Weidmuller IE-SR-2GT-LAN Скачать руководство пользователя страница 59 | Manualshive

Страница: 59 / 103

background image

Copyright © 2013 Weidmüller Interface GmbH & Co. KG

59 / 103

All rights reserved. Reproduction without permission is prohibited.

A3 - Configuring the Router to connect 2 networks with different IP ad-

dress ranges and additional firewall rules

This Technical Note applies to the Weidmüller Industrial Router IE-SR-2GT-LAN and IE-SR-2GT-UMTS/3G

Application requirements:

There are 2 industrial Ethernet networks which are connected by a Router. Each network has its own IP address range.
All Ethernet nodes in both networks shall have the possibility to communicate with each other except that devices B and
C of network 1 cannot be accessed by a ping request (ICMP protocol).

Solution:

Configure firewall rules to prohibit ping requests from devices of network 2 to devices B and C of network 1.

In this example the IP address ranges are set to

192.168.

10

.0 / 255.255.255.0 for Network 1 and

192.168.

20

.0 / 255.255.255.0 for Network 2

The Router interfaces will be set to

192.168.

10

.254 / 255.255.255.0

for LAN interface and

192.168.

20

.254 / 255.255.255.0

for WAN interface

Network diagram of below described application scenario

Network 1: 192.168.10.0 / 24

(Class C)

LAN-Port

192.168.

10.254

255.255.255.0

Device A

192.168

.10.100

255.255.255.0

GW 192.168.

10

.254

Device B

192.168

.10.101

255.255.255.0

GW 192.168.

10

.254

Device C

192.168

.10.102

255.255.255.0

GW 192.168.

10

.254

Network 2: 192.168.20.0 / 24

(Class C)

Device E

192.168

.20.100

255.255.255.0

GW 192.168.

20

.254

Device F

192.168

.20.101

255.255.255.0

GW 192.168.

20

.254

Device G

192.168

.20.102

255.255.255.0

GW 192.168.

20

.254

WAN-Port

192.168.

20.254

255.255.255.0

Configuration PC

S

w

it

c

h

S

w

it

c

h

Ping

prohibited

to Device B

Ping

prohibited

to Device C

Ping

allowed to

Device A

Communication between

devices of network 1 and 2

allowed, but ping requests from

network 2 to devices B and C

of network 1 are prohibited

«
...
57
58
59
60
61
...
»

Содержание IE-SR-2GT-LAN

Страница 1: ...l be updated and completed step by step This version refers to Router firmware version 2 3 1 and above You may download a new version from the Weidm ller web site using the following path 1 Open http...

Страница 2: ...or implied includ ing but not limited to its particular purpose Weidm ller reserves the right to make improvements and or changes to this manual or to the products and or the programs described in thi...

Страница 3: ...arting the Web interface 15 8 Reset to factory default settings by external push button 17 Default factory settings of the Router 17 9 Using the Weidm ller Router Search Utility 18 10 Basic descriptio...

Страница 4: ...by using a public OpenVPN Server as Meeting Point 85 B2 Configuring an OpenVPN remote access scenario using a Weidm ller Router as OpenVPN Server 85 B3 Configuring an IPsec scenario between 2 Routers...

Страница 5: ...when needed The Router can be configured on site using an IP network on both Ethernet ports LAN or WAN The Router has implemented extensive security standards to enable different networks to work toge...

Страница 6: ...The Security Router does not have an on off switch The operating voltage must be switched on by the facility in which the device is integrated Caution You should activate and synchronise the time serv...

Страница 7: ...artition The Router is designed to be mounted on a top hat rail that is compliant with the EN 50022 standard This Router will not have a secure mount if any other type of rail is used Use a top hat ra...

Страница 8: ...OSPF protocol Transparent Bridge 2 Port Switch with additional Layer 2 fil ter Network Services DHCPServer DHCPRelay DNS Relay NTP Client DynDNS DHCP Client nach RFC 2136 Firewall IPv4 Stateful inspe...

Страница 9: ...CP The Modbus TCP interface enables the con trol of the Router by a PLC Following func tions are imaged in the registers Cut Alarm status request acknowl edgment IPsec on off switchable generally Open...

Страница 10: ...mm with 3G antenna Mounting TS35 DIN rail Environmental conditions Operating Temperature 20 C to 70 C Storage Temperature 20 C to 85 C Ambient Humidity 6 to 90 noncondensing DSL and 3G HSDPA DSL DSL...

Страница 11: ...d on the boot process is running green Device is turned on and ready to run Status off The device is not powered red Error after boot process or recovering an image Cut off CUT Input is not powered re...

Страница 12: ...VDC input for initiating a VPN tunnel Predefined OpenVPN tunnel 24 VDC output for signaling an active VPN tunnel Note Corresponding socket connector is included RJ45 Connector WAN 10 100 1000BaseTX RJ...

Страница 13: ...NAME MDI 10 100Base T x 1000Base T 1 TX BI_DA 2 TX BI_DA 3 RX BI_DB 4 NC BI_DC 5 NC BI_DC 6 RX BI_DB 7 NC BI_DD 8 NC BI_DD Pin assignment of 4 pin connector for VPN initiate and VPN active Pin number...

Страница 14: ...data 7 Initial start up Getting Started Configuration of the Router by using an Internet browser Note The configuration of the device can be done either via LAN or WAN RJ45 ports Connect the unit to...

Страница 15: ...mportant note The Router s Web server partly is using Java script for parameter settings e g if you want to apply or deleting a configured Open VPN session Please ensure that the Web browser your a us...

Страница 16: ...Note If the login prompt does not appear please check the network LED s if the devices are connected to the network correctly If problems still persist please check the proxy and firewall settings of...

Страница 17: ...he Router is ready to run with factory default settings Default factory settings of the Router Language Englisch user interface Operation mode IP Router IP address LAN port 192 168 1 110 static value...

Страница 18: ...r and displaying parameters like Device name MAC address and IP address with Subnet mask Change the IP address of a detected Router Open the web interface of a detected Router You may download the Wei...

Страница 19: ...Default gateway Setting of firewall rules Packet filter and an additional auto learning feature called SecureNow to assist the creation of packet filtering rules Configuration of general system data n...

Страница 20: ...s prohibited 11 Explanation of the menu items of web interface in chronological order Figure 1 Diagnostics Systemstatus Startup screen of the web interface after login Displays current configuration a...

Страница 21: ...n is prohibited Figure 3 Diagnostics Eventlog Tab Configuration Event and error messages can be sent to a syslog server PC on the network and also sent as emails Figure 4 Diagnostics WAN Display of th...

Страница 22: ...e 6 Diagnostics 3G Displays the current status of the 3G mobile connection Figure 7 Diagnostics Ping Test Allows sending of ICMP packets ping to test network connections between the Router and other E...

Страница 23: ...iver of the diagnostic data is a PC which must have installed the tool Wireshark How to use please refer to application note in Appendix C3 Figure 9 Configuration IP Configuration This is the basic co...

Страница 24: ...rding of data traffic By pressing the button Start Analysis button the Router begins to analyze the network traffic ports LAN WAN and possibly UMTS 3G As a result the Router will provide a table showi...

Страница 25: ...ally so that e g wrong filter rules can be removed by a Router restart Then previous filter rules would be valid again Figure 13 Configuration Packet filter Tab Layer 3 This is the window for the manu...

Страница 26: ...all settings as delivered with the 2 default rules Allow_L2 and ARP Address resolution protocol The rule Allow_L2 allows transmitting any Ethernet frame type and any traffic regardless the direction s...

Страница 27: ...more information please refer to Appendix C2 Method 2 Figure 17 Configuration Cut Alarm Tab State Displays the current status of the events Internal Cut triggered eg by a special firewall rule Externa...

Страница 28: ...nfiguration General settings Date time Tab Configuration Setting of date time and time zone Alternatively the date time setting can be configured via using the Net work Time Protocol and accessing an...

Страница 29: ...configuration changes will be immediately activated but not saved If you chose the entry Save only and do not apply then the button named Apply in the configuration windows will be changed to a button...

Страница 30: ...ation of the Router for online access to certificates which are stored on a centralized online certifica te server SCEP Simple Certification Enrollment Protocol When setting up certificate based VPN c...

Страница 31: ...dividual rights for the created user accounts Note The Administrator account always has full access It cannot be deleted Figure 25 Configuration Access control Web access Tab Configuration Select the...

Страница 32: ...nfiguration Registration of up to 3 DNS servers for name resolution The Router acts as a DNS relay server Figure 27 Configuration Network IP Routing Tab Configuration Registration of static IP routes...

Страница 33: ...rding the feature SNAT Source network address translation can be activated to hide the original source IP address forwarding can be configured using an IP address and a wildcard port number instead of...

Страница 34: ...rmation please refer to Appendix A2 Figure 32 Configuration Network Network groups Tab Configuration Creating groups with speaking names for ranges of IP addresses Layer 3 A network group always conta...

Страница 35: ...s based on MAC addresses layer 2 A hardware group can contain any number of MAC addresses for example 00 15 7E D9 09 00 Hardware groups can be used for better readability than individual MAC addresses...

Страница 36: ...um of 10 OpenVPN connections either as client or as server can be configured and started at the same time Each VPN connection can be configured individually at Tab s VPN1 VPN10 Note OpenVPN connection...

Страница 37: ...penVPN Client session L3 VPN1 currently dis connected and an OpenVPN Server session L3 VPN2 currently no connected remote clients Figure 39 Configuration VPN OpenVPN Tab Configuration After configurat...

Страница 38: ...hared key using user name and password as well as certificate based encryption Implemented IPsec features Key exchange IKE Internet Key Exchange basedon ISAKMP Internet Security Association and Key Ma...

Страница 39: ...sed for allocating IP addresses on both LAN side and WAN side By default factory settings the DHCP server is switched off Note The range of the IP addresses which will be allocated to connecting DHCP...

Страница 40: ...NS Tab Configuration This feature allows the Router if connected to the Internet using dynamic IP address allocation to be accessed by a speaking name via the public Dynamic DNS service of provider Dy...

Страница 41: ...be requested using Standard MIB II Note Currently no SNMP traps are implemented Figure 45 Configuration Services Modbus TCP Tab Configuration Activation deactivation of the integrated ModbusTCP Serve...

Страница 42: ...le an Alarm or a Cut event can be triggered Additionally the connection to a mail server and a target mail address can be configured to send the information about a lost connection of a monitored devi...

Страница 43: ...can be configured on both Layer 2 based on MAC addresses and at Layer 3 IP addresses and protocols Figure 49 Configuration Prioritization 3G Tab Configuration With this feature outgoing traffic on the...

Страница 44: ...h memory will be used Please save the configuration to Flash memory before creating a backup file Figure 51 System Software update Tab System With this menu item a firmware update can be carried out T...

Страница 45: ...s LAN port 192 168 1 110 IP address WAN port 192 168 2 110 User name admin Password Detmold Figure 53 System Save Tab System Screenshot of Router with inserted SIM memory card Save the configuration i...

Страница 46: ...ed Reproduction without permission is prohibited Figure 54 System Save Tab System Screenshot of Router without SIM memory card Figure 55 System Reboot Tab System Forcing a reboot of the Router The sta...

Страница 47: ...xample the IP address ranges are set to 192 168 10 0 255 255 255 0 for Network 1 and 192 168 20 0 255 255 255 0 for Network 2 The Router interfaces will be set to 192 168 10 254 255 255 255 0 for LAN...

Страница 48: ...er using the LAN Port this port will be used in the example Note Use autonegotiation on the Ethernet Interface of the PC 2 Change the IP address of the PC to one of the range 192 168 1 0 24 e g IP add...

Страница 49: ...meters LAN Port static 192 168 10 254 255 255 255 0 Class C NAT masquerading not set leave checkbox empty Default gateway Can be left blank because there exists no further target network Click button...

Страница 50: ...4 To reconnect to the Router now set the IP address of the PC to the new values IP address 192 168 10 99 Subnet mask 255 255 255 0 Standard Gateway 192 168 10 254 Again login into the Web interface of...

Страница 51: ...ation Select menu System Save or Click on the Disk icon in the upper left corner of the web interface Figure A1 6 Menu System Save before saving the configuration Click on button Save settings to save...

Страница 52: ...s members of network 2 ping 192 168 20 100 ping 192 168 20 101 ping 192 168 20 102 Result All sent pings should be answered by the requested IP addresses correctly 2 Run 3 Ping commands from a device...

Страница 53: ...AN to WAN but does NOT block the access to this LAN IP address from WAN network This explicitly has to be done by a firewall rule In this example the IP address ranges are set to 192 168 10 0 255 255...

Страница 54: ...nnect the configuration PC to the Router using the LAN Port this port will be used in the example Note Use autonegotiation on the Ethernet Interface of the PC 2 Change the IP address of the PC to one...

Страница 55: ...ameters WAN Port static 192 168 20 254 255 255 255 0 Class C Click and Set the checkbox NAT masquerading IP address parameters LAN Port static 192 168 10 254 255 255 255 0 Class C NAT masquerading not...

Страница 56: ...ss of the configuration PC according to the connected network 192 168 10 0 24 To reconnect to the Router now set the IP address of the PC to the new values IP address 192 168 10 99 Subnet mask 255 255...

Страница 57: ...rwarding table of menu Forwarding Click icon to add a new line to enter IP forwarding values Select or fill the values as shown in the upper entry of figure 6 Ensure that each input will be completed...

Страница 58: ...ults showing in the Wireshark window The original sender of the ping request with IP address 192 168 10 100 is displayed as IP address 192 168 20 254 which is translated masqueraded by the Router If y...

Страница 59: ...re set to 192 168 10 0 255 255 255 0 for Network 1 and 192 168 20 0 255 255 255 0 for Network 2 The Router interfaces will be set to 192 168 10 254 255 255 255 0 for LAN interface and 192 168 20 254 2...

Страница 60: ...LAN Port this port will be used in the example Note Use autonegotiation on the Ethernet Interface of the PC 2 Change the IP address of the PC to one of the range 192 168 1 0 24 e g IP address 192 168...

Страница 61: ...meters LAN Port static 192 168 10 254 255 255 255 0 Class C NAT masquerading not set leave checkbox empty Default gateway Can be left blank because there exists no further target network Click button...

Страница 62: ...4 To reconnect to the Router now set the IP address of the PC to the new values IP address 192 168 10 99 Subnet mask 255 255 255 0 Standard Gateway 192 168 10 254 Again login into the Web interface of...

Страница 63: ...ayed By default the Router contains 1 rule set called Allow_L3 which is acting as a general permission to allow inbound and outbound traffic without any limitation Application method of defined rule s...

Страница 64: ...Co KG 64 103 All rights reserved Reproduction without permission is prohibited Figure A3 6 Define a new rule set according described steps 1 to 4 Figure A3 7 Define additional parameters of the new r...

Страница 65: ...ithout permission is prohibited Figure A3 8 Define the first rule according described steps 8 to 12 Figure A3 9 Define additional parameters of the first rule according described steps 13 to 15 Figure...

Страница 66: ...eserved Reproduction without permission is prohibited Figure A3 11 Creation of first rule completed Figure A3 12 Define of second rule according described steps 24 to 28 Figure A3 13 Define additional...

Страница 67: ...served Reproduction without permission is prohibited Figure A3 14 Define additional parameters of the second rule according described steps 32 to 38 Figure A3 15 Creation of second rule completed Figu...

Страница 68: ...reserved Reproduction without permission is prohibited Figure A3 17 Creation of new rule set is completed and added to the rule set list Move the new rule set to top position Figure A3 18 Activate the...

Страница 69: ...92 168 10 101 Device B ping 192 168 10 102 Device C Results 1 Sent Ping to IP address 192 168 10 100 should be answered by the requested IP addresses correctly 2 Sent Ping to IP addresses 192 168 10 1...

Страница 70: ...16 Class B WAN Port 172 16 1 252 255 255 0 0 GW 172 16 1 254 Router 1 Switched Corporate network 10 1 1 0 16 Class B Machine network 2 192 168 1 0 24 Class C LAN Port 172 16 1 254 255 255 0 0 These s...

Страница 71: ...is defined as local network IP range for devices connected to the LAN port 1 1 NAT means that for each communication between devices of LAN and WAN network the public IP addresses of LAN devices have...

Страница 72: ...his document in chapter A5 Starting situation All Routers have the factory default configuration and can be accessed either using the LAN port by IP address 192 168 1 110 or using the WAN port by IP a...

Страница 73: ...2 255 255 0 0 Class B NAT masquerading not set leave checkbox empty IP address parameters LAN Port static 192 168 20 254 255 255 255 0 Class C NAT masquerading not set leave checkbox empty Default gat...

Страница 74: ...y in this example Click button Apply settings to activate the new settings Now the configured parameters will be activated but not saved After a few seconds the web interface displays the new IP addre...

Страница 75: ...ou have to use an IP address of the WAN port range 10 1 0 0 Again login into the web interface of the Router using a web browser Only for Router 1 Use IP address 172 16 1 252 http 172 16 1 252 on WAN...

Страница 76: ...permission is prohibited Figure A4 5 New values of menu IP configuration 6 Configuring 1 1 NAT address translation Do this only for Routers 1 and 2 Select menu Configuration Network 1 1 NAT Figure A4...

Страница 77: ...with subnet mask 255 255 255 0 The 1 1 NAT address translation is working in that way that every address of the private Class C network will be changed to the corresponding public address Exemplary re...

Страница 78: ...behind LAN port of Routers 1 and 2 can get access to each other Select menu Configuration Network IP routing Tab Configuration Figure A4 8 Default values of menu IP routing Tab Configuration Configur...

Страница 79: ...Metric Can be left blank only one route therefore no need for prioritization Interface LAN Router 2 can be reached by LAN port Click button Add entry to add the new static route to the routing table...

Страница 80: ...he SIM memory card Figure A4 12 Menu System Save after saving the configuration Additionally the configuration can be stored on the file system of the PC Select menu System Backup settings Figure A4 1...

Страница 81: ...1 20 to machine 1 192 168 1 100 of network 1 by using the public IP address 192 168 20 100 Result Machine 1 of network 2 should reply the ping request with reply IP address 192 168 20 100 due to conf...

Страница 82: ...s and the production network should participate this can be done by assigning additionally a password to the used Router information protocol RIP or OSPF The result is that only the Routers with the s...

Страница 83: ...other Routers WAN Type Select RIP Simple password see explanation above Active interface Activate the checkbox if the Router shall send the routing table to the WAN port to other Routers Note You shou...

Страница 84: ...m 192 168 1 100 to from 192 168 21 100 1 Send a ping request from Machine 1 of Network 2 to Machine 1 of Network 1 Send ping 192 168 20 100 this ist the public IP address of Machine 1 of Network 1 tra...

Страница 85: ...down to section Technical Notes 4 Download the file TechNote RemoteAccess_via_Router_and_MeetingPoint_V1_ pdf B2 Configuring an OpenVPN remote access scenario using a Weid m ller Router as OpenVPN Se...

Страница 86: ...3 Disable Clear checkbox Permanent connection Now the OpenVPN Client configuration will not automatically try to connect an OpenVPN Server but it will start a connection by external 24 VDC input conn...

Страница 87: ...permission is prohibited C1 6 Click Apply settings C1 7 To activate the not permanent configured OpenVPN connection provide 2 pins of the 4 pin con nector named VPN initiate VPN active with 24 VDC If...

Страница 88: ...sconnection Cut by external digital input Method 2 Software based disconnection by a Firewall rule Method 3 Software based disconnection by feature Client monitoring Method 1 Hardware based disconnect...

Страница 89: ...rule it can be configured that the WAN port will be disconnected if this Firewall rule matches As an example below we create a Firewall rule which will deactivate the WAN port if a device is sending a...

Страница 90: ...C2 4 Click button Next C2 5 Select Inbound Interface WAN C2 6 Click button Add to create the first rule of the rule set Disconnect_WAN C2 7 Enter in both fields Source IP address and Destination IP a...

Страница 91: ...s Log and Alarm to signalize a CUT in the Event Log and to switch on the Alarm LED at frontside of the Router C2 14 Enter the name of the rule max 15 characters C2 15 Click button Next Now the rule Li...

Страница 92: ...rule set creation Now the new rule set Disconnect_WAN will be displayed in the Layer3 Filter table We need to change the position of the new rule set to top most cause the Packet filter Firewall chec...

Страница 93: ...have to determine how to re activate a disconnected WAN port This has to be done in the menu Cut Alarm C2 21 Select menu Configuration Cut Alarm By default a triggered CUT or Alarm event has to be re...

Страница 94: ...eature Client monitoring The Router has a builtin feature named Client monitoring which can be used to test if a connected device is still alive This will be done by periodically sending a block of 5...

Страница 95: ...ote The behaviour of re setting a triggered CUT or Alarm depends on the configuration of the menu Configuration Cut Alarm Additionally if the parameter Enable automatic client monitoring recovery ackn...

Страница 96: ...f the Router Step by step guidance C3 1 Activate the Remote capture feature of the Router as shown below Menu Diagnostics Remote Capture Note Only one Wireshark Client PC here 172 16 1 10 can be used...

Страница 97: ...2013 Weidm ller Interface GmbH Co KG 97 103 All rights reserved Reproduction without permission is prohibited C3 4 Click button Options C3 5 Click button Manage Interfaces and change to tab Remote In...

Страница 98: ...her the IP address of LAN or WAN port The import fact is that the Routers IP ad dress is accessible by the Wireshark PC C3 8 Enter into field Port the value 2002 will be filled automatically if you en...

Страница 99: ...rohibited In this example we want to capture the traffic at WAN port C3 11 Double Click the line rpcap 172 16 1 20 2002 WAN C3 12 Click button Remote Settings C3 13 Clear the checkbox Do not capture o...

Страница 100: ...Interface GmbH Co KG 100 103 All rights reserved Reproduction without permission is prohibited C3 16 Activate the checkbox in line rpcap 172 16 1 20 2002 WAN C3 17 Click button Start to record the tr...

Страница 101: ...C4 2 Change the IP address of the PC to one out of the range 192 168 1 0 e g IP address 192 168 1 88 Subnet mask 255 255 255 0 Standardgateway 192 168 1 110 Preferred DNS Server 192 168 1 110 Do not...

Страница 102: ...3G connection according to the data provided by Internet provider normally PIN and APN Note In many cases you don t need to fill values into fields username and password If your provider does not use...

Страница 103: ...signed dynamically by the Internet provider If you use standard SIM cards with Internet flatrate like typically used in smart phones then no one of these diplayed IP addresses can be used to access th...

Отзывы:

Нет отзывов

Похожие инструкции для IE-SR-2GT-LAN

Express Ethernetwork DI-704P

Бренд: D-Link Страницы: 17

Бренд: E-Lins Страницы: 59

Бренд: E-Lins Страницы: 11

Бренд: E-Lins Страницы: 9

Бренд: E-Lins Страницы: 5

Network Video Recorders

Бренд: e-Line Technology Страницы: 34

Бренд: Macsense Страницы: 39

Бренд: Patton electronics Страницы: 145

Бренд: Hama Страницы: 25

Бренд: Infoblox Страницы: 16

Бренд: Zoom Страницы: 2

Бренд: SainSmart Страницы: 12

VAR-SOM-MX8M-PLUS

Бренд: Variscite Страницы: 2

Бренд: Firetide Страницы: 32

Modular Fast Fiber Switch Converter MT-RJ

Бренд: Lindy Страницы: 3

Бренд: Idis Страницы: 28

Cyclades CS4008

Бренд: Avocent Страницы: 2

FiberTwist XGS2420

Бренд: Genexis Страницы: 7

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды