Documente Academic
Documente Profesional
Documente Cultură
Technical Note
Contents:
1
Scope ..................................................................................................................... 5
Introduction ......................................................................................................... 6
Target audience............................................................................................. 6
Conventions .................................................................................................. 6
Pre-requisites ................................................................................................ 6
Identifying the products ................................................................................ 7
Dual SIM models .............................................................................. 7
The Single SIM Lite models .......................................................... 7
Product code mapping .................................................................................. 8
Grounding .......................................................................................................... 20
1 (134)
1MRS758449 EN
2 (134)
1MRS758449 EN
3 (134)
1MRS758449 EN
4 (134)
1MRS758449 EN
Scope
This document provides instructions on how to configure the following Arctic products
against the M2M Gateway product.
ARG600 Wireless Gateways
ARP600 Wireless Protocol Gateways
ARR600 Wireless I/O Gateways
ARC600 Wireless Controllers
The devices listed above are referred to as M2M GW, Arctic, device or Wireless
Gateway/Controller later on in this document.
This Technical Note explains the parameters and certain recommended values for
configuring the devices. There are also descriptions for functionalities, (e.g. WAN
failover mechanism, D-NAT) and information regarding advanced configurations, such
as connecting a remote field laptop safely to the system.
5 (134)
1MRS758449 EN
Introduction
The 3G/LTE Arctic Wireless Gateways/Controllers are having new features and new
Web human-machine interface (abbreviated later as Web HMI), when compared to
RER603 or REC603 products. This Technical Note instructs configuring the Wireless
Gateways for establishing VPN tunnels to the M2M Gateway. There are also detailed
explanations for menu items of the Web HMI of these devices.
The 2G models (ABB RER603 and REC603) are not in scope of this document.
Target audience
The target audience for this document is:
Field engineers
Sales partners
Customers' technical personnel
Conventions
The following conventions may be used in this document:
The menu items in graphical user interfaces are denoted as bolded font and the
sequence of mouse clicks, while configuring the devices in menus is separated
with an arrow. Example: Click Tools System log.
The console or command line output is printed with courier font and user input is
printed with bold courier new font. Example:
[adm@abb ~]# date
Mon Nov 23 14:24:53 EET 2015
The usernames, passwords and parameter-value pairs are denoted with courier
font.
The placeholders for actual values are written between < and > mark.
For example, the <IP address> would mean the place to write the actual IP
address.
Pre-requisites
It is assumed that the reader of this document has a basic knowledge of Linux and
Windows systems and TCP/IP networking.
6 (134)
1MRS758449 EN
7 (134)
1MRS758449 EN
SMA-type antenna connector whereas the older 2G models are having bigger FME
connector).
8 (134)
1MRS758449 EN
Installation workflow
This document describes the installation and configuration procedures. The theory of e.g.
IP networking and planning is only briefly explained as it is not in scope of this
document. The work flow has been separated into two parts:
1. The procedures for planning and decision making
2. The actual installation procedures
9 (134)
1MRS758449 EN
Before starting
Before starting the installation and configuration, make sure that the following
aspects are covered.
Selecting the cellular operator
Select the cellular operator, whose SIM cards are to be used. You may check the
signal strength and service availability at the site with a cellular phone. Note that
prepaid SIM cards may not work with this solution.
For the billing point of view, it is recommended to choose an operator providing flatfee rates for cellular data transfer, especially if the amount of data transferred over
cellular network is large. Compare the local operators based on fees and network
availability at the site.
Pre-installation checklist
Go through the following check list, in order to ensure that you have all required
aspects covered and available:
10 (134)
1MRS758449 EN
11 (134)
1MRS758449 EN
12 (134)
1MRS758449 EN
13 (134)
1MRS758449 EN
14 (134)
1MRS758449 EN
15 (134)
1MRS758449 EN
port is always type of RS-232. Both RS1 and RS2 port connectors are D9 type in all
models.
Antenna
If the signal in the site is weak or the device is located inside a cabinet, the signal
level may not be sufficient for operation when using the standard antenna. External
antenna can be connected with suitable cable.
Antenna connectors
An external antenna with a cable equipped with the following connectors can be
used.
FME (dual SIM products), male gender in the device itself, female in the
antenna or antenna cable
SMA connector (Lite models; C- P- and R-series), female gender in the
device itself, male in the antenna or antenna cable (the connector is ordinary
SMA).
Antenna type
The recommendation is to use an omnidirectional antenna, which has an even gain in
every direction. Antennas with 3 to 9 dBi gain are recommended, the higher gain the
better. If there is a poor signal level at the site, a directional antenna can be used. It
must be pointing to the cellular base station having the strongest signal. The
polarization of the cellular antennas is vertical; hence mount the directional Yagi
antenna so that the elements are vertically aligned.
Inserting SIM card
Make sure that the SIM card has cellular data plan enabled. You may test the SIM in a
smartphone in order to verify the data transfer capability of the subscription.
If the SIM card requires PIN number, you will need to configure the PIN number in
the device prior to inserting the SIM card. In case of a wrong PIN defined, change the
PIN in web HMI, insert SIM card to a cellular phone and enter the correct PIN. The
device itself tries PIN only once in order to avoid SIM card lockup.
Use standard mini SIM cards. A micro or nano SIM card is not compatible unless a
separate adapter is used (such adapters are not recommended). When the SIM card is
inserted and the device is powered on, the SIM LED should be lit after approx. a
minute from starting (dual SIM products). The SIG LED indicates strong signal (LED
lit), weak signal (LED blinking) or no signal (LED not lit).
16 (134)
1MRS758449 EN
1) Eject the SIM card cradle from the device by pushing the green/yellow eject
button in the SIM holder with e.g. an unfolded paper clip.
3) Insert the holder to the device. Make sure the cradle slides to the rails in the
connector. Push the holder all the way in until it stops.
Rails
Eject
button
17 (134)
1MRS758449 EN
Keyboard
connector
PS/2
VGA
Connector
15-pin
Port 1: eth0
WAN port
Port 2: eth1
LAN port
18 (134)
1MRS758449 EN
Note that the Ethernet port LEDs may be lit even if the M2M GW server is in standby
mode (powered off but power cord and Ethernet cable attached).
19 (134)
1MRS758449 EN
Grounding
In order to avoid device failures due to ground loops or due to other grounding
problems, it is essential to verify that proper actions are taken regarding the
grounding of the equipment.
The grounding of the equipment depends on the use case and also on the national
electrical and safety regulations. Some best practices for grounding of the
equipment are as below:
Consider whether the Shielded Twisted pair Ethernet cable (STP) is
needed, if not, use unshielded cable (UTP) to avoid ground loops.
Use one common grounding point.
Although data transmission is balanced in RS-485, a proper grounding
may be required if the distance between devices is long and/or they dont
otherwise share the common ground.
The most common reason for RS-485/422 circuit damages is the
excessive potential difference between the devices. When separate
grounding is required connect each remote device to the common ground
wire. Connect the common ground to devices signal ground (pin 5) and
to serial connector chassis.
Using optical isolators in serial ports is recommended in e.g. electrical
substations or similarly demanding electrical high-noise environments.
Note that the input voltage DC ground pin of the device has a galvanic
connection to the chassis.
20 (134)
1MRS758449 EN
21 (134)
1MRS758449 EN
22 (134)
1MRS758449 EN
As you are now connected to M2M GW via eth0 interface, which is the future
WAN port, it is recommended to change the eth1 (the LAN port) first
23 (134)
1MRS758449 EN
3. In the Edit Bootup Interface screen of eth1, set the interfaces attributes as
follows. You may change the IP address and netmask according to your setup
(e.g. if the 192.168.0.1 is reserved for the internet gateway, you may configure
the M2M GW as e.g. 192.168.0.2).
a. Name: eth1
b. Netmask: 255.255.255.0
c. MTU: Automatic
d. IP Address: 192.168.0.1, static
e. Broadcast: 192.168.0.255
f. Activate at boot: Yes
g. Enable proxy ARP: No
24 (134)
1MRS758449 EN
25 (134)
1MRS758449 EN
26 (134)
1MRS758449 EN
you will need to define a static route to that subnet. Do not define static routes
over dynamic VPN tunnels.
27 (134)
1MRS758449 EN
28 (134)
1MRS758449 EN
29 (134)
1MRS758449 EN
Free-text fields for respective informational data. These fields can be left
blank.
Web HMI enabled
Usually the Web HMI is always enabled. The setting cannot be changed via
Web HMI.
Menu Style
By default all menu items are shown. To avoid clutter on the screen, the menu
can be collapsed to show only main items.
Session timeout
The devices Web HMI session will time out after specified time (in minutes)
and a new login is needed. The maximum adjustable session timeout is 1440
minutes.
Time
There is an internal real time clock (RTC), which keeps the devices time and
can be synchronized from an NTP server. The time and date can be set
automatically or manually (also manually copied from the computers clock).
There is an internal super capacitor for keeping up the real time clock in a
power outage. In case of long unpowered storage, the capacitor may run out
of power and the real time clock is cleared to time poque, which is the year
1970. While deploying a storage unit, it is a good practice to verify the time.
Note: The OpenVPN will compare the certificates key expiration time with
current reading of RTC. If the certificate is too old (expired) or too new (not
yet valid), the OpenVPN tunnel will not be established.
The device will try resolving the current date and time from cellular network,
but in case it fails, verify that the devices and M2M GWs clocks are in
correct time/date and in matching time zones.
Manual mode
In the manual mode, the time is set manually or copying it from a PC (may
not work if the browser has scripts blocked).
30 (134)
1MRS758449 EN
31 (134)
1MRS758449 EN
32 (134)
1MRS758449 EN
Network interfaces
This section is essential in troubleshooting; the GPRS/WWAN interface
should be seen when the device is equipped with SIM card and the access
point settings are correct. If the gprs0 or wwan0 interface is missing, the
device hasnt been able to establish a GPRS/3G/LTE connection. Note that
some devices are showing the cellular interface differently; the interface name
may also be usb0, depending on the model.
The VPN interface will indicate the establishment of the VPN tunnel. If it is
completely missing, a VPN tunnel has not been established.
Routing table
The routing table shows the destination hosts/networks and the gateway,
through which the destination is available. The LAN subnets network
address is seen in lan0 interface and the 0.0.0.0 destination indicates the
default gateway interface. The routes defined by VPN are appearing in the
routing table once the VPN tunnel is established.
Link status
The dual SIM models have one Ethernet WAN port (wan0) and three
switched Ethernet LAN ports (lan0...lan2). Link status shows the established
Ethernet links as well as cellular link (GPRS/EDGE/3G/LTE depending on
the model). The Lite models are having only one Ethernet interface, which
has operating modes of WAN, LAN and auto.
The link status only shows the established links. The cellular link shows the
information from the time the modem information was last updated. For
recent information, go to Tools Modem info page and click Refresh.
VPN status
The VPN status displays the VPN tunnel and the state of it (enabled/disabled,
active or inactive).
Firewall Status
Application tracking = Track applications that create and use dynamic ports
like FTP.
1. Filter = Use packet filtering firewall
2. LAN-In accept = Accept packets from LAN to the device (e.g. DNS or
DHCP requests)
3. Pass vpnin = Accept packets from VPN tunnel
33 (134)
1MRS758449 EN
34 (134)
1MRS758449 EN
35 (134)
1MRS758449 EN
Lan0, 1, 2 media
The speed and duplex of the lan0...2 Ethernet ports can be set to the
following: 100 Mbits/s, full duplex, 100 Mbits/s, half duplex, 10 Mbits/s,
full duplex or 10 Mbits/s, half duplex.
Lan0, 1, 2 MDI
The MDI (medium dependent interface) is the physical twisted pair
cabling Ethernet port (here 10 or 100 baseT), whereas the MDI-X port is
crossover port. The MDI-X allows using straight Ethernet cable when
connecting two computers, or Wireless Gateway/Controller and computer
(otherwise, a cross-connected cable should be used). The selectable
options are MDI, MDI-X or Auto. The Auto-selection is recommended
unless there are problems in connectivity.
Ethernet port (Lite models)
Lite models have only one Ethernet port and the Ethernet port menu item
is used for selecting the ports functional mode (port function), forcing
media type if needed (Ethernet speed and duplex) and forcing the MDI
settings. See the explanations for these menu items in the previous
chapter.
36 (134)
1MRS758449 EN
Note: Usually the devices Ethernet port is used in LAN mode for
connecting Ethernet devices at site. Remember to configure the selected
port via respective menu item (Ethernet LAN, Ethernet VLAN, Ethernet
WAN).
Ethernet VLAN
Do not enable VLAN tagging in a normal setup scenario. If it is needed to
be used, see the separate VLAN Guide document.
Ethernet LAN
Change to 255.255.255.0
37 (134)
1MRS758449 EN
Interface
The lan0 is the default name of the LAN interface.
IP address, Netmask
The default IP address/netmask of the device is 10.10.10.10/255.0.0.0. It
should be changed to accommodate to remote sites IP planning. Each
field devices LAN subnet needs to be unique. The netmask defines the
size of the LAN. The 8-bit default netmask 255.0.0.0 is recommended to
be changed to a netmask that divides the network to smaller LAN subnets.
Note: The default netmask 255.0.0.0 covers the whole 10.x.x.x network.
This will affect routing if smaller subnets of 10.0.0.0/8 address space are
used. Change the netmask to e.g. 255.255.255.0, this way the first device
in this example will have subnet 10.10.10.010.10.10.255 in its use.
Example:
Device #
Subnet
IP address
Netmask
Device 1
10.10.10.0
10.10.10.10
255.255.255.0
Device 2
10.10.11.0
10.10.11.10
255.255.255.0
Device 3
10.10.12.0
10.10.12.10
255.255.255.0
Device 4
10.10.13.0
10.10.13.10
255.255.255.0
38 (134)
1MRS758449 EN
39 (134)
1MRS758449 EN
MTU
Usually it is not needed to limit the MTU (maximum transfer unit) in the
WAN level. Leave empty for default value.
Connectivity monitor
The WAN interfaces have connectivity monitor, which is used in WAN
failover for testing the availability of a WAN interface. Enable ping
testing only if WAN failover is used. Select an always-on ping target,
which is available through the particular Ethernet WAN interface.
Mobile WAN (3G SIM1, 3G SIM2), Mobile WAN (Lite models)
The Mobile WAN is to be enabled if cellular network connection is used.
In dual SIM products, there are two cellular connection possibilities,
mobile WAN 1 and mobile WAN 2. When only one SIM card is used, it
can be put to either of the SIM slots, however, the Primary WAN must be
respectively enabled and chosen in WAN failover settings.
40 (134)
1MRS758449 EN
Mobile WAN settings. Leave the PIN code field empty if no PIN code is
used. If a wrong PIN code is entered, correct the code and enter the
correct PIN code to the SIM card in a mobile phone.
APN type
By default, the automatic APN (access point name) discovery is
The device tries APN values based on the network ID received
cellular network. If the automatic setting is not working, set the
Type parameter from automatic to manual and define the APN,
username and APN password manually.
used.
from
APN
APN
APN
The APN parameter defines the GPRS access point name. The GPRS
access point is a set of configurations in a cellular network element,
which works as a gateway from cellular network to internet.
There are public and private access points. A public access point is
usually defined. A private access point requires contract with a cellular
operator. This M2M solution is compatible with both public and private
access points. Define the access point name as according to information
received from the cellular operator.
Authentication, username, password
If the cellular network requires authentication for using the access point,
the access points username and password need to be defined in the
device. In this case, select the authentication type (PAP, password
authentication protocol or CHAP, challenge handshake authentication
protocol) as according to information received from cellular operator.
DNS selection, DNS servers
Allows user defined DNS servers, receiving DNS server IP addresses
from cellular network or leaving DNS configuration as disabled. The
DNS servers are used for resolving names to IP addresses.
This M2M solution doesnt require DNS services as the IP addresses are
used instead of hostnames. However, if the Wireless Gateway/Controller
is used as a modem, providing the internet access to a PC, it is
recommended to leave the DNS enabled and automatic. The DNS servers
addresses must be manually defined if the selection type is manual (set
the values as according to information received from cellular operator).
41 (134)
1MRS758449 EN
42 (134)
1MRS758449 EN
43 (134)
1MRS758449 EN
Primary WAN
Primary WAN timeout * fault
tolerance
Backup WAN
Backup WAN timeout * fault
tolerance
Secondary backup
WAN
Secondary backup WAN
timeout * fault tolerance
Remote Site
Arctic
GPRS
Secondary WAN
Cellular
Operators
Network
Viola M2M
Gateway
MAIN
LAN
Primary WAN
Access
Router #2
Arctic LAN
ADSL
Operators
Network
Access
Router #1
REMOTE
LAN
Remote
Router
Main
PC
PC 2
PC 1
44 (134)
1MRS758449 EN
45 (134)
1MRS758449 EN
Monitor
The Monitor provides important main level watchdog functionality. As
opposite to WAN and VPN health checks, the Monitor is connected to
internal hardware and provides overall health checking. Furthermore,
Monitor is able to perform functions like WAN and VPN interface
restarts and even rebooting the device if a problem situation is detected. It
is recommended to always enable the Monitor.
46 (134)
1MRS758449 EN
Static routing
The static routes can be set if there are several subnets in devices LAN
(i.e. remote sites LAN). Usually static routes are left undefined as the
VPN tunnel logic handles all necessary routing. Do not define static
routes over dynamic VPN tunnels; instead use routing parameters under
VPN menu.
SMS config
The SMS config enables certain get and set commands to be sent to the
device via cellular phone SMS messages. The purpose for this is to get the
status of the device, get the detail of devices configuration or reboot the
device. For security reasons, if this feature is used, an allowed phone should
be configured; SMSes from other numbers would then be ignored. Below is a
list of available commands.
GET GPRS COMMANDS
get gprs enabled
Description: returns is the GPRS enabled or not
Return values: 0=disabled,1=enabled,error
get gprs pin
Description: returns the PIN code
Return values: PIN code or error
get gprs apn
Description: return the GPRS apn
Return values: apn name or error
get gprs username
Description: returns the GPRS PAP user name
Return values: user name or error
get gprs password
Description: returns the GPRS PAP password
Return values: password or error
get gprs signal
Description: returns the GSM signal level
Return values: signal level or error
get gprs operator
Description: returns the name of GPRS operator
Return values: operator name or error
47 (134)
1MRS758449 EN
48 (134)
1MRS758449 EN
SET COMMANDS
set reboot
Description: reboots the device (soft reboot)
Parameters: none
Return values: ok or error
set echo
Description: echoes back the message
Parameters: [message]
Return values: message or error
VPN
All VPN-related settings, regardless of the VPN type, are defined under VPN menu. The
following VPN tunnels can be chosen:
OpenVPN
SSH-VPN
L2TP-VPN
IPsec (note that the M2M GW doesnt terminate IPsec tunnels).
Certificates
In the certificates menu, the local identity and trusted CA are defined. Both are
created in M2M Gateway. Local identity is used for authenticating the Wireless
Gateway/Controller to M2M Gateway and trusted CA certificate guarantees the
Wireless Gateway/Controller that the M2M Gateway is authentic.
Note that the local identity and trusted CA certificates are self-signed by M2M
Gateway. These certificates are used internally in this M2M solution. There is no
need for using external Certificate Authorities for issuing these certificates.
49 (134)
1MRS758449 EN
50 (134)
1MRS758449 EN
Note: The Wireless Gateways/Controllers hostname and SSH-VPN peer name (in
M2M Gateway) must be identical.
Firewall
The Wireless Gateway/Controller has packet filtering, stateful firewall, which is highly
configurable. By default, the firewall is enabled and pre-set rule list for standard traffic is
applied. The recommended approach is to drop all packets by default and then "whitelist"
wanted packets, most frequent first in the list.
Stateful firewall
The term refers to the firewalls ability to remember the state of TCP/IP connections. It
allows both a simplified firewall configuration and detailed filtering. Typically, LAN
devices are allowed to connect to and then communicate with other Internet devices.
However, nobody from the Internet should be allowed connecting to devices LAN side. As
the firewall understands the connection states, it can be configured to allow outgoing
connections and the communication between established connections but deny all connection
attempts initiated from the outside of the LAN.
Connection states
When the firewall inspects the IP packet, it will determine the packet status to be one of
following:
NEW packet requests a new connection
ESTABLISHED packet belongs to a connection that is already open
INVALID packet is not part of any connection or is malformed
RELATED packet is somehow related to an existing connection or connection attempt.
This is usually used to match ICMP destination unreachable messages.
The state information mostly applies to TCP traffic but for stateless UDP traffic the
request and response rules should be defined separately.
Filtering actions
The firewall will make one of the following decisions with regard to the packet.
PASS packet is accepted
DROP packet is silently dropped and nobody ever sees it again
REJECT packet is dropped, but the other end of the connection is notified with the
ICMP message port unreachable
51 (134)
1MRS758449 EN
Filtering chains
INPUT packets coming from any interface and terminating to the device itself. This
chain is used to restrict access to devices internal services, such as the SSH server, Web
HMI, or the static key OpenVPN server.
OUTPUT packets originated from the device
FORWARD packets coming to the device from any interface, not targeted to the device
itself, but to be routed to another interface instead. This chain is usually used to control
traffic between remote devices and LAN devices
Output
Input
Forward
Fig. 9.4-1 Firewall chain directions
Interfaces
Any The rule applies to packets entering or leaving via any interface
Any VPN Applies to packet entering or leaving via any VPN tunnel
Any WAN Applies to packet entering or leaving via any WAN interface (i.e. Mobile
WAN SIM1, Mobile WAN SIM2 or Ethernet WAN)
Mobile WAN Applies to packet entering or leaving via cellular WAN interface (i.e.
Mobile WAN SIM1, Mobile WAN SIM2, note that the Lite models are having only
one Mobile WAN interface)
Ethernet WAN Applies to packet entering or leaving via Ethernet WAN interface
Ethernet LAN Applies to packet entering or leaving via Ethernet LAN interface
General Settings
The General settings page makes it easy to configure the most usually used
actions by simple Yes/No configuration.
52 (134)
1MRS758449 EN
53 (134)
1MRS758449 EN
the firewall can track such applications. It is recommended to leave the setting
enabled.
Log unauthorized traffic
The packets that are not allowed by firewall rules are logged. It is
recommended to leave the setting as disabled to avoid flooding the system log
file. It can be used in troubleshooting for detecting accidentally dropped
packets.
Reply to ping
Defines whether the device will answer to ICMP ping messages.
Common Functions
There are additional common functions for making the firewall
configuration easier. One can also define more accurate rules in Filter section
(Filter incoming / forwarded / outgoing).
LAN-LAN accepted
When enabled, the device is allowed to route between LAN interfaces
subnets. Usually the device has only one subnet. The setting can be left as
enabled.
LAN-in accepted
It allows the LAN devices to use Wireless Gateways/Controllers services
(i.e. DHCP, DNS proxy, NTP and so on). It is usually left as enabled.
LAN-out accepted
Defines whether the LAN devices are allowed to access the internet (WAN)
through the Wireless Gateway/Controller. It can be disabled if theres no need
for directly accessing internet through the Wireless Gateway/Controller.
LAN-VPN accepted
If allowed, the LAN devices can freely access the services available via VPN
tunnel.
GUI anti-lockout
When enabled, the GUI access is always allowed from devices LAN,
regardless of other firewall settings. It is highly recommended to leave the
setting as enabled, as it prevents accidental lock-out from GUI.
54 (134)
1MRS758449 EN
Note: If using WAN interface only, enable the Allow Web HMI access from
WAN.
SSH anti-lockout
When enabled, the SSH access from LAN is always permitted.
Note: If using WAN interface only, enable the Allow SSH access from
WAN.
VPN-in accepted
Allows the devices on the M2M side of VPN tunnel to access services
running inside the Wireless Gateway/Controller.
VPN-LAN accepted
Allows the devices on the M2M side of VPN tunnel to access devices in
Wireless Gateways/Controllers LAN.
Allow access to OpenVPN server
Allows incoming connections to the OpenVPN static key server running in
Wireless Gateway/Controller. See a separate static key OpenVPN application
note for more information regarding this feature.
Allow SSH access from WAN
Allow SSH connection from WAN interfaces.
Allow Web HMI access from WAN
Allow the graphical user interface connection from WAN interfaces.
Default Actions
Incoming
Defines which action to take by default for packets targeted to the device.
Usually set as Drop. Note however that additional allowed
protocols/ports/IP addresses (if any) must be configured prior to setting the
action to drop.
Forwarded
Defines which action to take by default for routed packets. Usually set as
Drop. Note however that extra allowed protocols/ports/IP addresses (if any)
must be configured prior to setting the action to drop.
55 (134)
1MRS758449 EN
Outgoing
Defines which action to take by default for packets generated by Wireless
Gateway/Controller. Usually set as Pass. If defined as drop, note that he
allowed protocols/ports/IP addresses must be configured prior to setting the
action to drop.
IP v.6
Set the Deny all IPv6 traffic to yes for denying all IPv6 traffic from/to
Wireless Gateway's/Controller's LAN.
OpenVPN bridge filtering
When the OpenVPN Bridge Filtering is enabled, it will allow only ARP,
DHCP, ICMPv6, and STP Ethernet broadcast/multicast frames. This is used
with bridged OpenVPN setup for limiting unnecessary Ethernet traffic.
Filter incoming
Use packet-level filtering for incoming packets. It is recommended to enable
the firewall and use packet-level filtering. When used, the filter rules must be
defined for incoming, forwarded and outgoing packets.
The main principle is to categorically drop any packet and then white list all
allowed packets before the drop-rule. The firewall processes the filter rule set
rule-by-rule from top to bottom. The first rule that matches the packet causes
the defined action.
Filter forwarded
Use packet-level filtering for forwarded packets (from interface to another,
e.g. from OpenVPN TUN-interface to Ethernet LAN interface).
Filter outgoing
Use packet-level filtering for outgoing packets (out from Wireless Gateway/
Controller to any interface).
D-NAT
D-NAT (destination network address translation and port forwarding) is used
for forwarding packets from Wireless Gateways/Controllers WAN to LAN.
When theres M2M Gateway in the setup, there is usually no need for D-NAT
since the M2M GWs and Wireless Gateways/Controllers LANs are routed
via VPN tunnel.
56 (134)
1MRS758449 EN
D-NAT
17
6.0
2.1
.2
Cellular APN,
172.16.0.0/24
LAN
10.10.10.0/24
10.10.10.1
APN
Viola Arctic 3G GW
172.16.0.X
Default GW
Cell operator
17
2.1
6.0
.1
19
2.1
68
1
.1 .
LAN
192.168.1.0/24
APN Router
Device_1
10.10.10.2
Default GW
PC_1
192.168.1.2
57 (134)
1MRS758449 EN
Arctic
Cellular APN
172.16.0.0/24
APN Router
ICMP ping)
D-NAT
Routing
10.10.10.2
Ping
10.10.10.1
172.16.0.2
10.10.10.2
Ping reply
10.10.10.1
172.16.0.2
Ping
Ping reply
PC_1
Default
GW
172.16.0.1
192.168.0.1
Ping
172.16.0.1
192.168.0.1
Ping reply
192.168.0.2
192.168.0.2
Routing
S-NAT
Commands:
Default
GW
Routing
Web UI 172.16.0.2:443
HTTPS request
HTTPS reply
172.16.0.1
172.16.0.1
192.168.0.1
192.168.0.1
HTTPS request
HTTPS reply
1) ping 172.16.0.2
2) HTTP(S) GET
172.16.0.2:443
Routing
58 (134)
1MRS758449 EN
Private access point doesnt route IP addresses form other private subnets than
what it will assign to the mobile clients. One cannot access the Wireless
Gateway's LAN devices IP address (10.10.10.2) directly from PC_1.
It is also possible that the operator has assigned routing to the same IP address
space to its own internal use, so there may be a server answering to ping messages
sent to 10.10.10.2; however that it is not the Device_1, but some other server in
operators backbone (therefore, use only SIM IP addresses when connecting).
If a public access point, assigning public IP addresses, is used with DynDNS
service, the same rule applies; you cannot access the devices in Wireless
Gateway's LAN directly, but via Wireless Gateway's IP using D-NAT. If
hostnames are used in Wireless Gateway's D-NAT configuration, the Wireless
Gateway must be configured to use DNS for resolving the names to IP addresses.
When troubleshooting (e.g. do the ping messages really flow to the destination
Device_1), you can make protocol traces from the end device if possible, but also
from Wireless Gateway/Controller; in command line as root user, you can use the
command:
tcpdump -i lan0 icmp (do you see outgoing requests and incoming replies
from the LAN device?), pressing <ctrl-c> will stop the trace.
Example configuration for forwarding ping messages.
59 (134)
1MRS758449 EN
60 (134)
1MRS758449 EN
Common problems
All traffic is forwarded to a device in Wireless Gateway's LAN. When defining
rules for forwarding all traffic to a device in Wireless Gateway's LAN (regardless
of the protocol or destination port), it is recommended first to define rule(s) for
accessing Wireless Gateway's own services, like Web HMI. Otherwise all traffic
is indeed forwarded to the LAN device and the Wireless Gateway wouldnt be
accessible through the WAN at all.
Source address is defined in the rule, but the traffic is originated from some other
source address. It is recommended to test the rule first without source IP matching,
then test the functionality and after verification, add the source IP matching, and
then re-test.
Source port is defined in the D-NAT rule. Usually, it is not known what is the
source port; hence leave the source port empty in D-NAT rule, unless youre
absolutely sure that the same defined source port is always used.
Destination IP address is defined as new destination address. The destination
address means the packets original destination address (172.16.0.2 in this
example). The original destination address must be the Wireless Gateway's WAN
IP address.
The Wireless Gateway's LAN devices IP address is tried to be accessed directly.
This is not possible. You must define the destination IP address in originating PC
as Wireless Gateway's WAN IP address (e.g. in PC_1, type ping 172.16.0.2).
61 (134)
1MRS758449 EN
S-NAT
A typical use case for S-NAT would be that computers in Wireless
Gateway/Controller LAN need to access Internet via cellular connection (i.e.
using the Wireless Gateway/Controller as 3G/LTE modem). As the computers
have private IP addresses from Wireless Gateway's/Controller's LAN (e.g.
from 10.10.10.0/24 network), it is not possible for them to access the internet
(the internet doesnt route private IP addresses).
With S-NAT, the Wireless Gateway/Controller will change the source IP
address of the computer that needs to access the Internet via cellular network
to Wireless Gateway's/Controller's own IP address (acquired from cellular
network, this is called masquerading). Respectively, while the packets are
coming back to intranet computer, Wireless Gateway/Controller knows to
forward the packets to the correct host in Wireless Gateway's/Controller's
LAN.
S-NAT masquerade rule is enabled by default and it is recommended to be
left unchanged.
Services
The services are running in Wireless Gateway/Controller itself. Services can be offered to
other devices and usually limited by firewall.
Common
Use DNS proxy
To simplify, the DNS is a naming system that resolves the human memorable
names to IP addresses.
When the Wireless Gateway/Controller has DNS servers IP address set either
automatically or manually, it can work as DNS proxy for the LAN devices.
The Wireless Gateway/Controller is defined as DNS server for LAN devices
(either manually or through DHCP) and the Wireless Gateway/Controller will
forward the name queries to the actual DNS server and back to the LAN
devices.
If the Wireless Gateway/Controller is used as a DHCP server for LAN clients,
remember to add the DHCP servers IP address to Wireless
Gateways/Controllers DHCP server configuration and set the value as
Wireless Gateway's/Controller's LAN IP if its DNS proxy is used.
Copyright 2015 ABB Oy, Medium Voltage Products, Vaasa, FINLAND
62 (134)
1MRS758449 EN
This M2M solution doesnt require name resolution; IP addresses are usually
used throughout the configuration. However, if there is a need for e.g.
browsing the internet through Wireless Gateway/Controller, the DNS is likely
required.
LLMNR responder
The link-local multicast name resolution is a protocol, which enables
Windows machines on LAN to find Wireless Gateway/Controller using its
hostname. This is currently supported in Windows Vista, Windows
Server 2008, Windows 7, 8.x and 10.
mDNS responder
The multicast domain name system is a protocol, which enables Mac OS
X machines on LAN to find Wireless Gateway/Controller using its
hostname.
SSH server
The SSH (secure shell) is an encrypted network protocol for e.g. safe
command line connections. It is widely replacing unencrypted Telnet
protocol.
The Wireless Gateway/Controller has internal SSH server, which allows
incoming SSH connections, if enabled. By default the SSH service is
disabled. There are two options for allowing SSH connections; from all
interfaces or from LAN interface only.
For security reasons, it is recommended to enable the SSH only from LAN
network. Note that remote access to Wireless Gateways/Controllers LAN is
usually possible via VPN tunnel from M2M Gateway side (from the main
site). Also, for security reasons enable only SSH2 connections (only SSH2
tick box ticked). If login authorization is needed, you can define clients SSH
public keys to the text box.
When connecting Wireless Gateways/Controllers command line via SSH, an
SSH client is needed in some operating systems. PuTTY is a free SSH client
and is recommended, because apart from being SSH client, it can also be used
as serial terminal emulator. The login to Wireless Gateway/Controller is done
as adm user and certain actions, like pinging can be done as that user. More
advanced commands usually require root user privileges and the change to
63 (134)
1MRS758449 EN
root user can be done with the following command (without quotes,
remember the dash mark): su -.
DHCP server
The Wireless Gateway/Controller has an embedded DHCP server. It can offer
IP addresses, netmasks and other optional parameters to DHCP clients. You
may refer to RFC2131 for more details on DHCP.
Enabled
When enabled, the Wireless Gateway/Controller will work as DHCP server
for the LAN devices.
Subnet
The subnet, where the Wireless Gateway/Controller listens to DHCP requests
from clients. Usually the whole devices LAN address space (whole subnets
IP address) is defined here. In some configurations, the DHCP enabled subnet
may be smaller than Wireless Gateways/Controllers whole LAN subnet,
because certain address space is reserved for LAN devices with fixed IP
addresses.
Subnet mask
Usually the Wireless Gateway/Controllers LANs whole subnet mask is
defined here.
Range low IP address
This is the lowest IP address given to a client. For example, if Wireless
Gateways/Controllers LAN is 10.10.10.0/255.255.255.0, the usable IP
address space is 10.10.10.110.10.10.254, the Wireless Gateway/Controller
may be 10.10.10.1, and then some space may be reserved for fixed IP clients.
The Range low IP address in this example could be e.g. 10.10.10.100, which
would leave the range 10.10.10.210.10.10.99 to fixed IP clients.
Range high IP address
This parameter respectively defines the highest IP address given to a DHCP
client. In this example, it would be 10.10.10.254 (the last IP address of this
subnet, the 10.10.10.255, is used as IP broadcast address and thus cant be
used as device IP address).
Domain name
64 (134)
1MRS758449 EN
The domain name given to clients is entered here. Usually domain name is not
needed in this M2M solution.
DNS servers
A comma separated list of DNS servers. This may also be Wireless
Gateway's/Controller's IP address if it works as DNS forwarder.
Gateway IP address
The IP address of the default gateway. Usually it is defined as Wireless
Gateway's/Controller's LAN IP address. When this parameter is passed on to
the DHCP client, it tells the client (in Wireless Gateway's/Controller's LAN)
to use Wireless Gateway/Controller as default gateway (i.e. IP packets having
destination address other than Wireless Gateway's/Controller's LAN subnet
are sent to Gateway/Controller for further routing).
Broadcast IP address
Usually, this parameter is set as the last IP address of the subnet.
Default lease time
Define a time for clients that dont request a specific lease time.
Maximum lease time
Define the maximum time for DHCP client leases.
NTP Servers
If Network Time Protocol is used (i.e. there is an NTP server in the network),
enter here the list of NTP servers separated by comma. This may also be
Gateways/Controllers IP address if it works as NTP server.
Usually the following parameters are required to be defined in DHCP server
settings.
Enabled
Subnet
Subnet mask
Range low IP address
Range high IP address
Gateway IP address
Broadcast IP address
65 (134)
1MRS758449 EN
DNS Servers
DynDNS client
There is an Internet name service company Dyn, who is offering name service
for dynamically changing public IP addresses for a monthly fee (it used to be
a free service).
If there is no M2M Gateway in the system, this service may be used for
bypassing the problem of constantly changing public IP address of Wireless
Gateway/Controller. Other options are to use the M2M Gateway or to use a
private APN.
The list of other service providers can be seen from the drop-down menu of
DynDNS service provider. Currently supported dynamic DNS services:
Dyndns.org
No-ip.com
Freedns.afraid.org
Zoneedit.com
Easydns.com
3322.org
Sitelutions.com
SNMP agent
A subset of SNMP v2, (simple network management protocol) is supported.
The SNMP GET and SET for MIB-II tree (RFC 1213) are partially
supported. Note that the vendor specific MIBs are not supported. Refer to
RFC 1157 for more details on SNMP.
Read only SNMP community
The name of the read-only community, default public.
Read and write SNMP community
The name of read and write community, default private.
Server port
The UDP port, where the Wireless Gateway's/Controller's SNMP agent listens
to, usually 161.
66 (134)
1MRS758449 EN
67 (134)
1MRS758449 EN
68 (134)
1MRS758449 EN
69 (134)
1MRS758449 EN
port in the device. The remote server host/port setting has no effect in the
server mode.
Client = Sends the serial data to a server to certain TCP port. The data is sent
to a server defined by Remote server host and port parameters. The local port
parameter has no effect in client mode.
New connection priority
When the "new connection priority" is enabled a new incoming connection
will override the present/old connection. Usually this is the preferred method.
Connection slot
Defines how long time the old connection must be connected before accepting
new one (used only in server mode with new connection priority enabled).
The default value is 0 seconds. Usually the default value can be used.
Local port
Defines in server mode, which port to listen to. Verify that the port number is
unique (e.g. check that another serial Gateway is using a different port).
Remote server
Defines the remote servers IP address and port for connecting (only in client
mode).
Idle timeout
The device will close connection when it has been idle over defined amount
of time, empty=infinite. The empty value can usually be used as there is likely
a retry-mechanism in the originating end.
Serial settings
These values must be set according to the serial device, which is connected to
Wireless Gateway/Controller. Speed, 300460800 bps, data bits, 58,
parity, even, odd or none, number of stop bits, 1 or 2.
Serial handshaking
The flow control in RS-232 can be hardware controlled with RTS/CTS pins,
software controlled with certain XON/XOFF characters or none (no flow
control).
70 (134)
1MRS758449 EN
Set the value according to the serial device connected to Arctic and note that
if the hardware handshaking is used, the serial cable must have the respective
pins connected. Select None if RS-422 or RS-485 is used.
Flush old data
Empty serial data buffers when new connection arrives. Usually enabled.
Serial Frame Spacing
The time of a pause in serial traffic, after which the already received data is
sent. Usually the default value 100 milliseconds can be used.
Serial Frame Size
The maximum amount of bytes received from serial device, after which the
packet is sent. Usually can be left empty for default value.
Network Frame Spacing
The time of a pause in IP traffic, after which the already received data is sent.
Usually can be left empty for default value.
Network Frame Size
The maximum amount of bytes received from the IP device, after which the
packet is sent. Usually can be left empty for default value.
SMS modem (RS1, RS2)
There is an AT-command emulator for sending SMS messages via serial port.
An external entity can use Arctic for sending text mode SMS messages by
connecting to Arctic via serial port. The same serial port cannot be used by
other applications (such as Serial Gateway).
Enable
When enabled, the serial port is used as AT-command emulator for sending
SMS.
SMS Modem logging
Log AT commands to syslog.
Serial Settings
Speed, data bits, parity and stop bit.
71 (134)
1MRS758449 EN
Serial Handshaking
Handshaking mode (None, hardware by RTS/CTS signals, software by
XON/XOFF characters).
The following AT commands are supported
`AT`: replied with `OK`
`ATE0`: replied with `OK`. Turn echo off
`ATE1`: replied with `OK`. Turn echo on
`AT+CPIN?`: replied with `+CPIN: READY` (i.e. no PIN code needed)
`AT+CMGF?`: replied with `+CMGF:` `0` or `1` depending which format is in
use; PDU or TEXT. (Note: Only text mode allowed, returns always `1`)
`AT+CMGF=?`: replied with `+CMGF: (1)`
`AT+CMGF=<format>`: `<format>` only `1` is accepted. Setting `0` will reply
`ERROR`
`AT+CSCS=?`: replied with `+CSCS: ("IRA")`, "IRA" is default charset in
the Arctic (See ITU recommendation T.50).
`AT+CSCS?`: replied with `+CSCS: "IRA"`, "IRA" is default charset in the
device.
`AT+CSCS="IRA"`: allow to change charset to "IRA"
`AT+CMGS="[tel.no]"`: replied with a `>` prompt. After this, the message is read
until Control-Z (0x1A) is received. Can be break with ESC.
Unknown AT commands are replied to with "ERROR" for compatibility.
Note: Enabling this functionality makes the sending of SMS messages via
Arctics serial port possible without logging in to Arctic. This must be noted
from security point of view.
IEC-104 Gateway, Modbus Gateway
Certain models have special serial protocol conversions (i.e. Modbus
RTU/ASCII to Modbus TCP or Modbus RTU over TCP and IEC-101 to IEC104). Refer to their user manuals for more information.
DCU
Some models have DCU application, which is able to poll certain electric
meters. This feature requires customization and is not commonly used.
Tools
72 (134)
1MRS758449 EN
The Tools section has a selection of supportive tools for system administration and
troubleshooting.
System log
The system log is a good troubleshooting tool and is usually requested by
technical support in a support case. It shows the boot time actions, cellular
network attachment, VPN tunnel establishment and other important
information.
The default view shows recent events, click View all log to see the complete
system log. You can download the full log to your PC as a text file by clicking
the Download all log button.
The device can also send its syslog to a remote syslog server. Note however,
that this may generate a lot of traffic over Mobile WAN.
Support log
The support log takes a snapshot of the devices configuration so that it can be
sent to the technical support. The Supportlog will collect device information
for further problem solving. The following are collected: system log, devices
configuration, setup files, performance data and so on.
Modem info
This option displays internal cellular modem related information.
Wireless WAN
Enabled or disabled, up or down.
Last information update
When the modem information has been updated last time. You may force the
modem information update by clicking the Refresh button at the Modem Info
page.
Manufacturer, Type
The manufacturer and model of the internal cellular modem module.
Firmware
Shows the firmware version of the cellular modem module.
IMEI
Copyright 2015 ABB Oy, Medium Voltage Products, Vaasa, FINLAND
73 (134)
1MRS758449 EN
The IMEI code of internal cellular modem. IMEI stands for International
Mobile Station Equipment Identity. It is a unique identifier for GSM, 3G and
LTE devices. In this device, it is the identity code of the internal modem. In
some countries, the IMEI code needs to be sent to the mobile network
operator for allowing the use of the device in operators network.
Supported services
The network services that the internal modem is supporting. Possible values
are: GSM, GPRS, EDGE, UMTS, HSDPA/HSUPA and LTE (depending on
the model). All supported services are not necessarily available in serving
cellular network.
PIN tries used
Indicates how many times the PIN code has been entered erroneously. The
SIM card allows two false codes and locks on third. If the SIM requires PIN
code and you have misconfigured the code in the device, put the SIM card to
a cellular phone, enter correct PIN number, correct the PIN code setting in the
Wireless Gateway/Controller and re-enter the SIM card to the device.
SIM status
Tells whether the PIN number is required by SIM card, or not.
SIM IMSI
Displays SIM cards IMSI (International Mobile Subscriber Identity) code.
With this code, the SIM card of the device can be identified by the cellular
operator.
Temperature
Displays the temperature of the internal cellular modem. The temperature may
be higher than the ambient temperature, especially if there are large amounts
of data transferred over the cellular interface.
Signal level
Displays the signal strength in dBm (decibels referenced to one milliwatt).
The typical range is -70 to -90 dBm. The -90-100 dBm is quite a poor
connection and negative numbers over -100 dBm indicate non-working
connection. If needed, consider external omnidirectional antenna with FME
female plug (SMA male in Lite models) and recommended antenna gain
39 dBi.
74 (134)
1MRS758449 EN
Registration status
Displays the devices registration to the cellular network. Usually should
show registered to home network.
Available services, Current service
The Available services are displaying services available via cellular
operator in a certain place. Possible values are: GSM, GPRS, EDGE, UMTS,
HSDPA/HSUPA, HSPA+ and LTE (depending on the model). The Current
service displays the currently used service.
Current operator
Displays the currently used cellular operator, preceded by operator code, if
available.
Location area code, Cell ID
Displays the location area code and the cell identification code of the
operator, if available.
APN
The cellular access point name used for establishing the cellular data
connection.
Network test
Network test will test the configured connections for troubleshooting
purposes. The following tests will be done:
Check whether the following features are enabled: Mobile WAN, Mobile WAN
pinger, Monitor, Ethernet WAN, DNS, VPN, Patrol (note that the ping may be
disabled in some firewall configurations)
If respective item is enabled, try pinging it (ping Mobile WAN monitor IP,
Ethernet WAN IP, Monitor IP, VPN peer IP and Patrol IP)
If DNS enabled, try resolving certain hostnames to see that the name resolution is
working.
Monitor graphs
When the Monitor is configured to ping a certain ping target, it will produce
data of the round-trip times for each ping message sent and reply received.
This data is shown in graphical form. The graph can be used to get historical
75 (134)
1MRS758449 EN
snapshot of the delays in round trip times, which along with packet loss data
will reveal the quality of the cellular connection.
76 (134)
1MRS758449 EN
Old/New/(confirm) Password
Enter the previous password and the new password for changing the violaadm (or arctic-adm) users password. Enter the same new password again for
comparison.
Old/New/(confirm) Console access password
Enter the previous console access password and new password changing the
root users password. Enter the same new console password again for
comparison.
Restricted shell
The restricted SSH shell enables creating a safe sand-box for e.g. 3rd party
operations and management personnel. When enabled, the restricted shell user
can perform actions that are defined below. The commands that are not
selected cant be performed by the restricted shell user.
77 (134)
1MRS758449 EN
Release notes
This menu item shows brief release notes for the firmware versions.
Configuration profiles
The Wireless Gateways/Controllers are storing the devices entire
configuration in one XML file. It is possible to edit and clone configuration
files. However, there are certain unique identifiers that will need to be
changed after cloning, for example:
Hostname
Administrators password
Console users password
Ethernet IP address/netmask
SIM PIN code, (if used and unique)
VPN username in L2TP-VPN (if used)
VPN login password in L2TP-VPN (if used)
SSH key in SSH-VPN
Certificates for OpenVPN (if used)
78 (134)
1MRS758449 EN
Firmware update
The firmware can be updated via Web HMI or via command line. See the
separate Technical Note for details on the update. In the update process, the
firmware file is first uploaded to the device. After that and if the
preconditions are met (e.g. HW and firmware checks passed), the actual
update is done.
79 (134)
1MRS758449 EN
80 (134)
1MRS758449 EN
81 (134)
1MRS758449 EN
82 (134)
1MRS758449 EN
It is recommended to plan the solution so that each Arctic will have own unique LAN
subnet even though currently there would be only serial connected devices connected
to Arctics. Such configuration would be future proof without any changes to the
configuration if TCP/IP devices were added to the Arctics later on.
You can still change the name(s) of client(s) in the next step, if needed, see the
picture below.
Click the Create clients button.
83 (134)
1MRS758449 EN
84 (134)
1MRS758449 EN
85 (134)
1MRS758449 EN
However, with older M2M GWs, there is only possible to define one push route and
it may not be enough for arranging routing between both from Wireless
Gateway/Controller to another and also from Wireless Gateway/Controller to M2M
GWs LAN.
Therefore, it is recommended to define the VPN tunnel as a default route, so that the
Wireless Gateway/Controller will send all packets via OpenVPN tunnel to M2M GW
for further routing.
This is done by clicking OpenVPN in the left menu column of Arctic and editing the
current OpenVPN configuration (by clicking the pen and paper icon). Change the
Routing drop down menu item to Default Route and click Submit button.
86 (134)
1MRS758449 EN
Select a directory in the PC where to store the client configuration file (either
directly to the computer, which is used in remote administration or you may first
export the file and later transfer it to the remote administration PC. Perform step 3
and beyond only after the file is transferred to the PC used in remote
administration).
87 (134)
1MRS758449 EN
Go to the directory where the file is and unzip the file (click the file with right
mouse button and select Extract all, Extract here or similar, depending on the
extract program).
88 (134)
1MRS758449 EN
89 (134)
1MRS758449 EN
6. Copy the extracted files from the folder you have extracted the clientpc1.zip file
to OpenVPNs config folder.
90 (134)
1MRS758449 EN
rights as it needs to push routing entries to Windows routing table. The following steps are
instructing how to run the OpenVPN permanently with Administrator rights.
1. Start the OpenVPN by clicking Windows start button (Windows logo) and click
All programs and scroll down to OpenVPN, then click the OpenVPN text to see the
OpenVPN GUI menu option. Do not click it yet.
2. With right mouse button, click the OpenVPN GUI menu option, and then from the
context menu, select Properties (at the bottom of the context menu). The following
window opens. Click Compatibility tab.
91 (134)
1MRS758449 EN
4. When the OpenVPN is running, the OpenVPN GUI icon is seen, either directly in the
taskbar or by clicking Show hidden icons button (triangle-shaped button in the picture
above). You can customize the visibility of the OpenVPN GUI icon, see Windows
help for selecting which icons and notifications appear on the taskbar.
5. Click the OpenVPN GUI icon with right mouse button. A context menu opens.
92 (134)
1MRS758449 EN
7. Once the connection screen disappears, the VPN connection to M2M Gateway is
established. The state of the VPN connection can be checked by hovering the mouse
pointer over the OpenVPN icon.
8. For shutting down the VPN tunnel, right-click the OpenVPN icon and select
Disconnect from the context menu.
93 (134)
1MRS758449 EN
94 (134)
1MRS758449 EN
95 (134)
1MRS758449 EN
96 (134)
1MRS758449 EN
2. Enter the server certificate name and select the Server from drop down menu. Use only
numbers and small letter alphabets without spaces or special characters for server name.
97 (134)
1MRS758449 EN
You can leave the other settings as defaults and click Save for creating the server
certificate. While the server certificate is created, the following screen output is printed.
98 (134)
1MRS758449 EN
99 (134)
1MRS758449 EN
100 (134)
1MRS758449 EN
101 (134)
1MRS758449 EN
102 (134)
1MRS758449 EN
Port
You can leave the port as default 1194. If you wish to select another port, you need
to change the respective INPUT and FORWARD rules in M2M GWs firewall as
well.
Key
Select the server key youve created (testserver in this example).
Server Net IP assigns
The Net IP assigns parameter defines the subnet from where the OpenVPN server
allocates the clients peer IP addresses. The peer IP addresses are virtual IP addresses
denoting the endpoints of the VPN tunnel. Define the whole subnet address here,
individual peer IP addresses are set in each clients configuration.
In this example, the network 172.16.30.0/255.255.255.0 has been chosen. This 24-bit
mask subnet allows 64 clients (256 C-class addresses are divided into 30-bit peer
subnets, each having four IP addresses and two of them are actually used. See
OpenVPN documentation for more information on this peer IP design aspect).
Route
The server route covers all clients LANs. For example, if the clients (Arctics) have
the following LANs: Arctic1: 10.10.10.0/24, Arctic2: 10.10.11.0/24 and Arctic3:
10.10.12.0/24, we can set the server route to 10.10.0.0/16. Now the server has only
one routing entry for all Arctics LANs and it also covers future expansion (Arctic4:
10.10.13.0 and so on). In a production installation, smaller subnets may be defined
than in this example (It is unlikely that e.g. Arctics LAN would require 254 usable
IP addresses, as in the 24-bit mask subnet).
The other parameters can be left as defaults (in a large installation the maximum
number of concurrent clients can be increased, though).
3. Create the server by clicking Save button. The Administration page should now
show the created server.
4. Click Start for starting the server.
103 (134)
1MRS758449 EN
104 (134)
1MRS758449 EN
Select the clients name form pull down menu (the name is the client certificates
name, testclient in this example).
Protocol
The protocol in this implementation is UDP although the OpenVPN allows also
TCP.
Device
Select the tun device. The OpenVPN supports tun and tap devices, but only tun is
supported in this implementation.
CA
Select the CA, which was used in this client certificate generation. Usually, there
is only one CA and it is automatically selected.
Choose key, Client certificate and Client key and Random file
These are configured automatically.
Server settings
The server settings network and netmask is already defined in Server
configuration. This is the subnet from where the OpenVPN peer IP addresses are
allocated.
Ifconfig (Transport network)
Define Arctics VPN peer IP here. The OpenVPN peer IP address pairs can be
selected from the following set. The address pair must be unique and a 30-bit
netmask (4 IP addresses per subnet) is used for each pair. The structure is in form
of [<M2M_peer_IP>,<Arctic_peer_IP>].
[1, 2] [5, 6] [9, 10] [13, 14] [17, 18] [21, 22] [25, 26] [29, 30] [33, 34] [37, 38]
[41, 42] [45, 46] [49, 50] [53, 54] [57, 58] [61, 62] [65, 66] [69, 70] [73, 74] [77,
78] [81, 82] [85, 86] [89, 90] [93, 94] [97, 98] [101,102] [105,106] [109,110]
[113,114] [117,118] [121,122] [125,126] [129,130] [133,134] [137,138]
[141,142] [145,146] [149,150] [153,154] [157,158] [161,162] [165,166]
[169,170] [173,174] [177,178] [181,182] [185,186] [189,190] [193,194]
[197,198] [201,202] [205,206] [209,210] [213,214] [217,218] [221,222]
[225,226] [229,230] [233,234] [237,238] [241,242] [245,246] [249,250]
[253,254]
105 (134)
1MRS758449 EN
Remote IP server
This is the WAN IP address of M2M Gateway, which is static, usually public, IP
address. The client configuration generated here is installed to Arctic, which is
put to the field, therefore the term remote denotes remote to Arctic.
The M2M GWs WAN IP can also be private, but then the border router having
public IP address must forward the packets to M2M GW (D-NAT and port
forwarding). See different scenarios in VA-09-1-4 Configuration guide.
Remote backup IP server
The backup M2M GWs public IP address, if present.
Push route
The M2M GW is able to push routes to Arctics. These routing table entries are
enabled after the VPN tunnel has established. In this example, it is assumed that
all Arctics are available in 10.10.0.0/16 subnet, which is further divided into
smaller subnets for each Arctic, e.g. 10.10.10.0/24, 10.10.11.0/24, 10.10.12.0/24
and so on.
In this example, the push route allows Arctics to communicate with each other
via M2M GW; if the packets destination IP fits to 10.10.x.x and doesnt belong
to Arctics LAN, the Arctic will send the packet to M2M GW via OpenVPN
tunnel and the M2M GW in turn routes the packet to another VPN tunnel for
destination Arctic.
3. Click Save button to store the configuration. Now clicking the add/list clients
shows the following screen.
106 (134)
1MRS758449 EN
107 (134)
1MRS758449 EN
108 (134)
1MRS758449 EN
2. Click Submit button for storing the settings. The screen should look as follows.
109 (134)
1MRS758449 EN
110 (134)
1MRS758449 EN
111 (134)
1MRS758449 EN
a. Name, select clientpc1 from the pull down menu (you have earlier
created this client certificate).
b. Ifconfig (Transport network), select 172.16.30.250 as peer IP address.
c. Remote (Remote IP), enter the M2M GWs public IP address.
d. Push route, enter 10.10.0.0/255.255.0.0 here. This covers all Arctics.
112 (134)
1MRS758449 EN
113 (134)
1MRS758449 EN
The correct package is called Windows installer and the filename is in form of
openvpn-install-n.n.n-Ix.x.x-<architecture>.exe, where the n.n.n represents the
current version (at the time of writing this document, the filenames are):
openvpn-install-2.3.8-I601-i686.exe (32-bit)
openvpn-install-2.3.8-I601-x86_64.exe (64-bit)
Click the filename to download it. If youre unsure which package to download, select
the 32-bit version.
2. Run the installer and allow the installer to make changes to the computer. Accept the
default settings by clicking Next to the questions asked. If asked whether to install
TAP-Windows device software, click Install.
114 (134)
1MRS758449 EN
3. Click the start button (Windows logo) and select Computer from the right-side
vertical menu bar. Alternatively, type explorer.exe to the search row and press enter.
4. In the Explorer window, double-click the C-drive text (showing as Windows7_OS
(C:) in the next picture).
115 (134)
1MRS758449 EN
7. You have now copied the client certificate files to the OpenVPN directory. You may
now start using the OpenVPN.
116 (134)
1MRS758449 EN
Place a tick to the checkbox Run this program as an administrator and press OK button.
Again, click Windows start button (Windows logo), click All programs and scroll
down to OpenVPN, then click the OpenVPN text and click OpenVPN GUI. If asked,
allow changes to be made to computer.
3. Now the OpenVPN client is started, but it hasnt established a VPN tunnel yet. You can
see the OpenVPN icon in the notification area of Windows taskbar.
117 (134)
1MRS758449 EN
118 (134)
1MRS758449 EN
119 (134)
1MRS758449 EN
120 (134)
1MRS758449 EN
14 Troubleshooting
Troubleshooting steps
Follow the instructions below for troubleshooting the system. Try to test each leg of
the connection path individually.
1. Check that Arctic has received an IP address from cellular network (System Status).
There should be interface called gprs0, usb0 or wwan0 depending on the model of the
device. If not, verify that the SIM card is inserted and check the Access point name,
Authentication, Username and Password parameters in SIM card settings of Mobile
WAN. Check also that the interface using the SIM card is enabled and set as primary
WAN interface in WAN failover.
2. Check that Arctic has VPN interface vpnc_tun0 in (Menu Status). This means that
the OpenVPN tunnel is up. If not, check that the M2M GW is available in the IP
address defined in Arctics OpenVPN setup. Check as well that the certificates are
properly installed and that the Arctics clock is set to time. Check the Arctics syslog
(Tools System log) for further troubleshooting.
3. Check the OpenVPN peer from M2M Gateway. In OpenVPN (with certificate based
authentication) page, click Add/list clients text and check the checkbox in the left side
of testclient. Then click Start check button. Wait until the test completes and see the
check column in the display. The result should be OK. If Failed verify the M2M
Gateways default gateway setting and firewall settings for OpenVPN port.
4. Try pinging the M2M GW from your SCADA or other monitoring program. If it is in a
different LAN than M2M Gateways LAN, you will need to define a static route to
M2M GW (Network configuration Routing and gateways Static routes). Verify
as well that you have 10.10.0.0/16 (Arctics LANs) set as a static route to SCADA
server (or if in the same LAN as M2M GW, the M2M GWs LAN IP can be set as
default gateway to SCADA).
5. Try pinging the Arctics LAN IP 10.10.10.10 (10.32.1.1 in Easy OpenVPN setup) from
SCADA server. If there is an Ethernet connected RTU in Arctics LAN (e.g.
10.10.10.21), try pinging it as well. If no answer, check that the Arctics IP 10.10.10.10
(10.32.1.1 in Easy OpenVPN setup) is set as default gateway to RTU.
6. Try polling the RTU or similar directly with its LAN IP from SCADA. If no answer,
check the static route and other routing to the M2M GW.
Troubleshooting the routing
121 (134)
1MRS758449 EN
Even though the cellular connection and the VPN tunnel is up and running, there may
still be some routing settings that need to be done. The following picture describes
each route or routing setting, in order to give an idea on how the routing is working.
8
9
1
M2M
LAN
SCADA
LAN
Eth1
Eth0
Arctic
LAN
GPRS
Internet
M2M Gateway
Arctic
10
11
7
3
SCADA
VPN tunnel
M2M GWs
Peer IP
4
Arctics
Peer IP
Device
122 (134)
1MRS758449 EN
123 (134)
5.
6.
7.
8.
9.
1MRS758449 EN
available at the other end of the tunnel). As the Arctic has by default the S-NAT
enabled (see chapter S-NAT for more information), the packets coming from Arctic
to M2M GW are having Arctics OpenVPN peer IP address as source address.
Arctics point-to-point route to M2M GWs peer IP
See the previous point. The Arctic will rename the tunnel adapter to vpnc_tun[n] and it can
be seen in the status screen as one of the network interfaces.
M2M GWs OpenVPN server route to all clients (Arctics)
The OpenVPN server needs a route that covers all clients LANs. This is a CIDR route that
contains all consecutive Arctics subnets. This is set in OpenVPN advanced mode, by
clicking the server name, the parameter is route. If all Arctics subnets are within the
10.32.x.x address space, the server route can be 10.32.0.0/255.255.0.0.
M2M GWs route to Arctics LAN via VPN tunnel
The M2M GW needs to know all the Arctics LAN subnets (i.e. which Arctics subnet is
behind which tunnel). This is defined in M2M GWs OpenVPN peer settings with iroute
parameter. The iroute is the LAN subnet IP address, e.g. if the Arctic has IP
10.32.0.1/255.255.255.0, the subnets IP address is 10.32.0.0. Each Arctic must have
unique LAN subnet (they cant overlap each other).
Arctics cellular network connection
When the cellular modem of the Arctic is enabled, it registers to cellular network and
receives an IP address. From the Arctics scope, this is a point-to-point IP towards the
cellular infrastructure. There are different modem drivers depending on the modem module
and Arctics kernel version, so the Arctics cellular interface name and point-to-point IP
address will vary.
WAN default route in Arctic
In Arctics WAN failover menu, there is a setting WAN default route, which is usually
configured as enabled (recommended). Then the Arctic will use currently enabled WAN
interface as a default route for outgoing packets.
There are some configurations, where the WAN default route may cause problems
(e.g. asymmetric routing in some private APN cases), but these are rarely encountered.
If the WAN default route is set as No, the Next hop parameter needs to be
defined in Arctics OpenVPN configuration.
10. Arctics LAN devices default gateway
A device in Arctics LAN should use the Arctic as the default gateway. This is the easiest
option and doesnt require any configuring work for devices in Arctics LAN if the network
configuration changes. Alternatively (e.g. in a case there is a PC with a need for default
gateway via other network interface), a static (persistent) route can be configured. The
static route must include the SCADA or other control servers subnet and if it is a different
124 (134)
1MRS758449 EN
network than M2M GWs LAN subnet, there may be a need for adding a separate route for
M2M GWs LAN as well.
11. Arctics VPN routing
The Arctic is configured to know the LAN subnet in the other side of the VPN tunnel.
When the VPN tunnel is up, there are three possibilities for telling the Arctic which
networks can be connected through the VPN tunnel:
Routing entry in Arctics VPN configuration (a host, a subnet or several contiguous
subnets in CIDR notation)
Default route in Arctics VPN configuration (all packets are sent to the VPN
tunnel)
OpenVPN push route, defined in M2M GW (a host, a subnet or several subnets in
CIDR notation, the M2M GW will push this route over VPN tunnel to Arctic
once the tunnel is established)
While it is usually the easiest to configure the Arctic to use the VPN tunnel as a
default route, there are some cases, where it is not possible. If the Arctic is to be used
as GPRS router directly to the internet and also as a VPN router towards M2M GW,
one must define either a routing entry in VPN configuration or the OpenVPN push
route. In such a use case, the packets going to M2M GWs LAN are routed via VPN
tunnel and other packets are sent to internet via cellular network.
An example of this kind of use case would be a PC in a remote site, which needs
internet connection, but at the same time it will need a VPN connection to the main
site.
125 (134)
1MRS758449 EN
15 Network IP planning
As in any TCP/IP-connected computer network, the IP network planning plays very
important role when setting up the M2M solution. It is a good practice to have a ready-made
IP plan before continuing to the setup of the devices.
The answer for how many private and public IP addresses are needed depends on the
network setup; the number of M2M GWs and field devices and also on the number of
TCP/IP connected devices in Wireless Gateways/Controllers LANs, if any.
The private IP addresses are typically used in M2M GW's LAN, in VPN peer IPs and in
Wireless Gateways/Controllers LANs. To avoid overlapping the network address space
(thus causing possible routing problems), it is a good practice to use different class of private
IP addresses for each set of addresses.
Scenario 1, the M2M GW connected with public IP address
In this example, the M2M GW LAN networks IP address is 192.168.0.0 and netmask is
255.255.255.0. This is also represented as 192.168.0.0/24, since the 255.255.255.0 netmask
is 24-bit. The 24-bit netmask (C class network) is chosen for the example as it is easy to
understand.
The LAN subnet address is 10.10.10.0/24 and the VPN peer addresses are chosen from
172.16.0.0/16 address space.
Note: In order to avoid routing problems, it is important that the VPN peer IP addresses are
not overlapping the existing IP addresses in the system.
In this simple setup, there is only one public, routable IP address needed; The M2M GW's IP
address. In this scenario, the M2M GW is connected directly to Internet with one public IP
address via its eth0 interface.
126 (134)
1MRS758449 EN
Entity
IP address
Netmask
M2M LAN
192.168.0.0
255.255.255.0
192.168.0.1
255.255.255.0
SCADA computer
192.168.0.2
255.255.255.0
M2M: 172.16.0.1
Device: 172.16.0.2
Point-to-point
N/A
10.10.10.0
255.255.255.0
10.10.10.1
255.255.255.0
Ethernet device
10.10.10.2
255.255.255.0
N/A
127 (134)
1MRS758449 EN
The connection from the Internet to M2M GW is implemented with D-NAT and port
forwarding. Again, here the Wireless Gateways/Controllers are using the cellular operators
public access point for connecting to the Internet.
Example network plan:
Entity
IP address
Netmask
M2M LAN
192.168.0.0
255.255.255.0
192.168.0.1
255.255.255.0
SCADA computer
192.168.0.2
255.255.255.0
M2M: 172.16.0.1
Device: 172.16.0.2
Point-to-point
DMZ LAN
192.168.1.0
255.255.255.0
192.168.1.2
255.255.255.0
192.168.1.1
255.255.255.0
FW/Router public IP
N/A
10.10.10.0
255.255.255.0
10.10.10.1
255.255.255.0
128 (134)
1MRS758449 EN
Ethernet device
10.10.10.2
255.255.255.0
N/A
Static IP address
associated to the
SIM card
192.168.1.1
M2M
LAN
Eth1
Eth0
M2M Gateway
DMZ network
192.168.1.0/24
Arctic
LAN
GPRS Private
APN
DMZ
Arctic
VPN Router
IP: 10.10.10.1
Netmask: 255.255.255.0
Default GW: VPN
Eth0: 192.168.1.2
Netmask: 255.255.255.0
Default GW: 192.168.1.1
Eth1: 192.168.0.1
Netmask: 255.255.255.0
SCADA
computer
IP: 192.168.0.2
Netmask: 255.255.255.0
Default GW: 192.168.0.1
VPN tunnel
VPN peer IP addresses:
172.16.0.1:172.16.0.2
Ethernet
device
IP: 10.10.10.2
Netmask: 255.255.255.0
Default GW: 10.10.10.1
129 (134)
Entity
IP address
Netmask
M2M LAN
192.168.0.0
255.255.255.0
192.168.0.1
255.255.255.0
SCADA computer
192.168.0.2
255.255.255.0
M2M: 172.16.0.1
Device: 172.16.0.2
Point-to-point
DMZ LAN
192.168.1.0
255.255.255.0
192.168.1.2
255.255.255.0
192.168.1.1
255.255.255.0
FW/Router WAN IP
N/A
10.10.10.0
255.255.255.0
10.10.10.1
255.255.255.0
Ethernet device
10.10.10.2
255.255.255.0
N/A
1MRS758449 EN
IP v4 addressing
Public and private IP addresses
The public IP addresses are routable unique addresses in Internet. Private IP addresses are
not routable in Internet, but they can be routed between the private networks. This M2M
solution needs at least one public IP address, for the connection to the Internet. It may be
assigned to M2M Gateway or it can be a company border router, which needs to be
configured for forwarding packets to M2M GW (see Scenario 2, M2M GW behind the
company firewall).
130 (134)
1MRS758449 EN
IP address classes
In the modern IP-addressing, especially in public IP addresses, the classful addresses are not
very common. The lack of addresses in IP v.4 are causing the Internet service providers
switching to classless addressing, where the netmasks are not fitting to the A, B or C classes,
but instead are used to divide the classful addresses into smaller networks.
The historical division of network classes as A, B and C are described in the following table.
The D and E classes are omitted for the sake of clarity. The important thing in planning the
IP network in M2M solution is the number of hosts per network.
Class
Netmask
Size of network
Number bits
255.0.0.0
24
128
16777214
255.255.0.0
16
16
16384
65534
255.255.255.0 24
2097152
254
Classless IP-addressing
As can be seen in the table of classful private IP addressing, the smallest number of hosts per
network is 254 (class C). Sometimes, especially in Wireless Gateways/Controllers LANs, a
smaller number of hosts would be enough.
When calculating the network size, it is commonly found that there is probably one or two
Ethernet connected devices behind each Wireless Gateway/Controller. Let's assume in this
example, that we may need some room for future expansion. Therefore, the suitable netmask
would be 29-bit for leaving three IP addresses for maintenance purposes or future use.
131 (134)
1MRS758449 EN
IP address
Netmask
Description
10.10.10.0
10.10.10.1
10.10.10.2
255.255.255.248 Device #1
10.10.10.3
255.255.255.248 Device #2
10.10.10.4
132 (134)
10.10.10.5
10.10.10.6
10.10.10.7
1MRS758449 EN
Routing
A typical scenario of routing in M2M solution is that there is a local network at the M2M
GW and a remote network behind the Wireless Gateway/Controller. Furthermore, the
devices connected to these two networks need to communicate with each other. An example
of such communication would be a SCADA system in the LAN of M2M GW that
communicates with an Ethernet RTU device, connected to Wireless Gateways/Controllers
LAN at a remote site.
In routing point of view, the M2M GW knows the route to each Wireless
Gateway/Controller via the VPN tunnel (via VPN peer IP addresses). For achieving end-toend communication between two devices residing at LANs of M2M GW and Wireless
Gateway/Controller, this is not enough; it is needed to tunnel the local area networks over
the VPN connection.
This is done by setting the VPN routing parameters with the required values of the network
IP address of the opposite end's LAN (i.e. it is defined which networks are available via
certain VPN tunnel).
CIDR, classless inter-domain routing
When there are several networks, it may be a tedious task to maintain routing table entries
for each individual network. In CIDR routing, a contiguous address space of several smaller
networks is referenced with one routing entry having netmask of a larger network.
An example would be the following networks
10.10.10.0/29
10.10.10.8/29
10.10.10.16/29
10.10.10.24/29
All of these networks can be referenced with only one CIDR network address with netmask
10.10.10.0/27.
See RFC 1519 for more information on CIDR.
Copyright 2015 ABB Oy, Medium Voltage Products, Vaasa, FINLAND
133 (134)
History
First revision
Trademarks
ABB is a registered trademark of ABB Group. All other brand or product names mentioned in this document
may be trademarks or registered trademarks of their respective holders.
Contact information
ABB Oy, Medium Voltage Products
P.O.Box 699
Visiting address: Muottitie 2A
FI-65101 Vaasa, FINLAND
Phone: +358 10 22 11
Fax: +358 10 22 41094
www.abb.com/substationautomation