TeleR²-Router PPPoE | Art.Nr. 9374-PPPOE
TeleR⁴-Router PPPoE | Art.Nr. 9374-4-PPPOE
S7-Firewall | Art.Nr. 9374-S7-Firewall

The TeleR are scalable routers. Over the integrated web interface you can configure and operate the TeleR² / TELER⁴.

Applications for TeleR² / TELER⁴ are as Gateway / Connect / remote maintenance of:

• Automation networks
• ProfiNet networks
• Standard Ethernet networks.

Specifically TeleR² / TeleR⁴ supports Simatic S7 systems from Siemens. With few handles the TeleR² / TeleR⁴ is running in the desired mode.

For TeleR² / TeleR⁴, depending on the mode expansion modules available.

In the standard version TeleR² is fitted with a WAN port and a LAN port and the TeleR ⁴ is with a WAN port and 3 LAN ports with switch fitted.
The following operating modes are possible.

You need to configure a PC with web browser

• power supply on POW
• Connect PC and TeleR-Router via Ethernet cable
• set IP-Adresse in the IP-area of TeleR2 / TeleR4
  • for WAN-side 192.168.1.x
  • for LAN-side 192.168.2.x
• Call in the browser the IP address of the router
  • for WAN-side 192.168.1.57
  • for LAN-side 192.168.2.1
• Confirm the login window with “OK”
• Add under WEB-User a SuperUser (su)
• Depending on the application you need to make different settings
  • Routing between two networks
  • OVPN-Server
  • OVPN-Client
  • PPPoE
  • Profinet-Router
  • IP-Address-Changer
• Establish connection to TeleR
  • OVPN-Software for PC
  • Connect 2 TeleR
  • Set routing

That TeleR² / TeleR⁴ can route between two networks, you need to make the following settings:

1. configuration
   1. set routing mode
      • Office, for routing from LAN to the routing interface
      • Machine, for routing from the routing interface to the LAN
   2. Routing interface¹⁾: WAN/IP
   3. set up WAN/LAN IP-Address(es)
2. User
   • WEB-User
     • create Superuser (su)
       (prevents unwanted access)

In TeleR² / TeleR⁴, we have implemented the popular, released under open source OpenVPN. For detailed information, see http://www.openvpn.net. With OpenVPN we provide in TeleR² / TeleR⁴ a new network interface. This interface is connected via a quasi line (virtual line) with the OpenVPN interface of the partner device. The line is realized with software. Hereby all protocols for this interface, will be exchanged by its own UDP / TCP channel. One can say there is a telephone connection between the devices via UDP / TCP prepared. Of course, the connection is encrypted. The keys are stored in TeleR² / TeleR⁴.

Proceed as follows:

1. configuration
   1. Routing Mode: Mashine
      (Routing from Routing interface to LAN)
   2. Routing Interface²⁾: WAN/OVPN
2. Open VPN
   1. OVPN-Mode: Server (UDP) or Server (TCP)
   2. if necessary, change the default port
   3. IP-Pool: IP-Address range for the OVPN-Connection
   4. Interface: This sets the to-reach interfaces
   5. optionally activate services on the interface (web interface, ping, SSH (for developers only))
   6. create VPN-User

In TeleR² / TeleR⁴, we have implemented the popular, released under open source OpenVPN. For detailed information, see http://www.openvpn.net. TeleR² / TeleR⁴ can be operated as OVPN client.
When this mode is activated automatically a OVPN connection to OVPN server is established.
You can use this mode when e.g. the TeleR² / TeleR⁴ should not take on the WAN port routing for LAN.

Proceed as follows:

1. configuration
   1. Routing Mode: Office³⁾
   2. Routing Interface⁴⁾: WAN/OVPN
2. Open VPN
   1. OVPN-Mode: Client (UDP) or Client (TCP)
   2. adapt if necessary Port
   3. Under Server address (Client only) set the IP address or DNS of the OVPN-server
   4. set user and password

On our website you will find OpenVPN Installer for Windows 32/64-bit as download. This package is preconfigured for our TeleR² / TeleR⁴.
Open VPN connections can also be built from Linux or Mac operating systems.

1. install Open VPN Client Software
2. install configurations data
3. under C:\Program Files\OpenVPN\config you can usually find the configuration
   • open “TProf2config.ovpn” and insert the OVPN-Server data
     1. remote “Server-IP-Address”
     2. Port “Server Port”, default 1194
     3. proto udp (default) or tcp (like OVPN-Server settings)
4. Start the OVPN-Client Software as Admin
   1. On the taskbar at the bottom right you can find the application
   2. Right click select desired profile
      1. click “Connect”
      2. then enter the user name and password
      3. while connecting all settings are set

There may be two TeleR be interconnected. Here, the tunnel between the two devices is set up and all the users of the company network can thus access the remote network.
The user can use this connection by setting the routing on the PC or the router.

Sample:
TeleR IP-Address LAN in house: 192.168.0.100
TeleR IP-Address LAN on Machine site: 192.168.3.50
IP-Address PLC: 192.168.3.10

To connect two TeleR, proceed as follows:

1. set the TeleR on the machine side as an OpenVPN server
   1. Open VPN
      1. Set OVPN-Mode “Server (UDP)” or “Server (TCP)”
      2. Set Interface Permissions (PING, Web Interface)
      3. Set up VPN users
2. Configuration
   1. Routing Mode: “Machine”
   2. Routing interface ⁵⁾: “WAN / OVPN”
   3. Set the WAN / LAN address (s)
   4. if necessary, set PPPoE
   5. if necessary, set DynDNS
3. set up the TeleR on the own house as an OpenVPN client
   1. Open VPN
      1. Set OVPN-Mode “Client (UDP)” or “Client (TCP)”
      2. Enter the VPN server address, user and password
   2. Configuration
   3. Routing Mode: “Office”
   4. Routing Interface ⁶⁾: “WAN / OVPN”
   5. Set the WAN/LAN address(es)
   6. if necessary, set PPPoE

TeleR² / TeleR⁴ supports the PPPoE protocol. Set the parameters for operation on a DSL/cable modem here. For the overview and for the easier configuration, the settings for standard gateway and DNS can be done here. As a rule, this should be set to “auto from PPPoE”.

1. Configuration
   1. Set the routing mode
      • Office, for routing from the LAN to the routing interface
      • Machine, for routing from the routing interface to the LAN
   2. Routing Interface ⁷⁾: WAN/PPPoE or WAN/OVPN
   3. PPPoE: activate
      • Enter user data from the provider
      • If necessary, set the gateway e.g. to “auto from PPPoE”

TeleR² / TeleR⁴ can optionally be operated as a Profinet router (Profinet option).
For this, you need 2 TeleR² / TeleR⁴.
The Profibus connection is implemented via a secure OVPN connection. The VPN connection can be established via WAN/IP or via WAN/PPPoE. The router configured as an OVPN client automatically connects to the OVPN server.
Attention : No real-time data exchange is possible

To set up a ProfiNet connection with 2 x TeleR² / TeleR⁴, proceed as follows:
To connect two TeleR, proceed as follows:

1. Set up TeleR on the machine side as an OpenVPN server
   1. Open VPN
      1. OVPN-Mode: “Server (UDP)” or “Server (TCP)”
      2. Set Interface Permissions (PING, Web Interface)
      3. Set up VPN users
   2. Configuration
      1. Routing Mode: “Machine”
      2. Routing interface ⁸⁾ “WAN/IP” or “WAN/PPPoE”
      3. possibly activate DynDNS / PPPoE
2. TeleR in your own house set as an OpenVPN client (Open VPN menu)
   1. Open VPN
      1. OVPN-Mode: “Client (UDP)” or “Client (TCP)”
      2. Enter the VPN server, user and password
   2. Configuration
      1. Routing Mode: “Office”
      2. Routing Interface ⁹⁾: “WAN/IP” Or “WAN/PPPoE”

If you have machinery with the same IP address and want to connect them together, but the IP addresses can not be changed, use our TeleR² / TeleR⁴.

Example:
Shared assets IP address: 192.168.1.10
Plant 1: 192.168.3.15
Plant 2: 192.168.3.16

You only need to make the following settings for the connection:

• Routing Mode: Machine ¹⁰⁾
• Routing Interface ¹¹⁾: WAN/IP
• Adjust WAN / LAN settings
  • WAN-IP first teleR: 192.168.3.20
  • LAN IP: 192.168.1.20
  • WAN-IP second TeleR: 192.168.3.30
  • LAN IP: 192.168.1.30
• Enable IP Address Changer
  • First TeleR
    • New address (WAN) 192.168.3.15
    • Old address (LAN) 192.168.1.10
  • Second TeleR
    • New address (WAN) 192.168.3.16
    • Old address (LAN) 192.168.1.10

Now the machinery are reachable under the new IP addresses and can communicate with each other.

In order to reach the plant network via the PC, there are several possibilities:

1. Start the prompt / console as an administrator
   • Add local routing:
     route add “Destination IP” “Gateway”
     e.g. route add 192.168.3.10 192.168.3.50
   • Or total IP range:
     route add “Target IP range” mask “Netmask” “Gateway”
     e.g. route add 192.168.3.0 mask 255.255.255.0 192.168.3.50
   • Route print command prints the currently set routes
   • Test the routing e.g. with a ping to the destination network
2. In your router / switch, enter routing to the TeleR² / TeleR⁴ WAN-IP
   • Test the routing e.g. with a ping to the destination network

The WAN/LAN port can each receive up to 3 different IP addresses and subnets.
The port can also be operated as a DHCP server or client. The necessary data for the IP assignment is entered here.

For the operation as DHCP/server, fixed assignments MAC- to IP-address can be defined (see below, “DHCP fixed addresses”).

Next, specify which services are available on the port: Web Config, Ping, SSH (for developer only)

DHCP-settings:

1. DHCP: Server
2. enter Start-IP e.g. 192.168.2.100
3. enter End-IP e.g. 192.168.2.150
4. enter Subnet e.g. 255.255.255.0
5. Router-IP: z.B. LAN-IP 192.168.2.1
6. 1.DNS: enter DNS-Server-IP

A USB modem can be plugged into the USB interface, which makes the dial-in to the Internet.
A modem connection is implemented as a PPP connection. Thus, TeleR²/TeleR⁴ can also be used with other dial-up routers. Thus, TeleR 2/TeleR⁴ is an ideal substitute e.g. for Teleservice IE from Siemens.

If ProfiNet is activated, TeleR² / TelleR<sup>4</ sup> is used to connect / remote control Profibus networks. Here is a schematic example:


The ProfiNet connection is implemented via a secure VPN connection. The VPN connection can be established via WAN (TCP / IP) or via WAN / PPPoE. To set up a ProfiNet connection with 2 x TeleR² / TeleR⁴:

• Activate the ProfiNet option on both devices
• Set up one page as an OpenVPN server and the other as an OpenVPN client (see below)
• Possibly. DynDNS / PPPoE

Settings configuration:

The devices connect automatically. If the connection is successful, it can be communicated between the two ProfiNet networks.
Attention!
No real-time data exchange is possible.

Bring same participants with the same IP address into a different network.

Enter the desired destination IP address in the left column and the known IP address in the right column. If you set the hacker to active, this IP address is now available under the new one.

Example:

Configuration looks like following:

Set the parameters for operation on a DSL/cable modem here. For the overview and for the easier configuration, the settings for standard gateway and DNS can be set here. As a rule, this should be set to “auto from PPPoE”.

Again, you can select which services are available at the interface.

All systems with modem connection are managed in the telephone book. The connection is established with a partner simply by clicking on the telephone number.

User and password are maintained in the dial-up user database. It is therefore possible to use a user for several plants.

TeleR² / TeleR<up> 4 </sup> can also be used for other dial-up PPP accesses

If TeleR²/TeleR⁴ should be available via the Internet, e.g. via OpenVPN, the Internet IP address of the device must be known.
In this case it is useful not to work with a fixed IP address, since the provider may change the IP-address after a new establishing a connection (for example by PPPoE).
It is more useful here to address the device with the same domain name.

The service provider DynDNS offers a service on the Internet (http://www.dyndns.org). DynDNS = Dynamic DomainNameSever. You must log on to DynDNS to operate the service. For more information, see the DynDNS homepage. Up to 5 Dynamic IP addresses are free. If you need more than one, you can book a corresponding number of domain names at DynDNS. The price is very reasonable about 30, - US$ a year.

On the whole, this works like this:
You register the desired hostname with DynDNS. (E.g. Myplant.dynalias.com).
You will receive your user and password for your access.
Enter this data in the DynDNS Config setting and set “Use DynDNS” to Yes.

The DynDNS refreshes the data at DynDNS in the specified time interval. If the provider assigns a new IP address, this is corrected again within this interval, thanks to DynDNS. Your TeleR² / TeleR⁴ can then be reached by the registered name e.g. testgeraet.dyndns.org
You enter this domain name in your office device at the VPN participant.

If the built-in DHCP server (on the WAN or LAN) is operating, it can be useful to always allocate the same IP address to certain IP devices. Here you can specify which MAC address, which IP address is assigned.

Here you can change date and time.

In order for TeleR² / TeleR⁴ to always work with the current time, we have implemented an NTP client. This allows TeleR² / TeleR⁴ to synchronize itself automatically over a time server, date and time available on the Internet or with another network.

Normally routing is allowed to all network users. As soon as an entry in this table exists, access is only possible via the above rules. In the standard forwarding, the routing is only possible to LAN or LAN. See operating mode. The “Advanced mode” allows rules in both directions.

In TeleR² / TeleR⁴ we have implemented the popular OpenVPN published under Opensource. For detailed information, see http://www.openvpn.net.

Here I would briefly explain the function of the OpenVPN, as implemented in the TeleR² / TeleR⁴
Basically there are two operating modes of the OpenVPN: server or client.
The device is normally configured as a server on the plant (machines).

With OpenVPN, we are providing a new network interface in the TeleR² / TeleR <4> / <sup>. This interface is connected via a line (virtual line) to the OpenVPN interface of the partner device. The line is implemented with software. All protocols for this interface are exchanged via a separate UPD / TCP channel. One can say it is a telephone connection between the devices by UDP / TCP manufactured. The connection is, of course, encrypted. The keys are stored in the TeleR²/TeleR⁴.

The options Services at the interface define which services are available with an existing VPN connection

Here, it is determined, in which form to the WAN / LAN port over VPN is routed.

off: Routing to the interface is not possible
===>: Routing from VPN to the interface
⇐==: Routing from the interface to the VPN
⇐=⇒: Routing in both directions

Who can now build an OpenVPN connection?
How can access be controlled?

ATTENTION: In principle, anyone with the certificate and the IP address of the TeleR can establish a VPN connection and access the device. You can use your own certificates in the “Advanced Router” extension.
This gives you more security

Here you can manage users who are allowed to connect via OpenVPN.

In the VPN connections, like a phone book, your machines can be managed. The server address, the protocol, the port, and a reference to a VPN user are entered (see above).

In the user administration, you manage the users, which are allowed to use the WEB interface. The access data for users who are allowed to establish a dial-up connection (modem) are also maintained here.

Here is the form for entering the WEB-Interface users. Per user, different authorizations can be assigned. In principle, only one user with “SU” changes can make changes. U1 - U5 may only operate the interface. In the TeleR² / TeleR <4> extension modules, “U1” - “U5” have more precisely specified operating rights.

User level:
SU = Super User,can use all settings
U1-5 May only display or change certain settings

Here is the form for entering the dial-up interface users. The user only gets access if active is set to “yes”. Further, the addition “Dial in & out” or only “Dial out” is available.

If a user chooses, all entries that are set to “Dial in & out” are checked. Other users do not have access. In the telephone book the assignment is made

Here you will find all the settings required for the maintenance of the TeleR.
New Firmware

1. Unzip the downloaded file
2. Disconnect the TeleR² / TeleR⁴ from the mains and connect it to the PC
3. If necessary, set the IP address on the PC
4. Call WEB interface
5. Firmware Upload: Select file *.bin
6. Save
7. confirm with “yes”
8. LED S1 flashes very quickly
9. wait until LED S1 is in steady light

Display of the device status. Here, e.g. with built-in VPN connection.

Displays all currently assigned IP addresses and link states of the individual ports.
You can also find the current routes.

With the HMI-Notification Module SMS and email messages (error and maintenance messages) can be, depending on the event, sent automatically to practically any number of recipients. The system automatically assigns the messages to the respective recipients and sends the message via the correct provider.
Please note:
By sending SMS messages and e-mail messages, additional costs arise (telephone fees, charges for Internet access, etc.). Please check with your provider for the amount of the respective fees. For the HMI module to work properly, some basic settings must be made. The following items must be set up:

• Pagerprovider
• Pager recipient
• Emailserver
• Email recipient
• PLC connections
• PLC variables
• Standardization (optional)
• Notifications
• Initial setting Activate the HMI option
• Activate SMS dispatch or activate email delivery

The HMI module is also secured by access protection via WEB browser. The necessary rights are indicated for the corresponding points.

In order for the TeleR² / TeleR⁴ to send an e-mail, an e-mail account or a server is required, which receives and forwards the messages.
Under Name, enter a meaningful expression for you.
The “Address” field contains the host address of the e-mail server. You can either use a local server (on the local network) or a public on the Internet. The input can be a name (for example, mail.gmx.de) or a fixed IP address.
However, ensure that the corresponding entries are set for the DNS server, gateway or routes, in order to ensure a smooth e-mail transmission.
If an email is sent, TeleR² / TeleR⁴ first tries to reach the appropriate server via the current options (set DNS and gateway). If this is not the case, an Internet connection is established under the setting configuration → PPPoE / DSL or configurations view → Internet → Provider and then tries to find the server. This connection is also used when the Internet connection is set to manual. If the connection to the Internet was established by this way, after 2 minutes of idle (no email is present) or at least after 10 minutes the connection will be closed.
For the Internet via modem, you can use so-called Internet by Call providers.

In the “Email message buffer” menu item, you can track the status of the email and find any errors.
'Email' is the mail address the recipient sees as the sender. This address should be exists, as otherwise anti-spam filters might eliminate these messages. User and password refer to the email account.

In the next step, you specify the recipients of the e-mail messages.

Connections are required for access to the PLC. Connections are currently supported for the SIMATIC S7 over TCP/IP.
Then configure the desired variables.
You can now specify scaling for output.
Then, you create your desired messages.

Now create the desired variables to be displayed or processed.

For correct display and processing of the variables, a conversion may have to be carried out. This conversion can be done with standardization. You can define the necessary conversions here and assign them later to the messages. Since standardization is usually more common, it is useful to manage it centrally.

The actual messages are configured separately. The relationship between the variable, the standardization and the reporting group is made. What the actual message is. The sequence of the messages is made after entering the line number.

To activate the message processing at all, basic settings must be made. Before you activate these settings, the mediations should be projected.
The importance of each Row:

On the SMS Message Buffer page, the messages that are currently pending and not yet sent are displayed. The Column “Tx Trials” shows the number of attempts that have already been made to drop the SMS. This is greater than 0, e.g. Telephone line not available, busy or service settings (telephone number) are not correct. The largest number of attempts is reported to the PLC (see above).

Clicking on the symbol deletes all messages in the list. The messages are not sent!
To testPurposeen remove the telephone cable, you can test the function of the system first without generating costs for sending SMS.

In the menu item View messages you can view the current status of the messages. All message states of the configured messages are displayed there. So also these, which can not generate SMS. As a result, a state can be obtained via the system without PLC programming software. The message window is updated every 3 seconds. Red fields indicate that there is a violation of the limit value.

Documentation for the Version 1.19

S7 firewall is a scalable “PLC firewall”, which not only filters IP / MAC addresses, but also allows access to arbitrary data areas of the PLC to be restricted / defined. S7 firewall can be installed arbitrarily between PLC and operating / programming level. S7-firewall detects the installation direction automatically. Only configured connections are allowed.

Our S7 firewall is based on our TeleR⁴

The WAN / LAN port has shared IP addresses
Up to 3 different IP addresses and subnets can be configured. The port can also be operated as a DHCP server or client. The necessary data for the IP assignment is entered here. For the operation as DHCP / server fixed assignments MAC-IP address can be fixed. (See “DHCP fixed addresses). It also determines which services are available at the port (Web Config), Ping, SSH (for developers only)

Here is the form for the input of the WEB-Interface users. Per user, different authorizations can be assigned. In principle, only one user can make changes with “SU”. U1 - U5 is only allowed to operate the interface. In the S7 firewall expansion modules, “U1” - “U5” have more precisely specified operating rights.

The PLC firewall connections result from the combination of HMI / PG station and PLC station

The connections are made up of the combination HMI / PG station and PLC station. Each HMI / PLC station can be used several times. If the Mac or IP address is changed, this must only be changed centrally in the HMI / PG station or PLC station. Each connection is assigned a connection rule.
If “PG full function” is selected, this connection is a full access. In the future, this access can be divided more closely (Read / write defined blocks, PLC start / stop, reset, system data (read / write)).

In the rule script, the data areas or possible accesses for the respective connection are defined. The script can be reached via the link of the name of the connection.

Syntax of the control script

In a RuleRow, a single operand, or I can enter a range.
Example for entering individual operands: (source from Siemens STEP-S7 PG software)

Note: The entry of “DB0 …” is not allowed due to internal use.
Example for entering ranges, with number of units:
since Flag 60, 10 Byte: MB60, 10
since DB10, Data word 2, 5 words: DB10.DW2, 5
After the comma, the number of units required (depending on the address type, BOOL, BYTE, WORD, DWORD)
Example for entering ranges from “from” to ”:“
Flag Byte 70 bis Flag Byte 200: MB 70 – MB 200
Output A 10.2 bis Output 14.7: A 10.2 – A14.7
Just after start operands with, -, specify the end operand (end address). The end address is included!

On the back are four screw holes. Mount the supplied DIN rail bracket so that the spring faces downwards.

Assembly:
First hook into the DIN rail and then push / pull the TeleR2 / TeleR4 into the holder.

Dismantling:
To disassemble, lift the TeleR2 / TeleR4 and tilt it slightly forward.

For the voltage supply of the device, either the supplied plug-in power supply or an on-site voltage supply of 10-30V / DC With min. 350mA current connected to the green 2-pin connector. The voltage poles are marked with colored wire end ferrules for the supplied plug-in power supply.

The PLUS pole with the color “red”, the MINUS pole with the color “blue”. Connect the PLUS pole to the upper screw terminal and the MINUS terminal to the lower (outer) screw terminal.
The “Power” LED is lit. After a short initialization phase, the “S1” LED is lit in steady light and the device is ready for operation.