...

Attributes – Function
Object Type – EtherPort
Parents – System → Networks
Instance

Enter a unique instance number between 0 and 16.

The instance number must correspond with the Linux interface name of the Ethernet port. Instance #0 and #1 configure the built-in 'eth0' and 'eth1' ports, and Instance #2 configures the 'eth2' port of the optional AIM104-ETHER.

Properties – Values
Network Card Type – (Included only for compatibility with older ACE objects)
Network Card Address – (Included only for compatibility with older ACE objects)
Network Card IRQ – (Included only for compatibility with older ACE objects)
Network Card DMA – (Included only for compatibility with older ACE objects)
Domain Name – Enter a unique name for this interface, used in certain ACE objects (for instance, the Interface column of the Routes object) to identify this network adapter. This is case-sensitive.
Network Card IP – Enter the IP address for the Ethernet adapter, in dotted notation.
To make the Ethernet port a DHCP client (obtaining an IP address, subnet mask, and default gateway from a DHCP server), set the Network Card IP to 0.0.0.0. A DHCP client accepts its address and default gateway from whatever server answers on that segment, so use it only on interfaces whose DHCP server you control.
Subnet Mask – Enter the subnet mask, in dotted notation.
Make sure that all IP interfaces are configured for non-overlapping subnets. If using DHCP client, this field is ignored and may be set to 0.0.0.0.
Default Gateway – Enter the default gateway, which is the IP address of a router through which the RediGate reaches addresses beyond its local subnet.
If a default gateway is configured in a Routes object in the configuration, or if no default gateway is needed, set this property to 0.0.0.0. If using DHCP client, this field is ignored and may be set to 0.0.0.0.

 

Multi-Home

The Multi-Home configuration allows additional IP addresses to be defined on the same Ethernet interface. This object should be omitted unless more than one IP address must be defined.

...

Properties – Values
IP Homes

Click the Edit Table button to edit the list of Multi-Home addresses.

Network Card IP – Enter the additional IP address to be used, in dotted notation (do not include the primary IP address defined in the Ethernet object).
Subnet Mask – Enter the Subnet Mask to be associated with this IP address, in dotted notation.
Default Gateway – Enter the Default Gateway to be used with this IP address, in dotted notation.

...

Attributes – Function
Object Type – DHCP Server
Parent(s) – System → Networks → EtherPort
Instance – Must be 0
Properties – Values
LAN Interface Name

Enter the Linux interface name of the Ethernet port on which to run the DHCP server.

LAN Subnet Address – Enter the subnet address of the subnet that should be served to clients as part of the DHCP information, in dotted notation. The subnet address should follow normal IP rules (for instance, on a 192.3.1.x network with a 255.255.255.0 subnet mask, the subnet address would be 192.3.1.0).
LAN Subnet Mask – Enter the subnet mask of the subnet that should be served to clients, in dotted notation.
Served Address Range Start IP – Enter the starting IP address that should be served to clients, in dotted notation.
Served Address Range End IP – Enter the ending IP address that should be served to clients, in dotted notation. The range of addresses between the Start IP and End IP determines how many DHCP clients can be supported simultaneously on the interface. Keep the RediGate's own interface address (and any Multi-Home addresses) outside this range.
Served Default Gateway – Enter the address of the Default Gateway to be served to DHCP clients, in dotted notation.
Served Domain Name – Enter the domain name to be served to DHCP clients (must be from 1 to 64 characters).
Served DNS Server Primary – Enter the address that will be served to DHCP clients as their primary DNS server, in dotted notation.
Served DNS Server Secondary – Enter the address that will be served to DHCP clients as their secondary DNS server, in dotted notation.
Served Broadcast Address – Enter the address that will be served to DHCP clients as the broadcast IP. The broadcast IP should follow normal IP rules (for instance, on a 192.3.1.x network with a 255.255.255.0 subnet mask, the broadcast IP address would be 192.3.1.255).
Lease Time-Default – Enter the default lease time, in seconds.
Lease Time-Max – Enter the maximum lease time, in seconds.
Authoritative

Select whether or not to make this DHCP Server "authoritative."

Setting this to "No" means that if a client requests an address that the server knows nothing about and the address is incorrect for that network segment, the server will not send a DHCPNAK (which tells the client it should stop using the address). Setting this to "Yes" will send a DHCPNAK in this case, to force the client to stop using the incorrect address on the network and immediately request a new address. Use "Yes" only when this is the sole DHCP server on the segment; an authoritative server that NAKs leases granted by another server on the same segment will disrupt those clients.
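The subnet rules in the EtherPort and DHCP Server tables above (non-overlapping interface subnets; a served range, gateway and broadcast that agree with the LAN subnet; the RediGate's own address outside the served range) are easy to get wrong in flat property tables. The following Python script is an added example, not RediGate code: it checks a constructed configuration with the standard-library ipaddress module. The dict layout and key names are this example's own, not the ACE export format.

```python
import ipaddress

# Constructed sample mirroring the EtherPort / Multi-Home / DHCP Server properties
# documented above (not a real RediGate export; the keys are this example's own).
SAMPLE_CONFIG = {
    "interfaces": [
        {"name": "eth0", "ip": "192.168.1.1", "mask": "255.255.255.0", "gateway": "0.0.0.0"},
        {"name": "eth1", "ip": "10.10.10.1", "mask": "255.255.255.0", "gateway": "0.0.0.0"},
        # a Multi-Home address on eth0
        {"name": "eth0", "ip": "172.16.5.1", "mask": "255.255.255.0", "gateway": "0.0.0.0"},
    ],
    "dhcp": {
        "lan_interface": "eth1",
        "subnet": "10.10.10.0", "mask": "255.255.255.0",
        "range_start": "10.10.10.100", "range_end": "10.10.10.199",
        "gateway": "10.10.10.1", "broadcast": "10.10.10.255",
    },
}


def interface_networks(interfaces):
    """(name, IPv4Interface) for every statically addressed interface.
    0.0.0.0 means 'DHCP client' in the EtherPort object and is skipped."""
    nets = []
    for itf in interfaces:
        if itf["ip"] == "0.0.0.0":
            continue
        nets.append((itf["name"], ipaddress.IPv4Interface(f'{itf["ip"]}/{itf["mask"]}')))
    return nets


def check_overlaps(interfaces):
    """Every pair of static subnets that overlap (the page requires none)."""
    problems = []
    nets = interface_networks(interfaces)
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            (n1, a), (n2, b) = nets[i], nets[j]
            if a.network.overlaps(b.network):
                problems.append(f"{n1} {a} overlaps {n2} {b}")
    return problems


def check_dhcp(dhcp, interfaces):
    """Served subnet/broadcast/range/gateway must agree, and the serving
    interface must own an address on the subnet that is outside the pool."""
    problems = []
    net = ipaddress.IPv4Network(f'{dhcp["subnet"]}/{dhcp["mask"]}', strict=False)
    if str(net.network_address) != dhcp["subnet"]:
        problems.append(f"LAN Subnet Address should be {net.network_address}")
    if str(net.broadcast_address) != dhcp["broadcast"]:
        problems.append(f"Served Broadcast Address should be {net.broadcast_address}")
    start = ipaddress.IPv4Address(dhcp["range_start"])
    end = ipaddress.IPv4Address(dhcp["range_end"])
    if start > end:
        problems.append("Range Start IP is after Range End IP")
    for label, addr in (("Range Start IP", start), ("Range End IP", end)):
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is not a host address in {net}")
    gw = ipaddress.IPv4Address(dhcp["gateway"])
    if gw not in net:
        problems.append(f"Served Default Gateway {gw} is outside {net}")
    own = [a for n, a in interface_networks(interfaces) if n == dhcp["lan_interface"]]
    if not any(a.ip in net for a in own):
        problems.append(f'{dhcp["lan_interface"]} has no static address in {net}')
    for a in own:
        if start <= a.ip <= end:
            problems.append(f"interface address {a.ip} lies inside the served range")
    return problems


def validate(config):
    return check_overlaps(config["interfaces"]) + check_dhcp(config["dhcp"], config["interfaces"])


def pool_size(dhcp):
    """Number of simultaneous leases the Start/End range can support."""
    return (int(ipaddress.IPv4Address(dhcp["range_end"]))
            - int(ipaddress.IPv4Address(dhcp["range_start"])) + 1)


if __name__ == "__main__":
    for line in validate(SAMPLE_CONFIG) or ["configuration is consistent"]:
        print(line)
    print("leases available:", pool_size(SAMPLE_CONFIG["dhcp"]))
```

Run it against the exported values before loading a configuration; an overlap between an Ethernet subnet and the cellular side, or a pool that contains the gateway's own address, shows up here rather than as an unreachable unit in the field.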



Async Port

The Async Port configuration defines the asynchronous serial communication properties of a physical serial port. Do not configure an Async Port object for any serial port used as an IP network, such as PPP or SLIP.

Note: Async ports can also be defined as "Virtual Ports", which represent internal software links between tasks rather than physical communication ports. For additional information, see the section Virtual Ports.

...

Properties – Values
PPP Port

Select the physical communication port to be used for PPP. This should be the internal port to which the cell modem is physically connected.

Do not configure this port as an Async or other type of port in addition to the PPP port configuration. If there are Async and PPP objects defined for the same physical COM port, neither will work properly.

Baud Rate – Select the baud rate for the cell modem port.
Parity – Select the parity for the cell modem port. Parity options supported are None, Odd and Even.
Word Length – Select the data bits for the cell modem port (7 or 8 bits).
Stop Bits – Select the stop bits for the cell modem port (1 or 2 bits).
Warm Up Time

Enter value for warm up time.

This is the amount of time to wait before sending data after the RTS handshaking lead has been asserted. The default entry of 0 should be used, denoting that RTS/CTS hardware handshaking will be used. 

Warm Down Time

Enter value for warm down time.

This is the amount of time to wait after the entire message packet has been shifted out to keep the RTS handshaking lead asserted. 

The default entry of 0 should be used, denoting that RTS/CTS hardware handshaking will be used. 

Domain Name

Enter the domain name.

Name used by certain tasks internally to identify different IP adapters. This is case-sensitive. 

PPP IP

Enter the PPP IP address.

This is the address at which other network devices will see this device when trying to make a connection via PPP. If connecting to a cellular network that assigns the address automatically, configure this parameter as 0.0.0.0 so that the address offered by the network during PPP (IPCP) negotiation is accepted.

Subnet Mask

Enter the subnet mask.

Should always be 255.255.255.255 for PPP.

If a static IP is used and a Default Gateway is required to make outbound connections beyond the local subnet, the Routes object must also be configured (see the section Route). 

Connection TimeToDie

Number of seconds to operate a PPP session before killing the connection.

This time is absolute, measured from the time at which the session was initiated. The PPP connection will be closed when the TimeToDie timer expires, regardless of whether data is still being transferred. This may be used to force a dial connection to hang up to limit cellular connection charges.

Disable the TimeToDie by setting it to -1 if the connection should never be closed automatically.

Modem Type

Select the type of modem being configured. This will depend on the hardware physically available on this device.  Options are:

  • SARA-R4 (LTE/CAT-M1)
  • HE910 (GSM/HSPA+)
  • DE910-DUAL (CDMA/EVDO, Verizon)
AT Init Strings

Enter one or more optional text entries for AT commands to be sent to the modem upon initialization. Text strings are limited to 80 characters. The AT Init Strings and all built-in modem initialization commands and responses are logged in a file /tmp/modemlog.txt.

Consult modem manual for initialization parameters or other AT commands available.

NOTE: For the EVDO modem, if using mobile IP (MIP) on a Verizon network, it is recommended to add the following initialization string to force the modem to use MIP rather than permitting fallback to Simple IP (SIP): AT$QCMIP=2 

Connect String

Enter the modem connect string. This is the AT command telling the modem to enter an IP data session and depends on the modem model.

For CAT-M1 or GSM/HSPA+ modem (SARA-R4 or HE910), use: ATD*99***1# 

For EVDO modem (DE910-DUAL), use: ATDT#777

Enable Serial MUX

Select whether to use a serial multiplexer to the modem. This should typically be set to 'Enabled'.

The serial multiplexer allows the PPP data session and other diagnostics (AT commands, GPS output) to run over the modem simultaneously. See the sections Modem Ports 73/75/77 and AT Commands for the other options that can be used with it.

Use as Default GatewaySelect whether to use this cell modem network as the Default Gateway. Typically this should be set to 'Yes'. 
Network Inactivity WatchdogEnter the number of minutes of inactivity to be allowed, before the modem and PPP session will be restarted. 
APN

Enter the APN (Access Point Name), which is the network gateway through which the cell modem will connect. This is typically dependent on the cellular carrier that the modem is activated on, and may be a public or private APN depending on the cellular account settings.

Used for CAT-M1 or GSM/HSPA networks only; leave blank for EVDO networks. 

Use Peer DNSSelect whether to use DNS from the cellular network provider. 
Authentication Type

Select the type of PPP authentication required by the cellular network. This setting and the Auth User Name and Password will depend on the cellular account activation.

Authentication types are:

  • Disabled
  • PAP Authentication
  • CHAP Authentication

PAP transmits the password in the clear over the PPP link, whereas CHAP transmits only a challenge response; prefer CHAP where the carrier accepts it.

Auth User Name

Enter the user name required by the cellular network for PAP or CHAP authentication.

User Name is case sensitive and limited to 32 characters. 

Auth Password

Enter the password required by the cellular network for PAP or CHAP authentication.

Password is case sensitive and limited to 32 characters.

...

Attributes – Function
Object Type – Port73b_AT-CMDs, Port75b_AT-CMDs_GPS-HE910, Port77b_GPS-DE910
Parent(s) – System → Networks → Cell Modem
Instance

Instance number for each port must be 0.

The ACE template is built so that each of these objects creates the appropriate AsyncPort filename: port073, port075, port077

Properties – Values (Port 73)

n/a (only used for AT command access)

Properties – Values (Port 75)
Port Settings

Select the AT command or GPS option for this port:

  • AT commands (disable GPS – HE910): Only use the port for AT commands on the HE910 or DE910 modem. If used with the HE910, disable power to the GPS receiver in the modem.
  • AT commands (power GPS – HE910): Only use the port for AT commands on the HE910 or DE910 modem. If used with the HE910, enable power to the GPS receiver. For instance, this might be used to query the GPS location using AT commands.

The following selections enable the GPS receiver to automatically output location data in NMEA format once per second (Port 75 only supports GPS on the HE910 modem). NOTE: a GPS antenna connection is only available on the RediGate 400, not the RediGate 100 series. For a description of the NMEA data messages, see the Telit MT GNSS Software User Guide.

  • GPS (HE910) - All GPS Sentences/Clock: Output all NMEA messages listed below; can be used to set the system's real-time clock.
  • GPS - GGA Only (Lat,Long,Sats,Alt,DOP): Output only the 'GGA' message (14 comma-separated values).
  • GPS - GLL Only (Lat,Long): Output only the 'GLL' message (6 comma-separated values).
  • GPS - GSA Only (Sats,DOP): Output only the 'GSA' message (17 comma-separated values).
  • GPS - GSV Only (Sats, 1-4 sentences): Output only 'GSV' messages (19 comma-separated values per message, up to 4 messages depending on the number of satellites in view).
  • GPS - RMC only/Clock (Lat,Long,Speed): Output only the 'RMC' message (12 comma-separated values); can be used to set the system's real-time clock.
  • GPS - VTG Only (True Tracking,Speed): Output only the 'VTG' message (9 comma-separated values).
  • GPS - RMC and VTG/Clock: Output only the 'RMC' and 'VTG' messages; can be used to set the system's real-time clock.
  • GPS - GGA, RMC, and VTG/Clock: Output only the 'GGA', 'RMC', and 'VTG' messages; can be used to set the system's real-time clock.

Properties – Values (Port 77)

Same as the Port Settings for Port 75, except that it is only applicable to the DE910 modem and should not be used with the HE910.


USAGE NOTE:

There are two ways to receive GPS data from the modem into RTDB registers and/or use the GPS date/time to synchronize the RediGate system clock:

...

The RediGate regularly sends an AT command to read the cellular signal strength in order to control the cellular LED. If any user-configured commands are included in the AT Commands object, those commands are sent alternately with the built-in signal strength query. AT commands are sent at a regular interval of 5 seconds. For instance, if two user commands are defined to read the signal strength and the registration status into RTDB registers, the AT command sequence will be:

AT+CSQ (built-in)
(5 seconds)
AT+CSQ (user AT command)
(5 seconds)
AT+CSQ (built-in)
(5 seconds)
AT+CREG? (user AT command)
(5 seconds)

When the response to each user-configured command is received, it is parsed according to the rules described below under the 'Conversion' field. Commands often return a comma-separated list of values; the AT Commands object allows these values to be split on the commas and stored individually.

...

Properties – Values
Timeout Msec

Enter the timeout (in milliseconds) to wait for the modem's response to an AT command.

AT Cmds RTDB Map – This table defines any user-configured AT commands to be queried regularly. Enter one or more rows in the AT Cmds table to use this feature. Each row has the following columns:
AT Command

Enter the AT command string to send to the modem, or the single uppercase character 'C'. The AT string must be a command that is recognized by the modem model being used.

If the command returns several different values to be parsed, 'C' indicates a continuation row. This allows the response from the previous command to be skipped or parsed according to different rules, as described in the remaining properties below.

Conversion

Select the type of conversion to use when parsing the command response from the modem.

  • SINT16 – Store value(s) as 16-bit signed integer
  • SINT32 – Store value(s) as 32-bit signed integer
  • SINT64 – Store value(s) as 64-bit signed integer
  • REAL32 – Store value(s) as 32-bit floating point
  • STRING-32 – Store parsed parameter(s) as a 32-character string. The Count refers to the number of comma-separated strings.
  • STRING-256 – Store the entire remainder of the AT command response into a STRING-256 register. The Count field is ignored.
  • SKIP – Discard one or more comma-separated parameters from the AT command response, based on Count.


Use the following GPS conversion options with the "AT$GPSACP" command, which returns GPS data from the modem in the following format (the Count column is ignored):

$GPSACP: 214127.000,3853.5898N,09447.4488W,0.9,315.4,3,0.0,0.0,0.0,310715,07

  • GPS REAL32 – Store each comma-delimited parameter of the $GPSACP response into thirteen REAL32 registers verbatim (the hemisphere letters attached to the latitude and longitude are split out into their own registers), as:
  1. UTC time as hhmmss.sss (e.g. 214127.000 = 21:41:27 UTC)
  2. Latitude as DDMM.mmmm (e.g. 3853.5898)
  3. Latitude direction, stored as the ASCII code: N=78, S=83
  4. Longitude as DDDMM.mmmm (e.g. 09447.4488)
  5. Longitude direction, stored as the ASCII code: W=87, E=69
  6. HDOP/Horizontal dilution of precision (e.g. 0.9)
  7. Altitude, meters above mean sea level (e.g. 315.4)
  8. Fix, 0=No fix, 2=2D fix, 3=3D fix
  9. Course over ground, in degrees (ddd.mm)
  10. Speed over ground (km/h)
  11. Speed over ground (knots)
  12. Date of fix, as ddmmyy (e.g. 310715 = July 31, 2015)
  13. Total number of satellites in use (0 to 12)

  • GPS Set Clock – Use the time and date returned in the $GPSACP response to set the real-time clock of the RediGate. A response with Fix=0 carries no valid time, so check the Fix value before trusting the clock it sets.
  • GPS DDMM.mm to De.gree – Store each comma-delimited parameter of the $GPSACP response into thirteen REAL32 registers (Count is ignored). The latitude/longitude values are converted from their native degrees-and-minutes (DDMM.mmmm) format into decimal degrees. Values are the same as above, except Latitude and Longitude:

2. Latitude as ±dddd.dddd (positive=north, negative=south)
4. Longitude as ±dddd.dddd (positive=east, negative=west)

  • GPS Set Clock, to De.gree – This option combines the previous two options: convert degrees-and-minutes to decimal degrees and set the real-time clock.
Channel – Enter the Master Channel number of the destination RTDB.
RTU – Enter the Field Unit address of the destination RTDB.
RTDB Dest – Enter the starting numeric register address of the destination RTDB into which data from this command will be stored. The RTDB addresses must be defined and must be of the correct data type.
Count – Enter the number of data entities of the same 'Conversion' type to parse sequentially. If the response to an AT command includes multiple values of different types, these must be handled on separate rows in the table, with the Count appropriate for each row.
Comment – Optional column, allowing a descriptive comment to be entered for each row in the table. The Comment field is unused in the configuration.
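Worked example of the $GPSACP parsing rules above: the 13-register verbatim layout of the GPS REAL32 conversion, the DDMM.mmmm to decimal-degree conversion, and the clock value derived from the time and date fields. This is added Python, not the RediGate's own parser. The sample response is the one shown on this page; the refusal to produce a clock value when Fix is 0 and the treatment of empty fields as 0.0 are this example's choices.

```python
import datetime

# Sample response, copied from the format shown on this page.
SAMPLE_GPSACP = "$GPSACP: 214127.000,3853.5898N,09447.4488W,0.9,315.4,3,0.0,0.0,0.0,310715,07"

# Register order of the GPS REAL32 conversion (13 values, hemisphere letters split out).
REGISTER_NAMES = ["utc_time", "latitude", "lat_dir", "longitude", "lon_dir", "hdop",
                  "altitude", "fix", "course", "speed_kmh", "speed_knots", "date", "satellites"]


def _num(field):
    """Empty fields (modem has no fix) become 0.0, as a REAL32 register would hold."""
    return float(field) if field else 0.0


def _split_hemisphere(field):
    """'3853.5898N' -> (3853.5898, 78.0): the letter is stored as its ASCII code."""
    if not field:
        return 0.0, 0.0
    value, letter = field[:-1], field[-1]
    if letter not in "NSEW":
        raise ValueError(f"bad hemisphere in {field!r}")
    return _num(value), float(ord(letter))


def parse_gpsacp_verbatim(response):
    """The 'GPS REAL32' conversion: 13 REAL32 values in register order."""
    prefix = "$GPSACP:"
    if not response.startswith(prefix):
        raise ValueError("not a $GPSACP response")
    parts = [p.strip() for p in response[len(prefix):].split(",")]
    if len(parts) != 11:
        raise ValueError(f"expected 11 comma-separated fields, got {len(parts)}")
    lat, lat_dir = _split_hemisphere(parts[1])
    lon, lon_dir = _split_hemisphere(parts[2])
    return ([_num(parts[0]), lat, lat_dir, lon, lon_dir]
            + [_num(p) for p in parts[3:9]]
            + [_num(parts[9]), _num(parts[10])])


def ddmm_to_degrees(value, hemisphere_code):
    """DDMM.mmmm / DDDMM.mmmm to signed decimal degrees (S and W negative)."""
    degrees = int(value // 100)
    minutes = value - degrees * 100
    decimal = degrees + minutes / 60.0
    return -decimal if chr(int(hemisphere_code)) in "SW" else decimal


def parse_gpsacp_degrees(response):
    """The 'GPS DDMM.mm to De.gree' conversion: same 13 values, lat/lon in degrees."""
    regs = parse_gpsacp_verbatim(response)
    regs[1] = ddmm_to_degrees(regs[1], regs[2])
    regs[3] = ddmm_to_degrees(regs[3], regs[4])
    return regs


def gpsacp_clock(regs):
    """UTC datetime from the hhmmss.sss and ddmmyy registers, or None without a fix.
    Refusing to step the clock on Fix=0 is this example's guard, not the page's."""
    if regs[7] == 0.0:
        return None
    hhmmss, ddmmyy = int(regs[0]), int(regs[11])
    return datetime.datetime(2000 + ddmmyy % 100, (ddmmyy // 100) % 100, ddmmyy // 10000,
                             hhmmss // 10000, (hhmmss // 100) % 100, hhmmss % 100,
                             tzinfo=datetime.timezone.utc)


if __name__ == "__main__":
    regs = parse_gpsacp_degrees(SAMPLE_GPSACP)
    for name, value in zip(REGISTER_NAMES, regs):
        print(f"{name:12s} {value}")
    print("clock:", gpsacp_clock(regs))
```

The clock guard matters beyond correctness: the system time set here is what the TLS/SSL object later uses to judge certificate validity periods, so a clock stepped from a fix-less response can make every certificate look expired or not yet valid.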

...

Properties – Values

INPUT Policy

OUTPUT Policy

FORWARD Policy

Select the default packet policy for each of the three chains from one of the following options:

Accept All Input/Output/Forwarding Packets

Drop All Input/Output/Forwarding Packets

The first actions in the firewall.sh script flush the existing contents of the 'iptables' chains, using the commands:

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F

Then the INPUT Policy, OUTPUT Policy, and FORWARD Policy settings configure the default rules for packets not explicitly matched by the remainder of the configuration. These generate commands such as:

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

A Drop policy on INPUT and FORWARD, with only the needed exceptions added in the properties below, is the safe starting point; an Accept policy on INPUT exposes every listening service on every interface, including the cellular one.

All the remaining properties are optional tables that may contain zero or more rows, each of which adds 'iptables' rules to the firewall.sh script. Each rule is appended (-A), and 'iptables' applies the first matching rule, so a "Drop All INPUT by Interface" row only affects packets not already accepted by an earlier rule.

Accept All INPUT by Interface

Enter Linux interface name(s) for which to accept all INPUT packets. This setting overrides a global Drop or Reject rule in the INPUT Policy for that interface, and defines commands such as:

iptables -A INPUT -i eth0 -j ACCEPT

The following rules are included by default:
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Port Management

The Port Management property allows individual ports to be accepted, dropped, or rejected (with ICMP error), regardless of the above settings. Ports can be specified using the INPUT or OUTPUT chain, protocol (TCP, UDP, or ICMP), Linux interface name, and port number. Some examples of commands are:

iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A OUTPUT -p udp -o eth0 --dport 500 -j ACCEPT 

Masquerade

The Masquerade property allows devices on one interface to appear as if they existed on a different interface. This is often used, for instance, where devices on a local Ethernet interface need to make outbound IP connections using a public cellular/PPP interface. The local network is "masqueraded" behind the address of the public-side interface.

Enter one or more rows in the Masquerade table to use this feature:

Output Interface – Select the Linux network interface name, which is the network on which devices should be made to appear.

Source Network – Enter the IP address range on one of the other network interfaces which should be allowed to masquerade on the output interface. The IP address range should be entered in the format "IP_network/mask_bits", such as "192.168.1.0/24".

Following are examples of Masquerade commands. In these examples, devices on the 192.168.1.x network are masqueraded to the 'eth2' interface, and the addresses in 172.1.1.5/30 (hosts 172.1.1.5 and 172.1.1.6) appear on the 'ppp0' interface:

Code Block
iptables -t nat -A POSTROUTING -o eth2 --source 192.168.1.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -o ppp0 --source 172.1.1.5/30 -j MASQUERADE

When using masquerading, the following command is added by default to enable packet forwarding between interfaces:

Code Block
echo 1 > /proc/sys/net/ipv4/ip_forward

Note that this turns the RediGate into a router for all of its interfaces; which packets are actually forwarded is then decided by the FORWARD Policy and the Forwarding by Interface rows below.
Forwarding by Interface

The Forwarding by Interface option allows all packets to be freely forwarded between two Linux interfaces, which are selected from a drop-down list. There should always be two rows defined, which will forward packets in both directions. The 'iptables' commands generated by this option accept packets in the FORWARD chain, for example:

Code Block
iptables -A FORWARD -o eth0 -i ppp0 -j ACCEPT
iptables -A FORWARD -o ppp0 -i eth0 -j ACCEPT
DNAT Pre-routing

The DNAT Pre-routing option allows IP packets to be modified as they arrive at an input interface. By matching the packet's destination port, the packet can be rewritten with a new destination IP address and port number.

Enter one or more rows in the DNAT Pre-routing table:

Interface Name – Select the Linux interface name on which the IP packets will be arriving.

Protocol – Select the protocol of packets to be routed (TCP, UDP, or ICMP).

Dest Port – Enter the numeric IP port number of the incoming packets to be matched.

New IP AndOr Port – Enter the new IP address and optional port number. This should be entered as "IP_address:port", such as "10.10.10.2:161" (this field is limited to 20 characters). An example of the 'iptables' command generated by this option is:

Code Block
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8080 -j DNAT --to-destination 10.10.10.2:80

A DNAT row publishes the internal device on the arrival interface, so choose the interface and port deliberately. The rewritten packets still pass through the FORWARD chain: with a Drop FORWARD Policy, a matching Forwarding by Interface (or Custom IPTABLES) rule is also needed for the connection to succeed.

SNAT Post-routing

The SNAT Post-routing option allows IP packets to be modified before they leave an output interface. By matching the packet's source address and destination port, the packet can then be rewritten with a new source IP address and source port number.

Enter one or more rows in the SNAT Post-routing table:

Interface Name – Select the Linux interface name on which the IP packets will be leaving.

Protocol – Select the protocol of packets to be routed (TCP, UDP, or ICMP).

Source IP – Enter the source IP address of the outgoing packets to be modified.

Dest Port – Enter the numeric destination IP port number of the outgoing packets to be modified. Use only a colon instead of a number to exclude the port setting from the 'iptables' command.

New IP AndOr Port – Enter the new source IP address and port number. This should be entered as "IP_address:port", such as "10.10.10.2:161" (this field is limited to 20 characters). An example of the 'iptables' command generated by this option is:

Code Block
iptables -t nat -A POSTROUTING -o ppp0 -p udp -s 10.10.10.2 --dport 161 -j SNAT --to-source 192.168.55.22:1661

Drop All INPUT by Interface

This property allows any other INPUT packets that were not caught by previous 'iptables' rules on a given interface to be dropped. Select the Interface Name on which to drop packets. An example of this rule is:

Code Block
iptables -A INPUT -i ppp0 -j DROP

Custom IPTABLES

Finally, the Custom IPTABLES option allows you to configure any other 'iptables' commands that the previous Firewall object properties don't support. The 'iptables' utility has many options and variations that might be needed for certain networking situations. These custom rules are added to the firewall.sh script verbatim, with one qualifier:

The free-format table entry only allows a maximum of 80 characters per line. If the command requires more than 80 characters, use a tilde (~) character at the end of a line to indicate that the next line contains a continuation of the command. The tilde character is converted to a backslash (\) character in the script to perform the continuation. Because the entries are run as shell commands without any checking, treat edit access to this table like root access to the device. Here are two recommended examples of custom entries allowing incoming and outgoing 'ping' traffic:

Code Block
iptables -A INPUT -p icmp -m state --state ~
NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state ~
NEW,ESTABLISHED,RELATED -j ACCEPT
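The properties above each contribute lines to firewall.sh. The following Python script is an added example, not the RediGate's own generator: it assembles such a script from a constructed configuration in the order the properties are documented above (that order, the dict keys, and the use of ppp0 as the public interface in the sample are assumptions), applies the 80-character/tilde continuation rule to Custom IPTABLES rows, and summarises what each interface will accept on INPUT, which is the check worth running before loading a firewall onto a unit with a public cellular interface.

```python
# Constructed configuration mirroring the Firewall object's property tables above.
# Key names are this example's own; the iptables text follows the page's examples.
SAMPLE_FIREWALL = {
    "policy": {"INPUT": "DROP", "OUTPUT": "ACCEPT", "FORWARD": "DROP"},
    "accept_all_input_by_interface": ["eth0"],
    "port_management": [
        {"chain": "INPUT", "proto": "tcp", "iface": "ppp0", "port": 22, "target": "ACCEPT"},
        {"chain": "OUTPUT", "proto": "udp", "iface": "eth0", "port": 500, "target": "ACCEPT"},
    ],
    "masquerade": [{"out_iface": "ppp0", "source": "192.168.1.0/24"}],
    "forwarding_by_interface": [("ppp0", "eth0"), ("eth0", "ppp0")],   # (out, in) pairs
    "dnat_prerouting": [{"iface": "ppp0", "proto": "tcp", "dport": 8080, "to": "10.10.10.2:80"}],
    "snat_postrouting": [{"iface": "ppp0", "proto": "udp", "source": "10.10.10.2",
                          "dport": "161", "to": "192.168.55.22:1661"}],
    "drop_all_input_by_interface": ["ppp0"],
    "custom": [
        "iptables -A INPUT -p icmp -m state --state ~",
        "NEW,ESTABLISHED,RELATED -j ACCEPT",
    ],
}


def custom_lines(entries):
    """The 80-character rule: a trailing '~' becomes a shell backslash continuation."""
    out = []
    for line in entries:
        if len(line) > 80:
            raise ValueError("custom rule lines are limited to 80 characters")
        out.append(line[:-1] + "\\" if line.endswith("~") else line)
    return out


def generate_firewall_sh(cfg):
    """Emit firewall.sh in the order the Firewall properties are documented (assumed)."""
    lines = ["#!/bin/sh",
             "iptables -F INPUT", "iptables -F OUTPUT", "iptables -F FORWARD", "iptables -t nat -F"]
    for chain in ("INPUT", "OUTPUT", "FORWARD"):
        lines.append(f"iptables -P {chain} {cfg['policy'][chain]}")
    # rules the page says are always present
    lines += ["iptables -A INPUT -i lo -j ACCEPT",
              "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for iface in cfg["accept_all_input_by_interface"]:
        lines.append(f"iptables -A INPUT -i {iface} -j ACCEPT")
    for r in cfg["port_management"]:
        flag = "-i" if r["chain"] == "INPUT" else "-o"
        lines.append(f"iptables -A {r['chain']} -p {r['proto']} {flag} {r['iface']} "
                     f"--dport {r['port']} -j {r['target']}")
    if cfg["masquerade"]:
        lines.append("echo 1 > /proc/sys/net/ipv4/ip_forward")
    for m in cfg["masquerade"]:
        lines.append(f"iptables -t nat -A POSTROUTING -o {m['out_iface']} "
                     f"--source {m['source']} -j MASQUERADE")
    for out_if, in_if in cfg["forwarding_by_interface"]:
        lines.append(f"iptables -A FORWARD -o {out_if} -i {in_if} -j ACCEPT")
    for d in cfg["dnat_prerouting"]:
        lines.append(f"iptables -t nat -A PREROUTING -i {d['iface']} -p {d['proto']} "
                     f"--dport {d['dport']} -j DNAT --to-destination {d['to']}")
    for s in cfg["snat_postrouting"]:
        port = f" --dport {s['dport']}" if s["dport"] not in ("", ":") else ""
        lines.append(f"iptables -t nat -A POSTROUTING -o {s['iface']} -p {s['proto']} "
                     f"-s {s['source']}{port} -j SNAT --to-source {s['to']}")
    for iface in cfg["drop_all_input_by_interface"]:
        lines.append(f"iptables -A INPUT -i {iface} -j DROP")
    lines += custom_lines(cfg["custom"])
    return "\n".join(lines) + "\n"


def input_exposure(cfg):
    """What each interface accepts on INPUT before the policy applies:
    'all' for Accept All INPUT by Interface, otherwise the Port Management ACCEPT ports."""
    exposure = {}
    for iface in cfg["accept_all_input_by_interface"]:
        exposure[iface] = "all"
    for r in cfg["port_management"]:
        if r["chain"] == "INPUT" and r["target"] == "ACCEPT" and exposure.get(r["iface"]) != "all":
            exposure.setdefault(r["iface"], []).append(f"{r['proto']}/{r['port']}")
    return exposure


if __name__ == "__main__":
    print(generate_firewall_sh(SAMPLE_FIREWALL))
    print("INPUT exposure:", input_exposure(SAMPLE_FIREWALL))
```

The exposure summary is the line to read before loading the script: an interface that appears as "all" accepts every listening service regardless of the Drop policy, which is acceptable for an isolated eth0 but not for ppp0.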

...

Properties – Values
Route Table – Click the Edit Table button to edit the list of route entries.
Destination Address – Enter an IP address in the range of addresses defined in this route entry, typically the first one in the range. When defining a Default Gateway, it must appear in the first row and have the Destination Address and Net Mask set to 0.0.0.0. Also make sure that no other Default Gateway is used for other interfaces in the configuration, including those obtained through DHCP.
Net Mask

The Net Mask defines the range of addresses covered by this route entry. If defining the Default Gateway (first row of the table only), this must be set to 0.0.0.0.

Gateway

Enter the IP address of the gateway (next-hop router) to use for addresses covered by this route entry.

If the first row in the Routes table has its Destination Address and Net Mask set to 0.0.0.0, its Gateway is treated as the Default Gateway for the system (overriding a Default Gateway setting in Ethernet objects). Use a non-zero Destination Address and Net Mask to define a specific route.

OR, you can define a route based on the interface rather than a specific gateway address. To do this, set the Metric to one of several specially designated values (90, 91, 100, 101, etc.), as described below. In this case, the Gateway property may be set to 0.0.0.0 to omit the 'gw' field in the Linux route command.

Note that when defining the Gateway property (other than 0.0.0.0), the address of the gateway must be reachable via the networking defined in other ACE objects for the specified interface.

Interface – Enter the text identifier of the network interface to use for the addresses appearing in this route. Note: This is case-sensitive. For instance, if the route entry specifies an address range on the Ethernet network, and the Ethernet object is configured with "Ether1" for its Domain Name, then "Ether1" must be entered as the Interface here.
Metric

The Metric indicates the relative priority when two routes might be used to reach the same network address. The route with the lower Metric is given priority.

OR, use the following specially designated values in the Metric field to set up a static route based on the interface name rather than a gateway IP address:

  • Use a Metric of 90 to use the 'ppp0' interface (91=ppp1, 92=ppp2, etc.)
  • Use a Metric of 100 to use the 'eth0' interface (101=eth1, 102=eth2, etc.)
  • With these designations, the Linux interface name is used in the 'route' entry instead of a gateway IP address.
Comment – Optional column, allowing a descriptive comment to be entered for each row in the table. The Comment field is unused in the configuration.

...

Properties – Values
TLS Version

Select the version of the TLS or SSL protocol to use.

TLS protocol versions are more secure than SSL. Select "all" to allow the client and server to negotiate the protocol; note that "all" also permits SSLv3 if the peer offers nothing better, so select a specific TLS version whenever the peer supports one.

Compression

Select the type of data compression to use.

Select 'none', 'zlib', or 'rle'. Compressing data before encryption lets an attacker who can inject chosen plaintext into the stream recover secrets from the ciphertext lengths (the CRIME class of attacks), so leave this at 'none' unless there is a specific need.

Verify Certificate

Select whether (and how) to use certificate verification to authenticate the TLS/SSL peer. A certificate is optional for a client but required on a server.

The number after the option indicates the stunnel "verify=" value:

  • NO certificate verification
  • ALWAYS require peer cert (2)
  • Request and ignore peer cert (0)
  • Validate only if cert is present (1)
  • Verify peer with locally installed cert (3)
  • Ignore CA chain & only verify peer cert (4)

Only levels 2, 3 and 4 actually authenticate the peer. With level 0 or 1 (and with no verification) a peer that presents no certificate at all is still accepted, so a client-mode tunnel configured this way will connect to whatever answers on the port.
Certificate File

If the Verify Certificate option has been selected to employ certificate authentication, identify the location on the Linux file system containing the certificate chain PEM file. If used, this property must begin with "cert = ".

NOTE: If no certificate is to be used, this field must be disabled, either by adding a semicolon at the beginning ("; cert = ") or by clearing the property value entirely. Otherwise, the TLS/SSL connection will fail.

The certificate file must be obtained from an appropriate certificate authority containing credentials for this device, which are also known by the TLS/SSL server. The certificate file must be put on the device in the specified location, and must be in PEM format.

Key File

If the Verify Certificate option has been selected to employ certificate authentication, identify the location on the Linux file system containing the private key associated with the certificate. If used, this property must begin with "key = ".

NOTE: If no certificate is to be used, this field must be disabled, either by adding a semicolon at the beginning ("; key = ") or by clearing the property value entirely. Otherwise, the TLS/SSL connection will fail.

The key file is typically created along with the certificate and must be put on the device in the specified location, and must be in PEM format. It is the device's identity: restrict its file permissions so that only the account the TLS/SSL process runs as can read it.

CA File

If the TLS/SSL server's certificate must be validated with a Certificate Authority before connecting to it, a file identifying the CA must be stored on the Linux file system. If used, this property must begin with "CAfile = " (case-sensitive).

The CA file must be in PEM format. 

CRL Path

If using a Certificate Revocation List file(s) to confirm the validity of the server's certificate, this property is used to identify the directory on the Linux file system where the CRL file(s) will be stored.

Only two options are available:

  • none
  • /etc/stunnel/crls
    If using CRL files, they must be stored in the above directory in PEM format. 
Connect Timeout

Select the amount of time to wait for a TLS/SSL connection to be established.

Default selection is 10 seconds. 

Idle Timeout

Select the amount of time to keep an idle connection open when there is no data transmitted.

Default selection is 1 hour. 

Busy Timeout

Select the amount of time to wait for expected data in case of a busy network.

Default selection is 5 minutes. 

FIPS mode

Select whether to use FIPS 140-2 encryption mode.

Default is no. (FIPS mode is not currently supported.)

Cipher List

Enter a list of encryption ciphers to allow for the TLS/SSL connection. This property must begin with "ciphers = " and must contain some criteria for the list of ciphers to include or exclude. Use a colon (:) to separate cipher names or criteria. (This property is not required and may be disabled by adding a semicolon before "ciphers" or by clearing the property entirely.)

Example: ciphers = !SSLv3:DH+AES:ECDH:-AES128

In Linux, the ciphers available in the system may be listed using the command: openssl ciphers -v
or (for example): openssl ciphers -v '!SSLv3:DH+AES:ECDH:-AES128'

The openssl command lists ciphers of various strengths, including those used by the SSL or TLS protocol versions. In order to ensure more robust encryption, the list may be filtered to allow only the more secure ciphers.

In the above example, "!SSLv3" permanently excludes every cipher that OpenSSL attributes to SSLv3, which in 'openssl ciphers -v' output includes the CBC/SHA-1 suites also used by TLS 1.0 and 1.1, leaving the TLS 1.2-specific suites (GCM, SHA-256/384) as candidates for the following terms. "DH+AES" adds ciphers that use both DH key exchange and AES (the "+" is an AND, not an OR; it does not by itself exclude RSA-authenticated suites such as DHE-RSA-AES256-GCM-SHA384). "ECDH" adds ciphers that use ECDH key exchange. "-AES128" removes from the list built so far those which use AES with a 128-bit key, leaving the 256-bit AES suites (unlike "!", a "-" removal can be undone by a later term). In OpenSSL 1.1.1 and later, TLS 1.3 suites are configured separately and are not affected by this string.

Consult the 'openssl' documentation for further information.

Renegotiation – Select whether to support connection renegotiation. Client-initiated renegotiation is rarely needed and gives a remote peer a cheap way to load the device with repeated handshakes, so leave it disabled unless a peer requires it.
Delay DNS – Select whether to delay the DNS lookup of the Connect To address until a connection is made.
Debug Level

Select the debugging level for TLS/SSL diagnostics.

The default level is 5 (notice). Use level 7 for a greater quantity of diagnostic messages in the Log File to troubleshoot connection problems. 

Log File

This property is hard-coded and indicates where the TLS/SSL debug messages may be found.

Only option is /var/log/messages 

Socket option 1

Sets TCP socket options for the connection. This is an optional field, but if used for socket options it must begin with "socket = ". See stunnel documentation for further information.

Default value is "socket = l:TCP_NODELAY=1" 

Socket option 2

Sets TCP socket options for the connection. This is an optional field, but if used for socket options it must begin with "socket = ". See stunnel documentation for further information.

Default value is "socket = r:TCP_NODELAY=1"

 

PID

Name of PID file used by Linux for the TLS/SSL process. This option is hard-coded to /var/run/stunnel.pid

Param 1
Param 2
Param 3

Additional (optional) stunnel parameters.

If used, these fields must be formatted as proper 'stunnel' configuration options and will be placed verbatim in the stunnel.conf Linux configuration file.

 

Client Mode

Choose whether to use client mode for the TLS/SSL connection. In Client Mode, this will listen for a local (non-secure) connection to be made to its listener port, and then initiate a connection to a remote server. If set to Server Mode, this will operate as a TLS/SSL server, waiting for a connection to be made to it from another secure client.

STUNNEL Parameters

In the STUNNEL Parameters field, enter a series of properties that are used to define one or more TLS/SSL tunnels between a non-secure and a secure port connection.

Tunnel Name

Enter a unique logical name of the stunnel service (limited to 16 characters) for each tunnel being defined.
Accept Connection

Enter a string that defines the port which will receive the connection, and an optional IP address. Some examples of port or "IP:port" are given below:

  • 443
  • 127.0.0.2:1883
  • 192.168.1.2:3040 
Connect To

Enter a string that defines the address and IP port to which a connection will be made after receiving a socket on the "Accept Connection" port. The address being connected to must be accessible using the system's DNS and routing rules. Some examples are:

  • 10.1.2.1:443
  • xyz.com:20000
  • 127.0.0.3:3040
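The following is an added example, not code from the RediGate/ACE product, showing how the tunnel properties above (Tunnel Name, Client Mode, Accept Connection, Connect To, Cipher List, Socket options and the verbatim Param fields) can be validated against the format rules this page states and rendered as an stunnel.conf service section. It assumes ACE maps these properties onto the standard stunnel keys `accept`, `connect`, `client`, `ciphers`, `socket`, `debug`, `pid`, `TIMEOUTidle` and `TIMEOUTbusy`; the sample values are constructed.

```python
import re

# Format rules the page gives for the ACE properties (assumption: ACE writes
# them into stunnel.conf using the standard stunnel keys used below).
CIPHERS_PREFIX = "ciphers = "
SOCKET_PREFIX = "socket = "
ACCEPT_RE = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}:)?\d{1,5}$")  # port or IP:port
CONNECT_RE = re.compile(r"^[A-Za-z0-9.\-]+:\d{1,5}$")              # host:port


def optional_line(value, prefix):
    """Line to emit for an optional field, or None when it is disabled
    (blank, or commented out with a leading ';' as the page describes)."""
    value = (value or "").strip()
    if not value or value.startswith(";"):
        return None
    if not value.startswith(prefix):
        raise ValueError(f"field must begin with {prefix!r}: {value!r}")
    return value


def global_section(debug_level=5, idle_timeout=3600, busy_timeout=300):
    """Global options: hard-coded PID file, Debug Level, and the Idle/Busy
    timeouts in seconds (page defaults: 1 hour and 5 minutes)."""
    return (f"pid = /var/run/stunnel.pid\ndebug = {debug_level}\n"
            f"TIMEOUTidle = {idle_timeout}\nTIMEOUTbusy = {busy_timeout}\n\n")


def tunnel_section(name, client_mode, accept, connect, ciphers=None,
                   socket1="socket = l:TCP_NODELAY=1",
                   socket2="socket = r:TCP_NODELAY=1", params=()):
    """One [service] section from Tunnel Name, Client Mode, Accept Connection,
    Connect To, Cipher List, Socket options 1/2 and verbatim Param 1..3."""
    if not 1 <= len(name) <= 16:
        raise ValueError("Tunnel Name must be 1 to 16 characters")
    if not ACCEPT_RE.match(accept):
        raise ValueError(f"Accept Connection must be port or IP:port: {accept!r}")
    if not CONNECT_RE.match(connect):
        raise ValueError(f"Connect To must be host:port: {connect!r}")
    lines = [f"[{name}]", "client = yes" if client_mode else "client = no",
             f"accept = {accept}", f"connect = {connect}"]
    for field, prefix in ((ciphers, CIPHERS_PREFIX),
                          (socket1, SOCKET_PREFIX), (socket2, SOCKET_PREFIX)):
        line = optional_line(field, prefix)
        if line:
            lines.append(line)
    lines.extend(p.strip() for p in params if p and p.strip())  # Param 1..3 verbatim
    return "\n".join(lines) + "\n"
```

A Cipher List that omits the required "ciphers = " prefix is rejected rather than silently written, and a list disabled with a leading semicolon is left out of the section.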

DNS Client

The DNS Client object is used to manually configure DNS entries into the Linux resolv.conf file.

...

PropertiesValues
VLAN Table

In the VLAN Table field, add a table row for every VLAN to be defined. 

Physical Device – Select the physical LAN device to be divided into VLANs, such as eth0 (corresponding to EtherPort object with instance 0). In Linux, the original network interface will be renamed (e.g., eth0 will be renamed to eth0_base) unless the VLAN_ID is 0.

If the interface is renamed to "eth?_base", the IP address settings configured in ACE for that physical device are not used. However, the instance of the physical port still must be defined in order to give Linux a network interface that can be divided into VLANs.

New Device Name – Select the Virtual LAN device to associate with the Physical Device selected (above). The IP settings for this VLAN device will be taken from the EtherPort object with the corresponding instance number.

VLAN ID – Enter the numeric VLAN ID to use fo

...

AttributesFunction
Object TypePPPport
Parent(s)System → Networks
Instance

Must be 0. This defines the interface as 'ppp0'.

The instance number is the next consecutive number, starting from zero. Instance #0 is the configuration for the 'ppp0' interface. There is no correlation between PPP instance number and the physical COM port to which it will be attached.

PropertiesValues
PPP Port

Select the physical communication port to be used for PPP.

Do not configure this port as an Async or other type of port in addition to the PPP port configuration. If there are Async and PPP objects defined for the same physical COM port, neither will work properly. 

Baud Rate

Select baud rate for the PPP port.
Parity

Select the parity for the PPP port (None, Odd, Even).

Parity options supported are None, Odd and Even. 

Word Length

Select the data bits for the PPP port (7 or 8 bits).

Stop Bits

Select the stop bits for the PPP port (1 or 2 bits).
Warm Up Time

Enter value for warm up time.

This is the amount of time to wait before sending data after the RTS handshaking lead has been asserted.

An entry of -1 denotes that no handshaking is used. An entry of 0 denotes that RTS/CTS hardware handshaking will be used (no data will be sent until CTS is asserted, and active CD must be present to receive data). A positive value will transmit data after the configured number of milliseconds, independent of CTS.

Warm Down Time

Enter value for warm down time.

This is the amount of time to wait after the entire message packet has been shifted out to keep the RTS handshaking lead asserted. 

An entry of -1 denotes that no handshaking is used.

Domain Name

Enter the domain name.

Name used by certain tasks internally to identify different IP adapters. This is case-sensitive. 

PPP IP

Enter the PPP IP address.

This is the address at which other network devices will see this device when trying to make a connection via PPP. If this device is connecting to a PPP device that can automatically assign an IP address, this parameter may be configured as 0.0.0.0. 

Subnet Mask

Enter the subnet mask.

Should always be 255.255.255.255 for PPP.

If a static IP is used and a Default Gateway is required to make outbound connections beyond its subnet, the Routes object must also be configured (see the section Route). 

Connection TimeToDie

Number of seconds to operate a PPP session before killing the connection.

This time is absolute, based on the time at which the session was initiated. The PPP connection will be closed regardless if data is still being transferred when the TimeToDie timer expires. This may be used to force a dial connection to hang up to limit telephone connection charges. Disable the TimeToDie by setting it to -1 if the connection is a permanent hard-wired connection, so that it will never be closed.

 

PPP PSTN Dialer (PSTN)

The PSTN Dialer configuration defines how the unit will dial out to the public switch telephone network (PSTN) using a dial-up modem. The PSTN object used for PPP is optional, depending on the needs of the system.

...

PropertiesValues

Secrets_00
through
Secrets_10

Enter the Linux 'secrets' entry as a text field.

Each Secrets entry must include four text fields separated by a space.

The four fields are:

  • Client name
  • Server name
  • Authentication secret
  • Optional IP address (this may be entered as a range of addresses with asterisks, such as ...)
 

Search for "PPP Secrets" documentation on the Internet for additional information on the format of the IP address field.

Host Dial Backup

In HCP applications, it is sometimes necessary to define a primary and secondary connection path from the HCP to the RediGate. The Host Dial Backup object tells the HCP which network interfaces to use for primary and secondary networks, and some characteristics of network failover.

...

PropertiesValues
Primary Connection Network

Select the network interface through which the HCP should make the primary connection.

Ethernet 0 uses the primary IP network address configured in the Ethernet object (instance 0).
Slip 0 and Slip 1 options are currently unused.
PPP 0 uses the IP network address configured in PPP object 0.
PPP 1 uses the IP network address configured in PPP object 1.

Secondary Connection Network

Select the network interface to which the HCP should make a secondary connection whenever the primary connection is unavailable.

The same options are selected as for the Primary network.

Select "No Secondary Connection" if there is only a single IP address/network to which the HCP can connect. 

Time to Fail to Secondary

Enter the time (in seconds) before the HCP should attempt to make connection to the Secondary network address, after losing connection on the Primary network.

This is ignored if no Secondary connection is defined. 

Time to Stay on Secondary

Enter the time (in seconds) before the HCP should attempt to make connection to the Secondary network address, after losing connection on the Primary network.

This is ignored if no Secondary connection is defined. 

Secondary Idle Time

Enter the time (in seconds) after disconnecting from the Secondary network address before reconnecting to the Secondary, if the Primary network is still unavailable.

This option may be used to reduce long distance charges by dialing the Secondary network infrequently during a long outage of the Primary network. For instance, the HCP might connect via dial-up PSTN line once or twice an hour to get critical data updates and then disconnect. 

Startup Auto/Man

Select the default failover behavior for HCP connections.

Automatic – On startup, the HCP will automatically switch between Primary and Secondary connection paths.
Manual – On startup, the HCP will wait for an operator to manually switch from the Primary to the Secondary connection. This is the default setting for the connection upon first starting the HCP. The Auto/Manual setting for each RediGate can be overridden in the HCP user console at any time.

...

PropertiesValues
Connect Port

Enter the IP port of the Modbus slave on this unit to use for Modbus communication. This feature requires that a network Modbus slave be configured on the RediGate (encapsulated Modbus, not Open Modbus/TCP).

Test Tries

Enter the number of tries to read or write Modbus data to the device when secondary route testing is performed.
Test Day

Select the day of the week on which to initiate Secondary Slave testing.

Select the day, or "Never" to disable the test. 

Slave Virtual Unit

Enter the Modbus slave device address.

Write Address

Enter the starting register address to use for writing data.

Starting address should be a 40xxx register.

Write Num Registers

Enter the number of registers to write, or 0 to disable the write test.

Read Address

Enter the starting register address to use for reading data.

Read Num Registers

Enter the number of registers to read, or 0 to disable the read test.

Response Timeout

Enter the number of seconds to wait for slave read or write response.

...

Parent(s)System → Networks → HostDialBackup

PropertiesValues

The following parameters are stored into the SNMP configuration file, located at /etc/snmpd.conf.
rocommunity

Read-only community name. The RediGate currently only supports read-only community, not read-write community.

Enter a text string between 1 and 63 characters. 

sysdescr

User-defined system description.

Enter a text string between 1 and 127 characters. 

syslocation

User-defined system location.

Enter a text string between 1 and 127 characters. 

syscontact

System contact of the individual who manages this system.

Enter a text string between 1 and 127 characters. 

The following parameters are used as command-line arguments for the script which calls the snmpd service. Elecsys uses a standard Linux SNMP agent, and documentation on these properties can be obtained from public sources if extra options might be needed.

Agent_ExtraOpts

Extra command line options for the SNMP agent service may be entered here. Normally, this should be left blank.

Text string must be 127 characters or less. 

Agent_ListenOn

This sets the port to listen for an SNMP management system connection.

The default option, 'UDP:161', establishes a server on the standard UDP port 161 to use for SNMP. Multiple ports or protocols (such as TCP) can be added, separated by commas. For example, the string 'UDP:161,5000,TCP:2000@localhost' would listen for SNMP on ports 161 and 5000 using UDP protocol, and using TCP protocol on localhost only at port 2000.
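The following is an added example, not code from the RediGate or the Linux SNMP agent, that parses an Agent_ListenOn string using the grammar described above (comma-separated `[PROTO:]PORT[@HOST]`, bare port meaning UDP on all interfaces), flags listeners exposed on every interface, and renders the four snmpd.conf directives with the length limits this page states. The sample strings are constructed.

```python
import re

# Agent_ListenOn grammar as described on the page: comma-separated entries of
# [PROTO:]PORT[@HOST]; a bare port means UDP, and no @HOST means all interfaces.
ENTRY_RE = re.compile(
    r"^(?:(?P<proto>[A-Za-z]+):)?(?P<port>\d{1,5})(?:@(?P<host>[\w.\-]+))?$")
# Maximum lengths the page gives for the snmpd.conf text fields (all at least 1).
LIMITS = {"rocommunity": 63, "sysdescr": 127, "syslocation": 127, "syscontact": 127}


def parse_listen_on(spec):
    """Return [(proto, port, host)] for an Agent_ListenOn string, validating each entry."""
    endpoints = []
    for raw in spec.split(","):
        m = ENTRY_RE.match(raw.strip())
        if not m:
            raise ValueError(f"bad listen entry: {raw!r}")
        proto = (m.group("proto") or "UDP").upper()
        port = int(m.group("port"))
        if proto not in ("UDP", "TCP") or not 1 <= port <= 65535:
            raise ValueError(f"unsupported protocol or port: {raw!r}")
        endpoints.append((proto, port, m.group("host") or "0.0.0.0"))
    return endpoints


def wide_open(endpoints):
    """Listeners bound to all interfaces. With a read-only community string as
    the only credential, these are the ones to restrict with @host or a firewall."""
    return [e for e in endpoints if e[2] == "0.0.0.0"]


def snmpd_conf(rocommunity, sysdescr, syslocation, syscontact):
    """Render the four /etc/snmpd.conf directives, enforcing the page's length limits."""
    fields = {"rocommunity": rocommunity, "sysdescr": sysdescr,
              "syslocation": syslocation, "syscontact": syscontact}
    for key, value in fields.items():
        if not 1 <= len(value) <= LIMITS[key]:
            raise ValueError(f"{key} must be 1 to {LIMITS[key]} characters")
    return "".join(f"{key} {value}\n" for key, value in fields.items())
```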