LAPP ETHERLINE NF04T User manual

U.I. Lapp GmbH | Schulze-Delitzsch-Straße 25 | 70565 Stuttgart
Phone: +49 (0)711-7838-01 | Fax: +49 (0)711-7838-2640 | info@lappkabel.de | www.lappkabel.com
ETHERLINE®ACCESS NF04T - Industrial NAT Gateway and Firewall
Manual
Version 1 | 16.04.20 | as of Firmware V 1.08.200

Notes
All rights reserved, including those related to the translation, reprinting, and reproduction of this manual or of parts
thereof.
No part of this manual may be reproduced, processed, duplicated, or distributed in any form (photocopy, microfilm,
or any other methods), even for training purposes or with the use of electronic systems, without written approval
from U. I. Lapp GmbH.
To download the latest version of this manual, please visit our website at www.lappkabel.com
We welcome all ideas and suggestions.
Our products contain open source software, among others. This software is subject to the respectively relevant
license conditions. We can send you the corresponding license conditions, including a copy of the complete license
text together with the product. They are also provided in our download area of the respective products under
www.lappkabel.com.
We also offer to send you or any third party the complete corresponding source text of the respective open source
software for an at-cost fee of 10.00 Euro as a DVD upon request. This offer is valid for a period of three years,
starting from the date of product delivery.
Copyright © U.I. Lapp GmbH 2020. All rights reserved.
Schulze-Delitzsch-Straße 25 | 70565 Stuttgart
STEP, TIA, and SIMATIC are registered trademarks of Siemens AG.
Windows is a registered trademark of Microsoft Corporation.
Revision record:
Version | Date | Change
1 | 10.04.2020 | First version / Firmware V1.08.200

ETHERLINE®ACCESS NF04T | Version 1 | 04/16/20 3
Contents
1 General
1.1 Target audience for this manual
1.2 Safety instructions
1.3 Note symbols and signal words
1.4 Intended use
1.5 Improper use
1.6 Installation
1.6.1 Access restriction
1.6.2 Electrical installation
1.6.3 Protection against electrostatic discharges
1.6.4 Overcurrent protection
1.6.5 EMC protection
1.6.6 Operation
1.6.7 Liability
1.6.8 Disclaimer of liability
1.6.9 Warranty
2 Security recommendations
3 Overview
3.1 Setup
3.2 Connection of the power supply
3.3 LEDs status information
4 Initial access to the web interface
4.1 Initial registration
4.2 Main view
4.2.1 Menu overview
4.2.2 Responsive design
5 Choosing the operating mode
5.1 The NAT operating mode
5.2 The Bridge operating mode
6 Application case NAT
6.1 Adjustment of the IP addresses in the NAT operating mode
6.2 Activate DHCP client at the WAN interface
6.3 Setting up “Basic NAT” rules
6.4 Packet filter “WAN to LAN”
6.5 ICMP Traffic “WAN to LAN”
6.6 Packet filter “LAN to WAN”
6.7 ICMP Traffic “LAN to WAN”
6.8 SNAT
6.9 NAPT
6.10 Port forwarding
7 Application case Bridge
7.1 Activate Bridge mode
7.2 Adjustment of the IP addresses in the bridge operating mode
7.3 Packet filter “WAN to LAN”
7.4 ICMP Traffic “WAN to LAN”
7.5 Packet filter “LAN to WAN”
7.6 ICMP Traffic “LAN to WAN”
8 MAC address filtering
9 Static routes
10 Use with Simatic Step 7 / TIA portal
10.1 Application with step 7
10.2 Use in the TIA portal
11 Other functions
11.1 DHCP server for LAN
11.2 Host name (WAN)
11.3 Syslog server
11.3.1 Syslog local
11.3.2 Syslog remote
11.4 Change password / User management
11.5 File certificate (HTTPS)
11.6 Allow web interface access over WAN network (Web Interface Access)
11.7 Time settings (Time)
11.8 Export/import of configuration
12 Firmware update
13 Resetting to factory settings
13.1 Resetting to factory settings via the website
13.2 Resetting to factory settings with button
14 FAQ
15 Technical data
15.1 Dimensioned drawing

1 General
This operating manual applies only to devices, assemblies, software, and services of U. I. Lapp GmbH.
1.1 Target audience for this manual
This description is only intended for trained personnel qualified in control and automation engineering who are
familiar with the applicable national standards. For installation, commissioning, and operation of the components,
compliance with the instructions and explanations in this operating manual is essential.
Configuration, execution, and operating errors can interfere with the proper operation of the ETHERLINE®ACCESS
NF04T and result in personal injury, as well as material or environmental damage. Only suitably qualified personnel
may operate the devices!
The specialist personnel is to ensure that the application or the use of the products described fulfills all safety
requirements, including all applicable laws, regulations, provisions, and standards.
1.2 Safety instructions
The safety instructions must be observed in order to prevent harm to living creatures, material goods, and the
environment. The safety notes indicate possible hazards and provide information about how hazardous situations
can be prevented.

1.3 Note symbols and signal words
If the hazard warning is ignored, there is an imminent danger to life and health of people from electrical voltage.
If the hazard warning is ignored, there is a probable danger to life and health of people from electrical voltage.
If the hazard warning is ignored, people can be injured or harmed.
Draws attention to sources of error that can damage equipment or the environment.
Gives an indication for better understanding or preventing errors.

1.4 Intended use
The ETHERLINE®ACCESS NF04T Industrial Ethernet Bridge and Firewall (“the device” in the following) connects two
Ethernet networks.
All components are supplied with a factory hardware and software configuration. The user must carry out the
hardware and software configuration for the conditions of use. Modifications to hardware or software configurations
that extend beyond the documented options are not permitted and nullify the liability of U. I. Lapp GmbH.
The device may not be used as the only means for preventing hazardous situations on machinery and systems.
Successful and safe operation of the device requires proper transport, storage, setup, assembly, installation,
commissioning, operation, and maintenance.
The ambient conditions provided in the technical specifications must be adhered to.
The device has a protection rating of IP 20 and must be installed in an electrical operating room or a control
box/cabinet in order to protect it against environmental influences. To prevent unauthorized access, the doors of
control boxes/cabinets must be closed and possibly locked during operation.
1.5 Improper use
The consequences of improper use may include personal injury to the user or third parties, as well as property
damage to the control system, the product, or the environment. Use the device only as intended!

1.6 Installation
1.6.1 Access restriction
The modules are open operating equipment and must only be installed in electrical equipment rooms, cabinets, or
housings.
Access to the electrical equipment rooms, cabinets, or housings must only be possible using a tool or key, and
access should only be granted to trained or authorized personnel.
1.6.2 Electrical installation
Observe the regional safety regulations.
1.6.3 Protection against electrostatic discharges
To prevent damage through electrostatic discharges, the following safety measures are to be followed during
assembly and service work:
• Never place components and modules directly on plastic items (such as polystyrene, PE film) or in their vicinity.
• Before starting work, touch the grounded housing to discharge static electricity.
• Only work with discharged tools.
• Do not touch components and assemblies on contacts.
1.6.4 Overcurrent protection
Overcurrent protection isn’t necessary as the device transports no load current. The power supply of the device
electronics is to be secured externally with a fuse of maximum 1 A (slow-blowing).
1.6.5 EMC protection
To ensure electromagnetic compatibility (EMC) in your control cabinets in electrically harsh environments, the
known rules of EMC-compliant configuration are to be observed in the design and construction.
1.6.6 Operation
Operate the device only in flawless condition. The permissible operating conditions and performance limits must be
adhered to.
Retrofits, changes, or modifications to the device are strictly forbidden.
The device is a piece of operating equipment intended for use in industrial plants. During operation, all covers on
the unit and the installation must be closed in order to ensure protection against contact.

1.6.7 Liability
The contents of this manual are subject to technical changes resulting from the continuous development of
products of U. I. Lapp GmbH. In the event that this manual contains technical or clerical errors, we reserve the right
to make changes at any time without notice.
No claims for modification of delivered products can be asserted based on the information, illustrations, and
descriptions in this documentation. Beyond the instructions contained in the operating manual, the applicable
national and international standards and regulations must also be observed in any case.
1.6.8 Disclaimer of liability
U. I. Lapp GmbH is not liable for damages if these were caused by use or application of products that was improper
or not as intended.
U. I. Lapp GmbH assumes no liability for any printing errors or other inaccuracies that may appear in the operating
manual, unless there are serious errors of which U. I. Lapp GmbH was already demonstrably aware.
Beyond the instructions contained in the operating manual, the applicable national and international standards and
regulations must also be observed in any case.
U. I. Lapp GmbH is not liable for damage caused by software that is running on the user’s equipment that
compromises, damages, or infects additional equipment or processes through the remote maintenance connection,
and which triggers or permits unwanted data transfer.
1.6.9 Warranty
Report any defects to the manufacturer immediately upon discovery of the defect.
The warranty is not valid in case of:
• Failure to observe these operating instructions
• Use of the device that is not as intended
• Improper work on and with the device
• Operating errors
• Unauthorized modifications to the device
The agreements met upon contract conclusion under “General Terms and Conditions of U. I. Lapp GmbH” apply.

2 Security recommendations
ETHERLINE®ACCESS NF04T is a network infrastructure component and thus an important element in the security
considerations of a system or network. When using the ETHERLINE®ACCESS NF04T, please therefore consider the
following recommendations in order to prevent unauthorized access to plants and systems.
General:
• Ensure at regular intervals that all relevant components fulfill these recommendations and possibly any other
internal security guidelines.
• Evaluate your system holistically with a view to security. Use a cell protection concept with corresponding
products, such as the ETHERLINE®ACCESS NF04T.
You can find extensive information, for example, in the “ICS Security Compendium” of the
Federal Office for Information Security (BSI):
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/ICS/ICS-Security_kompendium_pdf.html
Physical access:
• Limit physical access to components of relevance to security to qualified personnel.
Security of the software:
• Always keep the firmware of all communications components up to date.
• Inform yourself regularly of firmware updates for the product.
You can find information at: www.lappkabel.com/activenetworkcomponents
• Only activate protocols and functions you really need.
Passwords:
• Define rules for usage of the devices and the awarding of passwords.
• Update passwords and keys regularly.
• Change standard passwords.
• Only use strong passwords. Avoid weak passwords like, for example, “password1”, “123456789”, or similar.
• Ensure that all passwords are protected and inaccessible to unauthorized personnel.
• Don’t use one password for various users and systems.

3 Overview
ETHERLINE®ACCESS NF04T, the Industrial NAT Gateway and Firewall, easily integrates machine networks into the
higher-level production network using network segmentation, packet filtering, and MAC address filtering.
In the NAT operating mode, the device forwards data traffic between different IPv4 networks. It performs the
address translation via NAT and uses packet filters to limit access to the automation network located
behind it.
In the Bridge operating mode, the ETHERLINE®ACCESS NF04T acts as a network bridge within one IPv4 subnetwork. In
contrast with normal switches, packet filtering is possible in this operating mode. This means that access to
individual areas of your network can be restricted without having to use different networks for this
purpose.
Features of the ETHERLINE®ACCESS NF04T:
• NAT (Basic NAT, SNAT, NAPT and port forwarding) for network segmentation
• Bridge functionality for securing network areas with identical IPv4 address ranges
• Access restriction through packet filters: IPv4 addresses, protocol (TCP/UDP), ports
• MAC address filtering with black and whitelisting
• DHCP server (LAN), DHCP client (WAN)
• Quick and easy configuration thanks to responsive web interface
• Static routes to other networks
• Reporting of events to a Syslog server
• Export/import of configuration
• Industry-compatible design for installation on DIN rails
3.1 Setup
The ETHERLINE®ACCESS NF04T has a 100 Mbps WAN port (P1) and three 100 Mbps LAN ports (P2-P4, switched).
A reset to factory settings can be initiated with the function button (FCN) (see ch. 12). The reset button (RST)
initiates a restart of the ETHERLINE®ACCESS NF04T.
FCN: Function button
RST: Reset button
P1: WAN port
P2-P4: LAN ports
Power supply, operating LEDs (see page 23)

3.2 Connection of the power supply
The ETHERLINE®ACCESS NF04T must be supplied with 24 V DC at the wide range input 18-30 V DC via the
provided connector. Connection FE is for the functional ground. Connect this correctly with the reference potential.
The RJ45 “P1 WAN” socket is for the connection of the external network. The RJ45 “P2 LAN –P4 LAN” sockets are
switched and are for the connection of the internal network.
The inputs IN1 and IN2 do not yet have a function in the current firmware version but will be available in a later
firmware version for the external switching of firewall rules.
3.3 LEDs status information
LED | State | Meaning
PWR | Off | No power supply or device defective
PWR | On | Device is correctly supplied with voltage
RDY | On | Device is ready to operate
ACT | Flashing light or On | Data transfer permitted between WAN and LAN
USR | Flashing light | Reset to factory settings activated
RJ45 LEDs | Green (Link) | Connected
RJ45 LEDs | Orange (Act) | Data transfer at the port

4 Initial access to the web interface
The ETHERLINE®ACCESS NF04T is set on the LAN side at the factory with the IP address 192.168.0.100 and the
subnet mask 255.255.255.0. Access to the web interface is only possible via the LAN connections P2—P4.
The IP address of your network adapter must first be set in accordance with the IP subnet of the
ETHERLINE®ACCESS NF04T: Start → Control panel → Network and sharing settings → Adapter settings →
LAN connection properties → Internet protocol version 4
Now connect a patch cable to the LAN connection of your PC and to one of the LAN ports P2-P4 of the
ETHERLINE®ACCESS NF04T.
In the delivery condition, the web interface can be reached by entering the URL “https://192.168.0.100” in the
browser.
For security reasons, the web interface can only be reached through a secured HTTPS connection. An exception rule
must be confirmed in the browser once to reach the website. A certificate for securing the connection can be stored
in the “Device/HTTPS” menu.

4.1 Initial registration
You will be prompted to set a password with the initial registration.
The password must have at least 8 characters and may have a maximum of 128 characters. It may contain special
characters and numbers. With the “Continue” button, the password is stored in the device and you will be
forwarded to the “Overview” page of the ETHERLINE®ACCESS NF04T.
The main user is always “admin”.
In addition to the main user “admin”, the users “it-user” and “machine-user” can also be used with limited rights.
The users can be activated and the associated passwords set in the “Device/Password” menu.
Make a careful note of the password! For security reasons, it is not possible to reset the password without
resetting the device to the factory settings.

4.2 Main view
The “Overview” page of the ETHERLINE®ACCESS NF04T always opens after the login. The “Overview” main view
contains an overview of the most important settings and information of the ETHERLINE®ACCESS NF04T.
The topmost line contains the menu with the functions for configuration.
Please check the website of the ETHERLINE®ACCESS NF04T for a newer firmware version. The firmware update is
described in chapter 12.
Link to firmware: www.lappkabel.com/activenetworkcomponents

4.2.2 Menu overview
4.2.3 Responsive design
The web interface is also suitable for use on tablets and smartphones (“Responsive design”).
Please note that web access to the ETHERLINE®ACCESS NF04T is equipped with inactivity monitoring for security
reasons. When the website isn’t used for several minutes, an automatic “log out” takes place.

5 Choosing the operating mode
Depending upon the application case for the ETHERLINE®ACCESS NF04T, the operating mode must first be defined.
ETHERLINE®ACCESS NF04T supports two principal operating modes: NAT and Bridge.
5.1 The NAT operating mode
When an automation cell with preset IP addresses is to be incorporated into a production network with other IP
addresses, the IP addresses of the machine must normally all be set again.
When using Network Address Translation (NAT), ETHERLINE®ACCESS NF04T offers the possibility to leave the IP
addresses of the machine as they are, and to communicate with the machine network using separate IP addresses
from the production network.
In the NAT operating mode, ETHERLINE®ACCESS NF04T forwards the data transfer between different IPv4 networks
(Layer 3) and translates the IP addresses with the help of NAT.
Packet filters and MAC address filters can also be used to limit the permitted data transfer.
Broadcast traffic is generally filtered at the ETHERLINE®ACCESS NF04T, which means that the time behavior of the
machine network is not impaired by the production network.
Basic NAT, also known as “1:1 NAT” or “Static NAT”, is the translation of individual IP addresses or of complete IP
address ranges.
As an alternative, port forwarding can be configured so that packets sent to a particular TCP/UDP port of the
ETHERLINE®ACCESS NF04T are forwarded to a certain participant in the machine network (LAN).
The NAT operating mode thus also allows the integration of several automation cells that use an identical IP address
range into the same production network. Each automation cell can in this case be assigned a different, free IP
address from the production network.
If “NAT” is your planned application case, please continue reading in chapter 6.
[Figure: NAT operating mode. Internal (LAN): machine network 192.168.10.0/24 with the participants 192.168.10.1, 192.168.10.2, 192.168.10.5, 192.168.10.50 and 192.168.10.100. External (WAN): company network 10.10.1.0/24 with the participants 10.10.1.10 and 10.10.1.20. The ETHERLINE®ACCESS NAT/FIREWALL connects the two networks.]
Internal IP | External IP
192.168.10.1 | 10.10.1.11
192.168.10.2 | 10.10.1.12
192.168.10.5 | 10.10.1.13
192.168.10.50 | 10.10.1.14
192.168.10.100 | 10.10.1.15
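The following added example is not part of the manual and is not device firmware or vendor code. It checks a planned set of Basic NAT (1:1) rules for several automation cells that share the LAN range 192.168.10.0/24, verifying that every external address is a free address in the production network 10.10.1.0/24. The gateway WAN addresses, the cell names, the rule layout and the cell-B rules are constructed assumptions. The cell-A rules pair the internal and external addresses of the figure in the order shown.

```python
"""Consistency check for planned Basic NAT (1:1 NAT) rules (added example)."""
import ipaddress


def expand_rule(lan_start, wan_start, count=1):
    """Expand one 1:1 rule covering `count` consecutive addresses."""
    lan = ipaddress.IPv4Address(lan_start)
    wan = ipaddress.IPv4Address(wan_start)
    return [(lan + i, wan + i) for i in range(count)]


def check_plan(wan_net, wan_hosts, cells):
    """Return (table, problems) for all gateways in one production network.

    table maps each external IP to (cell name, internal IP). problems lists
    every rule whose external address is unusable or already taken.
    """
    wan_net = ipaddress.IPv4Network(wan_net)
    reserved = (wan_net.network_address, wan_net.broadcast_address)
    taken = {ipaddress.IPv4Address(h): "existing host" for h in wan_hosts}
    table, problems = {}, []

    # The gateways' own WAN addresses occupy production-network addresses too.
    for name, cell in cells.items():
        gw = ipaddress.IPv4Address(cell["wan_ip"])
        if gw in taken:
            problems.append(f"{name}: WAN IP {gw} already used by {taken[gw]}")
        else:
            taken[gw] = f"WAN IP of {name}"

    for name, cell in cells.items():
        lan_net = ipaddress.IPv4Network(cell["lan_net"])
        for lan_start, wan_start, count in cell["rules"]:
            for lan, wan in expand_rule(lan_start, wan_start, count):
                if lan not in lan_net:
                    problems.append(f"{name}: {lan} is outside LAN {lan_net}")
                elif wan not in wan_net or wan in reserved:
                    problems.append(f"{name}: {wan} is not usable in {wan_net}")
                elif wan in taken:
                    problems.append(f"{name}: {wan} already used by {taken[wan]}")
                else:
                    taken[wan] = f"{name} rule for {lan}"
                    table[wan] = (name, lan)
    return table, problems


def translate_inbound(table, dst_ip):
    """Resolve a production-network destination to (cell, internal IP) or None."""
    hit = table.get(ipaddress.IPv4Address(dst_ip))
    return (hit[0], str(hit[1])) if hit else None


# Constructed plan: networks and participants as in the figure; the gateway
# WAN addresses, cell names and the cell-B rules are assumptions.
WAN_NET = "10.10.1.0/24"
WAN_HOSTS = ["10.10.1.10", "10.10.1.20"]
CELLS = {
    "cell-A": {
        "wan_ip": "10.10.1.1",
        "lan_net": "192.168.10.0/24",
        "rules": [
            ("192.168.10.1", "10.10.1.11", 1),
            ("192.168.10.2", "10.10.1.12", 1),
            ("192.168.10.5", "10.10.1.13", 1),
            ("192.168.10.50", "10.10.1.14", 1),
            ("192.168.10.100", "10.10.1.15", 1),
        ],
    },
    "cell-B": {
        "wan_ip": "10.10.1.2",
        "lan_net": "192.168.10.0/24",  # same internal range as cell-A
        "rules": [
            ("192.168.10.1", "10.10.1.15", 1),  # already assigned to cell-A
            ("192.168.10.2", "10.10.1.19", 3),  # range runs into host .20
        ],
    },
}

if __name__ == "__main__":
    nat_table, findings = check_plan(WAN_NET, WAN_HOSTS, CELLS)
    for line in findings:
        print("PROBLEM", line)
    print(translate_inbound(nat_table, "10.10.1.13"))
```

A rule that fails the check is left out of the table, so the remaining entries show which external addresses would resolve unambiguously.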

5.2 The Bridge operating mode
In the Bridge operating mode, ETHERLINE®ACCESS NF04T behaves like a layer 2 switch between the machine
network (automation cell) and the production network. The IP addresses in the production network are in this case
in the same IP address space (subnet) as the addresses in the machine network.
Access between the two network areas can be limited or secured with packet filters and MAC address filters.
This allows the separation of part of the production network without using different network addresses.
If “bridge” is your planned application case, please continue reading in chapter 7.
[Figure: Bridge operating mode. Internal (LAN): machine network 10.10.1.0/24 with the participants 10.10.1.30, 10.10.1.31, 10.10.1.32, 10.10.1.50 and 10.10.1.100. External (WAN): company network 10.10.1.0/24 with the participants 10.10.1.10 and 10.10.1.20. The ETHERLINE®ACCESS NAT/FIREWALL connects the two network areas.]

6 Application case NAT
To activate the NAT operating mode, select the “Operating Mode” menu point in the “Device” menu and set this to
“NAT”.
6.1 Adjustment of the IP addresses in the NAT operating mode
Click on the “Network” menu and select the sub-menu “Interface”. The IP addresses of the ETHERLINE®ACCESS NF04T
in the WAN and in the LAN (“WAN IP”/“LAN IP”), as well as the associated subnet masks (“WAN netmask”/“LAN
netmask”), can be defined here.
A DNS server and a default gateway can also be specified. This is necessary when devices from the LAN should reach
the Internet via the ETHERLINE®ACCESS NF04T. If these are not specified (“0.0.0.0”), then communication of devices
in the LAN with the Internet is prevented.
Optionally, the WAN IP settings, the DNS server, and the default gateway can also be acquired via DHCP.
The entry is saved with the “Submit” button and the IP settings are then activated immediately. “Decline” discards
the current entry without applying it.
A DNS server must be specified for the SNTP service (see ch. 11.7).
When you change the LAN IP address, you may need to reopen the website of the ETHERLINE®ACCESS NF04T in
the browser using the new IP address and log in again.
The ETHERLINE®ACCESS NF04T has only one active configuration. Changes to the configuration are always
immediately activated. A restart of the ETHERLINE®ACCESS NF04T is not required when changing the
configuration.

6.2 Activate DHCP client at the WAN interface
As an alternative to entering the IP address, a DHCP client can also be activated for the WAN interface.
The use of the DHCP client requires that a DHCP server is active in the WAN network.
The IP settings acquired by the DHCP client are displayed on the overview page after clicking on “INTERFACE”.