7. Settings

Information provided in this chapter is identical with the content of the Helps for the individual menus, which will be gradually added on all screens.

7.1. Interfaces

7.1.1. Ethernet

RipEX2 provides 5 physical Ethernet ports ETH1, ETH2, ETH3, ETH4 and ETH5. First 4 ETH ports are metallic, the 5th port is a SFP port. There is a possibility to define an Ethernet bridge – a logical Network interface – by bridging (joining) together multiple physical Ethernet interfaces. All interfaces bridged together share the same traffic.

The Network interface (technically – an Ethernet bridge) is identified by a name. The name always begins with a “LAN-” prefix. Multiple Network interfaces can be defined. Multiple physical Ethernet interfaces can be bridged together by using a single Network interface.

When the unit is operating in Bridge mode – the default Network interface bridges together not only the physical Ethernet ports, but also the Radio interface. All the Ethernet traffic received by those Ethernet ports is transferred to the Radio interface and transmitted over the Radio channel, and vice versa.

When unit is operating in Router mode – the Radio channel transmits only the traffic, which is destined to the Radio interface by Routing rules.

The radio unit default setting bridges all Ethernet ports together. New Network interfaces can be defined to split the ethernet traffic of the individual ports. Any single Ethernet port can be detached from an existing Network interface and added to another Network interface.

Single or multiple Ethernet subnets can be defined within one Network interface. Each subnet is identified by its IP address & mask. Use the optional Note field to keep your network configuration in a human readable manner.

Enable / Disable: enables / disables specific Ethernet subnet

IP address: IP address&mask of the specific Ethernet subnet (in CIDR notation). IP address represents the Network interface in the Layer 3 Ethernet network.

Note: Ethernet subnet description (optional). On a smaller screen (e.g. a smartphone), only this Note is displayed by default; all parameters are available after expanding the item.

Note

VLAN (IEEE 802.1Q) settings are accessible via ADVANCED menu only in current FW version.

7.1.2. Radio

Radio interface behavior is heavily affected by a Radio protocol. There are several protocols available:

  • Transparent – This protocol is very simple; no channel access mechanism takes place. Suitable for star topology with maximum one repeater along the packet path. Available in Bridge mode.

  • Base driven – TCP/IP optimized protocol having deterministic channel access mechanism. Suitable for star topology with maximum one repeater along the packet path. Available in Router mode.

Radio channel parameters (such as frequency, output power etc.) are common for all protocols. They are described later in this chapter.

 

A. Transparent protocol (Bridge mode)

Bridge mode with fully transparent Radio protocol is suitable for all polling (request-response) applications with star network topologies, however repeater(s) are possible.

A packet received through any interface (bridged with the radio interface) is broadcasted to the appropriate interfaces of all units within the network.

Any unit can be configured as a repeater. A repeater relays all packets it receives through the radio channel. The network implements safety mechanisms which prevent cyclic loops in the radio channel (e.g. when a repeater receives a packet from another repeater) or duplicate packets delivered to the user interface (e.g. when RipEX2 receives a packet directly and then from a repeater).

Transparent protocol does not resolve collisions on the Radio channel. There is a CRC check of data integrity, however, i.e. once a message is delivered, it is 100% error free.

 

  • Radio protocol
    List box {Transparent, Base driven}, default Transparent

  • Communication mode
    List box {Half Duplex, Full Duplex}, default Half Duplex
    Full duplex mode is intended to be used mainly for Point-to-Point communication. Full duplex operation is not possible in networks with repeaters.

  • Unit is repeater
    List box {On, Off}, default Off
    Each RipEX2 may work simultaneously as a Repeater (Relay) in addition to the standard Bridge operation mode.

    If “On”, every frame received from Radio channel is transmitted to the respective user interface (ETH, COM) and to the Radio channel again.

    The Bridge functionality is not affected, i.e. only frames whose recipients belong to the local LAN are transmitted from the ETH interface.

    It is possible to use more than one Repeater within a network. To eliminate the risk of creating a loop, the “Number of repeaters” has to be set in all units in the network, including the Repeater units themselves.

    Warning: Should Repeater mode be enabled, “Modulation rate” and “FEC” must be set to the same value throughout the whole network to prevent frame collisions from occurring.

  • No of repeaters
    Default = 0
    If there is a repeater (or more of them) in the network, the total number of repeaters within the network MUST be set in all units in the network, including the Repeater units themselves. After transmitting to or receiving from the Radio channel, further transmission (from this RipEX2) is blocked for a period calculated to prevent collision with a frame transmitted by a Repeater. Furthermore, a copy of every frame transmitted to or received from the Radio channel is stored (for a period). Whenever a duplicate of a stored frame is received, it is discarded to avoid possible looping. These measures are not taken when the parameter “Number of repeaters” is zero, i.e. in a network without repeaters.

  • Tx delay [B]
    This parameter should be used when all substations (RTU) reply to a broadcast query from the master station. In such a case massive collisions would ensue because all substations (RTU) would reply at nearly the same time. To prevent such collisions, TX delay should be set individually in each slave RipEX2. The length of the responding frame, the length of the Radio protocol overhead and the modulation rate have to be taken into account.

B. Base driven protocol (Router mode)

Router mode with Base driven protocol (BDP) is suitable for a star network topology with up to 256 Remotes under one Base station. Each Remote can work as a Repeater for one or more additional Remotes. This protocol is optimized for TCP/IP traffic and/or ‘hidden’ Remotes in report-by-exception networks, where a Remote cannot be heard by other Remotes and/or different Rx and Tx frequencies are used.

All traffic over the Radio channel is managed by the Base station. Radio channel access is granted by a deterministic algorithm resulting in collision free operation regardless of the network load. Uniform distribution of Radio channel capacity among all Remotes creates stable response times with minimum jitter in the network.

Frame acknowledgement, retransmissions and CRC check guarantee data delivery and integrity even under harsh interference conditions on the Radio channel.

Note

There is no need to set any routes in Routing table(s) for Remote stations located behind a Repeater. Forwarding of frames from the Base station over the Repeater in either direction is serviced transparently by the Base driven protocol.

Note

When Remote to Remote communication is required, the respective routes via the Base station have to be set in the Routing tables in the Remotes.

a.   Radio protocol – Base station

  • Station type
    List box {Base, Remote}, default Base
    Base – Only one Base station should be present within one radio coverage when Base driven protocol is used.

b.   Base station – List of Remote stations

  • BDP address (from), BDP address (to)

    Protocol address [0 to 255] is the unique address assigned to each Remote and is only used by Base driven protocol. It is set in the Remote unit in its Radio protocol settings. The default and recommended setting assigns the Protocol address to be equal to the Radio IP last byte (Protocol address mode in the Remote unit is set to Automatic then). If a specific address is required, fill both windows with the same number. If an interval is required, fill both windows with the needed numbers.

  • Modulation type

    List box {2CPFSK, 4CPFSK, DPSK, pi/4DQPSK, D8PSK, 16DEQAM, 64QAM, 256QAM}, default 2CPFSK

  • FEC

    List box {Off, 2/3, 3/4, 5/6}, default Off

  • ACK

    List box {On, Off}, default On

  • Retries

    Set value is used in one direction from Base to Remote (Remote to Base direction is configured in Remote unit in its Radio protocol settings). If the Remote station is behind Repeater, set value is used for both radio hops: Base station – Repeater and Repeater – Remote.

  • CTS Retries

    Default = 3 [0=Off, 15=Max]

    Based on a sophisticated internal algorithm, the Base station sends a CTS (Clear To Send) packet which allows the Remote station to transmit. If the Remote station is connected directly to the Base station (not behind a Repeater), and the Base station doesn’t receive a frame from the Remote station, the Base station repeats the permission to transmit.

  • Connection

    List box {Direct, Direct & Repeater, Behind repeater}, default Direct

c.   Radio protocol – Remote station

  • Automatic address mode

    List box {On, Off}, default On

  • BDP address

  • ACK

    List box {On, Off}, default On

C. Radio channel parameters

  • TX frequency

    Transmitting frequency in Hz. Step 5 kHz (for 25 kHz channel spacing) or 6.25 kHz (for 12.5 or 6.25 kHz channel spacing).

    The value entered must be within the frequency tuning range of the product as follows:

    RipEX2-1A: 135-175 MHz

    RipEX2-3A: 285-335 MHz

    RipEX2-3B: 335-400 MHz

    RipEX2-4A: 400-470 MHz

    RipEX2-4B: 450–520 MHz

  • RX frequency

    Receiving frequency, the same format and rules apply as for TX frequency.

  • Antenna configuration

    List box {Single (Tx/Rx); Dual (Rx; Tx/Rx)}, default Dual (Rx; Tx/Rx)

    See chapter 1.2.1. Antenna for details

  • RF power PEP

    Setting of RF power in dBm (PEP). For the maximum power for individual modulations and the relationship between PEP and RMS, see the section called “B. Base driven protocol (Router mode)” of this manual.

  • Channel spacing [kHz]

    List box {possible values}, default = 25 kHz

  • Occupied bandwidth limit [kHz]

    List box {possible values}, default = 25 kHz

    Occupied bandwidth is limited by granted radio channel. The standards supported by using individual OBW limits are in Section 9.1, “Detailed Radio parameters ” of this manual.

  • Modulation type

    List box {FSK, QAM}, default = FSK

    • FSK

      Suitable for difficult conditions – longer radio hops, non-line of sight, noise / interferences on Radio channel…

      Note

      FSK belongs to the continuous-phase frequency-shift keying family of non-linear modulations. Compared to QAM (linear modulations), FSK is characterized by narrower bandwidth, a lower symbol rate and higher sensitivity. As a result, the system gain is higher, power efficiency is higher, but spectral efficiency is lower.

    • QAM

      Suitable for normal conditions offering higher data throughput.

      Note

      QAM belongs to the phase shift keying family of linear modulations. Compared to FSK (non-linear modulations), QAM is characterized by wider bandwidth. The spectral efficiency is higher, power efficiency is lower and system gain is typically lower.

  • Modulation

    • FSK modulations:

      List box {2CPFSK, 4CPFSK}, default 2CPFSK

    • QAM modulations:

      List box {DPSK, pi/4DQPSK, D8PSK, 16DEQAM, 64QAM, 256QAM}, default DPSK

  • FEC

    List box {2/3, 3/4, 5/6, Off}, default = Off

    FEC (Forward Error Correction) is a very effective method to minimize radio channel impairments. Basically, the sender inserts some redundant data into its messages. This redundancy allows the receiver to detect and correct errors; a Trellis code with a Viterbi soft-decoder is used. The improvement comes at the expense of the bitrate. The lower the FEC ratio, the better the capability of error correction and the lower the bitrate. Bitrate = Modulation rate × FEC ratio.

7.1.3. COM

Data incoming to the RipEX2 unit from the COM port are received by the Protocol module. The Protocol module behavior depends on the Protocol selected. In case of Transparent protocol (available in Bridge mode only), the data are transparently transmitted to the RipEX2 network and sent out through all COM ports with Transparent protocol selected. If any other protocol is selected, the incoming frame from the COM port is processed by the Protocol module, translated into a UDP frame, forwarded to the RipEX2 router module and further processed according to the router rules. Such UDP frames received by the RipEX2 unit from the RipEX2 network (based on the unit IP address and the UDP port of the Protocol module) are translated back into the original frame format (by the Protocol module) and sent out through the COM port.

When expansion board “C” is installed, two additional COM ports (RS232) are available. Their settings are similar to the COM1 port.

The menu is divided into two parts:

A. COM port parameters

The settings of Baud rate, Data bits, Parity and Stop bits of the COM port must match the settings of the connected device.

  • Type

    List box {possible values}, default = RS232

    COM port can be configured to either RS232 or RS485.

  • Baud rate [b/s]

    List box {standard series of rates from 300 to 1152000 b/s}, default = 19200.

    Serial ports use two-level (binary) signaling, so the data rate in bits per second is equal to the symbol rate in bauds.

  • Data bits

    List box {8, 7}, default = 8

    The number of data bits in each character.

  • Parity

    List box: {None, Odd, Even}, default = None

    Wikipedia: Parity is a method of detecting errors in transmission. When parity is used with a serial port, an extra data bit is sent with each data character, arranged so that the number of 1-bits in each character, including the parity bit, is always odd or always even. If a byte is received with the wrong number of 1-bits, then it must have been corrupted. However, an even number of errors can pass the parity check.

  • Stop bits

    List box: {possible values}, default = 1

    Wikipedia: Stop bits send at the end of every character allow the receiving signal hardware to detect the end of a character and to resynchronize with the character stream.

  • Idle [ms]

    Default = 5 Number {10 – 16383}, default = 15

    This parameter defines the maximum gap (in milliseconds) in the received data stream. If the gap exceeds the value set, the link is considered idle, the received frame is closed and forwarded to the network.

  • MRU [B]

    Number {1 – 2047}, default = 1500

    MRU (Maximum Reception Unit) — an incoming frame is closed at this size even if the stream of bytes continues. Consequently, a permanent data stream coming to a COM results in a sequence of MRU-sized frames sent over the network.

    Note

    1. Very long frames (>800 B) require good signal conditions on the Radio channel and the probability of a collision increases rapidly with the length of the frames. Hence if your application can work with smaller MTU, it is recommended to use values in the 200 – 400 bytes range.

    Note

    2. This MRU and the MTU in Radio settings are independent, however MTU should be greater than or equal to MRU.

  • Flow control

    List box: {None, RTS/CTS}, default = None

    RTS/CTS (Request To Send / Clear To Send) hardware flow control (handshake) between the DTE (Data Terminal Equipment) and RipEX2 (DCE – Data Communications Equipment) can be enabled in order to pause and resume the transmission of data. If RX buffer of RipEX2 is full, the CTS goes down.

    Note

    RTS/CTS Flow control requires a 5-wire connection to the COM port.

B. Common Protocol parameters

Each SCADA protocol used on serial interface is more or less unique. The COM port protocol module performs conversion to standard UDP datagrams to travel across RipEX2 Radio network.

  • Protocol

    List box: {None, Transparent, Async Link, DNP3, DF1, IEC101, RDS, UNI}, default = None

    Transparent protocol can be used when unit operates in Bridge mode only. All the traffic is bridged transparently to RipEX2 network.

  • Broadcast

    List box: {On, Off}, default = On

    Some Master SCADA units send broadcast messages to all Slave units. The SCADA application typically uses a specific address for such messages. RipEX2 (Protocol module) converts such a message to a customized IP broadcast and broadcasts it to all RipEX2 units, i.e. to all SCADA units within the network.

  • Broadcast address

    Number {0 – 65535}, default = 255

    The protocol address which is treated as broadcast address.

  • Address translation

    List box: {Mask, Table}, default = Mask

    The SCADA protocol address is translated to the IP address using either the Mask (common rule for all addresses) or the Table (specific rule per address) type of conversion.

    • Mask

      Note

      − All IP addresses used have to be within the same subnet, which is defined by this Mask.

      − The same UDP port is used for all the SCADA units, which results in the following limitations:

        − SCADA devices on all sites have to be connected to the same interface.

        − Only one SCADA device can be connected to one COM port, even if the RS485 interface is used.

    • Base IP / Mask

      A part of Base IP address defined by this Mask is replaced by ‘Protocol address’. The SCADA protocol address is typically 1 byte long, so Mask 24 (255.255.255.0) is most frequently used.

    • Destination UDP port

      List box {Manual, COM1 .. COM3, TS1 .. TS5}, default COM1

      The same UDP port will be used for all destinations. This UDP port is used as the destination UDP port of the UDP datagram in which the serial SCADA packet received from COM is encapsulated. Default UDP ports for COM or Terminal servers can be used, or the UDP port can be set manually. If the destination IP address belongs to a RipEX2 and the UDP port is not assigned to a COM, to a Terminal server or to any other special SW module running in the destination RipEX2, the packet is discarded.

    • Table

      The Address translation is defined in a table. There are no limitations such as when the “Mask” translation is used. If there are more SCADA units connected via the RS485 interface, their multiple “Protocol addresses” are translated to the same IP address and UDP port pair.

      Note

      You may add a note to each address with your comments (UTF8 is supported) for your convenience.

    • Protocol address (from)

      This is the address which is used by SCADA protocol.

      The typical Protocol address length is 1 Byte. Some protocols, e.g. DNP3 are using 2 Bytes long addresses.

    • Protocol address (to)

      Several consecutive SCADA addresses can be translated using one rule.

    • IP address (base)

      IP address to which Protocol address will be translated. This IP address is used as destination IP address in UDP datagram into which serial SCADA packet received from COM is encapsulated. When several addresses are used, this will be the first IP address, the following one will have +1 etc.

    • Destination (UDP port)

      {MANUAL, COM1 .. COM3, TS1 .. TS5}, default COM1

      This is UDP port number which is used as destination UDP port into UDP datagram in which the serial SCADA message, received from COM, is encapsulated. Different Destination UDP ports can be used in different rules.
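The Mask and Table translations described above, written out as an added example (not RipEX2 firmware code); the rule classes, the subnet directed broadcast chosen for the Broadcast address in Mask mode, explicit UDP port numbers and all sample addresses are assumptions made for this illustration:

```python
"""Worked example of the 'Address translation' step: the COM port protocol
module turns a SCADA protocol address into the destination IP address and
UDP port of the UDP datagram that carries the serial frame.

Added illustration, not RipEX2 firmware code.  The rule classes, the use of
the subnet directed broadcast for the Broadcast address in Mask mode, and all
sample values are assumptions; UDP ports are given as explicit ('Manual')
numbers because the defaults of COM1..COM3 and TS1..TS5 are not listed here.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Sequence, Tuple

Destination = Tuple[IPv4Address, int]  # (destination IP, destination UDP port)


@dataclass(frozen=True)
class MaskRule:
    """'Mask' translation: the part of Base IP outside the Mask (the host part)
    is replaced by the protocol address; one UDP port serves every destination."""
    base_ip: str                # Base IP, e.g. "192.168.1.0"
    mask: int                   # prefix length, e.g. 24 for 255.255.255.0
    udp_port: int               # the single destination UDP port ('Manual' value)
    broadcast: bool = True      # the common 'Broadcast' parameter
    broadcast_addr: int = 255   # the common 'Broadcast address' parameter

    def translate(self, proto_addr: int) -> Destination:
        net = IPv4Network(f"{self.base_ip}/{self.mask}", strict=False)
        if self.broadcast and proto_addr == self.broadcast_addr:
            # Assumption: the "customized IP broadcast" is the directed
            # broadcast of the subnet defined by Base IP / Mask.
            return net.broadcast_address, self.udp_port
        host_bits = 32 - self.mask
        if not 0 <= proto_addr < (1 << host_bits):
            # The Mask-mode limitation: every translated address must fall
            # inside the one subnet defined by the Mask (e.g. a 2-byte DNP3
            # address cannot be carried by a /24).
            raise ValueError(
                f"protocol address {proto_addr} does not fit the /{self.mask} host part")
        return IPv4Address(int(net.network_address) | proto_addr), self.udp_port


@dataclass(frozen=True)
class TableRule:
    """One row of the 'Table' translation: protocol addresses from..to map to
    IP address (base), base + 1, base + 2 ... with a per-row UDP port."""
    proto_from: int
    proto_to: int
    ip_base: str
    udp_port: int

    def translate(self, proto_addr: int) -> Optional[Destination]:
        if not self.proto_from <= proto_addr <= self.proto_to:
            return None
        return IPv4Address(self.ip_base) + (proto_addr - self.proto_from), self.udp_port


def translate_table(rules: Sequence[TableRule], proto_addr: int) -> Optional[Destination]:
    """First matching row wins; None means no row covers the address, so no
    datagram can be built for the frame."""
    for rule in rules:
        hit = rule.translate(proto_addr)
        if hit is not None:
            return hit
    return None


# Constructed sample configuration: a 1-byte protocol with Mask 24, a 2-byte
# (DNP3-style) address space with Mask 16, and a small translation table.
MASK_1B = MaskRule(base_ip="192.168.1.0", mask=24, udp_port=8882)
MASK_2B = MaskRule(base_ip="10.10.0.0", mask=16, udp_port=8882, broadcast=False)
TABLE = [
    TableRule(proto_from=1, proto_to=10, ip_base="10.0.0.100", udp_port=8882),
    TableRule(proto_from=200, proto_to=200, ip_base="10.0.5.1", udp_port=8883),
]

if __name__ == "__main__":
    print("Mask /24, address 37  ->", MASK_1B.translate(37))
    print("Mask /24, address 255 ->", MASK_1B.translate(255))
    print("Mask /16, address 0x0102 ->", MASK_2B.translate(0x0102))
    for addr in (4, 200, 50):
        print(f"Table, address {addr:3d} ->", translate_table(TABLE, addr))
```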

C. Individual protocol parameters

  • None

    The None protocol switches the COM port off. All incoming data will be thrown away; no data will be sent to the COM interface.

  • Transparent protocol

    Operates in Bridge mode only. All the traffic is bridged transparently to RipEX2 network (see Section 5.1.1, “Detailed Description” for details).

  • Async link

    Async link creates an asynchronous link between two COM ports on different RipEX2 units. Frames received from the COM port or from a Terminal server are sent without any processing transparently to the Radio channel, to the set Destination IP and UDP port. Frames received from the Radio channel are sent to COM or Terminal server according to the Destination (UDP port) parameter.

    • Destination IP

      This is IP address of destination RipEX2, either ETH or Radio interface.

    • Transmit as broadcasts

      List box: {On, Off}, default Off

      Allows sending of the packets incoming from the COM port as broadcasts.

    • Accept broadcasts

      List box: {On, Off}, default Off

      On: Broadcast packets from the radio channel will be sent to the COM port.

      Off: Only unicast packets will be sent to the COM port.

  • DNP3

    Each frame in the DNP3 protocol contains the source and destination addresses in its header, so there is no difference between Master and Slave in terms of the RipEX2 configuration. The DNP3 allows both Master-Slave polling as well as spontaneous communication from the remote units.

    The common parameters (e.g. address translation) shall be set.

    • Broadcast

      List box: {On, Off}, default = On

      Note

      There is not an option to set the Broadcast address, since DNP3 broadcast messages always have addresses in the range 0xFFFD – 0xFFFF. Hence when Broadcast is On, packets with these destinations are handled as broadcasts.

  • DF1

    Each frame in the Allen-Bradley DF1 protocol contains the source and destination addresses in its header, so there is no difference between Master and Slave in the Full duplex mode in terms of RipEX2 configuration.

    • Connected service mode

      List box {Master, Slave}, default=Slave

      SCADA application follows Master-Slave scheme, where the structure of the message is different for Master and Slave SCADA units. Because of that it is necessary to set which type of SCADA unit is connected to the RipEX2.

      Note

      For connected SCADA Master set Master, for connected SCADA Slave set Slave.

    • Block control mode

      List box: {BCC, CRC}, default = BCC

      According to the DF1 specification, either BCC or CRC for Block control mode (data integrity) can be used.

      Note

      According to the DF1 specification, packets for the destination address 0xFF are considered broadcasts. Hence when Broadcast is On, packets with this destination are handled as broadcasts.

  • IEC101

    • ComProt_IECMode

      List box: {Primary, Secondary, Combined}, default = Primary

    • ComProt_IECAddrMode

      List box: {8bit, 16bit, 8bit w/o ctrl byte, 8bit swpctrl byte, No addr}, default = 8bit

    • Broadcast

      List box: {On, Off}, default = On

  • RDS
    RDS protocol is a protocol used in MRxx networks. It supports network communication; any node in the network can talk to any other (unlike Master-Slave type of protocols). The RDS protocol should only be used when combining RipEX and MRxx networks or SCADA networks adapted to MRxx networks. Frames are received from the Radio channel and sent to COM1-3 or Terminal server 1-5 according to UDP port settings and vice versa – from wire to radio channel.

    • ACK
      List box: {On, Off}, default = On

      Frame acknowledgement when transmitted over wire (COM or Ethernet) interface. ACK (0x06) frames are transmitted on successful reception and NAK (0x15) on unsuccessful frame reception.

    • ACK timeout [ms]
      Number {0 – 16383}, default = 1000

      When “ACK” is enabled, RipEX waits for “ACK timeout [ms]” after transmitting a frame to receive the acknowledgement. If the ACK frame isn’t received, the frame is re-transmitted. Frame re-transmission happens up to “Repeats” number of times.

    • Repeats
      Number {0 – 31}, default = 3

      Number of frame re-transmissions.

    • Reverse mode (will be available in a future FW release)
      List box: {On, Off}, default = On

      If a frame is going to be transmitted over a wire channel, source and destination addresses in the frame must be reversed.

    • Reverse address (Hex)
      HEX number {0x00 – 0xFF}, default = 00

      When Reverse mode is enabled, the frame destination address is overwritten by the Reverse address. It takes place after the frame reception from the wire channel before it is transmitted to the air channel. This only happens if the Reverse mode is enabled.

  • UNI
    UNI is the ‘Universal’ protocol utility designed for RipEX. It is supposed to be used when the required application protocol is not available in RipEX and the network communication is using addressed mode (which is a typical scenario). The key prerequisite is: messages generated by the Master application device must always contain the respective Slave address and the address position, relative to the beginning of the message (packet, frame), is always the same (Address position). Generally, two communication modes are typical for UNI protocol: In the first one, communication is always initiated by the Master and only one response to a request is supported; in the second mode, Master-Master communication or combination of UNI protocol with ASYNC LINK protocol and spontaneous packets generation on remote sites are possible.

    The UNI protocol is fully transparent, i.e. all messages are transported and delivered without any modifications.

    • Mode of Connected device
      Listbox: {Master, Slave}, default = Master

      Mode of Connected device: MASTER

      – Address mode
      List box: {Binary (1B), ASCII (2B), Binary (2B LSB first), Binary (2B MSB first)}, default = Binary (1B)

      Protocol address format and length (in Bytes). The ASCII 2-Byte format is read as a 2-character hexadecimal representation of a one-byte value, e.g. the ASCII characters AB are read as the value 0xAB hex (10101011 binary, 171 decimal) (the ASCII 2-Byte format function will be available in a future FW release).

      – Address position
      Number {1 – 255}, default = 1

      Specify the sequence number of the byte, where the Protocol address starts. Note that the first byte in the packet has the sequence number 1, not 0.

      – Poll response control
      List box: {On, Off}, default = On

      “On” – The Master accepts only one response per a request and it must come from the specific remote to which the request has been sent. All other packets are discarded. This applies to the Master – Slave communication scheme.

      Note

      It may happen, that a response from a slave (No.1) is delivered after the respective timeout expired and the Master generates the request for the next slave (No.2) in the meantime. In such case the delayed response from No.1 would have been considered as the response from No.2. When Poll response control is On, the delayed response from the slave No.1 is discarded and the Master stays ready for the response from No.2.

      “Off” – The Master does not check packets incoming from the RF channel – all packets are passed to the application, including broadcasts. That allows e.g. spontaneous packets to be generated at remote sites. This mode is suitable for Master-Master communication scheme or a combination of the UNI and ASYNC LINK protocols.

      Mode of Connected device: SLAVE

      – Accept broadcasts
      List box: {On, Off}, default On

      On: Broadcast packets received at the radio channel are forwarded to the COM port.

      Off: Broadcast packets (received at the radio channel) are discarded. Unicast packets are forwarded to the COM port.
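The address extraction and Poll response control described above, as an added example that is not RipEX2 firmware code; it assumes that a Slave response carries the Slave address at the same Address position as the request, and every frame in it is a constructed sample:

```python
"""Added illustration of the UNI protocol parameters (example code, not
RipEX2 firmware): reading the Slave protocol address from a frame according
to 'Address mode' and 'Address position', and the 'Poll response control'
filter on the Master side.

Assumption: a Slave response carries the Slave address at the same position
as the request.  All frames below are constructed samples.
"""
from typing import List, Optional

ADDRESS_MODES = ("Binary (1B)", "ASCII (2B)",
                 "Binary (2B LSB first)", "Binary (2B MSB first)")


def extract_address(frame: bytes, mode: str, position: int) -> int:
    """Return the protocol address carried by `frame`.

    `position` is the 1-based sequence number of the first address byte, as
    in the manual (the first byte of the packet is 1, not 0)."""
    if mode not in ADDRESS_MODES:
        raise ValueError(f"unknown Address mode {mode!r}")
    if position < 1:
        raise ValueError("Address position starts at 1")
    start = position - 1
    width = 1 if mode == "Binary (1B)" else 2
    field = frame[start:start + width]
    if len(field) != width:
        raise ValueError("frame too short to contain the address field")
    if mode == "Binary (1B)":
        return field[0]
    if mode == "ASCII (2B)":
        # Two ASCII hex characters stand for one byte: b"AB" -> 0xAB (171).
        return int(field.decode("ascii"), 16)
    if mode == "Binary (2B LSB first)":
        return int.from_bytes(field, "little")
    return int.from_bytes(field, "big")   # Binary (2B MSB first)


class UniMaster:
    """Master-side 'Poll response control' state for one COM port."""

    def __init__(self, mode: str = "Binary (1B)", position: int = 1,
                 poll_response_control: bool = True) -> None:
        self.mode = mode
        self.position = position
        self.poll_response_control = poll_response_control
        self.expected: Optional[int] = None   # Slave polled by the last request

    def request_from_application(self, frame: bytes) -> int:
        """A request arrives from the Master application on the COM port;
        remember which Slave it addresses and return that address."""
        self.expected = extract_address(frame, self.mode, self.position)
        return self.expected

    def application_timeout(self) -> None:
        """The application gave up waiting; a late answer is now unsolicited."""
        self.expected = None

    def frame_from_radio(self, frame: bytes) -> bool:
        """Decide whether a frame received from the RF channel is passed to
        the application (True) or discarded (False)."""
        if not self.poll_response_control:
            return True         # Off: everything is passed, including broadcasts
        if self.expected is None:
            return False        # nothing outstanding: unsolicited, discard
        if extract_address(frame, self.mode, self.position) != self.expected:
            return False        # answer from a different Slave, e.g. a late one
        self.expected = None    # On: exactly one response per request
        return True


def late_response_scenario() -> List[bool]:
    """Replay the situation from the Note above: the answer of Slave 1 arrives
    late, after the Master has already polled Slave 2."""
    master = UniMaster()
    master.request_from_application(bytes([0x01, 0x03, 0x00, 0x0A]))   # poll Slave 1
    master.application_timeout()                                        # no answer in time
    master.request_from_application(bytes([0x02, 0x03, 0x00, 0x0A]))   # poll Slave 2
    return [
        master.frame_from_radio(bytes([0x01, 0x03, 0x02, 0x00])),   # late Slave 1: dropped
        master.frame_from_radio(bytes([0x02, 0x03, 0x02, 0x00])),   # Slave 2: passed
        master.frame_from_radio(bytes([0x02, 0x03, 0x02, 0x00])),   # second copy: dropped
    ]


if __name__ == "__main__":
    print("late response scenario (pass flags):", late_response_scenario())
    print("ASCII (2B) address in b'\\x10AB\\x00' at position 2:",
          hex(extract_address(b"\x10AB\x00", "ASCII (2B)", 2)))
```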

7.1.4. Terminal servers

Generally, a Terminal Server (also referred to as a Serial Server) enables connection of devices with serial interface to a RipEX2 over the local area network (LAN). It is a virtual substitute for devices used as serial-to-TCP(UDP) converters.

In some special cases, the Terminal server can be also used for reducing the network load from applications using TCP. A TCP session can be terminated locally at the Terminal server in RipEX2, user data extracted from TCP messages and processed like it comes from a COM port. When data reaches the destination RipEX2, it can be transferred to the RTU either via a serial interface or via TCP (UDP), using the Terminal server again.

Up to 5 independent Terminal servers can be set up. Each one can be either TCP or UDP Type. TCP Inactivity is the timeout in seconds for which the TCP socket in RipEX2 is kept active after the last data reception or transmission. The IP address of the RipEX2 ETH interface is used as the source IP address of a Terminal server (the Local preferred source address if it exists, see chap. 7.2.1); Source (my) port can be set as required. Destination (peer) IP and Destination (peer) port values belong to the locally connected application (e.g. a virtual serial interface). In some cases, applications dynamically change the IP port with each datagram. In such a case set Destination port=0. RipEX2 will then send replies to the port from which the last response was received. This feature allows extending the number of simultaneously opened TCP connections between a RipEX2 and the locally connected application to any value up to 10 on each Terminal server. Protocol follows the same principles as a protocol on the COM interface.

Note

Max. user data length in a single datagram processed by the Terminal server is 8192 bytes.

7.1.5. Cellular

RipEX2 optionally provides cellular WWAN interface using embedded cellular module. Two SIM cards are available, only one can be active at a time.

APN must always be set up, all other parameters can keep their default values.

  • Enable / Disable: enables / disables the cellular WWAN connection. When disabled, the module power is off.

  • SIM

    List box {SIM1; SIM2}, default = SIM1

    Active SIM card selection.

  • Preferred service

    List box {2G (GSM) first; 2G (GSM) only; 3G (UMTS) first; 3G (UMTS) only; 2G/3G (GSM/UMTS) only; 4G (LTE) first; 4G (LTE) only; 3G/4G (UMTS/LTE) only}, default = “4G (LTE) first”

    Sets preferences and/or permission of the individual cellular network services.

  • Header compression

    List box {On; Off}, default = Off

    Enables / disables the user data traffic IP headers compression. Not used with 4G service.

  • Data compression

    List box {On; Off}, default = Off

    Enables / disables the user data traffic data compression. Not used with 4G service.

  • MTU [B]

    Number {70 – 1500}, default = 1500

    Outgoing packets MTU.

  • Masquerade

    List box {On; Off}, default = On

    Enables / disables SNAT (MASQUERADE) for the packets outgoing to the WWAN interface.

    When on, the source address of packets outgoing via the cellular WWAN interface will be changed to the address assigned to this interface. Returning packets will be correctly routed to this interface.

  • Management enabled

    Enables / disables access into the unit’s management via the cellular WWAN interface.

SIM1 and SIM2 tabs contain the same settings for SIM1 and SIM2 respectively.

  • PIN protection

    List box {On; Off}, default=Off

    Enables / disables the SIM module PIN protection. It has to be switched on if the PIN is required. The parameter is ignored if the SIM does not require a PIN.

  • PIN code

    String {0000 – 9999}, default = “0000”

    The PIN is used only when PIN protection is On and the module requires the PIN

  • Network selection

    List box {Automatic; Prefer manual; Lock to manual; Lock to home}, default = Automatic

    Defines the network selection preferences:

    • Automatic – the network is selected automatically.

    • Prefer manual – the network according to the Location area identity (LAI) is preferred. Another network will be selected when the preferred network is not available.

    • Lock to manual – only the network according to the LAI can be used.

    • Lock to home – only the home network can be used (if the SIM supports PLMN reading).

  • Location area identity (LAI)

    String {00000 – 999999}, default = “00000”

    The Public Land Mobile Network (PLMN) identification number of the cellular network.

  • Access point name (APN)

    String {up to 99 char}, default = <empty>

    The APN for the access into the cellular network.

  • Authentication

    List box {None; PAP (legacy); CHAP}, default = None

    • None – no authentication is used for the APN access.

    • PAP (legacy) – PAP (Password Authentication Protocol) authentication. We do not recommend using this option because of security issues (the option is provided to offer legacy systems compatibility). Username and Password are required.

    • CHAP – CHAP (Challenge-Handshake Authentication Protocol) authentication. Username and Password are required.

    Note

    Routing Mode “WWAN (AUX)” is added to the Static routing rules definition. When this mode is selected, the routing Gateway parameter is ignored. The packet is forwarded to the Cellular (WWAN) interface instead.

    Routing rules are added / removed automatically when the Cellular (WWAN) interface is opened / closed.

7.2. Routing

RipEX router supports both static and dynamic IP routing.

Static routing is based on fixed – static – definition of routing tables. Dynamic routing is based on automatic creating and updating of routing tables. Various methods and protocols are used for this purpose. OSPF and BGP standard routing protocols are available in RipEX networks.

7.2.1. Static

RipEX2 works as a standard IP router with multiple independent interfaces: Radio interface, Network interfaces (bridging physical Ethernet interfaces), COM ports, Terminal servers, optional Cellular interface etc. Each of the interfaces has its own IP addresses and Masks. All IP packets are processed according to the Routing table.

An unlimited number of subnets can be defined on the Network interface. They are routed independently.

The COM ports are treated in the standard way as router devices: messages can be delivered to them as UDP datagrams to selected UDP port numbers. The destination IP address of a COM port is either the IP of a Network interface (bridging Ethernet interfaces) or the IP of the Radio interface. The source IP address of outgoing packets from COM ports equals the IP address of the interface (either Radio or Network interface) through which the packet has been sent. The source address can also be assigned the Local preferred source address value – see the description below. The outgoing interface is determined in the Routing table according to the destination IP.

The IP addressing scheme can be chosen arbitrarily; the only restriction is that 127.0.0.0/8, 192.0.2.233/30 and 192.0.2.228/30 must not be used. Further addresses from the 192.0.2.0/24 subnet (RFC 5737) may also be reserved for internal usage in the future.

  • Active {On / Off}

    Switches the rule on / off

  • Destination IP / mask

    Each IP packet received by RipEX2 through any interface (Radio, ETH, COM, …) has a destination IP address. RipEX2 (router) forwards the received packet either directly to the destination IP address or to the respective Gateway, according to the Routing table. Any Gateway has to be within the network defined by the IP and Mask of one of the interfaces, otherwise the packet is discarded.

    Each item in the routing table defines a Gateway (the route, the next hop) for the network (group of addresses) defined by Destination IP and Mask. When no Gateway for the respective destination IP address is found in the Routing table, the packet is forwarded to the Default gateway; when the Default gateway (0.0.0.0/0) is not defined either, the packet is discarded.

    The network (Destination and Mask) is written in CIDR format, e.g. 10.11.12.13/24.

    Note

    Networks defined by IP and Mask for Radio and other interfaces must not overlap.

  • Mode {Static}

    Used for static IP routing rules. If the next hop on the specific route is over the radio channel, the Radio IP is used as a Gateway. If Base driven protocol is used and the destination Remote is behind a Repeater, the destination Remote Radio IP is used as a Gateway (not the Repeater address).

  • Name: You may add a name to each route with your comments up to 16 characters (UTF8 is supported) for your convenience.

  • Menu ADVANCED / Routing / Static allows an additional parameter to be set:

    Local preferred source address: (Routing_LocalUseSrcAddr) Local IP address used as a source address for packets originating in the local RipEX2 unit being routed by this routing rule. It might be for example packets originating from the COM port or from the Terminal Server. If the address is set to 0.0.0.0 it is not considered active. The IP address has to belong to some of the following interfaces: Radio interface, Network interfaces.

7.2.2. OSPF

Open Shortest Path First (OSPF) is a routing protocol for Internet Protocol (IP) networks. It uses a link state routing (LSR) algorithm and falls into the group of interior gateway protocols (IGPs), operating within a single autonomous system (AS). OSPF Version 2 defined in RFC 2328 (1998) for IPv4 is implemented in the RipEX router. OSPF provides Layer 2 dynamic routing. In the context of RipEX networks it is typically used for the backhaul network routing.

DESCRIPTION

OSPF splits the network into “areas” to simplify the network topology. There is a primary “backbone” (0.0.0.0) area and the other areas are connected to this backbone area via border routers.

The route decision process is affected by the path “metric”. There are two types of metrics:

  • Metric Type 1 – path length; the pass-over costs of the individual interfaces are added.

  • Metric Type 2 – is set on the rules which are exported to OSPF from outside. Rules having metric ‘Type 2’ are always treated as worse (i.e. a longer path) compared to metric ‘Type 1’.

Routers in a specific area are always connected via interfaces.

  • An address range can be defined for an interface on which OSPF is working. Multiple address ranges can be defined (each behaving as another interface).

  • Router to router interconnection can be protected by encryption with a password.

  • Specific “Cost” is defined for each interface which is added to metric ‘Type 1.’

  • There are multiple types of interfaces:

    • Stub – the interface only announces its presence and its address ranges to OSPF, to be propagated further into the network.

    • Broadcast – to be used in a network where all the participants always hear each other (Ethernet). A Designated Router (DR) and a Backup DR (BDR) are set up between the neighbors. They are responsible for the update propagation (broadcast).

    • NBMA (Non-Broadcast Multiple Access) – to be used in a network where only specific participants can communicate with each other; all the participants hear each other but multicast is not available. DR and BDR are set up.

    • Point2Point – network having only two participants. They discover each other using multicast.

    • Point2Multipoint – network where only predefined pairs of participants can hear each other (e.g. star topology); multicast is not available.

  • Static rules can be defined. Such routing rules are propagated into the network from this router.

  • It is possible to define exported routing rules aggregation or specific routing rule hiding.

  • It is possible to control the routing rules which are imported into the RipEX unit from the OSPF protocol and those that are exported into the OSPF protocol from the unit by using ‘filters’.

    • Export filters – to control rules exported from the unit to the OSPF protocol which is propagating them further.

    • Import filters – to control rules imported from the OSPF into the unit.

Common – Common settings

  • Active
    List box {On; Off}, default Off
    Enables the dynamic routing and the OSPF protocol.

  • Router ID
    IP address, default = 0.0.0.0
    RipEX unit acts in the OSPF network as a dynamic router. Every router is identified by an ID having the format of IP address. This IP address does not have to be ‘real’.
    Router ID is shared with the BGP protocol.

  • Instance ID
    Default 0, [0-255]
    OSPF protocol instance number. This number is needed in case of running multiple OSPF protocols (for example on the border of 2 independent OSPF networks).

Network – Areas and interfaces – Areas

OSPF areas RipEX unit belongs to are described here. Maximum number of areas is 32.

  • Active
    List box {On; Off}, default Off
    Enables / disables the area.

  • Area ID
    {IP address}, default 0.0.0.0
    OSPF area identifier. The ID has a format of an IP address. This IP address does not have to be ‘real’. The ‘Router ID’ value is used typically. The default value of 0.0.0.0 is called ‘backbone’ and it has to be present somewhere in the OSPF network.

  • Stub area
    List box {On; Off}, default Off
    Defines if the area is of a ‘stub’ type – which means, the traffic is not routed through such an area. Every traffic is originated or terminated in the ‘stub’ area.

  • Stub default GW
    List box {On; Off}, default On
    If ‘On’ – only the default GW is routed into the ‘stub’ area. If ‘Off’ – individual routes route the traffic into the area. It may be effective to disable this parameter when multiple border routers are present.

  • Note
    Informational note. It is a good practice to enter some descriptive area name since this value is displayed (when filled) instead of the Area ID as an Area name in other configuration dialogs (e.g. Networks configuration).

Network – Areas and interfaces – Interfaces

OSPF interfaces of the respective OSPF area are defined here. Maximum number of interfaces is 128.

  • Active
    List box {On; Off}, default Off
    Enables / disables the interface.

  • Interface
    String {a-zA-Z0-9_.-}, max 16 chars, default = <empty>
    OSPF interface name. The name of an existing unit interface has to be used. The following interfaces can be used:

    • LAN – “if_” prefix must be used followed by Network interface name, e.g. “if_LAN-141”

    • VLAN – “if_” prefix must be used followed by Network interface name, ‘.’ dot and VLAN number, e.g. “if_LAN-141.29”

    • Radio – “radio”

    • Hot standby – “hstdby”

    • GRE L3 – “gre_tunX” where ‘X’ is the tunnel number, starting from zero

    • Cellular – “aux”

  • Network IP / Network mask
    IP address and mask of the address range above which the OSPF protocol will be working on this interface. The default value is 0.0.0.0/0, which means the whole address range on this interface is available for the OSPF protocol.

  • Network type
    Type of the OSPF interface. The available interface types (Stub, Broadcast, NBMA, Point2Point, Point2Multipoint) are described in the DESCRIPTION section above.

  • Cost
    Default 10, [1-65535]
    The cost of traffic over this interface. The higher the Cost, the worse the path. It is added to OSPF metric ‘Type 1’.

  • Hello interval
    Default 10, [1-3600]
    Interval (in seconds) of sending Hello packets. The interval must be the same for the all participants of the given interface.

  • Poll interval
    Default 20, [1-3600]
    Interval (in seconds) of sending Hello packets to inactive neighbors on the NBMA type of interface.

  • Retransmit interval
    Default 5, [1-3600]
    Interval (in seconds) of repeating unacknowledged packets.

  • Dead count
    Default 4, [2-64]
    Number of lost Hello packets from the neighbor to treat the connection as interrupted.

  • TTL security
    List box {On; Off}, default On
    Protection against OSPF packets spoofing.

  • Authentication, Password
    List box {None; Keyed MD5 (OSPFv2); HMAC SHA256; HMAC SHA384; HMAC SHA512}, default “None”

    Selection of a method to authenticate the OSPF messages. Password is used as a secret key for the selected hash function. Maximum length of the password is 128 characters.

  • Priority
    Default 1, [0-255]
    Priority is used to select primary or backup router responsible for the routing updates propagation. The higher the number, the higher the priority. ‘0’ states the router cannot be used as a primary or backup router.

  • Use broadcast
    List box {On; Off}, default Off
    Defines if OSPF packets distribution is provided using multicasts (default behavior) or broadcasts (nonstandard behavior).

  • Note
    Informational note. It is possible to enter some descriptive OSPF interface name. This value is used (when filled) instead of the original Interface identification as an Interface name in other configuration dialogs (e.g. Neighbors configuration).

Network – Areas and interfaces – Neighbors

Network neighbors of Point2Multipoint and NBMA types of OSPF interfaces are defined here. Maximum number of neighbors is 512.

  • Active
    List box {On; Off}, default Off
    Enables / disables the neighbor.

  • Interface
    List box {list of existing OSPF interfaces}
    OSPF interface the neighbor belongs to. The interface – Note value is used when defined. The interface – Interface value is used otherwise.

  • IP
    IP address of the neighbor.

  • Note
    Informational note

Network – Areas and interfaces – Networks

The Networks table modifies networks announced out of the area. It enables partial networks aggregation into the common prefixes or specific network hiding. Maximum number of rules is 256.

  • Active
    List box {On; Off}, default Off
    Enables / disables the rule.

  • Area
    List box {list of existing OSPF areas}
    OSPF area the record belongs to.

  • IP / mask
    IP address and mask of the range (i.e. network) which will be aggregated or hidden.

  • Action
    List box {Aggregate; Hide}, default “Aggregate”

    • Aggregate – small network prefixes will be exported from this area aggregated into this range (defined by IP / mask)

    • Hide – this network prefix will be hidden and will not be exported

    Example:
    Area 0.0.0.1 exports two subnets: 192.168.1.0/24 and 192.168.2.0/24. Area border router between Area 0.0.0.1 and 0.0.0.0 defines a rule for network aggregation: 192.168.0.0/16. As a result of this, the area border router announces to the area 0.0.0.0 only one route 192.168.0.0/16 instead of the two individual routes.

  • Note
    Informational note
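As an added illustration of the Networks table (not the unit's code), the Python model below applies Aggregate and Hide rows to the prefixes an area exports and returns what the area border router announces. It reproduces the manual's example (192.168.1.0/24 and 192.168.2.0/24 aggregated into 192.168.0.0/16) and adds a constructed Hide rule. The assumption that the first active matching row for the area decides is mine, not something the page states.

```python
"""Added illustration of OSPF Networks-table processing (Aggregate / Hide).
Not the unit's code; assumes the first active rule of the area whose range
covers a prefix decides what happens to it."""
import ipaddress


def announce_out_of_area(area, exported, rules):
    """exported: prefixes (CIDR strings) the area exports.
    rules: Networks-table rows {area, ip_mask, action, active}.
    Returns the prefixes the border router announces, in first-seen order."""
    announced = []
    for p in exported:
        prefix = ipaddress.ip_network(p)
        result = p
        for rule in rules:
            if not rule.get("active", True) or rule["area"] != area:
                continue
            rng = ipaddress.ip_network(rule["ip_mask"])
            if prefix.subnet_of(rng):
                # Aggregate: export the covering range instead of the prefix.
                # Hide: the prefix is not exported at all.
                result = None if rule["action"] == "Hide" else str(rng)
                break
        if result is not None and result not in announced:
            announced.append(result)
    return announced


# The manual's example (two /24s aggregated into 192.168.0.0/16) plus a
# constructed Hide rule and a prefix no rule touches.
RULES = [
    {"area": "0.0.0.1", "ip_mask": "192.168.0.0/16", "action": "Aggregate", "active": True},
    {"area": "0.0.0.1", "ip_mask": "10.0.0.0/8", "action": "Hide", "active": True},
]
EXPORTED = ["192.168.1.0/24", "192.168.2.0/24", "10.5.0.0/24", "172.16.3.0/24"]

if __name__ == "__main__":
    print(announce_out_of_area("0.0.0.1", EXPORTED, RULES))
    # ['192.168.0.0/16', '172.16.3.0/24']
```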

Static rules

Pre-defined static routing rules to be exported over the OSPF protocol. Maximum number of rules is 256.

  • Active
    List box {On; Off}, default Off
    Enables / disables the static routing rule.

  • Destination IP / Destination mask
    IP address, default = 0.0.0.0/0
    IP address and mask defining the exported routing rule address range.

  • Metric type
    List box {Type 1; Type 2}, default = “Type 1”
    Metric type of the routing rule. Metric Type 1 is added to the path cost. Metric Type 2 stays apart and, compared to metric Type 1, is always treated as bigger.

  • Metric
    Default 1000, [1-65535]
    Routing rule metric value.

  • OSPF tag
    Default 0, [0 – 2^32-1]
    OSPF tag is added to a rule at the moment of its insertion to the network. The tag travels through the OSPF without any modification so it can be used to distinguish the rule in the filters.

  • Note
    Informational note.
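The comparison between metric Type 1 and Type 2 routes, described in the DESCRIPTION section and in the Metric type parameter above, is shown in the added Python example below. It is not the unit's code; the ranking follows the OSPF external route rules of RFC 2328, which the manual's description matches, and the candidate routes are constructed values.

```python
"""Added illustration of OSPF metric Type 1 / Type 2 route preference.
Not the unit's code; the comparison follows RFC 2328 external route rules,
which the manual's description of the two metric types matches."""


def route_rank(metric_type, metric, path_cost):
    """Sort key for an external route (a lower key is a better route).
    Type 1: the rule's metric and the internal path cost are added.
    Type 2: ranks after every Type 1 route; the rule's metric is compared
    first and the internal path cost only breaks ties."""
    if metric_type == 1:
        return (0, metric + path_cost, 0)
    if metric_type == 2:
        return (1, metric, path_cost)
    raise ValueError("metric_type must be 1 or 2")


def best_route(candidates):
    """candidates: dicts {via, type, metric, path_cost} for one destination.
    Returns the 'via' of the preferred candidate."""
    return min(candidates,
               key=lambda c: route_rank(c["type"], c["metric"], c["path_cost"]))["via"]


# Constructed candidates for one destination learned through two routers.
CANDIDATES = [
    # Type 1 with the manual's default metric 1000 plus 30 of interface cost.
    {"via": "router-A", "type": 1, "metric": 1000, "path_cost": 30},
    # Type 2 with a far smaller metric still loses to any Type 1 route.
    {"via": "router-B", "type": 2, "metric": 5, "path_cost": 10},
]

if __name__ == "__main__":
    print(best_route(CANDIDATES))  # router-A
```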

Import filter

OSPF import filter rules. The order of rules matters. Each incoming routing rule is processed by those Import filters. Maximum number of filter rules is 256.

  • Active
    List box {On; Off}, default Off
    Enables / disables the filter rule.

  • Filter network
    List box {Off; Match; Not match}, default Off
    Method of the routing rule target range comparison.

  • Network IP / Network mask
    IP address and mask defining the network range to be compared.

  • Mask from
    Number {0 – 32}, default = 0

  • Mask to
    Number {0 – 32}, default = 32
    Definition of the enabled range of the mask length of the processed routing rule.

    Examples:

    • Rule 0.0.0.0/0{0,32} captures all IP ranges

    • Rule 192.168.1.0/24{24,32} captures 192.168.1.0/24 and all subnets (for example 192.168.1.1/32)

    • Rule 10.9.8.7/32{8,32} captures all ranges having the mask longer than 8 covering the address 10.9.8.7 (e.g. 10.9.0.0/16)

  • Filter source
    List box {Off; Match; Not match}, default Off
    Method of the OSPF routing rule source comparison.

  • Source
    List box {Internal; Inter-area; External type 1; External type 2}, default = “External type 1”

    Source types comments:

    • Internal – internally generated rule, for example interface range

    • Inter-area – rule generated on the area border

  • Filter OSPF tag
    List box {Off; Match; Not match}, default = “Off”
    Method of the OSPF routing rule OSPF tag comparison

  • OSPF tag
    Default 0, [0 – 2^32-1]
    OSPF tag to be compared.

  • Action
    List box {Accept; Reject; Pass}, default = “Accept”
    Type of action to be performed when the filter criteria above match the incoming routing rule.

  • Set preference
    List box {On; Off}, default = “Off”
    When enabled, the Preference (see next parameter) will be set to this rule.

  • Preference
    Default 200, [0-65535]
    Routing rule preference in the routing table (to be used when Set preference is enabled). The higher the number the better the preference.

  • Local preferred source address
    IP address, default = 0.0.0.0
    Preferred source IP address for the locally generated packets. When disabled (default value 0.0.0.0 is used), the source IP address is set according to the outgoing interface.

  • Note
    Informational note
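The added Python example below (not the unit's code) models how an ordered OSPF Import filter processes an incoming route: the Filter network test with Mask from / Mask to, the Filter source and Filter OSPF tag criteria, the Accept / Reject / Pass actions and Set preference. The semantics of the network test are inferred from the three examples given above: a route matches when its mask length lies within [Mask from, Mask to] and its first min(rule length, route length) address bits equal the rule's address, which is what makes 10.9.8.7/32{8,32} capture 10.9.0.0/16. That inference, the fallback decision for a route no rule decides, and the rule set itself are assumptions.

```python
"""Added illustration of OSPF Import filter processing (not the unit's code).
Assumptions: the network test semantics are inferred from the manual's three
examples; a route no rule decides receives the 'fallback' decision."""
import ipaddress


def network_matches(route_prefix, rule_prefix, mask_from, mask_to):
    """The 'a.b.c.d/len{from,to}' test used in the manual's examples."""
    route = ipaddress.ip_network(route_prefix, strict=False)
    rule = ipaddress.ip_network(rule_prefix, strict=False)
    if not mask_from <= route.prefixlen <= mask_to:
        return False
    # Compare only the leading bits both prefixes have in common.
    shift = 32 - min(rule.prefixlen, route.prefixlen)
    return (int(route.network_address) >> shift) == (int(rule.network_address) >> shift)


def _criterion(mode, matched):
    """Off ignores the criterion; Match requires it; Not match inverts it."""
    if mode == "Off":
        return True
    if mode in ("Match", "Not match"):
        return matched == (mode == "Match")
    raise ValueError(f"unknown filter mode {mode!r}")


def rule_captures(route, rule):
    """True when every enabled criterion of the rule is satisfied."""
    return (_criterion(rule.get("filter_network", "Off"),
                       network_matches(route["prefix"], rule.get("network", "0.0.0.0/0"),
                                       rule.get("mask_from", 0), rule.get("mask_to", 32)))
            and _criterion(rule.get("filter_source", "Off"),
                           route["source"] == rule.get("source", "External type 1"))
            and _criterion(rule.get("filter_tag", "Off"),
                           route["tag"] == rule.get("tag", 0)))


def run_import_filter(route, rules, fallback="Accept"):
    """Apply the ordered rules to one incoming OSPF route. Returns
    (decision, route); the route carries the preference a rule set on it.
    'Pass' applies the rule's settings and continues with the next rule."""
    route = dict(route)
    for rule in rules:
        if not rule.get("active", True) or not rule_captures(route, rule):
            continue
        if rule.get("set_preference"):
            route["preference"] = rule.get("preference", 200)
        if rule["action"] in ("Accept", "Reject"):
            return rule["action"], route
        if rule["action"] != "Pass":
            raise ValueError(f"unknown action {rule['action']!r}")
    return fallback, route


# Constructed rule set (hypothetical values): routes tagged 100 get
# preference 250, external type 2 routes inside 192.168.1.0/24 are rejected,
# everything else is accepted.
RULES = [
    {"filter_tag": "Match", "tag": 100, "action": "Pass",
     "set_preference": True, "preference": 250},
    {"filter_network": "Match", "network": "192.168.1.0/24", "mask_from": 24, "mask_to": 32,
     "filter_source": "Match", "source": "External type 2", "action": "Reject"},
    {"filter_network": "Match", "network": "0.0.0.0/0", "mask_from": 0, "mask_to": 32,
     "action": "Accept"},
]

if __name__ == "__main__":
    for r in ({"prefix": "192.168.1.0/24", "source": "External type 2", "tag": 100},
              {"prefix": "192.168.1.0/24", "source": "Internal", "tag": 0},
              {"prefix": "10.9.0.0/16", "source": "Inter-area", "tag": 100}):
        print(r["prefix"], run_import_filter(r, RULES))
```

Because the order of rules matters, a Pass rule placed first can annotate a route (here with a preference) that a later rule then accepts or rejects; swapping the first two rules would change the outcome for the tagged external route.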

Export filter

OSPF export filter rules define set of routing rules to be exported from the unit into the OSPF area. The order of rules matters. Maximum number of filter rules is 256.

  • Active
    List box {On; Off}, default Off
    Enables / disables the filter rule.

  • Note
    Informational note

  • Filter network
    List box {Off; Match; Not match}, default = “Off”
    Selects a method of the routing rule destination range comparison.

  • Network IP / Network mask
    IP address, default = 0.0.0.0/0
    IP address and mask define the network prefix to be compared.

  • Mask from
    Number {0 – 32}, default = 0

  • Mask to
    Number {0 – 32}, default = 32
    Definition of the enabled range of the mask length of the processed routing rule.

  • Filter protocol
    List box {Off; Match; Not match}, default = “Off”
    Selects the way how the routing rule source protocol is compared.

  • Protocol
    List box {System; BGP; BGP external; BGP internal}, default = “System”
    Selection of the protocol origin. “System” – stands for rules from the ordinary routing table.

  • Filter BGP path
    List box {Off; Is empty; Not empty}, default = “Off”
    Compares BGP routing rule path if it is empty (i.e. the rule originates in this AS).

  • Action
    List box {Accept; Reject; Pass}, default = “Accept”
    Defines what action is taken on the routing rule. “Pass” continues in processing.

7.2.3. BGP

Border Gateway Protocol (BGP) is a standardized exterior gateway protocol designed to exchange routing and reachability information among autonomous systems. BGP is classified as a path-vector routing protocol, and it makes routing decisions based on paths, network policies, or rule-sets configured by a network administrator.

DESCRIPTION

BGP splits the network into Autonomous Systems (AS) which are identified by a specific number. Individual BGP routers are interconnected with their neighbors using TCP connections. Any connection can travel over multiple hops. Any connection can be secured using MD5 signatures.

Connections inside the AS are called ‘internal’ (iBGP):

  • All BGP routers within given AS must be fully interconnected – every router must have connection to all other routers.

  • It is possible to define ‘Route reflectors’ – they must be fully interconnected. The other routers behave as Route reflector clients and they need a connection to their reflector only. Route reflector and its clients form a ‘cluster’. It is possible to create a cluster with multiple Route reflectors for the purpose of backup.

  • The iBGP router having a higher local preference will be preferred during the internal AS path selection.

Connections to another AS are called ‘external’ (eBGP):

  • It is possible to communicate from the router to the neighbor AS the MED (Multi-Exit Discriminator) metric designating which of the AS border routers will be used as an input point.

When the routing rules are spread across multiple AS, those AS are added into the accumulated path (BGP path). Path length is the primary criterion in the decision which of the routing rules will be used.

It is possible to prescribe routing rules toward this router which will be spread across the network (Static rules).

It is possible to control the routing rules which are imported into the RipEX unit from the BGP protocol and those that are exported into the BGP protocol from the unit by using ‘filters’.

  • Import IGP filter – controls which of the routing rules from the BGP are accepted to the dynamic routing table and how

  • Export IGP filter – controls which of the routing rules from the dynamic routing table are exported to the BGP and how

  • Import OUT filter – controls which of the routing rules from the other AS are accepted to the BGP and how

  • Export OUT filter – controls which of the routing rules are exported from the BGP to other AS and how

  • Routing rules passed on between iBGP and BGP tables are not filtered

Common – Common settings

  • Active
    List box {On; Off}, default = “Off”
    Enables the dynamic routing and the BGP protocol.

  • Router ID
    IP address, default = 0.0.0.0
    RipEX unit acts in the BGP network as a dynamic router. Every router is identified by an ID having the format of an IP address. This IP address does not have to be ‘real’.
    Router ID is shared with the OSPF protocol.

  • Local AS
    Number {0 – 2^32-1}, default = 65000
    Local Autonomous System identification number. AS numbers are assigned by IANA. Part of the range is reserved for private network usage: 64512 – 65534 and 4200000000 – 4294967294. AS numbers from this range can be safely used by anyone.

  • Preference
    Number {0 – 2^32-1}, default = 100
    Router preference within the local AS. The higher the number, the higher the preference.

  • MED (Multi-Exit Discriminator)
    List box {Off; Static; OSPF metric 1}, default = “Off”
    Setting of MED (Multi-Exit Discriminator) on the routing rules being exported to other AS. MED makes it possible to advertise which of the routers in the local AS is the preferred input point to the AS. “Static” option sets the fixed value for all rules (Static MED). “OSPF metric 1” copies the OSPF metric to MED; for the rules which are not from the OSPF it enters the fixed value Static MED.

  • Static MED
    Number {0 – 2^32-1}, default = 0
    Metric to be used for the preferred input point to the AS selection (see MED (Multi-Exit Discriminator) description). The higher the number the lower the preference.

  • Route reflector
    List box {Off; On}, default = “Off”
    Enables the Route reflector function on this router. iBGP requires connection in between all routers under normal circumstances. Route reflector makes it possible to avoid this requirement by distributing routing updates to all its clients. Such clients do not need any other connection except connection to this Route reflector. Route reflector and its clients form a ‘cluster’. See more details at the beginning of the BGP chapter.

  • Cluster ID type
    List box {Router ID; Manual}, default = “Router ID”
    Controls the iBGP cluster identification. Cluster identification must be the same inside the cluster and it has to be different in another cluster. If the “Router ID” is selected, the Router ID value is used as a cluster id.

  • Cluster ID
    IP address, default = 0.0.0.0
    Cluster identification in the format of an IP address. This IP address does not have to be ‘real’ (valid).

Neighbors

Neighboring BGP routers. Maximum number of neighbors is 256.

  • Active
    List box {On; Off}, default = “On”
    Enables the specific neighbor.

  • Note
    Informational note.

  • Neighbor type
    List box {Internal; External}, default = “External”
    Neighbor router type selection. “Internal” neighbor belongs to the same AS (iBGP). “External” belongs to other AS (eBGP).

  • Neighbor AS
    Number {0 – 2^32-1}, default = 65000
    Neighbor AS number.

  • Neighbor IP
    IP address, default = 0.0.0.0
    Neighbor router IP address.

  • Local IP of the connection
    IP address, default = 0.0.0.0
    Local IP address of the connection. Default value 0.0.0.0 provides automatic set up of this address – from the routing.

  • Neighbor connection
    List box {Direct; Multihop}, default = “Direct”
    Network connection type between the neighbors. “Direct” means direct – one hop – connection. This is typical for eBGP routers. “Multihop” means connection over the multiple routers. This is typical for iBGP routers.

  • MD5 authentication
    List box {On; Off}, default = “Off”
    Enables BGP packets authentication using TCP MD5 Signature extension.

  • Password
    String, up to 128 characters
    Password for the MD5 authentication.

  • Passive
    List box {On; Off}, default = “Off”
    Passive BGP router does not initiate connection to a neighbor, it is waiting for the neighbor activity.

  • Hold interval [s]
    Number {3 – 10800}, default = 240
    Time (in seconds) to wait for the keepalive message from the neighbor. It is negotiated with the neighbor. When it expires, the connection is treated as interrupted.

  • Keepalive interval [s]
    Number {1 – 3600}, default = 80
    Period (in seconds) of sending keepalive messages. It should not be longer than 1/3 of the Hold interval.

  • Connection retry interval [s]
    Number {1 – 3600}, default = 120
    Time (in seconds) to wait before trying to re-connect the interrupted connection.

  • TTL security
    List box {On; Off}, default On
    Protection against BGP packets spoofing. The Generalized TTL Security Mechanism (GTSM – RFC 5082) is used. BGP transmits packets with a known TTL value. Incoming packets having a lower than expected value (expected number of hops) are discarded.

  • Expected hops
    Number {2 – 32}, default = 2
    Number of expected hops between the neighbors

  • Route reflector client
    List box {On; Off}, default = “Off”
    Defines if this neighbor is a client of this (this unit) Route reflector.

  • Set cost
    List box {On; Off}, default = “Off”
    Enables to set a specific Cost of the BGP connection.

  • Cost
    Number {0 – 2^32-1}, default = 10
    The cost of connection to this neighbor. The higher the number the higher the cost. It enables to make decisions inside the router between multiple paths from the same neighbor.

  • Next hop self
    List box {Off; Always; Internal; External}, default = “Off”
    Defines if the exported routing rules should have ‘next hop’ addresses overwritten to the address of this router. “Internal” overwrites only the rules from the local AS. “External” overwrites only the rules from the other AS.
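Two of the neighbor parameters above lend themselves to a small check, shown in the added Python example below (not the unit's code): the Keepalive / Hold interval relationship (Keepalive should not exceed one third of Hold, ranges 1 – 3600 s and 3 – 10800 s) and TTL security, where a packet that crossed at most the configured Expected hops arrives with a TTL of at least 255 minus (hops minus 1) and anything lower is discarded. The neighbor row is a constructed sample using the manual's default values; the password string is a placeholder.

```python
"""Added illustration of two BGP neighbor settings: the Keepalive / Hold
relationship and TTL security (GTSM, RFC 5082). Not the unit's code; a
Python model using the ranges and defaults stated in the manual."""

GTSM_INITIAL_TTL = 255  # RFC 5082: the sender transmits with the maximum TTL


def neighbor_config_warnings(n):
    """Check one Neighbors row against the constraints the manual states.
    Returns a list of warnings (empty = consistent)."""
    warnings = []
    if not 3 <= n["hold"] <= 10800:
        warnings.append("Hold interval outside 3 – 10800 s")
    if not 1 <= n["keepalive"] <= 3600:
        warnings.append("Keepalive interval outside 1 – 3600 s")
    if n["keepalive"] * 3 > n["hold"]:
        warnings.append("Keepalive interval longer than 1/3 of the Hold interval")
    if not 2 <= n["expected_hops"] <= 32:
        warnings.append("Expected hops outside 2 – 32")
    if n["md5"] and not n.get("password"):
        warnings.append("MD5 authentication enabled without a password")
    return warnings


def min_accepted_ttl(expected_hops):
    """Lowest TTL a packet can show after crossing at most expected_hops links
    (1 = directly connected, arriving with TTL 255)."""
    return GTSM_INITIAL_TTL - expected_hops + 1


def gtsm_accepts(ttl, expected_hops, ttl_security=True):
    """Receive-side check: discard packets whose TTL is lower than the value
    expected for the configured hop count."""
    if not ttl_security:
        return True
    return ttl >= min_accepted_ttl(expected_hops)


def arrival_ttl(hops):
    """TTL a GTSM packet shows after crossing 'hops' links (1 = direct link)."""
    return GTSM_INITIAL_TTL - (hops - 1)


# Constructed neighbor row using the manual's defaults; placeholder secret.
NEIGHBOR = {"hold": 240, "keepalive": 80, "expected_hops": 2, "md5": True,
            "password": "placeholder-shared-secret"}

if __name__ == "__main__":
    print(neighbor_config_warnings(NEIGHBOR))   # []
    print(gtsm_accepts(arrival_ttl(2), 2))      # True: packet from the configured distance
    print(gtsm_accepts(arrival_ttl(5), 2))      # False: packet travelled too far
```

The TTL check only tells the two peers apart from senders farther away than the configured hop count; it does not authenticate the peer, which is what the MD5 authentication option is for.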

Static rules

Pre-defined static routing rules to be exported over the BGP protocol. Maximum number of rules is 256.

  • Active
    List box {On; Off}, default = “Off”
    Enables / disables the static routing rule.

  • Destination IP / Destination mask
    IP address, default = 0.0.0.0/32
    IP address and mask defining the exported routing rule destination address range.

  • Note
    Informational note.

Import IGP filter

Import IGP filter rules. The order of rules matters. Maximum number of filter rules is 256.

  • Filter policy
    List box {Accept; Reject}, default = “Reject”
    Defines what action is taken on the routing rules which were not captured (i.e. fallback) in the Import IGP filter.

  • Active
    List box {On; Off}, default = “On”
    Enables / disables the filter rule.

  • Note
    Informational note.

  • Filter network
    List box {Off; Match; Not match}, default = “Off”
    Selects a method of the routing rule destination range comparison.

  • Network IP / Network mask
    IP address, default = 0.0.0.0/0
    IP address and mask define the network prefix to be compared.

  • Mask from
    Number {0 – 32}, default = 0

  • Mask to
    Number {0 – 32}, default = 32
    Definition of the enabled range of the mask length of the processed routing rule.

  • Filter source
    List box {Off; Internal; External}, default = “Off”
    Selection based on the routing rule source. “Internal” selects rules received from the internal (iBGP) connection. “External” selects rules received from the other AS (eBGP).

  • Filter BGP path
    List box {Off; Is empty; Not empty; Contain; Not contain}, default = “Off”
    Filtering based on the BGP Path (routing rule path over different AS). “Is empty” – defines an empty path (routing rule from the local AS). “Contain” – defines paths containing specific AS.

  • Path position
    List box {Any; Neighbor; Source}, default = “Any”
    Selects position of the specific AS (Path AS). “Any” – anywhere on the path. “Neighbor” – the path was received from this AS (last on the path). “Source” – routing rule was originated from this AS (first on the path).

  • Path AS
    Number {0 – 2^32-1}, default = 65000
    The number of the AS searched for.

  • Action
    List box {Accept; Reject; Pass}, default = “Accept”
    Defines what action is taken on the captured routing rule. “Pass” continues in processing.

  • Set preference
    List box {Off; On}, default = “Off”
    Defines if the specific Preference will be set up for this rule.

  • Preference
    Number {0 – 65535}, default = 100
    Routing rule preference in the routing table. The higher the number the higher the preference.

  • Local preferred source address
    IP address, default = 0.0.0.0
    Preferred source IP address for the locally generated packets. When disabled (default value 0.0.0.0 is used), the source IP address is set according to the outgoing interface.
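The path-based criteria of the Import IGP filter (Filter source, Filter BGP path, Path position, Path AS), the ordered Accept / Reject / Pass actions, Set preference and the Filter policy fallback are shown in the added Python example below. It is not the unit's code; the network criterion is left out because it works as in the OSPF filters. The path convention follows the text above: path[0] is the originating AS (“Source”), path[-1] is the AS the route was received from (“Neighbor”), and an empty path means the route comes from the local AS. The rules and routes are constructed values using private AS numbers.

```python
"""Added illustration of the BGP Import IGP filter's path-based criteria
(not the unit's code). Path convention: path[0] = originating AS ('Source'),
path[-1] = AS the route was received from ('Neighbor'); [] = local AS."""


def path_matches(path, mode, position="Any", path_as=None):
    """Evaluate the Filter BGP path criterion for one AS path."""
    if mode == "Off":
        return True
    if mode == "Is empty":
        return len(path) == 0
    if mode == "Not empty":
        return len(path) > 0
    if mode in ("Contain", "Not contain"):
        if position == "Any":
            found = path_as in path
        elif position == "Neighbor":
            found = len(path) > 0 and path[-1] == path_as
        elif position == "Source":
            found = len(path) > 0 and path[0] == path_as
        else:
            raise ValueError(f"unknown path position {position!r}")
        return found if mode == "Contain" else not found
    raise ValueError(f"unknown path filter mode {mode!r}")


def source_matches(route_source, mode):
    """Filter source: Off, Internal (iBGP) or External (eBGP)."""
    return mode == "Off" or route_source == mode


def rule_captures(route, rule):
    """True when every enabled criterion of the rule is satisfied."""
    return (source_matches(route["source"], rule.get("filter_source", "Off"))
            and path_matches(route["path"], rule.get("filter_path", "Off"),
                             rule.get("position", "Any"), rule.get("path_as")))


def run_import_igp_filter(route, rules, policy="Reject"):
    """Ordered evaluation; 'policy' is the Filter policy applied to routes no
    rule captured (the manual's default is Reject). Returns (decision, route)."""
    route = dict(route)
    for rule in rules:
        if not rule.get("active", True) or not rule_captures(route, rule):
            continue
        if rule.get("set_preference"):
            route["preference"] = rule.get("preference", 100)
        if rule["action"] in ("Accept", "Reject"):
            return rule["action"], route
        if rule["action"] != "Pass":
            raise ValueError(f"unknown action {rule['action']!r}")
    return policy, route


# Constructed rules with private AS numbers (hypothetical values).
RULES = [
    # Drop everything originated by AS 64512.
    {"filter_path": "Contain", "position": "Source", "path_as": 64512, "action": "Reject"},
    # eBGP routes that crossed AS 65010 anywhere on the path get preference 150.
    {"filter_source": "External", "filter_path": "Contain", "position": "Any",
     "path_as": 65010, "action": "Pass", "set_preference": True, "preference": 150},
    # Accept any route with a non-empty path; the rest falls back to the policy.
    {"filter_path": "Not empty", "action": "Accept"},
]

if __name__ == "__main__":
    for r in ({"prefix": "10.1.0.0/16", "source": "External", "path": [64512, 65001]},
              {"prefix": "10.2.0.0/16", "source": "External", "path": [65020, 65010]},
              {"prefix": "10.3.0.0/16", "source": "Internal", "path": []}):
        print(r["prefix"], run_import_igp_filter(r, RULES))
```

With the default Filter policy of Reject, a route that no rule captures (here the iBGP route with an empty path) is dropped, so an explicit accepting rule is needed for every class of route the unit should install.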

Export IGP filter

Export IGP filter rules. The order of rules matters. Maximum number of filter rules is 256.

  • Filter policy
    List box {Accept; Reject}, default = “Reject”
    Defines what action is taken on the routing rules which were not captured (i.e. fallback) in the Export IGP filter.

  • Active
    List box {On; Off}, default = “On”
    Enables / disables the filter rule.

  • Note
    Informational note

  • Filter network
    List box {Off; Match; Not match}, default = “Off”
    Selects a method of the routing rule destination range comparison.

  • Network IP / Network mask
    IP address, default = 0.0.0.0/0
    IP address and mask define the network prefix to be compared.

  • Mask from
    Number {0 – 32}, default = 0

  • Mask to
    Number {0 – 32}, default = 32
    Definition of the enabled range of the mask length of the processed routing rule.

  • Filter protocol
    List box {Off; Match; Not match}, default = “Off”
    Selects the way how the routing rule source protocol is compared.

  • Protocol
    List box {System; OSPF}, default = “System”
    Selection of the protocol origin. “System” – stands for rules from the ordinary routing table. “OSPF” stands for rules from the OSPF protocol.

  • Filter OSPF source
    List box {Off; Match; Not match}, default = “Off”
    Selects the OSPF routing rule source comparison mode.

  • OSPF source
    List box {Internal; Inter-area; External type 1; External type 2}, default = “External type 2”
    OSPF sources. “Internal” – stands for internally generated rule (e.g. interface range). “Inter-area” – stands for rule generated on the area borders.

  • Filter OSPF tag
    List box {Off; Match; Not match}, default = “Off”
    Selects the way of filtering based on OSPF tag.

  • OSPF tag
    Number {0 – 2^32-1}, default = 0
    OSPF tag to be compared. The tag is added to a rule when inserted to OSPF.

  • Action
    List box {Accept; Reject; Pass}, default = “Accept”
    Defines what action is taken on the routing rule. “Pass” continues in processing.

Import OUT rules

Import OUT filter rules. The order of rules matters. Maximum number of filter rules is 256.

  • Filter policy
    List box {Accept; Reject}, default = “Accept”
    Defines what action is taken on the routing rules which were not captured (i.e. fallback) in the Import OUT filter.

  • Filter limit
    Number {1 – 65535}, default = 1024
    Limit of the accepted routing rules from the neighbor. The limit applies before this Import OUT filter. Excess rules are dropped.

  • Active
    List box {On; Off}, default = “On”
    Enables / disables the filter rule.

  • Note
    Informational note.

  • Filter network
    List box {Off; Match; Not match}, default = “Off”
    Selects a method of the routing rule destination range comparison.

  • Network IP / Network mask
    IP address, default = 0.0.0.0/0
    IP address and mask define the network prefix to be compared.

  • Mask from
    Number {0 – 32}, default = 0

  • Mask to
    Number {0 – 32}, default = 32
    Definition of the enabled range of the mask length of the processed routing rule.

  • Filter BGP path
    List box {Off; Is empty; Not empty; Contain; Not contain}, default = “Off”
    Filtering based on the BGP Path (routing rule path over different AS). “Is empty” – defines an empty path (routing rule from the local AS). “Contain” – defines paths containing specific AS.

  • Path position
    List box {Any; Neighbor; Source}, default = “Any”
    Selects position of the specific AS (Path AS). “Any” – anywhere on the path. “Neighbor” – the path was received from this AS (last on the path). “Source” – routing rule originates from this AS (first on the path).

  • Path AS
    Number {0 – 2^32-1}, default = 65000
    The number of the AS searched for.

  • Action
    List box {Accept; Reject; Pass}, default = “Accept”
    Defines what action is taken with the matching routing rule. “Pass” continues in processing.

  • Prepend local AS
    Number {0 – 8}, default = 0
    Allows the local AS number to be added (even multiple times) to the end of the BGP path, making the path virtually longer. A longer path is handicapped during path comparison and selection.

Export OUT filter

Export OUT filter rules. The order of rules matters. Maximum number of filter rules is 256.

  • Filter policy
    List box {Accept; Reject}, default = “Accept”
    Defines what action is taken on the routing rules which were not captured (i.e. fallback) in the Export OUT filter.

  • Active
    List box {On; Off}, default = “On”
    Enables / disables the filter rule.

  • Note
    Informational note.

  • Filter network
    List box {Off; Match; Not match}, default = “Off”
    Selects a method of the routing rule destination range comparison.

  • Network IP / Network mask
    IP address, default = 0.0.0.0/0
    IP address and mask define the network prefix to be compared.

  • Mask from
    Number {0 – 32}, default = 0

  • Mask to
    Number {0 – 32}, default = 32
    Definition of the enabled range of the mask length of the processed routing rule.

  • Filter protocol
    List box {Off; Match; Not match}, default = “Off”
    Selects the way how the routing rule source protocol is compared.

  • Protocol
    List box {System; OSPF; BGP; BGP external; BGP internal}, default = “System”
    Selection of the protocol origin. “System” – stands for rules from the ordinary routing table.

  • Filter OSPF tag
    List box {Off; Match; Not match}, default = “Off”
    Selects the way of filtering based on OSPF tag.

  • OSPF tag
    Number {0 – 2^32-1}, default = 0
    OSPF tag to be compared. The tag is added to a rule when inserted to OSPF.

  • Filter BGP path
    List box {Off; Is empty; Not empty; Contain; Not contain}, default = “Off”
    Filtering based on the BGP Path (routing rule path over different AS). “Is empty” – defines an empty path (routing rule from the local AS). “Contain” – defines paths containing specific AS.

  • Path position
    List box {Any; Neighbor; Source}, default = “Any”
    Selects position of the specific AS (Path AS). “Any” – anywhere on the path. “Neighbor” – the path was received from this AS (last on the path). “Source” – routing rule was originated from this AS (first on the path).

  • Path AS
    Number {0 – 2^32-1}, default = 65000
    The number of the AS searched for.

  • Action
    List box {Accept; Reject; Pass}, default = “Accept”
    Defines what action is taken on the routing rule. “Pass” continues in processing.
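
The filter tables above (Export IGP, Import OUT, Export OUT) all follow the same evaluation model: criteria set to Off are ignored, Match/Not match (or Contain/Not contain) must all hold for a rule to capture the routing rule, Pass continues down the list, and the Filter policy is the fallback. The following added example (not Racom's code) models that evaluation for an Import OUT filter; the rule and route values, the local AS 65001, and the reading of "Filter network" as "destination lies inside Network IP/mask and its mask length is within Mask from..Mask to" are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

LOCAL_AS = 65001  # constructed local AS number, not a value from the manual


@dataclass
class Route:
    """A routing rule as seen by the filter (constructed sample data)."""
    prefix: str                                  # destination prefix in CIDR notation
    protocol: str = "BGP"                        # System / OSPF / BGP ...
    # AS path written as the manual describes positions: first = Source
    # (originating AS), last = Neighbor (AS the rule was received from).
    bgp_path: List[int] = field(default_factory=list)


@dataclass
class Rule:
    """One line of the filter table; "Off" disables a criterion."""
    active: bool = True
    filter_network: str = "Off"                  # Off / Match / Not match
    network: str = "0.0.0.0/0"
    mask_from: int = 0
    mask_to: int = 32
    filter_protocol: str = "Off"                 # Off / Match / Not match
    protocol: str = "System"
    filter_bgp_path: str = "Off"                 # Off / Is empty / Not empty / Contain / Not contain
    path_position: str = "Any"                   # Any / Neighbor / Source
    path_as: int = 65000
    action: str = "Accept"                       # Accept / Reject / Pass
    prepend_local_as: int = 0                    # 0..8, Import OUT rules only


def _tri(mode: str, cond: bool) -> bool:
    """Off ignores the criterion, Match requires it, Not match requires its negation."""
    if mode == "Off":
        return True
    return cond if mode == "Match" else not cond


def _network_hit(rule: Rule, route: Route) -> bool:
    # Assumption: destination "matches" when it lies inside Network IP/mask
    # and its own mask length falls within [Mask from, Mask to].
    net = ipaddress.ip_network(rule.network, strict=False)
    dst = ipaddress.ip_network(route.prefix, strict=False)
    return dst.subnet_of(net) and rule.mask_from <= dst.prefixlen <= rule.mask_to


def _path_hit(rule: Rule, route: Route) -> bool:
    path, mode = route.bgp_path, rule.filter_bgp_path
    if mode == "Off":
        return True
    if mode in ("Is empty", "Not empty"):
        return (not path) if mode == "Is empty" else bool(path)
    if rule.path_position == "Neighbor":          # last AS on the path
        present = bool(path) and path[-1] == rule.path_as
    elif rule.path_position == "Source":          # first AS on the path
        present = bool(path) and path[0] == rule.path_as
    else:                                         # Any: anywhere on the path
        present = rule.path_as in path
    return present if mode == "Contain" else not present


def evaluate(rules: List[Rule], policy: str, route: Route) -> Tuple[str, List[int]]:
    """Walk the ordered rule list. The first capturing rule with Accept/Reject
    decides; Pass continues; the Filter policy is the fallback.
    Returns (decision, resulting AS path)."""
    path = list(route.bgp_path)
    for rule in rules:
        if not rule.active:
            continue
        captured = (_tri(rule.filter_network, _network_hit(rule, route))
                    and _tri(rule.filter_protocol, route.protocol == rule.protocol)
                    and _path_hit(rule, route))
        if not captured or rule.action == "Pass":
            continue
        if rule.action == "Accept":
            # "Prepend local AS": local AS added to the path end, making it longer
            path = path + [LOCAL_AS] * rule.prepend_local_as
        return rule.action, path
    return policy, path


# Constructed Import OUT filter: drop routes with an empty path, drop anything
# inside 10.0.0.0/8 with mask /8../24, and handicap routes sourced by AS 64512.
IMPORT_RULES = [
    Rule(filter_bgp_path="Is empty", action="Reject"),
    Rule(filter_network="Match", network="10.0.0.0/8", mask_from=8, mask_to=24,
         action="Reject"),
    Rule(filter_bgp_path="Contain", path_position="Source", path_as=64512,
         action="Accept", prepend_local_as=2),
]
IMPORT_POLICY = "Accept"
```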

7.3. Firewall

7.3.1. Firewall L2

  • Filter mode list box {Blacklist, Whitelist}, default Blacklist

    • Blacklist

      The MAC addresses listed in the table are blocked, i.e. all packets to/from them are discarded. The traffic to/from other MAC addresses is allowed.

    • Whitelist

      Only the MAC addresses listed in the table are allowed, i.e. only packets to/from them are allowed. The traffic to/from other MAC addresses is blocked.

  • Active list box {Off, On}, default On

    If “On”, the Layer 2 Linux firewall is activated.

  • Interface list box {All, ETH1..ETH5}, default All

  • MAC

    MAC address

7.3.2. Firewall L3

Firewall L3 Active list box {Off, On}, default Off – switches the L3 firewall Off or On.

Each individual firewall rule is described by the following items:

  • Protocol

    List box {All, ICMP, UDP, TCP, GRE, ESP, Other}, default All

  • Source IP/Mask source IP address and mask.

    The rule with narrower mask has higher priority. The rule’s order does not affect priority.

  • Source port (from) and (to) interval of source ports

  • Input interface list box {All, Radio, All ETH, ETH1..ETH5, Other}, default All

  • Action list box {Deny, Allow}, default Deny

  • Destination IP/Mask

  • Destination port (from) and (to) interval of destination ports

  • Output interface list box {All, Radio, All ETH, Other}, default All

  • Connection state New list box {Off, On}, default Off – active only for TCP protocol

    Relates to the first packet when a TCP connection starts (request from the TCP client to the TCP server to open a new TCP connection). Used e.g. to allow TCP connections to be opened only from the RipEX2 network to the outside.

  • Connection state Established list box {Off, On}, default Off – active only for TCP protocol

    Relates to an already existing TCP connection. Used e.g. to allow replies for TCP connections created from the RipEX2 network to the outside.

  • Connection state Related list box {Off, On} default Off, active only for TCP protocol

    A connection related to an “Established” one, e.g. FTP typically uses two TCP connections (control and data), where the data connection is created automatically using dynamic ports.

    [Note]Note

    L2/L3 firewall settings do not impact the local ETH access, i.e. settings never deny access to a locally connected RipEX2 (web interface, ping, …).

    [Note]Note

    Ports 443 and 8889 are used internally for service access (by default; this can be overridden). Exercise caution when making rules which may affect datagrams to/from these ports in the L3 Firewall settings. The management connection to a remote RipEX2 may be lost when another RipEX2 acts as a router along the route of the management packets and port 443 (or 8889) is disabled in the firewall settings of that routing RipEX2 (RipEX2 units use the iptables “forward” chain).

    [Note]Note

    L3 Firewall settings do not impact packets received and redirected from/to Radio channel. The problem described in NOTE 2 will not happen, if the affected RipEX2 router is a radio repeater, i.e. when it uses solely the radio channel for input and output.
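
An added example (not Racom's code) that models the L3 firewall evaluation described above: the narrowest matching rule wins regardless of its position in the list, connection-state flags apply to TCP only, and a pre-deployment check flags Deny rules that could cut off forwarded management traffic on ports 443/8889 as the second Note warns. Assumptions, all constructed: "narrower mask" is measured as the combined source + destination prefix length, ties go to the earlier rule, packets matching no rule are allowed, and the rule set and packets are sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

SERVICE_PORTS = (443, 8889)  # default internal service ports named in the Note above


@dataclass
class FwRule:
    """One L3 firewall rule (field names follow the items listed above)."""
    protocol: str = "All"                     # All / ICMP / UDP / TCP / GRE / ESP / Other
    src: str = "0.0.0.0/0"
    sport: Tuple[int, int] = (1, 65535)       # Source port (from, to)
    in_iface: str = "All"                     # All / Radio / All ETH / ETH1..ETH5 / Other
    action: str = "Deny"                      # Deny / Allow
    dst: str = "0.0.0.0/0"
    dport: Tuple[int, int] = (1, 65535)       # Destination port (from, to)
    out_iface: str = "All"                    # All / Radio / All ETH / Other
    state_new: bool = False                   # TCP only
    state_established: bool = False           # TCP only
    state_related: bool = False               # TCP only


@dataclass
class Packet:
    """Constructed packet together with its connection-tracking state."""
    protocol: str
    src: str
    dst: str
    in_iface: str
    out_iface: str
    sport: int = 0
    dport: int = 0
    state: str = "none"                       # new / established / related / none


def _iface_ok(selector: str, iface: str) -> bool:
    if selector == "All":
        return True
    if selector == "All ETH":
        return iface.startswith("ETH")
    return selector == iface


def _matches(rule: FwRule, pkt: Packet) -> bool:
    if rule.protocol != "All" and rule.protocol != pkt.protocol:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    if not (_iface_ok(rule.in_iface, pkt.in_iface) and _iface_ok(rule.out_iface, pkt.out_iface)):
        return False
    if pkt.protocol in ("TCP", "UDP"):        # only these protocols carry ports
        if not (rule.sport[0] <= pkt.sport <= rule.sport[1]
                and rule.dport[0] <= pkt.dport <= rule.dport[1]):
            return False
    # State flags are active only for TCP: when any flag is set, the packet's
    # conntrack state must be one of the selected ones.
    wanted = [s for s, on in (("new", rule.state_new), ("established", rule.state_established),
                              ("related", rule.state_related)) if on]
    if wanted and pkt.protocol == "TCP" and pkt.state not in wanted:
        return False
    return True


def _specificity(rule: FwRule) -> int:
    # Assumption: "narrower mask" = combined source + destination prefix length.
    return (ipaddress.ip_network(rule.src, strict=False).prefixlen
            + ipaddress.ip_network(rule.dst, strict=False).prefixlen)


def decide(rules: List[FwRule], pkt: Packet, default: str = "Allow") -> str:
    """Narrowest matching rule wins; list order does not matter. Packets that
    match no rule get `default` (an assumption, not stated by the manual)."""
    hits = [r for r in rules if _matches(r, pkt)]
    if not hits:
        return default
    return max(hits, key=_specificity).action


def management_lockout_risks(rules: List[FwRule]) -> List[Tuple[FwRule, int]]:
    """Deny rules whose protocol and port ranges cover TCP service ports
    443/8889; such rules on a routing RipEX2 may cut off remote management."""
    risks = []
    for r in rules:
        if r.action != "Deny" or r.protocol not in ("All", "TCP"):
            continue
        for port in SERVICE_PORTS:
            if r.dport[0] <= port <= r.dport[1] or r.sport[0] <= port <= r.sport[1]:
                risks.append((r, port))
    return risks


# Constructed rule set: deny everything, but let clients in 10.10.0.0/16 open
# Modbus/TCP (port 502) towards 192.168.1.0/24 over the radio, and let the
# replies of those established connections come back.
RULES = [
    FwRule(action="Deny"),
    FwRule(protocol="TCP", src="10.10.0.0/16", in_iface="All ETH", action="Allow",
           dst="192.168.1.0/24", dport=(502, 502), out_iface="Radio", state_new=True),
    FwRule(protocol="TCP", src="192.168.1.0/24", sport=(502, 502), in_iface="Radio",
           action="Allow", dst="10.10.0.0/16", out_iface="All ETH", state_established=True),
]
```

Running `management_lockout_risks(RULES)` on this set reports the catch-all Deny rule for both service ports, which is exactly the configuration the Note warns about when the unit forwards management traffic for other units.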

7.4. VPN

VPN (Virtual Private Network) extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across the VPN may therefore benefit from the functionality, security, and management of the private network.

7.4.1. IPsec

Internet Protocol Security (IPsec) is a network protocol suite that authenticates and encrypts the packets of data sent over a network. IPsec includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys for use during the session. IPsec uses cryptographic security services to protect communications over Internet Protocol (IP) networks. IPsec supports network-level peer authentication, data-origin authentication, data integrity, data confidentiality (encryption), and replay protection. IPsec is an end-to-end security scheme operating within the Internet Layer of the Internet Protocol Suite. IPsec is recognized as a secure, standardized and well-proven solution by the professional public.

Although IPsec has two modes of operation, RipEX2 offers only Tunnel mode. In Tunnel mode, the entire IP packet is encrypted and authenticated. It is then encapsulated into a new IP packet (ESP – Encapsulating Security Payload) with a new IP header.

Symmetric cryptography is used to encrypt the packets. The symmetric keys must be safely delivered to the peer. In order to maintain a secure connection, symmetric keys must be regularly exchanged. The protocol used for secure key exchange is IKE (Internet Key Exchange). Both IKE version 1 and the newer version 2 are available in RipEX2.

IKE protocol communication with the peer is established using UDP frames on port 500. However, if NAT-T (NAT Traversal) or MOBIKE (MOBile IKE) are active, the UDP port 4500 is used instead.

[Note]Note

NAT-T is automatically recognized by IPsec implementation in RipEX2.

The IPsec tunnel is provided by Security Association (SA). There are 2 types of SA:

  • IKE SA: IKE Security Association providing SA keys exchange with the peer.

  • CHILD SA: IPsec Security Association providing packet encryption.

Every IPsec tunnel contains 1 IKE SA and at least 1 CHILD SA.

Link partner (peer) secure authentication is assured using Pre-Shared Key (PSK) authentication method: Both link partners share the same key (password).

As and when the CHILD SA expires, new keys are generated and exchanged using IKE SA.

As and when the IKE SA version IKEv1 expires – new authentication and key exchange occurs and a new IKE SA is created. Any CHILD SA belonging to this IKE SA is re-created as well.

As and when the IKE SA version IKEv2 expires one of two different scenarios might occur:

  • If the re-authentication is required – the behavior is similar to IKEv1 (see above).

  • If the re-authentication is not required – only new IKE SA keys are generated and exchanged.

  • Configuration

    Active {On, Off}

    Switches the IPsec subsystem On or Off.

  • Make-before-break {On, Off}, default Off

    This parameter is valid for all IKE SA using IKEv2 with re-authentication. It suppresses the temporary connection break that occurs during IKE SA re-authentication. This function may not operate correctly with some IPsec implementations (on the peer side).

  • Peer Address

    Default = 0.0.0.0

    IKE peer IP address.

  • Local ID

    IP address or FQDN (Fully Qualified Domain Name) is used as the Local side identification. It must be the same as “Peer ID” of the IKE peer.

  • Peer ID

    IP address or FQDN (Fully Qualified Domain Name) is used as the IKE peer identification. It must be the same as “Local ID” of the IKE peer. The “Peer ID” must be unique in the whole table.

  • Add / Edit IPsec associations

    Every item in the table represents one IKE SA. There can be a maximum of 8 active IKE SA (limited by system resources).

    • Start state

      List box {Passive, On demand, Start}, default Passive

    • MOBIKE

      List box {On, Off}, default On

      Enables MOBIKE for IKEv2 supporting mobility or migration of the tunnels. Please note IKE is moved from port 500 to port 4500 when MOBIKE is enabled. The peer configuration must match.

    • Dead Peer Detection

      List box {On, Off}, default = On

      Detection of lost connection with the peer. IKE test packets are sent periodically. When packets are not acknowledged after several attempts, the connection is closed (and the corresponding actions are initiated). When Detection is not enabled, a connection loss is discovered only when the regular key exchange process is initiated.

    • Phase 1 IKE

      Parameters of the IKE SA (IKE Security Association), which provides SA key exchange with the peer.

      • IKE version

        List box {IKEv1, IKEv2}, default = IKEv2

        IKE version selection. The IKE peer must use the same version.

      • Authentication method

        List box {PSK}

        Peer authentication method. Peer configuration must match.

        The “main mode” negotiation is the only option supported. The “aggressive mode” is not supported; it is recognized as unsafe when combined with the PSK type of authentication.

      • Encryption algorithm

        List box {3DES (legacy), AES128, AES192, AES256}, default = AES128

        IKE SA encryption algorithm. The “legacy” marked methods are recognized as unsafe. Peer configuration must match.

      • Authentication algorithm

        List box {MD5 (legacy), SHA1 (legacy), SHA256, SHA384, SHA512}, default = SHA256

        IKE SA integrity algorithm. The “legacy” marked methods are recognized as unsafe. Peer configuration must match.

        The same value as selected for the Integrity algorithm is used for the PRF (Pseudo-Random Function).

      • Diffie-Hellman group (PFS)

        List box {None (legacy), Group 2 (MODP1024, legacy), Group 5 (MODP1536, legacy), Group 14 (MODP2048), Group 15 (MODP3072), Group 25 (ECP192), Group 26 (ECP224), Group 19 (ECP256), Group 20 (ECP384), Group 21 (ECP521), Group 27 (ECP224BP), Group 28 (ECP256BP), Group 29 (ECP384BP), Group 30 (ECP512BP)}, default = Group 15 (MODP3072)

        The PFS (Perfect Forward Secrecy) feature is performed using the Diffie-Hellman group method.

        PFS increases IKE SA key exchange security. The RipEX2 unit load is seriously affected while the key exchange is in progress. The “legacy” marked methods are recognized as unsafe. Peer configuration must match.

        The higher the Diffie-Hellman group, the higher the security but also the higher the network and CPU load.

      • Reauthentication

        List box {On, Off}, default = Off

        This parameter is valid if IKEv2 is used. It determines the next action after IKE SA has expired. When enabled: the new IKE SA is negotiated including new peer authentication. When disabled: only the new keys are exchanged.

      • SA lifetime [s]

        Default = 14400 s (4 hours). Range [180 – 86400] s

        Time of SA validity. The new key exchange or re-authentication is triggered immediately when the key expires. The true time of expiration is randomly selected within the range of 90–110% to prevent a collision when the key exchange is triggered from both sides simultaneously.

        Unfortunately, the more frequent the key exchange, the higher the network and CPU load.

    • Phase 2 – IPsec

      Certain parameters are shared by all subordinate CHILD SA. The IPsec Security Association provides packet encryption (user traffic encryption).

      • Encryption algorithm

        List box {3DES (legacy), AES128, AES192, AES256}, default = AES128

        IKE CHILD SA encryption algorithm. The “legacy” marked methods are recognized as unsafe. Peer configuration must match.

      • Authentication algorithm

        List box {MD5 (legacy), SHA1 (legacy), SHA256, SHA384, SHA512}, default = SHA256

        IKE CHILD SA integrity algorithm. The “legacy” marked methods are recognized as unsafe. Peer configuration must match.

        The same value as selected for the Integrity algorithm is used for the PRF (Pseudo-Random Function).

      • Diffie-Hellman group (PFS)

        List box {None (legacy), Group 2 (MODP1024, legacy), Group 5 (MODP1536, legacy), Group 14 (MODP2048), Group 15 (MODP3072), Group 25 (ECP192), Group 26 (ECP224), Group 19 (ECP256), Group 20 (ECP384), Group 21 (ECP521), Group 27 (ECP224BP), Group 28 (ECP256BP), Group 29 (ECP384BP), Group 30 (ECP512BP)}, default = Group 15 (MODP3072)

        The PFS (Perfect Forward Secrecy) feature is performed using the Diffie-Hellman group method.

        PFS increases IKE CHILD SA key exchange security. The RipEX2 unit load is seriously affected while the key exchange is in progress. The “legacy” marked methods are recognized as unsafe. Peer configuration must match.

        The higher the Diffie-Hellman group, the higher the security but also the higher the network and CPU load.

      • Payload compression

        List box {On, Off}, default = Off

        This parameter enables payload compression, which takes place before encryption. Peer configuration must match.

      • SA lifetime [s]

        Default = 3600 s (1 hour). Range [180 – 86400 s]

        Time of CHILD SA validity. The new key exchange or re-authentication is triggered immediately when the key expires. The true time of expiration is randomly selected within the range of 90–110% to prevent a collision when the key exchange is triggered from both sides simultaneously.

        The SA lifetime for CHILD SA is normally much shorter than the SA lifetime for IKE SA, because the CHILD SA normally transfers much more data than the IKE SA (key exchange only). Changing the keys serves as protection against breaking the cipher by analyzing large amounts of data encrypted with the same key.

    • PSK

      PSK (Pre-shared key) authentication is used for IKE SA authentication. The relevant peer is identified by its “Peer ID”. The key must be the same on both the local and the peer side of the IPsec tunnel.

      • Passphrase

        The PSK key is entered as a password. Empty password is not allowed. It is possible to set 256 bits long Key instead of Passphrase in the ADVANCED / VPN / IPsec menu.

  • Traffic selector

    “Traffic selector” defines which traffic is forwarded to the IPsec tunnel. The rule that defines this selection matches an incoming packet to “Local network …” and “Remote network …” address ranges.

  • Basic rules:

    Each line contains the configuration settings of one CHILD SA and indicates its association to a specific IKE SA.

    There can be a maximum of 16 active CHILD SA (in total over all Active IKE SA).

    Every “Active” line must have an equivalent on the peer side with reversed “Local network…” and “Remote network…” fields.

    “Local network…” and “Remote network…” fields must contain different address ranges and must not interfere with the USB service connection (10.9.8.7/28) or the internal connection to the FPGA (192.0.2.233/30).

    Each “Active” Traffic selector in the configuration table must be unique.

  • Local network address / Mask

    Source IP address and mask of the packets to be captured and forwarded to the encrypted tunnel.

  • Remote network address / Mask

    Destination IP address and mask of the packets to be captured and forwarded to the encrypted tunnel.

  • Active {On, Off}, default On

    Relevant CHILD SA can be enabled/disabled.

Advanced menu

Several additional parameters are available in menu: ADVANCED / VPN / IPsec

  • DPD check period [s]

    Default = 30 s. Range [5 – 28800 s]

    Dead Peer Detection check period

  • Dead Peer Detection

    List box {Clear, Hold, Restart}, default = Hold

    One of three connection states automatically activated when connection loss is detected:

    • Clear: Connection is closed and waiting

    • Hold: Connection is closed. Connection is established when first packet transmission through tunnel is attempted

    • Restart: Connection is established immediately
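
An added example (not Racom's code) of a pre-deployment sanity check over an IPsec configuration built from the parameters described in this section: legacy algorithm choices, empty passphrase, MOBIKE on IKEv1, lifetime ranges, the 8 IKE SA / 16 CHILD SA limits, Peer ID uniqueness, and Traffic selectors that overlap each other, repeat, or interfere with the reserved ranges 10.9.8.7/28 and 192.0.2.233/30. The data classes, field names and sample values are constructed; "different address ranges" is checked as non-overlap, which is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

LEGACY_ENC = {"3DES"}
LEGACY_AUTH = {"MD5", "SHA1"}
LEGACY_DH = {"None", "Group 2", "Group 5"}
# Ranges the Traffic selector must not interfere with (Basic rules above)
RESERVED = [ipaddress.ip_network("10.9.8.7/28", strict=False),
            ipaddress.ip_network("192.0.2.233/30", strict=False)]
MAX_IKE_SA, MAX_CHILD_SA = 8, 16


@dataclass
class IkeSa:
    """One line of the IPsec associations table (constructed field names)."""
    peer_address: str
    local_id: str
    peer_id: str
    passphrase: str
    active: bool = True
    ike_version: str = "IKEv2"
    mobike: bool = True
    enc: str = "AES128"
    auth: str = "SHA256"
    dh: str = "Group 15"
    ike_lifetime: int = 14400       # Phase 1 SA lifetime [s]
    child_enc: str = "AES128"
    child_auth: str = "SHA256"
    child_dh: str = "Group 15"
    child_lifetime: int = 3600      # Phase 2 SA lifetime [s]


@dataclass
class TrafficSelector:
    ike_sa: int          # index into the IKE SA table
    local: str           # Local network address / Mask
    remote: str          # Remote network address / Mask
    active: bool = True


def ike_udp_port(sa: IkeSa) -> int:
    """IKE runs on UDP 500; MOBIKE moves it to 4500 (NAT-T does too, but NAT-T
    is detected automatically, so only MOBIKE is known from the configuration)."""
    return 4500 if sa.mobike else 500


def check_ipsec(sas: List[IkeSa], selectors: List[TrafficSelector]) -> List[str]:
    """Return human-readable findings; an empty list means no issue found."""
    issues = []
    if sum(s.active for s in sas) > MAX_IKE_SA:
        issues.append(f"more than {MAX_IKE_SA} active IKE SA")
    if len({s.peer_id for s in sas}) != len(sas):
        issues.append("Peer ID is not unique in the table")
    for i, s in enumerate(sas):
        tag = f"IKE SA {i} ({s.peer_id})"
        if not s.passphrase:
            issues.append(f"{tag}: empty passphrase is not allowed")
        if s.mobike and s.ike_version != "IKEv2":
            issues.append(f"{tag}: MOBIKE requires IKEv2")
        for what, val, legacy in (("encryption", s.enc, LEGACY_ENC),
                                  ("authentication", s.auth, LEGACY_AUTH),
                                  ("DH group", s.dh, LEGACY_DH),
                                  ("CHILD encryption", s.child_enc, LEGACY_ENC),
                                  ("CHILD authentication", s.child_auth, LEGACY_AUTH),
                                  ("CHILD DH group", s.child_dh, LEGACY_DH)):
            if val in legacy:
                issues.append(f"{tag}: legacy {what} {val} is recognized as unsafe")
        for what, life in (("IKE", s.ike_lifetime), ("CHILD", s.child_lifetime)):
            if not 180 <= life <= 86400:
                issues.append(f"{tag}: {what} SA lifetime {life} s outside [180 - 86400]")
        if s.child_lifetime > s.ike_lifetime:
            issues.append(f"{tag}: CHILD SA lifetime longer than IKE SA lifetime")
    active_sel = [t for t in selectors if t.active]
    if len(active_sel) > MAX_CHILD_SA:
        issues.append(f"more than {MAX_CHILD_SA} active CHILD SA")
    seen = set()
    for t in active_sel:
        loc = ipaddress.ip_network(t.local, strict=False)
        rem = ipaddress.ip_network(t.remote, strict=False)
        name = f"selector {t.local} -> {t.remote}"
        if loc.overlaps(rem):
            issues.append(f"{name}: local and remote ranges must differ")
        for r in RESERVED:
            if loc.overlaps(r) or rem.overlaps(r):
                issues.append(f"{name}: interferes with reserved {r}")
        if (loc, rem) in seen:
            issues.append(f"{name}: duplicate active Traffic selector")
        seen.add((loc, rem))
    return issues
```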

7.4.2. GRE L2

The GRE L2 tunnel is connected to the bridge (LAN interface) as one of the bridge’s ports: it captures the Ethernet frames of the bridge and sends them to the other end of the tunnel. This makes it possible to build a bridge across a complex network and join local partial networks into one network.

GRE L2 tunnel can be used to tunnel the IPv6 traffic over the RipEX IPv4 network.

  • GRE L2 Enable – switches all L2 tunnels On or Off

Individual L2 tunnels:

  • Enable – enables actual L2 tunnel

  • Note – Informational note

  • Peer address – IP address of the equipment with the second end of the tunnel. This address is the expected source address of incoming GRE packets from the peer.

  • Network interface name – must be set to the name of an existing bridge, see SETTING/Interfaces/Ethernet/Network interface Name

  • Key enabled – enables using key identification of the tunnel from/to the same peer

  • Key – identification number of the tunnel

    Number [0 to 4,294,967,295], default 0

  • MTU – MTU of the L2 tunnel.

    Number of Bytes [74 to 1500], default 1462

    Overhead of the L2 tunnel is 38 B, so it should be GRE MTU = Path MTU – 38.

7.4.3. GRE L3

GRE L3 tunnel works as an additional unit’s interface with its own IP address (and mask). The routing rules are used for sending packets to this interface. It bridges part of the network, so it seems to be one hop for the user traffic.

  • GRE L3 Enable – switches all L3 tunnels On or Off

Individual L3 tunnels:

  • Enable – enables actual L3 tunnel

  • Note – Informational note

  • Peer address – IP address of the equipment with the second end of the tunnel. This address is the expected source address of incoming GRE packets from the peer.

  • Tunnel address / Mask – IP address and mask of the GRE tunnel interface

  • Key enabled – enables using key identification of the tunnel from/to the same peer

  • Key – identification number of the tunnel

    [0 to 4,294,967,295], default 0

  • MTU – MTU of the L3 tunnel.

    [70 to 1476], default 1476

    Overhead of the L3 tunnel is 24 B, so it should be GRE MTU = Path MTU – 24. If the MTU is bigger than is allowed along the route, the GRE packets will be discarded and an ICMP report will be sent back to the source of the original packet (Path MTU discovery).

7.5. Security

User authentication is required to access RipEX unit management. There are two types of user authentication which differ in the user account location:

  • Local authentication – user accounts are stored directly in the RipEX unit

  • Remote authentication – user accounts are stored on a remote authentication server (RADIUS is implemented)

There are four different levels of user access privileges – they are bound with four different user access roles:

  • Guest (role_guest)

    Read only access for configuration parameters (except the secured part of configuration). Diagnostics tools are available.

  • Technician (role_tech)

    All privileges of Guest role plus: write access for non-secured part of configuration.

  • Security technician (role_sectech)

    All privileges of Technician role plus: write access for the secured part of configuration (except unit authentication related parts); unit firmware up/down-grade.

  • Administrator (role_admin)

    No access level restrictions. All privileges of Security technician role plus: user accounts management; remote authentication configuration.

Limitations:

  • At least one Administrator type of account must be defined in the unit.

  • Maximal number of concurrently active sessions is 64. One user can have multiple sessions opened at the same time. If this limit is reached and a new session is to be opened, the oldest active session is deactivated and the new one is opened.

  • Maximal number of Local user accounts (all roles together) is 100.

    [Note]Note

    The Remote access uses local identity and role of the user – there is no additional login to the remote unit (the login into local unit serves as login to the whole network).

Local authentication

The following settings are available only for user with the Administrator role.

The following user account parameters can be changed: password, user role. Any account (except the last one of Administrator role) can be deleted.

Export all users button provides backup of all Local user accounts into a file.

Import all users button provides restoration of all Local user accounts from a backup file. The active session is logged out automatically after this command.

+ Add user account button invokes new user account creation dialog:

  • Username

    String {1 to 128 chars}

    New Username. Every username in the unit must be unique.

  • Password

    String {5 to 128 chars}

    Password is stored in a secure way.

  • User role

    List box {role_admin; role_sectech; role_tech; role_guest}, default = role_admin

    [Note]Note

    It is highly recommended to create a new administrator type of account and delete the default “admin” account.

Advanced feature

When the user account is not active for some time, the user is automatically logged out. The inactivity timeout of the account is set to 1 day by default. It can be changed in the range of 5 minutes up to 2 days (menu ADVANCED/Generic/UserAccess – Web inactivity timeout).

[Note]Note

It is necessary to install firmware version 1.4.5.0 or higher to assure proper functionality of Local and Remote authentication.

7.6. Device

7.6.1. Unit

General

The general settings affecting the whole unit.

  • Unit name

    This name is used as a real name of the Linux router, so the allowed characters are strictly limited to:

    _a..zA..Z0..9

  • Unit note

    Longer unit name without special characters restrictions.

  • Mode list box {Bridge, Router}, default Bridge

    Selecting Bridge or Router mode affects many other parameters across the unit. See Section 5.1, “Bridge mode” and Section 5.2, “Router mode” for detailed description.

Time

7.6.2. Configuration

You can backup the actual unit configuration into a file or restore backed up configuration from the file.

7.6.3. SNMP

SNMP (Simple Network Management Protocol) implementation in RipEX provides three SNMP versions: v1, v2c and v3.

[Note]Note

Following characters are prohibited in SNMP communication:
” (Double quote) ` (Grave accent) \ (Backslash) $ (Dollar symbol) ; (Semicolon)

  • SNMP mode
    List box {Off; v1_v2c_v3; v3}, default = “Off”
    Enables the SNMP and defines which protocol versions are available.

  • Community name
    String {1 to 32 char}, default = “public”
    Community name used by v1 and v2c
    When mode v1_v2c_v3 is used, this parameter is mandatory.

Version 3 settings

  • Security user name
    String {1 to 32 char}, default = <empty>
    User name for SNMPv3. When v3 protocol is selected, this parameter is mandatory.

  • Security level
    List box {NoAuthNoPriv; AuthNoPriv; AuthPriv}, default = “NoAuthNoPriv”
    The v3 protocol security level. Switches on/off Authentication (Auth) and the SNMP data encryption (Priv).

  • Authentication
    List box {MD5_legacy; SHA1_legacy; SHA224; SHA256; SHA384; SHA512}, default = “SHA256”
    Authentication algorithm. Legacy algorithms are not recommended; they are available for compatibility reasons only.

  • Authentication passphrase
    String {8 to 128 char}, default = <empty>
    Passphrase used for authentication with SNMP server.

  • Encryption
    List box {DES_legacy; AES128; AES192; AES256}, default “AES128”
    Encryption algorithm.

  • Encryption passphrase
    String {8 to 128 char}
    Passphrase used for data encryption when communicating with SNMP server.

  • Engine ID mode
    List box {Default; User defined}, default = “Default”
    Engine Id serves for unique identification of the SNMP instance (i.e. the RipEX unit) according to RFC3411. When the “Default” Engine ID mode is selected the MAC address of the Eth1 interface is used for the unique part of the Engine Id (the whole Engine ID example: 800083130302a92006ef).

  • Engine ID
    String {1 to 27 char}
    When “User defined” Engine ID mode is selected the differentiated part of the Engine ID can be entered as ASCII characters or generated (e.g. U3qPrisWoDYbBVNsAWluZYGL3M5). This string is converted into HEX number (i.e. 55 33 71 50 72 69 73 57 6f 44 59 62 42 56 4e 73 41 57 6c 75 5a 59 47 4c 33 4d 35). The whole Engine ID for mentioned example:
    800083130455337150726973576f44596242564e7341576c755a59474c334d35.
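
An added example (not Racom's code) that reproduces the Engine ID construction described above and checks SNMP strings against the prohibited-character Note: the leading bytes 80 00 83 13 are taken from the manual's example Engine IDs, format byte 03 carries a MAC address and 04 carries the user-defined ASCII text, and RFC 3411 caps the whole Engine ID at 32 bytes, which is why the text part is limited to 27 characters. The MAC address used in the test is constructed.

```python
PROHIBITED = set('"`\\$;')         # characters the Note above forbids in SNMP strings
ENTERPRISE_PREFIX = bytes.fromhex("80008313")  # leading 4 bytes from the manual's examples
MAX_ENGINE_ID = 32                 # RFC 3411 limit in bytes: 4 + 1 + 27 text bytes fill it


def check_snmp_string(value: str, lo: int, hi: int) -> str:
    """Validate a community/user name or passphrase against the length limits
    and the prohibited-character note; returns the value unchanged."""
    bad = sorted(set(value) & PROHIBITED)
    if bad:
        raise ValueError(f"prohibited character(s) {bad!r} in SNMP string")
    if not lo <= len(value) <= hi:
        raise ValueError(f"length {len(value)} outside {lo}..{hi}")
    return value


def engine_id_from_text(text: str) -> str:
    """User defined mode: RFC 3411 format 4 (administratively assigned text)."""
    check_snmp_string(text, 1, 27)
    return (ENTERPRISE_PREFIX + b"\x04" + text.encode("ascii")).hex()


def engine_id_from_mac(mac: str) -> str:
    """Default mode: RFC 3411 format 3, a 6-byte MAC address as the unique part."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return (ENTERPRISE_PREFIX + b"\x03" + raw).hex()


def parse_engine_id(hex_id: str) -> dict:
    """Split an Engine ID into enterprise number, format byte and unique part."""
    raw = bytes.fromhex(hex_id)
    if not 5 <= len(raw) <= MAX_ENGINE_ID:
        raise ValueError("Engine ID must be 5..32 bytes")
    if not raw[0] & 0x80:
        raise ValueError("RFC 3411 format bit (MSB of first byte) not set")
    fmt = raw[4]
    unique = raw[5:]
    return {
        "enterprise": int.from_bytes(raw[:4], "big") & 0x7FFFFFFF,
        "format": fmt,
        "unique": unique.decode("ascii") if fmt == 4 else unique.hex(),
    }
```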

Notification

Notification is used for asynchronous notification from a RipEX unit into the SNMP server.

  • Notification mode
    List box {Off; Trap; Inform}, default = “Off”
    Mode of notification; Inform is not supported by SNMPv1

  • Notification version
    List box {v1; v2c; v3}, default = “v2c”
    Notification packets version.

  • Inform repeats
    Number {0 to 10}, default 3
    Number of repeats used when Inform acknowledge was not received.

  • Inform timeout [s]
    Number {1 to 20}, default 10
    Inform acknowledge timeout.

Notification destinations

  • Destination IP
    IP address {0.0.0.0}, default 0.0.0.0
    IP address of SNMP server receiving notification packets.

  • Destination port
    Number {1 to 65535}, default = 162
    Notification packets destination port.

7.6.4. Firmware

Unit firmware defines the unit functionality. There are several principles for managing the firmware in the running network:

  • Maintain the same version of firmware all around the network – preferred scenario. RipEX units are able to cooperate even when running different version of firmware, but using the same firmware version in all units is the best way to keep the network maintenance easy and straightforward.

  • The traditional good-practice says “do not touch the running system” – which means: do not upgrade the firmware if there is no reason to do so.

  • The cyber security issues may force the firmware to be upgraded e.g. when some serious security vulnerability was fixed.

There are 2 stages of the firmware upgrade procedure:

a) Uploading new firmware into the unit internal archive

b) Updating the unit firmware

Both operations can take several tens of seconds.

[Note]Note

Unit configuration backup is highly recommended prior the firmware update.

To upgrade the firmware:

  1. Optional (recommended): Backup the current unit configuration (menu Settings – Device – Configuration – Back up and download)

  2. Download the required firmware from the Racom web: Products – RipEX – Download – Firmware RipEX2 – ripex2-fw-x.x.x.0.fwp

  3. Click the Choose File button (the button label may differ based on your web browser localization) to select the firmware file

  4. Click the Upload firmware to archive button to transfer the firmware file into the unit. The upload can take a long time, depending on the connection speed between the management PC and the RipEX2 unit. In case of a slow connection and a file transfer longer than 120 s, the web browser will shut down the connection and the action will not finish successfully. This action does not update the running unit firmware yet, and other communication running through this unit is not affected. Successful saving of the new firmware into the archive is announced in the Notifications and the available firmware version is printed under the “Update firmware” heading (on the right side of the “>” mark).

  5. Click the Update firmware button to update (i.e. reinstall) the unit firmware. The update process takes approx. one minute. The user data communication running through this unit is interrupted for a while. All the processes are restarted in a certain moment (e.g. VPN tunnels need to be re-established).

  6. It is possible not only to upgrade the firmware version, but also to downgrade it, although this operation is not recommended. Be aware of the possible security issues of a firmware downgrade, as outdated security code may be part of an old firmware. The unit configuration may not be fully compatible; in such a case, parts of the unit configuration will be changed to the default values.

    [Warning]Warning

    Do not shut down the unit during the firmware update process. It may permanently damage the unit.