Ethernet: in­ternal: LAN external: WAN

Serial in­terface

Built-in modem

Serial con­sole via USB¹

FL MGUARD RS4000/RS2000

Yes

Yes

No

No

FL MGUARD RS4004

LAN: 4
WAN: 1
DMZ: 1

Yes

No

No

FL MGUARD RS2005

LAN: 5
WAN: 1

Yes

No

No

TC MGUARD RS4000 3G, TC MGUARD RS4000 4G

LAN: 4
WAN: 1
DMZ: 1

Yes

Yes

No

TC MGUARD RS2000 3G, TC MGUARD RS2000 4G

LAN: 4
WAN: no
DMZ: no

Yes

Yes

No

FL MGUARD CENTERPORT

LAN: 1
WAN: 1
DMZ: 1

Yes

No

No

FL MGUARD SMART2

Yes

No

No

Yes

FL MGUARD GT/GT, FL MGUARD RS, FL MGUARD PCI 533/266, FL MGUARD BLADE, FL MGUARD DELTA, mGuard Centerport (Innominate), mGuard delta (Innominate)

Yes

Yes

No

No

FL MGUARD PCI(E)4000 

Yes

No

No

No

FL MGUARD RS 
(ISDN/analog)

Yes

Yes

Yes

No

FL MGUARD SMART 533/266

Yes

No

No

No

¹See "Serial console via USB" on page 192.

Default setting for TC MGUARD RS4000/RS2000 4G, TC MGUARD RS4000/RS2000 3G, FL MGUARD RS4004/RS2005, FL MGUARD GT/GT, mGuard Centerport (Innominate), FL MGUARD CENTERPORT, FL MGUARD BLADE-Controller, mGuard delta (Innominate)

If the mGuard is operated in Router mode, it must be set as the default gateway on the locally connected computers.

This means that the IP address of the mGuard LAN port must be specified as the default gateway address on these computers.

NAT should be activated if the mGuard is operated in Router mode and establishes the connection to the Internet (see "Network >> NAT" on page 198).

Only then can the computers in the connected local network access the Internet via the mGuard. If NAT is not activated, it is possible that only VPN connections can be used.

If the mGuard is operated in PPPoE mode, the mGuard must be set as the default gate­way on the locally connected computers.

This means that the IP address of the mGuard LAN port must be specified as the default gateway address on these computers.

If the mGuard is operated in PPPoE mode, NAT must be activated in order to access the Internet.

If NAT is not activated, it is possible that only VPN connections can be used.

If the mGuard is operated in PPTP mode, the mGuard must be set as the default gateway on the locally connected computers.

This means that the IP address of the mGuard LAN port must be specified as the default gateway on these computers.

If the mGuard is operated in PPTP mode, NAT should be activated in order to access the Internet from the local network (see "Network >> NAT" on page 198).

If NAT is not activated, it is possible that only VPN connections can be used.

Only for FL MGUARD RS4000/RS2000, TC MGUARD RS4000/RS2000 3G, TC MGUARD RS4000/RS2000 4G, FL MGUARD RS4004/RS2005, mGuard Centerport (Innominate), FL MGUARD CENTERPORT, FL MGUARD RS, FL MGUARD BLADE, mGuard delta (Innominate), FL MGUARD DELTA

If the address of the mGuard is changed (e.g., by changing the network mode from Stealth to Router), the device can only be accessed via the new address. If the configura­tion is changed via the LAN port, confirmation of the new address is displayed before the change is applied. If configuration changes are made via the WAN port, no confirmation is displayed.

If the mode is set to Router, PPPoE or PPTP and you then change the IP address of the LAN port and/or the local netmask, make sure you specify the correct values. Otherwise, the mGuard may no longer be accessible under certain circumstances.

For the further configuration of Built-in mobile network modem / Built-in modem / Modem network mode, see "Dial-out" on page 177.

Only used for FL MGUARD RS devices with a built-in modem or ISDN terminal adapter.

Only for TC MGUARD RS4000/RS2000 3G and TC MGUARD RS4000/RS2000 4G.

Default setting for FL MGUARD RS4000/RS2000, FL MGUARD RS, FL MGUARD SMART2, FL MGUARD PCI(E)4000, FL MGUARD PCI(E)4000, FL MGUARD PCI 533/266, FL MGUARD DELTA

In Single-Stealth mode, a firewall installed on the computer must be configured to allow ICMP echo requests (ping), if the mGuard is to provide services such as VPN, DNS, NTP, etc.

In Stealth mode, the mGuard uses internal IP address 1.1.1.1. This can be accessed from the computer if the default gateway configured on the computer is accessible.

In the Stealth configurations "Autodetect" and "Static", it is not possible to establish a VPN-connection originating from the internal client through the mGuard.

For the use of certain functions (e.g. automatic updates, licence updates or establishment of VPN-connections), it is required that the mGuard makes its own requests of external servers, even in stealth mode.

These requests are only possible when the locally connected computer permits ping re­quests. Configure its security settings accordingly.

Network Status

External IP address

Display only: the addresses via which the mGuard can be ac­cessed by devices from the external network. They form the interface to other parts of the LAN or to the Internet. If the tran­sition to the Internet takes place here, the IP addresses are usually assigned by the Internet service provider (ISP). If an IP address is assigned dynamically to the mGuard, the currently valid IP address can be found here.

In Stealth mode, the mGuard adopts the address of the locally connected computer as its external IP.

Secondary external IP address

(Only if the secondary external interface is activated)

Display only: the addresses via which the mGuard can be ac­cessed by devices from the external network via the second­ary external interface.

Current default route

Display only: the IP address that the mGuard uses to try to reach unknown networks is displayed here. If a default route has not been specified, the field is left empty.

Used DNS servers

Display only: the names of the DNS servers used by the mGuard for name resolution are displayed here. This informa­tion can be useful, for example, if the mGuard is using the DNS servers assigned to it by the Internet service provider.

Connection status of modem to data net­work

(Only for devices with an inter­nal modem)

Displays the status of the internal modem (mobile network modem of the TC MGUARD RS4000/RS2000 3G / TC MGUARD RS4000/RS2000 4G and the internal analog modem for the FL MGUARD RS).

Network mode

Network mode

Router / Stealth

The mGuard must be set to the network mode that corre­sponds to its connection to the network

.

See also:

"Overview of "Router" network mode" on page 132 and "Over­view of "Stealth" network mode" on page 135.

Depending on the network mode selected and the mGuard device, different setting op­tions are available on the web interface:

Router Mode

(Only if "Router" network mode was selected)

Static / DHCP / PPPoE / PPTP / Modem¹ / Built-in modem¹ / Built-in mobile network modem¹

For a detailed description, see:

–"Router Mode: Static" on page 133

–"Router Mode: DHCP" on page 133

–"Router Mode: PPPoE" on page 133 and "PPPoE" on page 144

–"Router Mode: PPTP" on page 133 and "PPTP" on page 145

–"Router Mode: Modem" on page 133 and "Dial-out" on page 177

Stealth configuration

(Only if "Stealth" network mode was selected)

Autodetect / Static / Multiple clients

Autodetect

The mGuard analyzes the network traffic and independently configures its network connection accordingly. It operates transparently.

Static

If the mGuard cannot analyze the network traffic, e.g., because the locally connected computer only receives data and does not send it, then Stealth configuration must be set to Static. In this case, further input fields are available for Static Stealth Configuration at the bottom of the page.

Multiple clients

(Default) As with Autodetect, but it is possible to connect more than one computer to the LAN port (secure port) of the mGuard, meaning that multiple IP addresses can be used at the LAN port (secure port) of the mGuard.

Autodetect: ignore NetBIOS over TCP traffic on TCP port 139

(Only with Autodetect Stealth configuration)

If a Windows computer has more than one network card in­stalled, it may alternate between the different IP addresses for the sender address in the data packets it sends. This applies to network packets that the computer sends to TCP port 139 (NetBIOS). As the mGuard determines the address of the computer from the sender address (and therefore the address via which the mGuard can be accessed), the mGuard would have to switch back and forth, and this would hinder operation considerably. To avoid this, activate the function if the mGuard has been connected to a computer that has these properties.

¹Modem / Built-in modem / Built-in mobile network modem is not available for all mGuard models (see "Network >> Interfaces" on page 131).

External Networks

The addresses via which the mGuard can be accessed by external devices that are lo­cated behind the WAN port. If the transition to the Internet takes place here, the external IP address of the mGuard is assigned by the Internet service provider (ISP).

IP address

IP address via which the mGuard can be accessed via its WAN port.

Netmask

The netmask of the network connected to the WAN port.

Use VLAN

If the IP address should be within a VLAN, activate the func­tion.

VLAN ID

–A VLAN ID between 1 and 4095.

–For an explanation of the term "VLAN", please refer to the glossary on page 452.

–If you want to delete entries from the list, please note that the first entry cannot be deleted.

OSPF area

(Only if OSPF is activated)

Links the static addresses/routes of the internal network inter­face to an OSPF area (see "Network >> Dynamic Routing" on page 220).

Additional External Routes

In addition to the default route via the default gateway specified below, additional external routes can be specified.

Network

Specify the network in CIDR format (see "Network >> Dy­namic Routing" on page 220).

Gateway

The gateway via which this network can be accessed.

See also "Network example diagram" on page 30.

Default gateway

IP of default gateway

The IP address of a device in the local network (connected to the LAN port) or the IP address of a device in the external net­work (connected to the WAN port) can be specified here.

If the mGuard establishes the transition to the Internet, this IP address is assigned by the Internet service provider (ISP).

If the mGuard is used within the LAN, the IP address of the de­fault gateway is assigned by the network administrator.

Internal Networks

IP address

The internal IP is the IP address via which the mGuard can be accessed by devices in the locally connected network.

The default settings in Router/PPPoE/PPTP/Modem mode are as follows:

–IP address:    192.168.1.1

–Netmask:    255.255.255.0

You can also specify other addresses via which the mGuard can be accessed by devices in the locally connected network. For example, this can be useful if the locally connected net­work is divided into subnetworks. Multiple devices in different subnetworks can then access the mGuard via different ad­dresses.

IP address

IP address via which the mGuard can be accessed via its LAN port.

Netmask

The netmask of the network connected to the LAN port.

Use VLAN

If the IP address should be within a VLAN, activate the func­tion.

VLAN ID

–A VLAN ID between 1 and 4095.

–For an explanation of the term "VLAN", please refer to the glossary on page 452.

–If you want to delete entries from the list, please note that the first entry cannot be deleted.

OSPF area

(Only if OSPF is activated)

Links the static addresses/routes of the internal network inter­face to an OSPF area (see "Network >> Dynamic Routing" on page 220).

Additional Internal Routes

Additional routes can be defined if further subnetworks are connected to the locally con­nected network.

Network

Specify the network in CIDR format (see "CIDR (Classless Inter-Domain Routing)" on page 29).

Gateway

The gateway via which this network can be accessed.

See also "Network example diagram" on page 30.

PPPoE

For access to the Internet, the Internet service provider (ISP) provides the user with a user identifier (login) and password. These are requested when you attempt to establish a con­nection to the Internet.

PPPoE login

The user identifier (login) that is required by the Internet ser­vice provider (ISP) when you attempt to establish a connection to the Internet.

PPPoE password

The password that is required by the Internet service provider when you attempt to establish a connection to the Internet.

Request PPPoE ser­vice name

When the function is activated, the PPPoE client of the mGuard requests the service name specified below from the PPPoE server. Otherwise, the PPPoE service name is not used.

PPPoE service name

PPPoE service name

Automatic Reconnect

When the function is activated, you must specify the time in the Reconnect daily at field. This feature is used to schedule Internet disconnection and reconnection (as required by many Internet service providers) so that they do not interrupt normal business operations.

When this function is enabled, it only takes effect if synchroni­zation with a time server has been carried out (see "Manage­ment >> System Settings" on page 47, "Time and Date" on page 49).

Reconnect daily at (hour)

Specified time (hour) at which the Automatic Reconnect func­tion (see above) should be performed.

Reconnect daily at (minute)

Specified time (minute) at which the Automatic Reconnect function (see above) should be performed.

PPTP

For access to the Internet, the Internet service provider (ISP) provides the user with a user identifier (login) and password. These are requested when you attempt to establish a con­nection to the Internet.

PPTP login

The user identifier (login) that is required by the Internet ser­vice provider when you attempt to establish a connection to the Internet.

PPTP password

The password that is required by the Internet service provider when you attempt to establish a connection to the Internet.

Local IP mode

Static / Via DHCP

Via DHCP

If the address data for access to the PPTP server is provided by the Internet service provider via DHCP, select this option. In this case, no entry is required under Local IP.

Static (from field below)

If the address data for access to the PPTP server is not sup­plied by the Internet service provider via DHCP, the local IP address must be specified.

Local IP

The IP address via which the mGuard can be accessed by the PPTP server.

Modem IP

IP address of the PPTP server of the Internet service provider.

DMZ Networks

(Only for TC MGUARD RS4000 3G, TC MGUARD RS4000 4G, FL MGUARD RS4004, FL MGUARD CENTERPORT)

IP addresses

IP address via which the mGuard can be accessed by devices in the network connected to the DMZ port.

In "Router" network mode, every newly added table line has default settings:

–IP address:    192.168.3.1

–Netmask:    255.255.255.0

You can also specify other addresses via which the mGuard can be accessed by devices in the networks connected to the DMZ port. For example, this can be useful if the network con­nected to the DMZ port is divided into subnetworks. Multiple devices in different subnetworks can then access the mGuard via different addresses.

IP address

IP address via which the mGuard can be accessed via its DMZ port.

Default: 192.168.3.1

Netmask

The netmask of the network connected to the DMZ port.

Default: 255.255.255.0

OSPF area

(Only if OSPF is activated)

Links the static addresses/routes of the DMZ network inter­face to an OSPF area (see "Network >> Dynamic Routing" on page 220).

Additional DMZ Routes

Additional routes can be defined if further subnetworks are connected to the DMZ.

Network

Specify the network in CIDR format (see "CIDR (Classless Inter-Domain Routing)" on page 29).

Default: 192.168.3.0/24

Gateway

The gateway via which this network can be accessed.

See also "Network example diagram" on page 30.

Default: 192.168.3.254

Stealth Management

Additional Management IP addresses for the administration of the mGuard can be spec­ified here.

If:

–The Multiple clients option is selected under Stealth configuration 

–The client does not answer ARP requests

–No client is available

Remote access via HTTPS, SNMP, and SSH is only possible using this address.

IP address

Management IP address via which the mGuard can be ac­cessed and administered.

The IP address "0.0.0.0" deactivates the management IP ad­dress.

Change the management IP address first before specifying any additional addresses.

Netmask

The netmask of the IP address above.

Use VLAN

IP address and netmask of the VLAN port.

If the IP address should be within a VLAN, activate the func­tion.

VLAN ID

This option only applies if you set the "Stealth configuration"  option to "Multiple clients".

–A VLAN ID between 1 and 4095.

–An explanation can be found under "VLAN" on page 452.

–If you want to delete entries from the list, please note that the first entry cannot be deleted.

Default gateway

The default gateway of the network where the mGuard is lo­cated.

Networks to be routed over alternative gateways

Static routes

In Stealth modes "Autodetect" and "Static", the mGuard adopts the default gateway of the computer connected to its LAN port. This does not apply if a management IP address is configured with the default gateway.

Alternative routes can be specified for data packets destined for the WAN that have been created by the mGuard. These include for instance the packets from the following types of data traffic:

–Download of certificate revocation lists (CRLs)

–Download of a new configuration

–Communication with an NTP server (for time synchronization)

–Sending and receiving encrypted data packets from VPN connections

–Requests to DNS servers

–Log messages

–Download of firmware updates

–Download of configuration profiles from a central server (if configured)

–SNMP traps

If this option is used, make the relevant entries afterwards. If it is not used, the affected data packets are routed via the default gateway specified for the client.

Network

Specify the network in CIDR format (see "CIDR (Classless Inter-Domain Routing)" on page 29).

Gateway

The gateway via which this network can be accessed.

The routes specified here are mandatory routes for data pack­ets created by the mGuard. This setting has priority over other settings (see also "Network example diagram" on page 30).

Settings for Stealth mode (static)

(Only when "static" stealth configura­tion is selected)

Client IP address

The IP address of the computer connected to the LAN port.

Client MAC address

The physical address of the network card of the local com­puter to which the mGuard is connected.

•The MAC address can be determined as follows:

In DOS (Start, All Programs, Accessories, Command Prompt), enter the following command: ipconfig /all

The MAC address does not necessarily have to be specified. The mGuard can automatically obtain the MAC address from the client. The MAC address 0:0:0:0:0:0 must be set in order to do this. Please note that the mGuard can only forward net­work packets to the client once the MAC address of the client has been determined.

If no Stealth Management IP Address or Client MAC address is configured in static Stealth mode, then DAD ARP requests are sent via the internal interface (see RFC 2131, "Dynamic Host Configuration Protocol", Section 4.4.1).

Secondary External Inter­face

(Not for TC MGUARD RS2000 3G, TC MGUARD RS2000 4G, FL MGUARD RS2005, FL MGUARD RS2000)

The secondary external interface can be used to transfer data traffic permanently or tem­porarily to the external network (WAN).

If the secondary external interface is activated, the following applies:

In Stealth network mode

Only the data traffic generated by the mGuard is subject to the routing specified for the secondary external interface, not the data traffic from a locally connected computer. Lo­cally connected computers cannot be accessed remotely either; only the mGuard itself can be accessed remotely – if the configuration permits this.

As in Router network mode, VPN data traffic can flow to and from the locally connected computers. Because this traffic is encrypted by the mGuard, it is seen as being generated by the mGuard.

In Router network mode

All data traffic, i.e., from and to locally connected computers, generated by the mGuard, can be routed to the external network (WAN) via the secondary external interface.

Network mode

Off / Modem / Built-in mobile network modem

Off

(Default). Select this setting if the operating environment of the mGuard does not require a secondary external interface. You can then use the serial interface (or the built-in modem, if pres­ent) for other purposes (see "Modem" on page 186).

Modem/Built-in modem

If you select one of these options, the secondary external in­terface will be used to route data traffic permanently or tempo­rarily to the external network (WAN).

The secondary external interface is created via the serial inter­face of the mGuard and an external modem connected to it.

Built-in mobile network modem

Firmware 5.2 or later supports an external or internal modem as a fallback for the external interface. From Version 8.0, this also includes the internal mobile network modem of the TC MGUARD RS4000 3G.

The modem can be used permanently as the secondary exter­nal interface.

In the event of a network error, it can also be used temporarily as a secondary external interface.

It supports dedicated routes and DNS configuration.

Secondary External Routes

(Not for TC MGUARD RS2000 3G, TC MGUARD RS2000 4G, FL MGUARD RS2005, FL MGUARD RS2000)

Notes on the Permanent / Temporary operation modes:

In both Permanent and Temporary mode, the modem must be available to the mGuard for the secondary external interface so that the mGuard can establish a connection to the WAN (Internet) via the telephone network connected to the modem.

Which data packets are routed via the primary external interface (Ethernet interface) and which data packets are routed via the secondary external interface is determined by the routing settings that are applied for these two external interfaces. Therefore an in­terface can only take a data packet if the routing setting for that interface matches the des­tination of the data packet.

Operation Mode

Permanent / Temporary

After selecting Modem, Built-in modem or Built-in mobile net­work modem network mode for the secondary external inter­face, the operating mode of the secondary external interface must be specified (see "Example of use of routing entries:" on page 158).

Permanent

Data packets whose destination corresponds to the routing settings specified for the secondary external interface are al­ways routed via this external interface. The secondary exter­nal interface is always activated.

Temporary

Data packets whose destination corresponds to the routing settings specified for the secondary external interface are only routed via this external interface when additional, separately defined conditions are met. Only then is the secondary exter­nal interface activated and the routing settings for the second­ary external interface take effect (see "Secondary External In­terface Probes" on page 156).

Network

Specify the routing to the external network here. Multiple routes can be specified. Data packets intended for these net­works are then routed to the corresponding network via the secondary external interface – in permanent or temporary mode.

Gateway

Specify the IP address (if known) of the gateway that is used for routing to the external network described above.

When you dial into the Internet using the phone number of the Internet service provider, the address of the gateway is usually not known until you have dialed in. In this case, enter %gate­way in the field as a placeholder.

Secondary External Inter­face Probes

(Only Temporary operation mode)

If the operating mode of the secondary external interface is set to Temporary, the follow­ing is checked using periodic ping tests: can a specific destination or destinations be reached when data packets take the route based on all the routing settings specified for the mGuard – apart from those specified for the secondary external interface? Only if none of the ping tests are successful does the mGuard assume that it is currently not pos­sible to reach the destination(s) via the primary external interface (Ethernet interface or WAN port of the mGuard). In this case, the secondary external interface is activated, which results in the data packets being routed via this interface (according to the routing setting for the secondary external interface).

The secondary external interface remains activated until the mGuard detects in subse­quent ping tests that the destination(s) can be reached again. If this condition is met, the data packets are routed via the primary external interface again and the secondary ex­ternal interface is deactivated.

Therefore, the purpose of the ongoing ping tests is to check whether specific destinations can be reached via the primary external interface. When they cannot be reached, the sec­ondary external interface is activated until they can be reached again.

Successful ping test

A ping test is successful if the mGuard receives a positive response to the sent ping re­quest packet within 4 seconds. If the response is positive, the peer can be reached.

Type

Specify the ping type of the ping request packet that the mGuard is to send to the device with the IP address specified under Destination.

Multiple ping tests can be configured for different destinations.

IKE ping

Determines whether a VPN gateway can be reached at the IP address specified.

ICMP ping

Determines whether a device can be reached at the IP ad­dress specified.

This is the most common ping test. However, the response to this ping test is disabled on some devices. This means that they do not respond even though they can be reached.

DNS ping

Determines whether an operational DNS server can be reached at the IP address specified.

A generic request is sent to the DNS server with the specified IP address, and every DNS server that can be reached re­sponds to this request.

Target

IP address of the probe target.

Probe interval (sec­onds)

The ping tests defined above under Probes for activation... are performed one after the other. When the ping tests defined are performed once in sequence, this is known as a test run. Test runs are continuously repeated at intervals. The interval entered in this field specifies how long the mGuard waits after starting a test run before it starts the next test run. The test runs are not necessarily completed: as soon as one ping test in a test run is successful, the subsequent ping tests in this test run are omitted. If a test run takes longer than the interval specified, then the subsequent test run is started directly after it.

Number of times all probes need to fail during subsequent runs before the sec­ondary external inter­face is activated

Specifies how many sequentially performed test runs must re­turn a negative result before the mGuard activates the sec­ondary external interface. The result of a test run is negative if none of the ping tests it contains were successful.

The number specified here also indicates how many consec­utive test runs must be successful after the secondary external interface has been activated before this interface is deacti­vated again.

DNS settings for the sec­ondary external interface

DNS Mode

Only relevant if the secondary external interface is activated in Temporary mode:

The DNS mode selected here specifies which DNS server the mGuard uses for temporary connections established via the secondary external interface.

Use primary DNS settings untouched

The DNS servers defined under Network >> DNS Server (see "Network >> DNS" on page 205) are used.

DNS root servers

Requests are sent to the root name servers on the Internet whose IP addresses are stored on the mGuard. These ad­dresses rarely change.

Provider-defined (via PPP dial-out)

The domain name servers of the Internet service provider that provide access to the Internet are used.

User-defined (servers listed below)

If this setting is selected, the mGuard will connect to the do­main name servers listed under User-defined name servers.

DNS server

(Only user-defined for DNS mode)

The IP addresses of domain name servers can be entered in this list. The mGuard uses this list for communication via the secondary external interface if this is activated temporarily.

This menu is only available on the TC MGUARD RS4000/RS2000 3G and TC MGUARD RS4000/RS2000 4G.

Off

Off

Off

-113 dBm ... -111 dBm

Extremely poor to no network reception

Yellow

Off

Off

-109 dBm ... -89 dBm

Adequate network reception

Yellow

Green

Off

-87 dBm ... -67 dBm

Good network reception

Yellow

Green

Green

-65 dBm ... -51 dBm

Very good network reception

Mobile Broadband Modem State

State of the mobile network interface

Indicates the state of the mobile network modem state ma­chine (e.g., dialing into the data network or SIM card error).

Power state of the mobile network / posi­tioning engine

Operating state: Engine is powered up / Engine is powered down

Temperature state of the modem

Temperature state of the mobile network modem

In the event that the temperature exceeds or falls below a crit­ical temperature, the mobile network modem switches off au­tomatically.

Signal strength

Strength of the mobile network signal, from
0% ... 100%, -113 dBm ... > -51 dBm

The optimum received power is 100% signal strength and - 51 dBm attenuation.

Currently selected SIM slot

Indicates which SIM card slot is used (SIM 1 or SIM 2).

State of the primary SIM

State of the SIM card or SIM tray in slot 1.

State of the secondary SIM

State of the SIM card or SIM tray in slot 2.

Mobile Network State

Modem network con­nection state

Connection state to the mobile data network:

Offline / Dialing in / Online

Currently used mobile network operator

Name of the mobile network provider currently used by the mGuard.

Roaming state of the mobile network engine

Possible states:

–Registered to home network

–Registered to foreign network

–Not registered

Mobile Network Radio Access Technology

Mobile network standard currently used

Public Land Mobile Network (PLMN) of the base station

(Only for "GSM/UMTS/LTE" network connection)

PLMN: unique identification number of the provider assigned to the base station

The PLMN consists of the three-digit Mobile Country Code (MCC) and the two-digit Mobile Network Code (MNC) (MCC + MNC = PLMN).

Location Area Code (LAC) of the base sta­tion

(Only for "GSM/UMTS/LTE" network connection)

LAC: area code, location in the mobile network (in decimal for­mat)

Cell ID (CID) of the base station

(Only for "GSM/UMTS/LTE" network connection)

CID: unique identification number of the mobile phone cell

Mobile network cdma2000 System ID

(Only for "CDMA" network con­nection)

SID: system identification number of the CDMA mobile phone cell

Mobile network cdma2000 Network ID

(Only for "CDMA" network con­nection)

NID: network identification number of the CDMA mobile phone cell

Mobile network cdma2000 Directory Number

(Only for "CDMA" network con­nection)

Phone number (Mobile Directory Number – MDN) assigned to the mGuard by the CDMA network provider (e.g., Verizon). Valid for the North American Numbering Plan (NANP).

The number is only displayed once successfully registered with the CDMA network provider (e.g., Verizon OTASP) (see below).

Mobile network cdma2000 OTASP Registration

(Only for "CDMA" network con­nection)

In order that the mGuard can be operated in the mobile net­work of the CDMA provider (e.g., Verizon), the necessary con­figurations must be requested and downloaded from the CDMA network provider once.

mGuard firmware Version 8.3 or earlier: the configuration is downloaded by clicking on the “Verizon registration” button (OTASP method). In order to do this, the mGuard must first be registered with and authorized by Verizon.

mGuard firmware Version 8.4 or later: the configuration is downloaded automatically as soon as the mGuard registered with and authorized by Verizon connects to the Verizon net­work via CDMA for the first time.

Following successful registration, the MDN is displayed under "Mobile Directory Number (MDN) or the CDMA cell".

Refresh OTASP regis­tration

If an already registered mGuard device is to be operated with a new mobile phone contract (e. g. data plan from Verizon) and a new mobile phone number, the registration must be re­peated.

Click on the "Refresh OTASP registration" button to down­load the new configuration. After successful registration, the new MDN will be displayed under "Mobile network cd­ma2000 Directory Number".

To refresh the registration on the command line, enter the fol­lowing command:

perform_action cdma/otasp_verizon .

Radio Settings

The explicit selection of mobile network frequencies is no longer necessary or possible from mGuard firmware Version 8.4. It is enough to simply select the mobile network stan­dard.

Mobile network stan­dard

(Device-specific)

No mobile network connection: mobile network connection disabled

GSM / UMTS / LTE: mobile network connection via the SIM card provider

CDMA: mobile network connection using the CDMA method without SIM card The MEID code, which is printed on the housing of the device used, is used for registration and autho­rization with the CDMA provider (e.g., Verizon). The configu­ration is registered and downloaded automatically with mGuard firmware Version 8.4 or later (see above).

2G (GPRS / EDGE / 1xRTT)

(Device-specific)

Depending on the selected mobile network standard, the data is transmitted using GPRS/EDGE (GSM/UMTS/LTE) or 1xRTT (CDMA).

3G (UMTS / EVDO)

(Device-specific)

Depending on the selected mobile network standard, the data is transmitted using UMTS (GSM/UMTS/LTE) or EVDO (CDMA).

4G (LTE)

(Device-specific)

The data is transmitted using LTE (GSM/UMTS/LTE).

Not displayed when "CDMA" used as mobile network standard.

Primary SIM (SIM 1)

Activation

You can activate or deactivate the use of the SIM card.

State of the primary SIM

The following statuses are displayed:

–SIM tray inserted and empty (without SIM card)

–No SIM tray (neither the SIM card nor tray are available)

–PIN required

–SIM card authorized (PIN)

–Wrong PIN

–PUK required (if the PIN is incorrectly entered too often)

–SIM card error

PIN of the SIM card

Numeric code provided by the mobile network provider. This field is left empty for SIM cards without a PIN.

Provider selection

You can restrict the SIM card registration to one provider from the list or allow all providers.

When All is selected, a suitable provider that is available is se­lected automatically.

Manual APN selection

(Only for TC MGUARD RS4000/RS2000 4G ATT and VZW)

Default: deactivated

The Access Point Name (APN) on the TC MGUARD RS4000/RS2000 4G ATT and VZW devices is automatically transmitted by the provider and applied by the device.

If errors occur during automatic transmission, the feature Manual APN selection must be activated and the APN must be entered in the field Access Point Name (APN) of the pro­vider (see below).

Access Point Name (APN) of the Provider

Enter the name of the access gateway for the packet transmis­sion of your mobile network provider. The APN can be ob­tained from your mobile network provider.

APN

(Only for TC MGUARD RS4000/RS2000 4G ATT and VZW)

The APN automatically obtained from the provider or entered manually is displayed.

Telephone number

(Only for TC MGUARD RS4000/RS2000 4G VZW)

The telephone number assigned to the SIM card is displayed.

OTA registration sta­tus

(Only for TC MGUARD RS4000/RS2000 4G VZW)

Status of the registration with the mobile network operator
Verizon.

PPP authentication

PPP authentication is required by some mobile network pro­viders for the transmission of packet data.

If you activate the function, you must also enter the corre­sponding access data (login and password).

PPP login

(only when “PPP authentication” function is activated)

Enter the PAP or CHAP user identifier (login) to log into the ac­cess gateway of the mobile network provider. This information can be obtained from your mobile network provider.

PPP password

(only when “PPP authentication” function is activated)

Enter the PAP or CHAP user password to log into the access gateway of the mobile network provider. This information can be obtained from your mobile network provider.

SIM Fallback

(Only if both SIM cards are activated)

(Not available at TC MGUARD RS4000/RS2000 4G ATT and VZW)

Switch back to the pri­mary SIM after

Specifies the time in hours (0 - 24) after which the secondary SIM card (SIM 2) switches back to the primary SIM card (SIM 1), provided the check of the targets was successful.

In the event of an error, it immediately switches back to the pri­mary SIM card.

If “0” is specified as the value, it only switches back to the pri­mary SIM card in the event of an error or after a restart.

SIM initialization time­out

Maximum time period for SIM initialization.

If this time is exceeded, switches to the other SIM if activated. Otherwise, the activated SIM is initialized again.

Mobile network regis­tration timeout

Maximum period of time between successful SIM initialization and connection with the voice network (text messages can be sent).

If this time is exceeded, switches to the other SIM if activated. Otherwise, waits until the mobile network modem can recon­nect to the voice network.

Relogin

Daily relogin

The connection to the mobile network provider is discon­nected and re-established daily at a fixed time in order to avoid forced disconnection by the provider.

Daily relogin at (hour) (minute)

(Only when “Daily relogin” func­tion is activated)

Time at which the connection is renewed.

Default: 0 h : 0 m

Values: 0 - 23 hours and 0 - 59 minutes

Mobile Network Supervi­sion

You can use the following probe targets to check whether data can actually be transmitted with an active mobile network connection with packet data transmission.

To do so, probe targets (hosts) in the Internet are pinged and therefore tested at specific intervals to see whether at least one of the targets can be reached. If the defined targets cannot be reached after specified intervals, the mobile network connection is perceived to be faulty.

If two SIM cards are configured, the mobile network connection is re-established with the SIM card that is currently not in use.

In the case of only one activated SIM card or in the CDMA process, the mobile network modem is reset and then the mobile network connection is reestablished.

Furthermore, state changes in mobile network supervision can be sent by e-mail, text message or SNMP trap.

Mobile network probes

Status of network supervision

Probe interval (min­utes)

Time between two tests in minutes

Value: 2 - 60 minutes (default: 5 minutes)

Number of times all probes need to fail before the mobile net­work connection is considered stalled

Number of attempts before the mobile network connection is considered to be aborted.

Value: 1 - 5 (default: 3)

Probe targets

Type: the ping type can be configured separately for each probe target:

–ICMP Ping (ICMP echo request, ICMP echo reply):

Determines whether a device can be reached at the IP ad­dress specified.

This is the most common ping test. However, the re­sponse to this ping test is disabled on some devices. This means that they do not respond even though they can be reached.

–DNS Ping (DNS query to UDP port 53):

Determines whether an operational DNS server can be reached at the IP address specified.

A generic request is sent to the DNS server with the spec­ified IP address, and every DNS server that can be reached responds to this request.

–IKE Ping (IPsec IKE query to UDP port 500):

Determines whether a VPN gateway can be reached at the IP address specified.

Destination: here you can enter the probe targets as host names or IP addresses. The probe targets are processed in the specified order.

Comment: freely selectable comment.

Text Message Notifications

Any text message recipient can be linked to predefined events and a freely definable mes­sage. The list is processed from top to bottom.

Text message recipi­ent number

Recipient number for the text message

Event

When the selected event occurs, the linked recipient number is selected and the event is sent to them as a text message.

A text message can also be stored and sent.

A complete list of all events can be found under "Event table" on page 69.

Selector

(When an appropriate event is selected: OpenVPN Connection Activation state- or IPsec VPN Connection)

A configured VPN connection can be selected here, which is monitored via text message.

Text message content

Here you can enter the text that is sent as a text message.

Maximum of 160 characters from the GSM-based alphabet (see Text Message Character Set) or 70 Unicode symbols.

The text is freely definable. You can use blocks from the event table which can be inserted as placeholders in plain text (\A and \V) or in machine-readable format (\a and v\). Time stamps in the form of a placeholder (\T or \t (machine read­able)) can also be inserted (see "Event table" on page 69).

Incoming

Incoming text messages can be used to start or stop VPN connections. The text message must contain a configured token and the corresponding command for the relevant VPN connection.

Telephone number and content of the last incoming text mes­sage

Displays the sender number and message of the last incoming text message.

Send text message

Send text message now

Recipient number

Enter the telephone number of the recipient of the text mes­sage (maximum 20 digits, and a '+' for international telephone numbers).

Message

Enter the text that is to be sent as a text message here.

Maximum of 160 characters from the GSM-based alphabet (see Text Message Character Set) or 70 Unicode symbols.

Send text message now

Click on the “Send text message now” button to send the mes­sage.

Text Message Character Set

In firmware versions prior to 8.3, the approach was to try and send a maximum number of characters in one text message. Since some telecommunications providers do not ad­here to standards, some text messages were not sent accurately (word-for-word). This led to problems in automated applications.

In order to ensure word-for-word transmission, the characters used needed to be re­stricted to the following basic character set:

–(space)

–0-9

–a - z

–A - Z

–! " # % & ( ) * + , - / : ; < = > ?

Restrict outgoing text messages to basic character set

In order to force the use of the basic character set, activate the function.

Once activated, a text message sent by the mGuard is not translated into the language set for the web user interface; it is always sent in English. This does not affect e-mail notifications that are sent.

Outgoing

Telephone number and content of the last outgoing text mes­sage

Sender number and message of the last text message sent.

State of the last outgo­ing text message

State of the last text message sent.

Depending on the device, this menu is not available on all mobile devices.

Settings

Enable positioning engine

When you enable this function, the position of the mGuard is determined.

Update system time

When the function is activated, the local system time is syn­chronized by means of the positioning system used.

If time synchronization by means of NTP server is activated at the same time (see "Enable NTP time synchronization" on page 53), all sources are used to determine the time.

Current Position

Validity of the posi­tional data

Indicates whether valid position data is available for the mGuard.

Number of satellites

Displays the number of available GPS/GLONASS satellites for the mGuard which are available for position determination.

Latitude of the current position

Displays the current latitude of the mGuard position.

Longitude of the cur­rent position

Displays the current longitude of the mGuard position.

Show in OpenStreet­Map

A link to OpenStreetMap is generated from the mGuard posi­tion data, which can be used with a web browser to display a map view of the current position of the mGuard.

Only for TC MGUARD RS4000 3G, TC MGUARD RS4000 4G, FL MGUARD RS4000, FL MGUARD RS4004, mGuard Centerport (Innominate), FL MGUARD CENTERPORT, FL MGUARD RS, FL MGUARD BLADE, FL MGUARD DELTA, mGuard delta (Innominate)

PPP Dial-out Options

(Not for TC MGUARD RS2000 3G, TC MGUARD RS2000 4G, FL MGUARD RS2005, FL MGUARD RS2000)

Phone number to call

Phone number of the Internet service provider. The connec­tion to the Internet is established after establishing the tele­phone connection.

Command syntax: together with the previously set ATD modem command for dialing, the following dial sequence, for example, is created for the connected modem: ATD765432.

A compatible pulse dialing procedure that works in all scenar­ios is used as standard.

Special dial characters can be used in the dial sequence.

HAYES special dial characters

–W: instructs the modem to insert a dialing pause at this point until the dial tone can be heard.

Used when the modem is connected to a private branch exchange. An outside line must be obtained first for out­going calls by dialing a specific number (e.g., 0) before the phone number of the relevant subscriber can be di­aled.

Example: ATD0W765432

–T: switch to tone dialing.

Insert the special dial character T before the phone num­ber if the faster tone dialing procedure is to be used (with tone-compatible telephone connections). Example: AT­DT765432

Authentication

PAP / CHAP / None

–PAP = Password Authentication Protocol

–CHAP = Challenge Handshake Authentication Protocol

These terms describe procedures for the secure transmission of authentication data using the Point-to-Point Protocol.

If the Internet service provider requires the user to log in using a user name and password, then PAP or CHAP is used as the authentication method. The user name, password, and any other data that must be specified by the user to establish a connection to the Internet are given to the user by the Internet service provider.

The corresponding fields are displayed depending on whether PAP, CHAP or None is selected. Enter the corresponding data in these fields.

If authentication is via PAP:

User name

User name specified during Internet service provider login to access the Internet.

Password

Password specified during Internet service provider login to access the Internet.

PAP server authenti­cation

The following two input fields are shown when the function is activated:

User name of the server

User name and password that the mGuard requests from the server. The mGuard only allows the connection if the server returns the agreed user name/password combination.

Server password

Subsequent fields

See under "If “None” is selected as the authentication method" on page 179.

If authentication is via CHAP:

Local name

A name for the mGuard that it uses to log into the Internet ser­vice provider. The service provider may have several custom­ers and it uses this name to identify who is attempting to dial in.

After the mGuard has logged into the Internet service provider with this name, the service provider also compares the pass­word specified for client authentication (see below).

The connection can only be established successfully if the name is known to the service provider and the password matches.

Remote name

A name given to the mGuard by the Internet service provider for identification purposes. The mGuard will not establish a connection to the service provider if the ISP does not give the correct name.

Password for client authentication

Password that must be specified during Internet service pro­vider login to access the Internet.

CHAP server authenti­cation

The following two input fields are shown when the function is activated:

Password for server authentication

Password that the mGuard requests from the server. The mGuard only allows the connection if the server returns the agreed password.

Subsequent fields

See "If “None” is selected as the authentication method" on page 179.

If “None” is selected as the authentication method

In this case, the fields that relate to the PAP or CHAP authen­tication methods are hidden.

Only the fields that define further settings remain visible below.

PPP Dial-out Options

Dial on demand

If the function is activated (default): this setting is useful for telephone connections where costs are calculated according to the connection time.

The mGuard only commands the modem to establish a tele­phone connection when network packets are actually to be transferred. It also instructs the modem to terminate the tele­phone connection as soon as no more network packets are to be transmitted for a specific time (see value in Idle timeout field). By doing this, however, the mGuard is not constantly available externally, i.e., for incoming data packets.

–Often: the mGuard is configured so that it synchronizes its system time (date and time) regularly with an external NTP server.

–Sporadically: the mGuard acts as a DNS server and must perform a DNS request for a client.

–After a restart: an active VPN connection is set to Initiate. If this is the case, the mGuard establishes a connection after every restart.

–After a restart: for an active VPN connection, the gateway of the peer is specified as the host name. After a restart, the mGuard must request the IP address that corre­sponds to the host name from a DNS server.

–Often: VPN connections are set up and DPD messages are sent regularly (see "Dead Peer Detection" on page 357).

–Often: the mGuard is configured to send its external IP address regularly to a DNS service, e.g., DynDNS, so that it can still be accessed via its host name.

–Often: the IP addresses of peer VPN gateways must be requested from the DynDNS service or they must be kept up to date by new queries.

–Sporadically: the mGuard is configured so that SNMP traps are sent to the remote server.

–Sporadically: the mGuard is configured to permit and accept remote access via HTTPS, SSH or SNMP. (The mGuard then sends reply packets to every IP address from which an access attempt is made (if the firewall rules permit this access)).

–Often: the mGuard is configured to connect to an HTTPS server at regular intervals in order to download any configuration profiles available there (see "Management >> Central Management" on page 114).

When the function is deactivated, the mGuard establishes a telephone connection using the connected modem as soon as possible after a restart or activation of Modem network mode. This remains permanently in place, regardless of whether or not data is transmitted. If the telephone connection is then in­terrupted, the mGuard attempts to restore it immediately. Thus a permanent connection is created, like a permanent line. By doing this, the mGuard is constantly available exter­nally, i.e., for incoming data packets.

Idle timeout

Only considered when Dial on demand is activated.

When the function is activated (default), the mGuard termi­nates the telephone connection as soon as no data traffic is transmitted over the time period specified under Idle time. The mGuard gives the connected modem the relevant command for terminating the telephone connection.

When the function is deactivated, the mGuard does not give the connected modem a command for terminating the tele­phone connection.

Idle time (seconds)

Default: 300 seconds (00:05:00)

If there is still no data traffic after the time specified here has elapsed, the mGuard can terminate the telephone connection (see above under Idle timeout).

The entry can be in seconds [ss], minutes and seconds [mm:ss] or hours, minutes, and seconds [hh:mm:ss].

Local IP

IP address of the serial interface of the mGuard that now acts as the WAN interface. If this IP address is assigned dynami­cally by the Internet service provider, use the preset value: 0.0.0.0.

Otherwise, e.g., for the assignment of a fixed IP address, enter this here.

Remote IP

IP address of the peer. When connecting to the Internet, this is the IP address of the Internet service provider, which is used to provide access to the Internet. As the Point-to-Point Proto­col (PPP) is used for the connection, the IP address does not usually have to be specified. This means you can use the pre­set value: 0.0.0.0.

Netmask

The netmask specified here belongs to both the Local IP ad­dress and the Remote IP address. Normally all three values (Local IP, IP address of peer, Netmask) are either fixed or re­main set to 0.0.0.0.

Enter the connection settings for an external modem on the Modem tab page (see "Modem" on page 186).

Only for TC MGUARD RS4000 3G, FL MGUARD RS4004, FL MGUARD RS4000, mGuard Centerport (Innominate), FL MGUARD CENTERPORT, FL MGUARD RS, FL MGUARD BLADE, FL MGUARD DELTA, mGuard delta (Innominate)

PPP Dial-in Options

(Not for TC MGUARD RS2000 3G, TC MGUARD RS2000 4G, FL MGUARD RS2005, FL MGUARD RS2000)

Should only be configured if the mGuard is to permit PPP dial-in via one of the following:

–A modem connected to the serial interface

–A built-in modem (as option for the FL MGUARD RS)

–A built-in mobile network modem (for TC MGUARD RS4000 3G, TC MGUARD RS4000 4G).

PPP dial-in can be used to access the LAN (or the mGuard for configuration purposes) (see "Modem" on page 186).

If the modem is used for dialing out by acting as the primary external interface (Modem network mode) of the mGuard or as its secondary external interface (when activated in Stealth or Router network mode), it is not available for the PPP dial-in option.

Modem (PPP)

(Only for TC MGUARD RS4000 3G, TC MGUARD RS4000 4G, FL MGUARD RS4000, FL MGUARD RS4004, FL MGUARD RS (without built-in modem/ISDN TA), FL MGUARD DELTA, mGuard delta (Innominate))

Off / Internal Modem / External Modem

This option must be set to “Off” if no serial interface and no in­ternal modem is to be used for the PPP dial-in option.

If this option is set to Internal/External Modem, the PPP dial-in option is available. The connection settings for the con­nected external modem should be made on the Modem tab page.

Modem (PPP)

(Only for FL MGUARD RS (with built-in modem/ISDN TA))

Off / Built-in modem / External Modem

This option must be set to Off if no serial interface should be used for the PPP dial-in option.

If this option is set to External Modem, the PPP dial-in option is available. An external modem must then be connected to the serial interface. The connection settings for the connected external modem should be made on the Modem tab page.

If this option is set to Built-in modem, the PPP dial-in option is available. In this case, the modem connection is not estab­lished via the serial socket on the front. Instead it is estab­lished via the terminal strip on the bottom where the built-in modem or built-in ISDN terminal adapter is connected to the telephone network. The connection settings for the built-in modem should be made on the Modem tab page.

If the Built-in modem option is used, the serial interface can also be used. For the options for using the serial interface, see "Modem" on page 186.

Local IP

IP address of the mGuard via which it can be accessed for a PPP connection.

Remote IP

IP address of the peer of the PPP connection.

PPP login

User identifier (login) that must be specified by the PPP peer in order to access the mGuard via a PPP connection.

PPP password

The password that must be specified by the PPP peer in order to access the mGuard via a PPP connection.

Incoming Rules (PPP)

Firewall rules for incoming PPP connections to the LAN interface.

If multiple firewall rules are defined, these are queried starting from the top of the list of entries until an appropriate rule is found. This rule is then applied. If the list of rules con­tains further subsequent rules that could also apply, these rules are ignored.

The following options are available:

Incoming firewall rules (serial interface)

Protocol

All means TCP, UDP, ICMP, GRE, and other IP protocols

From IP / To IP

0.0.0.0/0 means all IP addresses. To specify an address area, use CIDR format (see "CIDR (Classless Inter-Domain Rout­ing)" on page 29).

From port / To port

(Only for TCP and UDP proto­cols)

any refers to any port.

startport:endport (e.g., 110:120) refers to a port range.

Individual ports can be specified using the port number or the corresponding service name (e.g., 110 for pop3 or pop3 for 110).

Action

Accept means that the data packets may pass through.

Reject means that the data packets are sent back and the sender is informed of their rejection.

Drop means that the data packets are not permitted to pass through. They are discarded, which means that the sender is not informed of their whereabouts.

Name of rule sets, if defined. When a rule set is selected, the firewall rules configured under this rule set take effect (see "Rule Records" on page 270).

Name of Modbus TCP rule sets, if defined. When a Modbus TCP rule set is selected, the firewall rules configured under this rule set take effect (see "Modbus TCP" on page 283).

Comment

Freely selectable comment for this rule.

Log

For each individual firewall rule, you can specify whether the use of the rule:

–Should be logged – activate Log function

–Should not be logged – deactivate Log function (default)

Log entries for unknown connection attempts

When the function is activated, all connection attempts that are not covered by the rules defined above are logged.

Outgoing Rules (PPP)

Firewall rules for outgoing PPP connections from the LAN interface.

The parameters correspond to those under Incoming Rules (PPP).

These outgoing rules apply to data packets that are sent out via a data link initiated by PPP dial-in.

Only for TC MGUARD RS4000 3G, TC MGUARD RS2000 3G (only console), FL MGUARD RS4004, FL MGUARD RS4000/RS2000, mGuard Centerport (Innominate), FL MGUARD CENTERPORT, FL MGUARD RS, FL MGUARD SMART2, FL MGUARD DELTA (not FL MGUARD SMART 533/266, FL MGUARD PCI(E)4000, FL MGUARD BLADE, mGuard delta (Innominate).

External Modem

(Not for TC MGUARD RS2000 3G, TC MGUARD RS2000 4G, FL MGUARD RS2005, FL MGUARD RS2000)

Hardware handshake RTS/CTS

Off / On

When set to On, flow is controlled by means of RTS and CTS signals for PPP connections.

Baud rate

Default: 57600 / (FL MGUARD GT/GT: 38400).

Transmission speed for communication between the mGuard and modem via the serial connecting cable between both de­vices.

This value should be set to the highest value supported by the modem. If the value is set lower than the maximum possible speed that the modem can reach on the telephone line, the telephone line will not be used to its full potential.

Handle modem trans­parently (for dial-in only)

If the external modem is used for dial-in (see Page 183), acti­vation of the function means that the mGuard does not initial­ize the modem. The subsequently configured modem initial­ization sequence is not observed. Thus, either a modem is connected which can answer calls itself (default profile of the modem contains “auto answer”) or a null modem cable to a computer can be used instead of the modem, and the PPP protocol is used over this.

Modem init string

Specifies the initialization sequence that the mGuard sends to the connected modem.

Default: '' \d+++\dATH OK

Consult the modem user manual for the initialization sequence for this modem.

The initialization sequence is a sequence of character strings expected by the modem and commands that are then sent to the modem so that the modem can establish a connection.

’’ (two simple quotation marks placed directly after one an­other)

The empty character string inside the quotation marks means that the mGuard does not initially expect any information from the connected modem, but instead sends the follow­ing text directly to the modem.

\d+++\dATH

The mGuard sends this character string to the modem in order to determine whether the modem is ready to accept commands.

OK

Specifies that the mGuard expects the OK character string from the modem as a re­sponse to \d+++\dATH.

On many modem models it is possible to save modem default settings to the modem it­self. However, this option should not be used.

Initialization sequences should be configured externally instead (i.e., on the mGuard). In the event of a modem fault, the modem can then be replaced quickly and smoothly with­out changing the modem default settings.

If the external modem is to be used for incoming calls without the modem default settings being entered accordingly, then you have to inform the modem that it should accept in­coming calls after it rings.

If using the extended HAYES command set, append the character string “ AT&S0=1 OK” (a space followed by “AT&S0=1”, followed by a space, followed by “OK”) to the initializa­tion sequence.

Depending on their default settings, some external modems require a physical connec­tion to the DTR cable of the serial interface in order to operate correctly.

Because the mGuard models do not provide this cable at the external serial interface, the character string “ AT&D0 OK” (a space followed by “AT&D0”, followed by a space, fol­lowed by “OK”) must be appended to the above initialization sequence. According to the extended HAYES command set, this sequence means that the modem does not use the DTR cable.

If the external modem is to be used for outgoing calls, it is connected to a private branch exchange, and if this private branch exchange does not generate a dial tone after the con­nection is opened, then the modem must be instructed not to wait for a dial tone before dialing.

In this case, append the character string “ ATX3 OK” (a space followed by “ATX3”, fol­lowed by a space, followed by “OK”) to the initialization sequence.

In order to wait for the dial tone, the control character “W” should be inserted in the Phone number to call after the digit for dialing an outside line.

External Modem

As for the TC MGUARD RS4000 3G, TC MGUARD RS4000 4G, FL MGUARD RS4004, FL MGUARD RS (without built-in modem), FL MGUARD DELTA, mGuard Centerport (Innominate), FL MGUARD CENTERPORT, FL MGUARD BLADE, mGuard delta (Innominate):

Configuration as above for External Modem (see "External Modem" on page 187).

Built-in Modem (analog)

Country

The country where the mGuard with built-in modem is oper­ated must be specified here. This ensures that the built-in modem operates according to the applicable remote access guidelines in the respective country and that it recognizes and uses dial tones correctly, for example.

Extension line (regarding dial tone)

When set to No, the mGuard waits for the dial tone when the telephone network is accessed and the mGuard is calling the peer.

When set to Yes, the mGuard does not wait for a dial tone. In­stead it begins dialing the peer immediately. This procedure may be necessary if the built-in modem of the mGuard is con­nected to a private branch exchange that does not emit a dial tone when it is “picked up”. When a specific number must be dialed to access an outside line, e.g., “0”, this number should be added to the start of the desired peer phone number that is to be dialed.

Speaker volume (built-in speaker)

Speaker control (built-in speaker)

These two settings specify which sounds should be emitted by the mGuard speaker and at what volume.

External Modem

As for the FL MGUARD RS4000, TC MGUARD RS4000 3G, TC MGUARD RS4000 4G, FL MGUARD RS4004, FL MGUARD RS (without built-in modem), mGuard Centerport (Innominate), FL MGUARD CENTERPORT, FL MGUARD BLADE, mGuard delta (Innominate):

Configuration as above for External Modem (see "External Modem" on page 187).

Built-in Modem (ISDN)

1st MSN

For outgoing calls, the mGuard transmits the MSN (Multiple Subscriber Number) entered here to the called peer. In addi­tion, the mGuard can receive incoming calls via this MSN (pro­vided dial-in operation is enabled, see General tab page).

Maximum of 25 alphanumeric characters; the following spe­cial characters can be used: *, #, : (colon)

2nd MSN

If the mGuard should also receive incoming calls via another number for dial-in operation (if enabled), enter the second MSN here.

ISDN protocol

The EuroISDN protocol (also known as NET3) is used in Ger­many and many other European countries.

Otherwise the ISDN protocol should be specified according to the country. If necessary, this must be requested from the rel­evant phone company.

Layer-2 protocol

The set of rules used by the ISDN terminal adapter of the local mGuard to communicate with its ISDN peer. This generally is the ISDN modem of the Internet service provider used to es­tablish the connection to the Internet. It must be requested from the Internet service provider. PPP/ML-PPP is often used.

Only for TC MGUARD RS4000 3G, TC MGUARD RS2000 3G (only console), FL MGUARD RS4004, FL MGUARD RS4000/RS2000, mGuard Centerport (Innominate), FL MGUARD CENTERPORT, FL MGUARD RS, FL MGUARD SMART2, FL MGUARD DELTA (not FL MGUARD SMART 533/266, FL MGUARD PCI(E)4000, FL MGUARD BLADE, mGuard delta (Innominate).

Serial Console

Baud rate

9600 / 19200 / 38400 / 57600 (default) / 115200

(Default for FL MGUARD GT/GT: 38400)

The transmission speed of the serial interface is specified via the selection list.

Hardware handshake RTS/CTS

Off / On

When set to On, flow is controlled by means of RTS and CTS signals.

Serial console via USB

(Only FL MGUARD SMART2)

When the function is deactivated, the FL MGUARD SMART2 uses the USB connection solely as a power supply.

When the function is activated, the FL MGUARD SMART2 provides an additional serial interface for the connected com­puter through the USB interface. The serial interface can be accessed on the computer using a terminal program. The FL MGUARD SMART2 provides a console through the serial in­terface, which can then be used in the terminal program.

A special driver is required under Windows in order to use the serial console via USB. This can be downloaded directly from the mGuard.

Serial USB driver (Windows)

(Only FL MGUARD SMART2)

Click on the “Download Windows Driver from device” button to download the Windows driver.

COM Server

(Only for mGuard platforms with serial interface)

The mGuard platforms with a serial interface have an integrated COM server as of firm­ware 8.0. This enables serial interface data exchange via an IP connection.

Three options are available.

–RFC 2217 (Telnet server, complies with RFC 2217).

In this mode, the serial interface can be configured via client software in the network. The Telnet server is available via the port which is defined under "Local port" .

–RAW client

In this mode, the mGuard initiates a connection to the address which is set under "IP address of the peer" . The connection is established via the port which is configured under "Remote port" .

The interface can be configured here ("Serial parameters" ). The settings of the serial console are used for the baud rate and the hardware handshake (see "External Mo­dem" under "Network >> Serial interface >> Modem" ).

–RAW server

Behaves in the same way as the RAW client. However, the RAW server responds to in­coming connections via the port which is configured under "Local port" .

Type

Here you can select the way that the COM server should op­erate.

Possible options are: RFC 2217, RAW client, RAW server.

IP address of the peer

(only for RAW client type)

Default: 10.1.0.254

Defines the IP address of the peer.

Local port

(only for RFC 2217 and RAW server type)

Default: 3001

Defines the port that the COM server should respond to.

Values: 1 - 65535.

Remote port

(only for RAW client type)

Default: 3001

Defines the port to which the RAW client sends the data.

Values: 1 - 65535.

Via VPN

(only for RAW client type)

The COM servers request is, where possible, carried out via a VPN tunnel.

When the function is activated, communication with the server is always via an encrypted VPN tunnel if a suitable one is avail­able.

If the function is deactivated or if no suitable VPN tunnel is available, the traffic is sent unencrypted via the default gate­way.

Serial parameters

Defines the parity and stop bits for the serial interface.

Supported packet lengths of the serial interface: 8 Bit / 7 Bit.

–8 Bits (7 Bits), 1 stop bit, no parity (standard with 8 Bit)

–8 Bits (7 Bits), 1 stop bit, even parity

–8 Bits (7 Bits), 1 stop bit, odd parity

–8 Bits (7 Bits), 2 stop bits, no parity

–8 Bits (7 Bits), 2 stop bits, even parity

–8 Bits (7 Bits), 2 stop bits, odd parity

COM Server Allowed Net­works

Access rules can be defined for the COM server to prevent unauthorized access to it.

The default rule does not allow any access via the external interface.

From IP

0.0.0.0/0 means all IP addresses.

To specify an address area, use CIDR format (see "CIDR (Classless Inter-Domain Routing)" on page 29).

Interfaces

Internal / External / External 2 / DMZ / VPN / GRE / Dial-in

Interface for which the rule should apply.

Action

Accept means that the data packets may pass through.

Reject means that the data packets are sent back. The sender is informed of their rejection.

Drop means that the data packets are not permitted to pass through. The sender is not informed of their whereabouts.

Comment

Freely selectable comment for this rule.

Log

For each firewall rule you can specify whether the event is to be logged if the rule is applied.

Port Mirroring

(Only for TC MGUARD RS4000 3G, TC MGUARD RS4000 4G, FL MGUARD RS4004)

Port mirroring receiver

The integrated switch controls port mirroring in order to moni­tor the network traffic. Here, you can decide which ports you want to monitor. The switch then sends copies of data packets from the monitored ports to a selected port.

The port mirroring function enables any packets to be for­warded to a specific recipient. You can select the receiver port or the mirroring of the incoming and outgoing packets from each switch port.

MAU Configuration

(Not for TC MGUARD RS2000 3G, TC MGUARD RS2000 4G)

Configuration and status indication of the Ethernet connections:

Port

Name of the Ethernet connection to which the row refers.

Media type

Media type of the Ethernet connection.

Automatic configura­tion

Activated: tries to determine the required operating mode au­tomatically.

Deactivated: uses the operating mode specified in the “Man­ual configuration” column.

Manual configuration

The desired operating mode when Automatic configuration is deactivated.

Current mode

The current operating mode of the network connection.

Port on

Switches the Ethernet connection on or off.

The Port on function is not supported by the mGuard Centerport (Innominate) or FL MGUARD CENTERPORT.

The Port on function is supported with restrictions on:

mGuard delta (Innominate): the internal side (switch ports) cannot be switched off.

FL MGUARD PCI 533/266: in driver mode, the internal net­work interface cannot be switched off (however, this is possi­ble in Power-over-PCI mode).

Link supervision

Only visible when the "Management >> Service I/O >> Alarm output"  menu item under Management >> Service I/O >> Alarm output is set to “Supervise”.

If link supervision is active, the alarm output is opened if one link does not indicate connectivity.

Port mirroring

The port mirroring function enables any packets to be for­warded to a specific recipient. You can select the receiver port or the mirroring of the incoming and outgoing packets from each switch port.

Address Resolution Table

(Only for TC MGUARD RS4000 3G, TC MGUARD RS4000 4G, FL MGUARD RS4004)

Port

Name of the Ethernet connection to which the row refers.

MAC addresses

Lists the MAC addresses of the connected Ethernet-capable devices.

The switch can learn MAC addresses which belong to the ports of its connected Ethernet-capable devices. The contents of the list can be deleted by clicking on the “Purge” button.

Port Statistics

(Only for TC MGUARD RS4000 3G, TC MGUARD RS4000 4G, FL MGUARD RS4004)

A statistic is displayed for each physically accessible port of the integrated Managed Switch. The counter can be reset via the web interface or the following command:

/Packages/mguard-api_0/mbin/action switch/reset-phy-counters

Port

Name of the Ethernet connection to which the row refers.

TX collisions

Number of errors while sending the data

TX octets

Data volume sent

RX FCS errors

Number of received frames with invalid checksum

RX good octets

Volume of the valid data received

Only available with the TC MGUARD RS4000 3G, TC MGUARD RS4000 4G, FL MGUARD RS4004.

Static Multicast Groups

Static Multicast Groups

Multicast is a technology which enables data to be sent to a group of recipients, without the transmitter having to send it multiple times. The data replication takes place through the distributor within the network.

You can create a list of multicast group addresses. The data is forwarded to the configured ports (LAN1 ...  LAN5).

General Multicast Configu­ration

IGMP snooping

The switch uses IGMP snooping to guarantee that multicast data is only forwarded via ports which are intended for this use.

IGMP snoop aging

Period, after which membership to the multicast group ex­pires, in seconds.

IGMP query

IGMP is used to join and leave a multicast group. Here, the IGMP version can be selected (Version v3 is not supported).

IGMP query interval

Interval in which IGMP queries are generated in seconds

Multicast Groups

Displays the multicast groups. The display contains all static entries and the dynamic en­tries which are discovered by IGMP snooping.

ARP Timeout

ARP Timeout

Service life of entries in the ARP table.

The entry can be in seconds [ss], minutes and seconds [mm:ss] or hours, minutes, and seconds [hh:mm:ss].

MAC and IP addresses are assigned to each other in the ARP table.

The MTU settings

MTU of the ... interface

The maximum transfer unit (MTU) defines the maximum IP packet length that may be used for the relevant interface.

The following applies for a VLAN interface:

Network Address Transla­tion/IP Masquerading

Lists the rules established for NAT (Network Address Translation).

For outgoing data packets, the device can rewrite the specified sender IP addresses from its internal network to its own external address, a technique referred to as NAT (Network Address Translation), see also NAT (Network Address Translation) in the glossary.

This method is used if the internal addresses cannot or should not be routed externally, e.g., because a private address area such as 192.168.x.x or the internal network structure should be hidden.

The method can also be used to hide external network structures from the internal de­vices. To do so, set the Internal option under Outgoing on interface. The Internal set­ting allows for communication between two separate IP networks where the IP devices have not configured a (useful) default route or differentiated routing settings (e.g., PLCs without the corresponding settings). The corresponding settings must be made under 1:1 NAT.

This method is also referred to as IP masquerading.

Default setting: NAT is not active.

Outgoing on interface

Internal / External / External 2 / DMZ / Any External¹

Specifies via which interface the data packets are sent so that the rule applies to them. Any External refers to the External and External 2 interfaces.

Masquerading is defined, which applies for network data flows in Router mode. These data flows are initiated so that they lead to a destination device which can be accessed over the selected network interface on the mGuard.

To do this, the mGuard replaces the IP address of the initiator with a suitable IP address of the selected network interface in all associated data packets. The effect is the same as for the other values of the same variables. The IP address of the initi­ator is hidden from the destination of the data flow. In particu­lar, the destination does not require any routes in order to re­spond in a data flow of this type (not even a default route (default gateway)).

From IP

0.0.0.0/0 means that all internal IP addresses are subject to the NAT procedure. To specify an address area, use CIDR for­mat (see "CIDR (Classless Inter-Domain Routing)" on page 29).

Name of IP groups, if defined. When a name is specified for an IP group, the host names, IP addresses, IP areas or net­works saved under this name are taken into consideration (see "IP/Port Groups" on page 276).

Comment

Can be filled with appropriate comments.

1:1 NAT

Lists the rules established for 1:1 NAT (Network Address Translation).

With 1:1 NAT, the sender IP addresses are exchanged so that each individual address is exchanged with another specific address, and is not exchanged with the same address for all data packets, as in IP masquerading. This enables the mGuard to mirror addresses from the real network to the virtual network.

Example:

The mGuard is connected to network 192.168.0.0/24 via its LAN port and to network 10.0.0.0/24 via its WAN port. By using 1:1 NAT, the LAN computer with IP address 192.168.0.8 can be accessed via IP address 10.0.0.8 in the virtual network.

The mGuard claims the IP addresses entered for the “Virtual network” for the devices in its “Real network”. The mGuard returns ARP answers for all addresses from the specified “Virtual network” on behalf of the devices in the “Real network”. The IP addresses entered under “Virtual network” must not be used. They must not be assigned to other devices or used in any way, as an IP address conflict would otherwise occur in the virtual network. This even applies when no device exists in the “Real network” for one or more IP ad­dresses from the specified “Virtual network”.

Default setting: 1:1 NAT is not active.

Real network

The real IP address of the client that should be reachable from another network via the virtual IP address (depending on the scenario at LAN, WAN, or DMZ port).

One or more clients can be reachable depending on the net­work mask.

From mGuard firmware 8.0.0, 1:1-NAT between all interfaces is possible (LAN <–> WAN, LAN <–> DMZ, DMZ <–> WAN).

Virtual network

The virtual IP address with which the clients are reachable from the other network (depending on the scenario at LAN, WAN, or DMZ port).

From mGuard firmware 8.0.0, 1:1-NAT between all interfaces is possible (LAN <–> WAN, LAN <–> DMZ, DMZ <–> WAN).

Netmask

The netmask as a value between 1 and 32 for the local and ex­ternal network address (see also "CIDR (Classless Inter-Do­main Routing)" on page 29).

Enable ARP

When the function is activated, ARP requests sent to the vir­tual network are answered on behalf of the mGuard. This means that hosts located in the real network can be accessed via their virtual address.

When the function is deactivated, ARP requests sent to the vir­tual network remain unanswered. This means that hosts in the real network cannot be accessed.

Comment

Can be filled with appropriate comments.

¹External 2 and Any External are only for devices with a serial interface: TC MGUARD RS4000/RS2000 3G, TC MGUARD RS4000/RS2000 4G, FL MGUARD RS4004/RS2005, FL MGUARD RS4000/RS2000, mGuard Centerport (Innominate), FL MGUARD CENTERPORT, FL MGUARD RS, FL MGUARD BLADE, FL MGUARD DELTA, mGuard delta (Innominate) (see "Secondary External Interface" on page 152).

IP and Port Forwarding

Lists the rules defined for port forwarding (DNAT = Destination NAT).

IP and port forwarding performs the following: the headers of incoming data packets from the external network, which are addressed to the external IP address (or one of the exter­nal IP addresses) of the mGuard and to a specific port of the mGuard, are rewritten in order to forward them to a specific computer in the internal network and to a specific port on this computer. In other words, the IP address and port number in the header of incom­ing data packets are changed.

IP and port forwarding from the internal network behaves as described above.

Protocol: TCP / UDP / GRE

Specify the protocol to which the rule should apply.

GRE

GRE protocol IP packets can be forwarded. However, only one GRE connection is supported at any given time. If more than one device sends GRE packets to the same external IP address, the mGuard may not be able to feed back reply pack­ets correctly. We recommend only forwarding GRE packets from specific transmitters. These could be ones that have had a forwarding rule set up for their source address by entering the transmitter address in the “From IP” field, e.g., 193.194.195.196/32.

From IP

The sender address for forwarding.

0.0.0.0/0 means all addresses. To specify an address area, use CIDR format (see "CIDR (Classless Inter-Domain Rout­ing)" on page 29).

Name of IP groups, if defined. When a name is specified for an IP group, the host names, IP addresses, IP areas or net­works saved under this name are taken into consideration (see "IP/Port Groups" on page 276).

From port

The sender port for forwarding.

any refers to any port.

Either the port number or the corresponding service name can be specified here, e.g., pop3 for port 110 or http for port 80.

Name of port groups, if defined. When a name is specified for a port group, the ports or port ranges saved under this name are taken into consideration (see "IP/Port Groups" on page 276).

Incoming on IP

–Specify the external IP address (or one of the external IP addresses) of the mGuard here, or

–Specify the internal IP address (or one of the internal IP addresses) of the mGuard here, or

–Use the variable %extern (if the external IP address of the mGuard is changed dynamically so that the external IP address cannot be specified).

If multiple static IP addresses are used for the WAN port, the %extern variable always refers to the first IP address in the list.

Incoming on port

The original destination port specified in the incoming data packets.

Either the port number or the corresponding service name can be specified here, e.g., pop3 for port 110 or http for port 80.

This information is not relevant for the “GRE” protocol. It is ig­nored by the mGuard.

Redirect to IP

The internal IP address to which the data packets should be forwarded and into which the original destination addresses are translated.

Redirect to port

The port to which the data packets should be forwarded and into which the original port data is translated.

Either the port number or the corresponding service name can be specified here, e.g., pop3 for port 110 or http for port 80.

This information is not relevant for the “GRE” protocol. It is ig­nored by the mGuard.

Comment

Freely selectable comment for this rule.

Log

For each individual port forwarding rule, you can specify whether the use of the rule:

–Should be logged – activate Log function

–Should not be logged – deactivate Log function (default)

DNS

If the mGuard is to initiate a connection to a peer on its own (e.g., to a VPN gateway or NTP server) and it is specified in the form of a host name (i.e., www.example.com), the mGuard must determine which IP address belongs to the host name. To do this, it con­nects to a domain name server (DNS) to query the corresponding IP address there. The IP address determined for the host name is stored in the cache so that it can be found di­rectly (i.e., more quickly) for other host name resolutions.

With the Local resolving of hostnames function, the mGuard can also be configured to re­spond to DNS requests for locally used host names itself by accessing an internal, previ­ously configured directory.

The locally connected clients can be configured (manually or via DHCP) so that the local address of the mGuard is used as the address of the DNS server to be used.

If the mGuard is operated in Stealth mode, the management IP address of the mGuard (if this is configured) must be used for the clients, or the IP address 1.1.1.1 must be entered as the local address of the mGuard.

DNS cache state

Status of the host name resolution

Used DNS servers

DNS servers for which the associated IP address was queried.

Servers to query

DNS root servers

Requests are sent to the root name servers on the Internet whose IP addresses are stored on the mGuard. These ad­dresses rarely change.

Provider-defined (i.e., via PPPoE or DHCP)

The DNS servers of the Internet service provider (ISP) that provide access to the Internet are used. Only select this set­ting if the mGuard operates in PPPoE, PPTP, Modem mode or in Router mode with DHCP.

From mGuard firmware version 8.6.0, the setting can also be used if the mGuard is located in Stealth mode (automatic). In this case, the DNS server that the client uses can be recog­nized and taken on.

User-defined (servers listed below)

If this setting is selected, the mGuard will connect to the DNS servers listed under User-defined DNS servers.

User-defined DNS servers

(Only when user-defined is selected as root server)

The IP addresses of DNS servers can be entered in this list. If this should be used by the mGuard, select the "User-defined (servers listed below)"  option under Servers to query.

Local Resolving of Host­names

You can configure multiple entries with assignment pairs of host names and IP addresses for various domain names.

You have the option to define, change (edit), and delete assignment pairs of host names and IP addresses. You can also activate or deactivate the resolution of host names for a domain. In addition, you can delete a domain with all its assignment pairs.

Creating a table with assignment pairs for a domain:

•Open a new row and click on the  Edit Row icon in this row.

Changing or deleting assignment pairs belonging to a domain:

•Click on the  Edit Row icon in the relevant table row.

After clicking on Edit row, the DNS Records tab page is displayed:

Domain for the hosts

The name can be freely assigned, but it must adhere to the rules for assigning domain names. It is assigned to every host name.

Active

Activates or deactivates the Local Resolving of Hostnames function for the domain specified in the “Domain name” field.

Resolve IP addresses also

Deactivated: the mGuard only resolves host names, i.e., it supplies the assigned IP address for host names.

Activated: as with “Deactivated”. It is also possible to deter­mine the host names assigned to an IP address.

Hostnames

The table can have any number of entries.

Host

Host name

TTL (hh:mm:ss)

Abbreviation for Time To Live. Default: 3600 seconds (1:00:00)

Specifies how long called assignment pairs may be stored in the cache of the calling computer.

IP

The IP address assigned to the host name in this table row.

DynDNS

In order for a VPN connection to be established, at least one partner IP address must be known so that the partners can contact each other. This condition is not met if both partic­ipants are assigned IP addresses dynamically by their respective Internet service provid­ers. In this case, a DynDNS service such as DynDNS.org or DNS4BIZ.com can be of as­sistance. With a DynDNS service, the currently valid IP address is registered under a fixed name.

If you have registered with one of the DynDNS services supported by the mGuard, you can enter the corresponding information in this dialog box.

When using the TC MGUARD RS4000/RS2000 3G and TC MGUARD RS4000/RS2000 4G, be aware that DynDNS is not permitted by all mobile network providers.

Register the mGuard at a DynDNS service

Activate the function if you have registered with a DynDNS provider and if the mGuard is to use this service. The mGuard then reports its current IP address to the DynDNS service (i.e., the one assigned for its Internet connection by the Internet ser­vice provider).

Refresh Interval (sec)

Default: 420 (seconds). The mGuard informs the DynDNS service of its new IP address whenever the IP address of its In­ternet connection is changed. In addition, the device can also report its IP address at the interval specified here. This setting has no effect for some DynDNS providers, such as Dy­nDNS.org, as too many updates can cause the account to be closed.

DynDNS provider

The providers in this list support the same protocol as the mGuard. Select the name of the provider with whom you are registered, e.g., DynDNS.org, TinyDynDNS, DNS4BIZ.

If your provider is not in the list, select DynDNS-compatible and enter the server and port for this provider.

DynDNS server

Only visible when DynDNS provider is set to DynDNS-com­patible.

Name of the server for the DynDNS provider.

DynDNS port

Only visible when DynDNS provider is set to DynDNS-com­patible.

Number of the port for the DynDNS provider.

DynDNS
login

Enter the user identifier assigned by the DynDNS provider here.

DynDNS password

Enter the password assigned by the DynDNS provider here.

DynDNS hostname

The host name selected for this mGuard at the DynDNS ser­vice, providing you use a DynDNS service and have entered the corresponding data above.

The mGuard can then be accessed via this host name.

The DHCP server also operates in Stealth mode.

In multi-stealth mode, the external DHCP server of the mGuard cannot be used if a VLAN ID is assigned as the management IP.

IP configuration for Windows computers: when you start the DHCP server of the mGuard, you can configure the locally connected computers so that they obtain their IP addresses automatically from the mGuard via DHCP.

The settings for Internal DHCP and External DHCP are essentially identical and are not described separately in this section.

Mode

DHCP mode

Disabled / Server / Relay

Set this option to Server if the mGuard is to operate as an in­dependent DHCP server. The corresponding setting options are then displayed below on the tab page (see "DHCP mode: Server" ).

Set this option to Relay if the mGuard is to forward DHCP re­quests to another DHCP server. The corresponding setting options are then displayed below on the tab page (see "DHCP mode: Relay" ).

If this option is set to Disabled, the mGuard does not answer any DHCP requests.

DHCP mode: Server

If DHCP mode is set to Server, the corresponding setting options are displayed below as follows.

DHCP Server Options

Enable dynamic IP address pool:

When the function is activated, the IP address pool specified under DHCP range start and DHCP range end is used (see below).

Deactivate the function if only static assignments should be made using the MAC addresses (see below).

DHCP lease time

Time in seconds for which the network configuration assigned to the computer is valid. The client should renew its assigned configuration shortly before this time expires. Otherwise it may be assigned to other computers.

DHCP range start

(With enabled dynamic IP ad­dress pool)

The start of the address area from which the DHCP server of the mGuard should assign IP addresses to locally connected computers.

DHCP range end

(With enabled dynamic IP ad­dress pool)

The end of the address area from which the DHCP server of the mGuard should assign IP addresses to locally connected computers.

Local netmask

Specifies the netmask of the computers. Default: 255.255.255.0

Broadcast address

Specifies the broadcast address of the computers.

Default gateway

Specifies which IP address should be used by the computer as the default gateway. Usually this is the internal IP address of the mGuard.

DNS server

Address of the server used by the computer to resolve host names in IP addresses via the Domain Name Service (DNS).

If the DNS service of the mGuard is to be used, enter the inter­nal IP address of the mGuard here.

WINS server

Address of the server used by the computer to resolve host names in addresses via the Windows Internet Naming Service (WINS).

Static Mapping

Client MAC address

To find out the MAC address of your computer, proceed as follows:

Windows 95/98/ME:

•Start winipcfg in a DOS box.

Windows NT/2000/XP/:

•Start ipconfig /all in a command prompt. The MAC ad­dress is displayed as the “Physical Address”.

Linux:

•Call /sbin/ifconfig or ip link show in a shell.

The following options are available:

–Client/computer MAC address (without spaces or hy­phens)

–Client IP address

Client IP address

The static IP address of the computer to be assigned to the MAC address.

Current Leases

The current leases assigned by the DHCP server are displayed with MAC address, IP ad­dress, and expiration date (timeout).

DHCP mode: Relay

If DHCP mode is set to Relay, the corresponding setting options are displayed below as follows.

DHCP Relay Options

DHCP servers to relay to

A list of one or more DHCP servers to which DHCP requests should be forwarded.

Append relay agent information (option 82)

When forwarding, additional information for the DHCP servers to which information is being forwarded can be appended ac­cording to RFC 3046.

Mode

Enable DHCP server on the DMZ port

Enables the DHCP server on the DMZ interface.

If the function is disabled, the mGuard does not answer any DHCP queries on the DMZ interface.

DHCP Server Options

Enable dynamic IP address pool:

When the function is activated, the IP address pool specified under DHCP range start and DHCP range end is used (see below).

Deactivate the function if only static assignments should be made using the MAC addresses (see below).

DHCP lease time

Time in seconds for which the network configuration assigned to the computer is valid. The client should renew its assigned configuration shortly before this time expires. Otherwise it may be assigned to other computers.

DHCP range start

(With enabled dynamic IP ad­dress pool)

The start of the address area from which the DHCP server of the mGuard should assign IP addresses to locally connected computers.

DHCP range end

(With enabled dynamic IP ad­dress pool)

The end of the address area from which the DHCP server of the mGuard should assign IP addresses to locally connected computers.

Local netmask

Specifies the netmask of the computers. Default: 255.255.255.0

Broadcast address

Specifies the broadcast address of the computers.

Default gateway

Specifies which IP address should be used by the computer as the default gateway. Usually this is the internal IP address of the mGuard.

DNS server

Address of the server used by the computer to resolve host names in IP addresses via the Domain Name Service (DNS).

If the DNS service of the mGuard is to be used, enter the inter­nal IP address of the mGuard here.

WINS server

Address of the server used by the computer to resolve host names in addresses via the Windows Internet Naming Service (WINS).

Static Mapping

Client MAC address

To find out the MAC address of your computer, proceed as follows:

Windows 95/98/ME:

•Start winipcfg in a DOS box.

Windows NT/2000/XP/:

•Start ipconfig /all in a command prompt. The MAC ad­dress is displayed as the “Physical Address”.

Linux:

•Call /sbin/ifconfig or ip link show in a shell.

The following options are available:

–Client/computer MAC address (without spaces or hy­phens)

–Client IP address

Client IP address

The static IP address of the computer to be assigned to the MAC address.

Current Leases

The current leases assigned by the DHCP server are displayed with MAC address, IP ad­dress, and expiration date (timeout).

The http(s) proxy settings

Use proxy for HTTP and HTTPS

When the function is activated, connections that use the HTTP or HTTPS protocol are transmitted via a proxy server whose address and port should also be specified.

Connections that are transmitted in encapsulated form using the VPN in TCP encapsulation function are also routed via the proxy server (see "TCP encapsulation" on page 315).

Secondary external interface uses proxy

Only activate the function if the connection (HTTP or HTTPS) of the secondary external interface is also to be established via a proxy server (see "Secondary External Interface" on page 152).

HTTP(S) proxy server

Host name or IP address of the proxy server.

Port

Number of the port to be used, e.g., 3128.

Proxy Authentication

Login

User identifier (login) for proxy server login.

Password

Password for proxy server login.

This menu is only available when the mGuard is in “Router” network mode. An OSPF area cannot be assigned to the WAN interface in “DHCP” router mode.

Activation

Enable OSPF

When the function is deactivated (default): OSPF is disabled on the device.

When the function is activated: dynamic routing using the OSPF protocol is enabled on the device. New routes are learned and distributed by neighboring OSPF routers.

OSPF hostname

If an OSPF hostname is assigned here, this is communicated to the participating OSPF routers instead of the global host name.

Router ID

The Router ID in the form of an IP address must be unique within the autonomous system. It can otherwise be freely se­lected and typically corresponds to the IP address of the WAN or LAN interface of the mGuard.

OSPF Areas

The autonomous system is segmented using OSPF Areas. The routes between OSPF routers are exchanged within an area. The mGuard can belong to one or more OSPF ar­eas. Distribution between neighboring areas is also possible using the “Transition Area” (see below).

Name

The Name can be freely selected (default: ID). An OSPF router is clearly identified by its ID.

ID

In general, the ID can be freely selected. If an OSPF area is as­signed the ID 0, it becomes the “Transition Area”. This area is used to exchange routing information between two neigh­boring areas and then distribute it.

Stub area

If the OSPF area is a stub area, activate the function.

Authentication

None / Simple / Digest

Authentication of the mGuard within the OSPF area can be performed using the “Simple” or “Digest” method. The corre­sponding passwords and digest keys are assigned for the al­located interfaces (see "Additional Interface Settings" ).

Additional Interface Set­tings

Interface

Internal / External / DMZ

Selects the interface for which the settings apply. If no settings are made here, the default settings apply (i.e., OSPF is en­abled for the interface and the passwords are not assigned).

Passive interface

Default: deactivated

When the function is deactivated, OSPF routes are learned and distributed by the interface.

When the function is activated, no routes are learned or dis­tributed.

Authentication 

None / Digest

If Digest is selected, “Digest” is always used for authentica­tion at the selected interface – regardless of the authentication method already assigned to an OSPF area.

The authentication method (None / Simple / Digest) that has already been assigned to an OSPF area is therefore ignored and not used.

Simple authentication password

Password for authentication of the OSPF router (for “Simple” authentication method)

Digest key

Digest key for authentication of the OSPF router (for “Digest” authentication method)

Digest key ID 

Digest key ID for authentication of the OSPF router (for “Di­gest” authentication method)

(1–255)

Route Redistribution

Statically entered routes in the kernel routing table can also be distributed using OSPF. Rules can be created for locally connected networks and networks that are reachable via a gateway.

The networks whose routes are to be distributed using OSPF can be specified in “access lists” via the "Distribution Settings" .

Type

Locally connected routes / Remotely connected routes

Locally connected routes: all local networks are distributed using OSPF, if OSPF is enabled. Distribution can be restricted by using access lists.

Remotely connected routes: all external networks are dis­tributed using OSPF. External networks include, for example, static as well as IPsec, OpenVPN, and GRE remote networks. Distribution can be restricted by using access lists.

Metric

Metric used to distribute the routes. Unit representing the quality of a connection when a specific route is used (depends on the bandwidth, hop count, costs, and MTU).

Access list

Distributes the routes according to the selected access list (see "Distribution Settings" ). If None is selected, all routes of the selected type are distributed.

Dynamic Routes (learned by OSPF)

The status of all routes learned using OSPF is displayed.

Remote network

Dynamically learned remote network.

Gateway 

Gateway to reach the remote network.

Metric

Metric for the learned route.

If a rule is selected for either the “Locally connected routes” or “Remotely connected routes” type, by default (Access List = None) all corresponding routes are distributed us­ing OSPF if OSPF is enabled.

Settings

Name

The Name must be unique and must not be assigned more than once.

Rules

Permit/Deny

Lists the access list rules. These apply for routes that are not distributed dynamically using OSPF.

Permit (standard)means that the route to the entered network is distributed using OSPF.

Deny means that the route to the entered network is not dis­tributed using OSPF.

Network

Network whose distribution is permitted or denied by rules.

The use of GRE tunnels via IPsec connections of the "Transport" connection type is not possible.

Options

Local endpoint

Local IP address from which the tunnel will be created. The IP address must already be configured under "Network >> Inter­faces"  for the mGuard itself.

Remote endpoint

Remote IP address to which the tunnel will be created. The IP address must also be configured at the peer.

Use IPsec VPN con­nection for securing the tunnel

For the selected IPsec connection, it is checked whether the GRE tunnel is routed through and therefore protected by this connection, i.e., whether both endpoints are in the IPsec net­works (local and remote).

Routes to Tunnel

Network

All peer networks that are to be reached via the GRE tunnel in encapsulated form are entered here. Several routes can be configured for each GRE tunnel.

0.0.0.0/0 means all IP addresses. To specify an address area, use CIDR format (see "CIDR (Classless Inter-Domain Rout­ing)" on page 29).

Dynamic Routing

OSPF area

Links the virtual GRE interface to an OSPF area (see "Network >> Dynamic Routing" on page 220).

OSPF metric

Unit representing the quality of a connection through the GRE tunnel.

Local interface IP

IP address of the virtual GRE interface (required in order to ex­change routing information between OSPF routers).

An IP address in the same network must be configured at the peer for the GRE interface.

Local interface mask

Netmask of the virtual GRE interface.

By default, the GRE firewall is set to allow all connections for the GRE connection.

However, the extended firewall settings defined and explained above apply independent­ly for each individual GRE connection (see "Network Security menu" on page 259, "Net­work Security >> Packet Filter" on page 259, and "Advanced" on page 278).

If multiple firewall rules are defined, these are queried starting from the top of the list of entries until an appropriate rule is found. This rule is then applied. If the list of rules con­tains further subsequent rules that could also apply, these rules are ignored.

Incoming

General firewall set­ting

Accept all incoming connections: the data packets of all in­coming connections are allowed.

Drop all incoming connections: the data packets of all in­coming connections are discarded.

Accept Ping only: the data packets of all incoming connec­tions are discarded, except for ping packets (ICMP).

Use the firewall ruleset below: displays further setting op­tions.

The following settings are only visible if “Use the firewall ruleset below” is set.

Protocol

All means TCP, UDP, ICMP, GRE, and other IP protocols.

From IP / To IP

0.0.0.0/0 means all IP addresses. To specify an address area, use CIDR format (see "CIDR (Classless Inter-Domain Rout­ing)" on page 29).

Name of IP groups, if defined. When a name is specified for an IP group, the host names, IP addresses, IP areas or net­works saved under this name are taken into consideration (see "IP/Port Groups" on page 276).

Incoming:

–From IP:   IP address in the GRE tunnel

–To IP:   1:1 NAT address or the actual address

Outgoing:

–From IP:   1:1 NAT address or the actual address

–To IP:   IP address in the GRE tunnel

From port / To port

(Only for TCP and UDP proto­cols)

any refers to any port.

startport:endport (e.g., 110:120) refers to a port range.

Individual ports can be specified using the port number or the corresponding service name (e.g., 110 for pop3 or pop3 for 110).

Name of port groups, if defined. When a name is specified for a port group, the ports or port ranges saved under this name are taken into consideration (see "IP/Port Groups" on page 276).

Action

Accept means that the data packets may pass through.

Reject means that the data packets are sent back and the sender is informed of their rejection.

Drop means that the data packets are not permitted to pass through. They are discarded, which means that the sender is not informed of their whereabouts.

Name of rule sets, if defined. When a name is specified for rule sets, the firewall rules configured under this name take ef­fect (see "Rule Records" on page 270).

Name of Modbus TCP rule sets, if defined. When a Modbus TCP rule set is selected, the firewall rules configured under this rule set take effect (see "Modbus TCP" on page 283).

Comment

Freely selectable comment for this rule.

Log

For each individual firewall rule, you can specify whether the use of the rule:

–Should be logged – activate Log function

–Should not be logged – deactivate Log function (default setting)

Log entries for unknown connection attempts

When the function is activated, all connection attempts that are not covered by the rules defined above are logged.

Outgoing

The explanation provided under “Incoming” also applies to “Outgoing”.