manualshive.com logo in svg

Eurogard ServiceRouterV3, Manual, Page: 39 / 74

Share
Download
Eurogard ServiceRouterV3 Manual Download Page 39

Configuration options

of the ServiceRouterV3

Since the eurogard ServiceRouterV3 und ServiceServer mask all data via NAT prior to the forwarding to the WAN
interface via NAT and since the devices, in some cases, are operated behind NAT Gateways, packets will exceed
the maximum size. It therefore has to be limited.

If the value chosen is too low, it will affect the throughput, if chosen too high, the connection will 'freeze'. The
best compromise between throughput and general accessibility results in the following

Default: 1400

8.3.6. Activate mobile access

This option determines if the TUN access to the VPN server is activated. Via the TUN interface, a secure VPN
connection may also be set up by mobile devices with IOS or Android operating systems, without having to be
rooted. The port of this TUN-VPN process is always the one entered under Abschnitt 8.3.3, „Port“ + 1. In this
case, for example UDP 1194 + 1 = 1195.

Default: off

8.3.7. Enable log file

This determines if the OpenVPN processes keep a log file. Depending on the level of detail, log-ins, log-offs and
log-in attempts are logged, and the negotiated connection parameters are displayed.

The log files can be downloaded under Status-Logs 

 Logs.

Default: on

8.3.8. Log verbosity

The higher the level, the more detailed the logs. Level 1 logs every connection set-up and close down. Level 2
displays additional information regarding certificates in use and encryption and HMAC algorithms.

The highest level 5 logs every packet sent with a ‘w’ and every packet received with an ‘r’.

Default: 1

8.3.9. Maximum log size

In this box, the maximum size for the log file of each VPN process is determined. If this value is exceeded, the
log is saved and a new empty one is created.

Default: 512 kilobyte

8.3.10. Time interval for keep-alive pakets in seconds

Since the VPN software uses the connectionless UDP protocol for the transmission of data, neither the server nor
the participant is able to directly determine if the VPN tunnel is still established. For this reason, test datagrams
are sent at defined intervals.

These intervals may be configured at this point. After n missing replies (to be configured in the next step), the
connection is reset.

This option is also transmitted and applied to the clients on their log in. This is of particular importance if the
server is connected to the Internet via a dynamic IP.

The display of the connected VPN clients also uses this value. If a ServiceRouter is disconnected from the power
supply, its status remains displayed as connected until the timeout to the next ping has run out.

Default: 60 seconds

33

Summary of Contents for ServiceRouterV3

Page 1: ...eurogard ServiceRouterV3 Manual Maike Symior maike symior eurogard de Mario Cappello mario cappello eurogard de Oliver Kosmann oliver kosmann eurogard de ...

Page 2: ...eurogard ServiceRouterV3 Manual von Maike Symior Mario Cappello und Oliver Kosmann Copyright 2019 eurogard GmbH ...

Page 3: ... of the device 8 1 2 1 WAN connector 8 1 2 2 LAN connectors 8 1 2 3 USB connectors 9 2 Establishing first contact 9 3 Operating concept 9 4 Installation quick set up guide 10 4 1 ServiceRouterV3 Preparation 11 4 2 Connection to the Internet 12 4 3 Time 12 4 4 Router as VPN Client 13 4 5 Router as VPN Server 13 3 Information about the ServiceRouterV3 15 1 Contact 15 2 System 15 3 Test 16 4 Configur...

Page 4: ...Transport protocol 32 8 3 3 Port 32 8 3 4 Enable client to client connections 32 8 3 5 Limit VPN packet size 32 8 3 6 Activate mobile access 33 8 3 7 Enable log file 33 8 3 8 Log verbosity 33 8 3 9 Maximum log size 33 8 3 10 Time interval for keep alive pakets in seconds 33 8 3 11 Restart VPN connection after loss of how many keep alive pakets 34 8 3 12 Cryptoalgorithm 34 9 Accounts 34 9 1 Refresh...

Page 5: ...el 53 6 Messaging 54 1 Email 54 1 1 Emailing 54 1 2 Email address 54 1 3 Server Port 54 1 4 Username Password 54 1 5 Transport encryption 54 1 6 Allow certificates of unknown origin 55 1 7 Email address of recipient 55 1 8 Test configuration 55 2 SMS Gateway 55 3 Reports 57 7 Status Logs 58 1 Network 58 1 1 IP Addresses 58 1 2 Interfaces 58 1 3 DHCP 58 1 4 VPN Status 58 1 5 LTE Status 59 2 Logs 59...

Page 6: ...Liste der Beispiele 4 1 Host and Domain name 18 4 2 URL with HTTPS on changed port 19 vi ...

Page 7: ... networks via a fast Internet connection Wired communication with DSL or wireless communication via WiFi or LTE are optional The ServiceRouterV3 can act as VPN Server as well as VPN Client This allows for easy implementation of different network structures For the operation of larger service networks eurogard offers different portal servers These solutions offer suffici ent bandwidth for up to 100...

Page 8: ...y an IP with Internet access is required Wireless connection to plants via LTE offers sufficient bandwidth uncomplicated and for world wide use Reasonably priced start with ServiceServer as central VPN server Complex structures may be implemented at any point in time through the portal server MAGNUM 3 Legacy version Router as VPN Server The ServiceRouter at the remote plant is VPN server This requ...

Page 9: ... modem It makes little sense to operate the ServiceRouterV3 as a server via LTE since the mobile phone providers block external access to the mobile phone networks via firewalls The eurogard VPN Client Software EurogardSRConnect makes the connection setup clear and straightforward 4 Functional overview and concept The following overview screen shows the structure of the firmware 3 ...

Page 10: ...munication drivers Up to 5 controls with an adjustable log cycle of 1 999 seconds may be logged at the same time This means that optimization production data acquisition and fault diagnostics are directly integrated into the remote access concept The alarm messaging function sends configurable messages via email Web SMS and or SMS via SIM card with the LTE version Changes of status are detected by...

Page 11: ...updating of its IP via DynDNS All ports described may be configured UDP 1194 for tunneled connection to the PLC network VPN TCP 443 for access to the configuration interface SSL Only temporarily TCP 22 for emergency support through manufacturer eurogard The ports 443 and 22 in the Router may be blocked after initial start up and no longer have to be forwarded Since as a standard the public IP of o...

Page 12: ...12TC SOC 2 GB DDR3 RAM 4 GB optional 4 x 1 GHz core with 64 bit 2 MB L2 cache 3 x Gigabit Ethernet 16 GB SSD RAID1 with 2 SSDs optional USB 3 0 RS232 VPN switch Supply voltage 12 30V 6 10W Ambient temperature 5 50 C non condensing DIN rail mounting Robust metal housing Dimensions H 178 W 50 D 168 mm 1 1 Connection and control elements The supply terminal the Reset button the Setup button as well v...

Page 13: ...unction is available 15 seconds after power up of the device indicated by flashing of the Error LED 1 1 3 Setup button After pressing the Setup button for at least 10 seconds the restore procedure is initiated when the button is released Providing a restore point on the Router has previously been generated or has been uploaded via the web interface the status is restored during this procedure This...

Page 14: ...ashing of the LED Subsequently the system is restarted again 1 1 5 Status LED The green Status LED indicates the status of the VPN connection If the device is parameterized as VPN client or VPN server the Status LED starts flashing As soon as a VPN tunnel has been set up the LED switches from flashing to a continuous light 1 1 6 LTE LEDs The LTE LEDs indicate the status of the LTE modem as well as...

Page 15: ... address Log in as user eurogard with password euro gard default Go through the configuration menu in the order described below Please change the password under Admin accounts at a later point in time Click on the Test button in order to test the router configuration s Abschnitt 3 Test The following parameters are set as default on initial power up WAN Internet Connection Ethernet DHCP client wait...

Page 16: ...y This manual can also be found in the device in browser form The help link in the submenu bar connects to the relevant chapter of this context sensitive manual In this process the browser opens a new window or a new tab Where no help pages are displayed after clicking the help link please check to see if a new tab has appeared in the background or if you have received notification from a popup bl...

Page 17: ...erV3 Preparation Open the main menu item Router Configuration and the submenu item Basic Settings LAN Settings which should be altered in all cases are the host and domain names These names will reappear in the certificates which have to be generated as one of the next steps in case the Router is to be configured as VPN server On the LAN side the ServiceRouter has been set to IP 192 168 155 1 Plea...

Page 18: ... 192 168 1 100 Subnetzmaske 255 255 255 0 Standardgateway 192 168 1 1 Adjust the entry in the address bar of your browser to the newly configured IP of the Router 4 2 Connection to the Internet You can set your preferred access to the Internet under the menu item Router Configuration Web Access WAN You can choose between Ethernet via DHCP or static IP as well as PPPoE DSL WiFi client or LTE Select...

Page 19: ... connected to the server This is indicated by the continuous light of the status LED Achtung Please note that the network settings for the LAN side have to correspond to the service network settings on the server If for example the service network 192 168 0 0 has been parameterized the Router has to obtain a fixed and unique address from this network 4 5 Router as VPN Server Certificates As previo...

Page 20: ...tificates Initiate the generation of the certificates for the ServiceRouterV3 by pressing generate new certificates Since this utilizes random values the duration of this process may vary from time to time Please be patient as this may take several minutes OpenVPN Call up the menu item Router Configuration OpenVPN Set the select field to Server and press save There is a wide range of options but s...

Page 21: ...r suggestions please feel free to contact us 2 System The menu item System describes the most important configurations and settings of the ServiceRouterV3 such as the LAN IP or the WAN IP or whether service access is enabled or not You can also view board temperature CPU history and network traffic graphs The interval to be viewed can be set 15 ...

Page 22: ...stem checks if the Router has an Internet connection or if the VPN server can be reached and the VPN channel can be established Click on the Test button in order to start the tests The tests also check whether the customer s firewall is blocking the VPN connection to the VPN server The status view shows the progress of the tests If the tests are successful the bar turns green If an error occurs it...

Page 23: ... change the configuration or the operating parameters of the ServiceRouterV3 it is necessary to login to your admin account on the server For the initial start up or reconfiguration after a reset please use username password eurogard After successful login the Login link changes to Logout link 2 Basic Settings LAN Under this menu item you set the basic operating parameters 2 1 Host name The host n...

Page 24: ... may have to access also has to be explicitly specified Default 192 168 155 1 2 4 Netmask Enter the netmask for the LAN interface at this point Default 255 255 255 0 2 5 DHCP Server for the LAN Network settings can be dynamically assigned to network subscribers by means of DHCP Default enabled 2 6 DHCP Pool The pool of available IPs can be configured This means an address range can be created from...

Page 25: ... Internet connection for the ServiceRouterV3 3 1 WAN media Please select the type of connection at this point Depending on the type of device you can choose between Ethernet WiFi LTE or DSL per PPPoE 3 1 1 Ethernet Select the configuration of the Internet connection of the device You can choose between DHCP and manual specification of network parameters Please note that for DSL access at this poin...

Page 26: ...Select the encryption type WPA WPA2 or disabled are available 3 1 3 4 Passphrase Enter the password for the network encryption 3 1 3 5 MTU This value should only be altered if your device is running behind a NAT cascade and Path MTU Discovery by means of filtering of ICMP Typ 3 Code 4 packets does not work Default 1500 3 1 4 LTE Routers with LTE option can set up an Internet connection via the mob...

Page 27: ... the Router Each com mand must be on a separate line of the SMS It may take up to 60 seconds until the commands are processed in the Router Tipp Control via SMS commands is deactivated as soon as the WAN Fallback function is used 4 WAN Fallback Configuration Here you have the possibility to configure an additional WAN This allows you to maintain the connection in the event of a power failure by au...

Page 28: ...ess via port 123 UDP The time set on the device can be viewed in the upper right hand corner below the Adminlogin link If the battery buffered real time clock has been reset the time indicated flashes red All changed settings also changes in the table have to be saved by clicking the save button bottom right 5 1 Time source Here you can select if the device is to receive its time settings via the ...

Page 29: ...ction with changing IP addresses a provider is required who changes the reference of host domain names to your IP as soon as your Internet IP changes At this point the eurogard remote service products only support the service of DynDNS Achtung This service is only required if you are connected to the Internet via a regularly changing IP address This applies for example in the case of basic DSL con...

Page 30: ...rviceRouterV3 Tipp A server certificate only has to be generated if the Router is to be operated as VPN server The Router itself and every VPN access have their own key and the relevant certificate The keys ensure security of communication the certificates establish the reference between the keys and their owners This makes a certificate a digital passport In this manual the term certificate is al...

Page 31: ...and thus avoid warning messages Achtung Ensure that your certificates do not fall into the wrong hands Whoever is in possession of your server certificates can issue client certificates As a standard certificates have a limited validity Please ensure that the device has the correct current time before generating new certificates This is essential for the whole system to function The host or domain...

Page 32: ...LAN IP Achtung If there are clients in action while re generating the server certificates these clients will no longer be able to connect unless new certificates are loaded to the clients or the old server certificates are restored Press the button generate in order to generate new server certificates Since random values are created here the length of this process may vary on occasion The new cert...

Page 33: ...erviceRouterV3 The certificate wizard is started Click Next The next dialog specifies the storage location Click Browse in order to select a location manually From the list displayed select Trusted root certification authorities 27 ...

Page 34: ...Confirm the two following safety warnings and the certificate is installed 7 4 1 2 Remove root certificate Click the menu item Extras in the top right hand corner of the browser and select Internet options Click the tab Content and Certificates 28 ...

Page 35: ...ertificate authority and click Remove Confirm the safety instructions and the certificate is removed from the computer 7 5 Show server certificates This menu item shows the list of server certificates The most important safety feature is the fingerprint displayed It is the check sum of the keys used in the certificate 29 ...

Page 36: ...in a reset of all VPN net works All connected clients will consequently be disconnected and cannot be accessed for approximately 2 minutes if default has not been changed 8 1 OpenVPN Mode Here you can choose between OpenVPN Mode Server or Client Valid certificates are required in order to activate the OpenVPN server A warning message is displayed if no valid certificates are available Since no val...

Page 37: ...s permitting In order to delete a VPN access or activate a different one click the corresponding buttons in the list Achtung For a successful connection set up it is mandatory that at least the target port of the server is accessible and not blocked by a firewall and that a DNS server can be reached which resolves the target server s name to an IP address In our example the target port UDP 1300 at...

Page 38: ...mode otherwise the fields of a certificate are filled automatically during upload 8 3 OpenVPN Server 8 3 1 DHCP range for VPN clients Since the OpenVPN software in the server allocates an IP to each client and since IPs can never be double allocated the IP range must be customised in accordance with your requirements Please note that the server also allocates IP addresses via the LAN The areas fro...

Page 39: ... Logs Default on 8 3 8 Log verbosity The higher the level the more detailed the logs Level 1 logs every connection set up and close down Level 2 displays additional information regarding certificates in use and encryption and HMAC algorithms The highest level 5 logs every packet sent with a w and every packet received with an r Default 1 8 3 9 Maximum log size In this box the maximum size for the ...

Page 40: ... is displayed if the default administrator account is still active You should create a new account at this stage and delete the eurogard account The existing accounts are organized in an overview chart Again you have the possibility to filter browse and set the maximum number of lines displayed The table has the following columns Account name Account type admin or user Certificate created not crea...

Page 41: ...n created a security warning has to be acknowledged In this case the existing certificate is revoked Achtung A revoked certificate can no longer be used by a client for access to the server Make sure not to block the only way of access to a client router in this way for example to an LTE router 9 4 Download Press download in order to download an archive file with all certificates keys and an OpenV...

Page 42: ...ccount is deleted and the certificate is revoked 10 WLAN only with WLAN option 10 1 WLAN interface The WLAN adapter is enabled or disabled at this point 10 2 Wireless mode At this point operation of the Router as LAN access point or WAN client is selected In access point mode WLAN clients can connect to the Router and have access to the LAN side of the Router In WAN mode the Router connects to an ...

Page 43: ... Logs This menu provides a complete overview of all log files while the logs for the individual services can also be handled in the relevant menu The maximum size of the logs can also be set at this point 12 Firewall The integrated firewall is part of the security concept With a few exceptions all settings of the firewall are auto matically parameterized by the ServiceRouterV3 As a general rule al...

Page 44: ...ssed from the WAN side this option can be blocked with this button If reachability of the HTTPS protocol has been directed to a different port from port 443 the chosen port is opened or closed at this point Default allow 12 3 Allow LAN devices access to WAN Access of LAN devices to the Internet may be blocked here Default allow 12 4 Parameterized firewall rules incoming connections In this section...

Page 45: ...ssuing the request eg a PC while the destination IP stands for a device from the plant network or the Router itself Action specifies what happens to data packets that match this rule Press the save button to save the new rule it is then listed in the overview All rules are displayed in the overview 39 ...

Page 46: ...ndard the Router redirects all requests from the LAN side to other networks to the WAN interface Under Routing however routes may be determined for routers or gateways This may be done for individual hosts as well as for entire networks Additionally the interface for access to the Gateway LAN or WAN may be determined 14 Ports The Router supports the port forwarding function Incoming requests on a ...

Page 47: ...he device with the IP 192 168 155 1 is to be reached choose configuration according to Rule2 The webserver is now accessible via the WAN IP or the hostname via port 8080 http 10 0 0 1 8080 Achtung Please note that data traffic may be unsecured and that authentication can only be carried out by the device inside the LAN itself 41 ...

Page 48: ...ss data logger communicates with connected devices such as PLCs or Modbus subscribers and stores up to 16 million values in an internal SQL database It allows for optimization production data acquisition and fault diagnosis 2 1 Set up connection to a device As default the logger function of the Router is deactivated Activate the data logger via the drop down menu The logger is started as soon as y...

Page 49: ...7 400 Rack 0 Slot 2 Modbus on TCP Slave ID of Modbus RTU Slave can be parameterized Press the button test in order to test the connection This test checks the device s reachability and its compatibility to the configured protocol The results of the test are shown in a message screen Anmerkung The log cycle of a connection may be set between 1 999 seconds A configured connection can be activated or...

Page 50: ...alog values of S7 compatible controls The logger is able to read out and store analog values from data blocks and Modbus registers of a control In case further sources such as input words or flag words are to be read they previously have to be saved in a data block in the PLC The logger can administer up to 100 analog measured values per connection Achtung There is no verification if the selected ...

Page 51: ...process for this value is initiated Analog values are configured as described above All configured values are displayed in a chart For processing reasons configured values cannot be changed In case changes are required the value has to be removed by pressing the delete button and then has to be reconfigured Press the button test in order to check the actual values of all configured data Due to the...

Page 52: ...e logging process for this value is initiated Analog values are configured as described above All configured values are displayed in a chart For processing reasons configured values cannot be changed In case changes are required the value has to be removed by pressing the delete button and then has to be reconfigured Press the test button in order to check the actual values of all configured data ...

Page 53: ... g for fault messages are assigned 5 byte of operating messages for example will be assigned the message numbe rs 1 40 If the third byte is deleted the message numbers 17 24 are deleted If a new byte for operating messages is created this free area 17 24 is reassigned to the new byte It is therefore advisable to carefully plan the range of message numbers beforehand 2 3 4 Digital Digital values wi...

Page 54: ... of status In case of changes a message is immediately sent to the parameterized recipient s As precondition at least one communication channel email or Web SMS has to be configured under the menu item Messaging This is also indicated by a special message screen 3 1 Configure message trigger A connection to a device is configured corresponding to the settings of the data logger Press generate Ente...

Page 55: ...l routers This also avoids data gaps caused by limited storage space on the Router Synchronisation is carried out every hour providing the server is accessible Data records are synchronized but only deviations are transferred from router to server Any changes and modifications such as adding or deleting values are recognized and integrated into the server database 4 1 Setting up a server connectio...

Page 56: ...ver with the IP 192 168 1 100 synchronized every hour Additionally the required templates with the ID 1 would be set up on the server Please note Existing ID 1 templates on the server would be overwritten without prior warning Press deactivate in order to deactivate synchronization The button text will switch to activate and allow for con tinuation of the synchronization 5 Node RED The Router can ...

Page 57: ...Devices After reloading the router website Node RED is operational Now you can assign a new secure password to the admin account via Change password 51 ...

Page 58: ...ust then be restarted via Restart service You can now log in with the user name admin and the password you entered previously After successful registration the Node RED service is available and your Router is IIoT ready 52 ...

Page 59: ... client PC connected via VPN may be used by means of the licensed software USB Redirector Devices are handled as if they were directly connected to a USB port of the PC The use of USB hubs is supported as well so that more than two devices may be connected They should however have a seperate external power supply since the Router only provides a limited supply of voltage per USB port For this reas...

Page 60: ...MTP Server and the corresponding port of your email account 1 4 Username Password If authentication is required by your chosen SMTP Server the relevant user data can be entered here 1 5 Transport encryption If the SMTP server chosen supports encrypted communication the encryption method may be chosen at this point Please note that depending on the method chosen the ports to be used may vary on one...

Page 61: ...er messages 1 8 Test configuration Clicking the test button generates a status report of the device Please note that any changes in the configuration have to be saved before testing During the test a window opens which displays the messages of the mail software and the mail server 2 SMS Gateway The ServiceRouterV3 can send texts to different recipients A web SMS service is used so that this functi...

Page 62: ...bsite under Interfaces After generation this key is shown in plain text and may be copied to the clipboard Paste the key from the clipboard into the corresponding field on the Router website The sender ID identifies the sender of an SMS in the receiving device The field may contain letters or numbers Since each router is given its own identifier it allows the SMS recipient to immediately determine...

Page 63: ...he SMS service with the fault messenger please see menu item Devices Fault mes senger as described in chapter Devices 3 Reports The device can send status reports at pre determined intervals This function and the intervals can be set here The report includes the network parameters in use connected VPN clients and sensor data of the hardware such as for example the CPU temperature 57 ...

Page 64: ...e is plugged into one of the interfaces and connection to another network device is set up This allows you to remotely check if a device is connected to the Router 1 3 DHCP Leases to DHCP clients are displayed here if the DHCP Server of the Router has been activated for the LAN side 1 4 VPN Status Information about the Router s VPN is displayed here Among other settings this includes the mode sele...

Page 65: ...el log dDNS log Log of the update client for dynamic DNS OpenVPN log Logs of the individual OpenVPN processes Netzwork interfaces Node RED optional Please note that the available logs files vary depending on the configuration of the system OpenVPN Log for example is only available after OpenVPN has been started and logging has been activated in the configuration 3 dDNS This site provides informati...

Page 66: ...can identify the google com IP by means of a PC with Internet connection and ping this IP If this works it means that the ServiceRouterV3 has been allocated an incorrect or no DNS server In order to identify for example the google com IP proceed as follows Open Start Run and enter cmd This opens the Windows command prompt Enter nslookup google com and press the return key C Users klaus nslookup go...

Page 67: ...Status Logs H Host route to individual host G Gateway 61 ...

Page 68: ...n when a new one is created If you upload a restore point into the device the point is saved but the configuration is not restored This has to be triggered separately As soon as a restore point has been generated the button download is activated Press the button in order to load previously set restore points on to your PC Select the file settings bak bin via the button select file in order to load...

Page 69: ...le is required In order to prevent unauthorized access a file called auth has to be created which includes a valid username password combination for router access The first line must contain the user name and the second line the password in plain text The file log txt which is saved to the stick during each configuration process must NOT be included otherwise the Router will acknowledge the attemp...

Page 70: ...fundamental problems causing for example inaccessibility of the web interface can be fixed If this option is to be used the operator of the device has to ensure that the Server is accessible via Internet through Port 22 TCP Firewall or port forwarding options have to be adjusted accordingly When activating the service access this port is opened in the firewall for the LAN and for the WAN side If t...

Page 71: ...outerV3 ER1501 ER 1501 WLAN ER 1501 LTE and ER 1501 W LTE are in compliance with the essential requirements and other relevant provisions of the Direc tives 1999 5 EC and 2011 65 EC The declarations of conformity can be found and downloaded at the following address http www eurogard de CE 65 ...

Page 72: ...n this manual only apply to the current version The online documentation regarding the Router is intended for technically qualified personnel either those project planning personnel familiar with security concepts in the area of automation and network technology or those trained as operating personnel dealing with automation equipment and network technology and familiar with the terms used in this...

Page 73: ...Domain Name System servers to determine the IP address behind a host and domain name This will happen with every use of this type of name as for example the URL input in the browser email NTP Therefore the ServiceRouterV3 has to recognise a DNS server Domain Domain names serve to identify Internet resources such as computers net works and services with a text based label that is easier to memorize...

Page 74: ...s visible from outside NTP NTP Network Time Protocol is a protocol to obtain the current time of a computer via the Internet Since the exact time is important for VPN operation synchronization via NTP is the default setting in the ServiceServer Port forwarding If a device such as the ServiceRouterV3 is not directly connected to the Inter net but via a gateway using NAT this device cannot be access...

Reviews:

No comments