RuggedRouter RX1000/RX1100 User Guide RuggedCom Inc. 30 Whitmore Road, Woodbridge, Ontario, Canada L4L 7Z4 Web: www.ruggedcom.
RUGGEDROUTER USER GUIDE FOR USE WITH RX1000/RX1100 PRODUCTS Version 1.12.6 – May 14th, 2008
RuggedCom Inc., 30 Whitmore Road, Woodbridge, Ontario, Canada L4L7Z4. Tel: (905) 856-5288 Fax: (905) 856-1995 Toll Free: (888) 264-0006 support@ruggedcom.com
Disclaimer: RuggedCom Inc. makes no warranty of any kind with regard to this material. RuggedCom shall not be liable for errors contained herein or for consequential damages in connection with the furnishing, performance, or use of this material.
About this User Guide
This guide is concerned with aiding the user in the configuration and operation of the RuggedRouter using the RuggedCom command line, setup menu and web management interfaces.
RuggedRouter User Guide
Document Conventions
This publication uses the following conventions:
Note: Means reader take note. Notes contain helpful suggestions or references to materials not contained in this guide.
Helpful Hint: This type of note often indicates useful shortcuts or methods employed by other RuggedCom customers.
10. All further configuration is accomplished through the web management interface. Attach the configuring host to one of the Ethernet ports configured above. Point your web browser at the address for that port, using https and port number 10000, e.g. https://192.168.1.1:10000 (or another port if configured in step 4). Log in with the root user and password (configured above). If RADIUS authentication is configured and a server is available, you may also log in as a RADIUS user.
22. If your router is equipped with an embedded modem, the Networking menu, Modem sub-menu will allow you to configure it for PPP or incoming console connections. See the chapter “Configuring PPP And Modem” for more details.
23. If your router is equipped with Serial Interfaces, the Servers menu, Serial Protocols sub-menu will allow you to configure them with an operating protocol. See the chapter “Configuring Serial Protocols” for more details.
24.
35. When your router's configuration is stable, it is recommended that the configuration be uploaded from the router and stored as a backup. The Maintenance menu, Backup And Restore sub-menu will be useful.
36. Should you need to transfer files to or from the router, the Maintenance menu, Upload/Download Files sub-menu will be useful.
37. Further concerns such as ensuring robustness and measuring and optimizing performance are dealt with by reading the guide fully.
Table Of Contents
About this User Guide, p. 1
Applicable Firmware Revision, p. 1
Who Should Use This User Guide, p. 1
How To Use This User Guide
Bootup And Shutdown, p. 45
Change Password Command, p. 46
Scheduled Commands, p. 46
Scheduled Cron Jobs
Strategy For Creating Interfaces, p. 69
Naming Of Logical Interfaces, p. 70
Editing A T1/E1 Interface, p. 71
T1 Settings
Introduction, p. 91
ADSL Fundamentals, p. 91
PPPoE/Bridged Mode Fundamentals, p. 91
Authentication, Addresses and DNS Servers
Virtual Private Networking To A DMZ, p. 114
Firewall Main Menu, p. 114
Network Zones, p. 116
Network Interfaces
Router-ID, p. 143
Hello Interval and Dead Interval, p. 143
Active/Passive Interface Default, p. 143
Redistributing Routes
VRRP Main Menu, p. 168
VRRP Configuration, p. 168
Editing A VRRP Instance, p. 169
Viewing VRRP Instances Status
Message Packetization, p. 191
Use of Turnaround Delays, p. 192
Serial Protocols Main Menu, p. 192
Assign Protocols Menu
Viewing The GPS Status, p. 222
Viewing The GPS Log, p. 222
Chapter 23 – Configuring SSH, p. 223
Introduction
Alert Menu, p. 240
Alert Configuration, p. 241
Alert Filter Configuration, p. 242
Alert Definition Configuration
Setting Up The Routers, p. 275
An Alternate Approach, p. 275
Upgrading Considerations, p. 276
Appendix B – Downgrading Router Software
Table Of Figures
Figure 1: RuggedRouter Setup Main Menu, p. 29
Figure 2: RuggedRouter Setup Password Change Menu, p. 30
Figure 3: RuggedRouter Interfaces Setup Menu, p. 30
Figure 4: RuggedRouter DNS Client Menu
Figure 26: Scheduled Commands Displaying a Command, p. 47
Figure 27: Webmin Scheduled Cron Jobs, p. 48
Figure 28: Creating a Cron Job, p. 48
Figure 29: Scheduled Cron Jobs menu displaying cron jobs
Figure 53: T1/E1 Network Interfaces After Interface Creation, p. 70
Figure 54: Edit T1 Interface, p. 71
Figure 55: Edit Logical Interface (Frame Relay), p. 72
Figure 56: Edit Logical Interface (PPP)
Figure 80: ADSL Link Statistics, p. 96
Figure 81: Modem Interface, p. 98
Figure 82: Edit Modem Configuration, p. 98
Figure 83: Configure Modem PPP Client
Figure 107: Server Configuration, p. 130
Figure 108: Show Public Key, p. 131
Figure 109: Preshared Keys, p. 131
Figure 110: List Certificates
Figure 134: Link Backup Status, p. 162
Figure 135: Test Link Backup, p. 162
Figure 136: VRRP Example, p. 166
Figure 137: VRRP Main Menu
Figure 161: Raw Socket Menu, p. 194
Figure 162: Serial Protocols Statistics Menu, p. 195
Figure 163: Serial Protocols Trace Menu, p. 196
Figure 164: Layer 2 Tunnels Main Menu
Figure 188: IRIGB/IEEE1588 General Configuration menu, p. 230
Figure 189: IRIGB Configuration menu, p. 231
Figure 190: IEEE1588 Configuration Menu, p. 231
Figure 191: IRIGB GPS Status
Figure 215: Archive Differences List, p. 251
Figure 216: Show Difference for selected file between two targets, p. 252
Figure 217: SNMP Main Configuration page, p. 253
Figure 218: System Configuration page
Figure 242: IAS Window – Edit Profile, p. 282
Figure 243: IAS Window – Add Attribute, p. 283
Figure 244: IAS Window – Multivalued Attribute Information, p. 283
Figure 245: IAS Window – Vendor-Specific Attribute Information
Chapter 1 – Setting Up And Administering The Router
Introduction
This chapter familiarizes the user with the RuggedCom Serial Console interface, the RuggedRouter Setup script and signing on to the Web interface.
End Backup Server, VPN Server, NFS, OSPF/RIP protocol and firewall) are disabled by default.
Accessing The RuggedRouter Command Prompt From the Console Port
Attach a terminal (or a PC running terminal emulation software) to the RS232 port on the rear of the chassis. The terminal should be configured for 8 data bits, no parity, at 38.4 Kbps. Hardware and software flow control must be disabled. Select a terminal type of VT100.
Figure 2: RuggedRouter Setup Password Change Menu
Configuring IP Address Information
The Change Port IP Address command configures port IP addresses and gateways.
Figure 3: RuggedRouter Interfaces Setup Menu
Each port number X has a default address of 192.168.X.1 and a mask of 255.255.255.0. The Configure Default Gateway Settings command configures the default gateway. The Configure DNS Client Settings command configures the DNS server address.
Figure 5: Radius Server Configuration menu
The Hostname/IP and Port Number fields configure the server location. The Shared Secret field configures the unique password used with this server. The Timeout field selects the maximum time to wait for a reply before trying the next server. The entry, created for both LOGIN and PPP Login, can be changed from the web interface.
Enabling And Disabling The SSH and Web Server
By default SSH and Web Management are enabled.
Enabling And Disabling The Gauntlet Security Appliance
The Gauntlet Security Appliance requires a pass phrase unique to your network. This menu will configure it.
Figure 6: Gauntlet Setup Menu
Configuring The Date, Time And Timezone
The Set The Date, Time And Timezone command allows these parameters to be set.
Figure 7: RuggedRouter Date/Time/Timezone Menu
Once set, the router will account for Daylight Saving Time.
Displaying Hardware Information
The Display Hardware Information command describes commissioned hardware.
Restoring A Configuration
The Restore A Previous Configuration command provides a means to restore a previously taken snapshot of the configuration of the router.
Note: The router will reboot immediately after restoring configuration.
The user is first prompted to select either the factory default configuration or a previously made archive.
The RuggedRouter Web Interface
The RuggedCom Web interface is provided by an enhanced version of the popular Webmin interface.
Using a Web Browser to Access the Web Interface
Start a web browser session and open a connection to the router by entering a URL that specifies its hostname or IP address (e.g. https://179.1.0.45:10000). Once the router is contacted, start the login process by clicking on the “Login” link. The resulting page should be similar to that presented below.
The rightmost or configuration frame presents the configuration for the currently selected subsystem, or in the case of signing-on, the home page window. The home page window presents an annotated view of the front of the chassis as well as a number of important system parameters. These parameters include:
• The router uptime and load averages for the past 1, 5 and 15 minutes. Under normal operation the load average should be less than 2.0.
• Configure the sign-on password,
• Specify session timeouts,
• Restrict the subnet of IP addresses that can log in,
• Configure and view Webmin event logs.
The System Menu provides the ability to:
• Change the router password,
• Enable and disable applications from running,
• Reboot the router,
• Schedule one-time and periodic tasks to run,
• Change the router's name (hostname),
• Change the time and date.
The LED status panel provides the console port, indicates the status of hardware/software and can initiate a controlled reboot. The LEDs are organized into three primary groups: the port group, the GPS/PPP group and the Alarm/Power Supply group.
Chapter 2 – Webmin Configuration
Introduction
This chapter familiarizes the user with configuring the router through the Webmin menu and describes the following procedures:
• Configuring the IP Address and Subnet Mask
• Configuring the Gateway Address
• Viewing the Webmin Log
Webmin Configuration Menu
Figure 15: Webmin Configuration Menu
IP Access Control
Figure 16: Webmin Configuration Menu, IP Access Control
Webmin uses a secure communications method called Secure Sockets L
If your router is used on a completely private network, or IP access control is already provided by the firewall, you may leave IP Access Control disabled: select the Allow from all addresses field and Save. If you wish to restrict access to a single address or subnet, select the Only allow from listed addresses field and enter a single IP address or a subnet address. If you wish to deny access to a specific subnet, select the Deny from listed addresses field.
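As an added illustration of the three access-control choices just described (example code written for this guide's reader, not Webmin's or RuggedCom's own implementation), the following Python function evaluates a client address against an allow or deny list. The mode constants and the `access_permitted` name are assumptions made for the example; the list entries take the forms the menu accepts, a single address or a subnet written either as CIDR or as address/netmask.

```python
import ipaddress

# Constructed model of Webmin's IP Access Control radio buttons (assumed
# names; not RuggedCom's or Webmin's code).
ALLOW_ALL = "allow_all"        # "Allow from all addresses"
ALLOW_LISTED = "allow_listed"  # "Only allow from listed addresses"
DENY_LISTED = "deny_listed"    # "Deny from listed addresses"


def parse_entries(entries):
    """Turn list entries into network objects.

    A bare address such as 10.0.0.7 becomes a /32; subnets may be written as
    192.168.1.0/24 or 192.168.1.0/255.255.255.0.  strict=False tolerates host
    bits being set (192.168.1.5/24 is read as 192.168.1.0/24).
    """
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in entries if e.strip()]


def access_permitted(mode, entries, client_ip):
    """Return True if a client at client_ip may reach the web interface."""
    client = ipaddress.ip_address(client_ip)
    # Testing an IPv4 client against an IPv6 network (or vice versa) simply
    # yields False, so mixed lists are handled safely.
    listed = any(client in net for net in parse_entries(entries))
    if mode == ALLOW_ALL:
        return True
    if mode == ALLOW_LISTED:
        return listed          # default deny: unlisted clients are refused
    if mode == DENY_LISTED:
        return not listed      # default allow: only listed clients are refused
    raise ValueError(f"unknown access-control mode: {mode}")


if __name__ == "__main__":
    rules = ["192.168.1.0/255.255.255.0", "10.0.0.7"]   # constructed sample list
    for ip in ("192.168.1.20", "10.0.0.7", "172.16.0.1"):
        print(ip, access_permitted(ALLOW_LISTED, rules, ip))
```

The check runs before any credential is examined, so the "only allow from listed addresses" mode keeps password guessing from off-list hosts away from the login page altogether; the deny mode, by contrast, leaves every unlisted host able to reach it, which is why the allow-list form is the one to prefer on a management network.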
The Web management package provides context sensitive help in each of its menus. When a help link is selected the router instructs the browser to open the help text from a help server. In this way the router does not waste large amounts of disk space storing help text and network bandwidth sending large web pages. By default, the router directs the browser to the same server used to upgrade the router.
Authentication
Figure 20: Webmin Configuration Menu, Authentication
This menu allows you to configure what Webmin will do when a number of failed logins occur from the same IP address. If the Enable password timeouts field is selected, the host will be blocked for the specified period of time. If the Log blocked hosts, logins and authentication failures to syslog field is selected, warning messages will be added to the syslog.
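The password-timeout behaviour described above, modelled as an added Python example (not Webmin's or RuggedCom's code): repeated failures from one address inside a time window block that address for a period, and each event is handed to a log callback that stands in for syslog. The class name, the default thresholds and the use of a caller-supplied clock are assumptions made for the example.

```python
from collections import defaultdict

# Constructed model of the Authentication menu's behaviour (assumed names and
# defaults; not Webmin's or RuggedCom's implementation).


class LoginGuard:
    def __init__(self, max_failures=5, window=60, block_for=300, log=None):
        self.max_failures = max_failures   # failures inside `window` seconds that trigger a block
        self.window = window
        self.block_for = block_for         # "password timeout": seconds the host stays blocked
        self.failures = defaultdict(list)  # ip -> timestamps of recent failed attempts
        self.blocked_until = {}            # ip -> time at which the block expires
        self.log = log if log is not None else (lambda msg: None)  # syslog stand-in

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[ip]     # block has expired
            return False
        return True

    def attempt(self, ip, password_ok, now):
        """Record a login attempt from ip at time `now` (seconds).

        Returns "blocked", "ok" or "failed".  A blocked host is refused even
        when it presents the right password; that is what makes the timeout
        effective against online guessing.
        """
        if self.is_blocked(ip, now):
            self.log(f"webmin: refused login from blocked host {ip}")
            return "blocked"
        if password_ok:
            self.failures.pop(ip, None)    # a success clears the failure history
            return "ok"
        recent = [t for t in self.failures[ip] if now - t < self.window]
        recent.append(now)
        self.failures[ip] = recent
        self.log(f"webmin: authentication failure from {ip} ({len(recent)} in window)")
        if len(recent) >= self.max_failures:
            self.blocked_until[ip] = now + self.block_for
            self.failures.pop(ip, None)
            self.log(f"webmin: blocking {ip} for {self.block_for}s after {len(recent)} failures")
            return "blocked"
        return "failed"


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3, log=print)
    for t in (0, 10, 20, 30):              # constructed burst from one address
        print(t, guard.attempt("10.1.1.1", False, t))
```

Blocks are keyed on the source address only, so hosts behind a shared NAT address share one counter; the trade-off the guide's setting makes is that a noisy neighbour can lock out colleagues for the timeout period, which is another reason to pair this control with the IP access list.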
Webmin Events Log
Figure 21: Webmin Events Log
This menu allows you to search the Webmin log for changes made by yourself or other administrators.
Chapter 3 – Configuring The System
Introduction
This chapter familiarizes the user with:
• Enabling and disabling processes such as SSH and Web Management
• Changing the password
• Shutting down and rebooting the system
• Scheduling one-off and periodic commands
• Examining system logs
• Changing the hostname
• Changing the system time and timezone
Bootup And Shutdown
Figure 22: Bootup and Shutdown, Part 1
This menu allows you to enable/disable services and to perform actions a
The second part of the menu allows you to program specific actions at boot time. The script will be run after all regular boot actions have completed.
Figure 23: Bootup and Shutdown, Part 2
The actions may be a series of commands that can be executed at the command line. Each entered line is executed independently of the previous line, so change directory commands will not be effective. Always specify the absolute path of files used in commands.
Begin by selecting the time and date at which you wish to run the command, using the Run on date and Run at time fields. Use the Run in directory field to enter a directory to run the command in, or simply use “/”. Finally, enter the command to execute in the Commands to execute field. Note that the command will remain scheduled after a reboot. After the command is entered, the Scheduled Commands menu will display any commands and allow you to cancel them.
Scheduled Cron Jobs
A Cron job is a combination of a command to run, and a definition of the times at which to run it. The Scheduled Cron Jobs menu allows you to create, delete and edit these jobs.
Figure 27: Webmin Scheduled Cron Jobs
Initially, there will be no scheduled jobs. Follow the “create” link to create one.
Figure 28: Creating a Cron Job
Begin the construction of the job by selecting a “user” to execute as. For most purposes, “root” will suffice.
Follow the link of a specific job in order to delete the job, edit it, or test the command part of the job by running it immediately. If you have multiple jobs, the arrows in the Move column will alter the order in which they are presented.
System Hostname
Figure 30: System Hostname
The Hostname field modifies the hostname as presented in the web server and shell sessions. Note that the new hostname will only appear in new sessions.
Chapter 4 – Configuring Networking
Introduction
This chapter familiarizes the user with:
• Configuring Routing and Gateways
• Configuring DNS
• Entering host addresses
• Configuring a pair of End To End Backup Interfaces
• Viewing Routing Tables
Network Configuration
Figure 32: Network Configuration Menu
This menu allows you to configure IP networking parameters.
Core Settings
Figure 33: Core Networking Settings
This menu allows you to configure core networking settings. The IPV6 Support field determines whether IPV6 interfaces are created and supported at boot time. Set this option to yes if you need these interfaces. Disabling them removes them from interface displays and from OSPF/RIP. A change will take effect at the next boot. The Antispoofing field corresponds to the kernel rp_filter setting.
This menu allows you to configure a dummy interface. Normally the router is reachable on any of its interface addresses, whether the interface is active or not. When OSPF and link detection are used, inactive interfaces are not advertised to the network and thus not reachable. A dummy interface is always advertised and thus reachable.
Routing And Gateways
Figure 35: Routing And Gateways
This menu allows you to configure the default gateway address and static routes.
The Network/Host and Netmask fields describe the remote network the static route will reach. If the netmask field is not entered (or a netmask of 255.255.255 is entered) the route will be a host route. Any other netmask will define a network route. If the network field is cleared the route will be deleted upon the next save. The Gateway field describes the address used as the next hop to forward traffic to.
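An added Python example (not RuggedCom's code) that models the static route table described above: each row is classified as a host route (a /32, netmask 255.255.255.255) or a network route, a row with an empty network field is dropped, and the resulting table is consulted with a longest-prefix lookup so that a host route wins over an overlapping network route and a 0.0.0.0/0 row acts as the default gateway. The function names and the row tuples are assumptions for the example; the sample rows are constructed.

```python
import ipaddress

# Constructed model of the Routing And Gateways static route table
# (assumed names; not RuggedCom's implementation).

HOST_MASK = "255.255.255.255"   # a /32 mask denotes a host route


def build_route(network, netmask, gateway):
    """Model one row of the table.

    Returns None when the network field is empty, which the guide describes
    as deleting the route on the next save.  An empty netmask is taken as a
    host route.
    """
    if not network.strip():
        return None
    mask = netmask.strip() or HOST_MASK
    dest = ipaddress.ip_network(f"{network.strip()}/{mask}", strict=False)
    kind = "host" if dest.prefixlen == dest.max_prefixlen else "network"
    return {"dest": dest, "kind": kind, "gateway": ipaddress.ip_address(gateway)}


def build_table(rows):
    """Rows are (network, netmask, gateway) strings as typed into the menu."""
    table = [r for r in (build_route(*row) for row in rows) if r is not None]
    # Most specific prefix first so that lookup returns the best match.
    table.sort(key=lambda r: r["dest"].prefixlen, reverse=True)
    return table


def next_hop(table, ip):
    """Longest-prefix match: return the gateway for ip, or None if unroutable."""
    addr = ipaddress.ip_address(ip)
    for route in table:
        if addr in route["dest"]:
            return str(route["gateway"])
    return None


if __name__ == "__main__":
    # Constructed sample rows: a network route, a host route inside it,
    # a row being deleted (empty network) and a default route.
    rows = [("10.0.0.0", "255.0.0.0", "192.168.1.254"),
            ("10.1.2.3", "", "192.168.1.253"),
            ("", "255.255.255.0", "192.168.1.1"),
            ("0.0.0.0", "0.0.0.0", "192.168.1.1")]
    table = build_table(rows)
    for r in table:
        print(r["kind"], r["dest"], "via", r["gateway"])
    for ip in ("10.1.2.3", "10.9.9.9", "172.16.0.1"):
        print(ip, "->", next_hop(table, ip))
```

The ordering step matters when reading a table back from the menu: the router's kernel performs the same longest-prefix selection regardless of the order rows were entered, so a host route for a management station will always override a broader network route covering the same address.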
Static Multicast Routing
Figure 36: Static Multicast Routing
This menu allows you to configure static multicast routing. The Configured Static Multicast Routes table shows configured multicast routes. New routings may be added by completing the bottom row of the table and selecting the Save button. Routings may be deleted by clearing the routing's Multicast IP Address field and selecting the Save button.
DNS Client
Figure 37: DNS Client
This menu allows you to display and configure various DNS client fields. The Resolution Order selector determines the order of sources for resolving domain names into IP addresses. The Hosts file /etc/hosts can be populated with frequently used but unchanging addresses. DNS refers to any configured DNS servers. The DNS servers fields allow you to specify, in order, the servers to resolve from.
The backup is “end to end” because connectivity is determined by the availability of an interface on the target system, and not by a local link. In the above figure, interface w1ppp acts as the primary interface and eth1 acts as the secondary interface. The router tests the primary path by probing 192.168.16.2 on router 2. A failure of either w1ppp, network A or the remote link on router 2 will render the primary path as “failed”.
Configuring End To End Backup
Figure 40: End To End Backup
This menu allows you to display and configure end to end backup. In order to start end to end backup at each and every boot, you must enable it via the System folder, Bootup And Shutdown menu. The menu will remind you if the feature is not enabled. The Primary Interface field determines the primary interface. The interface selected should be configured to supply the default gateway.
Chapter 5 – Configuring Ethernet Interfaces
Introduction
This chapter familiarizes the user with:
• Reading the Ethernet LEDs
• Configuring Ethernet Network Interfaces
• Configuring VLANs
• Configuring PPPoE
Ethernet Interface Fundamentals
RuggedCom manufactures dual Ethernet Interface boards in a variety of formats. Some (most notably the optical interfaces) have the same outward appearance but different order numbers.
The last 2 bytes of the VLAN tag contain the following information: the first 3 bits are a User Priority field that may be used to assign a priority level to the Ethernet frame. The next bit is the Canonical Format Indicator (CFI), used in Ethernet frames to indicate the presence of a Routing Information Field (RIF). The last 12 bits are the VLAN Identifier (VID), which uniquely identifies the VLAN to which the Ethernet frame belongs.
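The tag layout described above, as an added Python example (not RuggedCom's code): one function builds an 802.1Q-tagged frame from its fields and the other parses the tag back out, distinguishing a tagged frame from an untagged one by the 0x8100 TPID that precedes the 2-byte field just described. The MAC addresses and payload are constructed sample values; the function names are assumptions for the example.

```python
import struct

# Constructed example (not RuggedCom's code).  The 802.1Q tag follows the two
# MAC addresses: 2-byte TPID 0x8100, then the 2-byte TCI made of a 3-bit
# priority, a 1-bit CFI and a 12-bit VID, followed by the original EtherType.

TPID_8021Q = 0x8100

# Constructed sample addresses used by the demo and the checks.
SAMPLE_DST = bytes.fromhex("ffffffffffff")
SAMPLE_SRC = bytes.fromhex("0a0b0c0d0e0f")


def build_tagged_frame(dst, src, priority, cfi, vid, ethertype, payload):
    """Return dst + src + VLAN tag + EtherType + payload, validating field widths."""
    if not (0 <= priority <= 7):
        raise ValueError("priority is a 3-bit field")
    if cfi not in (0, 1):
        raise ValueError("CFI is a single bit")
    if not (0 <= vid <= 4095):
        raise ValueError("VID is a 12-bit field")
    tci = (priority << 13) | (cfi << 12) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_vlan_tag(frame):
    """Return the tag fields of an 802.1Q-tagged frame, or None if untagged.

    Length is checked before every slice so a truncated frame raises rather
    than yielding a misleading partial parse.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("tagged frame truncated inside the VLAN tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return {
        "priority": tci >> 13,        # first 3 bits: user priority
        "cfi": (tci >> 12) & 0x1,     # next bit: Canonical Format Indicator
        "vid": tci & 0x0FFF,          # last 12 bits: VLAN identifier
        "ethertype": ethertype,       # EtherType of the encapsulated payload
    }


if __name__ == "__main__":
    frame = build_tagged_frame(SAMPLE_DST, SAMPLE_SRC, 5, 0, 100, 0x0800, b"\x45\x00")
    print(frame[12:18].hex())         # 8100 a064 0800
    print(parse_vlan_tag(frame))
    print(parse_vlan_tag(SAMPLE_DST + SAMPLE_SRC + b"\x08\x00\x45\x00"))
```

Two VID values carry special meaning that a parser feeding a policy decision should treat explicitly: VID 0 marks a priority-tagged frame that belongs to no VLAN, and VID 4095 is reserved, so neither should be accepted as a configured VLAN membership.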
Ethernet
Figure 41: Ethernet Menu
This menu allows you to configure Ethernet interface parameters as well as display the routes and status of all network interfaces. Select the Ethernet Interfaces icon to configure Ethernet interfaces. The Network Interfaces menu lets you edit the permanent configuration of Ethernet interfaces, or simply try out changes.
The Network Configuration menu's Apply Configuration button applies permanent changes and restarts Ethernet networking. If only temporary changes have been made, the permanent configuration will be re-applied. In either table, edit the desired interface by clicking on its link under the Name column.
Editing Currently Active Interfaces
Figure 43: Editing a Network Interface
This menu allows you to make changes to the currently active interfaces.
Virtual Interfaces
Use virtual interfaces when you have an Ethernet port that has multiple "real" IP addresses assigned to it, e.g. a port provided by an Internet Service Provider.
Figure 44: Creating a Virtual Interface
The only new parameter is the virtual interface descriptor, which must be a numeric value. As an example, a virtual interface numbered 0 on eth1 appears as eth1:0 in interface descriptions and routing tables.
This menu allows you to make permanent changes to interfaces and to immediately apply those changes if desired. The Save button will save changes to the permanent configuration. The Netmask, Broadcast, MTU, Virtual Interfaces, Proxy ARP and Media Type controls are as described above. The IP Address fields allow you to manually specify an IP address for this interface, or to obtain the address from DHCP or from BOOTP.
Edit PPPoE Interface
Figure 48: Editing a PPPoE Interface
This menu allows you to edit a PPPoE interface. The PPPoE Username field determines the username used when connecting to the PPPoE server, as specified by your provider. The Password field determines the password provided to the PPPoE server. The Default Route checkbox enables automatically setting a default route through this interface whenever it connects.
PPP Logs
Figure 49: Display PPP Logs
This menu displays the native Ethernet and internal ADSL interface PPPoE connection messages. This is mainly useful when trying to debug a PPP connection problem.
Current Routes & Interface Table
The table provided by this command is as described in the Networking menu, Network Utilities sub-menu. It is also provided here as a convenience.
Chapter 6 – Configuring Frame Relay/PPP And T1/E1
Introduction
This chapter familiarizes the user with:
• Frame Relay and PPP Terminology and Issues
• Configuring Frame Relay and PPP Links
• Viewing status and statistics
• Upgrading Firmware
T1/E1 Fundamentals
A T1 is a communications circuit upon which has been imposed a digital signal 1 (DS1) signaling scheme.
Unlike PPP, a Frame Relay link can provide multiple (up to 990) connections. Each connection is identified by a Data Link Connection Identifier (DLCI) and must match at the DCE and DTE. The use of multiple connections can support meshed network interconnections and disaster recovery.
T1/E1 Network Interfaces
Figure 51: T1/E1 Network Interfaces Initial Configuration
This menu allows you to display and configure T1/E1 Trunk parameters, Channels and the logical interfaces that run on them. A table is presented for each interface. Note that the interface number is the same regardless of whether it is a T1 or E1 interface. Interface numbers are as described by the “WAN” labels shown in the home page chassis diagram.
After assigning the first DLCI, you may revisit the interface through the link under the Name field and add additional DLCIs. Once all channels have been assigned, the “Assign” links will no longer appear, as shown below. Note that any of the Frame Relay interfaces on a channel (in this case w1c4fr16 and w1c4fr17) may be used to edit the Frame Relay Link Parameters.
This menu allows you to display and configure T1 or E1 Trunk parameters. By default the interface is set for T1 operation. The Convert this interface to E1 link will set the interface for E1 operation and allow you to configure its settings. If logical interfaces use a channel above 24, an attempt to convert from E1 to T1 will prompt you to delete those logical interfaces first.
T1 Settings
The Framing field determines the framing format used.
Editing A Logical Interface (Frame Relay)
Figure 55: Edit Logical Interface (Frame Relay)
This menu allows you to configure Frame Relay link and logical interface fields.
Frame Relay Link Parameters
The first table presents the link parameters and applies to all logical interfaces. The Station Type field determines whether the router acts as customer premises equipment or as a frame relay switch. When a Frame Relay network provider is used, the CPE interface should be chosen.
Frame Relay DLCIs

The second table provides a listing of all DLCIs available on the channel. Only the DLCI selected from the main menu can be edited, although another DLCI can be added by following the Add another DLCI to this channel link. The DLCI Number refers to the Data Link Connection Identifier. This number should be provided to you by your provider. The Local IP Address field defines the IP address for this interface.
T1/E1 Statistics

When at least one logical interface is configured, T1/E1 Link and logical interface statistics will be available. These statistics are available from links on the T1/E1 WAN Interfaces menu. Link Statistics are provided through the “View Link Statistics” link at the bottom of each interface table. Frame Relay and PPP statistics are available through “(Statistics)” links under the interface name column of each interface table.
Frame Relay Interface Statistics

Figure 58: Frame Relay Statistics

Note that the Frame Relay Trunk Statistics and Frame Relay Trunk Communications Errors tables are common to all Frame Relay DLCIs on the trunk.
PPP Interface Statistics

Figure 59: PPP Link Statistics
T1/E1 Loopback

When at least one logical interface is configured, a T1/E1 loopback test can be performed. This menu can be reached from a link on the T1/E1 WAN Interfaces menu.

Figure 60: T1/E1 Loopback Menu

The loopback test provides a means to test the digital and analog circuitry of your T1/E1 hardware and the T1/E1 line. The sender transmits a number of frames which are looped back to it. The returning frames are verified for correctness.
Running a loop test on an active interface will immediately cause it to go down. The loop test automatically re-initializes the trunk after completing the test.

Current Routes & Interface Table

The table provided by this command is as described in the Networking menu, Network Utilities sub-menu. It is also provided here as a convenience.

Upgrading Software

For some customers, access to remote sites is accomplished solely by a T1 or E1 connection.
Chapter 7 – Configuring Frame Relay/PPP And T3

Introduction

This chapter familiarizes the user with:
• Configuring Frame Relay and PPP Links
• Viewing status and statistics
• Upgrading Firmware

T3 Fundamentals

A T3 is a communications circuit upon which has been imposed a digital signal 3 (DS3) signaling scheme. The scheme allows 672 “timeslots” of 64 Kbps DS0 information to be multiplexed to a 44.736 Mbps circuit.
T3 Configuration

Figure 62: T3 Trunks And Interfaces

This menu allows you to display and configure T3 Trunks as well as display the routes and status of the network interfaces.

T3 Network Interfaces

Figure 63: T3 Network Interfaces

Initial Configuration

This menu allows you to display and configure T3 Trunk parameters. A table is presented for each interface. Interface numbers are as described by the “WAN” labels as shown in the home page chassis diagram.
Editing A T3 Interface

Figure 65: Edit T3 Interface

This menu allows you to display and configure T3 Trunk parameters. The Framing field determines the framing format used. Your line provider will indicate the correct format. The Line Decoding field reflects the line encoding/decoding scheme. Almost all T3s now use B3ZS. The Clocking field selects whether to accept or provide clocks.
Figure 67: Edit Logical Interface (Frame Relay)

The fields and buttons in this menu are the same as those described in the Editing A Logical Interface (Frame Relay) section of the Configuring Frame Relay/PPP And T1/E1 chapter.

Editing A Logical Interface (PPP)

Figure 68: Edit Logical Interface (PPP)

The Local Address, Netmask, Remote Address, Default Gateway and Description fields are as described in the previous section.
Upgrading Software

For some customers, access to remote sites is accomplished solely by a T3 connection. Usually a software upgrade will stop the system being upgraded, perform the upgrade and then restart it. If the T3 software were upgraded in this way, the upgrade would fail because the T3 link would be taken down. Instead, T3 software upgrades modify only the software on the disk. You must schedule a reboot in order to run the new version of T3 software.
Chapter 8 – Configuring Frame Relay/PPP And DDS

Introduction

This chapter familiarizes the user with:
• Configuring Frame Relay and PPP Links
• Viewing status and statistics
• Upgrading software

DDS Fundamentals

A Digital Data Services (DDS) line is a North American digital transmission method that operates at 56 Kbps synchronously over an unloaded, 4-Wire metallic-pair circuit.
DDS Configuration

Figure 69: DDS Trunks And Interfaces

This menu allows you to display and configure DDS Trunks. The Current Routes menu will display the routes and status of the network interfaces.

DDS Network Interfaces

Figure 70: DDS WAN Interfaces

This menu allows you to display DDS trunks and configure the logical interfaces that run on them. A table is presented for each interface.
Naming Of Logical Interfaces

Webmin names the logical interfaces for you (but allows you to provide a description). All interfaces start with a “w” to identify them as WAN interfaces, followed by the interface number. The next part of the identifier is either “ppp” or “fr” followed by the frame relay DLCI number.
Editing A Logical Interface (PPP)

Figure 74: Edit Logical Interface (PPP)

The fields and buttons in this menu are the same as those described in the Editing A Logical Interface (PPP) section of the previous chapter.

DDS Statistics

When at least one logical interface is configured, DDS Link and logical interface statistics will be available. These statistics are available from links on the DDS WAN Interfaces menu.
Frame Relay And PPP Interface Statistics

Frame Relay and PPP interface statistics are as described in the Configuring Frame Relay/PPP And T1/E1 chapter.

DDS Loopback

When at least one logical interface is configured and that interface is active, a DDS Loopback test can be performed. This menu can be reached from a link on the DDS WAN Interfaces menu. The remote equipment must be able to loop, allowing the entire line to be verified.
Chapter 9 – Configuring PPPoE/Bridged Mode On ADSL

Introduction

This chapter familiarizes the user with:
• Configuring PPPoE and Bridged Mode Links
• Viewing status

ADSL Fundamentals

An ADSL (Asymmetric Digital Subscriber Line) line is a communications link running over regular POTS telephone service. The link is asymmetric, supporting data transfer at up to 8 Mbps from the network and up to 1 Mbps to the network.
Authentication, Addresses and DNS Servers

PPP authentication utilizes PAP or CHAP. Your ISP will provide you with a user-ID and password which you will enter in the GUI. The authentication process will assign a local IP address and the addresses of the ISP's DNS servers to the router. You should use these DNS servers unless you wish to provide your own. You will obtain either a dynamic or static IP from your ISP. Firewall configuration should be performed as is appropriate.
TX (Red) indicates when data is being transmitted over DSL. RX (Red) indicates when data is being received over DSL. While connecting, the LEDs flash sequentially. The RuggedRouter also indicates information about ADSL ports on the LED Panel. A pair of LEDs will indicate the traffic and link status of the port. Consult the section “Using The LED Status Panel” to determine which LEDs correspond to the port.
This menu allows you to display and configure logical interface fields for PPPoE and to convert the interface to Bridged Mode. By default, interfaces are created with PPPoE. If you want the interface to be Bridged Mode, click on the Convert this interface to bridged link. The Description field attaches a description to the logical interface viewable from the network interfaces menu. The VPI field determines the VPI number the connection uses.
The Description field attaches a description to the logical interface viewable from the network interfaces menu. The VPI field determines the VPI number the connection uses. The default of 0 is correct for most providers. The Attempt ATM Autoconfiguration option causes the router to attempt to automatically determine the VPI and VCI used on the connection.
When at least one logical interface is configured, ADSL Link statistics will be available. These statistics are available from links on the DDS WAN Interfaces menu. The Local SNR Ratio is an effective indicator of line quality. SNR values above 40 dB correspond to excellent line quality while values below 10 dB result in marginal operation or failure.
Chapter 10 – Configuring PPP and Modem

Introduction

This chapter familiarizes the user with:
• Configuring PPP Client
• Configuring PPP Server
• Configuring Dial in console
• Viewing status

Modem Fundamentals

The modem allows connections to be made over standard telephone lines. PPP is used to run network traffic over a modem link.

PPP Mode Fundamentals

PPP (Point-to-Point Protocol) is a protocol for linking two systems over a serial line.
Modem Main Menu

Figure 81: Modem Interface

This menu allows you to display and configure the modem interface.

Modem Configuration

Figure 82: Edit Modem Configuration

This menu allows you to configure the modem settings and features. The Dial-in console field allows the modem to answer incoming calls and present a login just like the console serial port does. The same login is used for both.
Rings before answer controls how many times to let the modem ring before answering the call, if Dial-in console or PPP Server is enabled. Additional Modem AT Init Codes allows extra AT codes to be entered if required. Permitted codes are:

Blind dial
X0 - Ignore dialtone/busy signal. Blind dial.
X4 - Monitor and report dialtone/busy signal. (default)

Guard tone control
&G0 - Disable guard tone. (default)
&G1 - Enable guard tone at 550Hz.
Modem PPP Client Connections

Figure 83: Configure Modem PPP Client

To edit an existing connection, click the 'Edit' link for that connection. To create a new connection, click the 'Add new' link. To have the router automatically dial a connection at boot and keep it up all the time, select which connection should be used from the drop-down list of available connection profiles in the 'Connect at boot' list.
Modem PPP Server

Figure 85: Configure Modem PPP Server

The Server IP address field controls which IP the router will use for the PPP connection. The Client IP address field controls which IP to assign to the remote system which connects. The Client Nameserver field controls which nameserver (if any) the client should use for DNS lookups. The Proxy ARP option makes the router attempt to proxy ARP the remote IP onto a local Ethernet subnet.
This page shows the latest log entries for incoming calls. This is mainly useful when trying to debug a problem with establishing incoming connections.

Modem PPP Logs

Figure 87: PPP Logs

This page shows the PPP logs. This is mainly useful when trying to debug a PPP connection problem.
Modem PPP Connection Logs

Figure 88: PPP Connection Logs

This page shows a list of PPP connections. It shows who connected, when they connected and disconnected, the connection speed, and session traffic.

Current Routes & Interface Table

The table provided by this command is as described in the Networking menu, Network Utilities sub-menu. It is also provided here as a convenience.
Chapter 11 – Configuring The Firewall

Introduction

This chapter familiarizes the user with:
• Enabling/Disabling The Firewall
• Elements of Firewall design
• How to configure the Firewall
• Checking Firewall configuration

Firewall Fundamentals

Firewalls are software systems designed to prevent unauthorized access to or from private networks.
The netfilter system uses rulesets, collections of packet classification rules that determine the outcome of examination of a specific packet. The rules are defined by iptables, a generic table structure syntax and utility program for the configuration and control of netfilter. In practice an iptables rule file and a script are all that are needed to load the netfilter system with rules upon router start-up.
Port Forwarding

Port forwarding (also known as redirection) allows traffic coming from the Internet to be sent to a host behind the NAT gateway. Previous examples have described the NAT process when connections are made from the intranet to the Internet. In those examples, addresses and ports were unambiguous. When connections are attempted from the Internet to the intranet, the NAT gateway will have multiple hosts on the intranet that could accept the connection.
7) If your hosts must accept sessions from the Internet, configure the rules file to support Destination Network Address Translation (DNAT). Which hosts need to accept connections, from whom and on which ports?
8) Configure the rules file to override the default policies. Have external connections been limited to approved IP address ranges? Have all but the required protocols been blocked?
9) If you are supporting a VPN, add additional rules.
Note: In order to improve security the router will create a zone “unusd” and assign unused interfaces to this zone when Shorewall starts. A policy is also installed that blocks access from “unusd” to all other zones. Interfaces are defined in the file /etc/shorewall/interfaces and are modified from the Network Interfaces menu.

Hosts

Shorewall hosts are used to assign zones to individual hosts or subnets, on an interface which handles multiple subnets.
Note that a client on the Internet that is probing the RuggedRouter's TCP/UDP ports will receive no responses and will not be able to detect the presence of the router. A host in the local network, on the other hand, will fail to connect to the router but will receive a notification. Note that the order of policies is important. If the last rule of this example were entered first, then no connections at all would be allowed.
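To make the ordering point concrete, here is an added Python simulation of Shorewall's first-match policy lookup (example code, not from the guide or from Shorewall itself); the zone names and the policy table are constructed to mirror the DROP-versus-REJECT situation just described.

```python
"""Added example (not part of the RuggedCom guide or of Shorewall):
simulate Shorewall's first-match policy lookup to show why the order of
default policies matters and how DROP and REJECT differ for the sender."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    source: str  # zone name, or "all"
    dest: str    # zone name, or "all"
    action: str  # ACCEPT, DROP or REJECT


# Constructed policy table, in the order it would appear in /etc/shorewall/policy.
POLICIES = [
    Policy("loc", "net", "ACCEPT"),   # local hosts may reach the Internet
    Policy("net", "fw", "DROP"),      # Internet probes of the router get no answer
    Policy("loc", "fw", "REJECT"),    # local hosts are told the port is closed
    Policy("all", "all", "REJECT"),   # catch-all: everything else is refused
]

# The same policies with the catch-all entered first: the mistake the text warns about.
MISORDERED = [POLICIES[-1]] + POLICIES[:-1]


def lookup_policy(policies, src_zone, dst_zone):
    """Return the action of the first policy matching (src_zone, dst_zone).
    Shorewall evaluates policies top to bottom; "all" matches any zone."""
    for p in policies:
        if p.source in (src_zone, "all") and p.dest in (dst_zone, "all"):
            return p.action
    raise LookupError(f"no policy for {src_zone} -> {dst_zone}")


def sender_observes(action):
    """What the initiating host sees for a connection attempt under each action."""
    return {
        "ACCEPT": "connection proceeds",
        "DROP": "no response at all (timeout); the router cannot be detected",
        "REJECT": "an explicit refusal (ICMP unreachable or TCP reset)",
    }[action]


def explain(policies, src_zone, dst_zone):
    """One-line description of the outcome for a zone pair under a policy table."""
    action = lookup_policy(policies, src_zone, dst_zone)
    return f"{src_zone} -> {dst_zone}: {action}; {sender_observes(action)}"


if __name__ == "__main__":
    for table, label in ((POLICIES, "correct order"), (MISORDERED, "catch-all first")):
        print(f"--- {label} ---")
        for src, dst in (("net", "fw"), ("loc", "fw"), ("loc", "net")):
            print(explain(table, src, dst))
```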
2) In this SNAT rule a static address of 66.11.180.161 is acquired from the ISP. Traffic from the subnet handled by eth2 should be translated to 66.11.180.161 as it is sent to the Internet over ppp. The + at the end of “ppp+” causes Shorewall to match any ppp interface.
3) This example is much the same as the previous one, only the subnet is explicitly described, and could include traffic from any of the Ethernet ports.
Source-Port: The tcp/udp port the connection originated from.
Original Destination IP: The destination IP address in the connection request as it was received by the firewall.
Rate-Limit: A specification which allows the rate at which connections are made to be limited.
User-Group: A method of limiting outbound traffic from the firewall to a specific user, group of users and a specific application.
IPSec traffic arriving at the firewall is directed to openswan, the IPSec daemon. Openswan then decrypts the traffic and forwards it back to shorewall on the assigned ipsecX interface. You will also need a rule to allow traffic to enter from this interface. For example, if openswan creates interface ipsec0 when its connections are established, and ipsec0 is in the zone vpn, you would need the following rule.
Firewall Main Menu

Figure 89: Starting Shorewall Firewall Menu

The above figure shows the firewall menu prior to configuration. Configure the firewall through the provided menus. The “Check Firewall” button can be selected after each menu configuration to check the existing configuration and provide notice of items still to be configured. When the firewall is fully configured, the “Start Firewall” button may be selected.
Figure 90: Shorewall Firewall Menu

The “Apply Configuration” button must be used after making configuration changes. It is recommended that the “Check Firewall” button be used first to verify that any changes made are valid. The “Refresh Configuration” button can be used to activate changes to the blacklisted host and traffic shaping configurations. The “Clear Configuration” button will remove the firewall rules completely and eliminate any protection they offer.
Network Zones

Figure 91: Firewall Network Zones

This menu allows you to add, delete and configure zones. Add a new zone by selecting the “Add a new network zone” link or by clicking on the add-above or add-below images in the Add field. The Zone Type field controls the type of traffic carried in the zone. The Firewall system zone type is built in to the fw zone. A zone type of IPSEC is used with policy based VPNs.
This menu allows you to add, delete and configure network interfaces. Add a new interface by selecting the “Add a new network interface” link or by clicking on the add-above or add-below images in the Add field. Reorder the interfaces by clicking on the arrows under the Move field. Clicking on a link under the Interface field will allow you to edit or delete the interface. Note that if you delete an interface you should remove any rules that reference it.
The norfc1918 option causes packets arriving on this interface that have a source or destination address reserved in RFC 1918 to be dropped after being optionally logged. The nobogons option causes packets arriving on this interface that have a source address reserved by the IANA or by other RFCs (other than 1918) to be dropped after being optionally logged. The routefilter option invokes the kernel's route filtering (anti-spoofing) facility on this interface.
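The following added Python model (not the guide's or Shorewall's code) shows what each of these three interface options rejects when run over constructed packets; the interface names, routing table and the short bogon list are all assumptions made for the illustration.

```python
"""Added example (not from the RuggedCom guide or Shorewall): a model of the
norfc1918, nobogons and routefilter interface options applied to packets
arriving on a WAN link (w1ppp) and a LAN port (eth1). All data is constructed."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A small, constructed subset of the non-RFC1918 reserved ranges a bogon list covers.
BOGONS = [ipaddress.ip_network(n)
          for n in ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                    "224.0.0.0/4", "240.0.0.0/4")]

# Constructed interface table: which options are set on each interface.
IFACE_OPTIONS = {
    "w1ppp": {"norfc1918", "nobogons", "routefilter"},  # WAN link to the provider
    "eth1": {"routefilter"},                             # local LAN
}

# Constructed routing table: (prefix, outgoing interface). Longest prefix wins.
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "eth1"),
    (ipaddress.ip_network("0.0.0.0/0"), "w1ppp"),
]


def in_any(addr, nets):
    return any(addr in n for n in nets)


def route_interface(routes, addr):
    """Longest-prefix-match lookup: the interface a reply to addr would leave by."""
    best = max((r for r in routes if addr in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None


def ingress_check(iface, src, dst, log=None):
    """Apply the interface's options to a packet arriving on iface.
    Returns ("PASS", "") or ("DROP", option); appends a log line if log is given."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    opts = IFACE_OPTIONS.get(iface, set())
    reason = ""
    if "norfc1918" in opts and (in_any(src, RFC1918) or in_any(dst, RFC1918)):
        reason = "norfc1918"
    elif "nobogons" in opts and in_any(src, BOGONS):
        reason = "nobogons"
    elif "routefilter" in opts and route_interface(ROUTES, src) != iface:
        # Reverse-path check: the route back to the claimed source must leave via
        # the interface the packet arrived on, otherwise the source is spoofed.
        reason = "routefilter"
    if reason:
        if log is not None:
            log.append(f"DROP {iface} {src}->{dst} ({reason})")
        return "DROP", reason
    return "PASS", ""


if __name__ == "__main__":
    log = []
    for pkt in (("w1ppp", "192.168.1.5", "198.51.100.10"),   # private source from WAN
                ("w1ppp", "127.0.0.1", "198.51.100.10"),     # loopback source from WAN
                ("eth1", "203.0.113.7", "198.51.100.10"),    # public source from LAN
                ("eth1", "192.168.1.5", "198.51.100.10"),    # legitimate LAN host
                ("w1ppp", "203.0.113.7", "198.51.100.10")):  # legitimate WAN packet
        print(pkt, ingress_check(*pkt, log=log))
    print("\n".join(log))
```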
Default Policies

Figure 95: Firewall Default Policies

This menu allows you to add, delete and configure default policies. Add a new policy by selecting the “Add a new default policy” link or by clicking on the add-above or add-below images in the Add field. Reorder the policies by clicking on the arrows under the Move field. Clicking on a link under the Source zone field will allow you to edit or delete the policy, as shown below.
This menu allows you to add, delete and configure masquerading and SNAT rules. Add a new rule by selecting the “Add a new masquerading rule” link or by clicking on the add-above or add-below images in the Add field. Reorder the rules by clicking on the arrows under the Move field. Clicking on a link under the Outgoing interface field will allow you to edit or delete the rule, as shown below. You may also make changes by manually editing the rule file.
The following fields describe the information to match against the incoming connection request in order to apply this rule. The Action field specifies the final action of the rule. The “and log to syslog” field determines whether logging will take place and at which logging level. The Source zone field specifies the zone the request originates from. The Destination zone or port field specifies the request's destination zone.
This menu allows you to add, delete and configure static NAT translations. Add a new translation by selecting the “Add a new static NAT entry” link or by clicking on the add-above or add-below images in the Add field. Reorder the translations by clicking on the arrows under the Move field. Clicking on a link under the External Address field will allow you to edit or delete the rule, as shown below. You may also make changes by manually editing the rule file.
This menu allows you to control which addresses the firewall will accept connections from after it has been stopped. Add a new address by selecting the “Add a new stopped address” link or by clicking on the add-above or add-below images in the Add field. Reorder the addresses by clicking on the arrows under the Move field. Clicking on a link under the Interface field will allow you to edit or delete the entry, as shown below.
Chapter 12 – Configuring An IPsec VPN

Introduction

This chapter familiarizes the user with:
• Configuring IPsec VPN Global Options
• Creating VPN Connections
• Enabling And Starting IPsec
• Obtaining VPN Status

VPN Fundamentals

IPsec (Internet Protocol SECurity) uses strong cryptography to provide both authentication and encryption services. Authentication ensures that packets are from the right sender and have not been altered in transit.
With route based VPNs:
• Openswan generates an IPSEC interface for each VPN tunnel,
• As the tunnel is brought up a route for the subnet at the other end of the tunnel is created through that interface,
• Any traffic destined for the tunnel's remote subnet is forwarded to the IPSEC interface and encoded and transmitted,
• The firewall is configured with a vpn zone (zone type IPV4), the IPSEC interface is included in the zone,
• As IPsec packets are received, openswan decodes them a
When you want to use this form of encryption, each router configures its VPN connection to use the RSA algorithm and includes the public signature of its peer. The RuggedRouter's public signature is available from the output of the Show Public Keys menu. In secret key cryptography, a single key known to both parties is used for both encryption and decryption.
You must configure the firewall to accept connections on these ports and protocols. See the Configuring The Firewall chapter, Configuring The Firewall And VPN section for details.

The Openswan Configuration Process

Each VPN connection has two ends, in the local router and the remote router. The Openswan developers designed the configuration in such a way that the configuration record describing a VPN connection can be used without change at either end.
After a VPN connection is created this menu will display an icon for the connection, as shown in the next view of the VPN Configuration menu. The “Add defaults for all connections” link allows you to create a profile that will apply to all connections for items such as key type, encryption protocol and compression. These defaults can then be overridden on a per connection basis. The “Add a new IPsec VPN connection” link creates a new connection and its icon.
The “Apply Configuration” button restarts the server to activate any configuration changes that have been made, restarting VPN connections.

Figure 106: IPsec VPN Configuration After Connections Have Been Created

Server Configuration

Figure 107: Server Configuration

The Protocol Stack field configures whether route based or policy based VPNs are used. Following the link will take the user to a menu that requests a reconfirmation and then changes the style of VPN.
Note: When connections become active, Openswan assigns them to ipsec interfaces. You must plan on these interfaces being the source of incoming traffic in firewall rules. The NAT Traversal fields enable and disable this feature. Enable NAT Traversal if this router originates the VPN connection and the VPN connection passes through a firewall. The Syslog logging level fields determine the facility and priority of log messages generated by Openswan.
List Certificates

Figure 110: List Certificates

This menu lists available certificate files, their corresponding key files and details whether a public key for the certificate is configured.

VPN Connections

The IPsec main menu “Add a new IPsec VPN connection” link leads to the “Create Connection” menu, creating a new connection and its icon. Selecting the connection's icon from the IPsec main menu displays the same menu, allowing editing and deletion.
The At IPsec startup field determines what happens to the connection after Openswan starts and includes the options “Ignore”, “Add connection”, “Start Connection”, “Route” and “Default”. A value of “Ignore” will cause the connection to be ignored. A value of “Add connection” will cause the connection to be established when explicitly started (via command line or the IPsec VPN Configuration menu “Start Connection” button).
Left/Right System's Settings

Figure 112: Editing A VPN Connection, Part 2

The Public IP address fields determine the IP address of the side of the connection being edited. Check the Address or hostname.. field and provide a fixed IP address or hostname. If this side reflects a remote client whose IP address changes, select Automatic (%any). Use From default route if the host's IP is dynamically assigned.
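The Openswan Configuration Process section above says one left/right record serves both ends, and this section introduces the %any and From default route (%defaultroute) address forms. The added Python below (not the guide's or Openswan's code) shows how a router works out which end of such a record it is; the connection records, addresses and subnets are constructed for the illustration.

```python
"""Added example (not from the RuggedCom guide or Openswan): orient a single
left/right connection record on whichever router loads it, handling fixed
addresses, hostnames, %any (remote end only) and %defaultroute (this end)."""
import ipaddress

# Constructed site-to-site record; the same dict would be installed on both routers.
SITE_CONN = {
    "left": "203.0.113.1", "leftsubnet": "192.168.1.0/24",
    "right": "198.51.100.2", "rightsubnet": "192.168.2.0/24",
}

# Constructed road-warrior records: the router is "left"; the client's address changes.
ROUTER_RW = {"left": "203.0.113.1", "leftsubnet": "192.168.1.0/24", "right": "%any"}
CLIENT_RW = {"left": "203.0.113.1", "leftsubnet": "192.168.1.0/24", "right": "%defaultroute"}


def _norm(value):
    """Canonical form for comparison: IP literals are normalised, hostnames kept as given."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return value


def orient(conn, local_addrs, default_route_addr=None):
    """Return (this_side, peer_side) for the router owning local_addrs.
    A side is "us" when its address is one of ours; %any only ever names the
    remote end; %defaultroute names our end when we know our default-route address."""
    local = {_norm(a) for a in local_addrs}

    def is_local(side):
        value = conn[side]
        if value == "%any":
            return False
        if value == "%defaultroute":
            return default_route_addr is not None
        return _norm(value) in local

    left_local, right_local = is_local("left"), is_local("right")
    if left_local and right_local:
        raise ValueError("both ends resolve to this router; record is ambiguous")
    if left_local:
        return "left", "right"
    if right_local:
        return "right", "left"
    raise ValueError("neither end matches this router; it cannot load this record")


def local_view(conn, local_addrs, default_route_addr=None):
    """Flatten the shared record into this router's own view of the tunnel."""
    me, peer = orient(conn, local_addrs, default_route_addr)
    my_addr = default_route_addr if conn[me] == "%defaultroute" else conn[me]
    return {
        "role": me,
        "my_addr": my_addr,
        "my_subnet": conn.get(me + "subnet"),
        "peer_addr": conn[peer],
        "peer_subnet": conn.get(peer + "subnet"),
    }


if __name__ == "__main__":
    # The identical SITE_CONN record, loaded on router A and then on router B.
    print(local_view(SITE_CONN, ["203.0.113.1", "192.168.1.254"]))
    print(local_view(SITE_CONN, ["198.51.100.2", "192.168.2.254"]))
    # A dynamically addressed client using its default-route address as its own end.
    print(local_view(CLIENT_RW, ["192.0.2.77"], default_route_addr="192.0.2.77"))
```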
Showing IPsec Status

1 2 3 4 5 6
interface lo/lo 127.0.0.1
interface eth1/eth1 10.0.0.253
interface eth2/eth2 204.50.190.89
interface w1ppp/w1ppp 206.186.238.
The fourth group (lines 30-39) describes the VPN connections (here “openswantest”). The first line is particularly useful since it indicates the connection addresses, subnets and that the connection is active (“erouted”). If there are no entries, then the VPN hasn't been established at all. If there are entries, but no STATE_QUICK_R2 (IPsec SA established) lines, then the IPsec parameters are configured but the tunnel hasn't been established.
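As an added example that is not part of the guide or of Openswan, the following Python parses the connection and SA-state lines of such a status listing and classifies each connection exactly as the paragraph above describes; the sample listing is constructed and only approximates Openswan 2.x formatting, and the connection names, addresses and subnets are invented.

```python
"""Added example (not from the RuggedCom guide or Openswan): parse the
connection and state lines of an "ipsec auto --status" style listing and
report, per connection, whether the IPsec tunnel is actually established."""
import re

# Constructed sample; the layout approximates Openswan 2.x status output.
STATUS_SAMPLE = """\
000 interface lo/lo 127.0.0.1
000 interface eth1/eth1 10.0.0.253
000 interface w1ppp/w1ppp 203.0.113.9
000 "openswantest": 10.0.0.0/24===203.0.113.9...198.51.100.5===192.168.5.0/24; erouted; eroute owner: #2
000 "branch2": 10.0.0.0/24===203.0.113.9...198.51.100.6===192.168.6.0/24; unrouted; eroute owner: #0
000 "branch3": 10.0.0.0/24===203.0.113.9...198.51.100.7===192.168.7.0/24; unrouted; eroute owner: #0
000 #1: "openswantest":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2405s; newest ISAKMP
000 #2: "openswantest":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 27123s; newest IPSEC; eroute owner
000 #3: "branch3":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 9s
"""

# Connection summary line: "name": localsubnet===localaddr...remoteaddr===remotesubnet; routing;
CONN_RE = re.compile(r'^000 "([^"]+)":\s+(\S+)===(\S+)\.\.\.(\S+)===(\S+); (\w+);')
# SA state line: #n: "name":port STATE_xxx (description)
STATE_RE = re.compile(r'^000 #(\d+): "([^"]+)":\d+ (STATE_\w+) \(([^)]*)\)')

# A Phase 2 (IPsec) SA is up when the responder reaches R2 or the initiator reaches I2.
IPSEC_UP = {"STATE_QUICK_R2", "STATE_QUICK_I2"}


def parse_status(text):
    """Return {connection name: {"local", "remote", "routing", "states"}}."""
    conns = {}
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            name, lsub, laddr, raddr, rsub, routing = m.groups()
            conns[name] = {"local": f"{lsub} via {laddr}",
                           "remote": f"{rsub} via {raddr}",
                           "routing": routing, "states": []}
            continue
        m = STATE_RE.match(line)
        if m:
            _sa, name, state, _desc = m.groups()
            conns.setdefault(name, {"routing": "unknown", "states": []})
            conns[name]["states"].append(state)
    return conns


def classify(conn):
    """Apply the text's rule: no entries -> not established; entries without an
    IPsec-SA state -> parameters loaded but tunnel not up; otherwise tunnel up."""
    states = conn["states"]
    if not states:
        return "not established (no SA entries)"
    if IPSEC_UP & set(states):
        return "tunnel up (IPsec SA established)"
    return "negotiating (IKE state present, no IPsec SA yet)"


def summarise(text):
    return {name: classify(c) for name, c in parse_status(text).items()}


if __name__ == "__main__":
    for name, verdict in summarise(STATUS_SAMPLE).items():
        print(f"{name}: {verdict}")
```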
Generate X.509 Certificates

Use the authority to produce a certificate authority public certificate (cacert), a certificate for each of the clients and a certificate for the router. The certificate authority will require some information that is shared by all certificates (e.g. a Country Name (C), a State Or Province Name (S), an Organization name (O)) and some per-client information (e.g. a Common Name (CN) and an Email address (E)).
Parameters

Parameter                    Value            Comments
At IPsec Startup             Add connection   We wish to add the connection when the client starts it.
Authenticate by              rsasig           X.509 certificates provide RSA
Connection Type              Tunnel
Encryption Protocols         As desired
Compress Data                As desired
Perfect Forwarding Secrecy   As desired       Recommend “yes”
NAT Traversal                No               Required when the router acts as a client and is behind a NAT firewall.
Chapter 13 – Configuring Dynamic Routing

Introduction

This chapter familiarizes the user with:
• Enabling The Dynamic Routing Suite
• Enabling And Starting OSPF and RIP
• Configuring OSPF and RIP
• Obtaining OSPF and RIP Status
• OSPF and VRRP

Quagga, RIP and OSPF

Dynamic routing is provided by the Quagga suite of routing protocol daemons. Quagga provides three daemons for managing routing, the core, ripd and ospfd.
OSPF Fundamentals

The Open Shortest Path First (OSPF) routing protocol determines the best path for routing IP traffic over a TCP/IP network based on link cost and quality. Unlike static routing, OSPF takes link failures and other network topology changes into account. Unlike the RIP routing protocol, OSPF generates less router-to-router update traffic. RuggedRouter routing protocols are supplied by the Quagga routing package.
A router can be part of multiple areas and function as a gateway between areas. When multiple areas are used on a network, area 0 is the backbone area. All areas must have a router connecting them to area 0.

Router-ID

Defines the ID of the router. By default this is the highest IP assigned to the router. It is often a good idea to configure this value manually to avoid the router-id changing if interfaces are added or deleted from the router.
Link Detect

When link detect is enabled for an OSPF/RIP active interface, OSPF or RIP will be notified when the interface goes down and will stop advertising subnets associated with that interface. OSPF and RIP will resume advertising the subnet when the link is restored. This allows OSPF and RIP to detect link failures more rapidly (as the router does not have to wait a dead interval to time out).
Note: Ensure that Antispoofing is disabled if you are constructing the above described type of OSPF network. Antispoofing can be disabled in the Network Configuration menu, Core Settings sub-menu.

Administrative Distances

The router may work with different routing protocols at the same time, as well as employing local interface and statically assigned routes. An administrative distance (from 0 to 255) is a rating of the trustworthiness of a routing information source.
OSPF And VRRP Example Network

This network consists of three routers connected in a ring with T1/E1 links. Router 1 and 2 and the switched network represent a remote site in which the routers supply a redundant gateway to the hosts via VRRP and the T1/E1 links supply a redundant network connection to the rest of the network.

(Network diagram: Router 1, Router 2 and Router 3 joined in a ring by w1ppp/w2ppp T1/E1 links with addresses in 1.1.1.x; Host 3 at IP 2.2.2.101 with gateway 2.2.2.254.)
If Router 1 or its Ethernet link fail, VRRP will detect the link being down and remove the direct route to 1.1.2.0/24. VRRP on Router 2 will stop seeing messages from Router 1, elect itself master and will take over the gateway for the network. OSPF on Router 1 will notice the link being down (and the route to 1.1.2.0/24 disappearing) and will use information from Router 2 to install a route to 1.1.2.0/24 via Router 2.
Core

Figure 118: Core Menu

The Core routing daemon handles communications between the kernel of the router and the other dynamic routing protocols. Core handles link detection and monitoring static routes and routes for directly connected interfaces on the router. It also manages adding routes to the kernel routing table based on the routes discovered by other dynamic routing protocols.
Parameters specific to one interface are configured here. Each interface on the router is listed. Clicking on settings displays a menu of configuration options for that interface. Clicking on status displays the current status of the interface, including link state, IP address and traffic counts. Clicking “Remove inactive interfaces” purges the list of any interfaces which are no longer configured on the router.
OSPF Figure 121: OSPF Menu This menu contains the configuration and status of OSPF on the router. The OSPF Global Parameters, OSPF Interfaces and Network Areas menus configure OSPF. The Status and View OSPF Configuration menus display the actual status and configuration file contents of OSPF.
The Enable Password field sets the password to be used for the enable command of ospfd. This is used by the telnet interface of ospfd to control access to the configuration. The Telnet Password field sets the password to be used for telnet access to ospfd. This is used as the login password of ospfd when locally telnetting to port 2604 of the router. The ABR-Type field selects which method to use on area border routers to manage inter-area routes.
The Redistribute Kernel fields control distribution of kernel routes. When enabled, OSPF will advertise routes from the kernel routing table, which includes static routes entered by the administrator, to other OSPF routers in the area. Normally only routes that fall within the scope of the network areas will be advertised. The Redistribute RIP fields control distribution of routes learned by RIP. When enabled, OSPF will advertise routes learned by RIP.
The Transmit Delay field controls the estimated number of seconds to transmit a link state update packet. This should take into account transmission and propagation delays of the interface. The Passive Interface option controls if an interface is active or passive. Passive interfaces do not send LSAs to other routers and are not part of an OSPF area. The Authentication field controls the type of authentication to use when communicating with other routers.
The RIP Global Parameters and RIP Interfaces menus configure RIP. The Status and View RIP Configuration menus display the actual status and configuration file contents of RIP. RIP Global Parameters Figure 126: RIP Global Parameters The Enable Password field sets the password to be used for the enable command of ripd. This is used by the telnet interface of ripd to control access to the configuration.
The Redistribute Connected fields control distribution of connected routes. When enabled, RIP will advertise routes to directly connected interfaces to other RIP routers in the area. Normally only routes that fall within the scope of the network areas will be advertised. The Redistribute Kernel fields control distribution of kernel routes.
Parameters specific to one interface are configured here. Each interface on the router is listed. Clicking on settings displays a menu of configuration options for that interface. Clicking “Remove inactive interfaces” purges the list of any interfaces which are no longer configured on the router. The Passive Interface option controls if an interface is active or passive. Passive interfaces do not send RIP updates to other routers.
Networks are used when you want to add any router that is part of a specific subnet, or connected to a specific network interface, to your RIP network. Both neighbors and networks can be used at the same time. Note: For point-to-point links (T1/E1 links, for example) one must use neighbor entries to add other routers to exchange routes with. Also note that RIP v1 does not send subnet mask information in its updates.
Chapter 14 – Configuring Link Backup Introduction This chapter familiarizes the user with:
• Configuring link backup
• Obtaining system status
• Testing link backup
Link Backup Fundamentals Link backup provides an easily configured means of raising a backup link upon the failure of a designated main link. The main and backup links can be Ethernet, CDMA or Dial Modem, TE1, DDS, ADSL or T3. The only requirement is that the main link be a “permanent” link raised at boot time.
The daemon will construe the main link as having failed (even if its link status is “up”) if the remote host fails to respond to a configurable number of pings after waiting a configurable timeout for each ping. Use Of Routing Protocols And The Default Route If the main trunk is on a private network, employ a routing protocol to ensure that an alternate route to the end network is learned after the backup trunk is raised.
Edit Link Backup Configuration Figure 132: Link Backup Configuration Set the Name field to supply an identification of the pair. This field initially defaults to the “main_link_name->backup_link_name”. The Enable this configuration field enables this backup. The Transfer default gateway field causes the gateway to be transferred to the backup link upon failure of the main link path.
Note: If you delete a link backup configuration that has failed over (or is failing over) to its backup trunk, the link daemon will stop attempting the link backup and restore the main trunk, even if the main trunk is still down. Link Backup Logs Figure 133: Link Backup Log The link backup log displays the log of recent backup events. Link Backup Status Figure 134: Link Backup Status The link backup status menu displays the status of links managed by the feature.
The Test Duration field controls the amount of time to run before restoring service to the main trunk. Please note that this duration must take into account the timing parameters of the backup configuration: The duration should comfortably exceed the Ping Interval plus the Ping Timeout multiplied by the Ping retry count plus the Main path down timeout. In the case of a dial backup configuration, also be sure to take into account the call setup and modem connection times.
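The following is an added example, not RuggedCom's link daemon, that models the failure detection described in this chapter (the main path is judged by ping replies, not by link status) and computes the Test Duration lower bound given above. The BackupConfig field names mirror the web-form labels; the class names, the simulated clock and the scripted ping replies are assumptions made for illustration.

```python
"""Link-backup failure detection and the Test Duration lower bound.

Added example modelled on the behaviour this chapter describes; it is not
RuggedCom's link daemon. The BackupConfig field names mirror the web-form
labels (Ping Interval, Ping Timeout, Ping retry count, Main path down
timeout); the class and function names and the simulated clock are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class BackupConfig:
    name: str                      # e.g. "main_link_name->backup_link_name"
    ping_interval: float           # seconds between probes of the remote host
    ping_timeout: float            # seconds to wait for each ping reply
    ping_retries: int              # unanswered pings before the main path is declared down
    main_path_down_timeout: float  # seconds the path must stay down before the backup is raised


def minimum_test_duration(cfg: BackupConfig) -> float:
    """Lower bound for the Test Duration field from the paragraph above:
    Ping Interval + Ping Timeout * Ping retry count + Main path down timeout.
    Dial backup call-setup time is not included and must be added by the caller."""
    return cfg.ping_interval + cfg.ping_timeout * cfg.ping_retries + cfg.main_path_down_timeout


@dataclass
class LinkBackupModel:
    cfg: BackupConfig
    failures: int = 0                       # consecutive unanswered pings
    main_down: bool = False                 # main path construed as failed
    down_since: Optional[float] = None      # simulated time the path was declared down
    backup_raised: bool = False
    events: List[Tuple[float, str]] = field(default_factory=list)

    def observe(self, now: float, answered: bool) -> None:
        """Process one probe result at simulated time `now` (seconds)."""
        if answered:
            self.failures = 0
            if self.main_down:
                self.main_down, self.down_since = False, None
                self.events.append((now, "main_restored"))
            if self.backup_raised:                     # main path answers again: restore service
                self.backup_raised = False
                self.events.append((now, "backup_lowered"))
            return
        self.failures += 1
        # Link status is deliberately ignored here: the path is judged by ping replies only.
        if not self.main_down and self.failures >= self.cfg.ping_retries:
            self.main_down, self.down_since = True, now
            self.events.append((now, "main_down"))
        if (self.main_down and not self.backup_raised
                and now - self.down_since >= self.cfg.main_path_down_timeout):
            self.backup_raised = True                  # default gateway moves to the backup
            self.events.append((now, "backup_raised"))


def simulate(cfg: BackupConfig, replies: List[bool]) -> List[Tuple[float, str]]:
    """Feed a constructed sequence of ping results through the model.
    Each answered probe costs ping_interval; an unanswered one also waits ping_timeout."""
    model = LinkBackupModel(cfg)
    now = 0.0
    for answered in replies:
        model.observe(now, answered)
        now += cfg.ping_interval + (0.0 if answered else cfg.ping_timeout)
    return model.events


if __name__ == "__main__":
    cfg = BackupConfig("t1->modem", ping_interval=10, ping_timeout=5,
                       ping_retries=3, main_path_down_timeout=30)
    print("minimum Test Duration:", minimum_test_duration(cfg), "s")
    for t, ev in simulate(cfg, [True, False, False, False, False, False, True]):
        print(f"{t:5.0f}s {ev}")
```

With the constructed settings (10 s interval, 5 s timeout, 3 retries, 30 s down timeout) the path is declared down 40 s into the run and the backup is raised at 70 s, while the Test Duration bound evaluates to 55 s; a test shorter than the actual failover sequence would restore the main trunk before the backup was ever exercised.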
Chapter 15 – Configuring VRRP Introduction This chapter familiarizes the user with:
• Configuring VRRP
• Enabling And Starting VRRP
• Obtaining VRRP Status
VRRP Fundamentals The Virtual Router Redundancy Protocol (VRRP) eliminates a single point of failure associated with statically routed networks by providing automatic failover using alternate routers. The RuggedRouter VRRP daemon (keepalived) is an RFC 2338 version 2 compliant implementation of VRRP.
Each Virtual Router has a user-configured Virtual Router Identifier (VRID) and a Virtual IP address or set of IP addresses on the shared LAN. Hosts on the shared LAN are configured to use these addresses as the default gateway. One router in the Virtual Router Group will be elected as the Master; all other routers in the group will be Backups. Each router in the group will run at a specific Priority. The router with the highest priority is elected Master.
The router issues a set of gratuitous ARPs when moving between master and backup state. These unsolicited ARPs teach the hosts and switches in the network of the current MAC address and port associated with the VRIP. The router will issue a second set of ARPs after the time specified by the Gratuitous ARP delay.
VRRP Main Menu Figure 137: VRRP Main Menu Note that VRRP is disabled by default and may be enabled via the System folder, Bootup And Shutdown menu. VRRP can be configured through the VRRP Configuration link before the daemon is started. When enabled, any configuration changes may be made to take effect by selecting the Restart VRRP daemon button. The VRRP Instances Status link presents the status of VRRP instances existing as of the last restart of keepalived.
Editing A VRRP Instance Figure 139: VRRP Instance The Name field is purely for informational purposes. The Interface field configures the interface that VRRP packets are sent upon. The Virtual Router ID field determines the VRID number. Ensure that all routers supplying the same VRIP have the same VRID. The value of the VRID varies from 1 to 255. The Advert Interval field configures the time between VRRP advertisements.
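The election described under VRRP Fundamentals and the VRID and Advert Interval fields above, as an added example (neither keepalived nor RuggedCom code). The highest-priority rule, the VRID range and the requirement that routers supplying one VRIP share a VRID come from this chapter; the tie-break on the higher primary IP address and the Master_Down_Interval formula are taken from RFC 2338, which the chapter cites. Instance names and addresses are constructed.

```python
"""VRRP master election for one virtual router.

Added example; it is neither keepalived nor RuggedCom code. The
highest-priority rule, the VRID range of 1..255 and the requirement that all
routers supplying one VRIP share a VRID are from this chapter; the tie-break on
the higher primary IP address and the Master_Down_Interval formula are taken
from RFC 2338, which the chapter cites. Instance names and addresses are
constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List


@dataclass(frozen=True)
class VrrpInstance:
    name: str             # informational only, like the Name field
    interface: str        # interface the advertisements are sent on
    vrid: int             # Virtual Router ID, 1..255
    priority: int         # 1..255; 255 is reserved for the owner of the VRIP
    primary_ip: str       # this router's own address on the shared LAN
    advert_interval: int  # Advert Interval in seconds

    def __post_init__(self) -> None:
        if not 1 <= self.vrid <= 255:
            raise ValueError(f"{self.name}: VRID {self.vrid} is outside 1..255")
        if not 1 <= self.priority <= 255:
            raise ValueError(f"{self.name}: priority {self.priority} is outside 1..255")


def shares_vrid(group: List[VrrpInstance]) -> bool:
    """True when every instance in the group was configured with the same VRID."""
    return len({i.vrid for i in group}) == 1


def elect_master(group: List[VrrpInstance]) -> VrrpInstance:
    """Highest priority wins; equal priorities are resolved in favour of the higher
    primary IP address (RFC 2338). Instances with different VRIDs are not one group."""
    if not shares_vrid(group):
        raise ValueError("all routers supplying one VRIP must use the same VRID")
    return max(group, key=lambda i: (i.priority, int(IPv4Address(i.primary_ip))))


def master_down_interval(backup: VrrpInstance) -> float:
    """Seconds a backup waits without advertisements before declaring the master dead:
    3 * Advert Interval + Skew_Time, with Skew_Time = (256 - Priority) / 256 (RFC 2338).
    The highest-priority backup therefore times out first and takes over."""
    return 3 * backup.advert_interval + (256 - backup.priority) / 256


if __name__ == "__main__":
    r1 = VrrpInstance("gw-primary", "eth1", vrid=10, priority=150, primary_ip="1.1.2.1", advert_interval=1)
    r2 = VrrpInstance("gw-backup", "eth1", vrid=10, priority=100, primary_ip="1.1.2.2", advert_interval=1)
    master = elect_master([r1, r2])
    print("master:", master.name)
    for r in (r1, r2):
        if r is not master:
            print(f"{r.name} declares the master down after {master_down_interval(r):.3f}s")
```

A mismatched VRID is the configuration error the text warns about: two routers meant to back each other up would each consider itself the only member of its group and both answer for the VRIP.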
Viewing VRRP Instances Status Figure 140: VRRP Instances Status The VRRP Instances Status menu displays the current status of VRRP instances. This menu does not update status in real time. Click on the Refresh Display button to update to the current status. The entries under the Instance column reflect the name of VRRP instances existing as of the last restart of keepalived. The entries under the Current State column reflect the state of VRRP instances.
Chapter 16 – Configuring Traffic Prioritization Introduction This chapter familiarizes the user with:
• Enabling/Disabling Traffic Prioritization
• Viewing Traffic Prioritization Statistics
Traffic Prioritization Fundamentals The RuggedRouter is able to prioritize traffic transmitted on network interfaces (including Ethernet, T1E1, DSL and PPP ports), giving preferential treatment to certain classes of traffic.
TOS Prioritization The priority of an IP packet can be derived from its Type of Service field.
Prioritization Example A remote site router connects to a private network via a T1 line. The router uses OSPF to manage an alternate route, but its primary purpose is to allow access to a switched network of RuggedServers implementing TcpModbus gateways (TCP/UDP port 502). The router and switches are managed through their Web interfaces, but can be managed through SSH as well. The RuggedServers are managed through Telnet.
Traffic Prioritization Main Menu Figure 141: Traffic Prioritization Main Menu This menu displays network interfaces for which prioritization may be activated. Prioritization may be configured by following the Interface column link. The statistics of prioritized interfaces may be viewed by following the links in the Statistics column.
Remove prioritization by selecting the Delete and Apply button. Prioritization Queues Figure 143: Prioritization Queue Configuration This menu allows you to edit the name of a priority queue and to delete the queue. If you delete a queue referenced by filters, the filters will be adjusted to use the next lowest queue. Prioritization Filters Figure 144: Prioritization Filter Configuration This menu allows you to edit and delete traffic filters.
Prioritization works by establishing queues at the required priority levels and filling the transmit queue with them in priority order. The aim of establishing low latency for certain traffic is foiled when transmit queue lengths are large, because multiple low priority packets may have queued before a high priority packet arrives at the router. RuggedCom recommends that the transmit queue length be left at its minimum default value of 1.
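The interaction between the priority queues and the device transmit queue described above, as an added example (not RuggedCom's traffic-prioritization implementation). Time is counted in ticks of one packet transmission; the packet names, the burst of low-priority traffic and the arrival time of the high-priority packet are constructed.

```python
"""Strict-priority scheduling in front of a device transmit queue.

Added example (not RuggedCom's traffic-prioritization implementation) to show
why the chapter recommends a transmit queue length of 1. Time is in ticks of
one packet transmission; the packet names and arrival pattern are constructed.
"""
from collections import deque
from typing import Deque, Dict, List, Tuple


def simulate(arrivals: List[Tuple[int, int, str]], txqueuelen: int, ticks: int) -> Dict[str, int]:
    """arrivals: (tick, priority, name) with 0 the highest priority.
    Returns the tick at which each packet left the interface."""
    prio_queues: Dict[int, Deque[str]] = {}
    txq: Deque[str] = deque()             # the device transmit queue, a plain FIFO
    sent: Dict[str, int] = {}
    pending = sorted(arrivals)
    for t in range(ticks):
        # 1. classify newly arrived packets into their priority queue
        while pending and pending[0][0] <= t:
            _, prio, name = pending.pop(0)
            prio_queues.setdefault(prio, deque()).append(name)
        # 2. the device transmits the head of its FIFO, one packet per tick
        if txq:
            sent[txq.popleft()] = t
        # 3. refill the transmit queue, always taking from the highest priority queue first
        while len(txq) < txqueuelen:
            ready = [p for p in sorted(prio_queues) if prio_queues[p]]
            if not ready:
                break
            txq.append(prio_queues[ready[0]].popleft())
    return sent


def alarm_latency(txqueuelen: int) -> int:
    """Ticks a single high-priority packet waits when it arrives behind a burst of
    low-priority traffic, for a given transmit queue length."""
    burst = [(0, 1, f"bulk{i}") for i in range(20)]       # constructed low-priority burst
    alarm_arrival = 5
    arrivals = burst + [(alarm_arrival, 0, "alarm")]
    sent = simulate(arrivals, txqueuelen, ticks=60)
    return sent["alarm"] - alarm_arrival


if __name__ == "__main__":
    for qlen in (1, 5, 10):
        print(f"txqueuelen={qlen:2d}: alarm waits {alarm_latency(qlen)} ticks")
```

The priority queues themselves are ordered correctly in every run; the delay comes entirely from the low-priority packets that were already handed to the device FIFO before the high-priority packet existed, which is why the wait grows one for one with the transmit queue length.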
Chapter 17 – Configuring Generic Routing Encapsulation Introduction This chapter familiarizes the user with:
• Enabling/Disabling GRE
• Viewing GRE Status
GRE Fundamentals The RuggedRouter is able to encapsulate multicast traffic and IPv6 packets and transport them through an IPv4 network tunnel. The GRE tunnel can transport the traffic through any number of intermediate networks.
GRE Main Menu Figure 147: GRE Main Menu This menu displays configured GRE tunnels. The tunnel status will be “active” if the tunnel was successfully created. GRE Configuration Menu Figure 148: GRE Tunnel Configuration Menu This menu allows you to add or edit a tunnel. The Tunnel Name field will be presented if the tunnel is being created. The tunnel name is purely for informational purposes. A network routing device with this name will be created.
Chapter 18 – Network Utilities Introduction This chapter familiarizes the user with:
• Pinging hosts
• Running a traceroute
• Performing a host lookup
• Tracing line activity
• Showing interface statistics
Network Utilities Main Menu Figure 149: Network Utilities Main Menu The lower part of the menu provides quick pinging, tracerouting and lookup of hosts. The upper part leads to menus providing more configurable options for these commands.
Ping Menu Figure 150: Ping Menu The Hostname field accepts the host name or IP address to ping. The Verbose Output? field causes ping to present the maximum of output. The Lookup Addresses? field causes ping to resolve IP addresses to domain names. This can make ping behave very slowly if DNS is not properly configured. The Packet Size? field specifies the size of the data in the ping packet. The true length of the packet is 28 bytes larger due to IP/ICMP overhead.
The Packet Length? field specifies the size of the data in the traceroute packet. The Interface? field specifies the network interface to obtain the source IP address for outgoing probe packets. Otherwise the router will manually set the address based on the actual interface taken. Host Menu Figure 152: Host Menu The Hostname field accepts the host name or IP address to ping. The Type? field selects the type of information to capture.
The Maximum packets captured and Maximum capture time fields limit the amount of traffic captured. The Lookup Addresses? field causes ping to resolve IP addresses to domain names. This can make ping behave very slowly if DNS is not properly configured. The Display link level header field causes this header to be displayed. The Perform HEX/ASCII dump field will cause the data content of the captured packets to be displayed. This option generates a large amount of data.
The Message RX/TX and Incoming/Outgoing Connections fields cause data packets and connection activity to be included in the trace. The Hex dump field causes the content of data packets to be displayed. The Maximum packets captured and Maximum capture time fields limit the amount of traffic captured. Interface Statistics Menu Figure 156: Interface Statistics Menu This menu provides basic statistics for all network interfaces.
Current Routing & Interface Table Figure 157: Current Routing & Interface Table This menu displays the current routing table and the state of the router's interfaces. Select the Refresh link in order to refresh the display. The entries under the Destination field reflect the network or host which can be reached through this route. The “default” entry matches any packet which has not already matched another route.
Interface Status This menu also summarizes the interface status. The entries under the Device field reflect the name of the device. The entries under the Link up field reflect the current link state of the interface. The entries under the Address field reflect the local address of the interface. The entries under the Netmask field reflect the netmask applied to this interface.
Chapter 19 – Configuring Serial Protocols Introduction This chapter familiarizes the user with:
• RawSockets Applications
• Configuring Serial ports for RawSocket
• Viewing Serial Port and TCP Connection status and statistics
• Resetting Serial ports
• Tracing Serial Port activity
Serial IP Port Features RuggedCom Serial IP provides you with the following features:
• Raw Socket Protocol - A means to transport streams of characters from one seria
Serial Protocols Applications Character Encapsulation Character encapsulation is used any time a stream of characters must be reliably transported across a network. The character streams can be created by any serial device. The baud rates supported at either server need not be the same. If configured, the router will obey XON/XOFF flow control from the end devices. One of the routers is configured to listen to TCP connection requests on a specific TCP port number.
The host will sequentially poll each RTU. Each poll received by the host server is forwarded (i.e. broadcast) to all of the remote servers. All RTUs will receive the request and the appropriate RTU will issue a reply. The reply is returned to the host server, where it is forwarded to the host. Serial Protocols Concepts And Issues Host And Remote Roles RuggedRouter either places a TCP connection or accepts one.
If configured to packetize on a timeout, the server will wait for a configurable time after receiving a character before packetizing and forwarding. If another character arrives during the waiting interval, the timer is restarted. This method allows characters transmitted as part of an entire message to be forwarded to the network in a single packet, when the timer expires after receiving the very last character of the message.
Assign Protocols Menu Figure 159: Assign Protocols Menu This menu associates a protocol with a serial port. Unused ports should be left associated with “none”. Changing an association will immediately close the calls of the old protocol. Port Settings Menu Figure 160: Port Settings Menu This menu configures the serial settings and electrical protocol associated with a serial port. Changes are made immediately.
The Pack Char field configures the numeric value of the ASCII character which will force forwarding of accumulated data to the network. The Pack Char must be between 0 and 255 inclusive or the value off. If configured off, accumulated data will be forwarded based upon the packetization timeout parameter. The Pack Timer field configures the delay from the last received character until when data is forwarded. The Pack Timer must be between 5 and 1000 milliseconds inclusive.
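The two forwarding triggers, packetizing on a timeout (described under Serial Protocols Concepts And Issues) and the Pack Char and Pack Timer fields above, as an added example that is not RuggedCom's serial server code. The class, its event-driven interface and the sample byte streams are constructed for illustration; the range checks are the ones the fields state.

```python
"""Packetizing a serial character stream on Pack Char or Pack Timer.

Added example (not RuggedCom's serial server code) of the two forwarding
triggers described above: a configured Pack Char forwards immediately, and
the Pack Timer (5..1000 ms), restarted on every character, forwards after a
gap. The class, the event-driven interface and the sample streams are
constructed for illustration.
"""
from typing import List, Optional, Tuple


class Packetizer:
    def __init__(self, pack_char: Optional[int], pack_timer_ms: int) -> None:
        if pack_char is not None and not 0 <= pack_char <= 255:
            raise ValueError("Pack Char must be 0..255 or off (None)")
        if not 5 <= pack_timer_ms <= 1000:
            raise ValueError("Pack Timer must be 5..1000 ms")
        self.pack_char = pack_char
        self.pack_timer_ms = pack_timer_ms
        self.buf = bytearray()
        self.deadline: Optional[float] = None   # None while nothing is buffered
        self.packets: List[bytes] = []          # what would be sent to the network

    def on_char(self, now_ms: float, byte: int) -> None:
        """A character arrived from the serial port at time now_ms."""
        self.buf.append(byte)
        self.deadline = now_ms + self.pack_timer_ms      # timer restarts on every character
        if self.pack_char is not None and byte == self.pack_char:
            self._forward()                               # Pack Char forces forwarding

    def on_tick(self, now_ms: float) -> None:
        """Clock check: forward if the Pack Timer has expired."""
        if self.deadline is not None and now_ms >= self.deadline:
            self._forward()

    def _forward(self) -> None:
        if self.buf:
            self.packets.append(bytes(self.buf))
            self.buf.clear()
        self.deadline = None


def packetize(events: List[Tuple[float, int]], pack_char: Optional[int], pack_timer_ms: int) -> List[bytes]:
    """Replay a time-stamped byte stream of (ms, byte) pairs and return the forwarded packets."""
    p = Packetizer(pack_char, pack_timer_ms)
    for t, b in events:
        p.on_tick(t)          # let an expired timer fire before the new character is buffered
        p.on_char(t, b)
    if events:
        p.on_tick(events[-1][0] + pack_timer_ms)   # final timer expiry after the last byte
    return p.packets


if __name__ == "__main__":
    # Constructed stream: two words 100 ms apart.
    stream = [(i, c) for i, c in enumerate(b"HELLO")] + [(100 + i, c) for i, c in enumerate(b"WORLD")]
    print(packetize(stream, None, 50))        # gap exceeds the timer: two packets
    print(packetize(stream, None, 200))       # timer outlasts the gap: one packet
    print(packetize([(0, 0x41), (1, 0x42), (2, 0x0D), (3, 0x43)], 0x0D, 50))  # CR as Pack Char
```

The second run shows the trade-off the Pack Timer embodies: a value longer than the inter-message gap of the attached device merges consecutive messages into one network packet, while a value shorter than the device's own inter-character gap splits a single message into several.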
Serial Protocols Statistics Menu Figure 162: Serial Protocols Statistics Menu This menu presents statistics of serial port activity and established connections. The menu also allows you to reset a port, forcing call hang-up and re-establishment. The Port Statistics table provides a record for each active serial port. The number of historical received and transmitted characters as well as errors will be displayed.
Serial Protocols Trace Menu Figure 163: Serial Protocols Trace Menu This menu displays decoded serial port and network activity. The desired traffic sources, number of messages and length of time to capture are entered and the Start Trace button is pressed. The menu will display up to the provided number of messages waiting up to the specified number of seconds. The Trace on ports: selections feature a list of serial ports with unused entries greyed out.
Serial Protocols Sertrace Utility The command line sertrace utility offers the ability to trace the activity of serial ports in real time. A port range may be specified to limit the output to specific ports. The level of traffic to trace and the type of decoding may be specified. The tool may also be used to force the port to transmit an output test message.
Chapter 20 – Configuring GOOSE Tunnels Introduction This chapter familiarizes the user with:
• Configuring GOOSE Tunnels
• Viewing GOOSE Tunnel status and statistics
• Tracing GOOSE activity
IEC61850 GOOSE Fundamentals IEC61850 is an international standard for substation automation. It is a part of the International Electrotechnical Commission’s (IEC) Technical Committee 57 (TC57) architecture for electric power systems.
GOOSE Packets received from the network are stripped of their network headers and forwarded to Ethernet ports configured for the same multicast address. The forwarded frames contain the MAC source address of the originating device, and not that of the transmitting interface. The VLAN used will be that programmed locally for the interface and may differ from the original VLAN. The frame will be transmitted with the highest 802.1p priority level (p4).
General Configuration Menu Figure 165: General Configuration Menu This menu configures the daemon settings. The Daemon UDP Listen Port field configures the port used by the daemon to communicate with other daemons. Note: All Layer 2 Tunnel daemons in the network must use the same port number. If the router employs a firewall, ensure that a hole is opened for each of the remote daemons using this port number.
The Multicast Address field configures the address to listen for. The Remote Daemon and Add a new Daemon fields specify the IP addresses of remote daemons. GOOSE Statistics Menu Figure 168: GOOSE Statistics Menu This menu presents statistics of GOOSE activity at the Ethernet and Network Layers. The Ethernet Statistics table provides a record for each GOOSE tunnel. The number of historical received and transmitted characters as well as errors will be displayed.
This menu displays decoded GOOSE activity. The desired traffic sources, number of messages and length of time to capture are entered and the Start Trace button is pressed. The menu will display up to the provided number of messages, waiting up to the specified number of seconds. The Trace on protocols: selections feature a (all too short) list of protocols with unused entries greyed out. The default is All Protocols.
Chapter 21 - Configuring The DHCP server Introduction This chapter familiarizes the user with:
• DHCP Server Configuration
• Use of Option 82
DHCP Fundamentals Dynamic Host Configuration Protocol (DHCP) is a method for centrally and consistently managing IP addresses and settings for clients, offering a variety of assignment methods.
In DHCP, settings at a more specific level override higher levels. For example, you can configure a DNS server for all clients, then create a group that overrides the setting. This allows defaults to be set at a high level to apply to most clients, while exceptions can be placed just where they are needed. Many settings are only supported by certain specific types of clients, and are ignored by the majority of clients.
• Boot filename: The filename the client should request from a tftp server to boot from. This only applies to network booted clients.
• Boot file server: The IP address of the tftp server to boot from. This only applies to network booted clients.
• Server name: The hostname of the boot server. This only applies to network booted clients.
• Lease length for BOOTP clients: How long the IP assigned to a BOOTP client should be considered valid.
Example DHCP Scenarios And Configurations Single Network With Dynamic IP Assignment In this example the eth1 interface is provided with IP address 192.168.1.1/24 while addresses 192.168.1.101 through 192.168.1.200 are assigned to the clients. The router serves as the default gateway. 1) Enable eth1 in the 'Edit Network Interfaces' menu. 2) Click 'add a subnet', and configure it for network address 192.168.1.0 with netmask 255.255.255.0. 3) Set the assigned address range to 192.168.
Assign a client at switch port 2 address 192.168.1.102. Assign a client at switch port 3 address 192.168.1.103. Assign multiple clients at switch port 4 dynamic addresses 192.168.1.151 through 192.168.1.200. The router serves as the default gateway. 1) Enable eth1 in the 'Edit Network Interfaces' menu. 2) Add a new subnet, and configure it for network address 192.168.1.0 with netmask 255.255.255.0.
The switch port 2 is on vlan2 using subnet 192.168.2.0/24 and should assign addresses 192.168.2.101 to 192.168.2.200 and default gateway 192.168.2.1. The switch port 3 is on vlan3 using subnet 192.168.3.0/24 and should assign addresses 192.168.3.101 to 192.168.3.200 and default gateway 192.168.3.1. The switch port 4 is on vlan4 using subnet 192.168.4.0/24 and should assign addresses 192.168.4.101 to 192.168.4.200 and default gateway 192.168.4.1.
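The per-switch-port scenario above (fixed addresses for ports 2 and 3, a dynamic range for port 4) as an added example of the Option 82 use the chapter introduction lists; it is not the router's DHCP server code. The relay agent information option (Option 82) carries a circuit ID (sub-option 1) that identifies the port a request arrived on; the encoding assumed here, a single byte holding the port number, the class names and the client MAC addresses are constructed, and real switches encode their circuit IDs differently.

```python
"""Port-based address assignment keyed on DHCP Option 82.

Added example (not the router's DHCP server code) modelling the switch-port
scenario above. Option 82 sub-option 1 (circuit ID) identifies the switch port
a request arrived on, so the server can hand ports 2 and 3 fixed addresses and
give port 4 a dynamic range. The circuit-ID encoding (last byte = port number),
the class names and the client MACs are constructed assumptions.
"""
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple


def parse_option82(raw: bytes) -> Dict[int, bytes]:
    """Split the Option 82 payload into {sub-option code: value}.
    Sub-options are encoded as (code, length, value) triples; a truncated
    sub-option is rejected rather than silently ignored."""
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated sub-option header")
        code, length = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        subs[code] = value
        i += 2 + length
    return subs


class PortBasedAllocator:
    """Address policy for the 192.168.1.0/24 scenario in the text."""

    def __init__(self) -> None:
        self.fixed: Dict[int, IPv4Address] = {
            2: IPv4Address("192.168.1.102"),
            3: IPv4Address("192.168.1.103"),
        }
        self.pools: Dict[int, Tuple[IPv4Address, IPv4Address]] = {
            4: (IPv4Address("192.168.1.151"), IPv4Address("192.168.1.200")),
        }
        self.leases: Dict[str, IPv4Address] = {}   # client MAC -> dynamic address

    def offer(self, mac: str, option82: Optional[bytes]) -> Optional[IPv4Address]:
        """Return the address this policy would offer, or None when it does not apply."""
        if option82 is None:
            return None                       # no relay information: no port policy applies
        circuit = parse_option82(option82).get(1)
        if not circuit:
            return None
        port = circuit[-1]                    # assumption: last byte of the circuit ID is the port
        if port in self.fixed:
            return self.fixed[port]           # one client per port, always the same address
        if port in self.pools:
            if mac in self.leases:
                return self.leases[mac]       # renewing client keeps its lease
            lo, hi = self.pools[port]
            in_use = set(self.leases.values())
            addr = lo
            while addr <= hi:
                if addr not in in_use:
                    self.leases[mac] = addr
                    return addr
                addr += 1
            return None                       # pool exhausted
        return None                           # port with no policy


if __name__ == "__main__":
    alloc = PortBasedAllocator()
    for mac, port in (("00:11:22:33:44:55", 2), ("00:11:22:33:44:66", 3),
                      ("00:11:22:33:44:77", 4), ("00:11:22:33:44:88", 4)):
        print(f"port {port} {mac} -> {alloc.offer(mac, bytes([1, 1, port]))}")
```

Because the decision is made on the relay agent's circuit ID rather than on anything the client sends, a client that moves to another port receives that port's address; a client on a port with no policy gets nothing from this allocator and would fall through to whatever general pool the subnet defines.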
DHCP Server Main Menu Figure 170: DHCP Server Menu The DHCP Server main menu shows the subnets configured for DHCP, as well as any groups and hosts. New subnets, groups and hosts can be added, and existing entries can be edited (and optionally deleted). The Edit Client Options button allows you to set global client settings for the DHCP server. Settings made here apply to all clients unless overridden at a lower level in the configuration.
DHCP Shared Network Configuration Figure 171: DHCP Shared Network Configuration The settings specific to the Shared network menu are the Shared network description and Network name. The Shared network description field is used to describe the shared network as desired. The Network name field is a unique name to assign to the shared network. It could be the name of the interface the shared network is on, for example.
DHCP Subnet Configuration Figure 172: DHCP Subnet Configuration The settings specific to the Subnet menu are the Subnet description, Network address and Netmask. The Subnet description field is used to describe the subnet as desired. The Network address and Netmask fields of the subnet help to specify the span of assigned addresses. Within a subnet you can create hosts, groups of hosts, and address pools.
DHCP Group Configuration Figure 173: DHCP Group Configuration The settings specific to the Group menu are the Group description and Use name as client hostname fields. The Group description field is used to describe the group as desired. The Use name as client hostname field determines whether host entries should use the host entry's name as the client hostname to provide to the client. Within a group you can create hosts.
The Hardware address field is the Ethernet MAC of the client associated with the host entry. The Fixed IP address field is the IP to assign to the matching client. DHCP Pool Configuration Figure 175: DHCP Pool Configuration The settings specific to the Address Pool menu are the Failover peer and Clients to allow/deny. The Failover peer field is the IP address of a DHCP peer server if a failover pool is created.
Chapter 22 – Configuring NTP Introduction This chapter familiarizes the user with:
• Enabling/Disabling NTP
• Setting servers and peers
• Setting generic NTP options
• NTP Tools
NTP Fundamentals NTP (Network Time Protocol) is an Internet protocol used to synchronize the clocks of computers to some time reference. Variants of NTP such as SNTP (Simple NTP, a reduced functionality NTP) and XNTP (Experimental NTP) exist.
The NTP Sanity Limit NTP changes the system through “stepping” and “drifting”. Stepping is a sudden change of time whereas drifting is a slow gradual time change. NTP will step the system time when it starts. This is almost always at boot time. Stepping the time afterwards can cause protocols (such as OSPF) that rely upon accurate real time to fail. The router deals with this problem by restarting these protocols if they are running when NTP restarts.
NTP Server Main Menu Figure 176: NTP Server Note that the NTP server is disabled by default and may be enabled via the System folder, Bootup And Shutdown menu. When enabled, any configuration changes may be made to take effect by selecting the Restart ntpd daemon button. The View GPS Status and View GPS log sub-menus appear if the router is equipped with a Precision Time Protocol card.
Servers Configuration Figure 178: NTP Server List The servers under the IP address column are used as primary synchronization devices. Clicking on a link will allow you to edit that server. By default the router includes the links pool.ntp.org and 127.127.1.0. The pool.ntp.org address selects a random low stratum server from a pool of ntp servers on the Internet. The 127.127.1.0 is known as a pseudo-address and points to the local hardware clock of the router.
Viewing The NTP Status Figure 179: NTP Status The NTP Status menu displays possible sources and currently used reference clocks. Viewing The NTP Log Figure 180: NTP Log The NTP Log menu displays the log of recent NTP events.
Viewing The GPS Status Figure 181: GPS Status If the router is equipped with a Precision Time Protocol card, this page shows the status of the GPS module. The Latitude and Longitude fields show the current position of the GPS antenna. The GPS Lock field shows the GPS lock status. The Number of Satellites field shows how many satellites are currently being tracked by the GPS module. The Tracked Satellite Status table shows the ID and signal strength of tracked satellites.
Chapter 23 – Configuring SSH Introduction This chapter familiarizes the user with:
• Configuring SSH Authentication
• SSH Networking And Access Control
• Setting SSH Client Options
SSH Fundamentals Secure Shell is a program to allow logging into another host, to remotely execute commands, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels.
SSH Main Menu Figure 183: SSH Server Note that the SSH server is enabled by default and may be disabled via the System folder, Bootup And Shutdown menu. When enabled, any configuration changes may be made to take effect by selecting the Apply Changes button. Authentication Figure 184: SSH Server Authentication Menu The Allow authentication by password field determines whether to allow clear text tunneled passwords.
Networking Figure 185: SSH Server Networking The Listen on addresses fields determine the IP addresses and port upon which SSH will accept a connection. The Listen on port field determines the port number SSH will listen on, assuming Listen on addresses is set to “All addresses”. The Accept Protocols fields determine which versions of SSH will be allowed.
The Only allow users field specifies the users allowed to connect by SSH. The specification can be a list of user name patterns, separated by spaces. Login is allowed only for user names that match one of the patterns. '*' and '?' can be used as wild cards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users.
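The matching rules of the Only allow users field above, as an added example that is not the sshd implementation: patterns are separated by spaces, '*' and '?' are the only wildcards, matching is against the login name (so a numeric user ID never matches anything), and an empty field allows every user. The function names and the sample pattern list are constructed.

```python
"""Matching login names against an 'Only allow users' pattern list.

Added example (not the sshd implementation) of the matching rules described
above: space-separated patterns, '*' and '?' wildcards, names only (a numeric
UID is never matched), and an empty list allowing every user. Function names
and the sample patterns are constructed.
"""
import re
from typing import List


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one user pattern: '*' matches any run of characters, '?' exactly
    one character; everything else is literal (no character classes or ranges)."""
    parts: List[str] = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))


def login_allowed(only_allow_users: str, user: str) -> bool:
    """only_allow_users: the field's value, e.g. 'root admin? ops*'; empty means unrestricted.
    user: the login name presented by the client. Matching is case-sensitive and
    anchored, so 'admin?' does not admit 'admin10' and '0' does not admit root."""
    patterns = only_allow_users.split()
    if not patterns:
        return True
    return any(pattern_to_regex(p).fullmatch(user) is not None for p in patterns)


if __name__ == "__main__":
    field = "root admin? ops*"
    for name in ("root", "admin1", "admin10", "ops", "ops-east", "0"):
        print(f"{name:10s} {'allowed' if login_allowed(field, name) else 'denied'}")
```

Note that a trailing '*' is the only way to admit a whole family of names; a pattern such as 'ops' admits exactly that user, which is the safer default when the intended set is small and known.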
Chapter 24 – Configuring IRIGB And IEEE1588 Introduction This chapter familiarizes the user with:
• IEEE 1588 Configuration
• IRIGB Configuration
• Viewing IRIGB and IEEE1588 Status
IEEE1588 Fundamentals The IEEE 1588 working group Precise Timing Protocol (PTP) standard details a method of synchronizing clocks over networks, including Ethernet. The RuggedRouter provides a special hardware assisted PTP capability as provided by the RuggedCom PTP card.
NTP The PTP clock is a secondary reference standard reference clock. The router uses this identifier when it has synchronized with a remote NTP server. DFLT After the router has power cycled but before any GPS or NTP locks have occurred. PTP favors preferred masters over normal masters, GPS over NTP over DFLT, higher clock stability over lower clock stability.
Reference Clocks

The GPS provides the highest quality reference clock. It will always be used when it is available, but may require some time after boot before becoming acquired (or “GPS locked”). GPS lock is typically acquired within five minutes of boot. When GPS is the reference clock, IRIG-B timestamps are accurate to within ns. If GPS has not yet locked and IEEE1588 is locked, the router will use the IEEE1588 server as a reference clock.
IRIGB/IEEE1588 Main Menu

Figure 187: IRIGB/1588 Main Menu

This menu allows you to configure IRIGB and IEEE1588, display their current status and review historical changes.

General Configuration

Figure 188: IRIGB/IEEE1588 General Configuration menu

This menu allows you to configure general parameters. The Reference Clock Selection field selects the order in which to prefer reference clocks.
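The two selection rules described in the preceding pages (the router's own reference clock choice following the configured Reference Clock Selection order with DFLT as the fallback, and the PTP preference for preferred masters, then GPS over NTP over DFLT, then higher clock stability) as an added example that is not RuggedCom code. The numeric stability scale, the candidate names and the uptime health check are assumptions made for the example.

```python
from dataclasses import dataclass

# Added example (not RuggedCom code). SOURCE_RANK encodes "GPS over NTP over
# DFLT"; the stability scale (larger is better) is an assumption.

SOURCE_RANK = {"GPS": 0, "NTP": 1, "DFLT": 2}   # lower rank is preferred

GPS_LOCK_EXPECTED_S = 5 * 60   # guide: GPS lock typically within five minutes of boot


@dataclass(frozen=True)
class MasterCandidate:
    name: str
    preferred: bool      # "preferred master" flag
    source: str          # GPS, NTP or DFLT identifier the master advertises
    stability: float     # assumed: larger value means a more stable clock


def master_sort_key(m: MasterCandidate) -> tuple:
    """Preferred masters first, then source quality, then stability."""
    return (0 if m.preferred else 1, SOURCE_RANK[m.source], -m.stability)


def rank_masters(candidates: list[MasterCandidate]) -> list[str]:
    """Names of the candidates from most to least preferred."""
    return [m.name for m in sorted(candidates, key=master_sort_key)]


def select_reference(order: list[str], locked: dict[str, bool]) -> str:
    """First source in the configured preference order that is currently
    locked; DFLT when none is (the state after a power cycle)."""
    for source in order:
        if locked.get(source, False):
            return source
    return "DFLT"


def gps_lock_overdue(uptime_s: int, gps_locked: bool) -> bool:
    """True when the router has been up longer than the typical lock time and
    still has no GPS lock, which is a condition worth alerting on."""
    return not gps_locked and uptime_s > GPS_LOCK_EXPECTED_S


if __name__ == "__main__":
    candidates = [                       # constructed sample
        MasterCandidate("clock-a", False, "GPS", 0.90),
        MasterCandidate("clock-b", True, "NTP", 0.50),
        MasterCandidate("clock-c", False, "GPS", 0.95),
        MasterCandidate("clock-d", False, "DFLT", 0.99),
    ]
    print(rank_masters(candidates))      # ['clock-b', 'clock-c', 'clock-a', 'clock-d']
    print(select_reference(["GPS", "IEEE1588", "NTP"], {"GPS": False, "IEEE1588": True}))
```

The ranking shows why a preferred master with a poor source still wins, and why a very stable DFLT clock never beats a GPS-sourced one: the source class is compared before stability.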
IRIGB Configuration

Figure 189: IRIGB Configuration menu

This menu allows you to configure IRIGB parameters. The Save button will save the configuration changes permanently. The AM Port 1 (PTP1) Output field enables or disables the amplitude modulated output of this port. The TTL Port 2 (PTP2) Output and TTL Port 3 (PTP3) Output fields set the output format of these ports to PPS, PWM or OFF.
IRIGB Status

Figure 191: IRIGB GPS Status

This page shows whether GPS is locked, and the source of the current reference clock.

IEEE1588 Status

Figure 192: IEEE1588 Status

This page shows the historical status of IEEE1588 on the router. The line above the table provides the local clock IP address, MAC address and the time quality information. The table will contain entries made when the clock source or status changes.
IRIGB Log

Figure 193: IRIGB GPS Status

This page reflects reference clock changes in IRIG-B.
Chapter 25 – Configuring The Snort IDS

Introduction

This chapter familiarizes the user with:
• Configuration of Snort as an Intrusion Detection System.
• Generating a daily Snort analysis email.

Snort Fundamentals

The Snort Intrusion Detection System (IDS) provides a type of security management system for the router.
When the alert file method is chosen, a daily analysis of the file can be emailed. The SIDs referenced in alerts can be used to quickly locate the rule via the main Snort IDS menu. The rule itself often contains HTML links to Internet resources such as www.securityfocus.com and cve.mitre.org. These provide more in-depth descriptions of the vulnerability.
Rulesets

Figure 196: Snort Main Menu part 3

The Rulesets section selects the rules to apply on monitored interfaces. Each “ruleset” reflects a collection of rules that are related. The link under the Action field will disable or enable all of the rules in a ruleset. Individual rules in a ruleset may be modified by following the set name link under the Rule Set field, resulting in a menu such as the following.
This menu allows you to configure the IP addresses and ports of servers in the local and external network. The Home Net field defaults to “ANY” and designates the IP subnet of any local ports on the router. Configuring a specific subnet can reduce the number of alerts generated.

PreProcessors

Figure 199: Snort Preprocessors

Preprocessors are plug-in modules that operate on the captured packets.
Alerts generated by Snort are stored by one of three methods: as local syslog messages, as remotely syslogged messages, or in an alert file. When the Local syslogging method is chosen, the destination log file may be selected. When the Remote syslogging method is chosen, the IP address of the remote syslog host must be identified. Modifying the Facility field will determine how the alert is logged on the remote host.
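The daily analysis of the alert file mentioned earlier in this chapter, keyed by the SIDs that locate each rule in the Snort IDS menu, as an added example that is not part of the RuggedCom product. It assumes the alert file is written in Snort's "alert_fast" line format (the guide does not name the format); the alert lines embedded below are constructed samples, not output captured from a router, and the SID numbers and rule messages in them are illustrative.

```python
import re
from collections import Counter

# Added example (not RuggedCom code): summarise a Snort alert_fast file the
# way a daily analysis email would. SAMPLE_ALERTS is constructed test input.

SAMPLE_ALERTS = """\
01/15-09:13:22.101921  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.5:1434 -> 192.168.1.1:1434
01/15-09:13:25.442017  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.5:1434 -> 192.168.1.2:1434
01/15-09:20:01.000512  [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 10.1.1.7 -> 192.168.1.1
01/15-09:21:13.775301  [**] [1:1000001:1] LOCAL webmin probe (constructed rule) [**] [Priority: 3] {TCP} 10.1.1.9:51234 -> 192.168.1.1:10000
Jan 15 09:22:00 router snort: not an alert line, should be counted as unparsed
"""

# gid:sid:rev, message, optional classification, priority, protocol and the
# endpoints; ICMP alerts carry no port numbers, so ports are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<cls>[^\]]+)\])?"
    r"\s+\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line: str):
    """Return a dict for one alert_fast line, or None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["priority"] = int(d.pop("prio"))
    for k in ("sport", "dport"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d


def summarize(text: str) -> dict:
    """Aggregate alerts by SID (the key for finding the rule in the Snort IDS
    menu) and by source address; count lines that are not alerts."""
    by_sid, by_src, unparsed, total = {}, Counter(), 0, 0
    for line in text.splitlines():
        if not line.strip():
            continue
        a = parse_alert(line)
        if a is None:
            unparsed += 1
            continue
        total += 1
        entry = by_sid.setdefault(a["sid"], {"count": 0, "msg": a["msg"],
                                             "priority": a["priority"],
                                             "classification": a["cls"]})
        entry["count"] += 1
        by_src[a["src"]] += 1
    return {"total": total, "unparsed": unparsed,
            "by_sid": by_sid, "by_src": dict(by_src)}


def format_report(summary: dict) -> str:
    """Plain-text body for the daily email: highest priority (lowest number)
    and most frequent SIDs first, then the busiest source addresses."""
    lines = [f"Snort alerts: {summary['total']} parsed, {summary['unparsed']} unparsed"]
    ordered = sorted(summary["by_sid"].items(),
                     key=lambda kv: (kv[1]["priority"], -kv[1]["count"]))
    for sid, e in ordered:
        lines.append(f"  SID {sid:>8}  x{e['count']:<4} prio {e['priority']}  {e['msg']}")
    lines.append("Top sources:")
    for src, n in sorted(summary["by_src"].items(), key=lambda kv: -kv[1]):
        lines.append(f"  {src:<16} {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_ALERTS)))
```

Counting unparsed lines separately matters: a sudden jump in that figure usually means the alert output format changed (for example after an upgrade) rather than that the network went quiet.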
Chapter 26 – Maintaining The Router

Introduction

This chapter familiarizes the user with:
• Viewing Alerts
• Configuring and monitoring the Gauntlet Security Appliance
• Backing up and restoring configurations
• Configuring SNMP
• Configuring Radius Authentication
• Configuring Outgoing Mail
• Using System Logs
• Upgrading Software
• Using Pre-upgrade/Post-upgrade scripts
• Uploading and downloading files

Alert System

The alert system provides the following features:
This menu displays active alerts and allows you to change alert system configuration and alert definitions. Follow the All Alerts link to show all alerts. Follow the severity links (Emergency .. Debug) or the category links (chassis .. daemon) to limit the alert view. Note that active alerts are volatile and will be regenerated after reboot. If you clear an alert manually, it will reappear if the condition occurs again.
Alert Filter Configuration

Figure 203: Alert Filter Configuration Menu

This menu configures an alert filter, which defines the forwarder destination for active alerts matching the defined filter level. The Forward Destination Type configures the type of filter. Currently only the type Email is supported. The Forward Destination configures the destination matching the Forwarder Destination Type. Note that multiple email addresses should be separated by commas.
Change Alert Definition

Figure 205: Change Alert Definition Menu

This menu allows you to change an existing alert definition entry. The Codepoint is the key part of the alert definition entry and cannot be changed. The Category configures which category the alert definition entry belongs to. The Name configures the name of the alert definition, which will be displayed by Webmin, login or the email forwarder when an active alert exists.
The Threshold configures the threshold to compare with the shell command result to see whether the condition is true or false. The And Repeats configures how many times the condition must be true before the alert is generated. The And Until configures how many seconds the condition should be true before an alert is generated. The Not Cleared Repeats configures how many times the condition must be false before the alert is cleared.
Gauntlet Security

RX1100 owners can use the Gauntlet security appliance to restrict access to critical assets. This section details how to activate Gauntlet and determine currently negotiated sessions. Details and recommendations on applying the Gauntlet system to networking may be found in texts referenced in the About This Guide section of the user guide.

What And How Gauntlet Protects

Gauntlet protects against unauthorized access to critical assets, including the router itself.
Gauntlet net fw TCP any 10000

The order of rules is significant. Rules inserted before this set will not be protected by Gauntlet. Any rule appearing after the Gauntlet chain rules will automatically be ignored. Consult with RuggedCom support for assistance. If you want to grant SSH access to the router, replace "10000" in the last rule with "22,10000".
Backup And Restore

Figure 207: System Backup And Restore

The Backup And Restore system provides the following features:
• All configuration settings are saved in a configuration archive,
• Archives can be used to “clone” routers, replicate a damaged resource or unwind a change,
• Archives can be created manually (including user comments) or by the Automatic nightly backup, which captures all changes over the previous 24 hours,
• The nightly backup archives can be auto
General Configuration

Figure 208: General Configuration Setup

This menu configures the backup system. The Automatic Nightly Backup field specifies when the nightly backup is scheduled. The automatic export to a server will start (if enabled) immediately after the backup completes. The Archive Name Includes field selects the text fields (Date-Time, Hostname, Router Version) included in the archive name.
Archive History

Figure 209: Archive History

The Archive History menu displays current archives, sorted by date (most recent first). Following the link of an archive under the Archive Name field uploads a copy of it. Selecting an archive under the Archive Name field and applying the Remove Selected Archives button will delete the archive. Note that only manual backup archives can be deleted. Automatic nightly backup archives will be automatically aged out.
The created archive can be immediately uploaded if desired by following the “Upload A Copy Of This Archive..” link.

Note: If you use the Internet Explorer web browser, you must “Right-click” the link and save the file manually. Otherwise Internet Explorer will rename the file after uploading, preventing its use in a subsequent archive restore.

Archive Restore

Figure 212: Archive Restore Menu

The restore process begins by selecting an archive to restore from.
The Archive Difference menu shows the difference between two targets. The first target must be an archive while the second target can be either another archive or the current configuration. Choose two and only two targets and click the Show Differences button.

Figure 215: Archive Differences List

The resulting menu shows the differences between the two selected targets. Files in this table are sorted by the change time (most recent changes first).
Figure 216: Show Difference for selected file between two targets

The Copy This File to Current Configuration button will be present when the destination archive is the Current Configuration. It allows the user to copy the selected file from the old archive to the current configuration.

Note: It is possible to damage your router through use of this feature! Ensure that the configuration file copied makes sense in the current version of the router.
SNMP V1 and V2 transmit information in clear text (which may or may not be an issue depending on the facilities the data is transmitted over) and lack the ability to authenticate a user. SNMP V3 adds strong authentication and encryption.

SNMP Configuration Main Menu

Figure 217: SNMP Main Configuration page

In order to enable snmpd (the SNMP daemon) at each and every boot, use the System folder, Bootup And Shutdown menu.

Note: Prior to ROX 1.10.
The Client address (Source IP) field specifies the address from which snmpd will send notifications. If the field is blank, the default behaviour will be to transmit the notification from the IP address of the interface from which the message leaves the router. Snmpd will return to this behaviour if the configured address is not available when it starts.
Figure 222: Access Control page, SNMP V3

The second part of the Access Control menu allows creation and deletion of V3 users. The User Name field selects the name of the new user. The Access field determines whether the community is read-only or read/write. The Minimum Security field selects the level of security used by this user.
Trap Configuration

Figure 223: Trap Configuration page, Trap Options

The Trap Configuration page manages SNMP trap destinations. Under Trap Generation Options, you may enable the generation of notifications on authentication failures or IP interface link up/down events.

Figure 224: Trap Destinations V1 and V2c

The SNMP V1 and V2c Trap Destinations part of the menu allows the creation and deletion of trap destinations.
The SNMP V3 Trap Destinations part of the menu allows the creation and deletion of V3 trap destinations. The Type field specifies the exchange used with this destination, either V3 trap or V3 inform. The IP address and Trap Community fields specify the receiver's IP address and user name. The Engine ID parameter is necessary for inform type notification destinations only, and must be configured by the trap receiver in order to receive these notifications.
Radius Authentication

The Radius protocol described in RFC 2865 provides a means for carrying authentication, authorization, and configuration information between a client (the router) which desires to authenticate its links and a shared Authentication Server. Transactions between the router and RADIUS server are authenticated through the use of a shared secret, which is never sent over the network.
Some users set the rrsetup and root account passwords to difficult-to-guess strings that are unique to each router, then employ a common password for all routers in Radius. The router-specific strings are restricted to a very few personnel. A larger set of expert users are granted the rights to SSH login using the Radius root account passwords. Yet another set of users are granted access via Webmin user accounts. Radius authentication is logged to the authorization log (file auth.
Figure 228: Radius Authentication Main Menu

Outgoing Mail

Outgoing Mail is configured from within the Maintenance menu, Miscellaneous sub-menu. This menu controls where emails originated by the router are forwarded to. The Forward to Mail Hub field specifies an IP address or domain name of a host that accepts mail from the router. The Belongs to Domain field specifies the email domain the router is part of.
Chassis Parameters

Figure 229: Chassis Parameters Menu

This menu displays the chassis temperature and, if hardware version 2, the voltage levels of the chassis power supplies and a record of the last power down time. The system will highlight in red any out-of-range value. The monitored values are described below:

Parameter: temp; VcoreA, VCoreB; +3.3 PS1, +3.3 PS2; +5V; +12V; VBat
Description: Motherboard temperature; Redundant 3.3V power supply voltages; Redundant 3.
System Logs

Figure 230: System Logs

System logs are records of activities that have occurred on the router, sorted into specific categories. System logs can be invaluable when debugging configuration changes. As such, most of your use of the logs will be simply in viewing them.
Left unrestricted, the logging system would consume all available “disk” space, causing the router to fail. The router limits the memory used by the logging system by storing logs in a volatile (i.e. lost after a reboot) file system which is limited in size. Such a system will lose logging information when a power failure occurs, when too much logging is generated, or as the result of a user commanded reboot.
Upgrade System

Figure 232: Software Upgrade System

The Software Upgrade system provides the following features:
• Upgrading from either HTTP or FTP servers,
• Upgrade traffic bandwidth limiting to prevent disruption to mission critical applications,
• Automatic daily upgrades from a central server at a scheduled time,
• Manually initiated upgrades from a central server,
• Manually initiated upgrades of new versions for testing purposes,
• Manually initiated installs o
Your RuggedRouter software is provided in releases of the form rrX.Y.Z. The platform release number X changes when new hardware platforms are released. The major release number Y is increased when important new features are added. This is called a “Major” release. The minor release number Z is increased when minor functionality is added or bug repairs are made. This is called a “Minor” release. The actual software of the RuggedRouter is composed of a number of “packages”.
Upgrade to RX1100

Figure 233: Upgrade to RX1100

This menu allows you to upgrade your router. The display usefully provides a description of the current hardware in the router inventory.

Change Repository Server

Figure 234: Change Repository Server

This menu defines the server used to upgrade software.
Automatic Upgrading

Figure 235: Automatic Upgrade

Check the Upgrades enabled field to activate daily upgrades. Use the Upgrade Time fields to select the time to upgrade. Selecting different times on each router can be used to even out traffic flows in the network.
Installing A New Package

Figure 237: Installing A New Package

The Install A New Package feature uploads and installs packages to the router. Select the From local file option if you have already moved the package to the router through http, ftp or scp. You may either enter the full path from the root directory to the package or use the file selector to identify the package. Select the From uploaded file option if you have the file locally on your workstation.
Uploading And Downloading Files

Figure 238: Upload/Download menu

The Upload/Download Files menu provides a means to transfer files to and from the router. The Download files from the specified URLs to this router part of the menu allows you to have the router download files from ftp and http servers. You need to specify (at least) the file URL and the directory to download it to.
Chapter 27 – Security Considerations

Introduction

This chapter describes actions to take to secure the RuggedRouter.

Security Actions

1. Change the root and rrsetup passwords from the rrsetup shell, before attaching the router to the network.
2. If Radius authentication is being employed, configure authentication servers.
3. Restrict the IP addresses which Web management will accept connections from. See the Webmin menu, IP Access Control sub-menu.
Appendix A – Setting Up A Repository

The RuggedCom software upgrade mechanism requires a repository of software to be available. The following instructions detail:
• Requirements for a repository server,
• Initial set up of a repository,
• Upgrading the repository to the latest release,
• Maintaining separate release streams for different groups of routers,
• Setting up one router to test new releases,
• Configuring the network routers.
Upgrading The Repository

RuggedRouter releases are obtained from the RuggedCom web site as ZIP files. Download the ZIP file to your regular and/or test release directories and unzip them. You may delete the original ZIP file if desired. The ZIP file name will be in the form rrX.Y.zip. The major release number X is changed when major new functionality (often hardware related) is offered.
Upgrading Considerations

The RuggedRouter offers you the ability to perform automatic daily upgrades, specify the download time and limit the download bandwidth. These tools automate the upgrade process and minimize the impact of upgrading on the network. When automatic daily upgrades are used, you may wish to stagger the upgrade time of the routers. If your network has a natural “ebb flow” period of traffic activity, schedule the upgrades during this time.
Appendix B – Downgrading Router Software

RuggedCom recognizes that customers may need to downgrade router software:
• Routers being added to the network have a more recent version than that standardized for the network.
• Network staff may wish to regain confidence in the software of an exposed router by downgrading it to its current version, essentially reloading its software.
• Network staff may wish to explore how features operated on a previous release.
Appendix C – Installing Apache Web Server On Windows

A number of customers have asked for advice and instructions on setting up a web server on Windows. RuggedCom recommends the Apache web server, because it is secure, robust, easy to install and configure as well as being able to be installed on a wide variety of Windows platforms. Begin by identifying a host computer and its physical and logical location on the network.
Return to the web browser used earlier to verify Apache and refresh the screen. It should now reflect the contents of your RuggedRouter release directory. You should now be able to perform an upgrade from a router.
Appendix D – Installing IIS Web Server On Windows

A number of customers have asked for advice and instructions on setting up an IIS web server on Windows. Begin by identifying a host computer that has IIS and its physical and logical location on the network. The Repository Server Requirements of the appendix “Setting Up A Repository” provide some guidance on host requirements.
Appendix E – Radius Server Configuration

This section describes how to configure popular Radius servers to supply a Vendor-Specific field, “privilege-level”, which is used by Webmin to assign specific capabilities to Webmin users on a per-user basis. Currently, the only privilege-level is that of “root”, but RuggedCom will be introducing additional levels in upcoming releases.

FreeRadius

The following steps add Vendor-Specific attributes to the FreeRADIUS server.

1.
Permission: Grant remote access permission

3. Double click the policy name you created. In the popup window, click the Edit Profile... button.

Figure 241: IAS Window - Edit Remote Access Policy

4. In the Edit Profile window, click Add...
5. In the Add Attribute window, select the Vendor-Specific line, and click the Add button.

Figure 243: IAS Window – Add Attribute

6. In the Multivalued Attribute Information window, click the Add button.

Figure 244: IAS Window – Multivalued Attribute Information

7. In the Vendor-Specific Attribute Information window, select the radio button Enter Vendor Code, and input 15004 in the edit box. Select the radio button Yes, It conforms and click the button Configure Attribute...
8. In the Configure VSA (RFC compliant) window, in the vendor-assigned attribute number edit box, input 2; in the Attribute format list box, select String; in the Attribute value edit box, input the desired privilege level (in the above case, it is operator; in your case, currently you should input root).
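What the server is being configured to send in steps 7 and 8, and how the client side of the RFC 2865 exchange described in the Radius Authentication section ties that reply to the shared secret without ever transmitting the secret, as an added example that is not code from RuggedCom or from any Radius server. The vendor code 15004, the vendor-assigned attribute number 2 and the string value "root" are as given in this appendix; the packet identifier, the request authenticator and the shared secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# Added example (not RuggedCom or FreeRADIUS/IAS code). Encodes and decodes the
# RFC 2865 Vendor-Specific attribute carrying privilege-level and computes and
# verifies the Response Authenticator of an Access-Accept.

VENDOR_ID = 15004            # vendor code, from the guide
VSA_PRIVILEGE_LEVEL = 2      # vendor-assigned attribute number, from the guide
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 attribute type
CODE_ACCESS_ACCEPT = 2


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """RFC 2865 section 5.26 layout: Type 26, Length, Vendor-Id (4 octets),
    then Vendor type, Vendor length and the attribute value."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner


def decode_vsas(attrs: bytes) -> list[tuple[int, int, bytes]]:
    """Walk an attribute list and return (vendor_id, vendor_type, value) for
    every Vendor-Specific sub-attribute, rejecting malformed lengths."""
    out, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length")
        body = attrs[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(body) < 6:
                raise ValueError("short Vendor-Specific attribute")
            vendor_id = struct.unpack("!I", body[:4])[0]
            j = 4
            while j < len(body):
                if j + 2 > len(body):
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = body[j], body[j + 1]
                if vlen < 2 or j + vlen > len(body):
                    raise ValueError("bad vendor sub-attribute length")
                out.append((vendor_id, vtype, body[j + 2:j + vlen]))
                j += vlen
        i += alen
    return out


def privilege_level(attrs: bytes):
    """The privilege-level string, or None when the server sent none."""
    for vendor_id, vtype, value in decode_vsas(attrs):
        if vendor_id == VENDOR_ID and vtype == VSA_PRIVILEGE_LEVEL:
            return value.decode("ascii")
    return None


def build_response(code: int, ident: int, request_auth: bytes,
                   attrs: bytes, secret: bytes) -> bytes:
    """Server side. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the authenticator over the received packet and
    compare in constant time. A reply that fails was not produced by a holder
    of the shared secret, or was altered in transit."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, got, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(got, expected)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # constructed sample
    request_auth = os.urandom(16)                # the client's Request Authenticator
    attrs = encode_vsa(VENDOR_ID, VSA_PRIVILEGE_LEVEL, b"root")
    accept = build_response(CODE_ACCESS_ACCEPT, 7, request_auth, attrs, secret)
    print(verify_response(accept, request_auth, secret), privilege_level(accept[20:]))
```

The order matters on the client: verify_response must pass before privilege_level is read, because the authenticator is the only thing that binds the "root" value to the server holding the secret.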