Eurogard ServiceRouter V2 User manual

Brief description eurogard ServiceRouter V2 1/23
eurogard GmbH Kaiserstraße 100 D-52134 Herzogenrath T.: +49/2407/9516-0 F: +49/2407/9516-23 www.eurogard.de
eurogard ServiceRouter V2
Configuration Guide
Version 4.0
eurogard GmbH, January 2011

Hardware ServiceRouter V2
Connection and control elements
The ServiceRouter is designed for installation in a switch cabinet using the mounting rail on
the back cover.
Supply voltage is 18-30VDC/6-18W. The two input terminals for the ± Potential are isolated
by means of diodes. This allows for a redundant voltage supply to the Router, as long as the
ground potential of the sources is at the same level. The +24V LED signalizes adequate
supply to the device.
The Reset button restores the factory settings of the device. If required, please press and
hold for at least 3 seconds.
The Setup button copies the last restore point to the configuration level. Before use, a
restore point has to be saved in the Router.
The Status LED signalizes the VPN status.
- OFF: VPN terminated
- FLASHING: VPN initializing
- ON: VPN connection established
The Error LED signalizes the status of the processor.
- ON: Error
- FLASHING: Router initializing
- OFF: Router in operation
UMTS P: Modem module supplied with voltage
UMTS L: Modem module logged into mobile network
ServiceRouter V2: Technical specifications
- Platform: AMD-Geode 500MHz 256 MB RAM
- 2 GB Flash-Disk, expandable on demand
- Battery backed real-time clock, hardware-Watchdog
- 1 x WAN, 2 x LAN switched, each Ethernet 10/100
- 2 x USB for USB-disk, WEB-Cam and customer add-ons
- miniPCI-slot internal for 54 Mbit WLAN-Option
- Version with UMTS/HSDPA modem available
- Version with 4 digital inputs, 2 outputs available
- Voltage supply 12-30 VDC, 8W (basic version) 18W full version
- Ambient temperature 5-50°C, non-condensing
- DIN-rail mounting
- Dimensions: H:156 W:59 D:160 mm

Ensure accessibility – Target network and DynDNS
Integration into target network (End customer LAN)
Operation as Server in the target network
The ServiceRouter V2 has to be integrated by forwarding the ports described below.
Additionally, it has to be accessible via DynDNS, which requires its IP to be updated there.
The port numbers listed below are available.
- UDP 1194: for the tunnelled connection to the PLC network (VPN)
OPTIONAL:
- TCP 443: for access to the configuration interface (SSL)
- Only provisionally: TCP 22 for emergency support through the manufacturer eurogard.
Ports 443 and 22 in the Router can be blocked after first start-up and do
not have to be forwarded after this point.
Since the public IP of our customers is normally dynamic, the public IP of
the ServiceRouters is also dynamic.
For external access to the ServiceRouter, the local IP must be updated
through the provider DynDNS.com.
In order to do this, the Router must be able to communicate via Port 80.
The Router requires access to an NTP server in order to update its system
clock. If an internal NTP is not available, Port 123 outgoing has to be open
for accessing an Internet NTP.
The battery-backed real-time clock of the ServiceRouter bridges offline-
times and allows the Router to be accessed without interruption.
Operation as Client in the target network
If the ServiceRouter V2 is operated as client in the target network, port forwarding
does not apply – along with many a discussion with local IP administrators.
The ServiceRouter V2 only requires an IP in the network and access to the Internet,
just as with any other PC in this network.
Access to an NTP server is required.
DynDNS is only required once at the central server.

Creating a DynDNS account
If the ServiceRouter is to be operated as VPN server, its current IP has to be
traceable for the client wishing to connect. This issue is resolved via the Internet
service DynDNS.com.
At www.dyndns.com an account has to be created for every ServiceRouter server which
cannot be accessed via a static IP in the Internet.
Account -> My Services opens the page shown on the left. The screen is self-explanatory
and allows for two free entries.
Access data saved here subsequently has to be entered into the Router.
In case you want to use the proxy functions for visualization purposes, the wildcard
function is required, available with the commercial DynDNS-Pro-Version.
Router configuration: dDNS – Settings of the DynDNS service
Activate the DynDNS service at the Router and enter username and password of your
account created for this Router.
The Router domain registered with DynDNS is entered in the menu item
‘Grundeinstellungen/LAN’ (Basic settings).

Software requirements for the operator without VPN access
Requirements for the operator who is only allowed access to the web-based operating
interfaces configured in the PLC network are:
- Microsoft Internet Explorer or Firefox browser
- Animation platform envisaged for the web interface: usually Java TM
- In the case of Saia-S-Web: the Java Runtime environment:
  http://www.java.com/de/download/manual.jsp
Software requirements for the VPN programming access
In addition to the Explorer, the user with VPN (programming)-access requires:
OpenVPN Client installation. An executable version with Default-Client is included as
part of the scope of delivery. Updates can be downloaded via:
http://openvpn.net/howto.html
The key generated by the Router along with the certificate has to be saved in the
directory „config“ of the OpenVPN installation. For an example, please refer to the
appendix.
The eurogard TeleService Software SRconnect
eurogard provides the VPN-connection tool „ServiceRouter-Connect“, free of charge.
This database oriented openVPN-Client administers your certificates, registers connection
times and, per mouse-click, sets up a connection to all ServiceRouters operated as servers.
Connections are initiated from a clearly arranged list and shown in a separate window.
Prior to this, the key files generated by the ServiceRouter in the format vpn.tar have to
be loaded into the program.
SRconnect unpacks the *.tar-file and allows for additional entries.
For further information please refer to the program description.

Functions for users
User-Login
Before the user can access the operating pages of the PLC network, the Router has
to be configured by the administrator and an account has to be set up in the user
area.
If the Proxy functionality is to be used, at least one webserver in the PLC network
should be created in the Proxy server list, under „Geräte-Webweiterleitung“.
As a standard, communication with the WAN side of the Router takes place via a
secure SSL connection, chosen in the browser by entering https://.
This is followed either by an IP-number (e.g. 192.168.10.100 as local WAN-IP) or the
DynDNS name, under which the Router can be accessed in the Internet.
After connection set up, the user interface of the Router is displayed.
In order to select a menu item, user login is required.
Menu items for the user: Info-System
The info area provides information about the Router itself, e.g. the size of the internal
disk and available disk space is displayed here, as well as the temperatures measured on
the board.

User – File system
When the user account is created in the admin area, a personal folder for this user is
set up at the same time on the flash drive of the Router.
This user folder is envisaged for storing machine-related data such as PLC projects
or maintenance reports, with password protection. Furthermore, the *.tar-file of the
VPN system is stored here by the Router.
This personalized folder can be accessed via FTP with the user access data at the
LAN-IP of the Router.
In the User Area Shared Documents, all registered users can share documents.
Set up and use a Proxy Server
Before the user can use the proxy, it has to be set up by the administrator in the
admin area.
The menu item Geräte (Devices) \ Webweiterleitungen (Web forwarding) takes you to the
device list of the proxy. Here, all required network subscribers in the LAN of the Router
should be entered which are to be accessed at a later point in time.
Click HTML-Cache in order to use the Cache memory in the Router, where you can
store web pages via FTP in order to save PLC memory, and load the web pages into
the Router via FTP at a later point in time.
After installation, this allows a user to view and utilize these pages via the web
interface of the Router without being granted access to the PLC network.

Administration of the ServiceRouter
Establishing first contact
The ServiceRouter is connected to the PC via a LAN port. Default IP for accessing
the web interface is: 192.168.155.1.
Local settings
Allow the Router to assign an IP address. Click Adminlogin in order to change to the
administration area and enter „eurogard“ (default) as user name and password. Go
through the configuration menu in the order described below. Please change the password
(see Access – Creating User and Admin accounts) at a later point in time!
The following parameters are set as default on initial power-up:
- WAN / Internet: Connection Ethernet, DHCP-Client, waiting for IP from the customer
  network.
- LAN: DHCP-Server on: As soon as you connect a PC to the LAN side via ETHERNET, the
  Router attempts to allocate an IP to this PC via DHCP protocol.
- DynDNS: no connection allocated
- WLAN: deactivated
- Accounts: the device is delivered with the following Administrator / User accounts:
  Admin: User: eurogard
  Password: eurogard
- Settings: Name: Servicerouter
  Domain: dyndns.org
  Language: German
- VPN: No certificates generated, either for the Router or for the user.

The administration area
Login for the administrator is located in the upper right-hand corner of the initial
screen. At password prompt enter:
User name: eurogard
Password: eurogard
Obviously these accounts should be deleted in the course of the configuration process and
replaced by creating your own specific user and administrator accounts.
As a general rule, the following applies for any data entered in the http interface of
the Router:
1. enter parameter
2. press button „Speichern“ (Save)
3. then start page functions, e.g. Zertifikat „generieren“ (generate certificate).
Some functions, e.g. the generation of the Router certificate, will take up to 10
minutes! Please do not enter any data during this process and wait for the ready
message on the user interface!
Please make sure to work through the configuration process from left to right, starting
with the LAN side, then WAN etc, since some functions require parameters from the
preceding menus.

Router configuration: LAN side of the Router
Here, the LAN settings of the local PLC network are entered.
- LAN address of the ServiceRouter with subnet mask
- DHCP area for the users connected on the LAN side
- DHCP area for users connected via VPN
Change of HTTPS port and entry of location for easier identification of the
Router are optional.
The Server is given the host name and the domain name as registered at dynDNS. This
entry is also required for the generation of the certificates.
If the Router is supposed to allocate IP addresses in your PLC network, please activate
the DHCP server of the Router. In this case, please enter the available IP number range.
It must not overlap with the number range of the VPN network!
Router configuration: WAN side of the Router
The ServiceRouter can be connected to the Internet in different ways.
Select:
DHCP – where the Router receives all necessary information from the DHCP server
of the host network.
Static Configuration – and connect the Router to the host network manually, entering
the data displayed.

Select:
PPPoE – where you are directly connected to the Internet via an external (A)DSL
modem.
Enter the account data according to the directions of your ISP.
Select:
UMTS/GPRS – where you want to set up a wireless connection to the ServiceRouter
with an integrated UMTS modem.
In the UMTS network the Router can only be operated as VPN client. Choose the
relevant settings in the OpenVPN area and configure the corresponding Server,
before setting up the UMTS clients.
Router configuration: Time – Setting the time update
Prior to creating the server certificate and for validity checks during operations, the
Router requires the current time/date. We recommend the use of an NTP time server in the
Internet (Port 123).
The default configuration already includes a choice of different time servers. You can add
to or delete from the list.
In the case where no NTP is available when parameterization is carried out, please set the
time manually. The integrated battery-buffered real-time clock will guarantee sufficient
precision during certificate administration.
Under its LAN IP, the ServiceRouter also provides an NTP service for LAN
participants.

Router configuration: dDNS – Settings of the DynDNS Service
The access data registered at DynDNS is entered in the Router.
If you wish to use the proxy functions for visualization, Wildcard-Subdomain Mapping
is required which is available only in the commercial Pro-Version at DynDNS. In this
case, please add pro-DynDNS to your DynDNS account and activate the Wildcard
function in the account.
Choose DynDNS on the Router and enter the account user name and the registered password
for this Router.
After a short time lapse, you can check in the Status-Log area if the account has been
updated.
Router configuration: Certificates – Creating the Server certificate
ServiceRouters operated as servers in the VPN network require a server certificate
from which client certificates can then be generated. This can take up to 10 minutes.
Only after termination of this process, users with valid client certificates can be
registered.

It is essential that the items Grundeinstellungen (Settings), Internet and Zeit (Time)
have already been parameterized.
Save your settings by pressing the „Speichern“ (Save) button and press
„Neue Serverzertifikate generieren“ (Generate new server certificates)!
Subsequently, the certificate can be saved in the browser in order to suppress further
warnings regarding the certificates.
Some browsers reject certificates which have been issued twice and terminate the
connection, if an identical certificate has already been received from a different
ServiceRouter. For this reason there is the possibility to personalize your certificates.
Enter the data which is then transferred into the certificate. Additionally, the name of
the Router and the domain are automatically transferred for personalization.
Furthermore you can set the validity in days and the length of the key. Please note
that the server will no longer accept client connections after expiry of validity.
The certificate can also be imported into your browser in order to suppress warnings
due to unidentified certificates during future connections.
Router configuration: OpenVPN - Configuration of the VPN network VPN-Server
In this menu, the parameters of the VPN network are set after the VPN certificate has
been generated.
Normally, the ServiceRouter is operated as VPN server. The remote station is a
software client on your PC or further ServiceRouters which act as clients.
For this reason, OpenVPN Mode (Server / Client) is switchable.

Configuration of the Server mode
Verify that the addresses for the DHCP in the VPN do not overlap with the LAN addresses.
The VPN port subsequently used to access the server is freely adjustable so that several
ServiceRouters can be accessed in the target network. Please ensure that the port selected
here is forwarded to the WAN-IP of the ServiceRouter in the company network.
The pre-set values for VPN protocol, packet size, Keepalive and reboot should only
be altered after due consideration.
Settings Crypto-algorithm: For Clients of series V1 to be allowed to connect to this
Router, please choose „Kompatibilitätsmodus für v1-Router“ (Compatibility with
V1-Router); in all other cases please select „Standard v2-Router“.
Setting the Multi-NAT Function
The Router supports Multi-NAT. Normally, the address range of the VPN connection is to be
found in the same subnet as the LAN area of the Router. Where the VPN is to use a
different address range, please enter the range in the VPN-DHCP fields.
This opens the bridge from the VPN network to the LAN and the Router converts all
telegrams from the VPN one-to-one into the LAN address space. This applies to incoming
and outgoing telegrams (Multi or Twin-NAT).
Example:
In the example above the remote PLC network connected via VPN has the same
address range as the local network of the Client PC on the local side.
In order to enable the Client PC where, for example, programming software is
running, to determine which telegrams are to be sent to the local network and which
to the remote PLC via VPN tunnel, these have to belong to different sub networks.
The telegrams from the programming software have to be addressed to the subnet of
the VPN with NAT activated, so that they can be re-addressed by the local
ServiceRouter to the actual address of the PLC.
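The two address rules above (the VPN DHCP range must not overlap the LAN range, and Multi-NAT maps a separate VPN range one-to-one onto the LAN), as an added example that is not part of the eurogard manual or the Router firmware. The prefix-swap mapping, the function names and all addresses other than the default 192.168.155.1 are assumptions constructed for illustration.

```python
import ipaddress


def pool(first, last):
    """Inclusive DHCP pool as a validated (first, last) pair."""
    a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if a > b:
        raise ValueError(f"pool start {a} is above pool end {b}")
    return a, b


def pools_overlap(p, q):
    """True when two inclusive pools share at least one address."""
    return p[0] <= q[1] and q[0] <= p[1]


def translate(addr, src_net, dst_net):
    """1:1 NAT as assumed here: swap the network prefix, keep the host bits."""
    src = ipaddress.IPv4Network(src_net)
    dst = ipaddress.IPv4Network(dst_net)
    ip = ipaddress.IPv4Address(addr)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("one-to-one mapping needs equal prefix lengths")
    if ip not in src:
        raise ValueError(f"{ip} is not inside {src}")
    return str(dst.network_address + (int(ip) - int(src.network_address)))


def check_plan(lan_net, router_ip, lan_pool, vpn_pool, vpn_net=None):
    """Return a list of problems. vpn_net=None: VPN clients share the LAN subnet."""
    lan = ipaddress.IPv4Network(lan_net)
    vpn = ipaddress.IPv4Network(vpn_net) if vpn_net else lan
    router = ipaddress.IPv4Address(router_ip)
    problems = []
    if router not in lan:
        problems.append("router LAN address is outside the LAN subnet")
    for name, p, net in (("LAN", lan_pool, lan), ("VPN", vpn_pool, vpn)):
        if p[0] not in net or p[1] not in net:
            problems.append(f"{name} DHCP pool leaves {net}")
        if p[0] <= router <= p[1]:
            problems.append(f"{name} DHCP pool contains the router address")
    if pools_overlap(lan_pool, vpn_pool):
        problems.append("LAN and VPN DHCP pools overlap")
    if vpn_net:
        if vpn.overlaps(lan):
            problems.append("Multi-NAT subnet overlaps the LAN subnet")
        elif vpn.prefixlen != lan.prefixlen:
            problems.append("Multi-NAT subnet and LAN differ in size")
    return problems


# Constructed sample plans; only 192.168.155.1 comes from the manual (default address).
LAN = "192.168.155.0/24"
LAN_POOL = pool("192.168.155.100", "192.168.155.150")

# VPN clients in the LAN subnet, but the pool collides with the LAN pool.
BAD = check_plan(LAN, "192.168.155.1", LAN_POOL,
                 pool("192.168.155.140", "192.168.155.160"))

# Multi-NAT: VPN clients use their own subnet, mapped 1:1 onto the LAN.
VPN = "10.8.0.0/24"
GOOD = check_plan(LAN, "192.168.155.1", LAN_POOL,
                  pool("10.8.0.10", "10.8.0.50"), vpn_net=VPN)

if __name__ == "__main__":
    print("bad plan :", BAD)
    print("good plan:", GOOD)
    # Programming software addresses the PLC inside the VPN subnet ...
    print("to PLC   :", translate("10.8.0.20", VPN, LAN))
    # ... and replies from the PLC are mapped back on the way out.
    print("to client:", translate("192.168.155.20", LAN, VPN))
```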

Router configuration: OpenVPN - Configuration of the VPN network VPN-Client
If the ServiceRouter is supposed to function as Client, please proceed as follows.
- Router configuration time: Please set the time as described above. The Client also
  requires the correct time.
- Router configuration dDNS: DynDNS is not required. Please alter the settings
  in the Dynamic DNS to „nicht benutzt“ (not in use).
- Router configuration certificates: Please do not enter data under the heading
  Zertifikate (Certificates); the Router does not require a server certificate.
- Router configuration OpenVPN: Please select Client mode.
and pressing the button „Speichern“ (Save), the VPN system of the Client boots up
and connects to the Server.
During connection time, the LED „Status“ at the Router flashes; after successful
connection set up it switches over to continuous light.
As with your PC system, several connections to the Router can be loaded and
selected from the list.
Please check correct connection set up under Status-Logs.

Router configuration: Access – Creating User and Admin accounts
The Router supports a multilevel user and administrator management. For further
information please refer to the online support.
Here, only administrators are allowed access to this area of parameterization.
Please enter user name and password under „neuen Zugang hinzufügen“ (create new access).
Access data can then be loaded from the Router by pressing the „download“ button.
A personalized folder for each user is created on the internal file system of the
Router. Here, the personal certificate is also stored as *@*.tar. This certificate can
then be downloaded from the Router on the user level with the pre-set password
without having to enter the admin area.
See example - SIMATIC - at the back of this manual.
The field Online-Status shows the connection status for each client.
Router configuration: WLAN – Parameterization of the WLAN Option
If the WLAN option is included in your purchase, you can use the Router as
„LAN-Accesspoint“, for example, for wireless programming in your plant.
The setting „WAN-Client“ sets up a WLAN connection of the Router to an Access
Point provided in the target network and then to the Internet.
Please select operation mode and enter ESSID (in order to identify the Router in the
WLAN) and a pass phrase of a minimum of 9 characters.
The other settings should only be changed where necessary.

Router configuration: Logs – Activating the Log Function
The Router maintains various log files.
These can be enabled and disabled.
Files are automatically archived above the file size set by user.
Router configuration: Firewall – Settings of the Firewall
The Firewall has been pre-set to ensure maximum security.
It only allows pre-set access for the following services:
- HTTPS (e.g. TCP 443)
- VPN (e.g. UDP 1194)
- SSH (e.g. TCP 22)
With the exception of the VPN function these can also be blocked by closing the
corresponding ports in this menu, at a later point in time.
Furthermore, you can block any LAN and VPN network access to the WAN side of
the Router, and thus to the customer network. In order to do so, adjust the setting for
enabling external connections to ‚nein‘ (no). This also suppresses access from the
PLC network (LAN) to the Internet.
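One way to confirm from outside the customer network that the HTTPS and SSH ports were really closed after commissioning (added example, not part of the manual or the Router software). The host name is a placeholder and 443/22 are the defaults named above, so pass your own port map if the HTTPS port was changed.

```python
import socket

# Services the manual says may be blocked once the Router is set up.
# The VPN port (e.g. UDP 1194) has to stay reachable and is not probed here:
# UDP has no handshake, so a plain connect test cannot tell open from filtered.
SHOULD_BE_CLOSED = {
    443: "HTTPS configuration interface",
    22: "SSH emergency support",
}


def tcp_open(host, port, timeout=2.0):
    """True when a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout), unreachable or unresolvable: not open.
        return False


def audit_wan(host, ports=None, probe=tcp_open):
    """Return {port: description} for every listed port that still accepts TCP."""
    ports = SHOULD_BE_CLOSED if ports is None else ports
    return {port: desc for port, desc in ports.items() if probe(host, port)}


def report(host, findings):
    """Format the audit result as text lines for a commissioning record."""
    if not findings:
        return [f"{host}: no management port reachable"]
    return [f"{host}: TCP {port} still reachable ({desc})"
            for port, desc in sorted(findings.items())]


if __name__ == "__main__":
    # Placeholder name; use the DynDNS name or WAN IP of your own Router.
    target = "router.example.invalid"
    for line in report(target, audit_wan(target)):
        print(line)
```

Run it from a machine on the WAN side of the Router; a probe from the LAN side says nothing about what the firewall exposes externally.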

Completing the parameterization of the Server - Status-Logs
After completion of the parameterization, the functionality of the various Router
services is verified in the area Status-Logs.
Status-Logs: Connections – Display of the current WAN connections
1. Verification of the IP allocated in the target network.
2. Verification of date and time.
Status-Logs: DHCP – Display of the LAN addresses allocated by the Router
With DHCP service activated, a list of addresses allocated by the Router can be found on
this screen.
Status-Logs: OpenVPN – Control of connections in the VPN network
Connections to all clients are displayed here.
As soon as the VPN client has been configured on your PC and has set up connection to the
Router, it is displayed in the OpenVPN list under its name and connection settings.

Status-Logs: Logs – Display and download of log files
The various log files are downloaded in this menu.
To display data, we recommend the use of ‘WordPad‘.
Status-Logs: dDNS – Control of DynDNS-Function
In this screen, the update of the public Router-IP via the DynDNS-Client can be
checked.
When the entries for the last IP transmitted and the current IP are identical, and the
forwarding in your target network is enabled, the ServiceRouter can be accessed via
Internet.
Status-Logs: Diagnosis – Connection test with PING and NSLOOKUP
Using Ping and NSLOOKUP, availability and access of the Router to the Internet can be
checked.
The tool NSLOOKUP ascertains the correct IP-resolution by the Router. It also gives
additional information regarding the set routing.

Backup and Maintenance
The ServiceRouter is equipped with a system backup.
After parameterization you can:
- set restore points (Wiederherstellungspunkt)
- restore restore points
- download restore points from the Router
- upload restore points to the Router
Once a restore point has been set it can also be activated by pressing the SETUP
button (approx. 3 seconds).
The recessed RESET button resets the Router to the delivery status. All settings
and certificates are deleted, and the flash drive is re-formatted.
Please use this function with particular care! This button has to be pressed for at
least 3 seconds.
Firmware update
The Router firmware can be re-loaded on to the Router via this screen.
Please contact the eurogard Service-Team or check www.eurogard.de for the latest
version.