Manual Redes Router Weidmuller
IE-SR-2GT-LAN
IE-SR-2GT-UMTS/3G
Manual
Version 1.2.4
September 2013
Important notes:
This document will be continuously updated and completed step by step.
You may download a new version from the Weidmüller web site using the following path:
1. Open http://www.weidmueller.com/IE
2. Select section „Industrial Ethernet“ „Documents”
3. Select category „Manuals“
4. Download “Manual_IE-SR-2GT-LAN-3G-UMTS_EN_Vx_yy.pdf”
Industrial Security Router / Firewall
IE-SR-2GT-LAN
IE-SR-2GT-UMTS/3G
The software described in this manual is furnished under a license agreement and may be used only in
accordance with the terms of that agreement.
Copyright Notice
Disclaimer
Information in this document is subject to change without notice and does not represent a commitment on
the part of Weidmüller.
Weidmüller provides this document "as is," without warranty of any kind, either expressed or implied,
including, but not limited to, its particular purpose. Weidmüller reserves the right to make improvements and/or
changes to this manual, or to the products and/or the programs described in this manual, at any time.
Information provided in this manual is intended to be accurate and reliable. However, Weidmüller assumes
no responsibility for its use, or for any infringements on the rights of third parties that may result from its use.
This product might include unintentional technical or typographical errors. Changes are periodically made to
the information herein to correct such errors, and these changes are incorporated into new editions of the
publication.
Contact Information
A. Application scenarios (Use cases) for Routing, NAT and Firewalling
A1 - Configuring the Router to connect 2 networks with different IP address ranges
A2 - Connecting 2 Ethernet networks with activated NAT masquerading and using IP address forwarding
A3 - Configuring the Router to connect 2 networks with different IP address ranges and additional firewall rules
A4 - Connecting 2 Ethernet networks with the same IP address range to another network using 1:1 NAT address translation
A5 - Using dynamic IP routing as an alternative for manually configuring static routes
The Router has implemented extensive security standards to enable different networks to work together
smoothly.
Additionally VPN (virtual private network) connections can be used to connect the Router as a VPN-Client or
a VPN-Server with other VPN devices.
2. Package Checklist
Models IE-SR-2GT-LAN and IE-SR-2GT-UMTS/3G
1 x Industrial Security Router (IE-SR-2GT-LAN or IE-SR-2GT-UMTS/3G)
1 x 3-pin connector for power supply
2 x 4-pin connectors for special digital inputs and output signals (Alarm, CUT, VPN)
1 x Ethernet cable ( Length 1 m, Color red)
1 x Hardware Installation Guide
If any of these items are missing or damaged, please contact your customer service representative for
assistance.
Warning
- Using the selected device for purposes other than those specified or failure to
observe the operating instructions and warning notes can lead to serious
malfunctions that may result in personal injury or damage to property.
- If this product malfunctions, it is no longer possible to predict the behaviour of
neighbouring networked facilities and their connected devices. Personal injury and
property damage can occur as a result of malfunctions. Only carry out changes to
the settings when you are certain of the consequences such changes will have on
all connected networks, facilities and devices.
- Personal injury and property damage can occur as a result if this product is used
improperly. Adjustments and setting changes to this product should only be carried
out by sufficiently qualified personnel.
Caution
- This device is designed only for an operating voltage range from 7 to 36 V DC. Do
not use a higher voltage; this could destroy the Router and other devices.
- The Security Router does not have an on/off switch. The operating voltage must
be switched on by the facility in which the device is integrated.
Caution
You should activate and synchronise the time server or set the system time
manually if you are using certificates in virtual private networks (VPNs) or simple network
management protocol (SNMP). An inaccuracy in the system time can cause the
virtual private network (VPN) to malfunction.
You should synchronise the system time with a time server after each Router
reboot and after you load the default settings. Or you can set the system time
manually.
Caution
- The default system access information for the Security Router is included in this
document. Unauthorized individuals can use this access data to gain access to the
Router's web browser and cause damage. Be sure to change these system default
access settings.
- Some services may be blocked by a firewall. You may need to deactivate the
firewall. By deactivating the firewall, the PC is no longer protected against viruses
or other attacks. Only deactivate the firewall when your PC is sufficiently protected
by other measures.
- A single port can only properly execute one service. If multiple services are
assigned to a port, the port can no longer execute any service. Be sure to assign only
one service to any port.
4. Mounting the device
Caution
- This device is designed only for an operating voltage range from +7 to 36 VDC. Do
not use a higher voltage; this could destroy the Router and other devices.
- Connecting plugs should never be connected or disconnected from electrical
devices if they are carrying a live load. Be sure to first disconnect all poles of the plug.
Remember to disconnect all plugs from the Router before it is installed or removed.
- Electrical devices should not be installed or removed during operations. Never
install or remove the Router while it is running.
Caution
- It is important to provide sufficient clearance between devices which cause strong
electromagnetic interference (such as frequency converters, transformers or motor
regulators). The clearance gap between such devices and the Router should be as
wide as possible. The Router can be further shielded by using a mu-metal partition.
- The Router is designed to be mounted on a top-hat rail that is compliant with the
EN 50022 standard. This Router will not have a secure mount if any other type of
rail is used. Use a top-hat rail that complies with the EN 50022 standard. Be sure to
observe the mounting information provided by the manufacturer.
Note
- A minimum of 2 inch (5 cm) gap should be kept between the Router and
neighbouring devices from the top and bottom. This will ensure that the Router is
sufficiently ventilated and prevent induction from developing.
- The top-hat rail should be located in a horizontal position along the vertical rear
wall of the electrical cabinet. This ensures that the Router can be adequately
ventilated from below to above.
5. Technical data
Operation mode
VPN
- Configurable as OpenVPN server or client (Layer 2 and Layer 3)
- Authentication with X.509 Certificates
- OpenVPN Tunnel support via HTTP-Proxy
- A maximum of 10 different server configurations
- Unlimited number of client connections in server mode
Other features
Modbus/TCP: The Modbus/TCP interface enables the control of the Router by a PLC. Following functions are imaged in the registers:
- Cut & Alarm, status request & acknowledgment
- IPsec, on/off switchable generally
- OpenVPN, separate status request and activation / deactivation of the 10 possible OpenVPN connections
Diagnosis: „Remote Capture“ feature for network diagnostics via a connected PC (Wireshark)
Monitoring: Client monitoring via ICMP protocol (ping request) with alarm function in case of error
Interfaces
RJ45-Ports: 2 * 10/100/1000BaseT(X)
USB-Port: option for future expansion
SCM card Reader: Save and restore the configuration using a smart card (SIM card without mobile provider data, only the storage capacity of the chip will be used)
LED display: Signaling the status for power, device status, Cut, Alarm, active VPN connection and an active 3G connection
Digital Outputs: "Alarm" -> Indicates a configurable network status or error (24V out)
Power
Input Voltage: 1* 24 VDC (7 to 36 Volt)
Current consumption: max. 600mA @ 24 VDC
Environmental conditions
Operating Temperature: -20°C to +70°C
Storage Temperature: -20°C to +85°C
Ambient Humidity: 6 to 90% noncondensing
Approvals
Security: cULus (UL508)
EMC: FCC Part 15 Class A, EN 55022 Class A, EN61000-4-2 (ESD), EN61000-4-3 (RS), EN61000-4-4 (EFT), EN61000-4-5 (Surge), EN61000-4-6 (CS)
Warranty
Period of time: 3 years
Description of device interfaces at rear side
Connector for UMTS / 3G antenna of type SMA female: Any external antenna can be used which is compliant to following parameters:
- Diversity Support: 900/1900/2100 MHz
- Antenna Connector: 50 Ohm compatible
3G slot / socket: Slot for mobile SIM card (only 3G/UMTS model)
Note: Allowed input voltage range from 7 to 36 VDC (24 VDC typical)
Pin assignment of 4-pin connector for „VPN initiate“ and „VPN active“
Pin assignment of 4-pin connector for „Cut WAN port“ and „Signalize Alarm“
Note
The configuration of the device can be done either via LAN or WAN RJ45 ports.
Connect the unit to a 24V DC (3-pin plug) power source. The corresponding plug is included.
During the initial boot phase, the PWR LED is flashing. The Router is ready when the PWR LED is lit
constantly (after about 30 seconds).
Connect the Router to the Ethernet interface of a configuration PC using an RJ45 network cable.
It is possible to use a standard Ethernet patch cable or a crossed network cable. By default both Ethernet
ports are configured with autonegotiation.
When delivered, the Web interface of the Router can be reached from both the LAN and the WAN port.
To access the Web interface of the Router the IP address of the connected PC has to be in the same logical
network (IP address range) as the Router.
The default IP addresses and net masks of the Router are:
LAN port : 192.168.1.110 / 255.255.255.0
WAN port : 192.168.2.110 / 255.255.255.0
Important note
The Router’s Web server partly uses JavaScript for parameter settings (e.g. if you
want to apply or delete a configured OpenVPN session).
Please ensure that the Web browser you are using is allowed to run JavaScript.
For Router configuration you do NOT need to install Java runtime software (for
executable Java applets) because only JavaScript is used. Standard Web
browsers are able to run JavaScript code by default.
If some “Apply” buttons are not working (seem to be without function) and you are
using Internet Explorer 10, please verify that you are using Browser Mode IE10 to
ensure that JavaScript runs properly. To validate the browser mode, press key
F12 and activate, if not set, the mode Internet Explorer 10 as shown in the screenshot
below.
Start your Web browser and enter the IP address of the connected Router port into the browser’s address
line.
Note
If the login prompt does not appear, please check the network LEDs to see whether the devices are
connected to the network correctly. If problems still persist, please check the proxy and
firewall settings of the local PC.
Now the Router homepage is displayed. This page corresponds to the menu item "Diagnostic System
Status". On this page the most important configuration and status information is summarized.
Note: Some fields are linked with a hyperlink to jump directly into the corresponding menu item.
Screenshot of the Login page
By pressing the push button "Factory Default" the security Router can be reset to the default settings
(factory settings) at any time and regardless of the configuration.
How to set the factory settings:
1. Power off the Router
2. Press the button „Factory Default“ and keep it held down
3. Power on the Router and keep the button „Factory Default“ pressed while the Router is booting
4. Release the button „Factory Default“ when the Power LED starts flashing fast (around 10 seconds after power on)
5. Wait until the Power LED is glowing constantly green
The software tool Weidmüller Router-Search-Utility can be used to find Weidmüller Routers and detect
their IP addresses within a switched network. This software is very helpful if you don’t know the current IP
address of a Router. This can happen, for example, if you have forgotten the current IP configuration or
have lost access to the Router after configuring an unintended IP address. The main features of the
software are:
Detecting a Router and displaying parameters like Device name, MAC address and IP address with
Subnet mask
Change the IP address of a detected Router
Open the web interface of a detected Router
You may download the Weidmüller Router-Search-Utility from the Weidmüller web site using the following
path:
1. Open www.weidmueller.com/IE
2. Select section “Industrial Ethernet“ „Software”
3. Select category “Additional Software (Configuration utilities, Drivers and MIB-files)“
4. Select category “Industrial Security Router (IE-SR-2GT-LAN, …3G/UMTS)“
5. Download “Weidmueller_Router_Search_Utility.zip”
Alternatively you can download this software from this web page:
1. Open www.weidmueller.com
2. Select Downloads
3. Select Software
4. Select Industrial Ethernet
5. Download from section Industrial Security Router (Firmware and Software for IE-SR-2GT-LAN/3G/UMTS)
The menu structure of the web Interface is divided into 4 main sections:
Section Diagnostics
► Displays system status data
► Feature for testing the data communication between the Router and other
Ethernet devices (Ping test)
Section Configuration
► Setting of operation mode (eg „IP Router“) and basic network parameters (IP addresses,
Default gateway)
► Setting of firewall rules (Packet filter and an additional auto learning feature called
„SecureNow“ to assist the creation of packet filtering rules)
► Configuration of general system data (name, location, contact person, date / time,
language interface, etc.)
Section System
► Backup and restore of device configuration, Update firmware, Reboot
Section Informations
► Display of technical data and hardware information (eg serial number and MAC address)
Startup screen of the web interface after login. Displays current configuration and status data.
Figure 6: Diagnostics 3G
Allows sending of ICMP packets (ping) to test network connections between the Router and other Ethernet
devices.
By using the "remote capture" function data packets on both the LAN and the WAN port of the
Router can be recorded for diagnostic purposes. The receiver of the diagnostic data is a PC which
must have installed the tool "Wireshark".
For how to use this function, please refer to the application note in Appendix C3.
This is the basic configuration window of the Router for assignment of IP addresses on the LAN and WAN
port. Each of the two interfaces can be configured with static or dynamic (DHCP) IP addresses. For models
of type IE-SR-3GT-UMTS/3G (as shown above) additionally a section „3G“ will be displayed to configure the
3G connection.
This is an auxiliary function for "independent learning" of firewall rules based on temporary recording of data
traffic. By pressing the button "Start Analysis" the Router begins to analyze the network traffic (ports
LAN, WAN and possibly UMTS/3G). As a result, the Router will provide a table showing the recorded TCP
packets and protocols as well as a proposal for the setting of firewall filtering rules.
Window screen after starting the network analysis displaying the current network traffic.
Window after exiting the network analysis with a proposed indication of firewall filtering rules. If you click the
button "apply rules", the firewall will be updated with the proposed rules and immediately activated. The
changes are not saved automatically, so that e.g. "wrong" filter rules can be removed by a Router restart.
Then previous filter rules would be valid again.
This is the window for the manual configuration of firewall filter rules based on Layer 3 (IP layer). The
screenshot shows the firewall settings as delivered with the default rule "Allow_L3*". This rule says that any
IP protocol (*) and any traffic regardless of the direction (source and destination=*) is allowed. The result is that
- on delivery - the firewall is "open" on layer 3.
For more detailed information about using the packet filter please refer to Appendix A3.
This is the window for the manual configuration of firewall filter rules based on Layer 2 (MAC layer). The
screenshot shows the firewall settings as delivered with the 2 default rules "Allow_L2*" and „ARP*“ (Address
resolution protocol). The rule Allow_L2* allows transmitting any Ethernet frame type (*) and any traffic
regardless of the direction (source and destination MAC address =*). The result is that - on delivery - the firewall
is "open" for layer 2.
Overview of transmit and receive activities of the Ethernet interfaces. In addition, firewall-related information
is displayed under the heading "Filter Log".
In this menu you can configure how the events "Cut" and "Alarm" are reset after they have occurred
(either manually by clicking on a button on the tab “State” or automatically after an elapsed time).
For more information please refer to Appendix C2 (Method 2).
By clicking on the buttons „Reset Cut signal“ and „Reset alarm signal“ you can manually reset the events
„Internal Cut“ and „Alarm“. The "External Cut" will automatically be reset if the 24 VDC at the 4-pin connector
is removed.
Note:
The Router has no battery-buffered, but a capacity-buffered system clock. If the Router is powered off for
more than 30 minutes, the date and time values will be reset to factory default settings (Date = date of
production e.g. 01/01/2012, Time 00:00).
Figure 19: Configuration General settings Date & time Tab „Configuration“
Setting of date, time and time zone. Alternatively, the date/time setting can be configured via using the
"Network Time Protocol" and accessing an external NTP server.
Save and apply: Sets the behaviour of the button "Activate" or „Save“ in the configuration
windows. If you choose the entry „Apply immediately and do not save“ then configuration changes will be
immediately activated but not saved. If you choose the entry „Save only and do not apply“ then the button
named „Apply“ in the configuration windows will be changed to a button named „Saved“. In this case all
changes will only be saved and not activated. Saved changes come into effect after a restart.
Adding or deleting of certificates for VPN applications (used for both IPsec and OpenVPN).
For how to use certificates (CA Root, Server, Client), please refer to Appendix B1 (Link to document
TechNote_Router_RemoteAccess_via_MeetingPoint_V1_??.pdf).
Configuration of the Router for online access to certificates which are stored on a centralized online
certificate server (SCEP Simple Certification Enrollment Protocol). When setting up certificate-based VPN
connections, the necessary certificates can be obtained directly from a SCEP server.
Select the possible access modes of the web interface (via http and / or https). For models of type
IE-SR-3GT-UMTS/3G additionally section „3G“ (as shown above) will be displayed to allow access to the
Web interface via 3G connection.
Registration of up to 3 DNS servers for name resolution. The Router acts as a DNS relay server.
Configuring standard port forwardings (IP address with port) and pure IP address forwardings. Additionally, for
each forwarding the feature SNAT (Source network address translation) can be activated to hide the original
source.
„IP address forwarding“ can be configured using an IP address and a wildcard port number (*) instead of a
fixed port number. With this feature it is possible to get access to an Ethernet device behind a masqueraded
interface only by IP address. In its behavior this feature is similar to a virtual mapping giving an Ethernet
device a second public IP address.
Configuration of the mapping (assignment) of IP address ranges between LAN and WAN port, and vice-
versa.
For more detailed information please refer to Appendix A2.
Creating groups with "speaking" names for ranges of IP addresses (Layer 3). A network group always
contains a range of IP addresses with specified subnet (eg 192.168.1.0/24). A network group can contain a
set of single IP addresses and complete IP address ranges. Network groups can be used instead of IP
address ranges when you create firewall filtering rules (See menu Configuration Packet filters Layer 3).
Creating groups with "speaking" names based on MAC addresses (layer 2). A hardware group can contain
any number of MAC addresses (for example, 00:15:7E:D9:09:00). Hardware groups can be used for better
readability than individual MAC addresses when you create firewall filtering rules (See menu Configuration
Packet filters Layer 2).
The OpenVPN menu allows you to create and establish virtual private network connections based on the
OpenVPN implementation. The Router can be configured both as OpenVPN client and OpenVPN server
either based on Layer 2 (Bridging) or on Layer 3 (Routing). A maximum of 10 OpenVPN connections (either
as client or as server) can be configured and started at the same time. Each VPN connection can be
configured individually at tabs VPN1…VPN10.
Note: OpenVPN connections can only be used with encryption based on certificates.
On each configured OpenVPN server connection theoretically any number of remote OpenVPN clients can
be connected (only limited by the hardware performance of the Router).
The IPsec menu allows you to create and establish virtual private network connections based on the standard
IPsec implementation. The Router can be configured both as IPsec client and IPsec server.
IPsec allows the encryption of the complete communication flow between the Router and a remote site on IP
level. IPsec provides encryption of subnets, which are located behind the respective VPN peers.
IPsec connections can be used with both PSK encryption (pre-shared key using user name and password)
as well as certificate based encryption.
Implemented IPsec features:
Key exchange: IKE (Internet Key Exchange) based on ISAKMP (Internet Security Association and Key
Management Protocol)
IKE-Phases: Main-Mode (Phase 1) and Quick-Mode (Phase 2)
Authentication: X.509-certificates or Pre-shared-key
DH groups: DH group 1 MODP 768, DH group 2 MODP 1024, DH group 5 MODP 1536
Data integrity: MD5 (128bit), SHA1 (160bit)
Encoding: DES (64bit), 3DES (192bit), AES (128bit), AES (192bit), AES (256bit)
Integrated hardware-based encoding
IPsec mode: ESP tunnel
Maximum number of IPsec connections: 64
NAT-Traversal: Yes
Dead-Peer-Detection: Yes
Note: By default the Router uses the parameters AES128, MD5, DH group 2 for Main-Mode and
AES128, SHA1 for Quick-Mode.
Authentication by „Aggressive-Mode“ is not supported for security reasons!
In operating mode "IP Router", the built-in DHCP server can be used for allocating IP addresses on both
LAN-side and WAN side. By default (factory settings) the DHCP server is switched off.
Note:
The range of the IP addresses – which will be allocated to connecting DHCP clients - must be in the same
range as the IP address of the Router interface (LAN or WAN).
Alternatively, the Router can be configured as a DHCP relay. DHCP requests from clients which require an
IP address are then forwarded to the "real" DHCP server.
This feature allows the Router - if connected to the Internet using dynamic IP address allocation - to be
accessed by a „speaking“ name via the public Dynamic DNS service of provider „DynDNS.org“.
Via this menu item the access protocol to the Web interface (http or https) can be configured.
Activation / deactivation of the SNMP protocol (Simple Network Management Protocol). Versions
v1/v2/v3 are supported. Router data can be requested using Standard MIB-II.
Note: Currently no SNMP-traps are implemented.
Activation / deactivation of the integrated ModbusTCP-Server. Allows external Ethernet controllers that
understand the ModbusTCP protocol to query Router states and control information. Using the ModbusTCP
protocol e.g. VPN connections (IPsec and OpenVPN) can be activated and deactivated. Additionally events
like „Cut“ or „Alarm“ can be monitored and reset (acknowledged).
Allows the monitoring (still alive?) of network devices via a cyclic query using the ICMP protocol (ping
request). As an action, if a monitored Ethernet device is no longer available, an „Alarm“ or a „Cut“ event can be
triggered. Additionally the connection to a mail server and a target mail address can be configured to send
the information about a lost connection of a monitored device by mail.
For more detailed information please refer to Appendix C2 (Method 3).
With this feature outgoing traffic on the WAN interface can be classified and prioritized. The prioritization
("traffic shaping") can be configured on both Layer 2 (based on MAC addresses) and at Layer 3 (IP
addresses and protocols).
Note:
This option is only available for Router model IE-SR-2G-UMTS/3G which is equipped with an integrated 3G modem.
With this menu item, the Router configuration can be stored or restored to/from the file system of the
connected computer. The exported configuration file is of extension type <name>.cf2 and encrypted.
Note: For creating a configuration backup file (.cf2) always the configuration currently stored in the Flash
memory will be used. Please save the configuration to Flash memory before creating a backup file.
The firmware update can be done via a FTP, TFTP or HTTP server or by a browser upload getting the
firmware file directly from the connected configuration PC.
The easiest way to update the Router with a new firmware is to use the function „Update by browser
upload“.
Additionally it can be determined whether the Router should be reset to factory default settings after the
firmware update. If not set then the Router will use current configuration after firmware update.
With this menu item the Router can be set to factory default settings.
Please note that a reset to factory values changes the IP addresses, so the connection
between the Router and the configuration PC can be lost.
This icon (disk symbol) starts flashing if the configuration has been changed
and activated but not saved. Clicking on the icon the web interface jumps
into this menu item (regardless the window which currently is displayed)
Figure 53: System Save Tab „System“ (Screenshot of Router with inserted SIM memory card)
Save the configuration into flash memory of the device. If a SIM memory card is inserted in the
memory card slot (SCM) at the rear side of the Router then additionally the device configuration
will be stored on the SIM memory card.
The status message indicates whether the current configuration is saved or not.
Application requirements:
There are 2 industrial Ethernet networks which shall be connected by the Router. Each network has its own IP address
range. Every Ethernet node in both networks shall have the possibility to communicate with each other.
No special firewall filter rules shall be configured.
[Network diagram: network 1 with Device A (192.168.10.100 / 255.255.255.0) and Device C (192.168.10.102 / 255.255.255.0) on a switch, GW 192.168.10.254; network 2 with Device E (192.168.20.100 / 255.255.255.0) and Device G (192.168.20.102 / 255.255.255.0) on a switch, GW 192.168.20.254; Configuration PC]
Starting situation
The Router is set with factory default values and can be accessed either using the LAN port by IP address 192.168.1.110
or using the WAN port by IP address 192.168.2.110.
1. Connect the configuration PC to the Router using the LAN Port (this port will be used in the example).
Note: Use autonegotiation on the Ethernet Interface of the PC
3. Start a web browser and login into the web Interface of Router (http://192.168.1.110)
User: admin
Password: Detmold
Figure A1-1: Login page of the Router (equivalent with menu Diagnostics System State)
Default gateway Can be left blank because there exists no further target network
Now the configured parameters will be activated (but not saved). After a few seconds the web interface displays the
new IP addresses as shown in Figure 3. Please keep in mind that you now have lost the Router connection due to
changing the IP address range of your connected LAN port.
Figure A1-3: Display of activated new IP addresses of LAN and WAN port
4. Change the IP address of the configuration PC according to the connected network 192.168.10.0 / 24
► To reconnect to the Router now set the IP address of the PC to the new values
IP address: 192.168.10.99
Subnet mask: 255.255.255.0
Standard-Gateway: 192.168.10.254
► Again login into the Web interface of the Router using a Web browser
Use IP address 192.168.10.254 (http://192.168.10.254) on LAN port
User: admin
Password: Detmold
Figure A1-5: Menu IP routing (Tab State) showing the new active routing table
► Click on button “Save settings” to save the current configuration to the non-volatile flash memory of the
Router. If a SIM memory card is installed the configuration will automatically be stored on the SIM memory card.
Additionally the configuration can be stored on the file system of the PC.
► Select menu System Backup settings
► Click on button “Download settings” to write the configuration file to the PC hard disk (Backup file has the default
extension “*.cf2”)
1. Run 3 Ping commands from a device of Ethernet network 1 (192.168.10.0/24) using below described
addresses (members of network 2)
ping 192.168.20.100
ping 192.168.20.101
ping 192.168.20.102
Result: All sent “pings” should be answered by the requested IP addresses correctly.
2. Run 3 Ping commands from a device of Ethernet network 2 (192.168.20.0/24) using below described
addresses (members of network 1)
ping 192.168.10.100
ping 192.168.10.101
ping 192.168.10.102
Result: All sent “pings” should be answered by the requested IP addresses correctly.
Note:
1. If you perform the ping test using PCs please check your firewall configuration to ensure that ping
requests and echoes are allowed.
2. Keep in mind that every device which will be used for ping testing needs an entry for the standard gateway
(IP address is pointing to the Router of the PC’s network).
Application requirements:
There are 2 industrial Ethernet networks which are connected by the Router. Each network has its own IP address
range. For security reasons the IP addresses of network 1 shall be hidden from devices of network 2. As an exception
2 devices (C and D) of network 1 should be accessible directly from devices of network 2.
No special firewall filter rules shall be configured.
Solution:
1. Activating “NAT masquerading” at the WAN port of the Router, which is connected to network 2. As a result the sender IP
addresses of any outgoing traffic at the WAN port, initiated by devices of network 1 connected to the LAN port, will be
translated to the IP address of the Router’s WAN port. From the perspective of the receivers the sender is always the Router
WAN port. The IP addresses of devices connected to the LAN port will be hidden and are not visible.
2. To get access to the devices C and D of the hidden network 1 the Router’s “IP address forwarding” feature can be
used, which assigns devices C and D an additional and unused IP address from the range of network 2. Effectively the
Router will have 3 IP addresses at the WAN port (physical WAN IP address and 2 virtual IP addresses). This feature acts
as a special kind of “port forwarding” using only IP addresses and omitting the ports.
Note: Generally “masquerading” only hides a sender IP address (e.g. outgoing from LAN to WAN) but does NOT
block the access to this LAN IP address from the WAN network. This explicitly has to be done by a firewall rule.
Solution:
[Figure: network diagram. Network 1: 192.168.10.0 / 24 (Class C), masqueraded (hidden) network, with Device A 192.168.10.100 / 255.255.255.0. Network 2: 192.168.20.0 / 24 (Class C), with Device E 192.168.20.100 / 255.255.255.0. Labels: 1. Activating NAT masquerading on WAN port; 2. Assigning not used IP addresses of network 2 as virtual IP addresses to devices of network 1 which shall be accessed directly; GW 192.168.10.254; No Standard gateway; Switch.]
Starting situation
The Router is set to factory default values and can be accessed either using the LAN port by IP address 192.168.1.110 or using the WAN port by IP address 192.168.2.110.
1. Connect the configuration PC to the Router using the LAN port (this port will be used in the example).
Note: Use autonegotiation on the Ethernet interface of the PC.
3. Start a Web browser and log in to the Web interface of the Router (http://192.168.1.110)
User: admin
Password: Detmold
Figure A2-1: Login page of the Router (equivalent to menu Diagnostics → System State)
Default gateway: Can be left blank because there exists no further target network
Now the configured parameters will be activated (but not saved). After a few seconds the web interface displays the
new IP addresses as shown in Figure A2-3.
Figure A2-3: Display of activated new IP addresses of LAN and WAN port
5. Change the IP address of the configuration PC according to the connected network 192.168.10.0 / 24
► To reconnect to the Router now set the IP address of the PC to the new values
IP address: 192.168.10.99
Subnet mask: 255.255.255.0
Standard-Gateway: 192.168.10.254
6. Log in again to the Web interface of the Router using a Web browser
Use IP address 192.168.10.254 (http://192.168.10.254) on LAN port
User: admin
Password: Detmold
► Now click button “Apply settings” to activate the “IP address forwarding table”
To test the NAT masquerading function you must use the tool Wireshark on the PC which receives the ping
request.
1. Run Wireshark on PC (connected to WAN port) with e.g. IP address 192.168.20.100
2. Start a new live capture session to display sent and received Ethernet packets
3. Run a “ping” request from a device of Ethernet network 1 (e.g. 192.168.10.100) with destination address
192.168.20.100
4. Stop the Wireshark live capture session when the packets have been received and displayed.
If you disable NAT masquerading at WAN port and repeat the test then the original sender address
192.168.10.100 will be shown.
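To make the Wireshark check above repeatable, the following added example (not part of the manual) parses a classic pcap capture taken on the WAN side and reports any source address from the hidden network 192.168.10.0/24. The two sample captures are constructed inline with zeroed checksums, and the Router WAN address 192.168.20.254 is an assumption.

```python
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
ETHERTYPE_IPV4 = b"\x08\x00"


def build_pcap(flows):
    """Build a constructed sample capture: one ICMP echo request per (src, dst)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for src, dst in flows:
        icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)      # type 8 = echo request
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
        frame = b"\x02" * 6 + b"\x04" * 6 + ETHERTYPE_IPV4 + ip + icmp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


def ipv4_flows(pcap):
    """Return (source, destination) for every untagged IPv4-over-Ethernet frame."""
    if len(pcap) < 24:
        raise ValueError("truncated pcap header")
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:                            # file written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", pcap, 20)[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    flows, offset = [], 24
    while offset + 16 <= len(pcap):
        incl_len = struct.unpack_from(endian + "I", pcap, offset + 8)[0]
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        # 14-byte Ethernet header, then IPv4 source at byte 12 of the IP header
        if len(frame) >= 34 and frame[12:14] == ETHERTYPE_IPV4:
            flows.append((ipaddress.ip_address(frame[26:30]),
                          ipaddress.ip_address(frame[30:34])))
    return flows


def leaked_sources(pcap, hidden_network):
    """Source addresses from the hidden LAN that are visible in the capture."""
    net = ipaddress.ip_network(hidden_network)
    return sorted({str(src) for src, _ in ipv4_flows(pcap) if src in net})


HIDDEN_NETWORK = "192.168.10.0/24"
# Constructed captures as seen by the PC 192.168.20.100 on the WAN side
CAPTURE_MASQ_ON = build_pcap([("192.168.20.254", "192.168.20.100")])
CAPTURE_MASQ_OFF = build_pcap([("192.168.10.100", "192.168.20.100")])

if __name__ == "__main__":
    for label, capture in (("masquerading on", CAPTURE_MASQ_ON),
                           ("masquerading off", CAPTURE_MASQ_OFF)):
        found = leaked_sources(capture, HIDDEN_NETWORK)
        print(label, "->", found or "no LAN source address visible")
```

An empty result only confirms that sender addresses are translated; as the note on masquerading states, it says nothing about whether LAN addresses can be reached from the WAN network.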
1. Run a “ping” request from a device of Ethernet network 2 (e.g. 192.168.20.100) with destination address
192.168.20.202 (Note: Real IP address is 192.168.10.102)
Result: The sent “ping” request should be answered correctly (displayed return address: 192.168.20.202)
2. Run a “ping” request from a device of Ethernet network 2 (e.g. 192.168.20.100) with destination address
192.168.20.203 (Note: Real IP address is 192.168.10.103)
Result: The sent “ping” request should be answered correctly (displayed return address: 192.168.20.203)
Note:
1. If you perform the ping test using PCs, please check your firewall configuration to ensure that ping requests and echoes are allowed.
Application requirements:
There are 2 industrial Ethernet networks which are connected by a Router. Each network has its own IP address range.
All Ethernet nodes in both networks shall have the possibility to communicate with each other except that devices B and
C of network 1 cannot be accessed by a ping request (ICMP protocol).
Solution:
Configure firewall rules to prohibit ping requests from devices of network 2 to devices B and C of network 1.
[Figure: network diagram. Device C 192.168.10.102 / 255.255.255.0, GW 192.168.10.254; Device G 192.168.20.102 / 255.255.255.0, GW 192.168.20.254; Switch; Configuration PC. Label: Ping prohibited to Device C.]
Starting situation
The Router is set to factory default values and can be accessed either using the LAN port by IP address 192.168.1.110
or using the WAN port by IP address 192.168.2.110.
1. Connect the configuration PC to the Router using the LAN port (this port will be used in the example).
Note: Use autonegotiation on the Ethernet interface of the PC.
3. Start a Web browser and log in to the Web interface of the Router (http://192.168.1.110)
User: admin
Password: Detmold
Figure A3-1: Login page of the Router (equivalent to menu Diagnostics → System State)
Default gateway: Can be left blank because there exists no further target network
Now the configured parameters will be activated (but not saved). After a few seconds the web interface displays the
new IP addresses as shown in Figure 3.
Please keep in mind that you now have lost the Router connection due to changing the IP address range of your
connected LAN port.
4. Change the IP address of the configuration PC according to the connected network 192.168.10.0 / 24
► To reconnect to the Router now set the IP address of the PC to the new values
IP address: 192.168.10.99
Subnet mask: 255.255.255.0
Standard-Gateway: 192.168.10.254
► Log in again to the Web interface of the Router using a Web browser
Figure A3-5: Menu Packet filter (Tab Layer 3) showing the factory default settings
► Click on the icon + (right side of line “Add a new rule set”) to create a new rule-set and follow the steps described below (Figure 5)
Figure A3-7: Define additional parameters of the new rule-set according to the described steps 5 to 7
Figure A3-9: Define additional parameters of the first rule according to the described steps 13 to 15
Figure A3-10: Define additional parameters of the first rule according to the described steps 16 to 22
Figure A3-13: Define additional parameters of the second rule according to the described steps 29 to 31
Figure A3-16: Setting optional date and time limitations of the rule-set
Run 3 Ping commands from a device of Ethernet network 2 (192.168.20.0/24) using the addresses described below (members of network 1)
Results:
1. A “Ping” sent to IP address 192.168.10.100 should be answered correctly by the requested IP address.
2. A “Ping” sent to IP addresses 192.168.10.101 and 192.168.10.102 should be answered as “Destination host unreachable”.
Note:
1. If you perform the ping test using a PC please check the PC’s firewall configuration to ensure that ping requests and echoes are allowed.
2. Keep in mind that every device used for ping testing needs an entry for the standard gateway (the IP address points to the Router of the PC’s network).
[Figure: network diagram. WAN-Port 10.1.1.254 / 255.255.0.0; configuration of Default-Gateway according to corporate network parameters (not necessary in this example). Production network 172.16.1.0 (Class B); Router 3 LAN-Port 172.16.1.254 / 255.255.0.0.]
Both Routers of machine network 1 and 2 have to be connected by WAN port to the production network 172.16.1.0. The IP addresses of the WAN ports will be set to
172.16.1.252 / 255.255.0.0 for Router 1 and
172.16.1.253 / 255.255.0.0 for Router 2
The LAN port of each Router is to be connected to its corresponding machine network. Because each machine network uses the same IP address range, the LAN port of each Router is to be configured with 2 IP addresses, one as a public and one as a private address.
“1:1 NAT” means that for each communication between devices of the LAN and WAN networks the public IP addresses of the LAN devices have to be used.
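Examples of IP address mapping (private / public) using 1:1 NAT at LAN port
Subnets of private and public network must be the same. The resulting public IP address of a device is the address known by devices of the WAN network.

Example 1
  Configured private IP address and subnet of Router's LAN port: 192.168.1.254 / 255.255.255.0
  Configured public IP address and subnet of Router's LAN port: 192.168.21.254 / 255.255.255.0
  IP address and subnet of a device connected to LAN port (used as private IP address) -> resulting public IP address and subnet of the device (1:1 NAT):
    192.168.1.100 / 255.255.255.0 -> 192.168.21.100 / 255.255.255.0
    192.168.1.101 / 255.255.255.0 -> 192.168.21.101 / 255.255.255.0

Example 2
  Configured private IP address and subnet of Router's LAN port: 172.16.1.1 / 255.255.255.0
  Configured public IP address and subnet of Router's LAN port: 192.168.100.1 / 255.255.255.0
  IP address and subnet of a device connected to LAN port (used as private IP address) -> resulting public IP address and subnet of the device (1:1 NAT):
    172.16.1.101 / 255.255.255.0 -> 192.168.100.101 / 255.255.255.0

Example 3
  Configured private IP address and subnet of Router's LAN port: 10.8.1.1 / 255.255.0.0
  Configured public IP address and subnet of Router's LAN port: 172.16.1.254 / 255.255.0.0
  IP address and subnet of a device connected to LAN port (used as private IP address) -> resulting public IP address and subnet of the device (1:1 NAT):
    10.8.1.10 / 255.255.0.0 -> 172.16.1.10 / 255.255.0.0
    10.8.2.10 / 255.255.0.0 -> 172.16.2.10 / 255.255.0.0

Note: In a class C network with subnet mask 255.255.255.0 only the last segment of an IP address is translated
Note: In a class B network with subnet mask 255.255.0.0 the last 2 segments of an IP address are translated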
How to configure Router 1 (Machine network 1), Router 2 (Machine network 2) and Router 3 (Production network)
General note:
The configuration of all Routers is very similar and is described below together for the Routers of both machine networks and the production network. Configuration parameters that differ between the Routers are marked individually.
The alternative method using dynamic routing is described at the end of this document in chapter A5.
Starting situation
All Routers have the factory default configuration and can be accessed either using the LAN port by IP address 192.168.1.110 or using the WAN port by IP address 192.168.2.110.
The machine network Routers 1 and 2 have to be configured with 1:1 NAT on the LAN port (with a private and a public IP address), which means setting new IP addresses on this port twice (private and public) during the configuration process. It is therefore more convenient to connect the configuration PC to the WAN port of the Routers. Then the IP address of the PC has to be changed only once, after setting the new WAN port IP address.
Figure A4-1: Login page of the Router (equivalent to menu Diagnostics → System State)
Now the configured parameters will be activated (but not saved). After a few seconds the web interface displays the
new IP addresses as shown in Figure 3. Please keep in mind that now the Router connection is lost due to changing the
IP address range of your connected WAN port.
Figure A4-3: Display of activated new IP addresses of LAN and WAN port
For re-connecting to Routers 1 and 2 choose e.g. IP address 172.16.1.100 and subnet mask 255.255.0.0. The input field “Standard-Gateway” can be left empty.
► Log in again to the web interface of the Router using a web browser
User: admin
Password: Detmold
[Screenshot of Router 1 showing new IP addresses]
► Select menu Configuration → IP configuration to verify that IP parameters are configured correctly
6. Configuring 1:1 NAT address translation (Do this only for Routers 1 and 2)
► Select menu Configuration → Network → 1:1 NAT
Note:
The private IP address 192.168.1.254 is now the new IP address of the Router from the perspective of devices connected at the LAN port. All devices connected to the LAN port have to be configured in the private IP range 192.168.1.0 with subnet mask 255.255.255.0.
The 1:1 NAT (address translation) works such that every address of the private Class C network is changed to the corresponding public address.
Exemplary result of IP address mapping of configured 1:1 NAT of Router 1:
Machine 1 of network 1 (IP 192.168.1.1) can be accessed by public IP 192.168.20.1 from production network
Machine 2 of network 1 (192.168.1.2) can be accessed by public IP 192.168.20.2 from production network
Machine N of network 1 (192.168.1.n) can be accessed by public IP 192.168.20.n from production network
Exemplary result of IP address mapping of configured 1:1 NAT of Router 2:
Machine 1 of network 1 (IP 192.168.1.1) can be accessed by public IP 192.168.21.1 from production network
Machine 2 of network 1 (192.168.1.2) can be accessed by public IP 192.168.21.2 from production network
Machine N of network 1 (192.168.1.n) can be accessed by public IP 192.168.21.n from production network
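The 1:1 NAT mapping rule described above (network part replaced, host part kept) as an added example that is not part of the manual or the Router firmware. The function names are hypothetical; the addresses are the ones from the mapping table and from the Router 1 / Router 2 results listed above.

```python
import ipaddress


def as_network(value):
    """Accept a network or an interface address such as 192.168.1.254/255.255.255.0."""
    return ipaddress.ip_network(value, strict=False)


def translate(address, from_net, to_net):
    """Replace the network part of `address` and keep its host part."""
    src, dst = as_network(from_net), as_network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("subnets of private and public network must be the same")
    addr = ipaddress.ip_address(address)
    if addr not in src:
        raise ValueError(f"{addr} is not part of {src}")
    host_part = int(addr) & int(src.hostmask)
    return str(ipaddress.ip_address(int(dst.network_address) | host_part))


def to_public(private_ip, private_net, public_net):
    """Direction LAN -> WAN: the address the WAN network sees for a LAN device."""
    return translate(private_ip, private_net, public_net)


def to_private(public_ip, private_net, public_net):
    """Direction WAN -> LAN: the real device address behind a public address."""
    return translate(public_ip, public_net, private_net)


# Both machine networks use the same private range; only the public range differs.
ROUTERS = {
    "Router 1": ("192.168.1.0/24", "192.168.20.0/24"),
    "Router 2": ("192.168.1.0/24", "192.168.21.0/24"),
}


def resolve(public_ip, routers=ROUTERS):
    """Return (Router name, private address) for a public address, or None."""
    addr = ipaddress.ip_address(public_ip)
    for name, (private_net, public_net) in routers.items():
        if addr in as_network(public_net):
            return name, to_private(public_ip, private_net, public_net)
    return None


if __name__ == "__main__":
    # Rows of the mapping table: class C (last segment) and class B (last 2 segments)
    print(to_public("192.168.1.100", "192.168.1.254/255.255.255.0",
                    "192.168.21.254/255.255.255.0"))
    print(to_public("10.8.2.10", "10.8.1.1/255.255.0.0", "172.16.1.254/255.255.0.0"))
    # The same private address in two machine networks stays distinguishable
    print(resolve("192.168.20.100"), resolve("192.168.21.100"))
```

Because the mapping covers the whole subnet, every private address on the LAN port has a public counterpart that is addressable from the production network.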
7. Configuring static routes (only for Router 3; skip if you test the “Simple scenario” with only 1 Router)
Next, 2 static routes have to be configured on Router 3 so that all Ethernet devices of machine networks 1 and 2 (behind the LAN port of Routers 1 and 2) can get access to each other.
Configure the entries described below in the area Add new static route of the menu:
► Click button “Add entry” to add the new static route to the routing table.
► Then click button “Apply settings” to activate the new settings.
Figure A4-9: Changed values of menu IP routing (Tab Configuration) displaying 2 new static routes
Figure A4-10: Menu IP routing (Tab State) showing the new active routing table
This symbol starts flashing if the configuration has been changed and activated but not saved. Clicking on the icon makes the web interface jump to this menu item (regardless of which window is currently displayed).
► Click on button “Save settings” to save the current configuration to the non-volatile flash memory of the
Router. If a SIM memory card is installed the configuration additionally will be stored on the SIM memory card.
Additionally the configuration can be stored on the file system of the PC.
► Select menu System → Backup settings
Figure A4-13: Menu System → Backup settings after saving the configuration
► Click on button “Download settings” to write the configuration file to the PC hard disk (the backup file has the default extension “*.cf2”)
1. Testing the accessibility between an Ethernet device of machine network 1 and an Ethernet device of production network (“Simple scenario” if you have only 1 Router for testing)
Note: You can use a PC for simulating an Ethernet device (machine) of network 1. Use a second PC to be a member of the production network.
Ensure that the PC simulating machine 1 of network 1 is configured using following parameters:
IP: 192.168.1.100, net mask: 255.255.255.0, Standard Gateway: 192.168.1.254
Ensure that the PC of production network is configured using following parameters:
IP: 172.16.1.20, net mask: 255.255.255.0, Standard Gateway: 172.16.1.252 (pointing to WAN port of
your Router)
1.1 Try to send a ping request from machine 1 (192.168.1.100) of network 1 to PC of production network (172.16.1.20).
Result: PC of production network should reply the “ping request” with original reply IP address 172.16.1.20.
1.2 Try to send a ping request from PC of production network (172.16.1.20) to machine 1 (192.168.1.100) of network 1 by using the public IP address 192.168.20.100.
Result: Machine 1 of network 2 should reply the “ping request” with reply IP address
192.168.20.100 (due to configured 1:1 NAT).
2. Testing the accessibility between Ethernet devices of machine networks 1 and 2 according to the described
application scenario (using 3 Routers)
Note: You can use PCs for simulating the Ethernet devices (machines) of networks 1 and 2.
Ensure that the Ethernet devices of both machine networks are configured using following parameters:
IP: 192.168.1.100, net mask: 255.255.255.0, Standard Gateway: 192.168.1.254
2.1 Try to send a ping request from machine 1 (192.168.1.100) of network 1 to machine 1 (same IP 192.168.1.100) of
network 2 by using the public IP address 192.168.21.100.
Result: Machine 1 of network 2 should reply the “ping request” with reply IP address
192.168.21.100 (due to configured 1:1 NAT).
2.2 Try to send a ping request from machine 1 (192.168.1.100) of network 2 to machine 1 (same IP 192.168.1.100) of
network 1 by using the public IP address 192.168.20.100.
Result: Machine 1 of network 2 should reply the “ping request” with reply IP address
192.168.20.100 (due to configured 1:1 NAT).
Note: If you perform the “ping” test please ensure that the firewall configuration of the PC is not blocking the test.
Instead of configuring static routes on Router 3 it is more convenient to use the “dynamic IP routing” feature to announce the routes of all Router network interfaces to each Router. For announcing the routing information the protocols RIP or OSPF can be used.
Note:
If dynamic routing is activated but e.g. only the industrial Routers of the machine networks and the production network should participate, this can be achieved by additionally assigning a password to the routing protocol in use (RIP or OSPF). The result is that only Routers with the same password exchange their routing tables. With this method you can prevent the routing tables of the industrial networks from also being announced in an upper-level corporate network.
In this example the protocol RIP (Routing Information Protocol) is set for dynamic IP routing. Alternatively you can choose the “newer” protocol OSPF (Open Shortest Path First). Both work properly.
Figure A5-1: Default values of menu IP routing (Tab Configuration); dynamic routing is disabled
Note:
You should always use the same value for “Type” on both ports (LAN and WAN). For example, if you leave Type=disabled on the LAN port and activate only the parameters Type=RIP and Active interface=set on the WAN port, then the Router will not announce (outgoing at the WAN port) the configured network connected to its LAN port.
The checkbox “Redistribute static routes” can be left blank because we don’t use static routes. With the log level you can choose how detailed the information about RIP shown in the menu Eventlog will be.
Result: All sent “pings” should be answered by the requested IP addresses correctly.
Note:
1. If you perform the ping test using PCs, please check your firewall configuration to ensure that ping requests and echoes are allowed.
2. Keep in mind that every device used for ping testing needs an entry for the standard gateway (the IP address points to the Router of the PC’s network).
Please download this technical note from the Weidmüller website using the following path:
1. Open http://www.weidmueller.com/IE
2. Select section „Industrial Ethernet“ → „Documents”
3. Scroll down to section „Technical Notes“
4. Download the file „TechNote-RemoteAccess_via_Router_and_MeetingPoint_V1_??.pdf“
Please download this technical note from the Weidmüller website using the following path:
1. Open http://www.weidmueller.com/IE
2. Select section „Industrial Ethernet“ → „Documents”
3. Scroll down to section „Technical Notes“
4. Download the file „TechNote-RemoteAccess_via_Router_as_OpenVPN_Server_V1_??.pdf“
This document is currently in preparation. Please check if this technical note is available from the
Weidmüller website using the following path:
1. Open http://www.weidmueller.com/IE
2. Select section „Industrial Ethernet“ → „Documents”
3. Scroll down to section „Technical Notes“
In this example a pre-defined OpenVPN client connection (at tab VPN1) will be configured to be started and
stopped by external 24 VDC input.
C1.5 If a connected OpenVPN tunnel shall be signaled by LED “VPN” and digital output connector “VPN active”, select tab “Configuration” of the OpenVPN menu, go to field “VPN LED / Output Controller” and select the desired VPN tunnel (the screenshot below shows the selected L3-VPN1 session).
C1.7 To activate the “not permanent” configured OpenVPN connection, supply 2 pins of the 4-pin connector named “VPN initiate / VPN active” with 24 VDC. If you disconnect the power then the VPN tunnel will be closed.
[Figure: connector wiring, external 24 VDC (+ / -)]
The Ethernet WAN port can be physically disabled using several methods:
Note: Disconnecting the WAN port by digital input overrules the software-based CUT events.
[Figure: connector wiring, external 24 VDC (+ / -)]
As an example below we create a Firewall-rule which will deactivate the WAN port if a device is sending a
ping request incoming into the WAN port and outgoing to a device connected at the LAN port.
Now the rule “LinkDownByPing” is created. We do not need any further rules.
C2.17 Click button “OK” because we do not set any time limits
Now the new rule-set Disconnect_WAN will be displayed in the Layer3-Filter-table. We need to move the new rule-set to the top-most position because the Packet filter (Firewall) checks the rules from top to bottom. Because the default filter rule “Allow_L3” always matches all traffic, the new rule-set would otherwise never be used.
Important:
Before testing the CUT function we have to determine how to re-activate a disconnected WAN port. This has
to be done in the menu Cut & Alarm.
By default a triggered CUT or Alarm event has to be re-set manually as shown below left. To re-set manually
triggered events change to tab State and click buttons “Reset cut signal” and/or “Reset alarm signal”
Alternatively the re-set of events can be configured automatically with a selectable time-delay.
The 2 screenshots below show a configured “automatic mode”
After configuring how the event is re-set and applying the settings (don’t forget), a test of the configured CUT firewall rule can be started.
C2.24 Connect a second PC at LAN-Port of the Router to check what happens when the CUT-event is
triggered.
As a result the WAN port should be disabled immediately. In automatic mode you have to wait for the delay time until the WAN port is re-activated. In manual mode go to the Router’s Web interface with the PC connected to the LAN port, select menu Cut & Alarm, change to tab “State” and click buttons “Reset cut signal” and/or “Reset alarm signal”.
Note: Please keep in mind that “pinging” the IP address of the Router’s LAN port from the WAN network will not trigger the configured Firewall rule. The Layer-3 Firewall only works for data packets which have to be transmitted from the Router’s inbound to its outbound interface to an external device.
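The top-to-bottom evaluation and the forwarded-traffic-only behaviour described above, as an added example that is not part of the manual. It is a simplified model, not the Router's firmware: each rule-set is reduced to one match, the action name "accept" and the packet fields are assumptions, and only the names Allow_L3, Disconnect_WAN and CUT come from the text.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    protocol: str                 # e.g. "icmp-echo-request"
    in_port: str                  # "WAN" or "LAN"
    out_port: Optional[str]       # None: addressed to the Router itself, not forwarded


@dataclass(frozen=True)
class RuleSet:
    name: str
    action: str                       # "accept" (assumed name) or "CUT"
    protocol: Optional[str] = None    # None matches anything
    in_port: Optional[str] = None
    out_port: Optional[str] = None

    def matches(self, pkt):
        wanted = (self.protocol, self.in_port, self.out_port)
        actual = (pkt.protocol, pkt.in_port, pkt.out_port)
        return all(w is None or w == a for w, a in zip(wanted, actual))

    def matches_everything(self):
        return self.protocol is None and self.in_port is None and self.out_port is None


def evaluate(table, pkt):
    """Return (action, rule-set name) of the first rule-set that matches."""
    if pkt.out_port is None:
        return ("not-filtered", None)   # the Layer 3 filter sees forwarded packets only
    for rule_set in table:
        if rule_set.matches(pkt):
            return (rule_set.action, rule_set.name)
    return ("no-match", None)


def unreachable_rule_sets(table):
    """Names of rule-sets placed below one that already matches all traffic."""
    shadowed, covered = [], False
    for rule_set in table:
        if covered:
            shadowed.append(rule_set.name)
        covered = covered or rule_set.matches_everything()
    return shadowed


ALLOW_L3 = RuleSet("Allow_L3", "accept")
DISCONNECT_WAN = RuleSet("Disconnect_WAN", "CUT", "icmp-echo-request", "WAN", "LAN")
PING_TO_LAN_DEVICE = Packet("icmp-echo-request", "WAN", "LAN")
PING_TO_ROUTER = Packet("icmp-echo-request", "WAN", None)

if __name__ == "__main__":
    as_created = [ALLOW_L3, DISCONNECT_WAN]     # new rule-set appended at the bottom
    moved_to_top = [DISCONNECT_WAN, ALLOW_L3]
    print(evaluate(as_created, PING_TO_LAN_DEVICE), unreachable_rule_sets(as_created))
    print(evaluate(moved_to_top, PING_TO_LAN_DEVICE), unreachable_rule_sets(moved_to_top))
    print(evaluate(moved_to_top, PING_TO_ROUTER))
```

Running the unreachable-rule check against an exported rule order is a quick way to spot a protective rule-set that was added but never moved above Allow_L3.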
As an example (as shown in the screenshot below) we create an entry to monitor a device with the IP address 192.168.10.11.
C3.2 Enter the parameters to monitor a device into the line of section “Add a new entry”
Note: If you select the action “CUT” it only makes sense to monitor devices at the LAN port because the WAN port will be disabled in case of a lost connection.
Note: The behaviour of re-setting a triggered event (CUT or Alarm) depends on the configuration of the menu Configuration → Cut & Alarm.
Additionally, if the parameter “Enable automatic client monitoring recovery acknowledgment” is activated then the Router will automatically re-activate the WAN port if the monitored device (at LAN port) is accessible again (because the Router is still checking every 50 seconds by ping request).
The function “Remote Capture” can be used to record the traffic at the Router’s LAN or WAN port using a remotely connected PC running Wireshark. The PC is located somewhere in the network and must be able to access one of the IP addresses of the Router.
Step-by-step guidance
C3.1 Activate the “Remote capture” feature of the Router as shown below (Menu Diagnostics → Remote Capture)
Note: Only one Wireshark client PC (here 172.16.1.10) can be used at the same time to record the traffic by Wireshark. Please deactivate this feature if you no longer need to analyze the traffic because it has an impact on the performance of the Router.
C3.3 Click “Interface list” or alternatively select in the menu “Capture” → “Interfaces”
C3.5 Click button “Manage Interfaces” and change to tab “Remote Interfaces”
Note: You can enter either the IP address of the LAN or the WAN port. The important fact is that the Router’s IP address is accessible by the Wireshark PC.
C3.8 Enter into field “Port” the value 2002 (will be filled automatically if you enter an IP address)
The “remote capture interfaces” will be displayed in the list of selectable interfaces.
C3.13 Clear the checkbox “Do not capture own RPCAP traffic”
C3.15 Again click button “OK” to close the window “Edit Interface Settings”
C3.17 Click button “Start” to record the traffic at the Router’s WAN port
[Figure: network diagram showing PC, Switch and Internet]
IP LAN-Port: 192.168.1.110 / 255.255.255.0
Default gateway: can be left blank for 3G Internet access
Note: If the 3G connection is online then the default gateway is automatically set to the 3G provider. As long as the Router is connected to the Internet a manually configured default gateway will not be used.
Starting situation
▪ A SIM card of your local Internet provider is inserted in the Router (slot labeled 3G at the rear side of the Router).
▪ The Router is set to factory default configuration and connected to the PC via the Router’s LAN port (IP address 192.168.1.110).
C4.2 Change the IP address of the PC to one out of the range 192.168.1.0
Figure C2: Login page of the Router (equivalent to menu Diagnostics → System State)
► Configure the 3G connection according to the data provided by the Internet provider (normally PIN and APN)
Note: In many cases you don’t need to fill values into the fields „username“ and „password“. If your provider does not use „username“ and „password“ please leave them blank.
You don’t have to configure a default gateway because the default gateway is automatically set to the 3G provider if the 3G connection is online. As long as the Router is connected to the Internet (Status = online) a manually configured default gateway will not be used.
Now the Router tries to connect to the Internet. Please wait some seconds.
The event log displays the result of initiating the 3G Internet connection.
Important note:
If the Router is connected to the Internet then the Web interface displays IP addresses (Local IP and Remote IP) which have been assigned dynamically by the Internet provider. If you use standard SIM cards (with Internet flatrate) like those typically used in smart phones then none of these displayed IP addresses can be used to access the Router from the Internet (e.g. by ping). The reason is that mobile Internet providers by default use NAT (Network address translation) between their own “mobile” Internet and the “public” Internet. The result is that the assigned IP addresses are internal provider IPs and not visible/accessible from the “public” Internet.
Conclusion: Only outgoing Internet connections are allowed from the Router if you use standard SIM cards (like those typically used in smart phones).
If the 3G Router needs to be accessed from the Internet (e.g. being a VPN server) then you have to use a SIM card which is explicitly assigned a static and publicly accessible IP address by the provider (e.g. m2m SIM cards for machine-to-machine communication). Please clarify with your local mobile providers what they offer regarding data SIM cards with a static and publicly accessible IP address.
Figure C5: Screenshot of status of 3G connection
If the Router is successfully connected to the Internet (online) you can now try to open any Internet Web page from the connected PC.