LAPP ETHERLINE NF04T, Manual

Page 1: ...itzsch Stra e 25 70565 Stuttgart Phone 49 0 711 7838 01 Fax 49 0 711 7838 2640 info lappkabel de www lappkabel com ETHERLINE ACCESS NF04T Industrial NAT Gateway und Firewall Manual Version 1 16 04 20...

Page 2: ...nt license conditions We can send you the corresponding license conditions including a copy of the complete license text together with the product They are also provided in our download area of the re...

Page 3: ...ranty 9 2 Security recommendations 10 3 Overview 11 3 1 Setup 11 3 2 Connection of the power supply 12 3 3 LEDs status information 12 4 Initial access to the web interface 13 4 1 Initial registration...

Page 4: ...1 Application with step 7 38 10 2 Use in the TIA portal 39 11 Other functions 41 11 1 DHCP server for LAN 41 11 2 Host name WAN 42 11 3 Syslog server 42 11 3 1 Syslog local 42 11 3 2 Syslog remote 43...

Page 5: ...figuration execution and operating errors can interfere with the proper operation of the ETHERLINE ACCESS NF04T and result in personal injury as well as material or environmental damage Only suitably...

Page 6: ...of people from electrical voltage If the hazard warning is ignored there is a probable danger to life and health of people from electrical voltage If the hazard warning is ignored people can be injure...

Page 7: ...situations on machinery and systems Successful and safe operation of the device requires proper transport storage setup assembly installation commissioning operation and maintenance The ambient condit...

Page 8: ...ousing to discharge static electricity Only work with discharged tools Do not touch components and assemblies on contacts 1 6 4 Overcurrent protection Overcurrent protection isn t necessary as the dev...

Page 9: ...lity for any printing errors or other inaccuracies that may appear in the operating manual unless there are serious errors of which U I Lapp GmbH was already demonstrably aware Beyond the instructions...

Page 10: ...the ICS Security Compendium of the Federal Office for Information Security BSI https www bsi bund de SharedDocs Downloads DE BSI ICS ICS Security_kompendium_pdf html Physical access Limit physical ac...

Page 11: ...ifferent networks for this purpose Features of the ETHERLINE ACCESS NF04T NAT Basic NAT SNAT NAPT and port forwarding for network segmentation Bridge functionality for securing network areas with iden...

Page 12: ...ockets are switched and are for the connection of the internal network The inputs IN1 and IN2 do not yet have a function in the current firmware version but will be available in a later firmware versi...

Page 13: ...T Start control panel Network and sharing settings Adapter settings LAN connection properties Internet protocol version 4 Now connect a patch cable with the LAN connection of your PC and one of the LA...

Page 14: ...ue button the password is stored in the device and you will be forwarded to the Overview page of the ETHERLINE ACCESS NF04T The main user is always admin In addition to the main user admin the it user...

Page 15: ...contains an overview of the most important settings and information of the ETHERLINE ACCESS NF04T The topmost line contains the menu with the functions for configuration Please check at the website of...

Page 16: ...The web interface is also suitable for use on tablets and smartphones Responsive design Please note that web access to the ETHERLINE ACCESS NF04T is equipped with inactivity monitoring for security r...

Page 17: ...sic NAT also known as 1 1 NAT or Static NAT is the translation of individual IP addresses or of complete IP address ranges With the help of port forwarding it is possible as an alternative to configur...

Page 18: ...the separation of part of the production network without using different network addresses If bridge is your planned application case please continue reading in chapter 7 Machine network 10 10 1 0 24...

Page 19: ...ot indicated 0 0 0 0 then communication of devices in the LAN with the Internet is prevented Optionally the WAN IP settings the DNS server and the standard gateway can also be acquired per DHCP The en...

Page 20: ...an alternative to entering the IP address a DHCP client can also be activated for the WAN interface The use of the DHCP client presumes that a DHCP server is active in the WAN network The IP settings...

Page 21: ...ach entry is confirmed with the message Rule added successfully Machine network 192 168 10 0 24 192 168 10 1 192 168 10 2 192 168 10 50 192 168 10 100 192 168 10 5 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1...

Page 22: ...a rule In the case of a Basic NAT rule all ports for WAN to LAN data transfer are initially blocked for this rule for security reasons In order to enable access packet filter rules must be created or...

Page 23: ...ine network to certain participants in the WAN set the default action to Reject or Drop In the case of prohibited frames from the WAN Reject sends an error message in response while Drop rejects the f...

Page 24: ...with one another An IP range can be defined with a dash 10 10 1 10 10 10 1 20 A list of IP addresses is indicated with commas 10 10 1 10 10 10 1 15 10 10 1 20 Action defines whether this rule allows...

Page 25: ...ough 6 6 Packet filter LAN to WAN In the basic state data traffic is permitted for devices from the machine network LAN to the production network WAN without limitations Default Action Accept In the L...

Page 26: ...ts needs the ETHERLINE ACCESS NF04T LAN IP as gateway This is a considerable advantage when integrating into existing network structures since the parameters no longer have to be changed here Machine...

Page 27: ...t gateway for every device connected to LAN If the NAPT option is deactivated the query packets from the LAN are forwarded from the LAN to the WAN with their original sender IP and sender port Machine...

Page 28: ...IP The IP address to be addressed in the machine network LAN Internal Port The port of the device to be addressed in the machine network LAN Comment Freely definable comment Machine network 192 168 1...

Page 29: ...and Basic NAT can be used simultaneously in the NAT operating mode If with the packet filters WAN to LAN default action is set to Reject or Drop the corresponding packet filter rules for access must...

Page 30: ...s is necessary when devices from the LAN should reach the Internet via the ETHERLINE ACCESS NF04T If these are not indicated then communication of devices in the LAN with the Internet is prevented The...

Page 31: ...omation cell The following filter criteria on layers 3 and 4 are available IPv4 addresses protocol TCP UDP and ports Note The packet filters are always also available in the direction LAN to WAN see c...

Page 32: ...ield A list of ports is indicated separated by commas 80 443 1194 A port range can be indicated with a colon 4000 5000 or 1 65535 for all ports Combinations of this are also possible 80 443 4000 5000...

Page 33: ...ction is Accept a block can be defined in the filter rules with Reject or Drop for certain devices Blacklisting A maximum of 128 packet filter rules per direction WAN to LAN and LAN to WAN can be defi...

Page 34: ...N with devices in the production network WAN can be completely prohibited or be blocked or allowed for particular devices 7 6 ICMP Traffic LAN to WAN With the ICMP Traffic option you can generally all...

Page 35: ...ers in the ETHERLINE ACCESS NF04T As soon as the first MAC address is entered in the MAC filter mode Whitelist only frames from this MAC address are allowed through irrespective of all other packet fi...

Page 36: ...e 2 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 Internal External Machine 1 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 Internal...

Page 37: ...can also function in adapted form for other applications Maschinennetzwerk 192 168 10 0 24 192 168 10 1 192 168 10 2 192 168 10 50 192 168 10 100 192 168 10 5 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 7 0 1 2 3...

Page 38: ...outer for the CPU in the project In order to be able to reach a CPU via an alternative IP address this can be entered in the menu Destination system in the dialog Access address This address remains a...

Page 39: ...device in the menu under Online or where necessary Connect expanded online Click on Access Address and enter the WAN IP address specified for the device CPU in the ETHERLINE ACCESS NF04T in Basic NAT...

Page 40: ...4T with NAPT and port forwarding only one CPU can be reached as the Simatic Manager TIA portal always accesses the CPU with the non adjustable port 102 The search via the Siemens function reachable pa...

Page 41: ...at can be used by the DHCP server Lease Time s Time in seconds until the DHCP entry is rejected when the device is no longer logged in The Standard Lease Time is 86 400 seconds 1 day The Lease Time ca...

Page 42: ...unction the DHCP lease is approved and a new one requested 11 3 Syslog server The Syslog server installed in the ETHERLINE ACCESS NF04T logs all user and system events with time of day and date User e...

Page 43: ...ning The IP address of the host and the port can be indicated here 11 4 Change password User management In the Password menu the password of the administrator admin can be changed the additional users...

Page 44: ...hange password of the it user Edit date and time settings All other settings are ReadOnly machine user access rights Access to the ETHERLINE ACCESS NF04T exclusively via the LAN interface Change to th...

Page 45: ...up of the ETHERLINE ACCESS NF04T configuration website in addition to the HTTPS encoding is also trustworthy 11 6 Allow web interface access over WAN network Web Interface Access For security reasons...

Page 46: ...f day can be set either manually or be derived automatically from a SNTP server Simple Network Time Protocol The manually set time of day is not saved in the event of a power failure SNTP should be us...

Page 47: ...n existing configuration for a new ETHERLINE ACCESS NF04T with a similar application The configuration files have the file ending CFG Example of a ETHERLINE ACCESS NF04T configuration file general rou...

Page 48: ...d checked in the ETHERLINE ACCESS NF04T If the content is correct the firmware is burned into the program memory and a restart of the ETHERLINE ACCESS NF04T takes place Operation of the ETHERLINE ACCE...

Page 49: ...in the process 13 1 Resetting to factory settings via the website Select the menu point Factory Reset in the Device menu Press the Factory Reset button and confirm with the confirmation prompt 13 2 R...

Page 50: ...AT operating mode the LAN address of the ETHERLINE ACCESS NF04T must be entered in the CPU as a router in order that the answers of the CPU find their way back to the PC in the WAN You can find more i...

Page 51: ...APT Packet filter IPV4 addresses protocol TCP UDP ports WAN to LAN and LAN to WAN separate MAC addresses black whitelisting Status indicator 4 LEDs function status 8 LEDs Ethernet status Voltage suppl...

Page 52: ...ETHERLINE ACCESS NF04T Version 1 04 16 20 52 15 2 Dimensioned drawing...