default the router includes the entry 0.debian.pool.ntp.org, which selects a random low-stratum server from a pool of NTP servers on the Internet. Such pool servers are unauthenticated and are only usable where the router has Internet access; on an isolated network, configure a locally reachable time source instead.
Viewing The NTP Log
Figure 201: NTP Log
The NTP Log menu displays the log of recent NTP events.
Viewing GPS Status
Figure 202: GPS Status
If the router is equipped with a Precision Time Protocol card, this page shows the status of the GPS module. The Latitude and Longitude fields show the current position of the GPS antenna. The GPS Lock field shows the GPS lock status. The Number of Satellites field shows how many satellites are currently being tracked by the GPS module. The Tracked Satellite Status table shows the ID and signal strength of each tracked satellite.
Chapter 26 - Configuring SSH
Introduction
This chapter familiarizes the user with:
• Configuring SSH Authentication
• SSH Networking And Access Control
• Setting SSH Client Options
SSH Fundamentals
Secure Shell is a program for logging into another host, executing commands remotely, and moving files from one machine to another. It provides strong authentication and secure communications over insecure channels.
Authentication
Figure 205: SSH Server Authentication Menu
The Allow authentication by password field determines whether passwords (sent in clear text inside the encrypted tunnel) may be used for authentication. If set to Yes, the user is allowed to enter a password if validation cannot be done using a public key. The Permit logins with empty passwords field (when password authentication is allowed) specifies whether the server allows login to accounts with empty passwords; leave this set to No.
The Allow connection to forwarded ports field specifies whether remote hosts on the client network are allowed to connect to ports forwarded for the client.
Access Control
Figure 207: SSH Server Access Control
The Only allow users field specifies the users allowed to connect by SSH. The specification can be a list of user name patterns, separated by spaces. Login is allowed only for user names that match one of the patterns.
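The pattern matching behind the Only allow users list, as an added example that is neither the router's nor OpenSSH's code: it re-implements the documented OpenSSH semantics for AllowUsers and DenyUsers (entries of the form USER or USER@HOST, wildcards * and ?, deny list checked before allow list) so that a policy can be checked against a planned login before it is applied to a remote router. The ALLOW and DENY lists and the login attempts are constructed for the example.

```python
"""Added example: user/host pattern matching for an SSH allow/deny user list.
Not the router's or OpenSSH's code; a re-implementation of the documented
AllowUsers/DenyUsers rules:
  - each entry is USER or USER@HOST; HOST is matched against both the client's
    reverse-resolved hostname and its IP address;
  - '*' (any run of characters) and '?' (one character) are the only wildcards;
  - DenyUsers is checked first; if AllowUsers is non-empty the user must match
    one of its entries to log in.
"""


def match_pattern(s, pattern):
    """Case-sensitive glob match with '*' and '?' only (no character classes)."""
    if not pattern:
        return not s
    if pattern[0] == "*":
        return any(match_pattern(s[i:], pattern[1:]) for i in range(len(s) + 1))
    if not s:
        return False
    if pattern[0] == "?" or pattern[0] == s[0]:
        return match_pattern(s[1:], pattern[1:])
    return False


def entry_matches(entry, user, hostname, address):
    """Match one USER or USER@HOST entry against a login attempt."""
    if "@" in entry:
        user_pat, host_pat = entry.split("@", 1)
        return match_pattern(user, user_pat) and (
            match_pattern(hostname, host_pat) or match_pattern(address, host_pat)
        )
    return match_pattern(user, entry)


def login_allowed(allow_users, deny_users, user, hostname, address):
    """Decide whether a login is permitted. allow_users and deny_users are the
    space-separated lists as typed into the menu (empty string = not set)."""
    for entry in deny_users.split():
        if entry_matches(entry, user, hostname, address):
            return False
    allowed = allow_users.split()
    if allowed and not any(entry_matches(e, user, hostname, address) for e in allowed):
        return False
    return True


# Constructed policy: root only from the management subnet, the 'oper'
# accounts (oper1, oper2, ...) from anywhere, one retired account denied.
ALLOW = "root@192.168.1.* oper?"
DENY = "olduser"

if __name__ == "__main__":
    print(login_allowed(ALLOW, DENY, "root", "mgmt1.example", "192.168.1.50"))  # True
    print(login_allowed(ALLOW, DENY, "root", "host.example", "10.0.0.5"))       # False
    print(login_allowed(ALLOW, DENY, "oper2", "host.example", "10.0.0.5"))      # True
    print(login_allowed(ALLOW, DENY, "operator", "host.example", "10.0.0.5"))   # False
```

The host part of an entry is only as reliable as the address it matches: a hostname comes from reverse DNS, so restricting by IP address or address prefix, as the root entry above does, is the safer form.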
Chapter 27 - Configuring IRIGB And IEEE1588
Introduction
This chapter familiarizes the user with:
• IEEE 1588 Configuration
• IRIGB Configuration
• Viewing IRIGB and IEEE1588 Status
IEEE1588 Fundamentals
The IEEE 1588 working group Precision Time Protocol (PTP) standard details a method of synchronizing clocks over networks, including Ethernet. The RuggedRouter provides a hardware-assisted PTP capability by means of the RuggedCom PTP card.
PTP Master Election
PTP clocks exchange SYNC messages containing information which is used by the PTP Best Master Clock (BMC) algorithm. Several factors affect the choice of best master clock, including the preferred master clock setting, the clock identifier, grandmaster settings and clock stability.
IRIGB Output Formats
The router provides three ports by which the signal is distributed, namely:
• An Amplitude Modulated (AM) sinusoidal output port (PTP1),
• Two TTL voltage level output ports (PTP2 and PTP3) which may be configured as either pulse per second (PPS) or pulse width modulated (PWM).
The signal can be used to synchronize intelligent devices to a high quality time source, called the reference clock.
The RuggedRouter provides a method to account for this delay. The table below gives some examples of the delay that can be expected for a given dielectric type. Note that cable characteristics vary from one manufacturer to another.
Dielectric Type                  Time Delay in ns/m (ns/ft)
Solid Polyethylene               4.62 (1.54)
Foam Polyethylene (FE)           3.81 (1.27)
Foam Polystyrene (FS)            3.36 (1.12)
Air Space Polyethylene (ASP)     3.45-3.63 (1.15-1.21)
Solid Teflon (ST)                4.38 (1.
Air Space Teflon (AST)
IRIGB Configuration
Figure 210: IRIGB Configuration menu
This menu allows you to configure IRIGB parameters. The Save button saves the configuration changes permanently. The AM Port 1 (PTP1) Output field enables or disables the amplitude modulated output of this port. The TTL Port 2 (PTP2) Output and TTL Port 3 (PTP3) Output fields set the output format of these ports to PPS, PWM or OFF.
IRIGB Status
Figure 212: IRIGB GPS Status
This page shows whether GPS is locked, and the source of the current reference clock.
IEEE1588 Status
Figure 213: IEEE1588 Status
This page shows the historical status of IEEE1588 on the router. The line above the table provides the local clock's IP address, MAC address and time quality information. The table contains entries made whenever the clock source or status changes.
Chapter 28 - Configuring the Intrusion Detection System
Introduction
This chapter familiarizes the user with:
• Configuration of Snort as an Intrusion Detection System.
• Generating a daily snort analysis email.
Snort Fundamentals
The Snort Intrusion Detection System (IDS) monitors traffic on the router's interfaces against a set of rules and raises an alert when a rule matches.
When the local syslog method is chosen, the destination log file may be selected. When the alert file method is chosen, a daily analysis of the file can be emailed. The SIDs referenced in alerts can be used to quickly locate the rule via the main Snort IDS menu. The rule itself often contains HTML links to Internet resources such as www.securityfocus.com and cve.mitre.org, which provide more in-depth descriptions of the vulnerability.
IDS Configuration
Snort IDS Main Menu
This menu configures the Snort IDS and is composed of three sections. Note that Snort is disabled by default and may be enabled via the System folder, Bootup And Shutdown menu. If Snort is running, configuration changes must be made active by restarting it. The Restart Snort button restarts Snort, listing the interfaces it is active upon.
Rulesets
Figure 217: Snort Main Menu part 3
The Rulesets section selects the rules to apply on monitored interfaces. Each "ruleset" is a collection of related rules. The link under the Action field disables or enables all of the rules in a ruleset. Individual rules in a ruleset may be modified by following the set name link under the Rule Set field, resulting in a menu such as the following.
Network Settings
Figure 219: Snort Network Settings
This menu allows you to configure the IP addresses and ports of servers in the local and external networks. The Home Net field defaults to "ANY" and designates the IP subnet(s) considered local on the router's ports. Configuring the specific local subnet lets the rules distinguish inbound from outbound traffic and reduces the number of alerts generated.
PreProcessors
Figure 220: Snort Preprocessors
Preprocessors are plug-in modules that operate on the captured packets before the rules are applied.
Alerts & Logging
Figure 221: Snort Alerts
Alerts generated by Snort are stored by one of three methods: as local syslog messages, as remotely syslogged messages, or in an alert file. When the Local syslogging method is chosen, the destination log file may be selected. When the Remote syslogging method is chosen, the IP address of the remote syslog host must be identified. Modifying the Facility field determines how the alert is logged on the remote host.
Chapter 29 - Maintaining The Router
Introduction
This chapter familiarizes the user with:
• Viewing Alerts
• Configuring and monitoring the Gauntlet Security Appliance
• Backing up and restoring configurations
• Configuring SNMP
• Configuring RADIUS Authentication
• Configuring Outgoing Mail
• Chassis Parameters
• Power over Ethernet
• Using System Logs
• Upgrading Software
• Using Pre-upgrade/Post-upgrade scripts
• Uploading and downloading files
Alert System
The aler
This menu displays active alerts and allows you to change the alert system configuration and alert definitions. Follow the All Alerts link to show all alerts. Follow the severity links (Emergency .. Debug) or the category links (chassis .. daemon) to limit the alert view. Note that active alerts are volatile and will be regenerated after a reboot. If you clear an alert manually, it will reappear if the condition occurs again.
Alert Filter Configuration
Figure 224: Alert Filter Configuration Menu
This menu configures an alert filter, which defines the forwarder destination for active alerts matching the defined filter level. The Forward Destination Type configures the type of filter; currently only the type Email is supported. The Forward Destination configures the destination matching the Forward Destination Type. Note that multiple email addresses should be separated by commas.
Change Alert Definition
Figure 226: Change Alert Definition Menu
This menu allows you to change an existing alert definition entry. The Codepoint is the key of the alert definition entry and cannot be changed. The Category configures which category the alert definition entry belongs to. The Name configures the name of the alert definition, which is displayed by Webmin, at login or by the email forwarder when an active alert exists.
The Comparator configures how the shell command result is compared with the threshold. The Threshold configures the value the shell command result is compared against to decide whether the condition is true or false. The And Repeats field configures how many times the condition must be true before the alert is generated. The And Until field configures how many seconds the condition must remain true before an alert is generated.
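A model of how the Comparator, Threshold, And Repeats and And Until fields combine, as an added example that is not the router's own alert daemon. The guide does not state how the two conditions interact, so the following are assumptions of this example: the command is sampled periodically, And Repeats counts consecutive true samples, And Until is measured from the moment the condition first became true, both must be satisfied, a false sample resets both, and an alert that is already active is not raised again until the condition has gone false and become true again. The temperature samples and the codepoint are constructed.

```python
"""Added example: evaluating a shell-command alert definition. Not the
router's own code; a model of the Comparator / Threshold / And Repeats /
And Until fields with the assumptions stated in the lead-in."""
import operator
import subprocess

COMPARATORS = {
    ">": operator.gt, ">=": operator.ge, "<": operator.lt,
    "<=": operator.le, "=": operator.eq, "!=": operator.ne,
}


class AlertDefinition:
    def __init__(self, codepoint, name, command, comparator, threshold,
                 repeats=1, until=0):
        if comparator not in COMPARATORS:
            raise ValueError("unknown comparator %r" % comparator)
        self.codepoint = codepoint
        self.name = name
        self.command = command          # shell command whose output is compared
        self.comparator = comparator
        self.threshold = float(threshold)
        self.repeats = int(repeats)     # consecutive true samples required
        self.until = float(until)       # seconds the condition must hold
        # runtime state
        self.true_count = 0
        self.first_true_at = None
        self.active = False

    def sample(self):
        """Run the shell command and parse the first token of its output as a number."""
        out = subprocess.run(["sh", "-c", self.command], capture_output=True,
                             text=True, check=True).stdout
        return float(out.split()[0])

    def evaluate(self, value, now):
        """Feed one sample taken at time `now` (seconds). Return True only at
        the moment the alert is raised; a false sample clears the alert."""
        if not COMPARATORS[self.comparator](value, self.threshold):
            self.true_count, self.first_true_at, self.active = 0, None, False
            return False
        self.true_count += 1
        if self.first_true_at is None:
            self.first_true_at = now
        if self.active:
            return False
        if self.true_count >= self.repeats and now - self.first_true_at >= self.until:
            self.active = True
            return True
        return False


def replay(defn, samples):
    """Feed (time, value) samples in order; return the times at which the alert fired."""
    fired = []
    for t, v in samples:
        if defn.evaluate(v, t):
            fired.append(t)
    return fired


# Constructed chassis temperature readings taken every 30 s. The definition
# below requires temperature > 70 for 3 samples and for 60 s.
TEMP_SAMPLES = [(0, 72), (30, 73), (60, 75), (90, 74), (120, 65),
                (150, 80), (180, 80), (210, 80)]

if __name__ == "__main__":
    high_temp = AlertDefinition(1001, "High chassis temperature",
                                "cat /tmp/temp", ">", 70, repeats=3, until=60)
    print(replay(high_temp, TEMP_SAMPLES))  # [60, 210]
```

With this model an alert is raised at t=60 (three consecutive samples above the threshold, 60 s after the first), stays active without being raised again at t=90, is cleared by the reading of 65 at t=120, and is raised a second time at t=210. Setting only And Repeats, with And Until left at 0, makes the alert depend purely on the sampling interval, which is why a time bound is the more predictable of the two when the interval is not fixed.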
Industrial Defender
RX1100 owners can use the Industrial Defender security appliance for central monitoring. The central monitoring facility is called a Security Event Management (SEM) unit. This section details how to activate the Industrial Defender Agent on a RuggedRouter so that it can periodically report to an SEM unit. Details and recommendations on using the Industrial Defender system can be found in the Industrial Defender documentation.
Configuring Industrial Defender Addresses
Figure 228: Industrial Defender Configuration – IP addresses saved
The Appliance Address is the IP address of the SEM unit. The IP address of the RuggedRouter must also be specified as the Source Address. Once this is done, save these addresses by clicking on the Save Changes button.
Retrieving an Industrial Defender Key
Once the addresses are saved, a key can be retrieved from the SEM unit.
Configuring remote syslogging
Once a key is successfully obtained from an SEM unit, remote syslogging to the SEM can be enabled by clicking on Add remote system logging to the SEM unit. This adds an entry to the syslog configuration file to transmit system logs to the configured SEM.
Gauntlet Security
RX1100 owners can use the Gauntlet security appliance to restrict access to critical assets. This section details how to activate Gauntlet and determine currently negotiated sessions. Details and recommendations on applying the Gauntlet system to networking may be found in the texts referenced in the About This Guide section of the user guide.
Note: The order of rules is significant. Rules inserted before this set will not be protected by Gauntlet. Any rule appearing after the Gauntlet chain rules will automatically be ignored. Consult RuggedCom support for assistance. If you want to grant SSH access to the router, replace "10000" in the last rule with "22,10000".
• Ensure that the firewall is enabled in the Bootup and Shutdown menu and apply the firewall configuration to effect the changes.
Backup And Restore
Figure 231: System Backup And Restore
The Backup And Restore system provides the following features:
• All configuration settings are saved in a configuration archive,
• Webmin configuration settings are saved in a Webmin configuration archive,
• Archives can be used to "clone" routers, replicate a damaged resource or unwind a change,
• Archives can be created manually (including user comments) or by the Automatic nightly backup, which captures all c
General Configuration
Figure 232: Backup and Restore General Configuration
This menu configures the backup system. The Automatic Nightly Backup field specifies when the nightly backup is scheduled. The automatic export to a server starts (if enabled) immediately after the backup completes. The Archive Name Includes field selects the text fields (Date-Time, Hostname, Router Version) included in the archive name.
Configuration Rollback
Figure 233: Configuration Rollback menu
The Configuration Rollback menu enables the user to define a period of time in which configuration changes can be made and subsequently accepted. If the user does not explicitly accept the changes within that period, the unit reverts to the configuration snapshot taken when the user started the configuration rollback. In reverting to this configuration, the unit will reboot.
Archive History
Figure 236: Archive History
The Archive History menu displays current system configuration archives (which include all configurations) and Webmin configuration archives (which include only Webmin configurations), sorted by date (most recent first). Following the link of an archive under the Archive Name field downloads a copy of it to your browser. Selecting an archive under the Archive Name field and applying the Remove Selected Archives button deletes the archive.
Figure 237: Archive Backup
This menu allows the user to manually create a configuration archive or Webmin archive. The Backup Type field determines which type of archive (configuration archive or Webmin archive) you want to create. The Archive Comment field sets a comment which will be included in the archive file. The Backup archive file name field allows you to enter the candidate archive file name. Starting the backup results in the following display.
Figure 239: Archive Restore Menu
Note: Some manually (and even automatically) created archives cannot be restored. If the router was upgraded after the archive was created, the archive will contain old, confusing and possibly missing configurations; the Version field indicates this. The latestarchive and factorydefault archives always have the current release version (and can always be restored). If an archive has a lower version number, it will not be restorable.
Archive Difference Tool
Figure 241: Archive Differences Menu
The Archive Difference menu shows the differences between two targets. The first target must be an archive, while the second target can be either another archive or the current configuration. Choose two and only two targets and click the Show Differences button.
Figure 242: Archive Differences List
The resulting menu shows the differences between the two selected targets. Each difference is also shown in a window that displays the differing lines.
Figure 243: Show Difference for selected file between two targets
The Copy This File to Current Configuration button is present when the destination archive is the Current Configuration. It allows the user to copy the selected file from the old archive to the current configuration.
SNMP Configuration
The SNMP menus provide the following configuration features:
• System information
• Agent network addresses
• Community access to the agent
• SNMP trap delivery
SNMP (the Simple Network Management Protocol) is used by network management systems and the devices they manage. It is used to manage items on the managed device, and by the device itself to report alarm conditions and other events.
System Configuration
Figure 245: System Configuration Menu
The System name, System location, System contact, and System description fields configure descriptive parameters for the router.
Network Addressing Configuration
For reference, the set of currently configured and active IP addresses is listed near the top of the page.
Snmpd will use these addresses provided they are active at the time it starts. By default, snmpd listens on all interfaces.
Access Control
Figure 248: Access Control Menu, SNMP V1 and V2c
The first part of the Access Control page allows the creation and deletion of SNMP V1 and V2c community names. The Community Name field selects the name of the community. The Access field determines whether the community is read-only or read/write. V1 and V2c community names travel in clear text and are the only credential a manager presents, so avoid read/write communities and prefer SNMP V3 users where the management station supports them.
The Minimum Security field selects the level of security required of this user. It may be No Authentication (no authentication or encryption), Authentication Only (authentication by the MD5 or SHA1 method, no encryption) or Authentication with Privacy (authentication by MD5 or SHA1, encryption by the DES or AES cipher). Authentication with Privacy using SHA1 and AES is the strongest combination offered; MD5 and DES are legacy algorithms. The OID field further restricts access to an Object Identifier (OID) tree at or below a specified OID.
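How an SNMP V3 user's passphrase becomes the keys behind the Authentication Only and Authentication with Privacy levels, as an added example that is not the router's snmpd code: it implements the RFC 3414 password-to-key function and key localization (Kul = H(Ku || engineID || Ku)), then truncates the localized privacy key to the DES or AES key size. The test vector (passphrase "maplesyrup", engine ID 00 00 00 00 00 00 00 00 00 00 00 02) is the one published in RFC 3414 appendix A.3; the second engine ID is constructed to show that the same passphrase yields a different key on a different agent.

```python
"""Added example: RFC 3414 USM key derivation (password to key, then key
localization) for the SNMP V3 security levels. Not the router's snmpd code."""
import hashlib

ONE_MEGABYTE = 1048576


def password_to_key(password, engine_id, algorithm="md5"):
    """Return the localized key Kul for this user on the agent `engine_id`.
    algorithm is 'md5' (HMAC-MD5-96) or 'sha1' (HMAC-SHA-96)."""
    if algorithm not in ("md5", "sha1"):
        raise ValueError("USM in RFC 3414 defines only MD5 and SHA-1")
    if not password:
        raise ValueError("empty passphrase")
    # Step 1: Ku = H(password repeated to exactly 1,048,576 bytes)
    reps, rem = divmod(ONE_MEGABYTE, len(password))
    ku = hashlib.new(algorithm, password * reps + password[:rem]).digest()
    # Step 2: localize to the authoritative engine: Kul = H(Ku || engineID || Ku)
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def privacy_key(kul, cipher="aes"):
    """Truncate a localized privacy key to the cipher's key size:
    DES (RFC 3414) uses the first 8 bytes, AES-128 (RFC 3826) the first 16."""
    size = {"des": 8, "aes": 16}[cipher]
    if len(kul) < size:
        raise ValueError("localized key shorter than cipher key")
    return kul[:size]


if __name__ == "__main__":
    engine = bytes(11) + b"\x02"            # RFC 3414 A.3 engine ID
    print(password_to_key(b"maplesyrup", engine, "md5").hex())   # 526f5eed9fcce26f8964c2930787d82b
    print(password_to_key(b"maplesyrup", engine, "sha1").hex())  # 6695febc9288e36282235fc7151f128497b38f3f
    other = bytes(11) + b"\x03"             # constructed: a different agent
    print(password_to_key(b"maplesyrup", other, "sha1")
          != password_to_key(b"maplesyrup", engine, "sha1"))     # True
```

Two practical consequences follow from the derivation: a manager must discover the agent's engine ID before it can authenticate, and a short passphrase is not strengthened by the localization step, since anyone holding the engine ID (it is sent in clear in the discovery exchange) can run the same computation over a passphrase list. Use a long passphrase and the SHA1/AES combination.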
Figure 252: Trap Destinations V3
The SNMP V3 Trap Destinations part of the menu allows the creation and deletion of V3 trap destinations. The Type field specifies the exchange used with this destination, either V3 trap or V3 inform. The IP address and Trap Community fields specify the receiver's IP address and user name.
MIB Support
The RuggedRouter supports the following MIBs.
MIB Name                   MIB Description
IF-MIB                     The MIB module to describe generic objects for network interface sub-layers.
SNMPv2-MIB                 The MIB module for SNMPv2 entities.
TCP-MIB                    The MIB module for managing TCP implementations.
IP-MIB                     The MIB module for managing IP and ICMP implementations.
UDP-MIB                    The MIB module for managing UDP implementations.
SNMP-VIEW-BASED-ACM-MIB    View-based Access Control Model for SNMP.
RADIUS Authentication
RADIUS (Remote Authentication Dial In User Service), described in RFC 2865, is a protocol designed to allow the centralization of authentication, authorization, and configuration of various types of services. The goal of RADIUS authentication is typically to restrict the distribution of account information and to avoid the replication of security management effort.
The RADIUS server providing the WEBMIN service must also be configured to supply a "privilege-level" attribute, which is used to allow different levels of access to different users of the web management interface. See Appendix E - RADIUS Server Configuration for more information on configuring the RADIUS server, and Webmin User and Group Fundamentals for more information about the privilege levels themselves.
The Shared Secret field configures the secret shared with this server. The Timeout field selects the maximum time to wait for a reply before trying the next server. The Service field configures whether the server authenticates LOGIN, WEBMIN, PPP LOGIN or any combination of these types.
Figure 255: RADIUS Authentication Main Menu
Outgoing Mail
Outgoing Mail is configured from within the Maintenance menu, Miscellaneous sub-menu. This menu controls where emails originated by the router are forwarded to. The Forward to Mail Hub field specifies the IP address or domain name of a host that accepts mail from the router. The Belongs to Domain field specifies the email domain the router is part of. This information is written into the email header upon transmission.
Chassis Parameters
Figure 256: Chassis Parameters Menu
This menu displays the chassis temperature and, on hardware version 2, the voltage levels of the chassis power supplies and a record of the last power down time. The system highlights any out-of-range value in red. The monitored values are described below:
Parameter temp VcoreA, VCoreB +3.3 PS1, +3.3 PS2 +5V +12V VBat Description Motherboard temperature Redundant 3.3V power supply voltages Redundant 3.
Power over Ethernet
The IEEE 802.3af standard describes a method known commonly as PoE (Power over Ethernet) for providing electrical power over the twisted pair wiring most commonly used in Ethernet networks. The obvious benefit is the ability to take advantage of previously unused copper in the 10/100Base-T wiring configuration to provide power without requiring that new wiring be installed. The RuggedRouter can be provisioned to supply power according to IEEE standard 802.3af.
Power over Ethernet Menu
Figure 258: Power over Ethernet Menu
This menu allows you to enable/disable the Power over Ethernet function and set the power limit on available Ethernet ports. It also displays the current status of each port. The Port Name column identifies the Ethernet port number. The Enabled column allows you to enable or disable the Power over Ethernet function on this port.
System Logs
Figure 259: System Logs
System logs are records of activities that have occurred on the router, sorted into specific categories. System logs can be invaluable when debugging configuration changes. As such, most of your use of the logs will simply be viewing them.
Left unrestricted, the logging system would consume all available disk space, causing the router to fail. The router limits the space used by the logging system by storing logs in a volatile (i.e. lost after a reboot) file system which is limited in size. Such a system loses logging information when a power failure occurs, when too much logging is generated, or as the result of a user-commanded reboot. Where log records must survive for later incident analysis, forward them to a remote syslog host as well.
Upgrade System
Figure 261: Software Upgrade System
The Software Upgrade system provides the following features:
• Upgrading from either HTTP or FTP servers,
• Upgrade traffic bandwidth limiting to prevent disruption to mission critical applications,
• Automatic daily upgrades from a central server at a scheduled time,
• Manually initiated upgrades from a central server,
• Manually initiated upgrades of new versions for testing purposes,
• Manually initiated installs of new packag
The software of the RuggedRouter is composed of a number of "packages". Each package contains all of the files necessary to implement a set of related commands or features, such as a firewall or SSH client. A router upgrade involves replacing some of these packages with newer versions and adding new packages. The upgrade system handles all of this for you.
Upgrade to RX1100
Figure 262: Upgrade to RX1100
This menu allows you to upgrade your router. The display also provides a description of the current hardware in the router inventory.
Change Repository Server
Figure 263: Change Repository Server
This menu defines the server used to upgrade software. The Repository server field accepts a URL containing the domain name or IP address of an HTTP or FTP server along with the directory on the server containing the upgrades. Neither HTTP nor FTP authenticates the server or the files it serves, so the repository should be reachable only over a trusted management network.
Automatic Upgrading
Figure 264: Automatic Upgrade
Check the Upgrades enabled field to activate daily upgrades. Use the Upgrade Time fields to select the time to upgrade. Selecting different times on each router can be used to even out traffic flows in the network.
Select the From local file option if you have already moved the package to the router through HTTP, FTP or scp. You may either enter the full path from the root directory to the package or use the file selector to identify the package. Select the From uploaded file option if you have the file locally on your workstation. You may either enter the location of the file on your local file system or use the browse selector to identify the package.
Uploading And Downloading Files
Figure 267: Upload/Download menu
The Upload/Download Files menu provides a means to transfer files to and from the router. The Download files from the specified URLs to this router part of the menu allows you to have the router download files from FTP and HTTP servers. You need to specify (at least) the file URL and the directory to download it to.
Chapter 30 - Security Considerations
Introduction
This chapter describes actions to take to secure the RuggedRouter.
Security Actions
1. Change the root and rrsetup passwords from the rrsetup shell, before attaching the router to the network.
2. If RADIUS authentication is being employed, configure authentication servers.
3. Restrict the IP addresses from which Web management will accept connections. See the Webmin menu, IP Access Control sub-menu.
RuggedRouter® User Guide Appendix A - Setting Up A Repository The RuggedCom software upgrade mechanism requires a repository of software to available. The following instructions detail: • • • • • • Requirements for a repository server, Initial set up of a repository, Upgrading the repository to the latest release, Maintain separate releases streams for different groups of routers, Setting up one router to test new releases Configuring the network routers.
Upgrading The Repository

RuggedRouter releases are obtained from the RuggedCom web site as ZIP files. Download the ZIP file to your regular and/or test release directories and unzip them. You may delete the original ZIP file if desired. The ZIP file name will be in the form rrX.Y.zip. The major release number X is changed when major new functionality (often hardware related) is offered.
Upgrading Considerations

The RuggedRouter offers you the ability to perform automatic daily upgrades, specify the download time and limit the download bandwidth. These tools automate the upgrade process and minimize the impact of upgrading on the network. When automatic daily upgrades are used, you may wish to stagger the upgrade time of the routers. If your network has a natural “ebb flow” period of traffic activity, schedule the upgrades during this time.
Appendix B - Re-Flashing Router Software

Re-flashing refers to a complete re-initialization of the unique storage space of a router, the Flash card. It replaces all the contents of the Flash card with a provided image file. There is an option to thereafter apply a saved configuration archive, provided that the version of the new image is the same as the one it replaces.
Appendix C - Installing Apache Web Server On Windows

A number of customers have asked for advice and instructions on setting up a web server on Windows. RuggedCom recommends the Apache web server because it is secure, robust, easy to install and configure, and available for a wide variety of Windows platforms. Begin by identifying a host computer and its physical and logical location on the network.
Return to the web browser used earlier to verify Apache and refresh the screen. It should now reflect the contents of your RuggedRouter release directory. You should now be able to perform an upgrade from a router.
Appendix D - Installing IIS Web Server On Windows

A number of customers have asked for advice and instructions on setting up an IIS web server on Windows. Begin by identifying a host computer that has IIS and its physical and logical location on the network. The Repository Server Requirements section of the appendix “Setting Up A Repository” provides some guidance on host requirements.
Appendix E - RADIUS Server Configuration

This section describes how to configure popular RADIUS servers to supply a Vendor-Specific field, “privilege-level”, which is used by Webmin to assign specific capabilities to Webmin users on a per-user basis. Currently, the only privilege-level is that of “root”, but RuggedCom will be introducing additional levels in upcoming releases.
Permission: Grant remote access permission

3. Double click the policy name you created. In the popup window, click the Edit Profile... button.

Figure 270: IAS Window - Edit Remote Access Policy

4. In the Edit Profile window, click the Add... button.

Figure 271: IAS Window - Edit Profile

5. In the Add Attribute window, select the Vendor-Specific line and click the Add button.
6. In the Multivalued Attribute Information window, click the Add button.

Figure 273: IAS Window – Multivalued Attribute Information

7. In the Vendor-Specific Attribute Information window, select the radio button Enter Vendor Code and enter 15004 in the edit box. Select the radio button Yes. It conforms and click the button Configure Attribute...

Figure 274: IAS Window – Vendor-Specific Attribute Information

8.
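The privilege-level attribute configured in the steps above travels in a RADIUS Vendor-Specific Attribute (type 26, RFC 2865) carrying vendor code 15004. The following added example, not RuggedCom's or Webmin's code, encodes such an attribute and decodes it back out of a RADIUS attribute list, skipping malformed or foreign-vendor attributes rather than trusting them; the vendor-type number for privilege-level is not given in the guide and is a labelled placeholder.

```python
"""Added example: RFC 2865 Vendor-Specific Attribute carrying RuggedCom's
"privilege-level".  Vendor code 15004 is from the IAS steps in the guide;
PRIVILEGE_LEVEL_VENDOR_TYPE is a PLACEHOLDER the guide does not state."""
import struct

RADIUS_VSA_TYPE = 26              # Vendor-Specific, RFC 2865 section 5.26
RUGGEDCOM_VENDOR_ID = 15004       # vendor code entered in the IAS dialog
PRIVILEGE_LEVEL_VENDOR_TYPE = 1   # PLACEHOLDER: not stated in the guide


def encode_privilege_level(level: str) -> bytes:
    """Build one VSA: Type, Length, Vendor-Id, then the string sub-attribute."""
    value = level.encode("ascii")
    # sub-attribute = Vendor-Type(1) + Vendor-Length(1) + value
    sub = struct.pack("!BB", PRIVILEGE_LEVEL_VENDOR_TYPE, 2 + len(value)) + value
    body = struct.pack("!I", RUGGEDCOM_VENDOR_ID) + sub
    return struct.pack("!BB", RADIUS_VSA_TYPE, 2 + len(body)) + body


def decode_privilege_levels(attrs: bytes) -> list:
    """Walk a RADIUS attribute list (as found in an Access-Accept) and
    return every RuggedCom privilege-level value.  Other attribute types and
    other vendors' VSAs are ignored; a truncated attribute stops parsing."""
    levels = []
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            break                             # malformed: do not guess
        if atype == RADIUS_VSA_TYPE and alen >= 6:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor_id == RUGGEDCOM_VENDOR_ID:
                j = i + 6
                while j + 2 <= i + alen:
                    vtype, vlen = attrs[j], attrs[j + 1]
                    if vlen < 2 or j + vlen > i + alen:
                        break                 # malformed sub-attribute
                    if vtype == PRIVILEGE_LEVEL_VENDOR_TYPE:
                        levels.append(attrs[j + 2:j + vlen].decode("ascii", "replace"))
                    j += vlen
        i += alen
    return levels


if __name__ == "__main__":
    # Constructed sample: User-Name "admin" (type 1) followed by the VSA.
    sample = b"\x01\x07admin" + encode_privilege_level("root")
    print(decode_privilege_levels(sample))    # ['root']
```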
Appendix F - VPN/L2TP Configuration in Windows

This section describes how to set up a VPN/L2TP connection on Windows XP/2000. There are two ways to establish a connection in Windows: using a pre-shared key (in the case of Windows XP) or using a certificate (for either Windows XP or Windows 2000). Here are the steps to establish a connection with a pre-shared key:

1. Start the “New Connection Wizard” (accessed via the Start -> All Programs -> Accessories -> Communications menus).
2.