Moxa Edr 810 Series Manual v4.0

Industrial Secure Router User’s Manual
Edition 4.0, April 2018
www.moxa.com/product
© 2018 Moxa Inc. All rights reserved.

Industrial Secure Router User’s Manual
The software described in this manual is furnished under a license agreement and may be used only in accordance
with the terms of that agreement.
Copyright Notice
© 2018 Moxa Inc. All rights reserved.
Trademarks
The MOXA logo is a registered trademark of Moxa Inc.

All other trademarks or registered marks in this manual belong to their respective manufacturers.
Disclaimer
Information in this document is subject to change without notice and does not represent a commitment on the part of
Moxa.
Moxa provides this document as is, without warranty of any kind, either expressed or implied, including, but not
limited to, its particular purpose. Moxa reserves the right to make improvements and/or changes to this manual, or to
the products and/or the programs described in this manual, at any time.
Information provided in this manual is intended to be accurate and reliable. However, Moxa assumes no responsibility
for its use, or for any infringements on the rights of third parties that may result from its use.
This product might include unintentional technical or typographical errors. Changes are periodically made to the
information herein to correct such errors, and these changes are incorporated into new editions of the publication.
Technical Support Contact Information
www.moxa.com/support
Moxa Americas Moxa China (Shanghai office)
Toll-free: 1-888-669-2872 Toll-free: 800-820-5036
Tel: +1-714-528-6777 Tel: +86-21-5258-9955
Fax: +1-714-528-6778 Fax: +86-21-5258-5505
Moxa Europe Moxa Asia-Pacific

Tel: +49-89-3 70 03 99-0 Tel: +886-2-8919-1230
Fax: +49-89-3 70 03 99-99 Fax: +886-2-8919-1231
Moxa India
Tel: +91-80-4172-9088
Fax: +91-80-4132-1045
Table of Contents
1. Introduction ...................................................................................................................................... 1-1

Overview ........................................................................................................................................... 1-2
Package Checklist ............................................................................................................................... 1-2
Features ............................................................................................................................................ 1-2
Industrial Networking Capability .................................................................................................... 1-2
Designed for Industrial Applications ............................................................................................... 1-2
Useful Utility and Remote Configuration ......................................................................................... 1-2
2. Getting Started.................................................................................................................................. 2-1
RS-232 Console Configuration (115200, None, 8, 1, VT100) .................................................................... 2-2
Using Telnet to Access the Industrial Secure Router’s Console .................................................................. 2-3
Using a Web Browser to Configure the Industrial Secure Router ............................................................... 2-4
3. EDR-810 Series Features and Functions ............................................................................................ 3-1
Quick Setting Profile............................................................................................................................ 3-3
WAN Routing Quick Setting .......................................................................................................... 3-3
Bridge Routing Quick Setting ........................................................................................................ 3-6
System.............................................................................................................................................. 3-9
Fast Bootup Setting ..................................................................................................................... 3-9
System Information ................................................................................................................... 3-10
User Account ............................................................................................................................ 3-11
Password and Login Policy .......................................................................................................... 3-13
Date and Time .......................................................................................................................... 3-14
Warning Notification .................................................................................................................. 3-15
SettingCheck ............................................................................................................................ 3-20
System File Update—by Remote TFTP .......................................................................................... 3-21
System File Update—by Local Import/Export ................................................................................ 3-22
System File Update –Import/Export the configurations stored on the ABC-02-USB ............................ 3-23
Restart..................................................................................................................................... 3-25
Reset to Factory Default ............................................................................................................. 3-25
Port ................................................................................................................................................ 3-25
Port Settings............................................................................................................................. 3-25
Port Status ............................................................................................................................... 3-26
Link Aggregation ....................................................................................................................... 3-27
The Port Trunking Concept ......................................................................................................... 3-27
Port Mirror ................................................................................................................................ 3-28
Using Virtual LAN .............................................................................................................................. 3-29
The VLAN Concept ..................................................................................................................... 3-29
Configuring Virtual LAN .............................................................................................................. 3-30
Multicast .......................................................................................................................................... 3-32
The Concept of Multicast Filtering ................................................................................................ 3-32
IGMP Snooping ......................................................................................................................... 3-34
IGMP Snooping Settings ............................................................................................................. 3-34
IGMP Table ............................................................................................................................... 3-35
Stream Table ............................................................................................................................ 3-36
Static Multicast MAC .................................................................................................................. 3-36
QoS and Rate Control ........................................................................................................................ 3-37
QoS Classification ...................................................................................................................... 3-37
CoS Mapping ............................................................................................................................ 3-38
ToS/DSCP Mapping .................................................................................................................... 3-39
Rate Limiting ............................................................................................................................ 3-39
MAC Address Table ........................................................................................................................... 3-40
Interface ......................................................................................................................................... 3-41
WAN ........................................................................................................................................ 3-41
LAN ......................................................................................................................................... 3-44
Bridge Group Interface............................................................................................................... 3-44
Network Service ............................................................................................................................... 3-47
DHCP Settings .......................................................................................................................... 3-47
SNMP Settings .......................................................................................................................... 3-51
SNMP Trap Setting .................................................................................................................... 3-53
Dynamic DNS ........................................................................................................................... 3-53
Security........................................................................................................................................... 3-54
User Interface Management ........................................................................................................ 3-54
Authentication Certificate ........................................................................................................... 3-55
Trusted Access .......................................................................................................................... 3-56
RADIUS Server Settings ............................................................................................................. 3-57
Security Notification Setting ....................................................................................................... 3-58
Diagnosis ................................................................................................................................. 3-58
Event Log ................................................................................................................................. 3-59
Connection Status ..................................................................................................................... 3-59
4. EDR-G902/G903 Series Features and Functions................................................................................ 4-1
Overview ........................................................................................................................................... 4-3
Configuring Basic Settings ................................................................................................................... 4-4
System Identification ................................................................................................................... 4-4
Hardware Acceleration ................................................................................................................. 4-5
Accessible IP............................................................................................................................... 4-6
Password.................................................................................................................................... 4-7
Time .......................................................................................................................................... 4-8
SettingCheck ............................................................................................................................ 4-10
Relay Event Setup ..................................................................................................................... 4-11
Warning .......................................................................................................................................... 4-12
System Event Setting ................................................................................................................ 4-12
System File Update—by Remote TFTP .......................................................................................... 4-13
System File Update—by Local Import/Export ................................................................................ 4-14
Backup Media ........................................................................................................................... 4-14
Restart..................................................................................................................................... 4-15
Reset to Factory Default ............................................................................................................. 4-16
Network Settings .............................................................................................................................. 4-16
Mode Configuration ................................................................................................................... 4-16
Link Fault Passthrough ............................................................................................................... 4-17
MTU Configuration (for EDR-810/G902/G903) ............................................................................... 4-18
Speed Configuration .................................................................................................................. 4-20
WAN1 Configuration .................................................................................................................. 4-20
WAN2 Configuration (includes DMZ Enable) .................................................................................. 4-23
Using DMZ Mode ....................................................................................................................... 4-26
LAN Interface............................................................................................................................ 4-27
802.1Q VLAN Setting ................................................................................................................. 4-27
Communication Redundancy .............................................................................................................. 4-28
WAN Backup (EDR-G903 only) .................................................................................................... 4-28
Security........................................................................................................................................... 4-30
User Interface Management ........................................................................................................ 4-30
Authentication Certificate ........................................................................................................... 4-31
RADIUS Settings ....................................................................................................................... 4-31
Traffic Prioritization Setup .......................................................................................................... 4-32
Monitor............................................................................................................................................ 4-36
System Log ...................................................................................................................................... 4-36
EventLog .................................................................................................................................. 4-36
Syslog ..................................................................................................................................... 4-37
5. Routing ............................................................................................................................................. 5-1
Unicast Route ..................................................................................................................................... 5-2
Static Routing ............................................................................................................................. 5-2
RIP (Routing Information Protocol) ................................................................................................ 5-3
Dynamic Routing with Open Shortest Path First (OSPF) .................................................................... 5-4
Routing Table ............................................................................................................................. 5-8
Multicast Route................................................................................................................................... 5-9
Static Multicast ........................................................................................................................... 5-9
Distance Vector Multicast Routing Protocol (DVMRP) ........................................................................ 5-9
Protocol Independent Multicast Sparse Mode (PIM-SM) .................................................................. 5-10
Broadcast Forwarding (EDR-810 only) ................................................................................................. 5-14
VRRP Setting .................................................................................................................................... 5-14
6. Network Redundancy ........................................................................................................................ 6-1
Layer 2 Redundant Protocols (EDR-810 series only) ................................................................................ 6-2
Configuring STP/RSTP .................................................................................................................. 6-2
Configuring Turbo Ring V2 ............................................................................................................ 6-4
Layer 3 Redundant Protocols ................................................................................................................ 6-6
VRRP Settings ............................................................................................................................. 6-6
7. Network Address Translation ............................................................................................................ 7-1
Network Address Translation (NAT) ....................................................................................................... 7-2
NAT Concept ............................................................................................................................... 7-2
1-to-1 NAT Overview ................................................................................................................... 7-2
1-to-1 NAT ................................................................................................................................. 7-3
Bidirectional 1-to-1 NAT ............................................................................................................... 7-4
N-to-1 NAT ................................................................................................................................. 7-5
Port Forward ............................................................................................................................... 7-6
8. Firewall ............................................................................................................................................. 8-1
Policy Concept .................................................................................................................................... 8-2
Policy Overview .................................................................................................................................. 8-2
Firewall ............................................................................................................................................. 8-3
Layer 2 policy ............................................................................................................................. 8-3
Layer 2 Policy Setup (Only in Bridge Mode for EDR-G902/G903) ....................................................... 8-4
Layer 3 policy ............................................................................................................................. 8-5
Quick Automation Profile .............................................................................................................. 8-8
Policy Check ............................................................................................................................. 8-10
Modbus TCP Policy ............................................................................................................................ 8-12
Denial of Service (DoS) Defense ......................................................................................................... 8-16
Firewall Event Log............................................................................................................................. 8-17
9. Virtual Private Network (VPN) .......................................................................................................... 9-1
Overview ........................................................................................................................................... 9-2
IPsec Configuration ............................................................................................................................. 9-2
Global Settings ........................................................................................................................... 9-3
IPsec Settings ............................................................................................................................. 9-3
IPsec Use Case Demonstration ...................................................................................................... 9-8
IPsec Status ............................................................................................................................. 9-11
L2TP Server (Layer 2 Tunnel Protocol)................................................................................................. 9-12
L2TP Configuration .................................................................................................................... 9-12
OpenVPN Configuration ..................................................................................................................... 9-13
Server Settings ......................................................................................................................... 9-14
Client Settings .......................................................................................................................... 9-22
Examples for Typical VPN Applications ................................................................................................. 9-24
Site to Site IPsec VPN tunnel with Pre-Shared Key......................................................................... 9-24
Site to Site IPsec VPN tunnel with Jupiter System.......................................................................... 9-25
L2TP for Remote User Maintenance.............................................................................................. 9-27
Client-to-Client communication via OpenVPN ................................................................................ 9-28
Redirect default gateway via OpenVPN ......................................................................................... 9-28
Create OpenVPN connection on a mobile device ............................................................................ 9-29
10. Certificate Management .................................................................................................................. 10-1
Local Certificate ................................................................................................................................ 10-2
Trusted CA Certificates ...................................................................................................................... 10-2
Certificate Signing Request ................................................................................................................ 10-3
CA Server ........................................................................................................................................ 10-4
11. Diagnosis ........................................................................................................................................ 11-1
Ping ................................................................................................................................................ 11-2
LLDP ............................................................................................................................................... 11-2
Monitor............................................................................................................................................ 11-3
Statistics .................................................................................................................................. 11-3
Bandwidth Utilization ................................................................................................................. 11-3
Display Setting.......................................................................................................................... 11-4
Display Setting.......................................................................................................................... 11-5
A. MIB Groups ....................................................................................................................................... A-1
A-
A-
1
1. Introduction
Welcome to the Moxa Industrial Secure Router series, the EDR-G902, EDR-G902, and EDR-810. The all-in-
one Firewall/NAT/VPN secure routers are designed for connecting Ethernet-enabled devices with network IP
security.
The following topics are covered in this chapter:
 Overview
 Package Checklist
 Features
 Industrial Networking Capability
 Designed for Industrial Applications
 Useful Utility and Remote Configuration
Industrial Secure Router Introduction
Overview
As the world’s network and information technology becomes more mature, the trend is to use Ethernet as
the major communications interface in many industrial communications and automation applications. In
fact, a entirely new industry has sprung up to provide Ethernet products that comply with the requirements
of demanding industrial applications.
Moxa’s Industrial Secure Router series is a Gigabit speed, all-in-one Firewall/VPN/Router for Ethernet
security applications in sensitive remote control and monitoring networks. The Industrial Secure Router
supports one WAN, one LAN, and a user-configurable WAN/DMZ interface (EDR-G903) that provides high
flexibility for different applications, such as WAN redundancy or Data/FTP server security protection.
The Quick Automation Profile function of the Industrial Secure Router’s firewall supports most common
Fieldbus protocols, including EtherCAT, EtherNet/IP, FOUNDATION Fieldbus, Modbus/TCP, and PROFINET.
Users can easily create a secure Ethernet Fieldbus network from a user-friendly web UI with a single click.
In addition, wide temperature models are available that operate reliably in hazardous, -40 to 75°C
environments.
Package Checklist
The Industrial Secure Routers are shipped with the following items. If any of these items are missing or
damaged, please contact your customer service representative for assistance.
• 1 Moxa Industrial Secure Router

• RJ45 to DB9 console port cable
• Protective caps for unused ports
• DIN rail mounting kit (attached to the Industrial Secure Router’s rear panel by default)
• Hardware installation guide (printed)
• CD-ROM with user’s manual and Windows utility
• Warranty card
Features
Industrial Networking Capability

• Router/Firewall/VPN all in one
• 1 WAN, 1 LAN, and 1 user-configurable WAN or DMZ interface
• Network address translation (N-to-1, 1-to-1, and port forwarding)
Designed for Industrial Applications

• Dual WAN redundancy function
• Firewall with Quick Automation Profile for Fieldbus protocols
• Intelligent PolicyCheck and SettingCheck tools
• -40 to 75°C operating temperature (T models)
• Long-haul transmission distance of 40 km or 80 km (with optional mini-GBIC)
• Redundant, dual 12 to 48 VDC power inputs
• IP30, rugged high-strength metal case
• DIN rail or panel mounting ability
Useful Utility and Remote Configuration

• Configurable using a Web browser and Telnet/Serial console
1-2
Industrial Secure Router Introduction
• Send ping commands to identify network segment integrity
1-3
2
2. Getting Started
This chapter explains how to access the Industrial Secure Router for the first time. There are three ways to
access the router: (1) serial console, (2) Telnet console, and (3) web browser. The serial console connection
method, which requires using a short serial cable to connect the Industrial Secure Router to a PC’s COM
port, can be used if you do not know the Industrial Secure Router’s IP address. The Telnet console and web
browser connection methods can be used to access the Industrial Secure Router over an Ethernet LAN, or
over the Internet. A web browser can be used to perform all monitoring and administration functions, but
the serial console and Telnet console only provide basic functions.
 RS-232 Console Configuration (115200, None, 8, 1, VT100)

 Using Telnet to Access the Industrial Secure Router’s Console
 Using a Web Browser to Configure the Industrial Secure Router
Industrial Secure Router Getting Started
RS-232 Console Configuration (115200, None,

8, 1, VT100)
NOTE Connection Caution!
We strongly suggest that you do NOT use more than one connection method at the same time. Following
this advice will allow you to maintain better control over the configuration of your Industrial Secure Router
NOTE We recommend using Moxa PComm Terminal Emulator, which can be downloaded free of charge from
Moxa’s website.
Before running PComm Terminal Emulator, use an RJ45 to DB9-F (or RJ45 to DB25-F) cable to connect the
Industrial Secure Router’s RS-232 console port to your PC’s COM port (generally COM1 or COM2, depending
on how your system is set up).
After installing PComm Terminal Emulator, perform the following steps to access the RS-232 console utility.
1. From the Windows desktop, click Start  Programs  PCommLite1.3  Terminal Emulator.
2. Select Open in the Port Manager menu to open a new connection.
3. The Communication Parameter page of the Property window will appear. Select the appropriate COM
port from the Ports drop-down list, 115200 for Baud Rate, 8 for Data Bits, None for Parity, and 1 for
Stop Bits.
2-2
4. Click the Terminal tab, select VT100 for Terminal Type, and then click OK to continue.
5. The Console login screen will appear. Use the keyboard to enter the login account (admin or user),
and then press Enter to jump to the Password field. Enter the console Password (the same as the Web
Browser password; leave the Password field blank if a console password has not been set), and then
press Enter.
NOTE The default password for the EDR series with firmware v3.0 and later is “moxa”. For previous firmware
versions, the default password is blank. For greater security, please change the default password after the
first log in.
6. Enter a question mark (?) to display the command list in the console.
The following table lists commands that can be used when the Industrial Secure Router is in console (serial
or Telnet) mode:
Login by Admin Account

Command Description
quit Exit Command Line Interface
exit Exit Command Line Interface
reload Halt and Perform a Cold Restart
terminal Configure Terminal Page Length
copy Import or Export File
save Save Running Configuration to Flash
ping Send Echo Messages
clear Clear Information
show Show System Information
configure Enter Configuration Mode
Using Telnet to Access the Industrial Secure

Router’s Console
You may use Telnet to access the Industrial Secure Router’s console utility over a network. To access the
EDR’s functions over the network (by either Telnet or a web browser) from a PC host that is connected to
the same LAN as the Industrial Secure Router, you need to make sure that the PC host and the Industrial
Secure Router are on the same logical subnet. To do this, check your PC host’s IP address and subnet mask.
By default, the LAN IP address is 192.168.127.254 and the Industrial subnet mask is 255.255.255.0 (for a
Class C subnet). If you do not change these values, and your PC host’s subnet mask is 255.255.0.0, then its
2-3
IP address must have the form 192.168.xxx.xxx. On the other hand, if your PC host’s subnet mask is
255.255.255.0, then its IP address must have the form, 192.168.127.xxx.
NOTE To use the Industrial Secure Router’s management and monitoring functions from a PC host connected to
the same LAN as the Industrial Secure Router, you must make sure that the PC host and the Industrial
Secure Router are connected to the same logical subnet.
NOTE Before accessing the console utility via Telnet, first connect the Industrial Secure Router’s RJ45 Ethernet
LAN ports to your Ethernet LAN, or directly to your PC’s Ethernet card (NIC). You can use either a straight-
through or cross-over Ethernet cable.
NOTE The Industrial Secure Router’s default LAN IP address is 192.168.127.254.
Perform the following steps to access the console utility via Telnet.
1. Click Start  Run, and then telnet to the Industrial Secure Router’s IP address from the Windows Run
window. (You may also issue the Telnet command from the MS-DOS prompt.)
2. Refer to instructions 6 and 7 in the RS-232 Console Configuration (115200, None, 8, 1, VT100)
section on page 2-2.
Using a Web Browser to Configure the

Industrial Secure Router
The Industrial Secure Router’s web browser interface provides a convenient way to modify the router’s
configuration and access the built-in monitoring and network administration functions. The recommended
web browser is Microsoft Internet Explorer 6.0 with JVM (Java Virtual Machine) installed.
NOTE To use the Industrial Secure Router’s management and monitoring functions from a PC host connected to
the same LAN as the Industrial Secure Router, you must make sure that the PC host and the Industrial
Secure Router are connected to the same logical subnet.
NOTE Before accessing the Industrial Secure Router’s web browser, first connect the Industrial Secure Router’s
RJ45 Ethernet LAN ports to your Ethernet LAN, or directly to your PC’s Ethernet card (NIC). You can use
either a straight-through or cross-over Ethernet cable.
NOTE The Industrial Secure Router’s default LAN IP address is 192.168.127.254.
Perform the following steps to access the Industrial Secure Router’s web browser interface.
1. Start Internet Explorer and type the Industrial Secure Router’s LAN IP address in the Address field. Press
Enter to establish the connection.
2-4
2. The web login page will open. Select the login account (Admin or User) and enter the Password (the
same as the Console password), and then click Login to continue. Leave the Password field blank if a
password has not been set.
NOTE The default password for the EDR series with firmware v3.0 and later is “moxa”. For previous firmware
versions, the default password is blank. For greater security, please change the default password after the
first log in.
You may need to wait a few moments for the web page to be downloaded to your computer. Use the menu
tree on the left side of the window to open the function pages to access each of the router’s functions.
2-5
3
3. EDR-810 Series Features and Functions
In this chapter, we explain how to access the Industrial Secure Router’s configuration options, perform
monitoring, and use administration functions. There are three ways to access these functions: (1) RS-232
console, (2) Telnet console, and (3) web browser.
The web browser is the most user-friendly way to configure the Industrial Secure Router, since you can both
monitor the Industrial Secure Router and use administration functions from the web browser. An RS-232 or
Telnet console connection only provides basic functions. In this chapter, we use the web browser to
introduce the Industrial Secure Router’s configuration and monitoring functions.
 Quick Setting Profile

 WAN Routing Quick Setting
 Bridge Routing Quick Setting
 System
 Fast Bootup Setting
 System Information
 User Account
 Password and Login Policy
 Date and Time
 Warning Notification
 SettingCheck
 System File Update—by Remote TFTP
 System File Update—by Local Import/Export
 System File Update –Import/Export the configurations stored on the ABC-02-USB
 Restart
 Reset to Factory Default
 Port
 Port Settings
 Port Status
 Link Aggregation
 The Port Trunking Concept
 Port Mirror
 Using Virtual LAN
 The VLAN Concept
 Configuring Virtual LAN
 Multicast
 The Concept of Multicast Filtering
 IGMP Snooping
 IGMP Snooping Settings
 IGMP Table
Industrial Secure Router EDR-810 Series Features and Functions
 Stream Table
 Static Multicast MAC
 QoS and Rate Control
 ToS/DSCP Mapping
 MAC Address Table
 Interface
 WAN
 LAN
 Bridge Group Interface
 Network Service
 DHCP Settings
 SNMP Settings
 SNMP Trap Setting
 Dynamic DNS
 Security
 User Interface Management
 Authentication Certificate
 Trusted Access
 RADIUS Server Settings
 Security Notification Setting
 Diagnosis
 Event Log
 Connection Status
3-2
Quick Setting Profile
WAN Routing Quick Setting

The EDR-810 series supports WAN Routing Quick Setting, which creates a routing function between LAN
ports and WAN ports defined by users. Follow the wizard’s instructions to configuring the LAN and WAN
ports.
Step 1: Define the WAN ports and LAN ports

Click on the ports in the figure to define the WAN ports and LAN ports.
Step 2: Configure the LAN IP address of the EDR-810 and the subnet address
of the LAN ports
Configure the LAN IP address of the EDR-810 to define the subnet of the LAN ports on the secure router.
The default IP address of the EDR-810 on the LAN side is 192.168.127.254, and the default subnet address
is 192.168.127.0/24.
3-3
Step 3: Configure the WAN port type

Configure the WAN port type to define how the secure router switch connects to the WAN.
Connect Type
Setting Description Factory Default
Dynamic IP Get the WAN IP address from a DHCP server or via a PPTP Dynamic IP
connection.
Static IP Set a specific static WAN IP address or create a connection to
a PPTP server with a specific IP address.
PPPoE Get the WAN IP address through PPPoE Dialup.
3-4
Dynamic IP
Static IP
PPPoE
Step 4: Enable services

Check Enable DHCP Server to enable the DHCP server for LAN devices. The default IP address range will
be set automatically. To modify the IP range, go to the DHCP Server page. N-1 NAT will be also enabled by
default.
3-5
Step 5: Activate the settings

Click the Activate button.
NOTE An existing configuration will be overwritten by new settings when processing WAN Routing Quick
Setting.
Bridge Routing Quick Setting

The EDR-810 series supports WAN Routing Quick Setting, which creates a routing function between LAN
ports and WAN ports defined by users. Follow the wizard’s instructions to configuring the LAN and WAN
ports.
Step1: Define the WAN port and Bridge ports

Click on the ports in the figure to define the WAN ports and Bridge ports.
3-6
Step 2: Configure the Bridge LAN IP address of the EDR-810 and the subnet
address of the Bridged ports
Configure the Bridge LAN Interface IP address of the EDR-810 to define the subnet of the Bridge LAN ports
on the secure router. The default IP address of the EDR-810 on the Bridge LAN side is 192.168.126.254,
and the default subnet address is 192.168.126.0/24.
Step 3: Configure the WAN port type

Configure the WAN port type to define how the secure router switch connects to the WAN.
Connect Type
Dynamic IP Get the WAN IP address from a DHCP server or via a PPTP Dynamic IP
connection.
Static IP Set a specific static WAN IP address or create a connection to
a PPTP server with a specific IP address.
PPPoE Get the WAN IP address through PPPoE Dialup.
3-7
Dynamic IP
Static IP
PPPoE
Step 4: Enable services

Check Enable DHCP Server to enable the DHCP server for LAN devices. The default IP address range will
be set automatically. To modify the IP range, go to the DHCP Server page. N-1 NAT will be also enabled by
default.
3-8
System
The System section includes the most common settings required by administrators to maintain and control
a Moxa switch.
Fast Bootup Setting

When booting up a normal security router it generally takes about 3 minutes to complete all the system
settings including firewall, NAT, and VPN. However, three minutes is too long for some users who require
the network connection earlier. When the fast boot up function is enabled, the EDR-810’s VLAN settings,
DHCP server, and WAN/LAN interface will be ready within 30 seconds. This allows end devices connected to
the EDR-810 to communicate with each other and get the IP address from the DHCP server much quicker.
Enable Fast Bootup Setting

Enable/Disable Enable or disable Fast Bootup Disable
NOTE Fast Bootup CANNNOT work together with Turbo Ring and RSTP protocols.
3-9
System Information
Defining System Information items to make different switches easier to identify that are connected to
your network.
Router Name
Max. 30 characters This option is useful for differentiating between the roles or Firewall/VPN Router
applications of different units. Example: Factory Switch 1.
Router Location
Max. 80 characters This option is useful for differentiating between the locations Device Location
of different units. Example: production line 1.
Router Description
Max. 30 characters This option is useful for recording a more detailed description None
of the unit.
Maintainer Contact Info

Max. 30 characters This option is useful for providing information about who is None
responsible for maintaining this unit and how to contact this
person.
Web Configuration
http or https Enable HTTP and HTTPS http or https
https only Enable HTTPS only
3-10
Users can define the message that will show up on the login page, and the message that will show up if
login fails. The maximum length of each message is 512 bytes.
User Account
The Moxa industrial secure router supports the management of accounts, including establishing, activating,
modifying, disabling and removing accounts. There are two levels of configuration access, admin and user.
The account belongs to admin privilege has read/write access of all configuration parameters, while the
account belongs to user authority has read access to view the configuration only.
NOTE 1. In consideration of higher security level, strongly suggest to change the default password after first log
in
2. The user with ‘admin’ account name can’t be deleted and disabled by default
3-11
Active
Checked The Moxa switch can be accessed by the activated user name
Enabled
Unchecked The Moxa switch can’t be accessed by the non-activated user
User Group
System Admin The account has read/write access of all configuration
parameters.
Configuration Admin The account has read/write access of all configuration
System Admin
parameters except create, delete, and modify account.
User The account can only read configurations but cannot make
any modifications.
Create New Account
Input the user name, password and assign the authority to the new account. Once apply the new setting,
the new account will be shown under the Account List table.

User Name User Name None
(Max. of 30
characters)
Password Password for the user account. None
Minimum requirement is 4 characters, maximum of 16
characters
Modify Existing Account
Select the existing account from the Account List table. Modify the details accordingly then apply the setting
to save the configuration.
3-12
Delete Existing Account
Select the existing account from the Account List table. Press delete button to delete the account.
Password and Login Policy

With password and login policy function enabled, administrators can set up complex login passwords to
improve the security of the system. At the same time, administrators can set up an account login failure
lockout time to avoid unauthorized users gaining access.
3-13
Account Password Policy

Enable/Disable Enable password complexity strength check Disable
Account Login Failure Lockout

Enable/Disable Enable Account Login Failure Lockout Disable
Date and Time

The Moxa industrial secure router has a time calibration function based on information from an NTP server
or user specified time and date. Functions such as automatic warning emails can therefore include time and
date stamp.
NOTE The Moxa industrial secure router does not have a real time clock. The user must update the Current Time
and Current Date to set the initial time for the Moxa switch after each reboot, especially when there is no
NTP server on the LAN or Internet connection.
System Up Time
Indicates how long the Moxa industrial secure router remained up since the last cold start.
3-14
Current Time
User-specified time Indicates time in yyyy-mm-dd format. None
Clock Source
Local Configure clock source from local time Local
NTP Configure clock source from NTP
SNTP Configure clock source from SNTP
Time Zone
Time zone Specifies the time zone, which is used to determine the local GMT (Greenwich
time offset from GMT (Greenwich Mean Time). Mean Time)
Daylight Saving Time

The Daylight Saving Time settings are used to automatically set the Moxa switch’s time forward according to
national standards.
Start Date
User-specified date Specifies the date that Daylight Saving Time begins. None
End Date
User-specified date Specifies the date that Daylight Saving Time ends. None
Offset
User-specified hour Specifies the number of hours that the time should be set None
forward during Daylight Saving Time.
NOTE Changing the time zone will automatically correct the current time. Be sure to set the time zone before
setting the time.
Time Server IP/Name

IP address or name of The IP or domain address (e.g., 192.168.1.1, None
time server time.stdtime.gov.tw, or time.nist.gov).
IP address or name of The Moxa switch will try to locate the secondary NTP server if
secondary time server the first NTP server fails to connect.
Enable NTP/SNTP Server

Enable/Disable Enables SNTP/NTP server functionality for clients Disabled
Warning Notification
Since industrial Ethernet devices are often located at the endpoints of a system, these devices will not
always know what is happening elsewhere on the network. This means that an industrial secure router that
connects to these devices must provide system maintainers with real-time alarm messages. Even when
control engineers are out of the control room for an extended period of time, they can still be informed of
the status of devices almost instantaneously when exceptions occur. The Moxa industrial secure router
supports different approaches to warn engineers automatically, such as email, trap, syslog and relay output.
It also supports one digital input to integrate sensors into your system to automate alarms by email and
relay output.
3-15
System Event Settings for EDR-810
System Events are related to the overall function of the switch. Each event can be activated independently
with different warning approaches. Administrator also can decide the severity of each system event.
System Events Description

Cold Start Power is cut off and then reconnected.
Warm Start Moxa industrial secure router is rebooted, such as when network
parameters are changed (IP address, subnet mask, etc.).
Power Transition (OnOff) Moxa industrial secure router is powered down.
Power Transition (OffOn) Moxa industrial secure router is powered up.
DI (Off) Digital input state is “0”
DI (On) Digital input state is “1”
Configuration Change Any configuration item has been changed
Authentication Failure An incorrect password was entered.
There are four response actions available on the EDS E series when events are triggered.
Action Description
Trap The industrial secure router will send notification to the trap server when event is
triggered
E-Mail The industrial secure router will send notification to the email server defined in the Email
Setting
Syslog The industrial secure router will record a syslog to syslog server defined in Syslog Server
Setting
Relay The industrial secure router supports digital inputs to integrate sensors. When event is
triggered, the device will automate alarms by relay output
Severity
Severity Description
Emergency System is unusable
Alert Action must be taken immediately
Critical Critical conditions
Error Error conditions
Warning Warning conditions
Notice Normal but significant condition
Information Informational messages
3-16
Debug Debug-level messages
Port Event Settings
Port Events are related to the activity of a specific port.
Port Events Warning e-mail is sent when…

Link-ON The port is connected to another device.
Link-OFF The port is disconnected (e.g., the cable is pulled out, or the opposing
device shuts down).
Event Log Setting
In event log setting, administrators can set up a warning for when the capacity of the system log is not
enough and how to deal with this. By utilizing this function, the administrator will not miss any system
events.
3-17
Email Settings
Mail Server IP/Name

IP address The IP Address of your email server. None
Account Name
Max. 45 of charters Your email account. None
Password Setting
Password The email account password. None
Email Address
Max. of 30 characters You can set up to 4 email addresses to receive alarm emails None
from the Moxa switch.
Send Test Email

After you complete the email settings, you should first click Apply to activate those settings, and then press
the Test button to verify that the settings are correct.
NOTE Auto warning e-mail messages will be sent through an authentication protected SMTP server that supports
the CRAM-MD5, LOGIN, and PAIN methods of SASL (Simple Authentication and Security Layer)
authentication mechanism.
We strongly recommend not entering your Account Name and Account Password if auto warning e-mail
messages can be delivered without using an authentication mechanism.
Syslog Server Settings
The Syslog function provides the event logs for the syslog server. The function supports 3 configurable
syslog servers and syslog server UDP port numbers. When an event occurs, the event will be sent as a
syslog UDP packet to the specified syslog servers. Each Syslog server can be activated separately by
selecting the check box and enable it.
3-18
Syslog Server 1/2/3

IP Address Enter the IP address of Syslog server 1/2/3, used by your None
network.
Port Destination Enter the UDP port of Syslog server 1/2/3. 514
(1 to 65535)
NOTE The following events will be recorded into the Moxa industrial secure router’s Event Log table, and will
then be sent to the specified Syslog Server:
• Cold start
• Warm start
• Configuration change activated
• Power 1/2 transition (Off (On), Power 1/2 transition (On (Off))
• Authentication fail
• Port link off/on
Relay Warning Status
When relay warning triggered by either system or port events, administrator can decide to shut down the
hardware warning buzzer by clicking Apply button. The event still be recorded in the event list.
3-19
SettingCheck
SettingCheck is a safety function for industrial users using a secure router. It provides a double
confirmation mechanism for when a remote user changes the security policies, such as Firewall filter,
NAT, and Accessible IP list. When a remote user changes these security polices, SettingCheck provides a
means of blocking the connection from the remote user to the Firewall/VPN device. The only way to correct
a wrong setting is to get help from the local operator, or go to the local site and connect to the device
through the console port, which could take quite a bit of time and money. Enabling the SettingCheck
function will execute these new policy changes temporarily until doubly confirmed by the user. If the user
does not click the confirm button, the Industrial Secure Router will revert to the previous setting.
Firewall Policy
Enables or Disables the SettingCheck function when the Firewall policies change.
NAT Policy
Enables or Disables the SettingCheck function when the NAT policies change.
Accessible IP List
Enables or Disables the SettingCheck function when the Accessible IP List changes.
Timer
10 to 3600 sec. The timer waits this amount of time to double confirm when 180 (sec.)
the user changes the policies
For example, if the remote user (IP: 10.10.10.10) connects to the Industrial Secure Router and changes the
accessible IP address to 10.10.10.12, or deselects the Enable checkbox accidently after the remote user
clicks the Activate button, connection to the Industrial Secure Router will be lost because the IP address is
not in the Industrial Secure Router’s Accessible IP list.
If the user enables the SettingCheck function with the Accessible IP list and the confirmer Timer is set to 15
seconds, then when the user clicks the Activate button on the accessible IP list page, the Industrial Secure
Router will execute the configuration change and the web browser will try to jump to the SettingCheck
Confirmed page automatically. Because the new IP list does not include the Remote user’s IP address, the
remote user cannot connect to the SettingCheck Confirmed page. After 15 seconds, the Industrial Secure
Router will roll back to the original Accessible IP List setting, allowing the remote user to reconnect to the
Industrial Secure Router and check what’s wrong with the previous setting.
3-20
If the new configuration does not block the connection from the remote user to the Industrial Secure
Router, the user will see the SettingCheck Confirmed page, shown in the following figure. Click Confirm to
save the configuration updates.
System File Update—by Remote TFTP

The Industrial Secure Router supports saving your configuration file to a remote TFTP server or local host to
allow other Industrial Secure Routers to use the same configuration at a later time, or saving the Log file for
future reference. Loading pre-saved firmware or a configuration file from the TFTP server or local host is
also supported to make it easier to upgrade or configure the Industrial Secure Router.
TFTP Server IP/Name

IP Address of TFTP The IP or name of the remote TFTP server. Must be None
Server configured before downloading or uploading files.
3-21
Configuration File Path and Name

Max. 40 Characters The path and filename of the Industrial Secure Router’s None
configuration file in the TFTP server.
Firmware File Path and Name

Max. 40 Characters The path and filename of the Industrial Secure Router’s None
firmware file.
Log File Path and Name

Max. 40 Characters The path and filename of the Industrial Secure Router’s log None
file
After setting up the desired path and filename, click Activate to save the setting. Next, click Download to
download the file from the remote TFTP server, or click Upload to upload a file to the remote TFTP server.
Text_Based configuration file encryption setting

Enable Password Type in the password for text-based configuration file None
encryption or decryption.

Enable Password The path and filename of the Industrial Secure Router’s None
configuration file is in the TFTP server. When the
configuration file is downloaded from the TFTP server, it is
exported from the EDR-810’s system with firmware version
3.4 or later. The configuration file uses file extension .txt file.
System File Update—by Local Import/Export
Log File
Click Export to export the Log file of the Industrial Secure Router to the local host.
3-22
NOTE Some operating systems will open the configuration file and log file directly in the web page. In such
cases, right click the Export button and then save as a file.
Upgrade Firmware
To import a firmware file that is exported from firmware V3.3 or previous versions into the Industrial Secure
Router, click Browse to select a firmware file already saved on your computer. The upgrade procedure will
proceed automatically after clicking Import. This upgrade procedure will take a couple of minutes to
complete, including the boot-up time.
Upload Configuration Data

To import a configuration file to the Industrial Secure Router, click Browse to select a configuration file
already saved on your computer. The upgrade procedure will proceed automatically after clicking Import.
Text-Based configuration file encryption setting

To export the configuration as an encrypted text-based (command line type) configuration file, click the
Enable Password checkbox and fill in the user-defined password, and then click Apply. The password is
also used for decrypting when importing an encrypted configuration file.
Upload Text-Based Configuration Data

To import a configuration file into the Industrial Secure Router, click Browse to select a configuration file
already saved on your computer. The upgrade procedure will proceed automatically after clicking Apply.
Download Text-Based Configuration Data

To export a configuration file, click Export to export the configuration file from the Industrial Secure Router
to the local host.
System File Update –Import/Export the configurations

stored on the ABC-02-USB
On large-scale networks, administrators need to configure many network devices. This is a time-consuming
process and errors often occur. By using Moxa’s Automatic Backup Configurator (ABC-02), the administrator
can easily duplicate the system configurations across many systems in a short period of time.
Administrators only need to set up the configuration in a system once including the firewall rule and
certificates, and then export the configuration file to the ABC-02. Then, the administrator can plug the ABC-
02-USB into other systems, which allows other systems to sync using the configuration files stored in the
ABC-02-USB. For more details about the ABC-02-USB, please visit:
https://www.moxa.com/product/Automatic_Backup_Configurator_ABC-02-USB.htm
Moxa’s Automatic Backup Configurator (ABC-02)
3-23
Auto Backup Configurator

Enable Allows a system to import or export configuration files and Enable
firmware
Automatically load configurations from the ABC-02 to the new system on boot up
Checked Allows a system to load configuration files from the ABC-02 Checked
automatically on boot up
Unchecked System will not load configuration files from the ABC-02
automatically on boot up
Automatically backup to ABC-02 when configurations change

Checked Allows a system to back up configuration files to the ABC-02 Checked
automatically when configurations change
Unchecked System will not backup configuration files to the ABC-02
automatically when configurations change
Automatically back up event logs to prevent overwrite

Checked Allow systems to automatically backup logs to the ABC-02 Checked
Unchecked System will not automatically back up logs to the ABC-02
NOTE The ABC-02 USB is an optional accessory and has to be purchased separately.
3-24
Restart
This function is used to restart the Industrial Secure Router.
Reset to Factory Default
The Reset to Factory Default option gives users a quick way of restoring the Industrial Secure Router’s
configuration settings to the factory default values. This function is available in the console utility (serial or
Telnet), and web browser interface.
NOTE After activating the Factory Default function, you will need to use the default network settings to re-
establish a web-browser or Telnet connection with your Industrial Secure Router.
Port
Port Settings
Port settings are included to give the user control over port access, port transmission speed, flow control,
and port type (MDI or MDIX).
Enable
Checked Allows data transmission through the port. Enabled
Unchecked Immediately shuts off port access.
3-25
Media Type
Media type Displays the media type for each module’s port N/A
Description
Max. 63 characters Specifies an alias for the port to help administrators None
differentiate between different ports. Example: PLC 1
Speed
Auto Allows the port to use the IEEE 802.3u protocol to negotiate Auto
with connected devices. The port and connected devices will
determine the best speed for that connection.
1G-Full Choose one of these fixed speed options if the connected
100M-Full Ethernet device has trouble auto-negotiating for line speed.
100M-Half
10M-Full
10M-Half
FDX Flow Ctrl

This setting enables or disables flow control for the port when the port’s Speed is set to Auto. The final
result will be determined by the Auto process between the Moxa switch and connected devices.

Enable Enables flow control for this port when the port’s Speed is set Disabled
to Auto.
Disable Disables flow control for this port when the port’s Speed is
set to Auto.
MDI/MDIX
Auto Allows the port to auto-detect the port type of the connected Auto
Ethernet device and change the port type accordingly.
MDI Choose MDI or MDIX if the connected Ethernet device has
MDIX trouble auto-negotiating for port type.
Port Status
This page informs the users about the current status of all the ports including the port transmission speed,
flow control, and port type (MDI or MDIX).
3-26
Link Aggregation
Link aggregation involves grouping links into a link aggregation group. A MAC client can treat link
aggregation groups as if they were a single link.
The Moxa industrial secure router’s port trunking feature allows devices to communicate by aggregating up
to 4 trunk groups, with a maximum of 8 ports for each group. If one of the 8 ports fails, the other seven
ports will automatically provide backup and share the traffic.
Port trunking can be used to combine up to 8 ports between two Moxa switches or industrial secure routers.
If all ports on both switches are configured as 100BaseTX and they are operating in full duplex, the potential
bandwidth of the connection will be 1600 Mbps.
The Port Trunking Concept

Moxa has developed a port trunking protocol that provides the following benefits:
• Greater flexibility in setting up your network connections, since the bandwidth of a link can be doubled,
tripled, or quadrupled.
• Redundancy—if one link is broken, the remaining trunked ports share the traffic within this trunk group.
• Load sharing—MAC client traffic can be distributed across multiple links.
To avoid broadcast storms or loops in your network while configuring a trunk, first disable or disconnect all
ports that you want to add to the trunk or remove from the trunk. After you finish configuring the trunk,
enable or re-connect the ports.
If all ports on both switch units are configured as 100BaseTX and they are operating in full duplex mode,
the potential bandwidth of the connection will be up to 1.6 Gbps. This means that users can double, triple,
or quadruple the bandwidth of the connection by port trunking between two Moxa switches.
Each Moxa industrial secure router can set a maximum of 4 port trunking groups. When you activate port
trunking, certain settings on each port will be reset to factory default values or disabled:
• Communication redundancy will be reset

• 802.1Q VLAN will be reset
• Multicast Filtering will be reset
• Port Lock will be reset and disabled.
• Set Device IP will be reset
• Mirror will be reset
After port trunking has been activated, you can configure these items again for each trunking port.
Port Trunking
The Port Trunking Settings page is where ports are assigned to a trunk group.
3-27
Step 1: Select the desired Trunk Group

Step 2: Select the desired Member Ports or Available Ports
Step 3: Use Up and Down to modify the Group Members
Trunk Group (maximum of 4 trunk groups)

Trk1, Trk2, Trk3, Trk4 Specifies the current trunk group. Trk1
(depends on switching
chip capability; some
products only support
3 trunk groups)
Trunking Status
The Trunking Status table shows the Trunk Group configuration status.
Port Mirror
The Port Mirror function can be used to monitor data being transmitted through a specific port. This is
done by setting up another port (the mirror port) to receive the same data being transmitted from, or both
to and from, the port under observation. Using a mirror port allows the network administrator to sniff the
observed port to keep tabs on network activity.
3-28
Port Mirroring Settings

Setting Description
Monitored Port Select the number of the ports whose network activity will be monitored. Multiple
port selection is acceptable.
Watch Direction Select one of the following two watch direction options:
• Input data stream:
Select this option to monitor only those data packets coming into the Moxa
industrial secure router’s port.
• Output data stream:
Select this option to monitor only those data packets being sent out through the
Moxa industrial secure router’s port.
• Bi-directional:
Select this option to monitor data packets both coming into, and being sent out
through, the Moxa industrial secure router’s port.
Mirror Port Select the number of the port that will be used to monitor the activity of the
monitored port.
Using Virtual LAN

Setting up Virtual LANs (VLANs) on your Moxa industrial secure router increases the efficiency of your
network by dividing the LAN into logical segments, as opposed to physical segments. In general, VLANs are
easier to manage.
The VLAN Concept
What is a VLAN?
A VLAN is a group of devices that can be located anywhere on a network, but which communicate as if they
are on the same physical segment. With VLANs, you can segment your network without being restricted by
physical connections—a limitation of traditional network design. With VLANs you can segment your network
into:
• Departmental groups—you could have one VLAN for the marketing department, another for the
finance department, and another for the product development department.
• Hierarchical groups—you could have one VLAN for directors, another for managers, and another for
general staff.
• Usage groups—you could have one VLAN for email users and another for multimedia users.
3-29
Benefits of VLANs
The main benefit of VLANs is that they provide a network segmentation system that is far more flexible than
traditional networks. Using VLANs also provides you with three other benefits:
• VLANs ease the relocation of devices on networks: With traditional networks, network
administrators spend much of their time dealing with moves and changes. If users move to a different
sub-network, the addresses of each host must be updated manually. With a VLAN setup, if a host
originally on VLAN Marketing, for example, is moved to a port on another part of the network, and
retains its original subnet membership, you only need to specify that the new port is on VLAN Marketing.
You do not need to do any re-cabling.
• VLANs provide extra security: Devices within each VLAN can only communicate with other devices on
the same VLAN. If a device on VLAN Marketing needs to communicate with devices on VLAN Finance, the
traffic must pass through a routing device or Layer 3 switch.
• VLANs help control traffic: With traditional networks, congestion can be caused by broadcast traffic
that is directed to all network devices, regardless of whether or not they need it. VLANs increase the
efficiency of your network because each VLAN can be set up to contain only those devices that need to
communicate with each other.
Managing a VLAN
A new or initialized Moxa industrial secure router contains a single VLAN—the Default VLAN. This VLAN has
the following definition:
• VLAN Name—Management VLAN

• 802.1Q VLAN ID—1 (if tagging is required)
All of the ports are initially placed on this VLAN, and it is the only VLAN that allows you to access the
management software of the Moxa switch over the network.
Configuring Virtual LAN

To configure 802.1Q VLAN on the Moxa switch, use the 802.1Q VLAN Settings page to configure the
ports.
802.1Q VLAN Settings
Management VLAN ID
VLAN ID from 1-4094 Assigns the VLAN ID of this Moxa switch. 1
3-30
Port Type
Access Port type is used to connect single devices without tags. Access
Trunk Select Trunk port type to connect another 802.1Q VLAN
aware switch.
Hybrid Select Hybrid port to connect another Access 802.1Q VLAN
aware switch or another LAN that combines tagged and/or
untagged devices and/or other switches/hubs.
PVID
VLAN ID from 1-4094 Sets the default VLAN ID for untagged devices that connect 1
to the port.
Tagged VLAN
VLAN ID from 1-4094 This field will be active only when selecting the Trunk or None
Hybrid port type. Set the other VLAN ID for tagged devices
that connect to the port. Use commas to separate different
VIDs.
Untagged VLAN
VLAN ID from 1-4094 This field will be active only when selecting the Trunk or None
Hybrid port type. Set the other VLAN ID for tagged devices
that connect to the port and tags that need to be removed in
egress packets. Use commas to separate different VIDs.
Quick Setting Panel
Click the triangle to open the Quick Setting Panel. Use this panel for quick and easy configuration of VLAN
settings.
Input multi port numbers in the “Port” column, and Port Type, Tagged VLAN ID, and untagged VLAN ID, and
then click the Set to Table button to create VLAN ID configuration table.
3-31
VLAN Table
Use the 802.1Q VLAN Table to review the VLAN groups that were created, Joined Access Ports, Trunk
Ports, and Hybrid Ports, and also Action for deleting VLANs which have no member ports in the list.
Multicast
Multicast filtering improves the performance of networks that carry multicast traffic. This section explains
multicasts, multicast filtering, and how multicast filtering can be implemented on your Moxa industrial
secure router.
The Concept of Multicast Filtering

What is an IP Multicast?
A multicast is a packet sent by one host to multiple hosts. Only those hosts that belong to a specific
multicast group will receive the multicast. If the network is set up correctly, a multicast can only be sent to
an end-station or a subset of end-stations on a LAN or VLAN that belong to the multicast group. Multicast
group members can be distributed across multiple subnets, so that multicast transmissions can occur within
a campus LAN or over a WAN. In addition, networks that support IP multicast send only one copy of the
desired information across the network until the delivery path that reaches group members diverges. To
make more efficient use of network bandwidth, it is only at these points that multicast packets are
duplicated and forwarded. A multicast packet has a multicast group address in the destination address field
of the packet’s IP header.
Benefits of Multicast
The benefits of using IP multicast are:
• It uses the most efficient, sensible method to deliver the same information to many receivers with only
one transmission.
• It reduces the load on the source (for example, a server) since it will not need to produce several copies
of the same data.
• It makes efficient use of network bandwidth and scales well as the number of multicast group members
increases.
• Works with other IP protocols and services, such as Quality of Service (QoS).
Multicast transmission makes more sense and is more efficient than unicast transmission for some
applications. For example, multicasts are often used for video-conferencing, since high volumes of traffic
must be sent to several end-stations at the same time, but where broadcasting the traffic to all end-stations
would cause a substantial reduction in network performance. Furthermore, several industrial automation
protocols, such as Allen-Bradley, EtherNet/IP, Siemens Profibus, and Foundation Fieldbus HSE (High Speed
Ethernet), use multicast. These industrial Ethernet protocols use publisher/subscriber communications
models by multicasting packets that could flood a network with heavy traffic. IGMP Snooping is used to
prune multicast traffic so that it travels only to those end destinations that require the traffic, reducing the
amount of traffic on the Ethernet LAN.
Multicast Filtering
Multicast filtering ensures that only end-stations that have joined certain groups receive multicast traffic.
With multicast filtering, network devices only forward multicast traffic to the ports that are connected to
registered end-stations. The following two figures illustrate how a network behaves without multicast
filtering, and with multicast filtering.
3-32
Network without multicast filtering

All hosts receive the multicast
traffic, even if they don’t need it.
Network with multicast filtering

Hosts only receive dedicated traffic
from other hosts belonging to the
same group.
Multicast Filtering and Moxa’s Industrial Secure Routers

The Moxa industrial secure router has two ways to achieve multicast filtering: IGMP (Internet Group
Management Protocol) Snooping and adding a static multicast MAC manually to filter multicast traffic
automatically.
Snooping Mode
Snooping Mode allows your industrial secure router to forward multicast packets only to the appropriate
ports. The router snoops on exchanges between hosts and an IGMP device to find those ports that want to
join a multicast group, and then configures its filters accordingly.
Query Mode
Query mode allows the Moxa router to work as the Querier if it has the lowest IP address on the subnetwork
to which it belongs.
IGMP querying is enabled by default on the Moxa router to ensure proceeding query election. Enable query
mode to run multicast sessions on a network that does not contain IGMP routers (or queriers). Query mode
allows users to enable IGMP snooping by VLAN ID. Moxa industrial secure router support IGMP snooping
version 1, version 2 and version 3. Version 2 is compatible with version 1.The default setting is IGMP V1/V2.
"
IGMP Multicast Filtering

IGMP is used by IP-supporting network devices to register hosts with multicast groups. It can be used on all
LANs and VLANs that contain a multicast capable IP router, and on other network devices that support
multicast filtering. Moxa switches support IGMP version 1, 2 and 3. IGMP version 1 and 2 work as follows::
3-33
• The IP router (or querier) periodically sends query packets to all end-stations on the LANs or VLANs that
are connected to it. For networks with more than one IP router, the router with the lowest IP address is
the querier. A switch with IP address lower than the IP address of any other IGMP queriers connected to
the LAN or VLAN can become the IGMP querier.
• When an IP host receives a query packet, it sends a report packet back that identifies the multicast
group that the end-station would like to join.
• When the report packet arrives at a port on a switch with IGMP Snooping enabled, the switch knows that
the port should forward traffic for the multicast group, and then proceeds to forward the packet to the
router.
• When the router receives the report packet, it registers that the LAN or VLAN requires traffic for the
multicast groups.
• When the router forwards traffic for the multicast group to the LAN or VLAN, the switches only forward
the traffic to ports that received a report packet.
IGMP version 3 supports “source filtering,” which allows the system to define how to treat packets from
specified source addresses. The system can either white-list or black-list specified sources.
IGMP version comparison

IGMP Version Main Features Reference
V1 a. Periodic query RFC-1112
V2 Compatible with V1 and adds: RFC-2236
a. Group-specific query
b. Leave group messages
c. Resends specific queries to verify leave message was the last one
in the group
d. Querier election
V3 Compatible with V1, V2 and adds: RFC-3376
a. Source filtering
- accept multicast traffic from specified source
- accept multicast traffic from any source except the specified source
Static Multicast MAC

Some devices may only support multicast packets, but not support either IGMP Snooping. The Moxa
industrial secure router supports adding multicast groups manually to enable multicast filtering.
Enabling Multicast Filtering

Use the USB console or web interface to enable or disable IGMP Snooping and IGMP querying. If IGMP
Snooping is not enabled, then IP multicast traffic is always forwarded, flooding the network.
IGMP Snooping
IGMP Snooping provides the ability to prune multicast traffic so that it travels only to those end destinations
that require that traffic, thereby reducing the amount of traffic on the Ethernet LAN.
IGMP Snooping Settings
Enable IGMP Snooping (Global)

Enable/Disable Checkmark the Enable IGMP Snooping checkbox near the top Disabled
of the window to enable the IGMP Snooping function globally.
3-34
Query Interval (sec)

Numerical value, input Sets the query interval of the Querier function globally. Valid 125 seconds
by the user settings are from 20 to 600 seconds.
Enable IGMP Snooping

Enable/Disable Enables or disables the IGMP Snooping function on that Enabled if IGMP
particular VLAN. Snooping is enabled
globally
Querier
Enable/Disable Enables or disables the Moxa Industrial Secure Router’s Disabled
querier function.
V1/V2 and V3 V1/V2: Enables the Moxa Industrial Secure Router to send V1/V2
Checkbox IGMP snooping version 1 and 2 queries
V3: Enables the Moxa Industrial Secure Router to send IGMP
snooping version 3 queries
Static Multicast Querier Port

Select/Deselect Select the ports that will connect to the multicast routers. Disabled
These ports will receive all multicast packets from the source.
This option is only active when IGMP Snooping is enabled.
NOTE If a router or layer 3 switch is connected to the network, it will act as the Querier, and consequently this
Querier option will be disabled on all Moxa layer 2 switches.
If all switches on the network are Moxa layer 2 switches, then only one layer 2 switch will act as Querier.
IGMP Table
The Moxa industrial secure router displays the current active IGMP groups that were detected. View IGMP
group setting per VLAN ID on this page.
The information shown in the table includes:
• Auto Learned Multicast Router Port: This indicates that a multicast router connects to/sends packets
from these port(s).
• Static Multicast Router Port: Displays the static multicast querier port(s)
• Querier Connected Port: Displays the port which is connected to the querier
• Act as a Querier: Displays whether or not ths VLAN is a querier (winner of a election)
• Group: Displays the multicast group addresses
• Port: Displays the port which receive the multicast stream/the port the multicast stream is forwarded to
• Version: Displays the IGMP Snooping version
• Filter Mode: Indicates the multicast source address is included or excluded. Displays Include or Exclude
when IGMP v3 is enabled
• Sources: Displays the multicast source address when IGMP v3 is enabled
3-35
Stream Table
This page displays the multicast stream forwarding status. It allows you to view the status per VLAN ID.
Stream Group: Multicast group IP address
Stream Source: Multicast source IP address
Port: Which port receives the multicast stream
Member ports: Ports the multicast stream is forwarded to
Static Multicast MAC
NOTE 01:00:5E:XX:XX:XX on this page is the IP multicast MAC address. Please activate IGMP Snooping for
automatic classification.
MAC Address
Integer Input the number of the VLAN that the host with this MAC None
address belongs to.
Join Port
Select/Deselect Checkmark the appropriate check boxes to select the join None
ports for this multicast group.
3-36
QoS and Rate Control
QoS Classification
The Moxa switch supports inspection of layer 3 ToS and/or layer 2 CoS tag information to determine how to
classify traffic packets.
Scheduling Mechanism
Weight Fair The Moxa industrial secure router has 4 priority queues. In Weight Fair
the weight fair scheme, an 8, 4, 2, 1 weighting is applied to
the four priorities. This approach prevents the lower priority
frames from being starved of opportunity for transmission
with only a slight delay to the higher priority frames.
Strict In the Strict-priority scheme, all top-priority frames egress a
port until that priority’s queue is empty, and then the next
lower priority queue’s frames egress. This approach can
cause the lower priorities to be starved of opportunity for
transmitting any frames but ensures that all high priority
frames will egress the switch as soon as possible.
Inspect ToS
Enable/Disable Enables or disables the Moxa industrial secure router for Enabled
inspecting Type of Service (ToS) bits in the IPV4 frame to
determine the priority of each frame.
Inspect COS
Enable/Disable Enables or disables the Moxa industrial secure router for Enabled
inspecting 802.1p CoS tags in the MAC frame to determine
the priority of each frame.
3-37
Port Priority
Port priority The port priority has 4 priority queues. Low, normal, medium, 3(Normal)
high priority queue option is applied to each port.
NOTE The priority of an ingress frame is determined in the following order:
1. Inspect CoS
2. Inspect ToS
3. Port Priority
NOTE The designer can enable these classifications individually or in combination. For instance, if a “hot” higher
priority port is required for a network design, Inspect TOS and Inspect CoS can be disabled. This setting
leaves only port default priority active, which results in all ingress frames being assigned the same priority
on that port.
CoS Mapping
CoS Value and Priority Queues

Low/Normal/ Maps different CoS values to 4 different egress queues. Low
Medium/High Normal
Medium
High
3-38
ToS/DSCP Mapping
ToS (DSCP) Value and Priority Queues

Low/Normal/ Maps different TOS values to 4 different egress queues. 1 to 16: Low
Medium/High 17 to 32: Normal
33 to 48: Medium
49 to 64: High
Rate Limiting
In general, one host should not be allowed to occupy unlimited bandwidth, particularly when the device
malfunctions. For example, so-called “broadcast storms” could be caused by an incorrectly configured
topology, or a malfunctioning device. Moxa industrial secure routers not only prevent broadcast storms, but
can also be configured to a different ingress rate for all packets, giving administrators full control of their
limited bandwidth to prevent undesirable effects caused by unpredictable faults.
3-39
Ingress Policy
Limit All Select the ingress rate limit for different packet types Limit Broadcast
Limit Broadcast, Multicast,
Flooded Unicast
Limit Broadcast, Multicast
Limit Broadcast
Ingress/Egress Rate
Ingress/Egress Rate Select the ingress/egress rate limit (% of max. Not Limited
throughput) for all packets from the following options:
Not Limited, 3%, 5%, 10%, 15%, 25%, 35%, 50%,
65%, 85%
MAC Address Table

The MAC address table shows the MAC address list pass through Moxa industrial secure router. The length
of time (Ageing time: 15 to 3825 seconds) is the parameter defines the length of time that a MAC address
entry can remain in the Moxa router. When an entry reaches its aging time, it “ages out” and is purged from
the router, effectively cancelling frame forwarding to that specific port.
The MAC Address table can be configured to display the following Moxa industrial secure router MAC address
groups, which are selected from the drop-down list.
Drop Down List

ALL Select this item to show all of the Moxa industrial secure router’s MAC addresses.
ALL Learned Select this item to show all of the Moxa industrial secure router’s Learned MAC
addresses.
ALL Static Select this item to show all of the Moxa industrial secure router’s Static, Static
Lock, and Static Multicast MAC addresses.
ALL Multicast Select this item to show all of the Moxa industrial secure router’s Static Multicast
MAC addresses.
Port x Select this item to show all of the MAC addresses dedicated ports.
The table displays the following information:
MAC Address This field shows the MAC address.

Type This field shows the type of this MAC address.
Port This field shows the port that this MAC address belongs to.
3-40
Interface
WAN
VLAN ID
Moxa Industrial Secure Router’s WAN interface is configured by VLAN group. The ports with the same
VLAN can be configured as one WAN interface.
Connection
Note that there are three different connection types for the WAN interface: Dynamic IP, Static IP, and
PPPoE. A detailed explanation of the configuration settings for each type is given below.
Connection Mode
Enable or Disable Enable or Disable the WAN interface Enable
Connection Type
Static IP, Dynamic IP, Setup the connection type Dynamic IP
PPPoE
Detailed Explanation of Dynamic IP Type
PPTP Dialup
Point-to-Point Tunneling Protocol is used for Virtual Private Networks (VPN). Remote users can use PPTP to
connect to private networks from public networks.
PPTP Connection
Enable or Disable Enable or Disable the PPTP connection None
IP Address
IP Address The PPTP service IP address None
3-41
User Name
Max. 30 Characters The Login username when dialing up to PPTP service None
Password
Max. 30 characters The password for dialing the PPTP service None
MPPE Encryption
None/Encrypt Enable or disable the MPPE encryption None
Example
Suppose a remote user (IP: 10.10.10.10) wants to connect to the internal server (private IP: 30.30.30.10)
via the PPTP protocol. The IP address for the PPTP server is 20.20.20.1. The necessary configuration
settings are shown in the following figure.
DNS (Doman Name Server; optional setting for Dynamic IP and PPPoE types)
Server 1/2/3
IP Address The DNS IP address None
NOTE The priority of a manually configured DNS will be higher than the DNS from the PPPoE or DHCP server.
3-42
Detailed Explanation of Static IP Type
Address Information
IP Address
IP Address The interface IP address None
Subnet Mask
IP Address The subnet mask None
Gateway
IP Address The Gateway IP address None
Detailed Explanation of PPPoE Type
PPPoE Dialup
User Name
Max. 30 characters The User Name for logging in to the PPPoE server None
3-43
Host Name
Max. 30 characters User-defined Host Name of this PPPoE server None
Password
Max. 30 characters The login password for the PPPoE server None
LAN
Create aVLAN Interface

Input a name of the LAN interface, select a VLAN ID that is already configured in VLAN Setting under the
Layer 2 Function, and assign an IP address/Subnet Mask/Virtual MAC Address for the interface. Checkmark
the Enable checkbox to enable this interface.
Delete a LAN Interface

Select the item in the LAN Interface List, and then click Delete to delete the item.
Modify a LAN Interface

Select the item in the LAN Interface List. Modify the attributes and then click Modify to change the
configuration.
Activate the LAN Interface List

After adding/deleting/modifying any LAN interface, be sure to click Activate.
NOTE You can create up to 16 LAN interfaces by configuring each port with unique VLAN ID numbers.
Bridge Group Interface

When ports are set in the VLAN, the packets transmitted within these ports will be forwarded by the
switching chip without being filtered by the firewall. However, in some scenarios, it is required to filter
specific packets transmitted within the VLAN. By selecting ports as Bridge port, the packets transmitted
between these ports will be checked by the firewall.
In addition, when ports are set in different VLANs, the packets transmitted within these VLANs will be routed
by the switching chip locally, without being inspected by the firewall. However in some scenarios, it is
required to filter specific packets transmitted within VLANs. By selecting VLAN to join Bridge Zone, the
packets transmitted between these two zones will be checked by the firewall.
3-44
Adding Ports/VLANs into the Bridge Interface
Port Base
First, select Port-Base in Bridge Type. Then input a name for the Bridge interface and assign an IP
address/Subnet Mask for the interface. In order to enable this feature, checkmark the Enable checkbox.
Finally, please select the port that will be set as the bridge port and check Apply.
3-45
Zone base
First, select Zone-Base in Bridge Type. Next, input a name of the Bridge Zone interface and assign an IP
address/Subnet Mask for the interface. In order to enable this feature, checkmark the Enable checkbox.
Then, Zone-1 and Zone-2 will display on the page. Finally, please select which VLAN should join Zone-1 and
which VLAN should join Zone-2 and then check Apply.
Modify and Cancel the Bridge Group Interface
In order to modify which Bridge member has been selected, users can simply check new ports/VLANs under
the bridge member section, and uncheck ports/VLANs they no longer want to be a member of the bridge
LAN. Finally, they should click Apply.
3-46
NOTE When bridge setting is canceled, for example removing all ports or VLANs from bridge inter, the bridge
interface will still be alive. Even though there is no port in bridge interface, user can see VLAN ID of bridge
interface in VLAN table, e.g.4040, 4041. To remove bride interface, please modify PVID in VLAN Settings.
Network Service
DHCP Settings
Global Settings
DHCP Server Mode

Disable/ Select the DHCP Server Mode Disabled
Dynamic/Static IP Assignment/
Port-based IP Assignment
DHCP Server
The Industrial Secure Router provides a DHCP (Dynamic Host Configuration Protocol) server function for
LAN interfaces. When configured, the Industrial Secure Router will automatically assign an IP address to a
Ethernet device from a defined IP range.
Dynamic IP Assignment
DHCP Server Enable/Disable

Enable/Disable Enable or disable DHCP server function Disable
3-47
Pool First IP Address

IP Address The first IP address of the offered IP address range 0.0.0.0
for DHCP clients
Pool Last IP Address

IP Address The last IP address of the offered IP address range 0.0.0.0
for DHCP clients
Netmask
Netmask The netmask for DHCP clients 0.0.0.0
Lease Time
≥ 5min. The lease time of the DHCP server None
Default Gateway
IP Address The default gateway for DHCP clients 0.0.0.0
DNS Server
IP Address The DNS server for DHCP clients 0.0.0.0
NTP Server
IP Address The NTP server for DHCP clients 0.0.0.0
NOTE 1. The DHCP Server is only available for LAN interfaces.

2. The Pool First/Last IP Address must be in the same Subnet on the LAN.
Static DHCP
Use the Static DHCP list to ensure that devices connected to the Industrial Secure Router always use the
same IP address. The static DHCP list matches IP addresses to MAC addresses.
3-48
In the above example, a device named “Device-01” was added to the Static DHCP list, with a static IP
address set to 192.168.127.101 and MAC address set to 00:09:ad:00:aa:01. When a device with a MAC
address of 00:09:ad:00:aa:01 is connected to the Industrial Secure Router, the Industrial Secure Router
will offer the IP address 192.168.127.101 to this device.
Static DHCP Enable/Disable

Enable/Disable Enable or disable Static DHCP server function Disable
Name
Max. 30 characters The name of the selected device in the Static DHCP None
list
MAC Address
MAC Address The MAC address of the selected device None
Static IP
IP Address The IP address of the selected device None
Netmask
Netmask The netmask for the selected device 0.0.0.0
Lease Time
≥ 5min. The lease time of the selected device None
Default Gateway
IP Address The default gateway for the selected device 0.0.0.0
DNS Server
IP Address The DNS server for the selected device 0.0.0.0
NTP Server
IP Address The NTP server for the selected device 0.0.0.0
Clickable Buttons
Add
Use the Add button to input a new DHCP list. The Name, Static IP, and MAC address must be different from
any existing list.
Delete
Use the Delete button to delete a Static DHCP list. Click on a list to select it (the background color of the
device will change to blue) and then click the Delete button.
Modify
To modify the information for a particular list, click on a list to select it (the background color of the device
will change to blue), modify the information as needed using the check boxes and text input boxes near the
top of the browser window, and then click Modify.
3-49
IP-Port Binding
IP-Port Binding Enable/Disable

Enable/Disable Enable or disable IP-Port Binding function Disable
Port
IP Address Set the desired IP of the connected devices None
Static IP
IP Address The IP address of the connected device None
Netmask
Netmask The netmask for the connected device 0.0.0.0
Lease Time
≥ 5min. The lease time of the connected device None
Default Gateway
IP Address The default gateway for the connected device 0.0.0.0
DNS Server
IP Address The DNS server for the connected device 0.0.0.0
NTP Server
IP Address The NTP server for the connected device 0.0.0.0
Client List
Use the Client List to view the current DHCP clients.
3-50
SNMP Settings
The Industrial Secure Router supports SNMP V1/V2c/V3. SNMP V1 and SNMP V2c use a community string
match for authentication, which means that SNMP servers access all objects with read-only permissions
using the community string public (default value). SNMP V3, which requires that the user selects an
authentication level of MD5 or SHA, is the most secure protocol. You can also enable data encryption to
enhance data security. SNMP security modes and security levels supported by the Industrial Secure Router
are shown in the following table. Select the security mode and level that will be used to communicate
between the SNMP agent and manager.
Protocol UI Setting Authentication Data Encryption Method

Version Type
SNMP V1, V2c V1, V2c Read Community string No Uses a community string
Community match for authentication
SNMP V3 MD5 or SHA Authentication based No Provides authentication
on MD5 or SHA based on HMAC-MD5, or
HMAC-SHA algorithms. 8-
character passwords are the
minimum requirement for
authentication.
MD5 or SHA Authentication based Data encryption Provides authentication
on MD5 or SHA key based onHMAC-MD5 or
HMAC-SHA algorithms, and
data encryption key. 8-
character passwords and a
data encryption key are the
minimum requirements for
authentication and
encryption.
These parameters are configured on the SNMP page. A more detailed explanation of each parameter is
given below.
3-51
SNMP Versions
Disable Select the SNMP protocol version used to manage the secure Disable
V1, V2c, V3, or router.
V1, V2c, or
V3 only
Auth. Type
MD5 Provides authentication based on the HMAC-MD5 algorithms. MD5
8-character passwords are the minimum requirement for
authentication.
SHA Provides authentication based on the HMAC-SHA algorithms.
8-character passwords are the minimum requirement for
authentication.
No-Auth Provides no authentication
Data Encryption Enable/Disable

Enable/Disable Enable of disable the data encryption Disable
Encrypt type
DES/AES Select encryption mechanism DES
Data Encryption Key

Max. 30 Characters 8-character data encryption key is the minimum requirement None
for data encryption
Community Name
Max. 30 Characters Use a community string match for authentication Public
Access Control
Read/Write Access control type after matching the community string Read/Write
Read only (Public MIB
only)
No Access
Target IP Address
IP Address Enter the IP address of the Trap Server used by your network. 0.0.0.0.
3-52
SNMP Trap Setting

For EDR-G902/G903, when the events listed below occur, users can decide whether to send SNMP trap to
notify the administrator.

Warm Start Moxa’s industrial secure router is rebooted, such as when network
parameters are changed (IP address, subnet mask, etc.).
Power Transition (On->Off) Moxa’s industrial secure router is powered down.
Power Transition (Off->On) Moxa’s industrial secure router is powered up.
Port Events Description

Link-On The Port is connected to another device.
Link-Off The port is disconnected (e.g., the cable is pulled out, or the opposing
device shuts down).
Dynamic DNS
Dynamic DNS (Domain Name Server) allows you to use a domain name to connect to the Industrial Secure
Router. The Industrial Secure Router can connect to 4 free DNS servers and register the user configurable
Domain name in these servers.
3-53
Service
> Disable Disable or select the DNS server Disable
> freedns.afraid.org
> www.3322.org
> members.dyndns.org
> dynupdate.no-ip.com
User Name
Max. 30 characters The DNS server’s user name None
Password
Max. 30 characters The DNS server’s password None
Verify Password
Max. 30 characters Verifies the DNS server password None
Domain name
Max. 30 characters The DNS server’s domain name None
Security
User Interface Management
Enable MOXA Utility

Select/Deselect Select the appropriate checkboxes to enable MOXA Selected
Utility
Enable Telnet
Select/Deselect Select the appropriate checkboxes to enable Telnet Selected
Port: 23
3-54
Enable SSH
Select/Deselect Select the appropriate checkboxes to enable SSH Selected
Port: 22
Enable HTTP
Select/Deselect Select the appropriate checkboxes to enable HTTP Selected
Port: 80
Enable HTTPS
Select/Deselect Select the appropriate checkboxes to enable HTTPS Selected
Port: 443
Enable Ping Response (WAN)

Select/Deselect When the WAN connection has been established, if the WAN Deselect
port is pinged it will send a response.
Maximum Login Users For HTTP+HTTTPS

Maximum Login Users Set a limit for the amount of users who can be logged in to N/A
For HTTP+HTTTPS the EDR-810 using HTTP and HTTPS. The maximum number
of users using HTTP and HTTPS is 10.
Maximum Login Users For Telnet+SSH

Maximum Login Users Set a limit for the amount of users who can be logged in to N/A
For Telnet+SSH the EDR-810 using HTTP and HTTPS. The maximum
supported user numbers of Telnet+SSH is 5.
Auto Logout Setting (min)

Auto Logout Setting When the user does not touch the EDR-810 management 5
(min) interface for a defined period of time, the management
interface will logout automatically. The EDR-810 default
setting is 5 minutes.
NOTE To ping WAN port successfully, please make sure “Ping Response (WAN)” is checked, and ping sender IP is
in “Trusted Access” list or “Accept all connection from LAN port” in Trusted Access is checked.
Authentication Certificate
Authentication certificate refers to certificates that use HTTPS. The web console certificate can be generated
by the EDR-810 automatically or users can choose the certificate imported in Local certificate.
3-55
Certificate Database
Auto Generate The EDR-810 will generate a certificate automatically. If not, Auto Generate
please select “Re-Generate” to generate a certificate. Auto
Generate is the default setting.
Local Certificate Select the certificate you import into Local Certificate. The
Database certificate that is loaded here is limited to “Certificate from
CSR” and “Certificate From PKCS#12”.
SSH Key Re-generate

Select/Deselect Enable the SSH Key Re-generate Deselect
Trusted Access
The EDR-810 uses an IP address-based filtering method to control access.
You may add or remove IP addresses to limit access to the Moxa industrial secure router. When the
accessible IP list is enabled, only addresses on the list will be allowed access to the Moxa industrial secure
router. Each IP address and netmask entry can be tailored for different situations:
3-56
• Grant access to one host with a specific IP address

For example, enter IP address 192.168.1.1 with netmask 255.255.255.255 to allow access to
192.168.1.1 only.
• Grant access to any host on a specific subnetwork
For example, enter IP address 192.168.1.0 with netmask 255.255.255.0 to allow access to all IPs on the
subnet defined by this IP address/subnet mask combination.
• Grant access to all hosts
Make sure the accessible IP list is not enabled. Remove the checkmark from Enable the accessible IP
list.
The following table shows additional configuration examples:
Hosts That Need Access Input Format

Any host Disable
192.168.1.120 192.168.1.120 / 255.255.255.255
192.168.1.1 to 192.168.1.254 192.168.1.0 / 255.255.255.0
192.168.0.1 to 192.168.255.254 192.168.0.0 / 255.255.0.0
192.168.1.1 to 192.168.1.126 192.168.1.0 / 255.255.255.128
192.168.1.129 to 192.168.1.254 192.168.1.128 / 255.255.255.128
RADIUS Server Settings

For the entire network, users can set up two RADIUS servers. One functions as the primary and the other
one as the backup server. When the primary RADIUS server fails, the EDR-810 will switch the connection to
the backup RADIUS server.
Radius Status
Enable/Disable Enable to use the same setting as Auth Server Disable
Type
PAP Authentication type of Radius server PAP
CHAP
Primary/ Backup Server Setting

RADIUS Server Specifies the IP/name of the server None
RADIUS Port Specifies the port of the server 1812
RADIUS Secret Specifies the shared key of the server None
3-57
Security Notification Setting

When the events below are displayed, the EDR-810 will send an SNMP trap to notify the server.
Diagnosis
When the system is setup, users can send an ICMP command-Ping to verify if the connection or firewall is
functioning.
3-58
Event Log
By default, all event logs will be displayed in the table. You can filter three types of event logs, System,
VPN, and Firewall, combined with severity level.
Connection Status
For the connection status, the user can monitor most types of connection status including NAT, firewall,
routing, and VPN. The data connection are will be shown in the list, e.g. source/ destination IP, protocol,
and packet amount.
3-59
4
4. EDR-G902/G903 Series Features and
Functions
 Overview
 Configuring Basic Settings
 System Identification
 Hardware Acceleration
 Accessible IP
 Password
 Time
 SettingCheck
 Relay Event Setup
 Warning
 System Event Setting
 System File Update—by Remote TFTP
 System File Update—by Local Import/Export
 Backup Media
 Restart
 Reset to Factory Default
 Network Settings
 Mode Configuration
 Link Fault Passthrough
 MTU Configuration (for EDR-810/G902/G903)
 Speed Configuration
 WAN1 Configuration
 WAN2 Configuration (includes DMZ Enable)
 Using DMZ Mode
 LAN Interface
 802.1Q VLAN Setting
 Communication Redundancy
 WAN Backup (EDR-G903 only)
 Security
 User Interface Management
 Authentication Certificate
 RADIUS Settings
 Traffic Prioritization Setup
 Monitor
 System Log
Industrial Secure Router EDR-G902/G903 Series Features and Functions
 EventLog
 Syslog
4-2
Overview
The Overview page is divided into three major parts: Interface Status, Basic function status, and Recent 10
Event logs, and gives users a quick overview of the EtherDevice Router’s current settings.
Click More… at the top of the Interface Status table to see detailed information about all interfaces.
4-3
Click More… at the top of the Recent 10 Event Log table to open the EventLogTable page.
Configuring Basic Settings

The Basic Settings group includes the most commonly used settings required by administrators to maintain
and control the EDR-G903.
System Identification
The system identification section gives you an easy way to identify the different switches connected to your
network.
Router name
Max. 30 Characters This option is useful for specifying the role or application of Firewall/VPN router
different EDR-G903 units. [Serial No. of this
E.g., Factory Router 1. switch]
Router Location
Max. 80 Characters To specify the location of different EDR-G903 units. Device Location
E.g., production line 1.
Router Description
Max. 30 Characters Use this field to enter a more detailed description of the EDR- None
G903 unit.
4-4
Maintainer Contact Info

Max. 30 Characters Enter the contact information of the person responsible for None
maintaining this EDR-G903
Web Configuration
http or https Users can connect to the EDR-G903 router via http or https http or https
protocol.
https only Users can connect to the EDR-G903 router via https protocol
only.
Hardware Acceleration
By optimizing the hardware and software, the throughput of the functions below will be improved, including
IPv4 Ethernet (Routing/ NAT/ Firewall), PPPoE ad tagged VLAN packet. Please note that when Hardware
Acceleration is enabled, some functions including bridge mode, Modbus policy, Dos defense, traffic
prioritization, statics monitoring and FTP packet forwarding will be disabled.
IPv4 Ethernet (Routing/NAT/Firewall)

Check/Uncheck Check it to improve throughput of IPv4 packet type except Unchecked
PPPoE and Tagged VLAN Packet.
PPPoE
Check/Uncheck Check it to improve throughput of IPv4 packet and PPPoE Unchecked
packet.
4-5
Tagged VLAN Packet

Check/Uncheck Check it to improve throughput of IPv4 packet and tagged Uncheck
VLAN packet.
Accessible IP
The EtherDevice Router uses an IP address-based filtering method to control access to EtherDevice Router
units.
Accessible IP Settings allows you to add or remove “Legal” remote host IP addresses to prevent
unauthorized access. Access to the EtherDevice Router is controlled by IP address. If a host’s IP address is
in the accessible IP table, then the host will have access to the EtherDevice Router. You can allow one of the
following cases by setting this parameter:
• Only one host with the specified IP address can access this device.
E.g., enter “192.168.1.1/255.255.255.255” to allow access to just the IP address 192.168.1.1.
• Any host on a specific subnetwork can access this device.
E.g., enter “192.168.1.0/255.255.255.0” to allow access to all IPs on the subnet defined by this IP
address/subnet mask combination.
• Any host can access the EtherDevice Router. (Disable this function by deselecting the Enable the
accessible IP list option.)
• Any LAN can access the EtherDevice Router. (Disable this function by deselecting the LAN option to not
allow any IP at the LAN site to access this device.)
E.g., If the LAN IP Address is set to 192.168.127.254/255.255.255.0, then IP addresses 192.168.127.1
/24 to 192.168.127.253/24 can access the EtherDevice Router.
The following table shows additional configuration examples:
Allowable Hosts Input Format

Ay host Disable
192.168.1.120 192.168.1.120 / 255.255.255.255
192.168.1.1 to 192.168.1.254 192.168.1.0 / 255.255.255.0
192.168.0.1 to 192.168.255.254 192.168.0.0 / 255.255.0.0
192.168.1.1 to 192.168.1.126 192.168.1.0 / 255.255.255.128
192.168.1.129 to 192.168.1.254 192.168.1.128 / 255.255.255.128
4-6
The Accessible IP list controls which devices can connect to the EtherDevice Router to change the
configuration of the device. In the example shown below, the Accessible IP list in the EtherDevice Router
contains 10.10.10.10, which is the IP address of the remote user’s PC.
The remote user’s IP address is shown below in the EtherDevice Router’s Accessible IP list.
Password
The EtherDevice Router provides two levels of access privilege: “admin privilege” gives read/write access to
all EtherDevice Router configuration parameters, and “user privilege” provides read access only. You will be
able to view the configuration, but will not be able to make modifications.
ATTENTION
By default, the Password field is blank. If a Password is already set, then you will be required to type the
Password when logging into the RS-232 console, Telnet console, or web browser interface.
Account
Admin “admin” privilege allows the user to modify all configurations. Admin
User “user” privilege only allows viewing device configurations.
4-7
Password
Old password Type current password when changing the password None
(max. 16 Characters)
New password Type new password when changing the password None
(max. 16 Characters)
Retype password If you type a new password in the Password field, you will be None
(max. 16 Characters) required to retype the password in the Retype new password
field before updating the new password.
Time
The Time configuration page lets users set the time, date, and other settings. An explanation of each
setting is given below.
The EtherDevice Router has a time calibration function based on information from an NTP server or user
specified Time and Date information. Functions such as Auto warning “Email” can add real-time information
to the message.
NOTE The EtherDevice Router has a real time clock so the user does not need to update the Current Time and
Current Date to set the initial time for the EtherDevice Router after each reboot. This is especially useful
when the network does not have an Internet connection for an NTP server, or there is no NTP server on
the network.
Current Time
User adjustable Time The time parameter allows configuration of the local time in None (hh:mm:ss)
local 24-hour format.
4-8
Current Date
User adjustable date. The date parameter allows configuration of the local date in None
yyyy/mm/dd format (yyyy/mm/dd)
Daylight Saving Time

Daylight Saving Time (also known as DST or summer time) involves advancing clocks 1 hour during the
summer to provide an extra hour of daylight in the evening.
Start Date
User adjustable date. The Start Date parameter allows users to enter the date that None
daylight saving time begins.
End Date
User adjustable date. The End Date parameter allows users to enter the date that None
daylight saving time begins.
Offset
User adjustable date. The offset parameter indicates how many hours forward the None
clock should be advanced.
System Up Time
Indicates the ED-G903’s up time from the last cold start. The unit is seconds.
Time Zone
User selectable time The time zone setting allows conversion from GMT GMT
zone (Greenwich Mean Time) to local time.
NOTE Changing the time zone will automatically correct the current time. You should configure the time zone
before setting the time.
Enable NTP/SNTP Server

Enable this function to configure the EtherDevice Router as a NTP/SNTP server on the network.
Enable Server synchronize

Enable this function to configure the EtherDevice Router as a NTP/SNTP client, It will synchronize the time
information with another NTP/SNTP server.
Time Server IP/Name

1st Time Server IP or Domain address (e.g., 192.168.1.1, None
IP/Name time.stdtime.gov.tw, or time.nist.gov).
2nd Time Server The EtherDevice Router will try to locate the 2nd NTP Server
IP/Name if the 1st NTP Server fails to connect.
4-9
SettingCheck
SettingCheck is a safety function for industrial users using a secure router. It provides a double
confirmation mechanism for when a remote user changes the security policies, such as Firewall filter,
NAT, and Accessible IP list. When a remote user changes these security polices, SettingCheck provides a
means of blocking the connection from the remote user to the Firewall/VPN device. The only way to correct
a wrong setting is to get help from the local operator, or go to the local site and connect to the device
through the console port, which could take quite a bit of time and money. Enabling the SettingCheck
function will execute these new policy changes temporarily until doubly confirmed by the user. If the user
does not click the confirm button, the EtherDevice Router will revert to the previous setting.
Firewall Policy
Enables or Disables the SettingCheck function when the Firewall policies change.
NAT Policy
Enables or Disables the SettingCheck function when the NAT policies change.
Accessible IP List
Enables or Disables the SettingCheck function when the Accessible IP List changes.
Layer 2 Filter
Enable or disable the SettingCheck function when the Layer 2 filter changes.
Timer
10 to 3600 sec. The timer waits this amount of time to double confirm when 180 (sec.)
the user changes the policies
For example, if the remote user (IP: 10.10.10.10) connects to the EtherDevice Router and changes the
accessible IP address to 10.10.10.12, or deselects the Enable checkbox accidently after the remote user
clicks the Activate button, connection to the EtherDevice Router will be lost because the IP address is not in
the EtherDevice Router’s Accessible IP list.
If the user enables the SettingCheck function with the Accessible IP list and the confirmer Timer is set to 15
seconds, then when the user clicks the Activate button on the accessible IP list page, the EtherDevice
Router will execute the configuration change and the web browser will try to jump to the SettingCheck
Confirmed page automatically. Because the new IP list does not include the Remote user’s IP address, the
remote user cannot connect to the SettingCheck Confirmed page. After 15 seconds, the EtherDevice Router
will roll back to the original Accessible IP List setting, allowing the remote user to reconnect to the
EtherDevice Router and check what’s wrong with the previous setting.
4-10
If the new configuration does not block the connection from the remote user to the EtherDevice Router, the
user will see the SettingCheck Confirmed page, shown in the following figure. Click Confirm to save the
configuration updates.
Relay Event Setup

The Industrial Secure Router supports digital input (DI) and digital output (Relay) in the top panel. In Relay
Event Setup, users can configure which event will trigger the relay. The Industrial Secure Router supports
three kinds of events which can trigger the relay, including Power 1/2 input failure, digital input, or at least
one of the interfaces has a change of status.
4-11
System Events
Override Relay Warning Settings

Check/Uncheck Check it to disable relay even when events occur. In this Unchecked
situation, events will still show in the Event Log
Power Input 1 failure (On->Off)

Enable/Disable Enable it to trigger relay if power input 1 status changes from Disabled
on to off
Power Input 2 failure (On->Off)

Enable/Disable Enable it to trigger relay if power input 2 status changes from Disabled
on to off
DI (Off)
Enable/Disable Enable it to trigger relay if there is no digital input Disabled
DI (On)
Enable/Disable Enable it to trigger relay if there is digital input Disabled
Port Events
Link
Ignore/On/Off Choose which status will trigger relay, On or Off. Or just Ignore
choose Ignore to stop interface events triggering relay
Warning
System Event Setting

To monitor device events easily and in real time, users can receive event notifications through syslog and
Email. If users do not enable sending the alerts through syslog/email, the default setting will be for these
events to show in the Event Log Table. Users can decide which events they want to monitor. If users want
to send an SNMP trap for these events, please refer to chapter SNMP.
4-12

Warm Start Moxa’s Industrial Secure Router has rebooted, e.g. when network
parameters change (IP address, subnet mask, etc.).
Power Transition (On->Off) Moxa’s Industrial Secure Router is powered down.
Power Transition (Off->On) Moxa’s Industrial Secure Router is powered up.
Port Events Description

Link-On The Port is connected to another device.
Link-Off The port is disconnected (e.g., the cable is pulled out, or the opposing
device shuts down).
System File Update—by Remote TFTP

The EtherDevice Router supports saving your configuration file to a remote TFTP server or local host to
allow other EtherDevice Router routers to use the same configuration at a later time, or saving the Log file
for future reference. Loading pre-saved firmware or a configuration file from the TFTP server or local host is
also supported to make it easier to upgrade or configure the EtherDevice Router.
TFTP Server IP/Name

IP Address of TFTP The IP or name of the remote TFTP server. Must be None
Server configured before downloading or uploading files.

Max. 40 Characters The path and filename of the EtherDevice Router’s None
configuration file in the TFTP server.
Firmware File Path and Name

Max. 40 Characters The path and filename of the EtherDevice Router’s firmware None
file
Log File Path and Name

Max. 40 Characters The path and filename of the EtherDevice Router’s log file None
4-13
After setting up the desired path and filename, click Activate to save the setting. Next, click Download to
download the file from the remote TFTP server, or click Upload to upload a file to the remote TFTP server.
System File Update—by Local Import/Export
Configuration File
Click Export to export the configuration file of the EtherDevice Router to the local host.
Log File
Click Export to export the Log file of the EtherDevice Router to the local host.
NOTE Some operating systems will open the configuration file and log file directly in the web page. In such
cases, right click the Export button and then save as a file.
Upgrade Firmware
To import a firmware file into the EtherDevice Router, click Browse to select a firmware file already saved
on your computer. The upgrade procedure will proceed automatically after clicking Import. This upgrade
procedure will take a couple of minutes to complete, including the boot-up time.
Upload Configuration Data

To import a configuration file to the EtherDevice Router, click Browse to select a configuration file already
saved on your computer. The upgrade procedure will proceed automatically after clicking Import.
Backup Media
On large networks, administrators need to configure many network devices in order for the whole system to
operate smoothly. This is a time-consuming process and errors frequently occur. By using Moxa’s Automatic
Backup Configurator (ABC-01), it is easy for administrators to duplicate system configuration across many
systems in a short period of time.
Administrators only need to set-up the configurations in a system, e.g. firewall rule, certificate, and export
configuration file in the ABC-01. And then the administrator can plug the ABC-01 into RS-232 console port
of the remaining systems, and the remaining systems will sync with the same configuration file. For
accessory ABC-01 details, please visit
https://www.moxa.com/product/Automatic_Backup_Configurator_ABC-01.htm
4-14
Moxa’s Automatic Backup Configurator (ABC-01)
Auto load ABC’s system configurations when system boots up

Checked Allows system to load configuration file from ABC-01 Checked
automatically when booting up
Unchecked System will not load configuration file from ABC-01
automatically when booting up
Save the current configurations to ABC-01

Save By pressing Save backups the system configuration files to N/A
the ABC-01
Load the ABC’s configuration to Switch

Load Allows system to import configurations from ABC-01 N/A
Restart
This function is used to restart the EtherDevice Router.
4-15
Reset to Factory Default
The Reset to Factory Default option gives users a quick way of restoring the EtherDevice Router’s
configuration settings to their factory default values. This function is available in the console utility (serial or
Telnet), and web browser interface.
NOTE After activating the Factory Default function, you will need to use the default network settings to re-
establish a web-browser or Telnet connection with your EtherDevice Router.
Network Settings
Mode Configuration
Network Mode
EtherDevice Router provides Router Mode and Bridge Mode operation for different applications:
Router Mode
In this mode, EtherDevice Router operates as a gateway between different networks.

• Each interface (WAN1, WAN2 and LAN) has its own IP addresses & different subnet
• It provides Routing, Firewall, VPN and NAT functions
• Default setting of EtherDevice Router
Bridge Mode
In this mode, EtherDevice Router operates as a Bridge mode firewall (or call transparent firewall) in a single
subnet. Users could simply insert EtherDevice Router into the existing single subnet without the need to
reconfigure the original subnet into different subnets and without the need to reconfigure the IP address of
existing devices.
• EtherDevice Router only has one IP address, Network mask and Gateway.
4-16
• VPN, NAT, WAN backup, VRRP, DHCP, Dynamic DNS are not supported in this mode
User could select the appropriate operation mode and press Activate to change the mode of EtherDevice
Router. Change operation mode would take around 30-60 seconds to reboot system!!! If the webpage is no
response after 30-60 seconds, please refresh webpage or press F5.
Link Fault Passthrough

In a big network system, when a port link down or cable drops, this port cannot work normally. However, it
takes time to update this information to other Ethernet devices and update the routing table. In this case, it
will take a long time for the system to recover, which is unacceptable on industrial networks.
To improve the recovery time, the EDR-G902/ G903 supports a function called Link Fault Passthrough. By
enabling this function, users can set up which two ports are linked together. When one port is link down,
EDR-G902/ G903 will change the status of the other port as link down as well by software. And then the
routing table can be updated quicker.
Using the network topology on the figure below as an example, these switches and the EDR-902 form a
Turbo ring coupling. In normal situations, the packet goes through the primary path. But when WAN1 is link
down, the WAN2 will be set as link fail as well by software. And then the routing table can be updated
quicker.
For the EDR-G902 device the configuration setting is explained below:
4-17
Enable
Check/ Uncheck Check to enable Link Fault Passthrough function Check
Port
WAN Select a port which user will monitor link status WAN
Port
LAN Select a port which user will monitor link status LAN
For the EDR-G903 device the configuration setting is explained as below:
Link Fault Passthrough Setting

Check/ Uncheck Check to enable Link Fault Passthrough function Uncheck
Port
WAN1 Select a port which user will monitor link status WAN1
WAN2
LAN
Port
WAN1 Select a port which user will monitor link status WAN1
WAN2
LAN
MTU Configuration (for EDR-810/G902/G903)

MTU stands for Maximum Transmission Unit, which is the maximum packet size (Byte) that packets can
pass through Ethernet ports. Normally, the maximum packet size is 1500 bytes for Ethernet devices, e.g.
router, or a switch. Default MTU in the Industrial Secure Router is 1500.
However, for some special industrial equipment, MTU 1500 byte is not acceptable. In this case, users can
set a small MTU to fit this scenario. Users can configure MTU for each interface of the Industrial Secure
Router. If MTU is set as 1430 bytes, when the inbound or outbound packet size over 1430, the Industrial
Secure Router will drop this packet.
Users can set MTU for WAN1, WAN2, Bridge port, or LAN port in the Industrial Secure Router. For PRP
packet (Parallel Redundancy Protocol), the Industrial Secure Router supports a function called PRP Traffic.
PRP packet format is different with Ethernet packets. PRP packet contains a PRP trailer, which will be cut by
kernel. Via enabling PRP Traffic, PRP packet will keep completed and be able to be routed by the Industrial
Secure Router, and the MTU will be set as 1506 by default.
4-18
But for the PRP Traffic function, PRP Traffic function only works in G902/G903 in Bridge Mode and EDR-
810 Bride port (BRG_LAN).
For the G902/903 devices, the configuration settings are explained below:
WAN1
MTU Set Maximum Transmission Unit for WAN1 interface 1500
WAN2
LAN
For the EDR-810, the configuration setting are explained below:
WAN
MTU Set Maximum Transmission Unit for WAN interface 1500
LAN
MTU Set Maximum Transmission Unit for LAN interface 1500
BRG_LAN
MTU Set Maximum Transmission Unit for BRG_LAN interface 1500
PRP Traffic
Check/ Uncheck Check to keep PRP Trail header Uncheck
4-19
Speed Configuration
In the condition, some old generation devices do not support auto-negotiation, meaning users have to set
the port speed manually. Users can set the same port speed on both the Industrial Secure Router and
devices of the previous generation. Via this way, users can avoid packet loss or packet collision issues when
the port speed is not the same.
WAN1 Configuration
Connection
Note that there are three different connection types for the WAN1 interface: Dynamic IP, Static IP, and
PPPoE. A detailed explanation of the configuration settings for each type is given below.
Connection Mode
Enable or Disable Enable or Disable the WAN interface Enable
Connection Type
Static IP, Dynamic IP, Setup the connection type Dynamic IP
PPPoE
4-20
PPTP Dialup
PPTP Connection
IP Address
User Name
Password
MPPE Encryption
None/Encrypt Enable or disable the MPPE encryption None
Example: Suppose a remote user (IP: 10.10.10.10) wants to connect to the internal server (private IP:
30.30.30.10) via the PPTP protocol. The IP address for the PPTP server is 20.20.20.1. The necessary
configuration settings are shown in the following figure.
Server 1/2/3
IP Address The DNS IP address None
NOTE The priority of a manually configured DNS will higher than the DNS from the PPPoE or DHCP server.
4-21
Address Information
IP Address
Subnet Mask
Gateway
PPPoE Dialup
User Name
4-22
Host Name
Max. 30 characters User-defined Host Name of this PPPoE server None
Password
Max. 30 characters The login password for the PPPoE server None
WAN2 Configuration (includes DMZ Enable)
Connection
Note that there are there are three different connection types for the WAN2 interface: Dynamic IP, Static IP,
and PPPoE. A detailed explanation of the configuration settings for each type is given below.
Connection Mode
Enable or Disable Enable or Disable the WAN interface. None
Backup Enable WAN Backup mode
DMZ Enable DMZ mode (can only be enabled when the connection
type is set to Static IP)
Connection Type
Static IP, Dynamic IP, Configure the connection type Dynamic IP
PPPoE
PPTP Dialup
4-23
PPTP Connection
IP Address
User name
Password
Example: Suppose a remote user (IP: 10.10.10.10) wants to connect to the internal server (private IP:
30.30.30.10) via the PPTP protocol. The IP address for the PPTP server is 20.20.20.1. The necessary
configuration settings are shown in the following figure.
Server 1/2/3
IP Address The DNS IP Address None
NOTE The priority of a manually configured DNS will higher than the DNS from the PPPoE or DHCP server.
4-24
Address Information
IP Address
Subnet Mask
Gateway
PPPoE Dialup
User Name
4-25
Host Name
Max. 30 characters User-defined host name for this PPPoE server None
Password
Max. 30 characters The login password for this PPPoE server None
Using DMZ Mode

A DMZ (demilitarized zone) is an isolated network for devices—such as data, FTP, web, and mail servers
connected to a LAN network—that need to frequently connect with external networks. The deployment of an
FTP server in a DMZ is illustrated in the following figure.
DMZ mode is configured on the WAN2 configuration web page. Set Connect Mode to Enable, Connect
Type to Static IP, and checkmark the DMZ Enable check box. You will also need to input the IP Address and
Subnet Mask. Click the Activate button to save the settings.
NOTE WAN2 configuration and DMZ mode are only available on EDR-G903
4-26
LAN Interface
A basic application of an industrial Firewall/VPN device is to provide protection when the device is connected
to a LAN. In this regard, the LAN port connects to a secure (or trusted) area of the network, whereas the
WAN1 and WAN2/DMZ ports connect to an insecure (or untrusted) area.
LAN IP Configuration
IP Address
IP Address The LAN interface IP address 192.168.127.254
Subnet Mask
Subnet Mask Network Mask of LAN IP 255.255.255.0
802.1Q VLAN Setting
Create a VLAN Interface
Input a name of the LAN interface, select a VLAN ID that is already configured in VLAN Setting under the
Layer 2 Function, and assign an IP address/Subnet Mask for the interface. Checkmark the Enable checkbox
to enable this interface.
Delete a LAN Interface
Select the item in the LAN Interface List, and then click Delete to delete the item.
Modify a LAN Interface
Select the item in the LAN Interface List. Modify the attributes and then click Modify to change the
configuration.
4-27
Activate the LAN Interface List
After adding/deleting/modifying any LAN interface, be sure to click Activate.
NOTE You can create up to 5 interfaces in WAN1/WAN2/WAN/LAN interface separately.
Communication Redundancy
Moxa industrial secure router provides a communications redundancy function: WAN backup (EDR-G903
only). The industrial secure router has two WAN interfaces: WAN1 is the primary WAN interface and WAN2
is the backup interface. When the industrial secure router detects that connection WAN1 has failed (Link
down or Ping fails), it will switch the communication path from WAN1 to WAN2 automatically. When WAN1
recovers, the major communication path will return to WAN1.
WAN Backup (EDR-G903 only)
How Dual WAN Backup Works
A power utility at a field site connects to a central office via two different ISPs (Internet Service Providers).
ISP-A uses Ethernet and ISP-B uses satellite for data transmission, with Ethernet used as the major
connection and the satellite as the backup connection. This makes sense since the cost of transmitting
through the satellite is greater than the cost of transmitting over the Ethernet. Traditional solutions would
use two routers to connect to the different ISPs. In this case, if the connection to the primary ISP fails, the
connection must be switched to the backup ISP manually.
The EtherDevice Router’s WAN backup function checks the link status and the connection integrity between
the EtherDevice Router and the ISP or central office. When the primary WAN interface fails, it will switch to
the backup WAN automatically to keep the connection alive.
When configuring the EtherDevice Router, choose one of the two following conditions to activate the backup
path:
• Link Check: WAN1 link down

• Ping Check: Sends ping commands to a specific IP address (e.g., the IP address of the ISP’s server)
from WAN1 based on user configurable Time Interval, Retry, and Timeout.
When the WAN backup function is enabled and the Link Check or Ping Check for the WAN1 interface fails,
the backup interface (WAN2) will be enabled as the primary interface.
4-28
WAN Backup Configuration
Select Backup for the WAN2/DMZ Connect Mode, and then go to the Network Redundancy  WAN
Backup setting page for the WAN Backup configuration.
Link Check
Enable or Disable Activate Backup function by checking the link status of WAN1 Disabled
Ping Check
Enable or Disable Activates the Backup function if unable to ping from the Disabled
EtherDevice Router to a specified IP address.
IP
IP address The EtherDevice Router will check the ping integrity of this IP None
Address if the Ping Check function is Enabled
NOTE The IP address for Ping Check function should be on the network segment of WAN1.
Interval
1 to 1000 sec User can set up a different Ping Interval for a different 180 sec.
network topology
Retry
1 to 100 User can configure the number of retries. If the number of 3
continuous retries exceeds this number, the EtherDevice
Router will activate the backup path.
Timeout
100 to 10000 (ms) The timeout criterion of Ping Check 3000 ms
4-29
Security
User Interface Management
Enable Ping Response (WAN)

Select/Deselect In the condition that the WAN connection is built, when the Deselect
WAN port is pinged, WAN will send a response.
Maximum Login Users For HTTP+HTTTPS
Limit the amount of users who can access the industrial secure router using HTTP and HTTPS. The
maximum number of users currently supported is 10.
Maximum Login Users For Telnet+SSH
Limit the amount of users who can access the industrial secure router using Telnet or SSH. The maximum
number of users currently supported is 5.
Auto Logout Setting (min)
When a user is not active on the industrial secure router management interface for some time, the
management interface will automatically logout. The default setting for the industrial secure router is 5
minutes.
NOTE To ping the WAN port successfully, please make sure “Ping Response (WAN)” is checked, and the ping
sender IP is in the “Trusted Access” list or “Accept all connection from LAN port” in Trusted Access is
checked.
4-30
Authentication Certificate
Authentication certificate refers to certificates for HTTPS. The web console certificate can be generated by
the EDR-810 automatically or users can choose to import the certificate in Local certificate.
Certificate Database
Auto Generate
The industrial secure router generates certificates automatically. If this does not happen, please select “Re-
Generate” to generate a new certificate. Auto Generate is the default setting.
Local Certificate Database
Select a certificate that has been imported into Local Certificate. Certificates that are loaded here are limited
to “Certificate from CSR” and “Certificate from PKCS#12”.
RADIUS Settings
Across the network, users can set up two RADIUS servers. One is the primary and the other one is the
backup. When the primary RADIUS server fails, the industrial secure router will switch connections to the
backup RADIUS server.
Radius StaFunction Nametus

Enable/Disable Enable to use the same setting as Disable
Auth Server
Type
PAP Authentication type of Radius server PAP
CHAP
4-31
Primary/ Backup Server Setting

RADIUS Server Specifies the IP/name of the server None
RADIUS Port Specifies the port of the server 1812
RADIUS Secret Specifies the shared key of the server None
Traffic Prioritization Setup

With QoS technology, users can easily reserve bandwidth for traffic with high priority, to fulfill different
applications, e.g. VOIP or MPEG. In the EDR-G902/ G903, there are four priorities, priority 0 to priority 4.
Priority 0 to priority 4 are suitable for Unsolicited Granted service, real-time service, non-real time service,
and best-effort service accordingly.
Priority 0 is the highest priority, which is used for Unsolicited Granted service, e.g. VOIP. Priority 4 is the
lowest priority, which is used for best effort protocol, e.g. email, web access.
Users can set up minimum and maximum bandwidth for each priority. And when there is packet flow which
does not meet any rules, the user can set up the default priority for this kind of packet flow.
Enable
Check/ Uncheck Enable QoS setting for traffic from WAN to LAN/ LAN to WAN Unchecked
Max. Bandwidth
Max. Bandwidth Maximum total bandwidth for priority 0 to 3 of traffic from 100
(Kbyte/s) WAN to LAN/ LAN to WAN
4-32
Default Priority
Priority0/ Priority1/ Default priority for packet flow which does not meet any rules Priority3
Priority2/ Priority3/
Priority0
Min. bandwidth Minimum bandwidth for each priority. User can set up sixty- 10
four rules to classify packets. Take priority 0 as an example,
packet flows classified as priority 3 will share this minimum
bandwidth.
Max. bandwidth Maximum bandwidth for each priority. Maximum bandwidth 10
has to be greater than the minimum bandwidth.
Priority1
Min. bandwidth Minimum bandwidth for each priority. Users can set up sixty- 20
bandwidth.
has to be greater than minimum bandwidth.
Priority2
bandwidth.
Priority3
bandwidth.
Outgoing Policy Setup (LAN to WAN)
Users can set up rules to classify packet flow from LAN to WAN. Users can enter up to 64 rules. Users
should click New/Insert to add a new rule, click Move to change the index of rule, click Modify to change
rule setting, and click Delete to cancel rule.
4-33
Enable
Check/ Uncheck Enable rules to classify packets flow. Unchecked
Protocol
All/ TCP/ UDP/ ICMP Select which protocol is with high priority All
Service
By IP/ By MAC Prioritize specific packet source/destination with IP or MAC By IP
Priority
Priority 0/1/2/3 Define priority of each rule. 0 is the highest priority Priority 0
Source IP
All/ Single/Range Define packet from which source IP is with high priority All
Source Port
All/ Single/Range Define TCP/UDP packet from which source port is with high All
priority
Destination IP
All/ Single/Range Define packet to which destination IP is with high priority All
Destination Port
All/ Single/Range Define TCP/ UDP packet to which destination IP is with high All
priority
NOTE If rules are not enabled, the default packet flow will be ’All’.
4-34
Incoming Policy Setup (WAN to LAN)
Users can set up rules to classify packet flow from WAN to LAN. Users can enter up to 64 rules. User should
click New/Insert to add new rule, click Move to changes index of rule, click Modify to change rule setting,
and click Delete to cancel the rule.
Enable
Check/Uncheck Enable LAN to WAN traffic prioritize Unchecked
Protocol
All/ TCP/ UDP/ICMP Select which protocol has the highest priority All
Service
By IP/By MAC Prioritize specific packet source/destination with IP or MAC By IP
Priority
Priority 0/1/2/3 Define priority of each rule. 0 is the highest priority Priority 0
Source IP
All/ Single/Range Define packet from which source IP has the highest priority All
Source Port
All/ Single/Range Define TCP/UDP packet from which source port is with high All
priority
Destination IP
All/ Single/Range Define packet to which destination IP is with high priority All
Destination Port
All/ Single/Range Define TCP/ UDP packet to which destination IP is with high All
priority
4-35
NOTE If rules are not enabled, the default packet flow will be ’All’.
Monitor
You can monitor statistics in real time from the EtherDevice Router’s web console.
System Log
The industrial secure router provides EventLog and Syslog functions to record important events.
EventLog
Field Description
Bootup This field shows how many times the device has been rebooted or cold started.
Date The date is updated based on how the current date is set in the “Basic Setting”
page.
Time The time is updated based on how the current time is set in the “Basic Setting”
page.
System Startup Time The system startup time related to this event.
Event Events that have occurred.
The following events will be recorded in the EtherDevice Router EventLog Table:
Event Status
Syslog Configuration change activated
DNS Configuration change activated
Static Route Configuration change activated
SYSTEMINFO Configuration change activated
SNMPTRAP Configuration change activated
Filter Configuration change activated
NAT Configuration change activated
DoS Configuration change activated
QoS_Bandwith Configuration change activated
QoS_DownStream Configuration change activated
QoS_UpStream Configuration change activated
DHCP Configuration Change activated/ Enable / Disable
4-36
NTP Configuration Change activated/ Enable / Disable

SNMP Configuration Change activated/ Enable / Disable
DDNS Configuration Change activated/ Enable / Disable
WAN Backup Configuration change activated
LAN Link on / Link off / IP change
WAN2 Link on / Link off / IP change
WAN1 Link on / Link off / IP change
Password Configuration change activated
Login Authentication Fail / Authentication Pass
Accessible IP function Enable / Disable
Power transition (On -> Off)
Power transition (Off -> On)
DI transition (Off -> On)
DI transition (On -> Off)
Cold start
Factory default Warm start
System restart Warm start
Firmware Upgrade Warm start
Configuration Upgrade Warm start
NOTE The maximum number of event entries is 1000.
Syslog
This function provides the event logs for the syslog server. The function supports 3 configurable syslog
servers and syslog server UDP port numbers. When an event occurs, the event will be sent as a syslog UDP
packet to the specified syslog servers.
Syslog Server 1/2/3

IP Address Enter the IP address of the Syslog Server used by your None
network.
Port Destination Enter the UDP port of the Syslog Server. 514
(1 to 65535)
4-37
5
5. Routing
 Unicast Route
 Static Routing
 RIP (Routing Information Protocol)
 Dynamic Routing with Open Shortest Path First (OSPF)
 Routing Table
 Multicast Route
 Static Multicast
 Distance Vector Multicast Routing Protocol (DVMRP)
 Protocol Independent Multicast Sparse Mode (PIM-SM)
 Broadcast Forwarding (EDR-810 only)
 VRRP Setting
Industrial Secure Router Routing
Unicast Route
The Industrial Secure Router supports two routing methods: static routing and dynamic routing. Dynamic
routing makes use of RIP V1/V1c/V2. You can either choose one routing method, or combine the two
methods to establish your routing table. A routing entry includes the following items: the destination
address, the next hop address (which is the next router along the path to the destination address), and a
metric that represents the cost we have to pay to access a different network.
Static Route
You can define the routes yourself by specifying what is the next hop (or router) that the Industrial Secure
Router forwards data for a specific subnet. The settings of the Static Route will be added to the routing table
and stored in the Industrial Secure Router.
RIP (Routing Information Protocol)

RIP is a distance vector-based routing protocol that can be used to automatically build up a routing table in
the Industrial Secure Router.
The Industrial Secure Router can efficiently update and maintain the routing table, and optimize the routing
by identifying the smallest metric and most matched mask prefix.
Static Routing
The Static Routing page is used to configure the Industrial Secure Router’s static routing table.
Enable
Click the checkbox to enable Static Routing.
Name
The name of this Static Router list
Destination Address
You can specify the destination IP address.
Netmask
This option is used to specify the subnet mask for this IP address.
Next Hop
This option is used to specify the next router along the path to the destination.
Metric
Use this option to specify a “cost” for accessing the neighboring network.
5-2
Clickable Buttons
Add
For adding an entry to the Static Routing Table.
Delete
For removing selected entries from the Static Routing Table.
Modify
For modifying the content of a selected entry in the Static Routing Table.
NOTE The entries in the Static Routing Table will not be added to the Industrial Secure Router’s routing table
until you click the Activate button.
RIP (Routing Information Protocol)

RIP is a distance-vector routing protocol that employs the hop count as a routing metric. RIP prevents
routing from looping by implementing a limit on the number of hops allowed in a path from the source to a
destination.
The RIP Setting page is used to set up the RIP parameters.
RIP State
Enable/Disable Enable or Disable RIP protocol Disable
RIP Version
V1/V2 Select RIP protocol version. V2
RIP Distribution
Static Check the checkbox to enable the Redistributed Static Route Unchecked
function. The entries that are set in a static route will be re-
distributed if this option is enabled.
5-3
RIP Enable Interface

WAN Check the checkbox to enable RIP in the WAN interface.
Unchecked
LAN Check the checkbox to enable RIP in the LAN interface.
RIP Interface Table (EDR-810 series only)

Enable/Disable Check the checkbox to enable RIP for each interface. Unchecked
Dynamic Routing with Open Shortest Path First (OSPF)

Open Shortest Path First (OSPF) is a dynamic routing protocol for use on Internet Protocol (IP) networks.
Specifically, it is a link-state routing protocol, and falls into the group of interior gateway protocols,
operating within a single autonomous system. As a link-state routing protocol, OSPF establishes and
maintains neighbor
relationships in order to exchange routing updates with other routers. The neighbor relationship table is
called an adjacency database in OSPF. OSPF forms neighbor relationships only with the routers directly
connected to it. In order to form a neighbor relationship between two routers, the interfaces used to form
the relationship must be in the same area. An interface can only belong to a single area. With OSPF
enabled, Industrial Secure router is able to exchange routing information with other L3 switches or routers
more efficiently in a large system.
OSPF Global Settings
Industrial Secure router has an OSPF router ID, customarily written in the dotted decimal format (e.g.,
1.2.3.4) of an IP address. This ID must be established for every OSPF instance. If not explicitly configured,
the default ID (0.0.0.0) will be regarded as the router ID. Since the router ID is an IP address, it does not
need to be a part of any routable subnet on the network.
Enable OSPF
Enable/Disable This option is used to enable or disable the OSPF function Disable
globally.
Current Router ID
Current Router ID Shows the current ID of the Industrial Secure Router. 0.0.0.0
Router ID
Router ID Sets each Industrial Secure Router’s Router ID. 0.0.0.0
5-4
Redistributed
Connected Entries learned from the directly connected interfaces will be Checked
re-distributed if this option is enabled. (Enable)
Static Entries set in a static route will be re-distributed if this option Unchecked
is enabled. (disable)
RIP Entries learned from the RIP will be re-distributed if this Unchecked
option is enabled. (disable)
OSPF Area Settings
An OSPF domain is divided into areas that are labeled with 32-bit area identifiers, commonly written in the
dot-decimal notation of an IPv4 address. Areas are used to divide a large network into smaller network
areas.
They are logical groupings of hosts and networks, including the routers connected to a particular area. Each
area maintains a separate link state database whose information may be summarized towards the rest of
the network by the connecting router. Thus, the topology of an area is unknown outside of the area. This
reduces
the amount of routing traffic between parts of an autonomous system.
Area ID
Area ID Defines the areas that this Industrial Secure Router connects 0.0.0.0
to.
Area Type
Normal/Stub/NSSA Defines the area type. Normal
Metric
Metric Defines the metric value. N/A
OSPF Interface Setting
Before using OSPF, you need to assign an interface for each area. Detailed information related to the
interface is defined in this section.
5-5
Interface Name
Interface Name Defines the interface name. N/A
Area ID
Area ID Defines the Area ID. N/A
Router Priority
Router Priority Defines Industrial Secure Router’s priority. 1
Hello Interval (sec)

Hello Interval Hello packets are packets that an OSPF process sends to its 10
OSPF neighbors to maintain connectivity with those
neighbors.
The hello packets are sent at a configurable interval (in
seconds). The value of all hello intervals must be the same
within a network.
Dead Interval (sec)

Dead Interval The dead interval is also a configurable interval (in seconds), 40
and defaults to four times the value of the hello interval.
Auth Type
None/Simple/MD5 OSPF authentication provides the flexibility of authenticating None
OSPF neighbors. Users can enable authentication to exchange
routing update information in a secure manner. OSPF
authentication can either be none, simple, or MD5. However,
authentication does not need to be configured. If it is
configured, all Industrial Secure Router on the same segment
must have the same password and authentication method.
Auth Key
Auth Key • pure-text password if Auth Type = Simple N/A
• encrypted password if Auth Type = MD5
MD5 Key ID
MD5 Key ID MD5 authentication provides higher security than plain text 1
authentication. This method uses the MD5 to calculate a hash
value from the contents of the OSPF packet and the
5-6
authentication key. This hash value is transmitted in the

packet, along with a key ID.
Metric
Metric Manually set Metric/Cost of OSPF. 1
OSPF Virtual Link Settings
All areas in an OSPF autonomous system must be physically connected to the backbone area (Area 0.0.0.0).
However, this is impossible in some cases. For those cases, users can create a virtual link to connect to the
backbone through a non-backbone area and also use virtual links to connect two parts of a partitioned
backbone through a non-backbone area.
Transit Area ID
Transit Area ID Defines the areas that this Industrial Secure Router connect N/A
to.
Neighbor Router ID
Neighbor Router ID Defines the neighbor Industrial Secure Router’s ID. 0.0.0.0
OSPF Area Aggregation Settings
Each OSPF area, which consists of a set of interconnected subnets and traffic, is handled by routers
attached to two or more areas, known as Area Border Routers (ABRs). With the OSPF aggregation function,
users can combine groups of routes with common addresses into a single routing table entry. The function is
used to
reduce the size of routing tables.
5-7
Area ID
Area ID Select the Area ID that you want to configure. 0.0.0.0
Destination Network
Destination Network Fill in the network address in the area. 0.0.0.0
Subnet Mask
4(240.0.0.0) to Select the network mask. 0.0.0.0
30(255.255.255.252)
OSPF Neighbor Table
This is a table showing the current OSPF Neighbor table.
OSPF LSA Table
This is a table showing the current OSPF LSA information.
Routing Table
The Routing Table page shows all routing entries.
All Routing Entry List

All Show all routing entries N/A
Connected Show connected routing entries N/A
Static Show Static routing entries N/A
RIP Show RIP routing entries N/A
Others Show others routing entries N/A
5-8
Multicast Route
The industrial secure router supports three multicast routing protocols: Static Multicast Route, Distance
Vector Multicast Routing Protocol (DVMRP), and Protocol Independent Multicast Sparse Mode (PIM-SM).
Global setting
Only one multicast routing protocol can be enabled in one industrial secure router. Static Multicast Route,
DVMRP and PIM-SM cannot be enabled simultaneously. Please select the multicast protocol that suits your
application best.

Check/Uncheck Disable multicast routing mode or Disable
select which multicast routing
protocol is used (Static multicast
route/ DVMRP/PIM-SM)
Static Multicast
Distance Vector Multicast Routing Protocol (DVMRP)

Distance Vector Multicast Routing Protocol (DVMRP) is used to build multicast delivery trees on a network.
When a Layer 3 switch receives a multicast packet, DVMRP provides a routing table for the relevant
multicast group, and includes distance information on the number of devices between the router and the
packet destination. The multicast packet will then be forwarded through the Layer 3 switch interface
specified in the multicast routing table.
5-9
Setting
Users can select which interface or VLAN can transmit multicast data stream.
Enable (individual)
Enable/Disable Enable or disable corresponding VLAN to transmit multicast Uncheck
data stream
DVMRP Routing Table
The DVMRP Routing table page shows all routing entries. The “Expire Time” column specifies the routing
information regarding the expiration period. If the industrial secure router does not receive this routing
information update before the expiration period, the routing information will be canceled.
DVMRP Neighbors Table
This table shows the current DVMRP Neighbor table. The “Hold Time” column specifies the time period for
which a neighbor considers the sending router to be operating.
Protocol Independent Multicast Sparse Mode (PIM-SM)

Protocol Independent Multicast (PIM) is a method of forwarding traffic to multicast groups over the network
using any pre-existing unicast routing protocol, such as RIP or OSPF, set on routers within a multicast
network.
In protocol Independent Multicast Sparse Mode (PIM-SM), the multicast source will not flood multicast
packets to all routers. The source will send multicast packets when the source receives a joint message.
5-10
Receivers send a joint message to the Rendezvous Point (RP) and select which group to join. The source
subscribes information in the RP. And then the RP can forward a joint message to the source or forward
multicast information to receivers.
PIM-SM builds a shared tree to distribute multicast packets. There will be one RP for each group. By
following the Shortest Path Tree (SPT), the source sends multicast packets to the RP and then the RP sends
multicast packets to receivers.
Protocol Independent Multicast Source-Specific Multicast (PIM-SSM) builds trees that are rooted in just one
source, which offers a more secure and scalable model for a limited number of applications.
Shortest Path Tree Switchover Method

Never/Immediate Define how Shortest Path Tree switches over Never
Enable (individual)
Enable/Disable Enable or disable PIM-SM by the selected interface Disable
NOTE Only one multicast routing protocol can be enabled on one Moxa Layer 3 switch. DVMRP, PIM-DM, and PIM-
SM can NOT be enabled simultaneously.
This page is used to set up the PIM-SM RP settings for Moxa Layer 3 switches. There are two RP Election
Methods: Bootstrap and Static.
Bootstrap
Candidate BSR Priority

0 to 255 Define the priority of BSR election 0
5-11
Candidate BSR Hash Mask Length

4 to 32 Define the Hash mask length of BSR election 4
Candidate RP Priority
0 to 255 Define the priority of RP election 255
Group Address
Group Address Define the group address N/A
Group Address Mask

4(240.0.0.0) to Select the group address mask. N/A
32(255.255.255.255)
Static
Group Address
Group Address Mask

32(255.255.255.255)
RP Address
RP Address Define the RP address N/A
PIM-SM SSM Setting
This page is used to set up the PIM-SM SSM settings for Moxa Layer 3 switches.
5-12
Enable PIM-SSM
Enable/Disable Enable or disable PIM-SSM Disable
Group Address
Group Address Mask

32(255.255.255.255)
PIM-SM RP Set Table
This is a table showing the current PIM-SM RP-Set table.
This is a table showing the current PIM-SM Neighbor table.
This is a table showing the current PIM-SM multicast routing table.
This is a table showing the current Multicast Forwarding table.
5-13
Broadcast Forwarding (EDR-810 only)

In some scenarios, users have to issue broadcast packets to query all the devices in the network for data
collecting, such as Modbus devices. However, normally, broadcast packets cannot pass through the router.
With the EDR-810, users can configure which interface and UDP port numbers that broadcast packet will
pass through. Users can set up multiple rules by click Add. When configuration is done, click Apply.
Enable
Check/Uncheck Permit broadcast packet to pass through the ERD-810 Unchecked
Inbound Interface
WAN/LAN Which interface broadcast packet will come from N/A
Outbound Interface
WAN/LAN Which interface broadcast packet will pass through N/A
UDP Port
UDP Port Number Service port number. User can enter multiple port numbers. N/A
VRRP Setting
Virtual Router Redundancy Protocol (VRRP) can solve the problem with static configuration. VRRP enables a
group of routers to form a single virtual router with a virtual IP address. The LAN clients can then be
configured with the virtual router’s virtual IP address as their default gateway. The virtual router is the
combination of a group of routers, and is also known as a VRRP group.
5-14
Global Setting
Enable
Enable Enables all VRRP interface Disable
VRRP Setting
VRRP Interface Setting Entry

Enable Enables VRRP Uncheck
Interface Select the interface where you want to enable VRRP, LAN or LAN
WAN interface.
Virtual IP (VIP) Industrial secure routers in the same VRRP group have to be N/A
in the same subnet. Please note the virtual IP has to be the
same subnet with real IP address.
Virtual Router ID Virtual Router ID is used to assign a VRRP group. The N/A
(VRID) Industrial secure routers, which operate as master / backup,
should
5-15
have the same ID. Industrial secure routers support one

virtual router ID for each interface. IDs can range from 1 to
255.
Priority (Prio.) Determines priority in a VRRP group. The priority value range N/A
is
1 to 255 and 255 is the highest priority. If several Industrial
secure routers have the same priority, the router with the
higher IP address has the higher priority. The usable range is
“1
to 255”.
Preemption When the master is back alive, it determines whether the Unchecked
master will take the authority back or not.
Preemption Delay When preemption is enabled, in order to prevent the master N/A
(sec) taking back authority before the network connection is ready,
it is suggested for the master to wait for a defined period of
time before taking authority back.
Advertisement Interval For every defined period of time, the master will send packets N/A
(sec) to all slave devices to inform who the master is.
VRRP Tracking Enable

Native Interface Verify if master’s next hub is still alive. --
Tracking
NOTE Before enabling the function “Native Interface Tracking”, please make sure the WAN interface IP is set.
Object Ping Tracking

Target IP Verify if the connection to destination, e.g. control center, is N/A
workable.
Interval (sec) How many seconds to ping destination to verify connection. N/A
TimeOut (sec) See how many seconds it takes for the ping response before N/A
timeout
Success Count Know how many times the ping responds in order to know N/A
the connection is working.
Failure Count Know how long until the ping does not respond in order to N/A
know the connection is not working.
5-16
6
6. Network Redundancy
 Layer 2 Redundant Protocols (EDR-810 series only)

 Configuring STP/RSTP
 Configuring Turbo Ring V2
 Layer 3 Redundant Protocols
 VRRP Settings
Industrial Secure Router Network Redundancy
Layer 2 Redundant Protocols (EDR-810 series

only)
Configuring STP/RSTP
The following figures indicate which Spanning Tree Protocol parameters can be configured. A more detailed
explanation of each parameter follows.
At the top of this page, the user can check the Current Status of this function. For RSTP, you will see:
Now Active:
It shows which communication protocol is being used—Turbo Ring, RSTP, or neither.
Root/Not Root
This field only appears when RSTP mode is selected. The field indicates whether or not this switch is the
Root of the Spanning Tree (the root is determined automatically).
At the bottom of this page, the user can configure the Settings of this function. For RSTP, you can
configure:
Redundancy Protocol
Select this item to change to the Turbo Ring configuration
Turbo Ring None
page.
RSTP (IEEE
Select this item to change to the RSTP configuration page. None
802.1W/1D)
Bridge priority
Increase this device’s bridge priority by selecting a lower
Numerical value number. A device with a higher bridge priority has a greater
32768
selected by user chance of being established as the root of the Spanning Tree
topology.
Forwarding Delay (sec.)

Numerical value input The amount of time this device waits before checking to see if
15
by user it should change to a different state.
6-2
Hello time (sec.)

The root of the Spanning Tree topology periodically sends out
Numerical value input a “hello” message to other devices on the network to check if
2
by user the topology is healthy. The “hello time” is the amount of
time the root waits between sending hello messages.
Max. Age (sec.)

If this device is not the root, and it has not received a hello
message from the root in an amount of time equal to “Max.
Numerical value input Age,” then this device will reconfigure itself as a root. Once
20
by user two or more devices on the network are recognized as a root,
the devices will renegotiate to set up a new Spanning Tree
topology.
Enable STP per Port

Select to enable the port as a node on the Spanning Tree
Enable/Disable Disabled
topology.
NOTE We suggest not enabling the Spanning Tree Protocol once the port is connected to a device (PLC, RTU, etc.)
as opposed to network equipment. The reason is that it will cause unnecessary negotiation.

Auto 1. If the port does not receive a BPDU within 3
seconds, the port will be in the forwarding
state.
2. Once the port receives a BPDU, it will start
Auto
the RSTP negotiation process.
Force Edge The port is fixed as an edge port and will always
be in the forwarding state
False The port is set as the normal RSTP port
Port Priority
Numerical value Increase this port’s priority as a node on the Spanning Tree
128
selected by user topology by entering a lower number.
Port Cost
Numerical value input Input a higher cost to indicate that this port is less suitable as
200000
by user a node for the Spanning Tree topology.
Port Status
Indicates the current Spanning Tree status of this port. Forwarding for normal transmission, or Blocking
to block transmission.
6-3
Configuring Turbo Ring V2
NOTE When using the Dual-Ring architecture, users must configure settings for both Ring 1 and Ring 2. In this
case, the status of both rings will appear under “Current Status.”
Explanation of “Current Status” Items
Now Active
It shows which communication protocol is in use: Turbo Ring V2, RSTP, or none.
Ring 1/2—Status
It shows Healthy if the ring is operating normally, and shows Break if the ring’s backup link is active.
Ring 1/2—Master/Slave
It indicates whether or not this EDS is the Master of the Turbo Ring. (This field appears only when Turbo
Ring or Turbo Ring V2 modes are selected.)
NOTE The user does not need to set the master to use Turbo Ring. If master is not set, the Turbo Ring protocol
will assign master status to one of the EDS units in the ring. The master is only used to determine which
segment serves as the backup path.
Ring 1/2—1st Ring Port Status
Ring 1/2—2nd Ring Port Status

The “Ports Status” indicators show Forwarding for normal transmission, Blocking if this port is connected
to a backup path and the path is blocked, and Link down if there is no connection.
Coupling—Mode
It indicates either None, Dual Homing, or Ring Coupling.
Coupling—Coupling Port status

It indicates either Primary, or Backup.
6-4
Explanation of “Settings” Items
Redundancy Protocol
Select this item to change to the Turbo Ring V2 configuration
Turbo Ring V2
page.
RSTP (IEEE 802.1W/ None
Select this item to change to the RSTP configuration page.
802.1D-2004)
None Ring redundancy is not active
Enable Ring 1
Enabled Enable the Ring 1 settings Not checked
Disabled Disable the Ring 1 settings Not checked
Enable Ring 2*
Enabled Enable the Ring 2 settings
Not checked
Disabled Disable the Ring 2 settings
Note: You should enable both Ring 1 and Ring 2 when using the Dual-Ring architecture.
Set as Master
Enabled Select this device as Master
Not checked
Disabled Do not select this device as Master
Redundant Ports
1st Port Select any port of the device to be one of the redundant See the following table
ports.
2nd Port Select any port of the device to be one of the redundant See the following table
ports.
Enable Ring Coupling

Enable Select this EDS as Coupler
Not checked
Disable Do not select this EDS as Coupler
Coupling Mode
Dual Homing Select this item to change to the Dual Homing configuration See the following
page table
Ring Coupling Select this item to change to the Ring Coupling (backup) See the following
(backup) configuration page table
Ring Coupling Select this item to change to the Ring Coupling (primary) See the following
(primary) configuration page table
6-5
Layer 3 Redundant Protocols
VRRP Settings
Virtual Router Redundancy Protocol (VRRP) can solve the problem with static configuration. VRRP enables a
group of routers to form a single virtual router with a virtual IP address. The LAN clients can then be
configured with the virtual router’s virtual IP address as their default gateway. The virtual router is the
combination of a group of routers, and is also known as a VRRP group.
Enable
Enable Enables VRRP Disable
VRRP Interface Setting Entry

Enable Enables VRRP entry Disabled
Virtual IP L3 switches / routers in the same VRRP group must be set to 0.0.0.0
the same virtual IP address as the VRRP ID. This virtual IP
address must belong to the same address range as the real
IP address of the interface.
Virtual Router ID Virtual Router ID is used to assign a VRRP group. The L3 0
switches / routers, which operate as master / backup, should
have the same ID. Moxa L3 switches / routers support one
virtual router ID for each interface. IDs can range from 1 to
255.
Priority Determines priority in a VRRP group. The priority value range 100
is 1 to 255 and the 255 is the highest priority. If several L3
switches / routers have the same priority, the router with
higher IP address has the higher priority. The usable range is
“1 to 255”.
Preemption Mode Determines whether a backup L3 switch / router will take the Enabled
authority of master or not.
Track Interface The Track Interface is used to track specific interface within Disable
the router that can change the status of the virtual router for
a VRRP Group. For example, the WAN interface can be
tracked and if the link is down, the other backup router will
become the new master of the VRRP group.
6-6
7
7. Network Address Translation
 Network Address Translation (NAT)

 NAT Concept
 1-to-1 NAT Overview
 1-to-1 NAT
 N-to-1 NAT
 Port Forward
Industrial Secure Router Network Address Translation
Network Address Translation (NAT)
NAT Concept
NAT (Network Address Translation) is a common security function for changing the IP address during
Ethernet packet transmission. When the user wants to hide the internal IP address (LAN) from the external
network (WAN), the NAT function will translate the internal IP address to a specific IP address, or an
internal IP address range to one external IP address. The benefits of using NAT include:
• Uses the N-1 or Port forwarding Nat function to hide the Internal IP address of a critical network or
device to increase the level of security of industrial network applications.
• Uses the same private IP address for different, but identical, groups of Ethernet devices. For example, 1-
to-1 NAT makes it easy to duplicate or extend identical production lines.
NOTE The NAT function will check if incoming or outgoing packets match the policy. It starts by checking the
packet with the first policy (Index=1); if the packet matches this policy, the Industrial Secure Router will
translate the address immediately and then start checking the next packet. If the packet does not match
this policy, it will check with the next policy.
NOTE The maximum number of NAT policies for the Industrial Secure Router is 128.
1-to-1 NAT Overview

If the internal device and external device need to communicate with each other, choose 1-to-1 NAT, which
offers bi-directional communication (N-to-1 and Port forwarding are both single-directional communication
NAT functions).
1-to-1 NAT is usually used when you have a group of internal servers with private IP addresses that must
connect to the external network. You can use 1-to-1 NAT to map the internal servers to public IP addresses.
The IP address of the internal device will not change.
The figure below illustrates how a user could extend production lines, and use the same private IP
addresses of internal devices in each production line. The internal private IP addresses of these devices will
map to different public IP addresses. Configuring a group of devices for 1-to-1 NAT is easy and
straightforward.
7-2
1-to-1 NAT Setting for EDR-G903 in Production Line 1
1-to-1 NAT Setting for EDR-G903 in Production Line 2
1-to-1 NAT
Name
Name Naming NAT rule None
Enable
Enable Enable or disable the selected NAT policy Unchecked
NAT Mode
N-1 Select the NAT types 1-1
1-1
Port Forward
7-3
VRRP Binding
VRRP Index No Select which VRRP setting 1-to-1 NAT rule should work with None
NOTE VRRP Binding function is only supported in 1-to-1 NAT. With selected VRRP setting, 1-to-1 NAT rule is valid
when the system is the master. If no VRRP index is selected, 1-to-1 NAT rule will be valid regardless if the
system is using master or backup.
Outside Interface
Auto, WAN, WAN1, In the EDR-810, select WAN/LAN/BRG_LAN interface for NAT WAN1 (for
WAN2, BRG_LAN, LAN rule. In the EDR-G903, select WAN/WAN2/LAN interface for EDR-G903), WAN
NAT rule. In the EDR-G902, select Auto/WAN/LAN interface (for EDR-810), Auto
for NAT rule. When Auto is selected, the G902 will check if (for EDR-G902)
WAN interface can route the packet with NAT.
Global IP
IP Address Set the public IP address which the internal IP will be None
translated into.
Local IP
IP Address Select the Internal IP address in LAN/DMZ network area None
Bidirectional 1-to-1 NAT
7-4
For some applications, devices need to talk to both internal devices and external devices without using a
gateway. Bidirectional 1-to-1 NAT can do Network Address Translation in both directions without a gateway.
NOTE The Industrial Secure Router can obtain an IP address via DHCP or PPPoE. However, if this dynamic IP
address is the same as the WAN IP for 1-to-1 NAT, then the 1-to-1 NAT function will not work. For this
reason, we recommend disabling the DHCP/PPPoE function when using the 1-to-1 NAT function.
N-to-1 NAT
If the user wants to hide the Internal IP address from users outside the LAN, the easiest way is to use the
N-to-1 (or N-1) NAT function. The N-1 NAT function replaces the source IP Address with an external IP
address, and adds a logical port number to identify the connection of this internal/external IP address. This
function is also called “Network Address Port Translation” (NAPT) or “IP Masquerading.”
The N-1 NAT function is a one-way connection from an internal secure area to an external non-secure area.
The user can initialize the connection from the internal to the external network, but may not be able to
initialize the connection from the external to the internal network.
Enable/Disable NAT Policy

Enable or Disable Enable or disable the selected NAT policy Enabled
NAT Mode
1-1
Port Forwarding
7-5
Interface (N-1 mode)

WAN, LAN, BRG_LAN, In the EDR-810, select WAN/LAN/BRG_LAN interface for NAT Auto(for, EDR-902
Auto, WAN1, WAN2, rule. In the EDR-G903, select Auto/WAN1/WAN2/LAN & EDR-G903), WAN
LAN interface for NAT rule. In the EDR-G902, select (for EDR-810)
Auto/WAN/LAN interface for NAT rule. When Auto is selected,
the G902 will check if the WAN interface can route the packet
with NAT.
The Industrial Secure Router provides a Dual WAN backup function for network redundancy. If the interface
is set to Auto, the NAT Mode is set to N-1, and the WAN backup function is enabled, the primary WAN
interface is WAN1. If the WAN1 connection fails, the WAN interface of this N-1 policy will apply to WAN2 and
switch to WAN2 for N-1 outgoing traffic until the WAN1 interface recovers.
IP Range
IP address Select the Internal IP range for IP translation to WAN IP None
address
WAN IP (N-1 mode)

IP address The IP address of the user selected interface (WAN1, WAN2, None
and Auto) in this N-to-1 policy.
Add a NAT Rule

Checked the “Enable” checkbox and input the correspondent NAT parameters in the page, and then click
“New/Insert” to add it into the NAT List Table. Finally, click “Activate” to activate the configuration.
Delete a NAT Rule

Select the item in the NAT List Table, then, click “Delete” to delete the item.
Modify a NAT Rule

Select the item in the NAT List Table. Modify the attributes and click “Modify” to change the configuration.
Activate NAT List Table

After adding/deleting/modifying any NAT Rules, be sure to Activate it.
NOTE The Industrial Secure Router will add an N-1 policy from the source IP, 192.168.127.1 to 192.168.127.252
to the WAN1 interface after activating the Factory Default.
Port Forward
If the initial connection is from outside the LAN, but the user still wants to hide the Internal IP address, one
way to do this is to use the Port Forwarding NAT function.
The user can specify the port number of an external IP address (WAN1 or WAN2) in the Port Forwarding
policy list. For example, if the IP address of a web server in the internal network is 192.168.127.10 with
port 80, the user can set up a port forwarding policy to let remote users connect to the internal web server
from external IP address 10.10.10.10 through port 8080. The Industrial Secure Router will transfer the
packet to IP address 192.168.127.10 through port 80.
The Port Forwarding NAT function is one way of connecting from an external insecure area (WAN) to an
internal secure area (LAN). The user can initiate the connection from the external network to the internal
network, but will not able to initiate a connection from the internal network to the external network.
7-6
Enable/Disable NAT policy

Enable or Disable Enable or disable the selected NAT policy Enabled
NAT Mode
1-1
Port Forward
Interface (Port Forward mode)

WAN, LAN, BRG_LAN, Select the Interface for this NAT Policy WAN (for EDR-
Auto, WAN1, WAN2, 902), WAN1 (for
LAN EDR-G903), WAN
(for EDR-810)
Protocol (Port Forward mode)

TCP Select the Protocol for NAT Policy TCP
UDP
TCP & UDP
WAN Port (Port Forward mode)

1 to 65535 Select a specific WAN port number None
LAN/DMZ IP (Port Forward mode)

IP Address The translated IP address in the internal network None
LAN/DMZ Port (Port Forward mode)

1 to 65535 The translated port number in the internal network None
7-7
8
8. Firewall
 Policy Concept
 Policy Overview
 Firewall
 Layer 2 policy
 Layer 2 Policy Setup (Only in Bridge Mode for EDR-G902/G903)
 Layer 3 policy
 Quick Automation Profile
 Policy Check
 Modbus TCP Policy
 Denial of Service (DoS) Defense
 Firewall Event Log
Industrial Secure Router Firewall
Policy Concept
A firewall device is commonly used to provide secure traffic control over an Ethernet network, as illustrated
in the following figure. Firewall devices are deployed at critical points between an external network (the
non-secure part) and an internal network (the secure part).
Policy Overview
The Industrial Secure Router provides a Firewall Policy Overview that lists firewall policies by interface
direction.
Select the From interface and To interface and then click the Show button. The Policy list table will show
the policies that match the From-To interface.
Interface From/To
All (WAN1/WAN2/LAN) Select the From Interface and To interface From All to All
WAN1
WAN2
LAN
8-2
Firewall
Layer 2 policy
EDR-810 and EDR-G902/903 (in Bridge Mode (referring to section of Mode Configuration in Network)
provide an advanced Layer 2 firewall policy for secure traffic control, which depends on the following
parameters. Layer 2 firewall policy can filter packets from bridge ports. Layer 2 policy priority is higher than
L3 policy.
Interface From/To
All (WAN1/WAN2/LAN) Select the From Interface and To interface None
WAN1 None
WAN2 None
LAN None
Protocol
Refer to table Select the Layer 2 Protocol in this Firewall Policy None
“EtherType for Layer 2
Protocol” for a more
detailed description
EtherType
0x0600 to 0xFFFF When Protocol is set to “Manual” you can set up EtherType None
manually
Target
Accept The packet will pass the Firewall when it matches the policy None
Drop The packet will not pass the Firewall when it matches this None
Firewall policy
Source MAC Address

Mac Address This Firewall Policy will check all Source MAC addresses of the 00:00:00:00:00:00
packet
8-3
Destination MAC Address

Mac Address This Firewall Policy will check all destination MAC addresses of 00:00:00:00:00:00
the packet
The following table shows the Layer 2 protocol types commonly used in Ethernet frames.
EtherType for Layer 2 Protocol

Type Layer 2 Protocol
0x0800 IPv4 (Internet Protocol version 4)
0x0805 X.25
0x0806 ARP (Address Resolution Protocol)
0x0808 Frame Relay ARP
0x08FF G8BPQ AX.25 Ethernet Packet
0x6000 DEC Assigned proto
0x6001 DEC DNA Dump/Load
0x6002 DEC DNA Remote Console
0x6003 DEC DNA Routing
0x6004 DEC LAT
0x6005 DEC Diagnostics
0x6006 DEC Customer use
0x6007 DEC Systems Comms Arch
0x6558 Trans Ether Bridging
0x6559 Raw Frame Relay
0x80F3 Appletalk AARP
0x809B Appletalk
0x8100 8021Q VLAN tagged frame
0x8137 Novell IPX
0x8191 NetBEUI
0x86DD IPv6 (Internet Protocol version 6)
0x880B PPP
0x884C MultiProtocol over ATM
0x8863 PPPoE discovery messages
0x8864 PPPoE session messages
0x8884 Frame-based ATM Transport over Ethernet
0x9000 Loopback
Layer 2 Policy Setup (Only in Bridge Mode for EDR-

G902/G903)
When the Industrial Secure Router is in Bridge Mode (referring to section of Mode Configuration in Network
Settings), it provides an advanced Layer 2 firewall policy for secure traffic control, which depends on the
following parameters:
EtherType
0x0600 to 0xFFFF When Protocol is set to “Manual” you can set up EtherType None
manually
8-4
Layer 3 policy
The Industrial Secure Router’s Firewall policy provides secure traffic control, allowing users to control
network traffic based on the following parameters.
Global Setting
The Industrial Secure Router supports real-time event logs for Firewall, DoS, and VPN events. You can
configure the system to save these logs locally in the flash or send them to the Syslog server and SNMP
Trap server.
Enable Logging Firewall Events
To enable the function logging events including malformed packet drop and firewall white/black rules, select
the Enable option in Firewall Event Log. For firewall white/black rules event logs, users can select where to
store this log in “Policy Setting”.
Enable Malformed Packets
To enable the function logging dropping malformed packet and storing it in flash or send out syslog/ SNMP
trap. User can set severity of the event.
8-5
Policy Setting
Name
Give a name for each firewall rule
Enable
Enable or Disable Enable or disable the selected Firewall policy Enabled
Severity
<0> Emergency Severity of firewall event <0> Emergency
<1> Alert
<2> Critical
<3> Error
<4> Warning
<5> Notice
<6> Informational
<7> Debug
Flash
Check/Uncheck Firewall white/black rules event logs is stored in flash, and Unchecked
will show in “Event Log “Table
Syslog/ SNMP trap

Check/Uncheck Industrial Secure Router send firewall white/ black rules Unchecked
event logs through syslog or SNMP trap
Interface From/To
All (WAN1/WAN2/LAN) Select the From Interface and To interface From All to All
WAN1
WAN2
LAN
Automation Profile
Refer to the “Quick Select the Protocol parameters in this Firewall Policy None
Automation Profile”
section.
Filter Mode
IP Address Filter This Firewall policy will filter by IP address IP Address Filter
Source MAC Filter This Firewall policy will filter by MAC address and source
Action
Accept The packet will penetrate the firewall when it matches this Accept
firewall policy
Drop The packet will not penetrate the firewall when it does not
match this firewall policy
8-6
Source IP
All (IP Address) This Firewall Policy will check all Source IP addresses in the All
packet
Single (IP Address) This Firewall Policy will check single Source IP addresses in
the
packet
Range (IP Address) This Firewall Policy will check multiple Source IP addresses in
the packet
Source MAC
---/Enable The firewall policy will check source MAC address in the ---
packet. Via this way, the IP Spoofing attack can be decreased
Source Port
All (Port number) This Firewall Policy will check all Source port numbers in the All
packet
Single (Port number) This Firewall Policy will check single Source Port numbers in
the
packet
Range (Port number) This Firewall Policy will check multiple Source port numbers in
the packet
Destination IP
All (IP Address) This Firewall Policy will check all Destination IP addresses in All
the
packet
Single (IP Address) This Firewall Policy will check single Destination IP addresses
in
the packet
Range (IP Address) This Firewall Policy will check multiple Destination IP
addresses
in the packet
Destination Port
All (Port number) This Firewall Policy will check all Destination port numbers in All
the packet
Single (Port number) This Firewall Policy will check single Destination Port numbers
in the packet
Range (Port number) This Firewall Policy will check multiple Destination port
numbers in the packet
NOTE The Industrial Secure Router’s firewall function will check if incoming or outgoing packets match the firewall
policy. It starts by checking the packet with the first policy (Index=1); if the packet matches this policy, it
will accept the packet immediately and then check the next packet. If the packet does not match this policy
it will check with the next policy.
NOTE The maximum number of Firewall policies for the EDR-810 and EDR-G902 is 256, and for EDR-G903 is 512.
8-7
Quick Automation Profile

Ethernet Fieldbus protocols are popular in industrial automation applications. In fact, many Fieldbus
protocols (e.g., EtherNet/IP and Modbus TCP/IP) can operate on an industrial Ethernet network, with the
Ethernet port number defined by IANA (Internet Assigned Numbers Authority). The Industrial Secure Router
provides an easy to use function called Quick Automation Profile that includes 45 different pre-defined
profiles (Modbus TCP/IP, Ethernet/IP, etc.), allowing users to create an industrial Ethernet Fieldbus firewall
policy with a single click.
For example, if the user wants to create a Modbus TCP/IP firewall policy for an internal network, the user
just needs to select the Modbus TCP/IP(TCP) or Modbus TCP/IP(UDP) protocol from the Protocol
drop-down menu on the Firewall Policy Setting page.
The following table shows the Quick Automation Profile for Ethernet Fieldbus Protocol and the corresponding
port number
Ethernet Fieldbus Protocol Port Number

EtherCat port (TCP) 34980
EtherCat port (UDP) 34980
EtherNet/IP I/O (TCP) 2222
EtherNet/IP I/O (UDP) 2222
EtherNet/IP Messaging (TCP) 44818
EtherNet/IP Messaging (UDP) 44818
FF Annunciation (TCP) 1089
FF Annunciation (UDP) 1089
FF Fieldbus Message (TCP) 1090
FF Fieldbus Message (UDP) 1090
FF System Management (TCP) 1091
FF System Management (UDP) 1091
FF LAN Redundancy Port (TCP) 3622
FF LAN Redundancy Port (UDP) 3622
LonWorks (TCP) 2540
LonWorks (UDP) 2540
LonWorks2 (TCP) 2541
LonWorks2 (UDP) 2541
Modbus TCP/IP (TCP) 502
Modbus TCP/IP (UDP) 502
PROFInet RT Unicast (TCP) 34962
8-8
PROFInet RT Unicast (UDP) 34962

PROFInet RT Multicast (TCP) 34963
PROFInet RT Multicast (UDP) 34963
PROFInet Context Manager (TCP) 34964
PROFInet Context Manager (UDP) 34964
IEC 60870-5-104 (TCP) 2404
IEC 60870-5-104 (UDP) 2404
DNP (TCP) 20000
DNP (UDP) 20000
The Quick Automation Profile also includes the commonly used Ethernet protocols listed in the following
table:
Ethernet Protocol Port Number

IPsec NAT Traversal (UDP) 4500
IPsec NAT traversal (TCP) 4500
FTP-data (TCP) 20
FTP-data (UDP) 20
FTP-control (TCP) 21
FTP-control (UDP) 21
SSH (TCP) 22
SSH (UDP) 22
Telnet (TCP) 23
Telnet (UDP) 23
HTTP (TCP) 80
HTTP (UDP) 80
IPsec (TCP) 1293
IPsec (UDP) 1293
L2F & L2TP (TCP) 1701
L2F & L2TP (UDP) 1701
PPTP (TCP) 1723
PPTP (UDP) 1723
Radius authentication (TCP) 1812
Radius authentication (UDP) 1812
RADIUS accounting (TCP) 1813
RADIUS accounting (UDP) 1813
8-9
Policy Check
The Industrial Secure Router supports a PolicyCheck function for maintaining the firewall policy list. The
PolicyCheck function detects firewall policies that may be configured incorrectly. PolicyCheck provides an
auto detection function for detecting common configuration errors in the Firewall policy (e.g., Mask,
Include, and Cross conflict). When adding a new firewall policy, the user just needs to click the
PolicyCheck button to check each policy; warning messages will be generated that can be used for further
analysis. If the user decides to ignore a warning message, the Industrial Secure Router firewall will run on
the configuration provided by the user. The three most common types of configuration errors are related to
Mask, Include, and Cross Conflict. The Source/Destination IP range or Source/Destination port number
of policy [X] is smaller or equal to policy[Y] but the action target (Accept/Drop) is different. For example,
two firewall policies are shown below:
Index Input Output Protocol Source IP Destination IP Target

1 WAN1 LAN ALL 10.10.10.10 192.168.127.10 ACCEPT
2 WAN2 LAN ALL 20.20.20.10 to 192.168.127.20 ACCEPT
20.20.20.30
Suppose the user next adds a new policy with the following configuration:

3 WAN2 LAN ALL 20.20.20.20 192.168.127.20 DROP
After clicking the PolicyCheck button, the Industrial Secure Router will issue a message informing the user
that policy [3] is masked by policy [2] because the IP range of policy [3] is smaller than the IP range of
policy [2], and the Target action is different.
8-10
Include: Policy [X] is included in Policy [Y]
The Source/Destination IP range or Source/Destination port number of policy [X] is less than or equal to
policy [Y], and the action target (Accept/Drop) is the same. In this case policy [X] will increase the loading
of the Industrial Secure Router and lower its performance. For example, two firewall policies are shown in
the following table:

20.20.20.30
After clicking the PolicyCheck button, the Industrial Secure Router will issue a message informing the user
that policy [3] is included in policy [2] because the IP range of policy [3] is smaller than the IP range of
policy
[2], and the Target action is the same.
Cross Conflict: Policy [X] cross conflicts with Policy [Y]
Two firewall policy configurations, such as Source IP, Destination IP, Source port, and Destination port, in
policy [X] and policy [Y] are masked, and the action target (Accept/Drop) is different. For example, two
firewall policies are shown in the following table:

20.20.20.30
3 WAN2 LAN ALL 20.20.20.25 192.168.127.20 to DROP
192.168.127.30
The source IP range in policy 3 is smaller than policy 2, but the destination IP of policy 2 is smaller than
policy 3, and the target actions (Accept/Drop) of these two policies are different. If the user clicks the
PolicyCheck button, the Industrial Secure Router will issue a message informing the user that policy [3] is
in Cross Conflict with policy [2].
8-11
Modbus TCP Policy

Modbus TCP is a Modbus protocol used for communications over TCP/IP networks, connecting over port 502
by default. Some have experimented with using Modbus over UDP on IP networks, which removes the
overheads required for TCP. The following table shows the Modbus TCP frame format:
Modbus TCP Frame Format

Description Length Function
Transaction Identifier 2 bytes Synchronization between messages of server & client
Protocol Identifier 2 bytes The value is 0 for Modbus TCP protocol
Length Field 2 bytes Number of remaining following bytes in this frame
Unit Identifier 1 byte Slave Address (255 is used for device broadcast information)
Function code 1 byte Define message type
Data bytes n bytes Data block with additional information
Modbus Policy Setup
The Industrial Secure Router provides Modbus policy inspection of Modbus TCP packets, which allows users
to control Modbus TCP traffic based on the following parameters:
Add a Modbus TCP Filtering Rule

Check the “Enable” checkbox and input the correspondent Modbus TCP parameters in the page, and then
click “Add” to add it into the Modbus Filtering Table. Finally, click “Activate” to activate the configuration.
Delete a Modbus TCP Filtering Rule

Select the item in the Modbus Filtering Table, then, click “Delete” to delete the item.
Modify a Modbus TCP Filtering Rule

Select the item in the Modbus Filtering Table. Modify the attributes and click “Modify” to change the
configuration.
Activate Modbus TCP Filtering Table

After adding/deleting/modifying any Modbus TCP Filtering Rules, make sure to click “Activate” to activate
the item.
8-12
Enable/Disable Modbus Policy

Enable or Disable Enable or disable the selected Modbus policy Enabled
Interface From/To
All (WAN/LAN) Select the From Interface and To interface From All to All
WAN
LAN
Protocol
All (TCP/UDP) This Modbus Policy will check the UDP packet, TCP packet or All
TCP both.
UDP
UID
1 to 255 Unit Identifier, 0 indicate this Modbus policy will check all 0
UIDs in the packet.
Function Code
Refer to the “Common Select the function code parameters in this Modbus policy. All
function codes” section When the function code is set to “Manual” you can set up the
on page 3-52. function code manually.
Address
All (Address Index) This Modbus policy will check all Data Address Index in the All
packet.
Single (Address Index) This Modbus policy will check single Data Address Index in
the packet.
Range (Address Index) This Modbus policy will check multiple Data Address Indexes
in the packet.
Target
Accept The packet will penetrate the firewall when it matches this Accept
Modbus policy.
Drop The packet will not penetrate the firewall when it matches
this Modbus policy.
Source IP
All (IP Address) This Modbus policy will check all Source IP addresses in the All
packet.
Single (IP Address) This Modbus policy will check single Source IP addresses in
the packet.
Range (IP Address) This Modbus policy will check multiple Source IP addresses in
the packet.
8-13
Destination IP
All (IP Address) This Modbus policy will check all Destination IP addresses in All
the packet.
Single (IP Address) This Modbus policy will check single Destination IP addresses
in the packet.
Range (IP Address) This Modbus policy will check multiple Destination IP
addresses in the packet.
Unit identifier (UID) is used with Modbus/TCP devices that are composites of several Modbus devices. It
may be used to communicate via devices such as bridges and gateways which use a single IP address to
support multiple independent end units.
Function code defines the message type and the type of action required by the slave. The parameter
contains one byte of information. Valid function codes are in the range 1 to 255. Not all Modbus devices
recognize the same set of function codes. The most common codes are supported for quick settings, and
user-defined function codes are also supported.
Most function code addresses a single address or a range of addresses. The Industrial Secure Router
provides code for deep data inspection.
Common function codes

The following table shows the various reading, writing, and other operations.
Function Name Function Code

Physical Discrete Inputs Read Discrete Inputs 2
Read Coils 1
Bit Access Internal Bits or Physical
Write Single Coil 5
Coils
Write Multiple Coils 15
Physical Input Registers Read Input Register 4
Read Holding Registers 3
Write Single Register 6
Data Access Write Multiple 16
16-bit Access Internal Registers or Registers
Physical Output Registers Read/Write Multiple 23
Registers
Mask Write Register 22
Read FIFO Queue 24
Read File Record 20
File Record Access
Write File Record 21
Read Exception Status 7
Diagnostic 8
Get Com Event 11
Counter
Diagnostics
Get Com Event Log 12
Report Slave ID 17
Read Device 43
Identification
8-14
Modbus TCP Filtering controls both directions of communication between Modbus Master and Modbus
Slave. Users need to set up two rules for the data transaction between Master and Slave. One rule is to
accept the Master commands and another rule is to accept the Slave response.
NOTE The main Firewall Policy rules are the first tier of filtering in the Network Layer, and the Modbus Filtering
rules are the second tier of filtering in both the Network Layer and Application Layer.
8-15
Denial of Service (DoS) Defense

The Industrial Secure Router provides 9 different DoS functions for detecting or defining abnormal packet
format or traffic flow. The Industrial Secure Router will drop the packets when it detects an abnormal packet
format. The Industrial Secure Router will also monitor some traffic flow parameters and activate the defense
process when abnormal traffic conditions are detected.
Null Scan
Enable or Disable Enable or disable the Null Scan None
Xmas Scan
Enable or Disable Enable or disable the Xmas Scan None
NMAP-Xmas Scan
Enable or Disable Enable or disable the NMAP-Xmas None
SYN/FIN Scan
Enable or Disable Enable or disable the SYN/FIN Scan None
FIN Scan
Enable or Disable Enable or disable the FIN Scan None
NMAP-ID Scan
Enable or Disable Enable or disable the NMAP-ID Scan None
SYN/RST Scan
Enable or Disable Enable or disable the SYN/RST Scan None
EW-Without-SYN Scan
Enable or Disable Enable or disable the NEW-Without-SYN Scan protection None
ICMP-Death
Enable or Disable Enable or disable the ICMP-Death defense None
Limit (Packets/Second) The limit value to activate ICMP-Death defense None
8-16
SYN-Flood
Enable or Disable Enable or disable the Null Scan function None
Limit (Packets/Second) The limit value to activate SYN-Flood defense None
ARP-Flood
Enable or Disable Enable or disable the ARP-Flood protection None
Limit (Packets/Second) The limit value to activate ARP-Flood protection
Firewall Event Log

The secure router supports real-time event logs for Firewall, DoS, and VPN events. You can configure the
system to save these logs locally in the flash or send them to the Syslog server and SNMP Trap server.
Enable Logging Firewall Events

To enable the overall event log function, select the Enable option in Log Enable.
Enable Firewall Rule Event log

To enable the specific firewall event log, click Flash, Syslog, or SNMP Trap. You may also define the
severity of the firewall rule and record it in the event.
8-17
Enable Logging DoS Events

To enable the DoS event log function, select the Enable option in Log Enable and click Flash, Syslog, or
SNMP Trap. You may also define the severity of the DoS types and record it in the event.
8-18
9
9. Virtual Private Network (VPN)
 Overview
 IPsec Configuration
 Global Settings
 IPsec Settings
 IPsec Use Case Demonstration
 IPsec Status
 L2TP Server (Layer 2 Tunnel Protocol)
 L2TP Configuration
 OpenVPN Configuration
 Server Settings
 Client Settings
 Examples for Typical VPN Applications
 Site to Site IPsec VPN tunnel with Pre-Shared Key
 Site to Site IPsec VPN tunnel with Jupiter System
 L2TP for Remote User Maintenance
 Client-to-Client communication via OpenVPN
 Redirect default gateway via OpenVPN
 Create OpenVPN connection on a mobile device
Industrial Secure Router Virtual Private Network (VPN)
Overview
In this section we describe how to use the Industrial Secure Router to build a secure Remote Automation
network with the VPN (Virtual Private Network) feature. A VPN provides a highly cost effective solution of
establishing secure tunnels, so that data can be exchanged in a secure manner.
There are three common applications for secure remote communication in an industrial automation network:
IPsec (Internet Protocol Security) VPN for LAN to LAN Security: Data communication only in a pre-
defined IP range between two different LANs.
L2TP (Layer 2 Tunnel Protocol) VPN for Remote roaming User: It is for a remote roaming user with a
dynamic IP to create a VPN. L2TP is a popular choice for remote roaming users for VPN applications because
the L2TP VPN protocol is already built in to the Microsoft Windows operating system.
OpenVPN (Open Source VPN) for Mobile Device User: Using OpenSSL encryption, OpenVPN can
provide secure data communication. Download the free OpenVPN app on a mobile device and this app
allows the user to create a VPN connection between the server and a mobile device.
IPsec uses IKE (Internet Key Exchange) protocol for Authentication, Key exchange and provides a way for
the VPN gateway data to be protected by different encryption methods.
There are 2 phases for IKE for negotiating the IPsec connections between 2 VPN gateways:
Key Exchange (IPsec Phase 1): The 2 VPN gateways will negotiate how IKE should be protected. Phase 1
will also authenticate the two VPN gateways by the matched Pre-Shared Key or X.509 Certificate.
Data Exchange (IPsec Phase 2): In Phase 2, the VPN gateways negotiate to determine additional IPsec
connection details, which include the data encryption algorithm.
IPsec Configuration
IPsec configuration includes 5 parts:
• Global Setting: Enable or Disable all IPsec Tunnels and NAT-Traversal functions
• Tunnel Setting: Set up the VPN Connection type and the VPN network plan
• Key Exchange: Authentication for 2 VPN gateways
• Data Exchange: Data encryption between VPN gateways
• Dead Peer Detection: The mechanism for VPN Tunnel maintenance
9-2
Global Settings
The Industrial Secure Router provides 3 Global Settings for IPsec VPN applications.
All IPsec Connection

Users can Enable or Disable all IPsec VPN services with this configuration.
NOTE The factory default setting is Disable, so when the user wants to use IPsec VPN function, make sure the
setting is enabled.
IPsec NAT-T Enable

If there is an external NAT device between VPN tunnels, the user must enable the NAT-T (NAT-Traversal)
function.
VPN Event Log

To enable the VPN event log function, select the Enable option in Log Enable and click Flash, Syslog, or
SNMP Trap. You may also define the severity and record it in the event.
IPsec Settings
IPsec Quick Setting
The Industrial Secure Router’s Quick Setting mode can be used to easily set up a site-to-site VPN tunnel
for two Industrial Secure Router units.
When choosing the Quick setting mode, the user just needs to configure the following:
• Tunnel Setting
• Security Setting
 Encryption Strength: Simple (AES-128), Standard (AES-192), Strong (AES-256)
 Password of Pre-Shared Key
NOTE The Encryption strength and Pre-Shared key should be configured identically for both Industrial Secure
Router units.
IPsec Advanced Setting
Click Advanced Setting to configure detailed VPN settings.
9-3
Tunnel Setting
Enable or Disable VPN Tunnel

Enable or Disable Enable or Disable this VPN Tunnel Disable
Name of VPN Tunnel

Max. of 16 characters User defined name of this VPN Tunnel. None
NOTE The first character cannot be a number.
L2TP over IPsec Enable or Disable

Enable or Disable Enable or Disable L2TP over IPsec None
VPN Connection Type

Site to Site VPN tunnel for Local and Remote subnets are fixed Site to Site
Site to Site (Any) VPN tunnel for Remote subnet area is dynamic and Local
subnet is fixed
Remote VPN Gateway

IP Address Remote VPN Gateway’s IP Address None
Connection Interface
WAN1 The interface of the VPN Tunnel WAN1
WAN2
If the user enables the WAN backup function, WAN1 would be
Default Route
the primary default route and WAN2 would be the backup
route.
Startup Mode
Start in Initial This VPN tunnel will actively initiate the connection with the Start in Initial
Remote VPN Gateway.
Wait for Connecting This VPN tunnel will wait remote VPN gateway to initiate the
connection
NOTE The maximum number of Starts in the initial VPN tunnel is 30. The maximum number of Waits for
connecting to a VPN tunnel is 100.
9-4
Local Network
Network IP address of local VPN network/Subnet mask of local VPN 192.168.127.254/24
network. Users can enter multiple local networks that build
IPsec connections here. If there are two local networks, the
user can enter their addresses
192.168.127.254/24,192.168.126.254/24 and then these
two networks will build an IPsec connection with remote
network.
Remote Network
Network IP address of remote VPN network/Subnet mask of remote N/A
VPN network. Users can enter multiple remote networks that
build IPsec connections here. If there are two remote
networks, the user can enter their addresses
(10.10.100.254/24, 10.10.110.254/24) and then these two
networks will build an IPsec connection with local network.
Identity
Type There are four ID types for users to choose from: IP address, IP address
FQDN, Key ID, and Auto.
Key ID is a string, which users can create by themselves.
Auto (with Cisco) is for building connections for use with
Cisco’s systems.
Local ID ID for identifying the VPN tunnel connection. The Local ID
must be equal to the Remote ID of the connected VPN
Gateway. Otherwise, the VPN tunnel cannot be established
successfully
Remote ID ID for identifying the VPN tunnel connection. The Local ID
must be equal to the Remote ID of the connected VPN
Gateway. Otherwise, the VPN tunnel cannot be established
successfully
Key Exchange (IPsec phase I)
IKE Mode
Main In ‘Main’ IKE Mode, both the Remote and Local VPN gateway MAIN
will negotiate which Encryption/Hash algorithm and DH
groups can be used in this VPN tunnel; both VPN gateways
must use the same algorithm to communicate.
9-5
Aggressive In “Aggressive” Mode, the Remote and Local VPN gateway

will not negotiate the algorithm; it will use the user’s
configuration only.
Authentication Mode
Pre-Shared Key When two systems use a Pre-Shared Key which users define Pre-Shared Key
as an authentication tool to build an IPsec VPN connection.
X.509 In this mode, two systems use certificates that users N/A
imported in advance in “Local Certificate” as an
authentication tool to build an IPsec VPN connection. For the
detailed workflow, please refer to User Scenario 1 and 2 later
in this chapter.
X.509 With CA In this mode, two systems use certificates that users N/A
imported in advance in “Local Certificate”, and the CA that
users imported in advance in “Trusted CA Certificate” as an
authentication tool to build an IPsec VPN connection. For the
detailed workflow, please refer to User Scenario 3, 4, and 5
later in this chapter.
For the detailed workflow of X.509 and X.509 with CA, please refer to the user scenarios 1 to 5 below later
in this chapter.
NOTE Certificates are a time related form of authentication. Before processing certificates, please ensure that the
industrial secure router is synced with the local device. For more information about time sync, please refer
to the Date and Time section.
Encryption Algorithm
DES Encryption Algorithm in key exchange 3DES
3DES
AES-128
AES-192
AES-256
Hash Algorithm
Any Hash Algorithm in key exchange SHA1
MD5
SHA1
SHA-256
DH Group
DH1(modp 768) Diffie-Hellman groups (the Key Exchange group between the DH2(modp 1024)
DH2(modp 1024) Remote and VPN Gateways)
DH5(modp 1536)
DH14(modp 2048)
Negotiation Time
Negotiation time The number of allowed reconnect times when startup mode is 0
initiated. If the number is 0, this tunnel will always try
connecting to the remote gateway when the VPN tunnel is not
created successfully.
9-6
IKE Lifetime
IKE lifetime (hours) Lifetime for IKE SA 1 (hr)
Rekey Expire Time

Rekey expire time Start to Rekey before the IKE lifetime has expired 9 (min)
(minutes)
Rekey Fuzz Percent

0-100 (%) The key exchange interval will change randomly to enhance 100%
security. “Rekey Expire Time” is the baseline interval to
exchange keys. Rekey fuzz percent represents the percentage
of how much “Rekey Expire Time” will change. For example,
the “Rekey Expire Time” is set as 9 mins, and “Rekey Fuzz
Percent” is set as 50%. The key exchange interval will be 4.5
mins.
Data Exchange (IPsec phase II)
Perfect Forward Secrecy

Enable or Disable Uses different security keys for different IPsec phases in Disable
order to enhance security
DH1 (modp768) Diffie-Hellman groups (the Key Exchange group between the DH1 (modp768)
DH2 (modp1024) Remote and VPN Gateways)
DH5 (modp1536)
DH14 (modp2048)
SA Lifetime
SA lifetime (minutes) Lifetime for SA in Phase 2 480 (min)
Encryption Algorithm
DES Encryption Algorithm in data exchange 3DES
3DES
AES-128
AES-192
AES-256
Hash Algorithm
Any Hash Algorithm in data exchange SHA1
MD5
SHA1
SHA-256
9-7
Dead Peer Detection
Dead Peer Detection is a mechanism to detect whether or not the connection between a local secure router
and a remote IPsec tunnel has been lost.
Action
Action when a dead peer is detected.

Hold Hold this VPN tunnel Hold
Restart Reconnect this VPN tunnel
Clear Clear this VPN tunnel
Disable Disable Dead Peer Detection
Delay
Delay time (seconds) The period of dead peer detection messages 30 (sec)
Timeout
Timeout (seconds) Timeout to check if the connection is alive or not 120 (sec)
IPsec Use Case Demonstration

In the following section, we will consider five common user scenarios. The purpose of each example is to
give a clearer understanding of two authentication modes ‘X.509’ and ‘X.509 with CA’.
9-8
Scenario 1: X.509 Mode-One Certificate
Users will sometimes use certificates generated from a server or from the Internet. If users only get one
certificate, they can import this certificate into a system. This system can then use the same certificate to
identify other certificates and then build a VPN connection. In this case, users have to import certificates
(.p12) into both sides. Please follow the steps in the diagram below to learn how to install certificates and
build an IPSec VPN connection.
Scenario 2: X.509 Mode-Two Certificates
Users will sometimes use certificates generated from a server or from the Internet. If users get different
certificates for different systems, users can import these certificates into systems accordingly. However,
systems require all of these certificates to identify trusted systems before building an IPsec VPN connection.
Taking two systems as an example: System A has certificate-1 (.p12) and System B has certificate-2
(.p12). To build an IPsec VPN connection, System A and B have to exchange certificates (.crt) with each
other. And then Systems A and B need to install certificates (.crt) into their systems. Please follow the steps
in the diagram below to learn how to install certificates and build an IPsec VPN connection.
9-9
Scenario 3: X.509 with CA Mode-One CA
In X.509 mode, users have to install all certificates in all systems, which takes a lot of time and effort. To
decrease users’ effort, they can get the certificate from the CA (Certificate Authority). When using
certificates from the CA, each system needs to install the same CA (.crt) to allow each system to identify
different certificates from different systems. One condition is that every certificate should be issued by the
same CA. Please follow the steps in the diagram below to learn how to install CA (.crt) and build an IPsec or
OpenVPN connection.
Scenario 4: X.509 with CA Mode-Two CAs
In some large-scale systems, users may find it difficult to get certificates from one CA and therefore need to
get certificates from different CAs. This scenario applies to the X.509 CA mode. The users have to install all
CAs (.crt) into all systems. This means that every system can recognize certificates from different CAs,
which allows identification of all the different systems. Please follow the steps in the diagram below to learn
how to install CA (.crt) and certificate (.p12) in order to build an IPsec or OpenVPN connection.
9-10
Scenario 5: X.509 with CA Mode-Certificate from CSR
For the previous four user scenarios, even when systems use certificates to identify each other before
building a VPN connection, there is still a risk that someone can steal the certificate and pretend to be part
of the trusted system.
To minimize this risk, there is a function called Certificate Signing Request (CSR) in X.509 with CA mode.
CSR is a request issued by a single system for certificates issued by the CA. Through CSR, the certificate
belongs only to one system and cannot be installed in other systems. By following this method, CSR
significantly reduces the risk of certificates being used illegitimately.
We will now consider an example using System A and System B. The CSR working model is System A or B
issues a CSR (.csr) to the CA and then the CA updates the system with the certificate (.crt) and the CA file
(.crt). Then, system A or B updates the other system with the CA file (.crt). System A or B installs
certificates and the CA file in the system in order to build a VPN connection. Please follow the steps in the
diagram below to learn how to install a CA file (.crt) and certificate (.crt) in order to build IPsec or OpenVPN
connections.
IPsec Status
The user can check the VPN tunnel status in the IPsec Connection List.
This list shows the Name of the IPSec tunnel, IP address of Local and Remote Subnet/Gateway, and the
established status of the Key exchange phase and Data exchange phase.
9-11
L2TP Server (Layer 2 Tunnel Protocol)

L2TP is a popular choice for remote roaming users for VPN applications since an L2TP client is built in to the
Microsoft Windows operating system. Since L2TP does not provide an encryption function, it is usually
combined with IPsec to provide data encryption.
L2TP Configuration
The Industrial Secure Router supports up to 10 accounts with different user names and passwords.
L2TP Server Mode

Enable / Disable Enable or Disable the L2TP function on the WAN1 or WAN 2 Disable
interface
Local IP
IP Address The IP address of the Local Subnet 0.0.0.0
Offered IP Range
IP Address Offered IP range is for the L2TP clients 0.0.0.0
Login User Name

Max. 32 characters. User Name for L2TP connection NULL
Login Password
Max. 32 characters. Password for L2TP connection NULL
9-12
OpenVPN Configuration
Open VPN configuration contains two parts
• OpenVPN Server: Set up the VPN connection, VPN network plan, and user management
• OpenVPN Client: Set up the VPN connection and VPN network, e.g. server IP, and port number.
OpenVPN—Router Mode
Use the OpenVPN router mode to connect two sites that are under different subnets (Layer 3) and encrypt the
TCP/UDP package data transmission. The OpenVPN router mode cannot process broadcast or multicast
frames.
OpenVPN—Bridge Mode
Use the OpenVPN bridge mode to have two locations using different subnets, but there appears to be only
one subnet for encrypting IP packages during data transmission. In this mode, layer 2 broadcast packets
can transmit between different subnets.
9-13
Server Settings
When the Industrial Secure Router is functioning as the OpenVPN Server, it can build connections with up to
five different clients in either TUN mode or TAP mode.
Server Settings–TUN (Router Mode)
OpenVPN Server Setting-TUN

Enable Enable or disable the VPN tunnel. Disable
Server ID Indicate the server user set. The Industrial Secure Router 1
only supports one server at a time.
Interface Type Select the OpenVPN tunnel connection by using either router TUN (Router)
mode or bridge mode.
Network This interface is a virtual interface for server internal usage. 10.8.0.0
Via this interface, server can identify OpenVPN packet and
process it. The default value is 10.8.0.0. Please make sure
the system IP assignment does not conflict with this network
interface.
Netmask The subnet netmask of virtual network is set to 255.255.255.0
255.255.255.0
Push network IP The client will send traffic to the Industrial Secure Router 192.168.127.0
which will forward it to the Push network IP address. The
destination of traffic from client is often the server's LAN
network, so the default value is the server's LAN network.
Push netmask Enter the netmask of the network behind the VPN server. 255.255.255.0
Protocol Select the protocol to be used for the VPN. UDP
Port Enter the port number for the TCP/UDP connection. 1194
9-14
Encryption algorithm Select the authentication mode for key exchange. The BlowFish CBC
configuration fields vary depending on the authentication
mode you select.
Hash algorithm Select the MD5, SHA-1, or SHA-256 VPN key exchange phase SHA1
1 hash mode.
LZO compression Compress tunnel packets using the LZO algorithm. Enable
CA Certificate Select the Certificate Authority (.crt) uploaded in ‘Trusted CA N/A
Certificate’
Certificate Select the certificate (.crt) uploaded in ‘Local Certificate’ N/A
User authentication Only password authentication is supported in server mode Password
Keepalive Check if the client connection is alive Enable
Redirect to default Select Enable to force all clients’ generated traffic to pass Disable
gateway through the tunnel
Allow Client-to-client Select Enable to allow communication between clients Disable
connected to the server. If this function is disabled, the
clients will only be able to communicate with the server. For
more details, please see the section ‘Examples for Typical
VAPN Applications’.
Server Setting–TAP (Bridge Mode)
9-15
OpenVPN Server Settings-TAP

Enable Enable or disable the VPN tunnel. Disable
Server ID Indicates the server the user set. The industrial secure router 1
only supports one server at a time
Interface Type Select OpenVPN tunnel connection by router mode or bridge TUN (Router)
mode
Bridge with LAN In TAP mode, select the LAN interface of the server that will LAN
connect with the client. Please refer to the Interface section
for how to create different LAN interfaces
DHCP Proxy Please refer to DHCP Proxy demonstration. Enable
External Gateway IP Enter in the LAN interface IP which is selected in Bridge with 0.0.0.0
LAN. When OpenVPN server plays as DHCP server, the LAN
interface of the server will be the default gateway of the
client. And client's traffic will be route this LAN.
External Gateway Enter in the LAN interface netmask which is selected in Bridge 0.0.0.0
Netmask with LAN.
IP Pool Range This is the network that will access the remote VPN server 0.0.0.0
and
the IP range that can be assigned (clients number) in this
local
network. The IP address entered here will be the start IP for
the local network (client).
Protocol Select the protocol to be used for VPN. UDP
Port Enter the port number for the TCP/UDP connection 1194
Encryption algorithm Select authentication mode for the key exchange. The BlowFish CBC
configuration fields vary depending on the authentication
mode
you select.
Hash algorithm Select the MD5, SHA-1 or SHA-256 VPN key exchange phase SHA1
1 hash mode.
LZO compression Compress tunnel packets using the LZO algorithm Enable
CA Certificate Select the Certificate Authority (.crt) uploaded in ‘Trusted CA N/A
Certificate’
Certificate Select the certificate (.crt) uploaded in ‘Local Certificate’
User authentication Only password authentication is supported in server mode. Password
Keepalive Select Enable to check if the client connection is alive Enable
Redirect to default Select Enable to force all clients’ generated traffic to pass Disable
gateway through the tunnel. For more details, please check the section
Example for Typical VPN Applications.
Allow Client-to-client Select Enable to allow communication between clients Disable
connected to the server. If this function is disabled, the
clients
will only be able to communicate with the server. For more
details please check the section Example for Typical VPN
Applications.
9-16
DHCP Proxy demonstration
In OpenVPN Bridge mode (TAP interface type), the client and server are configured as one local area
network. In this case, all of the devices will be set as in one subnet. Therefore broadcast packets can be
received by all the devices. To achieve this, the OpenVPN server will assign IP to clients to make sure
clients’ IP are in the same subnet with server’s IP.
If there is a DHCP server behind OpenVPN server, OpenVPN server can play as DHCP proxy to relay
DHCPDISCOVER to DHCP server, and DHCP server will send IP setting (DHCPOFFER, DHCPACK) to clients. If
there is no DHCP server behind OpenVPN server, OpenVPN server will play as DHCP sever to send IP setting
to clients.
According to this user scenario, users can set OpenVPN server as DHCP server or DHCP proxy in DHCP
Proxy.
DHCP proxy Enable
When DHCP Proxy is enabled, OpenVPN server will play as DHCP proxy to relay DHCPDISCOVER from
clients to DHCP server. Packet flow is as below figure.
DHCP Proxy Disable
When DHCP Proxy is disabled, OpenVPN server will play as DHCP server and will manage DHCPDISCOVER
from clients. OpenVPN server will send IP setting to clients. After TCP/IP is set up, OpenVPN server will be
clients’ default gateway. Packet flow is as below figure.
9-17
User Management
Enables management and export of user configurations.
OpenVPN User Setting

OpenVPN Server Indicate the server that the client will connect with. ovpnserver1
User Name Enter the User Name. The Industrial Secure Router supports NULL
five clients to connect with a server, which allows the user to
set up the user name and password for five clients.
New Password Enter the new password. NULL
Confirm Password Enter the password again. NULL
Remote Network Enter the subnet of each user. The Industrial Secure Router is 0.0.0.0
set up to support 5 different subnets.
Netmask Enter the remote network subnet mask of each user. 0.0.0.0
Server to User Config
After finishing the server settings, the user has to create a profile (.ovpn file) as well. However, in order to
achieve this you need basic network knowledge. In order to simplify this process, the Industrial Secure
Router can generate .ovpn file, named ovpnclient, for user to import into the client device.
In Server to User Config, the user can export the ovpnclient.ovpn file and import it into the client device to
build the VPN connection. Below we use a simple case to demonstrate the setup process.
In the following, we will demonstrate how to import this ovpnclient.ovpn file and create OpenVPN
connection.
9-18
Server to User Config demonstration
In the topology below, the client wants to build a VPN connection with OpenVPN server.
Step 1: Setup OpenVPN server
Step 2: Export ovpnclient.ovpn file from the server
Step 3: Download OpenVPN installer and install it in to the client device. Keep the default settings until the
setup is complete.
9-19
Rename virtual interface to pvpn.
Step 4. Import ovpnclient.ovpn file in OpenVPN cofig file.
9-20
Step 5: Connect client to the server. Click the OpenVPN GUI icon. When OpenVPN connection is not built
up, the icon will show in yellow.
Type in the user account and password which can be set in “User Management”.
Step 6: When OpenVPN is built up, the OpenVPN GUI icon will turn green.
9-21
OpenVPN Server Status
Here will show the OpenVPN server connection information, including client name, real IP address and start
time.
Client Settings
When the Industrial Secure Router is functioning as the OpenVPN Client, it can build connections with up to
two different servers in either TUN mode or TAP mode.
9-22
Client Setting
Enable Select Enable to activate the OpenVPN Client. Disable
Client ID The Industrial Secure Router can build connections with a 1
maximum of two different servers.
Interface type Select OpenVPN tunnel connection by router or bridge mode. TUN
Bridge with LAN In TAP mode, select the LAN interface of the client that will LAN
connect with the server. Please refer to the Interface section
for how to create different LAN interfaces.
Remote server IP Enter the IP address of the VPN server that the client wants 0.0.0.0
to connect with.
Port Enter the remote server port number for TCP or UDP 1194
connection.
Protocol Select the protocol to be used for the VPN. UDP
LZO compression Compress tunnel packets using the LZO algorithm. Enable
Encryption Select authentication mode for key exchange. The BlowFish CBC
cipher configuration fields vary depending on the authentication
mode the user selects.
Hash algorithm Select the MD5 or SHA-1 VPN key exchange phase 1 hash SHA1
mode.
CA Certificate Select the Certificate Authority (.crt) uploaded in ‘Trusted CA NULL
Certificate’
Certificate Select the certificate (.crt) uploaded in ’Local Certificate’. NULL
Authentication method Users can select either password or certification to protect the Certificate
authentication.
User name Enter the user name for the client that you set on the server. NULL
Password Enter the client password that you set on the server (up to 15 NULL
characters.)
OpenVPN Client Status
9-23
Examples for Typical VPN Applications
Site to Site IPsec VPN tunnel with Pre-Shared Key

The following example shows how to create a secure LAN to LAN VPN tunnel between the Central site and
Remote site via an Intranet network.
VPN Plan
• All communication from the Central site network (100.100.1.0/24) to the Remote site Network
(100.100.3.0/24) needs to pass through the VPN tunnel.
• Intranet Network is 100.100.2.0/24
• The configuration of the WAN/LAN interface for 2 Industrial Secure Routers is shown in the following
table.
Configuration Industrial Secure Router (1) Industrial Secure Router (2)

EDR-G903 WAN IP 100.100.2.1 100.100.2.2
Interface Setting LAN IP 100.100.1.1 100.100.3.1
Based on the requirement and VPN plan, the recommended configuration for VPN IPsec is shown in the
following table
Configuration Industrial Secure Router (1) Industrial Secure Router (2)

Tunnel Setting Connection Type Site to Site Site to Site
Remote VPN 100.100.2.2 100.100.2.1
gateway
Startup mode Wait for Connection Start in Initial
Local Network / 100.100.1.0 / 100.100.3.0 /
Netmask 255.255.255.0 25.255.255.0
Remote Network / 100.100.3.0 / 100.100.1.0 /
Netmask 25.255.255.0 255.255.255.0
Key Exchange Pre-Shared Key 12345 12345
Data Exchange Encryption / Harsh 3DES / SHA1 3DES / SHA1
9-24
Site to Site IPsec VPN tunnel with Jupiter System

To build up a VPN tunnel, central site router and remote site router have to know the identity of each other
and use the same authentication mechanism to verify each other. Here we take Juniper SSG5 as an
example to elaborate how the Industrial Secure Router can build an IPsec VPN connection with Juniper
systems.
VPN Plan
All communication from the Central site network (192.168.127.0/24) to the Remote site Network
Intranet Network is 10.10.10.0/24
The configuration of the WAN/LAN interface for the Industrial Secure Routers and Juniper SSG5 is shown in
the following table.
Configuration EDR Series Juniper SSG5
Router Setting WAN IP 10.10.10.100 10.10.10.200
LAN IP 192.168.127.254 192.168.128.254
following table:
Configuration EDR Series Juniper SSG5
Remote VPN 10.10.10.200 10.10.10.100
gateway
Local Network / 192.168.127.0 / 192.168.128.0 /
Netmask 255.255.255.0 25.255.255.0
Remote Network / 192.168.128.0 / 192.168.127.0 /
Netmask 25.255.255.0 255.255.255.0
Identity IP address IP address
Local ID: 10.10.10.100 Local ID: 10.10.10.200
Remote ID: 10.10.10.200 Remote ID:
10.10.10.100
Key Exchange Authentication mode Pre-Shared Key or X.509 Pre-Shared Key or
with CA X.509 with CA
Please note to build up a connection with Juniper systems, the identity should set as “IP Address” and
authentication mode should set as “Pre-Shared Key or X.509 with CA”. In the EDR series compliance test
with Juniper SSG5, identity except IP Address and authentication mode X.509 does not work in Juniper
SSG5. The Industrial Secure Router with Juniper compliance matrix is shown below:
9-25
EDR Series VPN Setting to Authentication mode

comply Pre-shared Key X.509 X.509 With CA
with Juniper System
IP Address Comply Not comply Comply

FQDN Not Comply
Key ID
Identity
Auto
(with Cisco)
Site to Site IPsec VPN tunnel with Cisco system
To build up a VPN tunnel, the central site router and remote site router have to know the identity of each
other and use the same authentication mechanism to verify each other. Here we take Cisco’s ASA5510 as
example to elaborate how the Industrial Secure Router builds an IPsec VPN connection with Cisco systems.
VPN Plan
All communication from the Central site network (192.168.127.0/24) to the Remote site Network
Intranet Network is 10.10.10.0/24
The configuration of the WAN/LAN interface for the Industrial Secure Routers and Cisco ASA5510 is shown
in the following table:
Configuration EDR Series Cisco ASA5510
Router Setting WAN IP 10.10.10.100 10.10.10.200
LAN IP 192.168.127.254 192.168.128.254
following table
Configuration EDR Series Cisco ASA5510
Remote VPN 10.10.10.200 10.10.10.100
gateway
Local Network / 192.168.127.0 / 192.168.128.0 /
Netmask 255.255.255.0 25.255.255.0
Remote Network / 192.168.128.0 / 192.168.127.0 /
Netmask 25.255.255.0 255.255.255.0
Identity Auto(with Cisco)
Key Exchange Authentication mode Pre-Shared Key or X.509 Pre-Shared Key or

with CA X.509 with CA
9-26
Please note to build up connection with Cisco systems, please base on your preferred authentication mode
to decide which identity you prefer. Authentication modes including Pre-shared Key and X.509 with CA are
supported when the Industrial Secure Router works with Cisco systems. However, X.509 is not supported in
this case.
If you prefer Pre-shared Key, the identity can be set as “IP Address”, “FQDN”, “Key ID”, or “Auto (with
Cisco)”. If you X.509 with CA, the identity should be set as “Auto (with Cisco)”. The Industrial Secure
Router with Cisco compliance matrix is shown below:
To simplify the setup process, the Industrial Secure Router supports an identity, called “Auto(with
Cisco)”. No matter if Pre-shared Key or X.509 with CA is preferred, you can just select “Auto(with
Cisco)” as identity.
EDR Series VPN Authentication mode

Setting to comply Pre-shared Key X.509 X.509 With CA
with Cisco System
IP Address Comply Not comply Not comply
FQDN Comply
Key ID Comply
Identity
Auto (with Comply Comply

Cisco)
L2TP for Remote User Maintenance

The following example shows how a Roaming user uses L2TP over IPsec to connect to the remote site
network.
VPN Plan
• All communication from the Roaming user (no fixed IP) to the Remote site Network (100.100.3.0/24)
needs to pass through the VPN tunnel.
• Communication goes through the Internet.
• The configuration of the WAN/LAN interface for the Industrial Secure Router is shown in the following
table.
Configuration Industrial Secure Router (1)

EDR-G903 WAN IP 100.100.2.1
Interface Setting LAN IP 100.100.3.1
Based on the requirement and VPN plan, the recommended configuration for L2TP over IPsec is shown in
the following table:
9-27
Configuration Industrial Secure Router (1)

L2TP Server Setting L2TP Server Mode (WAN1) Enable
Local IP (L2TP Server IP) 100.100.4.1
Offer IP Range 100.100.4.1 ~100.100.4.100
Login User / Password User01 / 12345
Tunnel Setting Connection Type Site to Site (Any)
L2TP Tunnel Enable
Local Network 100.100.3.1 / 24
(Same as LAN Interface)
Startup mode Wait for Connection
Key Exchange Pre-Shared Key 12345
Data Exchange Encryption Algorithm 3DES
Harsh Algorithm SHA1
Client-to-Client communication via OpenVPN

Industrial Secure Router supports Client-to Client communication via OpenVPN. In this setting, clients can
have secure communications with each other. At the field site, system security can be significantly
strengthened using this method.
Redirect default gateway via OpenVPN

For some scenarios, user has high security requirements for end devices that are connected to the Internet.
Any traffic destined for the Internet should be examined by OpenVPN server before connecting to the
Internet. First, the traffic will go through the Industrial Secure Router, and then it will pass to the Internet.
Under this setting, traffic from client devices will all be transferred to OpenVPN server first, and then pass to
Internet.
9-28
Create OpenVPN connection on a mobile device

User can use a mobile device to create OpenVPN connection with OpenVPN server.
Please follow the steps below:
Step 1: Download the OpenVPN Connect App into your mobile device. (The OpenVPN Connect App is
compatible with iOS and Android platforms.)
9-29
Step2: Download the ovpnclient.ovpn file from the Industrial Secure Router into the mobile device. And then
open it with the OPenVPN. Connect App. Then the user will see the server IP, which is marked in red below.
Then press “+”icon to add this VPN connection.
Step 3: Type in User ID and password. Then slide the button from disconnected to connected, which is
highlighted in red below.
Step 4: Waiting for server verification.
9-30
10
10. Certificate Management
For the purposes of this document, certificate management refers to the X.509 SSL certificate. X.509 is a
digital certificate method commonly used for IPsec, OpenVPN, and HTTPS authentication. The Industrial
Secure Router can act as a Root CA (Certificate Authority) and issue a trusted Root Certificate. Alternatively,
users can import certificates from other CAs into the Industrial Secure Router.
Certificates are a time related authentication mechanism. Before processing certificate management, please
make ensure the industrial secure router is synced with the local device. For more details regarding time
sync, please refer to section Date and Time
 Local Certificate
 Trusted CA Certificates
 Certificate Signing Request
 CA Server
Industrial Secure Router Certification Management
Local Certificate
For Local Certificates, users can import certificates issued by the CA into the Industrial Secure Router.
Local Certificate
Import Identity Certificate

Certificate/ Certificate Select the type of certificate the user has. Certificate
from CSR/ Certificate Certificate uses the file extension .crt
from PKCS#12 The certificate from CSR is a certificate issued by other CA
Certificate from PKCS#12 uses the file extension .p12
Label
Label No. of certificates N/A
NOTE When importing the Certificate from PKCS#12, the user has to browse the certificate before typing Import
Password
Trusted CA Certificates
In Trusted CA Certificates, users can import a CA that the user trusts into the Industrial Secure Router. It is
recommended that the user imports a trusted CA in advance. Otherwise, the Industrial Secure Router may
not recognize the certificate and reject the connection.
10-2
Certificate Signing Request

If the user wants to get a certificate from the CA for connection purposes, then the two steps below need to
be followed in order to generate a private key and certificate signing request.
Step1: Generate Private Key

Before sending the Certificate Signing Request (CSR) to the CA, the CSR must include a public key that can
be generated with a private key simultaneously. The user can use a private key to encrypt data and the
receiver can use a public key to decrypt the data.
Key Pair Generate
Name
Name Naming each private key N/A
NOTE The user has to click Add before entering the name of each key.
Step2: Generate CSR

After generating the private key, the user can choose the key in Private Key and then must fill in all the
information under Certificate Subject Name. After that, the user can click Generate to create the CSR
and the CSR will be displayed in the Certificate List. To export the CSR, the user can simply choose the
CSR in Certificate List and click Export.
10-3
Certificate Signing Request
Private Key
Private Key Choose the key generated in Key Pair Generate N/A
CA Server
Aside from getting the certificate from other CAs, the Industrial Secure Router can act as a RootCA to issue
a certificate for each connection. After the RootCA has been set up, the Industrial Secure Router can send
requests to ask for a certificate from the RootCA.
Certificate Request
If a system only has their own certificate on hand, and do not have other systems’ certificates, how can the
system recognize other systems? The answer to this problem is Trust CA. As mentioned in the section Trust
CA certificate, users can import a CA (.cer) that they trust into the Industrial Secure Router. When the user
does this, the system will accept the certificate that was issued by a trusted CA.
If users want to use a certificate issued by the Industrial Secure Router functioning as a RootCA, the
receiver must import this RootCA settings (.cer) as a trusted CA and recognize then it will recognize the
RootCA certificate during connection. Otherwise, this connection will be rejected by the receiver. Users can
create RootCA via Certificate Request and export the RootCA settings by clicking RootCA Export.
The user has to fill in all the RootCA information in the Certificate Request in order to create the RootCA.
Certificate Setting
After creating the RootCA successfully, users can issue a request for a certificate from the RootCA in the
Certificate Setting. After filling in the information, users can generate two kinds of certificate: PKCS#12
(.p12) and certificate (.crt). A PKCS#12 request includes a private key but a certificate does not. To export
a PKCS#12 certificate, please click PKCS#12 Export. To export a certificate request, please click
Certification Export.
10-4
11
11. Diagnosis
The Industrial Secure Router provides Ping tools and LLDP for administrators to diagnose network systems.
 Ping
 LLDP
 Monitor
 Statistics
 Bandwidth Utilization
 Display Setting
 Display Setting
Industrial Secure Router Diagnosis
Ping
The Ping function uses the ping command to give users a simple but powerful tool for troubleshooting
network problems. The function’s most unique feature is that even though the ping command is entered
from the user’s PC keyboard, the actual ping command originates from the Industrial Secure Router itself.
In this way, the user can essentially control the Industrial Secure Router and send ping commands out
through its ports. There are two basic steps required to set up the Ping command to test network integrity:
1. Select which interface will be used to send the ping commands. You may choose from WAN1, WAN2, and
LAN.
2. Type in the desired IP address, and click Ping.
LLDP
LLDP Function Overview
Defined by IEEE 802.11AB, Link Layer Discovery Protocol (LLDP) is an OSI Layer 2 Protocol that
standardizes the methodology of self-identity advertisement. It allows each networking device, such as a
Moxa managed switch/router, to periodically inform its neighbors about itself and its configuration. In this
way, all devices will be aware of each other.
The router’s web interface can be used to enable or disable LLDP, and to set the LLDP Message Transmit
Interval. Users can view each switch’s neighbor-list, which is reported by its network neighbors.
LLDP Setting
Enable LLDP
Enable or Disable Enable or disable LLDP function. Enable
Message Transmit Interval

5 to 32768 sec. Set the transmit interval of LLDP messages. Unit is in 30 (sec.)
seconds.
11-2
LLDT Table
Port: The port number that connects to the neighbor device.

Neighbor ID: A unique entity that identifies a neighbor device; this is typically the MAC address.
Neighbor Port: The port number of the neighbor device.
Neighbor Port Description: A textual description of the neighbor device’s interface.
Neighbor System: Hostname of the neighbor device.
Monitor
Statistics
Users can monitor the data transmission activity of all the Industrial Secure Router ports from two
perspectives, Bandwidth Utilization and Packet Counter. The graph displays data transmission activity
by showing Utilization/Sec or Packet/Sec (i.e., packets per second, or pps) versus Min:Sec. (Minutes:
Seconds). The graph is updated every 5 seconds, allowing the user to analyze data transmission activity in
real-time.
Bandwidth Utilization
In Bandwidth Utilization mode, users can monitor total bandwidth in each interface (IP Interface), each
port or port group (Ports). In addition to display type, users can configure which packet flow is monitored,
TX Packets, RX Packets or both (TX/RX). TX Packets are packets sent out from the Industrial Secure
Router, and RX Packets are packets received from connected devices.
11-3
Display Mode
Bandwidth Utilization/ Graph display traffic bandwidth/Graph display total packet Packet Counter
Packet Counter amount per second
Display Setting
Display Type
Port (only supported in Monitor total traffic per port or group port (FE Ports/ GE IP Interface
EDR-810) Ports)
IP Interface Monitor total traffic per interface, e.g. LAN, WAN, Bridge
Port Selection
ALL Ports/ FE Ports/ Users can select which port or port group they want to ALL Ports
GE Ports/ Port1/ Port2/ monitor traffic from
Port3/ Port4/ Port5/
PortG1/ PortG2
Interface Selection
All/LAN/WAN/Bridge_L Select which interface user want to monitor traffic All
AN
Sniffer Mode
(TX/RX)/TX/RX Select which packet flow is monitored TX/RX
Packet Counter
In Packet Counter mode, users can monitor total packet amount per second in each interface (IP
Interface), each port or port group (Ports). In addition to display type, users can configure which packet
flow is monitored, TX Packets, RX Packets or both (TX/RX). TX Packets are packets sent out from the
Industrial Secure Router, and RX Packets are packets received from connected devices. At the same time,
users can choose to monitor different packet types, e.g. unicast, broadcast, multicast and error.
11-4
Display Mode
Bandwidth Utilization/ Graph display traffic bandwidth/ Graph display total packet Packet Counter
Packet Counter amount per second
Display Setting
Display Type
Port/ IP Interface Monitor total traffic per port or group port (FE Ports/ GE IP Interface
Ports)/ Monitor total traffic per interface, e.g. LAN, WAN,
Bridge
Port Selection
ALL Ports/ FE Ports/ Users can select which port or port group they want to ALL Ports
GE Ports/ Port1/ Port2/ monitor traffic from
PortG1/ PortG2
11-5
Interface Selection
All/WAN/LAN/ Select which interface user want to monitor traffic All
/Bridge_LAN
Sniffer Mode
(TX/RX)/TX/RX Select which packet flow is monitored TX/RX
Packet Type
All/ Unicast/ Select which packet type is monitored All
Broadcast/ Multicast/
Error
11-6
A
A. MIB Groups
The Industrial Secure Router comes with built-in SNMP (Simple Network Management Protocol) agent
software that supports cold start trap, line up/down trap, and RFC 1213 MIB-II. The standard MIB groups
that the Industrial Secure Router series support are:
MIB II.1 – System Group

sysORTable
MIB II.2 – Interfaces Group

ifTable
MIB II.4 – IP Group

ipAddrTable
ipNetToMediaTable
IpGroup
IpBasicStatsGroup
IpStatsGroup
MIB II.5 – ICMP Group

IcmpGroup
IcmpInputStatus
IcmpOutputStats
MIB II.6 – TCP Group

tcpConnTable
TcpGroup
TcpStats
MIB II.7 – UDP Group

udpTable
UdpStats
MIB II.11 – SNMP Group

SnmpBasicGroup
SnmpInputStats
SnmpOutputStats
Public Traps
1. Cold Start
2. Link Up
3. Link Down
4. Authentication Failure
Private Traps:
1. Configuration Changed
2. Power On
3. Power Off
4. DI Trap
Industrial Secure Router MBI Groups
The Industrial Secure Router also provides a MIB file, located in the file “Moxa-EDRG903-MIB.my” on the
Industrial Secure Router Series utility CD-ROM for SNMP trap message interpretation
A-2

Moxa Edr 810 Series Manual v4.0

Uploaded by

Copyright:

Available Formats

Moxa Edr 810 Series Manual v4.0

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Moxa Edr 810 Series Manual v4.0

Uploaded by

Copyright:

Available Formats

Industrial Secure Router User’s Manual

Edition 4.0, April 2018

© 2018 Moxa Inc. All rights reserved.

© 2018 Moxa Inc. All rights reserved.

The MOXA logo is a registered trademark of Moxa Inc.

Technical Support Contact Information

Moxa Europe Moxa Asia-Pacific

1. Introduction ...................................................................................................................................... 1-1

The following topics are covered in this chapter:

• 1 Moxa Industrial Secure Router

Industrial Networking Capability

Designed for Industrial Applications

Useful Utility and Remote Configuration

• Send ping commands to identify network segment integrity

The following topics are covered in this chapter:

 RS-232 Console Configuration (115200, None, 8, 1, VT100)

RS-232 Console Configuration (115200, None,

2. Select Open in the Port Manager menu to open a new connection.

Login by Admin Account

Using Telnet to Access the Industrial Secure

NOTE The Industrial Secure Router’s default LAN IP address is 192.168.127.254.

Using a Web Browser to Configure the

NOTE The Industrial Secure Router’s default LAN IP address is 192.168.127.254.

The following topics are covered in this chapter:

 Quick Setting Profile

Quick Setting Profile

WAN Routing Quick Setting

Step 1: Define the WAN ports and LAN ports

Step 3: Configure the WAN port type

Step 4: Enable services

Step 5: Activate the settings

Bridge Routing Quick Setting

Step1: Define the WAN port and Bridge ports

Step 3: Configure the WAN port type

Step 4: Enable services

Fast Bootup Setting

Enable Fast Bootup Setting

Maintainer Contact Info

Create New Account

Setting Description Factory Default

Modify Existing Account

Delete Existing Account

Password and Login Policy

Account Password Policy

Account Login Failure Lockout

Date and Time

Daylight Saving Time

Time Server IP/Name

Enable NTP/SNTP Server

System Event Settings for EDR-810

System Events Description

Debug Debug-level messages

Port Event Settings

Port Events are related to the activity of a specific port.

Port Events Warning e-mail is sent when…

Event Log Setting

Mail Server IP/Name

Send Test Email

Syslog Server Settings